From 3ee0df541e284074662c7c916951fb37aac4abef Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 15 Apr 2016 15:34:19 -0400 Subject: x11 fixes --- src/firejail/x11.c | 6 ++-- test/icedove-x11.exp | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++ test/test-apps-x11.sh | 20 ++++++++++++- test/xterm-x11.exp | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 186 insertions(+), 4 deletions(-) create mode 100755 test/icedove-x11.exp create mode 100755 test/xterm-x11.exp diff --git a/src/firejail/x11.c b/src/firejail/x11.c index ef1095a49..985ca9337 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c @@ -170,7 +170,7 @@ void x11_start_xephyr(int argc, char **argv) { // unfortunately, xephyr does a number of weird things when started by root user!!! if (getuid() == 0) { - fprintf(stderr, "Error: this feature is not available when running as root\n"); + fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n"); exit(1); } @@ -292,7 +292,7 @@ void x11_start_xpra(int argc, char **argv) { // unfortunately, xpra does a number of weird things when started by root user!!! if (getuid() == 0) { - fprintf(stderr, "Error: this feature is not available when running as root\n"); + fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n"); exit(1); } @@ -410,7 +410,7 @@ void x11_start(int argc, char **argv) { // unfortunately, xpra does a number of weird things when started by root user!!! if (getuid() == 0) { - fprintf(stderr, "Error: this feature is not available when running as root\n"); + fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n"); exit(1); } diff --git a/test/icedove-x11.exp b/test/icedove-x11.exp new file mode 100755 index 000000000..6f8eee90d --- /dev/null +++ b/test/icedove-x11.exp 
@@ -0,0 +1,82 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --name=test --net=br0 --x11 icedove\r" +sleep 10 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "icedove" +} +sleep 1 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 5.0\n";exit} + "icedove" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +sleep 2 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 6.0\n";exit} + "icedove" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firejail --shutdown=test\r" +sleep 3 + +puts "\nall done\n" + diff --git a/test/test-apps-x11.sh b/test/test-apps-x11.sh index 6521fa2b0..93d984501 100755 --- a/test/test-apps-x11.sh +++ b/test/test-apps-x11.sh @@ -1,5 +1,14 @@ #!/bin/bash +which xterm +if [ "$?" -eq 0 ]; +then + echo "TESTING: xterm x11" + ./xterm-x11.exp +else + echo "TESTING: xterm not found" +fi + which firefox if [ "$?" -eq 0 ]; then 
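Review bot: Every failure branch in this new script ends in a bare `exit`, which terminates expect with status 0, so test-apps-x11.sh cannot tell a timeout from a pass; the printed "TESTING ERROR" text is the only signal. Since these checks assert security properties (`Seccomp: 2`, an all-zero `CapBnd`), the failure paths should return non-zero, e.g. `timeout {puts "TESTING ERROR 3\n";exit 1}`. The label "TESTING ERROR 5.1" is also used twice in the `firemon --seccomp` section, for the seccomp check and for the `name=blablabla` check, so the second should be renumbered. test/xterm-x11.exp, added by the same commit, has both problems.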
@@ -22,8 +31,17 @@ which transmission-gtk if [ "$?" -eq 0 ]; then echo "TESTING: transmission-gtk x11" - ./transmission-gtk.exp + ./transmission-gtk-x11.exp else echo "TESTING: transmission-gtk not found" fi +which icedove +if [ "$?" -eq 0 ]; +then + echo "TESTING: icedove x11" + ./icedove-x11.exp +else + echo "TESTING: chromium not found" +fi + diff --git a/test/xterm-x11.exp b/test/xterm-x11.exp new file mode 100755 index 000000000..592f77659 --- /dev/null +++ b/test/xterm-x11.exp 
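Review bot: The else-branch of the new icedove block prints `TESTING: chromium not found`, apparently copied from another block; it should be `echo "TESTING: icedove not found"` so that a skipped test is attributed to the right program. The same hunk switches the transmission-gtk block to `./transmission-gtk-x11.exp`, while the commit's file list creates only icedove-x11.exp and xterm-x11.exp, so it is worth confirming that this script already exists in test/.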
@@ -0,0 +1,82 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --name=test --net=br0 --x11 xterm\r" +sleep 10 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "xterm" +} +sleep 1 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 5.0\n";exit} + "xterm" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 6.0\n";exit} + "xterm" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firejail --shutdown=test\r" +sleep 3 + +puts "\nall done\n" + -- cgit v1.2.3-70-g09d2 From 128c4882110cf1a35efff623d0dd348cc1025e73 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 16 Apr 2016 08:39:25 -0400 Subject: fixed --profile option --- src/firejail/main.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/src/firejail/main.c b/src/firejail/main.c index bdf960b96..6b50b450c 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c 
@@ -1154,23 +1154,27 @@ int main(int argc, char **argv) { fprintf(stderr, "Error: --noprofile and --profile options are mutually exclusive\n"); exit(1); } - invalid_filename(argv[i] + 10); + + char *ppath = expand_home(argv[i] + 10, cfg.homedir); + if (!ppath) + errExit("strdup"); + invalid_filename(ppath); // multiple profile files are allowed! - char *ptr = argv[i] + 10; - if (is_dir(ptr) || is_link(ptr) || strstr(ptr, "..")) { + if (is_dir(ppath) || is_link(ppath) || strstr(ppath, "..")) { fprintf(stderr, "Error: invalid profile file\n"); exit(1); } // access call checks as real UID/GID, not as effective UID/GID - if (access(argv[i] + 10, R_OK)) { + if (access(ppath, R_OK)) { fprintf(stderr, "Error: cannot access profile file\n"); return 1; } - profile_read(argv[i] + 10); + profile_read(ppath); custom_profile = 1; + free(ppath); } else if (strncmp(argv[i], "--profile-path=", 15) == 0) { if (arg_noprofile) { -- cgit v1.2.3-70-g09d2 From fa5e81aa1490f13372cc973543aeae9df09e506d Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 16 Apr 2016 09:08:56 -0400 Subject: fix: firejail config in /etc/firejail is not blacklisted if the sandbox is started as root in order to allow sandbox chanining --- src/firejail/fs.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 7ee76d096..652f897d0 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -750,7 +750,13 @@ void fs_basic_fs(void) { // don't leak user information restrict_users(); - disable_firejail_config(); + // when starting as root, firejail config is not disabled; + // this mode could be used to install and test new software by chaining + // firejail sandboxes (firejail --force) + if (getuid() != 0) + disable_firejail_config(); + else + fprintf(stderr, "Warning: masking /etc/firejail disabled when starting the sandbox as root\n"); } 
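Review bot: The checks on `ppath` (`is_dir`, `is_link`, `access(ppath, R_OK)`) and the later `profile_read(ppath)` each resolve the path by name, so the file that is read is not guaranteed to be the file that was checked; profile_read() is outside this hunk, so how it opens the file needs confirming. In a setuid binary the usual remedy is to open the file once and run the checks on the descriptor, or to do the read with the real UID in effect. Until then I would document it above the `access` call: `// NOTE: the checks above and profile_read() resolve ppath separately (check-then-use)`. Separately, `errExit("strdup")` names a call that is not visible here, so if `expand_home` can return NULL for any other reason the message will mislead. The enclosing `main` starts and ends outside the hunk.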
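Review bot: The exemption is keyed on `getuid() != 0` alone, although the comment justifies it by chaining sandboxes with `firejail --force`; as written, every sandbox started by root keeps /etc/firejail unmasked, chained or not. If chaining is tracked in a variable, gate the exemption on it; otherwise make the scope explicit in the comment, e.g. `// applies to every root-started sandbox, not only chained ones`. The same block is repeated by this commit in fs_overlayfs and fs_chroot, so a small static helper would keep the three sites from drifting apart.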
@@ -967,13 +973,13 @@ void fs_overlayfs(void) { // don't leak user information restrict_users(); - // when starting as root in overlay mode, firejail config is not disabled; + // when starting as root, firejail config is not disabled; // this mode could be used to install and test new software by chaining // firejail sandboxes (firejail --force) if (getuid() != 0) disable_firejail_config(); else - fprintf(stderr, "Warning: masking /etc/firejail disabled when starting the sandbox as root using --overlay option\n"); + fprintf(stderr, "Warning: masking /etc/firejail disabled when starting the sandbox as root\n"); // cleanup and exit free(option); @@ -1104,7 +1110,13 @@ void fs_chroot(const char *rootdir) { // don't leak user information restrict_users(); - disable_firejail_config(); + // when starting as root, firejail config is not disabled; + // this mode could be used to install and test new software by chaining + // firejail sandboxes (firejail --force) + if (getuid() != 0) + disable_firejail_config(); + else + fprintf(stderr, "Warning: masking /etc/firejail disabled when starting the sandbox as root\n"); } #endif -- cgit v1.2.3-70-g09d2 From 4aceb53813508181242eddcfe3950292b7c5355c Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sat, 16 Apr 2016 23:27:18 +1000 Subject: Moved to ~ --- README.md | 2 +- configure | 18 +++++++++--------- configure.ac | 2 +- 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 7f6f573b4..d49a01986 100644 --- a/README.md +++ b/README.md @@ -34,7 +34,7 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ ````` ````` -# Current development version: 0.9.40-rc2 +# Current development version: 0.9.40~rc2 Version 0.9.40-rc1 released! ## X11 sandboxing support diff --git a/configure b/configure index 73a5c89e6..46e792f64 100755 --- a/configure +++ b/configure 
@@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for firejail 0.9.40-rc2. +# Generated by GNU Autoconf 2.69 for firejail 0.9.40~rc2. # # Report bugs to . # @@ -580,8 +580,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='firejail' PACKAGE_TARNAME='firejail' -PACKAGE_VERSION='0.9.40-rc2' -PACKAGE_STRING='firejail 0.9.40-rc2' +PACKAGE_VERSION='0.9.40~rc2' +PACKAGE_STRING='firejail 0.9.40~rc2' PACKAGE_BUGREPORT='netblue30@yahoo.com' PACKAGE_URL='http://firejail.wordpress.com' @@ -1246,7 +1246,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures firejail 0.9.40-rc2 to adapt to many kinds of systems. +\`configure' configures firejail 0.9.40~rc2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1307,7 +1307,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of firejail 0.9.40-rc2:";; + short | recursive ) echo "Configuration of firejail 0.9.40~rc2:";; esac cat <<\_ACEOF @@ -1403,7 +1403,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -firejail configure 0.9.40-rc2 +firejail configure 0.9.40~rc2 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1705,7 +1705,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by firejail $as_me 0.9.40-rc2, which was +It was created by firejail $as_me 0.9.40~rc2, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ 
@@ -4184,7 +4184,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by firejail $as_me 0.9.40-rc2, which was +This file was extended by firejail $as_me 0.9.40~rc2, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -4238,7 +4238,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -firejail config.status 0.9.40-rc2 +firejail config.status 0.9.40~rc2 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index a4486b3ff..09b1076c4 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ([2.68]) -AC_INIT(firejail, 0.9.40-rc2, netblue30@yahoo.com, , http://firejail.wordpress.com) +AC_INIT(firejail, 0.9.40~rc2, netblue30@yahoo.com, , http://firejail.wordpress.com) AC_CONFIG_SRCDIR([src/firejail/main.c]) #AC_CONFIG_HEADERS([config.h]) -- cgit v1.2.3-70-g09d2 From 926f21a51c2c9f1cd97b815323a8c2c8f5e9b927 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 16 Apr 2016 10:06:26 -0400 Subject: added netsurf profile --- Makefile.in | 1 + README.md | 2 +- RELNOTES | 2 +- etc/netsurf.profile | 34 ++++++++++++++++++++++++++++++++++ platform/debian/conffiles | 1 + src/firecfg/firecfg.config | 1 + 6 files changed, 39 insertions(+), 2 deletions(-) create mode 100644 etc/netsurf.profile diff --git a/Makefile.in b/Makefile.in index 16f8e8717..64a6fbd76 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -164,6 +164,7 @@ realinstall: install -c -m 0644 .etc/icedove.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/abrowser.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/0ad.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/netsurf.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" rm -fr .etc diff --git a/README.md b/README.md index 7f6f573b4..0edf87d48 100644 --- a/README.md +++ b/README.md @@ -281,5 +281,5 @@ $ man firejail-profile ## New security profiles lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox, -OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad +OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf diff --git a/RELNOTES b/RELNOTES index fbd620408..fc7df6f19 100644 --- a/RELNOTES +++ b/RELNOTES @@ -18,7 +18,7 @@ firejail (0.9.40-rc1) baseline; urgency=low * new profiles: lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril * new profiles: qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars * new profiles: qTox, OpenSSH client, OpenBox, Dillo, cmus, dnsmasq - * new profiles: PaleMoon, Icedove, abrowser, 0ad + * new profiles: PaleMoon, Icedove, abrowser, 0ad, netsurf * build rpm packages using "make rpms" * bugfixes -- netblue30 Sun, 3 Apr 2016 08:00:00 -0500 diff --git a/etc/netsurf.profile b/etc/netsurf.profile new file mode 100644 index 000000000..26b621126 --- /dev/null +++ b/etc/netsurf.profile 
@@ -0,0 +1,34 @@ +# Firejail profile for Mozilla Firefox (Iceweasel in Debian) + +noblacklist ~/.config/netsurf +noblacklist ~/.cache/netsurf +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc + +caps.drop all +seccomp +protocol unix,inet,inet6,netlink +netfilter +tracelog +noroot + +whitelist ${DOWNLOADS} +mkdir ~/.config +mkdir ~/.config/netsurf +whitelist ~/.config/netsurf +mkdir ~/.cache +mkdir ~/.cache/netsurf +whitelist ~/.cache/netsurf + +# lastpass, keepassx +whitelist ~/.keepassx +whitelist ~/.config/keepassx +whitelist ~/keepassx.kdbx +whitelist ~/.lastpass +whitelist ~/.config/lastpass + +include /etc/firejail/whitelist-common.inc + + + diff --git a/platform/debian/conffiles b/platform/debian/conffiles index dc8640147..5f1546a4f 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -83,3 +83,4 @@ /etc/firejail/palemoon.profile /etc/firejail/abrowser.profile /etc/firejail/0ad.profile +/etc/firejail/netsurf.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index c28f8e352..fed477f44 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -27,6 +27,7 @@ seamonkey-bin vivaldi-beta vivaldi dillo +netsurf # bittorrent/ftp deluge -- cgit v1.2.3-70-g09d2 From 072e1c2fec78d4c618397f456171e332388739a7 Mon Sep 17 00:00:00 2001 From: Matthew Gyurgyik Date: Sat, 16 Apr 2016 10:58:17 -0400 Subject: add new files to rpm --- platform/rpm/firejail.spec | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/platform/rpm/firejail.spec b/platform/rpm/firejail.spec index e365af2d6..e1799d7a6 100644 --- a/platform/rpm/firejail.spec +++ b/platform/rpm/firejail.spec 
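Review bot: The header comment still reads `# Firejail profile for Mozilla Firefox (Iceweasel in Debian)`; it should name the program this file is for, e.g. `# Firejail profile for NetSurf`. The `# lastpass, keepassx` whitelist block looks carried over from the same template: it exposes `~/.keepassx`, `~/.config/keepassx`, `~/keepassx.kdbx` and the two lastpass directories to the browser, which is only warranted if NetSurf actually integrates with those password managers. If it does not, drop those five whitelist lines so the password stores stay outside the whitelisted home view.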
@@ -33,16 +33,21 @@ rm -rf %{buildroot} %doc %defattr(-, root, root, -) %attr(4755, -, -) %{_bindir}/__NAME__ +%{_bindir}/firecfg %{_bindir}/firemon +%{_libdir}/__NAME__/firecfg.config %{_libdir}/__NAME__/ftee %{_libdir}/__NAME__/fshaper.sh %{_libdir}/__NAME__/libtrace.so %{_libdir}/__NAME__/libtracelog.so %{_datarootdir}/bash-completion/completions/__NAME__ +%{_datarootdir}/bash-completion/completions/firecfg %{_datarootdir}/bash-completion/completions/firemon %{_docdir}/__NAME__ %{_mandir}/man1/__NAME__.1.gz +%{_mandir}/man1/firecfg.1.gz %{_mandir}/man1/firemon.1.gz +%{_mandir}/man5/__NAME__-config.5.gz %{_mandir}/man5/__NAME__-login.5.gz %{_mandir}/man5/__NAME__-profile.5.gz %config %{_sysconfdir}/__NAME__ -- cgit v1.2.3-70-g09d2 From 2259798bbb4c450639f5d7a77d0ff60c47c087ed Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 17 Apr 2016 08:27:13 -0400 Subject: update --- README | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README b/README index 81481f512..ade4b4258 100644 --- a/README +++ b/README @@ -18,6 +18,8 @@ License: GPL v2 Firejail Authors: netblue30 (netblue30@yahoo.com) +Matthew Gyurgyik (https://github.com/pyther) + - rpm spec and several fixes Joan Figueras (https://github.com/figue) - added abrowser profile Fred-Barclay (https://github.com/Fred-Barclay) @@ -25,6 +27,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added PaleMoon profile - split Icedove and Thunderbird profiles - added 0ad profile + - fixed version for deb packages avoidr (https://github.com/avoidr) - whitelist fix - recently-used.xbel fix @@ -132,8 +135,6 @@ andrew160 (https://github.com/andrew160) - profile and man pages fixes Loïc Damien (https://github.com/dzamlo) - small fixes -Matthew Gyurgyik (https://github.com/pyther) - - rpm spec and several fixes greigdp (https://github.com/greigdp) - add Spotify profile Mattias Wadman (https://github.com/wader) -- cgit v1.2.3-70-g09d2 From 2cc65305e470638cd00bfc4aa90821851b35b53c Mon Sep 17 00:00:00 2001 
From: Fred-Barclay Date: Sun, 17 Apr 2016 23:53:27 +1000 Subject: added warzone2100 profile --- etc/warzone2100.profile | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 etc/warzone2100.profile diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile new file mode 100644 index 000000000..73408ffb1 --- /dev/null +++ b/etc/warzone2100.profile @@ -0,0 +1,19 @@ +# Firejail profile for warzone2100 +# Currently supports warzone2100-3.1 +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +# Call these options +caps.drop all +netfilter +noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog + +# Whitelist +noblacklist ~/.warzone2100-3.1 +mkdir ~/.warzone2100-3.1 +whitelist ~/.warzone2100-3.1 -- cgit v1.2.3-70-g09d2 From eb5c4692f16f9329975ddc2919442aa1fb2c0a44 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Mon, 18 Apr 2016 00:02:21 +1000 Subject: warzone2100 extra files --- Makefile.in | 1 + etc/disable-programs.inc | 1 + platform/debian/conffiles | 1 + src/firecfg/firecfg.config | 1 + 4 files changed, 4 insertions(+) diff --git a/Makefile.in b/Makefile.in index 64a6fbd76..590f2cd5f 100644 --- a/Makefile.in +++ b/Makefile.in @@ -165,6 +165,7 @@ realinstall: install -c -m 0644 .etc/abrowser.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/0ad.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/netsurf.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/warzone2100.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" rm -fr .etc 
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 7f18aa16f..43b9cff38 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -54,6 +54,7 @@ blacklist ${HOME}/.hedgewars blacklist ${HOME}/.steam blacklist ${HOME}/.config/wesnoth blacklist ${HOME}/.config/0ad +blacklist ${HOME}/.warzone2100-3.1 # Cryptocoins blacklist ${HOME}/.*coin diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 5f1546a4f..2413965ba 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -84,3 +84,4 @@ /etc/firejail/abrowser.profile /etc/firejail/0ad.profile /etc/firejail/netsurf.profile +/etc/firejail/warzone2100.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index fed477f44..80433f1e5 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -75,3 +75,4 @@ xchat # games hedgewars wesnot +warzone2100 -- cgit v1.2.3-70-g09d2 From 20b1a0d188129568efccfb21478cc035a1b0f048 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 17 Apr 2016 12:13:17 -0400 Subject: warzone2100 and firecfg fixes --- README | 1 + README.md | 3 ++- RELNOTES | 2 +- etc/warzone2100.profile | 2 +- src/firecfg/main.c | 5 +++-- 5 files changed, 8 insertions(+), 5 deletions(-) diff --git a/README b/README index ade4b4258..e42c187e2 100644 --- a/README +++ b/README @@ -28,6 +28,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - split Icedove and Thunderbird profiles - added 0ad profile - fixed version for deb packages + - added Warzone2100 profile avoidr (https://github.com/avoidr) - whitelist fix - recently-used.xbel fix diff --git a/README.md b/README.md index d6a9a6c7a..ed564e58a 100644 --- a/README.md +++ b/README.md 
@@ -281,5 +281,6 @@ $ man firejail-profile ## New security profiles lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox, -OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf +OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf, +Warzone2100 diff --git a/RELNOTES b/RELNOTES index fc7df6f19..4bff6d092 100644 --- a/RELNOTES +++ b/RELNOTES @@ -18,7 +18,7 @@ firejail (0.9.40-rc1) baseline; urgency=low * new profiles: lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril * new profiles: qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars * new profiles: qTox, OpenSSH client, OpenBox, Dillo, cmus, dnsmasq - * new profiles: PaleMoon, Icedove, abrowser, 0ad, netsurf + * new profiles: PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100 * build rpm packages using "make rpms" * bugfixes -- netblue30 Sun, 3 Apr 2016 08:00:00 -0500 diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile index 73408ffb1..7588da657 100644 --- a/etc/warzone2100.profile +++ b/etc/warzone2100.profile @@ -1,5 +1,6 @@ # Firejail profile for warzone2100 # Currently supports warzone2100-3.1 +noblacklist ~/.warzone2100-3.1 include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc @@ -14,6 +15,5 @@ seccomp tracelog # Whitelist -noblacklist ~/.warzone2100-3.1 mkdir ~/.warzone2100-3.1 whitelist ~/.warzone2100-3.1 diff --git a/src/firecfg/main.c b/src/firecfg/main.c index 70d29a3ed..5fcace6cb 100644 --- a/src/firecfg/main.c +++ b/src/firecfg/main.c 
@@ -79,7 +79,8 @@ static int find(const char *program, const char *directory) { static int which(const char *program) { // check some well-known paths if (find(program, "/bin") || find(program, "/usr/bin") || - find(program, "/sbin") || find(program, "/usr/sbin")) + find(program, "/sbin") || find(program, "/usr/sbin") || + find(program, "/usr/games")) return 1; // check environment @@ -268,7 +269,7 @@ static void set(void) { // empty line if (*start == '\0') continue; - + // set link set_file(start, firejail_exec); } -- cgit v1.2.3-70-g09d2 From 908d2a1d616a00462dbda4776aa51ee67727b2ad Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Mon, 18 Apr 2016 02:33:11 +1000 Subject: disabled VeraCrypt access --- etc/disable-common.inc | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index b1133f28f..2c8773b00 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -26,6 +26,14 @@ blacklist ${HOME}/.VirtualBox blacklist ${HOME}/VirtualBox VMs blacklist ${HOME}/.config/VirtualBox +# VeraCrypt +blacklist /usr/bin/veracrypt +blacklist /usr/bin/veracrypt-uninstall.sh +blacklist /usr/share/veracrypt +blacklist /usr/share/applications/veracrypt.* +blacklist /usr/share/pixmaps/veracrypt.* +blacklist ${HOME}/.VeraCrypt + # var blacklist /var/spool/cron blacklist /var/spool/anacron -- cgit v1.2.3-70-g09d2 From d5ba1843daa3dd8b8a73881c252d18eb764784b8 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Mon, 18 Apr 2016 02:35:10 +1000 Subject: added VeraCrypt --- README | 1 + 1 file changed, 1 insertion(+) diff --git a/README b/README index ade4b4258..1fdd0e45b 100644 --- a/README +++ b/README @@ -28,6 +28,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - split Icedove and Thunderbird profiles - added 0ad profile - fixed version for deb packages + - blacklisted VeraCrypt avoidr (https://github.com/avoidr) - whitelist fix - recently-used.xbel fix -- cgit v1.2.3-70-g09d2 
From f7894327672b9e54f237ffa377ebd019a76334a2 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Mon, 18 Apr 2016 03:19:54 +1000 Subject: Removed thunderbird todo --- todo | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/todo b/todo index da732be9f..f23b4b13d 100644 --- a/todo +++ b/todo @@ -74,11 +74,9 @@ CapEff: 0000000000000000 CapBnd: 0000003fffffffff CapAmb: 0000000000000000 -11. cleanup thunderbird profile - disable-common was commented out - -12. check seccomp on Docker: https://docs.docker.com/engine/security/seccomp/ +11. check seccomp on Docker: https://docs.docker.com/engine/security/seccomp/ Seccomp lists: https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_64.tbl https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_32.tbl -13. check for --chroot why .config/pulse dir is not created +12. check for --chroot why .config/pulse dir is not created -- cgit v1.2.3-70-g09d2 From 9bb31411516cb6df99f3ebbf31a4fb17b8b56f77 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Mon, 18 Apr 2016 05:21:41 +1000 Subject: Fixed path --- etc/disable-common.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 2c8773b00..4d05ba783 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -27,8 +27,8 @@ blacklist ${HOME}/VirtualBox VMs blacklist ${HOME}/.config/VirtualBox # VeraCrypt -blacklist /usr/bin/veracrypt -blacklist /usr/bin/veracrypt-uninstall.sh +blacklist ${PATH}/veracrypt +blacklist ${PATH}/veracrypt-uninstall.sh blacklist /usr/share/veracrypt blacklist /usr/share/applications/veracrypt.* blacklist /usr/share/pixmaps/veracrypt.* -- cgit v1.2.3-70-g09d2 From 0b5429c995966fa0e3c36737a16a9ac20bf2513d Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Mon, 18 Apr 2016 07:19:14 -0400 Subject: added --writable-etc and --writable-var options --- RELNOTES | 1 + src/firejail/firejail.h | 2 ++ src/firejail/fs.c | 6 ++++-- src/firejail/main.c | 16 ++++++++++++++++ src/firejail/usage.c | 6 ++++++ src/man/firejail.txt | 21 +++++++++++++++++++++ 6 files changed, 50 insertions(+), 2 deletions(-) diff --git a/RELNOTES b/RELNOTES index 4bff6d092..37b4faf47 100644 --- a/RELNOTES +++ b/RELNOTES @@ -5,6 +5,7 @@ firejail (0.9.40-rc1) baseline; urgency=low * added --x11=xephyr option * added --cpu.print option * added filetransfer options --ls and --get + * added --writable-etc and --writable-var options * added mkdir, ipc-namespace, and nosound profile commands * added net iface, and iprange profile commands * --version also prints compile options diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 24ea53476..ece1eee4e 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -256,6 +256,8 @@ extern int arg_join_network; // join only the network namespace extern int arg_join_filesystem; // join only the mount namespace extern int arg_nice; // nice value configured extern int arg_ipc; // enable ipc namespace +extern int arg_writable_etc; // writable etc +extern int arg_writable_var; // writable var extern int parent_to_child_fds[2]; extern int child_to_parent_fds[2]; diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 652f897d0..af1ddf93b 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -734,8 +734,10 @@ void fs_basic_fs(void) { fs_rdonly("/lib32"); fs_rdonly("/libx32"); fs_rdonly("/usr"); - fs_rdonly("/etc"); - fs_rdonly("/var"); + if (!arg_writable_etc) + fs_rdonly("/etc"); + if (!arg_writable_var) + fs_rdonly("/var"); // update /var directory in order to support multiple sandboxes running on the same root directory if (!arg_private_dev) diff --git a/src/firejail/main.c b/src/firejail/main.c index 6b50b450c..27bd7c385 100644 --- a/src/firejail/main.c 
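Review bot: With `arg_writable_etc` set, `fs_rdonly("/etc")` is skipped, and an earlier commit on this page already skips `disable_firejail_config()` for root in the same function, so a root sandbox started with `--writable-etc` presumably ends up with /etc/firejail both visible and writable. If that is intended, say so where the flag is used, e.g. `// root only: /etc, including /etc/firejail, stays writable inside the sandbox`, and mention it in the man page text. The two flags are consulted only here in fs_basic_fs; whether fs_overlayfs and fs_chroot need the same handling cannot be seen from this commit. fs_basic_fs starts and ends outside the hunk.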
+++ b/src/firejail/main.c @@ -96,6 +96,8 @@ int arg_join_network = 0; // join only the network namespace int arg_join_filesystem = 0; // join only the mount namespace int arg_nice = 0; // nice value configured int arg_ipc = 0; // enable ipc namespace +int arg_writable_etc = 0; // writable etc +int arg_writable_var = 0; // writable var int parent_to_child_fds[2]; int child_to_parent_fds[2]; @@ -1272,6 +1274,20 @@ int main(int argc, char **argv) { } #endif + else if (strcmp(argv[i], "--writable-etc") == 0) { + if (getuid() != 0) { + fprintf(stderr, "Error: --writable-etc is available only for root user\n"); + exit(1); + } + arg_writable_etc = 1; + } + else if (strcmp(argv[i], "--writable-var") == 0) { + if (getuid() != 0) { + fprintf(stderr, "Error: --writable-var is available only for root user\n"); + exit(1); + } + arg_writable_var = 1; + } else if (strcmp(argv[i], "--private") == 0) arg_private = 1; else if (strncmp(argv[i], "--private=", 10) == 0) { diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 539785f21..8b61629f4 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -246,6 +246,12 @@ void usage(void) { printf(" --user=new_user - switch the user before starting the sandbox.\n\n"); printf(" --version - print program version and exit.\n\n"); printf(" --whitelist=dirname_or_filename - whitelist directory or file.\n\n"); + + printf(" --writable-etc - /etc directory is mounted read-write. This option is\n"); + printf("\tavailable only when running the sandbox as root user.\n\n"); + printf(" --writable-var - /var directory is mounted read-write. This option is\n"); + printf("\tavailable only when running the sandbox as root user.\n\n"); + printf(" --x11 - enable X11 server. The software checks first if Xpra is installed,\n"); printf("\tthen it checks if Xephyr is installed.\n\n"); printf(" --x11=xpra - enable Xpra X11 server.\n\n"); diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 23db832c1..14b3c6a60 100644 
--- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -1461,6 +1461,27 @@ $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null .br $ firejail "\-\-whitelist=/home/username/My Virtual Machines" +.TP +\fB\-\-writable-etc +Mount /etc directory read-write. This option is available only when running the sandbox as root user +.br + +.br +Example: +.br +$ sudo firejail --writable-etc + +.TP +\fB\-\-writable-var +Mount /var directory read-write. This option is available only when running the sandbox as root user +.br + +.br +Example: +.br +$ sudo firejail --writable-var + + .TP \fB\-\-x11 Start a new X11 server using Xpra or Xephyr and attach the sandbox to this server. -- cgit v1.2.3-70-g09d2 From 96e801fd8a8f4a743e2286b9367177ce8f7b3c65 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 18 Apr 2016 09:38:54 -0400 Subject: added okular and gwenview profiles --- Makefile.in | 2 ++ README | 7 ++++--- README.md | 2 +- RELNOTES | 1 + etc/disable-programs.inc | 5 +++++ etc/gwenview.profile | 19 +++++++++++++++++++ etc/okular.profile | 21 +++++++++++++++++++++ platform/debian/conffiles | 3 +++ src/firecfg/firecfg.config | 2 ++ 9 files changed, 58 insertions(+), 4 deletions(-) create mode 100644 etc/gwenview.profile create mode 100644 etc/okular.profile diff --git a/Makefile.in b/Makefile.in index 590f2cd5f..bc8061985 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -166,6 +166,8 @@ realinstall: install -c -m 0644 .etc/0ad.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/netsurf.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/warzone2100.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/okular.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/gwenview.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" rm -fr .etc diff --git a/README b/README index 55f9109da..e4ad5a49f 100644 --- a/README +++ b/README @@ -18,6 +18,10 @@ License: GPL v2 Firejail Authors: netblue30 (netblue30@yahoo.com) +curiosity-seeker (https://github.com/curiosity-seeker) + - tightening unbound and dnscrypt-proxy profiles + - dnsmasq profile + - okular and gwenview profiles Matthew Gyurgyik (https://github.com/pyther) - rpm spec and several fixes Joan Figueras (https://github.com/figue) @@ -86,9 +90,6 @@ Rahiel Kasim (https://github.com/rahiel) - Mathematica profile creideiki (https://github.com/creideiki) - make the sandbox process reap all children -curiosity-seeker (https://github.com/curiosity-seeker) - - tightening unbound and dnscrypt-proxy profiles - - dnsmasq profile sinkuu (https://github.com/sinkuu) - blacklisting kwalletd - fix symlink invocation for programs placing symlinks in $PATH diff --git a/README.md b/README.md index ed564e58a..afa1fa35c 100644 --- a/README.md +++ b/README.md 
@@ -282,5 +282,5 @@ $ man firejail-profile ## New security profiles lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox, OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf, -Warzone2100 +Warzone2100, okular, gwenview diff --git a/RELNOTES b/RELNOTES index 37b4faf47..188f9d513 100644 --- a/RELNOTES +++ b/RELNOTES @@ -20,6 +20,7 @@ firejail (0.9.40-rc1) baseline; urgency=low * new profiles: qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars * new profiles: qTox, OpenSSH client, OpenBox, Dillo, cmus, dnsmasq * new profiles: PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100 + * new profiles: okular, gwenview * build rpm packages using "make rpms" * bugfixes -- netblue30 Sun, 3 Apr 2016 08:00:00 -0500 diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 43b9cff38..23dd8e025 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -8,6 +8,11 @@ blacklist ${HOME}/.Wolfram Research blacklist ${HOME}/.config/mupen64plus blacklist ${HOME}/.config/transmission blacklist ${HOME}/.config/uGet +blacklist ~/.kde/share/apps/okular +blacklist ~/.kde/share/config/okularrc +blacklist ~/.kde/share/config/okularpartrc +blacklist ~/.kde/share/apps/gwenview +blacklist ~/.kde/share/config/gwenviewrc # Media players blacklist ${HOME}/.config/cmus diff --git a/etc/gwenview.profile b/etc/gwenview.profile new file mode 100644 index 000000000..d61c57adc --- /dev/null +++ b/etc/gwenview.profile @@ -0,0 +1,19 @@ +# KDE gwenview profile +noblacklist ~/.kde/share/apps/gwenview +noblacklist ~/.kde/share/config/gwenviewrc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +caps.drop all +seccomp +protocol unix +noroot +nogroups +private-dev + +#Experimental: +#shell none +#private-bin gwenview +#private-etc X11 + 
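Review bot: The five new `blacklist` entries in etc/disable-programs.inc cover only the `~/.kde/share/...` layout, so okular and gwenview data stored elsewhere would stay readable from every other sandbox that includes this file. Some distributions use `~/.kde4` for KDE 4, and the okular profile in this same commit mentions `kbuildsycoca5`, which suggests KF5 builds are in scope; those usually keep their settings under `~/.config`, so it is worth confirming the paths on the target systems and adding matching `blacklist`/`noblacklist` pairs. The new lines also use `~` where the surrounding entries use `${HOME}`; `blacklist ${HOME}/.kde/share/apps/okular` would match the rest of the file.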
diff --git a/etc/okular.profile b/etc/okular.profile new file mode 100644 index 000000000..7929a8796 --- /dev/null +++ b/etc/okular.profile @@ -0,0 +1,21 @@ +# KDE okular profile +noblacklist ~/.kde/share/apps/okular +noblacklist ~/.kde/share/config/okularrc +noblacklist ~/.kde/share/config/okularpartrc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +caps.drop all +seccomp +protocol unix +noroot +nogroups +private-dev + +#Experimental: +#net none +#shell none +#private-bin okular,kbuildsycoca4,kbuildsycoca5 +#private-etc X11 + diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 2413965ba..1ea112301 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -85,3 +85,6 @@ /etc/firejail/0ad.profile /etc/firejail/netsurf.profile /etc/firejail/warzone2100.profile +/etc/firejail/okular.profile +/etc/firejail/gwenview.profile + diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 80433f1e5..d732796e9 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -51,6 +51,8 @@ loweb lowriter Mathematica mathematica +gwenview +okular # Media vlc -- cgit v1.2.3-70-g09d2 From bc5a06e9970fe03325f28e0cdef96ea5c596113f Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Tue, 19 Apr 2016 00:06:13 +1000 Subject: added gpredict profile --- Makefile.in | 1 + README | 3 ++- README.md | 2 +- etc/disable-programs.inc | 1 + etc/gpredict.profile | 23 +++++++++++++++++++++++ platform/debian/conffiles | 2 +- src/firecfg/firecfg.config | 3 +++ 7 files changed, 32 insertions(+), 3 deletions(-) create mode 100644 etc/gpredict.profile diff --git a/Makefile.in b/Makefile.in index bc8061985..cb897c23d 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -168,6 +168,7 @@ realinstall: install -c -m 0644 .etc/warzone2100.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/okular.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/gwenview.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/gpredict.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" rm -fr .etc diff --git a/README b/README index e4ad5a49f..d0a7aaf8d 100644 --- a/README +++ b/README @@ -31,9 +31,10 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added PaleMoon profile - split Icedove and Thunderbird profiles - added 0ad profile - - fixed version for deb packages + - fixed version for .deb packages - added Warzone2100 profile - blacklisted VeraCrypt + - added Gpredict profile avoidr (https://github.com/avoidr) - whitelist fix - recently-used.xbel fix diff --git a/README.md b/README.md index afa1fa35c..ca7927fff 100644 --- a/README.md +++ b/README.md @@ -282,5 +282,5 @@ $ man firejail-profile ## New security profiles lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox, OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf, -Warzone2100, okular, gwenview +Warzone2100, okular, gwenview, Gpredict diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 23dd8e025..6c5515894 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc 
@@ -8,6 +8,7 @@ blacklist ${HOME}/.Wolfram Research blacklist ${HOME}/.config/mupen64plus blacklist ${HOME}/.config/transmission blacklist ${HOME}/.config/uGet +blacklist ${HOME}/.config/Gpredict blacklist ~/.kde/share/apps/okular blacklist ~/.kde/share/config/okularrc blacklist ~/.kde/share/config/okularpartrc diff --git a/etc/gpredict.profile b/etc/gpredict.profile new file mode 100644 index 000000000..f53cb1b4f --- /dev/null +++ b/etc/gpredict.profile @@ -0,0 +1,23 @@ +# Firejail profile for gpredict. + +# Noblacklist +noblacklist ~/.config/Gpredict + +# Include +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +# Call these options +caps.drop all +netfilter +noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog + +# Whitelist +mkdir ~/.config +mkdir ~/.config/Gpredict +whitelist ~/.config/Gpredict diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 1ea112301..6f5b564a0 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -87,4 +87,4 @@ /etc/firejail/warzone2100.profile /etc/firejail/okular.profile /etc/firejail/gwenview.profile - +/etc/firejail/gpredict.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index d732796e9..8bebf76af 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -2,6 +2,9 @@ # This is the list of programs handled by firecfg utility # +# astronomy +gpredict + # browsers/email firefox iceweasel -- cgit v1.2.3-70-g09d2 From 843f5d266a59c6722414630b0efb36eeb99f7897 Mon Sep 17 00:00:00 2001 From: avoidr Date: Mon, 18 Apr 2016 19:38:47 +0200 Subject: fs.c: correct debug message --- src/firejail/fs.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/src/firejail/fs.c b/src/firejail/fs.c index af1ddf93b..4c2510021 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c 
@@ -726,7 +726,16 @@ static void disable_firejail_config(void) { // build a basic read-only filesystem void fs_basic_fs(void) { if (arg_debug) - printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var\n"); + printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr"); + if (!arg_writable_etc) { + fs_rdonly("/etc"); + if (arg_debug) printf(", /etc"); + } + if (!arg_writable_var) { + fs_rdonly("/var"); + if (arg_debug) printf(", /var"); + } + if (arg_debug) printf("\n"); fs_rdonly("/bin"); fs_rdonly("/sbin"); fs_rdonly("/lib"); @@ -734,10 +743,6 @@ void fs_basic_fs(void) { fs_rdonly("/lib32"); fs_rdonly("/libx32"); fs_rdonly("/usr"); - if (!arg_writable_etc) - fs_rdonly("/etc"); - if (!arg_writable_var) - fs_rdonly("/var"); // update /var directory in order to support multiple sandboxes running on the same root directory if (!arg_private_dev) -- cgit v1.2.3-70-g09d2 From 63958869fef0e01adb64b83ffa8cdbaf892a93b9 Mon Sep 17 00:00:00 2001 From: Joan Figueras Date: Mon, 18 Apr 2016 23:00:55 +0200 Subject: added google-play-music-desktop-player profile --- etc/google-play-music-desktop-player.profile | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 etc/google-play-music-desktop-player.profile diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile new file mode 100644 index 000000000..56d09d5b2 --- /dev/null +++ b/etc/google-play-music-desktop-player.profile @@ -0,0 +1,16 @@ +# Google Play Music desktop player profile +noblacklist ~/.config/Google Play Music Desktop Player + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +seccomp +protocol unix,inet,inet6,netlink +noroot + +#whitelist ~/.pulse +#whitelist ~/.config/pulse +whitelist ~/.config/Google Play Music Desktop Player -- cgit v1.2.3-70-g09d2 
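Review bot: The rewritten debug message in fs_basic_fs() still omits `/libx32`, which the function remounts read-only a few lines below, and the fix for the message also moved the `/etc` and `/var` remounts ahead of `/bin` … `/usr` by tying them to the printing. If fs_rdonly() prints anything itself when `arg_debug` is set (not visible here), the line would additionally be broken in the middle. Building the whole message first and leaving the two conditional `fs_rdonly()` calls where they were keeps the mount order unchanged and the log line intact. The function continues past the end of the hunk.

```c
	if (arg_debug) {
		printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /libx32, /usr%s%s\n",
			arg_writable_etc ? "" : ", /etc",
			arg_writable_var ? "" : ", /var");
	}
	// … unchanged: fs_rdonly() calls for /bin … /usr …
	if (!arg_writable_etc)
		fs_rdonly("/etc");
	if (!arg_writable_var)
		fs_rdonly("/var");
```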
From 8e9104f6a93c6c1b8cc3b4e68b74405564ec3bed Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 18 Apr 2016 18:51:27 -0400 Subject: close lock file --- src/firejail/main.c | 4 +++- src/firemon/netstats.c | 4 ++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/src/firejail/main.c b/src/firejail/main.c index 27bd7c385..b51ba2e65 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -2104,8 +2104,10 @@ int main(int argc, char **argv) { close(parent_to_child_fds[1]); EUID_ROOT(); - if (lockfd != -1) + if (lockfd != -1) { flock(lockfd, LOCK_UN); + close(lockfd); + } // create name file under /run/firejail diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c index 89e4202bd..0ff0dd33d 100644 --- a/src/firemon/netstats.c +++ b/src/firemon/netstats.c @@ -26,6 +26,10 @@ #define MAXBUF 4096 +// ip -s link: device stats +// ss -s: socket stats + + static char *get_header(void) { char *rv; if (asprintf(&rv, "%-5.5s %-9.9s %-10.10s %-10.10s %s", -- cgit v1.2.3-70-g09d2 From aff18630c4fbe49859135c76dbb7ee83233c8f64 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Tue, 19 Apr 2016 10:43:38 +1000 Subject: added aweather profile --- etc/aweather.profile | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 etc/aweather.profile diff --git a/etc/aweather.profile b/etc/aweather.profile new file mode 100644 index 000000000..d7f510a7e --- /dev/null +++ b/etc/aweather.profile @@ -0,0 +1,23 @@ +# Firejail profile for aweather. + +# Noblacklist +noblacklist ~/.config/aweather + +# Include +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +# Call these options +caps.drop all +netfilter +noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog + +# Whitelist +mkdir ~/.config +mkdir ~/.config/aweather +whitelist ~/.config/aweather -- cgit v1.2.3-70-g09d2 
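Review bot: After the added `close(lockfd);` the variable still holds the old descriptor number, so any later `lockfd != -1` test in main() would act on a closed, or by then reused, descriptor. Whether such a test exists is not visible, because main() continues outside this hunk, but adding `lockfd = -1;` right after the close keeps the guard meaningful either way. The return values of `flock()` and `close()` are ignored here; a failed unlock would leave other firejail instances waiting on the lock file, so at least a warning on failure would help diagnosis.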
From e42a45614a31eb06a9741490666ffc11a64d9931 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Tue, 19 Apr 2016 11:04:24 +1000 Subject: extra aweather files --- Makefile.in | 1 + README | 1 + README.md | 2 +- etc/disable-programs.inc | 1 + platform/debian/conffiles | 1 + src/firecfg/firecfg.config | 4 ++++ 6 files changed, 9 insertions(+), 1 deletion(-) diff --git a/Makefile.in b/Makefile.in index cb897c23d..0ba490454 100644 --- a/Makefile.in +++ b/Makefile.in @@ -169,6 +169,7 @@ realinstall: install -c -m 0644 .etc/okular.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/gwenview.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/gpredict.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/aweather.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" rm -fr .etc diff --git a/README b/README index d0a7aaf8d..db7410a73 100644 --- a/README +++ b/README @@ -35,6 +35,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added Warzone2100 profile - blacklisted VeraCrypt - added Gpredict profile + - added Aweather profile avoidr (https://github.com/avoidr) - whitelist fix - recently-used.xbel fix diff --git a/README.md b/README.md index ca7927fff..99ded275e 100644 --- a/README.md +++ b/README.md @@ -282,5 +282,5 @@ $ man firejail-profile ## New security profiles lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox, OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf, -Warzone2100, okular, gwenview, Gpredict +Warzone2100, okular, gwenview, Gpredict, Aweather 
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 6c5515894..2b3a933a5 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -9,6 +9,7 @@ blacklist ${HOME}/.config/mupen64plus blacklist ${HOME}/.config/transmission blacklist ${HOME}/.config/uGet blacklist ${HOME}/.config/Gpredict +blacklist ${HOME}/.config/aweather blacklist ~/.kde/share/apps/okular blacklist ~/.kde/share/config/okularrc blacklist ~/.kde/share/config/okularpartrc diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 6f5b564a0..1cdf3d0f4 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -88,3 +88,4 @@ /etc/firejail/okular.profile /etc/firejail/gwenview.profile /etc/firejail/gpredict.profile +/etc/firejail/aweather.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 8bebf76af..da31a7c7e 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -5,6 +5,9 @@ # astronomy gpredict +# weather/climate +aweather + # browsers/email firefox iceweasel @@ -78,6 +81,7 @@ quassel xchat # games +0ad hedgewars wesnot warzone2100 -- cgit v1.2.3-70-g09d2 From 14bc13ca49895676e36e4ffa2f56657dc5336d10 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Tue, 19 Apr 2016 11:44:05 +1000 Subject: added stellarium profile --- etc/stellarium.profile | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 etc/stellarium.profile diff --git a/etc/stellarium.profile b/etc/stellarium.profile new file mode 100644 index 000000000..7cb74eeaa --- /dev/null +++ b/etc/stellarium.profile 
@@ -0,0 +1,27 @@ +# Firejail profile for Stellarium. + +# Noblacklist +noblacklist ~/.stellarium +noblacklist ~/.config/stellarium + +# Include +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +# Call these options +caps.drop all +netfilter +noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog + +# Whitelist +mkdir ~/.stellarium +whitelist ~/.stellarium + +mkdir ~/.config +mkdir ~/.config/stellarium +whitelist ~/.config/stellarium -- cgit v1.2.3-70-g09d2 From 7c0d9f974660f10ffc096a379d6dd4cb46761023 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Tue, 19 Apr 2016 11:49:44 +1000 Subject: extra stellarium files --- Makefile.in | 1 + README | 8 ++++---- README.md | 2 +- etc/disable-programs.inc | 2 ++ platform/debian/conffiles | 1 + src/firecfg/firecfg.config | 1 + 6 files changed, 10 insertions(+), 5 deletions(-) diff --git a/Makefile.in b/Makefile.in index 0ba490454..c15ecd7dd 100644 --- a/Makefile.in +++ b/Makefile.in @@ -170,6 +170,7 @@ realinstall: install -c -m 0644 .etc/gwenview.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/gpredict.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/aweather.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/stellarium.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" rm -fr .etc diff --git a/README b/README index db7410a73..7919bdaad 100644 --- a/README +++ b/README 
@@ -19,9 +19,9 @@ Firejail Authors: netblue30 (netblue30@yahoo.com) curiosity-seeker (https://github.com/curiosity-seeker) - - tightening unbound and dnscrypt-proxy profiles - - dnsmasq profile - - okular and gwenview profiles + - tightening unbound and dnscrypt-proxy profiles + - dnsmasq profile + - okular and gwenview profiles Matthew Gyurgyik (https://github.com/pyther) - rpm spec and several fixes Joan Figueras (https://github.com/figue) @@ -35,7 +35,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added Warzone2100 profile - blacklisted VeraCrypt - added Gpredict profile - - added Aweather profile + - added Aweather, Stellarium profiles avoidr (https://github.com/avoidr) - whitelist fix - recently-used.xbel fix diff --git a/README.md b/README.md index 99ded275e..5b2626288 100644 --- a/README.md +++ b/README.md @@ -282,5 +282,5 @@ $ man firejail-profile ## New security profiles lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox, OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf, -Warzone2100, okular, gwenview, Gpredict, Aweather +Warzone2100, okular, gwenview, Gpredict, Aweather, Stellarium diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 2b3a933a5..317ac082f 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -5,11 +5,13 @@ blacklist ${HOME}/.FBReader blacklist ${HOME}/.wine blacklist ${HOME}/.Mathematica blacklist ${HOME}/.Wolfram Research +blacklist ${HOME}/.stellarium blacklist ${HOME}/.config/mupen64plus blacklist ${HOME}/.config/transmission blacklist ${HOME}/.config/uGet blacklist ${HOME}/.config/Gpredict blacklist ${HOME}/.config/aweather +blacklist ${HOME}/.config/stellarium blacklist ~/.kde/share/apps/okular blacklist ~/.kde/share/config/okularrc blacklist ~/.kde/share/config/okularpartrc diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 1cdf3d0f4..7ce729d6e 100644 
--- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -89,3 +89,4 @@ /etc/firejail/gwenview.profile /etc/firejail/gpredict.profile /etc/firejail/aweather.profile +/etc/firejail/stellarium.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index da31a7c7e..3812ee7d8 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -4,6 +4,7 @@ # astronomy gpredict +stellarium # weather/climate aweather -- cgit v1.2.3-70-g09d2 From 7cc1fa0d7e572b7e9417f011509c4cf6d719dd9b Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 19 Apr 2016 08:54:04 -0400 Subject: google-play-music-desktop-player.profile --- Makefile.in | 1 + README | 1 + README.md | 2 +- RELNOTES | 3 ++- etc/google-play-music-desktop-player.profile | 1 + platform/debian/conffiles | 1 + 6 files changed, 7 insertions(+), 2 deletions(-) diff --git a/Makefile.in b/Makefile.in index c15ecd7dd..dfeea565b 100644 --- a/Makefile.in +++ b/Makefile.in @@ -171,6 +171,7 @@ realinstall: install -c -m 0644 .etc/gpredict.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/aweather.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/stellarium.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/google-play-music-desktop-player.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" rm -fr .etc diff --git a/README b/README index 7919bdaad..b1e1bd546 100644 --- a/README +++ b/README 
@@ -26,6 +26,7 @@ Matthew Gyurgyik (https://github.com/pyther) - rpm spec and several fixes Joan Figueras (https://github.com/figue) - added abrowser profile + - added Google-Play-Music-Desktop-Player Fred-Barclay (https://github.com/Fred-Barclay) - added Vivaldi, Atril profiles - added PaleMoon profile diff --git a/README.md b/README.md index 5b2626288..1cfbd0aa9 100644 --- a/README.md +++ b/README.md @@ -282,5 +282,5 @@ $ man firejail-profile ## New security profiles lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox, OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf, -Warzone2100, okular, gwenview, Gpredict, Aweather, Stellarium +Warzone2100, okular, gwenview, Gpredict, Aweather, Stellarium, Google-Play-Music-Desktop-Player diff --git a/RELNOTES b/RELNOTES index 188f9d513..1502f5bba 100644 --- a/RELNOTES +++ b/RELNOTES @@ -20,7 +20,8 @@ firejail (0.9.40-rc1) baseline; urgency=low * new profiles: qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars * new profiles: qTox, OpenSSH client, OpenBox, Dillo, cmus, dnsmasq * new profiles: PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100 - * new profiles: okular, gwenview + * new profiles: okular, gwenview, Google-Play-Music-Desktop-Player + * new profiles: Aweather, Stellarium, gpredict * build rpm packages using "make rpms" * bugfixes -- netblue30 Sun, 3 Apr 2016 08:00:00 -0500 diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile index 56d09d5b2..7fe43f1f6 100644 --- a/etc/google-play-music-desktop-player.profile +++ b/etc/google-play-music-desktop-player.profile @@ -10,6 +10,7 @@ caps.drop all seccomp protocol unix,inet,inet6,netlink noroot +netfilter #whitelist ~/.pulse #whitelist ~/.config/pulse diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 7ce729d6e..a5ca6d072 100644 --- a/platform/debian/conffiles 
+++ b/platform/debian/conffiles @@ -90,3 +90,4 @@ /etc/firejail/gpredict.profile /etc/firejail/aweather.profile /etc/firejail/stellarium.profile +/etc/firejail/google-play-music-desktop-player.profile -- cgit v1.2.3-70-g09d2 From 0d5453fc72da34081f22caf191ff31a22be52af8 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 19 Apr 2016 11:28:19 -0400 Subject: networking profile file support --- src/firejail/main.c | 24 +++++----- src/firejail/profile.c | 121 ++++++++++++++++++++++++++++++++++++++++++++++- test/net-profile.profile | 10 ++++ test/net_profile.exp | 73 ++++++++++++++++++++++++++++ test/test.sh | 3 ++ todo | 2 + 6 files changed, 220 insertions(+), 13 deletions(-) create mode 100644 test/net-profile.profile create mode 100755 test/net_profile.exp diff --git a/src/firejail/main.c b/src/firejail/main.c index b51ba2e65..15720b4c6 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1542,17 +1542,17 @@ int main(int argc, char **argv) { Bridge *br = last_bridge_configured(); if (br == NULL) { fprintf(stderr, "Error: no network device configured\n"); - return 1; + exit(1); } if (mac_not_zero(br->macsandbox)) { fprintf(stderr, "Error: cannot configure the MAC address twice for the same interface\n"); - return 1; + exit(1); } // read the address if (atomac(argv[i] + 6, br->macsandbox)) { fprintf(stderr, "Error: invalid MAC address\n"); - return 1; + exit(1); } } else { @@ -1566,12 +1566,12 @@ int main(int argc, char **argv) { Bridge *br = last_bridge_configured(); if (br == NULL) { fprintf(stderr, "Error: no network device configured\n"); - return 1; + exit(1); } if (sscanf(argv[i] + 6, "%d", &br->mtu) != 1 || br->mtu < 576 || br->mtu > 9198) { fprintf(stderr, "Error: invalid mtu value\n"); - return 1; + exit(1); } } else { 
@@ -1585,11 +1585,11 @@ int main(int argc, char **argv) { Bridge *br = last_bridge_configured(); if (br == NULL) { fprintf(stderr, "Error: no network device configured\n"); - return 1; + exit(1); } if (br->arg_ip_none || br->ipsandbox) { fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n"); - return 1; + exit(1); } // configure this IP address for the last bridge defined @@ -1598,7 +1598,7 @@ int main(int argc, char **argv) { else { if (atoip(argv[i] + 5, &br->ipsandbox)) { fprintf(stderr, "Error: invalid IP address\n"); - return 1; + exit(1); } } } @@ -1613,11 +1613,11 @@ int main(int argc, char **argv) { Bridge *br = last_bridge_configured(); if (br == NULL) { fprintf(stderr, "Error: no network device configured\n"); - return 1; + exit(1); } if (br->arg_ip_none || br->ip6sandbox) { fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n"); - return 1; + exit(1); } // configure this IP address for the last bridge defined @@ -1625,7 +1625,7 @@ int main(int argc, char **argv) { br->ip6sandbox = argv[i] + 6; // if (atoip(argv[i] + 5, &br->ipsandbox)) { // fprintf(stderr, "Error: invalid IP address\n"); -// return 1; +// exit(1); // } } else { @@ -1639,7 +1639,7 @@ int main(int argc, char **argv) { if (checkcfg(CFG_NETWORK)) { if (atoip(argv[i] + 12, &cfg.defaultgw)) { fprintf(stderr, "Error: invalid IP address\n"); - return 1; + exit(1); } } else { diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 6ded0ca2f..7ff7c7926 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c 
@@ -319,7 +319,126 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { return 0; } - + +// from here + else if (strncmp(ptr, "mac ", 4) == 0) { +#ifdef HAVE_NETWORK + if (checkcfg(CFG_NETWORK)) { + Bridge *br = last_bridge_configured(); + if (br == NULL) { + fprintf(stderr, "Error: no network device configured\n"); + exit(1); + } + + if (mac_not_zero(br->macsandbox)) { + fprintf(stderr, "Error: cannot configure the MAC address twice for the same interface\n"); + exit(1); + } + + // read the address + if (atomac(ptr + 4, br->macsandbox)) { + fprintf(stderr, "Error: invalid MAC address\n"); + exit(1); + } + } + else + fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); +#endif + return 0; + } + + else if (strncmp(ptr, "mtu ", 4) == 0) { +#ifdef HAVE_NETWORK + if (checkcfg(CFG_NETWORK)) { + Bridge *br = last_bridge_configured(); + if (br == NULL) { + fprintf(stderr, "Error: no network device configured\n"); + exit(1); + } + + if (sscanf(ptr + 4, "%d", &br->mtu) != 1 || br->mtu < 576 || br->mtu > 9198) { + fprintf(stderr, "Error: invalid mtu value\n"); + exit(1); + } + } + else + fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); +#endif + return 0; + } + + else if (strncmp(ptr, "ip ", 3) == 0) { +#ifdef HAVE_NETWORK + if (checkcfg(CFG_NETWORK)) { + Bridge *br = last_bridge_configured(); + if (br == NULL) { + fprintf(stderr, "Error: no network device configured\n"); + exit(1); + } + if (br->arg_ip_none || br->ipsandbox) { + fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n"); + exit(1); + } + + // configure this IP address for the last bridge defined + if (strcmp(ptr + 3, "none") == 0) + br->arg_ip_none = 1; + else { + if (atoip(ptr + 3, &br->ipsandbox)) { + fprintf(stderr, "Error: invalid IP address\n"); + exit(1); + } + } + } + else + fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); 
+#endif + return 0; + } + + else if (strncmp(ptr, "ip6 ", 4) == 0) { +#ifdef HAVE_NETWORK + if (checkcfg(CFG_NETWORK)) { + Bridge *br = last_bridge_configured(); + if (br == NULL) { + fprintf(stderr, "Error: no network device configured\n"); + exit(1); + } + if (br->arg_ip_none || br->ip6sandbox) { + fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n"); + exit(1); + } + + // configure this IP address for the last bridge defined + // todo: verify ipv6 syntax + br->ip6sandbox = ptr + 4; +// if (atoip(argv[i] + 5, &br->ipsandbox)) { +// fprintf(stderr, "Error: invalid IP address\n"); +// exit(1); +// } + + } + else + fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); +#endif + return 0; + } + + else if (strncmp(ptr, "defaultgw ", 10) == 0) { +#ifdef HAVE_NETWORK + if (checkcfg(CFG_NETWORK)) { + Bridge *br = last_bridge_configured(); + if (atoip(ptr + 10, &cfg.defaultgw)) { + fprintf(stderr, "Error: invalid IP address\n"); + exit(1); + } + } + else + fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); +#endif + return 0; + } + if (strncmp(ptr, "protocol ", 9) == 0) { #ifdef HAVE_SECCOMP if (checkcfg(CFG_SECCOMP)) diff --git a/test/net-profile.profile b/test/net-profile.profile new file mode 100644 index 000000000..05052b6dc --- /dev/null +++ b/test/net-profile.profile @@ -0,0 +1,10 @@ +net br0 +mac 00:11:22:33:44:55 +mtu 1000 +net br1 +ip 10.10.30.50 +net br2 +ip 10.10.40.100 +net br3 +defaultgw 10.10.20.2 + diff --git a/test/net_profile.exp b/test/net_profile.exp new file mode 100755 index 000000000..37043c906 --- /dev/null +++ b/test/net_profile.exp 
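Review bot: In the `ip6 ` branch of profile_check_line(), `br->ip6sandbox = ptr + 4;` stores a pointer into the profile line buffer without checking the address, while the `mac `, `mtu ` and `ip ` branches all validate their argument before accepting it. Whether `ptr` outlives this call is not visible in the hunk; if the caller frees or reuses the line after a `return 0`, the bridge is left with a dangling pointer, so copying is the safer choice: `br->ip6sandbox = strdup(ptr + 4);` with a NULL check. The `// todo: verify ipv6 syntax` should be resolved before a profile-supplied string is handed to the network setup code, and the commented-out block under it still refers to `argv[i]`, which does not exist in this function. In the `defaultgw ` branch `Bridge *br` is assigned and never used, and when HAVE_NETWORK is undefined all five commands are accepted silently; a warning there would tell the profile author that the settings were ignored. The function begins and ends outside the hunk.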
@@ -0,0 +1,73 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +# check eth0 +send -- "firejail --profile=net-profile.profile\r" +expect { + timeout {puts "TESTING ERROR 0.0\n";exit} + "eth0" +} +expect { + timeout {puts "TESTING ERROR 0.1\n";exit} + "00:11:22:33:44:55" +} +expect { + timeout {puts "TESTING ERROR 0.1\n";exit} + "10.10.20" +} +expect { + timeout {puts "TESTING ERROR 0.2\n";exit} + "255.255.255.248" +} +expect { + timeout {puts "TESTING ERROR 0.3\n";exit} + "UP" +} +expect { + timeout {puts "TESTING ERROR 0.4\n";exit} + "Child process initialized" +} +sleep 2 + +send -- "ip route show\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "10.10.30.0/24 dev eth1 proto kernel scope link src 10.10.30.50" +} + +send -- "ip route show\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "10.10.40.0/24 dev eth2 proto kernel scope link src 10.10.40.100" +} + + +# check default gw +send -- "ip route show\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "default via 10.10.20.2 dev eth0" +} + +# check mtu +send -- "ip link show\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "eth0" +} +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "mtu 1000" +} +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "state UP" +} + +sleep 1 + +puts "\nall done\n" + diff --git a/test/test.sh b/test/test.sh index c6fe4f299..961b48807 100755 --- a/test/test.sh +++ b/test/test.sh @@ -10,6 +10,9 @@ echo "TESTING: cpu.print (cpu-print.exp)" echo "TESTING: failing under VirtualBox where there is only one CPU" ./cpu-print.exp +echo "TESTING: network profile (net_profile.exp)" +./net_profile.exp + echo "TESTING: bandwidth (bandwidth.exp)" ./bandwidth.exp diff --git a/todo b/todo index f23b4b13d..56cc3dc0b 100644 --- a/todo +++ b/todo 
@@ -80,3 +80,5 @@ https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/ https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_32.tbl 12. check for --chroot why .config/pulse dir is not created + +13. print error line number for profile files in profile_check_line() -- cgit v1.2.3-70-g09d2 From 99c2a67527dc9658165110a7f2cde0f6bc3350dd Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 19 Apr 2016 16:04:40 -0400 Subject: profile manpage --- RELNOTES | 2 +- src/man/firejail-profile.txt | 55 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 56 insertions(+), 1 deletion(-) diff --git a/RELNOTES b/RELNOTES index 1502f5bba..3ce9ffaf7 100644 --- a/RELNOTES +++ b/RELNOTES @@ -7,7 +7,7 @@ firejail (0.9.40-rc1) baseline; urgency=low * added filetransfer options --ls and --get * added --writable-etc and --writable-var options * added mkdir, ipc-namespace, and nosound profile commands - * added net iface, and iprange profile commands + * added net, ip, defaultgw, ip, mac, mtu and iprange profile commands * --version also prints compile options * --output option also redirects stderr * added compile-time option to restrict --net= to root only diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 9045c1122..f5610cafc 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -284,9 +284,15 @@ Enable IPC namespace. .TP \fBnosound Disable sound system. + .SH Networking Networking features available in profile files. +.TP +\fBdefaultgw address +Use this address as default gateway in the new network namespace. + +.TP \fBdns address Set a DNS server for the sandbox. Up to three DNS servers can be defined. 
@@ -294,6 +300,45 @@ Set a DNS server for the sandbox. Up to three DNS servers can be defined. \fBhostname name Set a hostname for the sandbox. +.TP +\fBip address +Assign IP addresses to the last network interface defined by a net command. A +default gateway is assigned by default. +.br + +.br +Example: +.br +net eth0 +.br +ip 10.10.20.56 + +.TP +\fBip none +No IP address and no default gateway are configured for the last interface +defined by a net command. Use this option +in case you intend to start an external DHCP client in the sandbox. +.br + +.br +Example: +.br +net eth0 +.br +ip none + +.TP +\fBip6 address +Assign IPv6 addresses to the last network interface defined by a net command. +.br + +.br +Example: +.br +net eth0 +.br +ip6 2001:0db8:0:f101::1/64 + .TP \fBiprange address,address Assign an IP address in the provided range to the last network @@ -310,6 +355,16 @@ net eth0 iprange 192.168.1.150,192.168.1.160 .br +.TP +\fBmac address +Assign MAC addresses to the last network interface defined by a net command. + +.TP +\fBmtu number +Assign a MTU value to the last network interface defined by a net command. + + + .TP \fBnetfilter If a new network namespace is created, enabled default network filter. -- cgit v1.2.3-70-g09d2 From 2d30810f09d34156e7f945e22f6256db1cc41910 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 20 Apr 2016 08:38:42 -0400 Subject: RELNOTES fix --- RELNOTES | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELNOTES b/RELNOTES index 3ce9ffaf7..19bd54dd6 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -7,7 +7,7 @@ firejail (0.9.40-rc1) baseline; urgency=low * added filetransfer options --ls and --get * added --writable-etc and --writable-var options * added mkdir, ipc-namespace, and nosound profile commands - * added net, ip, defaultgw, ip, mac, mtu and iprange profile commands + * added net, ip, defaultgw, ip6, mac, mtu and iprange profile commands * --version also prints compile options * --output option also redirects stderr * added compile-time option to restrict --net= to root only -- cgit v1.2.3-70-g09d2 From 4288f19e27005e559c0b75387738da831bf64035 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 20 Apr 2016 09:03:27 -0400 Subject: fix: --private-etc and --writable-etc are mutually exclusive --- src/firejail/main.c | 9 +++++++++ src/firejail/profile.c | 4 ++++ 2 files changed, 13 insertions(+) diff --git a/src/firejail/main.c b/src/firejail/main.c index 15720b4c6..0f7809fea 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1279,6 +1279,10 @@ int main(int argc, char **argv) { fprintf(stderr, "Error: --writable-etc is available only for root user\n"); exit(1); } + if (cfg.etc_private_keep) { + fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n"); + exit(1); + } arg_writable_etc = 1; } else if (strcmp(argv[i], "--writable-var") == 0) { @@ -1304,6 +1308,11 @@ int main(int argc, char **argv) { arg_private_dev = 1; } else if (strncmp(argv[i], "--private-etc=", 14) == 0) { + if (arg_writable_etc) { + fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n"); + exit(1); + } + // extract private etc list cfg.etc_private_keep = argv[i] + 14; if (*cfg.etc_private_keep == '\0') { diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 7ff7c7926..a2336090f 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c 
@@ -580,6 +580,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { // private /etc list of files and directories if (strncmp(ptr, "private-etc ", 12) == 0) { + if (arg_writable_etc) { + fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n"); + exit(1); + } cfg.etc_private_keep = ptr + 12; fs_check_etc_list(); if (*cfg.etc_private_keep != '\0') -- cgit v1.2.3-70-g09d2 From 66cd15982d1d763afe70852aa4b3342313d04656 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 20 Apr 2016 09:16:35 -0400 Subject: profile support for writable-etc and writable-var --- src/firejail/profile.c | 24 ++++++++++++++++++++++++ src/man/firejail-profile.txt | 8 ++++++++ src/man/firejail.txt | 4 ++-- 3 files changed, 34 insertions(+), 2 deletions(-) diff --git a/src/firejail/profile.c b/src/firejail/profile.c index a2336090f..9e0f0325e 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -570,6 +570,30 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { return 0; } + // writable-etc + if (strcmp(ptr, "writable-etc") == 0) { + if (getuid() != 0) { + fprintf(stderr, "Error: writable-etc is available only for root user\n"); + exit(1); + } + if (cfg.etc_private_keep) { + fprintf(stderr, "Error: private-etc and writable-etc are mutually exclusive\n"); + exit(1); + } + arg_writable_etc = 1; + return 0; + } + + // writable-var + if (strcmp(ptr, "writable-var") == 0) { + if (getuid() != 0) { + fprintf(stderr, "Error: writable-var is available only for root user\n"); + exit(1); + } + arg_writable_var = 1; + return 0; + } + // private directory if (strncmp(ptr, "private ", 8) == 0) { cfg.home_private = ptr + 8; diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index f5610cafc..8d0b6a890 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt 
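Review bot: The error added to the `private-etc` branch is printed from the profile parser but uses the command-line spelling `--private-etc and --writable-etc`, and it does not say which profile line triggered it even though `lineno` and `fname` are parameters of profile_check_line(). The `writable-etc` and `writable-var` branches added in the next commit, and the later `read-write` branch, have the same gap. Because main.c also calls `profile_check_line(line, 0, NULL)`, the location prefix has to be conditional, for example `if (fname) fprintf(stderr, "%s:%d: ", fname, lineno);` before the message. The function body continues outside this hunk.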
@@ -181,6 +181,14 @@ Build a new user home in a temporary filesystem, and mount-bind file_or_director The modifications to file_or_directory are persistent, everything else is discarded when the sandbox is closed. .TP +\fBwritable-etc +Mount /etc directory read-write. This option is available only +when running the sandbox as root user. +.TP +\fBwritable-var +Mount /var directory read-write. This option is available only +when running the sandbox as root user. +.TP \fBtracelog Blacklist violations logged to syslog. .SH Security filters diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 14b3c6a60..51abaef28 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -1463,7 +1463,7 @@ $ firejail "\-\-whitelist=/home/username/My Virtual Machines" .TP \fB\-\-writable-etc -Mount /etc directory read-write. This option is available only when running the sandbox as root user +Mount /etc directory read-write. This option is available only when running the sandbox as root user. .br .br @@ -1473,7 +1473,7 @@ $ sudo firejail --writable-etc .TP \fB\-\-writable-var -Mount /var directory read-write. This option is available only when running the sandbox as root user +Mount /var directory read-write. This option is available only when running the sandbox as root user. .br .br -- cgit v1.2.3-70-g09d2 From 6517bed2ff93a770c9f1dd2fcf3f6c6b267bc57a Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 20 Apr 2016 09:32:47 -0400 Subject: fix mkdir description in man firejail-profile --- src/man/firejail-profile.txt | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 8d0b6a890..8ad2eefad 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt 
@@ -135,8 +135,14 @@ Mount-bind directory1 on top of directory2. This option is only available when r Mount-bind file1 on top of file2. This option is only available when running as root. .TP \fBmkdir directory -Create a directory in user home. Use this command for whitelisted directories you need to preserve -when the sandbox is closed. Subdirectories also need to be created using mkdir. Example from +Create a directory in user home before the sandbox is started. +The directory is created if it doesn't already exist. +.br + +.br +Use this command for whitelisted directories you need to preserve +when the sandbox is closed. Without it, the application will create the directory, and the directory +will be deleted when the sandbox is closed. Subdirectories also need to be created using mkdir. Example from firefox profile: .br -- cgit v1.2.3-70-g09d2 From 4699843c98b6338486cb3e32cd6256708553b614 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 20 Apr 2016 12:43:25 -0400 Subject: added --read-write option --- src/firejail/firejail.h | 5 +++ src/firejail/fs.c | 5 +-- src/firejail/fs_rdwr.c | 93 +++++++++++++++++++++++++++++++++++++++++++++++++ src/firejail/main.c | 8 +++++ src/firejail/profile.c | 12 +++++++ 5 files changed, 121 insertions(+), 2 deletions(-) create mode 100644 src/firejail/fs_rdwr.c diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index ece1eee4e..302883310 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -568,5 +568,10 @@ void sandboxfs(int op, pid_t pid, const char *patqh); #define CFG_MAX 8 // this should always be the last entry int checkcfg(int val); +// fs_rdwr.c +void fs_rdwr_add(const char *path); +void fs_rdwr(void); + + #endif diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 4c2510021..171b4848c 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c 
@@ -729,11 +729,9 @@ void fs_basic_fs(void) { printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr"); if (!arg_writable_etc) { fs_rdonly("/etc"); - if (arg_debug) printf(", /etc"); } if (!arg_writable_var) { fs_rdonly("/var"); - if (arg_debug) printf(", /var"); } if (arg_debug) printf("\n"); fs_rdonly("/bin"); @@ -764,6 +762,9 @@ void fs_basic_fs(void) { disable_firejail_config(); else fprintf(stderr, "Warning: masking /etc/firejail disabled when starting the sandbox as root\n"); + + if (getuid() == 0) + fs_rdwr(); } diff --git a/src/firejail/fs_rdwr.c b/src/firejail/fs_rdwr.c new file mode 100644 index 000000000..68df6465f --- /dev/null +++ b/src/firejail/fs_rdwr.c 
@@ -0,0 +1,93 @@ +/* + * Copyright (C) 2014-2016 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "firejail.h" +#include +#include +#include +#include +#include + +typedef struct rdwr_t { + struct rdwr_t *next; + const char *path; +} RDWR; + +RDWR *rdwr = NULL; + +void fs_rdwr_add(const char *path) { + // verify path + if (*path != '/') { + fprintf(stderr, "Error: invalid path for read-write command\n"); + exit(1); + } + invalid_filename(path); + if (is_link(path)) { + fprintf(stderr, "Error: invalid symbolic link for read-write command\n"); + exit(1); + } + if (strstr(path, "..")) { + fprintf(stderr, "Error: invalid path for read-write command\n"); + exit(1); + } + + // print warning if the file doesn't exist + struct stat s; + if (stat(path, &s) == -1) { + fprintf(stderr, "Warning: %s not found, skipping read-write command\n", path); + return; + } + + // build list entry + RDWR *r = malloc(sizeof(RDWR)); + if (!r) + errExit("malloc"); + memset(r, 0, sizeof(RDWR)); + r->path = path; + + // add + r->next = rdwr; + rdwr = r; +} + +static void mount_rdwr(const char *path) { + assert(path); + // check directory exists + struct stat s; + int rv = stat(path, &s); + if (rv == 0) { + // mount --bind /bin /bin + if 
(mount(path, path, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mount read-write"); + // mount --bind -o remount,rw /bin + if (mount(NULL, path, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0) + errExit("mount read-write"); + fs_logger2("read-write", path); + } +} + +void fs_rdwr(void) { + RDWR *ptr = rdwr; + + while (ptr) { + mount_rdwr(ptr->path); + ptr = ptr->next; + } +} + diff --git a/src/firejail/main.c b/src/firejail/main.c index 0f7809fea..54b9c05f0 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1097,6 +1097,14 @@ int main(int argc, char **argv) { profile_check_line(line, 0, NULL); // will exit if something wrong profile_add(line); } + else if (strncmp(argv[i], "--read-write=", 13) == 0) { + char *line; + if (asprintf(&line, "read-write %s", argv[i] + 13) == -1) + errExit("asprintf"); + + profile_check_line(line, 0, NULL); // will exit if something wrong + // profile_add(line); is not necessary + } else if (strcmp(argv[i], "--overlay") == 0) { if (cfg.chrootdir) { fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 9e0f0325e..38052c4f1 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -716,6 +716,18 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { return 0; } + // read-write + if (strncmp(ptr, "read-write ", 11) == 0) { + if (getuid() != 0) { + fprintf(stderr, "Error: read-write command is available only for root user\n"); + exit(1); + } +printf("here %d\n", __LINE__); + fs_rdwr_add(ptr + 11); +printf("here %d\n", __LINE__); + return 0; + } + // rest of filesystem if (strncmp(ptr, "blacklist ", 10) == 0) ptr += 10; -- cgit v1.2.3-70-g09d2 From 3ef383bfbfc127eabdc96a2686928357593e2177 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 20 Apr 2016 12:44:17 -0400 Subject: added --read-write option --- src/firejail/profile.c | 2 -- 1 file changed, 2 deletions(-) 
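Review bot: The symlink and `..` checks run in fs_rdwr_add() while options are parsed, but mount_rdwr() later calls stat() and mount() on the same string, and both follow symbolic links, so a path that changes between parsing and sandbox setup is bind-mounted read-write without being checked again. Since this list exists to open writable holes in the otherwise read-only system directories, I would repeat the check immediately before the first mount, e.g. `if (is_link(path)) { fprintf(stderr, "Error: invalid symbolic link for read-write command\n"); exit(1); }`. mount_rdwr() also returns silently when stat() fails, whereas fs_rdwr_add() prints a warning for the same condition; a matching warning there would keep a dropped entry from going unnoticed. `RDWR *rdwr` is only used in this file as far as the hunk shows and could be `static`.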
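Review bot: In the `--read-write=` branch, `line` from asprintf() is never freed and is not handed to profile_add(), and that is required rather than a leak: profile_check_line() passes `ptr + 11` to fs_rdwr_add(), which stores the pointer in `r->path` without copying (fs_rdwr.c in this commit). The existing comment does not say this, so a later cleanup that adds `free(line)` would leave the read-write list pointing at freed memory when fs_rdwr() runs. I would extend the comment to `// do not free line: fs_rdwr_add() keeps a pointer into it; profile_add(line) is not necessary`. main() continues outside this hunk.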
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 38052c4f1..d358594d9 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -722,9 +722,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { fprintf(stderr, "Error: read-write command is available only for root user\n"); exit(1); } -printf("here %d\n", __LINE__); fs_rdwr_add(ptr + 11); -printf("here %d\n", __LINE__); return 0; } -- cgit v1.2.3-70-g09d2 From e547b142597568da678c54da8b5b4164fb3fee86 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 21 Apr 2016 10:47:52 -0400 Subject: --read-write option --- RELNOTES | 1 + src/firejail/usage.c | 1 + src/man/firejail-profile.txt | 21 ++++++++++++--------- src/man/firejail.txt | 27 ++++++++++++++++++++------- 4 files changed, 34 insertions(+), 16 deletions(-) diff --git a/RELNOTES b/RELNOTES index 19bd54dd6..2a7e8ca60 100644 --- a/RELNOTES +++ b/RELNOTES @@ -6,6 +6,7 @@ firejail (0.9.40-rc1) baseline; urgency=low * added --cpu.print option * added filetransfer options --ls and --get * added --writable-etc and --writable-var options + * added --read-only option * added mkdir, ipc-namespace, and nosound profile commands * added net, ip, defaultgw, ip6, mac, mtu and iprange profile commands * --version also prints compile options diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 8b61629f4..8c738a0fc 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -209,6 +209,7 @@ void usage(void) { printf("\tcreated for the real user ID of the calling process.\n\n"); printf(" --rlimit-sigpending=number - set the maximum number of pending signals\n"); printf("\tfor a process.\n\n"); + printf(" --read-write=dirname_or_filename - set directory or file read-write..\n\n"); #ifdef HAVE_NETWORK printf(" --scan - ARP-scan all the networks from inside a network namespace.\n"); printf("\tThis makes it possible to detect macvlan kernel device drivers\n"); 
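Review bot: The new usage line in usage.c ends in a doubled period (`read-write..`) and omits the restriction that profile.c enforces and the man page in this commit documents, namely that the option is available only to root and only affects the read-only system directories. I would write it as `printf(" --read-write=dirname_or_filename - set directory or file read-write\n");` followed by `printf("\tinside the read-only system directories (root user only).\n\n");`. The entry is also inserted after the `--rlimit-*` options, while the man page hunk places it in the same spot, so both are out of alphabetical order if the list is meant to be sorted. usage() continues outside the hunk.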
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 8ad2eefad..19063f5ef 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -121,12 +121,6 @@ blacklist ${PATH}/ifconfig .br blacklist ${HOME}/.ssh -.TP -\fBread-only file_or_directory -Make directory or file read-only. -.TP -\fBtmpfs directory -Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root. .TP \fBbind directory1,directory2 Mount-bind directory1 on top of directory2. This option is only available when running as root. @@ -182,6 +176,18 @@ All modifications are discarded when the sandbox is closed. \fBprivate-tmp Mount an empty temporary filesystem on top of /tmp directory. .TP +\fBread-only file_or_directory +Make directory or file read-only. +.TP +\fBread-write file_or_directory +Make directory or file read-write. +.TP +\fBtmpfs directory +Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root. +.TP +\fBtracelog +Blacklist violations logged to syslog. +.TP \fBwhitelist file_or_directory Build a new user home in a temporary filesystem, and mount-bind file_or_directory. The modifications to file_or_directory are persistent, everything else is discarded @@ -194,9 +200,6 @@ when running the sandbox as root user. \fBwritable-var Mount /var directory read-write. This option is available only when running the sandbox as root user. -.TP -\fBtracelog -Blacklist violations logged to syslog. .SH Security filters The following security filters are currently implemented: diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 51abaef28..19415a332 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
@@ -50,15 +50,16 @@ of applications. The software includes security profiles for a number of more co Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc. .SH USAGE -Without any options, the sandbox consists of a chroot filesystem build in a new mount namespace, -and new PID and UTS namespaces. IPC, network and user namespaces can be added using the command line options. -The default Firejail filesystem is based on the host filesystem with the main directories mounted read-only. -Only /home and /tmp are writable. +Without any options, the sandbox consists of a filesystem build in a new mount namespace, +and new PID and UTS namespaces. IPC, network and user namespaces can be added using the +command line options. The default Firejail filesystem is based on the host filesystem with the main +system directories mounted read-only. These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, +/libx32 and /lib64. Only /home and /tmp are writable. .PP As it starts up, Firejail tries to find a security profile based on the name of the application. If an appropriate profile is not found, Firejail will use a default profile. The default profile is quite restrictive. In case the application doesn't work, use --noprofile option -to disable it. For more information, please see \fBSECURITY PROFILES\fR section. +to disable it. For more information, please see \fBSECURITY PROFILES\fR section below. .PP If a program argument is not specified, Firejail starts /bin/bash shell. Examples: @@ -194,7 +195,8 @@ Example: .TP \fB\-\-chroot=dirname -Chroot the sandbox into a root filesystem. If the sandbox is started as a +Chroot the sandbox into a root filesystem. Unlike the regular filesystem container, +the system directories are mounted read-write. If the sandbox is started as a regular user, default seccomp and capabilities filters are enabled. This option is not available on Grsecurity systems. .br 
@@ -946,7 +948,8 @@ $ ls -l sandboxlog* .TP \fB\-\-overlay -Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay. +Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container, +the system directories are mounted read-write. All filesystem modifications go into the overlay. The overlay is stored in $HOME/.firejail directory. This option is not available on Grsecurity systems. .br @@ -1143,6 +1146,16 @@ Set the maximum number of processes that can be created for the real user ID of .TP \fB\-\-rlimit-sigpending=number Set the maximum number of pending signals for a process. + +.TP +\fB\-\-read-write=dirname_or_filename +By default, the sandbox mounts system directories read-only. +These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64. +Use this option to mount read-write files or directories inside the system directories. + +This option is available only to root user. It has no effect when --chroot or --overlay are also set. In these +cases the system directories are mounted read-write. + .TP \fB\-\-scan ARP-scan all the networks from inside a network namespace. -- cgit v1.2.3-70-g09d2 From 7dc1965e85e5f85cb0cdaf085db9949e4cdc1073 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Fri, 22 Apr 2016 01:03:36 +1000 Subject: fixed python libs --- etc/hexchat.profile | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/etc/hexchat.profile b/etc/hexchat.profile index 8f6fd6217..7978960c8 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile @@ -1,5 +1,6 @@ # HexChat instant messaging profile noblacklist ${HOME}/.config/hexchat +noblacklist /usr/lib/python2* include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc 
@@ -8,3 +9,8 @@ caps.drop all seccomp protocol unix,inet,inet6 noroot +netfilter + +mkdir ~/.config +mkdir ~/.config/hexchat +whitelist ~/.config/hexchat -- cgit v1.2.3-70-g09d2 From f586c532955b81a2955aadfbfaddffe279744b54 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Fri, 22 Apr 2016 01:04:22 +1000 Subject: added print config dir --- etc/atril.profile | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/etc/atril.profile b/etc/atril.profile index e078c1d20..c5b2abc48 100644 --- a/etc/atril.profile +++ b/etc/atril.profile @@ -1,4 +1,5 @@ # Atril profile +noblacklist ~/.config/atril include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc @@ -7,6 +8,10 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp protocol unix,inet,inet6 -netfilter +net none noroot tracelog + +mkdir ~/.config +mkdir ~/.config/atril +whitelist ~/.config/atril -- cgit v1.2.3-70-g09d2 From ad2f7bc496e3cc83bca2381515312dd2ef6fc7f1 Mon Sep 17 00:00:00 2001 
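Review bot: The `whitelist ~/.config/atril` line added to atril.profile may hide the user's documents from the viewer: the firejail-profile man page on this page describes `whitelist` as building a new home in a temporary filesystem with only the listed path bind-mounted, so files elsewhere under the home directory would presumably not be visible to open. If the intent is only to keep print settings, dropping the `mkdir`/`whitelist` lines and relying on `noblacklist ~/.config/atril` avoids that; otherwise the profile needs a whitelist entry for wherever documents are opened from. The switch from `netfilter` to `net none` tightens the profile and is unaffected by this. The hexchat hunk uses `${HOME}` in its `noblacklist` line where this one uses `~`; picking one spelling keeps the profiles consistent.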
From: netblue30 Date: Thu, 21 Apr 2016 14:37:53 -0400 Subject: make test-profiles --- Makefile.in | 5 +++ test/profile_syntax.exp | 63 ------------------------------------- test/profile_syntax2.exp | 47 ---------------------------- test/profiles/profile_syntax.exp | 66 +++++++++++++++++++++++++++++++++++++++ test/profiles/profile_syntax2.exp | 50 +++++++++++++++++++++++++++++ test/profiles/profiles.sh | 19 +++++++++++ test/profiles/test-profile.exp | 23 ++++++++++++++ test/profiles/test.profile | 5 +++ test/profiles/test2.profile | 4 +++ test/test-profile.exp | 20 ------------ test/test-profiles.sh | 10 ------ test/test.profile | 5 --- test/test.sh | 8 ----- test/test2.profile | 4 --- 14 files changed, 172 insertions(+), 157 deletions(-) delete mode 100755 test/profile_syntax.exp delete mode 100755 test/profile_syntax2.exp create mode 100755 test/profiles/profile_syntax.exp create mode 100755 test/profiles/profile_syntax2.exp create mode 100755 test/profiles/profiles.sh create mode 100755 test/profiles/test-profile.exp create mode 100644 test/profiles/test.profile create mode 100644 test/profiles/test2.profile delete mode 100755 test/test-profile.exp delete mode 100755 test/test-profiles.sh delete mode 100644 test/test.profile delete mode 100644 test/test2.profile diff --git a/Makefile.in b/Makefile.in index dfeea565b..8bf9d68a9 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -239,6 +239,7 @@ dist: cd $(NAME)-$(VERSION); cp -a ../src .; cp -a ../etc .; cp -a ../platform .; rm -fr src/tools; cd .. cd $(NAME)-$(VERSION); cp -a ../configure .; cp -a ../configure.ac .; cp -a ../Makefile.in .; cp -a ../install.sh .; cp -a ../mkman.sh .; cp -a ../mketc.sh .; cp -a ../mkdeb.sh .;cd .. cd $(NAME)-$(VERSION); cp -a ../COPYING .; cp -a ../README .; cp -a ../RELNOTES .; cd .. + cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/profiles test/.; cd .. cd $(NAME)-$(VERSION); rm -fr `find . -name .svn`; rm -fr $(NAME)-$(VERSION); cd .. tar -cjvf $(NAME)-$(VERSION).tar.bz2 $(NAME)-$(VERSION) rm -fr $(NAME)-$(VERSION) @@ -258,5 +259,9 @@ cppcheck: clean scan-build: clean scan-build make + asc:; ./mkasc.sh $(VERSION) +test-profiles: + cd test/profiles; ./profiles.sh | grep TESTING + diff --git a/test/profile_syntax.exp b/test/profile_syntax.exp deleted file mode 100755 index 559947276..000000000 --- a/test/profile_syntax.exp +++ /dev/null 
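Review bot: The `test-profiles` recipe cannot fail on a test error: the status of `./profiles.sh | grep TESTING` is grep's, and profiles.sh (added in this commit) always echoes `TESTING:` lines, so `make test-profiles` succeeds even when a script prints `TESTING ERROR`. The `cd test/profiles;` form also goes on to run `./profiles.sh` from the wrong directory if the cd fails. I would use `cd test/profiles && ./profiles.sh | tee profiles.log | grep TESTING; ! grep -q "TESTING ERROR" profiles.log` so that the target reports failures through its exit status.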
@@ -1,63 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --profile=test.profile\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} - -sleep 2 -send -- "cat /sbin/iptables\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "No such file" {puts "\nTESTING /sbin/iptables not found\n"} - "Permission denied" -} - -sleep 1 -send -- "ls -l /etc/shadow\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "root root 0" -} - -sleep 1 -send -- "rmdir;pwd\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Permission denied" -} -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "home" -} - -sleep 1 -send -- "mount;pwd\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "Permission denied" -} -expect { - timeout {puts "TESTING ERROR 7\n";exit} - "home" -} - -sleep 1 -send -- "umount;pwd\r" -expect { - timeout {puts "TESTING ERROR 8\n";exit} - "Permission denied" -} -expect { - timeout {puts "TESTING ERROR 9\n";exit} - "home" -} -send -- "exit\r" - -sleep 1 -puts "\n" diff --git a/test/profile_syntax2.exp b/test/profile_syntax2.exp deleted file mode 100755 index 96e85ba93..000000000 --- a/test/profile_syntax2.exp +++ /dev/null 
@@ -1,47 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --debug --profile=test2.profile\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Reading profile test2.profile" -} -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Reading profile test.profile" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "Mounting a new /home directory" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "Disable /bin/rmdir" {puts "Most Linux platforms\n"} - "Disable /usr/bin/rmdir" { puts "OpenSUSE platform\n"} -} -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Drop CAP_SYS_MODULE" -} -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "SECCOMP Filter" -} -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "BLACKLIST" -} -expect { - timeout {puts "TESTING ERROR 7\n";exit} - "mount" -} -expect { - timeout {puts "TESTING ERROR 8\n";exit} - "Child process initialized" -} - -sleep 1 -puts "\nall done\n" diff --git a/test/profiles/profile_syntax.exp b/test/profiles/profile_syntax.exp new file mode 100755 index 000000000..ecad1043b --- /dev/null +++ b/test/profiles/profile_syntax.exp 
@@ -0,0 +1,66 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --profile=test.profile\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} + +sleep 2 +send -- "cat /sbin/iptables\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "No such file" {puts "\nTESTING /sbin/iptables not found\n"} + "Permission denied" +} + +sleep 1 +send -- "ls -l /etc/shadow\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "root root 0" +} + +sleep 1 +send -- "rmdir;pwd\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Permission denied" +} +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "home" +} + +sleep 1 +send -- "mount;pwd\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "Permission denied" +} +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "home" +} + +sleep 1 +send -- "umount;pwd\r" +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "Permission denied" +} +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "home" +} +send -- "exit\r" + +sleep 1 +puts "\n" diff --git a/test/profiles/profile_syntax2.exp b/test/profiles/profile_syntax2.exp new file mode 100755 index 000000000..ba83731be --- /dev/null +++ b/test/profiles/profile_syntax2.exp 
@@ -0,0 +1,50 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --debug --profile=test2.profile\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile test2.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Reading profile test.profile" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Mounting a new /home directory" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "Disable /bin/rmdir" {puts "Most Linux platforms\n"} + "Disable /usr/bin/rmdir" { puts "OpenSUSE platform\n"} +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Drop CAP_SYS_MODULE" +} +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "SECCOMP Filter" +} +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "BLACKLIST" +} +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "mount" +} +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "Child process initialized" +} + +sleep 1 +puts "\nall done\n" diff --git a/test/profiles/profiles.sh b/test/profiles/profiles.sh new file mode 100755 index 000000000..ea1f51c1a --- /dev/null +++ b/test/profiles/profiles.sh @@ -0,0 +1,19 @@ +#!/bin/bash +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +echo "TESTING: default profiles installed in /etc" +PROFILES=`ls /etc/firejail/*.profile` +for PROFILE in $PROFILES +do + echo "TESTING: $PROFILE" + ./test-profile.exp $PROFILE +done + +echo "TESTING: profile syntax (profiles/profile_syntax.exp)" +./profile_syntax.exp + +echo "TESTING: profile syntax 2 (profiles/profile_syntax2.exp)" +./profile_syntax2.exp + diff --git a/test/profiles/test-profile.exp b/test/profiles/test-profile.exp new file mode 100755 index 000000000..590b42652 --- /dev/null +++ b/test/profiles/test-profile.exp 
@@ -0,0 +1,23 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+if { $argc != 1 } {
+ puts "TESTING ERROR: argument missing"
+ puts "Usage: test-profile.exp profile_name"
+ exit
+}
+
+send -- "firejail --profile=$argv /bin/bash\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+send -- "exit\r"
+after 100
+puts "\n"
diff --git a/test/profiles/test.profile b/test/profiles/test.profile
new file mode 100644
index 000000000..1d69cc960
--- /dev/null
+++ b/test/profiles/test.profile
@@ -0,0 +1,5 @@
+ blacklist /sbin/iptables
+blacklist /etc/shadow
+ blacklist /bin/rmdir
+blacklist ${PATH}/umount
+blacklist ${PATH}/mount
diff --git a/test/profiles/test2.profile b/test/profiles/test2.profile
new file mode 100644
index 000000000..d7e1a1f21
--- /dev/null
+++ b/test/profiles/test2.profile
@@ -0,0 +1,4 @@
+caps
+seccomp
+ private
+ include test.profile
diff --git a/test/test-profile.exp b/test/test-profile.exp
deleted file mode 100755
index a03e8db31..000000000
--- a/test/test-profile.exp
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-if { $argc != 1 } {
- puts "TESTING ERROR: argument missing"
- puts "Usage: test-profile.exp profile_name"
- exit
-}
-
-send -- "firejail --profile=$argv /bin/bash\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
-}
-send -- "exit\r"
-after 100
-puts "\n"
diff --git a/test/test-profiles.sh b/test/test-profiles.sh
deleted file mode 100755
index d9142885b..000000000
--- a/test/test-profiles.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-
-echo "TESTING: default profiles installed in /etc"
-PROFILES=`ls /etc/firejail/*.profile`
-for PROFILE in $PROFILES
-do
- echo "TESTING: $PROFILE"
- ./test-profile.exp $PROFILE
-done
-
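Review bot: In the new test/profiles/test-profile.exp the command is built from `$argv`, which is the whole argument list rather than its first element, so in `send -- "firejail --profile=$argv /bin/bash\r"` a profile path containing spaces or braces is substituted in Tcl list form and then word-split by the spawned shell. Since `$argc != 1` is already enforced, `set profile [lindex $argv 0]` followed by `send -- "firejail --profile=\"$profile\" /bin/bash\r"` passes the path through intact. The paths come from /etc/firejail via profiles.sh, so this is a robustness point rather than an exposure.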
diff --git a/test/test.profile b/test/test.profile deleted file mode 100644 index 1d69cc960..000000000 --- a/test/test.profile +++ /dev/null @@ -1,5 +0,0 @@ - blacklist /sbin/iptables -blacklist /etc/shadow - blacklist /bin/rmdir -blacklist ${PATH}/umount -blacklist ${PATH}/mount diff --git a/test/test.sh b/test/test.sh index 961b48807..0fa26d86d 100755 --- a/test/test.sh +++ b/test/test.sh @@ -2,8 +2,6 @@ ./chk_config.exp -./test-profiles.sh - ./fscheck.sh echo "TESTING: cpu.print (cpu-print.exp)" @@ -220,12 +218,6 @@ echo "TESTING: output (output.exp)" echo "TESTING: profile no permissions (profile_noperm.exp)" ./profile_noperm.exp -echo "TESTING: profile syntax (profile_syntax.exp)" -./profile_syntax.exp - -echo "TESTING: profile syntax 2 (profile_syntax2.exp)" -./profile_syntax2.exp - echo "TESTING: profile rlimit (profile_rlimit.exp)" ./profile_rlimit.exp diff --git a/test/test2.profile b/test/test2.profile deleted file mode 100644 index d7e1a1f21..000000000 --- a/test/test2.profile +++ /dev/null @@ -1,4 +0,0 @@ -caps -seccomp - private - include test.profile -- cgit v1.2.3-70-g09d2 From 3c1a58c2f2b524230db6aeb56251f8a5fa500433 Mon Sep 17 00:00:00 2001 From: Vasya Novikov Date: Thu, 21 Apr 2016 23:45:33 +0300 Subject: fix "clean/clear" typos Finish of the migration from "clear" to "clean" wording. --- README.md | 6 +++--- src/firecfg/main.c | 2 +- src/man/firecfg.txt | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 1cfbd0aa9..8e68232b0 100644 --- a/README.md +++ b/README.md @@ -143,8 +143,8 @@ DESCRIPTION see DESKTOP INTEGRATION section in man 1 firejail. OPTIONS - --clear - Clear all firejail symbolic links + --clean + Remove all firejail symbolic links -?, --help Print options end exit. @@ -164,7 +164,7 @@ OPTIONS /usr/local/bin/firefox /usr/local/bin/vlc [...] - $ sudo firecfg --clear + $ sudo firecfg --clean /usr/local/bin/firefox removed /usr/local/bin/vlc removed [...] 
diff --git a/src/firecfg/main.c b/src/firecfg/main.c index 5fcace6cb..f0f2aaeb7 100644 --- a/src/firecfg/main.c +++ b/src/firecfg/main.c @@ -49,7 +49,7 @@ static void usage(void) { printf(" /usr/local/bin/firefox\n"); printf(" /usr/local/bin/vlc\n"); printf(" [...]\n"); - printf(" $ sudo firecfg --clear\n"); + printf(" $ sudo firecfg --clean\n"); printf(" /usr/local/bin/firefox removed\n"); printf(" /usr/local/bin/vlc removed\n"); printf(" [...]\n"); diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt index decc1af73..e2e4229b0 100644 --- a/src/man/firecfg.txt +++ b/src/man/firecfg.txt @@ -48,7 +48,7 @@ $ firecfg --list .br [...] .br -$ sudo firecfg --clear +$ sudo firecfg --clean .br /usr/local/bin/firefox removed .br -- cgit v1.2.3-70-g09d2 From b6fc34dfc641f231751084c50212ec11874ef366 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 22 Apr 2016 08:24:14 -0400 Subject: update --- README | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/README b/README index b1e1bd546..bf02d03ed 100644 --- a/README +++ b/README @@ -18,10 +18,15 @@ License: GPL v2 Firejail Authors: netblue30 (netblue30@yahoo.com) +Vasya Novikov (https://github.com/vn971) + - Wesnoth profile + - Hedegewars profile + - manpage fixes + - fixed firecfg clean/clear issue curiosity-seeker (https://github.com/curiosity-seeker) - - tightening unbound and dnscrypt-proxy profiles - - dnsmasq profile - - okular and gwenview profiles + - tightening unbound and dnscrypt-proxy profiles + - dnsmasq profile + - okular and gwenview profiles Matthew Gyurgyik (https://github.com/pyther) - rpm spec and several fixes Joan Figueras (https://github.com/figue) @@ -37,6 +42,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - blacklisted VeraCrypt - added Gpredict profile - added Aweather, Stellarium profiles + - fixed HexChat and Atril profiles avoidr (https://github.com/avoidr) - whitelist fix - recently-used.xbel fix 
@@ -64,10 +70,6 @@ dshmgh (https://github.com/dshmgh) yumkam (https://github.com/yumkam) - add compile-time option to restrict --net= to root only - man page fixes -Vasya Novikov (https://github.com/vn971) - - Wesnoth profile - - Hedegewars profile - - manpage fixes mahdi1234 (https://github.com/mahdi1234) - cherrytree profile jrabe (https://github.com/jrabe) -- cgit v1.2.3-70-g09d2 From bec09e54d0f78277f5ab1c2cbb9afadbc53ae444 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 22 Apr 2016 08:30:35 -0400 Subject: cherrytree profile fixes --- README | 1 + etc/cherrytree.profile | 2 ++ 2 files changed, 3 insertions(+) diff --git a/README b/README index bf02d03ed..9ea2730ad 100644 --- a/README +++ b/README @@ -27,6 +27,7 @@ curiosity-seeker (https://github.com/curiosity-seeker) - tightening unbound and dnscrypt-proxy profiles - dnsmasq profile - okular and gwenview profiles + - cherrytree profile fixes Matthew Gyurgyik (https://github.com/pyther) - rpm spec and several fixes Joan Figueras (https://github.com/figue) diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index 7bcc61e98..77fa79e11 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile @@ -1,4 +1,6 @@ # cherrytree note taking application +noblacklist /usr/bin/python2* +noblacklist /usr/lib/python2* include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc -- cgit v1.2.3-70-g09d2 From 47be57441f2f49baddebaca884fc65199b234714 Mon Sep 17 00:00:00 2001 
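Review bot: The two `noblacklist` lines added to etc/cherrytree.profile for `/usr/bin/python2*` and `/usr/lib/python2*` have no comment saying why this profile needs the interpreter, and they widen what the sandbox exposes relative to the includes that follow. Presumably cherrytree itself runs under Python 2 and one of the included disable-*.inc files would otherwise hide it; that should be confirmed and recorded above the two lines, e.g. `# cherrytree is a python2 program; keep the interpreter visible despite the disable-*.inc blacklists`. Without the rationale a later audit of the profile cannot tell a required exception from a leftover.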
From: netblue30 Date: Fri, 22 Apr 2016 09:46:07 -0400 Subject: make test-apps --- Makefile.in | 6 ++ test/apps/apps.sh | 149 +++++++++++++++++++++++++++++++++++++++ test/apps/chromium.exp | 80 +++++++++++++++++++++ test/apps/deluge.exp | 80 +++++++++++++++++++++ test/apps/evince.exp | 80 +++++++++++++++++++++ test/apps/fbreader.exp | 80 +++++++++++++++++++++ test/apps/firefox.exp | 96 +++++++++++++++++++++++++ test/apps/gnome-mplayer.exp | 80 +++++++++++++++++++++ test/apps/hexchat.exp | 80 +++++++++++++++++++++ test/apps/icedove.exp | 80 +++++++++++++++++++++ test/apps/midori.exp | 81 +++++++++++++++++++++ test/apps/opera.exp | 80 +++++++++++++++++++++ test/apps/transmission-gtk.exp | 75 ++++++++++++++++++++ test/apps/transmission-qt.exp | 80 +++++++++++++++++++++ test/apps/vlc.exp | 80 +++++++++++++++++++++ test/apps/weechat.exp | 80 +++++++++++++++++++++ test/apps/wine.exp | 30 ++++++++ test/apps/xchat.exp | 80 +++++++++++++++++++++ test/chromium.exp | 80 --------------------- test/deluge.exp | 80 --------------------- test/evince.exp | 80 --------------------- test/fbreader.exp | 80 --------------------- test/firefox.exp | 96 ------------------------- test/gnome-mplayer.exp | 80 --------------------- test/hexchat.exp | 80 --------------------- test/icedove.exp | 80 --------------------- test/midori.exp | 81 --------------------- test/opera.exp | 80 --------------------- test/profiles/profiles.sh | 3 + test/test-apps.sh | 155 ----------------------------------------- test/test.sh | 1 - test/transmission-gtk.exp | 75 -------------------- test/transmission-qt.exp | 80 --------------------- test/vlc.exp | 80 --------------------- test/weechat.exp | 80 --------------------- test/wine.exp | 30 -------- test/xchat.exp | 80 --------------------- 37 files changed, 1400 insertions(+), 1398 deletions(-) create mode 100755 test/apps/apps.sh create mode 100755 test/apps/chromium.exp create mode 100755 test/apps/deluge.exp create mode 100755 test/apps/evince.exp create mode 
100755 test/apps/fbreader.exp create mode 100755 test/apps/firefox.exp create mode 100755 test/apps/gnome-mplayer.exp create mode 100755 test/apps/hexchat.exp create mode 100755 test/apps/icedove.exp create mode 100755 test/apps/midori.exp create mode 100755 test/apps/opera.exp create mode 100755 test/apps/transmission-gtk.exp create mode 100755 test/apps/transmission-qt.exp create mode 100755 test/apps/vlc.exp create mode 100755 test/apps/weechat.exp create mode 100755 test/apps/wine.exp create mode 100755 test/apps/xchat.exp delete mode 100755 test/chromium.exp delete mode 100755 test/deluge.exp delete mode 100755 test/evince.exp delete mode 100755 test/fbreader.exp delete mode 100755 test/firefox.exp delete mode 100755 test/gnome-mplayer.exp delete mode 100755 test/hexchat.exp delete mode 100755 test/icedove.exp delete mode 100755 test/midori.exp delete mode 100755 test/opera.exp delete mode 100755 test/test-apps.sh delete mode 100755 test/transmission-gtk.exp delete mode 100755 test/transmission-qt.exp delete mode 100755 test/vlc.exp delete mode 100755 test/weechat.exp delete mode 100755 test/wine.exp delete mode 100755 test/xchat.exp diff --git a/Makefile.in b/Makefile.in index 8bf9d68a9..fbe9b24c4 100644 --- a/Makefile.in +++ b/Makefile.in @@ -240,6 +240,7 @@ dist: cd $(NAME)-$(VERSION); cp -a ../configure .; cp -a ../configure.ac .; cp -a ../Makefile.in .; cp -a ../install.sh .; cp -a ../mkman.sh .; cp -a ../mketc.sh .; cp -a ../mkdeb.sh .;cd .. cd $(NAME)-$(VERSION); cp -a ../COPYING .; cp -a ../README .; cp -a ../RELNOTES .; cd .. cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/profiles test/.; cd .. + cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/apps test/.; cd .. cd $(NAME)-$(VERSION); rm -fr `find . -name .svn`; rm -fr $(NAME)-$(VERSION); cd .. tar -cjvf $(NAME)-$(VERSION).tar.bz2 $(NAME)-$(VERSION) rm -fr $(NAME)-$(VERSION) 
@@ -265,3 +266,8 @@ asc:; ./mkasc.sh $(VERSION) test-profiles: cd test/profiles; ./profiles.sh | grep TESTING +test-apps: + cd test/apps; ./apps.sh | grep TESTING + +test: test-profiles test-apps + echo "TEST COMPLETE" diff --git a/test/apps/apps.sh b/test/apps/apps.sh new file mode 100755 index 000000000..ff561ef31 --- /dev/null +++ b/test/apps/apps.sh 
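Review bot: The new `test-apps` recipe `cd test/apps; ./apps.sh | grep TESTING` takes its exit status from `grep`, which succeeds whenever any `TESTING` line is printed, including `TESTING ERROR` lines, so `make test` reaches `echo "TEST COMPLETE"` even when a sandbox check failed. The `;` after `cd` also lets the pipeline run from the top-level directory if the `cd` fails; `cd test/apps && ./apps.sh | grep TESTING` closes that. To make failures count, the recipe would additionally have to fail when the output contains `TESTING ERROR`. The existing `test-profiles` recipe shown as context has the same shape.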
@@ -0,0 +1,149 @@ +#!/bin/bash + +export MALLOC_CHECK_=3 +export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) + +which firefox +if [ "$?" -eq 0 ]; +then + echo "TESTING: firefox" + ./firefox.exp +else + echo "TESTING: firefox not found" +fi + +which midori +if [ "$?" -eq 0 ]; +then + echo "TESTING: midori" + ./midori.exp +else + echo "TESTING: midori not found" +fi + +which chromium +if [ "$?" -eq 0 ]; +then + echo "TESTING: chromium" + ./chromium.exp +else + echo "TESTING: chromium not found" +fi + +which opera +if [ "$?" -eq 0 ]; +then + echo "TESTING: opera" + ./opera.exp +else + echo "TESTING: opera not found" +fi + +which transmission-gtk +if [ "$?" -eq 0 ]; +then + echo "TESTING: transmission-gtk" + ./transmission-gtk.exp +else + echo "TESTING: transmission-gtk not found" +fi + +which transmission-qt +if [ "$?" -eq 0 ]; +then + echo "TESTING: transmission-qt" + ./transmission-qt.exp +else + echo "TESTING: transmission-qt not found" +fi + +which evince +if [ "$?" -eq 0 ]; +then + echo "TESTING: evince" + ./evince.exp +else + echo "TESTING: evince not found" +fi + +which icedove +if [ "$?" -eq 0 ]; +then + echo "TESTING: icedove" + ./icedove.exp +else + echo "TESTING: icedove not found" +fi + +which vlc +if [ "$?" -eq 0 ]; +then + echo "TESTING: vlc" + ./vlc.exp +else + echo "TESTING: vlc not found" +fi + +which fbreader +if [ "$?" -eq 0 ]; +then + echo "TESTING: fbreader" + ./fbreader.exp +else + echo "TESTING: fbreader not found" +fi + +which deluge +if [ "$?" -eq 0 ]; +then + echo "TESTING: deluge" + ./deluge.exp +else + echo "TESTING: deluge not found" +fi + +which gnome-mplayer +if [ "$?" -eq 0 ]; +then + echo "TESTING: gnome-mplayer" + ./gnome-mplayer.exp +else + echo "TESTING: gnome-mplayer not found" +fi + +which xchat +if [ "$?" -eq 0 ]; +then + echo "TESTING: xchat" + ./xchat.exp +else + echo "TESTING: xchat not found" +fi + +which hexchat +if [ "$?" 
-eq 0 ]; +then + echo "TESTING: hexchat" + ./hexchat.exp +else + echo "TESTING: hexchat not found" +fi + +which weechat-curses +if [ "$?" -eq 0 ]; +then + echo "TESTING: weechat" + ./weechat.exp +else + echo "TESTING: weechat not found" +fi + +which wine +if [ "$?" -eq 0 ]; +then + echo "TESTING: wine" + ./wine.exp +else + echo "TESTING: wine not found" +fi + diff --git a/test/apps/chromium.exp b/test/apps/chromium.exp new file mode 100755 index 000000000..676f7e314 --- /dev/null +++ b/test/apps/chromium.exp 
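Review bot: apps.sh repeats the same seven-line `which X` / `if [ "$?" -eq 0 ]` stanza sixteen times, and the weechat stanza already differs from the rest (it probes `weechat-curses` but runs `weechat.exp`), which is easy to miss in the repetition. A small helper keeps the binary name, label and script together, and `command -v` is the shell builtin check that does not depend on an external `which`. The result of each `.exp` run is discarded, so the script's status does not reflect failures. A possible shape is below, with the same apps in the same order as in this hunk.

```shell
export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))

# run_app BINARY [LABEL]: run ./LABEL.exp when BINARY is found on PATH
run_app() {
	local bin="$1" label="${2:-$1}"
	if command -v "$bin" >/dev/null 2>&1; then
		echo "TESTING: $label"
		"./$label.exp"
	else
		echo "TESTING: $label not found"
	fi
}

for app in firefox midori chromium opera transmission-gtk transmission-qt \
           evince icedove vlc fbreader deluge gnome-mplayer xchat hexchat; do
	run_app "$app"
done
run_app weechat-curses weechat
run_app wine
```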
@@ -0,0 +1,80 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail chromium www.gentoo.org\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Reading profile /etc/firejail/chromium.profile"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 10
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.1\n";exit}
+ "chromium"
+}
+sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+ timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+ "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+ "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ ":firejail chromium"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1\n";exit}
+ "Seccomp: 0"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1\n";exit}
+ "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ ":firejail chromium"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.1\n";exit}
+ "CapBnd:"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.2\n";exit}
+ "fffffffff"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.3\n";exit}
+ "name=blablabla"
+}
+sleep 1
+
+puts "\n"
+
diff --git a/test/apps/deluge.exp b/test/apps/deluge.exp
new file mode 100755
index 000000000..9f5063495
--- /dev/null
+++ b/test/apps/deluge.exp
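Review bot: chromium.exp asserts `Seccomp: 0` and a `CapBnd` value matching `fffffffff`, so it passes only when the chromium sandbox runs with no seccomp filter and an apparently unrestricted capability bounding set, whereas the other app tests in this commit expect `Seccomp: 2` and `0000000000000000`. Nothing in the file says this weaker confinement is intended, so a reader cannot tell a deliberate exception in chromium.profile from a stale expectation. A comment above the `firemon --seccomp` block would record it, e.g. `# chromium.profile does not enable seccomp/caps (presumably for the browser's own sandbox) - TODO confirm`. Both the seccomp check and the name check after it print `TESTING ERROR 5.1`, where the other scripts label the first one `5.1 (seccomp)`. The opera.exp hunk has the same expectations and labels.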
@@ -0,0 +1,80 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail deluge\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile /etc/firejail/deluge.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 10 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "deluge" +} +sleep 1 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + ":firejail deluge" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail deluge" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +sleep 1 + +puts "\n" + diff --git a/test/apps/evince.exp b/test/apps/evince.exp new file mode 100755 index 000000000..3c3ad4bdd --- /dev/null +++ b/test/apps/evince.exp 
@@ -0,0 +1,80 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail evince\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile /etc/firejail/evince.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 3 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "evince" +} +sleep 1 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + ":firejail evince" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail evince" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +sleep 1 + +puts "\nall done\n" + diff --git a/test/apps/fbreader.exp b/test/apps/fbreader.exp new file mode 100755 index 000000000..d2bee880e --- /dev/null +++ b/test/apps/fbreader.exp 
@@ -0,0 +1,80 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail fbreader\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile /etc/firejail/fbreader.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 3 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "fbreader" +} +sleep 1 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + ":firejail fbreader" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail fbreader" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +sleep 1 + +puts "\nall done\n" + diff --git a/test/apps/firefox.exp b/test/apps/firefox.exp new file mode 100755 index 000000000..2585e4b5c --- /dev/null +++ b/test/apps/firefox.exp 
@@ -0,0 +1,96 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail firefox -no-remote www.gentoo.org\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile /etc/firejail/firefox.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 10 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "firefox" {puts "firefox detected\n";} + "iceweasel" {puts "iceweasel detected\n";} +} +expect { + timeout {puts "TESTING ERROR 3.2\n";exit} + "no-remote" +} +sleep 1 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + " firefox" {puts "firefox detected\n";} + " iceweasel" {puts "iceweasel detected\n";} +} +expect { + timeout {puts "TESTING ERROR 5.0\n";exit} + "no-remote" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + " firefox" {puts "firefox detected\n";} + " iceweasel" {puts "iceweasel detected\n";} +} +expect { + timeout {puts "TESTING ERROR 6.0\n";exit} + "no-remote" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} 
+sleep 1 + +puts "\n" + diff --git a/test/apps/gnome-mplayer.exp b/test/apps/gnome-mplayer.exp new file mode 100755 index 000000000..6965322fc --- /dev/null +++ b/test/apps/gnome-mplayer.exp @@ -0,0 +1,80 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail gnome-mplayer\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile /etc/firejail/gnome-mplayer.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 10 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "gnome-mplayer" +} +sleep 1 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + ":firejail gnome-mplayer" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail gnome-mplayer" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +sleep 1 + +puts "\nall done\n" + diff --git a/test/apps/hexchat.exp b/test/apps/hexchat.exp new file mode 100755 index 000000000..7e99c8cdf --- /dev/null +++ b/test/apps/hexchat.exp 
@@ -0,0 +1,80 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail hexchat\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile /etc/firejail/hexchat.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 3 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "hexchat" +} +sleep 1 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "hexchat" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "hexchat" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +sleep 1 + +puts "\n" + diff --git a/test/apps/icedove.exp b/test/apps/icedove.exp new file mode 100755 index 000000000..344febb93 --- /dev/null +++ b/test/apps/icedove.exp 
@@ -0,0 +1,80 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail icedove\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile /etc/firejail/icedove.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 5 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "icedove" +} +sleep 1 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + ":firejail icedove" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail icedove" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +sleep 1 + +puts "\nall done\n" + diff --git a/test/apps/midori.exp b/test/apps/midori.exp new file mode 100755 index 000000000..470f5de77 --- /dev/null +++ b/test/apps/midori.exp 
@@ -0,0 +1,81 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail midori www.gentoo.org\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile /etc/firejail/midori.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 10 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "midori" +} +sleep 1 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + ":firejail midori" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail midori" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3n";exit} + "name=blablabla" +} +sleep 1 + + +puts "\n" + diff --git a/test/apps/opera.exp b/test/apps/opera.exp new file mode 100755 index 000000000..23eed5504 --- /dev/null +++ b/test/apps/opera.exp 
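Review bot: The last timeout branch in midori.exp reads `timeout {puts "TESTING ERROR 6.3n";exit}`, which is missing the backslash and so reports the label as `6.3n`; it should be `timeout {puts "TESTING ERROR 6.3\n";exit}` like the corresponding line in the other app tests. Judging by the diffstat the file is moved from test/midori.exp with the same line count, so the typo probably predates this commit, but the move is a convenient place to fix it.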
@@ -0,0 +1,80 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail opera www.gentoo.org\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile /etc/firejail/opera.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 10 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "opera" +} +sleep 1 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + ":firejail opera" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "Seccomp: 0" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail opera" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "fffffffff" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +sleep 1 + +puts "\n" + diff --git a/test/apps/transmission-gtk.exp b/test/apps/transmission-gtk.exp new file mode 100755 index 000000000..1acfc6f94 --- /dev/null +++ b/test/apps/transmission-gtk.exp 
@@ -0,0 +1,75 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail transmission-gtk\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 10 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "transmission-gtk" +} +sleep 1 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + ":firejail transmission-gtk" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail transmission-gtk" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +sleep 1 + +puts "\nall done\n" + diff --git a/test/apps/transmission-qt.exp b/test/apps/transmission-qt.exp new file mode 100755 index 000000000..944fd28a2 --- /dev/null +++ b/test/apps/transmission-qt.exp 
@@ -0,0 +1,80 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail transmission-qt\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Reading profile /etc/firejail/transmission-qt.profile"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 10
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.1\n";exit}
+ "transmission-qt"
+}
+sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+ timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+ "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+ "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ ":firejail transmission-qt"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+ "Seccomp: 2"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1\n";exit}
+ "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ ":firejail transmission-qt"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.1\n";exit}
+ "CapBnd"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.2\n";exit}
+ "0000000000000000"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.3\n";exit}
+ "name=blablabla"
+}
+sleep 1
+
+puts "\nall done\n"
+
diff --git a/test/apps/vlc.exp b/test/apps/vlc.exp
new file mode 100755
index 000000000..290c0fc2f
--- /dev/null
+++ b/test/apps/vlc.exp
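Review bot: Every `timeout` branch ends in a bare `exit`, which makes expect return status 0, so a failed seccomp or capability check is visible only to someone scanning the output for `TESTING ERROR`. Using `exit 1` in the failure branches, for example `timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit 1}`, would let the calling shell script or a CI job detect a sandbox regression from the exit code; the grsecurity skip branch can keep status 0. The same pattern is in the opera, transmission-gtk, vlc, weechat, wine and xchat scripts added in this commit.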
@@ -0,0 +1,80 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail vlc\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Reading profile /etc/firejail/vlc.profile"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.1\n";exit}
+ "vlc"
+}
+sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+ timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+ "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+ "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ ":firejail vlc"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+ "Seccomp: 2"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1\n";exit}
+ "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ ":firejail vlc"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.1\n";exit}
+ "CapBnd:"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.2\n";exit}
+ "0000000000000000"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.3\n";exit}
+ "name=blablabla"
+}
+sleep 1
+
+puts "\nall done\n"
+
diff --git a/test/apps/weechat.exp b/test/apps/weechat.exp
new file mode 100755
index 000000000..630af55ee
--- /dev/null
+++ b/test/apps/weechat.exp
@@ -0,0 +1,80 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail weechat-curses\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Reading profile /etc/firejail/weechat.profile"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.1\n";exit}
+ "weechat-curses"
+}
+sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+ timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+ "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+ "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "weechat-curses"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+ "Seccomp: 2"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1\n";exit}
+ "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ "weechat-curses"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.1\n";exit}
+ "CapBnd:"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.2\n";exit}
+ "0000000000000000"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.3\n";exit}
+ "name=blablabla"
+}
+sleep 1
+
+puts "\n"
+
diff --git a/test/apps/wine.exp b/test/apps/wine.exp
new file mode 100755
index 000000000..f5b7d12b4
--- /dev/null
+++ b/test/apps/wine.exp
@@ -0,0 +1,30 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail wine --help\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Reading profile /etc/firejail/wine.profile"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "Usage: wine PROGRAM"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "wine --version"
+}
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Parent is shutting down, bye..."
+}
+
+puts "\nall done\n"
+
diff --git a/test/apps/xchat.exp b/test/apps/xchat.exp
new file mode 100755
index 000000000..cde89d754
--- /dev/null
+++ b/test/apps/xchat.exp
@@ -0,0 +1,80 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail xchat\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Reading profile /etc/firejail/xchat.profile"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.1\n";exit}
+ "xchat"
+}
+sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+ timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+ "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+ "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ " xchat"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+ "Seccomp: 2"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1\n";exit}
+ "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ " xchat"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.1\n";exit}
+ "CapBnd:"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.2\n";exit}
+ "0000000000000000"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.3\n";exit}
+ "name=blablabla"
+}
+sleep 1
+
+puts "\n"
+
diff --git a/test/chromium.exp b/test/chromium.exp
deleted file mode 100755
index 676f7e314..000000000
--- a/test/chromium.exp
+++ /dev/null
@@ -1,80 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail chromium www.gentoo.org\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Reading profile /etc/firejail/chromium.profile" -} -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -sleep 10 - -spawn $env(SHELL) -send -- "firejail --list\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "chromium" -} -sleep 1 - -# grsecurity exit -send -- "file /proc/sys/kernel/grsecurity\r" -expect { - timeout {puts "TESTING ERROR - grsecurity detection\n";exit} - "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} - "cannot open" {puts "grsecurity not present\n"} -} - -send -- "firejail --name=blablabla\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "firemon --seccomp\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - ":firejail chromium" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "Seccomp: 0" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "name=blablabla" -} -sleep 1 -send -- "firemon --caps\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - ":firejail chromium" -} -expect { - timeout {puts "TESTING ERROR 6.1\n";exit} - "CapBnd:" -} -expect { - timeout {puts "TESTING ERROR 6.2\n";exit} - "fffffffff" -} -expect { - timeout {puts "TESTING ERROR 6.3\n";exit} - "name=blablabla" -} -sleep 1 - -puts "\n" - diff --git a/test/deluge.exp b/test/deluge.exp deleted file mode 100755 index 9f5063495..000000000 --- a/test/deluge.exp +++ /dev/null 
@@ -1,80 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail deluge\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Reading profile /etc/firejail/deluge.profile" -} -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -sleep 10 - -spawn $env(SHELL) -send -- "firejail --list\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "deluge" -} -sleep 1 - -# grsecurity exit -send -- "file /proc/sys/kernel/grsecurity\r" -expect { - timeout {puts "TESTING ERROR - grsecurity detection\n";exit} - "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} - "cannot open" {puts "grsecurity not present\n"} -} - -send -- "firejail --name=blablabla\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "firemon --seccomp\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - ":firejail deluge" -} -expect { - timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} - "Seccomp: 2" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "name=blablabla" -} -sleep 1 -send -- "firemon --caps\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - ":firejail deluge" -} -expect { - timeout {puts "TESTING ERROR 6.1\n";exit} - "CapBnd:" -} -expect { - timeout {puts "TESTING ERROR 6.2\n";exit} - "0000000000000000" -} -expect { - timeout {puts "TESTING ERROR 6.3\n";exit} - "name=blablabla" -} -sleep 1 - -puts "\n" - diff --git a/test/evince.exp b/test/evince.exp deleted file mode 100755 index 3c3ad4bdd..000000000 --- a/test/evince.exp +++ /dev/null 
@@ -1,80 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail evince\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Reading profile /etc/firejail/evince.profile" -} -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -sleep 3 - -spawn $env(SHELL) -send -- "firejail --list\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "evince" -} -sleep 1 - -# grsecurity exit -send -- "file /proc/sys/kernel/grsecurity\r" -expect { - timeout {puts "TESTING ERROR - grsecurity detection\n";exit} - "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} - "cannot open" {puts "grsecurity not present\n"} -} - -send -- "firejail --name=blablabla\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "firemon --seccomp\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - ":firejail evince" -} -expect { - timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} - "Seccomp: 2" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "name=blablabla" -} -sleep 1 -send -- "firemon --caps\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - ":firejail evince" -} -expect { - timeout {puts "TESTING ERROR 6.1\n";exit} - "CapBnd:" -} -expect { - timeout {puts "TESTING ERROR 6.2\n";exit} - "0000000000000000" -} -expect { - timeout {puts "TESTING ERROR 6.3\n";exit} - "name=blablabla" -} -sleep 1 - -puts "\nall done\n" - diff --git a/test/fbreader.exp b/test/fbreader.exp deleted file mode 100755 index d2bee880e..000000000 --- a/test/fbreader.exp +++ /dev/null 
@@ -1,80 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail fbreader\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Reading profile /etc/firejail/fbreader.profile" -} -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -sleep 3 - -spawn $env(SHELL) -send -- "firejail --list\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "fbreader" -} -sleep 1 - -# grsecurity exit -send -- "file /proc/sys/kernel/grsecurity\r" -expect { - timeout {puts "TESTING ERROR - grsecurity detection\n";exit} - "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} - "cannot open" {puts "grsecurity not present\n"} -} - -send -- "firejail --name=blablabla\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "firemon --seccomp\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - ":firejail fbreader" -} -expect { - timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} - "Seccomp: 2" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "name=blablabla" -} -sleep 1 -send -- "firemon --caps\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - ":firejail fbreader" -} -expect { - timeout {puts "TESTING ERROR 6.1\n";exit} - "CapBnd:" -} -expect { - timeout {puts "TESTING ERROR 6.2\n";exit} - "0000000000000000" -} -expect { - timeout {puts "TESTING ERROR 6.3\n";exit} - "name=blablabla" -} -sleep 1 - -puts "\nall done\n" - diff --git a/test/firefox.exp b/test/firefox.exp deleted file mode 100755 index 2585e4b5c..000000000 --- a/test/firefox.exp +++ /dev/null 
@@ -1,96 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail firefox -no-remote www.gentoo.org\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Reading profile /etc/firejail/firefox.profile" -} -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -sleep 10 - -spawn $env(SHELL) -send -- "firejail --list\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "firefox" {puts "firefox detected\n";} - "iceweasel" {puts "iceweasel detected\n";} -} -expect { - timeout {puts "TESTING ERROR 3.2\n";exit} - "no-remote" -} -sleep 1 - -# grsecurity exit -send -- "file /proc/sys/kernel/grsecurity\r" -expect { - timeout {puts "TESTING ERROR - grsecurity detection\n";exit} - "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} - "cannot open" {puts "grsecurity not present\n"} -} - - -send -- "firejail --name=blablabla\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "firemon --seccomp\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - " firefox" {puts "firefox detected\n";} - " iceweasel" {puts "iceweasel detected\n";} -} -expect { - timeout {puts "TESTING ERROR 5.0\n";exit} - "no-remote" -} -expect { - timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} - "Seccomp: 2" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "name=blablabla" -} -sleep 1 -send -- "firemon --caps\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - " firefox" {puts "firefox detected\n";} - " iceweasel" {puts "iceweasel detected\n";} -} -expect { - timeout {puts "TESTING ERROR 6.0\n";exit} - "no-remote" -} -expect { - timeout {puts "TESTING ERROR 6.1\n";exit} - "CapBnd:" -} -expect { - timeout {puts "TESTING ERROR 6.2\n";exit} - "0000000000000000" -} -expect { - timeout {puts "TESTING ERROR 6.3\n";exit} - "name=blablabla" -} 
-sleep 1 - -puts "\n" - diff --git a/test/gnome-mplayer.exp b/test/gnome-mplayer.exp deleted file mode 100755 index 6965322fc..000000000 --- a/test/gnome-mplayer.exp +++ /dev/null @@ -1,80 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail gnome-mplayer\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Reading profile /etc/firejail/gnome-mplayer.profile" -} -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -sleep 10 - -spawn $env(SHELL) -send -- "firejail --list\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "gnome-mplayer" -} -sleep 1 - -# grsecurity exit -send -- "file /proc/sys/kernel/grsecurity\r" -expect { - timeout {puts "TESTING ERROR - grsecurity detection\n";exit} - "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} - "cannot open" {puts "grsecurity not present\n"} -} - -send -- "firejail --name=blablabla\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "firemon --seccomp\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - ":firejail gnome-mplayer" -} -expect { - timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} - "Seccomp: 2" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "name=blablabla" -} -sleep 1 -send -- "firemon --caps\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - ":firejail gnome-mplayer" -} -expect { - timeout {puts "TESTING ERROR 6.1\n";exit} - "CapBnd:" -} -expect { - timeout {puts "TESTING ERROR 6.2\n";exit} - "0000000000000000" -} -expect { - timeout {puts "TESTING ERROR 6.3\n";exit} - "name=blablabla" -} -sleep 1 - -puts "\nall done\n" - diff --git a/test/hexchat.exp b/test/hexchat.exp deleted file mode 100755 index 7e99c8cdf..000000000 --- a/test/hexchat.exp +++ /dev/null 
@@ -1,80 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail hexchat\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Reading profile /etc/firejail/hexchat.profile" -} -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -sleep 3 - -spawn $env(SHELL) -send -- "firejail --list\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "hexchat" -} -sleep 1 - -# grsecurity exit -send -- "file /proc/sys/kernel/grsecurity\r" -expect { - timeout {puts "TESTING ERROR - grsecurity detection\n";exit} - "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} - "cannot open" {puts "grsecurity not present\n"} -} - -send -- "firejail --name=blablabla\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "firemon --seccomp\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "hexchat" -} -expect { - timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} - "Seccomp: 2" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "name=blablabla" -} -sleep 1 -send -- "firemon --caps\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "hexchat" -} -expect { - timeout {puts "TESTING ERROR 6.1\n";exit} - "CapBnd:" -} -expect { - timeout {puts "TESTING ERROR 6.2\n";exit} - "0000000000000000" -} -expect { - timeout {puts "TESTING ERROR 6.3\n";exit} - "name=blablabla" -} -sleep 1 - -puts "\n" - diff --git a/test/icedove.exp b/test/icedove.exp deleted file mode 100755 index 344febb93..000000000 --- a/test/icedove.exp +++ /dev/null 
@@ -1,80 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail icedove\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Reading profile /etc/firejail/icedove.profile" -} -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -sleep 5 - -spawn $env(SHELL) -send -- "firejail --list\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "icedove" -} -sleep 1 - -# grsecurity exit -send -- "file /proc/sys/kernel/grsecurity\r" -expect { - timeout {puts "TESTING ERROR - grsecurity detection\n";exit} - "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} - "cannot open" {puts "grsecurity not present\n"} -} - -send -- "firejail --name=blablabla\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "firemon --seccomp\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - ":firejail icedove" -} -expect { - timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} - "Seccomp: 2" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "name=blablabla" -} -sleep 1 -send -- "firemon --caps\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - ":firejail icedove" -} -expect { - timeout {puts "TESTING ERROR 6.1\n";exit} - "CapBnd:" -} -expect { - timeout {puts "TESTING ERROR 6.2\n";exit} - "0000000000000000" -} -expect { - timeout {puts "TESTING ERROR 6.3\n";exit} - "name=blablabla" -} -sleep 1 - -puts "\nall done\n" - diff --git a/test/midori.exp b/test/midori.exp deleted file mode 100755 index 470f5de77..000000000 --- a/test/midori.exp +++ /dev/null 
@@ -1,81 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail midori www.gentoo.org\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Reading profile /etc/firejail/midori.profile" -} -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -sleep 10 - -spawn $env(SHELL) -send -- "firejail --list\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "midori" -} -sleep 1 - -# grsecurity exit -send -- "file /proc/sys/kernel/grsecurity\r" -expect { - timeout {puts "TESTING ERROR - grsecurity detection\n";exit} - "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} - "cannot open" {puts "grsecurity not present\n"} -} - -send -- "firejail --name=blablabla\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "firemon --seccomp\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - ":firejail midori" -} -expect { - timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} - "Seccomp: 2" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "name=blablabla" -} -sleep 1 -send -- "firemon --caps\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - ":firejail midori" -} -expect { - timeout {puts "TESTING ERROR 6.1\n";exit} - "CapBnd" -} -expect { - timeout {puts "TESTING ERROR 6.2\n";exit} - "0000000000000000" -} -expect { - timeout {puts "TESTING ERROR 6.3n";exit} - "name=blablabla" -} -sleep 1 - - -puts "\n" - diff --git a/test/opera.exp b/test/opera.exp deleted file mode 100755 index 23eed5504..000000000 --- a/test/opera.exp +++ /dev/null 
@@ -1,80 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail opera www.gentoo.org\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Reading profile /etc/firejail/opera.profile" -} -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -sleep 10 - -spawn $env(SHELL) -send -- "firejail --list\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "opera" -} -sleep 1 - -# grsecurity exit -send -- "file /proc/sys/kernel/grsecurity\r" -expect { - timeout {puts "TESTING ERROR - grsecurity detection\n";exit} - "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} - "cannot open" {puts "grsecurity not present\n"} -} - -send -- "firejail --name=blablabla\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "firemon --seccomp\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - ":firejail opera" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "Seccomp: 0" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "name=blablabla" -} -sleep 1 -send -- "firemon --caps\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - ":firejail opera" -} -expect { - timeout {puts "TESTING ERROR 6.1\n";exit} - "CapBnd:" -} -expect { - timeout {puts "TESTING ERROR 6.2\n";exit} - "fffffffff" -} -expect { - timeout {puts "TESTING ERROR 6.3\n";exit} - "name=blablabla" -} -sleep 1 - -puts "\n" - diff --git a/test/profiles/profiles.sh b/test/profiles/profiles.sh index ea1f51c1a..a20ed5432 100755 --- a/test/profiles/profiles.sh +++ b/test/profiles/profiles.sh @@ -3,6 +3,9 @@ # Copyright (C) 2014-2016 Firejail Authors # License GPL v2 +export MALLOC_CHECK_=3 +export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) + echo "TESTING: default profiles installed in /etc" PROFILES=`ls /etc/firejail/*.profile` for PROFILE in $PROFILES 
diff --git a/test/test-apps.sh b/test/test-apps.sh deleted file mode 100755 index 5ada20549..000000000 --- a/test/test-apps.sh +++ /dev/null 
@@ -1,155 +0,0 @@ -#!/bin/bash - -which firefox -if [ "$?" -eq 0 ]; -then - echo "TESTING: firefox" - ./firefox.exp -else - echo "TESTING: firefox not found" -fi - -which midori -if [ "$?" -eq 0 ]; -then - echo "TESTING: midori" - ./midori.exp -else - echo "TESTING: midori not found" -fi - -which chromium -if [ "$?" -eq 0 ]; -then - echo "TESTING: chromium" - ./chromium.exp -else - echo "TESTING: chromium not found" -fi - -which google-chrome -if [ "$?" -eq 0 ]; -then - echo "TESTING: google-chrome" - ./chromium.exp -else - echo "TESTING: google-chrome not found" -fi - -which opera -if [ "$?" -eq 0 ]; -then - echo "TESTING: opera" - ./opera.exp -else - echo "TESTING: opera not found" -fi - -which transmission-gtk -if [ "$?" -eq 0 ]; -then - echo "TESTING: transmission-gtk" - ./transmission-gtk.exp -else - echo "TESTING: transmission-gtk not found" -fi - -which transmission-qt -if [ "$?" -eq 0 ]; -then - echo "TESTING: transmission-qt" - ./transmission-qt.exp -else - echo "TESTING: transmission-qt not found" -fi - -which evince -if [ "$?" -eq 0 ]; -then - echo "TESTING: evince" - ./evince.exp -else - echo "TESTING: evince not found" -fi - -which icedove -if [ "$?" -eq 0 ]; -then - echo "TESTING: icedove" - ./icedove.exp -else - echo "TESTING: icedove not found" -fi - -which vlc -if [ "$?" -eq 0 ]; -then - echo "TESTING: vlc" - ./vlc.exp -else - echo "TESTING: vlc not found" -fi - -which fbreader -if [ "$?" -eq 0 ]; -then - echo "TESTING: fbreader" - ./fbreader.exp -else - echo "TESTING: fbreader not found" -fi - -which deluge -if [ "$?" -eq 0 ]; -then - echo "TESTING: deluge" - ./deluge.exp -else - echo "TESTING: deluge not found" -fi - -which gnome-mplayer -if [ "$?" -eq 0 ]; -then - echo "TESTING: gnome-mplayer" - ./gnome-mplayer.exp -else - echo "TESTING: gnome-mplayer not found" -fi - -which xchat -if [ "$?" -eq 0 ]; -then - echo "TESTING: xchat" - ./xchat.exp -else - echo "TESTING: xchat not found" -fi - -which hexchat -if [ "$?" 
-eq 0 ]; -then - echo "TESTING: hexchat" - ./hexchat.exp -else - echo "TESTING: hexchat not found" -fi - -which weechat-curses -if [ "$?" -eq 0 ]; -then - echo "TESTING: weechat" - ./weechat.exp -else - echo "TESTING: weechat not found" -fi - -which wine -if [ "$?" -eq 0 ]; -then - echo "TESTING: wine" - ./wine.exp -else - echo "TESTING: wine not found" -fi - diff --git a/test/test.sh b/test/test.sh index 0fa26d86d..1204d8208 100755 --- a/test/test.sh +++ b/test/test.sh @@ -206,7 +206,6 @@ else echo "TESTING: dash not found" fi -./test-apps.sh ./test-apps-x11.sh echo "TESTING: PID (pid.exp)" diff --git a/test/transmission-gtk.exp b/test/transmission-gtk.exp deleted file mode 100755 index 1acfc6f94..000000000 --- a/test/transmission-gtk.exp +++ /dev/null 
@@ -1,75 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail transmission-gtk\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -sleep 10 - -spawn $env(SHELL) -send -- "firejail --list\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "transmission-gtk" -} -sleep 1 - -# grsecurity exit -send -- "file /proc/sys/kernel/grsecurity\r" -expect { - timeout {puts "TESTING ERROR - grsecurity detection\n";exit} - "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} - "cannot open" {puts "grsecurity not present\n"} -} -send -- "firejail --name=blablabla\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "firemon --seccomp\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - ":firejail transmission-gtk" -} -expect { - timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} - "Seccomp: 2" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "name=blablabla" -} -sleep 1 -send -- "firemon --caps\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - ":firejail transmission-gtk" -} -expect { - timeout {puts "TESTING ERROR 6.1\n";exit} - "CapBnd" -} -expect { - timeout {puts "TESTING ERROR 6.2\n";exit} - "0000000000000000" -} -expect { - timeout {puts "TESTING ERROR 6.3\n";exit} - "name=blablabla" -} -sleep 1 - -puts "\nall done\n" - diff --git a/test/transmission-qt.exp b/test/transmission-qt.exp deleted file mode 100755 index 944fd28a2..000000000 --- a/test/transmission-qt.exp +++ /dev/null 
@@ -1,80 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail transmission-qt\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Reading profile /etc/firejail/transmission-qt.profile" -} -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -sleep 10 - -spawn $env(SHELL) -send -- "firejail --list\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "transmission-qt" -} -sleep 1 - -# grsecurity exit -send -- "file /proc/sys/kernel/grsecurity\r" -expect { - timeout {puts "TESTING ERROR - grsecurity detection\n";exit} - "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} - "cannot open" {puts "grsecurity not present\n"} -} - -send -- "firejail --name=blablabla\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "firemon --seccomp\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - ":firejail transmission-qt" -} -expect { - timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} - "Seccomp: 2" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "name=blablabla" -} -sleep 1 -send -- "firemon --caps\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - ":firejail transmission-qt" -} -expect { - timeout {puts "TESTING ERROR 6.1\n";exit} - "CapBnd" -} -expect { - timeout {puts "TESTING ERROR 6.2\n";exit} - "0000000000000000" -} -expect { - timeout {puts "TESTING ERROR 6.3\n";exit} - "name=blablabla" -} -sleep 1 - -puts "\nall done\n" - diff --git a/test/vlc.exp b/test/vlc.exp deleted file mode 100755 index 290c0fc2f..000000000 --- a/test/vlc.exp +++ /dev/null 
@@ -1,80 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail vlc\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Reading profile /etc/firejail/vlc.profile" -} -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -sleep 3 - -spawn $env(SHELL) -send -- "firejail --list\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "vlc" -} -sleep 1 - -# grsecurity exit -send -- "file /proc/sys/kernel/grsecurity\r" -expect { - timeout {puts "TESTING ERROR - grsecurity detection\n";exit} - "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} - "cannot open" {puts "grsecurity not present\n"} -} - -send -- "firejail --name=blablabla\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "firemon --seccomp\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - ":firejail vlc" -} -expect { - timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} - "Seccomp: 2" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "name=blablabla" -} -sleep 1 -send -- "firemon --caps\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - ":firejail vlc" -} -expect { - timeout {puts "TESTING ERROR 6.1\n";exit} - "CapBnd:" -} -expect { - timeout {puts "TESTING ERROR 6.2\n";exit} - "0000000000000000" -} -expect { - timeout {puts "TESTING ERROR 6.3\n";exit} - "name=blablabla" -} -sleep 1 - -puts "\nall done\n" - diff --git a/test/weechat.exp b/test/weechat.exp deleted file mode 100755 index 630af55ee..000000000 --- a/test/weechat.exp +++ /dev/null 
@@ -1,80 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail weechat-curses\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Reading profile /etc/firejail/weechat.profile"
-}
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
-}
-sleep 3
-
-spawn $env(SHELL)
-send -- "firejail --list\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- ":firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 3.1\n";exit}
- "weechat-curses"
-}
-sleep 1
-
-# grsecurity exit
-send -- "file /proc/sys/kernel/grsecurity\r"
-expect {
- timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
- "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
- "cannot open" {puts "grsecurity not present\n"}
-}
-
-send -- "firejail --name=blablabla\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "firemon --seccomp\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "weechat-curses"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
- "Seccomp: 2"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1\n";exit}
- "name=blablabla"
-}
-sleep 1
-send -- "firemon --caps\r"
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- "weechat-curses"
-}
-expect {
- timeout {puts "TESTING ERROR 6.1\n";exit}
- "CapBnd:"
-}
-expect {
- timeout {puts "TESTING ERROR 6.2\n";exit}
- "0000000000000000"
-}
-expect {
- timeout {puts "TESTING ERROR 6.3\n";exit}
- "name=blablabla"
-}
-sleep 1
-
-puts "\n"
-
diff --git a/test/wine.exp b/test/wine.exp
deleted file mode 100755
index f5b7d12b4..000000000
--- a/test/wine.exp
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail wine --help\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Reading profile /etc/firejail/wine.profile"
-}
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
-}
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "Usage: wine PROGRAM"
-}
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "wine --version"
-}
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Parent is shutting down, bye..."
-}
-
-puts "\nall done\n"
-
diff --git a/test/xchat.exp b/test/xchat.exp
deleted file mode 100755
index cde89d754..000000000
--- a/test/xchat.exp
+++ /dev/null
@@ -1,80 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail xchat\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Reading profile /etc/firejail/xchat.profile"
-}
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
-}
-sleep 3
-
-spawn $env(SHELL)
-send -- "firejail --list\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- ":firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 3.1\n";exit}
- "xchat"
-}
-sleep 1
-
-# grsecurity exit
-send -- "file /proc/sys/kernel/grsecurity\r"
-expect {
- timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
- "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
- "cannot open" {puts "grsecurity not present\n"}
-}
-
-send -- "firejail --name=blablabla\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "firemon --seccomp\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- " xchat"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
- "Seccomp: 2"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1\n";exit}
- "name=blablabla"
-}
-sleep 1
-send -- "firemon --caps\r"
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- " xchat"
-}
-expect {
- timeout {puts "TESTING ERROR 6.1\n";exit}
- "CapBnd:"
-}
-expect {
- timeout {puts "TESTING ERROR 6.2\n";exit}
- "0000000000000000"
-}
-expect {
- timeout {puts "TESTING ERROR 6.3\n";exit}
- "name=blablabla"
-}
-sleep 1
-
-puts "\n"
-
-- cgit v1.2.3-70-g09d2 From b37ba96c81f96418834d0b32e32faa5bedea5649 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sat, 23 Apr 2016 00:57:12 +1000 Subject: Temp fix for #472 --- etc/disable-common.inc | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 4d05ba783..9faa2aa6a 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -141,3 +141,5 @@ blacklist ${PATH}/gnome-terminal
 blacklist ${PATH}/gnome-terminal.wrapper
 blacklist ${PATH}/xfce4-terminal
 blacklist ${PATH}/xfce4-terminal.wrapper
+blacklist ${PATH}/mate-terminal
+blacklist ${PATH}/mate-terminal.wrapper
-- cgit v1.2.3-70-g09d2 From 3373ab1bd7f1abd83246bfd1ddfe76aa77e0726c Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 22 Apr 2016 12:01:08 -0400 Subject: fix mate-terminal --- etc/disable-common.inc | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 4d05ba783..9faa2aa6a 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -141,3 +141,5 @@ blacklist ${PATH}/gnome-terminal
 blacklist ${PATH}/gnome-terminal.wrapper
 blacklist ${PATH}/xfce4-terminal
 blacklist ${PATH}/xfce4-terminal.wrapper
+blacklist ${PATH}/mate-terminal
+blacklist ${PATH}/mate-terminal.wrapper
-- cgit v1.2.3-70-g09d2 From b30aa0b66932e9ee9ceffdf12fa6540f2ca38986 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 22 Apr 2016 12:11:33 -0400 Subject: quiterss profile --- Makefile.in | 1 + README | 2 ++ README.md | 2 +- platform/debian/conffiles | 1 + 4 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/Makefile.in b/Makefile.in
index fbe9b24c4..b749d7f2f 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -172,6 +172,7 @@ realinstall:
 install -c -m 0644 .etc/aweather.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/stellarium.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/google-play-music-desktop-player.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+ install -c -m 0644 .etc/quiterss.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 rm -fr .etc
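Review bot: The added `blacklist ${PATH}/mate-terminal` and `mate-terminal.wrapper` entries in etc/disable-common.inc carry no comment saying why terminal emulators are denied, and the group matches binaries by name only, so a terminal that is not listed is unaffected. The later commits on this page that add lilyterm, pantheon-terminal, roxterm, terminix and urxvtc show the upkeep this needs, and the same point applies to those hunks. I would add a comment above the group, for example `# terminal emulators able to escape the sandbox (issue #472); add new ones here`; the reason is inferred from the README entry "escape-happy terminals", so the wording should be confirmed. The group starts above the hunk, so an existing comment there may already cover this.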
diff --git a/README b/README index 9ea2730ad..650b5236b 100644 --- a/README +++ b/README @@ -28,6 +28,7 @@ curiosity-seeker (https://github.com/curiosity-seeker) - dnsmasq profile - okular and gwenview profiles - cherrytree profile fixes + - added quiterss profile Matthew Gyurgyik (https://github.com/pyther) - rpm spec and several fixes Joan Figueras (https://github.com/figue) @@ -44,6 +45,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added Gpredict profile - added Aweather, Stellarium profiles - fixed HexChat and Atril profiles + - fixed disable-common.inc for mate-terminal avoidr (https://github.com/avoidr) - whitelist fix - recently-used.xbel fix diff --git a/README.md b/README.md index 8e68232b0..68ae3118a 100644 --- a/README.md +++ b/README.md @@ -282,5 +282,5 @@ $ man firejail-profile ## New security profiles lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox, OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf, -Warzone2100, okular, gwenview, Gpredict, Aweather, Stellarium, Google-Play-Music-Desktop-Player +Warzone2100, okular, gwenview, Gpredict, Aweather, Stellarium, Google-Play-Music-Desktop-Player, quiterss diff --git a/platform/debian/conffiles b/platform/debian/conffiles index a5ca6d072..8297f96eb 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -91,3 +91,4 @@ /etc/firejail/aweather.profile /etc/firejail/stellarium.profile /etc/firejail/google-play-music-desktop-player.profile +/etc/firejail/quiterss.profile -- cgit v1.2.3-70-g09d2 From 36be53b558c7acb69aa6bce0fd1ade810b4bb505 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 22 Apr 2016 12:13:21 -0400 Subject: quiterss profile --- RELNOTES | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELNOTES b/RELNOTES index 2a7e8ca60..91b41abcf 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -22,7 +22,7 @@ firejail (0.9.40-rc1) baseline; urgency=low * new profiles: qTox, OpenSSH client, OpenBox, Dillo, cmus, dnsmasq * new profiles: PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100 * new profiles: okular, gwenview, Google-Play-Music-Desktop-Player - * new profiles: Aweather, Stellarium, gpredict + * new profiles: Aweather, Stellarium, gpredict, quiterss * build rpm packages using "make rpms" * bugfixes -- netblue30 Sun, 3 Apr 2016 08:00:00 -0500 -- cgit v1.2.3-70-g09d2 From ca8f44000f4a6a459aa99b883b047b8e5f0efa90 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sat, 23 Apr 2016 04:51:04 +1000 Subject: blacklisted additional terminals --- README | 1 + etc/disable-common.inc | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/README b/README index 650b5236b..f2a9cef35 100644 --- a/README +++ b/README @@ -46,6 +46,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added Aweather, Stellarium profiles - fixed HexChat and Atril profiles - fixed disable-common.inc for mate-terminal + - blacklisted escape-happy terminals in disable-common.inc avoidr (https://github.com/avoidr) - whitelist fix - recently-used.xbel fix diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 9faa2aa6a..3613fbce3 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -143,3 +143,8 @@ blacklist ${PATH}/xfce4-terminal blacklist ${PATH}/xfce4-terminal.wrapper blacklist ${PATH}/mate-terminal blacklist ${PATH}/mate-terminal.wrapper +blacklist ${PATH}/lilyterm +blacklist ${PATH}/pantheon-terminal +blacklist ${PATH}/roxterm +blacklist ${PATH}/roxterm-config +blacklist ${PATH}/terminix -- cgit v1.2.3-70-g09d2 From ef25891cfb6f77f462bd47b9295adddda46ebb81 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sat, 23 Apr 2016 05:41:26 +1000 Subject: added urxvtc --- etc/disable-common.inc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 3613fbce3..479f32cb1 100644 --- a/etc/disable-common.inc 
+++ b/etc/disable-common.inc
@@ -148,3 +148,5 @@ blacklist ${PATH}/pantheon-terminal
 blacklist ${PATH}/roxterm
 blacklist ${PATH}/roxterm-config
 blacklist ${PATH}/terminix
+blacklist ${PATH}/urxvtc
+blacklist ${PATH}/urxvtcd
-- cgit v1.2.3-70-g09d2 From 23f24befa8ebc88e0ba198d889ee5e78e93c3a2f Mon Sep 17 00:00:00 2001 From: Ruan Date: Sat, 23 Apr 2016 10:46:49 +0200 Subject: Allow python3 for hexchat.profile HexChat uses python3 under Arch Linux, so this is required for it to launch. --- etc/hexchat.profile | 1 + 1 file changed, 1 insertion(+)
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index 7978960c8..bace1c9e6 100644
--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -1,6 +1,7 @@
 # HexChat instant messaging profile
 noblacklist ${HOME}/.config/hexchat
 noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-- cgit v1.2.3-70-g09d2 From 53a4601321db31b590019c729ab47e1ceb3679ea Mon Sep 17 00:00:00 2001 From: Ruan Date: Sat, 23 Apr 2016 14:44:55 +0200 Subject: Include common whitelist for hexchat.profile --- etc/hexchat.profile | 1 + 1 file changed, 1 insertion(+)
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index bace1c9e6..b77555e55 100644
--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -15,3 +15,4 @@ netfilter
 mkdir ~/.config
 mkdir ~/.config/hexchat
 whitelist ~/.config/hexchat
+include /etc/firejail/whitelist-common.inc
-- cgit v1.2.3-70-g09d2 From 2905b9f9ab5c5ed6f9210d1d843a8bcf41451854 Mon Sep 17 00:00:00 2001
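Review bot: The new `noblacklist /usr/lib/python3*` line in the first hexchat.profile hunk widens what the sandboxed client can reach, and the reason is recorded only in the commit message. A comment on the line, such as `# HexChat uses python3 on Arch Linux; required for launch`, would keep the exemption from being copied into other profiles that do not need it. Which of the three includes below it actually blacklists the Python tree is not visible in the hunk, so the comment should name that file once confirmed.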
From: netblue30 Date: Sat, 23 Apr 2016 08:53:07 -0400 Subject: make test-utils --- Makefile.in | 6 +++- test/apps/apps.sh | 3 ++ test/apps/chromium.exp | 3 ++ test/apps/deluge.exp | 3 ++ test/apps/evince.exp | 3 ++ test/apps/fbreader.exp | 3 ++ test/apps/firefox.exp | 3 ++ test/apps/gnome-mplayer.exp | 3 ++ test/apps/hexchat.exp | 3 ++ test/apps/icedove.exp | 3 ++ test/apps/midori.exp | 3 ++ test/apps/opera.exp | 3 ++ test/apps/transmission-gtk.exp | 3 ++ test/apps/transmission-qt.exp | 3 ++ test/apps/vlc.exp | 3 ++ test/apps/weechat.exp | 3 ++ test/apps/wine.exp | 3 ++ test/apps/xchat.exp | 3 ++ test/caps-print.exp | 29 ------------------- test/cpu-print.exp | 21 -------------- test/dns-print.exp | 21 -------------- test/fs-print.exp | 29 ------------------- test/ignore.exp | 47 ------------------------------- test/ignore.profile | 3 -- test/ignore2.profile | 3 -- test/option_help.exp | 22 --------------- test/option_list.exp | 48 -------------------------------- test/option_man.exp | 17 ------------ test/option_tree.exp | 60 ---------------------------------------- test/option_version.exp | 15 ---------- test/profiles/ignore.exp | 50 +++++++++++++++++++++++++++++++++ test/profiles/ignore.profile | 3 ++ test/profiles/ignore2.profile | 3 ++ test/profiles/profiles.sh | 7 +++-- test/protocol-print.exp | 21 -------------- test/seccomp-print.exp | 33 ---------------------- test/test.sh | 35 ----------------------- test/utils/caps-print.exp | 32 +++++++++++++++++++++ test/utils/cpu-print.exp | 24 ++++++++++++++++ test/utils/dns-print.exp | 24 ++++++++++++++++ test/utils/fs-print.exp | 32 +++++++++++++++++++++ test/utils/help.exp | 25 +++++++++++++++++ test/utils/list.exp | 51 ++++++++++++++++++++++++++++++++++ test/utils/man.exp | 20 ++++++++++++++ test/utils/protocol-print.exp | 24 ++++++++++++++++ test/utils/seccomp-print.exp | 36 ++++++++++++++++++++++++ test/utils/tree.exp | 63 ++++++++++++++++++++++++++++++++++++++++++ test/utils/utils.sh | 42 
++++++++++++++++++++++++++++ test/utils/version.exp | 18 ++++++++++++ 49 files changed, 508 insertions(+), 407 deletions(-) delete mode 100755 test/caps-print.exp delete mode 100755 test/cpu-print.exp delete mode 100755 test/dns-print.exp delete mode 100755 test/fs-print.exp delete mode 100755 test/ignore.exp delete mode 100644 test/ignore.profile delete mode 100644 test/ignore2.profile delete mode 100755 test/option_help.exp delete mode 100755 test/option_list.exp delete mode 100755 test/option_man.exp delete mode 100755 test/option_tree.exp delete mode 100755 test/option_version.exp create mode 100755 test/profiles/ignore.exp create mode 100644 test/profiles/ignore.profile create mode 100644 test/profiles/ignore2.profile delete mode 100755 test/protocol-print.exp delete mode 100755 test/seccomp-print.exp create mode 100755 test/utils/caps-print.exp create mode 100755 test/utils/cpu-print.exp create mode 100755 test/utils/dns-print.exp create mode 100755 test/utils/fs-print.exp create mode 100755 test/utils/help.exp create mode 100755 test/utils/list.exp create mode 100755 test/utils/man.exp create mode 100755 test/utils/protocol-print.exp create mode 100755 test/utils/seccomp-print.exp create mode 100755 test/utils/tree.exp create mode 100755 test/utils/utils.sh create mode 100755 test/utils/version.exp
diff --git a/Makefile.in b/Makefile.in
index b749d7f2f..93104bc02 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -242,6 +242,7 @@ dist:
 cd $(NAME)-$(VERSION); cp -a ../COPYING .; cp -a ../README .; cp -a ../RELNOTES .; cd ..
 cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/profiles test/.; cd ..
 cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/apps test/.; cd ..
+ cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/utils test/.; cd ..
 cd $(NAME)-$(VERSION); rm -fr `find . -name .svn`; rm -fr $(NAME)-$(VERSION); cd ..
 tar -cjvf $(NAME)-$(VERSION).tar.bz2 $(NAME)-$(VERSION)
 rm -fr $(NAME)-$(VERSION)
@@ -270,5 +271,8 @@ test-profiles: test-apps: cd test/apps; ./apps.sh | grep TESTING -test: test-profiles test-apps +test-utils: + cd test/utils; ./utils.sh | grep TESTING + +test: test-profiles test-utils test-apps echo "TEST COMPLETE" diff --git a/test/apps/apps.sh b/test/apps/apps.sh index ff561ef31..2410a0d92 100755 --- a/test/apps/apps.sh +++ b/test/apps/apps.sh @@ -1,4 +1,7 @@ #!/bin/bash +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) diff --git a/test/apps/chromium.exp b/test/apps/chromium.exp index 676f7e314..98ea66a51 100755 --- a/test/apps/chromium.exp +++ b/test/apps/chromium.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) diff --git a/test/apps/deluge.exp b/test/apps/deluge.exp index 9f5063495..5142ac184 100755 --- a/test/apps/deluge.exp +++ b/test/apps/deluge.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) diff --git a/test/apps/evince.exp b/test/apps/evince.exp index 3c3ad4bdd..e129a00fa 100755 --- a/test/apps/evince.exp +++ b/test/apps/evince.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) diff --git a/test/apps/fbreader.exp b/test/apps/fbreader.exp index d2bee880e..aa9d77c1c 100755 --- a/test/apps/fbreader.exp +++ b/test/apps/fbreader.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) diff --git a/test/apps/firefox.exp b/test/apps/firefox.exp index 2585e4b5c..5ac6b125e 100755 --- a/test/apps/firefox.exp 
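Review bot: The new `test-utils` recipe in the Makefile.in hunk, `cd test/utils; ./utils.sh | grep TESTING`, cannot fail on a failed check, because the recipe's status is grep's and grep succeeds on any `TESTING` line, including the `TESTING ERROR n` lines the expect scripts print on timeout before a plain `exit`. A regression in the caps, seccomp or dns print checks would therefore leave `make test` green; the `test-apps` context line has the same shape. I would use `&&` after the `cd` so the script never runs from the wrong directory, and make the recipe fail on an error line, for example `cd test/utils && ./utils.sh | tee utils.log | grep TESTING; ! grep -q "TESTING ERROR" utils.log`. utils.sh itself is outside this view, so whether it already propagates a status is not known.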
+++ b/test/apps/firefox.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) diff --git a/test/apps/gnome-mplayer.exp b/test/apps/gnome-mplayer.exp index 6965322fc..b460a5d79 100755 --- a/test/apps/gnome-mplayer.exp +++ b/test/apps/gnome-mplayer.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) diff --git a/test/apps/hexchat.exp b/test/apps/hexchat.exp index 7e99c8cdf..a24ccbf91 100755 --- a/test/apps/hexchat.exp +++ b/test/apps/hexchat.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) diff --git a/test/apps/icedove.exp b/test/apps/icedove.exp index 344febb93..9ae89535e 100755 --- a/test/apps/icedove.exp +++ b/test/apps/icedove.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) diff --git a/test/apps/midori.exp b/test/apps/midori.exp index 470f5de77..2225942e8 100755 --- a/test/apps/midori.exp +++ b/test/apps/midori.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) diff --git a/test/apps/opera.exp b/test/apps/opera.exp index 23eed5504..bfb2d6f83 100755 --- a/test/apps/opera.exp +++ b/test/apps/opera.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) diff --git a/test/apps/transmission-gtk.exp b/test/apps/transmission-gtk.exp index 1acfc6f94..92ed05cc4 100755 --- a/test/apps/transmission-gtk.exp 
+++ b/test/apps/transmission-gtk.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) diff --git a/test/apps/transmission-qt.exp b/test/apps/transmission-qt.exp index 944fd28a2..3ea2a112f 100755 --- a/test/apps/transmission-qt.exp +++ b/test/apps/transmission-qt.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) diff --git a/test/apps/vlc.exp b/test/apps/vlc.exp index 290c0fc2f..762e1fbd9 100755 --- a/test/apps/vlc.exp +++ b/test/apps/vlc.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) diff --git a/test/apps/weechat.exp b/test/apps/weechat.exp index 630af55ee..af2eab1cc 100755 --- a/test/apps/weechat.exp +++ b/test/apps/weechat.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) diff --git a/test/apps/wine.exp b/test/apps/wine.exp index f5b7d12b4..a2f465acb 100755 --- a/test/apps/wine.exp +++ b/test/apps/wine.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) diff --git a/test/apps/xchat.exp b/test/apps/xchat.exp index cde89d754..bfdf581be 100755 --- a/test/apps/xchat.exp +++ b/test/apps/xchat.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) diff --git a/test/caps-print.exp b/test/caps-print.exp deleted file mode 100755 index 39e5ec50a..000000000 --- a/test/caps-print.exp +++ /dev/null 
@@ -1,29 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --name=test\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "firejail --caps.print=test\r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "setgid - disabled"
-}
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "setuid - disabled"
-}
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "net_raw - disabled"
-}
-sleep 1
-puts "\nall done\n"
diff --git a/test/cpu-print.exp b/test/cpu-print.exp
deleted file mode 100755
index d8e3fbb04..000000000
--- a/test/cpu-print.exp
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --name=test --cpu=1,2\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "firejail --cpu.print=test\r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "Cpus_allowed_list: 1-2"
-}
-sleep 1
-puts "\nall done\n"
diff --git a/test/dns-print.exp b/test/dns-print.exp
deleted file mode 100755
index ee7b08e5e..000000000
--- a/test/dns-print.exp
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --name=test --dns=1.2.3.4\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "firejail --dns.print=test\r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "nameserver 1.2.3.4"
-}
-sleep 1
-puts "\nall done\n"
diff --git a/test/fs-print.exp b/test/fs-print.exp
deleted file mode 100755
index 48056a3bf..000000000
--- a/test/fs-print.exp
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --name=test\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "firejail --fs.print=test\r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "blacklist /boot"
-}
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "blacklist /dev/kmsg"
-}
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "blacklist /proc/kmsg"
-}
-sleep 1
-puts "\nall done\n"
diff --git a/test/ignore.exp b/test/ignore.exp
deleted file mode 100755
index c5ea25684..000000000
--- a/test/ignore.exp
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --profile=ignore.profile --ignore=seccomp \r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Error: please use --profile after --ignore"
-}
-
-send -- "firejail --debug --ignore=seccomp\r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- BLACKLIST {puts "TESTING ERROR 2\n";exit}
- "Child process initialized"
-}
-sleep 1
-send -- "exit\r"
-sleep 1
-
-send -- "firejail --ignore=seccomp --ignore=shell --profile=ignore.profile \r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "Child process initialized"
-}
-sleep 1
-
-send -- "ps aux | wc -l\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "5"
-}
-sleep 1
-send -- "exit\r"
-sleep 1
-
-send -- "firejail --debug --profile=ignore2.profile\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- BLACKLIST {puts "TESTING ERROR 6\n";exit}
- "Child process initialized"
-}
-
-
-puts "\nall done\n"
diff --git a/test/ignore.profile b/test/ignore.profile
deleted file mode 100644
index aec231ad2..000000000
--- a/test/ignore.profile
+++ /dev/null
@@ -1,3 +0,0 @@
-private
-seccomp
-shell none
diff --git a/test/ignore2.profile b/test/ignore2.profile
deleted file mode 100644
index 49fcd8324..000000000
--- a/test/ignore2.profile
+++ /dev/null
@@ -1,3 +0,0 @@
-ignore seccomp
-private
-seccomp
diff --git a/test/option_help.exp b/test/option_help.exp
deleted file mode 100755
index f4518219c..000000000
--- a/test/option_help.exp
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --help\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "License GPL version 2 or later"
-}
-after 100
-
-send -- "firejail -?\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "License GPL version 2 or later"
-}
-after 100
-
-puts "\n"
-
diff --git a/test/option_list.exp b/test/option_list.exp
deleted file mode 100755
index b9c73e52b..000000000
--- a/test/option_list.exp
+++ /dev/null
@@ -1,48 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
-}
-after 100
-
-spawn $env(SHELL)
-send -- "firejail\r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
-}
-after 100
-
-spawn $env(SHELL)
-send -- "firejail\r"
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "Child process initialized"
-}
-sleep 1
-
-spawn $env(SHELL)
-send -- "firejail --list\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- ":firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- ":firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- ":firejail"
-}
-after 100
-
-
-puts "\n"
-
diff --git a/test/option_man.exp b/test/option_man.exp
deleted file mode 100755
index d941a2432..000000000
--- a/test/option_man.exp
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "man firejail\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Linux namespaces sandbox program"
-}
-after 100
-
-send -- "q\r"
-after 100
-puts "\n"
-
diff --git a/test/option_tree.exp b/test/option_tree.exp
deleted file mode 100755
index 1841907d1..000000000
--- a/test/option_tree.exp
+++ /dev/null
@@ -1,60 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
-}
-after 100
-
-spawn $env(SHELL)
-send -- "firejail\r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
-}
-after 100
-
-spawn $env(SHELL)
-send -- "firejail\r"
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "Child process initialized"
-}
-sleep 1
-
-spawn $env(SHELL)
-send -- "firejail --tree\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- ":firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 3.1\n";exit}
- ":/bin/bash"
-}
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- ":firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 4.1\n";exit}
- ":/bin/bash"
-}
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- ":firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1\n";exit}
- ":/bin/bash"
-}
-after 100
-
-
-puts "\n"
-
diff --git a/test/option_version.exp b/test/option_version.exp
deleted file mode 100755
index 44c0c217f..000000000
--- a/test/option_version.exp
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --version\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "firejail version "
-}
-after 100
-
-puts "\n"
-
diff --git a/test/profiles/ignore.exp b/test/profiles/ignore.exp
new file mode 100755
index 000000000..281697b26
--- /dev/null
+++ b/test/profiles/ignore.exp
@@ -0,0 +1,50 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --profile=ignore.profile --ignore=seccomp \r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Error: please use --profile after --ignore"
+}
+
+send -- "firejail --debug --ignore=seccomp\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ BLACKLIST {puts "TESTING ERROR 2\n";exit}
+ "Child process initialized"
+}
+sleep 1
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --ignore=seccomp --ignore=shell --profile=ignore.profile \r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "ps aux | wc -l\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "5"
+}
+sleep 1
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --debug --profile=ignore2.profile\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ BLACKLIST {puts "TESTING ERROR 6\n";exit}
+ "Child process initialized"
+}
+
+
+puts "\nall done\n"
diff --git a/test/profiles/ignore.profile b/test/profiles/ignore.profile
new file mode 100644
index 000000000..aec231ad2
--- /dev/null
+++ b/test/profiles/ignore.profile
@@ -0,0 +1,3 @@
+private
+seccomp
+shell none
diff --git a/test/profiles/ignore2.profile b/test/profiles/ignore2.profile
new file mode 100644
index 000000000..49fcd8324
--- /dev/null
+++ b/test/profiles/ignore2.profile
@@ -0,0 +1,3 @@
+ignore seccomp
+private
+seccomp
diff --git a/test/profiles/profiles.sh b/test/profiles/profiles.sh
index a20ed5432..e3adc8a4f 100755
--- a/test/profiles/profiles.sh
+++ b/test/profiles/profiles.sh
@@ -14,9 +14,12 @@ do ./test-profile.exp $PROFILE done -echo "TESTING: profile syntax (profiles/profile_syntax.exp)" +echo "TESTING: profile syntax (test/profiles/profile_syntax.exp)" ./profile_syntax.exp -echo "TESTING: profile syntax 2 (profiles/profile_syntax2.exp)" +echo "TESTING: profile syntax 2 (test/profiles/profile_syntax2.exp)" ./profile_syntax2.exp +echo "TESTING: ignore command (test/profiles/ignore.exp)" +./ignore.exp + diff --git a/test/protocol-print.exp b/test/protocol-print.exp deleted file mode 100755 index 4d1ae34d6..000000000 --- a/test/protocol-print.exp +++ /dev/null @@ -1,21 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --name=test\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "firejail --protocol.print=test\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "unix,inet,inet6" -} -sleep 1 -puts "\nall done\n" diff --git a/test/seccomp-print.exp b/test/seccomp-print.exp deleted file mode 100755 index b4e6ed35e..000000000 --- a/test/seccomp-print.exp +++ /dev/null @@ -1,33 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --name=test\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "firejail --seccomp.print=test\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "EXAMINE_SYSCAL" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "init_module" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "delete_module" -} -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "RETURN_ALLOW" -} -sleep 1 -puts "\nall done\n" diff --git a/test/test.sh b/test/test.sh index 1204d8208..24827de9f 100755 --- a/test/test.sh +++ b/test/test.sh 
@@ -4,10 +4,6 @@ ./fscheck.sh -echo "TESTING: cpu.print (cpu-print.exp)" -echo "TESTING: failing under VirtualBox where there is only one CPU" -./cpu-print.exp - echo "TESTING: network profile (net_profile.exp)" ./net_profile.exp @@ -17,18 +13,6 @@ echo "TESTING: bandwidth (bandwidth.exp)" echo "TESTING: file transfer (ls.exp)" ./ls.exp -echo "TESTING: fs.print (fs-print.exp)" -./fs-print.exp - -echo "TESTING: dns.print (dns-print.exp)" -./dns-print.exp - -echo "TESTING: caps.print (caps-print.exp)" -./caps-print.exp - -echo "TESTING: seccomp.print (seccomp-print.exp)" -./seccomp-print.exp - echo "TESTING: protocol.print (protocol-print.exp)" ./protocol-print.exp @@ -53,9 +37,6 @@ echo "TESTING: environment variables (env.exp)" echo "TESTING: whitelist empty (whitelist-empty.exp)" ./whitelist-empty.exp -echo "TESTING: ignore command (ignore.exp)" -./ignore.exp - echo "TESTING: private-etc (private-etc.exp)" ./private-etc.exp @@ -83,22 +64,6 @@ rm -fr auto2 rm -fr auto3 rm -fr auto4 - -echo "TESTING: version (option_version.exp)" -./option_version.exp - -echo "TESTING: help (option_help.exp)" -./option_help.exp - -echo "TESTING: man (option_man.exp)" -./option_man.exp - -echo "TESTING: list (option_list.exp)" -./option_list.exp - -echo "TESTING: tree (option_tree.exp)" -./option_tree.exp - if [ -f /proc/self/uid_map ]; then echo "TESTING: noroot (noroot.exp)" diff --git a/test/utils/caps-print.exp b/test/utils/caps-print.exp new file mode 100755 index 000000000..9cc4b1872 --- /dev/null +++ b/test/utils/caps-print.exp 
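Review bot: test.sh still runs `./protocol-print.exp`: the second hunk removes the fs/dns/caps/seccomp `*.print` entries but leaves `echo "TESTING: protocol.print (protocol-print.exp)"` and the call below it as context. This same patch deletes test/protocol-print.exp and re-creates it as test/utils/protocol-print.exp, where utils.sh already invokes it, so the remaining call in test.sh points at a file that no longer exists. Those two lines should be dropped together with the other print tests.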
@@ -0,0 +1,32 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firejail --caps.print=test\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "setgid - disabled"
+}
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "setuid - disabled"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "net_raw - disabled"
+}
+sleep 1
+puts "\nall done\n"
diff --git a/test/utils/cpu-print.exp b/test/utils/cpu-print.exp
new file mode 100755
index 000000000..4a9ffa0ac
--- /dev/null
+++ b/test/utils/cpu-print.exp
@@ -0,0 +1,24 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --cpu=1,2\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firejail --cpu.print=test\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Cpus_allowed_list: 1-2"
+}
+sleep 1
+puts "\nall done\n"
diff --git a/test/utils/dns-print.exp b/test/utils/dns-print.exp
new file mode 100755
index 000000000..51dcab508
--- /dev/null
+++ b/test/utils/dns-print.exp
@@ -0,0 +1,24 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --dns=1.2.3.4\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firejail --dns.print=test\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "nameserver 1.2.3.4"
+}
+sleep 1
+puts "\nall done\n"
diff --git a/test/utils/fs-print.exp b/test/utils/fs-print.exp
new file mode 100755
index 000000000..fa0eab95b
--- /dev/null
+++ b/test/utils/fs-print.exp
@@ -0,0 +1,32 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firejail --fs.print=test\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "blacklist /boot"
+}
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "blacklist /dev/kmsg"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "blacklist /proc/kmsg"
+}
+sleep 1
+puts "\nall done\n"
diff --git a/test/utils/help.exp b/test/utils/help.exp
new file mode 100755
index 000000000..5b9864578
--- /dev/null
+++ b/test/utils/help.exp
@@ -0,0 +1,25 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --help\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "License GPL version 2 or later"
+}
+after 100
+
+send -- "firejail -?\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "License GPL version 2 or later"
+}
+after 100
+
+puts "\n"
+
diff --git a/test/utils/list.exp b/test/utils/list.exp
new file mode 100755
index 000000000..69db1f568
--- /dev/null
+++ b/test/utils/list.exp
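Review bot: Both `expect` blocks in help.exp print `TESTING ERROR 0` on timeout, so a failure log cannot tell whether `firejail --help` or `firejail -?` failed to print the licence line. Give the second block its own label, `timeout {puts "TESTING ERROR 1\n";exit}`, as the other scripts in this directory do for each step.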
@@ -0,0 +1,51 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+after 100
+
+spawn $env(SHELL)
+send -- "firejail\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+after 100
+
+spawn $env(SHELL)
+send -- "firejail\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ ":firejail"
+}
+after 100
+
+
+puts "\n"
+
diff --git a/test/utils/man.exp b/test/utils/man.exp
new file mode 100755
index 000000000..d29f760b0
--- /dev/null
+++ b/test/utils/man.exp
@@ -0,0 +1,20 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "man firejail\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Linux namespaces sandbox program"
+}
+after 100
+
+send -- "q\r"
+after 100
+puts "\n"
+
diff --git a/test/utils/protocol-print.exp b/test/utils/protocol-print.exp
new file mode 100755
index 000000000..152a64467
--- /dev/null
+++ b/test/utils/protocol-print.exp
@@ -0,0 +1,24 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firejail --protocol.print=test\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "unix,inet,inet6"
+}
+sleep 1
+puts "\nall done\n"
diff --git a/test/utils/seccomp-print.exp b/test/utils/seccomp-print.exp
new file mode 100755
index 000000000..d0531a9c3
--- /dev/null
+++ b/test/utils/seccomp-print.exp
@@ -0,0 +1,36 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firejail --seccomp.print=test\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "EXAMINE_SYSCAL"
+}
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "init_module"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "delete_module"
+}
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "RETURN_ALLOW"
+}
+sleep 1
+puts "\nall done\n"
diff --git a/test/utils/tree.exp b/test/utils/tree.exp
new file mode 100755
index 000000000..a8ef763f1
--- /dev/null
+++ b/test/utils/tree.exp
@@ -0,0 +1,63 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+after 100
+
+spawn $env(SHELL)
+send -- "firejail\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+after 100
+
+spawn $env(SHELL)
+send -- "firejail\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+spawn $env(SHELL)
+send -- "firejail --tree\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.1\n";exit}
+ ":/bin/bash"
+}
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 4.1\n";exit}
+ ":/bin/bash"
+}
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1\n";exit}
+ ":/bin/bash"
+}
+after 100
+
+
+puts "\n"
+
diff --git a/test/utils/utils.sh b/test/utils/utils.sh
new file mode 100755
index 000000000..02aaa57c0
--- /dev/null
+++ b/test/utils/utils.sh
@@ -0,0 +1,42 @@ +#!/bin/bash +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +export MALLOC_CHECK_=3 +export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) + +echo "TESTING: version (test/utils/version.exp)" +./version.exp + +echo "TESTING: help (test/utils/help.exp)" +./help.exp + +echo "TESTING: man (test/utils/man.exp)" +./man.exp + +echo "TESTING: list (test/utils/list.exp)" +./list.exp + +echo "TESTING: tree (test/utils/tree.exp)" +./tree.exp + +echo "TESTING: cpu.print (test/utils/cpu-print.exp)" +echo "TESTING: failing under VirtualBox where there is only one CPU" +./cpu-print.exp + +echo "TESTING: fs.print (test/utils/fs-print.exp)" +./fs-print.exp + +echo "TESTING: dns.print (test/utils/dns-print.exp)" +./dns-print.exp + +echo "TESTING: caps.print (test/utils/caps-print.exp)" +./caps-print.exp + +echo "TESTING: seccomp.print (test/utils/seccomp-print.exp)" +./seccomp-print.exp + +echo "TESTING: protocol.print (test/utils/protocol-print.exp)" +./protocol-print.exp + diff --git a/test/utils/version.exp b/test/utils/version.exp new file mode 100755 index 000000000..2ce6f1680 --- /dev/null +++ b/test/utils/version.exp @@ -0,0 +1,18 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --version\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "firejail version " +} +after 100 + +puts "\n" + -- cgit v1.2.3-70-g09d2 From 2169eadad84e98926fd01f4f85cd8497b62c28ac Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 23 Apr 2016 09:09:37 -0400 Subject: hexchat profile --- README | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README b/README index f2a9cef35..069a6e664 100644 --- a/README +++ b/README 
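Review bot: `./cpu-print.exp` runs unconditionally in utils.sh even though the echo line directly above it says the test fails on single-CPU machines. The script starts the sandbox with `--cpu=1,2` and expects `Cpus_allowed_list: 1-2`, so it can only pass where CPUs 1 and 2 both exist. Guarding the call, e.g. `if [ "$(nproc)" -ge 3 ]; then ./cpu-print.exp; else echo "TESTING: cpu.print skipped (fewer than 3 CPUs)"; fi`, keeps a known environment limit from being reported as `TESTING ERROR`.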
@@ -18,6 +18,8 @@ License: GPL v2 Firejail Authors: netblue30 (netblue30@yahoo.com) +Ruan (https://github.com/ruany) + - fixed hexchat profile Vasya Novikov (https://github.com/vn971) - Wesnoth profile - Hedegewars profile -- cgit v1.2.3-70-g09d2 From 7e1c057aeda3b598838cb66b9e827fc087f70c54 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Sat, 23 Apr 2016 16:16:51 -0400 Subject: make testing --- Makefile.in | 10 +- test/apps-x11/apps-x11.sh | 53 ++++++++++ test/apps-x11/chromium.exp | 85 ++++++++++++++++ test/apps-x11/firefox.exp | 90 +++++++++++++++++ test/apps-x11/icedove.exp | 85 ++++++++++++++++ test/apps-x11/transmission-gtk.exp | 85 ++++++++++++++++ test/apps-x11/xterm.exp | 85 ++++++++++++++++ test/auto/autotest.sh | 202 ------------------------------------- test/caps1.profile | 1 - test/caps2.profile | 1 - test/chromium-x11.exp | 82 --------------- test/firefox-x11.exp | 87 ---------------- test/firemon-caps.exp | 126 ----------------------- test/firemon-seccomp.exp | 45 --------- test/firemon/caps.exp | 129 +++++++++++++++++++++++ test/firemon/caps1.profile | 1 + test/firemon/caps2.profile | 1 + test/firemon/firemon.sh | 10 ++ test/firemon/seccomp.exp | 48 +++++++++ test/icedove-x11.exp | 82 --------------- test/test-apps-x11.sh | 47 --------- test/test.sh | 2 - test/transmission-gtk-x11.exp | 82 --------------- test/xterm-x11.exp | 82 --------------- 24 files changed, 681 insertions(+), 840 deletions(-) create mode 100755 test/apps-x11/apps-x11.sh create mode 100755 test/apps-x11/chromium.exp create mode 100755 test/apps-x11/firefox.exp create mode 100755 test/apps-x11/icedove.exp create mode 100755 test/apps-x11/transmission-gtk.exp create mode 100755 test/apps-x11/xterm.exp delete mode 100755 test/auto/autotest.sh delete mode 100644 test/caps1.profile delete mode 100644 test/caps2.profile delete mode 100755 test/chromium-x11.exp delete mode 100755 test/firefox-x11.exp delete mode 100755 test/firemon-caps.exp delete mode 100755 test/firemon-seccomp.exp create mode 100755 test/firemon/caps.exp create mode 100644 test/firemon/caps1.profile create mode 100644 test/firemon/caps2.profile create mode 100755 test/firemon/firemon.sh create mode 100755 test/firemon/seccomp.exp delete mode 100755 test/icedove-x11.exp delete mode 100755 test/test-apps-x11.sh delete mode 100755 
test/transmission-gtk-x11.exp delete mode 100755 test/xterm-x11.exp diff --git a/Makefile.in b/Makefile.in index 93104bc02..c93fc401d 100644 --- a/Makefile.in +++ b/Makefile.in @@ -243,6 +243,8 @@ dist: cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/profiles test/.; cd .. cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/apps test/.; cd .. cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/utils test/.; cd .. + cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/apps-x11 test/.; cd .. + cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/firemon test/.; cd .. cd $(NAME)-$(VERSION); rm -fr `find . -name .svn`; rm -fr $(NAME)-$(VERSION); cd .. tar -cjvf $(NAME)-$(VERSION).tar.bz2 $(NAME)-$(VERSION) rm -fr $(NAME)-$(VERSION) @@ -271,8 +273,14 @@ test-profiles: test-apps: cd test/apps; ./apps.sh | grep TESTING +test-apps-x11: + cd test/apps-x11; ./apps-x11.sh | grep TESTING + +test-firemon: + cd test/firemon; ./firemon.sh | grep TESTING + test-utils: cd test/utils; ./utils.sh | grep TESTING -test: test-profiles test-utils test-apps +test: test-profiles test-utils test-apps test-apps-x11 test-firemon echo "TEST COMPLETE" diff --git a/test/apps-x11/apps-x11.sh b/test/apps-x11/apps-x11.sh new file mode 100755 index 000000000..938d4c993 --- /dev/null +++ b/test/apps-x11/apps-x11.sh 
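Review bot: Adding `test-apps-x11` to the prerequisites of `test` makes the default test run depend on a desktop environment. The scripts under test/apps-x11 start browsers with `--x11 --net=br0` and open www.gentoo.org, and while apps-x11.sh skips applications that are not installed, nothing checks for an X display, the `br0` bridge or outbound network access. Keeping `test: test-profiles test-utils test-apps` and offering the heavier suites through a separate aggregate, e.g. `test-all: test test-apps-x11 test-firemon`, would let `make test` stay usable on a headless build host. Both new recipes also end in `| grep TESTING`, so the recipe status is grep's and a `TESTING ERROR` line does not fail the build; this matches the existing targets but deserves a comment in the Makefile.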
@@ -0,0 +1,53 @@ +#!/bin/bash +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +export MALLOC_CHECK_=3 +export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) + +which xterm +if [ "$?" -eq 0 ]; +then + echo "TESTING: xterm x11" + ./xterm.exp +else + echo "TESTING: xterm not found" +fi + +which firefox +if [ "$?" -eq 0 ]; +then + echo "TESTING: firefox x11" + ./firefox.exp +else + echo "TESTING: firefox not found" +fi + +which chromium +if [ "$?" -eq 0 ]; +then + echo "TESTING: chromium x11" + ./chromium.exp +else + echo "TESTING: chromium not found" +fi + +which transmission-gtk +if [ "$?" -eq 0 ]; +then + echo "TESTING: transmission-gtk x11" + ./transmission-gtk.exp +else + echo "TESTING: transmission-gtk not found" +fi + +which icedove +if [ "$?" -eq 0 ]; +then + echo "TESTING: icedove x11" + ./icedove.exp +else + echo "TESTING: icedovenot found" +fi + diff --git a/test/apps-x11/chromium.exp b/test/apps-x11/chromium.exp new file mode 100755 index 000000000..11677a28f --- /dev/null +++ b/test/apps-x11/chromium.exp 
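Review bot: The last fallback message in apps-x11.sh reads `echo "TESTING: icedovenot found"`, missing the space that the other four branches have; it should be `echo "TESTING: icedove not found"`. The five blocks also test `$?` after a bare `which`, whose output lands on stdout next to the test lines; `if command -v icedove >/dev/null; then` performs the same check in one step without the extra output.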
@@ -0,0 +1,85 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --name=test --x11 --net=br0 chromium www.gentoo.org\r" +sleep 10 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "chromium" +} +sleep 1 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 5.0\n";exit} + "chromium" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "Seccomp: 0" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 6.0\n";exit} + "chromium" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "fffffffff" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firejail --shutdown=test\r" +sleep 3 + + +puts "\nall done\n" + diff --git a/test/apps-x11/firefox.exp b/test/apps-x11/firefox.exp new file mode 100755 index 000000000..f7c128690 --- /dev/null +++ b/test/apps-x11/firefox.exp 
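Review bot: Every failure path in chromium.exp calls `exit` without stopping the sandbox started by `firejail --name=test --x11 --net=br0 chromium www.gentoo.org`; `firejail --shutdown=test` is reached only after all checks have passed, and the grsecurity branch leaves early as well. A browser that keeps running on `br0` under the name `test` may then be picked up by the next script, which reuses the same sandbox name. Sending the shutdown before leaving, e.g. `"grsecurity: directory" {puts "grsecurity present, exiting...\n"; send -- "firejail --shutdown=test\r"; sleep 3; exit}`, and doing the same in the timeout branches, would keep the runs independent. firefox.exp, icedove.exp, transmission-gtk.exp and xterm.exp later in this patch follow the same pattern.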
@@ -0,0 +1,90 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --name=test --x11 --net=br0 firefox -no-remote www.gentoo.org\r" +sleep 10 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "firefox" {puts "firefox detected\n";} + "iceweasel" {puts "iceweasel detected\n";} +} +expect { + timeout {puts "TESTING ERROR 3.2\n";exit} + "no-remote" +} +sleep 1 +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + " firefox" {puts "firefox detected\n";} + " iceweasel" {puts "iceweasel detected\n";} +} +expect { + timeout {puts "TESTING ERROR 5.0\n";exit} + "no-remote" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + " firefox" {puts "firefox detected\n";} + " iceweasel" {puts "iceweasel detected\n";} +} +expect { + timeout {puts "TESTING ERROR 6.0\n";exit} + "no-remote" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firejail --shutdown=test\r" +sleep 3 + +puts 
"\nall done\n" + diff --git a/test/apps-x11/icedove.exp b/test/apps-x11/icedove.exp new file mode 100755 index 000000000..ca6a49978 --- /dev/null +++ b/test/apps-x11/icedove.exp @@ -0,0 +1,85 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --name=test --net=br0 --x11 icedove\r" +sleep 10 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "icedove" +} +sleep 1 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 5.0\n";exit} + "icedove" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +sleep 2 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 6.0\n";exit} + "icedove" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firejail --shutdown=test\r" +sleep 3 + +puts "\nall done\n" + 
diff --git a/test/apps-x11/transmission-gtk.exp b/test/apps-x11/transmission-gtk.exp new file mode 100755 index 000000000..67b3fd202 --- /dev/null +++ b/test/apps-x11/transmission-gtk.exp @@ -0,0 +1,85 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --name=test --net=br0 --x11 transmission-gtk\r" +sleep 10 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "transmission-gtk" +} +sleep 1 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 5.0\n";exit} + "transmission-gtk" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 6.0\n";exit} + "transmission-gtk" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firejail --shutdown=test\r" +sleep 3 + +puts "\nall done\n" + 
diff --git a/test/apps-x11/xterm.exp b/test/apps-x11/xterm.exp new file mode 100755 index 000000000..26e58953e --- /dev/null +++ b/test/apps-x11/xterm.exp @@ -0,0 +1,85 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --name=test --net=br0 --x11 xterm\r" +sleep 10 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "xterm" +} +sleep 1 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 5.0\n";exit} + "xterm" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 6.0\n";exit} + "xterm" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firejail --shutdown=test\r" +sleep 3 + +puts "\nall done\n" + diff --git a/test/auto/autotest.sh b/test/auto/autotest.sh deleted file mode 100755 index 0fb7565af..000000000 --- a/test/auto/autotest.sh +++ /dev/null 
@@ -1,202 +0,0 @@ -#!/bin/bash - -arr[1]="TEST 1: svn and standard compilation" -arr[2]="TEST 2: cppcheck" -arr[3]="TEST 3: compile seccomp disabled, chroot disabled, bind disabled" -arr[4]="TEST 4: rvtest" -arr[5]="TEST 5: expect test as root, no malloc perturb" -arr[6]="TEST 6: expect test as user, no malloc perturb" -arr[7]="TEST 7: expect test as root, malloc perturb" -arr[8]="TEST 8: expect test as user, malloc perturb" - - -# remove previous reports and output file -cleanup() { - rm -f out-test - rm -f output* - rm -f report* - rm -fr firejail-trunk -} - -print_title() { - echo - echo - echo - echo "**************************************************" - echo $1 - echo "**************************************************" -} - -while [ $# -gt 0 ]; do # Until you run out of parameters . . . - case "$1" in - --clean) - cleanup - exit - ;; - --help) - echo "./autotest.sh [--clean|--help]" - exit - ;; - esac - shift # Check next set of parameters. -done - -cleanup -# enable sudo -sudo ls -al - -#***************************************************************** -# TEST 1 -#***************************************************************** -# - checkout source code -# - check compilation -# - install -#***************************************************************** -print_title "${arr[1]}" -svn checkout svn://svn.code.sf.net/p/firejail/code-0/trunk firejail-trunk -cd firejail-trunk -./configure --prefix=/usr 2>&1 | tee ../output-configure -make -j4 2>&1 | tee ../output-make -sudo make install 2>&1 | tee ../output-install -cd src/tools -gcc -o rvtest rvtest.c -cd ../.. -cd test -sudo ./configure > /dev/null -cd ../.. 
-grep warning output-configure output-make output-install > ./report-test1 -grep error output-configure output-make output-install >> ./report-test1 -cat report-test1 > out-test1 - -#***************************************************************** -# TEST 2 -#***************************************************************** -# - run cppcheck -#***************************************************************** -print_title "${arr[2]}" -cd firejail-trunk -cp /home/netblue/bin/cfg/std.cfg . -cppcheck --force . 2>&1 | tee ../output-cppcheck -cd .. -grep error output-cppcheck > report-test2 -cat report-test2 > out-test2 - -#***************************************************************** -# TEST 3 -#***************************************************************** -# - disable seccomp configuration -# - check compilation -#***************************************************************** -print_title "${arr[3]}" -# seccomp -cd firejail-trunk -make distclean -./configure --prefix=/usr --disable-seccomp 2>&1 | tee ../output-configure-noseccomp -make -j4 2>&1 | tee ../output-make-noseccomp -cd .. -grep warning output-configure-noseccomp output-make-noseccomp > ./report-test3 -grep error output-configure-noseccomp output-make-noseccomp >> ./report-test3 -# chroot -cd firejail-trunk -make distclean -./configure --prefix=/usr --disable-chroot 2>&1 | tee ../output-configure-nochroot -make -j4 2>&1 | tee ../output-make-nochroot -cd .. -grep warning output-configure-nochroot output-make-nochroot >> ./report-test3 -grep error output-configure-nochroot output-make-nochroot >> ./report-test3 -# bind -cd firejail-trunk -make distclean -./configure --prefix=/usr --disable-bind 2>&1 | tee ../output-configure-nobind -make -j4 2>&1 | tee ../output-make-nobind -cd .. 
-grep warning output-configure-nobind output-make-nobind >> ./report-test3 -grep error output-configure-nobind output-make-nobind >> ./report-test3 -# save result -cat report-test3 > out-test3 - -#***************************************************************** -# TEST 4 -#***************************************************************** -# - rvtest -#***************************************************************** -print_title "${arr[4]}" -cd firejail-trunk -cd test -../src/tools/rvtest test.rv 2>/dev/null | tee ../../output-test4 | grep TESTING -cd ../.. -grep TESTING output-test4 > ./report-test4 -grep ERROR report-test4 > out-test4 - - -#***************************************************************** -# TEST 5 -#***************************************************************** -# - expect test as root, no malloc perturb -#***************************************************************** -print_title "${arr[5]}" -cd firejail-trunk/test -sudo ./test-root.sh 2>&1 | tee ../../output-test5 | grep TESTING -cd ../.. -grep TESTING output-test5 > ./report-test5 -grep ERROR report-test5 > out-test5 - -#***************************************************************** -# TEST 6 -#***************************************************************** -# - expect test as user, no malloc perturb -#***************************************************************** -print_title "${arr[6]}" -cd firejail-trunk/test -./test.sh 2>&1 | tee ../../output-test6 | grep TESTING -cd ../.. 
-grep TESTING output-test6 > ./report-test6 -grep ERROR report-test6 > out-test6 - - - -#***************************************************************** -# TEST 7 -#***************************************************************** -# - expect test as root, malloc perturb -#***************************************************************** -print_title "${arr[7]}" -export MALLOC_CHECK_=3 -export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) -cd firejail-trunk/test -sudo ./test-root.sh 2>&1 | tee ../../output-test7 | grep TESTING -cd ../.. -grep TESTING output-test7 > ./report-test7 -grep ERROR report-test7 > out-test7 - -#***************************************************************** -# TEST 8 -#***************************************************************** -# - expect test as user, malloc perturb -#***************************************************************** -print_title "${arr[8]}" -cd firejail-trunk/test -./test.sh 2>&1 | tee ../../output-test8| grep TESTING -cd ../.. -grep TESTING output-test8 > ./report-test8 -grep ERROR report-test8 > out-test8 - -#***************************************************************** -# PRINT REPORTS -#***************************************************************** -echo -echo -echo -echo -echo "**********************************************************" -echo "TEST RESULTS" -echo "**********************************************************" - -wc -l out-test* -rm out-test* -echo - - - - -exit diff --git a/test/caps1.profile b/test/caps1.profile deleted file mode 100644 index e14655b2e..000000000 --- a/test/caps1.profile +++ /dev/null @@ -1 +0,0 @@ -caps.drop chown,kill \ No newline at end of file diff --git a/test/caps2.profile b/test/caps2.profile deleted file mode 100644 index cb2258c52..000000000 --- a/test/caps2.profile +++ /dev/null @@ -1 +0,0 @@ -caps.keep chown,kill \ No newline at end of file diff --git a/test/chromium-x11.exp b/test/chromium-x11.exp deleted file mode 100755 index bcac3233c..000000000 
--- a/test/chromium-x11.exp +++ /dev/null @@ -1,82 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --name=test --x11 --net=br0 chromium www.gentoo.org\r" -sleep 10 - -spawn $env(SHELL) -send -- "firejail --list\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "chromium" -} -sleep 1 - -# grsecurity exit -send -- "file /proc/sys/kernel/grsecurity\r" -expect { - timeout {puts "TESTING ERROR - grsecurity detection\n";exit} - "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} - "cannot open" {puts "grsecurity not present\n"} -} -send -- "firejail --name=blablabla\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "firemon --seccomp\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 5.0\n";exit} - "chromium" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "Seccomp: 0" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "name=blablabla" -} -sleep 1 -send -- "firemon --caps\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 6.0\n";exit} - "chromium" -} -expect { - timeout {puts "TESTING ERROR 6.1\n";exit} - "CapBnd:" -} -expect { - timeout {puts "TESTING ERROR 6.2\n";exit} - "fffffffff" -} -expect { - timeout {puts "TESTING ERROR 6.3\n";exit} - "name=blablabla" -} -sleep 1 -send -- "firejail --shutdown=test\r" -sleep 3 - - -puts "\nall done\n" - diff --git a/test/firefox-x11.exp b/test/firefox-x11.exp deleted file mode 100755 index 7e30437db..000000000 --- a/test/firefox-x11.exp +++ /dev/null 
@@ -1,87 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --name=test --x11 --net=br0 firefox -no-remote www.gentoo.org\r" -sleep 10 - -spawn $env(SHELL) -send -- "firejail --list\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "firefox" {puts "firefox detected\n";} - "iceweasel" {puts "iceweasel detected\n";} -} -expect { - timeout {puts "TESTING ERROR 3.2\n";exit} - "no-remote" -} -sleep 1 -# grsecurity exit -send -- "file /proc/sys/kernel/grsecurity\r" -expect { - timeout {puts "TESTING ERROR - grsecurity detection\n";exit} - "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} - "cannot open" {puts "grsecurity not present\n"} -} -send -- "firejail --name=blablabla\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "firemon --seccomp\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - " firefox" {puts "firefox detected\n";} - " iceweasel" {puts "iceweasel detected\n";} -} -expect { - timeout {puts "TESTING ERROR 5.0\n";exit} - "no-remote" -} -expect { - timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} - "Seccomp: 2" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "name=blablabla" -} -sleep 1 -send -- "firemon --caps\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - " firefox" {puts "firefox detected\n";} - " iceweasel" {puts "iceweasel detected\n";} -} -expect { - timeout {puts "TESTING ERROR 6.0\n";exit} - "no-remote" -} -expect { - timeout {puts "TESTING ERROR 6.1\n";exit} - "CapBnd:" -} -expect { - timeout {puts "TESTING ERROR 6.2\n";exit} - "0000000000000000" -} -expect { - timeout {puts "TESTING ERROR 6.3\n";exit} - "name=blablabla" -} -sleep 1 -send -- "firejail --shutdown=test\r" -sleep 3 - -puts "\nall done\n" - 
diff --git a/test/firemon-caps.exp b/test/firemon-caps.exp
deleted file mode 100755
index 3dd6384db..000000000
--- a/test/firemon-caps.exp
+++ /dev/null
@@ -1,126 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --name=bingo1 --noprofile --caps\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -spawn $env(SHELL) -send -- "firejail --name=bingo2 --noprofile\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -sleep 1 - -spawn $env(SHELL) -send -- "firejail --name=bingo3 --noprofile --caps.drop=all\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "Child process initialized" -} -sleep 1 - -spawn $env(SHELL) -send -- "firejail --noprofile --name=bingo4 --caps.drop=chown,kill\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "Child process initialized" -} -sleep 1 - -spawn $env(SHELL) -send -- "firejail --noprofile --name=bingo5 --caps.keep=chown,kill\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -sleep 1 - -spawn $env(SHELL) -send -- "firejail --name=bingo6 --profile=caps1.profile\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "Child process initialized" -} -sleep 1 - -spawn $env(SHELL) -send -- "firejail --name=bingo7 --profile=caps2.profile\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -spawn $env(SHELL) -send -- "firemon --caps\r" -expect { - timeout {puts "TESTING ERROR 8.1\n";exit} - "bingo1" -} -expect { - timeout {puts "TESTING ERROR 8.2\n";exit} - "31cffff" -} -expect { - timeout {puts "TESTING ERROR 8.3\n";exit} - "bingo2" -} -expect { - timeout {puts "TESTING ERROR 8.4\n";exit} - "fffffff" -} -expect { - timeout {puts "TESTING ERROR 8.5\n";exit} - "bingo3" -} -expect { - timeout {puts "TESTING ERROR 8.6\n";exit} - "000000000000" -} - -expect { - timeout {puts "TESTING ERROR 8.7\n";exit} - "bingo4" -} -expect { - timeout {puts "TESTING ERROR 8.8\n";exit} - "ffffffde" -} -expect { - timeout {puts "TESTING ERROR 8.9\n";exit} - "bingo5" -} -expect { - 
timeout {puts "TESTING ERROR 8.10\n";exit} - "0000000000000021" -} - -expect { - timeout {puts "TESTING ERROR 8.11\n";exit} - "bingo6" -} -expect { - timeout {puts "TESTING ERROR 8.12\n";exit} - "ffffffde" -} -expect { - timeout {puts "TESTING ERROR 8.13\n";exit} - "bingo7" -} -expect { - timeout {puts "TESTING ERROR 8.14\n";exit} - "0000000000000021" -} - -after 100 - -puts "all done\n" - diff --git a/test/firemon-seccomp.exp b/test/firemon-seccomp.exp deleted file mode 100755 index 55817faf3..000000000 --- a/test/firemon-seccomp.exp +++ /dev/null @@ -1,45 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --noprofile --name=bingo1 --seccomp\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -spawn $env(SHELL) -send -- "firejail --noprofile --name=bingo2\r" -expect { - timeout {puts "TESTING ERROR 0.1\n";exit} - "Child process initialized" -} -sleep 1 - - - - -spawn $env(SHELL) -send -- "firemon --seccomp\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "bingo1" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "Seccomp: 2" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "bingo2" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "Seccomp: 0" -} -after 100 - -puts "all done\n" diff --git a/test/firemon/caps.exp b/test/firemon/caps.exp new file mode 100755 index 000000000..ab1067921 --- /dev/null +++ b/test/firemon/caps.exp 
@@ -0,0 +1,129 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --name=bingo1 --noprofile --caps\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --name=bingo2 --noprofile\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --name=bingo3 --noprofile --caps.drop=all\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --noprofile --name=bingo4 --caps.drop=chown,kill\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --noprofile --name=bingo5 --caps.keep=chown,kill\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --name=bingo6 --profile=caps1.profile\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --name=bingo7 --profile=caps2.profile\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 8.1\n";exit} + "bingo1" +} +expect { + timeout {puts "TESTING ERROR 8.2\n";exit} + "31cffff" +} +expect { + timeout {puts "TESTING ERROR 8.3\n";exit} + "bingo2" +} +expect { + timeout {puts "TESTING ERROR 8.4\n";exit} + "fffffff" +} +expect { + timeout {puts "TESTING ERROR 8.5\n";exit} + "bingo3" +} +expect { + timeout {puts "TESTING ERROR 8.6\n";exit} + "000000000000" +} + +expect { + timeout {puts "TESTING ERROR 8.7\n";exit} + "bingo4" +} +expect { + timeout {puts "TESTING ERROR 
8.8\n";exit} + "ffffffde" +} +expect { + timeout {puts "TESTING ERROR 8.9\n";exit} + "bingo5" +} +expect { + timeout {puts "TESTING ERROR 8.10\n";exit} + "0000000000000021" +} + +expect { + timeout {puts "TESTING ERROR 8.11\n";exit} + "bingo6" +} +expect { + timeout {puts "TESTING ERROR 8.12\n";exit} + "ffffffde" +} +expect { + timeout {puts "TESTING ERROR 8.13\n";exit} + "bingo7" +} +expect { + timeout {puts "TESTING ERROR 8.14\n";exit} + "0000000000000021" +} + +after 100 + +puts "all done\n" + diff --git a/test/firemon/caps1.profile b/test/firemon/caps1.profile new file mode 100644 index 000000000..e14655b2e --- /dev/null +++ b/test/firemon/caps1.profile @@ -0,0 +1 @@ +caps.drop chown,kill \ No newline at end of file diff --git a/test/firemon/caps2.profile b/test/firemon/caps2.profile new file mode 100644 index 000000000..cb2258c52 --- /dev/null +++ b/test/firemon/caps2.profile @@ -0,0 +1 @@ +caps.keep chown,kill \ No newline at end of file diff --git a/test/firemon/firemon.sh b/test/firemon/firemon.sh new file mode 100755 index 000000000..edd548526 --- /dev/null +++ b/test/firemon/firemon.sh @@ -0,0 +1,10 @@ +#!/bin/bash +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +echo "TESTING: firemon --seccomp (test/firemon/seccomp.exp)" +./seccomp.exp + +echo "TESTING: firemon --caps (test/firemon/caps.exp)" +./caps.exp diff --git a/test/firemon/seccomp.exp b/test/firemon/seccomp.exp new file mode 100755 index 000000000..a318e39b1 --- /dev/null +++ b/test/firemon/seccomp.exp 
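Review bot: The timeout branch of the `bingo7` start-up step prints `TESTING ERROR 0`, the same label the `bingo1` step uses at the top of the file, so a report line cannot tell which of the two sandboxes failed to start. `timeout {puts "TESTING ERROR 6\n";exit}` would keep the labels unique, since 6 is not used elsewhere in this file. test/firemon/seccomp.exp has the same duplication: `TESTING ERROR 3` labels both the `bingo2` check and the `Seccomp: 0` check, and the second could become `TESTING ERROR 4`. These scripts are the regression check for the capability masks and seccomp state that firemon reports, so an unambiguous label matters when one of the expected values stops matching.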
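Review bot: `./seccomp.exp` and `./caps.exp` are resolved against the caller's working directory, and caps.exp in turn passes `--profile=caps1.profile` and `--profile=caps2.profile` as relative paths, so firemon.sh only works when it is started from test/firemon. Started from anywhere else, the shell reports the two scripts as not found and no `TESTING ERROR` line is printed; if results are collected by grepping the output for that string, the seccomp and capability checks would then look as if they had passed. Adding `cd "$(dirname "$0")" || exit 1` before the first `echo` removes the dependency on the caller's directory.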
@@ -0,0 +1,48 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --noprofile --name=bingo1 --seccomp\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --noprofile --name=bingo2\r" +expect { + timeout {puts "TESTING ERROR 0.1\n";exit} + "Child process initialized" +} +sleep 1 + + + + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "bingo1" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "bingo2" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "Seccomp: 0" +} +after 100 + +puts "all done\n" diff --git a/test/icedove-x11.exp b/test/icedove-x11.exp deleted file mode 100755 index 6f8eee90d..000000000 --- a/test/icedove-x11.exp +++ /dev/null 
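Review bot: The expected values `Seccomp: 2` and `Seccomp: 0` are not explained anywhere in the file, so a reader has to know the kernel's numbering to see what is being asserted for each sandbox. A comment above the `firemon --seccomp` step would document it, for example `# Seccomp: 2 = filter mode active (bingo1, started with --seccomp); Seccomp: 0 = seccomp disabled (bingo2)`. The numbering is the one used by the Seccomp field of /proc/PID/status, which is presumably where firemon takes the value from.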
@@ -1,82 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --name=test --net=br0 --x11 icedove\r" -sleep 10 - -spawn $env(SHELL) -send -- "firejail --list\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "icedove" -} -sleep 1 - -# grsecurity exit -send -- "file /proc/sys/kernel/grsecurity\r" -expect { - timeout {puts "TESTING ERROR - grsecurity detection\n";exit} - "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} - "cannot open" {puts "grsecurity not present\n"} -} - -send -- "firejail --name=blablabla\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "firemon --seccomp\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 5.0\n";exit} - "icedove" -} -expect { - timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} - "Seccomp: 2" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "name=blablabla" -} -sleep 2 -send -- "firemon --caps\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 6.0\n";exit} - "icedove" -} -expect { - timeout {puts "TESTING ERROR 6.1\n";exit} - "CapBnd" -} -expect { - timeout {puts "TESTING ERROR 6.2\n";exit} - "0000000000000000" -} -expect { - timeout {puts "TESTING ERROR 6.3\n";exit} - "name=blablabla" -} -sleep 1 -send -- "firejail --shutdown=test\r" -sleep 3 - -puts "\nall done\n" - diff --git a/test/test-apps-x11.sh b/test/test-apps-x11.sh deleted file mode 100755 index 93d984501..000000000 --- a/test/test-apps-x11.sh +++ /dev/null 
@@ -1,47 +0,0 @@ -#!/bin/bash - -which xterm -if [ "$?" -eq 0 ]; -then - echo "TESTING: xterm x11" - ./xterm-x11.exp -else - echo "TESTING: xterm not found" -fi - -which firefox -if [ "$?" -eq 0 ]; -then - echo "TESTING: firefox x11" - ./firefox-x11.exp -else - echo "TESTING: firefox not found" -fi - -which chromium -if [ "$?" -eq 0 ]; -then - echo "TESTING: chromium x11" - ./chromium-x11.exp -else - echo "TESTING: chromium not found" -fi - -which transmission-gtk -if [ "$?" -eq 0 ]; -then - echo "TESTING: transmission-gtk x11" - ./transmission-gtk-x11.exp -else - echo "TESTING: transmission-gtk not found" -fi - -which icedove -if [ "$?" -eq 0 ]; -then - echo "TESTING: icedove x11" - ./icedove-x11.exp -else - echo "TESTING: chromium not found" -fi - diff --git a/test/test.sh b/test/test.sh index 24827de9f..c88b8d486 100755 --- a/test/test.sh +++ b/test/test.sh @@ -171,8 +171,6 @@ else echo "TESTING: dash not found" fi -./test-apps-x11.sh - echo "TESTING: PID (pid.exp)" ./pid.exp diff --git a/test/transmission-gtk-x11.exp b/test/transmission-gtk-x11.exp deleted file mode 100755 index 4ee3de701..000000000 --- a/test/transmission-gtk-x11.exp +++ /dev/null 
@@ -1,82 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --name=test --net=br0 --x11 transmission-gtk\r" -sleep 10 - -spawn $env(SHELL) -send -- "firejail --list\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "transmission-gtk" -} -sleep 1 - -# grsecurity exit -send -- "file /proc/sys/kernel/grsecurity\r" -expect { - timeout {puts "TESTING ERROR - grsecurity detection\n";exit} - "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} - "cannot open" {puts "grsecurity not present\n"} -} - -send -- "firejail --name=blablabla\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "firemon --seccomp\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 5.0\n";exit} - "transmission-gtk" -} -expect { - timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} - "Seccomp: 2" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "name=blablabla" -} -sleep 1 -send -- "firemon --caps\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 6.0\n";exit} - "transmission-gtk" -} -expect { - timeout {puts "TESTING ERROR 6.1\n";exit} - "CapBnd" -} -expect { - timeout {puts "TESTING ERROR 6.2\n";exit} - "0000000000000000" -} -expect { - timeout {puts "TESTING ERROR 6.3\n";exit} - "name=blablabla" -} -sleep 1 -send -- "firejail --shutdown=test\r" -sleep 3 - -puts "\nall done\n" - diff --git a/test/xterm-x11.exp b/test/xterm-x11.exp deleted file mode 100755 index 592f77659..000000000 --- a/test/xterm-x11.exp +++ /dev/null 
@@ -1,82 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --name=test --net=br0 --x11 xterm\r" -sleep 10 - -spawn $env(SHELL) -send -- "firejail --list\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "xterm" -} -sleep 1 - -# grsecurity exit -send -- "file /proc/sys/kernel/grsecurity\r" -expect { - timeout {puts "TESTING ERROR - grsecurity detection\n";exit} - "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} - "cannot open" {puts "grsecurity not present\n"} -} - -send -- "firejail --name=blablabla\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "firemon --seccomp\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 5.0\n";exit} - "xterm" -} -expect { - timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} - "Seccomp: 2" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "name=blablabla" -} -sleep 1 -send -- "firemon --caps\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 6.0\n";exit} - "xterm" -} -expect { - timeout {puts "TESTING ERROR 6.1\n";exit} - "CapBnd" -} -expect { - timeout {puts "TESTING ERROR 6.2\n";exit} - "0000000000000000" -} -expect { - timeout {puts "TESTING ERROR 6.3\n";exit} - "name=blablabla" -} -sleep 1 -send -- "firejail --shutdown=test\r" -sleep 3 - -puts "\nall done\n" - -- cgit v1.2.3-70-g09d2 From c729d5927d5db964e71bfe30a269acf26786fef7 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Sat, 23 Apr 2016 20:35:52 -0400 Subject: testing --- test/catchsignal-master.sh | 4 --- test/catchsignal.sh | 27 ---------------- test/catchsignal2.sh | 49 ---------------------------- test/name.profile | 1 - test/option-join-profile.exp | 39 ----------------------- test/option-join.exp | 39 ----------------------- test/option-join2.exp | 39 ----------------------- test/option-join3.exp | 39 ----------------------- test/option-shutdown.exp | 30 ----------------- test/option-shutdown2.exp | 42 ------------------------ test/option-shutdown3.exp | 62 ------------------------------------ test/option-shutdown4.exp | 66 -------------------------------------- test/test.sh | 27 ++-------------- test/utils/catchsignal-master.sh | 4 +++ test/utils/catchsignal.sh | 27 ++++++++++++++++ test/utils/catchsignal2.sh | 49 ++++++++++++++++++++++++++++ test/utils/join-profile.exp | 39 +++++++++++++++++++++++ test/utils/join.exp | 42 ++++++++++++++++++++++++ test/utils/join2.exp | 42 ++++++++++++++++++++++++ test/utils/join3.exp | 42 ++++++++++++++++++++++++ test/utils/name.profile | 1 + test/utils/shutdown.exp | 33 +++++++++++++++++++ test/utils/shutdown2.exp | 45 ++++++++++++++++++++++++++ test/utils/shutdown3.exp | 65 +++++++++++++++++++++++++++++++++++++ test/utils/shutdown4.exp | 69 ++++++++++++++++++++++++++++++++++++++++ test/utils/utils.sh | 24 ++++++++++++++ 26 files changed, 485 insertions(+), 461 deletions(-) delete mode 100755 test/catchsignal-master.sh delete mode 100755 test/catchsignal.sh delete mode 100755 test/catchsignal2.sh delete mode 100644 test/name.profile delete mode 100755 test/option-join-profile.exp delete mode 100755 test/option-join.exp delete mode 100755 test/option-join2.exp delete mode 100755 test/option-join3.exp delete mode 100755 test/option-shutdown.exp delete mode 100755 test/option-shutdown2.exp delete mode 100755 test/option-shutdown3.exp delete mode 100755 test/option-shutdown4.exp create mode 100755 
test/utils/catchsignal-master.sh create mode 100755 test/utils/catchsignal.sh create mode 100755 test/utils/catchsignal2.sh create mode 100755 test/utils/join-profile.exp create mode 100755 test/utils/join.exp create mode 100755 test/utils/join2.exp create mode 100755 test/utils/join3.exp create mode 100644 test/utils/name.profile create mode 100755 test/utils/shutdown.exp create mode 100755 test/utils/shutdown2.exp create mode 100755 test/utils/shutdown3.exp create mode 100755 test/utils/shutdown4.exp diff --git a/test/catchsignal-master.sh b/test/catchsignal-master.sh deleted file mode 100755 index 62a1801cc..000000000 --- a/test/catchsignal-master.sh +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/bash - -./catchsignal.sh & -./catchsignal.sh & diff --git a/test/catchsignal.sh b/test/catchsignal.sh deleted file mode 100755 index 87a1d0adf..000000000 --- a/test/catchsignal.sh +++ /dev/null @@ -1,27 +0,0 @@ -#!/bin/bash - -_term() { - echo "Caught Signal" - echo 1 - sleep 1 - echo 2 - sleep 1 - echo 3 - sleep 1 - echo 4 - sleep 1 - echo 5 - sleep 1 - - kill $pid - exit -} - -trap _term SIGTERM -trap _term SIGINT - -echo "Sleeping..." - -sleep inf & -pid=$! -wait $pid diff --git a/test/catchsignal2.sh b/test/catchsignal2.sh deleted file mode 100755 index 424350397..000000000 --- a/test/catchsignal2.sh +++ /dev/null @@ -1,49 +0,0 @@ -#!/bin/bash - -_term() { - echo "Caught Signal" - echo 1 - sleep 1 - echo 2 - sleep 1 - echo 3 - sleep 1 - echo 4 - sleep 1 - echo 5 - sleep 1 - - echo 10 - sleep 1 - echo 20 - sleep 1 - echo 30 - sleep 1 - echo 40 - sleep 1 - echo 50 - sleep 1 - - echo 100 - sleep 1 - echo 200 - sleep 1 - echo 300 - sleep 1 - echo 400 - sleep 1 - echo 500 - sleep 1 - - kill $pid - exit -} - -trap _term SIGTERM -trap _term SIGINT - -echo "Sleeping..." - -sleep inf & -pid=$! -wait $pid diff --git a/test/name.profile b/test/name.profile deleted file mode 100644 index 1aa9f2d64..000000000 --- a/test/name.profile +++ /dev/null @@ -1 +0,0 @@ -name jointesting 
diff --git a/test/option-join-profile.exp b/test/option-join-profile.exp deleted file mode 100755 index 9200980a1..000000000 --- a/test/option-join-profile.exp +++ /dev/null @@ -1,39 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --profile=name.profile\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 3 - -spawn $env(SHELL) -send -- "firejail --join=jointesting;pwd\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Switching to pid" -} -sleep 3 - - -spawn $env(SHELL) -send -- "firejail --shutdown=jointesting;pwd\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "home" -} -sleep 5 - -send -- "firejail --list;pwd\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "jointesting" {puts "TESTING ERROR 5\n";exit} - "home" -} -sleep 1 - -puts "\nall done\n" diff --git a/test/option-join.exp b/test/option-join.exp deleted file mode 100755 index 6250e87a2..000000000 --- a/test/option-join.exp +++ /dev/null @@ -1,39 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --name=svntesting\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 3 - -spawn $env(SHELL) -send -- "firejail --join=svntesting;pwd\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Switching to pid" -} -sleep 1 - - -spawn $env(SHELL) -send -- "firejail --shutdown=svntesting;pwd\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "home" -} -sleep 1 - -send -- "firejail --list;pwd\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "svntesting" {puts "TESTING ERROR 5\n";exit} - "home" -} -sleep 1 - -puts "\nall done\n" diff --git a/test/option-join2.exp b/test/option-join2.exp deleted file mode 100755 index 630b62d9e..000000000 --- a/test/option-join2.exp +++ /dev/null 
@@ -1,39 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --name=\"svn testing\"\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 3 - -spawn $env(SHELL) -send -- "firejail --join=\"svn testing\";pwd\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Switching to pid" -} -sleep 1 - - -spawn $env(SHELL) -send -- "firejail --shutdown=\"svn testing\";pwd\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "home" -} -sleep 1 - -send -- "firejail --list;pwd\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "svn testing" {puts "TESTING ERROR 5\n";exit} - "home" -} -sleep 1 - -puts "\nall done\n" diff --git a/test/option-join3.exp b/test/option-join3.exp deleted file mode 100755 index aa8a445df..000000000 --- a/test/option-join3.exp +++ /dev/null @@ -1,39 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --name=svn\\ testing\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 3 - -spawn $env(SHELL) -send -- "firejail --join=svn\\ testing;pwd\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Switching to pid" -} -sleep 1 - - -spawn $env(SHELL) -send -- "firejail --shutdown=svn\\ testing;pwd\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "home" -} -sleep 1 - -send -- "firejail --list;pwd\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "svn testing" {puts "TESTING ERROR 5\n";exit} - "home" -} -sleep 1 - -puts "\nall done\n" diff --git a/test/option-shutdown.exp b/test/option-shutdown.exp deleted file mode 100755 index e869f7611..000000000 --- a/test/option-shutdown.exp +++ /dev/null 
@@ -1,30 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --name=shutdowntesting\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 3 - -spawn $env(SHELL) -send -- "firejail --shutdown=shutdowntesting;pwd\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "home" -} -sleep 1 - -send -- "firejail --list;pwd\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "shutdowntesting" {puts "TESTING ERROR 6\n";exit} - "home" -} -sleep 1 - -puts "\nalldone\n" diff --git a/test/option-shutdown2.exp b/test/option-shutdown2.exp deleted file mode 100755 index 403bc30be..000000000 --- a/test/option-shutdown2.exp +++ /dev/null @@ -1,42 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -set firstspawn $spawn_id - -send -- "firejail --name=shutdowntesting ./catchsignal.sh\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "firejail --shutdown=shutdowntesting\r" - -set spawn_id $firstspawn -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "1" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "2" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "3" -} -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "4" -} -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "5" -} -sleep 1 - -puts "\nalldone\n" diff --git a/test/option-shutdown3.exp b/test/option-shutdown3.exp deleted file mode 100755 index 0ef371cd8..000000000 --- a/test/option-shutdown3.exp +++ /dev/null 
@@ -1,62 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -set firstspawn $spawn_id - -send -- "firejail --name=shutdowntesting ./catchsignal-master.sh\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "firejail --shutdown=shutdowntesting\r" - -set spawn_id $firstspawn -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "1" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "1" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "2" -} -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "2" -} -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "3" -} -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "3" -} -expect { - timeout {puts "TESTING ERROR 7\n";exit} - "4" -} -expect { - timeout {puts "TESTING ERROR 8\n";exit} - "4" -} -expect { - timeout {puts "TESTING ERROR 9\n";exit} - "5" -} -expect { - timeout {puts "TESTING ERROR 10\n";exit} - "5" -} -sleep 1 - -puts "\nalldone\n" diff --git a/test/option-shutdown4.exp b/test/option-shutdown4.exp deleted file mode 100755 index f188ec66d..000000000 --- a/test/option-shutdown4.exp +++ /dev/null 
@@ -1,66 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -set firstspawn $spawn_id - -send -- "firejail --name=shutdowntesting ./catchsignal2.sh\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "firejail --shutdown=shutdowntesting\r" - -set spawn_id $firstspawn -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "1" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "2" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "3" -} -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "4" -} -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "5" -} -expect { - timeout {puts "TESTING ERROR 10\n";exit} - "10" -} -expect { - timeout {puts "TESTING ERROR 20\n";exit} - "20" -} -expect { - timeout {puts "TESTING ERROR 30\n";exit} - "30" -} -expect { - timeout {puts "TESTING ERROR 40\n";exit} - "40" -} -expect { - timeout {puts "TESTING ERROR 50\n";exit} - "50" -} -expect { - timeout {puts "TESTING ERROR 60\n";exit} - "Killed" -} -sleep 1 - -puts "\nalldone\n" diff --git a/test/test.sh b/test/test.sh index c88b8d486..ba5268036 100755 --- a/test/test.sh +++ b/test/test.sh @@ -1,4 +1,7 @@ #!/bin/bash +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 ./chk_config.exp 
@@ -96,30 +99,6 @@ echo "TESTING: kmsg access (kmsg.exp)" echo "TESTING: rlimit (option_rlimit.exp)" ./option_rlimit.exp -echo "TESTING: shutdown (option_shutdown.exp)" -./option-shutdown.exp - -echo "TESTING: shutdown2 (option_shutdown2.exp)" -./option-shutdown2.exp - -echo "TESTING: shutdown3 (option_shutdown3.exp)" -./option-shutdown3.exp - -echo "TESTING: shutdown4 (option_shutdown4.exp)" -./option-shutdown4.exp - -echo "TESTING: join (option-join.exp)" -./option-join.exp - -echo "TESTING: join2 (option-join2.exp)" -./option-join2.exp - -echo "TESTING: join3 (option-join3.exp)" -./option-join3.exp - -echo "TESTING: join profile (option-join-profile.exp)" -./option-join-profile.exp - echo "TESTING: firejail in firejail - single sandbox (firejail-in-firejail.exp)" ./firejail-in-firejail.exp diff --git a/test/utils/catchsignal-master.sh b/test/utils/catchsignal-master.sh new file mode 100755 index 000000000..62a1801cc --- /dev/null +++ b/test/utils/catchsignal-master.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +./catchsignal.sh & +./catchsignal.sh & diff --git a/test/utils/catchsignal.sh b/test/utils/catchsignal.sh new file mode 100755 index 000000000..87a1d0adf --- /dev/null +++ b/test/utils/catchsignal.sh @@ -0,0 +1,27 @@ +#!/bin/bash + +_term() { + echo "Caught Signal" + echo 1 + sleep 1 + echo 2 + sleep 1 + echo 3 + sleep 1 + echo 4 + sleep 1 + echo 5 + sleep 1 + + kill $pid + exit +} + +trap _term SIGTERM +trap _term SIGINT + +echo "Sleeping..." + +sleep inf & +pid=$! +wait $pid diff --git a/test/utils/catchsignal2.sh b/test/utils/catchsignal2.sh new file mode 100755 index 000000000..424350397 --- /dev/null +++ b/test/utils/catchsignal2.sh 
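Review bot: In test/utils/catchsignal.sh, `kill $pid` in `_term` runs with an empty argument if a signal arrives before `pid=$!` has executed, because both `trap` lines precede the `sleep inf &` line. In that case kill only prints a usage error, and a `sleep inf` that has already been started may be left running. Guarding the call, `[ -n "$pid" ] && kill "$pid"`, or moving the two `trap` lines below `pid=$!`, closes the window. test/utils/catchsignal2.sh has the same ordering.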
@@ -0,0 +1,49 @@ +#!/bin/bash + +_term() { + echo "Caught Signal" + echo 1 + sleep 1 + echo 2 + sleep 1 + echo 3 + sleep 1 + echo 4 + sleep 1 + echo 5 + sleep 1 + + echo 10 + sleep 1 + echo 20 + sleep 1 + echo 30 + sleep 1 + echo 40 + sleep 1 + echo 50 + sleep 1 + + echo 100 + sleep 1 + echo 200 + sleep 1 + echo 300 + sleep 1 + echo 400 + sleep 1 + echo 500 + sleep 1 + + kill $pid + exit +} + +trap _term SIGTERM +trap _term SIGINT + +echo "Sleeping..." + +sleep inf & +pid=$! +wait $pid diff --git a/test/utils/join-profile.exp b/test/utils/join-profile.exp new file mode 100755 index 000000000..9200980a1 --- /dev/null +++ b/test/utils/join-profile.exp @@ -0,0 +1,39 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --profile=name.profile\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 3 + +spawn $env(SHELL) +send -- "firejail --join=jointesting;pwd\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Switching to pid" +} +sleep 3 + + +spawn $env(SHELL) +send -- "firejail --shutdown=jointesting;pwd\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "home" +} +sleep 5 + +send -- "firejail --list;pwd\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "jointesting" {puts "TESTING ERROR 5\n";exit} + "home" +} +sleep 1 + +puts "\nall done\n" diff --git a/test/utils/join.exp b/test/utils/join.exp new file mode 100755 index 000000000..fc94a22c3 --- /dev/null +++ b/test/utils/join.exp 
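Review bot: catchsignal2.sh carries no comment saying why its handler runs three times as long as the one in catchsignal.sh, fifteen one-second steps instead of five. Judging from the removed test/option-shutdown4.exp, which expects the output to stop after `50` and then expects `Killed`, the length is deliberate: the handler is meant to outlast the wait that `firejail --shutdown` grants before it forces termination. A header comment such as `# handler runs ~15 s on purpose; shutdown4.exp expects the sandbox to be killed before it finishes` would keep a later cleanup from shortening the fixture and silently removing the forced-kill coverage.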
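Review bot: In test/utils/join-profile.exp, the `"home"` pattern that marks the end of `firejail --shutdown=jointesting;pwd` and of `firejail --list;pwd` only matches when the working directory path contains the string home. When the tree is checked out elsewhere, for example under /root or /tmp, the test times out with `TESTING ERROR 3` or `TESTING ERROR 4` even though firejail behaved correctly. join.exp, join2.exp, join3.exp and shutdown.exp use the same pattern. At minimum the requirement should be stated at the top of each file, e.g. `# pwd output is the end-of-command marker: run from a directory whose path contains "home"`. A marker that does not depend on the checkout location would be more robust, as long as it cannot be matched by the echoed command line.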
@@ -0,0 +1,42 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --name=svntesting\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 3 + +spawn $env(SHELL) +send -- "firejail --join=svntesting;pwd\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Switching to pid" +} +sleep 1 + + +spawn $env(SHELL) +send -- "firejail --shutdown=svntesting;pwd\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "home" +} +sleep 1 + +send -- "firejail --list;pwd\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "svntesting" {puts "TESTING ERROR 5\n";exit} + "home" +} +sleep 1 + +puts "\nall done\n" diff --git a/test/utils/join2.exp b/test/utils/join2.exp new file mode 100755 index 000000000..749e8900f --- /dev/null +++ b/test/utils/join2.exp @@ -0,0 +1,42 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --name=\"svn testing\"\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 3 + +spawn $env(SHELL) +send -- "firejail --join=\"svn testing\";pwd\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Switching to pid" +} +sleep 1 + + +spawn $env(SHELL) +send -- "firejail --shutdown=\"svn testing\";pwd\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "home" +} +sleep 1 + +send -- "firejail --list;pwd\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "svn testing" {puts "TESTING ERROR 5\n";exit} + "home" +} +sleep 1 + +puts "\nall done\n" diff --git a/test/utils/join3.exp b/test/utils/join3.exp new file mode 100755 index 000000000..0a686bc36 --- /dev/null +++ b/test/utils/join3.exp 
@@ -0,0 +1,42 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --name=svn\\ testing\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 3 + +spawn $env(SHELL) +send -- "firejail --join=svn\\ testing;pwd\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Switching to pid" +} +sleep 1 + + +spawn $env(SHELL) +send -- "firejail --shutdown=svn\\ testing;pwd\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "home" +} +sleep 1 + +send -- "firejail --list;pwd\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "svn testing" {puts "TESTING ERROR 5\n";exit} + "home" +} +sleep 1 + +puts "\nall done\n" diff --git a/test/utils/name.profile b/test/utils/name.profile new file mode 100644 index 000000000..1aa9f2d64 --- /dev/null +++ b/test/utils/name.profile @@ -0,0 +1 @@ +name jointesting diff --git a/test/utils/shutdown.exp b/test/utils/shutdown.exp new file mode 100755 index 000000000..135f42d28 --- /dev/null +++ b/test/utils/shutdown.exp @@ -0,0 +1,33 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --name=shutdowntesting\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 3 + +spawn $env(SHELL) +send -- "firejail --shutdown=shutdowntesting;pwd\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "home" +} +sleep 1 + +send -- "firejail --list;pwd\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "shutdowntesting" {puts "TESTING ERROR 6\n";exit} + "home" +} +sleep 1 + +puts "\nalldone\n" diff --git a/test/utils/shutdown2.exp b/test/utils/shutdown2.exp new file mode 100755 index 000000000..7857b919c --- /dev/null +++ b/test/utils/shutdown2.exp 
@@ -0,0 +1,45 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +set firstspawn $spawn_id + +send -- "firejail --name=shutdowntesting ./catchsignal.sh\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firejail --shutdown=shutdowntesting\r" + +set spawn_id $firstspawn +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "1" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "2" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "3" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "4" +} +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "5" +} +sleep 1 + +puts "\nalldone\n" diff --git a/test/utils/shutdown3.exp b/test/utils/shutdown3.exp new file mode 100755 index 000000000..02b68c4ce --- /dev/null +++ b/test/utils/shutdown3.exp 
@@ -0,0 +1,65 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +set firstspawn $spawn_id + +send -- "firejail --name=shutdowntesting ./catchsignal-master.sh\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firejail --shutdown=shutdowntesting\r" + +set spawn_id $firstspawn +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "1" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "1" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "2" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "2" +} +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "3" +} +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "3" +} +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "4" +} +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "4" +} +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "5" +} +expect { + timeout {puts "TESTING ERROR 10\n";exit} + "5" +} +sleep 1 + +puts "\nalldone\n" diff --git a/test/utils/shutdown4.exp b/test/utils/shutdown4.exp new file mode 100755 index 000000000..613f3fbc8 --- /dev/null +++ b/test/utils/shutdown4.exp 
@@ -0,0 +1,69 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+set firstspawn $spawn_id
+
+send -- "firejail --name=shutdowntesting ./catchsignal2.sh\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firejail --shutdown=shutdowntesting\r"
+
+set spawn_id $firstspawn
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "1"
+}
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "2"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "3"
+}
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "4"
+}
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "5"
+}
+expect {
+ timeout {puts "TESTING ERROR 10\n";exit}
+ "10"
+}
+expect {
+ timeout {puts "TESTING ERROR 20\n";exit}
+ "20"
+}
+expect {
+ timeout {puts "TESTING ERROR 30\n";exit}
+ "30"
+}
+expect {
+ timeout {puts "TESTING ERROR 40\n";exit}
+ "40"
+}
+expect {
+ timeout {puts "TESTING ERROR 50\n";exit}
+ "50"
+}
+expect {
+ timeout {puts "TESTING ERROR 60\n";exit}
+ "Killed"
+}
+sleep 1
+
+puts "\nalldone\n"
diff --git a/test/utils/utils.sh b/test/utils/utils.sh
index 02aaa57c0..a40845a5f 100755
--- a/test/utils/utils.sh
+++ b/test/utils/utils.sh
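Review bot: The bare patterns `"1"` through `"5"` in shutdown4.exp are unanchored glob matches, so any output containing that digit (a pid, a later `10`–`50` line) satisfies them, not only the handler's own line. For a test that is supposed to show the sandboxed process received SIGTERM and was later killed, first matching the handler's `Caught Signal` line and then anchoring each step, e.g. `-re {\n1\r?\n}`, would make a pass mean what it claims. shutdown2.exp and shutdown3.exp use the same bare-digit patterns. Each timeout arm also calls `exit` with no status, so a failure is only visible as text.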
@@ -40,3 +40,27 @@ echo "TESTING: seccomp.print (test/utils/seccomp-print.exp)" echo "TESTING: protocol.print (test/utils/protocol-print.exp)" ./protocol-print.exp +echo "TESTING: shutdown (test/utils/shutdown.exp)" +./shutdown.exp + +echo "TESTING: shutdown2 (test/utils/shutdown2.exp)" +./shutdown2.exp + +echo "TESTING: shutdown3 (test/utils/shutdown3.exp)" +./shutdown3.exp + +echo "TESTING: shutdown4 (test/utils/shutdown4.exp)" +./shutdown4.exp + +echo "TESTING: join test/utils/(join.exp)" +./join.exp + +echo "TESTING: join2 test/utils/(join2.exp)" +.join2.exp + +echo "TESTING: join3 (test/utils/join3.exp)" +./join3.exp + +echo "TESTING: join profile (test/utils/join-profile.exp)" +./join-profile.exp + -- cgit v1.2.3-70-g09d2 From 020c5449036c461ea1829e854da43429322059d6 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Sun, 24 Apr 2016 06:32:15 -0400 Subject: testing --- Makefile.in | 5 ++- test/env.exp | 55 ---------------------------- test/env.profile | 2 -- test/environment/csh.exp | 43 ++++++++++++++++++++++ test/environment/dash.exp | 41 +++++++++++++++++++++ test/environment/env.exp | 58 ++++++++++++++++++++++++++++++ test/environment/env.profile | 2 ++ test/environment/environment.sh | 47 ++++++++++++++++++++++++ test/environment/firejail-in-firejail.exp | 24 +++++++++++++ test/environment/firejail-in-firejail2.exp | 24 +++++++++++++ test/environment/rlimit-profile.exp | 36 +++++++++++++++++++ test/environment/rlimit.exp | 36 +++++++++++++++++++ test/environment/rlimit.profile | 4 +++ test/environment/shell-none.exp | 48 +++++++++++++++++++++++++ test/environment/shell-none.profile | 1 + test/environment/zsh.exp | 43 ++++++++++++++++++++++ test/firejail-in-firejail.exp | 21 ----------- test/firejail-in-firejail2.exp | 21 ----------- test/option_rlimit.exp | 36 ------------------- test/profile_rlimit.exp | 36 ------------------- test/rlimit.profile | 4 --- test/shell_csh.exp | 40 --------------------- test/shell_dash.exp | 41 --------------------- test/shell_zsh.exp | 40 --------------------- test/test.sh | 29 --------------- test/utils/utils.sh | 4 +-- 26 files changed, 413 insertions(+), 328 deletions(-) delete mode 100755 test/env.exp delete mode 100644 test/env.profile create mode 100755 test/environment/csh.exp create mode 100755 test/environment/dash.exp create mode 100755 test/environment/env.exp create mode 100644 test/environment/env.profile create mode 100755 test/environment/environment.sh create mode 100755 test/environment/firejail-in-firejail.exp create mode 100755 test/environment/firejail-in-firejail2.exp create mode 100755 test/environment/rlimit-profile.exp create mode 100755 test/environment/rlimit.exp create mode 100644 test/environment/rlimit.profile create mode 100755 test/environment/shell-none.exp create mode 100644 
test/environment/shell-none.profile create mode 100755 test/environment/zsh.exp delete mode 100755 test/firejail-in-firejail.exp delete mode 100755 test/firejail-in-firejail2.exp delete mode 100755 test/option_rlimit.exp delete mode 100755 test/profile_rlimit.exp delete mode 100644 test/rlimit.profile delete mode 100755 test/shell_csh.exp delete mode 100755 test/shell_dash.exp delete mode 100755 test/shell_zsh.exp diff --git a/Makefile.in b/Makefile.in index c93fc401d..da339b7ed 100644 --- a/Makefile.in +++ b/Makefile.in @@ -282,5 +282,8 @@ test-firemon: test-utils: cd test/utils; ./utils.sh | grep TESTING -test: test-profiles test-utils test-apps test-apps-x11 test-firemon +test-environment: + cd test/environment; ./environment.sh | grep TESTING + +test: test-profiles test-utils test-environment test-apps test-apps-x11 test-firemon echo "TEST COMPLETE" diff --git a/test/env.exp b/test/env.exp deleted file mode 100755 index d7aee3c64..000000000 --- a/test/env.exp +++ /dev/null 
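Review bot: In the new `test-environment` recipe the exit status is that of `grep TESTING`, not of `environment.sh`, and `cd test/environment;` continues even if the `cd` fails. The `.exp` scripts added in this commit print `TESTING ERROR` and call `exit` with no status on timeout, so `make test` still reaches `echo "TEST COMPLETE"` when a sandbox regression test failed. At minimum write `cd test/environment && ./environment.sh | grep TESTING`; a follow-up check that fails the target when the output contains `TESTING ERROR` would let this suite gate a build. The existing `test-utils` recipe shown as context has the same shape.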
@@ -1,55 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -#*********************************************** -send -- "firejail --env=ENV1=env1 --env=ENV2=env2 --env=ENV3=env3\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "env | grep ENV1\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "ENV1" -} -send -- "env | grep ENV2\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "ENV2" -} -send -- "env | grep ENV3\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "ENV3" -} -send -- "exit\r" -sleep 1 - -#*********************************************** -send -- "firejail --profile=env.profile\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -sleep 1 -send -- "env | grep LD_LIBRARY_PATH\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "/opt/test/lib" -} -send -- "env | grep CFLAGS\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "Wall" -} -expect { - timeout {puts "TESTING ERROR 7\n";exit} - "Werror" -} - -puts "\nall done\n" diff --git a/test/env.profile b/test/env.profile deleted file mode 100644 index ba66e6210..000000000 --- a/test/env.profile +++ /dev/null @@ -1,2 +0,0 @@ -env LD_LIBRARY_PATH=/opt/test/lib -env CFLAGS="-W -Wall -Werror" diff --git a/test/environment/csh.exp b/test/environment/csh.exp new file mode 100755 index 000000000..10ad3607e --- /dev/null +++ b/test/environment/csh.exp 
@@ -0,0 +1,43 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --private --tracelog --csh\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "ls -al;pwd\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + ".cshrc" +} +expect { + timeout {puts "TESTING ERROR 1.1\n";exit} + "home" +} +send -- "env | grep SHELL;pwd\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "SHELL" +} +expect { + timeout {puts "TESTING ERROR 2.1\n";exit} + "/bin/csh" +} +expect { + timeout {puts "TESTING ERROR 2.2\n";exit} + "home" +} +send -- "exit\r" +sleep 1 + +puts "\n" + diff --git a/test/environment/dash.exp b/test/environment/dash.exp new file mode 100755 index 000000000..f5a60719e --- /dev/null +++ b/test/environment/dash.exp @@ -0,0 +1,41 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --private --tracelog --shell=/bin/dash\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +#send -- "ls -al;pwd\r" +#expect { +# timeout {puts "TESTING ERROR 1\n";exit} +# ".zshrc" +#} +#expect { +# timeout {puts "TESTING ERROR 1.1\n";exit} +# "home" +#} + +send -- "env | grep SHELL;pwd\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "SHELL" +} +expect { + timeout {puts "TESTING ERROR 2.1\n";exit} + "/bin/dash" +} +expect { + timeout {puts "TESTING ERROR 2.2\n";exit} + "home" +} +send -- "exit\r" +sleep 1 + +puts "\n" + diff --git a/test/environment/env.exp b/test/environment/env.exp new file mode 100755 index 000000000..a09c3f9c5 --- /dev/null +++ b/test/environment/env.exp 
@@ -0,0 +1,58 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +#*********************************************** +send -- "firejail --env=ENV1=env1 --env=ENV2=env2 --env=ENV3=env3\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "env | grep ENV1\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "ENV1" +} +send -- "env | grep ENV2\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "ENV2" +} +send -- "env | grep ENV3\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "ENV3" +} +send -- "exit\r" +sleep 1 + +#*********************************************** +send -- "firejail --profile=env.profile\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 1 +send -- "env | grep LD_LIBRARY_PATH\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "/opt/test/lib" +} +send -- "env | grep CFLAGS\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "Wall" +} +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "Werror" +} + +puts "\nall done\n" diff --git a/test/environment/env.profile b/test/environment/env.profile new file mode 100644 index 000000000..ba66e6210 --- /dev/null +++ b/test/environment/env.profile @@ -0,0 +1,2 @@ +env LD_LIBRARY_PATH=/opt/test/lib +env CFLAGS="-W -Wall -Werror" diff --git a/test/environment/environment.sh b/test/environment/environment.sh new file mode 100755 index 000000000..3041fcc12 --- /dev/null +++ b/test/environment/environment.sh 
@@ -0,0 +1,47 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+
+echo "TESTING: environment variables (test/environment/env.exp)"
+./env.exp
+
+echo "TESTING: shell none(test/environment/shell-none.exp)"
+./shell-none.exp
+
+which dash
+if [ "$?" -eq 0 ];
+then
+ echo "TESTING: dash (test/environment/dash.exp)"
+ ./dash.exp
+else
+ echo "TESTING: dash not found"
+fi
+
+which csh
+if [ "$?" -eq 0 ];
+then
+ echo "TESTING: csh (test/environment/csh.exp)"
+ ./csh.exp
+else
+ echo "TESTING: csh not found"
+fi
+
+which zsh
+if [ "$?" -eq 0 ];
+then
+ echo "TESTING: zsh (test/environment/zsh.exp)"
+ ./csh.exp
+else
+ echo "TESTING: zsh not found"
+fi
+
+echo "TESTING: rlimit (test/environment/rlimit.exp)"
+./rlimit.exp
+
+echo "TESTING: rlimit profile (test/environment/rlimit-profile.exp)"
+./rlimit-profile.exp
+
diff --git a/test/environment/firejail-in-firejail.exp b/test/environment/firejail-in-firejail.exp
new file mode 100755
index 000000000..7e7f4fd17
--- /dev/null
+++ b/test/environment/firejail-in-firejail.exp
@@ -0,0 +1,24 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "firejail\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Warning: an existing sandbox was detected"
+}
+sleep 1
+
+puts "\nall done\n"
diff --git a/test/environment/firejail-in-firejail2.exp b/test/environment/firejail-in-firejail2.exp
new file mode 100755
index 000000000..5a2213074
--- /dev/null
+++ b/test/environment/firejail-in-firejail2.exp
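Review bot: The zsh branch of environment.sh announces `zsh (test/environment/zsh.exp)` but then runs `./csh.exp`, so the zsh test added in this same commit is never executed and the csh test runs twice; the line should be `./zsh.exp`. The later commit on this page that appends to environment.sh does not touch this branch. As a style point, `if command -v zsh >/dev/null; then` would replace the `which` / `"$?"` pair and keep the path out of the filtered output, and the label `shell none(test/...` is missing a space before the parenthesis.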
@@ -0,0 +1,24 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --noprofile\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "firejail --force\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 1 + +puts "\nall done\n" diff --git a/test/environment/rlimit-profile.exp b/test/environment/rlimit-profile.exp new file mode 100755 index 000000000..7d2637444 --- /dev/null +++ b/test/environment/rlimit-profile.exp @@ -0,0 +1,36 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --profile=rlimit.profile\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "cat /proc/self/limits; pwd\r" +expect { + timeout {puts "TESTING ERROR 1.1\n";exit} + "Max file size 1024 1024" +} +expect { + timeout {puts "TESTING ERROR 1.2\n";exit} + "Max processes 1000 1000" +} +expect { + timeout {puts "TESTING ERROR 1.3\n";exit} + "Max open files 500 500" +} +expect { + timeout {puts "TESTING ERROR 1.4\n";exit} + "Max pending signals 200 200" +} +expect { + timeout {puts "TESTING ERROR 1.5\n";exit} + "home" +} +sleep 1 +puts "\n" diff --git a/test/environment/rlimit.exp b/test/environment/rlimit.exp new file mode 100755 index 000000000..17d2bd9d1 --- /dev/null +++ b/test/environment/rlimit.exp 
@@ -0,0 +1,36 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --rlimit-fsize=1024 --rlimit-nproc=1000 --rlimit-nofile=500 --rlimit-sigpending=200\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "cat /proc/self/limits; pwd\r" +expect { + timeout {puts "TESTING ERROR 1.1\n";exit} + "Max file size 1024 1024" +} +expect { + timeout {puts "TESTING ERROR 1.2\n";exit} + "Max processes 1000 1000" +} +expect { + timeout {puts "TESTING ERROR 1.3\n";exit} + "Max open files 500 500" +} +expect { + timeout {puts "TESTING ERROR 1.4\n";exit} + "Max pending signals 200 200" +} +expect { + timeout {puts "TESTING ERROR 1.5\n";exit} + "home" +} +sleep 1 +puts "\n" diff --git a/test/environment/rlimit.profile b/test/environment/rlimit.profile new file mode 100644 index 000000000..271891c03 --- /dev/null +++ b/test/environment/rlimit.profile @@ -0,0 +1,4 @@ + rlimit-fsize 1024 +rlimit-nproc 1000 + rlimit-nofile 500 +rlimit-sigpending 200 \ No newline at end of file diff --git a/test/environment/shell-none.exp b/test/environment/shell-none.exp new file mode 100755 index 000000000..e30008f83 --- /dev/null +++ b/test/environment/shell-none.exp 
@@ -0,0 +1,48 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --shell=none\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "shell=none configured, but no program specified" +} +sleep 1 + +send -- "firejail --profile=shell-none.profile\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "shell=none configured, but no program specified" +} +sleep 1 + +send -- "firejail --shell=none ls\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Child process initialized" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "environment.sh" +} +sleep 1 + +send -- "firejail --profile=shell-none.profile ls\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "environment.sh" +} +sleep 1 + + +puts "\nall done\n" + diff --git a/test/environment/shell-none.profile b/test/environment/shell-none.profile new file mode 100644 index 000000000..f16ebe3a0 --- /dev/null +++ b/test/environment/shell-none.profile @@ -0,0 +1 @@ +shell none diff --git a/test/environment/zsh.exp b/test/environment/zsh.exp new file mode 100755 index 000000000..2604b2be5 --- /dev/null +++ b/test/environment/zsh.exp 
@@ -0,0 +1,43 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --private --tracelog --zsh\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "ls -al;pwd\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + ".zshrc" +} +expect { + timeout {puts "TESTING ERROR 1.1\n";exit} + "home" +} +send -- "env | grep SHELL;pwd\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "SHELL" +} +expect { + timeout {puts "TESTING ERROR 2.1\n";exit} + "/usr/bin/zsh" +} +expect { + timeout {puts "TESTING ERROR 2.2\n";exit} + "home" +} +send -- "exit\r" +sleep 1 + +puts "\n" + diff --git a/test/firejail-in-firejail.exp b/test/firejail-in-firejail.exp deleted file mode 100755 index 5ba18d1fa..000000000 --- a/test/firejail-in-firejail.exp +++ /dev/null @@ -1,21 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "firejail\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Warning: an existing sandbox was detected" -} -sleep 1 - -puts "\nall done\n" diff --git a/test/firejail-in-firejail2.exp b/test/firejail-in-firejail2.exp deleted file mode 100755 index b0fed0dae..000000000 --- a/test/firejail-in-firejail2.exp +++ /dev/null @@ -1,21 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --noprofile\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "firejail --force\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -sleep 1 - -puts "\nall done\n" diff --git a/test/option_rlimit.exp b/test/option_rlimit.exp deleted file mode 100755 index 17d2bd9d1..000000000 
--- a/test/option_rlimit.exp +++ /dev/null @@ -1,36 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --rlimit-fsize=1024 --rlimit-nproc=1000 --rlimit-nofile=500 --rlimit-sigpending=200\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "cat /proc/self/limits; pwd\r" -expect { - timeout {puts "TESTING ERROR 1.1\n";exit} - "Max file size 1024 1024" -} -expect { - timeout {puts "TESTING ERROR 1.2\n";exit} - "Max processes 1000 1000" -} -expect { - timeout {puts "TESTING ERROR 1.3\n";exit} - "Max open files 500 500" -} -expect { - timeout {puts "TESTING ERROR 1.4\n";exit} - "Max pending signals 200 200" -} -expect { - timeout {puts "TESTING ERROR 1.5\n";exit} - "home" -} -sleep 1 -puts "\n" diff --git a/test/profile_rlimit.exp b/test/profile_rlimit.exp deleted file mode 100755 index 7d2637444..000000000 --- a/test/profile_rlimit.exp +++ /dev/null @@ -1,36 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --profile=rlimit.profile\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "cat /proc/self/limits; pwd\r" -expect { - timeout {puts "TESTING ERROR 1.1\n";exit} - "Max file size 1024 1024" -} -expect { - timeout {puts "TESTING ERROR 1.2\n";exit} - "Max processes 1000 1000" -} -expect { - timeout {puts "TESTING ERROR 1.3\n";exit} - "Max open files 500 500" -} -expect { - timeout {puts "TESTING ERROR 1.4\n";exit} - "Max pending signals 200 200" -} -expect { - timeout {puts "TESTING ERROR 1.5\n";exit} - "home" -} -sleep 1 -puts "\n" diff --git a/test/rlimit.profile b/test/rlimit.profile deleted file mode 100644 index 271891c03..000000000 --- a/test/rlimit.profile +++ /dev/null @@ -1,4 +0,0 @@ - rlimit-fsize 1024 -rlimit-nproc 1000 - rlimit-nofile 500 -rlimit-sigpending 200 \ No newline at end of file 
diff --git a/test/shell_csh.exp b/test/shell_csh.exp deleted file mode 100755 index a2634f633..000000000 --- a/test/shell_csh.exp +++ /dev/null @@ -1,40 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --private --tracelog --csh\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "ls -al;pwd\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - ".cshrc" -} -expect { - timeout {puts "TESTING ERROR 1.1\n";exit} - "home" -} -send -- "env | grep SHELL;pwd\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "SHELL" -} -expect { - timeout {puts "TESTING ERROR 2.1\n";exit} - "/bin/csh" -} -expect { - timeout {puts "TESTING ERROR 2.2\n";exit} - "home" -} -send -- "exit\r" -sleep 1 - -puts "\n" - diff --git a/test/shell_dash.exp b/test/shell_dash.exp deleted file mode 100755 index f5a60719e..000000000 --- a/test/shell_dash.exp +++ /dev/null @@ -1,41 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --private --tracelog --shell=/bin/dash\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -#send -- "ls -al;pwd\r" -#expect { -# timeout {puts "TESTING ERROR 1\n";exit} -# ".zshrc" -#} -#expect { -# timeout {puts "TESTING ERROR 1.1\n";exit} -# "home" -#} - -send -- "env | grep SHELL;pwd\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "SHELL" -} -expect { - timeout {puts "TESTING ERROR 2.1\n";exit} - "/bin/dash" -} -expect { - timeout {puts "TESTING ERROR 2.2\n";exit} - "home" -} -send -- "exit\r" -sleep 1 - -puts "\n" - diff --git a/test/shell_zsh.exp b/test/shell_zsh.exp deleted file mode 100755 index 1d73fd926..000000000 --- a/test/shell_zsh.exp +++ /dev/null 
@@ -1,40 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --private --tracelog --zsh\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "ls -al;pwd\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - ".zshrc" -} -expect { - timeout {puts "TESTING ERROR 1.1\n";exit} - "home" -} -send -- "env | grep SHELL;pwd\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "SHELL" -} -expect { - timeout {puts "TESTING ERROR 2.1\n";exit} - "/usr/bin/zsh" -} -expect { - timeout {puts "TESTING ERROR 2.2\n";exit} - "home" -} -send -- "exit\r" -sleep 1 - -puts "\n" - diff --git a/test/test.sh b/test/test.sh index ba5268036..e92a0f902 100755 --- a/test/test.sh +++ b/test/test.sh @@ -34,9 +34,6 @@ echo "TESTING: protocol (protocol.exp)" echo "TESTING: invalid filename (invalid_filename.exp)" ./invalid_filename.exp -echo "TESTING: environment variables (env.exp)" -./env.exp - echo "TESTING: whitelist empty (whitelist-empty.exp)" ./whitelist-empty.exp @@ -96,15 +93,6 @@ echo "TESTING: extract command (extract_command.exp)" echo "TESTING: kmsg access (kmsg.exp)" ./kmsg.exp -echo "TESTING: rlimit (option_rlimit.exp)" -./option_rlimit.exp - -echo "TESTING: firejail in firejail - single sandbox (firejail-in-firejail.exp)" -./firejail-in-firejail.exp - -echo "TESTING: firejail in firejail - force new sandbox (firejail-in-firejail2.exp)" -./firejail-in-firejail2.exp - echo "TESTING: chroot overlay (option_chroot_overlay.exp)" ./option_chroot_overlay.exp @@ -135,20 +123,6 @@ ls -al > tmpreadonly sleep 5 rm -f tmpreadonly -echo "TESTING: zsh (shell_zsh.exp)" -./shell_zsh.exp - -echo "TESTING: csh (shell_csh.exp)" -./shell_csh.exp - -which dash -if [ "$?" -eq 0 ]; -then - echo "TESTING: dash (shell_dash.exp)" - ./shell_dash.exp -else - echo "TESTING: dash not found" -fi echo "TESTING: PID (pid.exp)" ./pid.exp 
@@ -159,9 +133,6 @@ echo "TESTING: output (output.exp)" echo "TESTING: profile no permissions (profile_noperm.exp)" ./profile_noperm.exp -echo "TESTING: profile rlimit (profile_rlimit.exp)" -./profile_rlimit.exp - echo "TESTING: profile read-only (profile_readonly.exp)" ./profile_readonly.exp diff --git a/test/utils/utils.sh b/test/utils/utils.sh index a40845a5f..9a1b6601a 100755 --- a/test/utils/utils.sh +++ b/test/utils/utils.sh @@ -55,8 +55,8 @@ echo "TESTING: shutdown4 (test/utils/shutdown4.exp)" echo "TESTING: join test/utils/(join.exp)" ./join.exp -echo "TESTING: join2 test/utils/(join2.exp)" -.join2.exp +echo "TESTING: join2 (test/utils/join2.exp)" +./join2.exp echo "TESTING: join3 (test/utils/join3.exp)" ./join3.exp -- cgit v1.2.3-70-g09d2 From 63f6b072c55afb89d71d00d6a6a377f0dafee178 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 24 Apr 2016 06:33:13 -0400 Subject: testing --- test/environment/environment.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/test/environment/environment.sh b/test/environment/environment.sh index 3041fcc12..ef9b49d64 100755 --- a/test/environment/environment.sh +++ b/test/environment/environment.sh @@ -45,3 +45,8 @@ echo "TESTING: rlimit (test/environment/rlimit.exp)" echo "TESTING: rlimit profile (test/environment/rlimit-profile.exp)" ./rlimit-profile.exp +echo "TESTING: firejail in firejail - single sandbox (test/environment/firejail-in-firejail.exp)" +./firejail-in-firejail.exp + +echo "TESTING: firejail in firejail - force new sandbox (test/environment/firejail-in-firejail2.exp)" +./firejail-in-firejail2.exp -- cgit v1.2.3-70-g09d2 From 1724b3bd7fd86876b244cbaf3e4e3a1d005b843d Mon Sep 17 00:00:00 2001 
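Review bot: The utils.sh fix corrects the join2 label and the `.join2.exp` invocation, but the context line directly above it still reads `echo "TESTING: join test/utils/(join.exp)"` with the parenthesis in the wrong place. For consistency with the other entries it should be `echo "TESTING: join (test/utils/join.exp)"`. The output is filtered with `grep TESTING` and read by eye, so uniform labels make a missing or failing test easier to spot.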
From: netblue30 Date: Sun, 24 Apr 2016 06:37:12 -0400 Subject: testing --- test/option-trace.exp | 25 -------------- test/trace.exp | 94 --------------------------------------------------- test/utils/trace.exp | 94 +++++++++++++++++++++++++++++++++++++++++++++++++++ test/utils/trace2.exp | 25 ++++++++++++++ 4 files changed, 119 insertions(+), 119 deletions(-) delete mode 100755 test/option-trace.exp delete mode 100755 test/trace.exp create mode 100755 test/utils/trace.exp create mode 100755 test/utils/trace2.exp diff --git a/test/option-trace.exp b/test/option-trace.exp deleted file mode 100755 index 38038b58e..000000000 --- a/test/option-trace.exp +++ /dev/null @@ -1,25 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --trace\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "bash:open /dev/tty" {puts "64bit\n"} - "bash:open64 /dev/tty" {puts "32bit\n"} -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "bash:access /etc/terminfo/x/xterm" {puts "debian\n"} - "bash:access /usr/share/terminfo/x/xterm" {puts "arch\n"} -} - -sleep 1 - -puts "\nall done\n" diff --git a/test/trace.exp b/test/trace.exp deleted file mode 100755 index 21dd6a559..000000000 --- a/test/trace.exp +++ /dev/null 
@@ -1,94 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 30 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --trace mkdir ttt\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "mkdir:mkdir ttt" -} -sleep 1 - -send -- "firejail --trace rmdir ttt\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "rmdir:rmdir ttt" -} -sleep 1 - -send -- "firejail --trace touch ttt\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "touch:open ttt" {puts "OK\n";} - "touch:open64 ttt" {puts "OK\n";} -} -sleep 1 - -send -- "firejail --trace rm ttt\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 7\n";exit} - "rm:unlinkat ttt" -} -sleep 1 - -send -- "firejail --trace wget -q debian.org\r" -expect { - timeout {puts "TESTING ERROR 8.1\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 8.2\n";exit} - "bash:open /dev/tty" {puts "OK\n";} - "bash:open64 /dev/tty" {puts "OK\n";} -} -expect { - timeout {puts "TESTING ERROR 8.3\n";exit} - "wget:fopen64 /etc/wgetrc" {puts "OK\n";} - "wget:fopen /etc/wgetrc" {puts "OK\n";} -} -expect { - timeout {puts "TESTING ERROR 8.4\n";exit} - "wget:fopen /etc/hosts" -} -expect { - timeout {puts "TESTING ERROR 8.5\n";exit} - "wget:connect" -} -expect { - timeout {puts "TESTING ERROR 8.6\n";exit} - "wget:fopen64 index.html" {puts "OK\n";} - "wget:fopen index.html" {puts "OK\n";} -} -sleep 1 - -send -- "firejail --trace rm index.html\r" -expect { - timeout {puts "TESTING ERROR 9\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 10\n";exit} - "rm:unlinkat index.html" -} -sleep 1 - - -puts "\nall done\n" 
diff --git a/test/utils/trace.exp b/test/utils/trace.exp new file mode 100755 index 000000000..21dd6a559 --- /dev/null +++ b/test/utils/trace.exp 
@@ -0,0 +1,94 @@
+#!/usr/bin/expect -f
+
+set timeout 30
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --trace mkdir ttt\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "mkdir:mkdir ttt"
+}
+sleep 1
+
+send -- "firejail --trace rmdir ttt\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "Child process initialized"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "rmdir:rmdir ttt"
+}
+sleep 1
+
+send -- "firejail --trace touch ttt\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "touch:open ttt" {puts "OK\n";}
+ "touch:open64 ttt" {puts "OK\n";}
+}
+sleep 1
+
+send -- "firejail --trace rm ttt\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ "Child process initialized"
+}
+expect {
+ timeout {puts "TESTING ERROR 7\n";exit}
+ "rm:unlinkat ttt"
+}
+sleep 1
+
+send -- "firejail --trace wget -q debian.org\r"
+expect {
+ timeout {puts "TESTING ERROR 8.1\n";exit}
+ "Child process initialized"
+}
+expect {
+ timeout {puts "TESTING ERROR 8.2\n";exit}
+ "bash:open /dev/tty" {puts "OK\n";}
+ "bash:open64 /dev/tty" {puts "OK\n";}
+}
+expect {
+ timeout {puts "TESTING ERROR 8.3\n";exit}
+ "wget:fopen64 /etc/wgetrc" {puts "OK\n";}
+ "wget:fopen /etc/wgetrc" {puts "OK\n";}
+}
+expect {
+ timeout {puts "TESTING ERROR 8.4\n";exit}
+ "wget:fopen /etc/hosts"
+}
+expect {
+ timeout {puts "TESTING ERROR 8.5\n";exit}
+ "wget:connect"
+}
+expect {
+ timeout {puts "TESTING ERROR 8.6\n";exit}
+ "wget:fopen64 index.html" {puts "OK\n";}
+ "wget:fopen index.html" {puts "OK\n";}
+}
+sleep 1
+
+send -- "firejail --trace rm index.html\r"
+expect {
+ timeout {puts "TESTING ERROR 9\n";exit}
+ "Child process initialized"
+}
+expect {
+ timeout {puts "TESTING ERROR 10\n";exit}
+ "rm:unlinkat index.html"
+}
+sleep 1
+
+
+puts "\nall done\n"
diff --git a/test/utils/trace2.exp b/test/utils/trace2.exp new file mode 100755 index 000000000..38038b58e --- /dev/null +++ b/test/utils/trace2.exp @@ -0,0 +1,25 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --trace\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "bash:open /dev/tty" {puts "64bit\n"} + "bash:open64 /dev/tty" {puts "32bit\n"} +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "bash:access /etc/terminfo/x/xterm" {puts "debian\n"} + "bash:access /usr/share/terminfo/x/xterm" {puts "arch\n"} +} + +sleep 1 + +puts "\nall done\n" -- cgit v1.2.3-70-g09d2 From 83f626d79489985152156eee6ecca52c7da8b5ba Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 24 Apr 2016 06:41:28 -0400 Subject: testing --- Makefile.in | 1 + test/utils/trace.exp | 18 ++++++++++++++++++ test/utils/trace2.exp | 25 ------------------------- test/utils/utils.sh | 5 +++++ 4 files changed, 24 insertions(+), 25 deletions(-) delete mode 100755 test/utils/trace2.exp diff --git a/Makefile.in b/Makefile.in index da339b7ed..4f777583c 100644 --- a/Makefile.in +++ b/Makefile.in @@ -46,6 +46,7 @@ clean: $(MAKE) -C $$dir clean; \ done rm -f firejail.1 firejail.1.gz firemon.1 firemon.1.gz firecfg.1 firecfg.gz firejail-profile.5 firejail-profile.5.gz firejail-login.5 firejail-login.5.gz firejail-config.5 firejail-config.5.gz firejail*.rpm + rm -f test/utils/index.html* distclean: clean for dir in $(APPS); do \ diff --git a/test/utils/trace.exp b/test/utils/trace.exp index 21dd6a559..c08925101 100755 --- a/test/utils/trace.exp +++ b/test/utils/trace.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 30 spawn $env(SHELL) 
@@ -90,5 +93,20 @@ expect { } sleep 1 +send -- "firejail --trace\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "bash:open /dev/tty" {puts "64bit\n"} + "bash:open64 /dev/tty" {puts "32bit\n"} +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "bash:access /etc/terminfo/x/xterm" {puts "debian\n"} + "bash:access /usr/share/terminfo/x/xterm" {puts "arch\n"} +} puts "\nall done\n" diff --git a/test/utils/trace2.exp b/test/utils/trace2.exp deleted file mode 100755 index 38038b58e..000000000 --- a/test/utils/trace2.exp +++ /dev/null @@ -1,25 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --trace\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "bash:open /dev/tty" {puts "64bit\n"} - "bash:open64 /dev/tty" {puts "32bit\n"} -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "bash:access /etc/terminfo/x/xterm" {puts "debian\n"} - "bash:access /usr/share/terminfo/x/xterm" {puts "arch\n"} -} - -sleep 1 - -puts "\nall done\n" diff --git a/test/utils/utils.sh b/test/utils/utils.sh index 9a1b6601a..8c53feab3 100755 --- a/test/utils/utils.sh +++ b/test/utils/utils.sh @@ -64,3 +64,8 @@ echo "TESTING: join3 (test/utils/join3.exp)" echo "TESTING: join profile (test/utils/join-profile.exp)" ./join-profile.exp +echo "TESTING: trace (test/utils/trace.exp)" +rm -f index.html* +./trace.exp +rm -f index.html* + -- cgit v1.2.3-70-g09d2 From 46113d48c480249363081ce75086d275948bd644 Mon Sep 17 00:00:00 2001 
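Review bot: The three `expect` blocks added for the plain `firejail --trace` run print `TESTING ERROR 0`, `1` and `3`, labels that the mkdir and rmdir steps at the top of this same file already use, so a failure line no longer identifies which step timed out. Continuing the numbering after the existing `10` keeps every label unique, for example `timeout {puts "TESTING ERROR 11\n";exit}`, then `12` and `13`. The rest of the script lies outside this hunk.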
From: netblue30 Date: Sun, 24 Apr 2016 06:49:25 -0400 Subject: testing --- Makefile.in | 5 +- test/firemon/caps.exp | 129 --------------------------------------------- test/firemon/caps1.profile | 1 - test/firemon/caps2.profile | 1 - test/firemon/firemon.sh | 10 ---- test/firemon/seccomp.exp | 48 ----------------- test/utils/caps.exp | 129 +++++++++++++++++++++++++++++++++++++++++++++ test/utils/caps1.profile | 1 + test/utils/caps2.profile | 1 + test/utils/seccomp.exp | 48 +++++++++++++++++ test/utils/utils.sh | 6 +++ 11 files changed, 186 insertions(+), 193 deletions(-) delete mode 100755 test/firemon/caps.exp delete mode 100644 test/firemon/caps1.profile delete mode 100644 test/firemon/caps2.profile delete mode 100755 test/firemon/firemon.sh delete mode 100755 test/firemon/seccomp.exp create mode 100755 test/utils/caps.exp create mode 100644 test/utils/caps1.profile create mode 100644 test/utils/caps2.profile create mode 100755 test/utils/seccomp.exp diff --git a/Makefile.in b/Makefile.in index 4f777583c..d33ff0aff 100644 --- a/Makefile.in +++ b/Makefile.in @@ -277,14 +277,11 @@ test-apps: test-apps-x11: cd test/apps-x11; ./apps-x11.sh | grep TESTING -test-firemon: - cd test/firemon; ./firemon.sh | grep TESTING - test-utils: cd test/utils; ./utils.sh | grep TESTING test-environment: cd test/environment; ./environment.sh | grep TESTING -test: test-profiles test-utils test-environment test-apps test-apps-x11 test-firemon +test: test-profiles test-utils test-environment test-apps test-apps-x11 echo "TEST COMPLETE" diff --git a/test/firemon/caps.exp b/test/firemon/caps.exp deleted file mode 100755 index ab1067921..000000000 --- a/test/firemon/caps.exp +++ /dev/null 
@@ -1,129 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors -# License GPL v2 - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --name=bingo1 --noprofile --caps\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -spawn $env(SHELL) -send -- "firejail --name=bingo2 --noprofile\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -sleep 1 - -spawn $env(SHELL) -send -- "firejail --name=bingo3 --noprofile --caps.drop=all\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "Child process initialized" -} -sleep 1 - -spawn $env(SHELL) -send -- "firejail --noprofile --name=bingo4 --caps.drop=chown,kill\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "Child process initialized" -} -sleep 1 - -spawn $env(SHELL) -send -- "firejail --noprofile --name=bingo5 --caps.keep=chown,kill\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -sleep 1 - -spawn $env(SHELL) -send -- "firejail --name=bingo6 --profile=caps1.profile\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "Child process initialized" -} -sleep 1 - -spawn $env(SHELL) -send -- "firejail --name=bingo7 --profile=caps2.profile\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -spawn $env(SHELL) -send -- "firemon --caps\r" -expect { - timeout {puts "TESTING ERROR 8.1\n";exit} - "bingo1" -} -expect { - timeout {puts "TESTING ERROR 8.2\n";exit} - "31cffff" -} -expect { - timeout {puts "TESTING ERROR 8.3\n";exit} - "bingo2" -} -expect { - timeout {puts "TESTING ERROR 8.4\n";exit} - "fffffff" -} -expect { - timeout {puts "TESTING ERROR 8.5\n";exit} - "bingo3" -} -expect { - timeout {puts "TESTING ERROR 8.6\n";exit} - "000000000000" -} - -expect { - timeout {puts "TESTING ERROR 8.7\n";exit} - "bingo4" -} -expect { - timeout {puts "TESTING ERROR 
8.8\n";exit} - "ffffffde" -} -expect { - timeout {puts "TESTING ERROR 8.9\n";exit} - "bingo5" -} -expect { - timeout {puts "TESTING ERROR 8.10\n";exit} - "0000000000000021" -} - -expect { - timeout {puts "TESTING ERROR 8.11\n";exit} - "bingo6" -} -expect { - timeout {puts "TESTING ERROR 8.12\n";exit} - "ffffffde" -} -expect { - timeout {puts "TESTING ERROR 8.13\n";exit} - "bingo7" -} -expect { - timeout {puts "TESTING ERROR 8.14\n";exit} - "0000000000000021" -} - -after 100 - -puts "all done\n" - diff --git a/test/firemon/caps1.profile b/test/firemon/caps1.profile deleted file mode 100644 index e14655b2e..000000000 --- a/test/firemon/caps1.profile +++ /dev/null @@ -1 +0,0 @@ -caps.drop chown,kill \ No newline at end of file diff --git a/test/firemon/caps2.profile b/test/firemon/caps2.profile deleted file mode 100644 index cb2258c52..000000000 --- a/test/firemon/caps2.profile +++ /dev/null @@ -1 +0,0 @@ -caps.keep chown,kill \ No newline at end of file diff --git a/test/firemon/firemon.sh b/test/firemon/firemon.sh deleted file mode 100755 index edd548526..000000000 --- a/test/firemon/firemon.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash -# This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors -# License GPL v2 - -echo "TESTING: firemon --seccomp (test/firemon/seccomp.exp)" -./seccomp.exp - -echo "TESTING: firemon --caps (test/firemon/caps.exp)" -./caps.exp diff --git a/test/firemon/seccomp.exp b/test/firemon/seccomp.exp deleted file mode 100755 index a318e39b1..000000000 --- a/test/firemon/seccomp.exp +++ /dev/null 
@@ -1,48 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors -# License GPL v2 - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --noprofile --name=bingo1 --seccomp\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -spawn $env(SHELL) -send -- "firejail --noprofile --name=bingo2\r" -expect { - timeout {puts "TESTING ERROR 0.1\n";exit} - "Child process initialized" -} -sleep 1 - - - - -spawn $env(SHELL) -send -- "firemon --seccomp\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "bingo1" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "Seccomp: 2" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "bingo2" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "Seccomp: 0" -} -after 100 - -puts "all done\n" diff --git a/test/utils/caps.exp b/test/utils/caps.exp new file mode 100755 index 000000000..ab1067921 --- /dev/null +++ b/test/utils/caps.exp 
@@ -0,0 +1,129 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --name=bingo1 --noprofile --caps\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --name=bingo2 --noprofile\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --name=bingo3 --noprofile --caps.drop=all\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --noprofile --name=bingo4 --caps.drop=chown,kill\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --noprofile --name=bingo5 --caps.keep=chown,kill\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --name=bingo6 --profile=caps1.profile\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --name=bingo7 --profile=caps2.profile\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 8.1\n";exit} + "bingo1" +} +expect { + timeout {puts "TESTING ERROR 8.2\n";exit} + "31cffff" +} +expect { + timeout {puts "TESTING ERROR 8.3\n";exit} + "bingo2" +} +expect { + timeout {puts "TESTING ERROR 8.4\n";exit} + "fffffff" +} +expect { + timeout {puts "TESTING ERROR 8.5\n";exit} + "bingo3" +} +expect { + timeout {puts "TESTING ERROR 8.6\n";exit} + "000000000000" +} + +expect { + timeout {puts "TESTING ERROR 8.7\n";exit} + "bingo4" +} +expect { + timeout {puts "TESTING ERROR 
8.8\n";exit} + "ffffffde" +} +expect { + timeout {puts "TESTING ERROR 8.9\n";exit} + "bingo5" +} +expect { + timeout {puts "TESTING ERROR 8.10\n";exit} + "0000000000000021" +} + +expect { + timeout {puts "TESTING ERROR 8.11\n";exit} + "bingo6" +} +expect { + timeout {puts "TESTING ERROR 8.12\n";exit} + "ffffffde" +} +expect { + timeout {puts "TESTING ERROR 8.13\n";exit} + "bingo7" +} +expect { + timeout {puts "TESTING ERROR 8.14\n";exit} + "0000000000000021" +} + +after 100 + +puts "all done\n" + diff --git a/test/utils/caps1.profile b/test/utils/caps1.profile new file mode 100644 index 000000000..e14655b2e --- /dev/null +++ b/test/utils/caps1.profile @@ -0,0 +1 @@ +caps.drop chown,kill \ No newline at end of file diff --git a/test/utils/caps2.profile b/test/utils/caps2.profile new file mode 100644 index 000000000..cb2258c52 --- /dev/null +++ b/test/utils/caps2.profile @@ -0,0 +1 @@ +caps.keep chown,kill \ No newline at end of file diff --git a/test/utils/seccomp.exp b/test/utils/seccomp.exp new file mode 100755 index 000000000..a318e39b1 --- /dev/null +++ b/test/utils/seccomp.exp @@ -0,0 +1,48 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --noprofile --name=bingo1 --seccomp\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --noprofile --name=bingo2\r" +expect { + timeout {puts "TESTING ERROR 0.1\n";exit} + "Child process initialized" +} +sleep 1 + + + + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "bingo1" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "bingo2" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "Seccomp: 0" +} +after 100 + +puts "all done\n" 
diff --git a/test/utils/utils.sh b/test/utils/utils.sh index 8c53feab3..23cbc6b35 100755 --- a/test/utils/utils.sh +++ b/test/utils/utils.sh @@ -69,3 +69,9 @@ rm -f index.html* ./trace.exp rm -f index.html* +echo "TESTING: firemon --seccomp (test/utils/seccomp.exp)" +./seccomp.exp + +echo "TESTING: firemon --caps (test/ustil/caps.exp)" +./caps.exp + -- cgit v1.2.3-70-g09d2 From 9366b9ddd35168f9a42f374a887f3669ffbab234 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 24 Apr 2016 07:42:47 -0400 Subject: testing --- Makefile.in | 1 + src/firejail/ls.c | 1 + test/ls.exp | 41 ----------------------------------------- test/test.sh | 3 --- test/utils/ls.exp | 41 +++++++++++++++++++++++++++++++++++++++++ test/utils/utils.sh | 3 +++ 6 files changed, 46 insertions(+), 44 deletions(-) delete mode 100755 test/ls.exp create mode 100755 test/utils/ls.exp diff --git a/Makefile.in b/Makefile.in index d33ff0aff..fc341aab5 100644 --- a/Makefile.in +++ b/Makefile.in @@ -47,6 +47,7 @@ clean: done rm -f firejail.1 firejail.1.gz firemon.1 firemon.1.gz firecfg.1 firecfg.gz firejail-profile.5 firejail-profile.5.gz firejail-login.5 firejail-login.5.gz firejail-config.5 firejail-config.5.gz firejail*.rpm rm -f test/utils/index.html* + rm -f test/utils/lstesting distclean: clean for dir in $(APPS); do \ diff --git a/src/firejail/ls.c b/src/firejail/ls.c index 444b5b69e..09577fb0c 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c @@ -379,6 +379,7 @@ void sandboxfs(int op, pid_t pid, const char *path) { errExit("chown"); if (chmod(dest_fname, 0644) == -1) errExit("chmod"); + printf("Transfer complete\n"); EUID_USER(); } diff --git a/test/ls.exp b/test/ls.exp deleted file mode 100755 index 5fe6d79c6..000000000 --- a/test/ls.exp +++ /dev/null 
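Review bot: The label on the added caps line misspells the directory as `test/ustil/caps.exp`; it should read `echo "TESTING: firemon --caps (test/utils/caps.exp)"`. The file-transfer label added to this script in the following commit repeats the typo as `test/ustil/ls.exp`. The Makefile targets filter the run through `grep TESTING`, so these labels are the only record of which script ran and the paths should be exact.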
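Review bot: The added `printf("Transfer complete\n");` in src/firejail/ls.c sits before `EUID_USER();`, so the status message is written while the process presumably still runs with the elevated effective UID used for the `chown` and `chmod` calls just above it. Nothing in the message needs that privilege; placing it after the switch, `EUID_USER();` followed by `printf("Transfer complete\n");`, keeps the privileged section limited to the file operations. The new test/utils/ls.exp matches on this exact string, so a short comment such as `// matched by test/utils/ls.exp` would stop it being reworded by accident. sandboxfs starts and ends outside the hunk.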
@@ -1,41 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "rm -f lstesting\r" -sleep 1 -send -- "firejail --private --name=test\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 2 -send -- "echo my_testing > lstesting\r" -sleep 2 - - -spawn $env(SHELL) -send -- "firejail --ls=test ~/.\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "lstesting" -} -sleep 1 -send -- "firejail --get=test ~/lstesting\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "lstesting" -} -sleep 1 -send -- "cat lstesting\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "my_testing" -} -sleep 1 -send -- "rm -f lstesting\r" - -sleep 1 -puts "\nall done\n" diff --git a/test/test.sh b/test/test.sh index e92a0f902..df46101a8 100755 --- a/test/test.sh +++ b/test/test.sh @@ -13,9 +13,6 @@ echo "TESTING: network profile (net_profile.exp)" echo "TESTING: bandwidth (bandwidth.exp)" ./bandwidth.exp -echo "TESTING: file transfer (ls.exp)" -./ls.exp - echo "TESTING: protocol.print (protocol-print.exp)" ./protocol-print.exp diff --git a/test/utils/ls.exp b/test/utils/ls.exp new file mode 100755 index 000000000..1936c0aff --- /dev/null +++ b/test/utils/ls.exp 
@@ -0,0 +1,41 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "rm -f lstesting\r" +sleep 1 +send -- "firejail --private --name=test\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 2 +send -- "echo my_testing > lstesting\r" +sleep 2 + + +spawn $env(SHELL) +send -- "firejail --ls=test ~/.\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "lstesting" +} +sleep 1 +send -- "firejail --get=test ~/lstesting\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Transfer complete" +} +sleep 1 +send -- "cat lstesting\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "my_testing" +} +sleep 1 +send -- "rm -f lstesting\r" + +sleep 1 +puts "\nall done\n" diff --git a/test/utils/utils.sh b/test/utils/utils.sh index 23cbc6b35..474c026d1 100755 --- a/test/utils/utils.sh +++ b/test/utils/utils.sh @@ -75,3 +75,6 @@ echo "TESTING: firemon --seccomp (test/utils/seccomp.exp)" echo "TESTING: firemon --caps (test/ustil/caps.exp)" ./caps.exp +echo "TESTING: file transfer (test/ustil/ls.exp)" +./ls.exp + -- cgit v1.2.3-70-g09d2 From a3207cdca569d78ee6a9723c7c0dfdf10cd15845 Mon Sep 17 00:00:00 2001 
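Review bot: The sandbox in test/utils/ls.exp is created with `--name=test` and then addressed by that name in `firejail --ls=test` and `firejail --get=test`, but the same generic name is used by other scripts in the suite (icedove-x11.exp also starts `--name=test`). If a sandbox with that name is still running from an earlier script, the listing and transfer may be resolved against the wrong sandbox; how firejail picks among duplicate names is not visible here. A name specific to this script, such as `--name=lstest` with matching `--ls=lstest` and `--get=lstest`, avoids the ambiguity.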
From: netblue30 Date: Sun, 24 Apr 2016 07:50:35 -0400 Subject: testing --- test/environment/environment.sh | 6 +++ test/environment/nice.exp | 83 +++++++++++++++++++++++++++++++++++++++++ test/environment/nice.profile | 1 + test/environment/sound.exp | 83 +++++++++++++++++++++++++++++++++++++++++ test/environment/sound.profile | 1 + test/nice.exp | 80 --------------------------------------- test/nice.profile | 1 - test/notes | 13 ------- test/sound.exp | 79 --------------------------------------- test/sound.profile | 1 - 10 files changed, 174 insertions(+), 174 deletions(-) create mode 100755 test/environment/nice.exp create mode 100644 test/environment/nice.profile create mode 100755 test/environment/sound.exp create mode 100644 test/environment/sound.profile delete mode 100755 test/nice.exp delete mode 100644 test/nice.profile delete mode 100644 test/notes delete mode 100755 test/sound.exp delete mode 100644 test/sound.profile diff --git a/test/environment/environment.sh b/test/environment/environment.sh index ef9b49d64..f737d284b 100755 --- a/test/environment/environment.sh +++ b/test/environment/environment.sh @@ -50,3 +50,9 @@ echo "TESTING: firejail in firejail - single sandbox (test/environment/firejail- echo "TESTING: firejail in firejail - force new sandbox (test/environment/firejail-in-firejail2.exp)" ./firejail-in-firejail2.exp + +echo "TESTING: sound (test/environment/sound.exp)" +./sound.exp + +echo "TESTING: nice ((test/environment/nice.exp)" +./nice.exp diff --git a/test/environment/nice.exp b/test/environment/nice.exp new file mode 100755 index 000000000..7e5731c63 --- /dev/null +++ b/test/environment/nice.exp 
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --nice=15\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "top -b -n 1\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "netblue"
+}
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "15"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "bash"
+}
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "netblu"
+}
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "15"
+}
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ "top"
+}
+
+sleep 1
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --profile=nice.profile\r"
+expect {
+ timeout {puts "TESTING ERROR 10\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "top -b -n 1\r"
+expect {
+ timeout {puts "TESTING ERROR 11\n";exit}
+ "netblue"
+}
+expect {
+ timeout {puts "TESTING ERROR 12\n";exit}
+ "15"
+}
+expect {
+ timeout {puts "TESTING ERROR 13\n";exit}
+ "bash"
+}
+expect {
+ timeout {puts "TESTING ERROR 14\n";exit}
+ "netblu"
+}
+expect {
+ timeout {puts "TESTING ERROR 15\n";exit}
+ "15"
+}
+expect {
+ timeout {puts "TESTING ERROR 16\n";exit}
+ "top"
+}
+
+
+
+puts "\nall done\n"
+
diff --git a/test/environment/nice.profile b/test/environment/nice.profile
new file mode 100644
index 000000000..d02c8f58b
--- /dev/null
+++ b/test/environment/nice.profile
@@ -0,0 +1 @@
+nice 15
diff --git a/test/environment/sound.exp b/test/environment/sound.exp
new file mode 100755
index 000000000..e2e8fb610
--- /dev/null
+++ b/test/environment/sound.exp
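Review bot: test/environment/nice.exp hard-codes the author's login in the `top -b -n 1` checks (`"netblue"` and `"netblu"`), so the nice test times out with `TESTING ERROR 1` or `11` for every other account even when `--nice=15` is applied correctly. The user name should come from the environment (for example `$env(USER)`, shortened the way top truncates it), or those two expectations can be dropped so that only the process name and nice value are checked. The bare `"15"` pattern is also loose, since it can match a PID or a time column; anchoring it to the process line would make the check meaningful.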
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --nosound speaker-test\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "Parent is shutting down"
+}
+sleep 2
+
+send -- "firejail --nosound aplay -l\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "Child process initialized"
+}
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "List of PLAYBACK" {puts "TESTING ERROR 3\n";exit}
+ "no soundcards found"
+}
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "Parent is shutting down"
+}
+sleep 2
+
+
+send -- "firejail --profile=sound.profile speaker-test\r"
+expect {
+ timeout {puts "TESTING ERROR 11\n";exit}
+ "Child process initialized"
+}
+expect {
+ timeout {puts "TESTING ERROR 12\n";exit}
+ "Parent is shutting down"
+}
+sleep 2
+
+send -- "firejail --profile=sound.profile aplay -l\r"
+expect {
+ timeout {puts "TESTING ERROR 13\n";exit}
+ "Child process initialized"
+}
+expect {
+ timeout {puts "TESTING ERROR 14\n";exit}
+ "List of PLAYBACK" {puts "TESTING ERROR 3\n";exit}
+ "no soundcards found"
+}
+expect {
+ timeout {puts "TESTING ERROR 15\n";exit}
+ "Parent is shutting down"
+}
+sleep 2
+
+
+send -- "firejail aplay -l\r"
+expect {
+ timeout {puts "TESTING ERROR 23\n";exit}
+ "Child process initialized"
+}
+expect {
+ timeout {puts "TESTING ERROR 24\n";exit}
+ "List of PLAYBACK"
+}
+expect {
+ timeout {puts "TESTING ERROR 25\n";exit}
+ "Parent is shutting down"
+}
+sleep 2
+
+puts "\nall done\n"
+
diff --git a/test/environment/sound.profile b/test/environment/sound.profile
new file mode 100644
index 000000000..2f83a0bbb
--- /dev/null
+++ b/test/environment/sound.profile
@@ -0,0 +1 @@
+nosound
diff --git a/test/nice.exp b/test/nice.exp
deleted file mode 100755
index f4afb547d..000000000
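Review bot: In test/environment/sound.exp the branch that fires when a sandbox started with `--nosound` (or with sound.profile) still lists playback devices prints `TESTING ERROR 3` in both places, the same label as the unrelated start-up timeout of the first `aplay -l` step. That branch is the one that signals the restriction was not enforced, so it should be unmistakable in the log, for example `"List of PLAYBACK" {puts "TESTING ERROR 4.1 (sound devices visible)\n";exit}` and `14.1` for the profile variant.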
--- a/test/nice.exp +++ /dev/null @@ -1,80 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --nice=15\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "top -b -n 1\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "netblue" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "15" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "bash" -} -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "netblu" -} -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "15" -} -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "top" -} - -sleep 1 -send -- "exit\r" -sleep 1 - -send -- "firejail --profile=nice.profile\r" -expect { - timeout {puts "TESTING ERROR 10\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "top -b -n 1\r" -expect { - timeout {puts "TESTING ERROR 11\n";exit} - "netblue" -} -expect { - timeout {puts "TESTING ERROR 12\n";exit} - "15" -} -expect { - timeout {puts "TESTING ERROR 13\n";exit} - "bash" -} -expect { - timeout {puts "TESTING ERROR 14\n";exit} - "netblu" -} -expect { - timeout {puts "TESTING ERROR 15\n";exit} - "15" -} -expect { - timeout {puts "TESTING ERROR 16\n";exit} - "top" -} - - - -puts "\nall done\n" - diff --git a/test/nice.profile b/test/nice.profile deleted file mode 100644 index d02c8f58b..000000000 --- a/test/nice.profile +++ /dev/null @@ -1 +0,0 @@ -nice 15 diff --git a/test/notes b/test/notes deleted file mode 100644 index 864cd5519..000000000 --- a/test/notes +++ /dev/null 
@@ -1,13 +0,0 @@ -Testing --nosound - -Get a list of active PulseAudio clients: -$ pacmd info | grep application.process.binary - application.process.binary = "lxpanel" - application.process.binary = "plugin-container" - application.process.binary = "plugin-container" - -Find active PulseAudio socket: -$ netstat -l | grep pulse -unix 2 [ ACC ] STREAM LISTENING 10669 /tmp/pulse-WwG6ohxIJmGO/cli -unix 2 [ ACC ] STREAM LISTENING 12584 /tmp/pulse-WwG6ohxIJmGO/dbus-socket -unix 2 [ ACC ] STREAM LISTENING 12581 /tmp/pulse-WwG6ohxIJmGO/native diff --git a/test/sound.exp b/test/sound.exp deleted file mode 100755 index 078f8b416..000000000 --- a/test/sound.exp +++ /dev/null 
@@ -1,79 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --nosound speaker-test\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "Parent is shutting down" -} -sleep 2 - -send -- "firejail --nosound aplay -l\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "List of PLAYBACK" {puts "TESTING ERROR 3\n";exit} - "no soundcards found" -} -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "Parent is shutting down" -} -sleep 2 - - -send -- "firejail --profile=sound.profile speaker-test\r" -expect { - timeout {puts "TESTING ERROR 11\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 12\n";exit} - "Parent is shutting down" -} -sleep 2 - -send -- "firejail --profile=sound.profile aplay -l\r" -expect { - timeout {puts "TESTING ERROR 13\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 14\n";exit} - "List of PLAYBACK" {puts "TESTING ERROR 3\n";exit} - "no soundcards found" -} -expect { - timeout {puts "TESTING ERROR 15\n";exit} - "Parent is shutting down" -} -sleep 2 - - -send -- "firejail aplay -l\r" -expect { - timeout {puts "TESTING ERROR 23\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 24\n";exit} - "List of PLAYBACK" -} -expect { - timeout {puts "TESTING ERROR 25\n";exit} - "Parent is shutting down" -} -sleep 2 - -puts "\n" - diff --git a/test/sound.profile b/test/sound.profile deleted file mode 100644 index 2f83a0bbb..000000000 --- a/test/sound.profile +++ /dev/null @@ -1 +0,0 @@ -nosound -- cgit v1.2.3-70-g09d2 From 722de2c35e508e52c7af8e8f6524244c205a0802 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Sun, 24 Apr 2016 07:51:39 -0400 Subject: testing --- test/environment/environment.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/environment/environment.sh b/test/environment/environment.sh index f737d284b..ede5735c6 100755 --- a/test/environment/environment.sh +++ b/test/environment/environment.sh @@ -54,5 +54,5 @@ echo "TESTING: firejail in firejail - force new sandbox (test/environment/fireja echo "TESTING: sound (test/environment/sound.exp)" ./sound.exp -echo "TESTING: nice ((test/environment/nice.exp)" +echo "TESTING: nice (test/environment/nice.exp)" ./nice.exp -- cgit v1.2.3-70-g09d2 From 2971ce53728d8b7b9d6e92948a5924aa74184926 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 24 Apr 2016 08:13:40 -0400 Subject: testing --- test/test.sh | 5 ----- 1 file changed, 5 deletions(-) diff --git a/test/test.sh b/test/test.sh index df46101a8..0509afdfb 100755 --- a/test/test.sh +++ b/test/test.sh @@ -255,9 +255,4 @@ echo "TESTING: firemon --arp (firemon-arp.exp)" echo "TESTING: firemon --route (firemon-route.exp)" ./firemon-route.exp -echo "TESTING: firemon --seccomp (firemon-seccomp.exp)" -./firemon-seccomp.exp - -echo "TESTING: firemon --caps (firemon-caps.exp)" -./firemon-caps.exp -- cgit v1.2.3-70-g09d2 From 5bcafbe5efc7117e4631ec2cf50dd3a77f1839bc Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 24 Apr 2016 08:19:49 -0400 Subject: make github-compile --- Makefile.in | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Makefile.in b/Makefile.in index fc341aab5..b4933439c 100644 --- a/Makefile.in +++ b/Makefile.in @@ -48,6 +48,7 @@ clean: rm -f firejail.1 firejail.1.gz firemon.1 firemon.1.gz firecfg.1 firecfg.gz firejail-profile.5 firejail-profile.5.gz firejail-login.5 firejail-login.5.gz firejail-config.5 firejail-config.5.gz firejail*.rpm rm -f test/utils/index.html* rm -f test/utils/lstesting + cd test/compile; ./compile.sh --clean; cd ../.. distclean: clean for dir in $(APPS); do \ 
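Review bot: The line added to the `clean` recipe, `cd test/compile; ./compile.sh --clean; cd ../..`, chains its commands with `;`, so when `test/compile` is absent the `cd` fails and `./compile.sh --clean` is still attempted from the top-level directory. `cd test/compile && ./compile.sh --clean` stops at the failed `cd`; the trailing `cd ../..` can go, since each recipe line runs in its own shell. The same pattern appears in the `github-compile` target added later in this commit and in the `test/dist-compile` lines of the following commit. This commit's diffstat lists only Makefile.in, so whether `test/compile/compile.sh` exists at this point cannot be confirmed from here, and `make clean` now depends on it.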
@@ -247,6 +248,7 @@ dist: cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/utils test/.; cd .. cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/apps-x11 test/.; cd .. cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/firemon test/.; cd .. + cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/compile test/.; cd .. cd $(NAME)-$(VERSION); rm -fr `find . -name .svn`; rm -fr $(NAME)-$(VERSION); cd .. tar -cjvf $(NAME)-$(VERSION).tar.bz2 $(NAME)-$(VERSION) rm -fr $(NAME)-$(VERSION) @@ -284,5 +286,8 @@ test-utils: test-environment: cd test/environment; ./environment.sh | grep TESTING +github-compile: + cd test/compile; ./compile.sh + test: test-profiles test-utils test-environment test-apps test-apps-x11 echo "TEST COMPLETE" -- cgit v1.2.3-70-g09d2 From ff9ebdd99245ca9bf52c2fa38e12a97386e266a7 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 24 Apr 2016 08:24:32 -0400 Subject: compile cleanup --- src/firejail/profile.c | 1 - 1 file changed, 1 deletion(-) diff --git a/src/firejail/profile.c b/src/firejail/profile.c index d358594d9..d564cd39c 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -427,7 +427,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { else if (strncmp(ptr, "defaultgw ", 10) == 0) { #ifdef HAVE_NETWORK if (checkcfg(CFG_NETWORK)) { - Bridge *br = last_bridge_configured(); if (atoip(ptr + 10, &cfg.defaultgw)) { fprintf(stderr, "Error: invalid IP address\n"); exit(1); -- cgit v1.2.3-70-g09d2 From 03443a4b88e3a2cc32b30b1124fde7399c9a138e Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 24 Apr 2016 08:45:06 -0400 Subject: compile tests --- Makefile.in | 11 +- test/dist-compile/compile.sh | 251 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 259 insertions(+), 3 deletions(-) create mode 100755 test/dist-compile/compile.sh diff --git a/Makefile.in b/Makefile.in index b4933439c..5ae9a3a54 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -49,6 +49,7 @@ clean: rm -f test/utils/index.html* rm -f test/utils/lstesting cd test/compile; ./compile.sh --clean; cd ../.. + cd test/dist-compile; ./compile.sh --clean; cd ../.. distclean: clean for dir in $(APPS); do \ @@ -249,6 +250,7 @@ dist: cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/apps-x11 test/.; cd .. cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/firemon test/.; cd .. cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/compile test/.; cd .. + cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/dist-compile test/.; cd .. cd $(NAME)-$(VERSION); rm -fr `find . -name .svn`; rm -fr $(NAME)-$(VERSION); cd .. tar -cjvf $(NAME)-$(VERSION).tar.bz2 $(NAME)-$(VERSION) rm -fr $(NAME)-$(VERSION) @@ -256,6 +258,12 @@ dist: deb: dist ./mkdeb.sh $(NAME) $(VERSION) +github-compile: + cd test/compile; ./compile.sh + +dist-compile: dist + cd test/dist-compile; ./compile.sh $(NAME)-$(VERSION) + .PHONY: rpms rpms: ./platform/rpm/mkrpm.sh $(NAME) $(VERSION) @@ -286,8 +294,5 @@ test-utils: test-environment: cd test/environment; ./environment.sh | grep TESTING -github-compile: - cd test/compile; ./compile.sh - test: test-profiles test-utils test-environment test-apps test-apps-x11 echo "TEST COMPLETE" diff --git a/test/dist-compile/compile.sh b/test/dist-compile/compile.sh new file mode 100755 index 000000000..a9c1656ee --- /dev/null +++ b/test/dist-compile/compile.sh 
@@ -0,0 +1,251 @@ +#!/bin/bash + +arr[1]="TEST 1: standard compilation" +arr[2]="TEST 2: compile seccomp disabled" +arr[3]="TEST 3: compile chroot disabled" +arr[4]="TEST 4: compile bind disabled" +arr[5]="TEST 5: compile user namespace disabled" +arr[6]="TEST 6: compile network disabled" +arr[7]="TEST 7: compile X11 disabled" +arr[8]="TEST 8: compile network restricted" +arr[9]="TEST 9: compile file transfer disabled" + + +# remove previous reports and output file +cleanup() { + rm -f report* + rm -fr firejail + rm oc* om* +} + +print_title() { + echo + echo + echo + echo "**************************************************" + echo $1 + echo "**************************************************" +} + +DIST="$1" +while [ $# -gt 0 ]; do # Until you run out of parameters . . . + case "$1" in + --clean) + cleanup + exit + ;; + --help) + echo "./compile.sh [--clean|--help]" + exit + ;; + esac + shift # Check next set of parameters. +done + +cleanup +# enable sudo +sudo ls -al + + +#***************************************************************** +# TEST 1 +#***************************************************************** +# - checkout source code +# - check compilation +# - install +#***************************************************************** +print_title "${arr[1]}" +echo "$DIST" +tar -xjvf ../../$DIST.tar.bz2 +mv $DIST firejail + +cd firejail +./configure --prefix=/usr --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +sudo make install 2>&1 | tee ../output-install +cd .. 
+grep Warning output-configure output-make output-install > ./report-test1 +grep Error output-configure output-make output-install >> ./report-test1 +cp output-configure oc1 +cp output-make om1 +rm output-configure output-make output-install + + +#***************************************************************** +# TEST 2 +#***************************************************************** +# - disable seccomp configuration +# - check compilation +#***************************************************************** +print_title "${arr[2]}" +# seccomp +cd firejail +make distclean +./configure --prefix=/usr --disable-seccomp --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +cd .. +grep Warning output-configure output-make > ./report-test2 +grep Error output-configure output-make >> ./report-test2 +cp output-configure oc2 +cp output-make om2 +rm output-configure output-make + +#***************************************************************** +# TEST 3 +#***************************************************************** +# - disable chroot configuration +# - check compilation +#***************************************************************** +print_title "${arr[3]}" +# seccomp +cd firejail +make distclean +./configure --prefix=/usr --disable-chroot --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +cd .. 
+grep Warning output-configure output-make > ./report-test3 +grep Error output-configure output-make >> ./report-test3 +cp output-configure oc3 +cp output-make om3 +rm output-configure output-make + +#***************************************************************** +# TEST 4 +#***************************************************************** +# - disable bind configuration +# - check compilation +#***************************************************************** +print_title "${arr[4]}" +# seccomp +cd firejail +make distclean +./configure --prefix=/usr --disable-bind --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +cd .. +grep Warning output-configure output-make > ./report-test4 +grep Error output-configure output-make >> ./report-test4 +cp output-configure oc4 +cp output-make om4 +rm output-configure output-make + +#***************************************************************** +# TEST 5 +#***************************************************************** +# - disable user namespace configuration +# - check compilation +#***************************************************************** +print_title "${arr[5]}" +# seccomp +cd firejail +make distclean +./configure --prefix=/usr --disable-userns --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +cd .. 
+grep Warning output-configure output-make > ./report-test5 +grep Error output-configure output-make >> ./report-test5 +cp output-configure oc5 +cp output-make om5 +rm output-configure output-make + +#***************************************************************** +# TEST 6 +#***************************************************************** +# - disable user namespace configuration +# - check compilation +#***************************************************************** +print_title "${arr[6]}" +# seccomp +cd firejail +make distclean +./configure --prefix=/usr --disable-network --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +cd .. +grep Warning output-configure output-make > ./report-test6 +grep Error output-configure output-make >> ./report-test6 +cp output-configure oc6 +cp output-make om6 +rm output-configure output-make + +#***************************************************************** +# TEST 7 +#***************************************************************** +# - disable X11 support +# - check compilation +#***************************************************************** +print_title "${arr[7]}" +# seccomp +cd firejail +make distclean +./configure --prefix=/usr --disable-x11 --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +cd .. 
+grep Warning output-configure output-make > ./report-test7 +grep Error output-configure output-make >> ./report-test7 +cp output-configure oc7 +cp output-make om7 +rm output-configure output-make + + +#***************************************************************** +# TEST 8 +#***************************************************************** +# - enable network restricted +# - check compilation +#***************************************************************** +print_title "${arr[8]}" +# seccomp +cd firejail +make distclean +./configure --prefix=/usr --enable-network=restricted --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +cd .. +grep Warning output-configure output-make > ./report-test8 +grep Error output-configure output-make >> ./report-test8 +cp output-configure oc8 +cp output-make om8 +rm output-configure output-make + + +#***************************************************************** +# TEST 9 +#***************************************************************** +# - disable file transfer +# - check compilation +#***************************************************************** +print_title "${arr[9]}" +# seccomp +cd firejail +make distclean +./configure --prefix=/usr --enable-network=restricted --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +cd .. 
+grep Warning output-configure output-make > ./report-test9 +grep Error output-configure output-make >> ./report-test9 +cp output-configure oc9 +cp output-make om9 +rm output-configure output-make + + +#***************************************************************** +# PRINT REPORTS +#***************************************************************** +echo +echo +echo +echo +echo "**********************************************************" +echo "TEST RESULTS" +echo "**********************************************************" + +wc -l report-test* +echo +echo "Legend:" +echo ${arr[1]} +echo ${arr[2]} +echo ${arr[3]} +echo ${arr[4]} +echo ${arr[5]} +echo ${arr[6]} +echo ${arr[7]} +echo ${arr[8]} +echo ${arr[9]} -- cgit v1.2.3-70-g09d2 From 67f5e3ca811fcb7fc6d9fbf47a4ae84c12c5a616 Mon Sep 17 00:00:00 2001 From: Joan Figueras Date: Sun, 24 Apr 2016 15:18:23 +0200 Subject: cyberfox profile --- etc/cyberfox.profile | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 etc/cyberfox.profile diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile new file mode 100644 index 000000000..cef9ad464 --- /dev/null +++ b/etc/cyberfox.profile 
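Review bot: TEST 9 in test/dist-compile/compile.sh is labelled "compile file transfer disabled", but its configure line is the same `--enable-network=restricted` invocation as TEST 8, so the file-transfer-disabled build is never compiled and a break in that reduced-feature configuration would go unreported. Assuming configure exposes the switch as `--disable-file-transfer`, the line should read `./configure --prefix=/usr --disable-file-transfer --enable-fatal-warnings 2>&1 | tee ../output-configure`. Separately, every build step is piped through `tee` without `set -o pipefail`, so a failed configure or make is noticed only if its output contains the strings the later `grep` looks for; checking `${PIPESTATUS[0]}` after each pipeline would make the reports trustworthy. The header comments of TEST 3 to TEST 9 also still say `# seccomp`, and TEST 6 describes itself as the user namespace test.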
@@ -0,0 +1,52 @@ +# Firejail profile for Cyberfox (based on Mozilla Firefox) + +noblacklist ~/.8pecxstudios/cyberfox +noblacklist ~/.cache/8pecxstudios +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc + +caps.drop all +seccomp +protocol unix,inet,inet6,netlink +netfilter +tracelog +noroot + +whitelist ${DOWNLOADS} +mkdir ~/.8pecxstudios +whitelist ~/.8pecxstudios +mkdir ~/.cache +mkdir ~/.cache/8pecxstudios +mkdir ~/.cache/8pecxstudios/cyberfox +whitelist ~/.cache/8pecxstudios/cyberfox +whitelist ~/dwhelper +whitelist ~/.zotero +whitelist ~/.vimperatorrc +whitelist ~/.vimperator +whitelist ~/.pentadactylrc +whitelist ~/.pentadactyl +whitelist ~/.keysnail.js +whitelist ~/.config/gnome-mplayer +whitelist ~/.cache/gnome-mplayer/plugin +whitelist ~/.pki + +# lastpass, keepassx +whitelist ~/.keepassx +whitelist ~/.config/keepassx +whitelist ~/keepassx.kdbx +whitelist ~/.lastpass +whitelist ~/.config/lastpass + + +#silverlight +whitelist ~/.wine-pipelight +whitelist ~/.wine-pipelight64 +whitelist ~/.config/pipelight-widevine +whitelist ~/.config/pipelight-silverlight5.1 + +include /etc/firejail/whitelist-common.inc + +# experimental features +#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse + -- cgit v1.2.3-70-g09d2 From 5836a8892ea1cbeb6fddab71ced4634ba1d1bbcd Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 24 Apr 2016 10:53:36 -0400 Subject: testing --- test/apps-x11/chromium.exp | 2 +- test/apps-x11/firefox.exp | 2 +- test/apps-x11/icedove.exp | 2 +- test/apps-x11/transmission-gtk.exp | 2 +- test/apps-x11/xterm.exp | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/test/apps-x11/chromium.exp b/test/apps-x11/chromium.exp index 11677a28f..38c932aca 100755 --- a/test/apps-x11/chromium.exp +++ b/test/apps-x11/chromium.exp 
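Review bot: The new etc/cyberfox.profile whitelists password-manager data (`~/.keepassx`, `~/.config/keepassx`, `~/keepassx.kdbx`, `~/.lastpass`, `~/.config/lastpass`) and `~/.pki` into the browser's view of the home directory, so the sandboxed browser process can read the password database files and the certificate store. These entries look inherited from the Firefox profile this one is based on, and the file gives no reason for them. If they are needed for browser integrations, the `# lastpass, keepassx` comment should say so, e.g. `# needed only for the KeePassX/LastPass browser integrations; remove if unused`. Otherwise I would leave the five password-manager lines out of the default profile and let users add them in a local override.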
@@ -7,7 +7,7 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail --name=test --x11 --net=br0 chromium www.gentoo.org\r" +send -- "firejail --name=test --x11 chromium www.gentoo.org\r" sleep 10 spawn $env(SHELL) diff --git a/test/apps-x11/firefox.exp b/test/apps-x11/firefox.exp index f7c128690..e82fc6e72 100755 --- a/test/apps-x11/firefox.exp +++ b/test/apps-x11/firefox.exp @@ -7,7 +7,7 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail --name=test --x11 --net=br0 firefox -no-remote www.gentoo.org\r" +send -- "firejail --name=test --x11 firefox -no-remote www.gentoo.org\r" sleep 10 spawn $env(SHELL) diff --git a/test/apps-x11/icedove.exp b/test/apps-x11/icedove.exp index ca6a49978..a07344f36 100755 --- a/test/apps-x11/icedove.exp +++ b/test/apps-x11/icedove.exp @@ -7,7 +7,7 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail --name=test --net=br0 --x11 icedove\r" +send -- "firejail --name=test --x11 icedove\r" sleep 10 spawn $env(SHELL) diff --git a/test/apps-x11/transmission-gtk.exp b/test/apps-x11/transmission-gtk.exp index 67b3fd202..6391a3717 100755 --- a/test/apps-x11/transmission-gtk.exp +++ b/test/apps-x11/transmission-gtk.exp @@ -7,7 +7,7 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail --name=test --net=br0 --x11 transmission-gtk\r" +send -- "firejail --name=test --x11 transmission-gtk\r" sleep 10 spawn $env(SHELL) diff --git a/test/apps-x11/xterm.exp b/test/apps-x11/xterm.exp index 26e58953e..7d61da542 100755 --- a/test/apps-x11/xterm.exp +++ b/test/apps-x11/xterm.exp @@ -7,7 +7,7 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail --name=test --net=br0 --x11 xterm\r" +send -- "firejail --name=test --x11 xterm\r" sleep 10 spawn $env(SHELL) -- cgit v1.2.3-70-g09d2 From b72b5caa9c641f0230103977c9fcdbbdc5b2ea0c Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Sun, 24 Apr 2016 11:30:33 -0400 Subject: cyberfox profile --- Makefile.in | 1 + README | 2 ++ RELNOTES | 2 +- etc/disable-programs.inc | 2 ++ platform/debian/conffiles | 1 + 5 files changed, 7 insertions(+), 1 deletion(-) diff --git a/Makefile.in b/Makefile.in index 5ae9a3a54..b80dbe15b 100644 --- a/Makefile.in +++ b/Makefile.in @@ -177,6 +177,7 @@ realinstall: install -c -m 0644 .etc/stellarium.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/google-play-music-desktop-player.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/quiterss.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/cyberfox.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" rm -fr .etc diff --git a/README b/README index 069a6e664..99cd08a5e 100644 --- a/README +++ b/README @@ -18,6 +18,7 @@ License: GPL v2 Firejail Authors: netblue30 (netblue30@yahoo.com) + Ruan (https://github.com/ruany) - fixed hexchat profile Vasya Novikov (https://github.com/vn971) @@ -36,6 +37,7 @@ Matthew Gyurgyik (https://github.com/pyther) Joan Figueras (https://github.com/figue) - added abrowser profile - added Google-Play-Music-Desktop-Player + - added cyberfox profile Fred-Barclay (https://github.com/Fred-Barclay) - added Vivaldi, Atril profiles - added PaleMoon profile diff --git a/RELNOTES b/RELNOTES index 91b41abcf..0a5cc926d 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -22,7 +22,7 @@ firejail (0.9.40-rc1) baseline; urgency=low * new profiles: qTox, OpenSSH client, OpenBox, Dillo, cmus, dnsmasq * new profiles: PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100 * new profiles: okular, gwenview, Google-Play-Music-Desktop-Player - * new profiles: Aweather, Stellarium, gpredict, quiterss + * new profiles: Aweather, Stellarium, gpredict, quiterss, cyberfox * build rpm packages using "make rpms" * bugfixes -- netblue30 Sun, 3 Apr 2016 08:00:00 -0500 diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 317ac082f..297d25bf2 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -45,6 +45,7 @@ blacklist ${HOME}/.conkeror.mozdev.org blacklist ${HOME}/.config/epiphany blacklist ${HOME}/.config/slimjet blacklist ${HOME}/.config/qutebrowser +blacklist ${HOME}/.8pecxstudios # Instant Messaging blacklist ${HOME}/.config/hexchat @@ -93,6 +94,7 @@ blacklist ${HOME}/.cache/icedove blacklist ${HOME}/.cache/transmission blacklist ${HOME}/.cache/wesnoth blacklist ${HOME}/.cache/0ad +blacklist ${HOME}/.cache/8pecxstudios # share blacklist ${HOME}/.local/share/epiphany diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 8297f96eb..2456d8a90 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -92,3 +92,4 @@ /etc/firejail/stellarium.profile /etc/firejail/google-play-music-desktop-player.profile /etc/firejail/quiterss.profile +/etc/firejail/cyberfox.profile -- cgit v1.2.3-70-g09d2 From df1e582e0b8810c7ea3c454be31770fe4a8732dd Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 24 Apr 2016 11:31:53 -0400 Subject: cyberfox profile --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 68ae3118a..8172a1798 100644 --- a/README.md +++ b/README.md 
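Review bot: The added `blacklist ${HOME}/.8pecxstudios` in etc/disable-programs.inc does not line up with etc/cyberfox.profile, which exempts the child path `~/.8pecxstudios/cyberfox` rather than the blacklisted directory itself. If `noblacklist` is matched against the blacklist entry's own path (not confirmed from the lines shown here), the exemption never applies and Cyberfox would start with its own profile directory blacklisted. Either the profile should say `noblacklist ~/.8pecxstudios`, or this file should blacklist `${HOME}/.8pecxstudios/cyberfox`. The `.cache/8pecxstudios` pair already uses the same path on both sides.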
@@ -282,5 +282,7 @@ $ man firejail-profile ## New security profiles lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox, OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf, -Warzone2100, okular, gwenview, Gpredict, Aweather, Stellarium, Google-Play-Music-Desktop-Player, quiterss +Warzone2100, okular, gwenview, Gpredict, Aweather, Stellarium, Google-Play-Music-Desktop-Player, quiterss, +cyberfox + -- cgit v1.2.3-70-g09d2 From c92dc59bef0d34541c10fd535d91d876d214a5d8 Mon Sep 17 00:00:00 2001 From: root Date: Mon, 25 Apr 2016 09:54:17 -0400 Subject: fixed interface/defaultgw problem --- src/firejail/sandbox.c | 25 ++++++++++++++++--------- test/compile/compile.sh | 2 +- test/dist-compile/compile.sh | 2 +- 3 files changed, 18 insertions(+), 11 deletions(-) diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 3f3564295..4473e306c 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -539,6 +539,7 @@ int sandbox(void* sandbox_arg) { //**************************** // networking //**************************** + int gw_cfg_failed = 0; // default gw configuration flag if (arg_nonetwork) { net_if_up("lo"); if (arg_debug) @@ -564,13 +565,6 @@ int sandbox(void* sandbox_arg) { net_config_mac(cfg.bridge3.devsandbox, cfg.bridge3.macsandbox); sandbox_if_up(&cfg.bridge3); - // add a default route - if (cfg.defaultgw) { - // set the default route - if (net_add_route(0, 0, cfg.defaultgw)) - fprintf(stderr, "Warning: cannot configure default route\n"); - } - // enable interfaces if (cfg.interface0.configured && cfg.interface0.ip) { if (arg_debug) 
@@ -597,6 +591,15 @@ int sandbox(void* sandbox_arg) { net_if_up(cfg.interface3.dev); } + // add a default route + if (cfg.defaultgw) { + // set the default route + if (net_add_route(0, 0, cfg.defaultgw)) { + fprintf(stderr, "Warning: cannot configure default route\n"); + gw_cfg_failed = 1; + } + } + if (arg_debug) printf("Network namespace enabled\n"); } @@ -612,8 +615,12 @@ int sandbox(void* sandbox_arg) { printf("\n"); if (any_bridge_configured() || any_interface_configured()) net_ifprint(); - if (cfg.defaultgw != 0) - printf("Default gateway %d.%d.%d.%d\n", PRINT_IP(cfg.defaultgw)); + if (cfg.defaultgw != 0) { + if (gw_cfg_failed) + printf("Default gateway configuration failed\n"); + else + printf("Default gateway %d.%d.%d.%d\n", PRINT_IP(cfg.defaultgw)); + } if (cfg.dns1 != 0) printf("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns1)); if (cfg.dns2 != 0) diff --git a/test/compile/compile.sh b/test/compile/compile.sh index e3e9bef2b..c6b1d1928 100755 --- a/test/compile/compile.sh +++ b/test/compile/compile.sh @@ -15,7 +15,7 @@ arr[9]="TEST 9: compile file transfer disabled" cleanup() { rm -f report* rm -fr firejail - rm oc* om* + rm -f oc* om* } print_title() { diff --git a/test/dist-compile/compile.sh b/test/dist-compile/compile.sh index a9c1656ee..e0d29281b 100755 --- a/test/dist-compile/compile.sh +++ b/test/dist-compile/compile.sh @@ -15,7 +15,7 @@ arr[9]="TEST 9: compile file transfer disabled" cleanup() { rm -f report* rm -fr firejail - rm oc* om* + rm -f oc* om* } print_title() { -- cgit v1.2.3-70-g09d2 From f9f01f4f143818c033c7ad077131332b53de6fd2 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 25 Apr 2016 10:15:19 -0400 Subject: fix --- README | 1 - 1 file changed, 1 deletion(-) diff --git a/README b/README index 99cd08a5e..7779ebf4e 100644 --- a/README +++ b/README 
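Review bot: The default-route block that this commit moves below the `net_if_up()` calls in sandbox() has no comment saying why the order matters, although the ordering is the fix itself. I would add above it something like `// add the default route last: it is installed only after the interfaces above are up`, adjusted to the failure actually observed. The flag's comment in the first hunk could state its purpose rather than its name: `// set when net_add_route() fails, so the summary below does not print a gateway that was never installed`. The sandbox still starts when the route cannot be set; if that is deliberate, the comment should say so. sandbox() begins and ends outside these hunks.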
@@ -18,7 +18,6 @@ License: GPL v2 Firejail Authors: netblue30 (netblue30@yahoo.com) - Ruan (https://github.com/ruany) - fixed hexchat profile Vasya Novikov (https://github.com/vn971) -- cgit v1.2.3-70-g09d2 From 34539b96d0f01d0483bd756bde5da4b43ac82a63 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 25 Apr 2016 13:36:55 -0400 Subject: testing --- src/lib/libnetlink.c | 4 ++-- test/utils/shutdown4.exp | 4 ---- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/src/lib/libnetlink.c b/src/lib/libnetlink.c index 07457eefe..836cf417d 100644 --- a/src/lib/libnetlink.c +++ b/src/lib/libnetlink.c @@ -723,7 +723,7 @@ int rta_addattr32(struct rtattr *rta, int maxlen, int type, __u32 data) int len = RTA_LENGTH(4); struct rtattr *subrta; - if (RTA_ALIGN(rta->rta_len) + len > maxlen) { + if ((int) (RTA_ALIGN(rta->rta_len) + len) > maxlen) { fprintf(stderr,"rta_addattr32: Error! max allowed bound %d exceeded\n",maxlen); return -1; } @@ -741,7 +741,7 @@ int rta_addattr_l(struct rtattr *rta, int maxlen, int type, struct rtattr *subrta; int len = RTA_LENGTH(alen); - if (RTA_ALIGN(rta->rta_len) + RTA_ALIGN(len) > maxlen) { + if ((int) (RTA_ALIGN(rta->rta_len) + RTA_ALIGN(len)) > maxlen) { fprintf(stderr,"rta_addattr_l: Error! max allowed bound %d exceeded\n",maxlen); return -1; } diff --git a/test/utils/shutdown4.exp b/test/utils/shutdown4.exp index 613f3fbc8..0f2e0e7fe 100755 --- a/test/utils/shutdown4.exp +++ b/test/utils/shutdown4.exp @@ -60,10 +60,6 @@ expect { timeout {puts "TESTING ERROR 50\n";exit} "50" } -expect { - timeout {puts "TESTING ERROR 60\n";exit} - "Killed" -} sleep 1 puts "\nalldone\n" -- cgit v1.2.3-70-g09d2 From dbb0b361a3abb95745372ba626c4427277b72ccc Mon Sep 17 00:00:00 2001 
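Review bot: The `(int)` casts added in rta_addattr32() and rta_addattr_l() silence what is presumably a signed/unsigned comparison warning, but they also change what the bounds check accepts: a sum above INT_MAX now converts to a negative int and compares as smaller than `maxlen`, where the previous unsigned comparison would have rejected it. In rta_addattr32() the sum is `rta_len` plus a constant, so the cast is harmless there, but in rta_addattr_l() `len` derives from the caller-supplied `alen`. Keeping the arithmetic unsigned and rejecting a negative bound explicitly avoids both the warning and the wrap, e.g. `if (maxlen < 0 || RTA_ALIGN(rta->rta_len) + RTA_ALIGN(len) > (unsigned int) maxlen) {`, ideally with a check that `alen` is non-negative before `RTA_LENGTH(alen)` is computed. Both function bodies continue outside the hunks.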
From: Reiner Herrmann Date: Thu, 28 Apr 2016 00:02:53 +0200 Subject: Make some tests more robust --- test/apps-x11/apps-x11.sh | 2 +- test/environment/csh.exp | 1 + test/environment/dash.exp | 1 + test/environment/environment.sh | 10 ++++++++-- test/environment/nice.exp | 8 ++++---- test/environment/rlimit-profile.exp | 1 + test/environment/rlimit.exp | 1 + test/environment/zsh.exp | 1 + test/utils/join.exp | 1 + test/utils/join2.exp | 1 + test/utils/join3.exp | 1 + test/utils/shutdown.exp | 1 + test/utils/utils.sh | 26 ++++++++++++++++++-------- 13 files changed, 40 insertions(+), 15 deletions(-) diff --git a/test/apps-x11/apps-x11.sh b/test/apps-x11/apps-x11.sh index 938d4c993..2182c90a2 100755 --- a/test/apps-x11/apps-x11.sh +++ b/test/apps-x11/apps-x11.sh @@ -48,6 +48,6 @@ then echo "TESTING: icedove x11" ./icedove.exp else - echo "TESTING: icedovenot found" + echo "TESTING: icedove not found" fi diff --git a/test/environment/csh.exp b/test/environment/csh.exp index 10ad3607e..7fd69ed43 100755 --- a/test/environment/csh.exp +++ b/test/environment/csh.exp @@ -4,6 +4,7 @@ # License GPL v2 set timeout 10 +cd /home spawn $env(SHELL) match_max 100000 diff --git a/test/environment/dash.exp b/test/environment/dash.exp index f5a60719e..d727d302e 100755 --- a/test/environment/dash.exp +++ b/test/environment/dash.exp @@ -1,6 +1,7 @@ #!/usr/bin/expect -f set timeout 10 +cd /home spawn $env(SHELL) match_max 100000 diff --git a/test/environment/environment.sh b/test/environment/environment.sh index ede5735c6..9164b43a2 100755 --- a/test/environment/environment.sh +++ b/test/environment/environment.sh 
@@ -51,8 +51,14 @@ echo "TESTING: firejail in firejail - single sandbox (test/environment/firejail- echo "TESTING: firejail in firejail - force new sandbox (test/environment/firejail-in-firejail2.exp)" ./firejail-in-firejail2.exp -echo "TESTING: sound (test/environment/sound.exp)" -./sound.exp +which aplay +if [ "$?" -eq 0 ]; +then + echo "TESTING: sound (test/environment/sound.exp)" + ./sound.exp +else + echo "TESTING: aplay not found" +fi echo "TESTING: nice (test/environment/nice.exp)" ./nice.exp diff --git a/test/environment/nice.exp b/test/environment/nice.exp index 7e5731c63..3a5db71c8 100755 --- a/test/environment/nice.exp +++ b/test/environment/nice.exp @@ -17,7 +17,7 @@ sleep 1 send -- "top -b -n 1\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "netblue" + $env(USER) } expect { timeout {puts "TESTING ERROR 2\n";exit} @@ -29,7 +29,7 @@ expect { } expect { timeout {puts "TESTING ERROR 4\n";exit} - "netblu" + $env(USER) } expect { timeout {puts "TESTING ERROR 5\n";exit} @@ -54,7 +54,7 @@ sleep 1 send -- "top -b -n 1\r" expect { timeout {puts "TESTING ERROR 11\n";exit} - "netblue" + $env(USER) } expect { timeout {puts "TESTING ERROR 12\n";exit} @@ -66,7 +66,7 @@ expect { } expect { timeout {puts "TESTING ERROR 14\n";exit} - "netblu" + $env(USER) } expect { timeout {puts "TESTING ERROR 15\n";exit} diff --git a/test/environment/rlimit-profile.exp b/test/environment/rlimit-profile.exp index 7d2637444..aed634201 100755 --- a/test/environment/rlimit-profile.exp +++ b/test/environment/rlimit-profile.exp @@ -1,6 +1,7 @@ #!/usr/bin/expect -f set timeout 10 +cd /home spawn $env(SHELL) match_max 100000 diff --git a/test/environment/rlimit.exp b/test/environment/rlimit.exp index 17d2bd9d1..680520b33 100755 --- a/test/environment/rlimit.exp +++ b/test/environment/rlimit.exp @@ -1,6 +1,7 @@ #!/usr/bin/expect -f set timeout 10 +cd /home spawn $env(SHELL) match_max 100000 
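Review bot: The availability check added in test/environment/environment.sh runs `which aplay` and then tests `$?` on a separate line, which prints the resolved path into the test output and relies on an external `which` whose exit status is not uniform across systems. `if command -v aplay >/dev/null 2>&1; then` does the same with a shell builtin and no stray output. The same form is added for `man` in test/utils/utils.sh, where the `$(grep -c ^processor /proc/cpuinfo)` substitution should also be quoted inside `[ ... ]`.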
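Review bot: In the test/environment/nice.exp hunks, replacing the hard-coded name with `$env(USER)` ties the match to how `top -b` prints its USER column. The old patterns were `netblue` and the shorter `netblu`, which suggests the column can be truncated, so an account name longer than the column width would never match and the test would time out. Matching on a prefix of the name is safer, for example one computed with `string range $env(USER) 0 5`. The value is also treated as a glob pattern by `expect`, so a name containing `*`, `?` or `[` would not match literally; the `-ex` flag on the pattern avoids that.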
diff --git a/test/environment/zsh.exp b/test/environment/zsh.exp index 2604b2be5..96fa84dfe 100755 --- a/test/environment/zsh.exp +++ b/test/environment/zsh.exp @@ -4,6 +4,7 @@ # License GPL v2 set timeout 10 +cd /home spawn $env(SHELL) match_max 100000 diff --git a/test/utils/join.exp b/test/utils/join.exp index fc94a22c3..e1cd37fcb 100755 --- a/test/utils/join.exp +++ b/test/utils/join.exp @@ -4,6 +4,7 @@ # License GPL v2 set timeout 10 +cd /home spawn $env(SHELL) match_max 100000 diff --git a/test/utils/join2.exp b/test/utils/join2.exp index 749e8900f..820c43174 100755 --- a/test/utils/join2.exp +++ b/test/utils/join2.exp @@ -4,6 +4,7 @@ # License GPL v2 set timeout 10 +cd /home spawn $env(SHELL) match_max 100000 diff --git a/test/utils/join3.exp b/test/utils/join3.exp index 0a686bc36..96d3e5186 100755 --- a/test/utils/join3.exp +++ b/test/utils/join3.exp @@ -4,6 +4,7 @@ # License GPL v2 set timeout 10 +cd /home spawn $env(SHELL) match_max 100000 diff --git a/test/utils/shutdown.exp b/test/utils/shutdown.exp index 135f42d28..ca321b3c9 100755 --- a/test/utils/shutdown.exp +++ b/test/utils/shutdown.exp @@ -4,6 +4,7 @@ # License GPL v2 set timeout 10 +cd /home spawn $env(SHELL) match_max 100000 diff --git a/test/utils/utils.sh b/test/utils/utils.sh index 474c026d1..1e010147d 100755 --- a/test/utils/utils.sh +++ b/test/utils/utils.sh @@ -12,8 +12,14 @@ echo "TESTING: version (test/utils/version.exp)" echo "TESTING: help (test/utils/help.exp)" ./help.exp -echo "TESTING: man (test/utils/man.exp)" -./man.exp +which man +if [ "$?" -eq 0 ]; +then + echo "TESTING: man (test/utils/man.exp)" + ./man.exp +else + echo "TESTING: man not found" +fi echo "TESTING: list (test/utils/list.exp)" ./list.exp 
@@ -21,9 +27,13 @@ echo "TESTING: list (test/utils/list.exp)" echo "TESTING: tree (test/utils/tree.exp)" ./tree.exp -echo "TESTING: cpu.print (test/utils/cpu-print.exp)" -echo "TESTING: failing under VirtualBox where there is only one CPU" -./cpu-print.exp +if [ $(grep -c ^processor /proc/cpuinfo) -gt 1 ]; +then + echo "TESTING: cpu.print (test/utils/cpu-print.exp)" + ./cpu-print.exp +else + echo "TESTING: cpu.print, not enough CPUs" +fi echo "TESTING: fs.print (test/utils/fs-print.exp)" ./fs-print.exp @@ -52,7 +62,7 @@ echo "TESTING: shutdown3 (test/utils/shutdown3.exp)" echo "TESTING: shutdown4 (test/utils/shutdown4.exp)" ./shutdown4.exp -echo "TESTING: join test/utils/(join.exp)" +echo "TESTING: join (test/utils/join.exp)" ./join.exp echo "TESTING: join2 (test/utils/join2.exp)" @@ -72,9 +82,9 @@ rm -f index.html* echo "TESTING: firemon --seccomp (test/utils/seccomp.exp)" ./seccomp.exp -echo "TESTING: firemon --caps (test/ustil/caps.exp)" +echo "TESTING: firemon --caps (test/utils/caps.exp)" ./caps.exp -echo "TESTING: file transfer (test/ustil/ls.exp)" +echo "TESTING: file transfer (test/utils/ls.exp)" ./ls.exp -- cgit v1.2.3-70-g09d2 From d90ab9882554c396a15e17b0b0d5bf98f415b791 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 28 Apr 2016 08:57:21 -0400 Subject: removed sudo from make dist-compile and make github-compile --- test/compile/compile.sh | 10 +++------- test/dist-compile/compile.sh | 9 +++------ 2 files changed, 6 insertions(+), 13 deletions(-) diff --git a/test/compile/compile.sh b/test/compile/compile.sh index c6b1d1928..1207ef518 100755 --- a/test/compile/compile.sh +++ b/test/compile/compile.sh @@ -42,9 +42,6 @@ while [ $# -gt 0 ]; do # Until you run out of parameters . . . done cleanup -# enable sudo -sudo ls -al - #***************************************************************** # TEST 1 
@@ -58,13 +55,12 @@ git clone https://github.com/netblue30/firejail.git cd firejail ./configure --prefix=/usr --enable-fatal-warnings 2>&1 | tee ../output-configure make -j4 2>&1 | tee ../output-make -sudo make install 2>&1 | tee ../output-install cd .. -grep Warning output-configure output-make output-install > ./report-test1 -grep Error output-configure output-make output-install >> ./report-test1 +grep Warning output-configure output-make > ./report-test1 +grep Error output-configure output-make >> ./report-test1 cp output-configure oc1 cp output-make om1 -rm output-configure output-make output-install +rm output-configure output-make #***************************************************************** diff --git a/test/dist-compile/compile.sh b/test/dist-compile/compile.sh index e0d29281b..64c99133a 100755 --- a/test/dist-compile/compile.sh +++ b/test/dist-compile/compile.sh @@ -43,8 +43,6 @@ while [ $# -gt 0 ]; do # Until you run out of parameters . . . done cleanup -# enable sudo -sudo ls -al #***************************************************************** @@ -62,13 +60,12 @@ mv $DIST firejail cd firejail ./configure --prefix=/usr --enable-fatal-warnings 2>&1 | tee ../output-configure make -j4 2>&1 | tee ../output-make -sudo make install 2>&1 | tee ../output-install cd .. -grep Warning output-configure output-make output-install > ./report-test1 -grep Error output-configure output-make output-install >> ./report-test1 +grep Warning output-configure output-make > ./report-test1 +grep Error output-configure output-make >> ./report-test1 cp output-configure oc1 cp output-make om1 -rm output-configure output-make output-install +rm output-configure output-make #***************************************************************** -- cgit v1.2.3-70-g09d2 From be76f23be0b770fe52afd0a7ea359c0c3217dc9e Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Thu, 28 Apr 2016 14:11:22 -0400 Subject: removed cd home from /test/environment/* files --- test/environment/csh.exp | 2 +- test/environment/rlimit-profile.exp | 2 +- test/environment/zsh.exp | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/test/environment/csh.exp b/test/environment/csh.exp index 7fd69ed43..6511214c0 100755 --- a/test/environment/csh.exp +++ b/test/environment/csh.exp @@ -4,7 +4,7 @@ # License GPL v2 set timeout 10 -cd /home +#cd /home spawn $env(SHELL) match_max 100000 diff --git a/test/environment/rlimit-profile.exp b/test/environment/rlimit-profile.exp index aed634201..8ed97e760 100755 --- a/test/environment/rlimit-profile.exp +++ b/test/environment/rlimit-profile.exp @@ -1,7 +1,7 @@ #!/usr/bin/expect -f set timeout 10 -cd /home +#cd /home spawn $env(SHELL) match_max 100000 diff --git a/test/environment/zsh.exp b/test/environment/zsh.exp index 96fa84dfe..e625c4793 100755 --- a/test/environment/zsh.exp +++ b/test/environment/zsh.exp @@ -4,7 +4,7 @@ # License GPL v2 set timeout 10 -cd /home +#cd /home spawn $env(SHELL) match_max 100000 -- cgit v1.2.3-70-g09d2 From c4f10394ab24327b1f303cba493723def9ab99ba Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 28 Apr 2016 15:22:09 -0400 Subject: fixed make test-envirnment for running under /tmp --- test/environment/csh.exp | 14 +++----------- test/environment/rlimit-profile.exp | 8 ++------ test/environment/zsh.exp | 14 +++----------- test/profiles/profile_syntax.exp | 16 ++-------------- 4 files changed, 10 insertions(+), 42 deletions(-) diff --git a/test/environment/csh.exp b/test/environment/csh.exp index 6511214c0..2f1ae17b9 100755 --- a/test/environment/csh.exp +++ b/test/environment/csh.exp @@ -4,7 +4,6 @@ # License GPL v2 set timeout 10 -#cd /home spawn $env(SHELL) match_max 100000 
@@ -15,16 +14,13 @@ expect { } sleep 1 -send -- "ls -al;pwd\r" +send -- "find /home\r" expect { timeout {puts "TESTING ERROR 1\n";exit} ".cshrc" } -expect { - timeout {puts "TESTING ERROR 1.1\n";exit} - "home" -} -send -- "env | grep SHELL;pwd\r" + +send -- "env | grep SHELL\r" expect { timeout {puts "TESTING ERROR 2\n";exit} "SHELL" @@ -33,10 +29,6 @@ expect { timeout {puts "TESTING ERROR 2.1\n";exit} "/bin/csh" } -expect { - timeout {puts "TESTING ERROR 2.2\n";exit} - "home" -} send -- "exit\r" sleep 1 diff --git a/test/environment/rlimit-profile.exp b/test/environment/rlimit-profile.exp index 8ed97e760..7ee828bf2 100755 --- a/test/environment/rlimit-profile.exp +++ b/test/environment/rlimit-profile.exp @@ -12,7 +12,7 @@ expect { } sleep 1 -send -- "cat /proc/self/limits; pwd\r" +send -- "cat /proc/self/limits\r" expect { timeout {puts "TESTING ERROR 1.1\n";exit} "Max file size 1024 1024" @@ -29,9 +29,5 @@ expect { timeout {puts "TESTING ERROR 1.4\n";exit} "Max pending signals 200 200" } -expect { - timeout {puts "TESTING ERROR 1.5\n";exit} - "home" -} sleep 1 -puts "\n" +puts "\nall done\n" diff --git a/test/environment/zsh.exp b/test/environment/zsh.exp index e625c4793..7ab7faa76 100755 --- a/test/environment/zsh.exp +++ b/test/environment/zsh.exp @@ -4,7 +4,6 @@ # License GPL v2 set timeout 10 -#cd /home spawn $env(SHELL) match_max 100000 @@ -15,15 +14,12 @@ expect { } sleep 1 -send -- "ls -al;pwd\r" +send -- "find /home\r" expect { timeout {puts "TESTING ERROR 1\n";exit} ".zshrc" } -expect { - timeout {puts "TESTING ERROR 1.1\n";exit} - "home" -} + send -- "env | grep SHELL;pwd\r" expect { timeout {puts "TESTING ERROR 2\n";exit} @@ -33,12 +29,8 @@ expect { timeout {puts "TESTING ERROR 2.1\n";exit} "/usr/bin/zsh" } -expect { - timeout {puts "TESTING ERROR 2.2\n";exit} - "home" -} send -- "exit\r" sleep 1 -puts "\n" +puts "\nall done\n" diff --git a/test/profiles/profile_syntax.exp b/test/profiles/profile_syntax.exp index ecad1043b..2b1ec7797 100755 
--- a/test/profiles/profile_syntax.exp +++ b/test/profiles/profile_syntax.exp @@ -34,32 +34,20 @@ expect { timeout {puts "TESTING ERROR 4\n";exit} "Permission denied" } -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "home" -} sleep 1 -send -- "mount;pwd\r" +send -- "mount\r" expect { timeout {puts "TESTING ERROR 6\n";exit} "Permission denied" } -expect { - timeout {puts "TESTING ERROR 7\n";exit} - "home" -} sleep 1 -send -- "umount;pwd\r" +send -- "umount\r" expect { timeout {puts "TESTING ERROR 8\n";exit} "Permission denied" } -expect { - timeout {puts "TESTING ERROR 9\n";exit} - "home" -} send -- "exit\r" sleep 1 -- cgit v1.2.3-70-g09d2 From b6c003afba364756f4e70d7cea4e5ac91177f578 Mon Sep 17 00:00:00 2001 From: Reiner Herrmann Date: Thu, 28 Apr 2016 22:22:36 +0200 Subject: Fixes for ls.exp and trace.exp --- test/utils/ls.exp | 2 +- test/utils/trace.exp | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/test/utils/ls.exp b/test/utils/ls.exp index 1936c0aff..3a99be0d5 100755 --- a/test/utils/ls.exp +++ b/test/utils/ls.exp @@ -12,7 +12,7 @@ expect { "Child process initialized" } sleep 2 -send -- "echo my_testing > lstesting\r" +send -- "echo my_testing > ~/lstesting\r" sleep 2 diff --git a/test/utils/trace.exp b/test/utils/trace.exp index c08925101..41058fd74 100755 --- a/test/utils/trace.exp +++ b/test/utils/trace.exp 
@@ -95,18 +95,18 @@ sleep 1 send -- "firejail --trace\r" expect { - timeout {puts "TESTING ERROR 0\n";exit} + timeout {puts "TESTING ERROR 11\n";exit} "Child process initialized" } expect { - timeout {puts "TESTING ERROR 1\n";exit} + timeout {puts "TESTING ERROR 12\n";exit} "bash:open /dev/tty" {puts "64bit\n"} "bash:open64 /dev/tty" {puts "32bit\n"} } expect { - timeout {puts "TESTING ERROR 3\n";exit} - "bash:access /etc/terminfo/x/xterm" {puts "debian\n"} - "bash:access /usr/share/terminfo/x/xterm" {puts "arch\n"} + timeout {puts "TESTING ERROR 13\n";exit} + "bash:access /etc/terminfo/" {puts "debian\n"} + "bash:access /usr/share/terminfo/" {puts "arch\n"} } puts "\nall done\n" -- cgit v1.2.3-70-g09d2 From 051e84a0068a503a4531712ab7f882240b003b15 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 28 Apr 2016 20:47:36 -0400 Subject: removed pwd from test/utils --- test/utils/join-profile.exp | 26 +++++++++++--------------- test/utils/join.exp | 25 ++++++++++--------------- test/utils/join2.exp | 25 ++++++++++--------------- test/utils/join3.exp | 25 ++++++++++--------------- test/utils/shutdown.exp | 15 ++++++++------- 5 files changed, 49 insertions(+), 67 deletions(-) diff --git a/test/utils/join-profile.exp b/test/utils/join-profile.exp index 9200980a1..a4262b999 100755 --- a/test/utils/join-profile.exp +++ b/test/utils/join-profile.exp 
@@ -4,36 +4,32 @@ set timeout 10 spawn $env(SHELL) match_max 100000 + send -- "firejail --profile=name.profile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "Child process initialized" } -sleep 3 +sleep 2 spawn $env(SHELL) -send -- "firejail --join=jointesting;pwd\r" +send -- "firejail --join=jointesting\r" expect { timeout {puts "TESTING ERROR 1\n";exit} "Switching to pid" } -sleep 3 - - -spawn $env(SHELL) -send -- "firejail --shutdown=jointesting;pwd\r" +sleep 1 +send -- "ps aux\r" expect { - timeout {puts "TESTING ERROR 3\n";exit} - "home" + timeout {puts "TESTING ERROR 2\n";exit} + "/bin/bash" } -sleep 5 - -send -- "firejail --list;pwd\r" expect { - timeout {puts "TESTING ERROR 4\n";exit} - "jointesting" {puts "TESTING ERROR 5\n";exit} - "home" + timeout {puts "TESTING ERROR 3\n";exit} + "/bin/bash" } + +send -- "exit" sleep 1 puts "\nall done\n" diff --git a/test/utils/join.exp b/test/utils/join.exp index e1cd37fcb..ab4917f7d 100755 --- a/test/utils/join.exp +++ b/test/utils/join.exp @@ -8,36 +8,31 @@ cd /home spawn $env(SHELL) match_max 100000 -send -- "firejail --name=svntesting\r" +send -- "firejail --name=jointesting\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "Child process initialized" } -sleep 3 +sleep 2 spawn $env(SHELL) -send -- "firejail --join=svntesting;pwd\r" +send -- "firejail --join=jointesting\r" expect { timeout {puts "TESTING ERROR 1\n";exit} "Switching to pid" } sleep 1 - - -spawn $env(SHELL) -send -- "firejail --shutdown=svntesting;pwd\r" +send -- "ps aux\r" expect { - timeout {puts "TESTING ERROR 3\n";exit} - "home" + timeout {puts "TESTING ERROR 2\n";exit} + "/bin/bash" } -sleep 1 - -send -- "firejail --list;pwd\r" expect { - timeout {puts "TESTING ERROR 4\n";exit} - "svntesting" {puts "TESTING ERROR 5\n";exit} - "home" + timeout {puts "TESTING ERROR 3\n";exit} + "/bin/bash" } + +send -- "exit" sleep 1 puts "\nall done\n" diff --git a/test/utils/join2.exp b/test/utils/join2.exp index 820c43174..82540fe39 100755 
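Review bot: The new `send -- "exit"` at the end of join-profile.exp has no trailing `\r`, so the text is typed into the joined shell but never submitted, and the script ends with the joined session still open. The same line is added in the join.exp hunk that follows and in join2.exp and join3.exp. This commit also removes the `--shutdown` step from these four tests, so nothing stops the named sandbox afterwards; a leftover `jointesting` instance may interfere with later runs that join by name. Use `send -- "exit\r"` and consider ending each test with `firejail --shutdown=jointesting` (or the matching name). The two consecutive `expect` blocks for `/bin/bash` after `ps aux` are identical; if the intent is to see both the original and the joined shell, a comment saying so would help.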
--- a/test/utils/join2.exp +++ b/test/utils/join2.exp @@ -8,36 +8,31 @@ cd /home spawn $env(SHELL) match_max 100000 -send -- "firejail --name=\"svn testing\"\r" +send -- "firejail --name=\"join testing\"\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "Child process initialized" } -sleep 3 +sleep 2 spawn $env(SHELL) -send -- "firejail --join=\"svn testing\";pwd\r" +send -- "firejail --join=\"join testing\"\r" expect { timeout {puts "TESTING ERROR 1\n";exit} "Switching to pid" } sleep 1 - - -spawn $env(SHELL) -send -- "firejail --shutdown=\"svn testing\";pwd\r" +send -- "ps aux\r" expect { - timeout {puts "TESTING ERROR 3\n";exit} - "home" + timeout {puts "TESTING ERROR 2\n";exit} + "/bin/bash" } -sleep 1 - -send -- "firejail --list;pwd\r" expect { - timeout {puts "TESTING ERROR 4\n";exit} - "svn testing" {puts "TESTING ERROR 5\n";exit} - "home" + timeout {puts "TESTING ERROR 3\n";exit} + "/bin/bash" } + +send -- "exit" sleep 1 puts "\nall done\n" diff --git a/test/utils/join3.exp b/test/utils/join3.exp index 96d3e5186..e92045dd1 100755 --- a/test/utils/join3.exp +++ b/test/utils/join3.exp 
@@ -8,36 +8,31 @@ cd /home spawn $env(SHELL) match_max 100000 -send -- "firejail --name=svn\\ testing\r" +send -- "firejail --name=join\\ testing\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "Child process initialized" } -sleep 3 +sleep 2 spawn $env(SHELL) -send -- "firejail --join=svn\\ testing;pwd\r" +send -- "firejail --join=join\\ testing\r" expect { timeout {puts "TESTING ERROR 1\n";exit} "Switching to pid" } sleep 1 - - -spawn $env(SHELL) -send -- "firejail --shutdown=svn\\ testing;pwd\r" +send -- "ps aux\r" expect { - timeout {puts "TESTING ERROR 3\n";exit} - "home" + timeout {puts "TESTING ERROR 2\n";exit} + "/bin/bash" } -sleep 1 - -send -- "firejail --list;pwd\r" expect { - timeout {puts "TESTING ERROR 4\n";exit} - "svn testing" {puts "TESTING ERROR 5\n";exit} - "home" + timeout {puts "TESTING ERROR 3\n";exit} + "/bin/bash" } + +send -- "exit" sleep 1 puts "\nall done\n" diff --git a/test/utils/shutdown.exp b/test/utils/shutdown.exp index ca321b3c9..15a9a62c8 100755 --- a/test/utils/shutdown.exp +++ b/test/utils/shutdown.exp @@ -13,22 +13,23 @@ expect { timeout {puts "TESTING ERROR 0\n";exit} "Child process initialized" } -sleep 3 +sleep 2 spawn $env(SHELL) -send -- "firejail --shutdown=shutdowntesting;pwd\r" +send -- "firejail --shutdown=shutdowntesting; echo done\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "home" + "done" } -sleep 1 +sleep 5 -send -- "firejail --list;pwd\r" +spawn $env(SHELL) +send -- "firejail --list;echo done\r" expect { timeout {puts "TESTING ERROR 5\n";exit} "shutdowntesting" {puts "TESTING ERROR 6\n";exit} - "home" + "done" } sleep 1 -puts "\nalldone\n" +puts "\nall done\n" -- cgit v1.2.3-70-g09d2 From 1fd6be4f67955f765d63f0c4956166cff47c108b Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 28 Apr 2016 20:55:46 -0400 Subject: removed pwd from test/profiles --- test/profiles/profile_syntax.exp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
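Review bot: In shutdown.exp the new end marker `done` is also part of the command being sent (`firejail --list;echo done`), and the spawned shell's terminal normally echoes that text back, so `expect` can match `"done"` in the echo before any `firejail --list` output arrives. In that case the `"shutdowntesting"` failure branch (TESTING ERROR 6) is never checked against the real listing, and a sandbox that survived `--shutdown` would go unnoticed. The old `pwd`/`home` marker did not have this problem because `home` was not in the command line. Matching the marker only at the start of an output line, e.g. `"\ndone"` in both expect blocks, avoids it. The beginning of the script is outside the hunk.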
diff --git a/test/profiles/profile_syntax.exp b/test/profiles/profile_syntax.exp index 2b1ec7797..dd6b637ed 100755 --- a/test/profiles/profile_syntax.exp +++ b/test/profiles/profile_syntax.exp @@ -29,7 +29,7 @@ expect { } sleep 1 -send -- "rmdir;pwd\r" +send -- "rmdir\r" expect { timeout {puts "TESTING ERROR 4\n";exit} "Permission denied" @@ -51,4 +51,4 @@ expect { send -- "exit\r" sleep 1 -puts "\n" +puts "\nall done\n" -- cgit v1.2.3-70-g09d2 From 32bb5d61c0b465c206967181e9adea1ca50657c8 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 28 Apr 2016 21:02:45 -0400 Subject: fix make dist --- Makefile.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile.in b/Makefile.in index b80dbe15b..44b5cec83 100644 --- a/Makefile.in +++ b/Makefile.in @@ -249,7 +249,7 @@ dist: cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/apps test/.; cd .. cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/utils test/.; cd .. cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/apps-x11 test/.; cd .. - cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/firemon test/.; cd .. + cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/environment test/.; cd .. cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/compile test/.; cd .. cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/dist-compile test/.; cd .. cd $(NAME)-$(VERSION); rm -fr `find . -name .svn`; rm -fr $(NAME)-$(VERSION); cd .. -- cgit v1.2.3-70-g09d2 From 70318ee8bfef2f72ec692c11d4627183f51a4007 Mon Sep 17 00:00:00 2001 From: Reiner Herrmann Date: Fri, 29 Apr 2016 20:42:15 +0200 Subject: Mark skipped tests differently --- test/apps-x11/apps-x11.sh | 10 +++++----- test/apps/apps.sh | 32 ++++++++++++++++---------------- test/environment/environment.sh | 8 ++++---- test/utils/utils.sh | 4 ++-- 4 files changed, 27 insertions(+), 27 deletions(-) diff --git a/test/apps-x11/apps-x11.sh b/test/apps-x11/apps-x11.sh index 2182c90a2..b01c37d0f 100755 --- a/test/apps-x11/apps-x11.sh +++ b/test/apps-x11/apps-x11.sh 
@@ -12,7 +12,7 @@ then echo "TESTING: xterm x11" ./xterm.exp else - echo "TESTING: xterm not found" + echo "TESTING SKIP: xterm not found" fi which firefox @@ -21,7 +21,7 @@ then echo "TESTING: firefox x11" ./firefox.exp else - echo "TESTING: firefox not found" + echo "TESTING SKIP: firefox not found" fi which chromium @@ -30,7 +30,7 @@ then echo "TESTING: chromium x11" ./chromium.exp else - echo "TESTING: chromium not found" + echo "TESTING SKIP: chromium not found" fi which transmission-gtk @@ -39,7 +39,7 @@ then echo "TESTING: transmission-gtk x11" ./transmission-gtk.exp else - echo "TESTING: transmission-gtk not found" + echo "TESTING SKIP: transmission-gtk not found" fi which icedove @@ -48,6 +48,6 @@ then echo "TESTING: icedove x11" ./icedove.exp else - echo "TESTING: icedove not found" + echo "TESTING SKIP: icedove not found" fi diff --git a/test/apps/apps.sh b/test/apps/apps.sh index 2410a0d92..37d66d609 100755 --- a/test/apps/apps.sh +++ b/test/apps/apps.sh @@ -12,7 +12,7 @@ then echo "TESTING: firefox" ./firefox.exp else - echo "TESTING: firefox not found" + echo "TESTING SKIP: firefox not found" fi which midori @@ -21,7 +21,7 @@ then echo "TESTING: midori" ./midori.exp else - echo "TESTING: midori not found" + echo "TESTING SKIP: midori not found" fi which chromium @@ -30,7 +30,7 @@ then echo "TESTING: chromium" ./chromium.exp else - echo "TESTING: chromium not found" + echo "TESTING SKIP: chromium not found" fi which opera @@ -39,7 +39,7 @@ then echo "TESTING: opera" ./opera.exp else - echo "TESTING: opera not found" + echo "TESTING SKIP: opera not found" fi which transmission-gtk @@ -48,7 +48,7 @@ then echo "TESTING: transmission-gtk" ./transmission-gtk.exp else - echo "TESTING: transmission-gtk not found" + echo "TESTING SKIP: transmission-gtk not found" fi which transmission-qt 
@@ -57,7 +57,7 @@ then echo "TESTING: transmission-qt" ./transmission-qt.exp else - echo "TESTING: transmission-qt not found" + echo "TESTING SKIP: transmission-qt not found" fi which evince @@ -66,7 +66,7 @@ then echo "TESTING: evince" ./evince.exp else - echo "TESTING: evince not found" + echo "TESTING SKIP: evince not found" fi which icedove @@ -75,7 +75,7 @@ then echo "TESTING: icedove" ./icedove.exp else - echo "TESTING: icedove not found" + echo "TESTING SKIP: icedove not found" fi which vlc @@ -84,7 +84,7 @@ then echo "TESTING: vlc" ./vlc.exp else - echo "TESTING: vlc not found" + echo "TESTING SKIP: vlc not found" fi which fbreader @@ -93,7 +93,7 @@ then echo "TESTING: fbreader" ./fbreader.exp else - echo "TESTING: fbreader not found" + echo "TESTING SKIP: fbreader not found" fi which deluge @@ -102,7 +102,7 @@ then echo "TESTING: deluge" ./deluge.exp else - echo "TESTING: deluge not found" + echo "TESTING SKIP: deluge not found" fi which gnome-mplayer @@ -111,7 +111,7 @@ then echo "TESTING: gnome-mplayer" ./gnome-mplayer.exp else - echo "TESTING: gnome-mplayer not found" + echo "TESTING SKIP: gnome-mplayer not found" fi which xchat @@ -120,7 +120,7 @@ then echo "TESTING: xchat" ./xchat.exp else - echo "TESTING: xchat not found" + echo "TESTING SKIP: xchat not found" fi which hexchat @@ -129,7 +129,7 @@ then echo "TESTING: hexchat" ./hexchat.exp else - echo "TESTING: hexchat not found" + echo "TESTING SKIP: hexchat not found" fi which weechat-curses @@ -138,7 +138,7 @@ then echo "TESTING: weechat" ./weechat.exp else - echo "TESTING: weechat not found" + echo "TESTING SKIP: weechat not found" fi which wine @@ -147,6 +147,6 @@ then echo "TESTING: wine" ./wine.exp else - echo "TESTING: wine not found" + echo "TESTING SKIP: wine not found" fi diff --git a/test/environment/environment.sh b/test/environment/environment.sh index 9164b43a2..7b29a3482 100755 --- a/test/environment/environment.sh +++ b/test/environment/environment.sh 
@@ -18,7 +18,7 @@ then echo "TESTING: dash (test/environment/dash.exp)" ./dash.exp else - echo "TESTING: dash not found" + echo "TESTING SKIP: dash not found" fi which csh @@ -27,7 +27,7 @@ then echo "TESTING: csh (test/environment/csh.exp)" ./csh.exp else - echo "TESTING: csh not found" + echo "TESTING SKIP: csh not found" fi which zsh @@ -36,7 +36,7 @@ then echo "TESTING: zsh (test/environment/zsh.exp)" ./csh.exp else - echo "TESTING: zsh not found" + echo "TESTING SKIP: zsh not found" fi echo "TESTING: rlimit (test/environment/rlimit.exp)" @@ -57,7 +57,7 @@ then echo "TESTING: sound (test/environment/sound.exp)" ./sound.exp else - echo "TESTING: aplay not found" + echo "TESTING SKIP: aplay not found" fi echo "TESTING: nice (test/environment/nice.exp)" diff --git a/test/utils/utils.sh b/test/utils/utils.sh index 1e010147d..0428c4807 100755 --- a/test/utils/utils.sh +++ b/test/utils/utils.sh @@ -18,7 +18,7 @@ then echo "TESTING: man (test/utils/man.exp)" ./man.exp else - echo "TESTING: man not found" + echo "TESTING SKIP: man not found" fi echo "TESTING: list (test/utils/list.exp)" @@ -32,7 +32,7 @@ then echo "TESTING: cpu.print (test/utils/cpu-print.exp)" ./cpu-print.exp else - echo "TESTING: cpu.print, not enough CPUs" + echo "TESTING SKIP: cpu.print, not enough CPUs" fi echo "TESTING: fs.print (test/utils/fs-print.exp)" -- cgit v1.2.3-70-g09d2 From a1272742cfbdbfe999a701f804b58ceb4605713d Mon Sep 17 00:00:00 2001 
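Review bot: In environment.sh the zsh branch (hunk at -36,7) prints `TESTING: zsh (test/environment/zsh.exp)` but then runs `./csh.exp`, so zsh.exp is never executed and the csh test runs a second time under the zsh label. The line is unchanged context here, but this commit edits the same block, which makes it a natural place to correct it to `./zsh.exp`. On a host with zsh but without csh the branch would presumably report a csh failure as a zsh one.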
From: netblue30 Date: Sat, 30 Apr 2016 07:27:31 -0400 Subject: added make test-filters --- Makefile.in | 4 + src/tools/syscall_test | Bin 9552 -> 0 bytes src/tools/syscall_test.c | 78 -------------- src/tools/syscall_test32 | Bin 6868 -> 0 bytes test/filters/caps.exp | 72 +++++++++++++ test/filters/noroot.exp | 156 +++++++++++++++++++++++++++ test/filters/protocol.exp | 180 +++++++++++++++++++++++++++++++ test/filters/protocol1.profile | 1 + test/filters/protocol2.profile | 1 + test/filters/seccomp-bad-empty.exp | 38 +++++++ test/filters/seccomp-bad-empty.profile | 1 + test/filters/seccomp-bad-empty2.profile | 1 + test/filters/seccomp.profile | 1 + test/filters/syscall_test | Bin 0 -> 9552 bytes test/filters/syscall_test.c | 82 ++++++++++++++ test/filters/syscall_test32 | Bin 0 -> 6868 bytes test/noroot.exp | 117 -------------------- test/protocol.exp | 184 -------------------------------- test/protocol1.profile | 1 - test/protocol2.profile | 1 - test/seccomp-bad-empty.exp | 38 ------- test/seccomp-bad-empty.profile | 1 - test/seccomp-bad-empty2.profile | 1 - test/seccomp-chmod-profile.exp | 46 -------- test/seccomp-chmod.exp | 46 -------- test/seccomp-chown.exp | 46 -------- test/seccomp-debug.exp | 28 ----- test/seccomp-dualfilter.exp | 38 ------- test/seccomp-empty.exp | 145 ------------------------- test/seccomp-empty.profile | 1 - test/seccomp-errno.exp | 87 --------------- test/seccomp-ptrace.exp | 23 ---- test/seccomp-su.exp | 34 ------ test/seccomp-umount.exp | 28 ----- test/seccomp.profile | 1 - 35 files changed, 537 insertions(+), 944 deletions(-) delete mode 100755 src/tools/syscall_test delete mode 100644 src/tools/syscall_test.c delete mode 100755 src/tools/syscall_test32 create mode 100755 test/filters/caps.exp create mode 100755 test/filters/noroot.exp create mode 100755 test/filters/protocol.exp create mode 100644 test/filters/protocol1.profile create mode 100644 test/filters/protocol2.profile create mode 100755 test/filters/seccomp-bad-empty.exp 
create mode 100644 test/filters/seccomp-bad-empty.profile create mode 100644 test/filters/seccomp-bad-empty2.profile create mode 100644 test/filters/seccomp.profile create mode 100755 test/filters/syscall_test create mode 100644 test/filters/syscall_test.c create mode 100755 test/filters/syscall_test32 delete mode 100755 test/noroot.exp delete mode 100755 test/protocol.exp delete mode 100644 test/protocol1.profile delete mode 100644 test/protocol2.profile delete mode 100755 test/seccomp-bad-empty.exp delete mode 100644 test/seccomp-bad-empty.profile delete mode 100644 test/seccomp-bad-empty2.profile delete mode 100755 test/seccomp-chmod-profile.exp delete mode 100755 test/seccomp-chmod.exp delete mode 100755 test/seccomp-chown.exp delete mode 100755 test/seccomp-debug.exp delete mode 100755 test/seccomp-dualfilter.exp delete mode 100755 test/seccomp-empty.exp delete mode 100644 test/seccomp-empty.profile delete mode 100755 test/seccomp-errno.exp delete mode 100755 test/seccomp-ptrace.exp delete mode 100755 test/seccomp-su.exp delete mode 100755 test/seccomp-umount.exp delete mode 100644 test/seccomp.profile diff --git a/Makefile.in b/Makefile.in index 44b5cec83..6c70e5360 100644 --- a/Makefile.in +++ b/Makefile.in @@ -252,6 +252,7 @@ dist: cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/environment test/.; cd .. cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/compile test/.; cd .. cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/dist-compile test/.; cd .. + cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/filters test/.; cd .. cd $(NAME)-$(VERSION); rm -fr `find . -name .svn`; rm -fr $(NAME)-$(VERSION); cd .. tar -cjvf $(NAME)-$(VERSION).tar.bz2 $(NAME)-$(VERSION) rm -fr $(NAME)-$(VERSION) @@ -295,5 +296,8 @@ test-utils: test-environment: cd test/environment; ./environment.sh | grep TESTING +test-filters: + cd test/filters; ./filters.sh | grep TESTING + test: test-profiles test-utils test-environment test-apps test-apps-x11 echo "TEST COMPLETE" 
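Review bot: The new `test-filters` target is not added to the aggregate target, which still reads `test: test-profiles test-utils test-environment test-apps test-apps-x11`, so the caps, noroot, protocol and seccomp checks under test/filters do not run as part of `make test` unless the target is invoked by hand. Append `test-filters` to that prerequisite list. The recipe also calls `./filters.sh`, which the diffstat of this commit does not list among the created files; if it is not added elsewhere, the target fails at `cd test/filters; ./filters.sh`.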
diff --git a/src/tools/syscall_test b/src/tools/syscall_test deleted file mode 100755 index bf29c5b99..000000000 Binary files a/src/tools/syscall_test and /dev/null differ diff --git a/src/tools/syscall_test.c b/src/tools/syscall_test.c deleted file mode 100644 index b3f43c755..000000000 --- a/src/tools/syscall_test.c +++ /dev/null @@ -1,78 +0,0 @@ -#include -#include -#include -#include -#include -#include -#include -#include - -int main(int argc, char **argv) { - if (argc != 2) { - printf("Usage: test [sleep|socket|mkdir|mount]\n"); - return 1; - } - - if (strcmp(argv[1], "sleep") == 0) { - printf("before sleep\n"); - sleep(1); - printf("after sleep\n"); - } - else if (strcmp(argv[1], "socket") == 0) { - int sock; - - printf("testing socket AF_INET\n"); - if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) { - perror("socket"); - } - else - close(sock); - - printf("testing socket AF_INET6\n"); - if ((sock = socket(AF_INET6, SOCK_STREAM, 0)) < 0) { - perror("socket"); - } - else - close(sock); - - printf("testing socket AF_NETLINK\n"); - if ((sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE)) < 0) { - perror("socket"); - } - else - close(sock); - - printf("testing socket AF_UNIX\n"); - if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) { - perror("socket"); - } - else - close(sock); - - // root needed to be able to handle this - printf("testing socket AF_PACKETX\n"); - if ((sock = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP))) < 0) { - perror("socket"); - } - else - close(sock); - printf("after socket\n"); - } - else if (strcmp(argv[1], "mkdir") == 0) { - printf("before mkdir\n"); - mkdir("tmp", 0777); - printf("after mkdir\n"); - } - else if (strcmp(argv[1], "mount") == 0) { - printf("before mount\n"); - if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) { - perror("mount"); - } - printf("after mount\n"); - } - else { - fprintf(stderr, "Error: invalid argument\n"); - return 1; - } - return 0; -} 
diff --git a/src/tools/syscall_test32 b/src/tools/syscall_test32 deleted file mode 100755 index 8d72f58c4..000000000 Binary files a/src/tools/syscall_test32 and /dev/null differ diff --git a/test/filters/caps.exp b/test/filters/caps.exp new file mode 100755 index 000000000..034d6a733 --- /dev/null +++ b/test/filters/caps.exp @@ -0,0 +1,72 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --caps.keep=chown,fowner --noprofile\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 2 + +send -- "cat /proc/self/status\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "CapBnd: 0000000000000009" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "Seccomp:" +} +send -- "exit\r" +sleep 1 + +send -- "firejail --caps.drop=all --noprofile\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +send -- "cat /proc/self/status\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "CapBnd: 0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "Seccomp:" +} +send -- "exit\r" +sleep 1 + +send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r" +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "Child process initialized" +} +sleep 2 + +send -- "cat /proc/self/status\r" +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "fffffff0" +} +expect { + timeout {puts "TESTING ERROR 10\n";exit} + "Seccomp:" +} +send -- "exit\r" +sleep 1 + + +puts "\nall done\n" diff --git a/test/filters/noroot.exp b/test/filters/noroot.exp new file mode 100755 index 000000000..a1f6ce88d --- /dev/null +++ b/test/filters/noroot.exp 
@@ -0,0 +1,156 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --noprofile --noroot --caps.drop=all --seccomp\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "cat /proc/self/status\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "CapBnd: 0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Seccomp:" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "2" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Cpus_allowed:" +} +puts "\n" + +send -- "ping 0\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "Operation not permitted" +} +send -- "whoami\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + $env(USER) +} +send -- "sudo -s\r" +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "effective uid is not 0, is sudo installed setuid root?" 
{ puts "OK\n";} + "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} +} +send -- "cat /proc/self/uid_map | wc -l\r" +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "1" +} +send -- "cat /proc/self/gid_map | wc -l\r" +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "3" +} + +puts "\n" +send -- "exit\r" +sleep 2 + + + +send -- "firejail --name=test --noroot --noprofile\r" +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "cat /proc/self/status\r" +expect { + timeout {puts "TESTING ERROR 10\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 11\n";exit} + "ffffffff" +} +expect { + timeout {puts "TESTING ERROR 12\n";exit} + "Seccomp:" +} +expect { + timeout {puts "TESTING ERROR 13\n";exit} + "0" +} +expect { + timeout {puts "TESTING ERROR 14\n";exit} + "Cpus_allowed:" +} +puts "\n" + +send -- "whoami\r" +expect { + timeout {puts "TESTING ERROR 15\n";exit} + $env(USER) +} +send -- "sudo -s\r" +expect { + timeout {puts "TESTING ERROR 16\n";exit} + "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";} + "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} +} +send -- "ping 0\r" +expect { + timeout {puts "TESTING ERROR 17\n";exit} + "Operation not permitted" +} +send -- "cat /proc/self/uid_map | wc -l\r" +expect { + timeout {puts "TESTING ERROR 18\n";exit} + "1" +} +send -- "cat /proc/self/gid_map | wc -l\r" +expect { + timeout {puts "TESTING ERROR 19\n";exit} + "3" +} + + + +spawn $env(SHELL) +send -- "firejail --debug --join=test\r" +expect { + timeout {puts "TESTING ERROR 20\n";exit} + "User namespace detected" +} +expect { + timeout {puts "TESTING ERROR 21\n";exit} + "Joining user namespace" +} +sleep 1 + +send -- "sudo -s\r" +expect { + timeout {puts "TESTING ERROR 22\n";exit} + "effective uid is not 0, is sudo installed setuid root?" 
{ puts "OK\n";} + "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} +} +send -- "cat /proc/self/uid_map | wc -l\r" +expect { + timeout {puts "TESTING ERROR 23\n";exit} + "1" +} +send -- "cat /proc/self/gid_map | wc -l\r" +expect { + timeout {puts "TESTING ERROR 24\n";exit} + "3" +} +puts "\nall done\n" diff --git a/test/filters/protocol.exp b/test/filters/protocol.exp new file mode 100755 index 000000000..cf552da56 --- /dev/null +++ b/test/filters/protocol.exp 
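Review bot: Several assertions in noroot.exp match a single character in a separate `expect` block, for example `"Seccomp:"` followed by `"2"` (ERROR 3) or `"0"` (ERROR 13), and `"1"`/`"3"` for the uid_map/gid_map line counts. Expect patterns are unanchored, so any later `2` in the `/proc/self/status` output satisfies the check, and a sandbox started without the seccomp filter could still pass. Match label and value together, e.g. `-re "Seccomp:\\s+2"`, and anchor the `wc -l` results to a whole output line. The labels `TESTING ERROR 1` and `TESTING ERROR 8` are each used twice in the first block, which makes a failure harder to locate.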
@@ -0,0 +1,180 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --noprofile --protocol=unix ./syscall_test socket\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +expect { + timeout {puts "TESTING ERROR 1.1\n";exit} + "socket AF_INET" +} +expect { + timeout {puts "TESTING ERROR 1.2\n";exit} + "Operation not supported" +} +expect { + timeout {puts "TESTING ERROR 1.3\n";exit} + "socket AF_INET6" +} +expect { + timeout {puts "TESTING ERROR 1.4\n";exit} + "Operation not supported" +} +expect { + timeout {puts "TESTING ERROR 1.5\n";exit} + "socket AF_NETLINK" +} +expect { + timeout {puts "TESTING ERROR 1.6\n";exit} + "Operation not supported" +} +expect { + timeout {puts "TESTING ERROR 1.7\n";exit} + "socket AF_UNIX" +} +expect { + timeout {puts "TESTING ERROR 1.8\n";exit} + "socket AF_PACKETX" +} +expect { + timeout {puts "TESTING ERROR 1.9\n";exit} + "Operation not supported" +} +sleep 1 + +send -- "firejail --noprofile --protocol=inet6,packet ./syscall_test socket\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Child process initialized" +} +expect { + timeout {puts "TESTING ERROR 2.1\n";exit} + "socket AF_INET" +} +expect { + timeout {puts "TESTING ERROR 2.2\n";exit} + "Operation not supported" +} +expect { + timeout {puts "TESTING ERROR 2.3\n";exit} + "socket AF_INET6" +} +expect { + timeout {puts "TESTING ERROR 2.4\n";exit} + "socket AF_NETLINK" +} +expect { + timeout {puts "TESTING ERROR 2.5\n";exit} + "Operation not supported" +} +expect { + timeout {puts "TESTING ERROR 2.6\n";exit} + "socket AF_UNIX" +} +expect { + timeout {puts "TESTING ERROR 2.7\n";exit} + "Operation not supported" +} +expect { + timeout {puts "TESTING ERROR 2.8\n";exit} + "socket AF_PACKETX" +} +expect { + timeout {puts "TESTING ERROR 2.9\n";exit} + "after socket" +} +sleep 1 + +# profile testing +send -- "firejail --profile=protocol1.profile ./syscall_test socket\r" +expect { + timeout 
{puts "TESTING ERROR 3\n";exit} + "Child process initialized" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "socket AF_INET" +} +expect { + timeout {puts "TESTING ERROR 3.2\n";exit} + "Operation not supported" +} +expect { + timeout {puts "TESTING ERROR 3.3\n";exit} + "socket AF_INET6" +} +expect { + timeout {puts "TESTING ERROR 3.4\n";exit} + "Operation not supported" +} +expect { + timeout {puts "TESTING ERROR 3.5\n";exit} + "socket AF_NETLINK" +} +expect { + timeout {puts "TESTING ERROR 3.6\n";exit} + "Operation not supported" +} +expect { + timeout {puts "TESTING ERROR 3.7\n";exit} + "socket AF_UNIX" +} +expect { + timeout {puts "TESTING ERROR 3.8\n";exit} + "socket AF_PACKETX" +} +expect { + timeout {puts "TESTING ERROR 3.9\n";exit} + "Operation not supported" +} +sleep 1 + +send -- "firejail --profile=protocol2.profile ./syscall_test socket\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +expect { + timeout {puts "TESTING ERROR 4.1\n";exit} + "socket AF_INET" +} +expect { + timeout {puts "TESTING ERROR 4.2\n";exit} + "Operation not supported" +} +expect { + timeout {puts "TESTING ERROR 4.3\n";exit} + "socket AF_INET6" +} +expect { + timeout {puts "TESTING ERROR 4.4\n";exit} + "socket AF_NETLINK" +} +expect { + timeout {puts "TESTING ERROR 4.5\n";exit} + "Operation not supported" +} +expect { + timeout {puts "TESTING ERROR 4.6\n";exit} + "socket AF_UNIX" +} +expect { + timeout {puts "TESTING ERROR 4.7\n";exit} + "Operation not supported" +} +expect { + timeout {puts "TESTING ERROR 4.8\n";exit} + "socket AF_PACKETX" +} +expect { + timeout {puts "TESTING ERROR 4.9\n";exit} + "after socket" +} +sleep 1 + +puts "\nall done\n" diff --git a/test/filters/protocol1.profile b/test/filters/protocol1.profile new file mode 100644 index 000000000..3e1ea2a29 --- /dev/null +++ b/test/filters/protocol1.profile @@ -0,0 +1 @@ +protocol unix 
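Review bot: Every `timeout` branch in this new script calls `exit` with no status, and Expect then exits with 0, so a failed protocol-filter check shows up only as a "TESTING ERROR" string in the output. A harness or CI job that looks at exit codes would record a regression in the seccomp protocol filter as a pass. I would give each handler a non-zero status, e.g. `timeout {puts "TESTING ERROR 1\n";exit 1}`. The same pattern is in test/filters/seccomp-bad-empty.exp, seccomp-chmod-profile.exp and seccomp-chmod.exp added further down.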
diff --git a/test/filters/protocol2.profile b/test/filters/protocol2.profile
new file mode 100644
index 000000000..b7eb4ab91
--- /dev/null
+++ b/test/filters/protocol2.profile
@@ -0,0 +1 @@
+protocol inet6,packet
diff --git a/test/filters/seccomp-bad-empty.exp b/test/filters/seccomp-bad-empty.exp
new file mode 100755
index 000000000..631d67743
--- /dev/null
+++ b/test/filters/seccomp-bad-empty.exp
@@ -0,0 +1,38 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --seccomp=\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Error: empty syscall lists are not allowed"
+}
+
+send -- "firejail --seccomp.drop=\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "Error: empty syscall lists are not allowed"
+}
+
+send -- "firejail --seccomp.keep=\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Error: empty syscall lists are not allowed"
+}
+
+send -- "firejail --profile=seccomp-bad-empty.profile\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ "Error: line 1 in seccomp-bad-empty.profile is invalid"
+}
+
+send -- "firejail --profile=seccomp-bad-empty2.profile\r"
+expect {
+ timeout {puts "TESTING ERROR 7\n";exit}
+ "Error: line 1 in seccomp-bad-empty2.profile is invalid"
+}
+sleep 1
+puts "\nall done\n"
+
diff --git a/test/filters/seccomp-bad-empty.profile b/test/filters/seccomp-bad-empty.profile
new file mode 100644
index 000000000..2d4fcde7c
--- /dev/null
+++ b/test/filters/seccomp-bad-empty.profile
@@ -0,0 +1 @@
+seccomp.drop
diff --git a/test/filters/seccomp-bad-empty2.profile b/test/filters/seccomp-bad-empty2.profile
new file mode 100644
index 000000000..c4e6c9f74
--- /dev/null
+++ b/test/filters/seccomp-bad-empty2.profile
@@ -0,0 +1 @@
+seccomp.keep
diff --git a/test/filters/seccomp.profile b/test/filters/seccomp.profile
new file mode 100644
index 000000000..cb0b15aee
--- /dev/null
+++ b/test/filters/seccomp.profile
@@ -0,0 +1 @@
+seccomp chmod,fchmod,fchmodat
diff --git a/test/filters/syscall_test b/test/filters/syscall_test
new file mode 100755
index 000000000..bf29c5b99
Binary files /dev/null and b/test/filters/syscall_test differ
diff --git a/test/filters/syscall_test.c b/test/filters/syscall_test.c
new file mode 100644
index 000000000..422af619d
--- /dev/null
+++ b/test/filters/syscall_test.c
@@ -0,0 +1,82 @@
+// This file is part of Firejail project
+// Copyright (C) 2014-2016 Firejail Authors
+// License GPL v2
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+int main(int argc, char **argv) {
+ if (argc != 2) {
+ printf("Usage: test [sleep|socket|mkdir|mount]\n");
+ return 1;
+ }
+
+ if (strcmp(argv[1], "sleep") == 0) {
+ printf("before sleep\n");
+ sleep(1);
+ printf("after sleep\n");
+ }
+ else if (strcmp(argv[1], "socket") == 0) {
+ int sock;
+
+ printf("testing socket AF_INET\n");
+ if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
+ perror("socket");
+ }
+ else
+ close(sock);
+
+ printf("testing socket AF_INET6\n");
+ if ((sock = socket(AF_INET6, SOCK_STREAM, 0)) < 0) {
+ perror("socket");
+ }
+ else
+ close(sock);
+
+ printf("testing socket AF_NETLINK\n");
+ if ((sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE)) < 0) {
+ perror("socket");
+ }
+ else
+ close(sock);
+
+ printf("testing socket AF_UNIX\n");
+ if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) {
+ perror("socket");
+ }
+ else
+ close(sock);
+
+ // root needed to be able to handle this
+ printf("testing socket AF_PACKETX\n");
+ if ((sock = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP))) < 0) {
+ perror("socket");
+ }
+ else
+ close(sock);
+ printf("after socket\n");
+ }
+ else if (strcmp(argv[1], "mkdir") == 0) {
+ printf("before mkdir\n");
+ mkdir("tmp", 0777);
+ printf("after mkdir\n");
+ }
+ else if (strcmp(argv[1], "mount") == 0) {
+ printf("before mount\n");
+ if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) {
+ perror("mount");
+ }
+ printf("after mount\n");
+ }
+ else {
+ fprintf(stderr, "Error: invalid argument\n");
+ return 1;
+ }
+ return 0;
+}
diff --git a/test/filters/syscall_test32 b/test/filters/syscall_test32
new file mode 100755
index 000000000..8d72f58c4
Binary files /dev/null and b/test/filters/syscall_test32 differ
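Review bot: The `mkdir` branch ignores the return value of `mkdir("tmp", 0777)`, unlike the socket and mount branches, so the helper prints the same output whether a seccomp filter rejected the call or it succeeded. Reporting the failure keeps the helper usable for errno-style filter tests: `if (mkdir("tmp", 0777) < 0) perror("mkdir");`. Separately, prebuilt `syscall_test` and `syscall_test32` binaries are committed next to this source; building them from this file in the test target would let a reviewer confirm that what the tests execute matches the code shown here.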
diff --git a/test/noroot.exp b/test/noroot.exp
deleted file mode 100755
index 37d55fe78..000000000
--- a/test/noroot.exp
+++ /dev/null
@@ -1,117 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --debug --noprofile --noroot --caps.drop=all --seccomp --cpu=0,1 --name=noroot-sandbox\r" -expect { - timeout {puts "TESTING ERROR 0.1\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "cat /proc/self/status\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "CapBnd:" -} -expect { - timeout {puts "TESTING ERROR 1.1\n";exit} - "0000000000000000" -} - -send -- "cat /proc/self/status\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "Cpus_allowed:" -} -expect { - timeout {puts "TESTING ERROR 2.1\n";exit} - "3" -} -expect { - timeout {puts "TESTING ERROR 2.2\n";exit} - "Cpus_allowed_list:" -} -puts "\n" - -send -- "cat /proc/self/status\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "Seccomp:" -} -expect { - timeout {puts "TESTING ERROR 2.1\n";exit} - "2" -} -expect { - timeout {puts "TESTING ERROR 2.2\n";exit} - "Cpus_allowed:" -} -puts "\n" - -send -- "ping 0\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Operation not permitted" -} -puts "\n" - -send -- "whoami\r" -expect { - timeout {puts "TESTING ERROR 55\\n";exit} - "netblue" -} -puts "\n" -send -- "exit\r" -sleep 2 - - -send -- "firejail --noroot --noprofile\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "Child process initialized" -} -sleep 1 -send -- "whoami\r" -expect { - timeout {puts "TESTING ERROR 7\n";exit} - "netblue" -} -send -- "sudo -s\r" -expect { - timeout {puts "TESTING ERROR 8\n";exit} - "effective uid is not 0, is sudo installed setuid root?" 
{ puts "OK\n";} - "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} -} -puts "\n" -send -- "exit\r" -sleep 2 - -send -- "firejail --name=test --noroot --noprofile\r" -expect { - timeout {puts "TESTING ERROR 9\n";exit} - "Child process initialized" -} -sleep 1 - -spawn $env(SHELL) -send -- "firejail --debug --join=test\r" -expect { - timeout {puts "TESTING ERROR 9\n";exit} - "User namespace detected" -} -expect { - timeout {puts "TESTING ERROR 9\n";exit} - "Joining user namespace" -} -sleep 1 - -send -- "sudo -s\r" -expect { - timeout {puts "TESTING ERROR 8\n";exit} - "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";} - "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} -} -puts "all done\n" diff --git a/test/protocol.exp b/test/protocol.exp deleted file mode 100755 index 018f4cd9b..000000000 --- a/test/protocol.exp +++ /dev/null 
@@ -1,184 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --noprofile --protocol=unix ../src/tools/syscall_test socket\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 1.1\n";exit} - "socket AF_INET" -} -expect { - timeout {puts "TESTING ERROR 1.2\n";exit} - "Operation not supported" -} -expect { - timeout {puts "TESTING ERROR 1.3\n";exit} - "socket AF_INET6" -} -expect { - timeout {puts "TESTING ERROR 1.4\n";exit} - "Operation not supported" -} -expect { - timeout {puts "TESTING ERROR 1.5\n";exit} - "socket AF_NETLINK" -} -expect { - timeout {puts "TESTING ERROR 1.6\n";exit} - "Operation not supported" -} -expect { - timeout {puts "TESTING ERROR 1.7\n";exit} - "socket AF_UNIX" -} -expect { - timeout {puts "TESTING ERROR 1.8\n";exit} - "socket AF_PACKETX" -} -expect { - timeout {puts "TESTING ERROR 1.9\n";exit} - "Operation not supported" -} -sleep 1 - -send -- "firejail --noprofile --protocol=inet6,packet ../src/tools/syscall_test socket\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 2.1\n";exit} - "socket AF_INET" -} -expect { - timeout {puts "TESTING ERROR 2.2\n";exit} - "Operation not supported" -} -expect { - timeout {puts "TESTING ERROR 2.3\n";exit} - "socket AF_INET6" -} -expect { - timeout {puts "TESTING ERROR 2.4\n";exit} - "socket AF_NETLINK" -} -expect { - timeout {puts "TESTING ERROR 2.5\n";exit} - "Operation not supported" -} -expect { - timeout {puts "TESTING ERROR 2.6\n";exit} - "socket AF_UNIX" -} -expect { - timeout {puts "TESTING ERROR 2.7\n";exit} - "Operation not supported" -} -expect { - timeout {puts "TESTING ERROR 2.8\n";exit} - "socket AF_PACKETX" -} -expect { - timeout {puts "TESTING ERROR 2.9\n";exit} - "after socket" -} -sleep 1 - -# profile testing -send -- "firejail --profile=protocol1.profile ../src/tools/syscall_test 
socket\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "socket AF_INET" -} -expect { - timeout {puts "TESTING ERROR 3.2\n";exit} - "Operation not supported" -} -expect { - timeout {puts "TESTING ERROR 3.3\n";exit} - "socket AF_INET6" -} -expect { - timeout {puts "TESTING ERROR 3.4\n";exit} - "Operation not supported" -} -expect { - timeout {puts "TESTING ERROR 3.5\n";exit} - "socket AF_NETLINK" -} -expect { - timeout {puts "TESTING ERROR 3.6\n";exit} - "Operation not supported" -} -expect { - timeout {puts "TESTING ERROR 3.7\n";exit} - "socket AF_UNIX" -} -expect { - timeout {puts "TESTING ERROR 3.8\n";exit} - "socket AF_PACKETX" -} -expect { - timeout {puts "TESTING ERROR 3.9\n";exit} - "Operation not supported" -} -sleep 1 - -send -- "firejail --profile=protocol2.profile ../src/tools/syscall_test socket\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 4.1\n";exit} - "socket AF_INET" -} -expect { - timeout {puts "TESTING ERROR 4.2\n";exit} - "Operation not supported" -} -expect { - timeout {puts "TESTING ERROR 4.3\n";exit} - "socket AF_INET6" -} -expect { - timeout {puts "TESTING ERROR 4.4\n";exit} - "socket AF_NETLINK" -} -expect { - timeout {puts "TESTING ERROR 4.5\n";exit} - "Operation not supported" -} -expect { - timeout {puts "TESTING ERROR 4.6\n";exit} - "socket AF_UNIX" -} -expect { - timeout {puts "TESTING ERROR 4.7\n";exit} - "Operation not supported" -} -expect { - timeout {puts "TESTING ERROR 4.8\n";exit} - "socket AF_PACKETX" -} -expect { - timeout {puts "TESTING ERROR 4.9\n";exit} - "after socket" -} -sleep 1 - - - - - -puts "\nall done\n" diff --git a/test/protocol1.profile b/test/protocol1.profile deleted file mode 100644 index 3e1ea2a29..000000000 --- a/test/protocol1.profile +++ /dev/null @@ -1 +0,0 @@ -protocol unix 
diff --git a/test/protocol2.profile b/test/protocol2.profile deleted file mode 100644 index b7eb4ab91..000000000 --- a/test/protocol2.profile +++ /dev/null @@ -1 +0,0 @@ -protocol inet6,packet diff --git a/test/seccomp-bad-empty.exp b/test/seccomp-bad-empty.exp deleted file mode 100755 index 631d67743..000000000 --- a/test/seccomp-bad-empty.exp +++ /dev/null @@ -1,38 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --seccomp=\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Error: empty syscall lists are not allowed" -} - -send -- "firejail --seccomp.drop=\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "Error: empty syscall lists are not allowed" -} - -send -- "firejail --seccomp.keep=\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Error: empty syscall lists are not allowed" -} - -send -- "firejail --profile=seccomp-bad-empty.profile\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "Error: line 1 in seccomp-bad-empty.profile is invalid" -} - -send -- "firejail --profile=seccomp-bad-empty2.profile\r" -expect { - timeout {puts "TESTING ERROR 7\n";exit} - "Error: line 1 in seccomp-bad-empty2.profile is invalid" -} -sleep 1 -puts "\nall done\n" - diff --git a/test/seccomp-bad-empty.profile b/test/seccomp-bad-empty.profile deleted file mode 100644 index 2d4fcde7c..000000000 --- a/test/seccomp-bad-empty.profile +++ /dev/null @@ -1 +0,0 @@ -seccomp.drop diff --git a/test/seccomp-bad-empty2.profile b/test/seccomp-bad-empty2.profile deleted file mode 100644 index c4e6c9f74..000000000 --- a/test/seccomp-bad-empty2.profile +++ /dev/null @@ -1 +0,0 @@ -seccomp.keep diff --git a/test/seccomp-chmod-profile.exp b/test/seccomp-chmod-profile.exp deleted file mode 100755 index 098328cea..000000000 --- a/test/seccomp-chmod-profile.exp +++ /dev/null 
@@ -1,46 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --profile=seccomp.profile --private\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 2 - -send -- "touch testfile;pwd\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "/root" {puts "running as root"} - "/home" -} - -send -- "ls -l testfile;pwd\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "testfile" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "/root" {puts "running as root"} - "/home" -} - -send -- "chmod +x testfile;pwd\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "Bad system call" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "/root" {puts "running as root"} - "/home" -} - - -send -- "exit\r" -sleep 1 -puts "\n" diff --git a/test/seccomp-chmod.exp b/test/seccomp-chmod.exp deleted file mode 100755 index b4a213206..000000000 --- a/test/seccomp-chmod.exp +++ /dev/null @@ -1,46 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --seccomp=chmod,fchmod,fchmodat --private\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 2 - -send -- "touch testfile;pwd\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "/root" {puts "running as root"} - "/home" -} - -send -- "ls -l testfile;pwd\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "testfile" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "/root" {puts "running as root"} - "/home" -} - -send -- "chmod +x testfile;pwd\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "Bad system call" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "/root" {puts "running as root"} - "/home" -} - - -send -- "exit\r" -sleep 1 -puts "\n" diff --git a/test/seccomp-chown.exp b/test/seccomp-chown.exp deleted file mode 100755 index 69b896700..000000000 --- a/test/seccomp-chown.exp +++ /dev/null 
@@ -1,46 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --seccomp=chown,fchown,fchownat,lchown --private\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 2 - -send -- "touch testfile;pwd\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "/root" {puts "running as root"} - "/home" -} - -send -- "ls -l testfile;pwd\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "testfile" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "/root" {puts "running as root"} - "/home" -} - -send -- "chown netblue:netblue testfile;pwd\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "Bad system call" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "/root" {puts "running as root"} - "/home" -} - - -send -- "exit\r" -sleep 1 -puts "\n" diff --git a/test/seccomp-debug.exp b/test/seccomp-debug.exp deleted file mode 100755 index 1034f040e..000000000 --- a/test/seccomp-debug.exp +++ /dev/null @@ -1,28 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --seccomp --debug\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "SECCOMP Filter" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "BLACKLIST" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "open_by_handle_at" -} -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -sleep 2 - -send -- "exit\r" -after 100 -puts "all done\n" diff --git a/test/seccomp-dualfilter.exp b/test/seccomp-dualfilter.exp deleted file mode 100755 index afdf8a53a..000000000 --- a/test/seccomp-dualfilter.exp +++ /dev/null 
@@ -1,38 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail ../src/tools/syscall_test mount\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "before mount" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "after mount" {puts "TESTING ERROR 2.1\n";exit} - "Parent is shutting down" -} -sleep 1 - -send -- "firejail ../src/tools/syscall_test32 mount\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "before mount" -} -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "after mount" {puts "TESTING ERROR 5.1\n";exit} - "Parent is shutting down" -} - -puts "\nall done\n" diff --git a/test/seccomp-empty.exp b/test/seccomp-empty.exp deleted file mode 100755 index 11abf2e00..000000000 --- a/test/seccomp-empty.exp +++ /dev/null 
@@ -1,145 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --debug --seccomp=chmod,fchmod,fchmodat --private\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "VALIDATE_ARCHITECTURE" -} -expect { - timeout {puts "TESTING ERROR 0.1\n";exit} - "mount" -} -expect { - timeout {puts "TESTING ERROR 0.2\n";exit} - "ptrace" -} -expect { - timeout {puts "TESTING ERROR 0.3\n";exit} - "chmod" -} -expect { - timeout {puts "TESTING ERROR 0.4\n";exit} - "fchmod" -} -expect { - timeout {puts "TESTING ERROR 0.5\n";exit} - "fchmodat" -} -expect { - timeout {puts "TESTING ERROR 0.6\n";exit} - "RETURN_ALLOW" -} -expect { - timeout {puts "TESTING ERROR 0.7\n";exit} - "Child process initialized" -} -sleep 2 -send -- "exit\r" -sleep 3 -puts "\n" - -send -- "firejail --debug --seccomp.drop=chmod,fchmod,fchmodat --private\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "VALIDATE_ARCHITECTURE" -} -expect { - timeout {puts "TESTING ERROR 1.1\n";exit} - "mount" {puts "TESTING ERROR 1.2\n";exit} - "ptrace" {puts "TESTING ERROR 1.3\n";exit} - "chmod" -} -expect { - timeout {puts "TESTING ERROR 1.4\n";exit} - "fchmod" -} -expect { - timeout {puts "TESTING ERROR 1.5\n";exit} - "fchmodat" -} -expect { - timeout {puts "TESTING ERROR 1.6\n";exit} - "RETURN_ALLOW" -} -expect { - timeout {puts "TESTING ERROR 1.7\n";exit} - "Child process initialized" -} -sleep 2 -send -- "exit\r" -puts "\n" - -sleep 2 -send -- "firejail --debug --profile=seccomp.profile --private\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "VALIDATE_ARCHITECTURE" -} -expect { - timeout {puts "TESTING ERROR 2.1\n";exit} - "mount" -} -expect { - timeout {puts "TESTING ERROR 2.2\n";exit} - "ptrace" -} -expect { - timeout {puts "TESTING ERROR 2.3\n";exit} - "chmod" -} -expect { - timeout {puts "TESTING ERROR 2.4\n";exit} - "fchmod" -} -expect { - timeout {puts "TESTING ERROR 2.5\n";exit} - "fchmodat" -} -expect { - timeout {puts "TESTING ERROR 
2.6\n";exit} - "RETURN_ALLOW" -} -expect { - timeout {puts "TESTING ERROR 2.7\n";exit} - "Child process initialized" -} -sleep 2 -send -- "exit\r" -sleep 3 -puts "\n" - -send -- "firejail --debug --profile=seccomp-empty.profile --private\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "VALIDATE_ARCHITECTURE" -} -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "mount" {puts "TESTING ERROR 3.2\n";exit} - "ptrace" {puts "TESTING ERROR 3.3\n";exit} - "chmod" -} -expect { - timeout {puts "TESTING ERROR 3.4\n";exit} - "fchmod" -} -expect { - timeout {puts "TESTING ERROR 3.5\n";exit} - "fchmodat" -} -expect { - timeout {puts "TESTING ERROR 3.6\n";exit} - "RETURN_ALLOW" -} -expect { - timeout {puts "TESTING ERROR 3.7\n";exit} - "Child process initialized" -} -sleep 2 -send -- "exit\r" -puts "\n" - diff --git a/test/seccomp-empty.profile b/test/seccomp-empty.profile deleted file mode 100644 index 8f71f55a5..000000000 --- a/test/seccomp-empty.profile +++ /dev/null @@ -1 +0,0 @@ -seccomp.drop chmod,fchmod,fchmodat diff --git a/test/seccomp-errno.exp b/test/seccomp-errno.exp deleted file mode 100755 index e6678ab8f..000000000 --- a/test/seccomp-errno.exp +++ /dev/null 
@@ -1,87 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "touch seccomp-test-file\r" -sleep 1 - -send -- "firejail --seccomp.enoent=unlinkat rm seccomp-test-file\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "No such file or directory" -} -sleep 1 - -send -- "firejail --seccomp.enoent=unlinkat --debug rm seccomp-test-file\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "unlinkat 2 ENOENT" -} -sleep 1 - -send -- "firejail --seccomp.enoent=unlinkat,mkdir\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "Child process initialized" -} -sleep 1 -send -- "rm seccomp-test-file\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "No such file or directory" -} -after 100 -puts "\n" - -send -- "mkdir seccomp-test-dir\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "No such file or directory" -} -after 100 -puts "\n" - -send -- "exit\r" -sleep 1 - - -send -- "firejail --seccomp.enoent=unlinkat --seccomp.enoent=mkdir\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "errno enoent already configured" -} -sleep 1 - -send -- "firejail --seccomp.enoent=unlinkat --seccomp.eperm=mkdir\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "Child process initialized" -} -sleep 1 -send -- "rm seccomp-test-file\r" -expect { - timeout {puts "TESTING ERROR 7\n";exit} - "No such file or directory" -} -after 100 -puts "\n" - -send -- "mkdir seccomp-test-dir\r" -expect { - timeout {puts "TESTING ERROR 8\n";exit} - "Operation not permitted" -} -after 100 -puts "\n" - -send -- "exit\r" -sleep 1 - - - - -send -- "rm seccomp-test-file\r" -sleep 1 -puts "all done\n" diff --git a/test/seccomp-ptrace.exp b/test/seccomp-ptrace.exp deleted file mode 100755 index 9a9b7430e..000000000 --- a/test/seccomp-ptrace.exp +++ /dev/null 
@@ -1,23 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --noprofile --seccomp\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 2 - -send -- "strace ls\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Bad system call" {puts "version 1\n";} - " unexpected signal 31" {puts "version 2\n"} -} - -send -- "exit\r" -sleep 1 -puts "all done\n" diff --git a/test/seccomp-su.exp b/test/seccomp-su.exp deleted file mode 100755 index dcae6f869..000000000 --- a/test/seccomp-su.exp +++ /dev/null @@ -1,34 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --noprofile --seccomp\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 2 - -send -- "sudo su -\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "effective uid is not 0" -} - -send -- "sudo ls\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "effective uid is not 0" -} - -send -- "ping google.com\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "Operation not permitted" -} - -send -- "exit\r" -sleep 1 -puts "all done\n" diff --git a/test/seccomp-umount.exp b/test/seccomp-umount.exp deleted file mode 100755 index c0107a084..000000000 --- a/test/seccomp-umount.exp +++ /dev/null @@ -1,28 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "sudo ls; sudo whoami; sudo pwd\r" -expect { - timeout {puts "TESTING ERROR: you need to root run this test as root\n";exit} - "root" -} - -send -- "firejail --net=br0 --ip=10.10.20.5 --seccomp --noprofile\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 2 - -send -- "umount /proc\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Bad system call" -} - -send -- "exit\r" -sleep 1 -puts "\n" 
diff --git a/test/seccomp.profile b/test/seccomp.profile deleted file mode 100644 index cb0b15aee..000000000 --- a/test/seccomp.profile +++ /dev/null @@ -1 +0,0 @@ -seccomp chmod,fchmod,fchmodat -- cgit v1.2.3-70-g09d2 From 0bebfab52fa77bae091f9c67f9b74ad73a429fff Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 30 Apr 2016 07:27:48 -0400 Subject: added make test-filters --- test/filters/protocol.exp | 3 +++ test/filters/seccomp-bad-empty.exp | 3 +++ 2 files changed, 6 insertions(+) diff --git a/test/filters/protocol.exp b/test/filters/protocol.exp index cf552da56..10a13fe25 100755 --- a/test/filters/protocol.exp +++ b/test/filters/protocol.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) diff --git a/test/filters/seccomp-bad-empty.exp b/test/filters/seccomp-bad-empty.exp index 631d67743..53f06e632 100755 --- a/test/filters/seccomp-bad-empty.exp +++ b/test/filters/seccomp-bad-empty.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) -- cgit v1.2.3-70-g09d2 From ea774178f6d8f613c96c0d001fed200155b704b7 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Sat, 30 Apr 2016 07:31:21 -0400 Subject: added make test-filters --- test/filters/filters.sh | 48 +++++++++++ test/filters/seccomp-chmod-profile.exp | 49 +++++++++++ test/filters/seccomp-chmod.exp | 49 +++++++++++ test/filters/seccomp-chown.exp | 49 +++++++++++ test/filters/seccomp-debug.exp | 31 +++++++ test/filters/seccomp-dualfilter.exp | 41 +++++++++ test/filters/seccomp-empty.exp | 148 +++++++++++++++++++++++++++++++++ test/filters/seccomp-empty.profile | 1 + test/filters/seccomp-errno.exp | 90 ++++++++++++++++++++ test/filters/seccomp-ptrace.exp | 26 ++++++ test/filters/seccomp-su.exp | 37 +++++++++ test/filters/seccomp-umount.exp | 31 +++++++ 12 files changed, 600 insertions(+) create mode 100755 test/filters/filters.sh create mode 100755 test/filters/seccomp-chmod-profile.exp create mode 100755 test/filters/seccomp-chmod.exp create mode 100755 test/filters/seccomp-chown.exp create mode 100755 test/filters/seccomp-debug.exp create mode 100755 test/filters/seccomp-dualfilter.exp create mode 100755 test/filters/seccomp-empty.exp create mode 100644 test/filters/seccomp-empty.profile create mode 100755 test/filters/seccomp-errno.exp create mode 100755 test/filters/seccomp-ptrace.exp create mode 100755 test/filters/seccomp-su.exp create mode 100755 test/filters/seccomp-umount.exp diff --git a/test/filters/filters.sh b/test/filters/filters.sh new file mode 100755 index 000000000..c21243a0f --- /dev/null +++ b/test/filters/filters.sh 
@@ -0,0 +1,48 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+
+echo "TESTING: noroot (test/filters/noroot.exp)"
+./noroot.exp
+
+echo "TESTING: capabilities (test/filters/caps.exp)"
+./caps.exp
+
+echo "TESTING: protocol (test/filters/protocol.exp)"
+./protocol.exp
+
+echo "TESTING: seccomp bad empty (test/filters/seccomp-bad-empty.exp)"
+./seccomp-bad-empty.exp
+
+echo "TESTING: seccomp debug (test/filters/seccomp-debug.exp)"
+./seccomp-debug.exp
+
+echo "TESTING: seccomp errno (test/filters/seccomp-errno.exp)"
+./seccomp-errno.exp
+
+echo "TESTING: seccomp su (test/filters/seccomp-su.exp)"
+./seccomp-su.exp
+
+echo "TESTING: seccomp ptrace (seccomp-ptrace.exp)"
+./seccomp-ptrace.exp
+
+echo "TESTING: seccomp chmod - seccomp lists (test/filters/seccomp-chmod.exp)"
+./seccomp-chmod.exp
+
+echo "TESTING: seccomp chmod profile - seccomp lists (test/filters/seccomp-chmod-profile.exp)"
+./seccomp-chmod-profile.exp
+
+echo "TESTING: seccomp empty (test/filters/seccomp-empty.exp)"
+./seccomp-empty.exp
+
+echo "TESTING: seccomp bad empty (test/filters/seccomp-bad-empty.exp)"
+./seccomp-bad-empty.exp
+
+echo "TESTING: seccomp dual filter (test/filters/seccomp-dualfilter.exp)"
+./seccomp-dualfilter.exp
+
+
diff --git a/test/filters/seccomp-chmod-profile.exp b/test/filters/seccomp-chmod-profile.exp
new file mode 100755
index 000000000..9683fad90
--- /dev/null
+++ b/test/filters/seccomp-chmod-profile.exp
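Review bot: The runner never invokes `seccomp-chown.exp` or `seccomp-umount.exp`, although this commit's diffstat adds both under test/filters, and it runs `./seccomp-bad-empty.exp` twice. If the omission is deliberate (the deleted copy of the umount test begins by checking for root), a comment such as `# seccomp-umount.exp needs root, run separately` would document it; otherwise add the two invocations and drop the duplicate. The script also ignores each test's exit status and depends on being started from test/filters because of the `./` paths.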
@@ -0,0 +1,49 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --profile=seccomp.profile --private\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+send -- "touch testfile;pwd\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "/root" {puts "running as root"}
+ "/home"
+}
+
+send -- "ls -l testfile;pwd\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "testfile"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "/root" {puts "running as root"}
+ "/home"
+}
+
+send -- "chmod +x testfile;pwd\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "Bad system call"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "/root" {puts "running as root"}
+ "/home"
+}
+
+
+send -- "exit\r"
+sleep 1
+puts "\n"
diff --git a/test/filters/seccomp-chmod.exp b/test/filters/seccomp-chmod.exp
new file mode 100755
index 000000000..0d52122d3
--- /dev/null
+++ b/test/filters/seccomp-chmod.exp
@@ -0,0 +1,49 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --seccomp=chmod,fchmod,fchmodat --private\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+send -- "touch testfile;pwd\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "/root" {puts "running as root"}
+ "/home"
+}
+
+send -- "ls -l testfile;pwd\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "testfile"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "/root" {puts "running as root"}
+ "/home"
+}
+
+send -- "chmod +x testfile;pwd\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "Bad system call"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "/root" {puts "running as root"}
+ "/home"
+}
+
+
+send -- "exit\r"
+sleep 1
+puts "\n"
diff --git a/test/filters/seccomp-chown.exp b/test/filters/seccomp-chown.exp
new file mode 100755
index 000000000..4e393fea2
--- /dev/null
+++ b/test/filters/seccomp-chown.exp
@@ -0,0 +1,49 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --seccomp=chown,fchown,fchownat,lchown --private\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+send -- "touch testfile;pwd\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "/root" {puts "running as root"}
+ "/home"
+}
+
+send -- "ls -l testfile;pwd\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "testfile"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "/root" {puts "running as root"}
+ "/home"
+}
+
+send -- "chown netblue:netblue testfile;pwd\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "Bad system call"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "/root" {puts "running as root"}
+ "/home"
+}
+
+
+send -- "exit\r"
+sleep 1
+puts "\n"
diff --git a/test/filters/seccomp-debug.exp b/test/filters/seccomp-debug.exp
new file mode 100755
index 000000000..dbc0d37a9
--- /dev/null
+++ b/test/filters/seccomp-debug.exp
@@ -0,0 +1,31 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --seccomp --debug\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "SECCOMP Filter"
+}
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "BLACKLIST"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "open_by_handle_at"
+}
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+send -- "exit\r"
+after 100
+puts "all done\n"
diff --git a/test/filters/seccomp-dualfilter.exp b/test/filters/seccomp-dualfilter.exp
new file mode 100755
index 000000000..26b36236a
--- /dev/null
+++ b/test/filters/seccomp-dualfilter.exp
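Review bot: The chown step in seccomp-chown.exp names one specific account, `chown netblue:netblue testfile`, so on a machine without that user chown will most likely stop at the name lookup and never reach the filtered syscall. The test would then report a timeout instead of "Bad system call", which says nothing about the seccomp filter. An owner that exists on every system keeps the check meaningful, e.g. `send -- "chown root:root testfile;pwd\r"`. The script is also not called from filters.sh in this commit, so it does not run yet.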
@@ -0,0 +1,41 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail ./syscall_test mount\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "before mount"
+}
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "after mount" {puts "TESTING ERROR 2.1\n";exit}
+ "Parent is shutting down"
+}
+sleep 1
+
+send -- "firejail ./syscall_test32 mount\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "Child process initialized"
+}
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "before mount"
+}
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "after mount" {puts "TESTING ERROR 5.1\n";exit}
+ "Parent is shutting down"
+}
+
+puts "\nall done\n"
diff --git a/test/filters/seccomp-empty.exp b/test/filters/seccomp-empty.exp
new file mode 100755
index 000000000..11b275c7d
--- /dev/null
+++ b/test/filters/seccomp-empty.exp
@@ -0,0 +1,148 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --debug --seccomp=chmod,fchmod,fchmodat --private\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "VALIDATE_ARCHITECTURE" +} +expect { + timeout {puts "TESTING ERROR 0.1\n";exit} + "mount" +} +expect { + timeout {puts "TESTING ERROR 0.2\n";exit} + "ptrace" +} +expect { + timeout {puts "TESTING ERROR 0.3\n";exit} + "chmod" +} +expect { + timeout {puts "TESTING ERROR 0.4\n";exit} + "fchmod" +} +expect { + timeout {puts "TESTING ERROR 0.5\n";exit} + "fchmodat" +} +expect { + timeout {puts "TESTING ERROR 0.6\n";exit} + "RETURN_ALLOW" +} +expect { + timeout {puts "TESTING ERROR 0.7\n";exit} + "Child process initialized" +} +sleep 2 +send -- "exit\r" +sleep 3 +puts "\n" + +send -- "firejail --debug --seccomp.drop=chmod,fchmod,fchmodat --private\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "VALIDATE_ARCHITECTURE" +} +expect { + timeout {puts "TESTING ERROR 1.1\n";exit} + "mount" {puts "TESTING ERROR 1.2\n";exit} + "ptrace" {puts "TESTING ERROR 1.3\n";exit} + "chmod" +} +expect { + timeout {puts "TESTING ERROR 1.4\n";exit} + "fchmod" +} +expect { + timeout {puts "TESTING ERROR 1.5\n";exit} + "fchmodat" +} +expect { + timeout {puts "TESTING ERROR 1.6\n";exit} + "RETURN_ALLOW" +} +expect { + timeout {puts "TESTING ERROR 1.7\n";exit} + "Child process initialized" +} +sleep 2 +send -- "exit\r" +puts "\n" + +sleep 2 +send -- "firejail --debug --profile=seccomp.profile --private\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "VALIDATE_ARCHITECTURE" +} +expect { + timeout {puts "TESTING ERROR 2.1\n";exit} + "mount" +} +expect { + timeout {puts "TESTING ERROR 2.2\n";exit} + "ptrace" +} +expect { + timeout {puts "TESTING ERROR 2.3\n";exit} + "chmod" +} +expect { + timeout {puts "TESTING ERROR 2.4\n";exit} + "fchmod" +} +expect { + 
timeout {puts "TESTING ERROR 2.5\n";exit} + "fchmodat" +} +expect { + timeout {puts "TESTING ERROR 2.6\n";exit} + "RETURN_ALLOW" +} +expect { + timeout {puts "TESTING ERROR 2.7\n";exit} + "Child process initialized" +} +sleep 2 +send -- "exit\r" +sleep 3 +puts "\n" + +send -- "firejail --debug --profile=seccomp-empty.profile --private\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "VALIDATE_ARCHITECTURE" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "mount" {puts "TESTING ERROR 3.2\n";exit} + "ptrace" {puts "TESTING ERROR 3.3\n";exit} + "chmod" +} +expect { + timeout {puts "TESTING ERROR 3.4\n";exit} + "fchmod" +} +expect { + timeout {puts "TESTING ERROR 3.5\n";exit} + "fchmodat" +} +expect { + timeout {puts "TESTING ERROR 3.6\n";exit} + "RETURN_ALLOW" +} +expect { + timeout {puts "TESTING ERROR 3.7\n";exit} + "Child process initialized" +} +sleep 2 +send -- "exit\r" +puts "\n" + diff --git a/test/filters/seccomp-empty.profile b/test/filters/seccomp-empty.profile new file mode 100644 index 000000000..8f71f55a5 --- /dev/null +++ b/test/filters/seccomp-empty.profile @@ -0,0 +1 @@ +seccomp.drop chmod,fchmod,fchmodat diff --git a/test/filters/seccomp-errno.exp b/test/filters/seccomp-errno.exp new file mode 100755 index 000000000..aefe816e1 --- /dev/null +++ b/test/filters/seccomp-errno.exp 
@@ -0,0 +1,90 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "touch seccomp-test-file\r" +sleep 1 + +send -- "firejail --seccomp.enoent=unlinkat rm seccomp-test-file\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "No such file or directory" +} +sleep 1 + +send -- "firejail --seccomp.enoent=unlinkat --debug rm seccomp-test-file\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "unlinkat 2 ENOENT" +} +sleep 1 + +send -- "firejail --seccomp.enoent=unlinkat,mkdir\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Child process initialized" +} +sleep 1 +send -- "rm seccomp-test-file\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "No such file or directory" +} +after 100 +puts "\n" + +send -- "mkdir seccomp-test-dir\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "No such file or directory" +} +after 100 +puts "\n" + +send -- "exit\r" +sleep 1 + + +send -- "firejail --seccomp.enoent=unlinkat --seccomp.enoent=mkdir\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "errno enoent already configured" +} +sleep 1 + +send -- "firejail --seccomp.enoent=unlinkat --seccomp.eperm=mkdir\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "Child process initialized" +} +sleep 1 +send -- "rm seccomp-test-file\r" +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "No such file or directory" +} +after 100 +puts "\n" + +send -- "mkdir seccomp-test-dir\r" +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "Operation not permitted" +} +after 100 +puts "\n" + +send -- "exit\r" +sleep 1 + + + + +send -- "rm seccomp-test-file\r" +sleep 1 +puts "all done\n" diff --git a/test/filters/seccomp-ptrace.exp b/test/filters/seccomp-ptrace.exp new file mode 100755 index 000000000..fba9ea92f --- /dev/null +++ b/test/filters/seccomp-ptrace.exp 
@@ -0,0 +1,26 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --noprofile --seccomp\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 2 + +send -- "strace ls\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Bad system call" {puts "version 1\n";} + " unexpected signal 31" {puts "version 2\n"} +} + +send -- "exit\r" +sleep 1 +puts "all done\n" diff --git a/test/filters/seccomp-su.exp b/test/filters/seccomp-su.exp new file mode 100755 index 000000000..003f3df99 --- /dev/null +++ b/test/filters/seccomp-su.exp @@ -0,0 +1,37 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --noprofile --seccomp\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 2 + +send -- "sudo su -\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "effective uid is not 0" +} + +send -- "sudo ls\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "effective uid is not 0" +} + +send -- "ping google.com\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Operation not permitted" +} + +send -- "exit\r" +sleep 1 +puts "all done\n" diff --git a/test/filters/seccomp-umount.exp b/test/filters/seccomp-umount.exp new file mode 100755 index 000000000..6e2f8c6c2 --- /dev/null +++ b/test/filters/seccomp-umount.exp 
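Review bot: In seccomp-su.exp the `sudo ls` and `ping google.com` steps both report `TESTING ERROR 2`, so a failure log cannot tell which check broke; the ping arm should carry its own label, `timeout {puts "TESTING ERROR 3\n";exit}`. The ping step also names an external host. A loopback address would presumably exercise the same permission check without depending on DNS or outbound traffic from the test machine, which is worth confirming before changing it.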
@@ -0,0 +1,31 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "sudo ls; sudo whoami; sudo pwd\r" +expect { + timeout {puts "TESTING ERROR: you need to root run this test as root\n";exit} + "root" +} + +send -- "firejail --net=br0 --ip=10.10.20.5 --seccomp --noprofile\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 2 + +send -- "umount /proc\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Bad system call" +} + +send -- "exit\r" +sleep 1 +puts "\n" -- cgit v1.2.3-70-g09d2 From 4290471c98c799586a9533738c88c985139caff0 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 30 Apr 2016 07:38:28 -0400 Subject: added make test-filters --- test/filters/filters.sh | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/test/filters/filters.sh b/test/filters/filters.sh index c21243a0f..11d90b011 100755 --- a/test/filters/filters.sh +++ b/test/filters/filters.sh @@ -30,11 +30,16 @@ echo "TESTING: seccomp su (test/filters/seccomp-su.exp)" echo "TESTING: seccomp ptrace (seccomp-ptrace.exp)" ./seccomp-ptrace.exp -echo "TESTING: seccomp chmod - seccomp lists (test/filters/seccomp-chmod.exp)" -./seccomp-chmod.exp +# todo: fix pwd +#echo "TESTING: seccomp chmod - seccomp lists (test/filters/seccomp-chmod.exp)" +#./seccomp-chmod.exp + +# todo: fix pwd +#echo "TESTING: seccomp chmod profile - seccomp lists (test/filters/seccomp-chmod-profile.exp)" +#./seccomp-chmod-profile.exp + +# todo: fix pwd and add seccomp-chown.exp and seccomp-umount.exp -echo "TESTING: seccomp chmod profile - seccomp lists (test/filters/seccomp-chmod-profile.exp)" -./seccomp-chmod-profile.exp echo "TESTING: seccomp empty (test/filters/seccomp-empty.exp)" ./seccomp-empty.exp -- cgit v1.2.3-70-g09d2 From 2bd593cbeb17f109f8f53c811671fa8166411421 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Sat, 30 Apr 2016 12:19:53 -0400 Subject: make test-filters fixes --- test/filters/filters.sh | 13 +++++-------- test/filters/seccomp-chmod-profile.exp | 30 ++++++++++++++++-------------- test/filters/seccomp-chmod.exp | 30 ++++++++++++++++-------------- 3 files changed, 37 insertions(+), 36 deletions(-) diff --git a/test/filters/filters.sh b/test/filters/filters.sh index 11d90b011..1e64a6373 100755 --- a/test/filters/filters.sh +++ b/test/filters/filters.sh @@ -27,20 +27,17 @@ echo "TESTING: seccomp errno (test/filters/seccomp-errno.exp)" echo "TESTING: seccomp su (test/filters/seccomp-su.exp)" ./seccomp-su.exp -echo "TESTING: seccomp ptrace (seccomp-ptrace.exp)" +echo "TESTING: seccomp ptrace (test/filters/seccomp-ptrace.exp)" ./seccomp-ptrace.exp -# todo: fix pwd -#echo "TESTING: seccomp chmod - seccomp lists (test/filters/seccomp-chmod.exp)" -#./seccomp-chmod.exp +echo "TESTING: seccomp chmod - seccomp lists (test/filters/seccomp-chmod.exp)" +./seccomp-chmod.exp -# todo: fix pwd -#echo "TESTING: seccomp chmod profile - seccomp lists (test/filters/seccomp-chmod-profile.exp)" -#./seccomp-chmod-profile.exp +echo "TESTING: seccomp chmod profile - seccomp lists (test/filters/seccomp-chmod-profile.exp)" +./seccomp-chmod-profile.exp # todo: fix pwd and add seccomp-chown.exp and seccomp-umount.exp - echo "TESTING: seccomp empty (test/filters/seccomp-empty.exp)" ./seccomp-empty.exp diff --git a/test/filters/seccomp-chmod-profile.exp b/test/filters/seccomp-chmod-profile.exp index 9683fad90..e5d16f524 100755 --- a/test/filters/seccomp-chmod-profile.exp +++ b/test/filters/seccomp-chmod-profile.exp 
@@ -14,36 +14,38 @@ expect { } sleep 2 -send -- "touch testfile;pwd\r" +send -- "cd ~; echo done\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "/root" {puts "running as root"} - "/home" + "done" } -send -- "ls -l testfile;pwd\r" +send -- "touch testfile; echo done\r" expect { timeout {puts "TESTING ERROR 2\n";exit} - "testfile" + "done" } + +send -- "ls -l testfile; echo done\r" expect { timeout {puts "TESTING ERROR 3\n";exit} - "/root" {puts "running as root"} - "/home" + "testfile" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "done" } -send -- "chmod +x testfile;pwd\r" +send -- "chmod +x testfile; echo done\r" expect { - timeout {puts "TESTING ERROR 2\n";exit} + timeout {puts "TESTING ERROR 5\n";exit} "Bad system call" } expect { - timeout {puts "TESTING ERROR 3\n";exit} - "/root" {puts "running as root"} - "/home" + timeout {puts "TESTING ERROR 6\n";exit} + "done" } - send -- "exit\r" sleep 1 -puts "\n" +puts "\nall done\n" diff --git a/test/filters/seccomp-chmod.exp b/test/filters/seccomp-chmod.exp index 0d52122d3..9ca084e7f 100755 --- a/test/filters/seccomp-chmod.exp +++ b/test/filters/seccomp-chmod.exp 
@@ -14,36 +14,38 @@ expect { } sleep 2 -send -- "touch testfile;pwd\r" +send -- "cd ~; echo done\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "/root" {puts "running as root"} - "/home" + "done" } -send -- "ls -l testfile;pwd\r" +send -- "touch testfile; echo done\r" expect { timeout {puts "TESTING ERROR 2\n";exit} - "testfile" + "done" } + +send -- "ls -l testfile; echo done\r" expect { timeout {puts "TESTING ERROR 3\n";exit} - "/root" {puts "running as root"} - "/home" + "testfile" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "done" } -send -- "chmod +x testfile;pwd\r" +send -- "chmod +x testfile; echo done\r" expect { - timeout {puts "TESTING ERROR 2\n";exit} + timeout {puts "TESTING ERROR 5\n";exit} "Bad system call" } expect { - timeout {puts "TESTING ERROR 3\n";exit} - "/root" {puts "running as root"} - "/home" + timeout {puts "TESTING ERROR 6\n";exit} + "done" } - send -- "exit\r" sleep 1 -puts "\n" +puts "\nall done\n" -- cgit v1.2.3-70-g09d2 From c1b25cefcc009dc9445342f486fa03c8757a5f74 Mon Sep 17 00:00:00 2001 From: Reiner Herrmann Date: Sat, 30 Apr 2016 21:00:04 +0200 Subject: test/filters: some additional checks about testing environment --- test/filters/filters.sh | 27 +++++++++++++++++++-------- test/filters/seccomp-dualfilter.exp | 11 +++++++---- 2 files changed, 26 insertions(+), 12 deletions(-) diff --git a/test/filters/filters.sh b/test/filters/filters.sh index 1e64a6373..67b9f2c0d 100755 --- a/test/filters/filters.sh +++ b/test/filters/filters.sh @@ -12,8 +12,12 @@ echo "TESTING: noroot (test/filters/noroot.exp)" echo "TESTING: capabilities (test/filters/caps.exp)" ./caps.exp -echo "TESTING: protocol (test/filters/protocol.exp)" -./protocol.exp +if [ "$(uname -m)" = "x86_64" ]; then + echo "TESTING: protocol (test/filters/protocol.exp)" + ./protocol.exp +else + echo "TESTING SKIP: protocol, not running on x86_64" +fi echo "TESTING: seccomp bad empty (test/filters/seccomp-bad-empty.exp)" ./seccomp-bad-empty.exp 
@@ -27,8 +31,13 @@ echo "TESTING: seccomp errno (test/filters/seccomp-errno.exp)" echo "TESTING: seccomp su (test/filters/seccomp-su.exp)" ./seccomp-su.exp -echo "TESTING: seccomp ptrace (test/filters/seccomp-ptrace.exp)" -./seccomp-ptrace.exp +which strace +if [ $? -eq 0 ]; then + echo "TESTING: seccomp ptrace (test/filters/seccomp-ptrace.exp)" + ./seccomp-ptrace.exp +else + echo "TESTING SKIP: ptrace, strace not found" +fi echo "TESTING: seccomp chmod - seccomp lists (test/filters/seccomp-chmod.exp)" ./seccomp-chmod.exp @@ -44,7 +53,9 @@ echo "TESTING: seccomp empty (test/filters/seccomp-empty.exp)" echo "TESTING: seccomp bad empty (test/filters/seccomp-bad-empty.exp)" ./seccomp-bad-empty.exp -echo "TESTING: seccomp dual filter (test/filters/seccomp-dualfilter.exp)" -./seccomp-dualfilter.exp - - +if [ "$(uname -m)" = "x86_64" ]; then + echo "TESTING: seccomp dual filter (test/filters/seccomp-dualfilter.exp)" + ./seccomp-dualfilter.exp +else + echo "TESTING SKIP: seccomp dual, not running on x86_64" +fi diff --git a/test/filters/seccomp-dualfilter.exp b/test/filters/seccomp-dualfilter.exp index 26b36236a..7c964d5c3 100755 --- a/test/filters/seccomp-dualfilter.exp +++ b/test/filters/seccomp-dualfilter.exp @@ -25,16 +25,19 @@ sleep 1 send -- "firejail ./syscall_test32 mount\r" expect { - timeout {puts "TESTING ERROR 3\n";exit} - "Child process initialized" + "syscall_test32: No such file or directory" {puts "\nTESTING SKIP 3: can't execute 32 bit binary\n"; exit} } expect { timeout {puts "TESTING ERROR 4\n";exit} - "before mount" + "Child process initialized" } expect { timeout {puts "TESTING ERROR 5\n";exit} - "after mount" {puts "TESTING ERROR 5.1\n";exit} + "before mount" +} +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "after mount" {puts "TESTING ERROR 6.1\n";exit} "Parent is shutting down" } -- cgit v1.2.3-70-g09d2 From 61b09428c5e92121d4192f480701f7a92a02634b Mon Sep 17 00:00:00 2001 
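Review bot: The new skip block in seccomp-dualfilter.exp has only the "No such file or directory" arm, so when syscall_test32 is present this `expect` can end only by running out the script's 10-second timeout before the real checks begin. Folding the skip pattern into the next block removes the wait and keeps a single timeout arm: add `"syscall_test32: No such file or directory" {puts "\nTESTING SKIP 3: can't execute 32 bit binary\n"; exit}` as an extra arm of the `"Child process initialized"` expect. The script starts and ends outside this hunk.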
From: avoidr Date: Sun, 1 May 2016 13:18:47 +0200 Subject: noblacklist python3 --- etc/cherrytree.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index 77fa79e11..1f69f61c6 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile @@ -1,6 +1,6 @@ # cherrytree note taking application noblacklist /usr/bin/python2* -noblacklist /usr/lib/python2* +noblacklist /usr/lib/python3* include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc -- cgit v1.2.3-70-g09d2 From f374c79aa7d8248cc8a44d773f140966030f30a8 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 1 May 2016 17:59:16 -0400 Subject: cleanup --- README | 37 +++++++++++++++++++------------------ etc/disable-devel.inc | 24 +++++++++++++----------- src/firejail/fs.c | 2 ++ 3 files changed, 34 insertions(+), 29 deletions(-) diff --git a/README b/README index 7779ebf4e..0ae06b5ed 100644 --- a/README +++ b/README @@ -18,6 +18,25 @@ License: GPL v2 Firejail Authors: netblue30 (netblue30@yahoo.com) +Reiner Herrmann + - a number of build patches + - man page fixes + - Debian and Ubuntu integration + - clang-analyzer fixes + - Debian reproducible build + - unit testing framework +avoidr (https://github.com/avoidr) + - whitelist fix + - recently-used.xbel fix + - added parole profile + - blacklist ncat, manpage fixes, + - hostname support in profile file + - Google Chrome profile rework + - added cmus profile + - man page fixes + - add net iface support in profile files + - paths fix + - lots of profile fixes Ruan (https://github.com/ruany) - fixed hexchat profile Vasya Novikov (https://github.com/vn971) 
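Review bot: The cherrytree.profile hunk replaces the `/usr/lib/python2*` exemption instead of adding a python3 one, which leaves `noblacklist /usr/bin/python2*` paired with `noblacklist /usr/lib/python3*`. The profile includes disable-devel.inc, so if cherrytree runs under Python 2 its library directory is presumably blacklisted again, and if it runs under Python 3 the interpreter binary is not exempted. Matched pairs would be clearer: `noblacklist /usr/bin/python3*` alongside `noblacklist /usr/lib/python3*`, with the python2 pair either both kept or both dropped.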
@@ -50,18 +69,6 @@ Fred-Barclay (https://github.com/Fred-Barclay) - fixed HexChat and Atril profiles - fixed disable-common.inc for mate-terminal - blacklisted escape-happy terminals in disable-common.inc -avoidr (https://github.com/avoidr) - - whitelist fix - - recently-used.xbel fix - - added parole profile - - blacklist ncat, manpage fixes, - - hostname support in profile file - - Google Chrome profile rework - - added cmus profile - - man page fixes - - add net iface support in profile files - - paths fix - - lots of profile fixes Petter Reinholdtsen (pere@hungry.com) - Opera profile patch n1trux (https://github.com/n1trux) @@ -166,12 +173,6 @@ sarneaud (https://github.com/sarneaud) - various enhancements and bug fixes Patrick Toomey (http://sourceforge.net/u/ptoomey/profile/) - user namespace implementation -Reiner Herrmann - - a number of build patches - - man page fixes - - Debian and Ubuntu integration - - clang-analyzer fixes - - Debian reproducible build sshirokov (http://sourceforge.net/u/yshirokov/profile/) - Patch to output "Reading profile" to stderr instead of stdout G4JC (http://sourceforge.net/u/gaming4jc/profile/) diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc index fa77ed8d1..2805938d7 100644 --- a/etc/disable-devel.inc +++ b/etc/disable-devel.inc 
@@ -35,17 +35,19 @@ blacklist /usr/lib/php* blacklist /usr/bin/ruby blacklist /usr/lib/ruby +# disabled temporarily pending globbing implementation +# in noblacklist command and firefox profile fix # Python 2 -blacklist /usr/bin/python2* -blacklist /usr/lib/python2* -blacklist /usr/local/lib/python2* -blacklist /usr/include/python2* -blacklist /usr/share/python2* - +#blacklist /usr/bin/python2* +#blacklist /usr/lib/python2* +#blacklist /usr/local/lib/python2* +#blacklist /usr/include/python2* +#blacklist /usr/share/python2* +# # Python 3 -blacklist /usr/bin/python3* -blacklist /usr/lib/python3* -blacklist /usr/local/lib/python3* -blacklist /usr/share/python3* -blacklist /usr/include/python3* +#blacklist /usr/bin/python3* +#blacklist /usr/lib/python3* +#blacklist /usr/local/lib/python3* +#blacklist /usr/share/python3* +#blacklist /usr/include/python3* diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 171b4848c..4dff6fce8 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -729,9 +729,11 @@ void fs_basic_fs(void) { printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr"); if (!arg_writable_etc) { fs_rdonly("/etc"); + if (arg_debug) printf(", /etc"); } if (!arg_writable_var) { fs_rdonly("/var"); + if (arg_debug) printf(", /var"); } if (arg_debug) printf("\n"); fs_rdonly("/bin"); -- cgit v1.2.3-70-g09d2 From 7bd26cefd0b43c2fa43a60d87ccec134e854f521 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 2 May 2016 09:08:07 -0400 Subject: don't allow negative values for nice when running as regular user --- src/firejail/main.c | 2 ++ src/firejail/profile.c | 2 ++ src/man/firejail.txt | 3 ++- 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/src/firejail/main.c b/src/firejail/main.c index 54b9c05f0..3ba3dd531 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c 
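Review bot: Commenting out every Python 2 and Python 3 `blacklist` line in disable-devel.inc lifts that restriction for all profiles that include the file, not only for the firefox profile the new comment mentions. The comment says "temporarily", but nothing records what has to land before the lines return; a marker such as `# TODO: re-enable once noblacklist supports globbing` above the block would make the gap easy to find. Until then, profiles that relied on this include for interpreter blacklisting presumably need their own `blacklist` lines.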
@@ -1023,6 +1023,8 @@ int main(int argc, char **argv) { read_cpu_list(argv[i] + 6); else if (strncmp(argv[i], "--nice=", 7) == 0) { cfg.nice = atoi(argv[i] + 7); + if (getuid() != 0 &&cfg.nice < 0) + cfg.nice = 0; arg_nice = 1; } else if (strncmp(argv[i], "--cgroup=", 9) == 0) { diff --git a/src/firejail/profile.c b/src/firejail/profile.c index d564cd39c..2b3984a99 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -559,6 +559,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { // nice value if (strncmp(ptr, "nice ", 4) == 0) { cfg.nice = atoi(ptr + 5); + if (getuid() != 0 &&cfg.nice < 0) + cfg.nice = 0; arg_nice = 1; return 0; } diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 19415a332..6be278063 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -800,12 +800,13 @@ PID User RX(KB/s) TX(KB/s) Command .TP \fB\-\-nice=value Set nice value for all processes running inside the sandbox. +Only root may specify a negative value. .br .br Example: .br -$ firejail --nice=-5 firefox +$ firejail --nice=2 firefox .TP -- cgit v1.2.3-70-g09d2 From 7a00b97bf0073dd7fefc7f8ffebe25bdf431e153 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Tue, 3 May 2016 06:14:49 +1000 Subject: blacklisted g++ --- README | 1 + etc/disable-devel.inc | 2 ++ 2 files changed, 3 insertions(+) diff --git a/README b/README index 0ae06b5ed..c40f99210 100644 --- a/README +++ b/README @@ -69,6 +69,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - fixed HexChat and Atril profiles - fixed disable-common.inc for mate-terminal - blacklisted escape-happy terminals in disable-common.inc + - blacklisted g++ Petter Reinholdtsen (pere@hungry.com) - Opera profile patch n1trux (https://github.com/n1trux) diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc index 2805938d7..0c9d21d39 100644 --- a/etc/disable-devel.inc +++ b/etc/disable-devel.inc 
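Review bot: The clamp added in main.c acts on whatever `atoi(argv[i] + 7)` returns, so `--nice=abc` or an empty value silently becomes 0 and an out-of-range number goes undetected; the same pattern is added to the `nice` handler in profile.c. A negative request from a regular user is also reset to 0 without any message, which hides that the option was not honoured. Parsing with `strtol`, rejecting malformed input and warning when the value is clamped would make both paths explicit. The option loop in `main` starts and ends outside the hunk.

```c
else if (strncmp(argv[i], "--nice=", 7) == 0) {
	char *end;
	errno = 0;
	long val = strtol(argv[i] + 7, &end, 10);
	if (end == argv[i] + 7 || *end != '\0' || errno == ERANGE || val < -20 || val > 19) {
		fprintf(stderr, "Error: invalid nice value\n");
		exit(1);
	}
	// regular users may only lower their priority
	if (getuid() != 0 && val < 0) {
		fprintf(stderr, "Warning: only root may set a negative nice value, using 0\n");
		val = 0;
	}
	cfg.nice = (int) val;
	arg_nice = 1;
}
```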
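Review bot: The `nice` handler in profile.c compares only four bytes, `strncmp(ptr, "nice ", 4)`, but then reads the value from `ptr + 5`. Assuming `ptr` is a NUL-terminated line, a profile line that is exactly `nice` would match and make `atoi` start one byte past the terminator, and any keyword that merely begins with `nice` would be accepted as well. Comparing the whole prefix closes both cases: `if (strncmp(ptr, "nice ", 5) == 0) {`. profile_check_line continues outside the hunk.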
@@ -9,6 +9,8 @@ blacklist /usr/bin/c8* blacklist /usr/bin/c++* blacklist /usr/bin/ld blacklist /usr/bin/gdb +blacklist /usr/bin/g++* +blacklist /usr/bin/x86_64-linux-gnu-g++* # clang/llvm blacklist /usr/bin/clang* -- cgit v1.2.3-70-g09d2 From 87ae8e4cd596040c75009efeea1ed726d6a53c8c Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 2 May 2016 17:25:24 -0400 Subject: add Ubuntu snap application profile --- Makefile.in | 1 + README.md | 2 +- RELNOTES | 1 + etc/snap.profile | 13 +++++++++++++ platform/debian/conffiles | 1 + 5 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 etc/snap.profile diff --git a/Makefile.in b/Makefile.in index 6c70e5360..8a6e8fa01 100644 --- a/Makefile.in +++ b/Makefile.in @@ -178,6 +178,7 @@ realinstall: install -c -m 0644 .etc/google-play-music-desktop-player.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/quiterss.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/cyberfox.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/snap.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" rm -fr .etc diff --git a/README.md b/README.md index 8172a1798..c148608d9 100644 --- a/README.md +++ b/README.md @@ -283,6 +283,6 @@ $ man firejail-profile lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox, OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100, okular, gwenview, Gpredict, Aweather, Stellarium, Google-Play-Music-Desktop-Player, quiterss, -cyberfox +cyberfox, generic Ubuntu snap application profile 
diff --git a/RELNOTES b/RELNOTES index 0a5cc926d..b6304249f 100644 --- a/RELNOTES +++ b/RELNOTES @@ -23,6 +23,7 @@ firejail (0.9.40-rc1) baseline; urgency=low * new profiles: PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100 * new profiles: okular, gwenview, Google-Play-Music-Desktop-Player * new profiles: Aweather, Stellarium, gpredict, quiterss, cyberfox + * new profiles: generic Ubuntu snap application profile * build rpm packages using "make rpms" * bugfixes -- netblue30 Sun, 3 Apr 2016 08:00:00 -0500 diff --git a/etc/snap.profile b/etc/snap.profile new file mode 100644 index 000000000..b7e6d9b19 --- /dev/null +++ b/etc/snap.profile @@ -0,0 +1,13 @@ +################################ +# Generic Ubuntu snap application profile +################################ +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +whitelist ~/snap +include /etc/firejail/whitelist-common.inc + +caps.keep chown,sys_admin + + diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 2456d8a90..11d583ec3 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -93,3 +93,4 @@ /etc/firejail/google-play-music-desktop-player.profile /etc/firejail/quiterss.profile /etc/firejail/cyberfox.profile +/etc/firejail/snap.profile -- cgit v1.2.3-70-g09d2 From 57bea6c8c4d1bd666ce57057b1cbb681b3cc4afc Mon Sep 17 00:00:00 2001 
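Review bot: `caps.keep chown,sys_admin` in the new etc/snap.profile retains CAP_SYS_ADMIN, which covers mount and many other administrative operations, for every application started with this generic profile. The file gives no reason for it and contains no `seccomp` line, so that capability is the widest privilege left inside the sandbox. A comment naming the operation that needs it, for example `# sys_admin: needed for <operation> - TODO document`, would let a later reviewer narrow or drop it.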
From: netblue30 Date: Tue, 3 May 2016 08:41:24 -0400 Subject: networking features testing --- test/4bridges_arp.exp | 170 ----------------------------------- test/4bridges_ip.exp | 174 ------------------------------------ test/bandwidth.exp | 62 ------------- test/hostname.exp | 25 ------ test/ip6.exp | 43 --------- test/ipv6.net | 8 -- test/net-profile.profile | 10 --- test/net_arp.exp | 71 --------------- test/net_badip.exp | 16 ---- test/net_defaultgw.exp | 46 ---------- test/net_defaultgw2.exp | 40 --------- test/net_defaultgw3.exp | 17 ---- test/net_interface.exp | 88 ------------------ test/net_ip.exp | 72 --------------- test/net_local.exp | 45 ---------- test/net_mac.exp | 36 -------- test/net_macvlan.exp | 88 ------------------ test/net_mtu.exp | 30 ------- test/net_netfilter.exp | 88 ------------------ test/net_noip.exp | 41 --------- test/net_noip2.exp | 41 --------- test/net_none.exp | 68 -------------- test/net_none.profile | 1 - test/net_profile.exp | 73 --------------- test/netfilter.filter | 6 -- test/netfilter.profile | 1 - test/network/4bridges_arp.exp | 170 +++++++++++++++++++++++++++++++++++ test/network/4bridges_ip.exp | 174 ++++++++++++++++++++++++++++++++++++ test/network/bandwidth.exp | 62 +++++++++++++ test/network/hostname.exp | 25 ++++++ test/network/ip6.exp | 43 +++++++++ test/network/ipv6.net | 8 ++ test/network/net-profile.profile | 10 +++ test/network/net_arp.exp | 71 +++++++++++++++ test/network/net_badip.exp | 16 ++++ test/network/net_defaultgw.exp | 46 ++++++++++ test/network/net_defaultgw2.exp | 40 +++++++++ test/network/net_defaultgw3.exp | 17 ++++ test/network/net_interface.exp | 88 ++++++++++++++++++ test/network/net_ip.exp | 72 +++++++++++++++ test/network/net_local.exp | 45 ++++++++++ test/network/net_mac.exp | 36 ++++++++ test/network/net_macvlan.exp | 88 ++++++++++++++++++ test/network/net_mtu.exp | 30 +++++++ test/network/net_netfilter.exp | 88 ++++++++++++++++++ test/network/net_noip.exp | 41 +++++++++ 
test/network/net_noip2.exp | 41 +++++++++ test/network/net_none.exp | 68 ++++++++++++++ test/network/net_none.profile | 1 + test/network/net_profile.exp | 73 +++++++++++++++ test/network/netfilter.filter | 6 ++ test/network/netfilter.profile | 1 + test/profile_followlnk.exp | 68 -------------- test/profile_noperm.exp | 13 --- test/profile_readonly.exp | 64 ------------- test/profiles/profile_followlnk.exp | 37 ++++++++ test/profiles/profile_noperm.exp | 13 +++ test/profiles/profile_readonly.exp | 36 ++++++++ test/profiles/profiles.sh | 9 ++ test/profiles/readonly-lnk.profile | 2 + test/profiles/readonly.profile | 2 + test/readonly-lnk.profile | 2 - test/readonly.profile | 2 - test/test.sh | 11 --- 64 files changed, 1459 insertions(+), 1520 deletions(-) delete mode 100755 test/4bridges_arp.exp delete mode 100755 test/4bridges_ip.exp delete mode 100755 test/bandwidth.exp delete mode 100755 test/hostname.exp delete mode 100755 test/ip6.exp delete mode 100644 test/ipv6.net delete mode 100644 test/net-profile.profile delete mode 100755 test/net_arp.exp delete mode 100755 test/net_badip.exp delete mode 100755 test/net_defaultgw.exp delete mode 100755 test/net_defaultgw2.exp delete mode 100755 test/net_defaultgw3.exp delete mode 100755 test/net_interface.exp delete mode 100755 test/net_ip.exp delete mode 100755 test/net_local.exp delete mode 100755 test/net_mac.exp delete mode 100755 test/net_macvlan.exp delete mode 100755 test/net_mtu.exp delete mode 100755 test/net_netfilter.exp delete mode 100755 test/net_noip.exp delete mode 100755 test/net_noip2.exp delete mode 100755 test/net_none.exp delete mode 100644 test/net_none.profile delete mode 100755 test/net_profile.exp delete mode 100644 test/netfilter.filter delete mode 100644 test/netfilter.profile create mode 100755 test/network/4bridges_arp.exp create mode 100755 test/network/4bridges_ip.exp create mode 100755 test/network/bandwidth.exp create mode 100755 test/network/hostname.exp create mode 100755 
test/network/ip6.exp create mode 100644 test/network/ipv6.net create mode 100644 test/network/net-profile.profile create mode 100755 test/network/net_arp.exp create mode 100755 test/network/net_badip.exp create mode 100755 test/network/net_defaultgw.exp create mode 100755 test/network/net_defaultgw2.exp create mode 100755 test/network/net_defaultgw3.exp create mode 100755 test/network/net_interface.exp create mode 100755 test/network/net_ip.exp create mode 100755 test/network/net_local.exp create mode 100755 test/network/net_mac.exp create mode 100755 test/network/net_macvlan.exp create mode 100755 test/network/net_mtu.exp create mode 100755 test/network/net_netfilter.exp create mode 100755 test/network/net_noip.exp create mode 100755 test/network/net_noip2.exp create mode 100755 test/network/net_none.exp create mode 100644 test/network/net_none.profile create mode 100755 test/network/net_profile.exp create mode 100644 test/network/netfilter.filter create mode 100644 test/network/netfilter.profile delete mode 100755 test/profile_followlnk.exp delete mode 100755 test/profile_noperm.exp delete mode 100755 test/profile_readonly.exp create mode 100755 test/profiles/profile_followlnk.exp create mode 100755 test/profiles/profile_noperm.exp create mode 100755 test/profiles/profile_readonly.exp create mode 100644 test/profiles/readonly-lnk.profile create mode 100644 test/profiles/readonly.profile delete mode 100644 test/readonly-lnk.profile delete mode 100644 test/readonly.profile diff --git a/test/4bridges_arp.exp b/test/4bridges_arp.exp deleted file mode 100755 index 6a3e6db2a..000000000 --- a/test/4bridges_arp.exp +++ /dev/null 
@@ -1,170 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-# check eth0
-send -- "firejail --net=br0 --net=br1 --net=br2 --net=br3\r"
-expect {
- timeout {puts "TESTING ERROR 0.0\n";exit}
- "eth0"
-}
-expect {
- timeout {puts "TESTING ERROR 0.1\n";exit}
- "10.10.20"
-}
-expect {
- timeout {puts "TESTING ERROR 0.2\n";exit}
- "255.255.255.248"
-}
-expect {
- timeout {puts "TESTING ERROR 0.3\n";exit}
- "UP"
-}
-expect {
- timeout {puts "TESTING ERROR 0.4\n";exit}
- "Child process initialized"
-}
-sleep 2
-send -- "exit\r"
-sleep 2
-
-# check eth1
-send -- "firejail --net=br0 --net=br1 --net=br2 --net=br3\r"
-expect {
- timeout {puts "TESTING ERROR 1.0\n";exit}
- "eth1"
-}
-expect {
- timeout {puts "TESTING ERROR 1.1\n";exit}
- "10.10.30"
-}
-expect {
- timeout {puts "TESTING ERROR 1.2\n";exit}
- "255.255.255.0"
-}
-expect {
- timeout {puts "TESTING ERROR 1.3\n";exit}
- "UP"
-}
-expect {
- timeout {puts "TESTING ERROR 1.4\n";exit}
- "Child process initialized"
-}
-sleep 2
-send -- "exit\r"
-sleep 2
-
-
-# check eth2
-send -- "firejail --net=br0 --net=br1 --net=br2 --net=br3\r"
-expect {
- timeout {puts "TESTING ERROR 2.0\n";exit}
- "eth2"
-}
-expect {
- timeout {puts "TESTING ERROR 2.1\n";exit}
- "10.10.40"
-}
-expect {
- timeout {puts "TESTING ERROR 2.2\n";exit}
- "255.255.255.0"
-}
-expect {
- timeout {puts "TESTING ERROR 2.3\n";exit}
- "UP"
-}
-expect {
- timeout {puts "TESTING ERROR 2.4\n";exit}
- "Child process initialized"
-}
-sleep 2
-send -- "exit\r"
-sleep 2
-
-
-
-# check eth3
-send -- "firejail --net=br0 --net=br1 --net=br2 --net=br3\r"
-expect {
- timeout {puts "TESTING ERROR 3.0\n";exit}
- "eth3"
-}
-expect {
- timeout {puts "TESTING ERROR 3.1\n";exit}
- "10.10.50"
-}
-expect {
- timeout {puts "TESTING ERROR 3.2\n";exit}
- "255.255.255.0"
-}
-expect {
- timeout {puts "TESTING ERROR 3.3\n";exit}
- "UP"
-}
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
-}
-sleep 2
-send -- "exit\r"
-sleep 2
-
-
-
-
-# check loopback
-send -- "firejail --net=br0 --net=br1 --net=br2 --net=br3 --protocol=unix,inet,netlink\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "lo"
-}
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- "127.0.0.1"
-}
-expect {
- timeout {puts "TESTING ERROR 7\n";exit}
- "255.0.0.0"
-}
-expect {
- timeout {puts "TESTING ERROR 8\n";exit}
- "UP"
-}
-expect {
- timeout {puts "TESTING ERROR 9\n";exit}
- "Child process initialized"
-}
-sleep 1
-
-# check default gateway
-send -- "ip route show\r"
-expect {
- timeout {puts "TESTING ERROR 10.1\n";exit}
- "default via 10.10.20.1 dev eth0"
-}
-send -- "ip route show\r"
-expect {
- timeout {puts "TESTING ERROR 10.2\n";exit}
- "10.10.20.0/29 dev eth0 proto kernel scope link"
-}
-send -- "ip route show\r"
-expect {
- timeout {puts "TESTING ERROR 10.2\n";exit}
- "10.10.30.0/24 dev eth1 proto kernel scope link"
-}
-send -- "ip route show\r"
-expect {
- timeout {puts "TESTING ERROR 10.2\n";exit}
- "10.10.40.0/24 dev eth2 proto kernel scope link"
-}
-send -- "ip route show\r"
-expect {
- timeout {puts "TESTING ERROR 10.2\n";exit}
- "10.10.50.0/24 dev eth3 proto kernel scope link"
-}
-sleep 1
-
-puts "\nall done\n"
-
diff --git a/test/4bridges_ip.exp b/test/4bridges_ip.exp
deleted file mode 100755
index 8068aeebb..000000000
--- a/test/4bridges_ip.exp
+++ /dev/null
@@ -1,174 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-# check eth0
-send -- "firejail --net=br0 --net=br1 --ip=10.10.30.50 --net=br2 --ip=10.10.40.100 --net=br3\r"
-expect {
- timeout {puts "TESTING ERROR 0.0\n";exit}
- "eth0"
-}
-expect {
- timeout {puts "TESTING ERROR 0.1\n";exit}
- "10.10.20"
-}
-expect {
- timeout {puts "TESTING ERROR 0.2\n";exit}
- "255.255.255.248"
-}
-expect {
- timeout {puts "TESTING ERROR 0.3\n";exit}
- "UP"
-}
-expect {
- timeout {puts "TESTING ERROR 0.4\n";exit}
- "Child process initialized"
-}
-sleep 2
-send -- "exit\r"
-sleep 2
-
-# check eth1
-send -- "firejail --net=br0 --net=br1 --ip=10.10.30.50 --net=br2 --ip=10.10.40.100 --net=br3\r"
-expect {
- timeout {puts "TESTING ERROR 1.0\n";exit}
- "eth1"
-}
-expect {
- timeout {puts "TESTING ERROR 1.1\n";exit}
- "10.10.30.50"
-}
-expect {
- timeout {puts "TESTING ERROR 1.2\n";exit}
- "255.255.255.0"
-}
-expect {
- timeout {puts "TESTING ERROR 1.3\n";exit}
- "UP"
-}
-expect {
- timeout {puts "TESTING ERROR 1.4\n";exit}
- "Child process initialized"
-}
-sleep 2
-send -- "exit\r"
-sleep 2
-
-
-# check eth2
-send -- "firejail --net=br0 --net=br1 --ip=10.10.30.50 --net=br2 --ip=10.10.40.100 --net=br3\r"
-expect {
- timeout {puts "TESTING ERROR 2.0\n";exit}
- "eth2"
-}
-expect {
- timeout {puts "TESTING ERROR 2.1\n";exit}
- "10.10.40.100"
-}
-expect {
- timeout {puts "TESTING ERROR 2.2\n";exit}
- "255.255.255.0"
-}
-expect {
- timeout {puts "TESTING ERROR 2.3\n";exit}
- "UP"
-}
-expect {
- timeout {puts "TESTING ERROR 2.4\n";exit}
- "Child process initialized"
-}
-sleep 2
-send -- "exit\r"
-sleep 2
-
-
-
-# check eth3
-send -- "firejail --net=br0 --net=br1 --ip=10.10.30.50 --net=br2 --ip=10.10.40.100 --net=br3\r"
-expect {
- timeout {puts "TESTING ERROR 3.0\n";exit}
- "eth3"
-}
-expect {
- timeout {puts "TESTING ERROR 3.1\n";exit}
- "10.10.50"
-}
-expect {
- timeout {puts "TESTING ERROR 3.2\n";exit}
- "255.255.255.0"
-}
-expect {
- timeout {puts "TESTING ERROR 3.3\n";exit}
- "UP"
-}
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
-}
-sleep 2
-send -- "exit\r"
-sleep 2
-
-
-
-
-# check loopback
-send -- "firejail --net=br0 --net=br1 --ip=10.10.30.50 --net=br2 --ip=10.10.40.100 --net=br3 --protocol=unix,inet,netlink\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "lo"
-}
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- "127.0.0.1"
-}
-expect {
- timeout {puts "TESTING ERROR 7\n";exit}
- "255.0.0.0"
-}
-expect {
- timeout {puts "TESTING ERROR 8\n";exit}
- "UP"
-}
-expect {
- timeout {puts "TESTING ERROR 9\n";exit}
- "Child process initialized"
-}
-
-# check default gateway
-send -- "ip route show\r"
-expect {
- timeout {puts "TESTING ERROR 10.1\n";exit}
- "default via 10.10.20.1 dev eth0"
-}
-
-send -- "ip route show\r"
-expect {
- timeout {puts "TESTING ERROR 10.2\n";exit}
- "10.10.20.0/29 dev eth0 proto kernel scope link"
-}
-
-send -- "ip route show\r"
-expect {
- timeout {puts "TESTING ERROR 10.3\n";exit}
- "10.10.30.0/24 dev eth1 proto kernel scope link src 10.10.30.50"
-}
-
-send -- "ip route show\r"
-expect {
- timeout {puts "TESTING ERROR 10.4\n";exit}
- "10.10.40.0/24 dev eth2 proto kernel scope link src 10.10.40.100"
-}
-
-send -- "ip route show\r"
-expect {
- timeout {puts "TESTING ERROR 10.5\n";exit}
- "10.10.50.0/24 dev eth3 proto kernel scope link"
-}
-
-sleep 1
-
-puts "\nall done\n"
-
diff --git a/test/bandwidth.exp b/test/bandwidth.exp
deleted file mode 100755
index 33b351296..000000000
--- a/test/bandwidth.exp
+++ /dev/null
@@ -1,62 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --name=test --net=br0\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "firejail --bandwidth=test status\r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "qdisc noqueue 0: dev eth0"
-}
-sleep 1
-
-send -- "firejail --bandwidth=test set br0 50 10\r"
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "Configuring interface eth0"
-}
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "configuring tc ingress"
-}
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "configuring tc egress"
-}
-
-send -- "firejail --bandwidth=test status\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "dev eth0"
-}
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- "rate 80Kbit burst 10Kb"
-}
-sleep 1
-
-send -- "firejail --bandwidth=test clear br0\r"
-expect {
- timeout {puts "TESTING ERROR 7\n";exit}
- "Removing bandwith limits"
-}
-sleep 1
-
-send -- "firejail --bandwidth=test status; pwd\r"
-expect {
- timeout {puts "TESTING ERROR 8\n";exit}
- "rate 80Kbit burst 10Kb" {puts "TESTING ERROR 9\n";exit}
- "home" {puts "ok\n"}
-}
-sleep 1
-
-puts "\nall done\n"
diff --git a/test/hostname.exp b/test/hostname.exp
deleted file mode 100755
index 4e5c7e073..000000000
--- a/test/hostname.exp
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --hostname=baluba --noprofile\r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
-}
-sleep 1
-
-send -- "ping -c 3 baluba;pwd\r"
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "3 packets transmitted, 3 received"
-}
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "home"
-}
-sleep 1
-
-puts "all done\n"
diff --git a/test/ip6.exp b/test/ip6.exp
deleted file mode 100755
index fba47d095..000000000
--- a/test/ip6.exp
+++ /dev/null
@@ -1,43 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --debug --noprofile --net=br0 --ip6=2001:0db8:0:f101::1/64 --netfilter6=ipv6.net\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Installing network filter"
-}
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "DROP"
-}
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "2001:db8:1f0a:3ec::2"
-}
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "Child process initialized"
-}
-sleep 2
-
-send -- "/sbin/ifconfig\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "inet6"
-}
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "2001:db8:0:f101::1"
-}
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- "Scope:Global" { puts "Debian\n"}
- "scopeid 0x0" { puts "Arch\n"}
-}
-
-
-puts "\nall done\n"
-
diff --git a/test/ipv6.net b/test/ipv6.net
deleted file mode 100644
index cc8f22943..000000000
--- a/test/ipv6.net
+++ /dev/null
@@ -1,8 +0,0 @@
-# Generated by ip6tables-save v1.4.14 on Wed Jan 13 10:53:40 2016
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
--A INPUT -s 2001:db8:1f0a:3ec::2/128 -j DROP
-COMMIT
-# Completed on Wed Jan 13 10:53:40 2016
diff --git a/test/net-profile.profile b/test/net-profile.profile
deleted file mode 100644
index 05052b6dc..000000000
--- a/test/net-profile.profile
+++ /dev/null
@@ -1,10 +0,0 @@
-net br0
-mac 00:11:22:33:44:55
-mtu 1000
-net br1
-ip 10.10.30.50
-net br2
-ip 10.10.40.100
-net br3
-defaultgw 10.10.20.2
-
diff --git a/test/net_arp.exp b/test/net_arp.exp
deleted file mode 100755
index 9e07744f3..000000000
--- a/test/net_arp.exp
+++ /dev/null
@@ -1,71 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --net=br0 sleep 20 &\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
-}
-send -- "firejail --net=br0 sleep 20 &\r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
-}
-send -- "firejail --net=br0 sleep 20 &\r"
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "Child process initialized"
-}
-send -- "firejail --net=br0 sleep 20 &\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "Child process initialized"
-}
-send -- "firejail --net=br0 sleep 20 &\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
-}
-
-# will fail
-send -- "firejail --net=br0 sleep 20 &\r"
-expect {
- timeout {puts "TESTING ERROR 5n";exit}
- "cannot assign an IP address"
-}
-
-send -- "firejail --net=br0 sleep 20 &\r"
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- "cannot assign an IP address"
-}
-
-# check firejail --list
-send -- "firejail --list\r"
-expect {
- timeout {puts "TESTING ERROR 7.1\n";exit}
- "sleep 20"
-}
-expect {
- timeout {puts "TESTING ERROR 7.2\n";exit}
- "sleep 20"
-}
-expect {
- timeout {puts "TESTING ERROR 7.3\n";exit}
- "sleep 20"
-}
-expect {
- timeout {puts "TESTING ERROR 7.4\n";exit}
- "sleep 20"
-}
-expect {
- timeout {puts "TESTING ERROR 7.5\n";exit}
- "sleep 20"
-}
-
-# wait for snadboxes to be shutdown
-sleep 30
-puts "\n"
diff --git a/test/net_badip.exp b/test/net_badip.exp
deleted file mode 100755
index 71b69e104..000000000
--- a/test/net_badip.exp
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-# check eth0
-send -- "firejail --net=br0 --net=br1 --ip=10.100.10.47\r"
-expect {
- timeout {puts "TESTING ERROR 0.0\n";exit}
- "the IP address is not"
-}
-sleep 1
-
-puts "\n"
-
diff --git a/test/net_defaultgw.exp b/test/net_defaultgw.exp
deleted file mode 100755
index 840f2ccac..000000000
--- a/test/net_defaultgw.exp
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-# check ip address
-send -- "firejail --net=br0 --ip=10.10.20.5 --defaultgw=10.10.20.2 --protocol=unix,inet,netlink\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "eth0"
-}
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "10.10.20.5"
-}
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "255.255.255.248"
-}
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "UP"
-}
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
-}
-sleep 1
-
-# check default gateway
-send -- "ip route show\r"
-expect {
- timeout {puts "TESTING ERROR 10.1\n";exit}
- "default via 10.10.20.2 dev eth0"
-}
-
-send -- "ip route show\r"
-expect {
- timeout {puts "TESTING ERROR 10.2\n";exit}
- "10.10.20.0/29 dev eth0 proto kernel scope link"
-}
-sleep 1
-
-puts "\nall done\n"
-
diff --git a/test/net_defaultgw2.exp b/test/net_defaultgw2.exp
deleted file mode 100755
index db14e17cb..000000000
--- a/test/net_defaultgw2.exp
+++ /dev/null
@@ -1,40 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-# check ip address
-send -- "firejail --net=br0 --net=br1 --defaultgw=10.10.30.89 --protocol=unix,inet,netlink\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "eth1"
-}
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
-}
-sleep 1
-
-# check default gateway
-send -- "ip route show\r"
-expect {
- timeout {puts "TESTING ERROR 10.1\n";exit}
- "default via 10.10.30.89 dev eth1"
-}
-
-send -- "ip route show\r"
-expect {
- timeout {puts "TESTING ERROR 10.2\n";exit}
- "10.10.20.0/29 dev eth0 proto kernel scope link"
-}
-
-send -- "ip route show\r"
-expect {
- timeout {puts "TESTING ERROR 10.3\n";exit}
- "10.10.30.0/24 dev eth1 proto kernel scope link"
-}
-sleep 1
-
-puts "\nall done\n"
-
diff --git a/test/net_defaultgw3.exp b/test/net_defaultgw3.exp
deleted file mode 100755
index 64da9dfca..000000000
--- a/test/net_defaultgw3.exp
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-# check ip address
-send -- "firejail --net=br0 --net=br1 --defaultgw=10.10.95.89\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "default gateway 10.10.95.89 is not in the range of any network"
-}
-
-sleep 1
-
-puts "\n"
-
diff --git a/test/net_interface.exp b/test/net_interface.exp
deleted file mode 100755
index 4b55187ff..000000000
--- a/test/net_interface.exp
+++ /dev/null
@@ -1,88 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "ip link add link eth0 name eth0.100 type vlan id 100\r"
-sleep 1
-send -- "ip link add link eth0 name eth0.101 type vlan id 101\r"
-sleep 1
-send -- "ip link add link eth0 name eth0.102 type vlan id 102\r"
-sleep 1
-send -- "ip link add link eth0 name eth0.103 type vlan id 103\r"
-sleep 1
-send -- "ip link add link eth0 name eth0.104 type vlan id 104\r"
-sleep 1
-puts "\n"
-
-send -- "/sbin/ifconfig eth0.100 10.200.0.1/24\r"
-sleep 1
-send -- "/sbin/ifconfig eth0.101 10.200.1.1/24\r"
-sleep 1
-send -- "/sbin/ifconfig eth0.102 10.200.2.1/24\r"
-sleep 1
-send -- "/sbin/ifconfig eth0.103 10.200.3.1/24\r"
-sleep 1
-send -- "/sbin/ifconfig eth0.104 10.200.4.1/24\r"
-sleep 1
-puts "\n"
-
-
-
-send -- "firejail --noprofile --interface=eth0.100 --interface=eth0.101 --interface=eth0.102 --interface=eth0.103 --interface=eth0.104\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "maximum 4 interfaces are allowed"
-}
-sleep 1
-
-send -- "firejail --noprofile --interface=eth0.100 --interface=eth0.101 --interface=eth0.102 --interface=eth0.103\r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "eth0.100"
-}
-expect {
- timeout {puts "TESTING ERROR 1.1\n";exit}
- "UP"
-}
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "eth0.101"
-}
-expect {
- timeout {puts "TESTING ERROR 2.2\n";exit}
- "UP"
-}
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "eth0.102"
-}
-expect {
- timeout {puts "TESTING ERROR 3.1\n";exit}
- "UP"
-}
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "eth0.103"
-}
-expect {
- timeout {puts "TESTING ERROR 4.1\n";exit}
- "UP"
-}
-sleep 1
-send -- "exit\r"
-sleep 1
-
-send -- "firejail --noprofile --interface=eth0.104\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "eth0.104"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1\n";exit}
- "UP"
-}
-
-puts "all done\n"
-
diff --git a/test/net_ip.exp b/test/net_ip.exp
deleted file mode 100755
index f5d487ecc..000000000
--- a/test/net_ip.exp
+++ /dev/null
@@ -1,72 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-# check ip address
-send -- "firejail --net=br0 --ip=10.10.20.5\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "eth0"
-}
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "10.10.20.5"
-}
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "255.255.255.248"
-}
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "UP"
-}
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
-}
-sleep 2
-send -- "exit\r"
-sleep 2
-
-# check loopback
-send -- "firejail --net=br0 --ip=10.10.20.5 --protocol=unix,inet,netlink\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "lo"
-}
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- "127.0.0.1"
-}
-expect {
- timeout {puts "TESTING ERROR 7\n";exit}
- "255.0.0.0"
-}
-expect {
- timeout {puts "TESTING ERROR 8\n";exit}
- "UP"
-}
-expect {
- timeout {puts "TESTING ERROR 9\n";exit}
- "Child process initialized"
-}
-sleep 1
-
-# check default gateway
-send -- "ip route show\r"
-expect {
- timeout {puts "TESTING ERROR 10.1\n";exit}
- "default via 10.10.20.1 dev eth0"
-}
-
-send -- "ip route show\r"
-expect {
- timeout {puts "TESTING ERROR 10\n";exit}
- "10.10.20.0/29 dev eth0 proto kernel scope link"
-}
-sleep 1
-
-puts "\n"
-
diff --git a/test/net_local.exp b/test/net_local.exp
deleted file mode 100755
index 642213658..000000000
--- a/test/net_local.exp
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-# check ip address
-send -- "firejail --noprofile --debug\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Using the local network stack"
-}
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
-}
-sleep 2
-send -- "exit\r"
-sleep 2
-
-# check loopback
-send -- "firejail --noprofile\r"
-expect {
- timeout {puts "TESTING ERROR 9\n";exit}
- "Child process initialized"
-}
-sleep 1
-
-
-send -- "/sbin/ifconfig\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "lo"
-}
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- "127.0.0.1"
-}
-expect {
- timeout {puts "TESTING ERROR 7\n";exit}
- "255.0.0.0"
-}
-
-puts "all done\n"
-
diff --git a/test/net_mac.exp b/test/net_mac.exp
deleted file mode 100755
index 076634730..000000000
--- a/test/net_mac.exp
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-# check ip address
-send -- "firejail --net=br0 --ip=10.10.20.5 --mac=00:11:22:33:44:55\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "eth0"
-}
-expect {
- timeout {puts "TESTING ERROR 0.1\n";exit}
- "00:11:22:33:44:55"
-}
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "10.10.20.5"
-}
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "255.255.255.248"
-}
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "UP"
-}
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
-}
-sleep 1
-
-puts "\nall done\n"
-
diff --git a/test/net_macvlan.exp b/test/net_macvlan.exp
deleted file mode 100755
index 20d022de9..000000000
--- a/test/net_macvlan.exp
+++ /dev/null
@@ -1,88 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-# check the existing address
-spawn $env(SHELL)
-send -- "firejail --net=eth0 --ip=192.168.1.60\r"
-expect {
- timeout {puts "TESTING ERROR 1.1\n";puts "Please open a sandbox on 192.168.1.60\n";exit}
- "the address 192.168.1.60 is already in use"
-}
-
-
-
-# grab 30 ip addresses
-set MAXi 229
-set i 200
-while { $i <= $MAXi } {
- spawn $env(SHELL)
- send -- "firejail --net=eth0 --ip=192.168.1.$i\r"
- expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
- }
- incr i
- after 100
-}
-
-
-# check an existing address
-spawn $env(SHELL)
-send -- "firejail --net=eth0 --ip=192.168.1.200\r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "the address 192.168.1.200 is already in use"
-}
-
-
-set MAXi 254
-set i 2
-while { $i <= $MAXi } {
- spawn $env(SHELL)
- send -- "firejail --net=eth0\r"
- expect {
- timeout {puts "TESTING ERROR 2.1\n";exit}
- "192.168.1.60" {puts "TESTING ERROR 2.2\n";exit}
- "192.168.1.200" {puts "TESTING ERROR 3\n";exit}
- "192.168.1.201" {puts "TESTING ERROR 3\n";exit}
- "192.168.1.202" {puts "TESTING ERROR 3\n";exit}
- "192.168.1.203" {puts "TESTING ERROR 3\n";exit}
- "192.168.1.204" {puts "TESTING ERROR 3\n";exit}
- "192.168.1.205" {puts "TESTING ERROR 3\n";exit}
- "192.168.1.206" {puts "TESTING ERROR 3\n";exit}
- "192.168.1.207" {puts "TESTING ERROR 3\n";exit}
- "192.168.1.208" {puts "TESTING ERROR 3\n";exit}
- "192.168.1.209" {puts "TESTING ERROR 3\n";exit}
- "192.168.1.210" {puts "TESTING ERROR 3\n";exit}
- "192.168.1.211" {puts "TESTING ERROR 3\n";exit}
- "192.168.1.212" {puts "TESTING ERROR 3\n";exit}
- "192.168.1.213" {puts "TESTING ERROR 3\n";exit}
- "192.168.1.214" {puts "TESTING ERROR 3\n";exit}
- "192.168.1.215" {puts "TESTING ERROR 3\n";exit}
- "192.168.1.216" {puts "TESTING ERROR 3\n";exit}
- "192.168.1.217" {puts "TESTING ERROR 3\n";exit}
- "192.168.1.218" {puts "TESTING ERROR 3\n";exit}
- "192.168.1.219" {puts "TESTING ERROR 3\n";exit}
- "192.168.1.220" {puts "TESTING ERROR 3\n";exit}
- "192.168.1.221" {puts "TESTING ERROR 3\n";exit}
- "192.168.1.222" {puts "TESTING ERROR 3\n";exit}
- "192.168.1.223" {puts "TESTING ERROR 3\n";exit}
- "192.168.1.224" {puts "TESTING ERROR 3\n";exit}
- "192.168.1.225" {puts "TESTING ERROR 3\n";exit}
- "192.168.1.226" {puts "TESTING ERROR 3\n";exit}
- "192.168.1.227" {puts "TESTING ERROR 3\n";exit}
- "192.168.1.228" {puts "TESTING ERROR 3\n";exit}
- "192.168.1.229" {puts "TESTING ERROR 3\n";exit}
- "Child process initialized"
- }
- puts "************ $i ******************\n"
- incr i
- after 100
-# sleep 1
-}
-
-puts "\n"
-
diff --git a/test/net_mtu.exp b/test/net_mtu.exp
deleted file mode 100755
index 7943b2866..000000000
--- a/test/net_mtu.exp
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-# check ip address
-send -- "firejail --net=br0 --mtu=1000 --noprofile\r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
-}
-sleep 1
-
-send -- "ip link show\r"
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "eth0"
-}
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "mtu 1000"
-}
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "state UP"
-}
-
-puts "\nall done\n"
-
diff --git a/test/net_netfilter.exp b/test/net_netfilter.exp
deleted file mode 100755
index 989fcc407..000000000
--- a/test/net_netfilter.exp
+++ /dev/null
@@ -1,88 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-# check default netfilter on br0
-send -- "firejail --debug --noprofile --net=br0 --ip=10.10.20.5 --netfilter\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Installing network filter"
-}
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "Chain INPUT (policy DROP"
-}
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "ACCEPT all -- any any anywhere"
-}
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "ACCEPT icmp -- any any anywhere"
-}
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
-}
-sleep 2
-send -- "exit\r"
-sleep 1
-
-# check default netfilter no new network
-send -- "firejail --debug --noprofile --netfilter\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "Installing network filter" {puts "TESTING ERROR 5.1\n";exit}
- "Chain INPUT (policy DROP" {puts "TESTING ERROR 5.1\n";exit}
- "ACCEPT all -- any any anywhere" {puts "TESTING ERROR 5.1\n";exit}
- "ACCEPT icmp -- any any anywhere" {puts "TESTING ERROR 5.1\n";exit}
- "Child process initialized"
-}
-sleep 2
-send -- "exit\r"
-sleep 1
-
-# check file filter netfilter on br0
-send -- "firejail --debug --noprofile --net=br0 --ip=10.10.20.5 --netfilter=netfilter.filter\r"
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- "Installing network filter"
-}
-expect {
- timeout {puts "TESTING ERROR 6.1\n";exit}
- "Child process initialized"
-}
-sleep 2
-send -- "ping -c 1 -w 3 10.10.20.1\r"
-expect {
- timeout {puts "TESTING ERROR 6.2\n";exit}
- "0 received, 100% packet loss"
-}
-
-send -- "exit\r"
-sleep 1
-
-# check profile netfilter on br0
-send -- "firejail --debug --net=br0 --ip=10.10.20.5 --profile=netfilter.profile\r"
-expect {
- timeout {puts "TESTING ERROR 7\n";exit}
- "Installing network filter"
-}
-expect {
- timeout {puts "TESTING ERROR 7.1\n";exit}
- "Child process initialized"
-}
-sleep 2
-send -- "ping -c 1 -w 3 10.10.20.1\r"
-expect {
- timeout {puts "TESTING ERROR 7.2\n";exit}
- "0 received, 100% packet loss"
-}
-
-send -- "exit\r"
-after 100
-
-puts "all done\n"
-
diff --git a/test/net_noip.exp b/test/net_noip.exp
deleted file mode 100755
index 8d28adb39..000000000
--- a/test/net_noip.exp
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-# check ip address
-send -- "firejail --noprofile --net=br0 --ip=none\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "eth0" {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
-}
-sleep 1
-send -- "bash\r"
-sleep 1
-
-# no default gateway configured
-send -- "netstat -rn;pwd\r"
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "0.0.0.0" {puts "TESTING ERROR 3\n";exit}
- "eth0" {puts "TESTING ERROR 4\n";exit}
- "home"
-}
-sleep 1
-
-# eth0 configured
-send -- "/sbin/ifconfig;pwd\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "eth0"
-}
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- "home"
-}
-after 100
-
-puts "all done\n"
-
diff --git a/test/net_noip2.exp b/test/net_noip2.exp
deleted file mode 100755
index 58f90422b..000000000
--- a/test/net_noip2.exp
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-# check ip address
-send -- "firejail --noprofile --net=br1 --ip=none --defaultgw=10.10.30.78\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "eth0" {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
-}
-sleep 1
-send -- "bash\r"
-sleep 1
-
-# no default gateway configured
-send -- "netstat -rn;pwd\r"
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "0.0.0.0" {puts "TESTING ERROR 3\n";exit}
- "eth0" {puts "TESTING ERROR 4\n";exit}
- "home"
-}
-sleep 1
-
-# eth0 configured
-send -- "/sbin/ifconfig;pwd\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "eth0"
-}
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- "home"
-}
-after 100
-
-puts "all done\n"
-
diff --git a/test/net_none.exp b/test/net_none.exp
deleted file mode 100755
index 54b6cb946..000000000
--- a/test/net_none.exp
+++ /dev/null
@@ -1,68 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-# options
-send -- "firejail --net=none\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "eth0" {puts "TESTING ERROR 0.1\n";exit}
- "Child process initialized"
-}
-sleep 1
-
-# test default gw
-send -- "bash\r"
-sleep 1
-send -- "netstat -rn; pwd\r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "0.0.0.0" {puts "TESTING ERROR 1.1\n";exit}
- "home"
-}
-sleep 1
-
-# check again devices
-send -- "cat /proc/1/net/dev;pwd\r"
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "eth0" {puts "TESTING ERROR 2.1\n";exit}
- "home"
-}
-send -- "exit\r"
-sleep 1
-send -- "exit\r"
-sleep 1
-
-# profile
-send -- "firejail --profile=net_none.profile\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "eth0" {puts "TESTING ERROR 3.1\n";exit}
- "Child process initialized"
-}
-sleep 1
-
-# test default gw
-send -- "bash\r"
-sleep 1
-send -- "netstat -rn; pwd\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "0.0.0.0" {puts "TESTING ERROR 4.1\n";exit}
- "home"
-}
-sleep 1
-
-# check again devices
-send -- "cat /proc/1/net/dev;pwd\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "eth0" {puts "TESTING ERROR 5.1\n";exit}
- "home"
-}
-sleep 1
-
-puts "\n"
diff --git a/test/net_none.profile b/test/net_none.profile
deleted file mode 100644
index 079c08ea8..000000000
--- a/test/net_none.profile
+++ /dev/null
@@ -1 +0,0 @@
-net none
diff --git a/test/net_profile.exp b/test/net_profile.exp
deleted file mode 100755
index 37043c906..000000000
--- a/test/net_profile.exp
+++ /dev/null
@@ -1,73 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -# check eth0 -send -- "firejail --profile=net-profile.profile\r" -expect { - timeout {puts "TESTING ERROR 0.0\n";exit} - "eth0" -} -expect { - timeout {puts "TESTING ERROR 0.1\n";exit} - "00:11:22:33:44:55" -} -expect { - timeout {puts "TESTING ERROR 0.1\n";exit} - "10.10.20" -} -expect { - timeout {puts "TESTING ERROR 0.2\n";exit} - "255.255.255.248" -} -expect { - timeout {puts "TESTING ERROR 0.3\n";exit} - "UP" -} -expect { - timeout {puts "TESTING ERROR 0.4\n";exit} - "Child process initialized" -} -sleep 2 - -send -- "ip route show\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "10.10.30.0/24 dev eth1 proto kernel scope link src 10.10.30.50" -} - -send -- "ip route show\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "10.10.40.0/24 dev eth2 proto kernel scope link src 10.10.40.100" -} - - -# check default gw -send -- "ip route show\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "default via 10.10.20.2 dev eth0" -} - -# check mtu -send -- "ip link show\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "eth0" -} -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "mtu 1000" -} -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "state UP" -} - -sleep 1 - -puts "\nall done\n" - diff --git a/test/netfilter.filter b/test/netfilter.filter deleted file mode 100644 index 3e232065c..000000000 --- a/test/netfilter.filter +++ /dev/null @@ -1,6 +0,0 @@ -*filter -:INPUT DROP [0:0] -:FORWARD DROP [0:0] -:OUTPUT ACCEPT [0:0] --A INPUT -i lo -j ACCEPT -COMMIT diff --git a/test/netfilter.profile b/test/netfilter.profile deleted file mode 100644 index 824c6cd0f..000000000 --- a/test/netfilter.profile +++ /dev/null @@ -1 +0,0 @@ -netfilter netfilter.filter diff --git a/test/network/4bridges_arp.exp b/test/network/4bridges_arp.exp new file mode 100755 index 000000000..6a3e6db2a --- /dev/null +++ b/test/network/4bridges_arp.exp 
@@ -0,0 +1,170 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +# check eth0 +send -- "firejail --net=br0 --net=br1 --net=br2 --net=br3\r" +expect { + timeout {puts "TESTING ERROR 0.0\n";exit} + "eth0" +} +expect { + timeout {puts "TESTING ERROR 0.1\n";exit} + "10.10.20" +} +expect { + timeout {puts "TESTING ERROR 0.2\n";exit} + "255.255.255.248" +} +expect { + timeout {puts "TESTING ERROR 0.3\n";exit} + "UP" +} +expect { + timeout {puts "TESTING ERROR 0.4\n";exit} + "Child process initialized" +} +sleep 2 +send -- "exit\r" +sleep 2 + +# check eth1 +send -- "firejail --net=br0 --net=br1 --net=br2 --net=br3\r" +expect { + timeout {puts "TESTING ERROR 1.0\n";exit} + "eth1" +} +expect { + timeout {puts "TESTING ERROR 1.1\n";exit} + "10.10.30" +} +expect { + timeout {puts "TESTING ERROR 1.2\n";exit} + "255.255.255.0" +} +expect { + timeout {puts "TESTING ERROR 1.3\n";exit} + "UP" +} +expect { + timeout {puts "TESTING ERROR 1.4\n";exit} + "Child process initialized" +} +sleep 2 +send -- "exit\r" +sleep 2 + + +# check eth2 +send -- "firejail --net=br0 --net=br1 --net=br2 --net=br3\r" +expect { + timeout {puts "TESTING ERROR 2.0\n";exit} + "eth2" +} +expect { + timeout {puts "TESTING ERROR 2.1\n";exit} + "10.10.40" +} +expect { + timeout {puts "TESTING ERROR 2.2\n";exit} + "255.255.255.0" +} +expect { + timeout {puts "TESTING ERROR 2.3\n";exit} + "UP" +} +expect { + timeout {puts "TESTING ERROR 2.4\n";exit} + "Child process initialized" +} +sleep 2 +send -- "exit\r" +sleep 2 + + + +# check eth3 +send -- "firejail --net=br0 --net=br1 --net=br2 --net=br3\r" +expect { + timeout {puts "TESTING ERROR 3.0\n";exit} + "eth3" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "10.10.50" +} +expect { + timeout {puts "TESTING ERROR 3.2\n";exit} + "255.255.255.0" +} +expect { + timeout {puts "TESTING ERROR 3.3\n";exit} + "UP" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 +send -- "exit\r" 
+sleep 2 + + + + +# check loopback +send -- "firejail --net=br0 --net=br1 --net=br2 --net=br3 --protocol=unix,inet,netlink\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "lo" +} +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "127.0.0.1" +} +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "255.0.0.0" +} +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "UP" +} +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "Child process initialized" +} +sleep 1 + +# check default gateway +send -- "ip route show\r" +expect { + timeout {puts "TESTING ERROR 10.1\n";exit} + "default via 10.10.20.1 dev eth0" +} +send -- "ip route show\r" +expect { + timeout {puts "TESTING ERROR 10.2\n";exit} + "10.10.20.0/29 dev eth0 proto kernel scope link" +} +send -- "ip route show\r" +expect { + timeout {puts "TESTING ERROR 10.2\n";exit} + "10.10.30.0/24 dev eth1 proto kernel scope link" +} +send -- "ip route show\r" +expect { + timeout {puts "TESTING ERROR 10.2\n";exit} + "10.10.40.0/24 dev eth2 proto kernel scope link" +} +send -- "ip route show\r" +expect { + timeout {puts "TESTING ERROR 10.2\n";exit} + "10.10.50.0/24 dev eth3 proto kernel scope link" +} +sleep 1 + +puts "\nall done\n" + diff --git a/test/network/4bridges_ip.exp b/test/network/4bridges_ip.exp new file mode 100755 index 000000000..8068aeebb --- /dev/null +++ b/test/network/4bridges_ip.exp 
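Review bot: Every failure branch in the new 4bridges_arp.exp ends in a bare `exit`, which Expect treats as status 0, so a runner that looks at the exit code sees a pass even after `TESTING ERROR` has been printed. Using `exit 1` in those branches, for example `timeout {puts "TESTING ERROR 0.0\n";exit 1}`, would make the failure visible; the same applies to the other .exp files added under test/network/ in this commit. Separately, the last four `ip route show` checks all print `TESTING ERROR 10.2`, so a failure there does not say which route was missing. Numbering them 10.2 to 10.5, as 4bridges_ip.exp does, would fix that.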
@@ -0,0 +1,174 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +# check eth0 +send -- "firejail --net=br0 --net=br1 --ip=10.10.30.50 --net=br2 --ip=10.10.40.100 --net=br3\r" +expect { + timeout {puts "TESTING ERROR 0.0\n";exit} + "eth0" +} +expect { + timeout {puts "TESTING ERROR 0.1\n";exit} + "10.10.20" +} +expect { + timeout {puts "TESTING ERROR 0.2\n";exit} + "255.255.255.248" +} +expect { + timeout {puts "TESTING ERROR 0.3\n";exit} + "UP" +} +expect { + timeout {puts "TESTING ERROR 0.4\n";exit} + "Child process initialized" +} +sleep 2 +send -- "exit\r" +sleep 2 + +# check eth1 +send -- "firejail --net=br0 --net=br1 --ip=10.10.30.50 --net=br2 --ip=10.10.40.100 --net=br3\r" +expect { + timeout {puts "TESTING ERROR 1.0\n";exit} + "eth1" +} +expect { + timeout {puts "TESTING ERROR 1.1\n";exit} + "10.10.30.50" +} +expect { + timeout {puts "TESTING ERROR 1.2\n";exit} + "255.255.255.0" +} +expect { + timeout {puts "TESTING ERROR 1.3\n";exit} + "UP" +} +expect { + timeout {puts "TESTING ERROR 1.4\n";exit} + "Child process initialized" +} +sleep 2 +send -- "exit\r" +sleep 2 + + +# check eth2 +send -- "firejail --net=br0 --net=br1 --ip=10.10.30.50 --net=br2 --ip=10.10.40.100 --net=br3\r" +expect { + timeout {puts "TESTING ERROR 2.0\n";exit} + "eth2" +} +expect { + timeout {puts "TESTING ERROR 2.1\n";exit} + "10.10.40.100" +} +expect { + timeout {puts "TESTING ERROR 2.2\n";exit} + "255.255.255.0" +} +expect { + timeout {puts "TESTING ERROR 2.3\n";exit} + "UP" +} +expect { + timeout {puts "TESTING ERROR 2.4\n";exit} + "Child process initialized" +} +sleep 2 +send -- "exit\r" +sleep 2 + + + +# check eth3 +send -- "firejail --net=br0 --net=br1 --ip=10.10.30.50 --net=br2 --ip=10.10.40.100 --net=br3\r" +expect { + timeout {puts "TESTING ERROR 3.0\n";exit} + "eth3" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "10.10.50" +} +expect { + timeout {puts "TESTING ERROR 3.2\n";exit} + "255.255.255.0" +} +expect { + timeout {puts 
"TESTING ERROR 3.3\n";exit} + "UP" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 +send -- "exit\r" +sleep 2 + + + + +# check loopback +send -- "firejail --net=br0 --net=br1 --ip=10.10.30.50 --net=br2 --ip=10.10.40.100 --net=br3 --protocol=unix,inet,netlink\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "lo" +} +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "127.0.0.1" +} +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "255.0.0.0" +} +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "UP" +} +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "Child process initialized" +} + +# check default gateway +send -- "ip route show\r" +expect { + timeout {puts "TESTING ERROR 10.1\n";exit} + "default via 10.10.20.1 dev eth0" +} + +send -- "ip route show\r" +expect { + timeout {puts "TESTING ERROR 10.2\n";exit} + "10.10.20.0/29 dev eth0 proto kernel scope link" +} + +send -- "ip route show\r" +expect { + timeout {puts "TESTING ERROR 10.3\n";exit} + "10.10.30.0/24 dev eth1 proto kernel scope link src 10.10.30.50" +} + +send -- "ip route show\r" +expect { + timeout {puts "TESTING ERROR 10.4\n";exit} + "10.10.40.0/24 dev eth2 proto kernel scope link src 10.10.40.100" +} + +send -- "ip route show\r" +expect { + timeout {puts "TESTING ERROR 10.5\n";exit} + "10.10.50.0/24 dev eth3 proto kernel scope link" +} + +sleep 1 + +puts "\nall done\n" + diff --git a/test/network/bandwidth.exp b/test/network/bandwidth.exp new file mode 100755 index 000000000..33b351296 --- /dev/null +++ b/test/network/bandwidth.exp 
@@ -0,0 +1,62 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --name=test --net=br0\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firejail --bandwidth=test status\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "qdisc noqueue 0: dev eth0" +} +sleep 1 + +send -- "firejail --bandwidth=test set br0 50 10\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Configuring interface eth0" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "configuring tc ingress" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "configuring tc egress" +} + +send -- "firejail --bandwidth=test status\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "dev eth0" +} +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "rate 80Kbit burst 10Kb" +} +sleep 1 + +send -- "firejail --bandwidth=test clear br0\r" +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "Removing bandwith limits" +} +sleep 1 + +send -- "firejail --bandwidth=test status; pwd\r" +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "rate 80Kbit burst 10Kb" {puts "TESTING ERROR 9\n";exit} + "home" {puts "ok\n"} +} +sleep 1 + +puts "\nall done\n" diff --git a/test/network/hostname.exp b/test/network/hostname.exp new file mode 100755 index 000000000..4e5c7e073 --- /dev/null +++ b/test/network/hostname.exp @@ -0,0 +1,25 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --hostname=baluba --noprofile\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "ping -c 3 baluba;pwd\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "3 packets transmitted, 3 received" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "home" +} +sleep 1 + +puts "all done\n" 
diff --git a/test/network/ip6.exp b/test/network/ip6.exp new file mode 100755 index 000000000..fba47d095 --- /dev/null +++ b/test/network/ip6.exp @@ -0,0 +1,43 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --debug --noprofile --net=br0 --ip6=2001:0db8:0:f101::1/64 --netfilter6=ipv6.net\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Installing network filter" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "DROP" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "2001:db8:1f0a:3ec::2" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "Child process initialized" +} +sleep 2 + +send -- "/sbin/ifconfig\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "inet6" +} +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "2001:db8:0:f101::1" +} +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "Scope:Global" { puts "Debian\n"} + "scopeid 0x0" { puts "Arch\n"} +} + + +puts "\nall done\n" + diff --git a/test/network/ipv6.net b/test/network/ipv6.net new file mode 100644 index 000000000..cc8f22943 --- /dev/null +++ b/test/network/ipv6.net @@ -0,0 +1,8 @@ +# Generated by ip6tables-save v1.4.14 on Wed Jan 13 10:53:40 2016 +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +-A INPUT -s 2001:db8:1f0a:3ec::2/128 -j DROP +COMMIT +# Completed on Wed Jan 13 10:53:40 2016 diff --git a/test/network/net-profile.profile b/test/network/net-profile.profile new file mode 100644 index 000000000..05052b6dc --- /dev/null +++ b/test/network/net-profile.profile @@ -0,0 +1,10 @@ +net br0 +mac 00:11:22:33:44:55 +mtu 1000 +net br1 +ip 10.10.30.50 +net br2 +ip 10.10.40.100 +net br3 +defaultgw 10.10.20.2 + diff --git a/test/network/net_arp.exp b/test/network/net_arp.exp new file mode 100755 index 000000000..9e07744f3 --- /dev/null +++ b/test/network/net_arp.exp 
@@ -0,0 +1,71 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --net=br0 sleep 20 &\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +send -- "firejail --net=br0 sleep 20 &\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +send -- "firejail --net=br0 sleep 20 &\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Child process initialized" +} +send -- "firejail --net=br0 sleep 20 &\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "Child process initialized" +} +send -- "firejail --net=br0 sleep 20 &\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} + +# will fail +send -- "firejail --net=br0 sleep 20 &\r" +expect { + timeout {puts "TESTING ERROR 5n";exit} + "cannot assign an IP address" +} + +send -- "firejail --net=br0 sleep 20 &\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "cannot assign an IP address" +} + +# check firejail --list +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 7.1\n";exit} + "sleep 20" +} +expect { + timeout {puts "TESTING ERROR 7.2\n";exit} + "sleep 20" +} +expect { + timeout {puts "TESTING ERROR 7.3\n";exit} + "sleep 20" +} +expect { + timeout {puts "TESTING ERROR 7.4\n";exit} + "sleep 20" +} +expect { + timeout {puts "TESTING ERROR 7.5\n";exit} + "sleep 20" +} + +# wait for snadboxes to be shutdown +sleep 30 +puts "\n" diff --git a/test/network/net_badip.exp b/test/network/net_badip.exp new file mode 100755 index 000000000..71b69e104 --- /dev/null +++ b/test/network/net_badip.exp @@ -0,0 +1,16 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +# check eth0 +send -- "firejail --net=br0 --net=br1 --ip=10.100.10.47\r" +expect { + timeout {puts "TESTING ERROR 0.0\n";exit} + "the IP address is not" +} +sleep 1 + +puts "\n" + 
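Review bot: In net_arp.exp the failure message for the sixth sandbox start reads `"TESTING ERROR 5n"`: the backslash of the newline escape is missing, so the label comes out as `5n` with no line break. It should be `timeout {puts "TESTING ERROR 5\n";exit}`. The closing comment has a typo as well; `# wait for snadboxes to be shutdown` should read `# wait for sandboxes to shut down`. The test also depends on br0 having room for only five sandbox addresses, presumably because of the 255.255.255.248 mask the other tests show on it. A one-line comment at the top saying so would explain why the sixth and seventh starts are expected to fail with `cannot assign an IP address`.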
diff --git a/test/network/net_defaultgw.exp b/test/network/net_defaultgw.exp new file mode 100755 index 000000000..840f2ccac --- /dev/null +++ b/test/network/net_defaultgw.exp @@ -0,0 +1,46 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +# check ip address +send -- "firejail --net=br0 --ip=10.10.20.5 --defaultgw=10.10.20.2 --protocol=unix,inet,netlink\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "eth0" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "10.10.20.5" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "255.255.255.248" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "UP" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 1 + +# check default gateway +send -- "ip route show\r" +expect { + timeout {puts "TESTING ERROR 10.1\n";exit} + "default via 10.10.20.2 dev eth0" +} + +send -- "ip route show\r" +expect { + timeout {puts "TESTING ERROR 10.2\n";exit} + "10.10.20.0/29 dev eth0 proto kernel scope link" +} +sleep 1 + +puts "\nall done\n" + diff --git a/test/network/net_defaultgw2.exp b/test/network/net_defaultgw2.exp new file mode 100755 index 000000000..db14e17cb --- /dev/null +++ b/test/network/net_defaultgw2.exp 
@@ -0,0 +1,40 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +# check ip address +send -- "firejail --net=br0 --net=br1 --defaultgw=10.10.30.89 --protocol=unix,inet,netlink\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "eth1" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 1 + +# check default gateway +send -- "ip route show\r" +expect { + timeout {puts "TESTING ERROR 10.1\n";exit} + "default via 10.10.30.89 dev eth1" +} + +send -- "ip route show\r" +expect { + timeout {puts "TESTING ERROR 10.2\n";exit} + "10.10.20.0/29 dev eth0 proto kernel scope link" +} + +send -- "ip route show\r" +expect { + timeout {puts "TESTING ERROR 10.3\n";exit} + "10.10.30.0/24 dev eth1 proto kernel scope link" +} +sleep 1 + +puts "\nall done\n" + diff --git a/test/network/net_defaultgw3.exp b/test/network/net_defaultgw3.exp new file mode 100755 index 000000000..64da9dfca --- /dev/null +++ b/test/network/net_defaultgw3.exp @@ -0,0 +1,17 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +# check ip address +send -- "firejail --net=br0 --net=br1 --defaultgw=10.10.95.89\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "default gateway 10.10.95.89 is not in the range of any network" +} + +sleep 1 + +puts "\n" + diff --git a/test/network/net_interface.exp b/test/network/net_interface.exp new file mode 100755 index 000000000..4b55187ff --- /dev/null +++ b/test/network/net_interface.exp 
@@ -0,0 +1,88 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "ip link add link eth0 name eth0.100 type vlan id 100\r" +sleep 1 +send -- "ip link add link eth0 name eth0.101 type vlan id 101\r" +sleep 1 +send -- "ip link add link eth0 name eth0.102 type vlan id 102\r" +sleep 1 +send -- "ip link add link eth0 name eth0.103 type vlan id 103\r" +sleep 1 +send -- "ip link add link eth0 name eth0.104 type vlan id 104\r" +sleep 1 +puts "\n" + +send -- "/sbin/ifconfig eth0.100 10.200.0.1/24\r" +sleep 1 +send -- "/sbin/ifconfig eth0.101 10.200.1.1/24\r" +sleep 1 +send -- "/sbin/ifconfig eth0.102 10.200.2.1/24\r" +sleep 1 +send -- "/sbin/ifconfig eth0.103 10.200.3.1/24\r" +sleep 1 +send -- "/sbin/ifconfig eth0.104 10.200.4.1/24\r" +sleep 1 +puts "\n" + + + +send -- "firejail --noprofile --interface=eth0.100 --interface=eth0.101 --interface=eth0.102 --interface=eth0.103 --interface=eth0.104\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "maximum 4 interfaces are allowed" +} +sleep 1 + +send -- "firejail --noprofile --interface=eth0.100 --interface=eth0.101 --interface=eth0.102 --interface=eth0.103\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "eth0.100" +} +expect { + timeout {puts "TESTING ERROR 1.1\n";exit} + "UP" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "eth0.101" +} +expect { + timeout {puts "TESTING ERROR 2.2\n";exit} + "UP" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "eth0.102" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "UP" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "eth0.103" +} +expect { + timeout {puts "TESTING ERROR 4.1\n";exit} + "UP" +} +sleep 1 +send -- "exit\r" +sleep 1 + +send -- "firejail --noprofile --interface=eth0.104\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "eth0.104" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "UP" +} + +puts "all done\n" + 
diff --git a/test/network/net_ip.exp b/test/network/net_ip.exp new file mode 100755 index 000000000..f5d487ecc --- /dev/null +++ b/test/network/net_ip.exp @@ -0,0 +1,72 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +# check ip address +send -- "firejail --net=br0 --ip=10.10.20.5\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "eth0" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "10.10.20.5" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "255.255.255.248" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "UP" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 +send -- "exit\r" +sleep 2 + +# check loopback +send -- "firejail --net=br0 --ip=10.10.20.5 --protocol=unix,inet,netlink\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "lo" +} +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "127.0.0.1" +} +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "255.0.0.0" +} +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "UP" +} +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "Child process initialized" +} +sleep 1 + +# check default gateway +send -- "ip route show\r" +expect { + timeout {puts "TESTING ERROR 10.1\n";exit} + "default via 10.10.20.1 dev eth0" +} + +send -- "ip route show\r" +expect { + timeout {puts "TESTING ERROR 10\n";exit} + "10.10.20.0/29 dev eth0 proto kernel scope link" +} +sleep 1 + +puts "\n" + diff --git a/test/network/net_local.exp b/test/network/net_local.exp new file mode 100755 index 000000000..642213658 --- /dev/null +++ b/test/network/net_local.exp 
@@ -0,0 +1,45 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +# check ip address +send -- "firejail --noprofile --debug\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Using the local network stack" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 +send -- "exit\r" +sleep 2 + +# check loopback +send -- "firejail --noprofile\r" +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "Child process initialized" +} +sleep 1 + + +send -- "/sbin/ifconfig\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "lo" +} +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "127.0.0.1" +} +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "255.0.0.0" +} + +puts "all done\n" + diff --git a/test/network/net_mac.exp b/test/network/net_mac.exp new file mode 100755 index 000000000..076634730 --- /dev/null +++ b/test/network/net_mac.exp @@ -0,0 +1,36 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +# check ip address +send -- "firejail --net=br0 --ip=10.10.20.5 --mac=00:11:22:33:44:55\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "eth0" +} +expect { + timeout {puts "TESTING ERROR 0.1\n";exit} + "00:11:22:33:44:55" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "10.10.20.5" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "255.255.255.248" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "UP" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 1 + +puts "\nall done\n" + diff --git a/test/network/net_macvlan.exp b/test/network/net_macvlan.exp new file mode 100755 index 000000000..20d022de9 --- /dev/null +++ b/test/network/net_macvlan.exp 
@@ -0,0 +1,88 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +# check the existing address +spawn $env(SHELL) +send -- "firejail --net=eth0 --ip=192.168.1.60\r" +expect { + timeout {puts "TESTING ERROR 1.1\n";puts "Please open a sandbox on 192.168.1.60\n";exit} + "the address 192.168.1.60 is already in use" +} + + + +# grab 30 ip addresses +set MAXi 229 +set i 200 +while { $i <= $MAXi } { + spawn $env(SHELL) + send -- "firejail --net=eth0 --ip=192.168.1.$i\r" + expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" + } + incr i + after 100 +} + + +# check an existing address +spawn $env(SHELL) +send -- "firejail --net=eth0 --ip=192.168.1.200\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "the address 192.168.1.200 is already in use" +} + + +set MAXi 254 +set i 2 +while { $i <= $MAXi } { + spawn $env(SHELL) + send -- "firejail --net=eth0\r" + expect { + timeout {puts "TESTING ERROR 2.1\n";exit} + "192.168.1.60" {puts "TESTING ERROR 2.2\n";exit} + "192.168.1.200" {puts "TESTING ERROR 3\n";exit} + "192.168.1.201" {puts "TESTING ERROR 3\n";exit} + "192.168.1.202" {puts "TESTING ERROR 3\n";exit} + "192.168.1.203" {puts "TESTING ERROR 3\n";exit} + "192.168.1.204" {puts "TESTING ERROR 3\n";exit} + "192.168.1.205" {puts "TESTING ERROR 3\n";exit} + "192.168.1.206" {puts "TESTING ERROR 3\n";exit} + "192.168.1.207" {puts "TESTING ERROR 3\n";exit} + "192.168.1.208" {puts "TESTING ERROR 3\n";exit} + "192.168.1.209" {puts "TESTING ERROR 3\n";exit} + "192.168.1.210" {puts "TESTING ERROR 3\n";exit} + "192.168.1.211" {puts "TESTING ERROR 3\n";exit} + "192.168.1.212" {puts "TESTING ERROR 3\n";exit} + "192.168.1.213" {puts "TESTING ERROR 3\n";exit} + "192.168.1.214" {puts "TESTING ERROR 3\n";exit} + "192.168.1.215" {puts "TESTING ERROR 3\n";exit} + "192.168.1.216" {puts "TESTING ERROR 3\n";exit} + "192.168.1.217" {puts "TESTING ERROR 3\n";exit} + "192.168.1.218" {puts "TESTING ERROR 3\n";exit} + "192.168.1.219" 
{puts "TESTING ERROR 3\n";exit} + "192.168.1.220" {puts "TESTING ERROR 3\n";exit} + "192.168.1.221" {puts "TESTING ERROR 3\n";exit} + "192.168.1.222" {puts "TESTING ERROR 3\n";exit} + "192.168.1.223" {puts "TESTING ERROR 3\n";exit} + "192.168.1.224" {puts "TESTING ERROR 3\n";exit} + "192.168.1.225" {puts "TESTING ERROR 3\n";exit} + "192.168.1.226" {puts "TESTING ERROR 3\n";exit} + "192.168.1.227" {puts "TESTING ERROR 3\n";exit} + "192.168.1.228" {puts "TESTING ERROR 3\n";exit} + "192.168.1.229" {puts "TESTING ERROR 3\n";exit} + "Child process initialized" + } + puts "************ $i ******************\n" + incr i + after 100 +# sleep 1 +} + +puts "\n" + diff --git a/test/network/net_mtu.exp b/test/network/net_mtu.exp new file mode 100755 index 000000000..7943b2866 --- /dev/null +++ b/test/network/net_mtu.exp @@ -0,0 +1,30 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +# check ip address +send -- "firejail --net=br0 --mtu=1000 --noprofile\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "ip link show\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "eth0" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "mtu 1000" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "state UP" +} + +puts "\nall done\n" + diff --git a/test/network/net_netfilter.exp b/test/network/net_netfilter.exp new file mode 100755 index 000000000..989fcc407 --- /dev/null +++ b/test/network/net_netfilter.exp 
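Review bot: net_macvlan.exp is tied to one particular host: it attaches sandboxes to the physical interface with `--net=eth0`, assumes a 192.168.1.0/24 LAN, and its first check only passes if a sandbox already holds 192.168.1.60, which is explained only in the timeout message. A header comment listing those prerequisites, for instance `# requires: eth0 on 192.168.1.0/24 and a sandbox already running on 192.168.1.60`, would keep it from being run on a network where those addresses belong to other machines. The thirty literal address branches in the second loop could be a single pattern, `-re {192\.168\.1\.2[0-2][0-9]} {puts "TESTING ERROR 3\n";exit}`, which covers 200 to 229. The `spawn $env(SHELL)` at the top is also issued twice before the first `send`.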
@@ -0,0 +1,88 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +# check default netfilter on br0 +send -- "firejail --debug --noprofile --net=br0 --ip=10.10.20.5 --netfilter\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Installing network filter" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Chain INPUT (policy DROP" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "ACCEPT all -- any any anywhere" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "ACCEPT icmp -- any any anywhere" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 +send -- "exit\r" +sleep 1 + +# check default netfilter no new network +send -- "firejail --debug --noprofile --netfilter\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "Installing network filter" {puts "TESTING ERROR 5.1\n";exit} + "Chain INPUT (policy DROP" {puts "TESTING ERROR 5.1\n";exit} + "ACCEPT all -- any any anywhere" {puts "TESTING ERROR 5.1\n";exit} + "ACCEPT icmp -- any any anywhere" {puts "TESTING ERROR 5.1\n";exit} + "Child process initialized" +} +sleep 2 +send -- "exit\r" +sleep 1 + +# check file filter netfilter on br0 +send -- "firejail --debug --noprofile --net=br0 --ip=10.10.20.5 --netfilter=netfilter.filter\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "Installing network filter" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "Child process initialized" +} +sleep 2 +send -- "ping -c 1 -w 3 10.10.20.1\r" +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0 received, 100% packet loss" +} + +send -- "exit\r" +sleep 1 + +# check profile netfilter on br0 +send -- "firejail --debug --net=br0 --ip=10.10.20.5 --profile=netfilter.profile\r" +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "Installing network filter" +} +expect { + timeout {puts "TESTING ERROR 7.1\n";exit} + "Child process initialized" +} +sleep 2 +send -- "ping -c 1 -w 3 10.10.20.1\r" +expect { + 
timeout {puts "TESTING ERROR 7.2\n";exit} + "0 received, 100% packet loss" +} + +send -- "exit\r" +after 100 + +puts "all done\n" + diff --git a/test/network/net_noip.exp b/test/network/net_noip.exp new file mode 100755 index 000000000..8d28adb39 --- /dev/null +++ b/test/network/net_noip.exp @@ -0,0 +1,41 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +# check ip address +send -- "firejail --noprofile --net=br0 --ip=none\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "eth0" {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 1 +send -- "bash\r" +sleep 1 + +# no default gateway configured +send -- "netstat -rn;pwd\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "0.0.0.0" {puts "TESTING ERROR 3\n";exit} + "eth0" {puts "TESTING ERROR 4\n";exit} + "home" +} +sleep 1 + +# eth0 configured +send -- "/sbin/ifconfig;pwd\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "eth0" +} +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "home" +} +after 100 + +puts "all done\n" + diff --git a/test/network/net_noip2.exp b/test/network/net_noip2.exp new file mode 100755 index 000000000..58f90422b --- /dev/null +++ b/test/network/net_noip2.exp 
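Review bot: The two enforcement checks in net_netfilter.exp (`TESTING ERROR 6.2` and `7.2`) only assert `0 received, 100% packet loss` for a ping to 10.10.20.1, and an unconfigured br0 or an unreachable gateway produces the same output, so they can pass without the filter having any effect. A positive control would close that gap: in the first sandbox, where the default filter lists `ACCEPT icmp`, send the same ping and require a reply before the `exit`. This assumes the host end of br0 answers echo requests at 10.10.20.1, which the route checks in the other tests suggest but do not show. The `4.1` label below is simply the next unused number in this script.

```tcl
# … unchanged: default-filter sandbox start and its rule-listing checks …
sleep 2
send -- "ping -c 1 -w 3 10.10.20.1\r"
expect {
	timeout {puts "TESTING ERROR 4.1\n";exit}
	"1 received"
}
send -- "exit\r"
# … unchanged: remaining netfilter checks …
```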
@@ -0,0 +1,41 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +# check ip address +send -- "firejail --noprofile --net=br1 --ip=none --defaultgw=10.10.30.78\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "eth0" {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 1 +send -- "bash\r" +sleep 1 + +# no default gateway configured +send -- "netstat -rn;pwd\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "0.0.0.0" {puts "TESTING ERROR 3\n";exit} + "eth0" {puts "TESTING ERROR 4\n";exit} + "home" +} +sleep 1 + +# eth0 configured +send -- "/sbin/ifconfig;pwd\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "eth0" +} +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "home" +} +after 100 + +puts "all done\n" + diff --git a/test/network/net_none.exp b/test/network/net_none.exp new file mode 100755 index 000000000..54b6cb946 --- /dev/null +++ b/test/network/net_none.exp 
@@ -0,0 +1,68 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +# options +send -- "firejail --net=none\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "eth0" {puts "TESTING ERROR 0.1\n";exit} + "Child process initialized" +} +sleep 1 + +# test default gw +send -- "bash\r" +sleep 1 +send -- "netstat -rn; pwd\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "0.0.0.0" {puts "TESTING ERROR 1.1\n";exit} + "home" +} +sleep 1 + +# check again devices +send -- "cat /proc/1/net/dev;pwd\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "eth0" {puts "TESTING ERROR 2.1\n";exit} + "home" +} +send -- "exit\r" +sleep 1 +send -- "exit\r" +sleep 1 + +# profile +send -- "firejail --profile=net_none.profile\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "eth0" {puts "TESTING ERROR 3.1\n";exit} + "Child process initialized" +} +sleep 1 + +# test default gw +send -- "bash\r" +sleep 1 +send -- "netstat -rn; pwd\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "0.0.0.0" {puts "TESTING ERROR 4.1\n";exit} + "home" +} +sleep 1 + +# check again devices +send -- "cat /proc/1/net/dev;pwd\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "eth0" {puts "TESTING ERROR 5.1\n";exit} + "home" +} +sleep 1 + +puts "\n" diff --git a/test/network/net_none.profile b/test/network/net_none.profile new file mode 100644 index 000000000..079c08ea8 --- /dev/null +++ b/test/network/net_none.profile @@ -0,0 +1 @@ +net none diff --git a/test/network/net_profile.exp b/test/network/net_profile.exp new file mode 100755 index 000000000..37043c906 --- /dev/null +++ b/test/network/net_profile.exp 
@@ -0,0 +1,73 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+# check eth0
+send -- "firejail --profile=net-profile.profile\r"
+expect {
+ timeout {puts "TESTING ERROR 0.0\n";exit}
+ "eth0"
+}
+expect {
+ timeout {puts "TESTING ERROR 0.1\n";exit}
+ "00:11:22:33:44:55"
+}
+expect {
+ timeout {puts "TESTING ERROR 0.1\n";exit}
+ "10.10.20"
+}
+expect {
+ timeout {puts "TESTING ERROR 0.2\n";exit}
+ "255.255.255.248"
+}
+expect {
+ timeout {puts "TESTING ERROR 0.3\n";exit}
+ "UP"
+}
+expect {
+ timeout {puts "TESTING ERROR 0.4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+send -- "ip route show\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "10.10.30.0/24 dev eth1 proto kernel scope link src 10.10.30.50"
+}
+
+send -- "ip route show\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "10.10.40.0/24 dev eth2 proto kernel scope link src 10.10.40.100"
+}
+
+
+# check default gw
+send -- "ip route show\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "default via 10.10.20.2 dev eth0"
+}
+
+# check mtu
+send -- "ip link show\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "eth0"
+}
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "mtu 1000"
+}
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ "state UP"
+}
+
+sleep 1
+
+puts "\nall done\n"
+
diff --git a/test/network/netfilter.filter b/test/network/netfilter.filter
new file mode 100644
index 000000000..3e232065c
--- /dev/null
+++ b/test/network/netfilter.filter
@@ -0,0 +1,6 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -i lo -j ACCEPT
+COMMIT
diff --git a/test/network/netfilter.profile b/test/network/netfilter.profile
new file mode 100644
index 000000000..824c6cd0f
--- /dev/null
+++ b/test/network/netfilter.profile
@@ -0,0 +1 @@
+netfilter netfilter.filter
diff --git a/test/profile_followlnk.exp b/test/profile_followlnk.exp
deleted file mode 100755
index e2ede2865..000000000
--- a/test/profile_followlnk.exp +++ /dev/null @@ -1,68 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "mkdir /tmp/firejailtestdir\r" -sleep 1 -send -- "ln -s /tmp/firejailtestdir /tmp/firejailtestdirlnk\r" -sleep 1 -send -- "touch /tmp/firejailtestfile\r" -sleep 1 -send -- "ln -s /tmp/firejailtestfile /tmp/firejailtestfilelnk\r" -sleep 1 - -send -- "firejail --profile=readonly-lnk.profile --debug\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} - -# testing private only -send -- "bash\r" -sleep 1 - - -send -- "ls > /tmp/firejailtestdirlnk/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Read-only file system" -} -expect { - timeout {puts "TESTING ERROR 1.1\n";exit} - "home" -} -sleep 1 - -send -- "ls > /tmp/firejailtestfilelnk;pwd\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "Read-only file system" -} -expect { - timeout {puts "TESTING ERROR 2.1\n";exit} - "home" -} -sleep 1 - -send -- "exit\r" -sleep 1 -send -- "pwd\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "home" -} -sleep 1 -send -- "exit\r" -sleep 1 -send -- "pwd\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "home" -} -sleep 2 -send -- "rm -fr /tmp/firejailtest*\r" -sleep 1 - -puts "\n" diff --git a/test/profile_noperm.exp b/test/profile_noperm.exp deleted file mode 100755 index b3ed558bc..000000000 --- a/test/profile_noperm.exp +++ /dev/null @@ -1,13 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --profile=/etc/shadow\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "cannot access profile" -} -sleep 1 -puts "\n" diff --git a/test/profile_readonly.exp b/test/profile_readonly.exp deleted file mode 100755 index 046b0d738..000000000 --- a/test/profile_readonly.exp +++ /dev/null 
@@ -1,64 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "mkdir /tmp/firejailtestdir\r" -sleep 1 -send -- "touch /tmp/firejailtestfile\r" -sleep 1 - -send -- "firejail --profile=readonly.profile\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} - -# testing private only -send -- "bash\r" -sleep 1 - - -send -- "ls > /tmp/firejailtestdir/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Read-only file system" -} -expect { - timeout {puts "TESTING ERROR 1.1\n";exit} - "home" -} -sleep 1 - -send -- "ls > /tmp/firejailtestfile;pwd\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "Read-only file system" -} -expect { - timeout {puts "TESTING ERROR 2.1\n";exit} - "home" -} -sleep 1 - -send -- "exit\r" -sleep 1 -send -- "pwd\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "home" -} -sleep 1 -send -- "exit\r" -sleep 1 -send -- "pwd\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "home" -} -sleep 2 -send -- "rm -fr /tmp/firejailtest*\r" -sleep 1 - -puts "\n" diff --git a/test/profiles/profile_followlnk.exp b/test/profiles/profile_followlnk.exp new file mode 100755 index 000000000..4d89de26b --- /dev/null +++ b/test/profiles/profile_followlnk.exp 
@@ -0,0 +1,37 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "mkdir /tmp/firejailtestdir\r"
+send -- "ln -s /tmp/firejailtestdir /tmp/firejailtestdirlnk\r"
+send -- "touch /tmp/firejailtestfile\r"
+send -- "ln -s /tmp/firejailtestfile /tmp/firejailtestfilelnk\r"
+sleep 1
+
+send -- "firejail --profile=readonly-lnk.profile\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+
+send -- "ls > /tmp/firejailtestdirlnk/ttt\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Read-only file system"
+}
+sleep 1
+
+send -- "ls > /tmp/firejailtestfilelnk;pwd\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "Read-only file system"
+}
+sleep 1
+
+send -- "exit\r"
+send -- "rm -fr /tmp/firejailtest*\r"
+sleep 1
+
+puts "\nall done\n"
diff --git a/test/profiles/profile_noperm.exp b/test/profiles/profile_noperm.exp
new file mode 100755
index 000000000..25ec580bd
--- /dev/null
+++ b/test/profiles/profile_noperm.exp
@@ -0,0 +1,13 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --profile=/etc/shadow\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "cannot access profile"
+}
+sleep 1
+puts "\nall done\n"
diff --git a/test/profiles/profile_readonly.exp b/test/profiles/profile_readonly.exp
new file mode 100755
index 000000000..e8e78d6ad
--- /dev/null
+++ b/test/profiles/profile_readonly.exp
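Review bot: The fixture setup at the top of profile_followlnk.exp uses fixed names in world-writable /tmp and never checks that `mkdir`, `touch` and `ln -s` succeeded, so a leftover or pre-existing `/tmp/firejailtestdirlnk` decides what the read-only checks actually exercise. Every `timeout` branch calls `exit` before the final `rm -fr /tmp/firejailtest*`, which means one failed run leaves those leftovers behind for the next one. Sending the cleanup once before the `mkdir` as well, `send -- "rm -fr /tmp/firejailtest*\r"`, would make each run start from a known state. profile_readonly.exp, added in the same commit, follows the same pattern.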
@@ -0,0 +1,36 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "mkdir /tmp/firejailtestdir\r" +send -- "touch /tmp/firejailtestfile\r" +sleep 1 + +send -- "firejail --profile=readonly.profile\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 2 + +send -- "ls > /tmp/firejailtestdir/ttt\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Read-only file system" +} +sleep 1 + +send -- "ls > /tmp/firejailtestfile\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Read-only file system" +} +send -- "exit\r" +sleep 1 + +send -- "rm -fr /tmp/firejailtest*\r" +sleep 1 + +puts "\nall done\n" diff --git a/test/profiles/profiles.sh b/test/profiles/profiles.sh index e3adc8a4f..ca0b9fb29 100755 --- a/test/profiles/profiles.sh +++ b/test/profiles/profiles.sh @@ -23,3 +23,12 @@ echo "TESTING: profile syntax 2 (test/profiles/profile_syntax2.exp)" echo "TESTING: ignore command (test/profiles/ignore.exp)" ./ignore.exp +echo "TESTING: profile read-only (test/profiles/profile_readonly.exp)" +./profile_readonly.exp + +echo "TESTING: profile read-only links (test/profiles/profile_readonly.exp)" +./profile_followlnk.exp + +echo "TESTING: profile no permissions (test/profiles/profile_noperm.exp)" +./profile_noperm.exp + diff --git a/test/profiles/readonly-lnk.profile b/test/profiles/readonly-lnk.profile new file mode 100644 index 000000000..71ffb1a26 --- /dev/null +++ b/test/profiles/readonly-lnk.profile @@ -0,0 +1,2 @@ +read-only /tmp/firejailtestdirlnk +read-only /tmp/firejailtestfilelnk diff --git a/test/profiles/readonly.profile b/test/profiles/readonly.profile new file mode 100644 index 000000000..55d89e3d7 --- /dev/null +++ b/test/profiles/readonly.profile @@ -0,0 +1,2 @@ +read-only /tmp/firejailtestdir +read-only /tmp/firejailtestfile \ No newline at end of file diff --git a/test/readonly-lnk.profile b/test/readonly-lnk.profile deleted file mode 100644 index 71ffb1a26..000000000 
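Review bot: The label echoed before `./profile_followlnk.exp` in the profiles.sh hunk names the wrong script: it prints `(test/profiles/profile_readonly.exp)` for the read-only links test, the same path as the entry above it. Anyone grepping the TESTING output for a failing case is pointed at the wrong file. The line should read `echo "TESTING: profile read-only links (test/profiles/profile_followlnk.exp)"`.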
--- a/test/readonly-lnk.profile +++ /dev/null @@ -1,2 +0,0 @@ -read-only /tmp/firejailtestdirlnk -read-only /tmp/firejailtestfilelnk diff --git a/test/readonly.profile b/test/readonly.profile deleted file mode 100644 index 55d89e3d7..000000000 --- a/test/readonly.profile +++ /dev/null @@ -1,2 +0,0 @@ -read-only /tmp/firejailtestdir -read-only /tmp/firejailtestfile \ No newline at end of file diff --git a/test/test.sh b/test/test.sh index 0509afdfb..9d7dba4fa 100755 --- a/test/test.sh +++ b/test/test.sh @@ -7,11 +7,6 @@ ./fscheck.sh -echo "TESTING: network profile (net_profile.exp)" -./net_profile.exp - -echo "TESTING: bandwidth (bandwidth.exp)" -./bandwidth.exp echo "TESTING: protocol.print (protocol-print.exp)" ./protocol-print.exp @@ -127,12 +122,6 @@ echo "TESTING: PID (pid.exp)" echo "TESTING: output (output.exp)" ./output.exp -echo "TESTING: profile no permissions (profile_noperm.exp)" -./profile_noperm.exp - -echo "TESTING: profile read-only (profile_readonly.exp)" -./profile_readonly.exp - echo "TESTING: private (private.exp)" ./private.exp `whoami` -- cgit v1.2.3-70-g09d2 From f36842dfdf11412dadee89d2e32ebbecc2f8a37e Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 3 May 2016 09:27:26 -0400 Subject: networking features testing --- test/network/configure | 24 +++++++++++++++++++ test/network/network.sh | 62 +++++++++++++++++++++++++++++++++++++++++++++++++ test/test.sh | 49 -------------------------------------- 3 files changed, 86 insertions(+), 49 deletions(-) create mode 100755 test/network/configure create mode 100755 test/network/network.sh diff --git a/test/network/configure b/test/network/configure new file mode 100755 index 000000000..788c5a9a0 --- /dev/null +++ b/test/network/configure 
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+brctl addbr br0
+ifconfig br0 10.10.20.1/29 up
+# NAT masquerade
+iptables -t nat -A POSTROUTING -o eth0 -s 10.10.20.0/29 -j MASQUERADE
+# port forwarding
+# iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.10.20.2:80
+
+brctl addbr br1
+ifconfig br1 10.10.30.1/24 up
+brctl addbr br2
+ifconfig br2 10.10.40.1/24 up
+brctl addbr br3
+ifconfig br3 10.10.50.1/24 up
+brctl addbr br4
+ifconfig br4 10.10.60.1/24 up
+ip link add link eth0 name eth0.5 type vlan id 5
+/sbin/ifconfig eth0.5 10.10.205.10/24 up
+ip link add link eth0 name eth0.6 type vlan id 6
+/sbin/ifconfig eth0.6 10.10.206.10/24 up
+ip link add link eth0 name eth0.7 type vlan id 7
+/sbin/ifconfig eth0.7 10.10.207.10/24 up
+
diff --git a/test/network/network.sh b/test/network/network.sh
new file mode 100755
index 000000000..7b6d66e34
--- /dev/null
+++ b/test/network/network.sh
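Review bot: test/network/configure changes host networking with no error handling and no way back: each `brctl`, `ifconfig`, `ip link` and `iptables` call runs unchecked, and nothing in the script removes the bridges, VLAN devices or the NAT rule afterwards. Because the MASQUERADE rule is appended with `-A`, every rerun adds another copy to the host's nat table. Guarding it with a check, `iptables -t nat -C POSTROUTING -o eth0 -s 10.10.20.0/29 -j MASQUERADE || iptables -t nat -A POSTROUTING -o eth0 -s 10.10.20.0/29 -j MASQUERADE`, and starting the script with `set -e` would make it safe to rerun and stop at the first failure. A matching teardown script would let testers put the host back the way it was.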
@@ -0,0 +1,62 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+
+echo "TESTING: network profile (net_profile.exp)"
+./net_profile.exp
+
+echo "TESTING: bandwidth (bandwidth.exp)"
+./bandwidth.exp
+
+echo "TESTING: IPv6 support (ip6.exp)"
+./ip6.exp
+
+echo "TESTING: local network (net_local.exp)"
+./net_local.exp
+
+echo "TESTING: no network (net_none.exp)"
+./net_none.exp
+
+echo "TESTING: network IP (net_ip.exp)"
+./net_ip.exp
+
+echo "TESTING: network MAC (net_mac.exp)"
+sleep 2
+./net_mac.exp
+
+echo "TESTING: network MTU (net_mtu.exp)"
+./net_mtu.exp
+
+echo "TESTING: network hostname (hostname.exp)"
+./hostname.exp
+
+echo "TESTING: network bad IP (net_badip.exp)"
+./net_badip.exp
+
+echo "TESTING: network no IP test 1 (net_noip.exp)"
+./net_noip.exp
+
+echo "TESTING: network no IP test 2 (net_noip2.exp)"
+./net_noip2.exp
+
+echo "TESTING: network default gateway test 1 (net_defaultgw.exp)"
+./net_defaultgw.exp
+
+echo "TESTING: network default gateway test 2 (net_defaultgw2.exp)"
+./net_defaultgw2.exp
+
+echo "TESTING: network default gateway test 3 (net_defaultgw3.exp)"
+./net_defaultgw3.exp
+
+echo "TESTING: netfilter (net_netfilter.exp)"
+./net_netfilter.exp
+
+echo "TESTING: 4 bridges ARP (4bridges_arp.exp)"
+./4bridges_arp.exp
+
+echo "TESTING: 4 bridges IP (4bridges_ip.exp)"
+./4bridges_ip.exp
diff --git a/test/test.sh b/test/test.sh
index 9d7dba4fa..78a6adc43 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -179,55 +179,6 @@ echo "TESTING: read/write /dev/shm (fs_dev_shm.exp)" echo "TESTING: quiet (quiet.exp)" ./quiet.exp -echo "TESTING: IPv6 support (ip6.exp)" -echo "TESTING: broken on Centos - todo" -./ip6.exp - -echo "TESTING: local network (net_local.exp)" -./net_local.exp - -echo "TESTING: no network (net_none.exp)" -./net_none.exp - -echo "TESTING: network IP (net_ip.exp)" -./net_ip.exp - -echo "TESTING: network MAC (net_mac.exp)" -sleep 2 -./net_mac.exp - -echo "TESTING: network MTU (net_mtu.exp)" -./net_mtu.exp - -echo "TESTING: network hostname (hostname.exp)" -./hostname.exp - -echo "TESTING: network bad IP (net_badip.exp)" -./net_badip.exp - -echo "TESTING: network no IP test 1 (net_noip.exp)" -./net_noip.exp - -echo "TESTING: network no IP test 2 (net_noip2.exp)" -./net_noip2.exp - -echo "TESTING: network default gateway test 1 (net_defaultgw.exp)" -./net_defaultgw.exp - -echo "TESTING: network default gateway test 2 (net_defaultgw2.exp)" -./net_defaultgw2.exp - -echo "TESTING: network default gateway test 3 (net_defaultgw3.exp)" -./net_defaultgw3.exp - -echo "TESTING: netfilter (net_netfilter.exp)" -./net_netfilter.exp - -echo "TESTING: 4 bridges ARP (4bridges_arp.exp)" -./4bridges_arp.exp - -echo "TESTING: 4 bridges IP (4bridges_ip.exp)" -./4bridges_ip.exp echo "TESTING: login SSH (login_ssh.exp)" ./login_ssh.exp -- cgit v1.2.3-70-g09d2 From 723dde8d085f6b2510fcf210721d0de8e8f14a86 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Tue, 3 May 2016 10:33:10 -0400 Subject: networking features testing --- Makefile.in | 4 ++++ test/network/4bridges_arp.exp | 3 +++ test/network/4bridges_ip.exp | 3 +++ test/network/README | 15 +++++++++++++++ test/network/bandwidth.exp | 7 +++++-- test/network/configure | 3 +++ test/network/hostname.exp | 9 ++++++--- test/network/ip6.exp | 3 +++ test/network/net_arp.exp | 3 +++ test/network/net_badip.exp | 3 +++ test/network/net_defaultgw.exp | 3 +++ test/network/net_defaultgw2.exp | 3 +++ test/network/net_defaultgw3.exp | 3 +++ test/network/net_interface.exp | 3 +++ test/network/net_ip.exp | 3 +++ test/network/net_local.exp | 3 +++ test/network/net_mac.exp | 3 +++ test/network/net_macvlan.exp | 3 +++ test/network/net_mtu.exp | 3 +++ test/network/net_netfilter.exp | 3 +++ test/network/net_noip.exp | 11 +++++++---- test/network/net_noip2.exp | 11 +++++++---- test/network/net_none.exp | 21 ++++++++++++--------- test/network/net_profile.exp | 3 +++ 24 files changed, 107 insertions(+), 22 deletions(-) create mode 100644 test/network/README diff --git a/Makefile.in b/Makefile.in index 8a6e8fa01..3f937b532 100644 --- a/Makefile.in +++ b/Makefile.in @@ -254,6 +254,7 @@ dist: cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/compile test/.; cd .. cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/dist-compile test/.; cd .. cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/filters test/.; cd .. + cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/network test/.; cd .. cd $(NAME)-$(VERSION); rm -fr `find . -name .svn`; rm -fr $(NAME)-$(VERSION); cd .. tar -cjvf $(NAME)-$(VERSION).tar.bz2 $(NAME)-$(VERSION) rm -fr $(NAME)-$(VERSION) @@ -300,5 +301,8 @@ test-environment: test-filters: cd test/filters; ./filters.sh | grep TESTING +test-network: + echo "Please read test/netwok/README file and run the test manually" + test: test-profiles test-utils test-environment test-apps test-apps-x11 echo "TEST COMPLETE" 
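Review bot: The message printed by the new `test-network` target misspells the directory: `test/netwok/README` should be `test/network/README`, the file this commit adds. As written the path does not exist, so a user following the hint will not find the warning about root access and host network changes. The recipe line would become `echo "Please read test/network/README file and run the test manually"`.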
diff --git a/test/network/4bridges_arp.exp b/test/network/4bridges_arp.exp index 6a3e6db2a..f769df43b 100755 --- a/test/network/4bridges_arp.exp +++ b/test/network/4bridges_arp.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) diff --git a/test/network/4bridges_ip.exp b/test/network/4bridges_ip.exp index 8068aeebb..db7a61867 100755 --- a/test/network/4bridges_ip.exp +++ b/test/network/4bridges_ip.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) diff --git a/test/network/README b/test/network/README new file mode 100644 index 000000000..27e5667a2 --- /dev/null +++ b/test/network/README @@ -0,0 +1,15 @@ +Warning: this test requires root access to configure a number of bridge, macvlan and +vlan devices. Please take a look at configure file. By the time you are finished testing, +you'll probably have to reboot the computer to get your networking subsytem +back to normal. + +Limitations - to be investigated and fixed: + - the test is assuming an eth0 wired interface to be present + - using netstat and ifconfig - this needs to be moved to iproute2 utilities + - configure script inserts an entry in system netfilter configuration + - the test will probably not work on grsecurity settings + - macvlan interfaces don't seem to work correctly under VirtualBox + +Run the test: + $ sudo ./configure + $ ./network.sh | grep TESTING diff --git a/test/network/bandwidth.exp b/test/network/bandwidth.exp index 33b351296..a3dc9b55f 100755 --- a/test/network/bandwidth.exp +++ b/test/network/bandwidth.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) 
@@ -51,11 +54,11 @@ expect { } sleep 1 -send -- "firejail --bandwidth=test status; pwd\r" +send -- "firejail --bandwidth=test status; echo done\r" expect { timeout {puts "TESTING ERROR 8\n";exit} "rate 80Kbit burst 10Kb" {puts "TESTING ERROR 9\n";exit} - "home" {puts "ok\n"} + "done" } sleep 1 diff --git a/test/network/configure b/test/network/configure index 788c5a9a0..35d938340 100755 --- a/test/network/configure +++ b/test/network/configure @@ -1,4 +1,7 @@ #!/bin/bash +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 brctl addbr br0 ifconfig br0 10.10.20.1/29 up diff --git a/test/network/hostname.exp b/test/network/hostname.exp index 4e5c7e073..53f24f7b1 100755 --- a/test/network/hostname.exp +++ b/test/network/hostname.exp @@ -1,24 +1,27 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail --hostname=baluba --noprofile\r" +send -- "firejail --hostname=bingo --noprofile\r" expect { timeout {puts "TESTING ERROR 1\n";exit} "Child process initialized" } sleep 1 -send -- "ping -c 3 baluba;pwd\r" +send -- "ping -c 3 bingo; echo done\r" expect { timeout {puts "TESTING ERROR 2\n";exit} "3 packets transmitted, 3 received" } expect { timeout {puts "TESTING ERROR 3\n";exit} - "home" + "done" } sleep 1 diff --git a/test/network/ip6.exp b/test/network/ip6.exp index fba47d095..2cd756a1d 100755 --- a/test/network/ip6.exp +++ b/test/network/ip6.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) diff --git a/test/network/net_arp.exp b/test/network/net_arp.exp index 9e07744f3..f27f85814 100755 --- a/test/network/net_arp.exp +++ b/test/network/net_arp.exp 
@@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) diff --git a/test/network/net_badip.exp b/test/network/net_badip.exp index 71b69e104..8003252d6 100755 --- a/test/network/net_badip.exp +++ b/test/network/net_badip.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) diff --git a/test/network/net_defaultgw.exp b/test/network/net_defaultgw.exp index 840f2ccac..5534b7706 100755 --- a/test/network/net_defaultgw.exp +++ b/test/network/net_defaultgw.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) diff --git a/test/network/net_defaultgw2.exp b/test/network/net_defaultgw2.exp index db14e17cb..86f204e8c 100755 --- a/test/network/net_defaultgw2.exp +++ b/test/network/net_defaultgw2.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) diff --git a/test/network/net_defaultgw3.exp b/test/network/net_defaultgw3.exp index 64da9dfca..30150938f 100755 --- a/test/network/net_defaultgw3.exp +++ b/test/network/net_defaultgw3.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) diff --git a/test/network/net_interface.exp b/test/network/net_interface.exp index 4b55187ff..2e6619938 100755 --- a/test/network/net_interface.exp +++ b/test/network/net_interface.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) 
diff --git a/test/network/net_ip.exp b/test/network/net_ip.exp index f5d487ecc..0eff212dd 100755 --- a/test/network/net_ip.exp +++ b/test/network/net_ip.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) diff --git a/test/network/net_local.exp b/test/network/net_local.exp index 642213658..60ab2af05 100755 --- a/test/network/net_local.exp +++ b/test/network/net_local.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) diff --git a/test/network/net_mac.exp b/test/network/net_mac.exp index 076634730..5c48be9fd 100755 --- a/test/network/net_mac.exp +++ b/test/network/net_mac.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) diff --git a/test/network/net_macvlan.exp b/test/network/net_macvlan.exp index 20d022de9..ca503c26a 100755 --- a/test/network/net_macvlan.exp +++ b/test/network/net_macvlan.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) diff --git a/test/network/net_mtu.exp b/test/network/net_mtu.exp index 7943b2866..21b9aa5cb 100755 --- a/test/network/net_mtu.exp +++ b/test/network/net_mtu.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) diff --git a/test/network/net_netfilter.exp b/test/network/net_netfilter.exp index 989fcc407..f011f3746 100755 --- a/test/network/net_netfilter.exp +++ b/test/network/net_netfilter.exp 
@@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) diff --git a/test/network/net_noip.exp b/test/network/net_noip.exp index 8d28adb39..3fb53d860 100755 --- a/test/network/net_noip.exp +++ b/test/network/net_noip.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) @@ -16,24 +19,24 @@ send -- "bash\r" sleep 1 # no default gateway configured -send -- "netstat -rn;pwd\r" +send -- "netstat -rn;echo done\r" expect { timeout {puts "TESTING ERROR 2\n";exit} "0.0.0.0" {puts "TESTING ERROR 3\n";exit} "eth0" {puts "TESTING ERROR 4\n";exit} - "home" + "done" } sleep 1 # eth0 configured -send -- "/sbin/ifconfig;pwd\r" +send -- "/sbin/ifconfig;echo done\r" expect { timeout {puts "TESTING ERROR 5\n";exit} "eth0" } expect { timeout {puts "TESTING ERROR 6\n";exit} - "home" + "done" } after 100 diff --git a/test/network/net_noip2.exp b/test/network/net_noip2.exp index 58f90422b..cf86d7f6b 100755 --- a/test/network/net_noip2.exp +++ b/test/network/net_noip2.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) @@ -16,24 +19,24 @@ send -- "bash\r" sleep 1 # no default gateway configured -send -- "netstat -rn;pwd\r" +send -- "netstat -rn;echo done\r" expect { timeout {puts "TESTING ERROR 2\n";exit} "0.0.0.0" {puts "TESTING ERROR 3\n";exit} "eth0" {puts "TESTING ERROR 4\n";exit} - "home" + "done" } sleep 1 # eth0 configured -send -- "/sbin/ifconfig;pwd\r" +send -- "/sbin/ifconfig;echo done\r" expect { timeout {puts "TESTING ERROR 5\n";exit} "eth0" } expect { timeout {puts "TESTING ERROR 6\n";exit} - "home" + "done" } after 100 
diff --git a/test/network/net_none.exp b/test/network/net_none.exp index 54b6cb946..1c1577d76 100755 --- a/test/network/net_none.exp +++ b/test/network/net_none.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) @@ -16,20 +19,20 @@ sleep 1 # test default gw send -- "bash\r" sleep 1 -send -- "netstat -rn; pwd\r" +send -- "netstat -rn; echo done\r" expect { timeout {puts "TESTING ERROR 1\n";exit} "0.0.0.0" {puts "TESTING ERROR 1.1\n";exit} - "home" + "done" } sleep 1 # check again devices -send -- "cat /proc/1/net/dev;pwd\r" +send -- "cat /proc/1/net/dev;echo done\r" expect { timeout {puts "TESTING ERROR 2\n";exit} "eth0" {puts "TESTING ERROR 2.1\n";exit} - "home" + "done" } send -- "exit\r" sleep 1 @@ -48,21 +51,21 @@ sleep 1 # test default gw send -- "bash\r" sleep 1 -send -- "netstat -rn; pwd\r" +send -- "netstat -rn; echo done\r" expect { timeout {puts "TESTING ERROR 4\n";exit} "0.0.0.0" {puts "TESTING ERROR 4.1\n";exit} - "home" + "done" } sleep 1 # check again devices -send -- "cat /proc/1/net/dev;pwd\r" +send -- "cat /proc/1/net/dev;echo done\r" expect { timeout {puts "TESTING ERROR 5\n";exit} "eth0" {puts "TESTING ERROR 5.1\n";exit} - "home" + "done" } sleep 1 -puts "\n" +puts "\nall done\n" diff --git a/test/network/net_profile.exp b/test/network/net_profile.exp index 37043c906..7e88193cc 100755 --- a/test/network/net_profile.exp +++ b/test/network/net_profile.exp @@ -1,4 +1,7 @@ #!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 set timeout 10 spawn $env(SHELL) -- cgit v1.2.3-70-g09d2 From d568d2958f627bffaf1d250128da74ae2e4a5c74 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 3 May 2016 11:29:08 -0400 Subject: testing --- Makefile.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile.in b/Makefile.in index 3f937b532..39766a8b0 100644 
--- a/Makefile.in +++ b/Makefile.in @@ -304,5 +304,5 @@ test-filters: test-network: echo "Please read test/netwok/README file and run the test manually" -test: test-profiles test-utils test-environment test-apps test-apps-x11 +test: test-profiles test-utils test-environment test-apps test-apps-x11 test-filters test-network echo "TEST COMPLETE" -- cgit v1.2.3-70-g09d2 From f2f331553c5fe3c78a44e9a0b0b9026fcb59745a Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 3 May 2016 13:16:33 -0400 Subject: test fixes --- src/firejail/sandbox.c | 2 +- test/filters/noroot.exp | 1 + test/filters/seccomp-dualfilter.exp | 7 +++---- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 4473e306c..5cfee44d8 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -722,7 +722,7 @@ int sandbox(void* sandbox_arg) { if (arg_noroot) { int rv = unshare(CLONE_NEWUSER); if (rv == -1) { - fprintf(stderr, "Warning: cannot mount a new user namespace, going forward without it...\n"); + fprintf(stderr, "Warning: cannot create a new user namespace, going forward without it...\n"); drop_privs(arg_nogroups); arg_noroot = 0; } diff --git a/test/filters/noroot.exp b/test/filters/noroot.exp index a1f6ce88d..7f4f189ee 100755 --- a/test/filters/noroot.exp +++ b/test/filters/noroot.exp @@ -10,6 +10,7 @@ match_max 100000 send -- "firejail --noprofile --noroot --caps.drop=all --seccomp\r" expect { timeout {puts "TESTING ERROR 1\n";exit} + "cannot create a new user namespace" {puts "TESTING SKIP: user namespace not available\n"; exit} "Child process initialized" } sleep 1 diff --git a/test/filters/seccomp-dualfilter.exp b/test/filters/seccomp-dualfilter.exp index 7c964d5c3..7efc117da 100755 --- a/test/filters/seccomp-dualfilter.exp +++ b/test/filters/seccomp-dualfilter.exp 
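Review bot: The `--noroot` branch in sandbox() still fails open after this rewording: when `unshare(CLONE_NEWUSER)` returns -1 the code prints the warning, clears `arg_noroot` and carries on. A user who asked for a user namespace therefore gets a sandbox without one, with only a line on stderr to show it. If that fallback is deliberate, a comment above the warning would record the decision, for example `// fail-open on purpose: kernels without user namespaces keep the rest of the sandbox`; if it is not, this is the place to stop with `exit(1)`. The body of sandbox() continues outside the hunk, so what else depends on `arg_noroot` later is not visible here.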
@@ -25,10 +25,9 @@ sleep 1 send -- "firejail ./syscall_test32 mount\r" expect { - "syscall_test32: No such file or directory" {puts "\nTESTING SKIP 3: can't execute 32 bit binary\n"; exit} -} -expect { - timeout {puts "TESTING ERROR 4\n";exit} + timeout {puts "TESTING ERROR 4\n";exit} + "No such file or directory" {puts "\nTESTING SKIP 3: can't execute 32 bit binary\n"; exit} + "Parent is shutting down, bye" {puts "\nTESTING SKIP 3: can't execute 32 bit binary\n"; exit} "Child process initialized" } expect { -- cgit v1.2.3-70-g09d2 From c3354382c92b386da5ed76f5b12643412a2d32ea Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 4 May 2016 12:18:50 -0400 Subject: rename generic.profile as default.profile --- Makefile.in | 2 +- RELNOTES | 1 + etc/default.profile | 15 +++++++++++++++ etc/generic.profile | 15 --------------- platform/debian/conffiles | 2 +- src/firejail/firejail.h | 2 +- src/firejail/main.c | 4 ++-- src/man/firejail-profile.txt | 2 +- src/man/firejail.txt | 4 ++-- test/extract_command.exp | 2 +- test/private.exp | 2 +- 11 files changed, 26 insertions(+), 25 deletions(-) create mode 100644 etc/default.profile delete mode 100644 etc/generic.profile diff --git a/Makefile.in b/Makefile.in index 39766a8b0..92254fbc0 100644 --- a/Makefile.in +++ b/Makefile.in @@ -113,7 +113,7 @@ realinstall: install -c -m 0644 .etc/vlc.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/deluge.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/qbittorrent.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/generic.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/default.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/pidgin.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/xchat.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/empathy.profile $(DESTDIR)/$(sysconfdir)/firejail/. diff --git a/RELNOTES b/RELNOTES index b6304249f..8ccbeed0d 100644 
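Review bot: The two new SKIP patterns in seccomp-dualfilter.exp are broad enough to hide real failures: `"No such file or directory"` no longer names `syscall_test32`, and `"Parent is shutting down, bye"` looks like firejail's generic exit message rather than anything specific to a missing 32-bit binary. A sandbox that dies early for any other reason would then be reported as `TESTING SKIP 3` instead of an error, in a test that exists to verify seccomp filtering. Keeping the original pattern `"syscall_test32: No such file or directory"` and giving the shutdown case its own label, such as `TESTING SKIP 3.1: sandbox exited before start`, would keep the two outcomes distinguishable. The test continues past the end of the hunk.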
--- a/RELNOTES +++ b/RELNOTES @@ -24,6 +24,7 @@ firejail (0.9.40-rc1) baseline; urgency=low * new profiles: okular, gwenview, Google-Play-Music-Desktop-Player * new profiles: Aweather, Stellarium, gpredict, quiterss, cyberfox * new profiles: generic Ubuntu snap application profile + * generic.profile renamed default.profile * build rpm packages using "make rpms" * bugfixes -- netblue30 Sun, 3 Apr 2016 08:00:00 -0500 diff --git a/etc/default.profile b/etc/default.profile new file mode 100644 index 000000000..f2c7d4114 --- /dev/null +++ b/etc/default.profile @@ -0,0 +1,15 @@ +################################ +# Generic GUI application profile +################################ +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +#blacklist ${HOME}/.wine + +caps.drop all +seccomp +protocol unix,inet,inet6 +netfilter +noroot + diff --git a/etc/generic.profile b/etc/generic.profile deleted file mode 100644 index f2c7d4114..000000000 --- a/etc/generic.profile +++ /dev/null @@ -1,15 +0,0 @@ -################################ -# Generic GUI application profile -################################ -include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc -include /etc/firejail/disable-passwdmgr.inc - -#blacklist ${HOME}/.wine - -caps.drop all -seccomp -protocol unix,inet,inet6 -netfilter -noroot - diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 11d583ec3..109af24d7 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -27,7 +27,7 @@ /etc/firejail/totem.profile /etc/firejail/deluge.profile /etc/firejail/qbittorrent.profile -/etc/firejail/generic.profile +/etc/firejail/default.profile /etc/firejail/xchat.profile /etc/firejail/server.profile /etc/firejail/quassel.profile diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 302883310..f4a176caf 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h 
@@ -68,7 +68,7 @@ #define RUN_FSLOGGER_FILE "/run/firejail/mnt/fslogger" // profiles -#define DEFAULT_USER_PROFILE "generic" +#define DEFAULT_USER_PROFILE "default" #define DEFAULT_ROOT_PROFILE "server" #define MAX_INCLUDE_LEVEL 6 // include levels in profile files diff --git a/src/firejail/main.c b/src/firejail/main.c index 3ba3dd531..7aa81a9c5 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -696,7 +696,7 @@ int main(int argc, char **argv) { int option_force = 0; int custom_profile = 0; // custom profile loaded char *custom_profile_dir = NULL; // custom profile directory - int arg_noprofile = 0; // use generic.profile if none other found/specified + int arg_noprofile = 0; // use default.profile if none other found/specified #ifdef HAVE_SECCOMP int highest_errno = errno_highest_nr(); #endif @@ -1920,7 +1920,7 @@ int main(int argc, char **argv) { } } - // use generic.profile as the default + // use default.profile as the default if (!custom_profile && !arg_noprofile) { if (cfg.chrootdir) fprintf(stderr, "Warning: default profile disabled by --chroot option\n"); diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 19063f5ef..0e9614ab6 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -44,7 +44,7 @@ To disable default profile loading, use --noprofile command option. Example: .RS $ firejail .br -Reading profile /etc/firejail/generic.profile +Reading profile /etc/firejail/default.profile .br Parent pid 8553, child pid 8554 .br diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 6be278063..995aee809 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -868,7 +868,7 @@ Example: .br $ firejail .br -Reading profile /etc/firejail/generic.profile +Reading profile /etc/firejail/default.profile .br Parent pid 8553, child pid 8554 .br 
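Review bot: Changing `DEFAULT_USER_PROFILE` to `"default"` means a locally edited `generic.profile` is no longer the fallback, and neither this hunk nor the two main.c hunks warn about that. The same commit deletes etc/generic.profile and swaps the conffiles entry, so an administrator's edits to the old file (and presumably a per-user override of the same name) would silently stop applying and the sandbox would run with the stock rules instead. The RELNOTES line records the rename, but a hint at the define would help the next maintainer, e.g. `// named "generic" before 0.9.40; a leftover generic.profile is not read`. A one-time warning when the old file is still present would be more visible to users.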
@@ -1786,7 +1786,7 @@ To disable default profile loading, use --noprofile command option. Example: .RS $ firejail .br -Reading profile /etc/firejail/generic.profile +Reading profile /etc/firejail/default.profile .br Parent pid 8553, child pid 8554 .br diff --git a/test/extract_command.exp b/test/extract_command.exp index 99c1cc134..851b793c9 100755 --- a/test/extract_command.exp +++ b/test/extract_command.exp @@ -7,7 +7,7 @@ match_max 100000 send -- "firejail --debug ls -al\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Reading profile /etc/firejail/generic.profile" + "Reading profile /etc/firejail/default.profile" } expect { timeout {puts "TESTING ERROR 2\n";exit} diff --git a/test/private.exp b/test/private.exp index a5920c37b..80a921529 100755 --- a/test/private.exp +++ b/test/private.exp @@ -12,7 +12,7 @@ if { $argc != 1 } { } # testing profile and private -send -- "firejail --private --profile=/etc/firejail/generic.profile\r" +send -- "firejail --private --profile=/etc/firejail/default.profile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "Child process initialized" -- cgit v1.2.3-70-g09d2 From 37a5a3545ef6d8d03dad8bbd888f53e13274c9e5 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Thu, 5 May 2016 10:22:18 -0400 Subject: testing --- Makefile.in | 6 +- test/environment/environment.sh | 5 + test/environment/quiet.exp | 21 ++++ test/fs/fs.sh | 50 +++++++++ test/fs/fs_dev_shm.exp | 90 +++++++++++++++++ test/fs/fs_var_lock.exp | 90 +++++++++++++++++ test/fs/fs_var_tmp.exp | 90 +++++++++++++++++ test/fs/invalid_filename.exp | 189 ++++++++++++++++++++++++++++++++++ test/fs/kmsg.exp | 32 ++++++ test/fs/option_bind_user.exp | 15 +++ test/fs/option_blacklist.exp | 38 +++++++ test/fs/option_blacklist_file.exp | 26 +++++ test/fs/private-bin.exp | 71 +++++++++++++ test/fs/private-bin.profile | 1 + test/fs/private-etc.exp | 45 +++++++++ test/fs/private-whitelist.exp | 39 +++++++ test/fs/private.exp | 100 ++++++++++++++++++ test/fs/whitelist-empty.exp | 53 ++++++++++ test/fs_dev_shm.exp | 87 ---------------- test/fs_var_lock.exp | 87 ---------------- test/fs_var_tmp.exp | 87 ---------------- test/invalid_filename.exp | 207 -------------------------------------- test/kmsg.exp | 29 ------ test/option_bind_user.exp | 15 --- test/option_blacklist.exp | 35 ------- test/option_blacklist_file.exp | 26 ----- test/pid.exp | 49 --------- test/private-bin.exp | 71 ------------- test/private-bin.profile | 1 - test/private-etc.exp | 42 -------- test/private-whitelist.exp | 36 ------- test/private.exp | 97 ------------------ test/quiet.exp | 17 ---- test/test-nonet.sh | 44 -------- test/test.sh | 112 --------------------- test/whitelist-empty.exp | 50 --------- 36 files changed, 960 insertions(+), 1093 deletions(-) create mode 100755 test/environment/quiet.exp create mode 100755 test/fs/fs.sh create mode 100755 test/fs/fs_dev_shm.exp create mode 100755 test/fs/fs_var_lock.exp create mode 100755 test/fs/fs_var_tmp.exp create mode 100755 test/fs/invalid_filename.exp create mode 100755 test/fs/kmsg.exp create mode 100755 test/fs/option_bind_user.exp create mode 100755 test/fs/option_blacklist.exp create mode 100755 test/fs/option_blacklist_file.exp 
create mode 100755 test/fs/private-bin.exp create mode 100644 test/fs/private-bin.profile create mode 100755 test/fs/private-etc.exp create mode 100755 test/fs/private-whitelist.exp create mode 100755 test/fs/private.exp create mode 100755 test/fs/whitelist-empty.exp delete mode 100755 test/fs_dev_shm.exp delete mode 100755 test/fs_var_lock.exp delete mode 100755 test/fs_var_tmp.exp delete mode 100755 test/invalid_filename.exp delete mode 100755 test/kmsg.exp delete mode 100755 test/option_bind_user.exp delete mode 100755 test/option_blacklist.exp delete mode 100755 test/option_blacklist_file.exp delete mode 100755 test/pid.exp delete mode 100755 test/private-bin.exp delete mode 100644 test/private-bin.profile delete mode 100755 test/private-etc.exp delete mode 100755 test/private-whitelist.exp delete mode 100755 test/private.exp delete mode 100755 test/quiet.exp delete mode 100755 test/test-nonet.sh delete mode 100755 test/whitelist-empty.exp diff --git a/Makefile.in b/Makefile.in index 92254fbc0..9a6044fcb 100644 --- a/Makefile.in +++ b/Makefile.in @@ -255,6 +255,7 @@ dist: cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/dist-compile test/.; cd .. cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/filters test/.; cd .. cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/network test/.; cd .. + cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/fs test/.; cd .. cd $(NAME)-$(VERSION); rm -fr `find . -name .svn`; rm -fr $(NAME)-$(VERSION); cd .. tar -cjvf $(NAME)-$(VERSION).tar.bz2 $(NAME)-$(VERSION) rm -fr $(NAME)-$(VERSION) @@ -304,5 +305,8 @@ test-filters: test-network: echo "Please read test/netwok/README file and run the test manually" -test: test-profiles test-utils test-environment test-apps test-apps-x11 test-filters test-network +test-fs: + cd test/fs; ./fs.sh | grep TESTING + +test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-filters test-network echo "TEST COMPLETE" 
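Review bot: The new `test-fs` recipe cannot fail on a test error: the status of `./fs.sh | grep TESTING` is grep's, and grep succeeds precisely when a `TESTING ERROR` line is printed. The expect scripts added in this commit leave with a bare `exit` after reporting an error and fs.sh does not look at their status, so `make test` reaches `TEST COMPLETE` regardless of what the sandbox checks found. Something like `cd test/fs; ./fs.sh | tee fs.log | grep TESTING; ! grep -q "TESTING ERROR" fs.log` would turn an error line into a failing target. Whether the other test targets share this pattern cannot be seen from the hunk.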
diff --git a/test/environment/environment.sh b/test/environment/environment.sh index 7b29a3482..49b50797a 100755 --- a/test/environment/environment.sh +++ b/test/environment/environment.sh @@ -62,3 +62,8 @@ fi echo "TESTING: nice (test/environment/nice.exp)" ./nice.exp + +echo "TESTING: quiet (test/environment/quiet.exp)" +./quiet.exp + + diff --git a/test/environment/quiet.exp b/test/environment/quiet.exp new file mode 100755 index 000000000..38da4673e --- /dev/null +++ b/test/environment/quiet.exp @@ -0,0 +1,21 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 4 +spawn $env(SHELL) +match_max 100000 + +# check ip address +send -- "firejail --quiet echo done\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Reading profile" {puts "TESTING ERROR 2\n";exit} + "Child process initialized" {puts "TESTING ERROR 3\n";exit} + "done" +} +sleep 1 + +puts "\nall done\n" + diff --git a/test/fs/fs.sh b/test/fs/fs.sh new file mode 100755 index 000000000..425af45a6 --- /dev/null +++ b/test/fs/fs.sh 
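Review bot: In quiet.exp the success pattern `"done"` also occurs in the command just sent, so with terminal echo on (the default for a spawned shell) the block can match the echoed `firejail --quiet echo done` before firejail prints anything. The `"Reading profile"` and `"Child process initialized"` failure patterns are then never evaluated. The same sentinel is introduced in fs_dev_shm.exp, fs_var_lock.exp and fs_var_tmp.exp, where this commit replaces `;pwd` / `"home"` with `;echo done` / `"done"`, which weakens their final `"mytest"` negative check in the same way. Matching the sentinel only at the start of an output line avoids this, e.g. `-re "\r\ndone"`. The comment `# check ip address` also looks copied from another test and should describe the quiet check.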
@@ -0,0 +1,50 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+
+echo "TESTING: kmsg access (test/fs/kmsg.exp)"
+./kmsg.exp
+
+echo "TESTING: read/write /var/tmp (test/fs/fs_var_tmp.exp)"
+./fs_var_tmp.exp
+
+echo "TESTING: read/write /var/lock (test/fs/fs_var_lock.exp)"
+./fs_var_lock.exp
+
+echo "TESTING: read/write /dev/shm (test/fs/fs_dev_shm.exp)"
+./fs_dev_shm.exp
+
+echo "TESTING: private (test/fs/private.exp)"
+./private.exp `whoami`
+
+echo "TESTING: private-etc (test/fs/private-etc.exp)"
+./private-etc.exp
+
+echo "TESTING: private-bin (test/fs/private-bin.exp)"
+./private-bin.exp
+
+echo "TESTING: whitelist empty (test/fs/whitelist-empty.exp)"
+./whitelist-empty.exp
+
+echo "TESTING: private whitelist (test/fs/private-whitelist.exp)"
+echo "TESTING: (failing on OpenSUSE)"
+./private-whitelist.exp
+
+echo "TESTING: invalid filename (test/fs/invalid_filename.exp)"
+./invalid_filename.exp
+
+echo "TESTING: blacklist directory (test/fs/option_blacklist.exp)"
+./option_blacklist.exp
+
+echo "TESTING: blacklist file (test/fs/option_blacklist_file.exp)"
+./option_blacklist_file.exp
+
+echo "TESTING: bind as user (test/fs/option_bind_user.exp)"
+./option_bind_user.exp
+
+
+
diff --git a/test/fs/fs_dev_shm.exp b/test/fs/fs_dev_shm.exp
new file mode 100755
index 000000000..6d27978e2
--- /dev/null
+++ b/test/fs/fs_dev_shm.exp
@@ -0,0 +1,90 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+# testing read-write /dev/shm
+send -- "firejail\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "echo mytest > /dev/shm/ttt;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "done"
+}
+
+send -- "cat /dev/shm/ttt;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "mytest"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "done"
+}
+
+send -- "rm /dev/shm/ttt;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "done"
+}
+
+send -- "cat /dev/shm/ttt;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "mytest" {puts "TESTING ERROR 6\n";exit}
+ "done"
+}
+
+sleep 1
+send -- "exit\r"
+sleep 1
+
+# redo the test with --private
+send -- "firejail\r"
+expect {
+ timeout {puts "TESTING ERROR 7\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "echo mytest > /dev/shm/ttt;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 8\n";exit}
+ "done"
+}
+
+send -- "cat /dev/shm/ttt;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 9\n";exit}
+ "mytest"
+}
+expect {
+ timeout {puts "TESTING ERROR 10\n";exit}
+ "done"
+}
+
+send -- "rm /dev/shm/ttt;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 11\n";exit}
+ "done"
+}
+
+send -- "cat /dev/shm/ttt;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 12\n";exit}
+ "mytest" {puts "TESTING ERROR 13\n";exit}
+ "done"
+}
+
+sleep 1
+
+puts "\nall done\n"
diff --git a/test/fs/fs_var_lock.exp b/test/fs/fs_var_lock.exp
new file mode 100755
index 000000000..0e2b3181a
--- /dev/null
+++ b/test/fs/fs_var_lock.exp
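Review bot: The second half is introduced by `# redo the test with --private`, but the command sent is again plain `firejail`, so the private-home case is never exercised and the block only repeats the first one. If the comment states the intent, the line should read `send -- "firejail --private\r"`. The new fs_var_lock.exp and fs_var_tmp.exp carry the same comment and the same command. The removed test/fs_dev_shm.exp shows the identical mismatch, so this predates the move into test/fs.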
@@ -0,0 +1,90 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +# testing read-write /var/lock +send -- "firejail\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "echo mytest > /var/lock/ttt;echo done\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "done" +} + +send -- "cat /var/lock/ttt;echo done\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "mytest" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "done" +} + +send -- "rm /var/lock/ttt;echo done\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "done" +} + +send -- "cat /var/lock/ttt;echo done\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "mytest" {puts "TESTING ERROR 6\n";exit} + "done" +} + +sleep 1 +send -- "exit\r" +sleep 1 + +# redo the test with --private +send -- "firejail\r" +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "echo mytest > /var/lock/ttt;echo done\r" +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "done" +} + +send -- "cat /var/lock/ttt;echo done\r" +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "mytest" +} +expect { + timeout {puts "TESTING ERROR 10\n";exit} + "done" +} + +send -- "rm /var/lock/ttt;echo done\r" +expect { + timeout {puts "TESTING ERROR 11\n";exit} + "done" +} + +send -- "cat /var/lock/ttt;echo done\r" +expect { + timeout {puts "TESTING ERROR 12\n";exit} + "mytest" {puts "TESTING ERROR 13\n";exit} + "done" +} + +sleep 1 + +puts "\nall done\n" diff --git a/test/fs/fs_var_tmp.exp b/test/fs/fs_var_tmp.exp new file mode 100755 index 000000000..811baac68 --- /dev/null +++ b/test/fs/fs_var_tmp.exp 
@@ -0,0 +1,90 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +# testing read-write /var/tmp +send -- "firejail\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "echo mytest > /var/tmp/ttt;echo done\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "done" +} + +send -- "cat /var/tmp/ttt;echo done\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "mytest" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "done" +} + +send -- "rm /var/tmp/ttt;echo done\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "done" +} + +send -- "cat /var/tmp/ttt;echo done\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "mytest" {puts "TESTING ERROR 6\n";exit} + "done" +} + +sleep 1 +send -- "exit\r" +sleep 1 + +# redo the test with --private +send -- "firejail\r" +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "echo mytest > /var/tmp/ttt;echo done\r" +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "done" +} + +send -- "cat /var/tmp/ttt;echo done\r" +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "mytest" +} +expect { + timeout {puts "TESTING ERROR 10\n";exit} + "done" +} + +send -- "rm /var/tmp/ttt;echo done\r" +expect { + timeout {puts "TESTING ERROR 11\n";exit} + "done" +} + +send -- "cat /var/tmp/ttt;echo done\r" +expect { + timeout {puts "TESTING ERROR 12\n";exit} + "mytest" {puts "TESTING ERROR 13\n";exit} + "done" +} + +sleep 1 + +puts "\nall done\n" diff --git a/test/fs/invalid_filename.exp b/test/fs/invalid_filename.exp new file mode 100755 index 000000000..1acc85491 --- /dev/null +++ b/test/fs/invalid_filename.exp 
@@ -0,0 +1,189 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --debug-check-filename --noprofile --blacklist=\"bla&&bla\"\r" +expect { + timeout {puts "TESTING ERROR 1.1\n";exit} + "Checking filename bla&&bla" +} +expect { + timeout {puts "TESTING ERROR 1.2\n";exit} + "Error:" +} +expect { + timeout {puts "TESTING ERROR 1.3\n";exit} + "is an invalid filename" +} +after 100 + +send -- "firejail --debug-check-filename --noprofile --cgroup=\"bla&&bla\"\r" +expect { + timeout {puts "TESTING ERROR 2.1\n";exit} + "Checking filename bla&&bla" +} +expect { + timeout {puts "TESTING ERROR 2.2\n";exit} + "Error:" +} +expect { + timeout {puts "TESTING ERROR 2.3\n";exit} + "is an invalid filename" +} +after 100 + +send -- "firejail --debug-check-filename --noprofile --chroot=\"bla&&bla\"\r" +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "Checking filename bla&&bla" {puts "normal system\n"} + "Error: --chroot option is not available on Grsecurity systems" { puts "\nall done\n"; exit} +} +expect { + timeout {puts "TESTING ERROR 3.2\n";exit} + "Error:" +} +expect { + timeout {puts "TESTING ERROR 3.3\n";exit} + "is an invalid filename" +} +after 100 + +send -- "firejail --debug-check-filename --noprofile --netfilter=\"bla&&bla\"\r" +expect { + timeout {puts "TESTING ERROR 4.1\n";exit} + "Checking filename bla&&bla" +} +expect { + timeout {puts "TESTING ERROR 4.2\n";exit} + "Error:" +} +expect { + timeout {puts "TESTING ERROR 4.3\n";exit} + "is an invalid filename" +} +after 100 + +send -- "firejail --debug-check-filename --noprofile --output=\"bla&&bla\"\r" +expect { + timeout {puts "TESTING ERROR 5.2\n";exit} + "Error:" +} +expect { + timeout {puts "TESTING ERROR 5.3\n";exit} + "is an invalid filename" +} +after 100 + +send -- "firejail --debug-check-filename --noprofile --private=\"bla&&bla\"\r" +expect { + timeout 
{puts "TESTING ERROR 6.1\n";exit} + "Checking filename bla&&bla" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "Error:" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "is an invalid filename" +} +after 100 + +send -- "firejail --debug-check-filename --noprofile --private-bin=\"bla&&bla\"\r" +expect { + timeout {puts "TESTING ERROR 7.1\n";exit} + "Checking filename bla&&bla" +} +expect { + timeout {puts "TESTING ERROR 7.2\n";exit} + "Error:" +} +expect { + timeout {puts "TESTING ERROR 7.3\n";exit} + "is an invalid filename" +} +after 100 + +send -- "firejail --debug-check-filename --noprofile --private-etc=\"bla&&bla\"\r" +expect { + timeout {puts "TESTING ERROR 9.1\n";exit} + "Checking filename bla&&bla" +} +expect { + timeout {puts "TESTING ERROR 9.2\n";exit} + "Error:" +} +expect { + timeout {puts "TESTING ERROR 9.3\n";exit} + "is an invalid filename" +} +after 100 + +send -- "firejail --debug-check-filename --profile=\"bla&&bla\"\r" +expect { + timeout {puts "TESTING ERROR 10.1\n";exit} + "Checking filename bla&&bla" +} +expect { + timeout {puts "TESTING ERROR 10.2\n";exit} + "Error:" +} +expect { + timeout {puts "TESTING ERROR 10.3\n";exit} + "is an invalid filename" +} +after 100 + +send -- "firejail --debug-check-filename --read-only=\"bla&&bla\"\r" +expect { + timeout {puts "TESTING ERROR 11.1\n";exit} + "Checking filename bla&&bla" +} +expect { + timeout {puts "TESTING ERROR 11.2\n";exit} + "Error:" +} +expect { + timeout {puts "TESTING ERROR 11.3\n";exit} + "is an invalid filename" +} +after 100 + +send -- "firejail --debug-check-filename --shell=\"bla&&bla\"\r" +expect { + timeout {puts "TESTING ERROR 12.1\n";exit} + "Checking filename bla&&bla" +} +expect { + timeout {puts "TESTING ERROR 12.2\n";exit} + "Error:" +} +expect { + timeout {puts "TESTING ERROR 12.3\n";exit} + "is an invalid filename" +} +after 100 + + +send -- "firejail --debug-check-filename --whitelist=\"bla&&bla\"\r" +expect { + timeout {puts "TESTING ERROR 
14.1\n";exit} + "Checking filename bla&&bla" +} +expect { + timeout {puts "TESTING ERROR 14.2\n";exit} + "Error:" +} +expect { + timeout {puts "TESTING ERROR 14.3\n";exit} + "is an invalid filename" +} +after 100 + +puts "\nall done\n" + diff --git a/test/fs/kmsg.exp b/test/fs/kmsg.exp new file mode 100755 index 000000000..abc711aee --- /dev/null +++ b/test/fs/kmsg.exp @@ -0,0 +1,32 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "cat /dev/kmsg\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Permission denied" +} +after 100 + +send -- "cat /proc/kmsg\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "Permission denied" +} +after 100 + +puts "\nall done\n" + diff --git a/test/fs/option_bind_user.exp b/test/fs/option_bind_user.exp new file mode 100755 index 000000000..9d2d17d7f --- /dev/null +++ b/test/fs/option_bind_user.exp @@ -0,0 +1,15 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --bind=/tmp/chroot,mntpoint\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "bind option is available only if running as root" +} +sleep 1 + +puts "\n" + diff --git a/test/fs/option_blacklist.exp b/test/fs/option_blacklist.exp new file mode 100755 index 000000000..38fd19237 --- /dev/null +++ b/test/fs/option_blacklist.exp 
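Review bot: On a Grsecurity system the `--chroot` block in invalid_filename.exp prints `all done` and exits, which skips every check after it (`--netfilter`, `--output`, `--private` through `--whitelist`) while reporting success. Only the chroot case needs skipping, so moving that case to the end of the file would keep the remaining filename checks running on such hosts. The error labels also jump over 8 and 13, and the `--output` case has no `Checking filename` expectation, unlike its neighbours. The option list that headed the removed test/invalid_filename.exp (it named `--private-home` and `--tmpfs`, and explained why `--bind` is not tested) was not carried over, so it is no longer visible which options are deliberately uncovered; I would restore that comment block.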
@@ -0,0 +1,38 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --blacklist=/var\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "ls -l /var;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Permission denied"
+}
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "done"
+}
+send -- "cd /var;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "Permission denied"
+}
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "done"
+}
+sleep 1
+
+puts "\n"
+
diff --git a/test/fs/option_blacklist_file.exp b/test/fs/option_blacklist_file.exp
new file mode 100755
index 000000000..846735d9e
--- /dev/null
+++ b/test/fs/option_blacklist_file.exp
@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --blacklist=/etc/passwd\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "cat /etc/passwd;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Permission denied"
+}
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "done"
+}
+sleep 1
+
+puts "\n"
+
diff --git a/test/fs/private-bin.exp b/test/fs/private-bin.exp
new file mode 100755
index 000000000..c19702e77
--- /dev/null
+++ b/test/fs/private-bin.exp
@@ -0,0 +1,71 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --private-bin=bash,ls,sh\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "ls /bin\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "bash"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "ls"
+}
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "sh"
+}
+
+send -- "ls /bin\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "ping" {puts "TESTING ERROR 6\n";exit}
+ "sh"
+}
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --profile=private-bin.profile\r"
+expect {
+ timeout {puts "TESTING ERROR 7\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "ls /bin\r"
+expect {
+ timeout {puts "TESTING ERROR 8\n";exit}
+ "bash"
+}
+expect {
+ timeout {puts "TESTING ERROR 9\n";exit}
+ "ls"
+}
+expect {
+ timeout {puts "TESTING ERROR 10\n";exit}
+ "sh"
+}
+
+send -- "ls /bin\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "ping" {puts "TESTING ERROR 6\n";exit}
+ "sh"
+}
+send -- "exit\r"
+
+sleep 1
+puts "\nall done\n"
+
diff --git a/test/fs/private-bin.profile b/test/fs/private-bin.profile
new file mode 100644
index 000000000..24cf5929a
--- /dev/null
+++ b/test/fs/private-bin.profile
@@ -0,0 +1 @@
+private-bin bash,ls,sh
diff --git a/test/fs/private-etc.exp b/test/fs/private-etc.exp
new file mode 100755
index 000000000..e5a006585
--- /dev/null
+++ b/test/fs/private-etc.exp
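Review bot: The last block of private-bin.exp, run under `--profile=private-bin.profile`, reuses the labels `TESTING ERROR 5` and `TESTING ERROR 6` from the first run, so a failure there cannot be told apart from one under `--private-bin=`. Continuing the sequence fixes that: `timeout {puts "TESTING ERROR 11\n";exit}` and `"ping" {puts "TESTING ERROR 12\n";exit}`. The terminating pattern `"sh"` in both negative checks is also a substring of `bash`, and `"ls"` occurs in the echoed `ls /bin`, so depending on how the output is chunked the block may finish before the whole listing has been examined. A terminator that cannot occur inside another entry would make the `ping` check dependable.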
@@ -0,0 +1,45 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+# directory with ~
+send -- "firejail --private-etc=passwd,group,resolv.conf,X11\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "ls -al /etc\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "group"
+}
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "passwd"
+}
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "resolv.conf"
+}
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ "X11"
+}
+
+send -- "ls -al /etc\r"
+expect {
+ timeout {puts "TESTING ERROR 7\n";exit}
+ "shadow" {puts "TESTING ERROR 8\n";exit}
+ "X11"
+}
+
+sleep 1
+puts "\nall done\n"
+
diff --git a/test/fs/private-whitelist.exp b/test/fs/private-whitelist.exp
new file mode 100755
index 000000000..a3d60369a
--- /dev/null
+++ b/test/fs/private-whitelist.exp
@@ -0,0 +1,39 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --private --whitelist=/tmp/.X11-unix\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "ls -al /tmp\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ ".X11-unix"
+}
+sleep 1
+
+send -- "ls -a /tmp | wc -l\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "3"
+}
+sleep 1
+
+send -- "ls -a ~ | wc -l\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "5"
+}
+
+sleep 1
+puts "\nall done\n"
+
diff --git a/test/fs/private.exp b/test/fs/private.exp
new file mode 100755
index 000000000..01f04d3cb
--- /dev/null
+++ b/test/fs/private.exp
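Review bot: In private-whitelist.exp the entry counts are matched as bare substrings (`"3"` for `ls -a /tmp | wc -l`, `"5"` for `ls -a ~ | wc -l`), so a count of 13 or 35, or a digit left in the buffer from the earlier `ls -al /tmp` listing or the prompt, satisfies them. A whitelist that exposes more files than intended can therefore still pass. Matching the whole output line closes that gap, e.g. `-re "\r\n3\r\n"` and `-re "\r\n5\r\n"`. whitelist-empty.exp uses the same style with `"0"` for all six directories and would benefit from the same change.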
@@ -0,0 +1,100 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +if { $argc != 1 } { + puts "TESTING ERROR: argument missing" + puts "Usage: private.exp username" + puts "where username is the name of the current user" + exit +} + +# testing profile and private +send -- "firejail --private --profile=/etc/firejail/default.profile\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 +send -- "exit\r" +sleep 1 + +send -- "firejail --private --noprofile\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} + +sleep 1 +send -- "cd ~; ls -al; echo done\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + ".bashrc" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + [lindex $argv 0] +} +send -- "ls -al; echo done\r" +expect { + timeout { + # OpenSUSE doesn't use .Xauthority from user done directory + send -- "env | grep XAUTHORITY\r" + + expect { + timeout {puts "TESTING ERROR 4\n";exit} + "/run/lightdm/netblue/xauthority" + } + } + ".Xauthority" +} +expect { + timeout {puts "TESTING ERROR 5\n";exit} + [lindex $argv 0] +} + + +# testing private only +send -- "bash\r" +sleep 1 +# owner /done/netblue +send -- "ls -l /done;echo done\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + [lindex $argv 0] +} +expect { + timeout {puts "TESTING ERROR 7\n";exit} + [lindex $argv 0] +} +expect { + timeout {puts "TESTING ERROR 8\n";exit} + [lindex $argv 0] +} +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "done" +} +sleep 1 + +# owner /tmp +send -- "stat -c %U%a /tmp;echo done\r" +expect { + timeout {puts "TESTING ERROR 10\n";exit} + "root777" {puts "version 1\n";} + "root1777" {puts "version 2\n";} + "nobody777" {puts "version 3\n";} + "nobody1777" {puts "version 4\n";} +} +expect { + timeout {puts "TESTING ERROR 11\n";exit} + "done" +} +sleep 1 + +puts 
"all done\n" diff --git a/test/fs/whitelist-empty.exp b/test/fs/whitelist-empty.exp new file mode 100755 index 000000000..f44d4fb58 --- /dev/null +++ b/test/fs/whitelist-empty.exp @@ -0,0 +1,53 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 30 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --whitelist=~/blablabla --whitelist=/tmp/blablabla --whitelist=/media/blablabla --whitelist=/var/blablabla --whitelist=/dev/blablabla --whitelist=/opt/blablabla\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "ls -l ~/ | wc -l\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "0" +} + +send -- "ls -l /tmp | wc -l\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "0" +} + +send -- "ls -l /media | wc -l\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "0" +} + +send -- "ls -l /var | wc -l\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "0" +} + +send -- "ls -l /dev | wc -l\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "0" +} +send -- "ls -l /opt | wc -l\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "0" +} + + +puts "\nall done\n" diff --git a/test/fs_dev_shm.exp b/test/fs_dev_shm.exp deleted file mode 100755 index b54f24eb5..000000000 --- a/test/fs_dev_shm.exp +++ /dev/null 
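Review bot: In private.exp, `send -- "ls -l /done;echo done\r"` together with the comments `# owner /done/netblue` and "user done directory" looks like the result of a global home-to-done replacement. As written the ownership check lists a path that presumably does not exist, and the three `[lindex $argv 0]` expectations after it can only be met by unrelated output. I would expect `send -- "ls -l /home;echo done\r"` with the comments restored to match. Separately, the OpenSUSE fallback expects the literal `/run/lightdm/netblue/xauthority`, which ties the test to one account although the user name is already passed in as the script argument; `"/run/lightdm/[lindex $argv 0]/xauthority"` would follow it.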
@@ -1,87 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -# testing read-write /dev/shm -send -- "firejail\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "echo mytest > /dev/shm/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "home" -} - -send -- "cat /dev/shm/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 2.1\n";exit} - "mytest" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "home" -} - -send -- "rm /dev/shm/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "home" -} - -send -- "cat /dev/shm/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "mytest" {puts "TESTING ERROR 4.1\n";exit} - "home" -} - -sleep 1 -send -- "exit\r" -sleep 1 - -# redo the test with --private -send -- "firejail\r" -expect { - timeout {puts "TESTING ERROR 10\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "echo mytest > /dev/shm/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 11\n";exit} - "home" -} - -send -- "cat /dev/shm/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 12.1\n";exit} - "mytest" -} -expect { - timeout {puts "TESTING ERROR 12\n";exit} - "home" -} - -send -- "rm /dev/shm/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 13\n";exit} - "home" -} - -send -- "cat /dev/shm/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 14\n";exit} - "mytest" {puts "TESTING ERROR 14.1\n";exit} - "home" -} - -sleep 1 - -puts "\n" diff --git a/test/fs_var_lock.exp b/test/fs_var_lock.exp deleted file mode 100755 index dfcf571f4..000000000 --- a/test/fs_var_lock.exp +++ /dev/null 
@@ -1,87 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -# testing read-write /var/lock -send -- "firejail\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "echo mytest > /var/lock/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "home" -} - -send -- "cat /var/lock/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 2.1\n";exit} - "mytest" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "home" -} - -send -- "rm /var/lock/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "home" -} - -send -- "cat /var/lock/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "mytest" {puts "TESTING ERROR 4.1\n";exit} - "home" -} - -sleep 1 -send -- "exit\r" -sleep 1 - -# redo the test with --private -send -- "firejail\r" -expect { - timeout {puts "TESTING ERROR 10\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "echo mytest > /var/lock/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 11\n";exit} - "home" -} - -send -- "cat /var/lock/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 12.1\n";exit} - "mytest" -} -expect { - timeout {puts "TESTING ERROR 12\n";exit} - "home" -} - -send -- "rm /var/lock/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 13\n";exit} - "home" -} - -send -- "cat /var/lock/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 14\n";exit} - "mytest" {puts "TESTING ERROR 14.1\n";exit} - "home" -} - -sleep 1 - -puts "\n" diff --git a/test/fs_var_tmp.exp b/test/fs_var_tmp.exp deleted file mode 100755 index 95ceeb2a4..000000000 --- a/test/fs_var_tmp.exp +++ /dev/null 
@@ -1,87 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -# testing read-write /var/tmp -send -- "firejail\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "echo mytest > /var/tmp/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "home" -} - -send -- "cat /var/tmp/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 2.1\n";exit} - "mytest" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "home" -} - -send -- "rm /var/tmp/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "home" -} - -send -- "cat /var/tmp/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "mytest" {puts "TESTING ERROR 4.1\n";exit} - "home" -} - -sleep 1 -send -- "exit\r" -sleep 1 - -# redo the test with --private -send -- "firejail\r" -expect { - timeout {puts "TESTING ERROR 10\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "echo mytest > /var/tmp/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 11\n";exit} - "home" -} - -send -- "cat /var/tmp/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 12.1\n";exit} - "mytest" -} -expect { - timeout {puts "TESTING ERROR 12\n";exit} - "home" -} - -send -- "rm /var/tmp/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 13\n";exit} - "home" -} - -send -- "cat /var/tmp/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 14\n";exit} - "mytest" {puts "TESTING ERROR 14.1\n";exit} - "home" -} - -sleep 1 - -puts "\n" diff --git a/test/invalid_filename.exp b/test/invalid_filename.exp deleted file mode 100755 index fe8bd8c25..000000000 --- a/test/invalid_filename.exp +++ /dev/null 
@@ -1,207 +0,0 @@ -#!/usr/bin/expect -f - -#invalid_filename checks: -# -#--bind (two files) - profile.c - Note: The test is not implemented here, need to be root to test it -#--blacklist - profile.c -#--cgroup - cgroup.c -#--chroot - main.c -#--netfilter - netfilter.c -#--output - output.c -#--private - fs_home.c -#--privte-bin (list) - fs_bin.c -#--private-home (list) - fs_home.c -#--private-etc (list) - fs_etc.c -#--profile - main.c -#--read_only - profile.c -#--shell - main.c -#--tmpfs - profile.c -#--white-list - - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --debug-check-filename --noprofile --blacklist=\"bla&&bla\"\r" -expect { - timeout {puts "TESTING ERROR 1.1\n";exit} - "Checking filename bla&&bla" -} -expect { - timeout {puts "TESTING ERROR 1.2\n";exit} - "Error:" -} -expect { - timeout {puts "TESTING ERROR 1.3\n";exit} - "is an invalid filename" -} -after 100 - -send -- "firejail --debug-check-filename --noprofile --cgroup=\"bla&&bla\"\r" -expect { - timeout {puts "TESTING ERROR 2.1\n";exit} - "Checking filename bla&&bla" -} -expect { - timeout {puts "TESTING ERROR 2.2\n";exit} - "Error:" -} -expect { - timeout {puts "TESTING ERROR 2.3\n";exit} - "is an invalid filename" -} -after 100 - -send -- "firejail --debug-check-filename --noprofile --chroot=\"bla&&bla\"\r" -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "Checking filename bla&&bla" {puts "normal system\n"} - "Error: --chroot option is not available on Grsecurity systems" { puts "\nall done\n"; exit} -} -expect { - timeout {puts "TESTING ERROR 3.2\n";exit} - "Error:" -} -expect { - timeout {puts "TESTING ERROR 3.3\n";exit} - "is an invalid filename" -} -after 100 - -send -- "firejail --debug-check-filename --noprofile --netfilter=\"bla&&bla\"\r" -expect { - timeout {puts "TESTING ERROR 4.1\n";exit} - "Checking filename bla&&bla" -} -expect { - timeout {puts "TESTING ERROR 4.2\n";exit} - "Error:" -} -expect { - timeout {puts "TESTING ERROR 4.3\n";exit} - "is 
an invalid filename" -} -after 100 - -send -- "firejail --debug-check-filename --noprofile --output=\"bla&&bla\"\r" -expect { - timeout {puts "TESTING ERROR 5.2\n";exit} - "Error:" -} -expect { - timeout {puts "TESTING ERROR 5.3\n";exit} - "is an invalid filename" -} -after 100 - -send -- "firejail --debug-check-filename --noprofile --private=\"bla&&bla\"\r" -expect { - timeout {puts "TESTING ERROR 6.1\n";exit} - "Checking filename bla&&bla" -} -expect { - timeout {puts "TESTING ERROR 6.2\n";exit} - "Error:" -} -expect { - timeout {puts "TESTING ERROR 6.3\n";exit} - "is an invalid filename" -} -after 100 - -send -- "firejail --debug-check-filename --noprofile --private-bin=\"bla&&bla\"\r" -expect { - timeout {puts "TESTING ERROR 7.1\n";exit} - "Checking filename bla&&bla" -} -expect { - timeout {puts "TESTING ERROR 7.2\n";exit} - "Error:" -} -expect { - timeout {puts "TESTING ERROR 7.3\n";exit} - "is an invalid filename" -} -after 100 - -send -- "firejail --debug-check-filename --noprofile --private-etc=\"bla&&bla\"\r" -expect { - timeout {puts "TESTING ERROR 9.1\n";exit} - "Checking filename bla&&bla" -} -expect { - timeout {puts "TESTING ERROR 9.2\n";exit} - "Error:" -} -expect { - timeout {puts "TESTING ERROR 9.3\n";exit} - "is an invalid filename" -} -after 100 - -send -- "firejail --debug-check-filename --profile=\"bla&&bla\"\r" -expect { - timeout {puts "TESTING ERROR 10.1\n";exit} - "Checking filename bla&&bla" -} -expect { - timeout {puts "TESTING ERROR 10.2\n";exit} - "Error:" -} -expect { - timeout {puts "TESTING ERROR 10.3\n";exit} - "is an invalid filename" -} -after 100 - -send -- "firejail --debug-check-filename --read-only=\"bla&&bla\"\r" -expect { - timeout {puts "TESTING ERROR 11.1\n";exit} - "Checking filename bla&&bla" -} -expect { - timeout {puts "TESTING ERROR 11.2\n";exit} - "Error:" -} -expect { - timeout {puts "TESTING ERROR 11.3\n";exit} - "is an invalid filename" -} -after 100 - -send -- "firejail --debug-check-filename 
--shell=\"bla&&bla\"\r" -expect { - timeout {puts "TESTING ERROR 12.1\n";exit} - "Checking filename bla&&bla" -} -expect { - timeout {puts "TESTING ERROR 12.2\n";exit} - "Error:" -} -expect { - timeout {puts "TESTING ERROR 12.3\n";exit} - "is an invalid filename" -} -after 100 - - -send -- "firejail --debug-check-filename --whitelist=\"bla&&bla\"\r" -expect { - timeout {puts "TESTING ERROR 14.1\n";exit} - "Checking filename bla&&bla" -} -expect { - timeout {puts "TESTING ERROR 14.2\n";exit} - "Error:" -} -expect { - timeout {puts "TESTING ERROR 14.3\n";exit} - "is an invalid filename" -} -after 100 - - - -puts "\nall done\n" - diff --git a/test/kmsg.exp b/test/kmsg.exp deleted file mode 100755 index 096bdb708..000000000 --- a/test/kmsg.exp +++ /dev/null @@ -1,29 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "cat /dev/kmsg\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "Permission denied" -} -sleep 1 - -send -- "cat /proc/kmsg\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "Permission denied" -} -sleep 1 - -puts "\nall done\n" - diff --git a/test/option_bind_user.exp b/test/option_bind_user.exp deleted file mode 100755 index 9d2d17d7f..000000000 --- a/test/option_bind_user.exp +++ /dev/null @@ -1,15 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --bind=/tmp/chroot,mntpoint\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "bind option is available only if running as root" -} -sleep 1 - -puts "\n" - diff --git a/test/option_blacklist.exp b/test/option_blacklist.exp deleted file mode 100755 index b80d0cc60..000000000 --- a/test/option_blacklist.exp +++ /dev/null 
@@ -1,35 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --blacklist=/var\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "ls -l /var;pwd\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Permission denied" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "home" -} -send -- "cd /var;pwd\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "Permission denied" -} -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "home" -} -sleep 1 - -puts "\n" - diff --git a/test/option_blacklist_file.exp b/test/option_blacklist_file.exp deleted file mode 100755 index ecdfe3b82..000000000 --- a/test/option_blacklist_file.exp +++ /dev/null @@ -1,26 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --blacklist=/etc/passwd\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "cat /etc/passwd;pwd\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Permission denied" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "home" -} -sleep 1 - -puts "\n" - diff --git a/test/pid.exp b/test/pid.exp deleted file mode 100755 index cdeb9d5fb..000000000 --- a/test/pid.exp +++ /dev/null 
@@ -1,49 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -# test processes -send -- "bash\r" -sleep 1 -send -- "ps aux; pwd\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "/bin/bash" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "bash" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "ps aux" -} -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "home" -} -sleep 1 - - -send -- "ps aux |wc -l; pwd\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "6" {puts "normal system\n"} - "5" {puts "grsecurity\n"} -} -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "home" -} -sleep 1 - -puts "\nall done\n" diff --git a/test/private-bin.exp b/test/private-bin.exp deleted file mode 100755 index a82d2b213..000000000 --- a/test/private-bin.exp +++ /dev/null 
@@ -1,71 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --private-bin=bash,ls,sh\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "ls /bin\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "bash" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "ls" -} -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "sh" -} - -send -- "ls /bin\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "ping" {puts "TESTING ERROR 6\n";exit} - "sh" -} -send -- "exit\r" -sleep 1 - -send -- "firejail --profile=private-bin.profile\r" -expect { - timeout {puts "TESTING ERROR 7\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "ls /bin\r" -expect { - timeout {puts "TESTING ERROR 8\n";exit} - "bash" -} -expect { - timeout {puts "TESTING ERROR 9\n";exit} - "ls" -} -expect { - timeout {puts "TESTING ERROR 10\n";exit} - "sh" -} - -send -- "ls /bin\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "ping" {puts "TESTING ERROR 6\n";exit} - "sh" -} -send -- "exit\r" - - - - -sleep 1 -puts "\nall done\n" - diff --git a/test/private-bin.profile b/test/private-bin.profile deleted file mode 100644 index 24cf5929a..000000000 --- a/test/private-bin.profile +++ /dev/null @@ -1 +0,0 @@ -private-bin bash,ls,sh diff --git a/test/private-etc.exp b/test/private-etc.exp deleted file mode 100755 index db1d1df3a..000000000 --- a/test/private-etc.exp +++ /dev/null 
@@ -1,42 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -# directory with ~ -send -- "firejail --private-etc=passwd,group,resolv.conf,X11\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "ls -al /etc\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "group" -} -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "passwd" -} -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "resolv.conf" -} -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "X11" -} - -send -- "ls -al /etc\r" -expect { - timeout {puts "TESTING ERROR 7\n";exit} - "shadow" {puts "TESTING ERROR 8\n";exit} - "X11" -} - -sleep 1 -puts "\nall done\n" - diff --git a/test/private-whitelist.exp b/test/private-whitelist.exp deleted file mode 100755 index 7379241ef..000000000 --- a/test/private-whitelist.exp +++ /dev/null @@ -1,36 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --private --whitelist=/tmp/.X11-unix\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "ls -al /tmp\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - ".X11-unix" -} -sleep 1 - -send -- "ls -a /tmp | wc -l\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "3" -} -sleep 1 - -send -- "ls -a ~ | wc -l\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "5" -} - -sleep 1 -puts "\nall done\n" - diff --git a/test/private.exp b/test/private.exp deleted file mode 100755 index 80a921529..000000000 --- a/test/private.exp +++ /dev/null 
@@ -1,97 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -if { $argc != 1 } { - puts "TESTING ERROR: argument missing" - puts "Usage: private.exp username" - puts "where username is the name of the current user" - exit -} - -# testing profile and private -send -- "firejail --private --profile=/etc/firejail/default.profile\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 -send -- "exit\r" -sleep 1 - -send -- "firejail --private --noprofile\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} - -sleep 1 -send -- "ls -al; pwd\r" -expect { - timeout {puts "TESTING ERROR 0.1\n";exit} - ".bashrc" -} -expect { - timeout {puts "TESTING ERROR 0.2\n";exit} - [lindex $argv 0] -} -send -- "ls -al; pwd\r" -expect { - timeout { - # OpenSUSE doesn't use .Xauthority from user home directory - send -- "env | grep XAUTHORITY\r" - - expect { - timeout {puts "TESTING ERROR 0.3\n";exit} - "/run/lightdm/netblue/xauthority" - } - } - ".Xauthority" -} -expect { - timeout {puts "TESTING ERROR 0.4\n";exit} - [lindex $argv 0] -} - - -# testing private only -send -- "bash\r" -sleep 1 -# owner /home/netblue -send -- "ls -l /home;pwd\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - [lindex $argv 0] -} -expect { - timeout {puts "TESTING ERROR 1.1\n";exit} - [lindex $argv 0] -} -expect { - timeout {puts "TESTING ERROR 1.2\n";exit} - [lindex $argv 0] -} -expect { - timeout {puts "TESTING ERROR 1.3\n";exit} - "home" -} -sleep 1 - -# owner /tmp -send -- "stat -c %U%a /tmp;pwd\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "root777" {puts "version 1\n";} - "root1777" {puts "version 2\n";} - "nobody777" {puts "version 3\n";} - "nobody1777" {puts "version 4\n";} -} -expect { - timeout {puts "TESTING ERROR 2.1\n";exit} - "home" -} -sleep 1 - -puts "all done\n" diff --git a/test/quiet.exp b/test/quiet.exp deleted file mode 100755 index fa46aebf2..000000000 
--- a/test/quiet.exp +++ /dev/null @@ -1,17 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 4 -spawn $env(SHELL) -match_max 100000 - -# check ip address -send -- "firejail --net=br0 --quiet\r" -expect { - "Child process initialized" {puts "TESTING ERROR 1\n";exit} - "Interface" {puts "TESTING ERROR 1\n";exit} -} -sleep 1 -send -- "\r" - -puts "\nall done\n" - diff --git a/test/test-nonet.sh b/test/test-nonet.sh deleted file mode 100755 index 3df8b2d4e..000000000 --- a/test/test-nonet.sh +++ /dev/null @@ -1,44 +0,0 @@ -#!/bin/bash - -echo "TESTING: version" -./option_version.exp - -echo "TESTING: help" -./option_help.exp - -echo "TESTING: man" -./option_man.exp - -echo "TESTING: list" -./option_list.exp - -echo "TESTING: PID" -./pid.exp - -echo "TESTING: profile no permissions" -./profile_noperm.exp - -echo "TESTING: profile syntax" -./profile_syntax.exp - -echo "TESTING: profile read-only" -./profile_readonly.exp - -echo "TESTING: profile tmpfs" -./profile_tmpfs.exp - -echo "TESTING: private" -./private.exp `whoami` - -echo "TESTING: read/write /var/tmp" -./fs_var_tmp.exp - -echo "TESTING: read/write /var/run" -./fs_var_run.exp - -echo "TESTING: read/write /var/lock" -./fs_var_lock.exp - -echo "TESTING: read/write /dev/shm" -./fs_dev_shm.exp - diff --git a/test/test.sh b/test/test.sh index 78a6adc43..c4f0afd94 100755 --- a/test/test.sh +++ b/test/test.sh 
@@ -7,38 +7,9 @@ ./fscheck.sh - -echo "TESTING: protocol.print (protocol-print.exp)" -./protocol-print.exp - -echo "TESTING: sound (sound.exp)" -./sound.exp - -echo "TESTING: nice (nice.exp)" -./nice.exp - echo "TESTING: tty (tty.exp)" ./tty.exp -echo "TESTING: protocol (protocol.exp)" -./protocol.exp - -echo "TESTING: invalid filename (invalid_filename.exp)" -./invalid_filename.exp - -echo "TESTING: whitelist empty (whitelist-empty.exp)" -./whitelist-empty.exp - -echo "TESTING: private-etc (private-etc.exp)" -./private-etc.exp - -echo "TESTING: private-bin (private-bin.exp)" -./private-bin.exp - -echo "TESTING: private whitelist (private-whitelist.exp)" -echo "TESTING: failing on OpenSUSE" -./private-whitelist.exp - sleep 1 rm -fr dir\ with\ space mkdir dir\ with\ space @@ -56,14 +27,6 @@ rm -fr auto2 rm -fr auto3 rm -fr auto4 -if [ -f /proc/self/uid_map ]; -then - echo "TESTING: noroot (noroot.exp)" - ./noroot.exp -else - echo "TESTING: user namespaces not available" -fi - echo "TESTING: doubledash" mkdir -- -testdir touch -- -testdir/ttt @@ -71,38 +34,12 @@ cp -- /bin/bash -testdir/. ./doubledash.exp rm -fr -- -testdir -echo "TESTING: trace1 (option-trace.exp)" -./option-trace.exp - -echo "TESTING: trace2 (trace.exp)" -rm -f index.html* -./trace.exp -rm -f index.html* - echo "TESTING: extract command (extract_command.exp)" ./extract_command.exp -echo "TESTING: kmsg access (kmsg.exp)" -./kmsg.exp - echo "TESTING: chroot overlay (option_chroot_overlay.exp)" ./option_chroot_overlay.exp -echo "TESTING: blacklist directory (option_blacklist.exp)" -./option_blacklist.exp - -echo "TESTING: blacklist file (opiton_blacklist_file.exp)" -./option_blacklist_file.exp - -echo "TESTING: bind as user (option_bind_user.exp)" -./option_bind_user.exp - -if [ -d /home/bingo ]; -then - echo "TESTING: home sanitize (opiton_version.exp)" - ./option_version.exp -fi - echo "TESTING: chroot as user (fs_chroot.exp)" ./fs_chroot.exp 
@@ -116,15 +53,9 @@ sleep 5 rm -f tmpreadonly -echo "TESTING: PID (pid.exp)" -./pid.exp - echo "TESTING: output (output.exp)" ./output.exp -echo "TESTING: private (private.exp)" -./private.exp `whoami` - echo "TESTING: private directory (private_dir.exp)" rm -fr dirprivate mkdir dirprivate @@ -140,52 +71,9 @@ rm -fr dirprivate echo "TESTING: overlayfs (fs_overlay.exp)" ./fs_overlay.exp -echo "TESTING: seccomp debug (seccomp-debug.exp)" -./seccomp-debug.exp - -echo "TESTING: seccomp errno (seccomp-errno.exp)" -./seccomp-errno.exp - -echo "TESTING: seccomp su (seccomp-su.exp)" -./seccomp-su.exp - -echo "TESTING: seccomp ptrace (seccomp-ptrace.exp)" -./seccomp-ptrace.exp - -echo "TESTING: seccomp chmod - seccomp lists (seccomp-chmod.exp)" -./seccomp-chmod.exp - -echo "TESTING: seccomp chmod profile - seccomp lists (seccomp-chmod-profile.exp)" -./seccomp-chmod-profile.exp - -echo "TESTING: seccomp empty (seccomp-empty.exp)" -./seccomp-empty.exp - -echo "TESTING: seccomp bad empty (seccomp-bad-empty.exp)" -./seccomp-bad-empty.exp - -echo "TESTING: seccomp dual filter (seccomp-dualfilter.exp)" -./seccomp-dualfilter.exp - -echo "TESTING: read/write /var/tmp (fs_var_tmp.exp)" -./fs_var_tmp.exp - -echo "TESTING: read/write /var/lock (fs_var_lock.exp)" -./fs_var_lock.exp - -echo "TESTING: read/write /dev/shm (fs_dev_shm.exp)" -./fs_dev_shm.exp - -echo "TESTING: quiet (quiet.exp)" -./quiet.exp - - echo "TESTING: login SSH (login_ssh.exp)" ./login_ssh.exp -echo "TESTING: ARP (net_arp.exp)" -./net_arp.exp - echo "TESTING: DNS (dns.exp)" ./dns.exp diff --git a/test/whitelist-empty.exp b/test/whitelist-empty.exp deleted file mode 100755 index 226b019db..000000000 --- a/test/whitelist-empty.exp +++ /dev/null 
@@ -1,50 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 30 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --whitelist=~/blablabla --whitelist=/tmp/blablabla --whitelist=/media/blablabla --whitelist=/var/blablabla --whitelist=/dev/blablabla --whitelist=/opt/blablabla\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "ls -l ~/ | wc -l\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "0" -} - -send -- "ls -l /tmp | wc -l\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "0" -} - -send -- "ls -l /media | wc -l\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "0" -} - -send -- "ls -l /var | wc -l\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "0" -} - -send -- "ls -l /dev | wc -l\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "0" -} -send -- "ls -l /opt | wc -l\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "0" -} - - -puts "\nall done\n" -- cgit v1.2.3-70-g09d2 From 0bf89d9be08e12b668c3ab57caf1a4a4fac4ce72 Mon Sep 17 00:00:00 2001 From: Reiner Herrmann Date: Thu, 5 May 2016 21:41:34 +0200 Subject: Use locale-independent sorting On systems without installed/configured locales, the file list is sorted by byte comparison. On some locales it is sorted differently (e.g. X11 at the end). --- test/fs/private-etc.exp | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/test/fs/private-etc.exp b/test/fs/private-etc.exp index e5a006585..3b4f3eb2b 100755 --- a/test/fs/private-etc.exp +++ b/test/fs/private-etc.exp 
@@ -15,29 +15,29 @@ expect { } sleep 1 -send -- "ls -al /etc\r" +send -- "LC_ALL=C ls -al /etc\r" expect { timeout {puts "TESTING ERROR 3\n";exit} - "group" + "X11" } expect { timeout {puts "TESTING ERROR 4\n";exit} - "passwd" + "group" } expect { timeout {puts "TESTING ERROR 5\n";exit} - "resolv.conf" + "passwd" } expect { timeout {puts "TESTING ERROR 6\n";exit} - "X11" + "resolv.conf" } -send -- "ls -al /etc\r" +send -- "ls -al /etc; echo done\r" expect { timeout {puts "TESTING ERROR 7\n";exit} "shadow" {puts "TESTING ERROR 8\n";exit} - "X11" + "done" } sleep 1 -- cgit v1.2.3-70-g09d2 From f8ad9c20bbbc5018927598c23532e33851b74d60 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 5 May 2016 18:16:03 -0400 Subject: test fixes --- Makefile.in | 5 +++-- test/apps-x11/apps-x11.sh | 17 +++++++++++++++ test/filters/seccomp-dualfilter.exp | 21 +++++++++++++----- test/fs/fs.sh | 1 - test/fs/private-whitelist.exp | 10 +++++---- test/fs/private.exp | 43 +------------------------------------ 6 files changed, 43 insertions(+), 54 deletions(-) diff --git a/Makefile.in b/Makefile.in index 9a6044fcb..fdf247255 100644 --- a/Makefile.in +++ b/Makefile.in @@ -47,6 +47,7 @@ clean: done rm -f firejail.1 firejail.1.gz firemon.1 firemon.1.gz firecfg.1 firecfg.gz firejail-profile.5 firejail-profile.5.gz firejail-login.5 firejail-login.5.gz firejail-config.5 firejail-config.5.gz firejail*.rpm rm -f test/utils/index.html* + rm -f test/utils/wget-log rm -f test/utils/lstesting cd test/compile; ./compile.sh --clean; cd ../.. cd test/dist-compile; ./compile.sh --clean; cd ../.. 
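Review bot: The negative check for `shadow` in the last `expect` block of the test/fs/private-etc.exp hunk can be satisfied by the shell's echo of the command itself, because the new sentinel `done` is part of the line `ls -al /etc; echo done` that a spawned shell normally prints back before `ls` produces any output. When that happens the block matches `done` and finishes before a leaked `shadow` entry could be seen, so the test no longer shows that `--private-etc` hides the file. Matching the sentinel only at the start of an output line, for example `-re "\ndone"`, would avoid this. The `done` pattern introduced in the test/fs/private.exp hunk of the following commit looks open to the same effect, though its `send` line lies outside that hunk.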
@@ -303,10 +304,10 @@ test-filters: cd test/filters; ./filters.sh | grep TESTING test-network: - echo "Please read test/netwok/README file and run the test manually" + echo "Please read test/network/README file and run the test manually" test-fs: cd test/fs; ./fs.sh | grep TESTING -test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-filters test-network +test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-filters echo "TEST COMPLETE" diff --git a/test/apps-x11/apps-x11.sh b/test/apps-x11/apps-x11.sh index b01c37d0f..a8556ab8f 100755 --- a/test/apps-x11/apps-x11.sh +++ b/test/apps-x11/apps-x11.sh @@ -6,6 +6,23 @@ export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) +# check xpra/xephyr +which xpra +if [ "$?" -eq 0 ]; +then + echo "xpra found" +else + echo "xpra not found" + which xephyr + if [ "$?" -eq 0 ]; + then + echo "xephyr found" + else + echo "TESTING SKIP: xpra and/or xephyr not found" + exit + fi +fi + which xterm if [ "$?" -eq 0 ]; then diff --git a/test/filters/seccomp-dualfilter.exp b/test/filters/seccomp-dualfilter.exp index 7efc117da..c75063672 100755 --- a/test/filters/seccomp-dualfilter.exp +++ b/test/filters/seccomp-dualfilter.exp @@ -3,10 +3,23 @@ # Copyright (C) 2014-2016 Firejail Authors # License GPL v2 -set timeout 10 +set timeout 1 spawn $env(SHELL) match_max 100000 +send -- "./syscall_test\r" +expect { + timeout {puts "TESTING SKIP: 64-bit support missing\n";exit} + "Usage" +} + +send -- "./syscall_test32\r" +expect { + timeout {puts "TESTING SKIP: 32-bit support missing\n";exit} + "Usage" +} + +set timeout 10 send -- "firejail ./syscall_test mount\r" expect { timeout {puts "TESTING ERROR 0\n";exit} @@ -18,7 +31,7 @@ expect { } expect { timeout {puts "TESTING ERROR 2\n";exit} - "after mount" {puts "TESTING ERROR 2.1\n";exit} + "after mount" {puts "TESTING ERROR 3\n";exit} "Parent is shutting down" } sleep 1 
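Review bot: The fallback probe `which xephyr` in the block added to test/apps-x11/apps-x11.sh is likely to miss an installed server, since the binary is normally named `Xephyr` with a capital X and the lookup is case-sensitive. On a machine that has Xephyr but no xpra the script would then print `TESTING SKIP` and exit, and none of the X11 sandbox tests would run. `which Xephyr` fixes the lookup; since only the exit status is used, `command -v Xephyr >/dev/null` would do the same without printing the path.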
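Review bot: The two probes added at the top of test/filters/seccomp-dualfilter.exp treat a one-second `timeout` as missing 64-bit or 32-bit support, so a slow start of `./syscall_test` or `./syscall_test32` is reported as `TESTING SKIP` and the seccomp dual-filter checks are never reached. The script exits the same way for a skip as for a completed run, which makes a skipped seccomp test easy to overlook. I would move `set timeout 10` above the probes, and add a comment such as `# probe outside the sandbox: both helper binaries must run before the filters are tested` so the reason for the early exit is clear.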
@@ -26,8 +39,6 @@ sleep 1 send -- "firejail ./syscall_test32 mount\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "No such file or directory" {puts "\nTESTING SKIP 3: can't execute 32 bit binary\n"; exit} - "Parent is shutting down, bye" {puts "\nTESTING SKIP 3: can't execute 32 bit binary\n"; exit} "Child process initialized" } expect { @@ -36,7 +47,7 @@ expect { } expect { timeout {puts "TESTING ERROR 6\n";exit} - "after mount" {puts "TESTING ERROR 6.1\n";exit} + "after mount" {puts "TESTING ERROR 7\n";exit} "Parent is shutting down" } diff --git a/test/fs/fs.sh b/test/fs/fs.sh index 425af45a6..0fcffcb8e 100755 --- a/test/fs/fs.sh +++ b/test/fs/fs.sh @@ -31,7 +31,6 @@ echo "TESTING: whitelist empty (test/fs/whitelist-empty.exp)" ./whitelist-empty.exp echo "TESTING: private whitelist (test/fs/private-whitelist.exp)" -echo "TESTING: (failing on OpenSUSE)" ./private-whitelist.exp echo "TESTING: invalid filename (test/fs/invalid_filename.exp)" diff --git a/test/fs/private-whitelist.exp b/test/fs/private-whitelist.exp index a3d60369a..4dadeacb1 100755 --- a/test/fs/private-whitelist.exp +++ b/test/fs/private-whitelist.exp @@ -12,26 +12,28 @@ expect { timeout {puts "TESTING ERROR 1\n";exit} "Child process initialized" } -sleep 1 +after 100 send -- "ls -al /tmp\r" expect { timeout {puts "TESTING ERROR 2\n";exit} ".X11-unix" } -sleep 1 +after 100 send -- "ls -a /tmp | wc -l\r" expect { timeout {puts "TESTING ERROR 3\n";exit} "3" } -sleep 1 +after 100 send -- "ls -a ~ | wc -l\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "5" + "3" {puts "3\n"} + "4" {puts "4\n"} + "5" {puts "5\n"} } sleep 1 diff --git a/test/fs/private.exp b/test/fs/private.exp index 01f04d3cb..7eee0c82b 100755 --- a/test/fs/private.exp +++ b/test/fs/private.exp 
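Review bot: The relaxed count check after `ls -a ~ | wc -l` in the test/fs/private-whitelist.exp hunk matches `3`, `4` and `5` as plain substrings, so output such as `13` or `35`, or a digit in the prompt, also passes. With three accepted values and no anchoring, the check no longer bounds how many entries the sandboxed home directory may contain. Anchoring the pattern to a whole output line, for example `-re "\n(3|4|5)\r"`, keeps the tolerance for different distributions while still failing on larger counts. The unchanged `"3"` check for `/tmp` just above has the same weakness.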
@@ -38,49 +38,8 @@ expect { } expect { timeout {puts "TESTING ERROR 3\n";exit} - [lindex $argv 0] + done } -send -- "ls -al; echo done\r" -expect { - timeout { - # OpenSUSE doesn't use .Xauthority from user done directory - send -- "env | grep XAUTHORITY\r" - - expect { - timeout {puts "TESTING ERROR 4\n";exit} - "/run/lightdm/netblue/xauthority" - } - } - ".Xauthority" -} -expect { - timeout {puts "TESTING ERROR 5\n";exit} - [lindex $argv 0] -} - - -# testing private only -send -- "bash\r" -sleep 1 -# owner /done/netblue -send -- "ls -l /done;echo done\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - [lindex $argv 0] -} -expect { - timeout {puts "TESTING ERROR 7\n";exit} - [lindex $argv 0] -} -expect { - timeout {puts "TESTING ERROR 8\n";exit} - [lindex $argv 0] -} -expect { - timeout {puts "TESTING ERROR 9\n";exit} - "done" -} -sleep 1 # owner /tmp send -- "stat -c %U%a /tmp;echo done\r" -- cgit v1.2.3-70-g09d2 From 78fbedbe1199ce7914c021c376bb5752439f8c62 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sat, 7 May 2016 14:20:03 +1000 Subject: added xapps && cleanup --- Makefile.in | 3 +++ README | 1 + README.md | 2 +- etc/disable-programs.inc | 17 ++++++++++++----- etc/xplayer.profile | 15 +++++++++++++++ etc/xreader.profile | 16 ++++++++++++++++ etc/xviewer.profile | 13 +++++++++++++ platform/debian/conffiles | 3 +++ src/firecfg/firecfg.config | 4 ++++ 9 files changed, 68 insertions(+), 6 deletions(-) create mode 100644 etc/xplayer.profile create mode 100644 etc/xreader.profile create mode 100644 etc/xviewer.profile diff --git a/Makefile.in b/Makefile.in index fdf247255..2d49f88e1 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -180,6 +180,9 @@ realinstall: install -c -m 0644 .etc/quiterss.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/cyberfox.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/snap.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/xplayer.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/xreader.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/xviewer.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" rm -fr .etc diff --git a/README b/README index c40f99210..fcd1c54cd 100644 --- a/README +++ b/README @@ -70,6 +70,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - fixed disable-common.inc for mate-terminal - blacklisted escape-happy terminals in disable-common.inc - blacklisted g++ + - added xplayer, xreader, and xviewer profiles Petter Reinholdtsen (pere@hungry.com) - Opera profile patch n1trux (https://github.com/n1trux) diff --git a/README.md b/README.md index c148608d9..eb4b1af81 100644 --- a/README.md +++ b/README.md @@ -283,6 +283,6 @@ $ man firejail-profile lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox, OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100, okular, gwenview, Gpredict, Aweather, Stellarium, Google-Play-Music-Desktop-Player, quiterss, -cyberfox, generic Ubuntu snap application profile +cyberfox, generic Ubuntu snap application profile, xplayer, xreader, xviewer diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 297d25bf2..1f3768693 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc 
@@ -12,17 +12,22 @@ blacklist ${HOME}/.config/uGet blacklist ${HOME}/.config/Gpredict blacklist ${HOME}/.config/aweather blacklist ${HOME}/.config/stellarium -blacklist ~/.kde/share/apps/okular -blacklist ~/.kde/share/config/okularrc -blacklist ~/.kde/share/config/okularpartrc -blacklist ~/.kde/share/apps/gwenview -blacklist ~/.kde/share/config/gwenviewrc +blacklist ${HOME}/.config/atril +blacklist ${HOME}/.config/xreader +blacklist ${HOME}/.config/xviewer +blacklist ${HOME}/.kde/share/apps/okular +blacklist ${HOME}/.kde/share/config/okularrc +blacklist ${HOME}/.kde/share/config/okularpartrc +blacklist ${HOME}/.kde/share/apps/gwenview +blacklist ${HOME}/.kde/share/config/gwenviewrc # Media players blacklist ${HOME}/.config/cmus blacklist ${HOME}/.config/deadbeef blacklist ${HOME}/.config/spotify blacklist ${HOME}/.config/vlc +blacklist ${HOME}/.config/totem +blacklist ${HOME}/.config/xplayer # HTTP / FTP / Mail blacklist ${HOME}/.icedove @@ -95,6 +100,7 @@ blacklist ${HOME}/.cache/transmission blacklist ${HOME}/.cache/wesnoth blacklist ${HOME}/.cache/0ad blacklist ${HOME}/.cache/8pecxstudios +blacklist ${HOME}/.cache/xreader # share blacklist ${HOME}/.local/share/epiphany @@ -103,3 +109,4 @@ blacklist ${HOME}/.local/share/spotify blacklist ${HOME}/.local/share/steam blacklist ${HOME}/.local/share/wesnoth blacklist ${HOME}/.local/share/0ad +blacklist ${HOME}/.local/share/xplayer diff --git a/etc/xplayer.profile b/etc/xplayer.profile new file mode 100644 index 000000000..67a46a7da --- /dev/null +++ b/etc/xplayer.profile @@ -0,0 +1,15 @@ +# Xplayer profile +noblacklist ~/.config/xplayer +noblacklist ~/.local/share/xplayer + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +seccomp +protocol unix,inet,inet6 +noroot +tracelog +netfilter 
diff --git a/etc/xreader.profile b/etc/xreader.profile new file mode 100644 index 000000000..7b72d41a6 --- /dev/null +++ b/etc/xreader.profile @@ -0,0 +1,16 @@ +# Xreader profile +noblacklist ~/.config/xreader +noblacklist ~/.cache/xreader +noblacklist ~/.local/share + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +seccomp +protocol unix,inet,inet6 +noroot +tracelog +netfilter diff --git a/etc/xviewer.profile b/etc/xviewer.profile new file mode 100644 index 000000000..33e1e3c68 --- /dev/null +++ b/etc/xviewer.profile @@ -0,0 +1,13 @@ +noblacklist ~/.config/xviewer + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +seccomp +protocol unix,inet,inet6 +noroot +tracelog +netfilter diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 109af24d7..4f118d571 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -94,3 +94,6 @@ /etc/firejail/quiterss.profile /etc/firejail/cyberfox.profile /etc/firejail/snap.profile +/etc/firejail/xplayer.profile +/etc/firejail/xreader.profile +/etc/firejail/xviewer.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 3812ee7d8..d019c3a5c 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -60,6 +60,8 @@ Mathematica mathematica gwenview okular +atril +xreader # Media vlc @@ -70,6 +72,8 @@ parole rhythmbox totem cmus +xplayer +xviewer # chat/messaging bitlbee -- cgit v1.2.3-70-g09d2 From 43fc27396606a66de7948aeeaade550c0843b2f3 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sat, 7 May 2016 14:48:38 +1000 Subject: forgot atril profile --- etc/atril.profile | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) 
diff --git a/etc/atril.profile b/etc/atril.profile index c5b2abc48..d1a7b25f8 100644 --- a/etc/atril.profile +++ b/etc/atril.profile @@ -1,5 +1,6 @@ # Atril profile noblacklist ~/.config/atril +noblacklist ~/.local/share include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc @@ -8,10 +9,6 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp protocol unix,inet,inet6 -net none noroot tracelog - -mkdir ~/.config -mkdir ~/.config/atril -whitelist ~/.config/atril +netfilter -- cgit v1.2.3-70-g09d2 From d9b29db4d7b3dafc518b404d1fc8dea1b1b1c216 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sat, 7 May 2016 14:52:55 +1000 Subject: ignorance is NOT bliss --- RELNOTES | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/RELNOTES b/RELNOTES index 8ccbeed0d..339e2ee2d 100644 --- a/RELNOTES +++ b/RELNOTES @@ -23,7 +23,8 @@ firejail (0.9.40-rc1) baseline; urgency=low * new profiles: PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100 * new profiles: okular, gwenview, Google-Play-Music-Desktop-Player * new profiles: Aweather, Stellarium, gpredict, quiterss, cyberfox - * new profiles: generic Ubuntu snap application profile + * new profiles: generic Ubuntu snap application profile, xplayer + * new profiles: xreader, xplayer * generic.profile renamed default.profile * build rpm packages using "make rpms" * bugfixes -- cgit v1.2.3-70-g09d2 From 571e8a53d6f083de8c6c90cdc9e6c48c31bb2702 Mon Sep 17 00:00:00 2001 
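Review bot: Removing `net none` and the `mkdir`/`whitelist ~/.config/atril` lines leaves a document viewer with network access (filtered only by `netfilter`) and without a home-directory whitelist, and the commit message gives no reason for either. If atril has no need for the network, keeping `net none` and the whitelist block is the tighter default; if it does, a one-line comment in the profile saying what needs it would make the trade-off reviewable. The added `noblacklist ~/.local/share` names the whole directory rather than an atril-specific path; whether that also lifts the per-application blacklist entries beneath it depends on matching rules that are not visible here, so a narrower path would be safer.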
From: netblue30 Date: Sat, 7 May 2016 10:05:29 -0400 Subject: fix private-etc empty list --- src/firejail/fs_etc.c | 60 +++++++++++++++++++++------------------ src/firejail/main.c | 7 +---- src/firejail/profile.c | 7 +---- test/fs/fs.sh | 3 ++ test/fs/private-etc-empty.exp | 38 +++++++++++++++++++++++++ test/fs/private-etc-empty.profile | 1 + 6 files changed, 76 insertions(+), 40 deletions(-) create mode 100755 test/fs/private-etc-empty.exp create mode 100644 test/fs/private-etc-empty.profile diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index 1a44b1305..2ff36f5d2 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c 
@@ -129,40 +129,44 @@ void fs_private_etc_list(void) { errExit("chmod"); fs_logger("tmpfs /etc"); - // copy the list of files in the new etc directory - // using a new child process without root privileges fs_logger_print(); // save the current log - pid_t child = fork(); - if (child < 0) - errExit("fork"); - if (child == 0) { - if (arg_debug) - printf("Copying files in the new etc directory:\n"); - // elevate privileges - files in the new /etc directory belong to root - if (setreuid(0, 0) < 0) - errExit("setreuid"); - if (setregid(0, 0) < 0) - errExit("setregid"); - - // copy the list of files in the new home directory - char *dlist = strdup(private_list); - if (!dlist) - errExit("strdup"); - - char *ptr = strtok(dlist, ","); - duplicate(ptr); + // copy the list of files in the new etc directory + // using a new child process without root privileges + if (*private_list != '\0') { + pid_t child = fork(); + if (child < 0) + errExit("fork"); + if (child == 0) { + if (arg_debug) + printf("Copying files in the new etc directory:\n"); - while ((ptr = strtok(NULL, ",")) != NULL) + // elevate privileges - files in the new /etc directory belong to root + if (setreuid(0, 0) < 0) + errExit("setreuid"); + if (setregid(0, 0) < 0) + errExit("setregid"); + + // copy the list of files in the new home directory + char *dlist = strdup(private_list); + if (!dlist) + errExit("strdup"); + + + char *ptr = strtok(dlist, ","); duplicate(ptr); - free(dlist); - fs_logger_print(); - exit(0); + + while ((ptr = strtok(NULL, ",")) != NULL) + duplicate(ptr); + free(dlist); + fs_logger_print(); + exit(0); + } + // wait for the child to finish + waitpid(child, NULL, 0); } - // wait for the child to finish - waitpid(child, NULL, 0); - + if (arg_debug) printf("Mount-bind %s on top of /etc\n", RUN_ETC_DIR); if (mount(RUN_ETC_DIR, "/etc", NULL, MS_BIND|MS_REC, NULL) < 0) diff --git a/src/firejail/main.c b/src/firejail/main.c index 7aa81a9c5..59f500e3a 100644 --- a/src/firejail/main.c 
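Review bot: The parent still calls `waitpid(child, NULL, 0)` and discards the child's exit status, so a copy that stops part-way (for example at `errExit("strdup")` in the child) is followed by the bind mount of `RUN_ETC_DIR` over /etc as if it had succeeded. Collecting the status lets the sandbox stop instead of starting on a partially populated /etc: declare `int status;`, pass `&status`, and exit when `waitpid(...) == -1 || !WIFEXITED(status) || WEXITSTATUS(status) != 0`. Whether `duplicate` reports its own failures through the exit code is not visible here, so that part needs confirming. fs_private_etc_list begins and ends outside the hunk.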
+++ b/src/firejail/main.c @@ -1330,12 +1330,7 @@ int main(int argc, char **argv) { exit(1); } fs_check_etc_list(); - if (*cfg.etc_private_keep != '\0') - arg_private_etc = 1; - else { - arg_private_etc = 0; - fprintf(stderr, "Warning: private-etc disabled, no file found\n"); - } + arg_private_etc = 1; } else if (strncmp(argv[i], "--private-bin=", 14) == 0) { // extract private bin list diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 2b3984a99..095e5eecc 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -611,12 +611,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { } cfg.etc_private_keep = ptr + 12; fs_check_etc_list(); - if (*cfg.etc_private_keep != '\0') - arg_private_etc = 1; - else { - arg_private_etc = 0; - fprintf(stderr, "Warning: private-etc disabled, no file found\n"); - } + arg_private_etc = 1; return 0; } diff --git a/test/fs/fs.sh b/test/fs/fs.sh index 0fcffcb8e..b49aadf02 100755 --- a/test/fs/fs.sh +++ b/test/fs/fs.sh @@ -24,6 +24,9 @@ echo "TESTING: private (test/fs/private.exp)" echo "TESTING: private-etc (test/fs/private-etc.exp)" ./private-etc.exp +echo "TESTING: empty private-etc (test/fs/private-etc-empty.exp)" +./private-etc-empty.exp + echo "TESTING: private-bin (test/fs/private-bin.exp)" ./private-bin.exp diff --git a/test/fs/private-etc-empty.exp b/test/fs/private-etc-empty.exp new file mode 100755 index 000000000..13e917a5c --- /dev/null +++ b/test/fs/private-etc-empty.exp 
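Review bot: With the `else` branch removed, a `--private-etc=` list in which no entry exists now yields an empty /etc with no message at all, where the old code at least printed a warning. Failing closed is the safer behaviour, but a diagnostic after `fs_check_etc_list();` would save users from debugging a sandbox that starts with nothing in /etc: `if (*cfg.etc_private_keep == '\0') fprintf(stderr, "Warning: private-etc list is empty, /etc will be empty\n");`. The same applies to the profile.c hunk (`@@ -611,12 +611,7 @@`). Both enclosing functions continue outside their hunks.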
@@ -0,0 +1,38 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 30 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --private-etc=blablabla\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "ls -l /etc | wc -l\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "0" +} +send -- "exit\r" +sleep 1 + +send -- "firejail --profile=private-etc-empty.profile\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "ls -l /etc | wc -l\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "0" +} + +puts "\nall done\n" diff --git a/test/fs/private-etc-empty.profile b/test/fs/private-etc-empty.profile new file mode 100644 index 000000000..38aa8cd68 --- /dev/null +++ b/test/fs/private-etc-empty.profile @@ -0,0 +1 @@ +private-etc blablabla -- cgit v1.2.3-70-g09d2 From 03e03b26c144b385fbe2dc2996882e1bb21e5f76 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 7 May 2016 10:49:07 -0400 Subject: fixed empty private-bin --- src/firejail/fs_bin.c | 23 +++++------------------ 1 file changed, 5 insertions(+), 18 deletions(-) diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index c3d24aaac..8ac9d4f3f 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c @@ -108,10 +108,10 @@ void fs_check_bin_list(void) { } if (*newlist == '\0') { - fprintf(stderr, "Warning: no --private-bin list executable found, option disabled\n"); - cfg.bin_private_keep = NULL; - arg_private_bin = 0; - free(newlist); +// fprintf(stderr, "Warning: no --private-bin list executable found, option disabled\n"); +// cfg.bin_private_keep = NULL; +// arg_private_bin = 0; +// free(newlist); } else { ptr = strrchr(newlist, ','); 
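Review bot: In fs_bin.c the `*newlist == '\0'` branch is commented out rather than rewritten, which leaves an empty branch: `newlist` is no longer freed and, as far as this hunk shows, `cfg.bin_private_keep` keeps pointing at the caller's original list instead of the checked (empty) one. If the intent is an empty /bin, the branch should say so explicitly: delete the commented lines, keep `free(newlist);`, and store an empty checked list so the later copy step never walks the unfiltered string. The `@@ -111,7 +111,7 @@` hunk later in this series restores the `free` but not the assignment. What the `else` branch assigns is outside the hunk, so the second half of this is an inference to confirm; fs_check_bin_list starts and ends outside the hunk.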
@@ -172,19 +172,6 @@ void fs_private_bin_list(void) { char *private_list = cfg.bin_private_keep; assert(private_list); - // check bin paths - int i = 0; -#if 0 - while (paths[i]) { - struct stat s; - if (stat(paths[i], &s) == -1) { - fprintf(stderr, "Error: cannot find %s directory\n", paths[i]); - exit(1); - } - i++; - } -#endif - // create /tmp/firejail/mnt/bin directory fs_build_mnt_dir(); int rv = mkdir(RUN_BIN_DIR, 0755); @@ -231,7 +218,7 @@ void fs_private_bin_list(void) { waitpid(child, NULL, 0); // mount-bind - i = 0; + int i = 0; while (paths[i]) { struct stat s; if (stat(paths[i], &s) == 0) { -- cgit v1.2.3-70-g09d2 From e1170a668adc5c504e544c21ae06e6dd31d5d9f8 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sun, 8 May 2016 13:33:26 +1000 Subject: minor fixes --- RELNOTES | 2 +- etc/disable-programs.inc | 1 + etc/totem.profile | 12 ++++++++++++ etc/xplayer.profile | 8 ++++++++ etc/xviewer.profile | 4 ++++ 5 files changed, 26 insertions(+), 1 deletion(-) diff --git a/RELNOTES b/RELNOTES index 339e2ee2d..9c6aeac24 100644 --- a/RELNOTES +++ b/RELNOTES @@ -24,7 +24,7 @@ firejail (0.9.40-rc1) baseline; urgency=low * new profiles: okular, gwenview, Google-Play-Music-Desktop-Player * new profiles: Aweather, Stellarium, gpredict, quiterss, cyberfox * new profiles: generic Ubuntu snap application profile, xplayer - * new profiles: xreader, xplayer + * new profiles: xreader, xviewer * generic.profile renamed default.profile * build rpm packages using "make rpms" * bugfixes diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 1f3768693..1e3f092fb 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -110,3 +110,4 @@ blacklist ${HOME}/.local/share/steam blacklist ${HOME}/.local/share/wesnoth blacklist ${HOME}/.local/share/0ad blacklist ${HOME}/.local/share/xplayer +blacklsit ${HOME}/.local/share/totem diff --git a/etc/totem.profile b/etc/totem.profile index 4d87cbb85..416b0ef43 100644 --- a/etc/totem.profile 
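Review bot: The line added to etc/disable-programs.inc is spelled `blacklsit ${HOME}/.local/share/totem`, which is not the `blacklist` keyword used by every other line in the file. Depending on how the profile parser treats an unknown keyword (not visible here), either the include is rejected or the totem data directory is left unprotected in every profile that relies on this file. It should read `blacklist ${HOME}/.local/share/totem`.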
+++ b/etc/totem.profile @@ -1,4 +1,7 @@ # Totem media player profile +noblacklist ~/.config/totem +noblacklist ~/.local/share/totem + include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc @@ -9,3 +12,12 @@ seccomp protocol unix,inet,inet6 noroot netfilter + +mkdir ~/.config +mkdir ~/.config/totem +whitelist ~/.config/totme + +mkdir ~/.local +mkdir ~/.local/share +mkdir ~/.local/share/totem +whitelist ~/.local/share/totem diff --git a/etc/xplayer.profile b/etc/xplayer.profile index 67a46a7da..e364a2a5d 100644 --- a/etc/xplayer.profile +++ b/etc/xplayer.profile @@ -13,3 +13,11 @@ protocol unix,inet,inet6 noroot tracelog netfilter + +mkdir ~/.config +mkdir ~/.config/xplayer +whitelist ~/.config/xplayer + +mkdir ~/.local +mkdir ~/.local/share +mkdir ~/.local/share/xplayer diff --git a/etc/xviewer.profile b/etc/xviewer.profile index 33e1e3c68..5785ecabf 100644 --- a/etc/xviewer.profile +++ b/etc/xviewer.profile @@ -11,3 +11,7 @@ protocol unix,inet,inet6 noroot tracelog netfilter + +mkdir ~/.config +mkdir ~/.config/xviewer +whitelist ~/.config/xviewer -- cgit v1.2.3-70-g09d2 From 0e79ca99bb5fac8904de5136c33fb0c60d074808 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sun, 8 May 2016 13:38:16 +1000 Subject: minor fixes --- etc/xplayer.profile | 8 -------- etc/xviewer.profile | 4 ---- 2 files changed, 12 deletions(-) diff --git a/etc/xplayer.profile b/etc/xplayer.profile index e364a2a5d..67a46a7da 100644 --- a/etc/xplayer.profile +++ b/etc/xplayer.profile @@ -13,11 +13,3 @@ protocol unix,inet,inet6 noroot tracelog netfilter - -mkdir ~/.config -mkdir ~/.config/xplayer -whitelist ~/.config/xplayer - -mkdir ~/.local -mkdir ~/.local/share -mkdir ~/.local/share/xplayer diff --git a/etc/xviewer.profile b/etc/xviewer.profile index 5785ecabf..33e1e3c68 100644 --- a/etc/xviewer.profile +++ b/etc/xviewer.profile 
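Review bot: `whitelist ~/.config/totme` in the second totem.profile hunk does not match the `mkdir ~/.config/totem` line directly above it, so the directory that was just created is not the one being whitelisted. Once whitelisting is active for the home directory, the likely result is that totem's real configuration directory is not visible inside the sandbox. The line should read `whitelist ~/.config/totem`.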
@@ -11,7 +11,3 @@ protocol unix,inet,inet6 noroot tracelog netfilter - -mkdir ~/.config -mkdir ~/.config/xviewer -whitelist ~/.config/xviewer -- cgit v1.2.3-70-g09d2 From d4d72e218e50548c4a36ee35fef3fdf5f1c41bcf Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sun, 8 May 2016 13:41:58 +1000 Subject: undo change --- etc/totem.profile | 9 --------- 1 file changed, 9 deletions(-) diff --git a/etc/totem.profile b/etc/totem.profile index 416b0ef43..d23167b03 100644 --- a/etc/totem.profile +++ b/etc/totem.profile @@ -12,12 +12,3 @@ seccomp protocol unix,inet,inet6 noroot netfilter - -mkdir ~/.config -mkdir ~/.config/totem -whitelist ~/.config/totme - -mkdir ~/.local -mkdir ~/.local/share -mkdir ~/.local/share/totem -whitelist ~/.local/share/totem -- cgit v1.2.3-70-g09d2 From 95b4bd30d29d9e7f2b07c3f51ef311aaa62fbcd5 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 8 May 2016 10:20:29 -0400 Subject: fixes --- etc/disable-programs.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 1e3f092fb..a3fd0fe73 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -110,4 +110,4 @@ blacklist ${HOME}/.local/share/steam blacklist ${HOME}/.local/share/wesnoth blacklist ${HOME}/.local/share/0ad blacklist ${HOME}/.local/share/xplayer -blacklsit ${HOME}/.local/share/totem +blacklist ${HOME}/.local/share/totem -- cgit v1.2.3-70-g09d2 From d2433893462007a8ba90f503cf6aaddb3ac56c27 Mon Sep 17 00:00:00 2001 From: avoidr Date: Sat, 14 May 2016 16:17:57 +0200 Subject: update seccomp default list in firejail-profile --- src/man/firejail-profile.txt | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 0e9614ab6..8f9eedbd3 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt 
@@ -222,10 +222,15 @@ first argument to socket system call. Recognized values: \fBunix\fR, \fBinet\fR, \fBinet6\fR, \fBnetlink\fR and \fBpacket\fR. .TP \fBseccomp -Enable default seccomp filter. The default list is as follows: -mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module, -iopl, ioperm, swapon, swapoff, syslog, process_vm_readv and process_vm_writev, -sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init and kcmp. +Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows: +mount, umount2, ptrace, kexec_load, kexec_file_load, open_by_handle_at, init_module, finit_module, delete_module, +iopl, ioperm, swapon, swapoff, syslog, process_vm_readv, process_vm_writev, +sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp, +add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup, +io_destroy, io_getevents, io_submit, io_cancel, +remap_file_pages, mbind, get_mempolicy, set_mempolicy, +migrate_pages, move_pages, vmsplice, perf_event_open, chroot, +tuxcall, reboot, mfsservctl and get_kernel_syms. .TP \fBseccomp syscall,syscall,syscall Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter. -- cgit v1.2.3-70-g09d2 From bf3ba3e577a6d7e58b55f88d3ab363aa75337ba8 Mon Sep 17 00:00:00 2001 From: avoidr Date: Sat, 14 May 2016 17:28:25 +0200 Subject: add mcabber.profile --- etc/mcabber.profile | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 etc/mcabber.profile diff --git a/etc/mcabber.profile b/etc/mcabber.profile new file mode 100644 index 000000000..553672406 --- /dev/null +++ b/etc/mcabber.profile 
@@ -0,0 +1,19 @@ +# mcabber profile +noblacklist ${HOME}/.mcabber +noblacklist ${HOME}/.mcabberrc + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +seccomp +protocol inet,inet6 +netfilter +noroot + +private-bin mcabber +private-etc group +private-dev +shell none -- cgit v1.2.3-70-g09d2 From d32b616e41b8216e2573d80813d719ed6b714467 Mon Sep 17 00:00:00 2001 From: avoidr Date: Sat, 14 May 2016 17:29:35 +0200 Subject: noblacklist mcabber --- etc/disable-programs.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index a3fd0fe73..307ccaf6c 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -55,6 +55,7 @@ blacklist ${HOME}/.8pecxstudios # Instant Messaging blacklist ${HOME}/.config/hexchat blacklist ${HOME}/.mcabber +blacklist ${HOME}/.mcabberrc blacklist ${HOME}/.purple blacklist ${HOME}/.config/psi+ blacklist ${HOME}/.retroshare -- cgit v1.2.3-70-g09d2 From 86fa3a51d76bbb62f7676dee106a5bd8c5c4fcc7 Mon Sep 17 00:00:00 2001 From: avoidr Date: Sat, 14 May 2016 17:34:13 +0200 Subject: edit Makefile.in, conffiles, README{.md,} --- Makefile.in | 1 + README | 3 ++- README.md | 2 +- platform/debian/conffiles | 1 + 4 files changed, 5 insertions(+), 2 deletions(-) diff --git a/Makefile.in b/Makefile.in index 2d49f88e1..34daed387 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -183,6 +183,7 @@ realinstall: install -c -m 0644 .etc/xplayer.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/xreader.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/xviewer.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/mcabber.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" rm -fr .etc diff --git a/README b/README index fcd1c54cd..dd0c5a5b1 100644 --- a/README +++ b/README @@ -29,7 +29,7 @@ avoidr (https://github.com/avoidr) - whitelist fix - recently-used.xbel fix - added parole profile - - blacklist ncat, manpage fixes, + - blacklist ncat - hostname support in profile file - Google Chrome profile rework - added cmus profile @@ -37,6 +37,7 @@ avoidr (https://github.com/avoidr) - add net iface support in profile files - paths fix - lots of profile fixes + - added mcabber profile Ruan (https://github.com/ruany) - fixed hexchat profile Vasya Novikov (https://github.com/vn971) diff --git a/README.md b/README.md index eb4b1af81..4fa79d9f2 100644 --- a/README.md +++ b/README.md @@ -283,6 +283,6 @@ $ man firejail-profile lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox, OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100, okular, gwenview, Gpredict, Aweather, Stellarium, Google-Play-Music-Desktop-Player, quiterss, -cyberfox, generic Ubuntu snap application profile, xplayer, xreader, xviewer +cyberfox, generic Ubuntu snap application profile, xplayer, xreader, xviewer, mcabber diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 4f118d571..8cf8f165c 100644 
--- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -97,3 +97,4 @@ /etc/firejail/xplayer.profile /etc/firejail/xreader.profile /etc/firejail/xviewer.profile +/etc/firejail/mcabber.profile -- cgit v1.2.3-70-g09d2 From 6cc91e438a5be38168b599529f046c35929d9c10 Mon Sep 17 00:00:00 2001 From: avoidr Date: Sat, 14 May 2016 17:34:58 +0200 Subject: edit RELNOTES --- RELNOTES | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELNOTES b/RELNOTES index 9c6aeac24..be1612acf 100644 --- a/RELNOTES +++ b/RELNOTES @@ -24,7 +24,7 @@ firejail (0.9.40-rc1) baseline; urgency=low * new profiles: okular, gwenview, Google-Play-Music-Desktop-Player * new profiles: Aweather, Stellarium, gpredict, quiterss, cyberfox * new profiles: generic Ubuntu snap application profile, xplayer - * new profiles: xreader, xviewer + * new profiles: xreader, xviewer, mcabber * generic.profile renamed default.profile * build rpm packages using "make rpms" * bugfixes -- cgit v1.2.3-70-g09d2 From 9c9055d1bd49080f97a456e35a886a0ab624bb45 Mon Sep 17 00:00:00 2001 From: avoidr Date: Sun, 15 May 2016 12:13:45 +0200 Subject: mcabber.profile: use empty /etc --- etc/mcabber.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/mcabber.profile b/etc/mcabber.profile index 553672406..1d753d7c3 100644 --- a/etc/mcabber.profile +++ b/etc/mcabber.profile @@ -14,6 +14,6 @@ netfilter noroot private-bin mcabber -private-etc group +private-etc null private-dev shell none -- cgit v1.2.3-70-g09d2 From 471bba3242b01d91e6b1f52b9b12d2e88b5cf533 Mon Sep 17 00:00:00 2001 From: avoidr Date: Sun, 15 May 2016 12:28:43 +0200 Subject: cmus.profile: use empty /etc --- etc/cmus.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/cmus.profile b/etc/cmus.profile index 72b43a70f..bb57ac149 100644 --- a/etc/cmus.profile +++ b/etc/cmus.profile @@ -13,5 +13,5 @@ netfilter noroot private-bin cmus -private-etc group +private-etc null shell none -- cgit v1.2.3-70-g09d2 
From ca5516b72b57bd113b780a2d8c673c2b44e19cd4 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 15 May 2016 08:47:09 -0400 Subject: documentation --- src/man/firejail.txt | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 995aee809..807b3e39e 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -1004,7 +1004,9 @@ $ firejail \-\-private=/home/netblue/firefox-home firefox .TP \fB\-\-private-bin=file,file Build a new /bin in a temporary filesystem, and copy the programs in the list. +If no listed file is found, /bin directory will be empty. The same directory is also bind-mounted over /sbin, /usr/bin, /usr/sbin and /usr/local/bin. +All modifications are discarded when the sandbox is closed. .br .br @@ -1043,7 +1045,8 @@ $ \fB\-\-private-etc=file,directory Build a new /etc in a temporary filesystem, and copy the files and directories in the list. -All modifications are discarded when the sandbox is closed. +If no listed file is found, /etc directory will be empty. +All modifications are discarded when the sandbox is closed. .br .br -- cgit v1.2.3-70-g09d2 From 689c89738a9c575b0088ef288013aaf743d93eca Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 15 May 2016 09:01:23 -0400 Subject: allow regular users to use --writable-var and --writable-etc --- src/firejail/main.c | 8 -------- src/firejail/profile.c | 8 -------- src/firejail/usage.c | 6 ++---- src/man/firejail-profile.txt | 6 ++---- src/man/firejail.txt | 4 ++-- 5 files changed, 6 insertions(+), 26 deletions(-) diff --git a/src/firejail/main.c b/src/firejail/main.c index 59f500e3a..a540d468b 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c 
@@ -1285,10 +1285,6 @@ int main(int argc, char **argv) { } #endif else if (strcmp(argv[i], "--writable-etc") == 0) { - if (getuid() != 0) { - fprintf(stderr, "Error: --writable-etc is available only for root user\n"); - exit(1); - } if (cfg.etc_private_keep) { fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n"); exit(1); @@ -1296,10 +1292,6 @@ int main(int argc, char **argv) { arg_writable_etc = 1; } else if (strcmp(argv[i], "--writable-var") == 0) { - if (getuid() != 0) { - fprintf(stderr, "Error: --writable-var is available only for root user\n"); - exit(1); - } arg_writable_var = 1; } else if (strcmp(argv[i], "--private") == 0) diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 095e5eecc..3bf294e00 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -573,10 +573,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { // writable-etc if (strcmp(ptr, "writable-etc") == 0) { - if (getuid() != 0) { - fprintf(stderr, "Error: writable-etc is available only for root user\n"); - exit(1); - } if (cfg.etc_private_keep) { fprintf(stderr, "Error: private-etc and writable-etc are mutually exclusive\n"); exit(1); @@ -587,10 +583,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { // writable-var if (strcmp(ptr, "writable-var") == 0) { - if (getuid() != 0) { - fprintf(stderr, "Error: writable-var is available only for root user\n"); - exit(1); - } arg_writable_var = 1; return 0; } diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 8c738a0fc..ef02c0d72 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c 
@@ -248,10 +248,8 @@ void usage(void) { printf(" --version - print program version and exit.\n\n"); printf(" --whitelist=dirname_or_filename - whitelist directory or file.\n\n"); - printf(" --writable-etc - /etc directory is mounted read-write. This option is\n"); - printf("\tavailable only when running the sandbox as root user.\n\n"); - printf(" --writable-var - /var directory is mounted read-write. This option is\n"); - printf("\tavailable only when running the sandbox as root user.\n\n"); + printf(" --writable-etc - /etc directory is mounted read-write.\n\n"); + printf(" --writable-var - /var directory is mounted read-write.\n\n"); printf(" --x11 - enable X11 server. The software checks first if Xpra is installed,\n"); printf("\tthen it checks if Xephyr is installed.\n\n"); diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 8f9eedbd3..4d1de76f5 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -194,12 +194,10 @@ The modifications to file_or_directory are persistent, everything else is discar when the sandbox is closed. .TP \fBwritable-etc -Mount /etc directory read-write. This option is available only -when running the sandbox as root user. +Mount /etc directory read-write. .TP \fBwritable-var -Mount /var directory read-write. This option is available only -when running the sandbox as root user. +Mount /var directory read-write. .SH Security filters The following security filters are currently implemented: diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 807b3e39e..29a84f71e 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -1480,7 +1480,7 @@ $ firejail "\-\-whitelist=/home/username/My Virtual Machines" .TP \fB\-\-writable-etc -Mount /etc directory read-write. This option is available only when running the sandbox as root user. +Mount /etc directory read-write. .br .br 
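Review bot: Nothing in this change records why a read-write /etc or /var is acceptable for an unprivileged caller, now that the usage.c help text for `--writable-etc` and `--writable-var` no longer says root-only and the `getuid() != 0` checks are removed from main.c and profile.c. A short comment next to the option handling would help the next reviewer, for example `// non-root allowed: the mount is read-write, but file ownership and modes still decide what the user can change`, if that is indeed the reasoning; it is inferred here, not shown. The firejail.txt example still reads `$ sudo firejail --writable-etc`, which no longer matches the new description. usage() starts and ends outside the hunk.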
@@ -1490,7 +1490,7 @@ $ sudo firejail --writable-etc .TP \fB\-\-writable-var -Mount /var directory read-write. This option is available only when running the sandbox as root user. +Mount /var directory read-write. .br .br -- cgit v1.2.3-70-g09d2 From 3fde5ba7f094b92c01075426b3f54b1b44c31dd9 Mon Sep 17 00:00:00 2001 From: avoidr Date: Sun, 15 May 2016 22:43:59 +0200 Subject: Revert "cmus.profile: use empty /etc" This reverts commit 471bba3242b01d91e6b1f52b9b12d2e88b5cf533. --- etc/cmus.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/cmus.profile b/etc/cmus.profile index bb57ac149..72b43a70f 100644 --- a/etc/cmus.profile +++ b/etc/cmus.profile @@ -13,5 +13,5 @@ netfilter noroot private-bin cmus -private-etc null +private-etc group shell none -- cgit v1.2.3-70-g09d2 From dc6eb6ad5897634f2826fd7f055f75d3448b6236 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 17 May 2016 11:25:13 -0400 Subject: 0.9.40 testing --- configure | 18 +++++++++--------- configure.ac | 2 +- src/firejail/fs_bin.c | 2 +- test/configure | 2 +- test/test-root.sh | 8 ++++---- 5 files changed, 16 insertions(+), 16 deletions(-) diff --git a/configure b/configure index 46e792f64..946fb99bc 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for firejail 0.9.40~rc2. +# Generated by GNU Autoconf 2.69 for firejail 0.9.40. # # Report bugs to . # @@ -580,8 +580,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='firejail' PACKAGE_TARNAME='firejail' -PACKAGE_VERSION='0.9.40~rc2' -PACKAGE_STRING='firejail 0.9.40~rc2' +PACKAGE_VERSION='0.9.40' +PACKAGE_STRING='firejail 0.9.40' PACKAGE_BUGREPORT='netblue30@yahoo.com' PACKAGE_URL='http://firejail.wordpress.com' 
@@ -1246,7 +1246,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures firejail 0.9.40~rc2 to adapt to many kinds of systems. +\`configure' configures firejail 0.9.40 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1307,7 +1307,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of firejail 0.9.40~rc2:";; + short | recursive ) echo "Configuration of firejail 0.9.40:";; esac cat <<\_ACEOF @@ -1403,7 +1403,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -firejail configure 0.9.40~rc2 +firejail configure 0.9.40 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1705,7 +1705,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by firejail $as_me 0.9.40~rc2, which was +It was created by firejail $as_me 0.9.40, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4184,7 +4184,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by firejail $as_me 0.9.40~rc2, which was +This file was extended by firejail $as_me 0.9.40, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -4238,7 +4238,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -firejail config.status 0.9.40~rc2 +firejail config.status 0.9.40 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" 
diff --git a/configure.ac b/configure.ac index 09b1076c4..47048046b 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ([2.68]) -AC_INIT(firejail, 0.9.40~rc2, netblue30@yahoo.com, , http://firejail.wordpress.com) +AC_INIT(firejail, 0.9.40, netblue30@yahoo.com, , http://firejail.wordpress.com) AC_CONFIG_SRCDIR([src/firejail/main.c]) #AC_CONFIG_HEADERS([config.h]) diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index 8ac9d4f3f..251a1cb8f 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c @@ -111,7 +111,7 @@ void fs_check_bin_list(void) { // fprintf(stderr, "Warning: no --private-bin list executable found, option disabled\n"); // cfg.bin_private_keep = NULL; // arg_private_bin = 0; -// free(newlist); + free(newlist); } else { ptr = strrchr(newlist, ','); diff --git a/test/configure b/test/configure index bdf36fcad..9acd021c8 100755 --- a/test/configure +++ b/test/configure @@ -28,7 +28,7 @@ ROOTDIR="/tmp/chroot" # default chroot directory DEFAULT_FILES="/bin/bash /bin/sh " # basic chroot files DEFAULT_FILES+="/etc/passwd /etc/nsswitch.conf /etc/group " DEFAULT_FILES+=`find /lib -name libnss*` # files required by glibc -DEFAULT_FILES+=" /bin/cp /bin/ls /bin/cat /bin/ps /bin/netstat /bin/ping /sbin/ifconfig /usr/bin/touch /bin/hostname /bin/grep /usr/bin/dig /usr/bin/openssl /usr/bin/id /usr/bin/getent /usr/bin/whoami /usr/bin/wc /usr/bin/wget /bin/umount" +DEFAULT_FILES+=" /bin/cp /bin/ls /bin/cat /bin/ps /bin/netstat /bin/ping /sbin/ifconfig /usr/bin/touch /bin/ip /bin/hostname /bin/grep /usr/bin/dig /usr/bin/openssl /usr/bin/id /usr/bin/getent /usr/bin/whoami /usr/bin/wc /usr/bin/wget /bin/umount" rm -fr $ROOTDIR mkdir -p $ROOTDIR/{root,bin,lib,lib64,usr,home,etc,dev/shm,tmp,var/run,var/tmp,var/lock,var/log,proc} diff --git a/test/test-root.sh b/test/test-root.sh index 7e1a0b968..aca48d334 100755 --- a/test/test-root.sh +++ b/test/test-root.sh 
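Review bot: In the fs_bin.c hunk only `free(newlist);` is re-enabled, while the three lines above it stay commented out, so when no executable from the --private-bin list is found nothing is reported and `cfg.bin_private_keep` is left as it was. If that is intended, delete the dead lines and say so in their place, e.g. `// no usable entry found: keep cfg.bin_private_keep unchanged and release the scratch list`. If it is not intended, the warning should be restored so the user learns that the list was not applied as written. fs_check_bin_list() continues past the hunk, so also confirm that `newlist` is not read again after this branch.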
@@ -9,7 +9,7 @@ echo "TESTING: profile tmpfs (profile_tmpfs)" ./profile_tmpfs.exp echo "TESTING: network interfaces (net_interface.exp)" -./net_interface.exp +./network/net_interface.exp echo "TESTING: chroot (fs_chroot_asroot.exp)" ./fs_chroot_asroot.exp @@ -48,13 +48,13 @@ echo "TESTING: /proc/sysrq-trigger reset disabled (sysrq-trigger.exp)" ./sysrq-trigger.exp echo "TESTING: seccomp umount (seccomp-umount.exp)" -./seccomp-umount.exp +./filters/seccomp-umount.exp echo "TESTING: seccomp chmod (seccomp-chmod.exp)" -./seccomp-chmod.exp +./filters/seccomp-chmod.exp echo "TESTING: seccomp chown (seccomp-chown.exp)" -./seccomp-chown.exp +./filters/seccomp-chown.exp echo "TESTING: bind directory (option_bind_directory.exp)" ./option_bind_directory.exp -- cgit v1.2.3-70-g09d2 From 2a57a24561e3382059e199cac8aa8bba1bab44a0 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 18 May 2016 13:22:15 -0400 Subject: --read-only fix --- src/firejail/util.c | 2 +- src/man/firejail.txt | 16 +++++++++------- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/src/firejail/util.c b/src/firejail/util.c index da73bbfd5..3d5fc214d 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c @@ -548,7 +548,7 @@ char *expand_home(const char *path, const char* homedir) { errExit("asprintf"); return new_name; } - else if (strncmp(path, "~/", 2) == 0) { + else if (*path == '~') { if (asprintf(&new_name, "%s%s", homedir, path + 1) == -1) errExit("asprintf"); return new_name; diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 29a84f71e..e3a660286 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
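Review bot: In the util.c hunk, the relaxed test `*path == '~'` in expand_home() matches every path that starts with a tilde, not only `~` and `~/...`. A value such as `~name/dir` is rewritten to homedir followed by `name/dir`, so a blacklist, read-only or whitelist rule written that way would silently apply to a different path than the one the user typed. To accept a bare `~` without widening the match, use `else if (strcmp(path, "~") == 0 || strncmp(path, "~/", 2) == 0) {`. The function body starts and ends outside the hunk, so how other `~` forms are handled elsewhere could not be checked here.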
@@ -153,14 +153,7 @@ Example: .br $ sudo firejail \-\-caps.keep=chown,net_bind_service,setgid,\\ setuid /etc/init.d/nginx start -.br -.br -A short note about mixing \-\-whitelist and \-\-read-only options. Whitelisted directories -should be made read-only independently. Making a parent directory read-only, will not -make the whitelist read-only. Example: -.br -$ firejail --whitelist=~/work --read-only=~/ --read-only=~/work .TP \fB\-\-caps.print=name|pid Print the caps filter for the sandbox identified by name or by PID. @@ -1138,6 +1131,15 @@ Set directory or file read-only. Example: .br $ firejail \-\-read-only=~/.mozilla firefox +.br + +.br +A short note about mixing \-\-whitelist and \-\-read-only options. Whitelisted directories +should be made read-only independently. Making a parent directory read-only, will not +make the whitelist read-only. Example: +.br +$ firejail --whitelist=~/work --read-only=~/ --read-only=~/work + .TP \fB\-\-rlimit-fsize=number Set the maximum file size that can be created by a process. -- cgit v1.2.3-70-g09d2 From d221aada89e79d92d758d508475c443064a9da48 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 19 May 2016 12:14:18 -0400 Subject: fixes --- src/firejail/list.c | 34 +++++++++++++++++++++++++++------- src/firejail/output.c | 2 +- src/firejail/run_symlink.c | 6 ++++++ src/firejail/util.c | 1 + src/firejail/x11.c | 2 ++ 5 files changed, 37 insertions(+), 8 deletions(-) diff --git a/src/firejail/list.c b/src/firejail/list.c index cd53264b6..d093a1f85 100644 --- a/src/firejail/list.c +++ b/src/firejail/list.c @@ -21,7 +21,7 @@ #include #include -static void grsec_elevate_privileges(void) { +static void set_privileges(void) { struct stat s; if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { EUID_ROOT(); 
@@ -32,49 +32,69 @@ static void grsec_elevate_privileges(void) { if (setregid(0, 0)) errExit("setregid"); } + else + drop_privs(1); +} + +static char *get_firemon_path(const char *cmd) { + assert(cmd); + + // start the argv[0] program in a new sandbox + char *firemon; + if (asprintf(&firemon, "%s/bin/firemon %s", PREFIX, cmd) == -1) + errExit("asprintf"); + + return firemon; } void top(void) { EUID_ASSERT(); - + drop_privs(1); + char *cmd = get_firemon_path("--top"); + char *arg[4]; arg[0] = "bash"; arg[1] = "-c"; - arg[2] = "firemon --top"; + arg[2] = cmd; arg[3] = NULL; execvp("/bin/bash", arg); } void netstats(void) { EUID_ASSERT(); - grsec_elevate_privileges(); + set_privileges(); + char *cmd = get_firemon_path("--netstats"); char *arg[4]; arg[0] = "bash"; arg[1] = "-c"; - arg[2] = "firemon --netstats"; + arg[2] = cmd; arg[3] = NULL; execvp("/bin/bash", arg); } void list(void) { EUID_ASSERT(); + drop_privs(1); + char *cmd = get_firemon_path("--list"); char *arg[4]; arg[0] = "bash"; arg[1] = "-c"; - arg[2] = "firemon --list"; + arg[2] = cmd; arg[3] = NULL; execvp("/bin/bash", arg); } void tree(void) { EUID_ASSERT(); + drop_privs(1); + char *cmd = get_firemon_path("--tree"); char *arg[4]; arg[0] = "bash"; arg[1] = "-c"; - arg[2] = "firemon --tree"; + arg[2] = cmd; arg[3] = NULL; execvp("/bin/bash", arg); } diff --git a/src/firejail/output.c b/src/firejail/output.c index 269ac25ea..91fe7f164 100644 --- a/src/firejail/output.c +++ b/src/firejail/output.c @@ -27,7 +27,6 @@ void check_output(int argc, char **argv) { int i; char *outfile = NULL; -// drop_privs(0); int found = 0; for (i = 1; i < argc; i++) { @@ -91,6 +90,7 @@ void check_output(int argc, char **argv) { sprintf(ptr, "2>&1 | %s/firejail/ftee %s", LIBDIR, outfile); // run command + drop_privs(0); char *a[4]; a[0] = "/bin/bash"; a[1] = "-c"; diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c index d57816e12..cc6f6b3e9 100644 --- a/src/firejail/run_symlink.c +++ b/src/firejail/run_symlink.c 
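Review bot: In list.c, `netstats()` still runs its command through `bash -c` after `set_privileges()`, which on a grsecurity kernel leaves the process at uid/gid 0 (`setregid(0, 0)` is visible at the top of the hunk). As far as the hunk shows, a shell is therefore started as root with the inherited environment. Now that the firemon location is absolute, the shell is unnecessary: let `get_firemon_path()` return only the path and call `execv(path, arg)` with `arg` holding the path, the option and `NULL`. None of `top()`, `netstats()`, `list()` and `tree()` handles a failed exec, so each call should be followed by `errExit("execvp");`. The comment `// start the argv[0] program in a new sandbox` in `get_firemon_path()` does not describe the function and could read `// build the absolute firemon command line`.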
@@ -91,6 +91,12 @@ void run_symlink(int argc, char **argv) { printf("Redirecting symlink to %s\n", program); + // drop privileges + if (setgid(getgid()) < 0) + errExit("setgid/getgid"); + if (setuid(getuid()) < 0) + errExit("setuid/getuid"); + // run command char *a[3 + argc]; a[0] = firejail; diff --git a/src/firejail/util.c b/src/firejail/util.c index 3d5fc214d..dc906532f 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c @@ -29,6 +29,7 @@ // drop privileges // - for root group or if nogroups is set, supplementary groups are not configured void drop_privs(int nogroups) { + EUID_ROOT(); gid_t gid = getgid(); // configure supplementary groups diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 985ca9337..300078872 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c @@ -173,6 +173,7 @@ void x11_start_xephyr(int argc, char **argv) { fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n"); exit(1); } + drop_privs(0); // check xephyr if (x11_check_xephyr() == 0) { @@ -295,6 +296,7 @@ void x11_start_xpra(int argc, char **argv) { fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n"); exit(1); } + drop_privs(0); // check xpra if (x11_check_xpra() == 0) { -- cgit v1.2.3-70-g09d2 From cecd43784290fba972b2b1aa732d0f8531b8b846 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 20 May 2016 07:59:22 -0400 Subject: fixes --- src/man/firejail.txt | 2 +- test/filters/noroot.exp | 1 + test/filters/protocol.exp | 2 ++ 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/src/man/firejail.txt b/src/man/firejail.txt index e3a660286..2ea15ff2b 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
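Review bot: In the util.c hunk, the new `EUID_ROOT();` at the top of `drop_privs()` has no comment, and raising the effective uid inside a function named for dropping privileges reads like a mistake. If the intent is that callers now arrive with the effective uid lowered and the group and uid changes further down need root to succeed, state it on that line: `// regain effective root so the group/uid changes below can succeed`. The rest of drop_privs() is outside the hunk, so confirm there that every path ends in a permanent drop whose return value is checked.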
@@ -1138,7 +1138,7 @@ A short note about mixing \-\-whitelist and \-\-read-only options. Whitelisted d should be made read-only independently. Making a parent directory read-only, will not make the whitelist read-only. Example: .br -$ firejail --whitelist=~/work --read-only=~/ --read-only=~/work +$ firejail --whitelist=~/work --read-only=~ --read-only=~/work .TP \fB\-\-rlimit-fsize=number diff --git a/test/filters/noroot.exp b/test/filters/noroot.exp index 7f4f189ee..bbd2291c8 100755 --- a/test/filters/noroot.exp +++ b/test/filters/noroot.exp @@ -143,6 +143,7 @@ expect { timeout {puts "TESTING ERROR 22\n";exit} "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";} "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} + "Permission denied" { puts "OK\n";} } send -- "cat /proc/self/uid_map | wc -l\r" expect { diff --git a/test/filters/protocol.exp b/test/filters/protocol.exp index 10a13fe25..82e9a63eb 100755 --- a/test/filters/protocol.exp +++ b/test/filters/protocol.exp @@ -10,10 +10,12 @@ match_max 100000 send -- "firejail --noprofile --protocol=unix ./syscall_test socket\r" expect { timeout {puts "TESTING ERROR 1\n";exit} + "Permission denied" {puts "TESTING SKIP: permission denied\n"; exit} "Child process initialized" } expect { timeout {puts "TESTING ERROR 1.1\n";exit} + "Permission denied" {puts "TESTING SKIP: permission denied\n"; exit} "socket AF_INET" } expect { -- cgit v1.2.3-70-g09d2 From e21f5c16606e1613f56a297b7d09e1cb90c5b61d Mon Sep 17 00:00:00 2001 From: ValdikSS Date: Mon, 23 May 2016 23:17:56 +0300 Subject: Blacklist psi+ share directory. History and OTR keys are in there. --- etc/disable-programs.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 307ccaf6c..3474a6592 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc 
@@ -112,3 +112,4 @@ blacklist ${HOME}/.local/share/wesnoth blacklist ${HOME}/.local/share/0ad blacklist ${HOME}/.local/share/xplayer blacklist ${HOME}/.local/share/totem +blacklist ${HOME}/.local/share/psi+ -- cgit v1.2.3-70-g09d2 From e5de12f12c06c35b68bcaedc225bca8765f162f1 Mon Sep 17 00:00:00 2001 From: ValdikSS Date: Mon, 23 May 2016 23:20:31 +0300 Subject: Whitelist ~/.XCompose to prevent breaking custom compose keys --- etc/whitelist-common.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc index 9d5ef3d96..b3a1a1d30 100644 --- a/etc/whitelist-common.inc +++ b/etc/whitelist-common.inc @@ -1,5 +1,6 @@ # common whitelist for all profiles +whitelist ~/.XCompose whitelist ~/.config/mimeapps.list whitelist ~/.icons whitelist ~/.config/user-dirs.dirs -- cgit v1.2.3-70-g09d2 From 2cdbcfc830c23574a71b2caed39ffb72580e3de7 Mon Sep 17 00:00:00 2001 From: ValdikSS Date: Mon, 23 May 2016 23:31:53 +0300 Subject: Blacklist ~/.cert where Fedora (and probably other distros with SELinux) encourage users to store certificates --- etc/disable-common.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 479f32cb1..a61f1b210 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -93,6 +93,7 @@ read-only ${HOME}/bin # top secret blacklist ${HOME}/.ssh +blacklist ${HOME}/.cert blacklist ${HOME}/.gnome2/keyrings blacklist ${HOME}/kde4/share/apps/kwallet blacklist ${HOME}/kde/share/apps/kwallet -- cgit v1.2.3-70-g09d2 From e87f299a89faa57128d289bedaa644a65bd830a2 Mon Sep 17 00:00:00 2001 From: ValdikSS Date: Mon, 23 May 2016 23:23:21 +0300 Subject: Add Psi+ profile --- etc/psi-plus.profile | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 etc/psi-plus.profile diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile new file mode 100644 index 000000000..8194da74f --- /dev/null +++ b/etc/psi-plus.profile 
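Review bot: The disable-programs.inc hunk blacklists only `${HOME}/.local/share/psi+`, while the Psi+ profile added later in this series also works with `~/.config/psi+` and `~/.cache/psi+`. The configuration directory likely holds account settings, so other sandboxed programs that include disable-programs.inc could still read it. Consider adding `blacklist ${HOME}/.config/psi+` next to this line; the profile already carries the matching `noblacklist`.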
@@ -0,0 +1,27 @@ +# Firejail profile for Psi+ + +noblacklist ${HOME}/.config/psi+ +noblacklist ${HOME}/.local/share/psi+ +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +whitelist ${DOWNLOADS} +mkdir ~/.config +mkdir ~/.config/psi+ +whitelist ~/.config/psi+ +mkdir ~/.local +mkdir ~/.local/share +mkdir ~/.local/share/psi+ +whitelist ~/.local/share/psi+ +mkdir ~/.cache +mkdir ~/.cache/psi+ +whitelist ~/.cache/psi+ + +include /etc/firejail/whitelist-common.inc + +caps.drop all +seccomp +protocol unix,inet,inet6 +netfilter +noroot -- cgit v1.2.3-70-g09d2 From ae1f7b596acf4449369e87e755edc8a9073ad69e Mon Sep 17 00:00:00 2001 From: ValdikSS Date: Mon, 23 May 2016 23:29:43 +0300 Subject: Add generic Corebird profile --- etc/corebird.profile | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 etc/corebird.profile diff --git a/etc/corebird.profile b/etc/corebird.profile new file mode 100644 index 000000000..f3f73a44f --- /dev/null +++ b/etc/corebird.profile @@ -0,0 +1,12 @@ +# Firejail corebird profile + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +seccomp +protocol unix,inet,inet6 +netfilter +noroot -- cgit v1.2.3-70-g09d2 From 0d80553ab42d5451647ff0fcf2082b87a0b6aca6 Mon Sep 17 00:00:00 2001 From: ValdikSS Date: Mon, 23 May 2016 23:30:10 +0300 Subject: Add generic Konversation profile --- etc/konversation.profile | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 etc/konversation.profile diff --git a/etc/konversation.profile b/etc/konversation.profile new file mode 100644 index 000000000..d10decb8f --- /dev/null +++ b/etc/konversation.profile 
@@ -0,0 +1,12 @@ +# Firejail konversation profile + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +seccomp +protocol unix,inet,inet6 +netfilter +noroot -- cgit v1.2.3-70-g09d2 From c40618b75d5ed928676a58098ad20fdb015a1608 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 24 May 2016 07:28:00 -0400 Subject: 0.9.40 testing --- RELNOTES | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/RELNOTES b/RELNOTES index be1612acf..1d2d11c85 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,4 +1,4 @@ -firejail (0.9.40-rc1) baseline; urgency=low +firejail (0.9.40) baseline; urgency=low * added --nice option * added --x11 option * added --x11=xpra option @@ -28,7 +28,7 @@ firejail (0.9.40-rc1) baseline; urgency=low * generic.profile renamed default.profile * build rpm packages using "make rpms" * bugfixes - -- netblue30 Sun, 3 Apr 2016 08:00:00 -0500 + -- netblue30 Sun, 25 May 2016 08:00:00 -0500 firejail (0.9.38) baseline; urgency=low * IPv6 support (--ip6 and --netfilter6) -- cgit v1.2.3-70-g09d2 From 300af5c5996a2ec1d16b8acc0ad53f52b77e7b7b Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 24 May 2016 08:41:56 -0400 Subject: 0.9.40 testing --- RELNOTES | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELNOTES b/RELNOTES index 1d2d11c85..e87cc9637 100644 --- a/RELNOTES +++ b/RELNOTES @@ -28,7 +28,7 @@ firejail (0.9.40) baseline; urgency=low * generic.profile renamed default.profile * build rpm packages using "make rpms" * bugfixes - -- netblue30 Sun, 25 May 2016 08:00:00 -0500 + -- netblue30 Wed, 25 May 2016 08:00:00 -0500 firejail (0.9.38) baseline; urgency=low * IPv6 support (--ip6 and --netfilter6) -- cgit v1.2.3-70-g09d2 From 0bc571120af013407e448d9935e8be5189bc2765 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Tue, 24 May 2016 11:12:03 -0400 Subject: 0.9.40 testing --- test/filters/noroot.exp | 1 + test/filters/seccomp-su.exp | 6 ++++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/test/filters/noroot.exp b/test/filters/noroot.exp index bbd2291c8..1e08cee12 100755 --- a/test/filters/noroot.exp +++ b/test/filters/noroot.exp @@ -49,6 +49,7 @@ expect { timeout {puts "TESTING ERROR 8\n";exit} "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";} "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} + "Bad system call" { puts "OK\n";} } send -- "cat /proc/self/uid_map | wc -l\r" expect { diff --git a/test/filters/seccomp-su.exp b/test/filters/seccomp-su.exp index 003f3df99..e2ab050bf 100755 --- a/test/filters/seccomp-su.exp +++ b/test/filters/seccomp-su.exp @@ -17,13 +17,15 @@ sleep 2 send -- "sudo su -\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "effective uid is not 0" + "effective uid is not 0" {puts "OK\n"} + "Bad system call" {puts "OK\n"} } send -- "sudo ls\r" expect { timeout {puts "TESTING ERROR 2\n";exit} - "effective uid is not 0" + "effective uid is not 0" {puts "OK\n"} + "Bad system call" {puts "OK\n"} } send -- "ping google.com\r" -- cgit v1.2.3-70-g09d2 From 178f649ac21f1511db89c1bfcb617678b7bf2e2a Mon Sep 17 00:00:00 2001 From: The Fox in the Shell Date: Thu, 7 Apr 2016 18:22:24 +0200 Subject: sandbox: Add NO_NEW_PRIVS inconditionally This is just a first try --- src/firejail/sandbox.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 5cfee44d8..109395b60 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c 
@@ -747,6 +747,16 @@ int sandbox(void* sandbox_arg) { set_caps(); } + //**************************************** + // Set NO_NEW_PRIVS if desired + //**************************************** + int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + if(no_new_privs != 0) { + errExit("NO_NEW_PRIVS"); + } else + printf("No new privileges from this point on\n"); + + //**************************************** // fork the application and monitor it //**************************************** -- cgit v1.2.3-70-g09d2 From 0688847fa8287752e2bdd209bde37029dff48dc5 Mon Sep 17 00:00:00 2001 From: The Fox in the Shell Date: Wed, 25 May 2016 02:19:02 +0200 Subject: Make NO_NEW_PRIVS configurable --- src/firejail/firejail.h | 1 + src/firejail/main.c | 4 ++++ src/firejail/profile.c | 4 ++++ src/firejail/sandbox.c | 13 ++++++++----- src/firejail/usage.c | 3 +++ 5 files changed, 20 insertions(+), 5 deletions(-) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index f4a176caf..c9c090a97 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -237,6 +237,7 @@ extern int arg_rlimit_nproc; // rlimit nproc extern int arg_rlimit_fsize; // rlimit fsize extern int arg_rlimit_sigpending;// rlimit sigpending extern int arg_nogroups; // disable supplementary groups +extern int arg_nonewprivs; // set the NO_NEW_PRIVS prctl extern int arg_noroot; // create a new user namespace and disable root user extern int arg_netfilter; // enable netfilter extern int arg_netfilter6; // enable netfilter6 diff --git a/src/firejail/main.c b/src/firejail/main.c index a540d468b..2f4a78d4b 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c 
@@ -77,6 +77,7 @@ int arg_rlimit_nproc = 0; // rlimit nproc int arg_rlimit_fsize = 0; // rlimit fsize int arg_rlimit_sigpending = 0; // rlimit fsize int arg_nogroups = 0; // disable supplementary groups +int arg_nonewprivs = 0; // set the NO_NEW_PRIVS prctl int arg_noroot = 0; // create a new user namespace and disable root user int arg_netfilter; // enable netfilter int arg_netfilter6; // enable netfilter6 @@ -1367,6 +1368,9 @@ int main(int argc, char **argv) { } } #endif + else if (strcmp(argv[i], "--nonewprivs") == 0) { + arg_nonewprivs = 1; + } else if (strncmp(argv[i], "--env=", 6) == 0) env_store(argv[i] + 6); else if (strncmp(argv[i], "--nosound", 9) == 0) { diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 3bf294e00..192f36974 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -131,6 +131,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { return 0; } + else if (strcmp(ptr, "nonewprivs") == 0) { + arg_nonewprivs = 1; + return 0; + } else if (strcmp(ptr, "seccomp") == 0) { #ifdef HAVE_SECCOMP if (checkcfg(CFG_SECCOMP)) diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 109395b60..843c1efe5 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -750,11 +750,14 @@ int sandbox(void* sandbox_arg) { //**************************************** // Set NO_NEW_PRIVS if desired //**************************************** - int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); - if(no_new_privs != 0) { - errExit("NO_NEW_PRIVS"); - } else - printf("No new privileges from this point on\n"); + if (arg_nonewprivs) { + int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + + if(no_new_privs != 0) + errExit("NO_NEW_PRIVS"); + else if (arg_debug) + printf("NO_NEW_PRIVS set\n"); + } //**************************************** diff --git a/src/firejail/usage.c b/src/firejail/usage.c index ef02c0d72..45bf2e3b1 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c 
@@ -157,6 +157,9 @@ void usage(void) { printf("\tuser. root user does not exist in the new namespace. This option\n"); printf("\tis not supported for --chroot and --overlay configurations.\n\n"); #endif + printf(" --nonewprivs - sets the NO_NEW_PRIVS prctl - the child processes\n"); + printf("\tcannot gain privileges using execve(2); in particular, this prevents\n"); + printf("\tgaining privileges by calling a suid binary\n\n"); printf(" --nosound - disable sound system.\n\n"); printf(" --output=logfile - stdout logging and log rotation. Copy stdout and stderr\n"); -- cgit v1.2.3-70-g09d2 From 2cecda837db48f92d5f6089ba680ae5292382e6c Mon Sep 17 00:00:00 2001 From: The Fox in the Shell Date: Wed, 25 May 2016 02:26:31 +0200 Subject: Document nonewprivs --- src/man/firejail-profile.txt | 6 ++++++ src/man/firejail.txt | 7 +++++++ 2 files changed, 13 insertions(+) diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 4d1de76f5..1f7c8beac 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -239,6 +239,12 @@ Enable seccomp filter and blacklist the system calls in the list. \fBseccomp.keep syscall,syscall,syscall Enable seccomp filter and whitelist the system calls in the list. .TP +\fBnonewprivs +Sets the NO_NEW_PRIVS prctl. This ensures that child processes +cannot acquire new privileges using execve(2); in particular, +this means that calling a suid binary (or one with file capabilities) +does not results in an increase of privilege. +.TP \fBnoroot Use this command to enable an user namespace. The namespace has only one user, the current user. There is no root account (uid 0) defined in the namespace. diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 2ea15ff2b..7b22a5bf2 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
@@ -903,6 +903,13 @@ ping: icmp open socket: Operation not permitted .br $ +.TP +\fB\-\-nonewprivs +Sets the NO_NEW_PRIVS prctl. This ensures that child processes +cannot acquire new privileges using execve(2); in particular, +this means that calling a suid binary (or one with file capabilities) +does not results in an increase of privilege. + .TP \fB\-\-nosound Disable sound system. -- cgit v1.2.3-70-g09d2 From 4125505f2e632bc3f1358470c78e2f9bb88c368e Mon Sep 17 00:00:00 2001 From: The Fox in the Shell Date: Wed, 25 May 2016 02:45:20 +0200 Subject: midori.profile: Use nonewprivs and noroot --- etc/midori.profile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/etc/midori.profile b/etc/midori.profile index 7fc27e07c..568687058 100644 --- a/etc/midori.profile +++ b/etc/midori.profile @@ -8,4 +8,5 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter - +nonewprivs +noroot -- cgit v1.2.3-70-g09d2 From 1c0428dba28299b66380c8c05770d6619383d758 Mon Sep 17 00:00:00 2001 From: The Fox in the Shell Date: Wed, 25 May 2016 14:59:30 +0200 Subject: Add force-nonewprivs setting --- README.md | 7 +++++++ etc/firejail.config | 6 ++++++ src/firejail/checkcfg.c | 11 +++++++++++ src/firejail/firejail.h | 3 ++- src/firejail/sandbox.c | 2 +- src/man/firejail-config.txt | 8 ++++++++ 6 files changed, 35 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 4fa79d9f2..6f05a010f 100644 --- a/README.md +++ b/README.md 
@@ -207,6 +207,13 @@ The following features can be enabled or disabled: x11 Enable or disable X11 sandboxing support, default enabled. + force-nonewprivs + Force use of theh NO_NEW_PRIVS prctl(2) flag. + This mitigates the possibility of a user abusing firejail's + features to trick a privileged (suid or file capabilities) + process into loading code or configuration that is partially + under their control. Default disabled + xephyr-screen Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for a full list of resolutions available on your diff --git a/etc/firejail.config b/etc/firejail.config index 41cd08e68..caaeb6792 100644 --- a/etc/firejail.config +++ b/etc/firejail.config @@ -30,6 +30,12 @@ # Enable or disable X11 sandboxing support, default enabled. # x11 yes +# Force use of nonewprivs. This mitigates the possibility of +# a user abusing firejail's features to trick a privileged (suid +# or file capabilities) process into loading code or configuration +# that is partially under their control. Default disabled +# force-nonewprivs no + # Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for # a full list of resolutions available on your specific setup. # xephyr-screen 640x480 diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 430b0c5a6..4fdbe1897 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -36,7 +36,9 @@ int checkcfg(int val) { int i; for (i = 0; i < CFG_MAX; i++) cfg_val[i] = 1; // most of them are enabled by default + cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default + cfg_val[CFG_FORCE_NONEWPRIVS ] = 0; // disabled by default // open configuration file char *fname; 
@@ -106,6 +108,15 @@ int checkcfg(int val) { else goto errout; } + // nonewprivs + else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) { + if (strcmp(ptr + 17, "yes") == 0) + cfg_val[CFG_SECCOMP] = 1; + else if (strcmp(ptr + 17, "no") == 0) + cfg_val[CFG_SECCOMP] = 0; + else + goto errout; + } // seccomp else if (strncmp(ptr, "seccomp ", 8) == 0) { if (strcmp(ptr + 8, "yes") == 0) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index c9c090a97..661073730 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -566,7 +566,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh); #define CFG_SECCOMP 5 #define CFG_NETWORK 6 #define CFG_RESTRICTED_NETWORK 7 -#define CFG_MAX 8 // this should always be the last entry +#define CFG_FORCE_NONEWPRIVS 8 +#define CFG_MAX 9 // this should always be the last entry int checkcfg(int val); // fs_rdwr.c diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 843c1efe5..6133a610d 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -750,7 +750,7 @@ int sandbox(void* sandbox_arg) { //**************************************** // Set NO_NEW_PRIVS if desired //**************************************** - if (arg_nonewprivs) { + if (arg_nonewprivs || checkcfg(CFG_FORCE_NONEWPRIVS)) { int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); if(no_new_privs != 0) diff --git a/src/man/firejail-config.txt b/src/man/firejail-config.txt index fcf4109ee..dcede2ec6 100644 --- a/src/man/firejail-config.txt +++ b/src/man/firejail-config.txt 
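Review bot: In the checkcfg.c hunk, the new `force-nonewprivs` branch assigns to `cfg_val[CFG_SECCOMP]` in both arms, so the setting never reaches `CFG_FORCE_NONEWPRIVS`. As a side effect, `force-nonewprivs no` in firejail.config switches seccomp support off unless a later `seccomp` line overrides it. Both assignments should target the new index: `cfg_val[CFG_FORCE_NONEWPRIVS] = 1;` and `cfg_val[CFG_FORCE_NONEWPRIVS] = 0;`. As written, the `checkcfg(CFG_FORCE_NONEWPRIVS)` test added to sandbox.c presumably always sees the default of 0, so the administrator's hardening switch has no effect. The parser loop this branch sits in starts and ends outside the hunk.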
@@ -48,6 +48,14 @@ Enable or disable user namespace support, default enabled. \fBx11 Enable or disable X11 sandboxing support, default enabled. +.TP +\fBforce-nonewprivs +Force use of nonewprivs. This mitigates the possibility of +a user abusing firejail's features to trick a privileged (suid +or file capabilities) process into loading code or configuration +that is partially under their control. Default disabled. + + .TP \fBxephyr-screen Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for -- cgit v1.2.3-70-g09d2 From 845bd06665539af002b1bf74d2b7cb9e6cf11e0e Mon Sep 17 00:00:00 2001 
From: The Fox in the Shell Date: Wed, 25 May 2016 02:46:09 +0200 Subject: profiles: Add nonewprivs where sensible --- etc/0ad.profile | 1 + etc/Mathematica.profile | 1 + etc/abrowser.profile | 1 + etc/atril.profile | 1 + etc/audacious.profile | 1 + etc/aweather.profile | 1 + etc/bitlbee.profile | 1 + etc/cherrytree.profile | 1 + etc/clementine.profile | 1 + etc/cmus.profile | 1 + etc/conkeror.profile | 1 + etc/cyberfox.profile | 1 + etc/deadbeef.profile | 1 + etc/default.profile | 1 + etc/deluge.profile | 1 + etc/dillo.profile | 1 + etc/dnsmasq.profile | 1 + etc/dropbox.profile | 1 + etc/empathy.profile | 1 + etc/epiphany.profile | 2 +- etc/evince.profile | 1 + etc/fbreader.profile | 1 + etc/filezilla.profile | 1 + etc/firefox.profile | 1 + etc/flashpeak-slimjet.profile | 1 + etc/gnome-mplayer.profile | 1 + etc/google-play-music-desktop-player.profile | 1 + etc/gpredict.profile | 1 + etc/gwenview.profile | 1 + etc/hedgewars.profile | 1 + etc/hexchat.profile | 1 + etc/kmail.profile | 1 + etc/mcabber.profile | 1 + etc/mupen64plus.profile | 1 + etc/netsurf.profile | 1 + etc/okular.profile | 1 + etc/palemoon.profile | 1 + etc/parole.profile | 1 + etc/pidgin.profile | 1 + etc/polari.profile | 1 + etc/qbittorrent.profile | 1 + etc/qtox.profile | 1 + etc/quassel.profile | 1 + etc/quiterss.profile | 1 + etc/qutebrowser.profile | 1 + etc/rhythmbox.profile | 1 + etc/rtorrent.profile | 1 + etc/seamonkey.profile | 1 + etc/skype.profile | 1 + etc/spotify.profile | 1 + etc/ssh.profile | 1 + etc/steam.profile | 1 + etc/stellarium.profile | 1 + etc/telegram.profile | 1 + etc/totem.profile | 1 + etc/transmission-gtk.profile | 1 + etc/transmission-qt.profile | 1 + etc/uget-gtk.profile | 1 + etc/vivaldi.profile | 1 + etc/vlc.profile | 1 + etc/warzone2100.profile | 1 + etc/weechat.profile | 1 + etc/wesnoth.profile | 1 + etc/wine.profile | 1 + etc/xchat.profile | 1 + etc/xplayer.profile | 1 + etc/xreader.profile | 1 + etc/xviewer.profile | 1 + 68 files changed, 68 insertions(+), 1 
deletion(-) diff --git a/etc/0ad.profile b/etc/0ad.profile index f8a3ce23d..e6540fb5d 100644 --- a/etc/0ad.profile +++ b/etc/0ad.profile @@ -12,6 +12,7 @@ protocol unix,inet,inet6,netlink netfilter tracelog noroot +nonewprivs # Whitelists noblacklist ~/.cache/0ad diff --git a/etc/Mathematica.profile b/etc/Mathematica.profile index 05131df43..75dbebcf0 100644 --- a/etc/Mathematica.profile +++ b/etc/Mathematica.profile @@ -16,4 +16,5 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp +nonewprivs noroot diff --git a/etc/abrowser.profile b/etc/abrowser.profile index 949635258..6a06ce76b 100644 --- a/etc/abrowser.profile +++ b/etc/abrowser.profile @@ -11,6 +11,7 @@ seccomp protocol unix,inet,inet6,netlink netfilter tracelog +nonewprivs noroot whitelist ${DOWNLOADS} diff --git a/etc/atril.profile b/etc/atril.profile index d1a7b25f8..c20a8c7b3 100644 --- a/etc/atril.profile +++ b/etc/atril.profile @@ -9,6 +9,7 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot tracelog netfilter diff --git a/etc/audacious.profile b/etc/audacious.profile index 290faa260..0a1598dee 100644 --- a/etc/audacious.profile +++ b/etc/audacious.profile @@ -7,4 +7,5 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot diff --git a/etc/aweather.profile b/etc/aweather.profile index d7f510a7e..dd508e736 100644 --- a/etc/aweather.profile +++ b/etc/aweather.profile @@ -12,6 +12,7 @@ include /etc/firejail/disable-programs.inc # Call these options caps.drop all netfilter +nonewprivs noroot protocol unix,inet,inet6,netlink seccomp diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile index fb84c260a..b7ccd132e 100644 --- a/etc/bitlbee.profile +++ b/etc/bitlbee.profile @@ -9,3 +9,4 @@ private private-dev seccomp netfilter +nonewprivs diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index 1f69f61c6..b3a34fc9a 100644 --- a/etc/cherrytree.profile 
+++ b/etc/cherrytree.profile @@ -19,6 +19,7 @@ seccomp protocol unix,inet,inet6,netlink netfilter tracelog +nonewprivs noroot include /etc/firejail/whitelist-common.inc nosound diff --git a/etc/clementine.profile b/etc/clementine.profile index c6271e6e3..fb9dca2a9 100644 --- a/etc/clementine.profile +++ b/etc/clementine.profile @@ -7,4 +7,5 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot diff --git a/etc/cmus.profile b/etc/cmus.profile index 72b43a70f..16b9c112d 100644 --- a/etc/cmus.profile +++ b/etc/cmus.profile @@ -10,6 +10,7 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter +nonewprivs noroot private-bin cmus diff --git a/etc/conkeror.profile b/etc/conkeror.profile index 007eef663..0a7966e4b 100644 --- a/etc/conkeror.profile +++ b/etc/conkeror.profile @@ -7,6 +7,7 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter +nonewprivs noroot whitelist ~/.conkeror.mozdev.org diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile index cef9ad464..c5fb25e9a 100644 --- a/etc/cyberfox.profile +++ b/etc/cyberfox.profile @@ -11,6 +11,7 @@ seccomp protocol unix,inet,inet6,netlink netfilter tracelog +nonewprivs noroot whitelist ${DOWNLOADS} diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile index 2810e5323..9225ca16e 100644 --- a/etc/deadbeef.profile +++ b/etc/deadbeef.profile @@ -9,4 +9,5 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot diff --git a/etc/default.profile b/etc/default.profile index f2c7d4114..d836a9f5d 100644 --- a/etc/default.profile +++ b/etc/default.profile @@ -11,5 +11,6 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter +nonewprivs noroot diff --git a/etc/deluge.profile b/etc/deluge.profile index 4043f58f5..f7a2b98e4 100644 --- a/etc/deluge.profile +++ b/etc/deluge.profile @@ -9,5 +9,6 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter +nonewprivs noroot nosound 
diff --git a/etc/dillo.profile b/etc/dillo.profile index 49c33fb7a..392000ade 100644 --- a/etc/dillo.profile +++ b/etc/dillo.profile @@ -11,6 +11,7 @@ seccomp protocol unix,inet,inet6 netfilter tracelog +nonewprivs noroot whitelist ${DOWNLOADS} diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile index 474bc5aca..4459c40dd 100644 --- a/etc/dnsmasq.profile +++ b/etc/dnsmasq.profile @@ -11,3 +11,4 @@ protocol unix,inet,inet6,netlink netfilter private private-dev +nonewprivs diff --git a/etc/dropbox.profile b/etc/dropbox.profile index a0a944dce..568ab230a 100644 --- a/etc/dropbox.profile +++ b/etc/dropbox.profile @@ -6,4 +6,5 @@ include /etc/firejail/disable-passwdmgr.inc caps seccomp protocol unix,inet,inet6 +nonewprivs noroot diff --git a/etc/empathy.profile b/etc/empathy.profile index 789bdda08..c08398e84 100644 --- a/etc/empathy.profile +++ b/etc/empathy.profile @@ -7,3 +7,4 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter +nonewprivs diff --git a/etc/epiphany.profile b/etc/epiphany.profile index 95a673bf9..7783a05fd 100644 --- a/etc/epiphany.profile +++ b/etc/epiphany.profile @@ -23,4 +23,4 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter - +nonewprivs diff --git a/etc/evince.profile b/etc/evince.profile index c390dcaf3..3c883d43c 100644 --- a/etc/evince.profile +++ b/etc/evince.profile @@ -7,5 +7,6 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot nosound diff --git a/etc/fbreader.profile b/etc/fbreader.profile index cfbae1c74..7764a48c9 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile @@ -10,5 +10,6 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter +nonewprivs noroot nosound diff --git a/etc/filezilla.profile b/etc/filezilla.profile index 8542de284..1ab08b568 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile 
@@ -9,6 +9,7 @@ include /etc/firejail/disable-devel.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot netfilter nosound diff --git a/etc/firefox.profile b/etc/firefox.profile index 1ea94a2c7..6796ef7c4 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile @@ -11,6 +11,7 @@ seccomp protocol unix,inet,inet6,netlink netfilter tracelog +nonewprivs noroot whitelist ${DOWNLOADS} diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile index 94c672acf..77a95aa17 100644 --- a/etc/flashpeak-slimjet.profile +++ b/etc/flashpeak-slimjet.profile @@ -18,6 +18,7 @@ caps.drop all seccomp protocol unix,inet,inet6,netlink netfilter +nonewprivs noroot whitelist ${DOWNLOADS} diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile index ec3698ac8..010b19613 100644 --- a/etc/gnome-mplayer.profile +++ b/etc/gnome-mplayer.profile @@ -7,4 +7,5 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile index 7fe43f1f6..fe2f79901 100644 --- a/etc/google-play-music-desktop-player.profile +++ b/etc/google-play-music-desktop-player.profile @@ -9,6 +9,7 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp protocol unix,inet,inet6,netlink +nonewprivs noroot netfilter diff --git a/etc/gpredict.profile b/etc/gpredict.profile index f53cb1b4f..ba9fce37b 100644 --- a/etc/gpredict.profile +++ b/etc/gpredict.profile @@ -12,6 +12,7 @@ include /etc/firejail/disable-programs.inc # Call these options caps.drop all netfilter +nonewprivs noroot protocol unix,inet,inet6,netlink seccomp diff --git a/etc/gwenview.profile b/etc/gwenview.profile index d61c57adc..87523d825 100644 --- a/etc/gwenview.profile +++ b/etc/gwenview.profile @@ -8,6 +8,7 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp protocol unix +nonewprivs noroot nogroups private-dev 
diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile index 5ab7cfe72..c5d863bd5 100644 --- a/etc/hedgewars.profile +++ b/etc/hedgewars.profile @@ -7,6 +7,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +nonewprivs noroot private-dev seccomp diff --git a/etc/hexchat.profile b/etc/hexchat.profile index b77555e55..3eb350660 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile @@ -9,6 +9,7 @@ include /etc/firejail/disable-devel.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot netfilter diff --git a/etc/kmail.profile b/etc/kmail.profile index a7079661b..a47945bc6 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile @@ -10,5 +10,6 @@ caps.drop all seccomp protocol unix,inet,inet6,netlink netfilter +nonewprivs noroot tracelog diff --git a/etc/mcabber.profile b/etc/mcabber.profile index 1d753d7c3..1536194b2 100644 --- a/etc/mcabber.profile +++ b/etc/mcabber.profile @@ -11,6 +11,7 @@ caps.drop all seccomp protocol inet,inet6 netfilter +nonewprivs noroot private-bin mcabber diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile index 7b38b411a..c9a99bede 100644 --- a/etc/mupen64plus.profile +++ b/etc/mupen64plus.profile @@ -16,6 +16,7 @@ mkdir ${HOME}/.config mkdir ${HOME}/.config/mupen64plus whitelist ${HOME}/.config/mupen64plus/ +nonewprivs noroot caps.drop all seccomp diff --git a/etc/netsurf.profile b/etc/netsurf.profile index 26b621126..e01cace7f 100644 --- a/etc/netsurf.profile +++ b/etc/netsurf.profile @@ -11,6 +11,7 @@ seccomp protocol unix,inet,inet6,netlink netfilter tracelog +nonewprivs noroot whitelist ${DOWNLOADS} diff --git a/etc/okular.profile b/etc/okular.profile index 7929a8796..5179da787 100644 --- a/etc/okular.profile +++ b/etc/okular.profile @@ -9,6 +9,7 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp protocol unix +nonewprivs noroot nogroups private-dev 
diff --git a/etc/palemoon.profile b/etc/palemoon.profile index fc4ea453b..4db9b7adc 100644 --- a/etc/palemoon.profile +++ b/etc/palemoon.profile @@ -16,6 +16,7 @@ seccomp protocol unix,inet,inet6,netlink netfilter tracelog +nonewprivs noroot whitelist ${DOWNLOADS} diff --git a/etc/parole.profile b/etc/parole.profile index 0c9a72143..c0be0453b 100644 --- a/etc/parole.profile +++ b/etc/parole.profile @@ -11,5 +11,6 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter +nonewprivs noroot shell none diff --git a/etc/pidgin.profile b/etc/pidgin.profile index fd497f082..767da5f55 100644 --- a/etc/pidgin.profile +++ b/etc/pidgin.profile @@ -8,4 +8,5 @@ include /etc/firejail/disable-devel.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot diff --git a/etc/polari.profile b/etc/polari.profile index 0bc46f3f7..7910f4e9b 100644 --- a/etc/polari.profile +++ b/etc/polari.profile @@ -24,6 +24,7 @@ include /etc/firejail/whitelist-common.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot netfilter diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index 8bdc745fb..858fdda4d 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile @@ -8,5 +8,6 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter +nonewprivs noroot nosound diff --git a/etc/qtox.profile b/etc/qtox.profile index 80acc3873..ca34e932a 100644 --- a/etc/qtox.profile +++ b/etc/qtox.profile @@ -12,4 +12,5 @@ include /etc/firejail/whitelist-common.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot diff --git a/etc/quassel.profile b/etc/quassel.profile index 72004da7f..e68315c1c 100644 --- a/etc/quassel.profile +++ b/etc/quassel.profile @@ -6,5 +6,6 @@ include /etc/firejail/disable-devel.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot netfilter diff --git a/etc/quiterss.profile b/etc/quiterss.profile index 411d37dbd..5ad7ead1a 100644 --- a/etc/quiterss.profile +++ b/etc/quiterss.profile 
@@ -20,6 +20,7 @@ seccomp protocol unix,inet,inet6 netfilter tracelog +nonewprivs noroot nogroups shell none diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile index 934a374de..09d10b0bb 100644 --- a/etc/qutebrowser.profile +++ b/etc/qutebrowser.profile @@ -11,6 +11,7 @@ seccomp protocol unix,inet,inet6,netlink netfilter tracelog +nonewprivs noroot whitelist ${DOWNLOADS} diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index 782cd3832..ee0832863 100644 --- a/etc/rhythmbox.profile +++ b/etc/rhythmbox.profile @@ -7,5 +7,6 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot netfilter diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index ae0430830..9ae2206c1 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile @@ -8,5 +8,6 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter +nonewprivs noroot nosound diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile index a10d5b0ec..886af0f67 100644 --- a/etc/seamonkey.profile +++ b/etc/seamonkey.profile @@ -10,6 +10,7 @@ seccomp protocol unix,inet,inet6,netlink netfilter tracelog +nonewprivs noroot whitelist ${DOWNLOADS} diff --git a/etc/skype.profile b/etc/skype.profile index 26feac1a4..4c4a34980 100644 --- a/etc/skype.profile +++ b/etc/skype.profile @@ -6,6 +6,7 @@ include /etc/firejail/disable-devel.inc caps.drop all netfilter +nonewprivs noroot seccomp protocol unix,inet,inet6 diff --git a/etc/spotify.profile b/etc/spotify.profile index fd4586dd5..1ee379dea 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile @@ -26,5 +26,6 @@ caps.drop all seccomp protocol unix,inet,inet6,netlink netfilter +nonewprivs noroot diff --git a/etc/ssh.profile b/etc/ssh.profile index 7b282bde6..0c4621f66 100644 --- a/etc/ssh.profile +++ b/etc/ssh.profile @@ -9,4 +9,5 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter +nonewprivs noroot diff --git a/etc/steam.profile b/etc/steam.profile index 4c96e8258..ae5e93829 100644 
--- a/etc/steam.profile +++ b/etc/steam.profile @@ -8,6 +8,7 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter +nonewprivs noroot seccomp protocol unix,inet,inet6 diff --git a/etc/stellarium.profile b/etc/stellarium.profile index 7cb74eeaa..148ec949d 100644 --- a/etc/stellarium.profile +++ b/etc/stellarium.profile @@ -13,6 +13,7 @@ include /etc/firejail/disable-programs.inc # Call these options caps.drop all netfilter +nonewprivs noroot protocol unix,inet,inet6,netlink seccomp diff --git a/etc/telegram.profile b/etc/telegram.profile index df6b6a270..62a0fa404 100644 --- a/etc/telegram.profile +++ b/etc/telegram.profile @@ -7,6 +7,7 @@ include /etc/firejail/disable-devel.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot netfilter diff --git a/etc/totem.profile b/etc/totem.profile index d23167b03..f2bce5dee 100644 --- a/etc/totem.profile +++ b/etc/totem.profile @@ -10,5 +10,6 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot netfilter diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index d61d36a8c..e27873f88 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile @@ -11,6 +11,7 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter +nonewprivs noroot tracelog nosound diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index 3db7a5452..2caa923d8 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile @@ -11,6 +11,7 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter +nonewprivs noroot tracelog nosound diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile index ef5aa7d4a..86e7be6fd 100644 --- a/etc/uget-gtk.profile +++ b/etc/uget-gtk.profile @@ -9,6 +9,7 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter +nonewprivs noroot whitelist ${DOWNLOADS} diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile index 449d9a168..2049d2bd9 100644 --- a/etc/vivaldi.profile 
+++ b/etc/vivaldi.profile @@ -6,6 +6,7 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc netfilter +nonewprivs whitelist ${DOWNLOADS} mkdir ~/.config diff --git a/etc/vlc.profile b/etc/vlc.profile index 061ae6f78..d26034748 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile @@ -9,5 +9,6 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot netfilter diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile index 7588da657..ceeaca012 100644 --- a/etc/warzone2100.profile +++ b/etc/warzone2100.profile @@ -9,6 +9,7 @@ include /etc/firejail/disable-programs.inc # Call these options caps.drop all netfilter +nonewprivs noroot protocol unix,inet,inet6,netlink seccomp diff --git a/etc/weechat.profile b/etc/weechat.profile index 280a5f9d8..11b5bd10f 100644 --- a/etc/weechat.profile +++ b/etc/weechat.profile @@ -7,5 +7,6 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter +nonewprivs noroot netfilter diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile index 340ba0db5..61a87d994 100644 --- a/etc/wesnoth.profile +++ b/etc/wesnoth.profile @@ -11,6 +11,7 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot private-dev diff --git a/etc/wine.profile b/etc/wine.profile index ea6db8511..18e5346af 100644 --- a/etc/wine.profile +++ b/etc/wine.profile @@ -9,5 +9,6 @@ include /etc/firejail/disable-devel.inc caps.drop all netfilter +nonewprivs noroot seccomp diff --git a/etc/xchat.profile b/etc/xchat.profile index fcea4245e..f4b273693 100644 --- a/etc/xchat.profile +++ b/etc/xchat.profile @@ -8,4 +8,5 @@ include /etc/firejail/disable-devel.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot diff --git a/etc/xplayer.profile b/etc/xplayer.profile index 67a46a7da..fb0e3c910 100644 --- a/etc/xplayer.profile +++ b/etc/xplayer.profile 
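Review bot: In vivaldi.profile, `nonewprivs` is added next to `netfilter` in a profile whose visible context has none of the `caps.drop all`, `seccomp` or `noroot` lines that the other profiles in this commit carry. If those were left out because the browser relies on a setuid helper for its own sandbox (an assumption, as the rest of the profile is outside the hunk), NO_NEW_PRIVS would stop that helper from gaining privileges. The profile should be tested with the flag before merge, and the result recorded in a comment such as `# nonewprivs: checked against the browser's own sandbox`.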
@@ -10,6 +10,7 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot tracelog netfilter diff --git a/etc/xreader.profile b/etc/xreader.profile index 7b72d41a6..4b7ed41be 100644 --- a/etc/xreader.profile +++ b/etc/xreader.profile @@ -11,6 +11,7 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot tracelog netfilter diff --git a/etc/xviewer.profile b/etc/xviewer.profile index 33e1e3c68..a0c91f0f3 100644 --- a/etc/xviewer.profile +++ b/etc/xviewer.profile @@ -9,5 +9,6 @@ caps.drop all seccomp protocol unix,inet,inet6 noroot +nonewprivs tracelog netfilter -- cgit v1.2.3-70-g09d2 From 99d9a32bfabe97a6eeeccb024a68feed331d8f74 Mon Sep 17 00:00:00 2001 From: The Fox in the Shell Date: Wed, 25 May 2016 15:51:26 +0200 Subject: Make `restricted-network` prevent use of netfilter --- src/firejail/main.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/src/firejail/main.c b/src/firejail/main.c index a540d468b..a2342843b 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1675,6 +1675,18 @@ int main(int argc, char **argv) { #ifdef HAVE_NETWORK else if (strcmp(argv[i], "--netfilter") == 0) { +#ifdef HAVE_NETWORK_RESTRICTED + // compile time restricted networking + if (getuid() != 0) { + fprintf(stderr, "Error: --netfilter is only allowed for root\n"); + exit(1); + } +#endif + // run time restricted networking + if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) { + fprintf(stderr, "Error: --netfilter is only allowed for root\n"); + exit(1); + } if (checkcfg(CFG_NETWORK)) { arg_netfilter = 1; } 
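Review bot: The root-only check is added only to the `--netfilter` and `--netfilter=` command-line branches (this hunk and the next one in main.c), while the profiles elsewhere on this page turn on the same feature with a `netfilter` line. The commit touches main.c alone, so if the profile parser sets `arg_netfilter` without the same `checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0` test, the restriction would not cover profiles. That path is not visible here and should be confirmed. The two branches also repeat the same block verbatim, which a small static helper called from both would avoid. main() continues outside the hunk.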
@@ -1685,6 +1697,18 @@ int main(int argc, char **argv) { } else if (strncmp(argv[i], "--netfilter=", 12) == 0) { +#ifdef HAVE_NETWORK_RESTRICTED + // compile time restricted networking + if (getuid() != 0) { + fprintf(stderr, "Error: --netfilter is only allowed for root\n"); + exit(1); + } +#endif + // run time restricted networking + if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) { + fprintf(stderr, "Error: --netfilter is only allowed for root\n"); + exit(1); + } if (checkcfg(CFG_NETWORK)) { arg_netfilter = 1; arg_netfilter_file = argv[i] + 12; -- cgit v1.2.3-70-g09d2 From 10bf7d9418fb2d5aabaa5de6ffa8638e75bcbbdd Mon Sep 17 00:00:00 2001 From: The Fox in the Shell Date: Wed, 25 May 2016 15:59:46 +0200 Subject: Document the restricted-network change --- README.md | 6 +++--- etc/firejail.config | 4 ++-- src/man/firejail-config.txt | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 4fa79d9f2..ce4aa4073 100644 --- a/README.md +++ b/README.md @@ -197,9 +197,9 @@ The following features can be enabled or disabled: restricted-network Enable or disable restricted network support, default disabled. If enabled, networking features should also be enabled (network - yes). Restricted networking grants access to --interface and - --net=ethXXX only to root user. Regular users are only allowed - --net=none. + yes). Restricted networking grants access to --interface, + --net=ethXXX and --netfilter only to root user. Regular users + are only allowed --net=none. Default disabled secomp Enable or disable seccomp support, default enabled. diff --git a/etc/firejail.config b/etc/firejail.config index 41cd08e68..fc09f1a0a 100644 --- a/etc/firejail.config +++ b/etc/firejail.config 
@@ -17,8 +17,8 @@ # Enable or disable restricted network support, default disabled. If enabled, # networking features should also be enabled (network yes). -# Restricted networking grants access to --interface and --net=ethXXX -# only to root user. Regular users are only allowed --net=none. +# Restricted networking grants access to --interface, --net=ethXXX and +# --netfilter only to root user. Regular users are only allowed --net=none. # restricted-network no # Enable or disable seccomp support, default enabled. diff --git a/src/man/firejail-config.txt b/src/man/firejail-config.txt index fcf4109ee..de89ff3eb 100644 --- a/src/man/firejail-config.txt +++ b/src/man/firejail-config.txt @@ -33,8 +33,8 @@ Enable or disable networking features, default enabled. \fBrestricted-network Enable or disable restricted network support, default disabled. If enabled, networking features should also be enabled (network yes). -Restricted networking grants access to --interface and --net=ethXXX -only to root user. Regular users are only allowed --net=none. +Restricted networking grants access to --interface, --net=ethXXX and +\-\-netfilter only to root user. Regular users are only allowed --net=none. .TP \fBsecomp -- cgit v1.2.3-70-g09d2 From 8d14f1e157f06543e6f7799a25f19367da95ed8c Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 25 May 2016 13:48:51 -0400 Subject: fixes --- Makefile.in | 3 +++ README | 5 +++++ README.md | 2 +- RELNOTES | 2 +- platform/debian/conffiles | 3 +++ src/firejail/checkcfg.c | 2 +- src/firejail/main.c | 7 ++++++- src/firejail/sandbox.c | 2 +- 8 files changed, 21 insertions(+), 5 deletions(-) diff --git a/Makefile.in b/Makefile.in index 34daed387..edcf09225 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -184,6 +184,9 @@ realinstall: install -c -m 0644 .etc/xreader.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/xviewer.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/mcabber.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/corebird.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/konversation.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/psi-plus.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" rm -fr .etc diff --git a/README b/README index dd0c5a5b1..390fbb84f 100644 --- a/README +++ b/README @@ -25,6 +25,11 @@ Reiner Herrmann - clang-analyzer fixes - Debian reproducible build - unit testing framework +KellerFuchs (https://github.com/KellerFuchs) + - nonewpriv support +ValdikSS (https://github.com/ValdikSS) + - Psi+, Corebird, Konversation profiles + - various profile fixes avoidr (https://github.com/avoidr) - whitelist fix - recently-used.xbel fix diff --git a/README.md b/README.md index 6f05a010f..4f90b6f27 100644 --- a/README.md +++ b/README.md @@ -290,6 +290,6 @@ $ man firejail-profile lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox, OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100, okular, gwenview, Gpredict, Aweather, Stellarium, Google-Play-Music-Desktop-Player, quiterss, -cyberfox, generic Ubuntu snap application profile, xplayer, xreader, xviewer, mcabber +cyberfox, generic Ubuntu snap application profile, xplayer, xreader, xviewer, mcabber, Psi+, Corebird, Konversation 
diff --git a/RELNOTES b/RELNOTES index e87cc9637..b791048e7 100644 --- a/RELNOTES +++ b/RELNOTES @@ -24,7 +24,7 @@ firejail (0.9.40) baseline; urgency=low * new profiles: okular, gwenview, Google-Play-Music-Desktop-Player * new profiles: Aweather, Stellarium, gpredict, quiterss, cyberfox * new profiles: generic Ubuntu snap application profile, xplayer - * new profiles: xreader, xviewer, mcabber + * new profiles: xreader, xviewer, mcabber, Psi+, Corebird, Konversation * generic.profile renamed default.profile * build rpm packages using "make rpms" * bugfixes diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 8cf8f165c..eff859cc5 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -98,3 +98,6 @@ /etc/firejail/xreader.profile /etc/firejail/xviewer.profile /etc/firejail/mcabber.profile +/etc/firejail/corebird.profile +/etc/firejail/konversation.profile +/etc/firejail/psi-plus.profile diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 4fdbe1897..3ea8caf5b 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -47,7 +47,7 @@ int checkcfg(int val) { FILE *fp = fopen(fname, "r"); if (!fp) { - fprintf(stderr, "Error: Firejail configuration file %s not found\n", fname); + fprintf(stderr, "Warning: Firejail configuration file %s not found\n", fname); exit(1); } diff --git a/src/firejail/main.c b/src/firejail/main.c index 2f4a78d4b..cda9e788e 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -806,7 +806,7 @@ int main(int argc, char **argv) { } } - // is this a login shell, or a command passed by sshd insert command line options from /etc/firejail/login.users + // is this a login shell, or a command passed by sshd, insert command line options from /etc/firejail/login.users if (*argv[0] == '-' || parent_sshd) { fullargc = restricted_shell(cfg.username); if (fullargc) { 
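Review bot: In the checkcfg.c hunk the message now says `Warning:` but the next line is still `exit(1)`, so the label no longer matches what the program does. Exiting looks like the right behaviour, since continuing on built-in defaults would silently drop settings such as `restricted-network` and `force-nonewprivs` when the file is missing. I would keep the text as `Error: Firejail configuration file %s not found\n`. If continuing is what is intended, the `exit(1)` has to go and a comment should state which restrictions are lost when the defaults apply.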
@@ -825,6 +825,11 @@ int main(int argc, char **argv) { check_user(argc, argv); // the function will not return if --user option was found } + + // check for force-nonewprivs in /etc/firejail/firejail.config file + if (!option_force && checkcfg(CFG_FORCE_NONEWPRIVS)) + arg_nonewprivs = 1; + // parse arguments for (i = 1; i < argc; i++) { run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 6133a610d..843c1efe5 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -750,7 +750,7 @@ int sandbox(void* sandbox_arg) { //**************************************** // Set NO_NEW_PRIVS if desired //**************************************** - if (arg_nonewprivs || checkcfg(CFG_FORCE_NONEWPRIVS)) { + if (arg_nonewprivs) { int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); if(no_new_privs != 0) -- cgit v1.2.3-70-g09d2 From 51cf1544128a69183f918661244e9104bae8cc16 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Thu, 26 May 2016 08:14:46 +1000 Subject: extra Brave files --- Makefile.in | 1 + README | 2 ++ README.md | 4 +--- RELNOTES | 1 + etc/disable-programs.inc | 1 + platform/debian/conffiles | 1 + src/firecfg/firecfg.config | 1 + 7 files changed, 8 insertions(+), 3 deletions(-) diff --git a/Makefile.in b/Makefile.in index edcf09225..6699ab732 100644 --- a/Makefile.in +++ b/Makefile.in 
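Review bot: The `!option_force` guard in front of `checkcfg(CFG_FORCE_NONEWPRIVS)` skips the administrator's setting whenever `option_force` is set, and this hunk does not show where that flag comes from. If it is derived from a user-supplied option, the user the setting is meant to constrain can turn it off. Either drop the guard or add a comment stating why it is safe, for example `// option_force: <reason the config check must be skipped here>`. main() continues outside the hunk.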
@@ -187,6 +187,7 @@ realinstall: install -c -m 0644 .etc/corebird.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/konversation.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/psi-plus.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/brave.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" rm -fr .etc diff --git a/README b/README index 390fbb84f..07f49c7d1 100644 --- a/README +++ b/README @@ -77,6 +77,8 @@ Fred-Barclay (https://github.com/Fred-Barclay) - blacklisted escape-happy terminals in disable-common.inc - blacklisted g++ - added xplayer, xreader, and xviewer profiles + - added Brave profile + - added "shutdown" filter for x86_64 arch to seccomp Petter Reinholdtsen (pere@hungry.com) - Opera profile patch n1trux (https://github.com/n1trux) diff --git a/README.md b/README.md index 4f90b6f27..8440d00a6 100644 --- a/README.md +++ b/README.md @@ -290,6 +290,4 @@ $ man firejail-profile lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox, OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100, okular, gwenview, Gpredict, Aweather, Stellarium, Google-Play-Music-Desktop-Player, quiterss, -cyberfox, generic Ubuntu snap application profile, xplayer, xreader, xviewer, mcabber, Psi+, Corebird, Konversation - - +cyberfox, generic Ubuntu snap application profile, xplayer, xreader, xviewer, mcabber, Psi+, Corebird, Konversation, Brave diff --git a/RELNOTES b/RELNOTES index b791048e7..c9201cf38 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -25,6 +25,7 @@ firejail (0.9.40) baseline; urgency=low * new profiles: Aweather, Stellarium, gpredict, quiterss, cyberfox * new profiles: generic Ubuntu snap application profile, xplayer * new profiles: xreader, xviewer, mcabber, Psi+, Corebird, Konversation + * new profiles: Brave * generic.profile renamed default.profile * build rpm packages using "make rpms" * bugfixes diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 3474a6592..633f9c548 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -51,6 +51,7 @@ blacklist ${HOME}/.config/epiphany blacklist ${HOME}/.config/slimjet blacklist ${HOME}/.config/qutebrowser blacklist ${HOME}/.8pecxstudios +blacklist ${HOME}/.config/brave # Instant Messaging blacklist ${HOME}/.config/hexchat diff --git a/platform/debian/conffiles b/platform/debian/conffiles index eff859cc5..7da95eb68 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -101,3 +101,4 @@ /etc/firejail/corebird.profile /etc/firejail/konversation.profile /etc/firejail/psi-plus.profile +/etc/firejail/brave.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index d019c3a5c..567f97c69 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -35,6 +35,7 @@ vivaldi-beta vivaldi dillo netsurf +brave # bittorrent/ftp deluge -- cgit v1.2.3-70-g09d2 From 0a502c19891d0ade26f6a7229f0d9c966d40cbf8 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Thu, 26 May 2016 08:15:17 +1000 Subject: added Brave profile --- etc/brave.profile | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 etc/brave.profile diff --git a/etc/brave.profile b/etc/brave.profile new file mode 100644 index 000000000..24a0a31c9 --- /dev/null +++ b/etc/brave.profile 
@@ -0,0 +1,18 @@ +# Profile for Brave browser + +noblacklist ~/.config/brave +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc + +caps.drop all +seccomp +protocol unix,inet,inet6,netlink +netfilter +noroot + +whitelist ${DOWNLOADS} + +mkdir ~/.config +mkdir ~/.config/brave +whitelist ~/.config/brave -- cgit v1.2.3-70-g09d2 From c59274d82fa8e16ad6842a15d9a1280660c481da Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Thu, 26 May 2016 08:16:32 +1000 Subject: nosound xreader and atril --- etc/atril.profile | 1 + etc/xreader.profile | 1 + 2 files changed, 2 insertions(+) diff --git a/etc/atril.profile b/etc/atril.profile index d1a7b25f8..91a97e826 100644 --- a/etc/atril.profile +++ b/etc/atril.profile @@ -12,3 +12,4 @@ protocol unix,inet,inet6 noroot tracelog netfilter +nosound diff --git a/etc/xreader.profile b/etc/xreader.profile index 7b72d41a6..a3871a7d3 100644 --- a/etc/xreader.profile +++ b/etc/xreader.profile @@ -14,3 +14,4 @@ protocol unix,inet,inet6 noroot tracelog netfilter +nosound -- cgit v1.2.3-70-g09d2 From 7f16261377e526bb87a29f09db9b20e49c0d910e Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 26 May 2016 09:34:19 -0400 Subject: fixes --- README | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README b/README index 07f49c7d1..ee0c65242 100644 --- a/README +++ b/README @@ -26,7 +26,8 @@ Reiner Herrmann - Debian reproducible build - unit testing framework KellerFuchs (https://github.com/KellerFuchs) - - nonewpriv support + - nonewpriv support, extended profiles for this feature + - make `restricted-network` prevent use of netfilter ValdikSS (https://github.com/ValdikSS) - Psi+, Corebird, Konversation profiles - various profile fixes -- cgit v1.2.3-70-g09d2 From 22a9d046d10614d8fa706ae09f9483fb1d42e6e7 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Fri, 27 May 2016 09:21:30 -0400 Subject: fixes for Debian wheezy --- src/firejail/sandbox.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 843c1efe5..7518477b7 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -34,6 +34,13 @@ #define CLONE_NEWUSER 0x10000000 #endif +#include +#ifndef PR_SET_NO_NEW_PRIVS +# define PR_SET_NO_NEW_PRIVS 38 +#endif + + + static int monitored_pid = 0; static void sandbox_handler(int sig){ if (!arg_quiet) { @@ -746,7 +753,7 @@ int sandbox(void* sandbox_arg) { printf("noroot user namespace installed\n"); set_caps(); } - + //**************************************** // Set NO_NEW_PRIVS if desired //**************************************** @@ -759,7 +766,6 @@ int sandbox(void* sandbox_arg) { printf("NO_NEW_PRIVS set\n"); } - //**************************************** // fork the application and monitor it //**************************************** -- cgit v1.2.3-70-g09d2 From a09353fb4a378e9897888eb9895a4d7bb15b0d16 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 27 May 2016 09:26:48 -0400 Subject: wheezy fixes --- src/firejail/sandbox.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 7518477b7..0e3d722b7 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -761,7 +761,7 @@ int sandbox(void* sandbox_arg) { int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); if(no_new_privs != 0) - errExit("NO_NEW_PRIVS"); + fprintf(stderr, "Warning: NO_NEW_PRIVS disabled, it requires a Linux kernel version 3.5 or newer.\n"); else if (arg_debug) printf("NO_NEW_PRIVS set\n"); } -- cgit v1.2.3-70-g09d2 From 429fd12cd9362f761b0c04781b664c115966fafe Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 29 May 2016 10:09:37 -0400 Subject: 0.9.40 testing --- README | 2 +- RELNOTES | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
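Review bot: In the last sandbox.c hunk (`@@ -761,7 +761,7 @@`) a failed `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)` now only prints a warning, so the sandbox starts without the restriction `arg_nonewprivs` asked for, which per the earlier main.c change can come from force-nonewprivs in firejail.config. The message blames an old kernel, but errno is never inspected, so any other failure is reported the same way and also ignored. Consider tolerating only the unsupported-option case and staying fatal otherwise: `if (errno == EINVAL) fprintf(stderr, "Warning: ..."); else errExit("NO_NEW_PRIVS");`. Where the setting is enforced by the administrator, exiting is probably the safer choice even on old kernels. sandbox() starts and ends outside the hunk.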
diff --git a/README b/README index ee0c65242..d926c8abe 100644 --- a/README +++ b/README @@ -18,7 +18,7 @@ License: GPL v2 Firejail Authors: netblue30 (netblue30@yahoo.com) -Reiner Herrmann +Reiner Herrmann (https://github.com/reinerh) - a number of build patches - man page fixes - Debian and Ubuntu integration diff --git a/RELNOTES b/RELNOTES index c9201cf38..6c6bdb526 100644 --- a/RELNOTES +++ b/RELNOTES @@ -29,7 +29,7 @@ firejail (0.9.40) baseline; urgency=low * generic.profile renamed default.profile * build rpm packages using "make rpms" * bugfixes - -- netblue30 Wed, 25 May 2016 08:00:00 -0500 + -- netblue30 Sun, 29 May 2016 08:00:00 -0500 firejail (0.9.38) baseline; urgency=low * IPv6 support (--ip6 and --netfilter6) -- cgit v1.2.3-70-g09d2 From e5f50c1dd0ef13c49f20579ae2047c255a4d6451 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 30 May 2016 09:55:03 -0400 Subject: todo --- todo | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/todo b/todo index 56cc3dc0b..cd36b5f11 100644 --- a/todo +++ b/todo 
@@ -82,3 +82,22 @@ https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/ 12. check for --chroot why .config/pulse dir is not created 13. print error line number for profile files in profile_check_line() + +14. make rpms problems +$ firejail --version +firejail version 0.9.40 +User namespace support is disabled. + +$ rpmlint firejail-0.9.40-1.x86_64.rpm +firejail.x86_64: E: no-changelogname-tag +firejail.x86_64: W: unstripped-binary-or-object /usr/lib64/firejail/libtracelog.so +firejail.x86_64: W: unstripped-binary-or-object /usr/lib64/firejail/libtrace.so +firejail.x86_64: E: missing-call-to-setgroups /usr/lib64/firejail/libtrace.so +firejail.x86_64: W: conffile-without-noreplace-flag /etc/firejail/google-play-music-desktop-player.profile +firejail.x86_64: W: conffile-without-noreplace-flag /etc/firejail/rtorrent.profi + +$ rpmlint firejail-0.9.40-1.src.rpm +firejail.src: E: no-changelogname-tag +firejail.src: W: invalid-url Source0: https://github.com/netblue30/firejail/archive/0.9.40.tar.gz#/firejail-0.9.40.tar.gz HTTP Error 404: Not Found +1 packages and 0 specfiles checked; 1 errors, 1 warnings. + -- cgit v1.2.3-70-g09d2 From d3965324d298d60c1f2ac59790e8f9b983aeb7ea Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 31 May 2016 06:51:49 -0400 Subject: 0.9.41 development starting --- README.md | 258 +---------------------------------------------------------- configure | 18 ++--- configure.ac | 2 +- 3 files changed, 11 insertions(+), 267 deletions(-) diff --git a/README.md b/README.md index b08be89c9..c61543452 100644 --- a/README.md +++ b/README.md 
@@ -34,260 +34,4 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ ````` ````` -# Current development version: 0.9.40~rc2 -Version 0.9.40-rc1 released! - -## X11 sandboxing support - -X11 support is built around Xpra (http://xpra.org/) or Xephyr. -````` - --x11 Start a new X11 server using Xpra or Xephyr and attach the sand‐ - box to this server. The regular X11 server (display 0) is not - visible in the sandbox. This prevents screenshot and keylogger - applications started in the sandbox from accessing other X11 - displays. A network namespace needs to be instantiated in order - to deny access to X11 abstract Unix domain socket. - - Firejail will try first Xpra, and if Xpra is not installed on - the system, it will try to find Xephyr. This feature is not - available when running as root. - - Example: - $ firejail --x11 --net=eth0 firefox - - --x11=xpra - Start a new X11 server using Xpra (http://xpra.org) and attach - the sandbox to this server. Xpra is a persistent remote display - server and client for forwarding X11 applications and desktop - screens. On Debian platforms Xpra is installed with the command - sudo apt-get install xpra. This feature is not available when - running as root. - - Example: - $ firejail --x11 --net=eth0 firefox - - --x11=xephyr - Start a new X11 server using Xephyr and attach the sandbox to - this server. Xephyr is a display server implementing the X11 - display server protocol. It runs in a window just like other X - applications, but it is an X server itself in which you can run - other software. The default Xephyr window size is 800x600. This - can be modified in /etc/firejail/firejail.config file, see man 5 - firejail-config for more details. - - The recommended way to use this feature is to run a window man‐ - ager inside the sandbox. A security profile for OpenBox is pro‐ - vided. On Debian platforms Xephyr is installed with the command - sudo apt-get install xserver-xephyr. 
This feature is not avail‐ - able when running as root. - - Example: - $ firejail --x11 --net=eth0 openbox -````` -More information here: https://firejail.wordpress.com/documentation-2/x11-guide/ - -## File transfers -````` -FILE TRANSFER - These features allow the user to inspect the filesystem container of an - existing sandbox and transfer files from the container to the host - filesystem. - - --get=name filename - Retrieve the container file and store it on the host in the cur‐ - rent working directory. The container is specified by name - (--name option). Full path is needed for filename. - - --get=pid filename - Retrieve the container file and store it on the host in the cur‐ - rent working directory. The container is specified by process - ID. Full path is needed for filename. - - --ls=name dir_or_filename - List container files. The container is specified by name - (--name option). Full path is needed for dir_or_filename. - - --ls=pid dir_or_filename - List container files. The container is specified by process ID. - Full path is needed for dir_or_filename. - - Examples: - - $ firejail --name=mybrowser --private firefox - - $ firejail --ls=mybrowser ~/Downloads - drwxr-xr-x netblue netblue 4096 . - drwxr-xr-x netblue netblue 4096 .. - -rw-r--r-- netblue netblue 7847 x11-x305.png - -rw-r--r-- netblue netblue 6800 x11-x642.png - -rw-r--r-- netblue netblue 34139 xpra-clipboard.png - - $ firejail --get=mybrowser ~/Downloads/xpra-clipboard.png -````` - -## Firecfg -````` -NAME - Firecfg - Desktop configuration program for Firejail software. - -SYNOPSIS - firecfg [OPTIONS] - -DESCRIPTION - Firecfg is the desktop configuration utility for Firejail software. The - utility creates several symbolic links to firejail executable. This - allows the user to sandbox applications automatically, just by clicking - on a regular desktop menus and icons. - - The symbolic links are placed in /usr/local/bin. 
For more information, - see DESKTOP INTEGRATION section in man 1 firejail. - -OPTIONS - --clean - Remove all firejail symbolic links - - -?, --help - Print options end exit. - - --list List all firejail symbolic links - - --version - Print program version and exit. - - Example: - - $ sudo firecfg - /usr/local/bin/firefox created - /usr/local/bin/vlc created - [...] - $ firecfg --list - /usr/local/bin/firefox - /usr/local/bin/vlc - [...] - $ sudo firecfg --clean - /usr/local/bin/firefox removed - /usr/local/bin/vlc removed - [...] -````` - - -## Compile time and run time configuration support - -Most Linux kernel security features require root privileges during configuration. -The same is true for kernel networking features. Firejail (SUID binary) opens the -access to these features to regular users. The privilege escalation is restricted -to the sandbox being configured, and is not extended to the rest of the system. -This arrangement works fine for user desktops or servers where the access is already limited. - -If you not happy with a particular feature, all the support can be eliminated from SUID binary at compile time, -or at run time by editing /etc/firejail/firejail.config file. - -The following features can be enabled or disabled: -````` - bind Enable or disable bind support, default enabled. - - chroot Enable or disable chroot support, default enabled. - - file-transfer - Enable or disable file transfer support, default enabled. - - network - Enable or disable networking features, default enabled. - - restricted-network - Enable or disable restricted network support, default disabled. - If enabled, networking features should also be enabled (network - yes). Restricted networking grants access to --interface, - --net=ethXXX and --netfilter only to root user. Regular users - are only allowed --net=none. Default disabled - - secomp Enable or disable seccomp support, default enabled. - - userns Enable or disable user namespace support, default enabled. 
- - x11 Enable or disable X11 sandboxing support, default enabled. - - force-nonewprivs - Force use of theh NO_NEW_PRIVS prctl(2) flag. - This mitigates the possibility of a user abusing firejail's - features to trick a privileged (suid or file capabilities) - process into loading code or configuration that is partially - under their control. Default disabled - - xephyr-screen - Screen size for --x11=xephyr, default 800x600. Run - /usr/bin/xrandr for a full list of resolutions available on your - specific setup. Examples: - - xephyr-screen 640x480 - xephyr-screen 800x600 - xephyr-screen 1024x768 - xephyr-screen 1280x1024 -````` - -## Default seccomp filter update - -Currently 50 syscalls are blacklisted by default, out of a total of 318 calls (AMD64, Debian Jessie). - -## STUN/WebRTC disabled in default netfilter configuration - -The current netfilter configuration (--netfilter option) looks like this: -````` - *filter - :INPUT DROP [0:0] - :FORWARD DROP [0:0] - :OUTPUT ACCEPT [0:0] - -A INPUT -i lo -j ACCEPT - -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT - # allow ping - -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT - -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT - -A INPUT -p icmp --icmp-type echo-request -j ACCEPT - # drop STUN (WebRTC) requests - -A OUTPUT -p udp --dport 3478 -j DROP - -A OUTPUT -p udp --dport 3479 -j DROP - -A OUTPUT -p tcp --dport 3478 -j DROP - -A OUTPUT -p tcp --dport 3479 -j DROP - COMMIT -````` - -The filter is loaded by default for Firefox if a network namespace is configured: -````` -$ firejail --net=eth0 firefox -````` - -## Set sandbox nice value -````` - --nice=value - Set nice value for all processes running inside the sandbox. - - Example: - $ firejail --nice=-5 firefox -````` - -## mkdir - -````` -$ man firejail-profile -[...] - mkdir directory - Create a directory in user home. Use this command for - whitelisted directories you need to preserve when the sandbox is - closed. 
Subdirectories also need to be created using mkdir. - Example from firefox profile: - - mkdir ~/.mozilla - whitelist ~/.mozilla - mkdir ~/.cache - mkdir ~/.cache/mozilla - mkdir ~/.cache/mozilla/firefox - whitelist ~/.cache/mozilla/firefox - -[...] -````` - -## New security profiles -lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox, -OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf, -Warzone2100, okular, gwenview, Gpredict, Aweather, Stellarium, Google-Play-Music-Desktop-Player, quiterss, -cyberfox, generic Ubuntu snap application profile, xplayer, xreader, xviewer, mcabber, Psi+, Corebird, Konversation, Brave +# Current development version: 0.9.41 diff --git a/configure b/configure index 946fb99bc..66b1663f9 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for firejail 0.9.40. +# Generated by GNU Autoconf 2.69 for firejail 0.9.41. # # Report bugs to . # @@ -580,8 +580,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='firejail' PACKAGE_TARNAME='firejail' -PACKAGE_VERSION='0.9.40' -PACKAGE_STRING='firejail 0.9.40' +PACKAGE_VERSION='0.9.41' +PACKAGE_STRING='firejail 0.9.41' PACKAGE_BUGREPORT='netblue30@yahoo.com' PACKAGE_URL='http://firejail.wordpress.com' @@ -1246,7 +1246,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures firejail 0.9.40 to adapt to many kinds of systems. +\`configure' configures firejail 0.9.41 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... 
@@ -1307,7 +1307,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of firejail 0.9.40:";; + short | recursive ) echo "Configuration of firejail 0.9.41:";; esac cat <<\_ACEOF @@ -1403,7 +1403,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -firejail configure 0.9.40 +firejail configure 0.9.41 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1705,7 +1705,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by firejail $as_me 0.9.40, which was +It was created by firejail $as_me 0.9.41, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4184,7 +4184,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by firejail $as_me 0.9.40, which was +This file was extended by firejail $as_me 0.9.41, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -4238,7 +4238,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -firejail config.status 0.9.40 +firejail config.status 0.9.41 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index 47048046b..ef6a11af5 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ([2.68]) -AC_INIT(firejail, 0.9.40, netblue30@yahoo.com, , http://firejail.wordpress.com) +AC_INIT(firejail, 0.9.41, netblue30@yahoo.com, , http://firejail.wordpress.com) AC_CONFIG_SRCDIR([src/firejail/main.c]) #AC_CONFIG_HEADERS([config.h]) -- cgit v1.2.3-70-g09d2 
From a81568d4f03a12817ab2b0ad6d52159eb5a9eb10 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 31 May 2016 18:30:31 -0400 Subject: fixed --net and --overlay problem --- src/firejail/fs.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 4dff6fce8..cfb724696 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -966,6 +966,19 @@ void fs_overlayfs(void) { errExit("mounting /run"); fs_logger("whitelist /run"); + // mount-bind /tmp/.X11-unix directory + if (arg_debug) + printf("Mounting /tmp/.X11-unix\n"); + char *x11; + if (asprintf(&x11, "%s/tmp/.X11-unix", oroot) == -1) + errExit("asprintf"); + if (mount("/tmp/.X11-unix", x11, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mounting /tmp/.X11-unix"); + fs_logger("whitelist /tmp/.X11-unix"); + + + + // chroot in the new filesystem if (chroot(oroot) == -1) errExit("chroot"); -- cgit v1.2.3-70-g09d2 From 58df5c0605ba63fb435836cde9f8614c968fe648 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 31 May 2016 20:55:14 -0400 Subject: fix --quiet --- src/firejail/main.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/src/firejail/main.c b/src/firejail/main.c index 955bd36bf..607637802 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -710,6 +710,20 @@ int main(int argc, char **argv) { if (*argv[0] != '-') run_symlink(argc, argv); + // detect --quiet + for (i = 1; i < argc; i++) { + if (strcmp(argv[i], "--quiet") == 0) { + arg_quiet = 1; + break; + } + + // detect end of firejail params + if (strcmp(argv[i], "--") == 0) + break; + if (strncmp(argv[i], "--", 2) != 0) + break; + } + // check if we already have a sandbox running EUID_ROOT(); int rv = check_kernel_procs(); @@ -752,6 +766,8 @@ int main(int argc, char **argv) { found = 1; break; } + + // detect end of firejail params if (strcmp(argv[i], "--") == 0) break; if (strncmp(argv[i], "--", 2) != 0) -- cgit v1.2.3-70-g09d2 
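Review bot: The bind mount added to fs_overlayfs() is unconditional: if `/tmp/.X11-unix` does not exist on the host (no X server) or under `oroot`, `mount()` fails and `errExit("mounting /tmp/.X11-unix")` aborts every overlay sandbox. Guard it with `struct stat s; if (stat("/tmp/.X11-unix", &s) == 0 && S_ISDIR(s.st_mode)) { ... }` and skip the mount otherwise. The mount also exposes the host's X11 sockets inside every overlay sandbox. Whether it should be skipped when X11 sandboxing was requested cannot be judged from this hunk, so a comment stating the intent would help. `x11` returned by `asprintf` is never released; add `free(x11);` after the mount. fs_overlayfs() begins and ends outside the hunk.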
From 3597df9bc04fe4ab6eb891d267b0a08121416018 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Tue, 31 May 2016 21:40:55 -0400 Subject: merged Various #542 pull request from Fred-Barclay --- Makefile.in | 1 + README | 3 +- README.md | 4 + RELNOTES | 7 +- etc/0ad.profile | 6 +- etc/Mathematica.profile | 2 +- etc/abrowser.profile | 13 ++- etc/atril.profile | 8 +- etc/audacious.profile | 4 +- etc/bitlbee.profile | 6 +- etc/brave.profile | 5 +- etc/cherrytree.profile | 9 +- etc/clementine.profile | 4 +- etc/cmus.profile | 4 +- etc/conkeror.profile | 4 +- etc/corebird.profile | 4 +- etc/cyberfox.profile | 13 ++- etc/deadbeef.profile | 4 +- etc/default.profile | 5 +- etc/deluge.profile | 4 +- etc/dillo.profile | 9 +- etc/disable-programs.inc | 1 + etc/dnsmasq.profile | 7 +- etc/dropbox.profile | 4 +- etc/empathy.profile | 4 +- etc/epiphany.profile | 5 +- etc/evince.profile | 4 +- etc/fbreader.profile | 4 +- etc/filezilla.profile | 6 +- etc/firefox.profile | 14 ++- etc/flashpeak-slimjet.profile | 4 +- etc/gitter.profile | 13 +++ etc/gnome-mplayer.profile | 4 +- etc/google-play-music-desktop-player.profile | 4 +- etc/gwenview.profile | 6 +- etc/hexchat.profile | 4 +- etc/kmail.profile | 4 +- etc/konversation.profile | 4 +- etc/lxterminal.profile | 4 +- etc/mcabber.profile | 4 +- etc/midori.profile | 4 +- etc/mupen64plus.profile | 4 +- etc/netsurf.profile | 9 +- etc/okular.profile | 8 +- etc/openbox.profile | 5 +- etc/palemoon.profile | 12 +-- etc/parole.profile | 4 +- etc/pidgin.profile | 4 +- etc/polari.profile | 7 +- etc/psi-plus.profile | 4 +- etc/qbittorrent.profile | 4 +- etc/qtox.profile | 4 +- etc/quassel.profile | 4 +- etc/quiterss.profile | 13 +-- etc/qutebrowser.profile | 6 +- etc/rhythmbox.profile | 6 +- etc/rtorrent.profile | 4 +- etc/seamonkey.profile | 13 ++- etc/skype.profile | 2 +- etc/spotify.profile | 9 +- etc/ssh.profile | 4 +- etc/steam.profile | 2 +- etc/telegram.profile | 6 +- etc/totem.profile | 4 +- etc/transmission-gtk.profile | 6 +- etc/transmission-qt.profile | 6 +- etc/uget-gtk.profile | 4 +- etc/vlc.profile | 6 +- 
etc/weechat.profile | 5 +- etc/wesnoth.profile | 4 +- etc/xchat.profile | 4 +- etc/xplayer.profile | 6 +- etc/xreader.profile | 8 +- etc/xviewer.profile | 6 +- platform/debian/conffiles | 1 + src/firecfg/firecfg.config | 128 ++++++++++++++++----------- 76 files changed, 293 insertions(+), 252 deletions(-) create mode 100644 etc/gitter.profile diff --git a/Makefile.in b/Makefile.in index 6699ab732..ea6299b3e 100644 --- a/Makefile.in +++ b/Makefile.in @@ -188,6 +188,7 @@ realinstall: install -c -m 0644 .etc/konversation.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/psi-plus.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/brave.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/gitter.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" rm -fr .etc diff --git a/README b/README index d926c8abe..437703b9b 100644 --- a/README +++ b/README @@ -79,7 +79,8 @@ Fred-Barclay (https://github.com/Fred-Barclay) - blacklisted g++ - added xplayer, xreader, and xviewer profiles - added Brave profile - - added "shutdown" filter for x86_64 arch to seccomp + - added Gitter profile + - various organising Petter Reinholdtsen (pere@hungry.com) - Opera profile patch n1trux (https://github.com/n1trux) diff --git a/README.md b/README.md index c61543452..543565fe4 100644 --- a/README.md +++ b/README.md @@ -35,3 +35,7 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ ````` # Current development version: 0.9.41 + +## New security profiles + +Gitter diff --git a/RELNOTES b/RELNOTES index 6c6bdb526..db3828354 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -1,3 +1,8 @@ +firejail (0.9.41) baseline; urgency=low + * work in progress... + * new profiles: Gitter + -- netblue30 Tue, 31 May 2016 08:00:00 -0500 + firejail (0.9.40) baseline; urgency=low * added --nice option * added --x11 option @@ -25,7 +30,7 @@ firejail (0.9.40) baseline; urgency=low * new profiles: Aweather, Stellarium, gpredict, quiterss, cyberfox * new profiles: generic Ubuntu snap application profile, xplayer * new profiles: xreader, xviewer, mcabber, Psi+, Corebird, Konversation - * new profiles: Brave + * new profiles: Brave, Gitter * generic.profile renamed default.profile * build rpm packages using "make rpms" * bugfixes diff --git a/etc/0ad.profile b/etc/0ad.profile index e6540fb5d..3797ae5cd 100644 --- a/etc/0ad.profile +++ b/etc/0ad.profile @@ -7,12 +7,12 @@ include /etc/firejail/disable-programs.inc # Call these options caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter -tracelog noroot nonewprivs +protocol unix,inet,inet6,netlink +seccomp +tracelog # Whitelists noblacklist ~/.cache/0ad diff --git a/etc/Mathematica.profile b/etc/Mathematica.profile index 75dbebcf0..e719f070f 100644 --- a/etc/Mathematica.profile +++ b/etc/Mathematica.profile @@ -15,6 +15,6 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp nonewprivs noroot +seccomp diff --git a/etc/abrowser.profile b/etc/abrowser.profile index 6a06ce76b..65247e7d3 100644 --- a/etc/abrowser.profile +++ b/etc/abrowser.profile @@ -7,12 +7,12 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter -tracelog nonewprivs noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog whitelist ${DOWNLOADS} mkdir ~/.mozilla 
@@ -41,13 +41,12 @@ whitelist ~/.config/lastpass #silverlight -whitelist ~/.wine-pipelight -whitelist ~/.wine-pipelight64 -whitelist ~/.config/pipelight-widevine +whitelist ~/.wine-pipelight +whitelist ~/.wine-pipelight64 +whitelist ~/.config/pipelight-widevine whitelist ~/.config/pipelight-silverlight5.1 include /etc/firejail/whitelist-common.inc # experimental features #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse - diff --git a/etc/atril.profile b/etc/atril.profile index b55f99cdd..8ee7da173 100644 --- a/etc/atril.profile +++ b/etc/atril.profile @@ -7,10 +7,10 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 +netfilter nonewprivs noroot -tracelog -netfilter nosound +protocol unix,inet,inet6 +seccomp +tracelog diff --git a/etc/audacious.profile b/etc/audacious.profile index 0a1598dee..e5275213c 100644 --- a/etc/audacious.profile +++ b/etc/audacious.profile @@ -5,7 +5,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 nonewprivs noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile index b7ccd132e..e63802c8a 100644 --- a/etc/bitlbee.profile +++ b/etc/bitlbee.profile @@ -4,9 +4,9 @@ noblacklist /usr/sbin include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc -protocol unix,inet,inet6 +netfilter +nonewprivs private private-dev +protocol unix,inet,inet6 seccomp -netfilter -nonewprivs diff --git a/etc/brave.profile b/etc/brave.profile index 24a0a31c9..4c42e9faa 100644 --- a/etc/brave.profile +++ b/etc/brave.profile 
@@ -6,10 +6,11 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter +nonewprivs noroot +protocol unix,inet,inet6,netlink +seccomp whitelist ${DOWNLOADS} diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index b3a34fc9a..bc6fe1d86 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile @@ -15,11 +15,12 @@ mkdir ~/.local/share whitelist ${HOME}/.local/share/ caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter -tracelog nonewprivs noroot -include /etc/firejail/whitelist-common.inc nosound +seccomp +protocol unix,inet,inet6,netlink +tracelog + +include /etc/firejail/whitelist-common.inc diff --git a/etc/clementine.profile b/etc/clementine.profile index fb9dca2a9..5ce085358 100644 --- a/etc/clementine.profile +++ b/etc/clementine.profile @@ -5,7 +5,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 nonewprivs noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/cmus.profile b/etc/cmus.profile index 16b9c112d..2e2a6940c 100644 --- a/etc/cmus.profile +++ b/etc/cmus.profile @@ -7,11 +7,11 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot +protocol unix,inet,inet6 +seccomp private-bin cmus private-etc group diff --git a/etc/conkeror.profile b/etc/conkeror.profile index 0a7966e4b..e82eeec4c 100644 --- a/etc/conkeror.profile +++ b/etc/conkeror.profile @@ -4,11 +4,11 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot +protocol unix,inet,inet6 +seccomp whitelist ~/.conkeror.mozdev.org whitelist ~/Downloads diff --git a/etc/corebird.profile b/etc/corebird.profile index f3f73a44f..077ae30d0 100644 --- a/etc/corebird.profile 
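Review bot: In etc/cherrytree.profile the reordered option block ends with `seccomp` before `protocol unix,inet,inet6,netlink`, while the other profiles touched by this commit put `protocol` before `seccomp`. The etc/konversation.profile hunk has the same slip. Nothing on the page suggests the order changes behaviour, but a uniform order is what makes a missing hardening option easy to spot when profiles are compared side by side. I would swap the two lines so both files read `protocol …` followed by `seccomp`.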
+++ b/etc/corebird.profile @@ -6,7 +6,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile index c5fb25e9a..0035b6be6 100644 --- a/etc/cyberfox.profile +++ b/etc/cyberfox.profile @@ -7,12 +7,12 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter -tracelog nonewprivs noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog whitelist ${DOWNLOADS} mkdir ~/.8pecxstudios @@ -41,13 +41,12 @@ whitelist ~/.config/lastpass #silverlight -whitelist ~/.wine-pipelight -whitelist ~/.wine-pipelight64 -whitelist ~/.config/pipelight-widevine +whitelist ~/.wine-pipelight +whitelist ~/.wine-pipelight64 +whitelist ~/.config/pipelight-widevine whitelist ~/.config/pipelight-silverlight5.1 include /etc/firejail/whitelist-common.inc # experimental features #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse - diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile index 9225ca16e..04abd0a92 100644 --- a/etc/deadbeef.profile +++ b/etc/deadbeef.profile @@ -7,7 +7,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 nonewprivs noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/default.profile b/etc/default.profile index d836a9f5d..a2de72695 100644 --- a/etc/default.profile +++ b/etc/default.profile @@ -8,9 +8,8 @@ include /etc/firejail/disable-passwdmgr.inc #blacklist ${HOME}/.wine caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot - +protocol unix,inet,inet6 +seccomp diff --git a/etc/deluge.profile b/etc/deluge.profile index f7a2b98e4..277ecc15e 100644 --- a/etc/deluge.profile 
+++ b/etc/deluge.profile @@ -6,9 +6,9 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot nosound +protocol unix,inet,inet6 +seccomp diff --git a/etc/dillo.profile b/etc/dillo.profile index 392000ade..2ddd363cb 100644 --- a/etc/dillo.profile +++ b/etc/dillo.profile @@ -7,12 +7,12 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter -tracelog nonewprivs noroot +protocol unix,inet,inet6 +seccomp +tracelog whitelist ${DOWNLOADS} mkdir ~/.dillo @@ -21,6 +21,3 @@ mkdir ~/.fltk whitelist ~/.fltk include /etc/firejail/whitelist-common.inc - - - diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 633f9c548..1f86a0ebe 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -65,6 +65,7 @@ blacklist ${HOME}/.config/xchat blacklist ${HOME}/.Skype blacklist ${HOME}/.config/tox blacklist ${HOME}/.TelegramDesktop +blacklist ${HOME}/.config/Gitter # Games blacklist ${HOME}/.hedgewars diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile index 4459c40dd..6b199c34b 100644 --- a/etc/dnsmasq.profile +++ b/etc/dnsmasq.profile @@ -5,10 +5,11 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-devel.inc + caps -seccomp -protocol unix,inet,inet6,netlink netfilter +nonewprivs private private-dev -nonewprivs +protocol unix,inet,inet6,netlink +seccomp diff --git a/etc/dropbox.profile b/etc/dropbox.profile index 568ab230a..2427c6af8 100644 --- a/etc/dropbox.profile +++ b/etc/dropbox.profile @@ -4,7 +4,7 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc caps -seccomp -protocol unix,inet,inet6 nonewprivs noroot +protocol unix,inet,inet6 +seccomp 
diff --git a/etc/empathy.profile b/etc/empathy.profile index c08398e84..371100814 100644 --- a/etc/empathy.profile +++ b/etc/empathy.profile @@ -4,7 +4,7 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs +protocol unix,inet,inet6 +seccomp diff --git a/etc/epiphany.profile b/etc/epiphany.profile index 7783a05fd..57191429a 100644 --- a/etc/epiphany.profile +++ b/etc/epiphany.profile @@ -19,8 +19,9 @@ mkdir ${HOME}/.cache mkdir ${HOME}/.cache/epiphany whitelist ${HOME}/.cache/epiphany include /etc/firejail/whitelist-common.inc + caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs +protocol unix,inet,inet6 +seccomp diff --git a/etc/evince.profile b/etc/evince.profile index 3c883d43c..8c84a1daa 100644 --- a/etc/evince.profile +++ b/etc/evince.profile @@ -5,8 +5,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 nonewprivs noroot nosound +protocol unix,inet,inet6 +seccomp diff --git a/etc/fbreader.profile b/etc/fbreader.profile index 7764a48c9..c4d84691c 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile @@ -7,9 +7,9 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot nosound +protocol unix,inet,inet6 +seccomp diff --git a/etc/filezilla.profile b/etc/filezilla.profile index 1ab08b568..3cb4890e2 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile @@ -7,9 +7,9 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6 +netfilter nonewprivs noroot -netfilter nosound +protocol unix,inet,inet6 +seccomp diff --git a/etc/firefox.profile b/etc/firefox.profile index 6796ef7c4..2cc4d3cd8 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile 
@@ -7,12 +7,12 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter -tracelog nonewprivs noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog whitelist ${DOWNLOADS} mkdir ~/.mozilla @@ -41,14 +41,12 @@ whitelist ~/.config/lastpass #silverlight -whitelist ~/.wine-pipelight -whitelist ~/.wine-pipelight64 -whitelist ~/.config/pipelight-widevine +whitelist ~/.wine-pipelight +whitelist ~/.wine-pipelight64 +whitelist ~/.config/pipelight-widevine whitelist ~/.config/pipelight-silverlight5.1 include /etc/firejail/whitelist-common.inc # experimental features #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse - - diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile index 77a95aa17..f248c385a 100644 --- a/etc/flashpeak-slimjet.profile +++ b/etc/flashpeak-slimjet.profile @@ -15,11 +15,11 @@ include /etc/firejail/disable-programs.inc # caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter nonewprivs noroot +protocol unix,inet,inet6,netlink +seccomp whitelist ${DOWNLOADS} mkdir ~/.config diff --git a/etc/gitter.profile b/etc/gitter.profile new file mode 100644 index 000000000..0c2bd1353 --- /dev/null +++ b/etc/gitter.profile @@ -0,0 +1,13 @@ +# Firejail profile for Gitter +noblacklist ~/.config/Gitter + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc + +caps.drop all +netfilter +noroot +protocol unix,inet,inet6,netlink +seccomp diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile index 010b19613..f15778534 100644 --- a/etc/gnome-mplayer.profile +++ b/etc/gnome-mplayer.profile 
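Review bot: The new etc/gitter.profile has no `nonewprivs` line, although most application profiles reordered in this commit carry it next to `noroot`, and etc/brave.profile gains it in this very change. Without it the profile relies on `caps.drop all`, `noroot` and `seccomp` alone to stop the sandboxed process from gaining privileges through setuid binaries. If Gitter runs with it, add `nonewprivs` between `netfilter` and `noroot`. If it is left out on purpose, a comment such as `# nonewprivs omitted: <reason>` would record why.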
@@ -5,7 +5,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 nonewprivs noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile index fe2f79901..b4cf8d9ac 100644 --- a/etc/google-play-music-desktop-player.profile +++ b/etc/google-play-music-desktop-player.profile @@ -7,11 +7,11 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6,netlink nonewprivs noroot netfilter +protocol unix,inet,inet6,netlink +seccomp #whitelist ~/.pulse #whitelist ~/.config/pulse diff --git a/etc/gwenview.profile b/etc/gwenview.profile index 87523d825..65cc084e6 100644 --- a/etc/gwenview.profile +++ b/etc/gwenview.profile @@ -5,16 +5,16 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc + caps.drop all -seccomp -protocol unix nonewprivs noroot nogroups private-dev +protocol unix +seccomp #Experimental: #shell none #private-bin gwenview #private-etc X11 - diff --git a/etc/hexchat.profile b/etc/hexchat.profile index 3eb350660..a584d25c5 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile @@ -7,11 +7,11 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6 nonewprivs noroot netfilter +protocol unix,inet,inet6 +seccomp mkdir ~/.config mkdir ~/.config/hexchat diff --git a/etc/kmail.profile b/etc/kmail.profile index a47945bc6..44a53e258 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile @@ -7,9 +7,9 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter nonewprivs noroot +protocol unix,inet,inet6,netlink +seccomp tracelog 
diff --git a/etc/konversation.profile b/etc/konversation.profile index d10decb8f..190061618 100644 --- a/etc/konversation.profile +++ b/etc/konversation.profile @@ -6,7 +6,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter noroot +seccomp +protocol unix,inet,inet6 diff --git a/etc/lxterminal.profile b/etc/lxterminal.profile index b6acf2587..d1d0b8a0d 100644 --- a/etc/lxterminal.profile +++ b/etc/lxterminal.profile @@ -5,7 +5,7 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter +protocol unix,inet,inet6 +seccomp #noroot - somehow this breaks on Debian Jessie! diff --git a/etc/mcabber.profile b/etc/mcabber.profile index 1536194b2..6b236a9a7 100644 --- a/etc/mcabber.profile +++ b/etc/mcabber.profile @@ -8,11 +8,11 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol inet,inet6 netfilter nonewprivs noroot +protocol inet,inet6 +seccomp private-bin mcabber private-etc null diff --git a/etc/midori.profile b/etc/midori.profile index 568687058..c4055fa83 100644 --- a/etc/midori.profile +++ b/etc/midori.profile @@ -5,8 +5,8 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile index c9a99bede..d4b442df8 100644 --- a/etc/mupen64plus.profile +++ b/etc/mupen64plus.profile @@ -16,8 +16,8 @@ mkdir ${HOME}/.config mkdir ${HOME}/.config/mupen64plus whitelist ${HOME}/.config/mupen64plus/ +caps.drop all +net none nonewprivs noroot -caps.drop all seccomp -net none diff --git a/etc/netsurf.profile b/etc/netsurf.profile index e01cace7f..3de6be238 100644 --- a/etc/netsurf.profile +++ b/etc/netsurf.profile 
@@ -7,12 +7,12 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter -tracelog nonewprivs noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog whitelist ${DOWNLOADS} mkdir ~/.config @@ -30,6 +30,3 @@ whitelist ~/.lastpass whitelist ~/.config/lastpass include /etc/firejail/whitelist-common.inc - - - diff --git a/etc/okular.profile b/etc/okular.profile index 5179da787..b1efc4753 100644 --- a/etc/okular.profile +++ b/etc/okular.profile @@ -6,17 +6,17 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc + caps.drop all -seccomp -protocol unix nonewprivs -noroot nogroups +noroot private-dev +protocol unix +seccomp #Experimental: #net none #shell none #private-bin okular,kbuildsycoca4,kbuildsycoca5 #private-etc X11 - diff --git a/etc/openbox.profile b/etc/openbox.profile index 6e2e5d6fd..f812768a1 100644 --- a/etc/openbox.profile +++ b/etc/openbox.profile @@ -5,8 +5,7 @@ include /etc/firejail/disable-common.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter noroot - +protocol unix,inet,inet6 +seccomp diff --git a/etc/palemoon.profile b/etc/palemoon.profile index 4db9b7adc..a74954ddb 100644 --- a/etc/palemoon.profile +++ b/etc/palemoon.profile @@ -12,12 +12,12 @@ include /etc/firejail/whitelist-common.inc # Options caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter -tracelog nonewprivs noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog whitelist ${DOWNLOADS} mkdir ~/.moonchild productions 
@@ -41,9 +41,9 @@ whitelist ~/.cache/moonchild productions/pale moon #whitelist ~/.pki # For silverlight -#whitelist ~/.wine-pipelight -#whitelist ~/.wine-pipelight64 -#whitelist ~/.config/pipelight-widevine +#whitelist ~/.wine-pipelight +#whitelist ~/.wine-pipelight64 +#whitelist ~/.config/pipelight-widevine #whitelist ~/.config/pipelight-silverlight5.1 diff --git a/etc/parole.profile b/etc/parole.profile index c0be0453b..1440a9ef7 100644 --- a/etc/parole.profile +++ b/etc/parole.profile @@ -8,9 +8,9 @@ private-etc passwd,group,fonts private-bin parole,dbus-launch caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot +protocol unix,inet,inet6 +seccomp shell none diff --git a/etc/pidgin.profile b/etc/pidgin.profile index 767da5f55..091456d76 100644 --- a/etc/pidgin.profile +++ b/etc/pidgin.profile @@ -6,7 +6,7 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6 nonewprivs noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/polari.profile b/etc/polari.profile index 7910f4e9b..366883c83 100644 --- a/etc/polari.profile +++ b/etc/polari.profile @@ -22,9 +22,8 @@ whitelist ${HOME}/.purple include /etc/firejail/whitelist-common.inc caps.drop all -seccomp -protocol unix,inet,inet6 +netfilter nonewprivs noroot -netfilter - +protocol unix,inet,inet6 +seccomp diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile index 8194da74f..9380237be 100644 --- a/etc/psi-plus.profile +++ b/etc/psi-plus.profile @@ -21,7 +21,7 @@ whitelist ~/.cache/psi+ include /etc/firejail/whitelist-common.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index 858fdda4d..cbf898502 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile 
@@ -5,9 +5,9 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot nosound +protocol unix,inet,inet6 +seccomp diff --git a/etc/qtox.profile b/etc/qtox.profile index ca34e932a..3a19efa3a 100644 --- a/etc/qtox.profile +++ b/etc/qtox.profile @@ -10,7 +10,7 @@ whitelist ${DOWNLOADS} include /etc/firejail/whitelist-common.inc caps.drop all -seccomp -protocol unix,inet,inet6 nonewprivs noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/quassel.profile b/etc/quassel.profile index e68315c1c..f92dfeb9f 100644 --- a/etc/quassel.profile +++ b/etc/quassel.profile @@ -4,8 +4,8 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6 nonewprivs noroot netfilter +protocol unix,inet,inet6 +seccomp diff --git a/etc/quiterss.profile b/etc/quiterss.profile index 5ad7ead1a..3e5dde36e 100644 --- a/etc/quiterss.profile +++ b/etc/quiterss.profile @@ -16,15 +16,16 @@ mkdir ~/.cache/QuiteRss whitelist ${HOME}/.cache/QuiteRss caps.drop all -seccomp -protocol unix,inet,inet6 netfilter -tracelog nonewprivs -noroot nogroups -shell none -private-dev +noroot private-bin quiterss +private-dev #private-etc X11,ssl +protocol unix,inet,inet6 +seccomp +shell none +tracelog + include /etc/firejail/whitelist-common.inc diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile index 09d10b0bb..b590f0ef1 100644 --- a/etc/qutebrowser.profile +++ b/etc/qutebrowser.profile @@ -7,12 +7,12 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter -tracelog nonewprivs noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog whitelist ${DOWNLOADS} mkdir ~/.config/qutebrowser diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index ee0832863..0782a653d 100644 --- a/etc/rhythmbox.profile 
+++ b/etc/rhythmbox.profile @@ -5,8 +5,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 +netfilter nonewprivs noroot -netfilter +protocol unix,inet,inet6 +seccomp diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index 9ae2206c1..0be5e15d1 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile @@ -5,9 +5,9 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot nosound +protocol unix,inet,inet6 +seccomp diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile index 886af0f67..9ce4164c1 100644 --- a/etc/seamonkey.profile +++ b/etc/seamonkey.profile @@ -6,12 +6,12 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter -tracelog nonewprivs noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog whitelist ${DOWNLOADS} mkdir ~/.mozilla @@ -42,11 +42,10 @@ whitelist ~/.lastpass whitelist ~/.config/lastpass #silverlight -whitelist ~/.wine-pipelight -whitelist ~/.wine-pipelight64 -whitelist ~/.config/pipelight-widevine +whitelist ~/.wine-pipelight +whitelist ~/.wine-pipelight64 +whitelist ~/.config/pipelight-widevine whitelist ~/.config/pipelight-silverlight5.1 # experimental features #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse - diff --git a/etc/skype.profile b/etc/skype.profile index 4c4a34980..9cbcd5117 100644 --- a/etc/skype.profile +++ b/etc/skype.profile @@ -8,5 +8,5 @@ caps.drop all netfilter nonewprivs noroot -seccomp protocol unix,inet,inet6 +seccomp diff --git a/etc/spotify.profile b/etc/spotify.profile index 1ee379dea..9ba25b818 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile 
@@ -7,8 +7,8 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc -# Whitelist the folders needed by Spotify - This is more restrictive -# than a blacklist though, but this is all spotify requires for +# Whitelist the folders needed by Spotify - This is more restrictive +# than a blacklist though, but this is all spotify requires for # streaming audio mkdir ${HOME}/.config mkdir ${HOME}/.config/spotify @@ -23,9 +23,8 @@ whitelist ${HOME}/.cache/spotify include /etc/firejail/whitelist-common.inc caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter nonewprivs noroot - +protocol unix,inet,inet6,netlink +seccomp diff --git a/etc/ssh.profile b/etc/ssh.profile index 0c4621f66..a6d52c5a5 100644 --- a/etc/ssh.profile +++ b/etc/ssh.profile @@ -6,8 +6,8 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/steam.profile b/etc/steam.profile index ae5e93829..b15a54be9 100644 --- a/etc/steam.profile +++ b/etc/steam.profile @@ -10,5 +10,5 @@ caps.drop all netfilter nonewprivs noroot -seccomp protocol unix,inet,inet6 +seccomp diff --git a/etc/telegram.profile b/etc/telegram.profile index 62a0fa404..819cd8f3a 100644 --- a/etc/telegram.profile +++ b/etc/telegram.profile @@ -5,11 +5,11 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6 +netfilter nonewprivs noroot -netfilter +protocol unix,inet,inet6 +seccomp whitelist ~/Downloads/Telegram Desktop mkdir ${HOME}/.TelegramDesktop diff --git a/etc/totem.profile b/etc/totem.profile index f2bce5dee..252b46979 100644 --- a/etc/totem.profile +++ b/etc/totem.profile 
@@ -8,8 +8,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 nonewprivs noroot netfilter +protocol unix,inet,inet6 +seccomp diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index e27873f88..5aef32d45 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile @@ -8,10 +8,10 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot -tracelog nosound +protocol unix,inet,inet6 +seccomp +tracelog diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index 2caa923d8..d8ab1c60d 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile @@ -8,10 +8,10 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot -tracelog nosound +protocol unix,inet,inet6 +seccomp +tracelog diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile index 86e7be6fd..02c7f56bf 100644 --- a/etc/uget-gtk.profile +++ b/etc/uget-gtk.profile @@ -6,11 +6,11 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot +protocol unix,inet,inet6 +seccomp whitelist ${DOWNLOADS} mkdir ~/.config diff --git a/etc/vlc.profile b/etc/vlc.profile index d26034748..f8eebd376 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile @@ -7,8 +7,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 +netfilter nonewprivs noroot -netfilter +protocol unix,inet,inet6 +seccomp diff --git a/etc/weechat.profile b/etc/weechat.profile index 11b5bd10f..6cfe58420 100644 --- a/etc/weechat.profile +++ b/etc/weechat.profile 
@@ -4,9 +4,8 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot -netfilter +protocol unix,inet,inet6 +seccomp diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile index 61a87d994..cd0c6406f 100644 --- a/etc/wesnoth.profile +++ b/etc/wesnoth.profile @@ -9,10 +9,10 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 nonewprivs noroot +protocol unix,inet,inet6 +seccomp private-dev diff --git a/etc/xchat.profile b/etc/xchat.profile index f4b273693..061c4f3da 100644 --- a/etc/xchat.profile +++ b/etc/xchat.profile @@ -6,7 +6,7 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6 nonewprivs noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/xplayer.profile b/etc/xplayer.profile index fb0e3c910..cd9cbed45 100644 --- a/etc/xplayer.profile +++ b/etc/xplayer.profile @@ -8,9 +8,9 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 +netfilter nonewprivs noroot +protocol unix,inet,inet6 +seccomp tracelog -netfilter diff --git a/etc/xreader.profile b/etc/xreader.profile index 267330c1f..2cf109f09 100644 --- a/etc/xreader.profile +++ b/etc/xreader.profile @@ -9,10 +9,10 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 +netfilter nonewprivs noroot -tracelog -netfilter nosound +protocol unix,inet,inet6 +seccomp +tracelog diff --git a/etc/xviewer.profile b/etc/xviewer.profile index a0c91f0f3..51949526d 100644 --- a/etc/xviewer.profile +++ b/etc/xviewer.profile 
@@ -6,9 +6,9 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 +netfilter noroot nonewprivs +protocol unix,inet,inet6 +seccomp tracelog -netfilter diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 7da95eb68..7ae5ca1b9 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -102,3 +102,4 @@ /etc/firejail/konversation.profile /etc/firejail/psi-plus.profile /etc/firejail/brave.profile +/etc/firejail/gitter.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 567f97c69..566fb156f 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config 
@@ -6,88 +6,114 @@ gpredict stellarium -# weather/climate -aweather +# bittorrent/ftp +deluge +dropbox +filezilla +qbittorrent +rtorrent +transmission-gtk +transmission-qt +uget-gtk # browsers/email -firefox -iceweasel -chromium-browser +abrowser +brave chromium +chromium-browser conkeror -thunderbird -epiphany +cyberfox +firefox flashpeak-slimjet +epiphany +dillo +google-chrome google-chrome-beta google-chrome-stable google-chrome-unstable -google-chrome +iceweasel icecat icedove kmail midori +netsurf opera-beta opera qutebrowser seamonkey seamonkey-bin +thunderbird vivaldi-beta vivaldi -dillo -netsurf -brave - -# bittorrent/ftp -deluge -filezilla -qbittorrent -rtorrent -transmission-gtk -transmission-qt - -# office -cherrytree -evince -fbreader -localc -lodraw -loffice -lofromtemplate -loimpress -lomath -loweb -lowriter -Mathematica -mathematica -gwenview -okular -atril -xreader - -# Media -vlc -audacious -clementine -deadbeef -parole -rhythmbox -totem -cmus -xplayer -xviewer # chat/messaging bitlbee +corebird empathy -gnome-mplayer +gitter hexchat +konversation pidgin +polari +psi-plus qtox quassel +skype +telegram +weechat +weechat-curses xchat +# dns +dnscrypt-proxy +dnsmaq +unbound + +# emulators/compatibility layers +mupen64plus +wine + # games 0ad hedgewars +steam wesnot warzone2100 + +# Media +audacious +clementine +cmus +deadbeef +gnome-mplayer +google-play-music-desktop-player +parole +rhythmbox +spotify +totem +vlc +xplayer +xviewer + +# news readers +quiterss + +# office +atril +cherrytree +evince +fbreader +gwenview +Mathematica +mathematica +okular +xreader + +# other +lxterminal +openbox +snap +ssh + +# weather/climate +aweather -- cgit v1.2.3-70-g09d2 From 0c47e3585f3e4a2f365ad83c81f9095712fc34f3 Mon Sep 17 00:00:00 2001 
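Review bot: The added `# dns` group in src/firecfg/firecfg.config lists `dnsmaq`, which does not match the `etc/dnsmasq.profile` this commit also edits. Presumably firecfg matches entries by program name, so the misspelled entry would never select dnsmasq and the program would keep starting unsandboxed without any error; the line should read `dnsmasq`. The unchanged `wesnot` entry under `# games` looks like the same kind of typo for `wesnoth` (compare etc/wesnoth.profile) and could be corrected while the list is being re-sorted.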
From: netblue30 Date: Wed, 1 Jun 2016 11:40:24 -0400 Subject: fixed globbing dot files --- src/firejail/fs.c | 2 +- test/fs/fs.sh | 3 +++ test/fs/option_blacklist_glob.exp | 32 ++++++++++++++++++++++++++++++++ test/fs/testdir1/.directory/file | 0 test/fs/testdir1/.file | 0 5 files changed, 36 insertions(+), 1 deletion(-) create mode 100755 test/fs/option_blacklist_glob.exp create mode 100644 test/fs/testdir1/.directory/file create mode 100644 test/fs/testdir1/.file diff --git a/src/firejail/fs.c b/src/firejail/fs.c index cfb724696..c38a9a32e 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -361,7 +361,7 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[ glob_t globbuf; // Profiles contain blacklists for files that might not exist on a user's machine. // GLOB_NOCHECK makes that okay. - int globerr = glob(pattern, GLOB_NOCHECK | GLOB_NOSORT, NULL, &globbuf); + int globerr = glob(pattern, GLOB_NOCHECK | GLOB_NOSORT | GLOB_PERIOD, NULL, &globbuf); if (globerr) { fprintf(stderr, "Error: failed to glob pattern %s\n", pattern); exit(1); diff --git a/test/fs/fs.sh b/test/fs/fs.sh index b49aadf02..08888020c 100755 --- a/test/fs/fs.sh +++ b/test/fs/fs.sh @@ -45,6 +45,9 @@ echo "TESTING: blacklist directory (test/fs/option_blacklist.exp)" echo "TESTING: blacklist file (test/fs/option_blacklist_file.exp)" ./option_blacklist_file.exp +echo "TESTING: blacklist glob (test/fs/option_blacklist_glob.exp)" +./option_blacklist_glob.exp + echo "TESTING: bind as user (test/fs/option_bind_user.exp)" ./option_bind_user.exp diff --git a/test/fs/option_blacklist_glob.exp b/test/fs/option_blacklist_glob.exp new file mode 100755 index 000000000..01939736d --- /dev/null +++ b/test/fs/option_blacklist_glob.exp 
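Review bot: With `GLOB_PERIOD` added to the `glob()` call in `globbing()`, a wildcard such as `testdir1/*` may match the `.` and `..` entries as well as real dot files, so a blacklist pattern could expand to the directory itself and to its parent. Whether that happens depends on the C library's glob and on any filtering in the loop over `globbuf.gl_pathv`, which lies outside this hunk. If no such filter exists, skip every result whose last path component is `.` or `..` before applying the operation, with a comment like `// dir/* with GLOB_PERIOD can expand to dir/.. and hit the parent`. `GLOB_PERIOD` is also a GNU extension, which is worth a note next to the flag for builds against other C libraries. The new test/fs/option_blacklist_glob.exp only checks that `.file` and `.directory` are denied; one more step confirming the parent directory is still readable would cover the over-match case.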
@@ -0,0 +1,32 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --blacklist=testdir1/*\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 +send -- "cd testdir1\r" +sleep 1 + +send -- "cat .file\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Permission denied" +} + +send -- "ls .directory\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Permission denied" +} + +puts "\n" + diff --git a/test/fs/testdir1/.directory/file b/test/fs/testdir1/.directory/file new file mode 100644 index 000000000..e69de29bb diff --git a/test/fs/testdir1/.file b/test/fs/testdir1/.file new file mode 100644 index 000000000..e69de29bb -- cgit v1.2.3-70-g09d2 From 28641d918e696b03f5c0c4deecac458986f35dec Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 2 Jun 2016 13:39:20 -0400 Subject: lxc fixes --- src/firejail/firejail.h | 1 + src/firejail/main.c | 120 ++++++++++++++++++++++++---------------------- src/firejail/no_sandbox.c | 13 +++++ 3 files changed, 77 insertions(+), 57 deletions(-) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 661073730..b0a3ac90d 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -483,6 +483,7 @@ void fs_check_etc_list(void); void fs_private_etc_list(void); // no_sandbox.c +int check_namespace_virt(void); int check_kernel_procs(void); void run_no_sandbox(int argc, char **argv); diff --git a/src/firejail/main.c b/src/firejail/main.c index 607637802..0c843de9c 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c 
@@ -725,65 +725,71 @@ int main(int argc, char **argv) { } // check if we already have a sandbox running - EUID_ROOT(); - int rv = check_kernel_procs(); - EUID_USER(); - if (rv == 0) { - // if --force option is passed to the program, disregard the existing sandbox - int found = 0; - for (i = 1; i < argc; i++) { - if (strcmp(argv[i], "--force") == 0 || - strcmp(argv[i], "--list") == 0 || - strcmp(argv[i], "--netstats") == 0 || - strcmp(argv[i], "--tree") == 0 || - strcmp(argv[i], "--top") == 0 || - strncmp(argv[i], "--ls=", 5) == 0 || - strncmp(argv[i], "--get=", 6) == 0 || - strcmp(argv[i], "--debug-caps") == 0 || - strcmp(argv[i], "--debug-errnos") == 0 || - strcmp(argv[i], "--debug-syscalls") == 0 || - strcmp(argv[i], "--debug-protocols") == 0 || - strcmp(argv[i], "--help") == 0 || - strcmp(argv[i], "--version") == 0 || - strncmp(argv[i], "--dns.print=", 12) == 0 || - strncmp(argv[i], "--bandwidth=", 12) == 0 || - strncmp(argv[i], "--caps.print=", 13) == 0 || - strncmp(argv[i], "--cpu.print=", 12) == 0 || -//******************************************************************************** -// todo: fix the following problems - strncmp(argv[i], "--join=", 7) == 0 || -//[netblue@debian Downloads]$ firejail --join=896 -//Switching to pid 897, the first child process inside the sandbox -//Error: seccomp file not found -//******************************************************************************** - - strncmp(argv[i], "--join-filesystem=", 18) == 0 || - strncmp(argv[i], "--join-network=", 15) == 0 || - strncmp(argv[i], "--fs.print=", 11) == 0 || - strncmp(argv[i], "--protocol.print=", 17) == 0 || - strncmp(argv[i], "--seccomp.print", 15) == 0 || - strncmp(argv[i], "--shutdown=", 11) == 0) { - found = 1; - break; - } - - // detect end of firejail params - if (strcmp(argv[i], "--") == 0) - break; - if (strncmp(argv[i], "--", 2) != 0) - break; - } - - if (found == 0) { - // start the program directly without sandboxing - run_no_sandbox(argc, argv); - // it will never 
get here! - assert(0); + // If LXC is detected, start firejail sandbox + // otherwise try to detect a PID namespace by looking under /proc for specific kernel processes and: + // - if --force flag is set, start firejail sandbox + // -- if --force flag is not set, start the application in a /bin/bash shell + if (check_namespace_virt() == 0) { + EUID_ROOT(); + int rv = check_kernel_procs(); + EUID_USER(); + if (rv == 0) { + // if --force option is passed to the program, disregard the existing sandbox + int found = 0; + for (i = 1; i < argc; i++) { + if (strcmp(argv[i], "--force") == 0 || + strcmp(argv[i], "--list") == 0 || + strcmp(argv[i], "--netstats") == 0 || + strcmp(argv[i], "--tree") == 0 || + strcmp(argv[i], "--top") == 0 || + strncmp(argv[i], "--ls=", 5) == 0 || + strncmp(argv[i], "--get=", 6) == 0 || + strcmp(argv[i], "--debug-caps") == 0 || + strcmp(argv[i], "--debug-errnos") == 0 || + strcmp(argv[i], "--debug-syscalls") == 0 || + strcmp(argv[i], "--debug-protocols") == 0 || + strcmp(argv[i], "--help") == 0 || + strcmp(argv[i], "--version") == 0 || + strncmp(argv[i], "--dns.print=", 12) == 0 || + strncmp(argv[i], "--bandwidth=", 12) == 0 || + strncmp(argv[i], "--caps.print=", 13) == 0 || + strncmp(argv[i], "--cpu.print=", 12) == 0 || + //******************************************************************************** + // todo: fix the following problems + strncmp(argv[i], "--join=", 7) == 0 || + //[netblue@debian Downloads]$ firejail --join=896 + //Switching to pid 897, the first child process inside the sandbox + //Error: seccomp file not found + //******************************************************************************** + + strncmp(argv[i], "--join-filesystem=", 18) == 0 || + strncmp(argv[i], "--join-network=", 15) == 0 || + strncmp(argv[i], "--fs.print=", 11) == 0 || + strncmp(argv[i], "--protocol.print=", 17) == 0 || + strncmp(argv[i], "--seccomp.print", 15) == 0 || + strncmp(argv[i], "--shutdown=", 11) == 0) { + found = 1; + break; + } + + // 
detect end of firejail params + if (strcmp(argv[i], "--") == 0) + break; + if (strncmp(argv[i], "--", 2) != 0) + break; + } + + if (found == 0) { + // start the program directly without sandboxing + run_no_sandbox(argc, argv); + // it will never get here! + assert(0); + } + else + option_force = 1; } - else - option_force = 1; } - + // check root/suid EUID_ROOT(); if (geteuid()) { diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index a9242f035..cc7f6d234 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c @@ -23,6 +23,19 @@ #include #include +// returns 1 if we are running under LXC +int check_namespace_virt(void) { + char *container = getenv("container"); + if (container && + (strcmp(container, "lxc") == 0 || + strcmp(container, "docker") == 0 || + strcmp(container, "lxc-libvirt") == 0 || + strcmp(container, "systemd-nspawn") == 0 || + strcmp(container, "rkt") == 0)) + return 1; + return 0; +} + // check process space for kernel processes // return 1 if found, 0 if not found int check_kernel_procs(void) { -- cgit v1.2.3-70-g09d2 From 8db3aea8599540ba750fdc328320986a581d24f0 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 2 Jun 2016 17:42:50 -0400 Subject: lxc test fixes --- test/filters/seccomp-su.exp | 3 ++- test/utils/trace.exp | 4 +++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/test/filters/seccomp-su.exp b/test/filters/seccomp-su.exp index e2ab050bf..3f1f2e732 100755 --- a/test/filters/seccomp-su.exp +++ b/test/filters/seccomp-su.exp @@ -31,7 +31,8 @@ expect { send -- "ping google.com\r" expect { timeout {puts "TESTING ERROR 2\n";exit} - "Operation not permitted" + "Operation not permitted" {puts "OK\n"} + "unknown host" {puts "OK\n"} } send -- "exit\r" diff --git a/test/utils/trace.exp b/test/utils/trace.exp index 41058fd74..b562a6b49 100755 --- a/test/utils/trace.exp +++ b/test/utils/trace.exp 
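Review bot: `check_namespace_virt()` in the no_sandbox.c hunk decides from the `container` environment variable alone, and that value is set by whoever starts firejail, so it is a hint rather than detection: any caller can export `container=lxc` and skip the `check_kernel_procs()` branch in `main()`. From the visible code the effect is close to passing `--force` (though `option_force` is not set on this path), but that should be written down so that no privileged decision is later attached to this function. The header comment also names only LXC while the code accepts five values; `// returns 1 if $container names a known container manager (lxc, docker, lxc-libvirt, systemd-nspawn, rkt); the variable is caller-controlled` would match what the code does.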
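Review bot: Accepting `"unknown host"` as a pass in the `ping google.com` check of seccomp-su.exp makes the test succeed whenever name resolution fails, whether or not the sandbox denied the operation, so it no longer shows that the restriction under test is in force. If the goal is to run in an environment without DNS, pinging a literal address would keep the assertion on `"Operation not permitted"`. The trace.exp hunks of the same commit relax their checks in a similar way by accepting `"Parent is shutting down"`. The part of the script that sets up the sandbox is outside this hunk.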
@@ -79,6 +79,7 @@ expect { timeout {puts "TESTING ERROR 8.6\n";exit} "wget:fopen64 index.html" {puts "OK\n";} "wget:fopen index.html" {puts "OK\n";} + "Parent is shutting down" {puts "OK\n";} } sleep 1 @@ -89,7 +90,8 @@ expect { } expect { timeout {puts "TESTING ERROR 10\n";exit} - "rm:unlinkat index.html" + "rm:unlinkat index.html" {puts "OK\n";} + "Parent is shutting down" {puts "OK\n";} } sleep 1 -- cgit v1.2.3-70-g09d2 From ae906b1042ee87166f43488adf4910d8d1b60af4 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 3 Jun 2016 09:20:55 -0400 Subject: fixed firejail symlink problem for --private-bin option --- src/firejail/fs_bin.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index 251a1cb8f..8c1fd8e81 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c @@ -48,8 +48,25 @@ static char *check_dir_or_file(const char *name) { errExit("asprintf"); if (arg_debug) printf("Checking %s/%s\n", paths[i], name); - if (stat(fname, &s) == 0 && !S_ISDIR(s.st_mode)) // do not allow directories + if (stat(fname, &s) == 0 && !S_ISDIR(s.st_mode)) { // do not allow directories + // check symlink to firejail executable in /usr/local/bin + if (strcmp(paths[i], "/usr/local/bin") == 0 && is_link(fname)) { + char *actual_path = realpath(fname, NULL); + if (actual_path) { + char *ptr = strstr(actual_path, "/firejail"); + if (ptr && strlen(ptr) == strlen("/firejail")) { + if (arg_debug) + printf("firejail exec symlink detected\n"); + free(fname); + fname = NULL; + i++; + continue; + } + } + + } break; // file found + } free(fname); fname = NULL; -- cgit v1.2.3-70-g09d2 From f55a3c47e29283a407e83a8e25257207d6c34325 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 3 Jun 2016 09:23:12 -0400 Subject: fixed firejail symlink problem for --private-bin option --- src/firejail/fs_bin.c | 2 ++ 1 file changed, 2 insertions(+) 
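Review bot: The symlink test added to `check_dir_or_file()` uses `strstr(actual_path, "/firejail")`, which returns the first occurrence, so a resolved path with an earlier `/firejail` component (a constructed example: `/opt/firejail/bin/firejail`) fails the `strlen(ptr) == strlen("/firejail")` comparison and the symlink is not recognised. Matching on the last path component is what is intended: `char *ptr = strrchr(actual_path, '/');` followed by `if (ptr && strcmp(ptr, "/firejail") == 0) {`. The check is also limited to `/usr/local/bin`, so a firejail symlink found through any other entry of `paths[]` is still accepted as the program; if that is deliberate it deserves a comment. The function starts and ends outside the hunk.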
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index 8c1fd8e81..ac731c246 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c @@ -57,11 +57,13 @@ static char *check_dir_or_file(const char *name) { if (ptr && strlen(ptr) == strlen("/firejail")) { if (arg_debug) printf("firejail exec symlink detected\n"); + free(actual_path); free(fname); fname = NULL; i++; continue; } + free(actual_path); } } -- cgit v1.2.3-70-g09d2 From c8a8d07348ebce017f75b5a2682f056e8c661f5b Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 4 Jun 2016 11:55:09 -0400 Subject: networking fixes --- src/firejail/network_main.c | 7 +++++-- src/man/firejail.txt | 5 +++++ test/network/README | 10 +++++----- 3 files changed, 15 insertions(+), 7 deletions(-) diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c index e6d5cd5d7..e50c06ae9 100644 --- a/src/firejail/network_main.c +++ b/src/firejail/network_main.c @@ -56,9 +56,12 @@ void net_configure_bridge(Bridge *br, char *dev_name) { } } + // allow unconfigured interfaces if (net_get_if_addr(br->dev, &br->ip, &br->mask, br->mac, &br->mtu)) { - fprintf(stderr, "Error: interface %s is not configured\n", br->dev); - exit(1); + fprintf(stderr, "Warning: interface %s is not configured\n", br->dev); + br->configured = 1; + br->arg_ip_none = 1; + return; } if (arg_debug) { if (br->macvlan == 0) diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 7b22a5bf2..3c4de9ed5 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -460,6 +460,11 @@ in case you intend to start an external DHCP client in the sandbox. Example: .br $ firejail \-\-net=eth0 \-\-\ip=none +.br + +.br +If the coresponding interface doesn't have an IP address configured, this +option is enabled by default. .TP \fB\-\-ip6=address diff --git a/test/network/README b/test/network/README index 27e5667a2..a9b79d1de 100644 --- a/test/network/README +++ b/test/network/README 
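Review bot: In `net_configure_bridge()` the new early return sets `br->configured = 1` while `br->ip` and `br->mask` hold whatever `net_get_if_addr()` left in them on failure, so any later code that reads those fields has to test `arg_ip_none` first. That code is outside this hunk, so this is a request to state the invariant rather than a confirmed bug; a comment such as `// no address on the interface: treat as --ip=none; br->ip and br->mask are not valid from here on` above the assignments would do it.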
@@ -1,11 +1,11 @@ -Warning: this test requires root access to configure a number of bridge, macvlan and -vlan devices. Please take a look at configure file. By the time you are finished testing, -you'll probably have to reboot the computer to get your networking subsytem -back to normal. +Warning: this test requires root access to configure a number of bridge, mac +and vlan devices. Please take a look at configure file. By the time you are +finished testing, you'll probably have to reboot the computer to get your +networking subsytem back to normal. Limitations - to be investigated and fixed: - the test is assuming an eth0 wired interface to be present - - using netstat and ifconfig - this needs to be moved to iproute2 utilities + - using netstat and ifconfig - this needs to be moved to iproute2 - configure script inserts an entry in system netfilter configuration - the test will probably not work on grsecurity settings - macvlan interfaces don't seem to work correctly under VirtualBox -- cgit v1.2.3-70-g09d2 From a4444baae73f99dc57b6eb337182f26c553b0094 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 5 Jun 2016 10:38:02 -0400 Subject: appimage support --- README.md | 29 +++++++++++++++ src/firejail/appimage.c | 94 +++++++++++++++++++++++++++++++++++++++++++++++++ src/firejail/firejail.h | 2 ++ src/firejail/main.c | 29 +++++++++++++-- src/firejail/usage.c | 1 + src/man/firejail.txt | 13 +++++++ 6 files changed, 165 insertions(+), 3 deletions(-) create mode 100644 src/firejail/appimage.c diff --git a/README.md b/README.md index 543565fe4..2c8d0875a 100644 --- a/README.md +++ b/README.md 
@@ -36,6 +36,35 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ ````` # Current development version: 0.9.41 +## AppImage + +AppImage (http://appimage.org/) is a distribution-agnostic packaging format. +The package is a regular ISO file containing all binaries, libraries and resources +necessary for the program to run. + +We introduce in this release support for sandboxing AppImage applications. Example: +````` +$ firejail --appimage krita-3.0-x86_64.appimage +````` +All Firejail sandboxing options should be available. A private home directory: +````` +$ firejail --appimage --private krita-3.0-x86_64.appimage +````` +or some basic X11 sandboxing: +````` +$ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage +````` +Major software applications distributing AppImage packages: + +..* Krita: https://krita.org/download/krita-desktop/ +..* OpenShot: http://www.openshot.org/download/ +..* Scribus: https://www.scribus.net/downloads/unstable-branch/ +..* MuseScore: https://musescore.org/en/download + +More packages build by AppImage developer Simon Peter: https://bintray.com/probono/AppImages + +AppImage project home: https://github.com/probonopd/AppImageKit + ## New security profiles Gitter diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c new file mode 100644 index 000000000..e25d50a2d --- /dev/null +++ b/src/firejail/appimage.c 
@@ -0,0 +1,94 @@ +/* + * Copyright (C) 2014-2016 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +// http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=770fe30a46a12b6fb6b63fbe1737654d28e84844 +// sudo mount -o loop krita-3.0-x86_64.appimage mnt + +#include "firejail.h" +#include +#include +#include +#include +#include + + + +char *appimage_set(const char *appimage_path) { + assert(appimage_path); + EUID_ASSERT(); + + // check appimage_path + if (access(appimage_path, R_OK) == -1) { + fprintf(stderr, "Error: cannot access AppImage file\n"); + exit(1); + } + + EUID_ROOT(); + + // find or allocate a free loop device to use + int cfd = open("/dev/loop-control", O_RDWR); + int devnr = ioctl(cfd, LOOP_CTL_GET_FREE); + if (devnr == -1) { + fprintf(stderr, "Error: cannot allocate a new loopback device\n"); + exit(1); + } + close(cfd); + char *devloop; + if (asprintf(&devloop, "/dev/loop%d", devnr) == -1) + errExit("asprintf"); + + int ffd = open(appimage_path, O_RDONLY|O_CLOEXEC); + int lfd = open(devloop, O_RDONLY); + if (ioctl(lfd, LOOP_SET_FD, ffd) == -1) { + fprintf(stderr, "Error: cannot configure the loopback device\n"); + exit(1); + } + close(lfd); + close(ffd); + + char dirname[] = 
"/tmp/firejail-mnt-XXXXXX"; + char *mntdir = strdup(mkdtemp(dirname)); + if (mntdir == NULL) { + fprintf(stderr, "Error: cannot create temporary directory\n"); + exit(1); + } + mkdir(mntdir, 755); + chown(mntdir, getuid(), getgid()); + chmod(mntdir, 755); + + char *mode; + if (asprintf(&mode, "mode=755,uid=%d,gid=%d", getuid(), getgid()) == -1) + errExit("asprintf"); + + if (mount(devloop, mntdir, "iso9660",MS_MGC_VAL|MS_RDONLY, mode) < 0) + errExit("mounting appimage"); + + if (arg_debug) + printf("appimage mounted on %s\n", mntdir); + EUID_USER(); + + // build new command line + if (asprintf(&cfg.command_line, "%s/AppRun", mntdir) == -1) + errExit("asprintf"); + + free(devloop); + free(mode); + + return mntdir; +} diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index b0a3ac90d..00674c047 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -575,6 +575,8 @@ int checkcfg(int val); void fs_rdwr_add(const char *path); void fs_rdwr(void); +// appimage.c +char *appimage_set(const char *appimage_path); #endif diff --git a/src/firejail/main.c b/src/firejail/main.c index 0c843de9c..c2ac4a3fa 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -107,6 +107,7 @@ char *fullargv[MAX_ARGS]; // expanded argv for restricted shell int fullargc = 0; static pid_t child = 0; pid_t sandbox_pid; +static char *appimage_mntdir = NULL; static void set_name_file(pid_t pid); static void delete_name_file(pid_t pid); @@ -129,7 +130,12 @@ static void myexit(int rv) { // delete sandbox files in shared memory EUID_ROOT(); clear_run_files(sandbox_pid); - + if (appimage_mntdir) { + umount2(appimage_mntdir, MNT_FORCE); + rmdir(appimage_mntdir); + free(appimage_mntdir); + } + exit(rv); } @@ -701,6 +707,7 @@ int main(int argc, char **argv) { #ifdef HAVE_SECCOMP int highest_errno = errno_highest_nr(); #endif + int arg_appimage = 0; // drop permissions by default and rise them when required EUID_INIT(); 
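Review bot: `appimage_set()` checks the image with `access()` as the user and then reopens the same path after `EUID_ROOT()`, so the path can change between the check and the `open()`, and the file that ends up attached to the loop device and mounted with the caller's uid need not be one the caller is allowed to read. Opening the image before raising privileges and carrying the descriptor across removes the race. In the same function `mkdir(mntdir, 755)` and `chmod(mntdir, 755)` pass a decimal literal where octal `0755` is meant, `strdup(mkdtemp(dirname))` is handed NULL when `mkdtemp()` fails, and none of the three `open()` results is tested before it is passed to `ioctl()`. The later "appimage fixes" patch on this page adds checks on `chown`/`chmod` but keeps the decimal modes.

```c
	// open the image while still running as the user, so the kernel
	// applies the caller's permissions to the file that gets mounted
	int ffd = open(appimage_path, O_RDONLY|O_CLOEXEC);
	if (ffd == -1) {
		fprintf(stderr, "Error: cannot access AppImage file\n");
		exit(1);
	}

	EUID_ROOT();

	int cfd = open("/dev/loop-control", O_RDWR);
	if (cfd == -1)
		errExit("open /dev/loop-control");
	// … unchanged: LOOP_CTL_GET_FREE, asprintf of devloop …

	int lfd = open(devloop, O_RDONLY);
	if (lfd == -1)
		errExit("open loop device");
	// … unchanged: LOOP_SET_FD, close(lfd), close(ffd) …

	char dirname[] = "/tmp/firejail-mnt-XXXXXX";
	if (mkdtemp(dirname) == NULL)	// mkdtemp creates the directory itself
		errExit("mkdtemp");
	char *mntdir = strdup(dirname);
	if (mntdir == NULL)
		errExit("strdup");
	if (chown(mntdir, getuid(), getgid()) == -1)
		errExit("chown");
	if (chmod(mntdir, 0755) == -1)
		errExit("chmod");
	// … unchanged: mount options, mount, command line …
```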
@@ -1400,7 +1407,7 @@ int main(int argc, char **argv) { } else if (strncmp(argv[i], "--env=", 6) == 0) env_store(argv[i] + 6); - else if (strncmp(argv[i], "--nosound", 9) == 0) { + else if (strcmp(argv[i], "--nosound") == 0) { arg_nosound = 1; arg_private_dev = 1; } @@ -1766,6 +1773,8 @@ int main(int argc, char **argv) { //************************************* // command //************************************* + else if (strcmp(argv[i], "--appimage") == 0) + arg_appimage = 1; else if (strcmp(argv[i], "--csh") == 0) { if (arg_shell_none) { @@ -1847,7 +1856,13 @@ int main(int argc, char **argv) { } // we have a program name coming - extract_command_name(i, argv); + if (arg_appimage) { + cfg.command_name = strdup(argv[i]); + if (!cfg.command_name) + errExit("strdup"); + } + else + extract_command_name(i, argv); prog_index = i; break; } @@ -1900,6 +1915,13 @@ int main(int argc, char **argv) { cfg.window_title = "/bin/bash"; cfg.command_name = "bash"; } + else if (arg_appimage) { + if (arg_debug) + printf("Configuring appimage environment\n"); + appimage_mntdir = appimage_set(cfg.command_name); + cfg.window_title = "appimage"; + //todo: set window title + } else { // calculate the length of the command int i; @@ -1939,6 +1961,7 @@ int main(int argc, char **argv) { assert(cfg.command_name); if (arg_debug) printf("Command name #%s#\n", cfg.command_name); + // load the profile if (!arg_noprofile) { diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 45bf2e3b1..d2f7d9460 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -34,6 +34,7 @@ void usage(void) { printf("\n"); printf("Options:\n\n"); printf(" -- - signal the end of options and disables further option processing.\n\n"); + printf(" --appimage - sandbox an AppImage application\n\n"); #ifdef HAVE_NETWORK printf(" --bandwidth=name|pid - set bandwidth limits for the sandbox identified\n"); printf("\tby name or PID, see Traffic Shaping section fo more details.\n\n"); 
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 3c4de9ed5..e57b8fb93 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -75,6 +75,19 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox \fB\-\- Signal the end of options and disables further option processing. .TP +\fB\-\-appimage +Sandbox an AppImage (http://appimage.org/) application. +.br + +.br +Example: +.br +$ firejail --appimage krita-3.0-x86_64.appimage +.br +$ firejail --appimage --private krita-3.0-x86_64.appimage +.br +$ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage +.TP \fB\-\-bandwidth=name|pid Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details. .TP -- cgit v1.2.3-70-g09d2 From 28d747a821b1c6069c315a0b27c33c2fce10d710 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 5 Jun 2016 10:40:09 -0400 Subject: markup --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 2c8d0875a..723218fe0 100644 --- a/README.md +++ b/README.md @@ -56,10 +56,10 @@ $ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage ````` Major software applications distributing AppImage packages: -..* Krita: https://krita.org/download/krita-desktop/ -..* OpenShot: http://www.openshot.org/download/ -..* Scribus: https://www.scribus.net/downloads/unstable-branch/ -..* MuseScore: https://musescore.org/en/download +* Krita: https://krita.org/download/krita-desktop/ +* OpenShot: http://www.openshot.org/download/ +* Scribus: https://www.scribus.net/downloads/unstable-branch/ +* MuseScore: https://musescore.org/en/download More packages build by AppImage developer Simon Peter: https://bintray.com/probono/AppImages -- cgit v1.2.3-70-g09d2 From 81bfc52e131215cd042c491f1c94c5d1f49de8a8 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Sun, 5 Jun 2016 10:44:47 -0400 Subject: spelling --- src/firejail/network_main.c | 2 +- src/man/firejail.txt | 2 +- test/network/README | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c index e50c06ae9..396c612b1 100644 --- a/src/firejail/network_main.c +++ b/src/firejail/network_main.c @@ -58,7 +58,7 @@ void net_configure_bridge(Bridge *br, char *dev_name) { // allow unconfigured interfaces if (net_get_if_addr(br->dev, &br->ip, &br->mask, br->mac, &br->mtu)) { - fprintf(stderr, "Warning: interface %s is not configured\n", br->dev); + fprintf(stderr, "Warning: the network interface %s is not configured\n", br->dev); br->configured = 1; br->arg_ip_none = 1; return; diff --git a/src/man/firejail.txt b/src/man/firejail.txt index e57b8fb93..71a73a02d 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -476,7 +476,7 @@ $ firejail \-\-net=eth0 \-\-\ip=none .br .br -If the coresponding interface doesn't have an IP address configured, this +If the corresponding interface doesn't have an IP address configured, this option is enabled by default. .TP diff --git a/test/network/README b/test/network/README index a9b79d1de..a715d8edf 100644 --- a/test/network/README +++ b/test/network/README @@ -1,5 +1,5 @@ Warning: this test requires root access to configure a number of bridge, mac -and vlan devices. Please take a look at configure file. By the time you are +and vlan devices. Please take a look at configure file. By the time you are finished testing, you'll probably have to reboot the computer to get your networking subsytem back to normal. -- cgit v1.2.3-70-g09d2 From d7b05860cfe2e2f9a0e4efd1eb56000437f8f371 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 5 Jun 2016 18:47:26 -0400 Subject: /proc cleanup --- src/firejail/fs.c | 106 ++++++++++++++++++------------------------------------ 1 file changed, 35 insertions(+), 71 deletions(-) 
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index c38a9a32e..984d413a3 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -248,8 +248,6 @@ static void disable_file(OPERATION op, const char *filename) { // Resolve all symlinks char* fname = realpath(filename, NULL); if (fname == NULL && errno != EACCES) { - if (arg_debug) - printf("Warning (realpath): %s is an invalid file, skipping...\n", filename); return; } if (fname == NULL && errno == EACCES) { 
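Review bot: Dropping the `arg_debug` message from the `realpath()` failure branch of `disable_file()` makes a skipped blacklist entry invisible, and the following hunk in `fs_proc_sys_dev_boot()` removes the `stat()` guards, so every absent `/proc`, `/sys` and `/dev` target now takes this silent return. For a hardening list it is useful to see under `--debug` which entries did not apply; keeping `if (arg_debug) printf("Warning (realpath): %s is an invalid file, skipping...\n", filename);` costs nothing in normal runs. `disable_file()` continues outside the hunk.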
@@ -601,89 +599,55 @@ void fs_proc_sys_dev_boot(void) { fs_logger("remount /sys"); } - if (stat("/sys/firmware", &s) == 0) { - disable_file(BLACKLIST_FILE, "/sys/firmware"); - } - - if (stat("/sys/hypervisor", &s) == 0) { - disable_file(BLACKLIST_FILE, "/sys/hypervisor"); - } - - if (stat("/sys/fs", &s) == 0) { - disable_file(BLACKLIST_FILE, "/sys/fs"); - } - - if (stat("/sys/module", &s) == 0) { - disable_file(BLACKLIST_FILE, "/sys/module"); - } - - if (stat("/sys/power", &s) == 0) { - disable_file(BLACKLIST_FILE, "/sys/power"); - } + disable_file(BLACKLIST_FILE, "/sys/firmware"); + disable_file(BLACKLIST_FILE, "/sys/hypervisor"); + disable_file(BLACKLIST_FILE, "/sys/fs"); + disable_file(BLACKLIST_FILE, "/sys/module"); + disable_file(BLACKLIST_FILE, "/sys/power"); + disable_file(BLACKLIST_FILE, "/sys/kernel/debug"); + disable_file(BLACKLIST_FILE, "/sys/kernel/vmcoreinfo"); + disable_file(BLACKLIST_FILE, "/sys/kernel/uevent_helper"); // if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0) // errExit("mounting /sys"); - // Disable SysRq - // a linux box can be shut down easily using the following commands (as root): - // # echo 1 > /proc/sys/kernel/sysrq - // #echo b > /proc/sysrq-trigger - // for more information see https://www.kernel.org/doc/Documentation/sysrq.txt - if (arg_debug) - printf("Disable /proc/sysrq-trigger\n"); - fs_rdonly_noexit("/proc/sysrq-trigger"); - - // disable hotplug and uevent_helper - if (arg_debug) - printf("Disable /proc/sys/kernel/hotplug\n"); - fs_rdonly_noexit("/proc/sys/kernel/hotplug"); - if (arg_debug) - printf("Disable /sys/kernel/uevent_helper\n"); - fs_rdonly_noexit("/sys/kernel/uevent_helper"); - - // read-only /proc/irq and /proc/bus - if (arg_debug) - printf("Disable /proc/irq\n"); - fs_rdonly_noexit("/proc/irq"); - if (arg_debug) - printf("Disable /proc/bus\n"); - fs_rdonly_noexit("/proc/bus"); - - // disable /proc/kcore - disable_file(BLACKLIST_FILE, "/proc/kcore"); - // disable 
/proc/kallsyms + // various /proc/sys files + disable_file(BLACKLIST_FILE, "/proc/sys/security"); + disable_file(BLACKLIST_FILE, "/proc/sys/efi/vars"); + disable_file(BLACKLIST_FILE, "/proc/sys/fs/binfmt_misc"); + disable_file(BLACKLIST_FILE, "/proc/sys/kernel/core_pattern"); + disable_file(BLACKLIST_FILE, "/proc/sys/kernel/modprobe"); + disable_file(BLACKLIST_FILE, "/proc/sysrq-trigger"); + disable_file(BLACKLIST_FILE, "/proc/sys/kernel/hotplug"); + disable_file(BLACKLIST_FILE, "/proc/sys/vm/panic_on_oom"); + + + // various /proc files + disable_file(BLACKLIST_FILE, "/proc/irq"); + disable_file(BLACKLIST_FILE, "/proc/bus"); + disable_file(BLACKLIST_FILE, "/proc/config.gz"); + disable_file(BLACKLIST_FILE, "/proc/sched_debug"); + disable_file(BLACKLIST_FILE, "/proc/timer_list"); + disable_file(BLACKLIST_FILE, "/proc/timer_stats"); + disable_file(BLACKLIST_FILE, "/proc/kcore"); disable_file(BLACKLIST_FILE, "/proc/kallsyms"); + disable_file(BLACKLIST_FILE, "/proc/mem"); + disable_file(BLACKLIST_FILE, "/proc/kmem"); // disable /boot - if (stat("/boot", &s) == 0) { - if (arg_debug) - printf("Disable /boot directory\n"); - disable_file(BLACKLIST_FILE, "/boot"); - } + disable_file(BLACKLIST_FILE, "/boot"); // disable /selinux - if (stat("/selinux", &s) == 0) { - if (arg_debug) - printf("Disable /selinux directory\n"); - disable_file(BLACKLIST_FILE, "/selinux"); - } + disable_file(BLACKLIST_FILE, "/selinux"); // disable /dev/port - if (stat("/dev/port", &s) == 0) { - disable_file(BLACKLIST_FILE, "/dev/port"); - } + disable_file(BLACKLIST_FILE, "/dev/port"); if (getuid() != 0) { - // disable /dev/kmsg - if (stat("/dev/kmsg", &s) == 0) { - disable_file(BLACKLIST_FILE, "/dev/kmsg"); - } - - // disable /proc/kmsg - if (stat("/proc/kmsg", &s) == 0) { - disable_file(BLACKLIST_FILE, "/proc/kmsg"); - } + // disable /dev/kmsg and /proc/kmsg + disable_file(BLACKLIST_FILE, "/dev/kmsg"); + disable_file(BLACKLIST_FILE, "/proc/kmsg"); } } -- cgit v1.2.3-70-g09d2 
From 9fc8878b4131b34e4425d0b0eb30b477a71b1c44 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 6 Jun 2016 10:09:21 -0400 Subject: appimage fixes --- src/firejail/appimage.c | 43 +++++++++++++++++++++++++++++++++---------- src/firejail/firejail.h | 3 ++- src/firejail/fs.c | 2 -- src/firejail/main.c | 11 +++-------- 4 files changed, 38 insertions(+), 21 deletions(-) diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index e25d50a2d..59ce31052 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c @@ -26,11 +26,14 @@ #include #include #include +#include +static char *devloop = NULL; // device file +static char *mntdir = NULL; // mount point in /tmp directory - -char *appimage_set(const char *appimage_path) { +void appimage_set(const char *appimage_path) { assert(appimage_path); + assert(devloop == NULL); // don't call this twice! EUID_ASSERT(); // check appimage_path @@ -49,7 +52,6 @@ char *appimage_set(const char *appimage_path) { exit(1); } close(cfd); - char *devloop; if (asprintf(&devloop, "/dev/loop%d", devnr) == -1) errExit("asprintf"); @@ -63,15 +65,17 @@ char *appimage_set(const char *appimage_path) { close(ffd); char dirname[] = "/tmp/firejail-mnt-XXXXXX"; - char *mntdir = strdup(mkdtemp(dirname)); + mntdir = strdup(mkdtemp(dirname)); if (mntdir == NULL) { fprintf(stderr, "Error: cannot create temporary directory\n"); exit(1); } mkdir(mntdir, 755); - chown(mntdir, getuid(), getgid()); - chmod(mntdir, 755); - + if (chown(mntdir, getuid(), getgid()) == -1) + errExit("chown"); + if (chmod(mntdir, 755) == -1) + errExit("chmod"); + char *mode; if (asprintf(&mode, "mode=755,uid=%d,gid=%d", getuid(), getgid()) == -1) errExit("asprintf"); @@ -79,6 +83,7 @@ char *appimage_set(const char *appimage_path) { if (mount(devloop, mntdir, "iso9660",MS_MGC_VAL|MS_RDONLY, mode) < 0) errExit("mounting appimage"); + if (arg_debug) printf("appimage mounted on %s\n", mntdir); EUID_USER(); 
@@ -87,8 +92,26 @@ char *appimage_set(const char *appimage_path) { if (asprintf(&cfg.command_line, "%s/AppRun", mntdir) == -1) errExit("asprintf"); - free(devloop); free(mode); - - return mntdir; +} + +void appimage_clear(void) { + int rv; + + if (mntdir) { + rv = umount2(mntdir, MNT_FORCE); + if (rv == -1 && errno == EBUSY) { + sleep(1); + rv = umount2(mntdir, MNT_FORCE); + + } + rmdir(mntdir); + free(mntdir); + } + + if (devloop) { + int lfd = open(devloop, O_RDONLY); + rv = ioctl(lfd, LOOP_CLR_FD, 0); + close(lfd); + } } diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 00674c047..2d5e05f79 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -576,7 +576,8 @@ void fs_rdwr_add(const char *path); void fs_rdwr(void); // appimage.c -char *appimage_set(const char *appimage_path); +void appimage_set(const char *appimage_path); +void appimage_clear(void); #endif diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 984d413a3..8cae9191c 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -570,8 +570,6 @@ void fs_rdonly_noexit(const char *dir) { // mount /proc and /sys directories void fs_proc_sys_dev_boot(void) { - struct stat s; - if (arg_debug) printf("Remounting /proc and /proc/sys filesystems\n"); if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) diff --git a/src/firejail/main.c b/src/firejail/main.c index c2ac4a3fa..1c2f021bb 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -107,7 +107,6 @@ char *fullargv[MAX_ARGS]; // expanded argv for restricted shell int fullargc = 0; static pid_t child = 0; pid_t sandbox_pid; -static char *appimage_mntdir = NULL; static void set_name_file(pid_t pid); static void delete_name_file(pid_t pid); 
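Review bot: `appimage_clear()` ignores the result of the second `umount2()` and passes the unchecked return of `open(devloop, O_RDONLY)` to `ioctl(lfd, LOOP_CLR_FD, 0)`, so a mount that is still busy leaves the directory and the loop device attached without any message, and a failed open issues the ioctl on -1. Guard the detach with `if (lfd != -1) {` around the `ioctl` and `close`, and report a failed unmount at least under `arg_debug`. `devloop` is never freed and neither static pointer is reset to NULL after cleanup, which matters if the function can run more than once; it is called from `myexit()`, whose callers are outside this hunk.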
@@ -130,16 +129,13 @@ static void myexit(int rv) { // delete sandbox files in shared memory EUID_ROOT(); clear_run_files(sandbox_pid); - if (appimage_mntdir) { - umount2(appimage_mntdir, MNT_FORCE); - rmdir(appimage_mntdir); - free(appimage_mntdir); - } + appimage_clear(); exit(rv); } static void my_handler(int s){ +printf("**************************\n"); EUID_ROOT(); if (!arg_quiet) { printf("\nParent received signal %d, shutting down the child process...\n", s); @@ -1918,9 +1914,8 @@ int main(int argc, char **argv) { else if (arg_appimage) { if (arg_debug) printf("Configuring appimage environment\n"); - appimage_mntdir = appimage_set(cfg.command_name); + appimage_set(cfg.command_name); cfg.window_title = "appimage"; - //todo: set window title } else { // calculate the length of the command -- cgit v1.2.3-70-g09d2 From c5ed2af102d72be6aa4edc473f50278013b10241 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 6 Jun 2016 10:15:01 -0400 Subject: fixed /etc/skel problem --- src/firejail/fs_home.c | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index d4a16da0a..b12d8bb76 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c @@ -41,10 +41,6 @@ static void skel(const char *homedir, uid_t u, gid_t g) { if (stat(fname, &s) == 0) return; if (stat("/etc/skel/.zshrc", &s) == 0) { - if (is_link("/etc/skel/.zshrc")) { - fprintf(stderr, "Error: invalid /etc/skel/.zshrc file\n"); - exit(1); - } if (copy_file("/etc/skel/.zshrc", fname) == 0) { if (chown(fname, u, g) == -1) errExit("chown"); @@ -75,10 +71,6 @@ static void skel(const char *homedir, uid_t u, gid_t g) { if (stat(fname, &s) == 0) return; if (stat("/etc/skel/.cshrc", &s) == 0) { - if (is_link("/etc/skel/.cshrc")) { - fprintf(stderr, "Error: invalid /etc/skel/.cshrc file\n"); - exit(1); - } if (copy_file("/etc/skel/.cshrc", fname) == 0) { if (chown(fname, u, g) == -1) errExit("chown"); 
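Review bot: The line `printf("**************************\n");` added at the top of `my_handler()` looks like leftover debugging and should be removed. It prints unconditionally, bypassing the `arg_quiet` test that guards the message below it, and `printf` is not async-signal-safe, so calling it from a signal handler can deadlock or corrupt stdio state when the signal interrupts another stdio call. The handler continues outside the hunk.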
@@ -110,10 +102,6 @@ static void skel(const char *homedir, uid_t u, gid_t g) { if (stat(fname, &s) == 0) return; if (stat("/etc/skel/.bashrc", &s) == 0) { - if (is_link("/etc/skel/.bashrc")) { - fprintf(stderr, "Error: invalid /etc/skel/.bashrc file\n"); - exit(1); - } if (copy_file("/etc/skel/.bashrc", fname) == 0) { /* coverity[toctou] */ if (chown(fname, u, g) == -1) -- cgit v1.2.3-70-g09d2 From 9e3469e1cffffa9d0e50f284c9b46a773138a1a6 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 6 Jun 2016 11:54:53 -0400 Subject: added gThumb and mpv profiles --- Makefile.in | 2 ++ README.md | 2 +- RELNOTES | 2 +- etc/disable-programs.inc | 2 ++ etc/gthumb.profile | 17 +++++++++++++++++ etc/mpv.profile | 14 ++++++++++++++ platform/debian/conffiles | 2 ++ src/firecfg/firecfg.config | 2 ++ 8 files changed, 41 insertions(+), 2 deletions(-) create mode 100644 etc/gthumb.profile create mode 100644 etc/mpv.profile diff --git a/Makefile.in b/Makefile.in index ea6299b3e..c7897145a 100644 --- a/Makefile.in +++ b/Makefile.in @@ -189,6 +189,8 @@ realinstall: install -c -m 0644 .etc/psi-plus.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/brave.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/gitter.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/gthumb.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/mpv.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" rm -fr .etc diff --git a/README.md b/README.md index 723218fe0..efbb97f36 100644 --- a/README.md +++ b/README.md @@ -67,4 +67,4 @@ AppImage project home: https://github.com/probonopd/AppImageKit ## New security profiles -Gitter +Gitter, gThumb, mpv 
diff --git a/RELNOTES b/RELNOTES index db3828354..7731c88f2 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,6 +1,6 @@ firejail (0.9.41) baseline; urgency=low * work in progress... - * new profiles: Gitter + * new profiles: Gitter, gThumb, mpv -- netblue30 Tue, 31 May 2016 08:00:00 -0500 firejail (0.9.40) baseline; urgency=low diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 1f86a0ebe..04cc1ac7a 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -6,6 +6,7 @@ blacklist ${HOME}/.wine blacklist ${HOME}/.Mathematica blacklist ${HOME}/.Wolfram Research blacklist ${HOME}/.stellarium +blacklist ${HOME}/.config/gthumb blacklist ${HOME}/.config/mupen64plus blacklist ${HOME}/.config/transmission blacklist ${HOME}/.config/uGet @@ -26,6 +27,7 @@ blacklist ${HOME}/.config/cmus blacklist ${HOME}/.config/deadbeef blacklist ${HOME}/.config/spotify blacklist ${HOME}/.config/vlc +blacklist ${HOME}/.config/mpv blacklist ${HOME}/.config/totem blacklist ${HOME}/.config/xplayer diff --git a/etc/gthumb.profile b/etc/gthumb.profile new file mode 100644 index 000000000..55041b5cc --- /dev/null +++ b/etc/gthumb.profile @@ -0,0 +1,17 @@ +# gthumb profile +noblacklist ${HOME}/.config/gthumb + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp + +private-bin gthumb +shell none diff --git a/etc/mpv.profile b/etc/mpv.profile new file mode 100644 index 000000000..0a8a6103f --- /dev/null +++ b/etc/mpv.profile @@ -0,0 +1,14 @@ +# mpv media player profile +noblacklist ${HOME}/.config/mpv + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp 
diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 7ae5ca1b9..b4bbdb36a 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -103,3 +103,5 @@ /etc/firejail/psi-plus.profile /etc/firejail/brave.profile /etc/firejail/gitter.profile +/etc/firejail/gthumb.profile +/etc/firejail/mpv.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 566fb156f..8bb90bf4a 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -87,6 +87,7 @@ cmus deadbeef gnome-mplayer google-play-music-desktop-player +mpv parole rhythmbox spotify @@ -104,6 +105,7 @@ cherrytree evince fbreader gwenview +gthumb Mathematica mathematica okular -- cgit v1.2.3-70-g09d2 From 57d7bb7b149d3cf39b8b93ec7c864e2bc03243b1 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 7 Jun 2016 07:36:36 -0400 Subject: remove lxterm from firecfg configuration file --- src/firecfg/firecfg.config | 1 - 1 file changed, 1 deletion(-) diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 8bb90bf4a..dfbfd5f3f 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -112,7 +112,6 @@ okular xreader # other -lxterminal openbox snap ssh -- cgit v1.2.3-70-g09d2 From 609b9287190df1cb39bbce895ea15402ea864905 Mon Sep 17 00:00:00 2001 From: root Date: Tue, 7 Jun 2016 08:02:20 -0400 Subject: remove noroot from midori profile --- etc/midori.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/midori.profile b/etc/midori.profile index c4055fa83..01ab58bc1 100644 --- a/etc/midori.profile +++ b/etc/midori.profile @@ -7,6 +7,6 @@ include /etc/firejail/disable-devel.inc caps.drop all netfilter nonewprivs -noroot +# noroot - noroot break midori on Ubuntu 14.04 protocol unix,inet,inet6 seccomp -- cgit v1.2.3-70-g09d2 From 86df483afa5088a64c99214c7c2cc6726cccc352 Mon Sep 17 00:00:00 2001 
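Review bot: Commenting out `noroot` in etc/midori.profile removes the user-namespace restriction on every distribution, although the comment names only Ubuntu 14.04 as the system where it breaks. The comment should record that this is a deliberate weakening and when it can be undone, for example `# noroot disabled: breaks midori on Ubuntu 14.04; re-enable once that is fixed`. `caps.drop all`, `nonewprivs` and `seccomp` remain, so the profile keeps its other privilege limits.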
From: netblue30 Date: Tue, 7 Jun 2016 08:04:42 -0400 Subject: removed noroot from midori profile --- etc/midori.profile | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/midori.profile b/etc/midori.profile index 01ab58bc1..046c45d94 100644 --- a/etc/midori.profile +++ b/etc/midori.profile @@ -10,3 +10,4 @@ nonewprivs # noroot - noroot break midori on Ubuntu 14.04 protocol unix,inet,inet6 seccomp + -- cgit v1.2.3-70-g09d2 From 9fafef8e0054176a7af4eb8786fb7ceefaf73026 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 8 Jun 2016 10:30:14 -0400 Subject: lxc support --- src/firejail/no_sandbox.c | 62 +++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 55 insertions(+), 7 deletions(-) diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index cc7f6d234..9672d003e 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c 
@@ -23,16 +23,64 @@ #include #include +#define MAX_BUF 4096 + +int is_container(const char *str) { + assert(str); + if (strcmp(str, "lxc") == 0 || + strcmp(str, "docker") == 0 || + strcmp(str, "lxc-libvirt") == 0 || + strcmp(str, "systemd-nspawn") == 0 || + strcmp(str, "rkt") == 0) + return 1; + return 0; + + +} + // returns 1 if we are running under LXC int check_namespace_virt(void) { - char *container = getenv("container"); - if (container && - (strcmp(container, "lxc") == 0 || - strcmp(container, "docker") == 0 || - strcmp(container, "lxc-libvirt") == 0 || - strcmp(container, "systemd-nspawn") == 0 || - strcmp(container, "rkt") == 0)) + EUID_ASSERT(); + + // check container environment variable + char *str = getenv("container"); + if (str && is_container(str)) return 1; + + // check PID 1 container environment variable + EUID_ROOT(); + FILE *fp = fopen("/proc/1/environ", "r"); + if (fp) { + int c = 0; + while (c != EOF) { + // read one line + char buf[MAX_BUF]; + int i = 0; + while ((c = fgetc(fp)) != EOF) { + if (c == 0) + break; + buf[i] = (char) c; + if (++i == (MAX_BUF - 1)) + break; + } + buf[i] = '\0'; + + // check env var name + if (strncmp(buf, "container=", 10) == 0) { + // found it + if (is_container(buf + 10)) { + fclose(fp); + EUID_USER(); + return 1; + } + } +// printf("i %d c %d, buf #%s#\n", i, c, buf); + } + + fclose(fp); + } + + EUID_USER(); return 0; } -- cgit v1.2.3-70-g09d2 From 6313ab799d95065ef75491a9d11d31a1d684701b Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 8 Jun 2016 13:16:22 -0400 Subject: fixes --- src/firecfg/firecfg.config | 1 - src/firejail/appimage.c | 2 ++ src/firemon/procevent.c | 3 ++- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index dfbfd5f3f..e31a7c12a 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -112,7 +112,6 @@ okular xreader # other -openbox snap ssh 
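Review bot: `check_namespace_virt()` switches to root with `EUID_ROOT()` before `fopen("/proc/1/environ", "r")` and stays root through the whole parsing loop, dropping back only at the two exits. If reading the already open file works as the user (worth testing, since /proc access checks differ between kernels), `EUID_USER();` can follow the `fopen` line directly and the extra call before `return 1` goes away. An entry longer than `MAX_BUF - 1` bytes is cut, and its tail is then compared against `container=` as if it were a new variable; skipping to the next NUL after a truncated read avoids that. The comment `// returns 1 if we are running under LXC` no longer matches the five runtimes `is_container()` accepts.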
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index 59ce31052..2d5a05b8d 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c @@ -103,6 +103,7 @@ void appimage_clear(void) { if (rv == -1 && errno == EBUSY) { sleep(1); rv = umount2(mntdir, MNT_FORCE); + (void) rv; } rmdir(mntdir); @@ -112,6 +113,7 @@ void appimage_clear(void) { if (devloop) { int lfd = open(devloop, O_RDONLY); rv = ioctl(lfd, LOOP_CLR_FD, 0); + (void) rv; close(lfd); } } diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c index e2dd5aaa2..7c961adde 100644 --- a/src/firemon/procevent.c +++ b/src/firemon/procevent.c @@ -89,7 +89,8 @@ static int pid_is_firejail(pid_t pid) { // list of firejail arguments that don't trigger sandbox creation // the initial -- is not included - char *firejail_args = "ls list tree x11 help version top netstats debug-syscalls debug-errnos debug-protocols"; + char *firejail_args = "ls list tree x11 help version top netstats debug-syscalls debug-errnos debug-protocols " + "protocol.print debug.caps shutdown bandwidth caps.print cpu.print debug-caps fs.print get "; int i; char *start; -- cgit v1.2.3-70-g09d2 From f1c611a1280cd977dc7c5643e5c3fd13315514e1 Mon Sep 17 00:00:00 2001 From: maces Date: Wed, 8 Jun 2016 21:54:04 +0200 Subject: added profile for franz messenger added profile for franz messenger app based n electron --- etc/franz.profile | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 etc/franz.profile diff --git a/etc/franz.profile b/etc/franz.profile new file mode 100644 index 000000000..fc4a665de --- /dev/null +++ b/etc/franz.profile 
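Review bot: The two added `(void) rv;` lines in `appimage_clear()` silence the unused-result warning but leave a failed `umount2()` retry and a failed `LOOP_CLR_FD` unreported, so a still-mounted image or an attached loop device can outlive the sandbox with no trace. Reporting the failure costs one line, e.g. `if (rv == -1) fprintf(stderr, "Warning: cannot unmount %s\n", mntdir);` in place of the first cast, and the same pattern for the ioctl. `rmdir(mntdir)` after a failed unmount will also fail, and its result is not checked either.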
@@ -0,0 +1,26 @@ +# Franz profile +noblacklist ~/.config/Franz +noblacklist ~/.cache/Franz +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc + +caps.drop all +seccomp +protocol unix,inet,inet6,netlink +netfilter +#tracelog +nonewprivs +noroot + +whitelist ${DOWNLOADS} +mkdir ~/.config +mkdir ~/.config/Franz +whitelist ~/.config/Franz +mkdir ~/.cache +mkdir ~/.cache/Franz +whitelist ~/.cache/Franz +mkdir ~/.pki +whitelist ~/.pki + +include /etc/firejail/whitelist-common.inc -- cgit v1.2.3-70-g09d2 From d073a425b3e3ed3829a0e042e8c41963f0f40f0e Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 9 Jun 2016 08:42:59 -0400 Subject: whitelist support in /etc/firejail/firejail.config --- configure | 17 +++++++++++++++++ configure.ac | 9 +++++++++ etc/firejail.config | 15 +++++++++------ src/firejail/Makefile.in | 3 ++- src/firejail/checkcfg.c | 11 ++++++++++- src/firejail/firejail.h | 3 ++- src/firejail/main.c | 25 +++++++++++++++++++------ src/firejail/profile.c | 12 ++++++++++-- src/firejail/usage.c | 6 ++++-- src/man/firejail-config.txt | 19 +++++++++++-------- 10 files changed, 93 insertions(+), 27 deletions(-) diff --git a/configure b/configure index 66b1663f9..da7d370d3 100755 --- a/configure +++ b/configure @@ -629,6 +629,7 @@ EGREP GREP CPP HAVE_FATAL_WARNINGS +HAVE_WHITELIST HAVE_FILE_TRANSFER HAVE_X11 HAVE_USERNS @@ -695,6 +696,7 @@ enable_network enable_userns enable_x11 enable_file_transfer +enable_whitelist enable_fatal_warnings ' ac_precious_vars='build_alias @@ -1324,6 +1326,7 @@ Optional Features: --disable-userns disable user namespace --disable-x11 disable X11 sandboxing support --disable-file-transfer disable file transfer + --disable-whitelist disable whitelist --enable-fatal-warnings -W -Wall -Werror Some influential environment variables: 
@@ -3161,6 +3164,19 @@ if test "x$enable_file_transfer" != "xno"; then : HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER" +fi + +HAVE_WHITELIST="" +# Check whether --enable-whitelist was given. +if test "${enable_whitelist+set}" = set; then : + enableval=$enable_whitelist; +fi + +if test "x$enable_whitelist" != "xno"; then : + + HAVE_WHITELIST="-DHAVE_WHITELIST" + + fi HAVE_FATAL_WARNINGS="" @@ -4823,6 +4839,7 @@ echo " bind: $HAVE_BIND" echo " network: $HAVE_NETWORK" echo " user namespace: $HAVE_USERNS" echo " X11 sandboxing support: $HAVE_X11" +echo " whitelisting: $HAVE_WHITELIST" echo " file transfer support: $HAVE_FILE_TRANSFER" echo " fatal warnings: $HAVE_FATAL_WARNINGS" echo diff --git a/configure.ac b/configure.ac index ef6a11af5..c9061f219 100644 --- a/configure.ac +++ b/configure.ac @@ -70,6 +70,14 @@ AS_IF([test "x$enable_file_transfer" != "xno"], [ AC_SUBST(HAVE_FILE_TRANSFER) ]) +HAVE_WHITELIST="" +AC_ARG_ENABLE([whitelist], + AS_HELP_STRING([--disable-whitelist], [disable whitelist])) +AS_IF([test "x$enable_whitelist" != "xno"], [ + HAVE_WHITELIST="-DHAVE_WHITELIST" + AC_SUBST(HAVE_WHITELIST) +]) + HAVE_FATAL_WARNINGS="" AC_ARG_ENABLE([fatal_warnings], AS_HELP_STRING([--enable-fatal-warnings], [-W -Wall -Werror])) @@ -103,6 +111,7 @@ echo " bind: $HAVE_BIND" echo " network: $HAVE_NETWORK" echo " user namespace: $HAVE_USERNS" echo " X11 sandboxing support: $HAVE_X11" +echo " whitelisting: $HAVE_WHITELIST" echo " file transfer support: $HAVE_FILE_TRANSFER" echo " fatal warnings: $HAVE_FATAL_WARNINGS" echo diff --git a/etc/firejail.config b/etc/firejail.config index 55d2faa9f..4fcaee213 100644 --- a/etc/firejail.config +++ b/etc/firejail.config 
@@ -12,6 +12,12 @@ # Enable or disable file transfer support, default enabled. # file-transfer yes +# Force use of nonewprivs. This mitigates the possibility of +# a user abusing firejail's features to trick a privileged (suid +# or file capabilities) process into loading code or configuration +# that is partially under their control. Default disabled +# force-nonewprivs no + # Enable or disable networking features, default enabled. # network yes @@ -27,15 +33,12 @@ # Enable or disable user namespace support, default enabled. # userns yes +# Enable or disable whitelisting support, default enabled +# whitelist yes + # Enable or disable X11 sandboxing support, default enabled. # x11 yes -# Force use of nonewprivs. This mitigates the possibility of -# a user abusing firejail's features to trick a privileged (suid -# or file capabilities) process into loading code or configuration -# that is partially under their control. Default disabled -# force-nonewprivs no - # Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for # a full list of resolutions available on your specific setup. # xephyr-screen 640x480 diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in index 3ad4ba75e..a8af1a4e0 100644 --- a/src/firejail/Makefile.in +++ b/src/firejail/Makefile.in 
@@ -16,13 +16,14 @@ HAVE_NETWORK=@HAVE_NETWORK@ HAVE_USERNS=@HAVE_USERNS@ HAVE_X11=@HAVE_X11@ HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ +HAVE_WHITELIST=@HAVE_WHITELIST@ H_FILE_LIST = $(sort $(wildcard *.[h])) C_FILE_LIST = $(sort $(wildcard *.c)) OBJS = $(C_FILE_LIST:.c=.o) BINOBJS = $(foreach file, $(OBJS), $file) -CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security +CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 3ea8caf5b..bf85436c3 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -38,7 +38,7 @@ int checkcfg(int val) { cfg_val[i] = 1; // most of them are enabled by default cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default - cfg_val[CFG_FORCE_NONEWPRIVS ] = 0; // disabled by default + cfg_val[CFG_FORCE_NONEWPRIVS] = 0; // disabled by default // open configuration file char *fname; 
@@ -126,6 +126,15 @@ int checkcfg(int val) { else goto errout; } + // whitelist + else if (strncmp(ptr, "whitelist ", 10) == 0) { + if (strcmp(ptr + 10, "yes") == 0) + cfg_val[CFG_WHITELIST] = 1; + else if (strcmp(ptr + 10, "no") == 0) + cfg_val[CFG_WHITELIST] = 0; + else + goto errout; + } // network else if (strncmp(ptr, "network ", 8) == 0) { if (strcmp(ptr + 8, "yes") == 0) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 2d5e05f79..026273aa3 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -568,7 +568,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh); #define CFG_NETWORK 6 #define CFG_RESTRICTED_NETWORK 7 #define CFG_FORCE_NONEWPRIVS 8 -#define CFG_MAX 9 // this should always be the last entry +#define CFG_WHITELIST 9 +#define CFG_MAX 10 // this should always be the last entry int checkcfg(int val); // fs_rdwr.c diff --git a/src/firejail/main.c b/src/firejail/main.c index 1c2f021bb..1621d810f 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -276,6 +276,9 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { #endif #ifndef HAVE_FILE_TRANSFER printf("File transfer support is disabled.\n"); +#endif +#ifndef HAVE_WHITELIST + printf("whitelisting support is disabled.\n"); #endif exit(0); } 
@@ -1114,14 +1117,24 @@ int main(int argc, char **argv) { profile_check_line(line, 0, NULL); // will exit if something wrong profile_add(line); } + +#ifdef HAVE_WHITELIST else if (strncmp(argv[i], "--whitelist=", 12) == 0) { - char *line; - if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1) - errExit("asprintf"); - - profile_check_line(line, 0, NULL); // will exit if something wrong - profile_add(line); + if (checkcfg(CFG_WHITELIST)) { + char *line; + if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1) + errExit("asprintf"); + + profile_check_line(line, 0, NULL); // will exit if something wrong + profile_add(line); + } + else { + fprintf(stderr, "Error: whitelist feature is disabled in Firejail configuration file\n"); + exit(1); + } } +#endif + else if (strncmp(argv[i], "--read-only=", 12) == 0) { char *line; if (asprintf(&line, "read-only %s", argv[i] + 12) == -1) diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 192f36974..a64f28c9a 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -726,8 +726,16 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { else if (strncmp(ptr, "noblacklist ", 12) == 0) ptr += 12; else if (strncmp(ptr, "whitelist ", 10) == 0) { - arg_whitelist = 1; - ptr += 10; +#ifdef HAVE_WHITELIST + if (checkcfg(CFG_WHITELIST)) { + arg_whitelist = 1; + ptr += 10; + } + else + return 0; +#else + return 0; +#endif } else if (strncmp(ptr, "read-only ", 10) == 0) ptr += 10; diff --git a/src/firejail/usage.c b/src/firejail/usage.c index d2f7d9460..af1a30ac3 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -72,8 +72,9 @@ void usage(void) { printf("\tsoftware build.\n\n"); printf(" --debug-syscalls - print all recognized system calls in the current Firejail\n"); printf("\tsoftware build.\n\n"); +#ifdef HAVE_WHITELIST printf(" --debug-whitelists - debug whitelisting.\n\n"); - +#endif #ifdef HAVE_NETWORK 
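Review bot: In `profile_check_line()` a `whitelist ` line now returns 0 without any message when `CFG_WHITELIST` is off or the build lacks `HAVE_WHITELIST`, while `--whitelist=` in main.c exits with an error when the feature is disabled in the configuration file. If a return of 0 means the line is dropped (the caller is outside the hunk), a profile that relies on whitelisting to confine the home directory starts without that confinement and nothing tells the user. Print a warning before returning, e.g. `fprintf(stderr, "Warning: whitelist feature is disabled, \"%s\" ignored\n", ptr);`, or fail as the command-line path does.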
@@ -250,8 +251,9 @@ void usage(void) { printf(" --tree - print a tree of all sandboxed processes.\n\n"); printf(" --user=new_user - switch the user before starting the sandbox.\n\n"); printf(" --version - print program version and exit.\n\n"); +#ifdef HAVE_WHITELIST printf(" --whitelist=dirname_or_filename - whitelist directory or file.\n\n"); - +#endif printf(" --writable-etc - /etc directory is mounted read-write.\n\n"); printf(" --writable-var - /var directory is mounted read-write.\n\n"); diff --git a/src/man/firejail-config.txt b/src/man/firejail-config.txt index 026765f1a..6a66c7f75 100644 --- a/src/man/firejail-config.txt +++ b/src/man/firejail-config.txt @@ -25,6 +25,13 @@ Enable or disable chroot support, default enabled. \fBfile-transfer Enable or disable file transfer support, default enabled. +.TP +\fBforce-nonewprivs +Force use of nonewprivs. This mitigates the possibility of +a user abusing firejail's features to trick a privileged (suid +or file capabilities) process into loading code or configuration +that is partially under their control. Default disabled. + .TP \fBnetwork Enable or disable networking features, default enabled. @@ -45,16 +52,12 @@ Enable or disable seccomp support, default enabled. Enable or disable user namespace support, default enabled. .TP -\fBx11 -Enable or disable X11 sandboxing support, default enabled. +\fBwhitelist +Enable or disable whitelisting support, default enabled. .TP -\fBforce-nonewprivs -Force use of nonewprivs. This mitigates the possibility of -a user abusing firejail's features to trick a privileged (suid -or file capabilities) process into loading code or configuration -that is partially under their control. Default disabled. - +\fBx11 +Enable or disable X11 sandboxing support, default enabled. .TP \fBxephyr-screen -- cgit v1.2.3-70-g09d2 From 1cceda11ad83b8e46ebe4293911046a35e2a748f Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Thu, 9 Jun 2016 08:58:20 -0400 Subject: Franz messenger profile --- Makefile.in | 1 + README | 2 ++ README.md | 2 +- RELNOTES | 2 +- etc/disable-programs.inc | 2 ++ platform/debian/conffiles | 1 + 6 files changed, 8 insertions(+), 2 deletions(-) diff --git a/Makefile.in b/Makefile.in index c7897145a..7a4590bcf 100644 --- a/Makefile.in +++ b/Makefile.in @@ -191,6 +191,7 @@ realinstall: install -c -m 0644 .etc/gitter.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/gthumb.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/mpv.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/franz.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" rm -fr .etc diff --git a/README b/README index 437703b9b..d08a11680 100644 --- a/README +++ b/README @@ -25,6 +25,8 @@ Reiner Herrmann (https://github.com/reinerh) - clang-analyzer fixes - Debian reproducible build - unit testing framework +maces (https://github.com/maces) + - Franz messenger profile KellerFuchs (https://github.com/KellerFuchs) - nonewpriv support, extended profiles for this feature - make `restricted-network` prevent use of netfilter diff --git a/README.md b/README.md index efbb97f36..bc5717fb7 100644 --- a/README.md +++ b/README.md @@ -67,4 +67,4 @@ AppImage project home: https://github.com/probonopd/AppImageKit ## New security profiles -Gitter, gThumb, mpv +Gitter, gThumb, mpv, Franz messenger diff --git a/RELNOTES b/RELNOTES index 7731c88f2..c2552c533 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -1,6 +1,6 @@ firejail (0.9.41) baseline; urgency=low * work in progress... - * new profiles: Gitter, gThumb, mpv + * new profiles: Gitter, gThumb, mpv, Franz messenger -- netblue30 Tue, 31 May 2016 08:00:00 -0500 firejail (0.9.40) baseline; urgency=low diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 04cc1ac7a..6e79b3be0 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -68,6 +68,7 @@ blacklist ${HOME}/.Skype blacklist ${HOME}/.config/tox blacklist ${HOME}/.TelegramDesktop blacklist ${HOME}/.config/Gitter +blacklist ${HOME}/.config/Franz # Games blacklist ${HOME}/.hedgewars @@ -106,6 +107,7 @@ blacklist ${HOME}/.cache/wesnoth blacklist ${HOME}/.cache/0ad blacklist ${HOME}/.cache/8pecxstudios blacklist ${HOME}/.cache/xreader +blacklist ${HOME}/.cache/Franz # share blacklist ${HOME}/.local/share/epiphany diff --git a/platform/debian/conffiles b/platform/debian/conffiles index b4bbdb36a..3ada0256a 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -105,3 +105,4 @@ /etc/firejail/gitter.profile /etc/firejail/gthumb.profile /etc/firejail/mpv.profile +/etc/firejail/franz.profile -- cgit v1.2.3-70-g09d2 From c80e838a5a6d36ad0a331c43df3a576fa48fd967 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 9 Jun 2016 10:53:17 -0400 Subject: fixes --- Makefile.in | 2 +- etc/firejail.config | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile.in b/Makefile.in index 7a4590bcf..c89f9167b 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -193,7 +193,7 @@ realinstall: install -c -m 0644 .etc/mpv.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/franz.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" - sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" + install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/. rm -fr .etc # man pages rm -f firejail.1.gz diff --git a/etc/firejail.config b/etc/firejail.config index 4fcaee213..8795b0aae 100644 --- a/etc/firejail.config +++ b/etc/firejail.config @@ -33,7 +33,7 @@ # Enable or disable user namespace support, default enabled. # userns yes -# Enable or disable whitelisting support, default enabled +# Enable or disable whitelisting support, default enabled. # whitelist yes # Enable or disable X11 sandboxing support, default enabled. -- cgit v1.2.3-70-g09d2 From ecaf0cb4edcc9f216af7c0bfd238db6b2516c799 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 9 Jun 2016 12:39:21 -0400 Subject: x11 work --- etc/firejail.config | 7 +++++++ src/firejail/checkcfg.c | 21 ++++++++++++++++++++- src/firejail/firejail.h | 6 ++++-- src/firejail/x11.c | 12 +++++++++--- 4 files changed, 40 insertions(+), 6 deletions(-) diff --git a/etc/firejail.config b/etc/firejail.config index 8795b0aae..eaff4de8f 100644 --- a/etc/firejail.config +++ b/etc/firejail.config @@ -45,3 +45,10 @@ # xephyr-screen 800x600 # xephyr-screen 1024x768 # xephyr-screen 1280x1024 + +# Firejail window title in Xephry, default enabled. +# xephyr-window-title yes + +# Xephyr command extra parameters. None by default, and the declaration is commented out. +# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev +# xephyr-extra-params -grayscale 
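Review bot: The `realinstall` rule now copies `etc/firejail.config` unconditionally, so every `make install` replaces an existing `$(sysconfdir)/firejail/firejail.config` and resets settings an administrator changed, such as `force-nonewprivs` or `restricted-network`, to the shipped defaults. The `login.users` line directly above keeps its `if [ ! -f ... ]` guard. If new keys have to reach existing installs, installing the shipped file under a separate name beside the live one (constructed example: `firejail.config.new`) preserves local hardening; otherwise keep the guard.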
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index bf85436c3..a69c2831e 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -25,6 +25,7 @@ static int initialized = 0; static int cfg_val[CFG_MAX]; char *xephyr_screen = "800x600"; +char *xephyr_extra_params = ""; int checkcfg(int val) { EUID_ASSERT(); @@ -165,9 +166,27 @@ int checkcfg(int val) { if (asprintf(&xephyr_screen, "%dx%d", n1, n2) == -1) errExit("asprintf"); } + + // xephyr window title + else if (strncmp(ptr, "xephyr-window-title ", 20) == 0) { + if (strcmp(ptr + 20, "yes") == 0) + cfg_val[CFG_XEPHYR_WINDOW_TITLE] = 1; + else if (strcmp(ptr + 20, "no") == 0) + cfg_val[CFG_XEPHYR_WINDOW_TITLE] = 0; + else + goto errout; + } + + // Xephyr command extra parameters + else if (strncmp(ptr, "xephyr-extra-params ", 19) == 0) { + xephyr_extra_params = strdup(ptr + 19); + if (!xephyr_extra_params) + errExit("strdup"); + } + else goto errout; - + free(ptr); } diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 026273aa3..6d64ce4cd 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -550,7 +550,6 @@ int x11_display(void); void x11_start(int argc, char **argv); void x11_start_xpra(int argc, char **argv); void x11_start_xephyr(int argc, char **argv); -extern char *xephyr_screen; // ls.c #define SANDBOX_FS_LS 0 @@ -569,7 +568,10 @@ void sandboxfs(int op, pid_t pid, const char *patqh); #define CFG_RESTRICTED_NETWORK 7 #define CFG_FORCE_NONEWPRIVS 8 #define CFG_WHITELIST 9 -#define CFG_MAX 10 // this should always be the last entry +#define CFG_XEPHYR_WINDOW_TITLE 10 +#define CFG_MAX 11 // this should always be the last entry +extern char *xephyr_screen; +extern char *xephyr_extra_params; int checkcfg(int val); // fs_rdwr.c diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 300078872..c742ff567 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c 
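Review bot: The new `xephyr-extra-params` branch in `checkcfg()` compares only 19 characters although the literal `"xephyr-extra-params "` is 20 long. The trailing space is therefore not required, any key that merely starts with `xephyr-extra-params` is accepted, and `ptr + 19` keeps the separator in the stored value. Use 20 in both places, as the `xephyr-window-title ` branch above does: `else if (strncmp(ptr, "xephyr-extra-params ", 20) == 0) {` and `xephyr_extra_params = strdup(ptr + 20);`. checkcfg's body starts and ends outside the hunk.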
@@ -187,9 +187,15 @@ void x11_start_xephyr(int argc, char **argv) { // start xephyr char *cmd1; - if (asprintf(&cmd1, "Xephyr -ac -br -title \"firejail x11 sandbox\" -noreset -screen %s :%d", xephyr_screen, display) == -1) - errExit("asprintf"); - + if (checkcfg(CFG_XEPHYR_WINDOW_TITLE)) { + if (asprintf(&cmd1, "Xephyr -ac -br -title \"firejail x11 sandbox\" %s -noreset -screen %s :%d", xephyr_extra_params, xephyr_screen, display) == -1) + errExit("asprintf"); + } + else { + if (asprintf(&cmd1, "Xephyr -ac -br %s -noreset -screen %s :%d", xephyr_extra_params, xephyr_screen, display) == -1) + errExit("asprintf"); + } + int len = 50; // DISPLAY... for (i = 0; i < argc; i++) { len += strlen(argv[i]) + 1; // + ' ' -- cgit v1.2.3-70-g09d2 From 783251e0749e27e28b3ac54b5047f10cf1c44016 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 10 Jun 2016 08:40:24 -0400 Subject: private-bin conversion --- README.md | 4 +++ etc/deluge.profile | 5 ++- etc/disable-devel.inc | 3 +- etc/mpv.profile | 4 +++ etc/qbittorrent.profile | 3 ++ etc/rtorrent.profile | 3 ++ etc/transmission-gtk.profile | 5 ++- etc/transmission-qt.profile | 5 ++- etc/vlc.profile | 5 +++ src/man/firejail.txt | 2 +- test/apps/apps.sh | 9 +++++ test/apps/qbittorrent.exp | 83 ++++++++++++++++++++++++++++++++++++++++++++ 12 files changed, 125 insertions(+), 6 deletions(-) create mode 100755 test/apps/qbittorrent.exp diff --git a/README.md b/README.md index bc5717fb7..029a7c904 100644 --- a/README.md +++ b/README.md @@ -65,6 +65,10 @@ More packages build by AppImage developer Simon Peter: https://bintray.com/probo AppImage project home: https://github.com/probonopd/AppImageKit +## Converting profiles to private-bin - work in progress + +BitTorrent profiles converted to private-bin: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt + ## New security profiles Gitter, gThumb, mpv, Franz messenger diff --git a/etc/deluge.profile b/etc/deluge.profile index 277ecc15e..87a17423b 100644 
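Review bot: `xephyr_extra_params` is pasted from firejail.config into the `Xephyr` command string in both `asprintf` calls with no check on its content. How `cmd1` is executed is outside the hunk; if it is split on whitespace or handed to a shell, quotes or metacharacters in the config value alter the command instead of reaching Xephyr as arguments. A comment above the `if` such as `// xephyr_extra_params comes from the administrator-controlled firejail.config and is trusted as-is` would state the assumption, and a character check in checkcfg would enforce it. x11_start_xephyr's body starts and ends outside the hunk.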
--- a/etc/deluge.profile +++ b/etc/deluge.profile @@ -1,4 +1,4 @@ -# deluge bittorernt client profile +# deluge bittorrernt client profile include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc # deluge is using python on Debian @@ -12,3 +12,6 @@ noroot nosound protocol unix,inet,inet6 seccomp + +shell none +private-bin deluge,sh,python,uname diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc index 0c9d21d39..99f059c44 100644 --- a/etc/disable-devel.inc +++ b/etc/disable-devel.inc @@ -37,8 +37,7 @@ blacklist /usr/lib/php* blacklist /usr/bin/ruby blacklist /usr/lib/ruby -# disabled temporarily pending globbing implementation -# in noblacklist command and firefox profile fix +# Programs using python: deluge, some firefox addons # Python 2 #blacklist /usr/bin/python2* #blacklist /usr/lib/python2* diff --git a/etc/mpv.profile b/etc/mpv.profile index 0a8a6103f..cbed7e8c6 100644 --- a/etc/mpv.profile +++ b/etc/mpv.profile @@ -12,3 +12,7 @@ nonewprivs noroot protocol unix,inet,inet6 seccomp + +# to test +shell none +private-bin mpv diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index cbf898502..bb97a880b 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile @@ -11,3 +11,6 @@ noroot nosound protocol unix,inet,inet6 seccomp + +shell none +private-bin qbittorrent diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index 0be5e15d1..c196370a2 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile @@ -11,3 +11,6 @@ noroot nosound protocol unix,inet,inet6 seccomp + +shell none +private-bin rtorrent diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index 5aef32d45..e8d0e25e7 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile @@ -1,4 +1,4 @@ -# transmission-gtk profile +# transmission-gtk bittorrent profile noblacklist ${HOME}/.config/transmission noblacklist ${HOME}/.cache/transmission 
@@ -15,3 +15,6 @@ nosound protocol unix,inet,inet6 seccomp tracelog + +shell none +private-bin transmission-gtk diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index d8ab1c60d..fd3a98aad 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile @@ -1,4 +1,4 @@ -# transmission-qt profile +# transmission-qt bittorrent profile noblacklist ${HOME}/.config/transmission noblacklist ${HOME}/.cache/transmission @@ -15,3 +15,6 @@ nosound protocol unix,inet,inet6 seccomp tracelog + +shell none +private-bin transmission-qt diff --git a/etc/vlc.profile b/etc/vlc.profile index f8eebd376..e225e80e9 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile @@ -12,3 +12,8 @@ nonewprivs noroot protocol unix,inet,inet6 seccomp + + +# to test +shell none +private-bin vlc diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 71a73a02d..d72deab2f 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -1206,7 +1206,7 @@ sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotif add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup, io_destroy, io_getevents, io_submit, io_cancel, remap_file_pages, mbind, get_mempolicy, set_mempolicy, -migrate_pages, move_pages, vmsplice, perf_event_open, chroot, +migrate_pages, move_pages, vmsplice, chroot, tuxcall, reboot, mfsservctl and get_kernel_syms. .br diff --git a/test/apps/apps.sh b/test/apps/apps.sh index 37d66d609..3ecc161a1 100755 --- a/test/apps/apps.sh +++ b/test/apps/apps.sh @@ -60,6 +60,15 @@ else echo "TESTING SKIP: transmission-qt not found" fi +which qbittorrent +if [ "$?" -eq 0 ]; +then + echo "TESTING: qbittorrent" + ./qbittorrent.exp +else + echo "TESTING SKIP: qbittorrent not found" +fi + which evince if [ "$?" -eq 0 ]; then diff --git a/test/apps/qbittorrent.exp b/test/apps/qbittorrent.exp new file mode 100755 index 000000000..4f3f7c362 --- /dev/null +++ b/test/apps/qbittorrent.exp 
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail qbittorrent\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Reading profile /etc/firejail/qbittorrent.profile"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 5
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.1\n";exit}
+ "qbittorrent"
+}
+sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+ timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+ "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+ "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ ":firejail qbittorrent"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+ "Seccomp: 2"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1\n";exit}
+ "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ ":firejail qbittorrent"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.1\n";exit}
+ "CapBnd:"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.2\n";exit}
+ "0000000000000000"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.3\n";exit}
+ "name=blablabla"
+}
+sleep 1
+
+puts "\n"
+
-- cgit v1.2.3-70-g09d2 From ca592b90f11fff9737731c69d1e1e2439b6e3c44 Mon Sep 17 00:00:00 2001
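Review bot: Every failure branch in this new script ends in a bare `exit`, which returns status 0, so any caller that checks the exit code cannot tell a timeout from a pass; `timeout {puts "TESTING ERROR 0\n";exit 1}` would make failures visible. The script also never checks the restriction the commit introduces: it asserts the seccomp state and the capability bounding set, but nothing confirms that `private-bin` took effect inside the sandbox. The label `TESTING ERROR 5.1` is used for two different checks, which makes a failure report ambiguous. The same points apply to `filezilla.exp`, `gthumb.exp` and `uget-gtk.exp` added later on this page.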
From: netblue30 Date: Fri, 10 Jun 2016 08:56:55 -0400 Subject: private-bin conversion --- README.md | 1 + etc/disable-devel.inc | 2 +- etc/filezilla.profile | 3 ++ test/apps/apps.sh | 9 ++++++ test/apps/filezilla.exp | 83 +++++++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 97 insertions(+), 1 deletion(-) create mode 100755 test/apps/filezilla.exp diff --git a/README.md b/README.md index 029a7c904..8c2e9d9b6 100644 --- a/README.md +++ b/README.md @@ -68,6 +68,7 @@ AppImage project home: https://github.com/probonopd/AppImageKit ## Converting profiles to private-bin - work in progress BitTorrent profiles converted to private-bin: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt +File transfer: filezilla ## New security profiles diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc index 99f059c44..8c18ec2c3 100644 --- a/etc/disable-devel.inc +++ b/etc/disable-devel.inc @@ -37,7 +37,7 @@ blacklist /usr/lib/php* blacklist /usr/bin/ruby blacklist /usr/lib/ruby -# Programs using python: deluge, some firefox addons +# Programs using python: deluge, some firefox addons, filezilla # Python 2 #blacklist /usr/bin/python2* #blacklist /usr/lib/python2* diff --git a/etc/filezilla.profile b/etc/filezilla.profile index 3cb4890e2..35663f2fa 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile @@ -13,3 +13,6 @@ noroot nosound protocol unix,inet,inet6 seccomp + +shell none +private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp diff --git a/test/apps/apps.sh b/test/apps/apps.sh index 3ecc161a1..fa56ce370 100755 --- a/test/apps/apps.sh +++ b/test/apps/apps.sh @@ -69,6 +69,15 @@ else echo "TESTING SKIP: qbittorrent not found" fi +which filezilla +if [ "$?" -eq 0 ]; +then + echo "TESTING: filezilla" + ./filezilla.exp +else + echo "TESTING SKIP: filezilla not found" +fi + which evince if [ "$?" -eq 0 ]; then diff --git a/test/apps/filezilla.exp b/test/apps/filezilla.exp new file mode 100755 index 000000000..7f232f311 --- /dev/null 
+++ b/test/apps/filezilla.exp
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail filezilla\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Reading profile /etc/firejail/filezilla.profile"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.1\n";exit}
+ "filezilla"
+}
+sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+ timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+ "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+ "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ ":firejail filezilla"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+ "Seccomp: 2"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1\n";exit}
+ "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ ":firejail filezilla"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.1\n";exit}
+ "CapBnd:"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.2\n";exit}
+ "0000000000000000"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.3\n";exit}
+ "name=blablabla"
+}
+sleep 1
+
+puts "\nall done\n"
+
-- cgit v1.2.3-70-g09d2 From f48ed55fcbabbbe044e6d708960f56c309e4293e Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 10 Jun 2016 09:10:17 -0400 Subject: private-bin conversion --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md index 8c2e9d9b6..36fb99f3d 100644 --- a/README.md +++ b/README.md @@ -65,9 +65,10 @@ More packages build by AppImage developer Simon Peter: https://bintray.com/probo AppImage project home: https://github.com/probonopd/AppImageKit -## Converting profiles to private-bin - work in progress +## Converting profiles to private-bin - work in progress! BitTorrent profiles converted to private-bin: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt + File transfer: filezilla ## New security profiles -- cgit v1.2.3-70-g09d2 From e3abab47dcda4dba4a1412261e35cb1608ffd900 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 10 Jun 2016 10:41:57 -0400 Subject: private-bin conversion --- README.md | 4 +++ etc/cherrytree.profile | 9 +++++ etc/disable-devel.inc | 2 +- etc/evince.profile | 3 ++ etc/fbreader.profile | 3 ++ etc/gnome-mplayer.profile | 3 ++ etc/gthumb.profile | 2 +- etc/vlc.profile | 2 +- src/firejail/main.c | 1 - test/apps/apps.sh | 10 ++++++ test/apps/gthumb.exp | 83 +++++++++++++++++++++++++++++++++++++++++++++++ 11 files changed, 118 insertions(+), 4 deletions(-) create mode 100755 test/apps/gthumb.exp diff --git a/README.md b/README.md index 36fb99f3d..db0625d43 100644 --- a/README.md +++ b/README.md @@ -71,6 +71,10 @@ BitTorrent profiles converted to private-bin: deluge, qbittorrent, rtorrent, tra File transfer: filezilla +Media: vlc, mpv, gnome-mplayer + +Office: evince, gthumb, fbreader + ## New security profiles Gitter, gThumb, mpv, Franz messenger diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index bc6fe1d86..7b6238d98 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile 
@@ -24,3 +24,12 @@ protocol unix,inet,inet6,netlink tracelog include /etc/firejail/whitelist-common.inc + +# no private-bin support for various reasons: +#10:25:34 exec 11249 (root) NEW SANDBOX: /usr/bin/firejail /usr/bin/cherrytree +#10:25:34 exec 11252 (netblue) /bin/bash -c "/usr/bin/cherrytree" +#10:25:34 exec 11252 (netblue) /usr/bin/python /usr/bin/cherrytree +#10:25:34 exec 11253 (netblue) sh -c /sbin/ldconfig -p 2>/dev/null +#10:25:34 exec 11255 (netblue) sh -c if type gcc >/dev/null 2>&1; then CC=gcc; elif type cc >/dev/null 2>&1; then CC=cc;else exit 10; fi;LANG=C LC_ALL=C $CC -Wl,-t -o /tmp/tmpiYr44S 2>&1 -llibc +# it requires acces to browser to show the online help +# it doesn't play nicely with expect diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc index 8c18ec2c3..071a82f76 100644 --- a/etc/disable-devel.inc +++ b/etc/disable-devel.inc @@ -37,7 +37,7 @@ blacklist /usr/lib/php* blacklist /usr/bin/ruby blacklist /usr/lib/ruby -# Programs using python: deluge, some firefox addons, filezilla +# Programs using python: deluge, firefox addons, filezilla, cherrytree # Python 2 #blacklist /usr/bin/python2* #blacklist /usr/lib/python2* diff --git a/etc/evince.profile b/etc/evince.profile index 8c84a1daa..8671c1251 100644 --- a/etc/evince.profile +++ b/etc/evince.profile @@ -10,3 +10,6 @@ noroot nosound protocol unix,inet,inet6 seccomp + +shell none +private-bin evince,evince-previewer,evince-thumbnailer diff --git a/etc/fbreader.profile b/etc/fbreader.profile index c4d84691c..df359e50a 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile @@ -13,3 +13,6 @@ noroot nosound protocol unix,inet,inet6 seccomp + +shell none +private-bin fbreader,FBReader \ No newline at end of file diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile index f15778534..1caea177d 100644 --- a/etc/gnome-mplayer.profile +++ b/etc/gnome-mplayer.profile @@ -9,3 +9,6 @@ nonewprivs noroot protocol unix,inet,inet6 seccomp + +shell none +private-bin gnome-mplayer 
diff --git a/etc/gthumb.profile b/etc/gthumb.profile index 55041b5cc..68d6a52d9 100644 --- a/etc/gthumb.profile +++ b/etc/gthumb.profile @@ -13,5 +13,5 @@ noroot protocol unix,inet,inet6 seccomp -private-bin gthumb shell none +private-bin gthumb diff --git a/etc/vlc.profile b/etc/vlc.profile index e225e80e9..1a6e5a151 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile @@ -16,4 +16,4 @@ seccomp # to test shell none -private-bin vlc +private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc diff --git a/src/firejail/main.c b/src/firejail/main.c index 1621d810f..d027eb697 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -135,7 +135,6 @@ static void myexit(int rv) { } static void my_handler(int s){ -printf("**************************\n"); EUID_ROOT(); if (!arg_quiet) { printf("\nParent received signal %d, shutting down the child process...\n", s); diff --git a/test/apps/apps.sh b/test/apps/apps.sh index fa56ce370..bbfe2a606 100755 --- a/test/apps/apps.sh +++ b/test/apps/apps.sh @@ -87,6 +87,16 @@ else echo "TESTING SKIP: evince not found" fi + +which gthumb +if [ "$?" -eq 0 ]; +then + echo "TESTING: gthumb" + ./gthumb.exp +else + echo "TESTING SKIP: gthumb not found" +fi + which icedove if [ "$?" -eq 0 ]; then diff --git a/test/apps/gthumb.exp b/test/apps/gthumb.exp new file mode 100755 index 000000000..86bb975ba --- /dev/null +++ b/test/apps/gthumb.exp 
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail gthumb\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Reading profile /etc/firejail/gthumb.profile"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.1\n";exit}
+ "gthumb"
+}
+sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+ timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+ "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+ "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ ":firejail gthumb"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+ "Seccomp: 2"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1\n";exit}
+ "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ ":firejail gthumb"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.1\n";exit}
+ "CapBnd:"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.2\n";exit}
+ "0000000000000000"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.3\n";exit}
+ "name=blablabla"
+}
+sleep 1
+
+puts "\nall done\n"
+
-- cgit v1.2.3-70-g09d2 From f5b452bc4276ff2abecae522d9598441899293f1 Mon Sep 17 00:00:00 2001
From: netblue30 Date: Fri, 10 Jun 2016 11:22:24 -0400 Subject: private-bin conversion --- README.md | 2 +- etc/deluge.profile | 1 + etc/disable-devel.inc | 2 +- etc/evince.profile | 1 + etc/fbreader.profile | 3 +- etc/filezilla.profile | 1 + etc/gthumb.profile | 1 + etc/hexchat.profile | 2 ++ etc/qbittorrent.profile | 1 + etc/rtorrent.profile | 1 + etc/transmission-gtk.profile | 1 + etc/transmission-qt.profile | 1 + etc/uget-gtk.profile | 4 +++ etc/weechat.profile | 4 +++ etc/xchat.profile | 2 ++ test/apps/apps.sh | 9 +++++ test/apps/uget-gtk.exp | 83 ++++++++++++++++++++++++++++++++++++++++++++ 17 files changed, 116 insertions(+), 3 deletions(-) create mode 100755 test/apps/uget-gtk.exp diff --git a/README.md b/README.md index db0625d43..69890ffaf 100644 --- a/README.md +++ b/README.md @@ -67,7 +67,7 @@ AppImage project home: https://github.com/probonopd/AppImageKit ## Converting profiles to private-bin - work in progress! -BitTorrent profiles converted to private-bin: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt +BitTorrent: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt, uget-gtk File transfer: filezilla diff --git a/etc/deluge.profile b/etc/deluge.profile index 87a17423b..96df13a73 100644 --- a/etc/deluge.profile +++ b/etc/deluge.profile @@ -15,3 +15,4 @@ seccomp shell none private-bin deluge,sh,python,uname +whitelist /tmp/.X11-unix diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc index 071a82f76..4e401055a 100644 --- a/etc/disable-devel.inc +++ b/etc/disable-devel.inc @@ -37,7 +37,7 @@ blacklist /usr/lib/php* blacklist /usr/bin/ruby blacklist /usr/lib/ruby -# Programs using python: deluge, firefox addons, filezilla, cherrytree +# Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat # Python 2 #blacklist /usr/bin/python2* #blacklist /usr/lib/python2* diff --git a/etc/evince.profile b/etc/evince.profile index 8671c1251..320d55fad 100644 --- a/etc/evince.profile 
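Review bot: The added `whitelist /tmp/.X11-unix` in `deluge.profile` is repeated across the profiles in this commit without a comment, and it has two effects a maintainer should be told about. As far as I know a whitelist entry under /tmp hides the rest of that directory from the sandbox, which looks like the intended hardening, but it deliberately keeps the X11 socket reachable, so the application still shares the X server with every other client on the display. A line such as `# hide /tmp except the X11 socket directory` above the entry would record the intent. `rtorrent.profile` receives the same line although rtorrent is, to my knowledge, a console program, so there the socket could probably stay hidden. The hunks for evince, fbreader, filezilla, gthumb, qbittorrent, transmission-gtk, transmission-qt and uget-gtk follow the same pattern.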
+++ b/etc/evince.profile @@ -13,3 +13,4 @@ seccomp shell none private-bin evince,evince-previewer,evince-thumbnailer +whitelist /tmp/.X11-unix diff --git a/etc/fbreader.profile b/etc/fbreader.profile index df359e50a..f155b02af 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile @@ -15,4 +15,5 @@ protocol unix,inet,inet6 seccomp shell none -private-bin fbreader,FBReader \ No newline at end of file +private-bin fbreader,FBReader +whitelist /tmp/.X11-unix diff --git a/etc/filezilla.profile b/etc/filezilla.profile index 35663f2fa..c146dba13 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile @@ -16,3 +16,4 @@ seccomp shell none private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp +whitelist /tmp/.X11-unix diff --git a/etc/gthumb.profile b/etc/gthumb.profile index 68d6a52d9..2d6cd160c 100644 --- a/etc/gthumb.profile +++ b/etc/gthumb.profile @@ -15,3 +15,4 @@ seccomp shell none private-bin gthumb +whitelist /tmp/.X11-unix diff --git a/etc/hexchat.profile b/etc/hexchat.profile index a584d25c5..4e829c379 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile @@ -17,3 +17,5 @@ mkdir ~/.config mkdir ~/.config/hexchat whitelist ~/.config/hexchat include /etc/firejail/whitelist-common.inc + +# private-bin requires perl, python, etc. diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index bb97a880b..bc87ad5c8 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile @@ -14,3 +14,4 @@ seccomp shell none private-bin qbittorrent +whitelist /tmp/.X11-unix diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index c196370a2..97c2335a8 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile @@ -14,3 +14,4 @@ seccomp shell none private-bin rtorrent +whitelist /tmp/.X11-unix diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index e8d0e25e7..80d71d615 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile 
@@ -18,3 +18,4 @@ tracelog shell none private-bin transmission-gtk +whitelist /tmp/.X11-unix diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index fd3a98aad..dfb600871 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile @@ -18,3 +18,4 @@ tracelog shell none private-bin transmission-qt +whitelist /tmp/.X11-unix diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile index 02c7f56bf..591a82af4 100644 --- a/etc/uget-gtk.profile +++ b/etc/uget-gtk.profile @@ -17,3 +17,7 @@ mkdir ~/.config mkdir ~/.config/uGet whitelist ~/.config/uGet include /etc/firejail/whitelist-common.inc + +shell none +private-bin uget-gtk +whitelist /tmp/.X11-unix diff --git a/etc/weechat.profile b/etc/weechat.profile index 6cfe58420..410061278 100644 --- a/etc/weechat.profile +++ b/etc/weechat.profile @@ -9,3 +9,7 @@ nonewprivs noroot protocol unix,inet,inet6 seccomp + +# no private-bin support for various reasons: +# Plugins loaded: alias, aspell, charset, exec, fifo, guile, irc, +# logger, lua, perl, python, relay, ruby, script, tcl, trigger, xferloading plugins \ No newline at end of file diff --git a/etc/xchat.profile b/etc/xchat.profile index 061c4f3da..1f2865cab 100644 --- a/etc/xchat.profile +++ b/etc/xchat.profile @@ -10,3 +10,5 @@ nonewprivs noroot protocol unix,inet,inet6 seccomp + +# private-bin requires perl, python, etc. diff --git a/test/apps/apps.sh b/test/apps/apps.sh index bbfe2a606..c329c57e5 100755 --- a/test/apps/apps.sh +++ b/test/apps/apps.sh @@ -69,6 +69,15 @@ else echo "TESTING SKIP: qbittorrent not found" fi +which uget-gtk +if [ "$?" -eq 0 ]; +then + echo "TESTING: uget" + ./uget-gtk.exp +else + echo "TESTING SKIP: uget-gtk not found" +fi + which filezilla if [ "$?" -eq 0 ]; then diff --git a/test/apps/uget-gtk.exp b/test/apps/uget-gtk.exp new file mode 100755 index 000000000..47fa5849b --- /dev/null +++ b/test/apps/uget-gtk.exp 
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail uget-gtk\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Reading profile /etc/firejail/uget-gtk.profile"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.1\n";exit}
+ "uget-gtk"
+}
+sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+ timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+ "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+ "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ ":firejail uget-gtk"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+ "Seccomp: 2"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1\n";exit}
+ "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ ":firejail uget-gtk"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.1\n";exit}
+ "CapBnd:"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.2\n";exit}
+ "0000000000000000"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.3\n";exit}
+ "name=blablabla"
+}
+sleep 1
+
+puts "\nall done\n"
+
-- cgit v1.2.3-70-g09d2 From 2e4bd3028464e92a1fcb1c94a530bca0950a20da Mon Sep 17 00:00:00 2001
From: netblue30 Date: Fri, 10 Jun 2016 13:15:27 -0400 Subject: testing --- test/apps/chromium.exp | 6 +++--- test/apps/deluge.exp | 6 +++--- test/apps/evince.exp | 6 +++--- test/apps/fbreader.exp | 6 +++--- test/apps/filezilla.exp | 6 +++--- test/apps/firefox.exp | 6 +++--- test/apps/gnome-mplayer.exp | 8 ++++---- test/apps/gthumb.exp | 6 +++--- test/apps/hexchat.exp | 6 +++--- test/apps/icedove.exp | 6 +++--- test/apps/midori.exp | 8 ++++---- test/apps/opera.exp | 6 +++--- test/apps/qbittorrent.exp | 8 ++++---- test/apps/transmission-gtk.exp | 8 ++++---- test/apps/transmission-qt.exp | 8 ++++---- test/apps/uget-gtk.exp | 6 +++--- test/apps/vlc.exp | 6 +++--- test/apps/weechat.exp | 6 +++--- test/apps/xchat.exp | 6 +++--- 19 files changed, 62 insertions(+), 62 deletions(-) diff --git a/test/apps/chromium.exp b/test/apps/chromium.exp index 98ea66a51..c01f9a54d 100755 --- a/test/apps/chromium.exp +++ b/test/apps/chromium.exp @@ -28,7 +28,7 @@ expect { timeout {puts "TESTING ERROR 3.1\n";exit} "chromium" } -sleep 1 +after 100 # grsecurity exit send -- "file /proc/sys/kernel/grsecurity\r" @@ -59,7 +59,7 @@ expect { timeout {puts "TESTING ERROR 5.1\n";exit} "name=blablabla" } -sleep 1 +after 100 send -- "firemon --caps\r" expect { timeout {puts "TESTING ERROR 6\n";exit} @@ -77,7 +77,7 @@ expect { timeout {puts "TESTING ERROR 6.3\n";exit} "name=blablabla" } -sleep 1 +after 100 puts "\n" diff --git a/test/apps/deluge.exp b/test/apps/deluge.exp index 5142ac184..df7899b51 100755 --- a/test/apps/deluge.exp +++ b/test/apps/deluge.exp @@ -28,7 +28,7 @@ expect { timeout {puts "TESTING ERROR 3.1\n";exit} "deluge" } -sleep 1 +after 100 # grsecurity exit send -- "file /proc/sys/kernel/grsecurity\r" @@ -59,7 +59,7 @@ expect { timeout {puts "TESTING ERROR 5.1\n";exit} "name=blablabla" } -sleep 1 +after 100 send -- "firemon --caps\r" expect { timeout {puts "TESTING ERROR 6\n";exit} 
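Review bot: The new `after 100` in the first `chromium.exp` hunk waits 100 milliseconds, while the `sleep` calls the scripts keep elsewhere take seconds, and nothing in the files says so. A one-line comment at the first use, `# after: delay in milliseconds (sleep takes seconds)`, would prevent the two from being misread as the same unit. The replacement is repeated in every hunk of this commit. The start-up pauses cut from `sleep 10` to 5 or 3 seconds in `gnome-mplayer.exp`, `midori.exp`, `transmission-gtk.exp` and `transmission-qt.exp` may be tight on a slow test machine and deserve the same kind of comment.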
@@ -77,7 +77,7 @@ expect { timeout {puts "TESTING ERROR 6.3\n";exit} "name=blablabla" } -sleep 1 +after 100 puts "\n" diff --git a/test/apps/evince.exp b/test/apps/evince.exp index e129a00fa..0c1efcf59 100755 --- a/test/apps/evince.exp +++ b/test/apps/evince.exp @@ -28,7 +28,7 @@ expect { timeout {puts "TESTING ERROR 3.1\n";exit} "evince" } -sleep 1 +after 100 # grsecurity exit send -- "file /proc/sys/kernel/grsecurity\r" @@ -59,7 +59,7 @@ expect { timeout {puts "TESTING ERROR 5.1\n";exit} "name=blablabla" } -sleep 1 +after 100 send -- "firemon --caps\r" expect { timeout {puts "TESTING ERROR 6\n";exit} @@ -77,7 +77,7 @@ expect { timeout {puts "TESTING ERROR 6.3\n";exit} "name=blablabla" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/apps/fbreader.exp b/test/apps/fbreader.exp index aa9d77c1c..30fbb1a77 100755 --- a/test/apps/fbreader.exp +++ b/test/apps/fbreader.exp @@ -28,7 +28,7 @@ expect { timeout {puts "TESTING ERROR 3.1\n";exit} "fbreader" } -sleep 1 +after 100 # grsecurity exit send -- "file /proc/sys/kernel/grsecurity\r" @@ -59,7 +59,7 @@ expect { timeout {puts "TESTING ERROR 5.1\n";exit} "name=blablabla" } -sleep 1 +after 100 send -- "firemon --caps\r" expect { timeout {puts "TESTING ERROR 6\n";exit} @@ -77,7 +77,7 @@ expect { timeout {puts "TESTING ERROR 6.3\n";exit} "name=blablabla" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/apps/filezilla.exp b/test/apps/filezilla.exp index 7f232f311..1533eae69 100755 --- a/test/apps/filezilla.exp +++ b/test/apps/filezilla.exp @@ -28,7 +28,7 @@ expect { timeout {puts "TESTING ERROR 3.1\n";exit} "filezilla" } -sleep 1 +after 100 # grsecurity exit send -- "file /proc/sys/kernel/grsecurity\r" @@ -59,7 +59,7 @@ expect { timeout {puts "TESTING ERROR 5.1\n";exit} "name=blablabla" } -sleep 1 +after 100 send -- "firemon --caps\r" expect { timeout {puts "TESTING ERROR 6\n";exit} 
@@ -77,7 +77,7 @@ expect { timeout {puts "TESTING ERROR 6.3\n";exit} "name=blablabla" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/apps/firefox.exp b/test/apps/firefox.exp index 5ac6b125e..64a733f98 100755 --- a/test/apps/firefox.exp +++ b/test/apps/firefox.exp @@ -33,7 +33,7 @@ expect { timeout {puts "TESTING ERROR 3.2\n";exit} "no-remote" } -sleep 1 +after 100 # grsecurity exit send -- "file /proc/sys/kernel/grsecurity\r" @@ -70,7 +70,7 @@ expect { timeout {puts "TESTING ERROR 5.1\n";exit} "name=blablabla" } -sleep 1 +after 100 send -- "firemon --caps\r" expect { timeout {puts "TESTING ERROR 6\n";exit} @@ -93,7 +93,7 @@ expect { timeout {puts "TESTING ERROR 6.3\n";exit} "name=blablabla" } -sleep 1 +after 100 puts "\n" diff --git a/test/apps/gnome-mplayer.exp b/test/apps/gnome-mplayer.exp index b460a5d79..aa0ef44fb 100755 --- a/test/apps/gnome-mplayer.exp +++ b/test/apps/gnome-mplayer.exp @@ -16,7 +16,7 @@ expect { timeout {puts "TESTING ERROR 1\n";exit} "Child process initialized" } -sleep 10 +sleep 5 spawn $env(SHELL) send -- "firejail --list\r" @@ -28,7 +28,7 @@ expect { timeout {puts "TESTING ERROR 3.1\n";exit} "gnome-mplayer" } -sleep 1 +after 100 # grsecurity exit send -- "file /proc/sys/kernel/grsecurity\r" @@ -59,7 +59,7 @@ expect { timeout {puts "TESTING ERROR 5.1\n";exit} "name=blablabla" } -sleep 1 +after 100 send -- "firemon --caps\r" expect { timeout {puts "TESTING ERROR 6\n";exit} @@ -77,7 +77,7 @@ expect { timeout {puts "TESTING ERROR 6.3\n";exit} "name=blablabla" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/apps/gthumb.exp b/test/apps/gthumb.exp index 86bb975ba..8dcd2fcd0 100755 --- a/test/apps/gthumb.exp +++ b/test/apps/gthumb.exp @@ -28,7 +28,7 @@ expect { timeout {puts "TESTING ERROR 3.1\n";exit} "gthumb" } -sleep 1 +after 100 # grsecurity exit send -- "file /proc/sys/kernel/grsecurity\r" 
@@ -59,7 +59,7 @@ expect { timeout {puts "TESTING ERROR 5.1\n";exit} "name=blablabla" } -sleep 1 +after 100 send -- "firemon --caps\r" expect { timeout {puts "TESTING ERROR 6\n";exit} @@ -77,7 +77,7 @@ expect { timeout {puts "TESTING ERROR 6.3\n";exit} "name=blablabla" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/apps/hexchat.exp b/test/apps/hexchat.exp index a24ccbf91..a66cc52cc 100755 --- a/test/apps/hexchat.exp +++ b/test/apps/hexchat.exp @@ -28,7 +28,7 @@ expect { timeout {puts "TESTING ERROR 3.1\n";exit} "hexchat" } -sleep 1 +after 100 # grsecurity exit send -- "file /proc/sys/kernel/grsecurity\r" @@ -59,7 +59,7 @@ expect { timeout {puts "TESTING ERROR 5.1\n";exit} "name=blablabla" } -sleep 1 +after 100 send -- "firemon --caps\r" expect { timeout {puts "TESTING ERROR 6\n";exit} @@ -77,7 +77,7 @@ expect { timeout {puts "TESTING ERROR 6.3\n";exit} "name=blablabla" } -sleep 1 +after 100 puts "\n" diff --git a/test/apps/icedove.exp b/test/apps/icedove.exp index 9ae89535e..667f6745d 100755 --- a/test/apps/icedove.exp +++ b/test/apps/icedove.exp @@ -28,7 +28,7 @@ expect { timeout {puts "TESTING ERROR 3.1\n";exit} "icedove" } -sleep 1 +after 100 # grsecurity exit send -- "file /proc/sys/kernel/grsecurity\r" @@ -59,7 +59,7 @@ expect { timeout {puts "TESTING ERROR 5.1\n";exit} "name=blablabla" } -sleep 1 +after 100 send -- "firemon --caps\r" expect { timeout {puts "TESTING ERROR 6\n";exit} @@ -77,7 +77,7 @@ expect { timeout {puts "TESTING ERROR 6.3\n";exit} "name=blablabla" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/apps/midori.exp b/test/apps/midori.exp index 2225942e8..fdd47954c 100755 --- a/test/apps/midori.exp +++ b/test/apps/midori.exp @@ -16,7 +16,7 @@ expect { timeout {puts "TESTING ERROR 1\n";exit} "Child process initialized" } -sleep 10 +sleep 5 spawn $env(SHELL) send -- "firejail --list\r" 
@@ -28,7 +28,7 @@ expect { timeout {puts "TESTING ERROR 3.1\n";exit} "midori" } -sleep 1 +after 100 # grsecurity exit send -- "file /proc/sys/kernel/grsecurity\r" @@ -59,7 +59,7 @@ expect { timeout {puts "TESTING ERROR 5.1\n";exit} "name=blablabla" } -sleep 1 +after 100 send -- "firemon --caps\r" expect { timeout {puts "TESTING ERROR 6\n";exit} @@ -77,7 +77,7 @@ expect { timeout {puts "TESTING ERROR 6.3n";exit} "name=blablabla" } -sleep 1 +after 100 puts "\n" diff --git a/test/apps/opera.exp b/test/apps/opera.exp index bfb2d6f83..b94c9dbbd 100755 --- a/test/apps/opera.exp +++ b/test/apps/opera.exp @@ -28,7 +28,7 @@ expect { timeout {puts "TESTING ERROR 3.1\n";exit} "opera" } -sleep 1 +after 100 # grsecurity exit send -- "file /proc/sys/kernel/grsecurity\r" @@ -59,7 +59,7 @@ expect { timeout {puts "TESTING ERROR 5.1\n";exit} "name=blablabla" } -sleep 1 +after 100 send -- "firemon --caps\r" expect { timeout {puts "TESTING ERROR 6\n";exit} @@ -77,7 +77,7 @@ expect { timeout {puts "TESTING ERROR 6.3\n";exit} "name=blablabla" } -sleep 1 +after 100 puts "\n" diff --git a/test/apps/qbittorrent.exp b/test/apps/qbittorrent.exp index 4f3f7c362..ee4044a84 100755 --- a/test/apps/qbittorrent.exp +++ b/test/apps/qbittorrent.exp @@ -16,7 +16,7 @@ expect { timeout {puts "TESTING ERROR 1\n";exit} "Child process initialized" } -sleep 5 +sleep 3 spawn $env(SHELL) send -- "firejail --list\r" @@ -28,7 +28,7 @@ expect { timeout {puts "TESTING ERROR 3.1\n";exit} "qbittorrent" } -sleep 1 +after 100 # grsecurity exit send -- "file /proc/sys/kernel/grsecurity\r" @@ -59,7 +59,7 @@ expect { timeout {puts "TESTING ERROR 5.1\n";exit} "name=blablabla" } -sleep 1 +after 100 send -- "firemon --caps\r" expect { timeout {puts "TESTING ERROR 6\n";exit} @@ -77,7 +77,7 @@ expect { timeout {puts "TESTING ERROR 6.3\n";exit} "name=blablabla" } -sleep 1 +after 100 puts "\n" diff --git a/test/apps/transmission-gtk.exp b/test/apps/transmission-gtk.exp index 92ed05cc4..33f4ef963 100755 
--- a/test/apps/transmission-gtk.exp +++ b/test/apps/transmission-gtk.exp @@ -12,7 +12,7 @@ expect { timeout {puts "TESTING ERROR 1\n";exit} "Child process initialized" } -sleep 10 +sleep 5 spawn $env(SHELL) send -- "firejail --list\r" @@ -24,7 +24,7 @@ expect { timeout {puts "TESTING ERROR 3.1\n";exit} "transmission-gtk" } -sleep 1 +after 100 # grsecurity exit send -- "file /proc/sys/kernel/grsecurity\r" @@ -54,7 +54,7 @@ expect { timeout {puts "TESTING ERROR 5.1\n";exit} "name=blablabla" } -sleep 1 +after 100 send -- "firemon --caps\r" expect { timeout {puts "TESTING ERROR 6\n";exit} @@ -72,7 +72,7 @@ expect { timeout {puts "TESTING ERROR 6.3\n";exit} "name=blablabla" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/apps/transmission-qt.exp b/test/apps/transmission-qt.exp index 3ea2a112f..991742106 100755 --- a/test/apps/transmission-qt.exp +++ b/test/apps/transmission-qt.exp @@ -16,7 +16,7 @@ expect { timeout {puts "TESTING ERROR 1\n";exit} "Child process initialized" } -sleep 10 +sleep 3 spawn $env(SHELL) send -- "firejail --list\r" @@ -28,7 +28,7 @@ expect { timeout {puts "TESTING ERROR 3.1\n";exit} "transmission-qt" } -sleep 1 +after 100 # grsecurity exit send -- "file /proc/sys/kernel/grsecurity\r" @@ -59,7 +59,7 @@ expect { timeout {puts "TESTING ERROR 5.1\n";exit} "name=blablabla" } -sleep 1 +after 100 send -- "firemon --caps\r" expect { timeout {puts "TESTING ERROR 6\n";exit} @@ -77,7 +77,7 @@ expect { timeout {puts "TESTING ERROR 6.3\n";exit} "name=blablabla" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/apps/uget-gtk.exp b/test/apps/uget-gtk.exp index 47fa5849b..1511a07af 100755 --- a/test/apps/uget-gtk.exp +++ b/test/apps/uget-gtk.exp @@ -28,7 +28,7 @@ expect { timeout {puts "TESTING ERROR 3.1\n";exit} "uget-gtk" } -sleep 1 +after 100 # grsecurity exit send -- "file /proc/sys/kernel/grsecurity\r" 
@@ -59,7 +59,7 @@ expect { timeout {puts "TESTING ERROR 5.1\n";exit} "name=blablabla" } -sleep 1 +after 100 send -- "firemon --caps\r" expect { timeout {puts "TESTING ERROR 6\n";exit} @@ -77,7 +77,7 @@ expect { timeout {puts "TESTING ERROR 6.3\n";exit} "name=blablabla" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/apps/vlc.exp b/test/apps/vlc.exp index 762e1fbd9..f0903c170 100755 --- a/test/apps/vlc.exp +++ b/test/apps/vlc.exp @@ -28,7 +28,7 @@ expect { timeout {puts "TESTING ERROR 3.1\n";exit} "vlc" } -sleep 1 +after 100 # grsecurity exit send -- "file /proc/sys/kernel/grsecurity\r" @@ -59,7 +59,7 @@ expect { timeout {puts "TESTING ERROR 5.1\n";exit} "name=blablabla" } -sleep 1 +after 100 send -- "firemon --caps\r" expect { timeout {puts "TESTING ERROR 6\n";exit} @@ -77,7 +77,7 @@ expect { timeout {puts "TESTING ERROR 6.3\n";exit} "name=blablabla" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/apps/weechat.exp b/test/apps/weechat.exp index af2eab1cc..b3e04da84 100755 --- a/test/apps/weechat.exp +++ b/test/apps/weechat.exp @@ -28,7 +28,7 @@ expect { timeout {puts "TESTING ERROR 3.1\n";exit} "weechat-curses" } -sleep 1 +after 100 # grsecurity exit send -- "file /proc/sys/kernel/grsecurity\r" @@ -59,7 +59,7 @@ expect { timeout {puts "TESTING ERROR 5.1\n";exit} "name=blablabla" } -sleep 1 +after 100 send -- "firemon --caps\r" expect { timeout {puts "TESTING ERROR 6\n";exit} @@ -77,7 +77,7 @@ expect { timeout {puts "TESTING ERROR 6.3\n";exit} "name=blablabla" } -sleep 1 +after 100 puts "\n" diff --git a/test/apps/xchat.exp b/test/apps/xchat.exp index bfdf581be..206397f3e 100755 --- a/test/apps/xchat.exp +++ b/test/apps/xchat.exp @@ -28,7 +28,7 @@ expect { timeout {puts "TESTING ERROR 3.1\n";exit} "xchat" } -sleep 1 +after 100 # grsecurity exit send -- "file /proc/sys/kernel/grsecurity\r" 
@@ -59,7 +59,7 @@ expect { timeout {puts "TESTING ERROR 5.1\n";exit} "name=blablabla" } -sleep 1 +after 100 send -- "firemon --caps\r" expect { timeout {puts "TESTING ERROR 6\n";exit} @@ -77,7 +77,7 @@ expect { timeout {puts "TESTING ERROR 6.3\n";exit} "name=blablabla" } -sleep 1 +after 100 puts "\n" -- cgit v1.2.3-70-g09d2 From 51187308df74ae27a551cb31fd063c92c8b44371 Mon Sep 17 00:00:00 2001 From: probonopd Date: Sat, 11 Jun 2016 09:11:12 +0200 Subject: Set $APPIMAGE and $APPDIR environment variables Partly fixes #560 --- src/firejail/appimage.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index 2d5a05b8d..930d92177 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c @@ -87,7 +87,13 @@ void appimage_set(const char *appimage_path) { if (arg_debug) printf("appimage mounted on %s\n", mntdir); EUID_USER(); + + if (mntdir && setenv("APPIMAGE", appimage_path, 1) < 0) + errExit("setenv"); + if (mntdir && setenv("APPDIR", mntdir, 1) < 0) + errExit("setenv"); + // build new command line if (asprintf(&cfg.command_line, "%s/AppRun", mntdir) == -1) errExit("asprintf"); -- cgit v1.2.3-70-g09d2 From 5b42a97993761a49abe3ba14d8dac78938033747 Mon Sep 17 00:00:00 2001 From: probonopd Date: Sat, 11 Jun 2016 09:12:15 +0200 Subject: Update appimage.c --- src/firejail/appimage.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index 930d92177..dd347a714 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c @@ -88,7 +88,7 @@ void appimage_set(const char *appimage_path) { printf("appimage mounted on %s\n", mntdir); EUID_USER(); - if (mntdir && setenv("APPIMAGE", appimage_path, 1) < 0) + if (appimage_path && setenv("APPIMAGE", appimage_path, 1) < 0) errExit("setenv"); if (mntdir && setenv("APPDIR", mntdir, 1) < 0) -- cgit v1.2.3-70-g09d2 From faf5badb5c5abe6f3487535e2fdb3b713788c021 Mon Sep 17 00:00:00 2001 
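Review bot: In the `appimage_set` hunk of src/firejail/appimage.c, the `mntdir &&` guard on the `APPDIR` line silently skips the variable when `mntdir` is NULL, yet the `asprintf(&cfg.command_line, "%s/AppRun", mntdir)` right below uses the same pointer unconditionally. If a NULL mount point can reach this spot, it should be a hard error ahead of both `setenv` calls, e.g. `if (!mntdir) errExit("appimage mount point");`; if it cannot, the guard is dead code and can be dropped. The follow-up commit on this page changes only the guard on the `APPIMAGE` line and leaves this one as it is. The function body starts and ends outside the hunk.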
From: netblue30 Date: Sat, 11 Jun 2016 09:11:03 -0400 Subject: removed private-bin from qbittorrent --- etc/qbittorrent.profile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index bc87ad5c8..b2bfe49ca 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile @@ -12,6 +12,7 @@ nosound protocol unix,inet,inet6 seccomp -shell none -private-bin qbittorrent +# there are some problems with "Open destination folder", see bug #536 +#shell none +#private-bin qbittorrent whitelist /tmp/.X11-unix -- cgit v1.2.3-70-g09d2 From cd4205802c405bfe1a8f45a159309d598765d48e Mon Sep 17 00:00:00 2001 From: geg2048 Date: Sat, 11 Jun 2016 20:47:17 +0200 Subject: kwallet typo kde and kde4 are hidden. At least on my pc --- etc/disable-common.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index a61f1b210..cff2289fd 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -95,8 +95,8 @@ read-only ${HOME}/bin blacklist ${HOME}/.ssh blacklist ${HOME}/.cert blacklist ${HOME}/.gnome2/keyrings -blacklist ${HOME}/kde4/share/apps/kwallet -blacklist ${HOME}/kde/share/apps/kwallet +blacklist ${HOME}/.kde4/share/apps/kwallet +blacklist ${HOME}/.kde/share/apps/kwallet blacklist ${HOME}/.local/share/kwalletd blacklist ${HOME}/.netrc blacklist ${HOME}/.gnupg -- cgit v1.2.3-70-g09d2 From d28f1d7157c87076771498f062f5af7e932bd20f Mon Sep 17 00:00:00 2001 
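Review bot: The etc/qbittorrent.profile hunk comments out both `shell none` and `private-bin qbittorrent`, while the commit subject mentions only private-bin. These are two separate restrictions, and the added comment does not say which of them breaks "Open destination folder" (bug #536); if the missing helper binary is the only cause, `shell none` could presumably stay active. I would extend the comment so the trade-off is on record, e.g. `# disabled for bug #536: the program is started through a shell again and sees all system binaries`.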
From: netblue30 Date: Sun, 12 Jun 2016 07:27:21 -0400 Subject: support to disable enforcing firejail.config --- README | 2 ++ RELNOTES | 3 +++ configure | 18 ++++++++++++++++++ configure.ac | 9 +++++++++ src/firejail/Makefile.in | 4 ++-- src/firejail/checkcfg.c | 5 +++++ src/firejail/fs.c | 25 +++++++++++++------------ src/firejail/main.c | 2 +- src/include/euid_common.h | 4 ++-- src/man/firecfg.txt | 2 +- src/man/firejail-config.txt | 17 +++++++++++++++++ 11 files changed, 73 insertions(+), 18 deletions(-) diff --git a/README b/README index d08a11680..05c9408ec 100644 --- a/README +++ b/README @@ -25,6 +25,8 @@ Reiner Herrmann (https://github.com/reinerh) - clang-analyzer fixes - Debian reproducible build - unit testing framework +Simon Peter (https://github.com/probonopd) + - set $APPIMAGE and $APPDIR environment variables maces (https://github.com/maces) - Franz messenger profile KellerFuchs (https://github.com/KellerFuchs) diff --git a/RELNOTES b/RELNOTES index c2552c533..04a9d7cbb 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,5 +1,8 @@ firejail (0.9.41) baseline; urgency=low * work in progress... + * compile time and run time support to disable whitelists + * compile time support to disable global configuration file + * some profiles have been converted to private-bin * new profiles: Gitter, gThumb, mpv, Franz messenger -- netblue30 Tue, 31 May 2016 08:00:00 -0500 diff --git a/configure b/configure index da7d370d3..ca0704e91 100755 --- a/configure +++ b/configure @@ -634,6 +634,7 @@ HAVE_FILE_TRANSFER HAVE_X11 HAVE_USERNS HAVE_NETWORK +HAVE_GLOBALCFG HAVE_BIND HAVE_CHROOT HAVE_SECCOMP @@ -692,6 +693,7 @@ enable_option_checking enable_seccomp enable_chroot enable_bind +enable_globalcfg enable_network enable_userns enable_x11 
@@ -1320,6 +1322,8 @@ Optional Features: --disable-seccomp disable seccomp --disable-chroot disable chroot --disable-bind disable bind + --disable-globalcfg disable global config file + (/etc/firejail/firejail.cfg) --disable-network disable network --enable-network=restricted restrict --net= to root only @@ -3102,6 +3106,19 @@ if test "x$enable_bind" != "xno"; then : HAVE_BIND="-DHAVE_BIND" +fi + +HAVE_GLOBALCFG="" +# Check whether --enable-globalcfg was given. +if test "${enable_globalcfg+set}" = set; then : + enableval=$enable_globalcfg; +fi + +if test "x$enable_globalcfg" != "xno"; then : + + HAVE_GLOBALCFG="-DHAVE_GLOBALCFG" + + fi HAVE_NETWORK="" @@ -4834,6 +4851,7 @@ echo " prefix: $prefix" echo " sysconfdir: $sysconfdir" echo " seccomp: $HAVE_SECCOMP" echo " : $HAVE_SECCOMP_H" +echo " global config: $HAVE_GLOBALCFG" echo " chroot: $HAVE_CHROOT" echo " bind: $HAVE_BIND" echo " network: $HAVE_NETWORK" diff --git a/configure.ac b/configure.ac index c9061f219..93e062518 100644 --- a/configure.ac +++ b/configure.ac @@ -33,6 +33,14 @@ AS_IF([test "x$enable_bind" != "xno"], [ AC_SUBST(HAVE_BIND) ]) +HAVE_GLOBALCFG="" +AC_ARG_ENABLE([globalcfg], + AS_HELP_STRING([--disable-globalcfg], [if the global config file firejail.cfg is not present, continue the program using defaults])) +AS_IF([test "x$enable_globalcfg" != "xno"], [ + HAVE_GLOBALCFG="-DHAVE_GLOBALCFG" + AC_SUBST(HAVE_GLOBALCFG) +]) + HAVE_NETWORK="" AC_ARG_ENABLE([network], AS_HELP_STRING([--disable-network], [disable network])) @@ -106,6 +114,7 @@ echo " prefix: $prefix" echo " sysconfdir: $sysconfdir" echo " seccomp: $HAVE_SECCOMP" echo " : $HAVE_SECCOMP_H" +echo " global config: $HAVE_GLOBALCFG" echo " chroot: $HAVE_CHROOT" echo " bind: $HAVE_BIND" echo " network: $HAVE_NETWORK" diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in index a8af1a4e0..21f415ba5 100644 --- a/src/firejail/Makefile.in +++ b/src/firejail/Makefile.in 
@@ -17,13 +17,13 @@ HAVE_USERNS=@HAVE_USERNS@ HAVE_X11=@HAVE_X11@ HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ HAVE_WHITELIST=@HAVE_WHITELIST@ - +HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ H_FILE_LIST = $(sort $(wildcard *.[h])) C_FILE_LIST = $(sort $(wildcard *.c)) OBJS = $(C_FILE_LIST:.c=.o) BINOBJS = $(foreach file, $(OBJS), $file) -CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security +CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index a69c2831e..6636e7efe 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -48,8 +48,13 @@ int checkcfg(int val) { FILE *fp = fopen(fname, "r"); if (!fp) { +#ifdef HAVE_GLOBALCFG fprintf(stderr, "Warning: Firejail configuration file %s not found\n", fname); exit(1); +#else + initialized = 1; + return cfg_val[val]; +#endif } // read configuration file diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 8cae9191c..acc03e412 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c 
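Review bot: In the `checkcfg` hunk of src/firejail/checkcfg.c, the new `#else` branch treats every `fopen` failure as "no config file" and returns the built-in `cfg_val[val]` defaults without printing anything. In a build configured with `--disable-globalcfg`, a file that exists but cannot be opened would then silently drop administrator settings such as `CFG_FORCE_NONEWPRIVS`, which main.c reads through this function. I would fall back to defaults only for a missing file and keep every other error fatal, e.g. `if (errno != ENOENT) errExit("fopen");` ahead of `initialized = 1;`. The `HAVE_GLOBALCFG` branch also prints `Warning:` immediately before `exit(1)` and says "not found" whatever the cause; the function body continues outside the hunk.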
@@ -652,26 +652,27 @@ void fs_proc_sys_dev_boot(void) { // disable firejail configuration in /etc/firejail and in ~/.config/firejail static void disable_firejail_config(void) { struct stat s; - if (stat("/etc/firejail", &s) == 0) - disable_file(BLACKLIST_FILE, "/etc/firejail"); +// if (stat("/etc/firejail", &s) == 0) +// disable_file(BLACKLIST_FILE, "/etc/firejail"); char *fname; if (asprintf(&fname, "%s/.config/firejail", cfg.homedir) == -1) errExit("asprintf"); if (stat(fname, &s) == 0) disable_file(BLACKLIST_FILE, fname); + free(fname); - if (stat("/usr/local/etc/firejail", &s) == 0) - disable_file(BLACKLIST_FILE, "/usr/local/etc/firejail"); - - if (strcmp(PREFIX, "/usr/local")) { - if (asprintf(&fname, "%s/etc/firejail", PREFIX) == -1) - errExit("asprintf"); - if (stat(fname, &s) == 0) - disable_file(BLACKLIST_FILE, fname); - } +// if (stat("/usr/local/etc/firejail", &s) == 0) +// disable_file(BLACKLIST_FILE, "/usr/local/etc/firejail"); +// +// if (strcmp(PREFIX, "/usr/local")) { +// if (asprintf(&fname, "%s/etc/firejail", PREFIX) == -1) +// errExit("asprintf"); +// if (stat(fname, &s) == 0) +// disable_file(BLACKLIST_FILE, fname); +// free(fname); +// } - free(fname); // disable run time information if (stat(RUN_FIREJAIL_NETWORK_DIR, &s) == 0) diff --git a/src/firejail/main.c b/src/firejail/main.c index d027eb697..423df3752 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -854,7 +854,7 @@ int main(int argc, char **argv) { // check for force-nonewprivs in /etc/firejail/firejail.config file - if (!option_force && checkcfg(CFG_FORCE_NONEWPRIVS)) + if (checkcfg(CFG_FORCE_NONEWPRIVS)) arg_nonewprivs = 1; // parse arguments diff --git a/src/include/euid_common.h b/src/include/euid_common.h index f07cf2868..b6d341bf4 100644 --- a/src/include/euid_common.h +++ b/src/include/euid_common.h 
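Review bot: In `disable_firejail_config` (src/firejail/fs.c), the blacklisting of `/etc/firejail`, `/usr/local/etc/firejail` and `PREFIX/etc/firejail` is switched off by commenting the code out, but the header comment above the function still says it disables the configuration in /etc/firejail. After this change only `~/.config/firejail` is masked among the configuration directories, so the system-wide profiles and firejail.config stay readable inside the sandbox unless something outside this hunk hides them. I would delete the dead lines instead of keeping them as comments and update the header to match, e.g. `// disable firejail configuration in ~/.config/firejail; /etc/firejail is left visible`, with one more sentence giving the reason. The function continues past the end of the hunk.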
@@ -36,12 +36,12 @@ extern uid_t firejail_uid; static inline void EUID_ROOT(void) { if (seteuid(0) == -1) - fprintf(stderr, "Error: cannot switch euid to root\n"); + fprintf(stderr, "Warning: cannot switch euid to root\n"); } static inline void EUID_USER(void) { if (seteuid(firejail_uid) == -1) - fprintf(stderr, "Error: cannot switch euid to user\n"); + fprintf(stderr, "Warning: cannot switch euid to user\n"); } static inline void EUID_PRINT(void) { diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt index e2e4229b0..c12bf7731 100644 --- a/src/man/firecfg.txt +++ b/src/man/firecfg.txt @@ -10,7 +10,7 @@ sandbox applications automatically, just by clicking on a regular desktop menus and icons. The symbolic links are placed in /usr/local/bin. For more information, see -DESKTOP INTEGRATION section in man 1 firejail. +\fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR. .SH OPTIONS .TP diff --git a/src/man/firejail-config.txt b/src/man/firejail-config.txt index 6a66c7f75..bc29dc977 100644 --- a/src/man/firejail-config.txt +++ b/src/man/firejail-config.txt @@ -74,6 +74,23 @@ xephyr-screen 1024x768 .br xephyr-screen 1280x1024 +.TP +\fBxephyr-window-title +Firejail window title in Xephry, default enabled. + +.TP +\fBxephyr-extra-params +Xephyr command extra parameters. None by default, and the declaration is commented out. Examples: +.br + +.br +xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev +.br +xephyr-extra-params -grayscale + +.SH COMPILE TIME CONFIGURATION +Most of the features described in this file can also be configured at compile time, please run \fB./configure --help\fR for more details. + .SH FILES /etc/firejail/firejail.config -- cgit v1.2.3-70-g09d2 From a137cfb715fab07a2e21cf2a0770d1afcd2e2119 Mon Sep 17 00:00:00 2001 
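Review bot: In src/include/euid_common.h, `EUID_USER()` now labels a failed `seteuid(firejail_uid)` as a `Warning:` and still returns normally, so the caller carries on with whatever effective uid it had before, which is root if the preceding call was `EUID_ROOT()`. A privilege drop that fails should stop the program rather than be downgraded in the log; I would keep `Error:` there and make the branch `{ fprintf(stderr, "Error: cannot switch euid to user\n"); exit(1); }`. For `EUID_ROOT()` a warning is easier to defend, since a failed raise leaves the process less privileged, although the privileged calls that follow will then fail with less obvious messages.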
From: netblue30 Date: Sun, 12 Jun 2016 11:58:59 -0400 Subject: fixes --- README | 2 ++ src/firejail/fs.c | 6 ------ test/dist-compile/compile.sh | 45 ++++++++++++++++++++++++++++++++++++++++++-- 3 files changed, 45 insertions(+), 8 deletions(-) diff --git a/README b/README index 05c9408ec..0f825fd8e 100644 --- a/README +++ b/README @@ -25,6 +25,8 @@ Reiner Herrmann (https://github.com/reinerh) - clang-analyzer fixes - Debian reproducible build - unit testing framework +geg2048 (https://github.com/geg2048) + - kwallet profile fixes Simon Peter (https://github.com/probonopd) - set $APPIMAGE and $APPDIR environment variables maces (https://github.com/maces) diff --git a/src/firejail/fs.c b/src/firejail/fs.c index acc03e412..7811fd2a2 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -725,8 +725,6 @@ void fs_basic_fs(void) { // firejail sandboxes (firejail --force) if (getuid() != 0) disable_firejail_config(); - else - fprintf(stderr, "Warning: masking /etc/firejail disabled when starting the sandbox as root\n"); if (getuid() == 0) fs_rdwr(); @@ -964,8 +962,6 @@ void fs_overlayfs(void) { // firejail sandboxes (firejail --force) if (getuid() != 0) disable_firejail_config(); - else - fprintf(stderr, "Warning: masking /etc/firejail disabled when starting the sandbox as root\n"); // cleanup and exit free(option); @@ -1101,8 +1097,6 @@ void fs_chroot(const char *rootdir) { // firejail sandboxes (firejail --force) if (getuid() != 0) disable_firejail_config(); - else - fprintf(stderr, "Warning: masking /etc/firejail disabled when starting the sandbox as root\n"); } #endif diff --git a/test/dist-compile/compile.sh b/test/dist-compile/compile.sh index 64c99133a..2d055c1bd 100755 --- a/test/dist-compile/compile.sh +++ b/test/dist-compile/compile.sh 
@@ -9,7 +9,8 @@ arr[6]="TEST 6: compile network disabled" arr[7]="TEST 7: compile X11 disabled" arr[8]="TEST 8: compile network restricted" arr[9]="TEST 9: compile file transfer disabled" - +arr[10]="TEST 10: compile disable whitelist" +arr[11]="TEST 11: compile disable global config" # remove previous reports and output file cleanup() { @@ -213,7 +214,7 @@ print_title "${arr[9]}" # seccomp cd firejail make distclean -./configure --prefix=/usr --enable-network=restricted --enable-fatal-warnings 2>&1 | tee ../output-configure +./configure --prefix=/usr --disable-file-transfer --enable-fatal-warnings 2>&1 | tee ../output-configure make -j4 2>&1 | tee ../output-make cd .. grep Warning output-configure output-make > ./report-test9 
@@ -222,6 +223,44 @@ cp output-configure oc9 cp output-make om9 rm output-configure output-make +#***************************************************************** +# TEST 10 +#***************************************************************** +# - disable whitelist +# - check compilation +#***************************************************************** +print_title "${arr[10]}" +# seccomp +cd firejail +make distclean +./configure --prefix=/usr --disable-whitelist --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +cd .. +grep Warning output-configure output-make > ./report-test10 +grep Error output-configure output-make >> ./report-test10 +cp output-configure oc10 +cp output-make om10 +rm output-configure output-make + +#***************************************************************** +# TEST 11 +#***************************************************************** +# - disable global config +# - check compilation +#***************************************************************** +print_title "${arr[11]}" +# seccomp +cd firejail +make distclean +./configure --prefix=/usr --disable-globalcfg --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +cd .. +grep Warning output-configure output-make > ./report-test11 +grep Error output-configure output-make >> ./report-test11 +cp output-configure oc11 +cp output-make om11 +rm output-configure output-make + #***************************************************************** # PRINT REPORTS @@ -246,3 +285,5 @@ echo ${arr[6]} echo ${arr[7]} echo ${arr[8]} echo ${arr[9]} +echo ${arr[10]} +echo ${arr[11]} -- cgit v1.2.3-70-g09d2 From b843c5313dee1ff5145dafbcfd54c888b902ea22 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Mon, 13 Jun 2016 08:34:01 -0400 Subject: appimage whitlist fix --- src/firejail/appimage.c | 4 ++++ src/firejail/firejail.h | 2 ++ src/firejail/fs_whitelist.c | 25 ++++++++++++++++++++++++- src/firejail/main.c | 2 +- 4 files changed, 31 insertions(+), 2 deletions(-) diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index dd347a714..db9382dc3 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c @@ -31,6 +31,10 @@ static char *devloop = NULL; // device file static char *mntdir = NULL; // mount point in /tmp directory +const char *appimage_getdir(void) { + return mntdir; +} + void appimage_set(const char *appimage_path) { assert(appimage_path); assert(devloop == NULL); // don't call this twice! diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 6d64ce4cd..0b6e2e181 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -259,6 +259,7 @@ extern int arg_nice; // nice value configured extern int arg_ipc; // enable ipc namespace extern int arg_writable_etc; // writable etc extern int arg_writable_var; // writable var +extern int arg_appimage; // appimage extern int parent_to_child_fds[2]; extern int child_to_parent_fds[2]; @@ -581,6 +582,7 @@ void fs_rdwr(void); // appimage.c void appimage_set(const char *appimage_path); void appimage_clear(void); +const char *appimage_getdir(void); #endif diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 617e61dcd..ba6c8cd74 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c @@ -504,7 +504,7 @@ void fs_whitelist(void) { // /tmp mountpoint if (tmp_dir) { - // keep a copy of real /tmp directory in WHITELIST_TMP_DIR + // keep a copy of real /tmp directory in int rv = mkdir(RUN_WHITELIST_TMP_DIR, 1777); if (rv == -1) errExit("mkdir"); 
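Review bot: The edited comment in the first `fs_whitelist` hunk (src/firejail/fs_whitelist.c) now ends mid-sentence, `// keep a copy of real /tmp directory in`; it presumably should name the macro used on the next line, `// keep a copy of real /tmp directory in RUN_WHITELIST_TMP_DIR`. The context line below it passes `1777` to `mkdir` as a decimal literal, which is octal 03361 and not the sticky, world-writable `01777` that the tmpfs mount in the following hunk requests with `mode=1777`. Unless a `chmod` outside this hunk corrects the mode, `mkdir(RUN_WHITELIST_TMP_DIR, 01777)` is likely what was meant. The function starts and ends outside the hunk.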
@@ -522,6 +522,29 @@ void fs_whitelist(void) { if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) errExit("mounting tmpfs on /tmp"); fs_logger("tmpfs /tmp"); + + // mount appimage directory if necessary + if (arg_appimage) { + const char *dir = appimage_getdir(); + assert(dir); + char *wdir; + if (asprintf(&wdir, "%s/%s", RUN_WHITELIST_TMP_DIR, dir + 4) == -1) + errExit("asprintf"); + + // create directory + if (mkdir(dir, 0755) < 0) + errExit("mkdir"); + if (chown(dir, getuid(), getgid()) < 0) + errExit("chown"); + if (chmod(dir, 0755) < 0) + errExit("chmod"); + + // mount + if (mount(wdir, dir, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mount bind"); + fs_logger2("whitelist", dir); + free(wdir); + } } // /media mountpoint diff --git a/src/firejail/main.c b/src/firejail/main.c index 423df3752..9e8e1eaf0 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -99,6 +99,7 @@ int arg_nice = 0; // nice value configured int arg_ipc = 0; // enable ipc namespace int arg_writable_etc = 0; // writable etc int arg_writable_var = 0; // writable var +int arg_appimage = 0; // appimage int parent_to_child_fds[2]; int child_to_parent_fds[2]; @@ -705,7 +706,6 @@ int main(int argc, char **argv) { #ifdef HAVE_SECCOMP int highest_errno = errno_highest_nr(); #endif - int arg_appimage = 0; // drop permissions by default and rise them when required EUID_INIT(); -- cgit v1.2.3-70-g09d2 From 58b470209a737b3839bb20a683e6fac6bc047dd7 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 13 Jun 2016 08:43:00 -0400 Subject: configure.ac fixes --- configure | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configure b/configure index ca0704e91..807a53a3d 100755 --- a/configure +++ b/configure 
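Review bot: In the new appimage block of `fs_whitelist`, `dir + 4` assumes that the mount point returned by `appimage_getdir()` starts with `/tmp`, and nothing checks that before the pointer arithmetic. The only guard is `assert(dir)`, which disappears in an NDEBUG build, so a NULL or shorter string would be read out of bounds in code that goes on to call `mkdir`, `chown` and `mount`. I would validate explicitly and fail closed, e.g. `if (!dir || strncmp(dir, "/tmp/", 5) != 0) errExit("appimage mount point");`. The format can then be `"%s%s"`, because `dir + 4` already begins with a slash. The function starts and ends outside the hunk.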
@@ -1322,8 +1322,8 @@ Optional Features: --disable-seccomp disable seccomp --disable-chroot disable chroot --disable-bind disable bind - --disable-globalcfg disable global config file - (/etc/firejail/firejail.cfg) + --disable-globalcfg if the global config file firejail.cfg is not + present, continue the program using defaults --disable-network disable network --enable-network=restricted restrict --net= to root only -- cgit v1.2.3-70-g09d2 From 3cc86927c990f85326d4b6f6b8b9d8ee9d8613e5 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 13 Jun 2016 12:04:35 -0400 Subject: testing --- Makefile.in | 4 ++ test/dns.exp | 69 ------------------------------- test/doubledash.exp | 60 --------------------------- test/environment/dns.exp | 30 ++++++++++++++ test/environment/doubledash.exp | 60 +++++++++++++++++++++++++++ test/environment/environment.sh | 16 ++++++++ test/environment/extract_command.exp | 23 +++++++++++ test/environment/output.exp | 65 +++++++++++++++++++++++++++++ test/environment/output.sh | 9 ++++ test/extract_command.exp | 23 ----------- test/google-chrome.exp | 80 ------------------------------------ test/output.exp | 66 ----------------------------- test/output.sh | 9 ---- test/test.sh | 7 ---- 14 files changed, 207 insertions(+), 314 deletions(-) delete mode 100755 test/dns.exp delete mode 100755 test/doubledash.exp create mode 100755 test/environment/dns.exp create mode 100755 test/environment/doubledash.exp create mode 100755 test/environment/extract_command.exp create mode 100755 test/environment/output.exp create mode 100755 test/environment/output.sh delete mode 100755 test/extract_command.exp delete mode 100755 test/google-chrome.exp delete mode 100755 test/output.exp delete mode 100755 test/output.sh diff --git a/Makefile.in b/Makefile.in index c89f9167b..8726e4211 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -49,6 +49,10 @@ clean: rm -f test/utils/index.html* rm -f test/utils/wget-log rm -f test/utils/lstesting + rm -f test/environment/index.html* + rm -f test/environment/wget-log* + rm -fr test/environment/-testdir + rm -f test/environment/logfile* cd test/compile; ./compile.sh --clean; cd ../.. cd test/dist-compile; ./compile.sh --clean; cd ../.. diff --git a/test/dns.exp b/test/dns.exp deleted file mode 100755 index 96513f278..000000000 --- a/test/dns.exp +++ /dev/null @@ -1,69 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 30 -spawn $env(SHELL) -match_max 100000 - -# no chroot -send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r" -expect { - timeout {puts "TESTING ERROR 1.1\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 1.2\n";exit} - "1:wget:connect 208.67.222.222:53" -} -sleep 1 - -send -- "rm index.html\r" -sleep 1 - -# with chroot -send -- "firejail --chroot=/tmp/chroot --trace --dns=208.67.222.222 wget -q debian.org\r" -expect { - timeout {puts "TESTING ERROR 2.1\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 2.2\n";exit} - "1:wget:connect 208.67.222.222:53" -} -sleep 1 - -send -- "rm index.html\r" -sleep 1 - -# net eth0 -send -- "firejail --net=eth0 --trace --dns=208.67.222.222 wget -q debian.org\r" -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 3.2\n";exit} - "1:wget:connect 208.67.222.222:53" -} -sleep 1 - -send -- "rm index.html\r" -sleep 1 - -# net eth0 and chroot -send -- "firejail --net=eth0 --chroot=/tmp/chroot --trace --dns=208.67.222.222 wget -q debian.org\r" -expect { - timeout {puts "TESTING ERROR 4.1\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 4.2\n";exit} - "1:wget:connect 208.67.222.222:53" -} -sleep 1 - -send -- "rm index.html\r" -sleep 1 - - -puts "\n" - 
diff --git a/test/doubledash.exp b/test/doubledash.exp deleted file mode 100755 index 668468980..000000000 --- a/test/doubledash.exp +++ /dev/null @@ -1,60 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail -- ls -- -testdir\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "ttt" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "Parent is shutting down" -} -sleep 1 - - -send -- "firejail --name=testing -- -testdir/bash\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -sleep 3 - -spawn $env(SHELL) -send -- "firejail --join=testing -- -testdir/bash\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "the first child process inside the sandbox" -} -sleep 3 - -spawn $env(SHELL) -send -- "firejail --list;pwd\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "name=testing" -} -expect { - timeout {puts "TESTING ERROR 7\n";exit} - "home" -} -send -- "firejail --list;pwd\r" -expect { - timeout {puts "TESTING ERROR 8 (join)\n";exit} - "join=testing" -} -expect { - timeout {puts "TESTING ERROR 9\n";exit} - "home" -} - -sleep 1 - -puts "\n" diff --git a/test/environment/dns.exp b/test/environment/dns.exp new file mode 100755 index 000000000..6ffb124cf --- /dev/null +++ b/test/environment/dns.exp @@ -0,0 +1,30 @@ +#!/usr/bin/expect -f + +set timeout 30 +spawn $env(SHELL) +match_max 100000 + +# no chroot +send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r" +expect { + timeout {puts "TESTING ERROR 1.1\n";exit} + "Child process initialized" +} +expect { + timeout {puts "TESTING ERROR 1.2\n";exit} + "connect" +} +expect { + timeout {puts "TESTING ERROR 1.2\n";exit} + "208.67.222.222" +} +expect { + timeout {puts "TESTING ERROR 1.2\n";exit} + "53" +} + +after 100 + +send -- "rm index.html\r" +after 100 +puts "\nall done\n" 
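Review bot: The new test/environment/dns.exp replaces the single pattern `1:wget:connect 208.67.222.222:53` of the deleted test/dns.exp with three independent matches on `connect`, `208.67.222.222` and `53`, which weakens what the test proves about `--dns`. `53` on its own matches any later output containing those digits, so a trace showing the resolver on another port would still pass. If the trace format is what changed, one regular expression keeps the three parts on the same line, e.g. `-re {connect[^\r\n]*208\.67\.222\.222[^\r\n]*53}`. All three new `timeout` branches also print `TESTING ERROR 1.2`, so a failure does not say which step timed out; numbering them `1.2`, `1.3` and `1.4` would.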
diff --git a/test/environment/doubledash.exp b/test/environment/doubledash.exp new file mode 100755 index 000000000..668468980 --- /dev/null +++ b/test/environment/doubledash.exp @@ -0,0 +1,60 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail -- ls -- -testdir\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "ttt" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "Parent is shutting down" +} +sleep 1 + + +send -- "firejail --name=testing -- -testdir/bash\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 3 + +spawn $env(SHELL) +send -- "firejail --join=testing -- -testdir/bash\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "the first child process inside the sandbox" +} +sleep 3 + +spawn $env(SHELL) +send -- "firejail --list;pwd\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "name=testing" +} +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "home" +} +send -- "firejail --list;pwd\r" +expect { + timeout {puts "TESTING ERROR 8 (join)\n";exit} + "join=testing" +} +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "home" +} + +sleep 1 + +puts "\n" diff --git a/test/environment/environment.sh b/test/environment/environment.sh index 49b50797a..a6fe07a1c 100755 --- a/test/environment/environment.sh +++ b/test/environment/environment.sh 
@@ -6,6 +6,22 @@ export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) +echo "TESTING: DNS (test/environment/dns.exp)" +./dns.exp + +echo "TESTING: doubledash (test/environment/doubledash.exp" +mkdir -- -testdir +touch -- -testdir/ttt +cp -- /bin/bash -testdir/. +./doubledash.exp +rm -fr -- -testdir + +echo "TESTING: output (test/environment/output.exp)" +./output.exp + +echo "TESTING: extract command (extract_command.exp)" +./extract_command.exp + echo "TESTING: environment variables (test/environment/env.exp)" ./env.exp diff --git a/test/environment/extract_command.exp b/test/environment/extract_command.exp new file mode 100755 index 000000000..266f66ff5 --- /dev/null +++ b/test/environment/extract_command.exp @@ -0,0 +1,23 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --debug ls -al\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile /etc/firejail/default.profile" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Child process initialized" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Parent is shutting down, bye" +} +after 100 + +puts "\nall done\n" + diff --git a/test/environment/output.exp b/test/environment/output.exp new file mode 100755 index 000000000..10c325832 --- /dev/null +++ b/test/environment/output.exp 
@@ -0,0 +1,65 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "rm -f logfile*\r" +sleep 1 +puts "\n" + +send -- "firejail --output=logfile -- ./output.sh\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "20000" +} +expect { + timeout {puts "TESTING ERROR 1.1\n";exit} + "60000" +} +expect { + timeout {puts "TESTING ERROR 1.2\n";exit} + "100000" +} +expect { + timeout {puts "TESTING ERROR 1.3\n";exit} + "120000" +} +expect { + timeout {puts "TESTING ERROR 1.4\n";exit} + "14999" +} +sleep 2 +puts "\n" + + +set timeout 2 +send -- "ls -al logfile*\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "logfile" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "logfile.1" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "logfile.2" +} +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "logfile.3" +} +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "logfile.4" +} +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "logfile.5" +} +after 100 +send -- "rm -f logfile*\r" +after 100 +puts "\nall done\n" diff --git a/test/environment/output.sh b/test/environment/output.sh new file mode 100755 index 000000000..2be188e3a --- /dev/null +++ b/test/environment/output.sh @@ -0,0 +1,9 @@ +#!/bin/bash + +i="0" + +while [ $i -lt 150000 ] +do + echo message number $i + i=$[$i+1] +done diff --git a/test/extract_command.exp b/test/extract_command.exp deleted file mode 100755 index 851b793c9..000000000 --- a/test/extract_command.exp +++ /dev/null @@ -1,23 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --debug ls -al\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Reading profile /etc/firejail/default.profile" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "Parent is shutting down, bye" -} -sleep 1 - -puts "\nall done\n" - 
diff --git a/test/google-chrome.exp b/test/google-chrome.exp deleted file mode 100755 index 389988e3c..000000000 --- a/test/google-chrome.exp +++ /dev/null @@ -1,80 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail google-chrome www.gentoo.org\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Reading profile /etc/firejail/google-chrome.profile" -} -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -sleep 10 - -spawn $env(SHELL) -send -- "firejail --list\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "google-chrome" -} -sleep 1 - -# grsecurity exit -send -- "file /proc/sys/kernel/grsecurity\r" -expect { - timeout {puts "TESTING ERROR - grsecurity detection\n";exit} - "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} - "cannot open" {puts "grsecurity not present\n"} -} - -send -- "firejail --name=blablabla\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "firemon --seccomp\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - ":firejail google-chrome" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "Seccomp: 0" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "name=blablabla" -} -sleep 1 -send -- "firemon --caps\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - ":firejail google-chrome" -} -expect { - timeout {puts "TESTING ERROR 6.1\n";exit} - "CapBnd:" -} -expect { - timeout {puts "TESTING ERROR 6.2\n";exit} - "fffffffff" -} -expect { - timeout {puts "TESTING ERROR 6.3\n";exit} - "name=blablabla" -} -sleep 1 - -puts "\n" - diff --git a/test/output.exp b/test/output.exp deleted file mode 100755 index 90a9d64b6..000000000 --- a/test/output.exp +++ /dev/null 
@@ -1,66 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "rm -f logfile*\r" -sleep 1 -puts "\n" - -send -- "firejail --output=logfile -- ./output.sh\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "20000" -} -expect { - timeout {puts "TESTING ERROR 1.1\n";exit} - "60000" -} -expect { - timeout {puts "TESTING ERROR 1.2\n";exit} - "100000" -} -expect { - timeout {puts "TESTING ERROR 1.3\n";exit} - "120000" -} -expect { - timeout {puts "TESTING ERROR 1.4\n";exit} - "14999" -} -sleep 2 -puts "\n" - - -set timeout 2 -send -- "ls -al logfile*\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "logfile" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "logfile.1" -} -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "logfile.2" -} -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "logfile.3" -} -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "logfile.4" -} -expect { - timeout {puts "TESTING ERROR 7\n";exit} - "logfile.5" -} -sleep 1 -send -- "rm -f logfile*\r" -sleep 1 - -puts "\n" diff --git a/test/output.sh b/test/output.sh deleted file mode 100755 index 2be188e3a..000000000 --- a/test/output.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/bash - -i="0" - -while [ $i -lt 150000 ] -do - echo message number $i - i=$[$i+1] -done diff --git a/test/test.sh b/test/test.sh index c4f0afd94..4d57aaad2 100755 --- a/test/test.sh +++ b/test/test.sh @@ -27,13 +27,6 @@ rm -fr auto2 rm -fr auto3 rm -fr auto4 -echo "TESTING: doubledash" -mkdir -- -testdir -touch -- -testdir/ttt -cp -- /bin/bash -testdir/. -./doubledash.exp -rm -fr -- -testdir - echo "TESTING: extract command (extract_command.exp)" ./extract_command.exp -- cgit v1.2.3-70-g09d2 From 980e11d8e1e31d51bf04f2e6f31de1511b709351 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 14 Jun 2016 15:33:57 -0400 Subject: pulseaudio fix --- src/firejail/pulseaudio.c | 4 ---- test/test.sh | 5 ----- 2 files changed, 9 deletions(-) 
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index 1eb5e59e1..767aaab09 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c @@ -104,10 +104,6 @@ void pulseaudio_init(void) { char *pulsecfg = NULL; if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1) errExit("asprintf"); - if (is_link("/etc/pulse/client.conf")) { - fprintf(stderr, "Error: invalid /etc/pulse/client.conf file\n"); - exit(1); - } if (copy_file("/etc/pulse/client.conf", pulsecfg)) errExit("copy_file"); FILE *fp = fopen(pulsecfg, "a+"); diff --git a/test/test.sh b/test/test.sh index 4d57aaad2..71e2c6720 100755 --- a/test/test.sh +++ b/test/test.sh @@ -27,9 +27,6 @@ rm -fr auto2 rm -fr auto3 rm -fr auto4 -echo "TESTING: extract command (extract_command.exp)" -./extract_command.exp - echo "TESTING: chroot overlay (option_chroot_overlay.exp)" ./option_chroot_overlay.exp @@ -46,8 +43,6 @@ sleep 5 rm -f tmpreadonly -echo "TESTING: output (output.exp)" -./output.exp echo "TESTING: private directory (private_dir.exp)" rm -fr dirprivate -- cgit v1.2.3-70-g09d2 From 2871c94d0cdaf23a6cf34fff1d52a734519b658b Mon Sep 17 00:00:00 2001 From: Reiner Herrmann Date: Thu, 16 Jun 2016 19:39:39 +0200 Subject: skip ip6 test if filter table not available --- test/network/ip6.exp | 1 + 1 file changed, 1 insertion(+) diff --git a/test/network/ip6.exp b/test/network/ip6.exp index 2cd756a1d..e5939021e 100755 --- a/test/network/ip6.exp +++ b/test/network/ip6.exp @@ -18,6 +18,7 @@ expect { } expect { timeout {puts "TESTING ERROR 2\n";exit} + "unable to initialize table 'filter'" {puts "\nTESTING SKIP 2: no IPv6 support\n"; exit} "2001:db8:1f0a:3ec::2" } expect { -- cgit v1.2.3-70-g09d2 From 99033ce1520901fbfe3c2178171032238be4d2f0 Mon Sep 17 00:00:00 2001 From: Reiner Herrmann Date: Thu, 16 Jun 2016 19:45:46 +0200 Subject: Xephyr typo --- test/apps-x11/apps-x11.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
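Review bot: With the `is_link("/etc/pulse/client.conf")` guard removed, `copy_file("/etc/pulse/client.conf", pulsecfg)` in pulseaudio_init will follow a symlink at that path, and nothing in the code or the commit message ("pulseaudio fix") records why that is acceptable. The path is under /etc, so the link target is presumably controlled by the administrator rather than by the sandboxed user. Whether that is enough depends on the privileges copy_file runs with and on whether it rejects non-regular sources, and neither is visible in this hunk. I would add a comment at the call, for example `// client.conf may legitimately be a symlink; source is admin-controlled, copy_file must not read it with elevated privileges`, and confirm that property in copy_file. pulseaudio_init begins and ends outside the hunk.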
diff --git a/test/apps-x11/apps-x11.sh b/test/apps-x11/apps-x11.sh index a8556ab8f..1b3494290 100755 --- a/test/apps-x11/apps-x11.sh +++ b/test/apps-x11/apps-x11.sh @@ -13,12 +13,12 @@ then echo "xpra found" else echo "xpra not found" - which xephyr + which Xephyr if [ "$?" -eq 0 ]; then - echo "xephyr found" + echo "Xephyr found" else - echo "TESTING SKIP: xpra and/or xephyr not found" + echo "TESTING SKIP: xpra and/or Xephyr not found" exit fi fi -- cgit v1.2.3-70-g09d2 From ccf3d4994ed79ca289f8dabf6f0febdc39056155 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 17 Jun 2016 10:24:55 -0400 Subject: free memory --- src/firejail/main.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/firejail/main.c b/src/firejail/main.c index 9e8e1eaf0..c6fbd584e 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -659,6 +659,7 @@ static void delete_name_file(pid_t pid) { errExit("asprintf"); int rv = unlink(fname); (void) rv; + free(fname); } static void set_x11_file(pid_t pid, int display) { @@ -689,6 +690,7 @@ static void delete_x11_file(pid_t pid) { errExit("asprintf"); int rv = unlink(fname); (void) rv; + free(fname); } //******************************************* -- cgit v1.2.3-70-g09d2 From 04fd67d0cc3b525d2fc46778df8d0e3a1babb7e6 Mon Sep 17 00:00:00 2001 From: The Fox in the Shell Date: Sat, 18 Jun 2016 17:35:25 +0200 Subject: disable-common: Add ZSH-related init files Antigen is a popular plugin manager for ZSH --- etc/disable-common.inc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index cff2289fd..4a8a379e5 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc 
@@ -58,11 +58,15 @@ read-only ${HOME}/.xserverrc read-only ${HOME}/.profile # Shell startup files +read-only ${HOME}/.antigen read-only ${HOME}/.bash_login read-only ${HOME}/.bashrc read-only ${HOME}/.bash_profile read-only ${HOME}/.bash_logout +read-only ${HOME}/.zsh.d +read-only ${HOME}/.zshenv read-only ${HOME}/.zshrc +read-only ${HOME}/.zshrc.local read-only ${HOME}/.zlogin read-only ${HOME}/.zprofile read-only ${HOME}/.zlogout -- cgit v1.2.3-70-g09d2 From 91bca369232cb075d7a46a7218e1f7a9736d6360 Mon Sep 17 00:00:00 2001 From: The Fox in the Shell Date: Sat, 18 Jun 2016 17:36:53 +0200 Subject: disable-common: Make ~/.profile read-only Several shells, including Bash, fallback to ~/.profile if their specific profile file does not exist. --- etc/disable-common.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 4a8a379e5..aebf099af 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -74,6 +74,7 @@ read-only ${HOME}/.zsh_files read-only ${HOME}/.tcshrc read-only ${HOME}/.cshrc read-only ${HOME}/.csh_files +read-only ${HOME}/.profile # Initialization files that allow arbitrary command execution read-only ${HOME}/.mailcap -- cgit v1.2.3-70-g09d2 From 0065456d6d6043206367ad56440943071ed25b69 Mon Sep 17 00:00:00 2001 From: The Fox in the Shell Date: Sat, 18 Jun 2016 17:38:01 +0200 Subject: disable-common: Protect caff's files Caff (CA fire & forget) is a popular GnuPG helper for keysigning safely. --- etc/disable-common.inc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index aebf099af..c857ff439 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -77,6 +77,7 @@ read-only ${HOME}/.csh_files read-only ${HOME}/.profile # Initialization files that allow arbitrary command execution +read-only ${HOME}/.caffrc read-only ${HOME}/.mailcap read-only ${HOME}/.exrc read-only ${HOME}/_exrc 
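Review bot: The line `read-only ${HOME}/.profile` added in the `@@ -74,6 +74,7 @@` hunk duplicates a rule the file already has. The context of the preceding `@@ -58,11 +58,15 @@` hunk shows `read-only ${HOME}/.profile` directly above `# Shell startup files`. The repeat is probably harmless at run time, but it makes the list harder to audit, because a reader cannot tell which entry is authoritative when one is later changed or removed. Keep a single entry, preferably the one inside the shell start-up section, with a comment such as `# fallback profile read by bash and other sh-compatible shells`.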
@@ -105,6 +106,7 @@ blacklist ${HOME}/.kde/share/apps/kwallet blacklist ${HOME}/.local/share/kwalletd blacklist ${HOME}/.netrc blacklist ${HOME}/.gnupg +blacklist ${HOME}/.caff blacklist ${HOME}/*.kdbx blacklist ${HOME}/*.kdb blacklist ${HOME}/*.key -- cgit v1.2.3-70-g09d2 From afb8b355971cf3c31e26e0384b93068aabea4ba1 Mon Sep 17 00:00:00 2001 From: The Fox in the Shell Date: Sat, 18 Jun 2016 17:45:08 +0200 Subject: disable-common: Blacklist ~/.smbcredentials --- etc/disable-common.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index c857ff439..689aecfd4 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -107,6 +107,7 @@ blacklist ${HOME}/.local/share/kwalletd blacklist ${HOME}/.netrc blacklist ${HOME}/.gnupg blacklist ${HOME}/.caff +blacklist ${HOME}/.smbcredentials blacklist ${HOME}/*.kdbx blacklist ${HOME}/*.kdb blacklist ${HOME}/*.key -- cgit v1.2.3-70-g09d2 From 9c8fb3a24944e5618afe5ce118a1e45898a464b4 Mon Sep 17 00:00:00 2001 From: The Fox in the Shell Date: Sat, 18 Jun 2016 17:45:54 +0200 Subject: disable-common: Make ~/.emacs.d and ~/.nano read-only --- etc/disable-common.inc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 689aecfd4..a4c940bdb 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -87,6 +87,8 @@ read-only ${HOME}/.gvimrc read-only ${HOME}/_gvimrc read-only ${HOME}/.vim read-only ${HOME}/.emacs +read-only ${HOME}/.emacs.d +read-only ${HOME}/.nano read-only ${HOME}/.tmux.conf read-only ${HOME}/.iscreenrc read-only ${HOME}/.muttrc -- cgit v1.2.3-70-g09d2 From 4ff6a94aa9cf45de40c7dffc2b7d8ad83794c98c Mon Sep 17 00:00:00 2001 
From: The Fox in the Shell Date: Sat, 18 Jun 2016 17:47:01 +0200 Subject: disable-common: Make ~/.msmtprc read-only msmtp is a MTA that aims for simplicity and security. ~/.msmtprc may specify commands that are run when sending email. --- etc/disable-common.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index a4c940bdb..b5b0f5f2f 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -93,6 +93,7 @@ read-only ${HOME}/.tmux.conf read-only ${HOME}/.iscreenrc read-only ${HOME}/.muttrc read-only ${HOME}/.mutt/muttrc +read-only ${HOME}/.msmtprc read-only ${HOME}/.xmonad read-only ${HOME}/.xscreensaver -- cgit v1.2.3-70-g09d2 From 32bdfff6ada62f10e2b5221c772c8bf8efc36dff Mon Sep 17 00:00:00 2001 From: The Fox in the Shell Date: Sat, 18 Jun 2016 17:48:47 +0200 Subject: disable-common: Make ~/.reportbugrc read-only reportbug is a standard Debian tool. Its config file may specify a specific command to use as MTA. --- etc/disable-common.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index b5b0f5f2f..0139e984e 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -94,6 +94,7 @@ read-only ${HOME}/.iscreenrc read-only ${HOME}/.muttrc read-only ${HOME}/.mutt/muttrc read-only ${HOME}/.msmtprc +read-only ${HOME}/.reportbugrc read-only ${HOME}/.xmonad read-only ${HOME}/.xscreensaver -- cgit v1.2.3-70-g09d2 From 9a6e6692b1709f3d5f06d5f1bd4d1544f026aa0b Mon Sep 17 00:00:00 2001 From: The Fox in the Shell Date: Sat, 18 Jun 2016 17:58:39 +0200 Subject: disable-common: Make ~/.dotfiles and ~/dotfiles RO Having dotfiles in such a directory, under version control, and symlinking the actual dotfiles to there, is a common-enough practice that I believe should be supported. --- etc/disable-common.inc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 0139e984e..197e5fbf0 100644 
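Review bot: `read-only ${HOME}/.msmtprc` stops a sandboxed program from planting a command in the file but leaves the file readable, and an msmtp configuration can hold the SMTP account password in clear text. Credential stores such as `${HOME}/.netrc` are handled with `blacklist` elsewhere in this file, so the different treatment deserves an explicit reason. If the intent is that sandboxed mail clients must still read the file, say so next to the rule, for example `# read-only, not blacklist: mail clients need it; may contain SMTP credentials`, and consider a `blacklist` in profiles that never send mail. The same question applies to `read-only ${HOME}/.reportbugrc` in the next hunk, which can carry SMTP settings as well.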
--- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -78,6 +78,8 @@ read-only ${HOME}/.profile # Initialization files that allow arbitrary command execution read-only ${HOME}/.caffrc +read-only ${HOME}/.dotfiles +read-only ${HOME}/dotfiles read-only ${HOME}/.mailcap read-only ${HOME}/.exrc read-only ${HOME}/_exrc -- cgit v1.2.3-70-g09d2 From 778267086a0d140ac4c3a6fb93920277d949b278 Mon Sep 17 00:00:00 2001 From: Reiner Herrmann Date: Sat, 18 Jun 2016 18:51:37 +0200 Subject: noqueue not exposed on older kernels; pfifo_fast is default qdisc --- test/network/bandwidth.exp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/network/bandwidth.exp b/test/network/bandwidth.exp index a3dc9b55f..bccb0b9f3 100755 --- a/test/network/bandwidth.exp +++ b/test/network/bandwidth.exp @@ -18,7 +18,7 @@ spawn $env(SHELL) send -- "firejail --bandwidth=test status\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "qdisc noqueue 0: dev eth0" + "qdisc pfifo_fast 0: dev eth0" } sleep 1 -- cgit v1.2.3-70-g09d2 From cb3a61d71f60f788f72cf2dbcd0b02079272c792 Mon Sep 17 00:00:00 2001 From: Reiner Herrmann Date: Sat, 18 Jun 2016 18:52:11 +0200 Subject: fix logged test sequence number --- test/utils/seccomp.exp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/utils/seccomp.exp b/test/utils/seccomp.exp index a318e39b1..c9726ff21 100755 --- a/test/utils/seccomp.exp +++ b/test/utils/seccomp.exp @@ -40,7 +40,7 @@ expect { "bingo2" } expect { - timeout {puts "TESTING ERROR 3\n";exit} + timeout {puts "TESTING ERROR 4\n";exit} "Seccomp: 0" } after 100 -- cgit v1.2.3-70-g09d2 From 90f527234a62021466991c3f349e45cefbf79acd Mon Sep 17 00:00:00 2001 
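Review bot: In test/network/bandwidth.exp the expectation is switched from `"qdisc noqueue 0: dev eth0"` to `"qdisc pfifo_fast 0: dev eth0"`, so the test will now time out with "TESTING ERROR 1" on any kernel that does report `noqueue`. The commit subject says that only older kernels lack it. Accepting both keeps the check valid on old and new kernels: `-re "qdisc (noqueue|pfifo_fast) 0: dev eth0"`. The enclosing expect block is fully visible in the hunk; the rest of the script is not.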
From: Fred-Barclay Date: Sun, 19 Jun 2016 09:29:50 +1000 Subject: added libreoffice profile --- Makefile.in | 1 + README | 1 + README.md | 2 +- RELNOTES | 2 +- etc/disable-programs.inc | 1 + etc/libreoffice.profile | 14 ++++++++++++++ platform/debian/conffiles | 1 + src/firecfg/firecfg.config | 1 + 8 files changed, 21 insertions(+), 2 deletions(-) create mode 100644 etc/libreoffice.profile diff --git a/Makefile.in b/Makefile.in index 8726e4211..7f21811f5 100644 --- a/Makefile.in +++ b/Makefile.in @@ -196,6 +196,7 @@ realinstall: install -c -m 0644 .etc/gthumb.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/mpv.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/franz.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/libreoffice.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/. rm -fr .etc diff --git a/README b/README index 0f825fd8e..8c15b17a2 100644 --- a/README +++ b/README @@ -87,6 +87,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added Brave profile - added Gitter profile - various organising + - added Libreoffice profile Petter Reinholdtsen (pere@hungry.com) - Opera profile patch n1trux (https://github.com/n1trux) diff --git a/README.md b/README.md index 69890ffaf..c53823304 100644 --- a/README.md +++ b/README.md @@ -77,4 +77,4 @@ Office: evince, gthumb, fbreader ## New security profiles -Gitter, gThumb, mpv, Franz messenger +Gitter, gThumb, mpv, Franz messenger, LibreOffice diff --git a/RELNOTES b/RELNOTES index 04a9d7cbb..4a698620b 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -3,7 +3,7 @@ firejail (0.9.41) baseline; urgency=low * compile time and run time support to disable whitelists * compile time support to disable global configuration file * some profiles have been converted to private-bin - * new profiles: Gitter, gThumb, mpv, Franz messenger + * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice -- netblue30 Tue, 31 May 2016 08:00:00 -0500 firejail (0.9.40) baseline; urgency=low diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 6e79b3be0..6c166c186 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -16,6 +16,7 @@ blacklist ${HOME}/.config/stellarium blacklist ${HOME}/.config/atril blacklist ${HOME}/.config/xreader blacklist ${HOME}/.config/xviewer +blacklist $(HOME)/.config/libreoffice blacklist ${HOME}/.kde/share/apps/okular blacklist ${HOME}/.kde/share/config/okularrc blacklist ${HOME}/.kde/share/config/okularpartrc diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile new file mode 100644 index 000000000..9056b1df2 --- /dev/null +++ b/etc/libreoffice.profile @@ -0,0 +1,14 @@ +# Firejail profile for LibreOffice +noblacklist ~/.config/libreoffice +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 3ada0256a..6635a594b 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -106,3 +106,4 @@ /etc/firejail/gthumb.profile /etc/firejail/mpv.profile /etc/firejail/franz.profile +/etc/firejail/libreoffice.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index e31a7c12a..eeac7a088 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config 
@@ -106,6 +106,7 @@ evince fbreader gwenview gthumb +LibreOffice Mathematica mathematica okular -- cgit v1.2.3-70-g09d2 From 03187188f55a78411f069c3e13f73dbe86c014dc Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 19 Jun 2016 06:21:27 -0400 Subject: fixes --- README | 1 + etc/disable-programs.inc | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/README b/README index 8c15b17a2..d87430f89 100644 --- a/README +++ b/README @@ -34,6 +34,7 @@ maces (https://github.com/maces) KellerFuchs (https://github.com/KellerFuchs) - nonewpriv support, extended profiles for this feature - make `restricted-network` prevent use of netfilter + - disable-common.inc additions ValdikSS (https://github.com/ValdikSS) - Psi+, Corebird, Konversation profiles - various profile fixes diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 6c166c186..a5b33c860 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -16,7 +16,7 @@ blacklist ${HOME}/.config/stellarium blacklist ${HOME}/.config/atril blacklist ${HOME}/.config/xreader blacklist ${HOME}/.config/xviewer -blacklist $(HOME)/.config/libreoffice +blacklist ${HOME}/.config/libreoffice blacklist ${HOME}/.kde/share/apps/okular blacklist ${HOME}/.kde/share/config/okularrc blacklist ${HOME}/.kde/share/config/okularpartrc -- cgit v1.2.3-70-g09d2 From 08c8c86233337ff00ccb7112f659776e5ac1efe1 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Sun, 19 Jun 2016 07:15:16 -0400 Subject: libreoffice support --- Makefile.in | 8 ++++++++ etc/disable-devel.inc | 2 +- etc/libreoffice.profile | 4 ++++ etc/localc.profile | 5 +++++ etc/lodraw.profile | 5 +++++ etc/loffice.profile | 5 +++++ etc/lofromtemplate.profile | 5 +++++ etc/loimpress.profile | 5 +++++ etc/lomath.profile | 5 +++++ etc/loweb.profile | 5 +++++ etc/lowriter.profile | 5 +++++ platform/debian/conffiles | 10 ++++++++++ src/firecfg/firecfg.config | 9 ++++++++- 13 files changed, 71 insertions(+), 2 deletions(-) create mode 100644 etc/localc.profile create mode 100644 etc/lodraw.profile create mode 100644 etc/loffice.profile create mode 100644 etc/lofromtemplate.profile create mode 100644 etc/loimpress.profile create mode 100644 etc/lomath.profile create mode 100644 etc/loweb.profile create mode 100644 etc/lowriter.profile diff --git a/Makefile.in b/Makefile.in index 7f21811f5..c7ecab5ac 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -197,6 +197,14 @@ realinstall: install -c -m 0644 .etc/mpv.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/franz.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/libreoffice.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/localc.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/lodraw.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/loffice.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/lofromtemplate.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/loimpress.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/lomath.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/loweb.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/lowriter.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/. rm -fr .etc diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc index 4e401055a..821aa1ea4 100644 --- a/etc/disable-devel.inc +++ b/etc/disable-devel.inc @@ -37,7 +37,7 @@ blacklist /usr/lib/php* blacklist /usr/bin/ruby blacklist /usr/lib/ruby -# Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat +# Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice # Python 2 #blacklist /usr/bin/python2* #blacklist /usr/lib/python2* diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index 9056b1df2..6cbdbfd66 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile @@ -12,3 +12,7 @@ noroot protocol unix,inet,inet6,netlink seccomp tracelog + +private-dev +whitelist /tmp/.X11-unix/ + diff --git a/etc/localc.profile b/etc/localc.profile new file mode 100644 index 000000000..fecd08822 
--- /dev/null +++ b/etc/localc.profile @@ -0,0 +1,5 @@ +################################ +# LibreOffice profile +################################ +include /etc/firejail/libreoffice.profile + diff --git a/etc/lodraw.profile b/etc/lodraw.profile new file mode 100644 index 000000000..9a53d9fb0 --- /dev/null +++ b/etc/lodraw.profile @@ -0,0 +1,5 @@ +################################ +# LibreOffice profile +################################ +include /etc/firejail/liberoffice.profile + diff --git a/etc/loffice.profile b/etc/loffice.profile new file mode 100644 index 000000000..fecd08822 --- /dev/null +++ b/etc/loffice.profile @@ -0,0 +1,5 @@ +################################ +# LibreOffice profile +################################ +include /etc/firejail/libreoffice.profile + diff --git a/etc/lofromtemplate.profile b/etc/lofromtemplate.profile new file mode 100644 index 000000000..fecd08822 --- /dev/null +++ b/etc/lofromtemplate.profile @@ -0,0 +1,5 @@ +################################ +# LibreOffice profile +################################ +include /etc/firejail/libreoffice.profile + diff --git a/etc/loimpress.profile b/etc/loimpress.profile new file mode 100644 index 000000000..fecd08822 --- /dev/null +++ b/etc/loimpress.profile @@ -0,0 +1,5 @@ +################################ +# LibreOffice profile +################################ +include /etc/firejail/libreoffice.profile + diff --git a/etc/lomath.profile b/etc/lomath.profile new file mode 100644 index 000000000..fecd08822 --- /dev/null +++ b/etc/lomath.profile @@ -0,0 +1,5 @@ +################################ +# LibreOffice profile +################################ +include /etc/firejail/libreoffice.profile + diff --git a/etc/loweb.profile b/etc/loweb.profile new file mode 100644 index 000000000..fecd08822 --- /dev/null +++ b/etc/loweb.profile @@ -0,0 +1,5 @@ +################################ +# LibreOffice profile +################################ +include /etc/firejail/libreoffice.profile + 
diff --git a/etc/lowriter.profile b/etc/lowriter.profile new file mode 100644 index 000000000..fecd08822 --- /dev/null +++ b/etc/lowriter.profile @@ -0,0 +1,5 @@ +################################ +# LibreOffice profile +################################ +include /etc/firejail/libreoffice.profile + diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 6635a594b..b3aa62217 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -107,3 +107,13 @@ /etc/firejail/mpv.profile /etc/firejail/franz.profile /etc/firejail/libreoffice.profile +/etc/firejail/localc.profile +/etc/firejail/lodraw.profile +/etc/firejail/loffice.profile +/etc/firejail/lofromtemplate.profile +/etc/firejail/loimpress.profile +/etc/firejail/lomath.profile +/etc/firejail/loweb.profile +/etc/firejail/lowriter.profile + + diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index eeac7a088..fa2dee81d 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -106,7 +106,14 @@ evince fbreader gwenview gthumb -LibreOffice +libreoffice +lodraw +loffice +lofromtemplate +loimpres +lomath +loweb +lowriter Mathematica mathematica okular -- cgit v1.2.3-70-g09d2 From ff7fd50f5df649cfc517d7c636b518b32b633830 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 19 Jun 2016 07:52:15 -0400 Subject: libreoffice support --- etc/lodraw.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/lodraw.profile b/etc/lodraw.profile index 9a53d9fb0..fecd08822 100644 --- a/etc/lodraw.profile +++ b/etc/lodraw.profile @@ -1,5 +1,5 @@ ################################ # LibreOffice profile ################################ -include /etc/firejail/liberoffice.profile +include /etc/firejail/libreoffice.profile -- cgit v1.2.3-70-g09d2 From 26c4c477177ad3801f2f6f99bfd8f44fe920af9c Mon Sep 17 00:00:00 2001 
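Review bot: In the src/firecfg/firecfg.config hunk the entry `loimpres` is missing its final `s`; the profile this commit installs is `loimpress.profile`. `localc` has no entry at all, although `localc.profile` is installed by Makefile.in and listed in conffiles. If firecfg builds its launcher redirections from this list, as the file name suggests, Impress and Calc started under those names would run outside the sandbox while the other LibreOffice components are confined. Change the line to `loimpress` and add `localc` ahead of `lodraw`.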
From: Reiner Herrmann Date: Sun, 19 Jun 2016 16:29:00 +0200 Subject: Add profile for Firefox ESR --- Makefile.in | 1 + etc/firefox-esr.profile | 2 ++ platform/debian/conffiles | 1 + src/firecfg/firecfg.config | 1 + 4 files changed, 5 insertions(+) create mode 100644 etc/firefox-esr.profile diff --git a/Makefile.in b/Makefile.in index c7ecab5ac..196c5892f 100644 --- a/Makefile.in +++ b/Makefile.in @@ -98,6 +98,7 @@ realinstall: install -c -m 0644 .etc/rhythmbox.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/totem.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/firefox.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/firefox-esr.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/icedove.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/iceweasel.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/midori.profile $(DESTDIR)/$(sysconfdir)/firejail/. diff --git a/etc/firefox-esr.profile b/etc/firefox-esr.profile new file mode 100644 index 000000000..d2fde9a3f --- /dev/null +++ b/etc/firefox-esr.profile @@ -0,0 +1,2 @@ +# Firejail profile for Mozilla Firefox ESR +include /etc/firejail/firefox.profile diff --git a/platform/debian/conffiles b/platform/debian/conffiles index b3aa62217..2730a497c 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -11,6 +11,7 @@ /etc/firejail/dropbox.profile /etc/firejail/login.users /etc/firejail/firefox.profile +/etc/firejail/firefox-esr.profile /etc/firejail/opera.profile /etc/firejail/opera-beta.profile /etc/firejail/thunderbird.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index fa2dee81d..b54ca221c 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -24,6 +24,7 @@ chromium-browser conkeror cyberfox firefox +firefox-esr flashpeak-slimjet epiphany dillo -- cgit v1.2.3-70-g09d2 From 8dc1d21e5a1196696fd617ecf4d025b274d57260 Mon Sep 17 00:00:00 2001 
From: Fred-Barclay Date: Mon, 20 Jun 2016 10:09:02 +1000 Subject: Pix profile --- etc/pix.profile | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 etc/pix.profile diff --git a/etc/pix.profile b/etc/pix.profile new file mode 100644 index 000000000..ccf0c0381 --- /dev/null +++ b/etc/pix.profile @@ -0,0 +1,19 @@ +# gthumb profile +noblacklist ${HOME}/.config/pix +noblacklist ${HOME}/.local/share/pix + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp + +shell none +private-bin pix +whitelist /tmp/.X11-unix -- cgit v1.2.3-70-g09d2 From bc5c520e8dbfdb8d070948b2bc9c3a7f1fdb3eab Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Mon, 20 Jun 2016 10:09:30 +1000 Subject: extra Pix files --- Makefile.in | 1 + README | 1 + README.md | 4 ++-- RELNOTES | 1 + etc/disable-programs.inc | 2 ++ platform/debian/conffiles | 3 +-- src/firecfg/firecfg.config | 1 + 7 files changed, 9 insertions(+), 4 deletions(-) diff --git a/Makefile.in b/Makefile.in index 196c5892f..1a5a9160d 100644 --- a/Makefile.in +++ b/Makefile.in @@ -206,6 +206,7 @@ realinstall: install -c -m 0644 .etc/lomath.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/loweb.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/lowriter.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/pix.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/. rm -fr .etc diff --git a/README b/README index d87430f89..9dfbbec14 100644 --- a/README +++ b/README 
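Review bot: The header comment of the new etc/pix.profile reads `# gthumb profile`, which looks carried over from the profile it was modelled on; it should name the program it confines, for example `# Firejail profile for pix`. `protocol unix,inet,inet6` also leaves IPv4 and IPv6 sockets available to an image viewer. If pix has no feature that needs the network, `protocol unix` would be the tighter setting, but that needs confirming against how pix is actually used.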
@@ -89,6 +89,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added Gitter profile - various organising - added Libreoffice profile + - added pix profile Petter Reinholdtsen (pere@hungry.com) - Opera profile patch n1trux (https://github.com/n1trux) diff --git a/README.md b/README.md index c53823304..fa1e38b52 100644 --- a/README.md +++ b/README.md @@ -73,8 +73,8 @@ File transfer: filezilla Media: vlc, mpv, gnome-mplayer -Office: evince, gthumb, fbreader +Office: evince, gthumb, fbreader, pix ## New security profiles -Gitter, gThumb, mpv, Franz messenger, LibreOffice +Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix diff --git a/RELNOTES b/RELNOTES index 4a698620b..767ef8f34 100644 --- a/RELNOTES +++ b/RELNOTES @@ -4,6 +4,7 @@ firejail (0.9.41) baseline; urgency=low * compile time support to disable global configuration file * some profiles have been converted to private-bin * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice + * new profiles: pix -- netblue30 Tue, 31 May 2016 08:00:00 -0500 firejail (0.9.40) baseline; urgency=low diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index a5b33c860..70deb2b0c 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -17,6 +17,7 @@ blacklist ${HOME}/.config/atril blacklist ${HOME}/.config/xreader blacklist ${HOME}/.config/xviewer blacklist ${HOME}/.config/libreoffice +blacklist ${HOME}/.config/pix blacklist ${HOME}/.kde/share/apps/okular blacklist ${HOME}/.kde/share/config/okularrc blacklist ${HOME}/.kde/share/config/okularpartrc @@ -120,3 +121,4 @@ blacklist ${HOME}/.local/share/0ad blacklist ${HOME}/.local/share/xplayer blacklist ${HOME}/.local/share/totem blacklist ${HOME}/.local/share/psi+ +blacklist ${HOME}/.local/share/pix diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 2730a497c..d312d4bd9 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles 
@@ -116,5 +116,4 @@ /etc/firejail/lomath.profile /etc/firejail/loweb.profile /etc/firejail/lowriter.profile - - +/etc/firejail/pix.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index b54ca221c..ee90a6d89 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -118,6 +118,7 @@ lowriter Mathematica mathematica okular +pix xreader # other -- cgit v1.2.3-70-g09d2 From c34aceb3df382f5649582854c05fc50dc5f5bc29 Mon Sep 17 00:00:00 2001 From: avoidr Date: Mon, 20 Jun 2016 04:03:07 +0200 Subject: mpv.profile: make youtube-dl work --- etc/mpv.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/mpv.profile b/etc/mpv.profile index cbed7e8c6..80f8de54a 100644 --- a/etc/mpv.profile +++ b/etc/mpv.profile @@ -15,4 +15,4 @@ seccomp # to test shell none -private-bin mpv +private-bin mpv,youtube-dl,python2.7 -- cgit v1.2.3-70-g09d2 From 42b48c6e44235e323db8dd77428a4d7923ab6de2 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 21 Jun 2016 12:08:53 -0400 Subject: libreoffice fix --- Makefile.in | 1 + README | 1 + etc/soffice.profile | 5 +++++ src/firecfg/firecfg.config | 1 + 4 files changed, 8 insertions(+) create mode 100644 etc/soffice.profile diff --git a/Makefile.in b/Makefile.in index 1a5a9160d..b21200180 100644 --- a/Makefile.in +++ b/Makefile.in @@ -207,6 +207,7 @@ realinstall: install -c -m 0644 .etc/loweb.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/lowriter.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/pix.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/soffice.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/. rm -fr .etc diff --git a/README b/README index 9dfbbec14..087e4f07d 100644 --- a/README +++ b/README 
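Review bot: `private-bin mpv,youtube-dl,python2.7` places a general-purpose interpreter in the restricted bin directory, so the sandboxed process is no longer limited to the mpv binary. The pinned `python2.7` name also only helps on systems where youtube-dl runs under exactly that binary. The line carries no comment explaining the trade-off; I would add `# youtube-dl is a Python script: the interpreter is required, which widens private-bin` above it. How youtube-dl locates its interpreter is not visible here, so the binary list should be confirmed on the target distributions.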
@@ -51,6 +51,7 @@ avoidr (https://github.com/avoidr) - paths fix - lots of profile fixes - added mcabber profile + - fixed mpv profile Ruan (https://github.com/ruany) - fixed hexchat profile Vasya Novikov (https://github.com/vn971) diff --git a/etc/soffice.profile b/etc/soffice.profile new file mode 100644 index 000000000..fecd08822 --- /dev/null +++ b/etc/soffice.profile @@ -0,0 +1,5 @@ +################################ +# LibreOffice profile +################################ +include /etc/firejail/libreoffice.profile + diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index ee90a6d89..7340e430e 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -115,6 +115,7 @@ loimpres lomath loweb lowriter +soffice Mathematica mathematica okular -- cgit v1.2.3-70-g09d2 From fbf0ca925f15b6e32919cc2fc68be3245f46e9e7 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 23 Jun 2016 08:42:00 -0400 Subject: x11/chroot fix --- src/firejail/fs.c | 32 +++++++++++++++++++++++++++----- src/firejail/x11.c | 3 +++ 2 files changed, 30 insertions(+), 5 deletions(-) diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 7811fd2a2..be77dfa85 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -1006,7 +1006,7 @@ int fs_check_chroot_dir(const char *rootdir) { } free(name); - // check /proc + // check /tmp if (asprintf(&name, "%s/tmp", rootdir) == -1) errExit("asprintf"); if (stat(name, &s) == -1) { @@ -1014,7 +1014,7 @@ int fs_check_chroot_dir(const char *rootdir) { return 1; } free(name); - + // check /bin/bash if (asprintf(&name, "%s/bin/bash", rootdir) == -1) errExit("asprintf"); 
@@ -1024,6 +1024,18 @@ int fs_check_chroot_dir(const char *rootdir) { } free(name); + // check x11 socket directory + if (getenv("FIREJAIL_X11")) { + char *name; + if (asprintf(&name, "%s/tmp/.X11-unix", rootdir) == -1) + errExit("asprintf"); + if (stat(name, &s) == -1) { + fprintf(stderr, "Error: cannot find /tmp/.X11-unix in chroot directory\n"); + return 1; + } + free(name); + } + return 0; } @@ -1031,10 +1043,7 @@ int fs_check_chroot_dir(const char *rootdir) { void fs_chroot(const char *rootdir) { assert(rootdir); - //*********************************** // mount-bind a /dev in rootdir - //*********************************** - // mount /dev char *newdev; if (asprintf(&newdev, "%s/dev", rootdir) == -1) errExit("asprintf"); @@ -1042,6 +1051,19 @@ void fs_chroot(const char *rootdir) { printf("Mounting /dev on %s\n", newdev); if (mount("/dev", newdev, NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mounting /dev"); + free(newdev); + + // x11 + if (getenv("FIREJAIL_X11")) { + char *newx11; + if (asprintf(&newx11, "%s/tmp/.X11-unix", rootdir) == -1) + errExit("asprintf"); + if (arg_debug) + printf("Mounting /tmp/.X11-unix on %s\n", newdev); + if (mount("/tmp/.X11-unix", newx11, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mounting /tmp/.X11-unix"); + free(newx11); + } // some older distros don't have a /run directory // create one by default diff --git a/src/firejail/x11.c b/src/firejail/x11.c index c742ff567..2accaeb71 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c @@ -168,6 +168,8 @@ void x11_start_xephyr(int argc, char **argv) { pid_t server = 0; + setenv("FIREJAIL_X11", "yes", 1); + // unfortunately, xephyr does a number of weird things when started by root user!!! if (getuid() == 0) { fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n"); 
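Review bot: The new X11 check in fs_check_chroot_dir() accepts whatever exists at `<rootdir>/tmp/.X11-unix`: `stat()` follows symbolic links and the file type is never examined, while fs_chroot() later uses the same path as a bind-mount target. Since rootdir presumably comes from the user's command line, I would at least require a real directory for the last path component, `if (lstat(name, &s) == -1 || !S_ISDIR(s.st_mode)) {`. The inner `char *name;` also shadows the outer `name` that the preceding `free(name);` shows is already in scope, and the error return skips `free(name)`; drop the declaration and free before `return 1;`. The function begins outside the hunk.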
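Review bot: The debug message in the new X11 block of fs_chroot() prints `newdev`, which this same hunk releases a few lines earlier with `free(newdev);`, so running with debugging enabled reads freed memory and reports the wrong path. The line should be `printf("Mounting /tmp/.X11-unix on %s\n", newx11);`. fs_chroot() continues past the end of the hunk.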
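Review bot: `setenv("FIREJAIL_X11", "yes", 1);` passes state to fs.c through the process environment, and `getenv("FIREJAIL_X11")` there is true for any value, including one inherited from the invoking user's environment. Unless the environment is cleaned earlier, which is not visible here, the chroot X11 check and bind mount can therefore be enabled without x11_start_xephyr() or x11_start_xpra() having run; the second `setenv` is in the following x11.c hunk. A program-internal flag would avoid that; failing that, the call should be checked, `if (setenv("FIREJAIL_X11", "yes", 1) == -1) errExit("setenv");`, and commented with `// read by fs_check_chroot_dir() and fs_chroot(); an inherited value has the same effect`.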
@@ -296,6 +298,7 @@ void x11_start_xpra(int argc, char **argv) { pid_t client = 0; pid_t server = 0; + setenv("FIREJAIL_X11", "yes", 1); // unfortunately, xpra does a number of weird things when started by root user!!! if (getuid() == 0) { -- cgit v1.2.3-70-g09d2 From 66e7bdf16731a225fdd260f4b1bfb8d73fe9ce22 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 23 Jun 2016 10:52:43 -0400 Subject: profile update --- etc/deluge.profile | 2 ++ etc/evince.profile | 1 + etc/fbreader.profile | 1 + etc/filezilla.profile | 1 + etc/gthumb.profile | 1 + etc/pix.profile | 2 ++ etc/qbittorrent.profile | 1 + etc/rtorrent.profile | 1 + etc/transmission-gtk.profile | 2 ++ etc/transmission-qt.profile | 1 + etc/uget-gtk.profile | 2 ++ 11 files changed, 15 insertions(+) diff --git a/etc/deluge.profile b/etc/deluge.profile index 96df13a73..61bc80bd5 100644 --- a/etc/deluge.profile +++ b/etc/deluge.profile @@ -16,3 +16,5 @@ seccomp shell none private-bin deluge,sh,python,uname whitelist /tmp/.X11-unix +private-dev + diff --git a/etc/evince.profile b/etc/evince.profile index 320d55fad..9899da84d 100644 --- a/etc/evince.profile +++ b/etc/evince.profile @@ -14,3 +14,4 @@ seccomp shell none private-bin evince,evince-previewer,evince-thumbnailer whitelist /tmp/.X11-unix +private-dev diff --git a/etc/fbreader.profile b/etc/fbreader.profile index f155b02af..24b35df9a 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile @@ -17,3 +17,4 @@ seccomp shell none private-bin fbreader,FBReader whitelist /tmp/.X11-unix +private-dev diff --git a/etc/filezilla.profile b/etc/filezilla.profile index c146dba13..390769382 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile @@ -17,3 +17,4 @@ seccomp shell none private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp whitelist /tmp/.X11-unix +private-dev diff --git a/etc/gthumb.profile b/etc/gthumb.profile index 2d6cd160c..44e7051a5 100644 --- a/etc/gthumb.profile +++ b/etc/gthumb.profile 
@@ -16,3 +16,4 @@ seccomp shell none private-bin gthumb whitelist /tmp/.X11-unix +private-dev diff --git a/etc/pix.profile b/etc/pix.profile index ccf0c0381..4e53de00b 100644 --- a/etc/pix.profile +++ b/etc/pix.profile @@ -17,3 +17,5 @@ seccomp shell none private-bin pix whitelist /tmp/.X11-unix +private-dev + diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index b2bfe49ca..c5b9a72e6 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile @@ -16,3 +16,4 @@ seccomp #shell none #private-bin qbittorrent whitelist /tmp/.X11-unix +private-dev diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index 97c2335a8..1226a51cd 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile @@ -15,3 +15,4 @@ seccomp shell none private-bin rtorrent whitelist /tmp/.X11-unix +private-dev diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index 80d71d615..fa5c3b22b 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile @@ -19,3 +19,5 @@ tracelog shell none private-bin transmission-gtk whitelist /tmp/.X11-unix +private-dev + diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index dfb600871..754211a63 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile @@ -19,3 +19,4 @@ tracelog shell none private-bin transmission-qt whitelist /tmp/.X11-unix +private-dev diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile index 591a82af4..2c3c62c5f 100644 --- a/etc/uget-gtk.profile +++ b/etc/uget-gtk.profile @@ -21,3 +21,5 @@ include /etc/firejail/whitelist-common.inc shell none private-bin uget-gtk whitelist /tmp/.X11-unix +private-dev + -- cgit v1.2.3-70-g09d2 From 152a2259a597029fd8cd93d5b806c7e685d17d7a Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 23 Jun 2016 13:20:11 -0400 Subject: overlayfs fix --- src/firejail/fs.c | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) 
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index be77dfa85..5665ab456 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -928,17 +928,19 @@ void fs_overlayfs(void) { fs_logger("whitelist /run"); // mount-bind /tmp/.X11-unix directory - if (arg_debug) - printf("Mounting /tmp/.X11-unix\n"); - char *x11; - if (asprintf(&x11, "%s/tmp/.X11-unix", oroot) == -1) - errExit("asprintf"); - if (mount("/tmp/.X11-unix", x11, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mounting /tmp/.X11-unix"); - fs_logger("whitelist /tmp/.X11-unix"); - - - + struct stat s; + if (stat("/tmp/.X11-unix", &s) == 0) { + if (arg_debug) + printf("Mounting /tmp/.X11-unix\n"); + char *x11; + if (asprintf(&x11, "%s/tmp/.X11-unix", oroot) == -1) + errExit("asprintf"); + if (mount("/tmp/.X11-unix", x11, NULL, MS_BIND|MS_REC, NULL) < 0) + fprintf(stderr, "Warning: cannot mount /tmp/.X11-unix in overlay\n"); + else + fs_logger("whitelist /tmp/.X11-unix"); + free(x11); + } // chroot in the new filesystem if (chroot(oroot) == -1) -- cgit v1.2.3-70-g09d2 From a501b24f0be4e49ebfe873e71e1421562a747334 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Fri, 24 Jun 2016 04:12:21 +1000 Subject: Fixed conffiles warning for soffice --- platform/debian/conffiles | 1 + 1 file changed, 1 insertion(+) diff --git a/platform/debian/conffiles b/platform/debian/conffiles index d312d4bd9..574567f4d 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -117,3 +117,4 @@ /etc/firejail/loweb.profile /etc/firejail/lowriter.profile /etc/firejail/pix.profile +/etc/firejail/soffice.profile -- cgit v1.2.3-70-g09d2 From 8fc12eeaa7aed0a5e6c260e0e6129820e2ddd164 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 24 Jun 2016 11:53:10 -0400 Subject: updated syscall list --- src/firejail/syscall.h | 135 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 135 insertions(+) diff --git a/src/firejail/syscall.h b/src/firejail/syscall.h index 5b2cb4915..68d4b5736 100644 
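Review bot: The new guard `if (stat("/tmp/.X11-unix", &s) == 0)` in fs_overlayfs() is satisfied by any file type and follows symbolic links. /tmp is normally writable by every local user, so when no X server has created the directory, the bind-mount source is whatever holds that name. I would tighten it to `if (lstat("/tmp/.X11-unix", &s) == 0 && S_ISDIR(s.st_mode)) {`; whether an ownership check on `s.st_uid` is also appropriate depends on how the X server creates the directory on the supported systems. The new warning also drops the failure reason, which `strerror(errno)` would supply. fs_overlayfs() starts and ends outside the hunk.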
--- a/src/firejail/syscall.h +++ b/src/firejail/syscall.h @@ -37,6 +37,11 @@ {"_sysctl", __NR__sysctl}, #endif #endif +#ifdef SYS_accept4 +#ifdef __NR_accept4 + {"accept4", __NR_accept4}, +#endif +#endif #ifdef SYS_access #ifdef __NR_access {"access", __NR_access}, @@ -72,6 +77,11 @@ {"bdflush", __NR_bdflush}, #endif #endif +#ifdef SYS_bind +#ifdef __NR_bind + {"bind", __NR_bind}, +#endif +#endif #ifdef SYS_bpf #ifdef __NR_bpf {"bpf", __NR_bpf}, @@ -157,6 +167,16 @@ {"close", __NR_close}, #endif #endif +#ifdef SYS_connect +#ifdef __NR_connect + {"connect", __NR_connect}, +#endif +#endif +#ifdef SYS_copy_file_range +#ifdef __NR_copy_file_range + {"copy_file_range", __NR_copy_file_range}, +#endif +#endif #ifdef SYS_creat #ifdef __NR_creat {"creat", __NR_creat}, @@ -492,6 +512,11 @@ {"getitimer", __NR_getitimer}, #endif #endif +#ifdef SYS_getpeername +#ifdef __NR_getpeername + {"getpeername", __NR_getpeername}, +#endif +#endif #ifdef SYS_getpgid #ifdef __NR_getpgid {"getpgid", __NR_getpgid}, @@ -562,6 +587,16 @@ {"getsid", __NR_getsid}, #endif #endif +#ifdef SYS_getsockname +#ifdef __NR_getsockname + {"getsockname", __NR_getsockname}, +#endif +#endif +#ifdef SYS_getsockopt +#ifdef __NR_getsockopt + {"getsockopt", __NR_getsockopt}, +#endif +#endif #ifdef SYS_gettid #ifdef __NR_gettid {"gettid", __NR_gettid}, @@ -722,6 +757,11 @@ {"linkat", __NR_linkat}, #endif #endif +#ifdef SYS_listen +#ifdef __NR_listen + {"listen", __NR_listen}, +#endif +#endif #ifdef SYS_listxattr #ifdef __NR_listxattr {"listxattr", __NR_listxattr}, @@ -777,6 +817,11 @@ {"mbind", __NR_mbind}, #endif #endif +#ifdef SYS_membarrier +#ifdef __NR_membarrier + {"membarrier", __NR_membarrier}, +#endif +#endif #ifdef SYS_memfd_create #ifdef __NR_memfd_create {"memfd_create", __NR_memfd_create}, @@ -817,6 +862,11 @@ {"mlock", __NR_mlock}, #endif #endif +#ifdef SYS_mlock2 +#ifdef __NR_mlock2 + {"mlock2", __NR_mlock2}, +#endif +#endif #ifdef SYS_mlockall #ifdef __NR_mlockall {"mlockall", __NR_mlockall}, 
@@ -1122,11 +1172,21 @@ {"reboot", __NR_reboot}, #endif #endif +#ifdef SYS_recvfrom +#ifdef __NR_recvfrom + {"recvfrom", __NR_recvfrom}, +#endif +#endif #ifdef SYS_recvmmsg #ifdef __NR_recvmmsg {"recvmmsg", __NR_recvmmsg}, #endif #endif +#ifdef SYS_recvmsg +#ifdef __NR_recvmsg + {"recvmsg", __NR_recvmsg}, +#endif +#endif #ifdef SYS_remap_file_pages #ifdef __NR_remap_file_pages {"remap_file_pages", __NR_remap_file_pages}, @@ -1292,6 +1352,16 @@ {"sendmmsg", __NR_sendmmsg}, #endif #endif +#ifdef SYS_sendmsg +#ifdef __NR_sendmsg + {"sendmsg", __NR_sendmsg}, +#endif +#endif +#ifdef SYS_sendto +#ifdef __NR_sendto + {"sendto", __NR_sendto}, +#endif +#endif #ifdef SYS_set_mempolicy #ifdef __NR_set_mempolicy {"set_mempolicy", __NR_set_mempolicy}, @@ -1432,6 +1502,11 @@ {"setsid", __NR_setsid}, #endif #endif +#ifdef SYS_setsockopt +#ifdef __NR_setsockopt + {"setsockopt", __NR_setsockopt}, +#endif +#endif #ifdef SYS_settimeofday #ifdef __NR_settimeofday {"settimeofday", __NR_settimeofday}, @@ -1457,6 +1532,11 @@ {"sgetmask", __NR_sgetmask}, #endif #endif +#ifdef SYS_shutdown +#ifdef __NR_shutdown + {"shutdown", __NR_shutdown}, +#endif +#endif #ifdef SYS_sigaction #ifdef __NR_sigaction {"sigaction", __NR_sigaction}, @@ -1502,11 +1582,21 @@ {"sigsuspend", __NR_sigsuspend}, #endif #endif +#ifdef SYS_socket +#ifdef __NR_socket + {"socket", __NR_socket}, +#endif +#endif #ifdef SYS_socketcall #ifdef __NR_socketcall {"socketcall", __NR_socketcall}, #endif #endif +#ifdef SYS_socketpair +#ifdef __NR_socketpair + {"socketpair", __NR_socketpair}, +#endif +#endif #ifdef SYS_splice #ifdef __NR_splice {"splice", __NR_splice}, @@ -1722,6 +1812,11 @@ {"uselib", __NR_uselib}, #endif #endif +#ifdef SYS_userfaultfd +#ifdef __NR_userfaultfd + {"userfaultfd", __NR_userfaultfd}, +#endif +#endif #ifdef SYS_ustat #ifdef __NR_ustat {"ustat", __NR_ustat}, 
@@ -1934,6 +2029,11 @@ {"connect", __NR_connect}, #endif #endif +#ifdef SYS_copy_file_range +#ifdef __NR_copy_file_range + {"copy_file_range", __NR_copy_file_range}, +#endif +#endif #ifdef SYS_creat #ifdef __NR_creat {"creat", __NR_creat}, @@ -2484,6 +2584,11 @@ {"mbind", __NR_mbind}, #endif #endif +#ifdef SYS_membarrier +#ifdef __NR_membarrier + {"membarrier", __NR_membarrier}, +#endif +#endif #ifdef SYS_memfd_create #ifdef __NR_memfd_create {"memfd_create", __NR_memfd_create}, @@ -2524,6 +2629,11 @@ {"mlock", __NR_mlock}, #endif #endif +#ifdef SYS_mlock2 +#ifdef __NR_mlock2 + {"mlock2", __NR_mlock2}, +#endif +#endif #ifdef SYS_mlockall #ifdef __NR_mlockall {"mlockall", __NR_mlockall}, @@ -3354,6 +3464,11 @@ {"uselib", __NR_uselib}, #endif #endif +#ifdef SYS_userfaultfd +#ifdef __NR_userfaultfd + {"userfaultfd", __NR_userfaultfd}, +#endif +#endif #ifdef SYS_ustat #ifdef __NR_ustat {"ustat", __NR_ustat}, @@ -3546,6 +3661,11 @@ {"connect", __NR_connect}, #endif #endif +#ifdef SYS_copy_file_range +#ifdef __NR_copy_file_range + {"copy_file_range", __NR_copy_file_range}, +#endif +#endif #ifdef SYS_creat #ifdef __NR_creat {"creat", __NR_creat}, @@ -4071,6 +4191,11 @@ {"mbind", __NR_mbind}, #endif #endif +#ifdef SYS_membarrier +#ifdef __NR_membarrier + {"membarrier", __NR_membarrier}, +#endif +#endif #ifdef SYS_memfd_create #ifdef __NR_memfd_create {"memfd_create", __NR_memfd_create}, @@ -4111,6 +4236,11 @@ {"mlock", __NR_mlock}, #endif #endif +#ifdef SYS_mlock2 +#ifdef __NR_mlock2 + {"mlock2", __NR_mlock2}, +#endif +#endif #ifdef SYS_mlockall #ifdef __NR_mlockall {"mlockall", __NR_mlockall}, @@ -4921,6 +5051,11 @@ {"unshare", __NR_unshare}, #endif #endif +#ifdef SYS_userfaultfd +#ifdef __NR_userfaultfd + {"userfaultfd", __NR_userfaultfd}, +#endif +#endif #ifdef SYS_ustat #ifdef __NR_ustat {"ustat", __NR_ustat}, -- cgit v1.2.3-70-g09d2 From 02afbccc304136a6a70dd72cf239f3ee83e1813b Mon Sep 17 00:00:00 2001 
From: rahul golam Date: Sat, 25 Jun 2016 14:25:28 +0400 Subject: add a firejail profile for strings --- strings.profile | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 strings.profile diff --git a/strings.profile b/strings.profile new file mode 100644 index 000000000..ea6d4b415 --- /dev/null +++ b/strings.profile @@ -0,0 +1,12 @@ +noblacklist ~/.config + +include /usr/local/etc/firejail/disable-common.inc +include /usr/local/etc/firejail/disable-programs.inc +include /usr/local/etc/firejail/disable-devel.inc +include /usr/local/etc/firejail/disable-passwdmgr.inc + +caps.drop all +noroot +nonewprivs +seccomp +tracelog -- cgit v1.2.3-70-g09d2 From cb8f31dd884ed312443e2080f4e283a81ea914df Mon Sep 17 00:00:00 2001 From: kouul Date: Sat, 25 Jun 2016 15:25:12 +0400 Subject: xz decompressor --- etc/xzdec.profile | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 etc/xzdec.profile diff --git a/etc/xzdec.profile b/etc/xzdec.profile new file mode 100644 index 000000000..f29f7360c --- /dev/null +++ b/etc/xzdec.profile @@ -0,0 +1,13 @@ +# Firejail profile for XZ decompressor +# xzdec.profile + +include /etc/firejail/disable-mgmt.inc +include /etc/firejail/disable-secret.inc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc + +caps.drop all +seccomp +tracelog +noroot +shell none -- cgit v1.2.3-70-g09d2 From 82ebb6b943cb8b9ad1de1109ae93629e95d17492 Mon Sep 17 00:00:00 2001 From: jaykishan mutkawoa Date: Sat, 25 Jun 2016 15:52:58 +0400 Subject: cpio sandbox profile for decompression --- etc/cpio.profile | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 etc/cpio.profile diff --git a/etc/cpio.profile b/etc/cpio.profile new file mode 100644 index 000000000..0efe2e20c --- /dev/null +++ b/etc/cpio.profile 
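Review bot: The four `include /usr/local/etc/firejail/...` lines in strings.profile hard-code one install prefix, whereas the other profiles in this series include from `/etc/firejail/`; on a system installed under /etc the blacklist includes would not be found (how firejail treats a missing include is not visible here). The same paths appear in etc/cpio.profile in a later commit of this series. `noblacklist ~/.config` also exempts the whole configuration directory from the `${HOME}/.config/...` blacklists in disable-programs.inc, which a tool like strings has no need for. I would write `include /etc/firejail/disable-common.inc` (likewise for the other three), drop the `noblacklist` line, and add `net none` and `shell none`, which gzip.profile and xzdec.profile respectively set.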
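Review bot: `include /etc/firejail/disable-mgmt.inc` and `include /etc/firejail/disable-secret.inc` in etc/xzdec.profile name files that no other profile on this page includes; the rest use disable-common.inc, disable-programs.inc, disable-devel.inc and disable-passwdmgr.inc. It should be confirmed that both files exist in the tree this commit targets, otherwise the intended blacklists are not applied. For a decompressor that handles untrusted archives the profile also leaves out `nonewprivs` and `net none`, both of which gzip.profile in the same series sets. I would replace the two includes with `include /etc/firejail/disable-programs.inc` and `include /etc/firejail/disable-passwdmgr.inc` and add those two options.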
@@ -0,0 +1,7 @@ +include /usr/local/etc/firejail/server.profile +include /usr/local/etc/firejail/disable-common.inc +include /usr/local/etc/firejail/disable-programs.inc +include /usr/local/etc/firejail/disable-passwdmgr.inc +caps.drop all +shell none +seccomp -- cgit v1.2.3-70-g09d2 From b92cae3a9222decc4aebb447a44ffa127cedd3be Mon Sep 17 00:00:00 2001 From: root Date: Sat, 25 Jun 2016 15:57:38 +0400 Subject: Committer: Paupiah Yashvi Desctiption: Gzip sandbox profile for decompression Changes to be committed: new file: gzip.profile --- etc/gzip.profile | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 etc/gzip.profile diff --git a/etc/gzip.profile b/etc/gzip.profile new file mode 100644 index 000000000..f231c3780 --- /dev/null +++ b/etc/gzip.profile @@ -0,0 +1,19 @@ +################################ +# Gzip profile +################################ +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +blacklist ${HOME}/.wine +blacklist ${HOME}/.ssh + +tracelog +caps.drop all +seccomp +net none +noroot +nosound +nogroups +nonewprivs + -- cgit v1.2.3-70-g09d2 From 135b32363fe676f05684b3a152da3c6110f65770 Mon Sep 17 00:00:00 2001 From: jaykishan mutkawoa Date: Sun, 26 Jun 2016 12:45:03 +0400 Subject: sandbox profile for CPIO --- etc/cpio.profile | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/cpio.profile b/etc/cpio.profile index 0efe2e20c..811d657f2 100644 --- a/etc/cpio.profile +++ b/etc/cpio.profile @@ -3,5 +3,6 @@ include /usr/local/etc/firejail/disable-common.inc include /usr/local/etc/firejail/disable-programs.inc include /usr/local/etc/firejail/disable-passwdmgr.inc caps.drop all +net none shell none seccomp -- cgit v1.2.3-70-g09d2 From ce8789af098b9fded984b9ea65fb09ad75a58936 Mon Sep 17 00:00:00 2001 
From: Fred-Barclay Date: Mon, 27 Jun 2016 05:33:05 +1000 Subject: added audacity profile --- etc/audacity.profile | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 etc/audacity.profile diff --git a/etc/audacity.profile b/etc/audacity.profile new file mode 100644 index 000000000..8971ce1a2 --- /dev/null +++ b/etc/audacity.profile @@ -0,0 +1,16 @@ +# Audacity profile +noblacklist ~/.audacity-data + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +caps.drop all +netfilter +nonewprivs +noroot +nogroups +#private-bin audacity +protocol unix,inet,inet6 +seccomp -- cgit v1.2.3-70-g09d2 From a9108bb31f7ed62ef06dc15854697e5e3161108c Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Mon, 27 Jun 2016 05:37:45 +1000 Subject: extra audacity files --- Makefile.in | 1 + README | 3 ++- README.md | 2 +- RELNOTES | 2 +- etc/disable-programs.inc | 1 + platform/debian/conffiles | 1 + src/firecfg/firecfg.config | 1 + 7 files changed, 8 insertions(+), 3 deletions(-) diff --git a/Makefile.in b/Makefile.in index b21200180..38279beca 100644 --- a/Makefile.in +++ b/Makefile.in @@ -208,6 +208,7 @@ realinstall: install -c -m 0644 .etc/lowriter.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/pix.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/soffice.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/audacity.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/. rm -fr .etc diff --git a/README b/README index 087e4f07d..ab7115bec 100644 --- a/README +++ b/README 
@@ -89,8 +89,9 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added Brave profile - added Gitter profile - various organising - - added Libreoffice profile + - added LibreOffice profile - added pix profile + - added audacity profile Petter Reinholdtsen (pere@hungry.com) - Opera profile patch n1trux (https://github.com/n1trux) diff --git a/README.md b/README.md index fa1e38b52..6ab15d2fd 100644 --- a/README.md +++ b/README.md @@ -77,4 +77,4 @@ Office: evince, gthumb, fbreader, pix ## New security profiles -Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix +Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity diff --git a/RELNOTES b/RELNOTES index 767ef8f34..78a21bd2b 100644 --- a/RELNOTES +++ b/RELNOTES @@ -4,7 +4,7 @@ firejail (0.9.41) baseline; urgency=low * compile time support to disable global configuration file * some profiles have been converted to private-bin * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice - * new profiles: pix + * new profiles: pix, audacity -- netblue30 Tue, 31 May 2016 08:00:00 -0500 firejail (0.9.40) baseline; urgency=low diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 70deb2b0c..e9dd331aa 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -32,6 +32,7 @@ blacklist ${HOME}/.config/vlc blacklist ${HOME}/.config/mpv blacklist ${HOME}/.config/totem blacklist ${HOME}/.config/xplayer +blacklist ${HOME}/.audacity-data # HTTP / FTP / Mail blacklist ${HOME}/.icedove diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 574567f4d..eca804ab6 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -118,3 +118,4 @@ /etc/firejail/lowriter.profile /etc/firejail/pix.profile /etc/firejail/soffice.profile +/etc/firejail/audacity.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 7340e430e..35338d427 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config 
@@ -83,6 +83,7 @@ warzone2100 # Media audacious +audacity clementine cmus deadbeef -- cgit v1.2.3-70-g09d2 From 7b458eadbf0ad73153bcce884721cb3e7a82b21c Mon Sep 17 00:00:00 2001 From: avoidr Date: Mon, 27 Jun 2016 01:14:30 +0200 Subject: tighten disable-devel.inc --- etc/disable-devel.inc | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc index 821aa1ea4..963cf6da0 100644 --- a/etc/disable-devel.inc +++ b/etc/disable-devel.inc @@ -2,15 +2,20 @@ # GCC blacklist /usr/include +blacklist /usr/lib/gcc blacklist /usr/bin/gcc* blacklist /usr/bin/cpp* blacklist /usr/bin/c9* blacklist /usr/bin/c8* blacklist /usr/bin/c++* +blacklist /usr/bin/as blacklist /usr/bin/ld blacklist /usr/bin/gdb blacklist /usr/bin/g++* blacklist /usr/bin/x86_64-linux-gnu-g++* +blacklist /usr/bin/x86_64-linux-gnu-gcc* +blacklist /usr/bin/x86_64-unknown-linux-gnu-g++* +blacklist /usr/bin/x86_64-unknown-linux-gnu-gcc* # clang/llvm blacklist /usr/bin/clang* @@ -18,6 +23,11 @@ blacklist /usr/bin/llvm* blacklist /usb/bin/lldb* blacklist /usr/lib/llvm* +# tcc - Tiny C Compiler +blacklist /usr/bin/tcc +blacklist /usr/bin/x86_64-tcc +blacklist /usr/lib/tcc + # Valgrind blacklist /usr/bin/valgrind* blacklist /usr/lib/valgrind @@ -51,4 +61,3 @@ blacklist /usr/lib/ruby #blacklist /usr/local/lib/python3* #blacklist /usr/share/python3* #blacklist /usr/include/python3* - -- cgit v1.2.3-70-g09d2 From c95e16451b83eea2cbfada9b42d2e6b9c77126a5 Mon Sep 17 00:00:00 2001 From: avoidr Date: Mon, 27 Jun 2016 01:27:51 +0200 Subject: fix some typos --- src/firejail/usage.c | 2 +- src/man/firejail-login.txt | 2 +- src/man/firejail-profile.txt | 2 +- src/man/firejail.txt | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/firejail/usage.c b/src/firejail/usage.c index af1a30ac3..82b1affcc 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c 
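Review bot: In the clang/llvm group of etc/disable-devel.inc the context line `blacklist /usb/bin/lldb*` has a misspelled prefix, so the rule presumably matches nothing and lldb stays reachable even after this tightening; it should be `blacklist /usr/bin/lldb*`. The new compiler entries in the first hunk are also limited to `x86_64-` target triplets, which deserves a comment such as `# x86_64 only; other architectures use different triplet prefixes`.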
@@ -336,7 +336,7 @@ void usage(void) { printf("\n"); printf("Restricted shell\n\n"); printf("To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in\n"); - printf("/etc/password file for each user that needs to be restricted.\n"); + printf("/etc/passwd file for each user that needs to be restricted.\n"); printf("Alternatively, you can specify /usr/bin/firejail in adduser command:\n\n"); printf(" adduser --shell /usr/bin/firejail username\n\n"); printf("Arguments to be passed to firejail executable upon login are declared in\n"); diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt index 6cd9ce3cb..464551202 100644 --- a/src/man/firejail-login.txt +++ b/src/man/firejail-login.txt @@ -15,7 +15,7 @@ Example: .SH RESTRICTED SHELL To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in -/etc/password file for each user that needs to be restricted. Alternatively, +/etc/passwd file for each user that needs to be restricted. Alternatively, you can specify /usr/bin/firejail using adduser or usermod commands: adduser \-\-shell /usr/bin/firejail username diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 1f7c8beac..c2d5e7955 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -243,7 +243,7 @@ Enable seccomp filter and whitelist the system calls in the list. Sets the NO_NEW_PRIVS prctl. This ensures that child processes cannot acquire new privileges using execve(2); in particular, this means that calling a suid binary (or one with file capabilities) -does not results in an increase of privilege. +does not result in an increase of privilege. .TP \fBnoroot Use this command to enable an user namespace. The namespace has only one user, the current user. diff --git a/src/man/firejail.txt b/src/man/firejail.txt index d72deab2f..bb8c64dc9 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
@@ -926,7 +926,7 @@ $ Sets the NO_NEW_PRIVS prctl. This ensures that child processes cannot acquire new privileges using execve(2); in particular, this means that calling a suid binary (or one with file capabilities) -does not results in an increase of privilege. +does not result in an increase of privilege. .TP \fB\-\-nosound -- cgit v1.2.3-70-g09d2 From 7b5b2f9d29218a662cac81f88ff0e39aa9b37c2c Mon Sep 17 00:00:00 2001 From: avoidr Date: Mon, 27 Jun 2016 01:47:20 +0200 Subject: s/Xephry/Xephyr/ --- etc/firejail.config | 2 +- src/man/firejail-config.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/etc/firejail.config b/etc/firejail.config index eaff4de8f..59bbd77a5 100644 --- a/etc/firejail.config +++ b/etc/firejail.config @@ -46,7 +46,7 @@ # xephyr-screen 1024x768 # xephyr-screen 1280x1024 -# Firejail window title in Xephry, default enabled. +# Firejail window title in Xephyr, default enabled. # xephyr-window-title yes # Xephyr command extra parameters. None by default, and the declaration is commented out. diff --git a/src/man/firejail-config.txt b/src/man/firejail-config.txt index bc29dc977..386eda976 100644 --- a/src/man/firejail-config.txt +++ b/src/man/firejail-config.txt @@ -76,7 +76,7 @@ xephyr-screen 1280x1024 .TP \fBxephyr-window-title -Firejail window title in Xephry, default enabled. +Firejail window title in Xephyr, default enabled. .TP \fBxephyr-extra-params -- cgit v1.2.3-70-g09d2 From e34051c203dd7eafcd70789ccc852b743b782c3b Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 26 Jun 2016 21:40:19 -0400 Subject: strings, cpio, gzip, xz profiles --- Makefile.in | 4 ++++ README | 9 +++++++++ README.md | 2 +- etc/strings.profile | 12 ++++++++++++ platform/debian/conffiles | 5 +++++ strings.profile | 12 ------------ 6 files changed, 31 insertions(+), 13 deletions(-) create mode 100644 etc/strings.profile delete mode 100644 strings.profile diff --git a/Makefile.in b/Makefile.in index 38279beca..cb166aa33 100644 --- a/Makefile.in 
+++ b/Makefile.in @@ -209,6 +209,10 @@ realinstall: install -c -m 0644 .etc/pix.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/soffice.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/audacity.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/cpio.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/gzip.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/xzdec.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/strings.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/. rm -fr .etc diff --git a/README b/README index ab7115bec..65eeccd03 100644 --- a/README +++ b/README @@ -25,6 +25,14 @@ Reiner Herrmann (https://github.com/reinerh) - clang-analyzer fixes - Debian reproducible build - unit testing framework +Jaykishan Mutkawoa (https://github.com/jmutkawoa) + - cpio profile +Paupiah Yash (https://github.com/CaffeinatedStud) + - gzip profile +Akhil Hans Maulloo (https://github.com/kouul) + - xz profile +Rahul Golam (https://github.com/technoLord) + - strings profile geg2048 (https://github.com/geg2048) - kwallet profile fixes Simon Peter (https://github.com/probonopd) @@ -52,6 +60,7 @@ avoidr (https://github.com/avoidr) - lots of profile fixes - added mcabber profile - fixed mpv profile + - various other fixes Ruan (https://github.com/ruany) - fixed hexchat profile Vasya Novikov (https://github.com/vn971) diff --git a/README.md b/README.md index 6ab15d2fd..b11dc8249 100644 --- a/README.md +++ b/README.md @@ -77,4 +77,4 @@ Office: evince, gthumb, fbreader, pix ## New security profiles -Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity +Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, gzip, cpio 
diff --git a/etc/strings.profile b/etc/strings.profile
new file mode 100644
index 000000000..ea6d4b415
--- /dev/null
+++ b/etc/strings.profile
@@ -0,0 +1,12 @@
+noblacklist ~/.config
+
+include /usr/local/etc/firejail/disable-common.inc
+include /usr/local/etc/firejail/disable-programs.inc
+include /usr/local/etc/firejail/disable-devel.inc
+include /usr/local/etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+noroot
+nonewprivs
+seccomp
+tracelog
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index eca804ab6..a09df0c29 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -119,3 +119,8 @@
 /etc/firejail/pix.profile
 /etc/firejail/soffice.profile
 /etc/firejail/audacity.profile
+/etc/firejail/cpio.profile
+/etc/firejail/gzip.profile
+/etc/firejail/xzdec.profile
+/etc/firejail/strings.profile
+
diff --git a/strings.profile b/strings.profile
deleted file mode 100644
index ea6d4b415..000000000
--- a/strings.profile
+++ /dev/null
@@ -1,12 +0,0 @@
-noblacklist ~/.config
-
-include /usr/local/etc/firejail/disable-common.inc
-include /usr/local/etc/firejail/disable-programs.inc
-include /usr/local/etc/firejail/disable-devel.inc
-include /usr/local/etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-noroot
-nonewprivs
-seccomp
-tracelog
-- cgit v1.2.3-70-g09d2
From fdaab24ae0123ec3b0d23f5df6dd3dd97946cc52 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Mon, 27 Jun 2016 09:03:06 -0400
Subject: cpio, gzip, strings, xzdec
---
 etc/cpio.profile | 14 ++++++++------
 etc/gzip.profile | 21 ++++-----------------
 etc/strings.profile | 16 +++++-----------
 etc/xzdec.profile | 16 +++++-----------
 4 files changed, 22 insertions(+), 45 deletions(-)
diff --git a/etc/cpio.profile b/etc/cpio.profile
index 811d657f2..f10b82962 100644
--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -1,8 +1,10 @@
-include /usr/local/etc/firejail/server.profile
-include /usr/local/etc/firejail/disable-common.inc
-include /usr/local/etc/firejail/disable-programs.inc
-include /usr/local/etc/firejail/disable-passwdmgr.inc
-caps.drop all
+# cpio profile
+# testing: find . -print -depth | cpio -ov > tree.cpio
+include /etc/firejail/default.profile
+tracelog
 net none
 shell none
-seccomp
+private-bin cpio
+private-dev
+
+
diff --git a/etc/gzip.profile b/etc/gzip.profile
index f231c3780..3c9e8a9bf 100644
--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -1,19 +1,6 @@
-################################
-# Gzip profile
-################################
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-blacklist ${HOME}/.wine
-blacklist ${HOME}/.ssh
-
+# gzip profile
+include /etc/firejail/default.profile
 tracelog
-caps.drop all
-seccomp
 net none
-noroot
-nosound
-nogroups
-nonewprivs
-
+shell none
+private-dev
diff --git a/etc/strings.profile b/etc/strings.profile
index ea6d4b415..8be9a5719 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -1,12 +1,6 @@
-noblacklist ~/.config
-
-include /usr/local/etc/firejail/disable-common.inc
-include /usr/local/etc/firejail/disable-programs.inc
-include /usr/local/etc/firejail/disable-devel.inc
-include /usr/local/etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-noroot
-nonewprivs
-seccomp
+# strings profile
+include /etc/firejail/default.profile
 tracelog
+net none
+shell none
+private-dev
diff --git a/etc/xzdec.profile b/etc/xzdec.profile
index f29f7360c..ade46dddd 100644
--- a/etc/xzdec.profile
+++ b/etc/xzdec.profile
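Review bot: The cpio hunk removes the explicit `caps.drop all` and `seccomp` lines and relies on `include /etc/firejail/default.profile`, a file whose contents are not part of this patch; the gzip, strings and xzdec hunks of the same commit do the same and between them also lose `noroot`, `nonewprivs`, `nogroups` and `nosound`. If default.profile does not set every one of these, the four profiles end up weaker than before, so either confirm that it does or keep the directives explicitly after the include. Once confirmed, a one-line comment next to the include naming the restrictions that come from default.profile would make the dependency visible to the next editor. The gzip hunk also drops the `blacklist ${HOME}/.ssh` and `blacklist ${HOME}/.wine` lines, which presumably need an equivalent in the included file.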
@@ -1,13 +1,7 @@ -# Firejail profile for XZ decompressor -# xzdec.profile - -include /etc/firejail/disable-mgmt.inc -include /etc/firejail/disable-secret.inc -include /etc/firejail/disable-common.inc -include /etc/firejail/disable-devel.inc - -caps.drop all -seccomp +# XZ decompressor profile +include /etc/firejail/default.profile tracelog -noroot +net none shell none +private-dev + -- cgit v1.2.3-70-g09d2 From 4ece607b8f833cf0974bcf2a5e41f0504cbbff59 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 28 Jun 2016 07:58:20 -0400 Subject: sysutils --- Makefile.in | 7 +++++- etc/cpio.profile | 21 ++++++++++++---- etc/gzip.profile | 1 + etc/strings.profile | 1 + etc/xz.profile | 2 ++ etc/xzdec.profile | 4 ++-- platform/debian/conffiles | 1 + src/firejail/main.c | 61 +++++++++++++++++++++++++++++++++++++---------- test/sysutils/cpio.exp | 26 ++++++++++++++++++++ test/sysutils/gzip.exp | 26 ++++++++++++++++++++ test/sysutils/strings.exp | 26 ++++++++++++++++++++ test/sysutils/sysutils.sh | 44 ++++++++++++++++++++++++++++++++++ test/sysutils/xzdec.exp | 29 ++++++++++++++++++++++ todo | 7 ++++++ 14 files changed, 235 insertions(+), 21 deletions(-) create mode 100644 etc/xz.profile create mode 100755 test/sysutils/cpio.exp create mode 100755 test/sysutils/gzip.exp create mode 100755 test/sysutils/strings.exp create mode 100755 test/sysutils/sysutils.sh create mode 100755 test/sysutils/xzdec.exp diff --git a/Makefile.in b/Makefile.in index cb166aa33..5204fc34a 100644 --- a/Makefile.in +++ b/Makefile.in @@ -53,6 +53,7 @@ clean: rm -f test/environment/wget-log* rm -fr test/environment/-testdir rm -f test/environment/logfile* + rm -f test/sysutils/firejail_t* cd test/compile; ./compile.sh --clean; cd ../.. cd test/dist-compile; ./compile.sh --clean; cd ../.. 
@@ -213,6 +214,7 @@ realinstall: install -c -m 0644 .etc/gzip.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/xzdec.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/strings.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/xz.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/. rm -fr .etc @@ -327,6 +329,9 @@ test-apps: test-apps-x11: cd test/apps-x11; ./apps-x11.sh | grep TESTING +test-sysutils: + cd test/sysutils; ./sysutils.sh | grep TESTING + test-utils: cd test/utils; ./utils.sh | grep TESTING @@ -342,5 +347,5 @@ test-network: test-fs: cd test/fs; ./fs.sh | grep TESTING -test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-filters +test: test-profiles test-fs test-utils test-environment test-sysutils test-apps test-apps-x11 test-filters echo "TEST COMPLETE" diff --git a/etc/cpio.profile b/etc/cpio.profile index f10b82962..b0e59c106 100644 --- a/etc/cpio.profile +++ b/etc/cpio.profile @@ -1,10 +1,21 @@ # cpio profile -# testing: find . -print -depth | cpio -ov > tree.cpio -include /etc/firejail/default.profile -tracelog +# /sbin and /usr/sbin are visible inside the sandbox +# /boot is not visible and /var is heavily modified + +noblacklist /sbin +noblacklist /usr/sbin +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +private-dev +private-tmp +seccomp +caps.drop all net none shell none -private-bin cpio -private-dev +tracelog +net none + diff --git a/etc/gzip.profile b/etc/gzip.profile index 3c9e8a9bf..8d35c9f66 100644 --- a/etc/gzip.profile +++ b/etc/gzip.profile @@ -4,3 +4,4 @@ tracelog net none shell none private-dev +private-tmp 
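Review bot: The rewritten etc/cpio.profile (`@@ -1,10 +1,21 @@`) lists `net none` twice, once before `shell none` and again after `tracelog`, and it no longer has `private-bin cpio`. It sets `seccomp` and `caps.drop all` but neither `nonewprivs` nor `noroot`, both of which the strings.profile removed earlier in this series carried. If cpio is expected to run as root the missing `noroot` may be deliberate, but the header comment only explains the /sbin, /boot and /var handling; the new etc/xz.profile includes this file, so xz inherits the same set. Drop the duplicate line and either add the two directives or add a comment saying why they are left out.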
diff --git a/etc/strings.profile b/etc/strings.profile index 8be9a5719..9bc67cfb8 100644 --- a/etc/strings.profile +++ b/etc/strings.profile @@ -4,3 +4,4 @@ tracelog net none shell none private-dev +private-tmp diff --git a/etc/xz.profile b/etc/xz.profile new file mode 100644 index 000000000..709585acd --- /dev/null +++ b/etc/xz.profile @@ -0,0 +1,2 @@ +# xz profile +include /etc/firejail/cpio.profile diff --git a/etc/xzdec.profile b/etc/xzdec.profile index ade46dddd..1bff66965 100644 --- a/etc/xzdec.profile +++ b/etc/xzdec.profile @@ -1,7 +1,7 @@ -# XZ decompressor profile +# xzdec profile include /etc/firejail/default.profile tracelog net none shell none private-dev - +private-tmp diff --git a/platform/debian/conffiles b/platform/debian/conffiles index a09df0c29..34ab8cd81 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -123,4 +123,5 @@ /etc/firejail/gzip.profile /etc/firejail/xzdec.profile /etc/firejail/strings.profile +/etc/firejail/xz.profile diff --git a/src/firejail/main.c b/src/firejail/main.c index c6fbd584e..f149dd376 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c 
@@ -693,6 +693,52 @@ static void delete_x11_file(pid_t pid) { free(fname); } +static void detect_quiet(int argc, char **argv) { + int i; + char *progs[] = { + "cpio", + "strings", + "gzip", + "xz", + "xzdec", + NULL + }; + + // detect --quiet + for (i = 1; i < argc; i++) { + if (strcmp(argv[i], "--quiet") == 0) { + arg_quiet = 1; + break; + } + + // detect end of firejail params + if (strcmp(argv[i], "--") == 0) + break; + if (strncmp(argv[i], "--", 2) != 0) + break; + } + + // argv[i] is the program name if --quiet was not already detected + if (arg_quiet || i == argc) + return; + + // extract the name of the program without the leading path + char *ptr = strrchr(argv[i], '/'); + char *name = (ptr)? (ptr + 1): argv[i]; + if (*name == '\0') + return; + + // look for the program in the list + int j = 0; + while (progs[j] != NULL) { + if (strcmp(name, progs[j]) == 0) { + arg_quiet = 1; + return; + } + j++; + } +} + //******************************************* // Main program //******************************************* @@ -709,6 +755,8 @@ int main(int argc, char **argv) { int highest_errno = errno_highest_nr(); #endif + detect_quiet(argc, argv); + // drop permissions by default and rise them when required EUID_INIT(); EUID_USER(); @@ -717,19 +765,6 @@ int main(int argc, char **argv) { if (*argv[0] != '-') run_symlink(argc, argv); - // detect --quiet - for (i = 1; i < argc; i++) { - if (strcmp(argv[i], "--quiet") == 0) { - arg_quiet = 1; - break; - } - - // detect end of firejail params - if (strcmp(argv[i], "--") == 0) - break; - if (strncmp(argv[i], "--", 2) != 0) - break; - } // check if we already have a sandbox running // If LXC is detected, start firejail sandbox diff --git a/test/sysutils/cpio.exp b/test/sysutils/cpio.exp new file mode 100755 index 000000000..9755d8737 --- /dev/null +++ b/test/sysutils/cpio.exp 
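Review bot: In `detect_quiet`, when the option scan stops on the `--` separator, `argv[i]` is the separator itself and not the program, so the basename lookup never matches for an invocation of the form `firejail -- gzip ...` and `arg_quiet` stays unset. Stepping past it with `if (i < argc && strcmp(argv[i], "--") == 0) i++;` just before the `if (arg_quiet || i == argc)` check would cover that form. The table is never written and could be `static const char *const progs[]`. Since main() now calls this before `EUID_INIT()`, a comment on the function stating that it only sets `arg_quiet` and must not grow any file or privilege-sensitive work would be worth adding.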
@@ -0,0 +1,26 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "find /usr/share/doc/firejail | /bin/cpio -ov > firejail_t1\r" +sleep 1 + +send -- "find /usr/share/doc/firejail | firejail /bin/cpio -ov > firejail_t2\r" +sleep 1 + +send -- "diff -s firejail_t1 firejail_t2\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "firejail_t1 and firejail_t2 are identical" +} + +send -- "rm firejail_t*\r" +sleep 1 + + +puts "\nall done\n" diff --git a/test/sysutils/gzip.exp b/test/sysutils/gzip.exp new file mode 100755 index 000000000..ab0e727de --- /dev/null +++ b/test/sysutils/gzip.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "/bin/gzip -c /usr/bin/firejail > firejail_t1\r" +sleep 1 + +send -- "firejail /bin/gzip -c /usr/bin/firejail > firejail_t2\r" +sleep 1 + +send -- "diff -s firejail_t1 firejail_t2\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "firejail_t1 and firejail_t2 are identical" +} + +send -- "rm firejail_t*\r" +sleep 1 + + +puts "\nall done\n" diff --git a/test/sysutils/strings.exp b/test/sysutils/strings.exp new file mode 100755 index 000000000..1fd0f5dc0 --- /dev/null +++ b/test/sysutils/strings.exp 
@@ -0,0 +1,26 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "/usr/bin/strings /usr/bin/firejail > firejail_t1\r" +sleep 1 + +send -- "firejail /usr/bin/strings /usr/bin/firejail > firejail_t2\r" +sleep 1 + +send -- "diff -s firejail_t1 firejail_t2\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "firejail_t1 and firejail_t2 are identical" +} + +send -- "rm firejail_t*\r" +sleep 1 + + +puts "\nall done\n" diff --git a/test/sysutils/sysutils.sh b/test/sysutils/sysutils.sh new file mode 100755 index 000000000..f230c9a6b --- /dev/null +++ b/test/sysutils/sysutils.sh @@ -0,0 +1,44 @@ +#!/bin/bash +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +export MALLOC_CHECK_=3 +export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) + +which cpio +if [ "$?" -eq 0 ]; +then + echo "TESTING: cpio" + ./cpio.exp +else + echo "TESTING SKIP: cpio not found" +fi + +which strings +if [ "$?" -eq 0 ]; +then + echo "TESTING: strings" + ./strings.exp +else + echo "TESTING SKIP: strings not found" +fi + +which gzip +if [ "$?" -eq 0 ]; +then + echo "TESTING: gzip" + ./gzip.exp +else + echo "TESTING SKIP: gzip not found" +fi + +which xzdec +if [ "$?" -eq 0 ]; +then + echo "TESTING: xzdec" + ./xzdec.exp +else + echo "TESTING SKIP: xzdec not found" +fi + diff --git a/test/sysutils/xzdec.exp b/test/sysutils/xzdec.exp new file mode 100755 index 000000000..0ea6f5fb0 --- /dev/null +++ b/test/sysutils/xzdec.exp 
@@ -0,0 +1,29 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "/usr/bin/xz -c /usr/bin/firejail > firejail_t3\r" +sleep 1 + +send -- "/usr/bin/xzdec -c firejail_t3 > firejail_t1\r" +sleep 1 + +send -- "firejail /usr/bin/xzdec -c firejail_t3 > firejail_t2\r" +sleep 1 + +send -- "diff -s firejail_t1 firejail_t2\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "firejail_t1 and firejail_t2 are identical" +} + +send -- "rm firejail_t*\r" +sleep 1 + + +puts "\nall done\n" diff --git a/todo b/todo index cd36b5f11..a5c311562 100644 --- a/todo +++ b/todo @@ -101,3 +101,10 @@ firejail.src: E: no-changelogname-tag firejail.src: W: invalid-url Source0: https://github.com/netblue30/firejail/archive/0.9.40.tar.gz#/firejail-0.9.40.tar.gz HTTP Error 404: Not Found 1 packages and 0 specfiles checked; 1 errors, 1 warnings. +15. Testing: +find /usr/share/doc/firejail | cpio -ov > t1 +strings /usr/bin/firejail > t1 +gzip -c /usr/bin/firejail > t1 + +use diff -s to compare the files + -- cgit v1.2.3-70-g09d2 From e413b78c49234ae2698f0d9f27945c30ef723fe0 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 28 Jun 2016 08:41:51 -0400 Subject: sysutils --- Makefile.in | 1 + etc/less.profile | 7 +++++++ platform/debian/conffiles | 1 + src/firejail/main.c | 1 + test/sysutils/less.exp | 20 ++++++++++++++++++++ test/sysutils/sysutils.sh | 18 ++++++++++++++++++ test/sysutils/xz.exp | 26 ++++++++++++++++++++++++++ 7 files changed, 74 insertions(+) create mode 100644 etc/less.profile create mode 100755 test/sysutils/less.exp create mode 100755 test/sysutils/xz.exp diff --git a/Makefile.in b/Makefile.in index 5204fc34a..00131099a 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -215,6 +215,7 @@ realinstall: install -c -m 0644 .etc/xzdec.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/strings.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/xz.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/less.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/. rm -fr .etc diff --git a/etc/less.profile b/etc/less.profile new file mode 100644 index 000000000..9cad7ceb6 --- /dev/null +++ b/etc/less.profile @@ -0,0 +1,7 @@ +# less profile +include /etc/firejail/default.profile +tracelog +net none +shell none +private-dev +private-tmp diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 34ab8cd81..62a4cfebe 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -124,4 +124,5 @@ /etc/firejail/xzdec.profile /etc/firejail/strings.profile /etc/firejail/xz.profile +/etc/firejail/less.profile diff --git a/src/firejail/main.c b/src/firejail/main.c index f149dd376..463bf4f31 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -696,6 +696,7 @@ static void delete_x11_file(pid_t pid) { static void detect_quiet(int argc, char **argv) { int i; char *progs[] = { + "less", "cpio", "strings", "gzip", diff --git a/test/sysutils/less.exp b/test/sysutils/less.exp new file mode 100755 index 000000000..720830304 --- /dev/null +++ b/test/sysutils/less.exp @@ -0,0 +1,20 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail less ../../Makefile.in\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "MYLIBS" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "APPS" +} + +puts "\nall done\n" 
diff --git a/test/sysutils/sysutils.sh b/test/sysutils/sysutils.sh index f230c9a6b..d75738f97 100755 --- a/test/sysutils/sysutils.sh +++ b/test/sysutils/sysutils.sh @@ -42,3 +42,21 @@ else echo "TESTING SKIP: xzdec not found" fi +which xz +if [ "$?" -eq 0 ]; +then + echo "TESTING: xz" + ./xz.exp +else + echo "TESTING SKIP: xz not found" +fi + +which less +if [ "$?" -eq 0 ]; +then + echo "TESTING: less" + ./less.exp +else + echo "TESTING SKIP: less not found" +fi + diff --git a/test/sysutils/xz.exp b/test/sysutils/xz.exp new file mode 100755 index 000000000..11d0e560c --- /dev/null +++ b/test/sysutils/xz.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "/usr/bin/xz -c /usr/bin/firejail > firejail_t1\r" +sleep 1 + +send -- "firejail /usr/bin/xz -c /usr/bin/firejail > firejail_t2\r" +sleep 1 + +send -- "diff -s firejail_t1 firejail_t2\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "firejail_t1 and firejail_t2 are identical" +} + +send -- "rm firejail_t*\r" +sleep 1 + + +puts "\nall done\n" -- cgit v1.2.3-70-g09d2 From 5cd597e5dfe13afa097e0a7b9d2344b204be2ec6 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 28 Jun 2016 10:56:17 -0400 Subject: fix --version --- README.md | 3 ++- RELNOTES | 2 +- src/firejail/main.c | 15 +++++++++++++-- 3 files changed, 16 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index b11dc8249..230657756 100644 --- a/README.md +++ b/README.md @@ -77,4 +77,5 @@ Office: evince, gthumb, fbreader, pix ## New security profiles -Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, gzip, cpio +Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less + diff --git a/RELNOTES b/RELNOTES index 78a21bd2b..8d170a9b3 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -4,7 +4,7 @@ firejail (0.9.41) baseline; urgency=low * compile time support to disable global configuration file * some profiles have been converted to private-bin * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice - * new profiles: pix, audacity + * new profiles: pix, audacity, strings, xz, xzdec, gzip, cpio, less -- netblue30 Tue, 31 May 2016 08:00:00 -0500 firejail (0.9.40) baseline; urgency=low diff --git a/src/firejail/main.c b/src/firejail/main.c index 463bf4f31..6faec9109 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -766,7 +766,6 @@ int main(int argc, char **argv) { if (*argv[0] != '-') run_symlink(argc, argv); - // check if we already have a sandbox running // If LXC is detected, start firejail sandbox // otherwise try to detect a PID namespace by looking under /proc for specific kernel processes and: @@ -836,7 +835,19 @@ int main(int argc, char **argv) { // check root/suid EUID_ROOT(); if (geteuid()) { - fprintf(stderr, "Error: the sandbox is not setuid root\n"); + // detect --version + for (i = 1; i < argc; i++) { + if (strcmp(argv[i], "--version") == 0) { + printf("firejail version %s\n", VERSION); + exit(0); + } + + // detect end of firejail params + if (strcmp(argv[i], "--") == 0) + break; + if (strncmp(argv[i], "--", 2) != 0) + break; + } exit(1); } EUID_USER(); -- cgit v1.2.3-70-g09d2 From 7ab61fae3128796df4f8f62da36da437b1d3d7a7 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 28 Jun 2016 13:04:54 -0400 Subject: fixing ampersand url --- src/firejail/no_sandbox.c | 5 +++-- src/firejail/run_symlink.c | 9 +++++++-- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index 9672d003e..f6ad3d472 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c 
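Review bot: The `@@ -836,7 +835,19 @@` hunk in main() removes `fprintf(stderr, "Error: the sandbox is not setuid root\n");`, so when `geteuid()` is non-zero and `--version` was not given the program now reaches `exit(1)` without any diagnostic. Keep that message immediately before `exit(1);` so a mis-installed binary still explains why it refuses to start. The added scan repeats the `--`-terminated option loop that `detect_quiet` already contains; a small shared helper taking the option name would remove the duplication. main() starts and ends outside the hunk.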
@@ -180,7 +180,7 @@ void run_no_sandbox(int argc, char **argv) { } int start_index = i; for (i = start_index; i < argc; i++) - len += strlen(argv[i]) + 1; + len += strlen(argv[i]) + 3; // allocate command = malloc(len + 1); @@ -191,8 +191,9 @@ void run_no_sandbox(int argc, char **argv) { // copy for (i = start_index; i < argc; i++) { + strcat(command, "\""); strcat(command, argv[i]); - strcat(command, " "); + strcat(command, "\" "); } } diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c index cc6f6b3e9..554d243e5 100644 --- a/src/firejail/run_symlink.c +++ b/src/firejail/run_symlink.c @@ -102,8 +102,13 @@ void run_symlink(int argc, char **argv) { a[0] = firejail; a[1] = program; int i; - for (i = 0; i < (argc - 1); i++) - a[i + 2] = argv[i + 1]; + for (i = 0; i < (argc - 1); i++) { + char *str = malloc(strlen(argv[i + 1])); + if (str == NULL) + errExit("malloc"); + sprintf(str, "\"%s\"", argv[i + 1]); + a[i + 2] = str; + } a[i + 2] = NULL; execvp(a[0], a); -- cgit v1.2.3-70-g09d2 From 834c420f2f97e4bfa48c528380f2c18b0261a6e5 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 28 Jun 2016 13:18:06 -0400 Subject: fixing ampersand url --- src/firejail/join.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/firejail/join.c b/src/firejail/join.c index 98e140ce4..5a2c02d63 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c @@ -53,7 +53,7 @@ static void extract_command(int argc, char **argv, int index) { int i; // calculate command length for (i = index; i < argc; i++) { - len += strlen(argv[i]) + 1; + len += strlen(argv[i]) + 3; } assert(len > 0); 
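Review bot: Wrapping each argument in double quotes in `run_no_sandbox` (and in `extract_command` in join.c in the next commit) is not safe shell quoting: an argument that itself contains `"`, `$`, a backtick or a backslash is still interpreted if `command` is later handed to a shell, which these hunks do not show. The follow-up commit restricts the quoting to arguments containing `&`, which leaves the same gap for every other metacharacter. Prefer passing the argument vector through without building a string; if a string is required, single-quote each argument and replace every embedded `'` with `'\''`, with `len` sized for that expansion. In join.c the context lines also dereference the result of `malloc(len + 1)` without a NULL check. Both functions start and end outside their hunks.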
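Review bot: In `run_symlink`, `malloc(strlen(argv[i + 1]))` leaves no room for the two quote characters or the terminating NUL, so `sprintf(str, "\"%s\"", argv[i + 1])` writes three bytes past the end of the heap buffer for every argument. The allocation should be `malloc(strlen(argv[i + 1]) + 3)` and the write a `snprintf` bounded by that same size. The later commit "fixed broken argument functionality" keeps the same two lines inside its `strchr(argv[i + 1], '&')` branch, so the overflow remains there for any argument containing `&`. Because `a[]` goes straight to `execvp`, no shell parses these arguments at this point and the added quotes reach firejail as literal characters; whether that is intended cannot be told from the hunk, whose function starts and ends outside it.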
@@ -61,8 +61,9 @@ static void extract_command(int argc, char **argv, int index) { cfg.command_line = malloc(len + 1); *cfg.command_line = '\0'; for (i = index; i < argc; i++) { + strcat(cfg.command_line, "\""); strcat(cfg.command_line, argv[i]); - strcat(cfg.command_line, " "); + strcat(cfg.command_line, "\" "); } if (arg_debug) printf("Extracted command #%s#\n", cfg.command_line); -- cgit v1.2.3-70-g09d2 From 74a9ffe66e0f4e41bccea80783c5ac946c3ac51e Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 29 Jun 2016 12:53:35 -0400 Subject: fixed broken argument functionality --- src/firejail/join.c | 12 +++++++++--- src/firejail/no_sandbox.c | 12 +++++++++--- src/firejail/run_symlink.c | 15 ++++++++++----- 3 files changed, 28 insertions(+), 11 deletions(-) diff --git a/src/firejail/join.c b/src/firejail/join.c index 5a2c02d63..aba8f064b 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c @@ -61,9 +61,15 @@ static void extract_command(int argc, char **argv, int index) { cfg.command_line = malloc(len + 1); *cfg.command_line = '\0'; for (i = index; i < argc; i++) { - strcat(cfg.command_line, "\""); - strcat(cfg.command_line, argv[i]); - strcat(cfg.command_line, "\" "); + if (strchr(argv[i], '&')) { + strcat(cfg.command_line, "\""); + strcat(cfg.command_line, argv[i]); + strcat(cfg.command_line, "\" "); + } + else { + strcat(cfg.command_line, argv[i]); + strcat(cfg.command_line, " "); + } } if (arg_debug) printf("Extracted command #%s#\n", cfg.command_line); diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index f6ad3d472..898803615 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c 
@@ -191,9 +191,15 @@ void run_no_sandbox(int argc, char **argv) { // copy for (i = start_index; i < argc; i++) { - strcat(command, "\""); - strcat(command, argv[i]); - strcat(command, "\" "); + if (strchr(argv[i], '&')) { + strcat(command, "\""); + strcat(command, argv[i]); + strcat(command, "\" "); + } + else { + strcat(command, argv[i]); + strcat(command, " "); + } } } diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c index 554d243e5..26c6c5133 100644 --- a/src/firejail/run_symlink.c +++ b/src/firejail/run_symlink.c @@ -103,11 +103,16 @@ void run_symlink(int argc, char **argv) { a[1] = program; int i; for (i = 0; i < (argc - 1); i++) { - char *str = malloc(strlen(argv[i + 1])); - if (str == NULL) - errExit("malloc"); - sprintf(str, "\"%s\"", argv[i + 1]); - a[i + 2] = str; + // look for & character + if (strchr(argv[i + 1], '&')) { + char *str = malloc(strlen(argv[i + 1])); + if (str == NULL) + errExit("malloc"); + sprintf(str, "\"%s\"", argv[i + 1]); + a[i + 2] = str; + } + else + a[i + 2] = argv[i + 1]; } a[i + 2] = NULL; execvp(a[0], a); -- cgit v1.2.3-70-g09d2 From fd2a6201aed79311e3ce3d905270e9f36d607fc3 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 1 Jul 2016 11:01:16 -0400 Subject: cleanup --- Makefile.in | 2 ++ src/firejail/no_sandbox.c | 2 -- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile.in b/Makefile.in index 00131099a..db3c6f059 100644 --- a/Makefile.in +++ b/Makefile.in @@ -53,6 +53,8 @@ clean: rm -f test/environment/wget-log* rm -fr test/environment/-testdir rm -f test/environment/logfile* + rm -f test/environment/index.html + rm -f test/environment/wget-log rm -f test/sysutils/firejail_t* cd test/compile; ./compile.sh --clean; cd ../.. cd test/dist-compile; ./compile.sh --clean; cd ../.. diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index 898803615..f1fd04aec 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c 
@@ -34,8 +34,6 @@ int is_container(const char *str) { strcmp(str, "rkt") == 0) return 1; return 0; - - } // returns 1 if we are running under LXC -- cgit v1.2.3-70-g09d2 From c34fbcdf4cf6ee00b8b131dd957e34ed4c7ab798 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 1 Jul 2016 11:29:26 -0400 Subject: audit compile and install --- Makefile.in | 5 +++-- configure | 3 ++- configure.ac | 2 +- src/faudit/Makefile.in | 25 +++++++++++++++++++++++++ src/faudit/main.c | 5 +++++ 5 files changed, 36 insertions(+), 4 deletions(-) create mode 100644 src/faudit/Makefile.in create mode 100644 src/faudit/main.c diff --git a/Makefile.in b/Makefile.in index db3c6f059..604c76f9f 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,6 +1,6 @@ all: apps firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-config.5 MYLIBS = src/lib -APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee +APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/libtracelog src/faudit prefix=@prefix@ exec_prefix=@exec_prefix@ @@ -84,6 +84,7 @@ realinstall: install -c -m 0755 src/ftee/ftee $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/. install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/. + install -c -m 0755 src/faudit/faudit $(DESTDIR)/$(libdir)/firejail/. # documents install -m 0755 -d $(DESTDIR)/$(DOCDIR) install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/. @@ -249,7 +250,6 @@ realinstall: install -c -m 0644 src/bash_completion/firemon.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon install -c -m 0644 src/bash_completion/firecfg.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg - install: all $(MAKE) realinstall @@ -260,6 +260,7 @@ install-strip: all strip src/libtrace/libtrace.so strip src/libtracelog/libtracelog.so strip src/ftee/ftee + strip src/faudit/faudit $(MAKE) realinstall uninstall: 
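Review bot: In the first Makefile.in hunk of the "audit compile and install" commit, `src/libtracelog` now appears twice in `APPS`, which looks like a paste slip made while appending `src/faudit`. Depending on how `APPS` is iterated outside this hunk, that directory is visited twice on every build and clean. The line should end `src/libtracelog src/ftee src/faudit`.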
diff --git a/configure b/configure index 807a53a3d..d7017e6d7 100755 --- a/configure +++ b/configure @@ -3673,7 +3673,7 @@ if test "$prefix" = /usr; then sysconfdir="/etc" fi -ac_config_files="$ac_config_files Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile" +ac_config_files="$ac_config_files Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure @@ -4390,6 +4390,7 @@ do "src/libtracelog/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtracelog/Makefile" ;; "src/firecfg/Makefile") CONFIG_FILES="$CONFIG_FILES src/firecfg/Makefile" ;; "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;; + "src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;; *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; esac diff --git a/configure.ac b/configure.ac index 93e062518..470c55d37 100644 --- a/configure.ac +++ b/configure.ac @@ -106,7 +106,7 @@ if test "$prefix" = /usr; then sysconfdir="/etc" fi -AC_OUTPUT(Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile) +AC_OUTPUT(Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile) echo echo "Configuration options:" diff --git a/src/faudit/Makefile.in b/src/faudit/Makefile.in new file mode 100644 index 000000000..995a0bf49 --- /dev/null +++ b/src/faudit/Makefile.in 
@@ -0,0 +1,25 @@ +all: faudit + +PREFIX=@prefix@ +VERSION=@PACKAGE_VERSION@ +NAME=@PACKAGE_NAME@ +HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ + +H_FILE_LIST = $(sort $(wildcard *.[h])) +C_FILE_LIST = $(sort $(wildcard *.c)) +OBJS = $(C_FILE_LIST:.c=.o) +BINOBJS = $(foreach file, $(OBJS), $file) +CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(PREFIX)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security +LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread + +%.o : %.c $(H_FILE_LIST) + $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ + +faudit: $(OBJS) + $(CC) $(LDFLAGS) -o $@ $(OBJS) + +clean:; rm -f *.o faudit + +distclean: clean + rm -fr Makefile + diff --git a/src/faudit/main.c b/src/faudit/main.c new file mode 100644 index 000000000..e4536d20b --- /dev/null +++ b/src/faudit/main.c @@ -0,0 +1,5 @@ +#include + +int main(int argc, char **argv) { + printf("faudit running\n"); +} -- cgit v1.2.3-70-g09d2 From d954df5d3319924ff1a83e3e301f70825691b4f3 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 1 Jul 2016 19:19:59 -0400 Subject: audit pid --- src/faudit/faudit.h | 37 ++++++++++++++++++++++ src/faudit/main.c | 30 ++++++++++++++++-- src/faudit/pid.c | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 154 insertions(+), 2 deletions(-) create mode 100644 src/faudit/faudit.h create mode 100644 src/faudit/pid.c diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h new file mode 100644 index 000000000..9c001c285 --- /dev/null +++ b/src/faudit/faudit.h 
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+#ifndef FAUDIT_H
+#define FAUDIT_H
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define errExit(msg) do { char msgout[500]; sprintf(msgout, "Error %s:%s(%d)", msg, __FUNCTION__, __LINE__); perror(msgout); exit(1);} while (0)
+
+// pid.c
+void pid(void);
+
+#endif
\ No newline at end of file
diff --git a/src/faudit/main.c b/src/faudit/main.c
index e4536d20b..d90eb1c0b 100644
--- a/src/faudit/main.c
+++ b/src/faudit/main.c
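Review bot: The `errExit` macro formats into a fixed `char msgout[500]` with an unbounded `sprintf`; the callers visible on this page pass short literals, but nothing in the macro keeps a longer `msg` from overrunning the stack buffer. `snprintf(msgout, sizeof(msgout), "Error %s:%s(%d)", msg, __FUNCTION__, __LINE__);` is a drop-in replacement. A one-line comment above the macro saying that it appends the errno text through `perror` and exits with status 1 would also help readers of the new files.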
@@ -1,5 +1,31 @@ -#include +/* + * Copyright (C) 2014-2016 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "faudit.h" int main(int argc, char **argv) { - printf("faudit running\n"); + printf("FAUDIT: Firejail audit started\n"); + + // check pid namespace + pid(); + + printf("FAUDIT: Firejail audit ended\n"); + return 0; + } diff --git a/src/faudit/pid.c b/src/faudit/pid.c new file mode 100644 index 000000000..861324255 --- /dev/null +++ b/src/faudit/pid.c 
@@ -0,0 +1,89 @@ +/* + * Copyright (C) 2014-2016 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "faudit.h" + +void pid(void) { + char *kern_proc[] = { + "kthreadd", + "ksoftirqd", + "kworker", + "rcu_sched", + "rcu_bh", + NULL // NULL terminated list + }; + int i; + + // look at the first 10 processes + for (i = 1; i <= 10; i++) { + struct stat s; + char *fname; + if (asprintf(&fname, "/proc/%d/comm", i) == -1) + errExit("asprintf"); + if (stat(fname, &s) == -1) { + free(fname); + continue; + } + + // open file + /* coverity[toctou] */ + FILE *fp = fopen(fname, "r"); + if (!fp) { + fprintf(stderr, "Warning: cannot open %s\n", fname); + free(fname); + continue; + } + + // read file + char buf[100]; + if (fgets(buf, 10, fp) == NULL) { + fprintf(stderr, "Warning: cannot read %s\n", fname); + fclose(fp); + free(fname); + continue; + } + // clean /n + char *ptr; + if ((ptr = strchr(buf, '\n')) != NULL) + *ptr = '\0'; + + // check process name against the kernel list + int j = 0; + while (kern_proc[j] != NULL) { + if (strncmp(buf, kern_proc[j], strlen(kern_proc[j])) == 0) { + fclose(fp); + free(fname); + printf("FAUDIT: Process PID %d, not running in a PID namespace\n", getpid()); + return; + } + j++; + } + + fclose(fp); + 
free(fname); + } + + + printf("FAUDIT: Process PID %d, running in a PID namespace\n", getpid()); + + // try to guess the type of container/sandbox + char *str = getenv("container"); + if (str) + printf("FAUDIT: Container/sandbox: %s\n", str); +} -- cgit v1.2.3-70-g09d2 From 7655973d13775fc8a939cae7ebbadf3b38209a02 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 2 Jul 2016 07:41:19 -0400 Subject: faudit: caps --- src/faudit/caps.c | 77 +++++++++++++++++++++++++++++++++++++++++++++++++++++ src/faudit/faudit.h | 4 +++ src/faudit/main.c | 7 +++-- src/faudit/pid.c | 6 ++--- todo | 25 +++++++++++++---- 5 files changed, 109 insertions(+), 10 deletions(-) create mode 100644 src/faudit/caps.c diff --git a/src/faudit/caps.c b/src/faudit/caps.c new file mode 100644 index 000000000..364cfcd03 --- /dev/null +++ b/src/faudit/caps.c 
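Review bot: pid() falls through to "running in a PID namespace" whenever none of `/proc/1` to `/proc/10` yields a kernel-thread name, and that includes the case where every `stat()` or `fopen()` fails, for instance when /proc is not mounted or is mounted with `hidepid`. The audit then reports a sandbox property it never observed. Count the comm files that were actually read and stop when there were none, e.g. `if (checked == 0) { printf("FAUDIT: cannot read /proc/<pid>/comm, skipping PID namespace check\n"); return; }`. Separately, `fgets(buf, 10, fp)` reads at most nine characters into a 100-byte buffer; `sizeof(buf)` would state the intent.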
@@ -0,0 +1,77 @@ +/* + * Copyright (C) 2014-2016 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "faudit.h" +#include + +#define MAXBUF 4098 +static int extract_caps(uint64_t *val) { + FILE *fp = fopen("/proc/self/status", "r"); + if (!fp) + return 1; + + char buf[MAXBUF]; + while (fgets(buf, MAXBUF, fp)) { + if (strncmp(buf, "CapBnd:\t", 8) == 0) { + char *ptr = buf + 8; + unsigned long long tmp; + sscanf(ptr, "%llx", &tmp); + *val = tmp; + fclose(fp); + return 0; + } + } + + fclose(fp); + return 1; +} + +// return 1 if the capability is in tbe map +static int check_capability(uint64_t map, int cap) { + int i; + uint64_t mask = 1ULL; + + for (i = 0; i < 64; i++, mask <<= 1) { + if ((i == cap) && (mask & map)) + return 1; + } + + return 0; +} + +void caps(void) { + uint64_t caps_val; + + if (extract_caps(&caps_val)) { + printf("SKIP: cannot extract capabilities on this platform\n"); + return; + } + + if (caps_val) { + printf("BAD: the capability map is %llx, it should be all zero\n", (unsigned long long) caps_val); + + if (check_capability(caps_val, CAP_SYS_ADMIN)) + printf("UGLY: CAP_SYS_ADMIN is enabled\n"); + if (check_capability(caps_val, CAP_SYS_BOOT)) + printf("UGLY: CAP_SYS_BOOT is enabled\n"); + } + else + 
printf("GOOD: all capabilities are disabled\n"); +} + diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h index 9c001c285..74426ac0a 100644 --- a/src/faudit/faudit.h +++ b/src/faudit/faudit.h @@ -22,6 +22,7 @@ #define FAUDIT_H #include #include +#include #include #include #include @@ -34,4 +35,7 @@ // pid.c void pid(void); +// caps.c +void caps(void); + #endif \ No newline at end of file diff --git a/src/faudit/main.c b/src/faudit/main.c index d90eb1c0b..a3407caa1 100644 --- a/src/faudit/main.c +++ b/src/faudit/main.c @@ -20,12 +20,15 @@ #include "faudit.h" int main(int argc, char **argv) { - printf("FAUDIT: Firejail audit started\n"); + printf("\n----- Firejail Audit: the Good, the Bad and the Ugly -----\n"); // check pid namespace pid(); + + // chack capabilities + caps(); - printf("FAUDIT: Firejail audit ended\n"); + printf("----------------------------------------------------------\n"); return 0; } diff --git a/src/faudit/pid.c b/src/faudit/pid.c index 861324255..a6f02c051 100644 --- a/src/faudit/pid.c +++ b/src/faudit/pid.c @@ -69,7 +69,7 @@ void pid(void) { if (strncmp(buf, kern_proc[j], strlen(kern_proc[j])) == 0) { fclose(fp); free(fname); - printf("FAUDIT: Process PID %d, not running in a PID namespace\n", getpid()); + printf("BAD: Process PID %d, not running in a PID namespace\n", getpid()); return; } j++; @@ -80,10 +80,10 @@ void pid(void) { } - printf("FAUDIT: Process PID %d, running in a PID namespace\n", getpid()); + printf("GOOD: Process PID %d, running in a PID namespace\n", getpid()); // try to guess the type of container/sandbox char *str = getenv("container"); if (str) - printf("FAUDIT: Container/sandbox: %s\n", str); + printf("Container/sandbox: %s\n", str); } diff --git a/todo b/todo index a5c311562..a30a5319b 100644 --- a/todo +++ b/todo 
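Review bot: In extract_caps (src/faudit/caps.c) the result of `sscanf(ptr, "%llx", &tmp)` is ignored, so a line that fails to parse copies an uninitialised `tmp` into `*val` and still returns 0 for success. Check the conversion, `if (sscanf(ptr, "%llx", &tmp) != 1) { fclose(fp); return 1; }`, so that caps_test takes the SKIP path instead of judging an indeterminate value. extract_seccomp in src/faudit/seccomp.c, added by a later commit on this page, has the same unchecked `sscanf`. check_capability's 64-step loop is equivalent to `return (map >> cap) & 1;` for an in-range `cap`, which would be easier to audit.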
@@ -101,10 +101,25 @@ firejail.src: E: no-changelogname-tag firejail.src: W: invalid-url Source0: https://github.com/netblue30/firejail/archive/0.9.40.tar.gz#/firejail-0.9.40.tar.gz HTTP Error 404: Not Found 1 packages and 0 specfiles checked; 1 errors, 1 warnings. -15. Testing: -find /usr/share/doc/firejail | cpio -ov > t1 -strings /usr/bin/firejail > t1 -gzip -c /usr/bin/firejail > t1 +15. bug: capabiliteis declared on the command line take precedence over caps declared in profiles -use diff -s to compare the files +$ firejail --caps.keep=chown,net_bind_service src/faudit/faudit +Reading profile /etc/firejail/default.profile +Reading profile /etc/firejail/disable-common.inc +Reading profile /etc/firejail/disable-programs.inc +Reading profile /etc/firejail/disable-passwdmgr.inc +** Note: you can use --noprofile to disable default.profile ** + +Parent pid 6872, child pid 6873 + +Child process initialized + +----- Firejail Audit: the Good, the Bad and the Ugly ----- + +GOOD: Process PID 2, running in a PID namespace +Container/sandbox: firejail +GOOD: all capabilities are disabled + + +Parent is shutting down, bye... -- cgit v1.2.3-70-g09d2 From 7ac22ed3588ce9e8bb5ec7ebd3d7062dcf65a64c Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 2 Jul 2016 09:48:57 -0400 Subject: audit: seccomp --- src/faudit/caps.c | 2 +- src/faudit/faudit.h | 10 ++++++-- src/faudit/main.c | 26 ++++++++++++++++----- src/faudit/pid.c | 2 +- src/faudit/seccomp.c | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 94 insertions(+), 10 deletions(-) create mode 100644 src/faudit/seccomp.c diff --git a/src/faudit/caps.c b/src/faudit/caps.c index 364cfcd03..3cf4a076f 100644 --- a/src/faudit/caps.c +++ b/src/faudit/caps.c @@ -55,7 +55,7 @@ static int check_capability(uint64_t map, int cap) { return 0; } -void caps(void) { +void caps_test(void) { uint64_t caps_val; if (extract_caps(&caps_val)) { 
diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h index 74426ac0a..50d75c2a4 100644 --- a/src/faudit/faudit.h +++ b/src/faudit/faudit.h @@ -32,10 +32,16 @@ #define errExit(msg) do { char msgout[500]; sprintf(msgout, "Error %s:%s(%d)", msg, __FUNCTION__, __LINE__); perror(msgout); exit(1);} while (0) +// main.c +extern char *prog; + // pid.c -void pid(void); +void pid_test(void); // caps.c -void caps(void); +void caps_test(void); + +// seccomp.c +void seccomp_test(void); #endif \ No newline at end of file diff --git a/src/faudit/main.c b/src/faudit/main.c index a3407caa1..0724a7ec9 100644 --- a/src/faudit/main.c +++ b/src/faudit/main.c @@ -18,17 +18,31 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include "faudit.h" +#include +char *prog; int main(int argc, char **argv) { - printf("\n----- Firejail Audit: the Good, the Bad and the Ugly -----\n"); + printf("\n-------- Firejail Audit: the Good, the Bad and the Ugly --------\n"); + // extract program name + prog = realpath(argv[0], NULL); + if (prog == NULL) { + fprintf(stderr, "Error: cannot extract the path of the audit program\n"); + return 1; + } + printf("Running %s\n", prog); + + // check pid namespace - pid(); + pid_test(); - // chack capabilities - caps(); + // check capabilities + caps_test(); - printf("----------------------------------------------------------\n"); - return 0; + // check seccomp + seccomp_test(); + free(prog); + printf("----------------------------------------------------------------\n"); + return 0; } diff --git a/src/faudit/pid.c b/src/faudit/pid.c index a6f02c051..5744ab244 100644 --- a/src/faudit/pid.c +++ b/src/faudit/pid.c @@ -19,7 +19,7 @@ */ #include "faudit.h" -void pid(void) { +void pid_test(void) { char *kern_proc[] = { "kthreadd", "ksoftirqd", diff --git a/src/faudit/seccomp.c b/src/faudit/seccomp.c new file mode 100644 index 000000000..a50ec1e0c --- /dev/null +++ b/src/faudit/seccomp.c 
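Review bot: In the main.c hunk, `realpath(argv[0], NULL)` resolves the name relative to the current directory, so when faudit is started through `PATH` (argv[0] without a slash) it either fails or resolves to an unrelated file of the same name in the working directory; argv[0] is also whatever the caller chose to pass. `prog` is exported through faudit.h, and syscall_run, added by a later commit on this page, passes it to `execl`, so the path should come from the kernel instead: `prog = realpath("/proc/self/exe", NULL);`. A comment on the `prog` definition saying that it is the re-exec target would make that dependency visible.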
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "faudit.h"
+#include
+
+#define MAXBUF 4098
+static int extract_seccomp(int *val) {
+ FILE *fp = fopen("/proc/self/status", "r");
+ if (!fp)
+ return 1;
+
+ char buf[MAXBUF];
+ while (fgets(buf, MAXBUF, fp)) {
+ if (strncmp(buf, "Seccomp:\t", 8) == 0) {
+ char *ptr = buf + 8;
+ int tmp;
+ sscanf(ptr, "%d", &tmp);
+ *val = tmp;
+ fclose(fp);
+ return 0;
+ }
+ }
+
+ fclose(fp);
+ return 1;
+}
+
+void seccomp_test(void) {
+ int seccomp_status;
+ int rv = extract_seccomp(&seccomp_status);
+
+ if (rv) {
+ printf("SKIP: cannot extract seccomp configuration on this platform\n");
+ return;
+ }
+
+ if (seccomp_status == 0)
+ printf("BAD: seccomp disabled\n");
+ else if (seccomp_status == 1)
+ printf("GOOD: seccomp strict mode - only read, write, _exit, and sigreturn are allowd\n");
+ else if (seccomp_status == 2) {
+ printf("GOOD: seccomp BPF enababled\n");
+ }
+ else
+ fprintf(stderr, "Error: unrecognized seccomp mode\n");
+
+}
\ No newline at end of file
-- cgit v1.2.3-70-g09d2
From b14628560a972d9f1709a249207b6595ffe7ed09 Mon Sep 17 00:00:00 2001
From: netblue30 Date: Sat, 2 Jul 2016 14:10:07 -0400 Subject: audit: seccomp --- src/faudit/caps.c | 1 + src/faudit/faudit.h | 4 +++ src/faudit/main.c | 19 ++++++++--- src/faudit/pid.c | 4 +-- src/faudit/seccomp.c | 40 ++++++++++++++++++++++- src/faudit/syscall.c | 91 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 6 files changed, 152 insertions(+), 7 deletions(-) create mode 100644 src/faudit/syscall.c diff --git a/src/faudit/caps.c b/src/faudit/caps.c index 3cf4a076f..f98d45ec8 100644 --- a/src/faudit/caps.c +++ b/src/faudit/caps.c @@ -17,6 +17,7 @@ * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ + #include "faudit.h" #include diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h index 50d75c2a4..fdb4556c3 100644 --- a/src/faudit/faudit.h +++ b/src/faudit/faudit.h @@ -44,4 +44,8 @@ void caps_test(void); // seccomp.c void seccomp_test(void); +// syscall.c +void syscall_helper(int argc, char **argv); +void syscall_run(const char *name); + #endif \ No newline at end of file diff --git a/src/faudit/main.c b/src/faudit/main.c index 0724a7ec9..cd358cc1a 100644 --- a/src/faudit/main.c +++ b/src/faudit/main.c @@ -18,11 +18,22 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include "faudit.h" -#include char *prog; int main(int argc, char **argv) { - printf("\n-------- Firejail Audit: the Good, the Bad and the Ugly --------\n"); + if (argc != 1) { + int i; + + for (i = 1; i < argc; i++) { + if (strcmp(argv[i], "syscall")) { + syscall_helper(argc, argv); + return 0; + } + } + return 1; + } + + printf("\n---------------- Firejail Audit: the Good, the Bad and the Ugly ----------------\n"); // extract program name prog = realpath(argv[0], NULL); 
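Review bot: In the main.c hunk the test `if (strcmp(argv[i], "syscall"))` is inverted: it calls syscall_helper for any argument other than `syscall`, and the intended `faudit syscall NAME` invocation only works because the loop then reaches NAME. syscall_helper (src/faudit/syscall.c, same commit) reads `argv[2]` unconditionally, so a single stray argument such as `faudit x` passes NULL to `strcmp`. Replace the loop with `if (argc == 3 && strcmp(argv[1], "syscall") == 0) { syscall_helper(argc, argv); return 0; }` and keep the `return 1;` for every other argument list.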
@@ -30,7 +41,7 @@ int main(int argc, char **argv) { fprintf(stderr, "Error: cannot extract the path of the audit program\n"); return 1; } - printf("Running %s\n", prog); + printf("INFO: starting %s\n", prog); // check pid namespace @@ -43,6 +54,6 @@ int main(int argc, char **argv) { seccomp_test(); free(prog); - printf("----------------------------------------------------------------\n"); + printf("--------------------------------------------------------------------------------\n"); return 0; } diff --git a/src/faudit/pid.c b/src/faudit/pid.c index 5744ab244..53b59a838 100644 --- a/src/faudit/pid.c +++ b/src/faudit/pid.c @@ -80,10 +80,10 @@ void pid_test(void) { } - printf("GOOD: Process PID %d, running in a PID namespace\n", getpid()); + printf("GOOD: process PID %d, running in a PID namespace\n", getpid()); // try to guess the type of container/sandbox char *str = getenv("container"); if (str) - printf("Container/sandbox: %s\n", str); + printf("INFO: container/sandbox %s\n", str); } diff --git a/src/faudit/seccomp.c b/src/faudit/seccomp.c index a50ec1e0c..d88d6a958 100644 --- a/src/faudit/seccomp.c +++ b/src/faudit/seccomp.c @@ -18,7 +18,6 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include "faudit.h" -#include #define MAXBUF 4098 static int extract_seccomp(int *val) { 
@@ -57,6 +56,45 @@ void seccomp_test(void) { printf("GOOD: seccomp strict mode - only read, write, _exit, and sigreturn are allowd\n"); else if (seccomp_status == 2) { printf("GOOD: seccomp BPF enababled\n"); + + printf("checking syscalls: "); fflush(0); + printf("mount... "); fflush(0); + syscall_run("mount"); + + printf("umount2... "); fflush(0); + syscall_run("umount2"); + + printf("ptrace... "); fflush(0); + syscall_run("ptrace"); + + printf("swapon... "); fflush(0); + syscall_run("swapon"); + + printf("swapoff... "); fflush(0); + syscall_run("swapoff"); + + printf("init_module... "); fflush(0); + syscall_run("init_module"); + + printf("finit_module... "); fflush(0); + syscall_run("finit_module"); + + printf("delete_module... "); fflush(0); + syscall_run("delete_module"); + + printf("chroot... "); fflush(0); + syscall_run("chroot"); + + printf("pivot_root... "); fflush(0); + syscall_run("pivot_root"); + + printf("iopl... "); fflush(0); + syscall_run("iopl"); + + printf("ioperm... "); fflush(0); + syscall_run("ioperm"); + + printf("\n"); } else fprintf(stderr, "Error: unrecognized seccomp mode\n"); diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c new file mode 100644 index 000000000..11fb3730b --- /dev/null +++ b/src/faudit/syscall.c 
@@ -0,0 +1,91 @@ +/* + * Copyright (C) 2014-2016 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "faudit.h" + +void syscall_helper(int argc, char **argv) { + if (strcmp(argv[2], "mount") == 0) { + mount(NULL, NULL, NULL, 0, NULL); + printf("\nUGLY: mount syscall permitted\n"); + } + else if (strcmp(argv[2], "umount2") == 0) { + umount2(NULL, 0); + printf("\nUGLY: umount2 syscall permitted\n"); + } + else if (strcmp(argv[2], "ptrace") == 0) { + ptrace(0, 0, NULL, NULL); + printf("\nUGLY: ptrace syscall permitted\n"); + } + else if (strcmp(argv[2], "swapon") == 0) { + swapon(NULL, 0); + printf("\nUGLY: swapon syscall permitted\n"); + } + else if (strcmp(argv[2], "swapoff") == 0) { + swapoff(NULL); + printf("\nUGLY: swapoff syscall permitted\n"); + } + else if (strcmp(argv[2], "init_module") == 0) { + init_module(NULL, 0, NULL); + printf("\nUGLY: init_moule syscall permitted\n"); + } + else if (strcmp(argv[2], "finit_module") == 0) { + swapoff(0, NULL, 0); + printf("\nUGLY: finit_moule syscall permitted\n"); + } + else if (strcmp(argv[2], "delete_module") == 0) { + delete_module(NULL, 0); + printf("\nUGLY: delete_moule syscall permitted\n"); + } + else if (strcmp(argv[2], "chroot") == 0) { + int rv = chroot(NULL); + 
(void) rv; + printf("\nUGLY: chroot syscall permitted\n"); + } + else if (strcmp(argv[2], "pivot_root") == 0) { + pivot_root(NULL, NULL); + printf("\nUGLY: pivot_root syscall permitted\n"); + } + else if (strcmp(argv[2], "iopl") == 0) { + iopl(0L); + printf("\nUGLY: iopl syscall permitted\n"); + } + else if (strcmp(argv[2], "ioperm") == 0) { + ioperm(0, 0, 0); + printf("\nUGLY: ioperm syscall permitted\n"); + } + exit(0); +} + +void syscall_run(const char *name) { + assert(prog); + + pid_t child = fork(); + if (child < 0) + errExit("fork"); + if (child == 0) { + char *cmd; + if (asprintf(&cmd, "%s syscall %s", prog, name) == -1) + errExit("asprintf"); + execl(prog, prog, "syscall", name, NULL); + exit(0); + } + + // wait for the child to finish + waitpid(child, NULL, 0); +} \ No newline at end of file -- cgit v1.2.3-70-g09d2 From 3b2da566f9dfa2af18b1c03e3f0c7d4764d975f4 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 3 Jul 2016 08:38:06 -0400 Subject: fixed telegram profile --- etc/telegram.profile | 3 --- 1 file changed, 3 deletions(-) diff --git a/etc/telegram.profile b/etc/telegram.profile index 819cd8f3a..8e91e426b 100644 --- a/etc/telegram.profile +++ b/etc/telegram.profile @@ -11,6 +11,3 @@ noroot protocol unix,inet,inet6 seccomp -whitelist ~/Downloads/Telegram Desktop -mkdir ${HOME}/.TelegramDesktop -whitelist ~/.TelegramDesktop -- cgit v1.2.3-70-g09d2 From 242d48789244bb4d743349577d8615538eeeed3a Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 3 Jul 2016 08:54:19 -0400 Subject: more Telegram fixes --- Makefile.in | 1 + platform/debian/conffiles | 1 + 2 files changed, 2 insertions(+) diff --git a/Makefile.in b/Makefile.in index db3c6f059..9cf00562e 100644 --- a/Makefile.in +++ b/Makefile.in 
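Review bot: The `finit_module` branch of syscall_helper calls `swapoff(0, NULL, 0)`, so finit_module is never exercised and the call does not match swapoff's one-argument prototype; `syscall(SYS_finit_module, 0, NULL, 0);` probes the intended call without relying on a libc wrapper. In syscall_run the `cmd` string built with asprintf is never used or freed, and a failed `execl` falls into `exit(0)` with no message, so an exec failure prints nothing and cannot be told apart from a blocked syscall. `perror("execl"); exit(1);` together with a check of the waitpid status would separate the two cases. The three `..._moule` messages are misspelled.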
@@ -218,6 +218,7 @@ realinstall: install -c -m 0644 .etc/strings.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/xz.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/less.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/Telegram.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/. rm -fr .etc diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 62a4cfebe..9ef2f1b26 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -125,4 +125,5 @@ /etc/firejail/strings.profile /etc/firejail/xz.profile /etc/firejail/less.profile +/etc/firejail/Telegram.profile -- cgit v1.2.3-70-g09d2 From 5c85f2e8eef026fe8463500383a0e61f346d610c Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 3 Jul 2016 09:33:17 -0400 Subject: audit: checking files --- src/faudit/files.c | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ src/faudit/main.c | 3 +++ todo | 16 ++++++++++++ 3 files changed, 92 insertions(+) create mode 100644 src/faudit/files.c diff --git a/src/faudit/files.c b/src/faudit/files.c new file mode 100644 index 000000000..0463af66d --- /dev/null +++ b/src/faudit/files.c 
@@ -0,0 +1,73 @@ +/* + * Copyright (C) 2014-2016 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "faudit.h" +#include +#include + +static char *username = NULL; +static char *homedir = NULL; + +static void check_home_file(const char *name) { + assert(homedir); + + char *fname; + if (asprintf(&fname, "%s/%s", homedir, name) == -1) + errExit("asprintf"); + + if (access(fname, R_OK) == 0) + printf("UGLY: I can access files in %s directory\n", fname); + else + printf("GOOD: I cannot access files in %s directory\n", fname); + + free(fname); +} + +void files_test(void) { + struct passwd *pw = getpwuid(getuid()); + if (!pw) { + fprintf(stderr, "Error: cannot retrive user account information\n"); + return; + } + + username = strdup(pw->pw_name); + if (!username) + errExit("strdup"); + homedir = strdup(pw->pw_dir); + if (!homedir) + errExit("strdup"); + + // check access to .ssh directory + check_home_file(".ssh"); + + // check access to .gnupg directory + check_home_file(".gnupg"); + + // check access to Firefox browser directory + check_home_file(".mozilla"); + + // check access to Chromium browser directory + check_home_file(".config/chromium"); + + // check access to Debian Icedove directory + check_home_file(".icedove"); 
+ + // check access to Thunderbird directory + check_home_file(".thunderbird"); +} diff --git a/src/faudit/main.c b/src/faudit/main.c index cd358cc1a..2ed3aa2e1 100644 --- a/src/faudit/main.c +++ b/src/faudit/main.c @@ -53,6 +53,9 @@ int main(int argc, char **argv) { // check seccomp seccomp_test(); + // check some well-known problematic files + files_test(); + free(prog); printf("--------------------------------------------------------------------------------\n"); return 0; diff --git a/todo b/todo index a30a5319b..3cfea559a 100644 --- a/todo +++ b/todo @@ -123,3 +123,19 @@ GOOD: all capabilities are disabled Parent is shutting down, bye... + +16. Sound devices: +/dev/snd + + + /dev/snd/pcmC0D0 -> /dev/audio0 (/dev/audio) -> minor 4 + /dev/snd/pcmC0D0 -> /dev/dsp0 (/dev/dsp) -> minor 3 + /dev/snd/pcmC0D1 -> /dev/adsp0 (/dev/adsp) -> minor 12 + /dev/snd/pcmC1D0 -> /dev/audio1 -> minor 4+16 = 20 + /dev/snd/pcmC1D0 -> /dev/dsp1 -> minor 3+16 = 19 + /dev/snd/pcmC1D1 -> /dev/adsp1 -> minor 12+16 = 28 + /dev/snd/pcmC2D0 -> /dev/audio2 -> minor 4+32 = 36 + /dev/snd/pcmC2D0 -> /dev/dsp2 -> minor 3+32 = 35 + /dev/snd/pcmC2D1 -> /dev/adsp2 -> minor 12+32 = 44 + + -- cgit v1.2.3-70-g09d2 From fe6b414578ac67533d9ce6b475503046d08bf19b Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 3 Jul 2016 12:50:06 -0400 Subject: more Telegram fixes --- etc/Telegram.profile | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 etc/Telegram.profile diff --git a/etc/Telegram.profile b/etc/Telegram.profile new file mode 100644 index 000000000..8e91e426b --- /dev/null +++ b/etc/Telegram.profile @@ -0,0 +1,13 @@ +# Telegram IRC profile +noblacklist ${HOME}/.TelegramDesktop +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp + -- cgit v1.2.3-70-g09d2 From 8cc23dbc8f6b48a3d7eb3cfe8d589d78ce34a62a Mon Sep 17 00:00:00 2001 
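Review bot: check_home_file in src/faudit/files.c prints GOOD for any `access()` failure without saying why, so a directory that never existed reads the same as one the sandbox hid or denied. Reporting the reason keeps the verdict but lets the reader judge it: `printf("GOOD: I cannot access files in %s directory (%s)\n", fname, strerror(errno));`, with `<errno.h>` included. `username` is duplicated in files_test but not read anywhere in this file, and neither strdup result is freed.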
From: netblue30 Date: Sun, 3 Jul 2016 19:55:47 -0400 Subject: faudit network --- src/faudit/caps.c | 1 + src/faudit/faudit.h | 6 ++++++ src/faudit/files.c | 4 +++- src/faudit/main.c | 7 +++++-- src/faudit/pid.c | 1 + src/faudit/seccomp.c | 4 +++- 6 files changed, 19 insertions(+), 4 deletions(-) diff --git a/src/faudit/caps.c b/src/faudit/caps.c index f98d45ec8..db1d3266f 100644 --- a/src/faudit/caps.c +++ b/src/faudit/caps.c @@ -66,6 +66,7 @@ void caps_test(void) { if (caps_val) { printf("BAD: the capability map is %llx, it should be all zero\n", (unsigned long long) caps_val); + printf("Use \"firejail --caps.drop=all\" to fix it.\n"); if (check_capability(caps_val, CAP_SYS_ADMIN)) printf("UGLY: CAP_SYS_ADMIN is enabled\n"); diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h index fdb4556c3..f8d9b709d 100644 --- a/src/faudit/faudit.h +++ b/src/faudit/faudit.h @@ -48,4 +48,10 @@ void seccomp_test(void); void syscall_helper(int argc, char **argv); void syscall_run(const char *name); +// files.c +void files_test(void); + +// network.c +void network_test(void); + #endif \ No newline at end of file diff --git a/src/faudit/files.c b/src/faudit/files.c index 0463af66d..9a230d7e5 100644 --- a/src/faudit/files.c +++ b/src/faudit/files.c @@ -31,8 +31,10 @@ static void check_home_file(const char *name) { if (asprintf(&fname, "%s/%s", homedir, name) == -1) errExit("asprintf"); - if (access(fname, R_OK) == 0) + if (access(fname, R_OK) == 0) { printf("UGLY: I can access files in %s directory\n", fname); + printf("Use \"firejail --blacklist=~/%s\" to block it.\n", fname); + } else printf("GOOD: I cannot access files in %s directory\n", fname); diff --git a/src/faudit/main.c b/src/faudit/main.c index 2ed3aa2e1..6758f5671 100644 --- a/src/faudit/main.c +++ b/src/faudit/main.c 
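Review bot: In the files.c hunk the added hint formats `fname`, which the unchanged `asprintf(&fname, "%s/%s", homedir, name)` just above built as an absolute path, so the printed option has the form `--blacklist=~//home/...` and names a path that does not exist. A user who pastes it would presumably blacklist nothing and assume the directory is now protected. Use the relative name instead: `printf("Use \"firejail --blacklist=~/%s\" to block it.\n", name);`. check_home_file starts outside the hunk.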
@@ -33,7 +33,7 @@ int main(int argc, char **argv) { return 1; } - printf("\n---------------- Firejail Audit: the Good, the Bad and the Ugly ----------------\n"); + printf("\n---------------- Firejail Audit: the GOOD, the BAD and the UGLY ----------------\n"); // extract program name prog = realpath(argv[0], NULL); @@ -53,9 +53,12 @@ int main(int argc, char **argv) { // check seccomp seccomp_test(); - // check some well-known problematic files + // check some well-known problematic files and directories files_test(); + // network + network_test(); + free(prog); printf("--------------------------------------------------------------------------------\n"); return 0; diff --git a/src/faudit/pid.c b/src/faudit/pid.c index 53b59a838..57947418e 100644 --- a/src/faudit/pid.c +++ b/src/faudit/pid.c @@ -70,6 +70,7 @@ void pid_test(void) { fclose(fp); free(fname); printf("BAD: Process PID %d, not running in a PID namespace\n", getpid()); + printf("Are you sure you're running in a sandbox?\n"); return; } j++; diff --git a/src/faudit/seccomp.c b/src/faudit/seccomp.c index d88d6a958..9cc1a20f6 100644 --- a/src/faudit/seccomp.c +++ b/src/faudit/seccomp.c @@ -50,8 +50,10 @@ void seccomp_test(void) { return; } - if (seccomp_status == 0) + if (seccomp_status == 0) { printf("BAD: seccomp disabled\n"); + printf("Use \"firejail --seccomp\" to fix it.\n"); + } else if (seccomp_status == 1) printf("GOOD: seccomp strict mode - only read, write, _exit, and sigreturn are allowd\n"); else if (seccomp_status == 2) { -- cgit v1.2.3-70-g09d2 From 2913ccf84a11d9c1c19c1885738ae8e5eaeb53d1 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 3 Jul 2016 19:56:10 -0400 Subject: faudit network --- src/faudit/network.c | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 src/faudit/network.c diff --git a/src/faudit/network.c b/src/faudit/network.c new file mode 100644 index 000000000..697b1d1fb --- /dev/null +++ b/src/faudit/network.c 
@@ -0,0 +1,52 @@ +/* + * Copyright (C) 2014-2016 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "faudit.h" +#include +#include + +void check_ssh(void) { + printf("INFO: looking for ssh servers running on localhost\n"); + + // open socket + int sock = socket(AF_INET, SOCK_STREAM, 0); + if (sock == -1) { + printf("Error: cannot create an IPv4 socket\n"); + return; + } + + // connect to localhost + struct sockaddr_in server; + server.sin_addr.s_addr = inet_addr("127.0.0.1"); + server.sin_family = AF_INET; + server.sin_port = htons(22); + + if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0) + printf("GOOD: SSH server not available on localhost\n"); + else { + printf("MAYBE: an SSH server is accessible on localhost\n"); + printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n"); + } + + close(sock); +} + +void network_test(void) { + check_ssh(); +} -- cgit v1.2.3-70-g09d2 From cbdf71ac12dcc26f3135fde94f51cc6bd5f38a29 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Mon, 4 Jul 2016 14:24:47 +0300 Subject: Fix improper quoting of arguments --- src/firejail/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
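Review bot: In src/faudit/network.c, check_ssh() prints `GOOD: SSH server not available on localhost` for every connect() failure, so an unrelated error is reported the same way as a refused connection and the audit can understate exposure. Print GOOD only for the errno values that mean "nothing reachable" (for example `ECONNREFUSED`), and print the `strerror(errno)` text for anything else. `struct sockaddr_in server;` is also filled field by field without being cleared first; `memset(&server, 0, sizeof(server));` before the assignments avoids passing indeterminate bytes to connect(). The probe covers only 127.0.0.1 port 22, and a comment above the function should say so, so that GOOD is not read as "no SSH service reachable from the sandbox".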
diff --git a/src/firejail/main.c b/src/firejail/main.c index 6faec9109..7b956bf64 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -2005,7 +2005,7 @@ int main(int argc, char **argv) { sprintf(ptr1, "%s ", argv[i + prog_index]); } else { - sprintf(ptr1, "\"%s\" ", argv[i + prog_index]); + sprintf(ptr1, "\'%s\' ", argv[i + prog_index]); } sprintf(ptr2, "%s ", argv[i + prog_index]); -- cgit v1.2.3-70-g09d2 From d578c4c6cfaeb7eb4c9174d7ec52d509cc3ec04f Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Mon, 4 Jul 2016 14:27:16 +0300 Subject: Fix improper quoting of arguments --- src/firejail/join.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/firejail/join.c b/src/firejail/join.c index aba8f064b..47d31669d 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c @@ -62,9 +62,9 @@ static void extract_command(int argc, char **argv, int index) { *cfg.command_line = '\0'; for (i = index; i < argc; i++) { if (strchr(argv[i], '&')) { - strcat(cfg.command_line, "\""); + strcat(cfg.command_line, "\'"); strcat(cfg.command_line, argv[i]); - strcat(cfg.command_line, "\" "); + strcat(cfg.command_line, "\' "); } else { strcat(cfg.command_line, argv[i]); -- cgit v1.2.3-70-g09d2 From fa9e6aa8b5dd6937fa35847209faf703cd85f09c Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Mon, 4 Jul 2016 23:51:45 +1000 Subject: 'include' profile --- etc/Telegram.profile | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/etc/Telegram.profile b/etc/Telegram.profile index 8e91e426b..2e0f97821 100644 --- a/etc/Telegram.profile +++ b/etc/Telegram.profile @@ -1,13 +1,2 @@ # Telegram IRC profile -noblacklist ${HOME}/.TelegramDesktop -include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc -include /etc/firejail/disable-devel.inc - -caps.drop all -netfilter -nonewprivs -noroot -protocol unix,inet,inet6 -seccomp - +include /etc/firejail/telegram.profile -- cgit v1.2.3-70-g09d2 
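Review bot: The new `sprintf(ptr1, "\'%s\' ", argv[i + prog_index]);` in src/firejail/main.c copies the argument verbatim between single quotes, so an argument that itself contains `'` closes the quoted span early; the `strcat(cfg.command_line, "\'")` pair in extract_command() in src/firejail/join.c has the same gap. If these command lines are later handed to a shell (not visible in either hunk), the rest of such an argument would be parsed as shell syntax rather than data. Emit each embedded `'` as `'\''` while copying, with the destination sized for the expansion, or pass the arguments as an argv array without a shell. In join.c only arguments containing `&` are quoted at all, so other shell metacharacters still go in unquoted. Both enclosing functions extend beyond their hunks.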
From c219c24261efb7e56d719c4a2bbf26b53b9036e4 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Tue, 5 Jul 2016 00:16:59 +1000 Subject: tightened qtox profile --- etc/qtox.profile | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/etc/qtox.profile b/etc/qtox.profile index 3a19efa3a..39f900748 100644 --- a/etc/qtox.profile +++ b/etc/qtox.profile @@ -3,6 +3,7 @@ noblacklist ${HOME}/.config/tox include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc mkdir ${HOME}/.config/tox whitelist ${HOME}/.config/tox @@ -10,7 +11,11 @@ whitelist ${DOWNLOADS} include /etc/firejail/whitelist-common.inc caps.drop all +netfilter nonewprivs noroot protocol unix,inet,inet6 seccomp +shell none +tracelog + -- cgit v1.2.3-70-g09d2 From 63b0c48bbd9acccf7f93dce9b95807d1c9122162 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 4 Jul 2016 13:25:22 -0400 Subject: src/faudit/dbus.c --- src/faudit/faudit.h | 3 +++ src/faudit/main.c | 3 +++ 2 files changed, 6 insertions(+) diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h index f8d9b709d..f54f95f98 100644 --- a/src/faudit/faudit.h +++ b/src/faudit/faudit.h @@ -54,4 +54,7 @@ void files_test(void); // network.c void network_test(void); +// dbus.c +void dbus_test(void); + #endif \ No newline at end of file diff --git a/src/faudit/main.c b/src/faudit/main.c index 6758f5671..81672fd62 100644 --- a/src/faudit/main.c +++ b/src/faudit/main.c @@ -59,6 +59,9 @@ int main(int argc, char **argv) { // network network_test(); + // dbus + dbus_test(); + free(prog); printf("--------------------------------------------------------------------------------\n"); return 0; -- cgit v1.2.3-70-g09d2 From 3f8d6787b7ccff3ed7ff77a3b474856ae1be6a9b Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Tue, 5 Jul 2016 07:24:10 -0400 Subject: faudit: dbus --- src/faudit/caps.c | 10 +++---- src/faudit/dbus.c | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++++ src/faudit/files.c | 4 +-- src/faudit/main.c | 2 +- src/faudit/network.c | 35 +++++++++++++++++++++---- src/faudit/pid.c | 6 ++--- src/faudit/seccomp.c | 9 +++---- src/faudit/syscall.c | 24 ++++++++--------- 8 files changed, 131 insertions(+), 33 deletions(-) create mode 100644 src/faudit/dbus.c diff --git a/src/faudit/caps.c b/src/faudit/caps.c index db1d3266f..d4a62b34f 100644 --- a/src/faudit/caps.c +++ b/src/faudit/caps.c @@ -60,20 +60,20 @@ void caps_test(void) { uint64_t caps_val; if (extract_caps(&caps_val)) { - printf("SKIP: cannot extract capabilities on this platform\n"); + printf("SKIP: cannot extract capabilities on this platform.\n"); return; } if (caps_val) { - printf("BAD: the capability map is %llx, it should be all zero\n", (unsigned long long) caps_val); + printf("BAD: the capability map is %llx, it should be all zero. ", (unsigned long long) caps_val); printf("Use \"firejail --caps.drop=all\" to fix it.\n"); if (check_capability(caps_val, CAP_SYS_ADMIN)) - printf("UGLY: CAP_SYS_ADMIN is enabled\n"); + printf("UGLY: CAP_SYS_ADMIN is enabled.\n"); if (check_capability(caps_val, CAP_SYS_BOOT)) - printf("UGLY: CAP_SYS_BOOT is enabled\n"); + printf("UGLY: CAP_SYS_BOOT is enabled.\n"); } else - printf("GOOD: all capabilities are disabled\n"); + printf("GOOD: all capabilities are disabled.\n"); } diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c new file mode 100644 index 000000000..5f25e7312 --- /dev/null +++ b/src/faudit/dbus.c 
@@ -0,0 +1,74 @@ +/* + * Copyright (C) 2014-2016 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "faudit.h" +#include +#include + +void check_session_bus(const char *sockfile) { + assert(sockfile); + + // open socket + int sock = socket(AF_UNIX, SOCK_STREAM, 0); + if (sock == -1) { + printf("GOOD: I cannot connect to session bus. If the application misbehaves, please log a bug with the application developer.\n"); + return; + } + + // connect + struct sockaddr_un remote; + memset(&remote, 0, sizeof(struct sockaddr_un)); + remote.sun_family = AF_UNIX; + strcpy(remote.sun_path, sockfile); + int len = strlen(remote.sun_path) + sizeof(remote.sun_family); + remote.sun_path[0] = '\0'; + if (connect(sock, (struct sockaddr *)&remote, len) == -1) { + printf("GOOD: I cannot connect to session bus. If the application misbehaves, please log a bug with the application developer.\n"); + } + else { + printf("MAYBE: I can connect to session bus. 
If this is undesirable, use \"--private-tmp\" or blacklist the socket file.\n"); + } + + close(sock); +} + +void dbus_test(void) { + // check the session bus + char *str = getenv("DBUS_SESSION_BUS_ADDRESS"); + if (str) { + char *bus = strdup(str); + if (!bus) + errExit("strdup"); + char *sockfile = strstr(bus, "unix:abstract="); + if (sockfile) { + sockfile += 13; + *sockfile = '@'; + char *ptr = strchr(sockfile, ','); + if (ptr) { + *ptr = '\0'; + check_session_bus(sockfile); + } + sockfile -= 13; + free(sockfile); + } + } +} + + + diff --git a/src/faudit/files.c b/src/faudit/files.c index 9a230d7e5..c27973358 100644 --- a/src/faudit/files.c +++ b/src/faudit/files.c @@ -32,11 +32,11 @@ static void check_home_file(const char *name) { errExit("asprintf"); if (access(fname, R_OK) == 0) { - printf("UGLY: I can access files in %s directory\n", fname); + printf("UGLY: I can access files in %s directory. ", fname); printf("Use \"firejail --blacklist=~/%s\" to block it.\n", fname); } else - printf("GOOD: I cannot access files in %s directory\n", fname); + printf("GOOD: I cannot access files in %s directory.\n", fname); free(fname); } diff --git a/src/faudit/main.c b/src/faudit/main.c index 81672fd62..df549ac3e 100644 --- a/src/faudit/main.c +++ b/src/faudit/main.c @@ -41,7 +41,7 @@ int main(int argc, char **argv) { fprintf(stderr, "Error: cannot extract the path of the audit program\n"); return 1; } - printf("INFO: starting %s\n", prog); + printf("INFO: Starting %s.\n", prog); // check pid namespace diff --git a/src/faudit/network.c b/src/faudit/network.c index 697b1d1fb..bb3116c3b 100644 --- a/src/faudit/network.c +++ b/src/faudit/network.c 
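Review bot: In src/faudit/dbus.c, check_session_bus() fills the address with `strcpy(remote.sun_path, sockfile);`, and that name is taken from the `DBUS_SESSION_BUS_ADDRESS` environment variable, so a value longer than `sizeof(remote.sun_path)` writes past the stack structure. Reject over-long names before the copy, e.g. `if (strlen(sockfile) >= sizeof(remote.sun_path)) { close(sock); return; }`. In dbus_test() the cleanup `sockfile -= 13; free(sockfile);` frees the strstr() result rather than the strdup() pointer, which is an invalid free whenever `unix:abstract=` is not at the very start of the string, and `bus` is leaked when the prefix is absent; a single `free(bus);` after the inner `if` covers both cases. The offset 13 deliberately lands on the `=` that is then overwritten, which deserves a one-line comment.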
@@ -20,14 +20,14 @@ #include "faudit.h" #include #include +#include +#include void check_ssh(void) { - printf("INFO: looking for ssh servers running on localhost\n"); - // open socket int sock = socket(AF_INET, SOCK_STREAM, 0); if (sock == -1) { - printf("Error: cannot create an IPv4 socket\n"); + printf("GOOD: SSH server not available on localhost.\n"); return; } @@ -38,15 +38,40 @@ void check_ssh(void) { server.sin_port = htons(22); if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0) - printf("GOOD: SSH server not available on localhost\n"); + printf("GOOD: SSH server not available on localhost.\n"); else { - printf("MAYBE: an SSH server is accessible on localhost\n"); + printf("MAYBE: An SSH server is accessible on localhost. "); printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n"); } close(sock); } + +void check_netlink(void) { + socklen_t addr_len; + int sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, 0); + if (sock == -1) { + printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n"); + return; + } + + struct sockaddr_nl local; + memset(&local, 0, sizeof(local)); + local.nl_family = AF_NETLINK; + local.nl_groups = 0; //subscriptions; + + if (bind(sock, (struct sockaddr*)&local, sizeof(local)) < 0) { + printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n"); + close(sock); + return; + } + + close(sock); + printf("MAYBE: I can connect to netlink socket. Network utilities such as iproute2 will work fine in the sandbox. "); + printf("You can use \"--protocol\" to disable the socket.\n"); +} void network_test(void) { check_ssh(); + check_netlink(); } diff --git a/src/faudit/pid.c b/src/faudit/pid.c index 57947418e..2770daece 100644 --- a/src/faudit/pid.c +++ b/src/faudit/pid.c 
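Review bot: In src/faudit/network.c, check_ssh() now prints `GOOD: SSH server not available on localhost.` when socket() itself fails, which drops the reason from the audit output, so a protocol filter denying AF_INET reads the same as any other socket() error. Keep the cause in the message, e.g. `printf("GOOD: cannot create an IPv4 socket (%s).\n", strerror(errno));`; the GOOD lines in the added check_netlink() would benefit in the same way. In check_netlink(), `socklen_t addr_len;` is declared and never used and can be removed. As far as this file shows, check_ssh() and check_netlink() are only called from network_test(), so marking them `static` would keep them out of the global namespace.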
@@ -69,7 +69,7 @@ void pid_test(void) { if (strncmp(buf, kern_proc[j], strlen(kern_proc[j])) == 0) { fclose(fp); free(fname); - printf("BAD: Process PID %d, not running in a PID namespace\n", getpid()); + printf("BAD: Process %d, not running in a PID namespace. ", getpid()); printf("Are you sure you're running in a sandbox?\n"); return; } @@ -81,10 +81,10 @@ void pid_test(void) { } - printf("GOOD: process PID %d, running in a PID namespace\n", getpid()); + printf("GOOD: process %d running in a PID namespace.\n", getpid()); // try to guess the type of container/sandbox char *str = getenv("container"); if (str) - printf("INFO: container/sandbox %s\n", str); + printf("INFO: container/sandbox %s.\n", str); } diff --git a/src/faudit/seccomp.c b/src/faudit/seccomp.c index 9cc1a20f6..099e0e420 100644 --- a/src/faudit/seccomp.c +++ b/src/faudit/seccomp.c @@ -46,18 +46,17 @@ void seccomp_test(void) { int rv = extract_seccomp(&seccomp_status); if (rv) { - printf("SKIP: cannot extract seccomp configuration on this platform\n"); + printf("INFO: cannot extract seccomp configuration on this platform.\n"); return; } if (seccomp_status == 0) { - printf("BAD: seccomp disabled\n"); - printf("Use \"firejail --seccomp\" to fix it.\n"); + printf("BAD: seccomp disabled. Use \"firejail --seccomp\" to enable it.\n"); } else if (seccomp_status == 1) - printf("GOOD: seccomp strict mode - only read, write, _exit, and sigreturn are allowd\n"); + printf("GOOD: seccomp strict mode - only read, write, _exit, and sigreturn are allowd.\n"); else if (seccomp_status == 2) { - printf("GOOD: seccomp BPF enababled\n"); + printf("GOOD: seccomp BPF enabled.\n"); printf("checking syscalls: "); fflush(0); printf("mount... "); fflush(0); diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c index 11fb3730b..84d73a03f 100644 --- a/src/faudit/syscall.c +++ b/src/faudit/syscall.c 
@@ -22,52 +22,52 @@ void syscall_helper(int argc, char **argv) { if (strcmp(argv[2], "mount") == 0) { mount(NULL, NULL, NULL, 0, NULL); - printf("\nUGLY: mount syscall permitted\n"); + printf("\nUGLY: mount syscall permitted.\n"); } else if (strcmp(argv[2], "umount2") == 0) { umount2(NULL, 0); - printf("\nUGLY: umount2 syscall permitted\n"); + printf("\nUGLY: umount2 syscall permitted.\n"); } else if (strcmp(argv[2], "ptrace") == 0) { ptrace(0, 0, NULL, NULL); - printf("\nUGLY: ptrace syscall permitted\n"); + printf("\nUGLY: ptrace syscall permitted.\n"); } else if (strcmp(argv[2], "swapon") == 0) { swapon(NULL, 0); - printf("\nUGLY: swapon syscall permitted\n"); + printf("\nUGLY: swapon syscall permitted.\n"); } else if (strcmp(argv[2], "swapoff") == 0) { swapoff(NULL); - printf("\nUGLY: swapoff syscall permitted\n"); + printf("\nUGLY: swapoff syscall permitted.\n"); } else if (strcmp(argv[2], "init_module") == 0) { init_module(NULL, 0, NULL); - printf("\nUGLY: init_moule syscall permitted\n"); + printf("\nUGLY: init_module syscall permitted.\n"); } else if (strcmp(argv[2], "finit_module") == 0) { swapoff(0, NULL, 0); - printf("\nUGLY: finit_moule syscall permitted\n"); + printf("\nUGLY: finit_module syscall permitted.\n"); } else if (strcmp(argv[2], "delete_module") == 0) { delete_module(NULL, 0); - printf("\nUGLY: delete_moule syscall permitted\n"); + printf("\nUGLY: delete_module syscall permitted.\n"); } else if (strcmp(argv[2], "chroot") == 0) { int rv = chroot(NULL); (void) rv; - printf("\nUGLY: chroot syscall permitted\n"); + printf("\nUGLY: chroot syscall permitted.\n"); } else if (strcmp(argv[2], "pivot_root") == 0) { pivot_root(NULL, NULL); - printf("\nUGLY: pivot_root syscall permitted\n"); + printf("\nUGLY: pivot_root syscall permitted.\n"); } else if (strcmp(argv[2], "iopl") == 0) { iopl(0L); - printf("\nUGLY: iopl syscall permitted\n"); + printf("\nUGLY: iopl syscall permitted.\n"); } else if (strcmp(argv[2], "ioperm") == 0) { ioperm(0, 0, 0); - 
printf("\nUGLY: ioperm syscall permitted\n"); + printf("\nUGLY: ioperm syscall permitted.\n"); } exit(0); } -- cgit v1.2.3-70-g09d2 From 0063db06522cbc907b52ab9f9b1faf571db2497a Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 5 Jul 2016 07:36:32 -0400 Subject: readme --- README | 52 +++++++++++++++++++++++++++------------------------- 1 file changed, 27 insertions(+), 25 deletions(-) diff --git a/README b/README index 65eeccd03..6cab5bd7a 100644 --- a/README +++ b/README @@ -25,6 +25,33 @@ Reiner Herrmann (https://github.com/reinerh) - clang-analyzer fixes - Debian reproducible build - unit testing framework +Aleksey Manevich (https://github.com/manevich) + - several profile fixes + - fix problem with relative path in storage_find function + - fix build for systems without bash + - fix double quotes/single quotes problem +Fred-Barclay (https://github.com/Fred-Barclay) + - added Vivaldi, Atril profiles + - added PaleMoon profile + - split Icedove and Thunderbird profiles + - added 0ad profile + - fixed version for .deb packages + - added Warzone2100 profile + - blacklisted VeraCrypt + - added Gpredict profile + - added Aweather, Stellarium profiles + - fixed HexChat and Atril profiles + - fixed disable-common.inc for mate-terminal + - blacklisted escape-happy terminals in disable-common.inc + - blacklisted g++ + - added xplayer, xreader, and xviewer profiles + - added Brave profile + - added Gitter profile + - various organising + - added LibreOffice profile + - added pix profile + - added audacity profile + - fixed Telegram and qtox profiles Jaykishan Mutkawoa (https://github.com/jmutkawoa) - cpio profile Paupiah Yash (https://github.com/CaffeinatedStud) 
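Review bot: In src/faudit/syscall.c the `finit_module` branch of syscall_helper() still calls `swapoff(0, NULL, 0);`, so after this commit the corrected message names finit_module while the syscall actually exercised is swapoff. A seccomp filter that blocks swapoff but allows finit_module would therefore be reported as blocking finit_module. The branch should invoke finit_module itself, for instance `syscall(SYS_finit_module, -1, NULL, 0);` if the C library in use provides no wrapper (assumption: the syscall number header is available to this file). The visible body also reads `argv[2]` without looking at `argc`; unless the caller guarantees three arguments, add `if (argc < 3) exit(1);` at the top.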
@@ -80,27 +107,6 @@ Joan Figueras (https://github.com/figue) - added abrowser profile - added Google-Play-Music-Desktop-Player - added cyberfox profile -Fred-Barclay (https://github.com/Fred-Barclay) - - added Vivaldi, Atril profiles - - added PaleMoon profile - - split Icedove and Thunderbird profiles - - added 0ad profile - - fixed version for .deb packages - - added Warzone2100 profile - - blacklisted VeraCrypt - - added Gpredict profile - - added Aweather, Stellarium profiles - - fixed HexChat and Atril profiles - - fixed disable-common.inc for mate-terminal - - blacklisted escape-happy terminals in disable-common.inc - - blacklisted g++ - - added xplayer, xreader, and xviewer profiles - - added Brave profile - - added Gitter profile - - various organising - - added LibreOffice profile - - added pix profile - - added audacity profile Petter Reinholdtsen (pere@hungry.com) - Opera profile patch n1trux (https://github.com/n1trux) @@ -131,10 +137,6 @@ Tom Mellor (https://github.com/kalegrill) Martin Carpenter (https://github.com/mcarpenter) - security audit and bug fixes - Centos 6.x support -Aleksey Manevich (https://github.com/manevich) - - several profile fixes - - fix problem with relative path in storage_find function - - fix build for systems without bash pszxzsd (https://github.com/pszxzsd) -uGet profile Rahiel Kasim (https://github.com/rahiel) -- cgit v1.2.3-70-g09d2 From d18216ee9bc8c0fb42eb519e65a7733a3ee4233e Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 5 Jul 2016 07:39:29 -0400 Subject: gitignore --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index 85e317827..34a228a76 100644 --- a/.gitignore +++ b/.gitignore @@ -17,3 +17,5 @@ src/firemon/firemon src/firecfg/firecfg src/ftee/ftee src/tags +src/faudit/faudit + -- cgit v1.2.3-70-g09d2 From 86286babe204b6ac95a1cbc0af958e79d43655b5 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Tue, 5 Jul 2016 09:51:18 -0400 Subject: audit feature --- src/faudit/dbus.c | 2 +- src/faudit/files.c | 2 +- src/faudit/main.c | 2 +- src/faudit/network.c | 2 +- src/faudit/syscall.c | 5 +---- src/firejail/firejail.h | 1 + src/firejail/main.c | 3 +++ src/firejail/sandbox.c | 11 ++++++++++- src/firejail/usage.c | 16 +++++++++++++++- src/man/firejail.txt | 31 ++++++++++++++++++++++++++++--- 10 files changed, 62 insertions(+), 13 deletions(-) diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c index 5f25e7312..f7b5a221d 100644 --- a/src/faudit/dbus.c +++ b/src/faudit/dbus.c @@ -42,7 +42,7 @@ void check_session_bus(const char *sockfile) { printf("GOOD: I cannot connect to session bus. If the application misbehaves, please log a bug with the application developer.\n"); } else { - printf("MAYBE: I can connect to session bus. If this is undesirable, use \"--private-tmp\" or blacklist the socket file.\n"); + printf("MAYBE: I can connect to session bus. It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n"); } close(sock); diff --git a/src/faudit/files.c b/src/faudit/files.c index c27973358..e27d3436a 100644 --- a/src/faudit/files.c +++ b/src/faudit/files.c @@ -33,7 +33,7 @@ static void check_home_file(const char *name) { if (access(fname, R_OK) == 0) { printf("UGLY: I can access files in %s directory. ", fname); - printf("Use \"firejail --blacklist=~/%s\" to block it.\n", fname); + printf("Use \"firejail --blacklist=%s\" to block it.\n", fname); } else printf("GOOD: I cannot access files in %s directory.\n", fname); diff --git a/src/faudit/main.c b/src/faudit/main.c index df549ac3e..86d3fe4a9 100644 --- a/src/faudit/main.c +++ b/src/faudit/main.c @@ -41,7 +41,7 @@ int main(int argc, char **argv) { fprintf(stderr, "Error: cannot extract the path of the audit program\n"); return 1; } - printf("INFO: Starting %s.\n", prog); + printf("INFO: starting %s.\n", prog); // check pid namespace 
diff --git a/src/faudit/network.c b/src/faudit/network.c index bb3116c3b..39821cd25 100644 --- a/src/faudit/network.c +++ b/src/faudit/network.c @@ -40,7 +40,7 @@ void check_ssh(void) { if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0) printf("GOOD: SSH server not available on localhost.\n"); else { - printf("MAYBE: An SSH server is accessible on localhost. "); + printf("MAYBE: an SSH server is accessible on localhost. "); printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n"); } diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c index 84d73a03f..7088ad340 100644 --- a/src/faudit/syscall.c +++ b/src/faudit/syscall.c @@ -79,11 +79,8 @@ void syscall_run(const char *name) { if (child < 0) errExit("fork"); if (child == 0) { - char *cmd; - if (asprintf(&cmd, "%s syscall %s", prog, name) == -1) - errExit("asprintf"); execl(prog, prog, "syscall", name, NULL); - exit(0); + exit(1); } // wait for the child to finish diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 0b6e2e181..39013de56 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -260,6 +260,7 @@ extern int arg_ipc; // enable ipc namespace extern int arg_writable_etc; // writable etc extern int arg_writable_var; // writable var extern int arg_appimage; // appimage +extern int arg_audit; // audit extern int parent_to_child_fds[2]; extern int child_to_parent_fds[2]; diff --git a/src/firejail/main.c b/src/firejail/main.c index 7b956bf64..34cc38cd5 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -100,6 +100,7 @@ int arg_ipc = 0; // enable ipc namespace int arg_writable_etc = 0; // writable etc int arg_writable_var = 0; // writable var int arg_appimage = 0; // appimage +int arg_audit = 0; // audit int parent_to_child_fds[2]; int child_to_parent_fds[2]; 
@@ -1830,6 +1831,8 @@ int main(int argc, char **argv) { //************************************* // command //************************************* + else if (strcmp(argv[i], "--audit") == 0) + arg_audit = 1; else if (strcmp(argv[i], "--appimage") == 0) arg_appimage = 1; else if (strcmp(argv[i], "--csh") == 0) { diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 0e3d722b7..8cf2486b3 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -274,10 +274,19 @@ static int monitor_application(pid_t app_pid) { static void start_application(void) { + //**************************************** + // audit + //**************************************** + if (arg_audit) { + char *audit_prog; + if (asprintf(&audit_prog, "%s/firejail/faudit", LIBDIR) == -1) + errExit("asprintf"); + execl(audit_prog, audit_prog, NULL); + } //**************************************** // start the program without using a shell //**************************************** - if (arg_shell_none) { + else if (arg_shell_none) { if (arg_debug) { int i; for (i = cfg.original_program_index; i < cfg.original_argc; i++) { diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 82b1affcc..e31867351 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -35,6 +35,8 @@ void usage(void) { printf("Options:\n\n"); printf(" -- - signal the end of options and disables further option processing.\n\n"); printf(" --appimage - sandbox an AppImage application\n\n"); + printf(" --audit - audit the sandbox, see Audit section for more details\n\n"); + printf(" --audit=test-program - audit the sandbox, see Audit section for more details\n\n"); #ifdef HAVE_NETWORK printf(" --bandwidth=name|pid - set bandwidth limits for the sandbox identified\n"); printf("\tby name or PID, see Traffic Shaping section fo more details.\n\n"); 
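Review bot: In start_application() in src/firejail/sandbox.c, the new audit branch has nothing after `execl(audit_prog, audit_prog, NULL);`, so if the faudit binary is missing or not executable the call returns and execution continues past the `if`/`else if` chain without any diagnostic. Add a failure path directly after the call, e.g. `perror("execl"); exit(1);`, which also matches the `exit(1)` this commit places after execl() in src/faudit/syscall.c. The terminating argument is better written `(char *) NULL`, since execl() is variadic and a bare `NULL` is not guaranteed to be passed as a pointer. The rest of start_application() lies outside the hunk, so what runs after the chain cannot be confirmed from here.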
@@ -298,7 +300,19 @@ void usage(void) { printf("\n"); #endif - + printf("Audit\n\n"); + printf("Audit feature allows the user to point out gaps in security profiles. The\n"); + printf("implementation replaces the program to be sandboxed with a test program. By\n"); + printf("default, we use faudit program distributed with Firejail. A custom test program\n"); + printf("can also be supplied by the user. Examples:\n\n"); + printf("Running the default audit program:\n"); + printf(" $ firejail --audit transmission-gtk\n\n"); + printf("Running a custom audit program:\n"); + printf(" $ firejail --audit=~/sandbox-test transmission-gtk\n\n"); + printf("In the examples above, the sandbox configures transmission-gtk profile and\n"); + printf("starts the test program. The real program, transmission-gtk, will not be\n"); + printf("started.\n\n\n"); + printf("Monitoring\n\n"); printf("Option --list prints a list of all sandboxes. The format for each entry is as\n"); diff --git a/src/man/firejail.txt b/src/man/firejail.txt index bb8c64dc9..a523e51cb 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -88,6 +88,12 @@ $ firejail --appimage --private krita-3.0-x86_64.appimage .br $ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage .TP +\fB\-\-audit +Audit the sandbox, see \fBAUDIT\fR section for more details. +.TP +\fB\-\-audit=test-program +Audit the sandbox, see \fBAUDIT\fR section for more details. +.TP \fB\-\-bandwidth=name|pid Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details. .TP 
@@ -1691,15 +1697,15 @@ The shaper works at sandbox level, and can be used only for sandboxes configured Set rate-limits: - firejail --bandwidth=name|pid set network download upload + $ firejail --bandwidth=name|pid set network download upload Clear rate-limits: - firejail --bandwidth=name|pid clear network + $ firejail --bandwidth=name|pid clear network Status: - firejail --bandwidth=name|pid status + $ firejail --bandwidth=name|pid status where: .br @@ -1723,6 +1729,25 @@ Example: .br $ firejail \-\-bandwidth=mybrowser clear eth0 +.SH AUDIT +Audit feature allows the user to point out gaps in security profiles. The +implementation replaces the program to be sandboxed with a test program. By +default, we use faudit program distributed with Firejail. A custom test program +can also be supplied by the user. Examples: + +Running the default audit program: +.br + $ firejail --audit transmission-gtk + +Running a custom audit program: +.br + $ firejail --audit=~/sandbox-test transmission-gtk\n\n"); + +In the examples above, the sandbox configures transmission-gtk profile and +starts the test program. The real program, transmission-gtk, will not be +started. + + .SH MONITORING Option \-\-list prints a list of all sandboxes. The format for each process entry is as follows: -- cgit v1.2.3-70-g09d2 From 73ce1000234e0910bc77f424e481a47c6da55dbb Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 5 Jul 2016 10:13:25 -0400 Subject: audit feature --- README.md | 21 +++++++++++++++++++++ RELNOTES | 2 ++ src/firejail/firejail.h | 1 + src/firejail/main.c | 16 +++++++++++++++- src/firejail/sandbox.c | 20 ++++++++++++++++---- src/man/firejail.txt | 3 ++- 6 files changed, 57 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 230657756..a46e116d0 100644 --- a/README.md +++ b/README.md 
@@ -65,6 +65,27 @@ More packages build by AppImage developer Simon Peter: https://bintray.com/probo AppImage project home: https://github.com/probonopd/AppImageKit +## Sandbox auditing +````` +AUDIT + Audit feature allows the user to point out gaps in security profiles. + The implementation replaces the program to be sandboxed with a test + program. By default, we use faudit program distributed with Firejail. A + custom test program can also be supplied by the user. Examples: + + Running the default audit program: + $ firejail --audit transmission-gtk + + Running a custom audit program: + $ firejail --audit=~/sandbox-test transmission-gtk + + In the examples above, the sandbox configures transmission-gtk profile + and starts the test program. The real program, transmission-gtk, will + not be started. + + Limitations: audit feature is not implemented for --x11 commands. +````` + ## Converting profiles to private-bin - work in progress! BitTorrent: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt, uget-gtk diff --git a/RELNOTES b/RELNOTES index 8d170a9b3..d845e976c 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,5 +1,7 @@ firejail (0.9.41) baseline; urgency=low * work in progress... + * AppImage support (--appimage) + * Sandbox auditing support (--audit) * compile time and run time support to disable whitelists * compile time support to disable global configuration file * some profiles have been converted to private-bin diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 39013de56..ddc37e203 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -261,6 +261,7 @@ extern int arg_writable_etc; // writable etc extern int arg_writable_var; // writable var extern int arg_appimage; // appimage extern int arg_audit; // audit +extern char *arg_audit_prog; // audit extern int parent_to_child_fds[2]; extern int child_to_parent_fds[2]; diff --git a/src/firejail/main.c b/src/firejail/main.c index 34cc38cd5..ac554ca2a 100644 
--- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -101,6 +101,7 @@ int arg_writable_etc = 0; // writable etc int arg_writable_var = 0; // writable var int arg_appimage = 0; // appimage int arg_audit = 0; // audit +char *arg_audit_prog; // audit int parent_to_child_fds[2]; int child_to_parent_fds[2]; @@ -1831,8 +1832,21 @@ int main(int argc, char **argv) { //************************************* // command //************************************* - else if (strcmp(argv[i], "--audit") == 0) + else if (strcmp(argv[i], "--audit") == 0) { + if (asprintf(&arg_audit_prog, "%s/firejail/faudit", LIBDIR) == -1) + errExit("asprintf"); arg_audit = 1; + } + else if (strncmp(argv[i], "--audit=", 8) == 0) { + if (strlen(argv[i] + 8) == 0) { + fprintf(stderr, "Error: invalid audit program\n"); + exit(1); + } + arg_audit_prog = strdup(argv[i] + 8); + if (!arg_audit_prog) + errExit("strdup"); + arg_audit = 1; + } else if (strcmp(argv[i], "--appimage") == 0) arg_appimage = 1; else if (strcmp(argv[i], "--csh") == 0) { diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 8cf2486b3..d384d6fa0 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c 
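Review bot: In the `--audit=` branch of main(), the value after the `=` is copied with `strdup(argv[i] + 8)` and only checked for being non-empty, so a relative path or the literal `~/sandbox-test` form from the help text is interpreted later, when sandbox.c calls `stat()` and `execl()` on it. Those calls presumably run after the sandbox has set up its own filesystem view and working directory, so the file that gets executed may not be the one the user named. It would help to reject or resolve non-absolute values here, e.g. `if (argv[i][8] != '/') { fprintf(stderr, "Error: audit program must be an absolute path\n"); exit(1); }`, or to expand `~` first if that form is meant to work. Both branches also overwrite `arg_audit_prog` without freeing an earlier value when the option is repeated, and the new global lacks the explicit initializer its neighbours have. main() starts and ends outside the hunk.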
@@ -272,16 +272,27 @@ static int monitor_application(pid_t app_pid) { #endif } +void start_audit(void) { + char *audit_prog; + if (asprintf(&audit_prog, "%s/firejail/faudit", LIBDIR) == -1) + errExit("asprintf"); + execl(audit_prog, audit_prog, NULL); + perror("execl"); + exit(1); +} static void start_application(void) { //**************************************** // audit //**************************************** if (arg_audit) { - char *audit_prog; - if (asprintf(&audit_prog, "%s/firejail/faudit", LIBDIR) == -1) - errExit("asprintf"); - execl(audit_prog, audit_prog, NULL); + assert(arg_audit_prog); + struct stat s; + if (stat(arg_audit_prog, &s) != 0) { + fprintf(stderr, "Error: cannot find the audit program\n"); + exit(1); + } + execl(arg_audit_prog, arg_audit_prog, NULL); } //**************************************** // start the program without using a shell @@ -305,6 +316,7 @@ static void start_application(void) { printf("Child process initialized\n"); execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]); + exit(1); } //**************************************** // start the program using a shell diff --git a/src/man/firejail.txt b/src/man/firejail.txt index a523e51cb..e4505754e 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -1741,12 +1741,13 @@ Running the default audit program: Running a custom audit program: .br - $ firejail --audit=~/sandbox-test transmission-gtk\n\n"); + $ firejail --audit=~/sandbox-test transmission-gtk In the examples above, the sandbox configures transmission-gtk profile and starts the test program. The real program, transmission-gtk, will not be started. +Limitations: audit feature is not implemented for --x11 commands. .SH MONITORING Option \-\-list prints a list of all sandboxes. The format -- cgit v1.2.3-70-g09d2 From 6f3597aac7f2f770bf54fe8605e805ee55dff36e Mon Sep 17 00:00:00 2001 
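Review bot: In the audit branch of start_application(), the result of `execl(arg_audit_prog, arg_audit_prog, NULL)` is not handled, so when the exec fails (`stat()` only proves the file exists, not that it is executable) control leaves the `if` with no message; what runs next is outside the hunk. Follow the call with `perror("execl");` and `exit(1);`, as the new start_audit() already does. start_audit() itself rebuilds the default `LIBDIR` path and ignores `arg_audit_prog`, is not `static`, and has no caller or prototype in the visible hunks, so it needs a comment saying who uses it or should be dropped. The later hunk that adds `exit(1)` after `execvp()` would likewise benefit from `perror("execvp");` before exiting.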
From: netblue30 Date: Tue, 5 Jul 2016 10:15:31 -0400 Subject: audit feature: rpm platform --- platform/rpm/firejail.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/platform/rpm/firejail.spec b/platform/rpm/firejail.spec index e1799d7a6..67280921a 100644 --- a/platform/rpm/firejail.spec +++ b/platform/rpm/firejail.spec @@ -37,6 +37,7 @@ rm -rf %{buildroot} %{_bindir}/firemon %{_libdir}/__NAME__/firecfg.config %{_libdir}/__NAME__/ftee +%{_libdir}/__NAME__/faudit %{_libdir}/__NAME__/fshaper.sh %{_libdir}/__NAME__/libtrace.so %{_libdir}/__NAME__/libtracelog.so -- cgit v1.2.3-70-g09d2 From b5cfe9cfaddf61f6eb96b990611438ca502fd1db Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 5 Jul 2016 10:17:23 -0400 Subject: audit feature: bash completion --- src/bash_completion/firejail.bash_completion | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/bash_completion/firejail.bash_completion b/src/bash_completion/firejail.bash_completion index 21e28c98b..78bd622fc 100644 --- a/src/bash_completion/firejail.bash_completion +++ b/src/bash_completion/firejail.bash_completion @@ -63,6 +63,10 @@ _firejail() _filedir return 0 ;; + --audit) + _filedir + return 0 + ;; --net) comps=$(__interfaces) COMPREPLY=( $(compgen -W '$comps' -- "$cur") ) -- cgit v1.2.3-70-g09d2 From 6b5b020d253aa3f7b38c53a165b9f9478995cf10 Mon Sep 17 00:00:00 2001 From: Niklas Haas Date: Wed, 6 Jul 2016 05:21:55 +0200 Subject: disable-common: Blacklist ~/.config/keybase This is used by keybase.io's client to store secrets. --- etc/disable-common.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 197e5fbf0..17f37c5cc 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc 
@@ -110,6 +110,7 @@ blacklist ${HOME}/.gnome2/keyrings blacklist ${HOME}/.kde4/share/apps/kwallet blacklist ${HOME}/.kde/share/apps/kwallet blacklist ${HOME}/.local/share/kwalletd +blacklist ${HOME}/.config/keybase blacklist ${HOME}/.netrc blacklist ${HOME}/.gnupg blacklist ${HOME}/.caff -- cgit v1.2.3-70-g09d2 From ce72091a8690a6274dcae68bdc4dc5555ae1406e Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Wed, 6 Jul 2016 08:00:45 +0300 Subject: Fix chdir bug in libtracelog --- src/libtracelog/libtracelog.c | 66 ++++++++++++++++++++++++++++++++----------- 1 file changed, 50 insertions(+), 16 deletions(-) diff --git a/src/libtracelog/libtracelog.c b/src/libtracelog/libtracelog.c index c3fd40a67..0a6d8299f 100644 --- a/src/libtracelog/libtracelog.c +++ b/src/libtracelog/libtracelog.c @@ -91,9 +91,9 @@ static void storage_add(const char *str) { storage[h] = ptr; } -char* cwd = NULL; // global variable for keeping current working directory -typedef int (*orig_chdir_t)(const char *pathname); -static orig_chdir_t orig_chdir = NULL; +// global variable to keep current working directory +char* cwd = NULL; + static char *storage_find(const char *str) { #ifdef DEBUG printf("storage find %s\n", str); 
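Review bot: `char* cwd = NULL;` in the libtracelog.c hunk is a non-`static` global in a library that, judging by its `dlsym(RTLD_NEXT, ...)` wrappers, is loaded into other programs, so the short name `cwd` is exported and can clash with a symbol of the same name in the traced program. Unless another file needs it, declare it `static char *cwd = NULL;`. It is also freed and reassigned by the fchdir wrapper (and presumably chdir) while storage_find() reads it with no locking, which looks unsafe for multi-threaded programs; a comment stating that limitation would help.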
@@ -107,17 +107,23 @@ static char *storage_find(const char *str) { const char *tofind = str; int allocated = 0; - if (strstr(str, "..") || strstr(str, "/./") || strstr(str, "//") || str[0]!='/') { - if (!orig_chdir) - orig_chdir = (orig_chdir_t)dlsym(RTLD_NEXT, "chdir"); - if (!orig_chdir(cwd)) { -#ifdef DEBUG - printf("chdir failed\n"); -#endif - return NULL; + if (strstr(str, "..") || strstr(str, "/./") || strstr(str, "//") || str[0] != '/') { + if (cwd != NULL & str[0] != '/') { + char *fullpath=malloc(PATH_MAX); + if (!fullpath) { + fprintf(stderr, "Error: cannot allocate memory\n"); + return NULL; + } + if (snprintf(fullpath, PATH_MAX, "%s/%s", cwd, str)<3) { + fprintf(stderr, "Error: snprintf failed\n"); + free(fullpath); + return NULL; + } + tofind = realpath(fullpath, NULL); + free(fullpath); + } else { + tofind = realpath(str, NULL); } - - tofind = realpath(str, NULL); if (!tofind) { #ifdef DEBUG printf("realpath failed\n"); @@ -641,9 +647,8 @@ DIR *opendir(const char *pathname) { } // chdir -// definition of orig_chdir placed before storage_find function -//typedef int (*orig_chdir_t)(const char *pathname); -//static orig_chdir_t orig_chdir = NULL; +typedef int (*orig_chdir_t)(const char *pathname); +static orig_chdir_t orig_chdir = NULL; int chdir(const char *pathname) { #ifdef DEBUG printf("%s %s\n", __FUNCTION__, pathname); 
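Review bot: The new condition `if (cwd != NULL & str[0] != '/')` in storage_find() uses the bitwise `&`; it happens to work because both operands are 0 or 1, but it reads as a typo and should be `if (cwd != NULL && str[0] != '/')`. The `snprintf()` check `< 3` also misses truncation, so a `cwd`/`str` pair longer than PATH_MAX is silently cut and `realpath()` is then run on a different path than the caller passed. Compare against the buffer size as well: `int n = snprintf(fullpath, PATH_MAX, "%s/%s", cwd, str); if (n < 3 || n >= PATH_MAX) { ... }`. storage_find() continues outside the hunk.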
@@ -662,3 +667,32 @@ int chdir(const char *pathname) { int rv = orig_chdir(pathname); return rv; } + +// fchdir +typedef int (*orig_fchdir_t)(int fd); +static orig_fchdir_t orig_fchdir = NULL; +int fchdir(int fd) { +#ifdef DEBUG + printf("%s %d\n", __FUNCTION__, fd); +#endif + if (!orig_fchdir) + orig_fchdir = (orig_fchdir_t)dlsym(RTLD_NEXT, "fchdir"); + + free(cwd); + char *pathname=malloc(PATH_MAX); + if (pathname) { + if (snprintf(pathname,PATH_MAX,"/proc/self/fd/%d", fd)>0) { + cwd = realpath(pathname, NULL); + } else { + cwd = NULL; + fprintf(stderr, "Error: snprintf failed\n"); + } + free(pathname); + } else { + fprintf(stderr, "Error: cannot allocate memory\n"); + cwd = NULL; + } + + int rv = orig_fchdir(fd); + return rv; +} -- cgit v1.2.3-70-g09d2 From 50b9de988c17fc45e9baa97848b70e549190ff3a Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 6 Jul 2016 07:31:39 -0400 Subject: private-dev enhancements --- README.md | 4 ++++ RELNOTES | 1 + src/firejail/firejail.h | 2 ++ src/firejail/fs_dev.c | 42 +++++++++++++++++++++++++++++++++++++++++- src/firejail/main.c | 1 - src/firejail/profile.c | 1 - src/firejail/sandbox.c | 7 ++++++- 7 files changed, 54 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index a46e116d0..bec1a2716 100644 --- a/README.md +++ b/README.md @@ -86,6 +86,10 @@ AUDIT Limitations: audit feature is not implemented for --x11 commands. ````` +## --private-dev enhancements - work in progress! + +The following devices are added to --private-dev list. + ## Converting profiles to private-bin - work in progress! BitTorrent: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt, uget-gtk diff --git a/RELNOTES b/RELNOTES index d845e976c..96a5f0a7f 100644 --- a/RELNOTES +++ b/RELNOTES 
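Review bot: fchdir() updates the tracked `cwd` before calling `orig_fchdir(fd)` and keeps the new value even when the real call fails, so after a failed fchdir later relative-path lookups in storage_find() are resolved against a directory the process never entered. Call the real function first and refresh `cwd` only when it returns 0. The `/proc/self/fd/%d` string also fits in a small stack buffer, which removes the `malloc(PATH_MAX)` failure path. The chdir() wrapper shown as context in the previous hunk may have the same ordering, but its body is not fully visible here.

```c
int fchdir(int fd) {
	// … unchanged: DEBUG trace and orig_fchdir lookup …

	int rv = orig_fchdir(fd);
	if (rv != 0)
		return rv;	// leave cwd untouched when the real call fails

	char pathname[32];	// "/proc/self/fd/" plus a decimal int fits easily
	free(cwd);
	cwd = NULL;
	if (snprintf(pathname, sizeof(pathname), "/proc/self/fd/%d", fd) > 0)
		cwd = realpath(pathname, NULL);
	return rv;
}
```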
@@ -2,6 +2,7 @@ firejail (0.9.41) baseline; urgency=low * work in progress... * AppImage support (--appimage) * Sandbox auditing support (--audit) + * include /dev/snd in --private-dev * compile time and run time support to disable whitelists * compile time support to disable global configuration file * some profiles have been converted to private-bin diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index ddc37e203..24af41192 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -44,6 +44,7 @@ #define RUN_ETC_DIR "/run/firejail/mnt/etc" #define RUN_BIN_DIR "/run/firejail/mnt/bin" #define RUN_DRI_DIR "/run/firejail/mnt/dri" +#define RUN_SND_DIR "/run/firejail/mnt/snd" #define RUN_PULSE_DIR "/run/firejail/mnt/pulse" #define RUN_DEVLOG_FILE "/run/firejail/mnt/devlog" @@ -406,6 +407,7 @@ void dbg_test_dir(const char *dir); // fs_dev.c void fs_dev_shm(void); void fs_private_dev(void); +void fs_dev_disable_sound(); // fs_home.c // private mode (--private) diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index 2fd450391..c7a27115f 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c @@ -68,9 +68,12 @@ void fs_private_dev(void){ printf("Mounting tmpfs on /dev\n"); int have_dri = 0; + int have_snd = 0; struct stat s; if (stat("/dev/dri", &s) == 0) have_dri = 1; + if (stat("/dev/snd", &s) == 0) + have_snd = 1; // create DRI_DIR fs_build_mnt_dir(); 
@@ -89,7 +92,23 @@ void fs_private_dev(void){ errExit("mounting /dev/dri"); } - // restore /dev/log + // create SND_DIR + if (have_snd) { + /* coverity[toctou] */ + rv = mkdir(RUN_SND_DIR, 0755); + if (rv == -1) + errExit("mkdir"); + if (chown(RUN_SND_DIR, 0, 0) < 0) + errExit("chown"); + if (chmod(RUN_SND_DIR, 0755) < 0) + errExit("chmod"); + + // keep a copy of /dev/dri under DRI_DIR + if (mount("/dev/snd", RUN_SND_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mounting /dev/snd"); + } + + // create DEVLOG_FILE int have_devlog = 0; if (stat("/dev/log", &s) == 0) { have_devlog = 1; @@ -121,6 +140,21 @@ void fs_private_dev(void){ } } + // bring back the /dev/snd directory + if (have_snd) { + /* coverity[toctou] */ + rv = mkdir("/dev/snd", 0755); + if (rv == -1) + errExit("mkdir"); + if (chown("/dev/snd", 0, 0) < 0) + errExit("chown"); + if (chmod("/dev/snd",0755) < 0) + errExit("chmod"); + if (mount(RUN_SND_DIR, "/dev/snd", NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mounting /dev/snd"); + fs_logger("whitelist /dev/snd"); + } + // bring back the /dev/dri directory if (have_dri) { /* coverity[toctou] */ @@ -243,3 +277,9 @@ void fs_dev_shm(void) { } } + +void fs_dev_disable_sound() { + if (mount(RUN_RO_DIR, "/dev/snd", "none", MS_BIND, "mode=400,gid=0") < 0) + errExit("disable /dev/snd"); + fs_logger("blacklist /dev/snd"); +} diff --git a/src/firejail/main.c b/src/firejail/main.c index ac554ca2a..b1dd7d32c 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1468,7 +1468,6 @@ int main(int argc, char **argv) { env_store(argv[i] + 6); else if (strcmp(argv[i], "--nosound") == 0) { arg_nosound = 1; - arg_private_dev = 1; } //************************************* diff --git a/src/firejail/profile.c b/src/firejail/profile.c index a64f28c9a..040efea74 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c 
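Review bot: fs_dev_disable_sound() bind-mounts over `/dev/snd` and calls `errExit()` on any failure, but unlike fs_private_dev() it never checks that `/dev/snd` exists, so on a machine without sound devices `--nosound` would abort the sandbox instead of being a no-op; a later commit on this page adds `nosound` to server.profile, where that case is likely. Guard it the way `have_snd` does: `struct stat s; if (stat("/dev/snd", &s) != 0) return;`. The `"mode=400,gid=0"` data string is most likely ignored for an `MS_BIND` mount, so the result has whatever permissions `RUN_RO_DIR` has, which is worth a comment. In the first hunk the comment `// keep a copy of /dev/dri under DRI_DIR` was copied into the snd block and should read `// keep a copy of /dev/snd under SND_DIR`.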
@@ -178,7 +178,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { } else if (strcmp(ptr, "nosound") == 0) { arg_nosound = 1; - arg_private_dev = 1; return 0; } else if (strcmp(ptr, "netfilter") == 0) { diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index d384d6fa0..0fd81979f 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -559,8 +559,13 @@ int sandbox(void* sandbox_arg) { //**************************** // --nosound and fix for pulseaudio 7.0 //**************************** - if (arg_nosound) + if (arg_nosound) { + // disable pulseaudio pulseaudio_disable(); + + // disable /dev/snd + fs_dev_disable_sound(); + } else pulseaudio_init(); -- cgit v1.2.3-70-g09d2 From 1f83479b6a5f8d372091fe73aa6c05d2721bf87f Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Thu, 7 Jul 2016 05:43:27 +1000 Subject: Fixed typo --- etc/pix.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/pix.profile b/etc/pix.profile index 4e53de00b..87056e32c 100644 --- a/etc/pix.profile +++ b/etc/pix.profile @@ -1,4 +1,4 @@ -# gthumb profile +# Firejail profile for pix noblacklist ${HOME}/.config/pix noblacklist ${HOME}/.local/share/pix -- cgit v1.2.3-70-g09d2 From 6175c869299b89bd5f9742d404ed5cd7a85a581f Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Thu, 7 Jul 2016 05:45:24 +1000 Subject: added Atom Beta profile --- etc/atom-beta.profile | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 etc/atom-beta.profile diff --git a/etc/atom-beta.profile b/etc/atom-beta.profile new file mode 100644 index 000000000..e2c3000c9 --- /dev/null +++ b/etc/atom-beta.profile 
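Review bot: Dropping `arg_private_dev = 1;` from the `nosound` branch of profile_check_line() (and from the `--nosound` branch of main() in the previous hunk) means existing profiles and command lines that relied on `nosound` alone no longer get a private /dev, which silently widens device access for them. If that is intended, say so where the option is handled, with a comment such as `// nosound no longer implies private-dev; /dev/snd is blacklisted by fs_dev_disable_sound()`, and add a RELNOTES or man page line so profile authors see the change. profile_check_line() starts and ends outside the hunk.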
@@ -0,0 +1,17 @@ +# Firjail profile for Atom Beta. +noblacklist ~/.atom +noblacklist ~/.config/Atom + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +nogroups +noroot +seccomp +shell none + +private-dev -- cgit v1.2.3-70-g09d2 From 49968ea2702263b038a675e10f667d18ae030ee0 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Thu, 7 Jul 2016 05:53:22 +1000 Subject: additional atom-beta files --- Makefile.in | 1 + README | 1 + README.md | 2 +- RELNOTES | 1 + etc/disable-programs.inc | 2 ++ platform/debian/conffiles | 2 ++ src/firecfg/firecfg.config | 1 + 7 files changed, 9 insertions(+), 1 deletion(-) diff --git a/Makefile.in b/Makefile.in index 9ee65c975..85e81fada 100644 --- a/Makefile.in +++ b/Makefile.in @@ -220,6 +220,7 @@ realinstall: install -c -m 0644 .etc/xz.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/less.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/Telegram.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/atom-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/. rm -fr .etc diff --git a/README b/README index 6cab5bd7a..9bde4793f 100644 --- a/README +++ b/README @@ -52,6 +52,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added pix profile - added audacity profile - fixed Telegram and qtox profiles + - added Atom Beta profile Jaykishan Mutkawoa (https://github.com/jmutkawoa) - cpio profile Paupiah Yash (https://github.com/CaffeinatedStud) diff --git a/README.md b/README.md index bec1a2716..e6757c6f1 100644 --- a/README.md +++ b/README.md 
@@ -102,5 +102,5 @@ Office: evince, gthumb, fbreader, pix ## New security profiles -Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less +Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta diff --git a/RELNOTES b/RELNOTES index 96a5f0a7f..e48f7dc29 100644 --- a/RELNOTES +++ b/RELNOTES @@ -8,6 +8,7 @@ firejail (0.9.41) baseline; urgency=low * some profiles have been converted to private-bin * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice * new profiles: pix, audacity, strings, xz, xzdec, gzip, cpio, less + * new profiles: Atom Beta -- netblue30 Tue, 31 May 2016 08:00:00 -0500 firejail (0.9.40) baseline; urgency=low diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index e9dd331aa..81c97ca2d 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -1,4 +1,5 @@ # various programs +blacklist ${HOME}/.Atom blacklist ${HOME}/.remmina blacklist ${HOME}/.tconn blacklist ${HOME}/.FBReader @@ -6,6 +7,7 @@ blacklist ${HOME}/.wine blacklist ${HOME}/.Mathematica blacklist ${HOME}/.Wolfram Research blacklist ${HOME}/.stellarium +blacklist ${HOME}/.config/Atom blacklist ${HOME}/.config/gthumb blacklist ${HOME}/.config/mupen64plus blacklist ${HOME}/.config/transmission diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 9ef2f1b26..20a68146c 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -126,4 +126,6 @@ /etc/firejail/xz.profile /etc/firejail/less.profile /etc/firejail/Telegram.profile +/etc/firejail/atom-beta.profile + diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 35338d427..55b61df7d 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -126,6 +126,7 @@ xreader # other snap ssh +atom-beta # weather/climate aweather -- cgit v1.2.3-70-g09d2 From 6f77f836705d5d6195185c167e0a6694483fcf84 Mon Sep 17 00:00:00 2001 
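Review bot: The new entry `blacklist ${HOME}/.Atom` in disable-programs.inc does not match the directory the Atom profiles in this series exempt, `noblacklist ~/.atom`. On a case-sensitive filesystem the capitalised path likely does not exist, so other sandboxes would still be able to read Atom's data under `~/.atom`. Use the same spelling in both places: `blacklist ${HOME}/.atom`. The `${HOME}/.config/Atom` entry added in the second hunk already agrees with the profiles.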
From: netblue30 Date: Wed, 6 Jul 2016 21:32:44 -0400 Subject: keybase.io --- README | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README b/README index 9bde4793f..ac05329c1 100644 --- a/README +++ b/README @@ -25,6 +25,8 @@ Reiner Herrmann (https://github.com/reinerh) - clang-analyzer fixes - Debian reproducible build - unit testing framework +Niklas Haas (https://github.com/haasn) + - blacklisting for keybase.io's client Aleksey Manevich (https://github.com/manevich) - several profile fixes - fix problem with relative path in storage_find function -- cgit v1.2.3-70-g09d2 From 6e814a14b4a4805eca4f0cda68b9fec988b5c5e5 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Fri, 8 Jul 2016 11:15:04 +1000 Subject: added Atom profile --- etc/atom.profile | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 etc/atom.profile diff --git a/etc/atom.profile b/etc/atom.profile new file mode 100644 index 000000000..f996ea79e --- /dev/null +++ b/etc/atom.profile @@ -0,0 +1,17 @@ +# Firjail profile for Atom. +noblacklist ~/.atom +noblacklist ~/.config/Atom + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +nogroups +noroot +seccomp +shell none + +private-dev -- cgit v1.2.3-70-g09d2 From 3693a7de1d0800f76719fef807d99065731a0c88 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Fri, 8 Jul 2016 12:26:50 +1000 Subject: extra Atom files --- Makefile.in | 1 + README | 2 +- README.md | 2 +- RELNOTES | 2 +- src/firecfg/firecfg.config | 1 + 5 files changed, 5 insertions(+), 3 deletions(-) diff --git a/Makefile.in b/Makefile.in index 85e81fada..a5a3d7da9 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -221,6 +221,7 @@ realinstall: install -c -m 0644 .etc/less.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/Telegram.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/atom-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/atom.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/. rm -fr .etc diff --git a/README b/README index ac05329c1..f00e7b377 100644 --- a/README +++ b/README @@ -54,7 +54,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added pix profile - added audacity profile - fixed Telegram and qtox profiles - - added Atom Beta profile + - added Atom Beta and Atom profiles Jaykishan Mutkawoa (https://github.com/jmutkawoa) - cpio profile Paupiah Yash (https://github.com/CaffeinatedStud) diff --git a/README.md b/README.md index e6757c6f1..877d2b556 100644 --- a/README.md +++ b/README.md @@ -102,5 +102,5 @@ Office: evince, gthumb, fbreader, pix ## New security profiles -Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta +Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta, Atom diff --git a/RELNOTES b/RELNOTES index e48f7dc29..3d1004601 100644 --- a/RELNOTES +++ b/RELNOTES @@ -8,7 +8,7 @@ firejail (0.9.41) baseline; urgency=low * some profiles have been converted to private-bin * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice * new profiles: pix, audacity, strings, xz, xzdec, gzip, cpio, less - * new profiles: Atom Beta + * new profiles: Atom Beta, Atom -- netblue30 Tue, 31 May 2016 08:00:00 -0500 firejail (0.9.40) baseline; urgency=low diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 55b61df7d..55e7e30de 100644 
--- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -127,6 +127,7 @@ xreader snap ssh atom-beta +atom # weather/climate aweather -- cgit v1.2.3-70-g09d2 From 4506cecc4a7d914b64cea5011b3a509e9ddaa204 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Fri, 8 Jul 2016 12:27:28 +1000 Subject: should fix conffile warning --- platform/debian/conffiles | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 20a68146c..eb2dd9725 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -1,3 +1,5 @@ +# Do not have a new/empty line on the end of this file or dpkg-deb will warn +# that "connfile '' is not a plain file." /etc/firejail/evince.profile /etc/firejail/chromium.profile /etc/firejail/chromium-browser.profile @@ -127,5 +129,4 @@ /etc/firejail/less.profile /etc/firejail/Telegram.profile /etc/firejail/atom-beta.profile - - +/etc/firejail/atom.profile -- cgit v1.2.3-70-g09d2 From 2069368ecb91e149b5f3e173bf5adf64ad73486f Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Fri, 8 Jul 2016 12:29:09 +1000 Subject: spelling correction --- platform/debian/conffiles | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform/debian/conffiles b/platform/debian/conffiles index eb2dd9725..3ae366541 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -1,5 +1,5 @@ # Do not have a new/empty line on the end of this file or dpkg-deb will warn -# that "connfile '' is not a plain file." +# that "conffile '' is not a plain file." /etc/firejail/evince.profile /etc/firejail/chromium.profile /etc/firejail/chromium-browser.profile -- cgit v1.2.3-70-g09d2 From 96d8a03c886e67291aff4973582c96f4ba2a4955 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 8 Jul 2016 08:20:10 -0400 Subject: pulseaudio fix --- src/firejail/pulseaudio.c | 20 +++++++++++++++----- todo | 25 +++++++++++++++++++++++++ 2 files changed, 40 insertions(+), 5 deletions(-) 
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index 767aaab09..908ef1d25 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c @@ -56,13 +56,27 @@ void pulseaudio_disable(void) { // blacklist user config directory disable_file(cfg.homedir, ".config/pulse"); + + // blacklist pulseaudio socket in XDG_RUNTIME_DIR + char *name = getenv("XDG_RUNTIME_DIR"); + if (name) + disable_file(name, "pulse/native"); + + // try the default location anyway + char *path; + if (asprintf(&path, "/run/user/%d", getuid()) == -1) + errExit("asprintf"); + disable_file(path, "pulse/native"); + free(path); + + + // blacklist any pulse* file in /tmp directory DIR *dir; if (!(dir = opendir("/tmp"))) { // sleep 2 seconds and try again sleep(2); if (!(dir = opendir("/tmp"))) { - fprintf(stderr, "Warning: cannot open /tmp directory. PulseAudio sockets are not disabled\n"); return; } } @@ -76,10 +90,6 @@ void pulseaudio_disable(void) { closedir(dir); - // blacklist XDG_RUNTIME_DIR - char *name = getenv("XDG_RUNTIME_DIR"); - if (name) - disable_file(name, "pulse/native"); } diff --git a/todo b/todo index 3cfea559a..20d4418ec 100644 --- a/todo +++ b/todo @@ -139,3 +139,28 @@ Parent is shutting down, bye... /dev/snd/pcmC2D1 -> /dev/adsp2 -> minor 12+32 = 44 +17. test 3d acceleration + +$ lspci -nn | grep VGA + +# apt-get install mesa-utils + +$ glxinfo | grep rendering + +The output should be: + +direct rendering: Yes + +$ glxinfo | grep "renderer string" + +OpenGL renderer string: Gallium 0.4 on AMD KAVERI + + +glxgears stuck to 60fps may be due to VSync signal synchronization. +To disable Vsync + +$ vblank_mode=0 glxgears + +18. Add nosound in all profiles with private-dev (including server.profile) +test hedgewars! + -- cgit v1.2.3-70-g09d2 From 442655366ff4f32139cad216390eae8e9d12eda7 Mon Sep 17 00:00:00 2001 
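Review bot: With the `Warning: cannot open /tmp directory` message removed, pulseaudio_disable() now returns silently when `/tmp` cannot be opened on either attempt, leaving any `pulse*` sockets there reachable with no indication that `--nosound` was only partly applied. Keep a warning on that path, e.g. `fprintf(stderr, "Warning: cannot open /tmp directory. PulseAudio sockets in /tmp are not disabled\n");`. In the added fallback, `getuid()` returns `uid_t`, so the format should be `"/run/user/%u"` with `(unsigned) getuid()`. When `XDG_RUNTIME_DIR` already equals that path, `disable_file()` is called twice on the same socket, which deserves a comment if it is harmless.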
From: netblue30 Date: Fri, 8 Jul 2016 09:00:27 -0400 Subject: nosound --- etc/atom-beta.profile | 2 ++ etc/atom.profile | 1 + etc/bitlbee.profile | 2 ++ etc/cpio.profile | 1 + etc/deluge.profile | 1 + etc/dnscrypt-proxy.profile | 1 + etc/dnsmasq.profile | 1 + etc/fbreader.profile | 1 + etc/filezilla.profile | 2 ++ etc/gthumb.profile | 1 + etc/gwenview.profile | 1 + etc/gzip.profile | 1 + etc/hedgewars.profile | 1 + etc/less.profile | 1 + etc/libreoffice.profile | 1 + etc/mcabber.profile | 1 + etc/okular.profile | 1 + etc/pix.profile | 1 + etc/qbittorrent.profile | 1 + etc/quiterss.profile | 1 + etc/rtorrent.profile | 1 + etc/server.profile | 1 + etc/strings.profile | 1 + etc/uget-gtk.profile | 1 + etc/unbound.profile | 1 + etc/wesnoth.profile | 1 + etc/xzdec.profile | 1 + 27 files changed, 30 insertions(+) diff --git a/etc/atom-beta.profile b/etc/atom-beta.profile index e2c3000c9..3c753e86c 100644 --- a/etc/atom-beta.profile +++ b/etc/atom-beta.profile @@ -15,3 +15,5 @@ seccomp shell none private-dev +nosound + diff --git a/etc/atom.profile b/etc/atom.profile index f996ea79e..8304cd379 100644 --- a/etc/atom.profile +++ b/etc/atom.profile @@ -15,3 +15,4 @@ seccomp shell none private-dev +nosound diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile index e63802c8a..4666d2fe7 100644 --- a/etc/bitlbee.profile +++ b/etc/bitlbee.profile @@ -10,3 +10,5 @@ private private-dev protocol unix,inet,inet6 seccomp +nosound + diff --git a/etc/cpio.profile b/etc/cpio.profile index b0e59c106..b4d232496 100644 --- a/etc/cpio.profile +++ b/etc/cpio.profile @@ -16,6 +16,7 @@ net none shell none tracelog net none +nosound diff --git a/etc/deluge.profile b/etc/deluge.profile index 61bc80bd5..8fde9acf9 100644 --- a/etc/deluge.profile +++ b/etc/deluge.profile @@ -17,4 +17,5 @@ shell none private-bin deluge,sh,python,uname whitelist /tmp/.X11-unix private-dev +nosound diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile index bd7e19dc2..90c244e03 100644 
--- a/etc/dnscrypt-proxy.profile +++ b/etc/dnscrypt-proxy.profile @@ -8,5 +8,6 @@ include /etc/firejail/disable-passwdmgr.inc private private-dev +nosound seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile index 6b199c34b..1c01d44e4 100644 --- a/etc/dnsmasq.profile +++ b/etc/dnsmasq.profile @@ -11,5 +11,6 @@ netfilter nonewprivs private private-dev +nosound protocol unix,inet,inet6,netlink seccomp diff --git a/etc/fbreader.profile b/etc/fbreader.profile index 24b35df9a..de31ce8de 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile @@ -18,3 +18,4 @@ shell none private-bin fbreader,FBReader whitelist /tmp/.X11-unix private-dev +nosound diff --git a/etc/filezilla.profile b/etc/filezilla.profile index 390769382..551c17a78 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile @@ -18,3 +18,5 @@ shell none private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp whitelist /tmp/.X11-unix private-dev +nosound + diff --git a/etc/gthumb.profile b/etc/gthumb.profile index 44e7051a5..c673a1297 100644 --- a/etc/gthumb.profile +++ b/etc/gthumb.profile @@ -17,3 +17,4 @@ shell none private-bin gthumb whitelist /tmp/.X11-unix private-dev +nosound diff --git a/etc/gwenview.profile b/etc/gwenview.profile index 65cc084e6..67f10c4e1 100644 --- a/etc/gwenview.profile +++ b/etc/gwenview.profile @@ -13,6 +13,7 @@ nogroups private-dev protocol unix seccomp +nosound #Experimental: #shell none diff --git a/etc/gzip.profile b/etc/gzip.profile index 8d35c9f66..cc19e7608 100644 
--- a/etc/gzip.profile +++ b/etc/gzip.profile @@ -5,3 +5,4 @@ net none shell none private-dev private-tmp +nosound diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile index c5d863bd5..11cd844ce 100644 --- a/etc/hedgewars.profile +++ b/etc/hedgewars.profile @@ -12,6 +12,7 @@ noroot private-dev seccomp tracelog +nosound mkdir ~/.hedgewars whitelist ~/.hedgewars diff --git a/etc/less.profile b/etc/less.profile index 9cad7ceb6..0c43111d7 100644 --- a/etc/less.profile +++ b/etc/less.profile @@ -5,3 +5,4 @@ net none shell none private-dev private-tmp +nosound diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index 6cbdbfd66..77a00ebef 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile @@ -15,4 +15,5 @@ tracelog private-dev whitelist /tmp/.X11-unix/ +nosound diff --git a/etc/mcabber.profile b/etc/mcabber.profile index 6b236a9a7..48b46dba0 100644 --- a/etc/mcabber.profile +++ b/etc/mcabber.profile @@ -18,3 +18,4 @@ private-bin mcabber private-etc null private-dev shell none +nosound diff --git a/etc/okular.profile b/etc/okular.profile index b1efc4753..c9c342b15 100644 --- a/etc/okular.profile +++ b/etc/okular.profile @@ -14,6 +14,7 @@ noroot private-dev protocol unix seccomp +nosound #Experimental: #net none diff --git a/etc/pix.profile b/etc/pix.profile index 87056e32c..81ab7486f 100644 --- a/etc/pix.profile +++ b/etc/pix.profile @@ -18,4 +18,5 @@ shell none private-bin pix whitelist /tmp/.X11-unix private-dev +nosound diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index c5b9a72e6..138b6db55 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile @@ -17,3 +17,4 @@ seccomp #private-bin qbittorrent whitelist /tmp/.X11-unix private-dev +nosound diff --git a/etc/quiterss.profile b/etc/quiterss.profile index 3e5dde36e..f2b9959f6 100644 --- a/etc/quiterss.profile +++ b/etc/quiterss.profile 
@@ -22,6 +22,7 @@ nogroups noroot private-bin quiterss private-dev +nosound #private-etc X11,ssl protocol unix,inet,inet6 seccomp diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index 1226a51cd..15df2c374 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile @@ -16,3 +16,4 @@ shell none private-bin rtorrent whitelist /tmp/.X11-unix private-dev +nosound diff --git a/etc/server.profile b/etc/server.profile index 1b3cb7207..88331d951 100644 --- a/etc/server.profile +++ b/etc/server.profile @@ -8,6 +8,7 @@ include /etc/firejail/disable-passwdmgr.inc private private-dev +nosound private-tmp seccomp diff --git a/etc/strings.profile b/etc/strings.profile index 9bc67cfb8..881edf4ad 100644 --- a/etc/strings.profile +++ b/etc/strings.profile @@ -5,3 +5,4 @@ net none shell none private-dev private-tmp +nosound diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile index 2c3c62c5f..269f8f0fd 100644 --- a/etc/uget-gtk.profile +++ b/etc/uget-gtk.profile @@ -22,4 +22,5 @@ shell none private-bin uget-gtk whitelist /tmp/.X11-unix private-dev +nosound diff --git a/etc/unbound.profile b/etc/unbound.profile index 4365e4fee..5e2cb5f65 100644 --- a/etc/unbound.profile +++ b/etc/unbound.profile @@ -8,5 +8,6 @@ include /etc/firejail/disable-passwdmgr.inc private private-dev +nosound seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile index cd0c6406f..8bd6ef8e1 100644 --- a/etc/wesnoth.profile +++ b/etc/wesnoth.profile 
@@ -15,6 +15,7 @@ protocol unix,inet,inet6 seccomp private-dev +nosound whitelist /tmp/.X11-unix diff --git a/etc/xzdec.profile b/etc/xzdec.profile index 1bff66965..ddf2061bf 100644 --- a/etc/xzdec.profile +++ b/etc/xzdec.profile @@ -5,3 +5,4 @@ net none shell none private-dev private-tmp +nosound -- cgit v1.2.3-70-g09d2 From c37bc90efdb672c5873d3df8b3a6fee6a87c391d Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 8 Jul 2016 09:05:38 -0400 Subject: private-dev --- src/firejail/usage.c | 2 +- src/man/firejail.txt | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/firejail/usage.c b/src/firejail/usage.c index e31867351..1efc247b5 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -190,7 +190,7 @@ void usage(void) { printf("\tand copy the programs in the list.\n\n"); printf(" --private-dev - create a new /dev directory. Only dri, null, full, zero,\n"); - printf("\ttty, pst, ptms, random, urandom, log and shm devices are available.\n\n"); + printf("\ttty, pst, ptms, random, snd, urandom, log and shm devices are available.\n\n"); printf(" --private-etc=file,directory - build a new /etc in a temporary\n"); printf("\tfilesystem, and copy the files and directories in the list.\n"); diff --git a/src/man/firejail.txt b/src/man/firejail.txt index e4505754e..e915ab6cb 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -1048,7 +1048,7 @@ bash cat ls sed .TP \fB\-\-private-dev -Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, urandom, log and shm devices are available. +Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, log and shm devices are available. .br .br @@ -1062,7 +1062,7 @@ Child process initialized .br $ ls /dev .br -dri full log null ptmx pts random shm tty urandom zero +dri full log null ptmx pts random shm snd tty urandom zero .br $ .TP -- cgit v1.2.3-70-g09d2 From 0838606e623fc11fac5fd8db8b197d63f3e21f32 Mon Sep 17 00:00:00 2001 
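Review bot: The changed help line in the usage.c hunk still reads `pst, ptms`, while the man page hunk in the same commit lists the devices as `pts, ptmx`. Since the line is already being edited to add `snd`, this is a good moment to make --help name the entries a user will actually find under the private /dev. Suggested line: `printf("\ttty, pts, ptmx, random, snd, urandom, log and shm devices are available.\n\n");`. usage() starts and ends outside the hunk.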
From: netblue30 Date: Fri, 8 Jul 2016 09:39:18 -0400 Subject: added mkfile profile command --- RELNOTES | 1 + src/firejail/firejail.h | 1 + src/firejail/fs_mkdir.c | 33 +++++++++++++++++++++++++++++++++ src/firejail/profile.c | 5 +++++ src/man/firejail-profile.txt | 4 ++++ 5 files changed, 44 insertions(+) diff --git a/RELNOTES b/RELNOTES index 3d1004601..f93237d43 100644 --- a/RELNOTES +++ b/RELNOTES @@ -3,6 +3,7 @@ firejail (0.9.41) baseline; urgency=low * AppImage support (--appimage) * Sandbox auditing support (--audit) * include /dev/snd in --private-dev + * added mkfile profile command * compile time and run time support to disable whitelists * compile time support to disable global configuration file * some profiles have been converted to private-bin diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 24af41192..3d0e9a51b 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -548,6 +548,7 @@ char **build_paths(void); // fs_mkdir.c void fs_mkdir(const char *name); +void fs_mkfile(const char *name); // x11.c void fs_x11(void); diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c index 398c534bf..c4ce52079 100644 --- a/src/firejail/fs_mkdir.c +++ b/src/firejail/fs_mkdir.c 
@@ -48,3 +48,36 @@ void fs_mkdir(const char *name) { doexit: free(expanded); } + +void fs_mkfile(const char *name) { + EUID_ASSERT(); + + // check file name + invalid_filename(name); + char *expanded = expand_home(name, cfg.homedir); + if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0) { + fprintf(stderr, "Error: only files in user home are supported by mkfile\n"); + exit(1); + } + + struct stat s; + if (stat(expanded, &s) == 0) { + // file exists, do nothing + goto doexit; + } + + // create file + FILE *fp = fopen(expanded, "w"); + if (!fp) + fprintf(stderr, "Warning: cannot create %s file\n", expanded); + else { + fclose(fp); + int rv = chown(expanded, getuid(), getgid()); + (void) rv; + rv = chmod(expanded, 0600); + (void) rv; + } + +doexit: + free(expanded); +} \ No newline at end of file diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 040efea74..bb834bf19 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -107,6 +107,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { fs_mkdir(ptr + 6); return 0; } + // mkfile + if (strncmp(ptr, "mkfile ", 7) == 0) { + fs_mkfile(ptr + 7); + return 0; + } // sandbox name else if (strncmp(ptr, "name ", 5) == 0) { cfg.name = ptr + 5; diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index c2d5e7955..9c416b0f3 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -153,6 +153,10 @@ mkdir ~/.cache/mozilla/firefox .br whitelist ~/.cache/mozilla/firefox .TP +\fBmkfile file +Similar to mkdir, this command creates a file in user home before the sandbox is started. +The file is created if it doesn't already exist. +.TP \fBprivate Mount new /root and /home/user directories in temporary filesystems. All modifications are discarded when the sandbox is -- cgit v1.2.3-70-g09d2 From 2ee8f947ba9b4ff53478012c3353679bfc6fb333 Mon Sep 17 00:00:00 2001 
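Review bot: The home-directory gate in the new fs_mkfile is a bare prefix match, `strncmp(expanded, cfg.homedir, strlen(cfg.homedir))`, so any path that merely begins with the same characters as the home directory passes it; the check should also require that the character after the prefix is `/` or the end of the string. Whether `..` components are rejected depends on invalid_filename, which is not shown here. The creation step is a separate stat() followed by `fopen(expanded, "w")`, which follows a symlink at the final component and truncates whatever appears at that path between the two calls. A single open() with `O_CREAT | O_EXCL` and mode 0600 performs the existence test and the creation in one step and replaces the unchecked chown/chmod pair with one checked fchown, as sketched below. open() and errno need `<fcntl.h>` and `<errno.h>` if fs_mkdir.c does not already include them.

```c
	// … unchanged: EUID_ASSERT, invalid_filename, expand_home …
	// assumes cfg.homedir carries no trailing slash
	size_t homelen = strlen(cfg.homedir);
	if (strncmp(expanded, cfg.homedir, homelen) != 0 ||
	    (expanded[homelen] != '/' && expanded[homelen] != '\0')) {
		fprintf(stderr, "Error: only files in user home are supported by mkfile\n");
		exit(1);
	}

	// create the file only if nothing exists at that path;
	// O_EXCL also refuses a symlink in the final component
	int fd = open(expanded, O_WRONLY | O_CREAT | O_EXCL, 0600);
	if (fd == -1) {
		if (errno != EEXIST)
			fprintf(stderr, "Warning: cannot create %s file\n", expanded);
		goto doexit;
	}
	if (fchown(fd, getuid(), getgid()) == -1)
		fprintf(stderr, "Warning: cannot set owner of %s\n", expanded);
	close(fd);

doexit:
	free(expanded);
```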
From: Fred-Barclay Date: Sat, 9 Jul 2016 01:06:44 +1000 Subject: correction no. 2 --- platform/debian/conffiles | 2 -- 1 file changed, 2 deletions(-) diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 3ae366541..ae495ec6d 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -1,5 +1,3 @@ -# Do not have a new/empty line on the end of this file or dpkg-deb will warn -# that "conffile '' is not a plain file." /etc/firejail/evince.profile /etc/firejail/chromium.profile /etc/firejail/chromium-browser.profile -- cgit v1.2.3-70-g09d2 From ec0483b9cecab6b654e7b0281b9cc6f9e4c7d98e Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sat, 9 Jul 2016 02:52:01 +1000 Subject: private-bin conversion --- etc/qtox.profile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/etc/qtox.profile b/etc/qtox.profile index 39f900748..0cac18573 100644 --- a/etc/qtox.profile +++ b/etc/qtox.profile @@ -8,14 +8,15 @@ include /etc/firejail/disable-passwdmgr.inc mkdir ${HOME}/.config/tox whitelist ${HOME}/.config/tox whitelist ${DOWNLOADS} -include /etc/firejail/whitelist-common.inc caps.drop all netfilter nonewprivs +nogroups noroot protocol unix,inet,inet6 seccomp shell none tracelog +private-bin qtox -- cgit v1.2.3-70-g09d2 From 4b3bc7b61d9f357def05aa747e37e61b38c7af9c Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sat, 9 Jul 2016 02:54:19 +1000 Subject: missed a file... --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 877d2b556..e783ae33f 100644 --- a/README.md +++ b/README.md @@ -100,6 +100,8 @@ Media: vlc, mpv, gnome-mplayer Office: evince, gthumb, fbreader, pix +Chat/messaging: qtox + ## New security profiles Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta, Atom -- cgit v1.2.3-70-g09d2 From c99ddd579d823dae018e1f65ad28b3234e8e51bb Mon Sep 17 00:00:00 2001 
From: Fred-Barclay Date: Sat, 9 Jul 2016 05:27:38 +1000 Subject: tightened and fixed permissions warning --- etc/0ad.profile | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/etc/0ad.profile b/etc/0ad.profile index 3797ae5cd..11fb45463 100644 --- a/etc/0ad.profile +++ b/etc/0ad.profile @@ -1,21 +1,13 @@ # Firejail profile for 0ad. +noblacklist ~/.cache/0ad noblacklist ~/.config/0ad +noblacklist ~/.local/share/0ad include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc -# Call these options -caps.drop all -netfilter -noroot -nonewprivs -protocol unix,inet,inet6,netlink -seccomp -tracelog - # Whitelists -noblacklist ~/.cache/0ad mkdir ~/.cache mkdir ~/.cache/0ad whitelist ~/.cache/0ad @@ -24,8 +16,20 @@ mkdir ~/.config mkdir ~/.config/0ad whitelist ~/.config/0ad -noblacklist ~/.local/share/0ad mkdir ~/.local mkdir ~/.local/share mkdir ~/.local/share/0ad whitelist ~/.local/share/0ad + +caps.drop all +netfilter +nonewprivs +nogroups +noroot +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +private-dev + -- cgit v1.2.3-70-g09d2 From 56a34f63f22d20e2dd51f3a0932dc07f2647f252 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sat, 9 Jul 2016 05:28:39 +1000 Subject: If you give a mouse a cookie... --- etc/atril.profile | 8 ++++++-- etc/evince.profile | 3 ++- etc/xreader.profile | 8 ++++++-- 3 files changed, 14 insertions(+), 5 deletions(-) diff --git a/etc/atril.profile b/etc/atril.profile index 8ee7da173..bfe731bec 100644 --- a/etc/atril.profile +++ b/etc/atril.profile @@ -7,10 +7,14 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -netfilter nonewprivs +nogroups noroot nosound -protocol unix,inet,inet6 +protocol unix seccomp +shell none tracelog + +private-bin atril, atril-previewer, atril-thumbnailer +private-dev 
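Review bot: The new `private-bin atril, atril-previewer, atril-thumbnailer` line in atril.profile separates its entries with a comma and a space, while the other private-bin lists on this page (`private-bin fbreader,FBReader`, `private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer`) use commas only. Whether the profile parser trims that space is not visible here; if it does not, the second and third programs would be looked up under a name with a leading space and be missing from the sandbox's bin directory. Writing it as `private-bin atril,atril-previewer,atril-thumbnailer` avoids depending on that. The xreader.profile hunk in the same commit has the same spacing.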
diff --git a/etc/evince.profile b/etc/evince.profile index 9899da84d..530ce959a 100644 --- a/etc/evince.profile +++ b/etc/evince.profile @@ -6,9 +6,10 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all nonewprivs +nogroups noroot nosound -protocol unix,inet,inet6 +protocol unix seccomp shell none diff --git a/etc/xreader.profile b/etc/xreader.profile index 2cf109f09..fed9d4db5 100644 --- a/etc/xreader.profile +++ b/etc/xreader.profile @@ -9,10 +9,14 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -netfilter nonewprivs +nogroups noroot nosound -protocol unix,inet,inet6 +protocol unix seccomp +shell none tracelog + +private-bin xreader, xreader-previewer, xreader-thumbnailer +private-dev -- cgit v1.2.3-70-g09d2 From 741bd754b70c5020b2c21681879ead4d1910e4ff Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sat, 9 Jul 2016 05:29:23 +1000 Subject: ...he'll probably want to hack Firejail profiles. --- etc/gthumb.profile | 9 +++++---- etc/pix.profile | 9 +++++---- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/etc/gthumb.profile b/etc/gthumb.profile index c673a1297..3c02576aa 100644 --- a/etc/gthumb.profile +++ b/etc/gthumb.profile @@ -7,14 +7,15 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -netfilter nonewprivs +nogroups noroot -protocol unix,inet,inet6 +nosound +protocol unix seccomp - shell none +tracelog + private-bin gthumb whitelist /tmp/.X11-unix private-dev -nosound diff --git a/etc/pix.profile b/etc/pix.profile index 81ab7486f..80c05fd09 100644 --- a/etc/pix.profile +++ b/etc/pix.profile @@ -8,15 +8,16 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -netfilter nonewprivs +nogroups noroot -protocol unix,inet,inet6 +nosound +protocol unix seccomp - shell none +tracelog + private-bin pix whitelist /tmp/.X11-unix private-dev -nosound -- cgit v1.2.3-70-g09d2 
From 225c68fd3b19e49a1dcf0e234a75211d51b63737 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sat, 9 Jul 2016 05:38:01 +1000 Subject: Extra files (the mouse forgot a few crumbs). --- README | 1 + README.md | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/README b/README index f00e7b377..9d1732108 100644 --- a/README +++ b/README @@ -55,6 +55,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added audacity profile - fixed Telegram and qtox profiles - added Atom Beta and Atom profiles + - tightened 0ad, atril, evince, gthumb, pix, qtox, and xreader profiles. Jaykishan Mutkawoa (https://github.com/jmutkawoa) - cpio profile Paupiah Yash (https://github.com/CaffeinatedStud) diff --git a/README.md b/README.md index e783ae33f..d71b27c61 100644 --- a/README.md +++ b/README.md @@ -98,7 +98,7 @@ File transfer: filezilla Media: vlc, mpv, gnome-mplayer -Office: evince, gthumb, fbreader, pix +Office: evince, gthumb, fbreader, pix, atril, xreader Chat/messaging: qtox -- cgit v1.2.3-70-g09d2 From a31c175c95ac0c5bf0c023c532e79f7b50eb826f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 9 Jul 2016 07:25:15 -0400 Subject: fixes --- etc/hedgewars.profile | 1 - etc/wesnoth.profile | 1 - todo | 19 +++++++++++++++++++ 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile index 11cd844ce..c5d863bd5 100644 --- a/etc/hedgewars.profile +++ b/etc/hedgewars.profile @@ -12,7 +12,6 @@ noroot private-dev seccomp tracelog -nosound mkdir ~/.hedgewars whitelist ~/.hedgewars diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile index 8bd6ef8e1..cd0c6406f 100644 --- a/etc/wesnoth.profile +++ b/etc/wesnoth.profile @@ -15,7 +15,6 @@ protocol unix,inet,inet6 seccomp private-dev -nosound whitelist /tmp/.X11-unix diff --git a/todo b/todo index 20d4418ec..0a76cd850 100644 --- a/todo +++ b/todo 
@@ -164,3 +164,22 @@ $ vblank_mode=0 glxgears 18. Add nosound in all profiles with private-dev (including server.profile) test hedgewars! +19. new syscalls: +create_module +name_to_handle_at +ioprio_set, + +??? +146 - sched_get_priority_max +147 - sched_get_priority_min +204 - sched_getaffinity +315 - sched_getattr +143 - sched_getparam +145 - sched_getscheduler +148 - sched_rr_get_interval +203 - sched_setaffinity +314 - sched_setattr +142 - sched_setparam +144 - sched_setscheduler +24 - sched_yield + -- cgit v1.2.3-70-g09d2 From fb2406ff02ea1e4fe6a5d5840e5e24ad303330aa Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 9 Jul 2016 09:48:17 -0400 Subject: seccomp filter update --- RELNOTES | 1 + src/firejail/seccomp.c | 18 ++++++++++++++++++ src/man/firejail-profile.txt | 10 +--------- src/man/firejail.txt | 4 ++-- todo | 4 +--- 5 files changed, 23 insertions(+), 14 deletions(-) diff --git a/RELNOTES b/RELNOTES index f93237d43..2ff5ae16c 100644 --- a/RELNOTES +++ b/RELNOTES @@ -4,6 +4,7 @@ firejail (0.9.41) baseline; urgency=low * Sandbox auditing support (--audit) * include /dev/snd in --private-dev * added mkfile profile command + * seccomp filter updated * compile time and run time support to disable whitelists * compile time support to disable global configuration file * some profiles have been converted to private-bin diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 7108b5a05..efe24a211 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c @@ -334,12 +334,15 @@ void seccomp_filter_32(void) { BLACKLIST(52), // umount2 BLACKLIST(26), // ptrace BLACKLIST(283), // kexec_load + BLACKLIST(341), // name_to_handle_at BLACKLIST(342), // open_by_handle_at + BLACKLIST(127), // create_module BLACKLIST(128), // init_module BLACKLIST(350), // finit_module BLACKLIST(129), // delete_module BLACKLIST(110), // iopl BLACKLIST(101), // ioperm + BLACKLIST(289), // ioprio_set BLACKLIST(87), // swapon BLACKLIST(115), // swapoff BLACKLIST(103), // syslog 
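Review bot: The entries added to seccomp_filter_32 (341, 127, 289) are bare syscall numbers whose only link to the syscall is the trailing comment, and nothing in the hunk says which architecture's table they come from; the same applies to 303, 174 and 251 in the seccomp_filter_64 hunk. A mistyped number in either table would block an unrelated call and leave the intended one reachable, with no build or runtime signal. The added numbers do line up with the i386 and x86_64 tables, so this is a documentation request: put a comment above each array, such as `// i386 syscall numbers, see <asm/unistd_32.h>` and `// x86_64 syscall numbers, see <asm/unistd_64.h>`. Both function bodies start and end outside the hunks.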
@@ -376,6 +379,7 @@ void seccomp_filter_32(void) { BLACKLIST(88), // reboot BLACKLIST(169), // nfsservctl BLACKLIST(130), // get_kernel_syms + RETURN_ALLOW }; @@ -403,11 +407,14 @@ void seccomp_filter_64(void) { BLACKLIST(101), // ptrace BLACKLIST(246), // kexec_load BLACKLIST(304), // open_by_handle_at + BLACKLIST(303), // name_to_handle_at + BLACKLIST(174), // create_module BLACKLIST(175), // init_module BLACKLIST(313), // finit_module BLACKLIST(176), // delete_module BLACKLIST(172), // iopl BLACKLIST(173), // ioperm + BLACKLIST(251), // ioprio_set BLACKLIST(167), // swapon BLACKLIST(168), // swapoff BLACKLIST(103), // syslog @@ -445,6 +452,7 @@ void seccomp_filter_64(void) { BLACKLIST(169), // reboot BLACKLIST(180), // nfsservctl BLACKLIST(177), // get_kernel_syms + RETURN_ALLOW }; @@ -493,12 +501,18 @@ int seccomp_filter_drop(int enforce_seccomp) { #ifdef SYS_open_by_handle_at filter_add_blacklist(SYS_open_by_handle_at, 0); #endif +#ifdef SYS_name_to_handle_at + filter_add_blacklist(SYS_name_to_handle_at, 0); +#endif #ifdef SYS_init_module filter_add_blacklist(SYS_init_module, 0); #endif #ifdef SYS_finit_module // introduced in 2013 filter_add_blacklist(SYS_finit_module, 0); #endif +#ifdef SYS_create_module + filter_add_blacklist(SYS_create_module, 0); +#endif #ifdef SYS_delete_module filter_add_blacklist(SYS_delete_module, 0); #endif @@ -508,6 +522,9 @@ int seccomp_filter_drop(int enforce_seccomp) { #ifdef SYS_ioperm filter_add_blacklist(SYS_ioperm, 0); #endif +#ifdef SYS_ioprio_set + filter_add_blacklist(SYS_ioprio_set, 0); +#endif #ifdef SYS_ni_syscall // new io permissions call on arm devices filter_add_blacklist(SYS_ni_syscall, 0); #endif @@ -648,6 +665,7 @@ int seccomp_filter_drop(int enforce_seccomp) { #ifdef SYS_get_kernel_syms filter_add_blacklist(SYS_get_kernel_syms, 0); #endif + } // default seccomp filter with additional drop list diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 9c416b0f3..98fa17908 100644 
--- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -224,15 +224,7 @@ first argument to socket system call. Recognized values: \fBunix\fR, \fBinet\fR, \fBinet6\fR, \fBnetlink\fR and \fBpacket\fR. .TP \fBseccomp -Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows: -mount, umount2, ptrace, kexec_load, kexec_file_load, open_by_handle_at, init_module, finit_module, delete_module, -iopl, ioperm, swapon, swapoff, syslog, process_vm_readv, process_vm_writev, -sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp, -add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup, -io_destroy, io_getevents, io_submit, io_cancel, -remap_file_pages, mbind, get_mempolicy, set_mempolicy, -migrate_pages, move_pages, vmsplice, perf_event_open, chroot, -tuxcall, reboot, mfsservctl and get_kernel_syms. +Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details. .TP \fBseccomp syscall,syscall,syscall Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter. diff --git a/src/man/firejail.txt b/src/man/firejail.txt index e915ab6cb..cb555980d 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
@@ -1206,8 +1206,8 @@ $ firejail \-\-net=eth0 \-\-scan .TP \fB\-\-seccomp Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows: -mount, umount2, ptrace, kexec_load, kexec_file_load, open_by_handle_at, init_module, finit_module, delete_module, -iopl, ioperm, swapon, swapoff, syslog, process_vm_readv, process_vm_writev, +mount, umount2, ptrace, kexec_load, kexec_file_load, name_to_handle_at, open_by_handle_at, create_module, init_module, finit_module, delete_module, +iopl, ioperm, ioprio_set, swapon, swapoff, syslog, process_vm_readv, process_vm_writev, sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp, add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup, io_destroy, io_getevents, io_submit, io_cancel, diff --git a/todo b/todo index 0a76cd850..8f27fb26a 100644 --- a/todo +++ b/todo @@ -164,12 +164,10 @@ $ vblank_mode=0 glxgears 18. Add nosound in all profiles with private-dev (including server.profile) test hedgewars! -19. new syscalls: +19. new syscalls in 0.9.41: create_module name_to_handle_at ioprio_set, - -??? 146 - sched_get_priority_max 147 - sched_get_priority_min 204 - sched_getaffinity -- cgit v1.2.3-70-g09d2 From eae28741173e1007f5e38a52e62def276042a094 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 9 Jul 2016 09:51:10 -0400 Subject: seccomp filter update --- todo | 20 -------------------- 1 file changed, 20 deletions(-) diff --git a/todo b/todo index 8f27fb26a..88baff216 100644 --- a/todo +++ b/todo 
@@ -161,23 +161,3 @@ To disable Vsync $ vblank_mode=0 glxgears -18. Add nosound in all profiles with private-dev (including server.profile) -test hedgewars! - -19. new syscalls in 0.9.41: -create_module -name_to_handle_at -ioprio_set, -146 - sched_get_priority_max -147 - sched_get_priority_min -204 - sched_getaffinity -315 - sched_getattr -143 - sched_getparam -145 - sched_getscheduler -148 - sched_rr_get_interval -203 - sched_setaffinity -314 - sched_setattr -142 - sched_setparam -144 - sched_setscheduler -24 - sched_yield - -- cgit v1.2.3-70-g09d2 From df5208d228c4864d7064ad47b4b2143e22959e84 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sat, 9 Jul 2016 23:59:23 +1000 Subject: cleanup --- etc/xreader.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/xreader.profile b/etc/xreader.profile index fed9d4db5..ac7d34022 100644 --- a/etc/xreader.profile +++ b/etc/xreader.profile @@ -9,8 +9,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -nonewprivs nogroups +nonewprivs noroot nosound protocol unix -- cgit v1.2.3-70-g09d2 From 2e1b94c4251e6a841672f3df96e3d503d380ef1b Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sun, 10 Jul 2016 00:00:11 +1000 Subject: private-bin conversion --- etc/audacity.profile | 11 +++++++---- etc/aweather.profile | 19 ++++++++++--------- etc/gitter.profile | 7 ++++++- etc/gpredict.profile | 19 ++++++++++--------- etc/palemoon.profile | 24 ++++++++++++------------ etc/rhythmbox.profile | 6 ++++++ etc/spotify.profile | 5 +++++ etc/stellarium.profile | 23 ++++++++++++----------- etc/warzone2100.profile | 11 ++++++++--- etc/xplayer.profile | 5 +++++ etc/xviewer.profile | 11 ++++++++--- 11 files changed, 89 insertions(+), 52 deletions(-) diff --git a/etc/audacity.profile b/etc/audacity.profile index 8971ce1a2..162201cb8 100644 --- a/etc/audacity.profile +++ b/etc/audacity.profile 
@@ -7,10 +7,13 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc caps.drop all -netfilter nonewprivs -noroot nogroups -#private-bin audacity -protocol unix,inet,inet6 +noroot +protocol unix seccomp +shell none +tracelog + +private-bin audacity +private-dev diff --git a/etc/aweather.profile b/etc/aweather.profile index dd508e736..d617fb701 100644 --- a/etc/aweather.profile +++ b/etc/aweather.profile @@ -1,24 +1,25 @@ # Firejail profile for aweather. - -# Noblacklist noblacklist ~/.config/aweather - -# Include include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc -# Call these options +# Whitelist +mkdir ~/.config +mkdir ~/.config/aweather +whitelist ~/.config/aweather + caps.drop all netfilter nonewprivs +nogroups noroot +nosound protocol unix,inet,inet6,netlink seccomp +shell none tracelog -# Whitelist -mkdir ~/.config -mkdir ~/.config/aweather -whitelist ~/.config/aweather +private-bin aweather +private-dev diff --git a/etc/gitter.profile b/etc/gitter.profile index 0c2bd1353..2882c59a6 100644 --- a/etc/gitter.profile +++ b/etc/gitter.profile @@ -1,6 +1,5 @@ # Firejail profile for Gitter noblacklist ~/.config/Gitter - include /etc/firejail/disable-common.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc @@ -8,6 +7,12 @@ include /etc/firejail/disable-devel.inc caps.drop all netfilter +nonewprivs +nogroups noroot protocol unix,inet,inet6,netlink seccomp +shell none + +private-bin gitter +private-dev diff --git a/etc/gpredict.profile b/etc/gpredict.profile index ba9fce37b..02bb4d24d 100644 --- a/etc/gpredict.profile +++ b/etc/gpredict.profile 
@@ -1,24 +1,25 @@ # Firejail profile for gpredict. - -# Noblacklist noblacklist ~/.config/Gpredict - -# Include include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc -# Call these options +# Whitelist +mkdir ~/.config +mkdir ~/.config/Gpredict +whitelist ~/.config/Gpredict + caps.drop all netfilter nonewprivs +nogroups noroot +nosound protocol unix,inet,inet6,netlink seccomp +shell none tracelog -# Whitelist -mkdir ~/.config -mkdir ~/.config/Gpredict -whitelist ~/.config/Gpredict +private-bin gpredict +private-dev diff --git a/etc/palemoon.profile b/etc/palemoon.profile index a74954ddb..302c20d7d 100644 --- a/etc/palemoon.profile +++ b/etc/palemoon.profile @@ -1,31 +1,30 @@ # Firejail profile for Pale Moon - -# Noblacklists noblacklist ~/.moonchild productions/pale moon noblacklist ~/.cache/moonchild productions/pale moon - -# Included profiles include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/whitelist-common.inc -# Options +whitelist ${DOWNLOADS} +mkdir ~/.moonchild productions +whitelist ~/.moonchild productions +mkdir ~/.cache +mkdir ~/.cache/moonchild productions +mkdir ~/.cache/moonchild productions/pale moon +whitelist ~/.cache/moonchild productions/pale moon + caps.drop all netfilter +nogroups nonewprivs noroot protocol unix,inet,inet6,netlink seccomp +shell none tracelog -whitelist ${DOWNLOADS} -mkdir ~/.moonchild productions -whitelist ~/.moonchild productions -mkdir ~/.cache -mkdir ~/.cache/moonchild productions -mkdir ~/.cache/moonchild productions/pale moon -whitelist ~/.cache/moonchild productions/pale moon +private-bin palemoon # These are uncommented in the Firefox profile. If you run into trouble you may # want to uncomment (some of) them. 
@@ -56,3 +55,4 @@ whitelist ~/.config/lastpass # experimental features #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse +#private-dev (disabled for now as it will interfere with webcam use in palemoon) diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index 0782a653d..9f087ea1d 100644 --- a/etc/rhythmbox.profile +++ b/etc/rhythmbox.profile @@ -5,8 +5,14 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +nogroups netfilter nonewprivs noroot protocol unix,inet,inet6 seccomp +shell none +tracelog + +private-bin rhythmbox +private-dev diff --git a/etc/spotify.profile b/etc/spotify.profile index 9ba25b818..ca575970b 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile @@ -24,7 +24,12 @@ include /etc/firejail/whitelist-common.inc caps.drop all netfilter +nogroups nonewprivs noroot protocol unix,inet,inet6,netlink seccomp +shell none + +private-bin spotify +private-dev diff --git a/etc/stellarium.profile b/etc/stellarium.profile index 148ec949d..d0c1326b3 100644 --- a/etc/stellarium.profile +++ b/etc/stellarium.profile @@ -1,28 +1,29 @@ # Firejail profile for Stellarium. - -# Noblacklist noblacklist ~/.stellarium noblacklist ~/.config/stellarium - -# Include include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc -# Call these options +# Whitelist +mkdir ~/.stellarium +whitelist ~/.stellarium +mkdir ~/.config +mkdir ~/.config/stellarium +whitelist ~/.config/stellarium + caps.drop all netfilter +nogroups nonewprivs noroot +nosound protocol unix,inet,inet6,netlink seccomp +shell none tracelog -# Whitelist -mkdir ~/.stellarium -whitelist ~/.stellarium +private-bin stellarium +private-dev -mkdir ~/.config -mkdir ~/.config/stellarium -whitelist ~/.config/stellarium 
diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile index ceeaca012..ff37e2800 100644 --- a/etc/warzone2100.profile +++ b/etc/warzone2100.profile @@ -6,15 +6,20 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +# Whitelist +mkdir ~/.warzone2100-3.1 +whitelist ~/.warzone2100-3.1 + # Call these options caps.drop all netfilter +nogroups nonewprivs noroot protocol unix,inet,inet6,netlink seccomp +shell none tracelog -# Whitelist -mkdir ~/.warzone2100-3.1 -whitelist ~/.warzone2100-3.1 +private-bin warzone2100 +private-dev diff --git a/etc/xplayer.profile b/etc/xplayer.profile index cd9cbed45..a46b2fa06 100644 --- a/etc/xplayer.profile +++ b/etc/xplayer.profile @@ -10,7 +10,12 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter nonewprivs +nogroups noroot protocol unix,inet,inet6 seccomp +shell none tracelog + +private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer +private-dev diff --git a/etc/xviewer.profile b/etc/xviewer.profile index 51949526d..7a4ae4858 100644 --- a/etc/xviewer.profile +++ b/etc/xviewer.profile @@ -6,9 +6,14 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -netfilter -noroot nonewprivs -protocol unix,inet,inet6 +nogroups +noroot +nosound +protocol unix seccomp +shell none tracelog + +private-dev +private-bin xviewer -- cgit v1.2.3-70-g09d2 From 665b60a42212504ada1296a1c0f2313df8558cdd Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sun, 10 Jul 2016 00:07:48 +1000 Subject: extra files --- README | 1 + README.md | 12 ++++++++++-- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/README b/README index 9d1732108..2e629ead1 100644 --- a/README +++ b/README 
@@ -56,6 +56,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - fixed Telegram and qtox profiles - added Atom Beta and Atom profiles - tightened 0ad, atril, evince, gthumb, pix, qtox, and xreader profiles. + - several private-bin conversions Jaykishan Mutkawoa (https://github.com/jmutkawoa) - cpio profile Paupiah Yash (https://github.com/CaffeinatedStud) diff --git a/README.md b/README.md index d71b27c61..c4d2907af 100644 --- a/README.md +++ b/README.md @@ -96,11 +96,19 @@ BitTorrent: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt, ug File transfer: filezilla -Media: vlc, mpv, gnome-mplayer +Media: vlc, mpv, gnome-mplayer, audacity, rhythmbox, spotify, xplayer, xviewer Office: evince, gthumb, fbreader, pix, atril, xreader -Chat/messaging: qtox +Chat/messaging: qtox, gitter + +Games: warzone2100 + +Weather/climate: aweather + +Astronomy: gpredict, stellarium + +Browsers: Palemoon ## New security profiles -- cgit v1.2.3-70-g09d2 From 7c964608ba3560d8869492c674f89a07f5240850 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 9 Jul 2016 12:26:56 -0400 Subject: added --rmenv --- src/firejail/env.c | 55 +++++++++++++++++++++++++++++++++++-------------- src/firejail/firejail.h | 7 ++++++- src/firejail/main.c | 4 +++- src/firejail/profile.c | 6 +++++- src/firejail/usage.c | 3 ++- src/man/firejail.txt | 22 ++++++++++++++------ 6 files changed, 72 insertions(+), 25 deletions(-) diff --git a/src/firejail/env.c b/src/firejail/env.c index 54a6b0036..1a6236407 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c 
@@ -27,12 +27,27 @@ typedef struct env_t { struct env_t *next; char *name; char *value; + ENV_OP op; } Env; static Env *envlist = NULL; static void env_add(Env *env) { - env->next = envlist; - envlist = env; + env->next = NULL; + + // add the new entry at the end of the list + if (envlist == NULL) { + envlist = env; + return; + } + + Env *ptr = envlist; + while (1) { + if (ptr->next == NULL) { + ptr->next = env; + break; + } + ptr = ptr->next; + } } // load IBUS env variables @@ -87,7 +102,7 @@ void env_ibus_load(void) { if (arg_debug) printf("%s\n", buf); EUID_USER(); - env_store(buf); + env_store(buf, SETENV); EUID_ROOT(); } @@ -126,7 +141,7 @@ void env_defaults(void) { } // parse and store the environment setting -void env_store(const char *str) { +void env_store(const char *str, ENV_OP op) { EUID_ASSERT(); assert(str); @@ -134,11 +149,13 @@ void env_store(const char *str) { if (*str == '\0') goto errexit; char *ptr = strchr(str, '='); - if (!ptr) - goto errexit; - ptr++; - if (*ptr == '\0') - goto errexit; + if (op == SETENV) { + if (!ptr) + goto errexit; + ptr++; + if (*ptr == '\0') + goto errexit; + } // build list entry Env *env = malloc(sizeof(Env)); @@ -148,10 +165,13 @@ void env_store(const char *str) { env->name = strdup(str); if (env->name == NULL) errExit("strdup"); - char *ptr2 = strchr(env->name, '='); - assert(ptr2); - *ptr2 = '\0'; - env->value = ptr2 + 1; + if (op == SETENV) { + char *ptr2 = strchr(env->name, '='); + assert(ptr2); + *ptr2 = '\0'; + env->value = ptr2 + 1; + } + env->op = op; // add entry to the list env_add(env); @@ -167,8 +187,13 @@ void env_apply(void) { Env *env = envlist; while (env) { - if (setenv(env->name, env->value, 1) < 0) - errExit("setenv"); + if (env->op == SETENV) { + if (setenv(env->name, env->value, 1) < 0) + errExit("setenv"); + } + else if (env->op == RMENV) { + unsetenv(env->name); + } env = env->next; } } diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 3d0e9a51b..590646f23 100644 
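Review bot: For `RMENV` the new code in env_store() accepts any non-empty string as a variable name, so an argument such as `--rmenv=FOO=bar` stores `FOO=bar` as `env->name` and the later removal cannot match anything. A `strchr()` hit should be rejected in that mode, for example by adding `else if (ptr) goto errexit;` after the `if (op == SETENV) { ... }` block. The `RMENV` path also never assigns `env->value`; unless the lines between `malloc` and `strdup`, which are outside the hunks, zero the struct, set it explicitly with `env->value = NULL;`. env_store's body continues outside these hunks.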
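Review bot: In env_apply() the result of `unsetenv(env->name)` is discarded, while a failing `setenv()` two lines above is fatal. A variable the user asked to scrub with `--rmenv` can therefore stay in the sandbox environment with no diagnostic. Treat both operations the same way: `if (unsetenv(env->name) < 0) errExit("unsetenv");`.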
--- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -493,7 +493,12 @@ int check_kernel_procs(void); void run_no_sandbox(int argc, char **argv); // env.c -void env_store(const char *str); +typedef enum { + SETENV = 0, + RMENV +} ENV_OP; + +void env_store(const char *str, ENV_OP op); void env_apply(void); void env_defaults(void); void env_ibus_load(void); diff --git a/src/firejail/main.c b/src/firejail/main.c index b1dd7d32c..a0225be15 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1465,7 +1465,9 @@ int main(int argc, char **argv) { arg_nonewprivs = 1; } else if (strncmp(argv[i], "--env=", 6) == 0) - env_store(argv[i] + 6); + env_store(argv[i] + 6, SETENV); + else if (strncmp(argv[i], "--rmenv=", 8) == 0) + env_store(argv[i] + 8, RMENV); else if (strcmp(argv[i], "--nosound") == 0) { arg_nosound = 1; } diff --git a/src/firejail/profile.c b/src/firejail/profile.c index bb834bf19..1106ed84e 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -457,7 +457,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { } if (strncmp(ptr, "env ", 4) == 0) { - env_store(ptr + 4); + env_store(ptr + 4, SETENV); + return 0; + } + if (strncmp(ptr, "rmenv ", 6) == 0) { + env_store(ptr + 6, RMENV); return 0; } diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 1efc247b5..b67300618 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -208,6 +208,7 @@ void usage(void) { printf(" --quiet - turn off Firejail's output.\n\n"); printf(" --read-only=dirname_or_filename - set directory or file read-only..\n\n"); + printf(" --read-write=dirname_or_filename - set directory or file read-write..\n\n"); printf(" --rlimit-fsize=number - set the maximum file size that can be created\n"); printf("\tby a process.\n\n"); printf(" --rlimit-nofile=number - set the maximum number of files that can be\n"); 
@@ -216,7 +217,7 @@ void usage(void) { printf("\tcreated for the real user ID of the calling process.\n\n"); printf(" --rlimit-sigpending=number - set the maximum number of pending signals\n"); printf("\tfor a process.\n\n"); - printf(" --read-write=dirname_or_filename - set directory or file read-write..\n\n"); + printf(" --rmenv=name - remove environment variable in the new sandbox.\n\n"); #ifdef HAVE_NETWORK printf(" --scan - ARP-scan all the networks from inside a network namespace.\n"); printf("\tThis makes it possible to detect macvlan kernel device drivers\n"); diff --git a/src/man/firejail.txt b/src/man/firejail.txt index cb555980d..8d20cf36b 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -1171,6 +1171,15 @@ make the whitelist read-only. Example: .br $ firejail --whitelist=~/work --read-only=~ --read-only=~/work +.TP +\fB\-\-read-write=dirname_or_filename +By default, the sandbox mounts system directories read-only. +These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64. +Use this option to mount read-write files or directories inside the system directories. + +This option is available only to root user. It has no effect when --chroot or --overlay are also set. In these +cases the system directories are mounted read-write. + .TP \fB\-\-rlimit-fsize=number Set the maximum file size that can be created by a process. 
@@ -1185,13 +1194,14 @@ Set the maximum number of processes that can be created for the real user ID of Set the maximum number of pending signals for a process. .TP -\fB\-\-read-write=dirname_or_filename -By default, the sandbox mounts system directories read-only. -These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64. -Use this option to mount read-write files or directories inside the system directories. +\fB\-\-rmenv=name +Remove environment variable in the new sandbox. +.br -This option is available only to root user. It has no effect when --chroot or --overlay are also set. In these -cases the system directories are mounted read-write. +.br +Example: +.br +$ firejail \-\-rmenv=DBUS_SESSION_BUS_ADDRESS .TP \fB\-\-scan -- cgit v1.2.3-70-g09d2 From ca85b1a884f79333bb33628d52451d52695770f0 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 9 Jul 2016 12:27:45 -0400 Subject: added --rmenv --- RELNOTES | 1 + 1 file changed, 1 insertion(+) diff --git a/RELNOTES b/RELNOTES index 2ff5ae16c..788bfe407 100644 --- a/RELNOTES +++ b/RELNOTES @@ -2,6 +2,7 @@ firejail (0.9.41) baseline; urgency=low * work in progress... * AppImage support (--appimage) * Sandbox auditing support (--audit) + * Remove environment variable (--rmenv) * include /dev/snd in --private-dev * added mkfile profile command * seccomp filter updated -- cgit v1.2.3-70-g09d2 From ab36d4527faf8eed995c62966fe35ca1062e212b Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 9 Jul 2016 17:33:01 -0400 Subject: removed --user --- README.md | 4 ++ RELNOTES | 3 +- src/firejail/firejail.h | 3 -- src/firejail/main.c | 1 - src/firejail/usage.c | 1 - src/firejail/user.c | 115 ------------------------------------------------ src/man/firejail.txt | 8 ---- 7 files changed, 6 insertions(+), 129 deletions(-) delete mode 100644 src/firejail/user.c diff --git a/README.md b/README.md index c4d2907af..c16a32e62 100644 --- a/README.md +++ b/README.md 
@@ -36,6 +36,10 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ ````` # Current development version: 0.9.41 +## Deprecated --user + +--user option was deprecated, please use "sudo -u username firejail application" instead. + ## AppImage AppImage (http://appimage.org/) is a distribution-agnostic packaging format. diff --git a/RELNOTES b/RELNOTES index 788bfe407..20e7df7f1 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,8 +1,9 @@ firejail (0.9.41) baseline; urgency=low * work in progress... + * deprecated --user option, please use "sudo -u username firejail" instead * AppImage support (--appimage) * Sandbox auditing support (--audit) - * Remove environment variable (--rmenv) + * remove environment variable (--rmenv) * include /dev/snd in --private-dev * added mkfile profile command * seccomp filter updated diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 590646f23..c18dacbbb 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -545,9 +545,6 @@ void fs_logger_print_log(pid_t pid); // run_symlink.c void run_symlink(int argc, char **argv); -// user.c -void check_user(int argc, char **argv); - // paths.c char **build_paths(void); diff --git a/src/firejail/main.c b/src/firejail/main.c index a0225be15..35f825a07 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -900,7 +900,6 @@ int main(int argc, char **argv) { else { // check --output option and execute it; check_output(argc, argv); // the function will not return if --output option was found - check_user(argc, argv); // the function will not return if --user option was found } diff --git a/src/firejail/usage.c b/src/firejail/usage.c index b67300618..6b7a666db 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c 
@@ -252,7 +252,6 @@ void usage(void) { printf(" --tracelog - add a syslog message for every access to files or\n"); printf("\tdirectoires blacklisted by the security profile.\n\n"); printf(" --tree - print a tree of all sandboxed processes.\n\n"); - printf(" --user=new_user - switch the user before starting the sandbox.\n\n"); printf(" --version - print program version and exit.\n\n"); #ifdef HAVE_WHITELIST printf(" --whitelist=dirname_or_filename - whitelist directory or file.\n\n"); diff --git a/src/firejail/user.c b/src/firejail/user.c deleted file mode 100644 index a2f34392c..000000000 --- a/src/firejail/user.c +++ /dev/null 
@@ -1,115 +0,0 @@ -/* - * Copyright (C) 2014-2016 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - */ -#include "firejail.h" -#include -#include -#include -#include -#include - - -void check_user(int argc, char **argv) { - EUID_ASSERT(); - int i; - char *user = NULL; - - int found = 0; - for (i = 1; i < argc; i++) { - // check options - if (strcmp(argv[i], "--") == 0) - break; - if (strncmp(argv[i], "--", 2) != 0) - break; - - // check user option - if (strncmp(argv[i], "--user=", 7) == 0) { - found = 1; - user = argv[i] + 7; - break; - } - } - if (!found) - return; - - // check root - if (getuid() != 0) { - fprintf(stderr, "Error: you need to be root to use --user command line option\n"); - exit(1); - } - - // switch user - struct passwd *pw = getpwnam(user); - if (!pw) { - fprintf(stderr, "Error: cannot find user %s\n", user); - exit(1); - } - - printf("Switching to user %s, UID %d, GID %d\n", user, pw->pw_uid, pw->pw_gid); - int rv = initgroups(user, pw->pw_gid); - if (rv == -1) { - perror("initgroups"); - fprintf(stderr, "Error: cannot switch to user %s\n", user); - } - - rv = setgid(pw->pw_gid); - if (rv == -1) { - perror("setgid"); - fprintf(stderr, "Error: cannot switch to user %s\n", user); - } - - rv = setuid(pw->pw_uid); 
- if (rv == -1) { - perror("setuid"); - fprintf(stderr, "Error: cannot switch to user %s\n", user); - } - - // build the new command line - int len = 0; - for (i = 0; i < argc; i++) { - len += strlen(argv[i]) + 1; // + ' ' - } - - char *cmd = malloc(len + 1); // + '\0' - if (!cmd) - errExit("malloc"); - - char *ptr = cmd; - int first = 1; - for (i = 0; i < argc; i++) { - if (strncmp(argv[i], "--user=", 7) == 0 && first) { - first = 0; - continue; - } - - ptr += sprintf(ptr, "%s ", argv[i]); - } - - // run command - char *a[4]; - a[0] = "/bin/bash"; - a[1] = "-c"; - a[2] = cmd; - a[3] = NULL; - - execvp(a[0], a); - - perror("execvp"); - exit(1); -} diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 8d20cf36b..7c9cd98de 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -1485,15 +1485,7 @@ $ firejail \-\-tree 11969:netblue:firejail \-\-net=eth0 transmission-gtk .br 11970:netblue:transmission-gtk -.TP -\fB\-\-user=new-user -Switch the user before starting the sandbox. This command should be run as root. -.br -.br -Example: -.br -# firejail \-\-user=www-data .TP \fB\-\-version Print program version and exit. -- cgit v1.2.3-70-g09d2 From ec44167ca0de9f0a582ce8d95dbddecf82efe0c7 Mon Sep 17 00:00:00 2001 From: Rahiel Kasim Date: Sun, 10 Jul 2016 11:44:01 +0200 Subject: restrict Dropbox to its own directories --- etc/dropbox.profile | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/etc/dropbox.profile b/etc/dropbox.profile index 2427c6af8..71e019f8c 100644 --- a/etc/dropbox.profile +++ b/etc/dropbox.profile @@ -1,4 +1,5 @@ # dropbox profile +noblacklist ~/.config/autostart include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc 
@@ -8,3 +9,14 @@ nonewprivs noroot protocol unix,inet,inet6 seccomp + +mkdir ~/Dropbox +whitelist ~/Dropbox +mkdir ~/.dropbox +whitelist ~/.dropbox +mkdir ~/.dropbox-dist +whitelist ~/.dropbox-dist + +mkdir ~/.config/autostart +mkfile ~/.config/autostart/dropbox.desktop +whitelist ~/.config/autostart/dropbox.desktop -- cgit v1.2.3-70-g09d2 From fcba1d07f8919d966965c4924be9bc8785421263 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 10 Jul 2016 08:06:11 -0400 Subject: readme --- README | 1 + 1 file changed, 1 insertion(+) diff --git a/README b/README index 2e629ead1..9f5bc7bdf 100644 --- a/README +++ b/README @@ -146,6 +146,7 @@ pszxzsd (https://github.com/pszxzsd) -uGet profile Rahiel Kasim (https://github.com/rahiel) - Mathematica profile + - whitelisted Dropbox profile creideiki (https://github.com/creideiki) - make the sandbox process reap all children sinkuu (https://github.com/sinkuu) -- cgit v1.2.3-70-g09d2 From 0723d323e7996149d5f7ebd417f9c9162a4dea5e Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 10 Jul 2016 08:07:09 -0400 Subject: adding nodev, nosuid, and noexec --- src/firejail/fs_home.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index b12d8bb76..41092de2b 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c @@ -248,7 +248,7 @@ void fs_private_homedir(void) { // mount bind private_homedir on top of homedir if (arg_debug) printf("Mount-bind %s on top of %s\n", private_homedir, homedir); - if (mount(private_homedir, homedir, NULL, MS_BIND|MS_REC, NULL) < 0) + if (mount(private_homedir, homedir, NULL, MS_NOSUID | MS_NODEV | MS_BIND | MS_REC, NULL) < 0) errExit("mount bind"); fs_logger3("mount-bind", private_homedir, cfg.homedir); fs_logger2("whitelist", cfg.homedir); 
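Review bot: The last three added lines leave `~/.config/autostart/dropbox.desktop` writable from inside the sandbox, and the profile carries no comment explaining that trade-off. Desktop sessions normally launch autostart entries at login without firejail, so whatever the sandboxed process writes there runs unconfined later. If Dropbox does not need to rewrite the entry, add `read-only ~/.config/autostart/dropbox.desktop` after the whitelist line. Otherwise document the exception with a comment such as `# autostart entry is writable on purpose; it is executed outside the sandbox at login`.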
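Review bot: The `MS_NOSUID | MS_NODEV` bits added to the bind mount of `private_homedir` most likely have no effect, because mount(2) ignores every flag except `MS_REC` when a bind mount is first created. The flags need a second call, as fs_rdonly() and the new fs_noexec() in this series already do: keep the first call as `MS_BIND|MS_REC` and follow it with `if (mount(NULL, homedir, NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) errExit("mount bind");`. The utmp bind mount changed in fs_var.c (`MS_BIND|MS_NOSUID|MS_NOEXEC | MS_NODEV | MS_REC`) has the same problem. fs_private_homedir's body continues outside the hunk.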
@@ -262,7 +262,7 @@ void fs_private_homedir(void) { // mask /root if (arg_debug) printf("Mounting a new /root directory\n"); - if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=700,gid=0") < 0) + if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC, "mode=700,gid=0") < 0) errExit("mounting home directory"); fs_logger("tmpfs /root"); } @@ -270,7 +270,7 @@ void fs_private_homedir(void) { // mask /home if (arg_debug) printf("Mounting a new /home directory\n"); - if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) + if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mounting home directory"); fs_logger("tmpfs /home"); } @@ -300,14 +300,14 @@ void fs_private(void) { // mask /home if (arg_debug) printf("Mounting a new /home directory\n"); - if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) + if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mounting home directory"); fs_logger("tmpfs /home"); // mask /root if (arg_debug) printf("Mounting a new /root directory\n"); - if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=700,gid=0") < 0) + if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC, "mode=700,gid=0") < 0) errExit("mounting root directory"); fs_logger("tmpfs /root"); @@ -331,6 +331,7 @@ void fs_private(void) { copy_xauthority(); if (aflag) copy_asoundrc(); + } -- cgit v1.2.3-70-g09d2 From 18217e0feb2116534dcb9812dc75556a5cb5d41f Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Sun, 10 Jul 2016 08:40:32 -0400 Subject: --noexec --- src/firejail/firejail.h | 2 ++ src/firejail/fs.c | 30 ++++++++++++++++++++++++++++++ src/firejail/main.c | 8 ++++++++ src/firejail/profile.c | 2 ++ 4 files changed, 42 insertions(+) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index c18dacbbb..8856986e6 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -313,6 +313,8 @@ void fs_delete_cp_command(void) ; void fs_blacklist(void); // remount a directory read-only void fs_rdonly(const char *dir); +// remount a directory noexec, nodev and nosuid +void fs_noexec(const char *dir); // mount /proc and /sys directories void fs_proc_sys_dev_boot(void); // build a basic read-only filesystem diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 5665ab456..de59b6676 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -228,6 +228,7 @@ typedef enum { BLACKLIST_NOLOG, MOUNT_READONLY, MOUNT_TMPFS, + MOUNT_NOEXEC, OPERATION_MAX } OPERATION; @@ -328,6 +329,12 @@ static void disable_file(OPERATION op, const char *filename) { if (arg_debug) printf("Mounting read-only %s\n", fname); fs_rdonly(fname); +// todo: last_disable = SUCCESSFUL; + } + else if (op == MOUNT_NOEXEC) { + if (arg_debug) + printf("Mounting noexec %s\n", fname); + fs_noexec(fname); // todo: last_disable = SUCCESSFUL; } else if (op == MOUNT_TMPFS) { @@ -485,6 +492,10 @@ void fs_blacklist(void) { ptr = entry->data + 10; op = MOUNT_READONLY; } + else if (strncmp(entry->data, "noexec ", 7) == 0) { + ptr = entry->data + 7; + op = MOUNT_NOEXEC; + } else if (strncmp(entry->data, "tmpfs ", 6) == 0) { ptr = entry->data + 6; op = MOUNT_TMPFS; 
@@ -548,6 +559,25 @@ void fs_rdonly(const char *dir) { fs_logger2("read-only", dir); } } + +void fs_noexec(const char *dir) { + assert(dir); + // check directory exists + struct stat s; + int rv = stat(dir, &s); + if (rv == 0) { + // mount --bind /bin /bin + if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mount noexec"); + // mount --bind -o remount,ro /bin + if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_NOEXEC|MS_NODEV|MS_NOSUID|MS_REC, NULL) < 0) + errExit("mount read-only"); + fs_logger2("noexec", dir); + } +} + + + void fs_rdonly_noexit(const char *dir) { assert(dir); // check directory exists diff --git a/src/firejail/main.c b/src/firejail/main.c index 35f825a07..232a57499 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1192,6 +1192,14 @@ int main(int argc, char **argv) { profile_check_line(line, 0, NULL); // will exit if something wrong profile_add(line); } + else if (strncmp(argv[i], "--noexec=", 9) == 0) { + char *line; + if (asprintf(&line, "noexec %s", argv[i] + 9) == -1) + errExit("asprintf"); + + profile_check_line(line, 0, NULL); // will exit if something wrong + profile_add(line); + } else if (strncmp(argv[i], "--read-write=", 13) == 0) { char *line; if (asprintf(&line, "read-write %s", argv[i] + 13) == -1) diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 1106ed84e..40e2e4330 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -747,6 +747,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { } else if (strncmp(ptr, "read-only ", 10) == 0) ptr += 10; + else if (strncmp(ptr, "noexec ", 7) == 0) + ptr += 7; else if (strncmp(ptr, "tmpfs ", 6) == 0) { if (getuid() != 0) { fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n"); -- cgit v1.2.3-70-g09d2 From d1afb133e35ba444b214d2d4b63f460925e90ece Mon Sep 17 00:00:00 2001 
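Review bot: The remount in fs_noexec() passes `MS_NOEXEC|MS_NODEV|MS_NOSUID` without `MS_RDONLY`, and a bind remount replaces the per-mount flags rather than adding to them. fs_basic_fs() in the following commit calls `fs_noexec("/etc")` and `fs_noexec("/var")` right after `fs_rdonly()`, so those trees may become writable again; that should be verified inside a sandbox. Preserving the current read-only state before remounting avoids the order dependency. The two comments and `errExit("mount read-only")` were copied from fs_rdonly() and should describe the noexec remount instead.

```c
void fs_noexec(const char *dir) {
	// … unchanged: assert, stat() existence check and the initial MS_BIND|MS_REC mount …
		// a bind remount replaces the per-mount flags, so carry over read-only if it is set
		struct statvfs vfs;
		if (statvfs(dir, &vfs) < 0)
			errExit("statvfs");
		unsigned long flags = MS_BIND|MS_REMOUNT|MS_NOEXEC|MS_NODEV|MS_NOSUID|MS_REC;
		if (vfs.f_flag & ST_RDONLY)
			flags |= MS_RDONLY;
		// remount noexec, nodev, nosuid
		if (mount(NULL, dir, NULL, flags, NULL) < 0)
			errExit("mount noexec");
		fs_logger2("noexec", dir);
```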
From: netblue30 Date: Sun, 10 Jul 2016 08:44:00 -0400 Subject: /var and /etc are noexec by default --- src/firejail/fs.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/firejail/fs.c b/src/firejail/fs.c index de59b6676..4b2b91b17 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -722,10 +722,12 @@ void fs_basic_fs(void) { printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr"); if (!arg_writable_etc) { fs_rdonly("/etc"); + fs_noexec("/etc"); if (arg_debug) printf(", /etc"); } if (!arg_writable_var) { fs_rdonly("/var"); + fs_noexec("/var"); if (arg_debug) printf(", /var"); } if (arg_debug) printf("\n"); -- cgit v1.2.3-70-g09d2 From a31dc992449959b86d403e1ad0bb5cae285e2826 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 10 Jul 2016 08:52:09 -0400 Subject: noexec inside /var directory --- src/firejail/fs_var.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index f904fa5d9..1516d684f 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c @@ -121,7 +121,7 @@ void fs_var_log(void) { // mount a tmpfs on top of /var/log if (arg_debug) printf("Mounting tmpfs on /var/log\n"); - if (mount("tmpfs", "/var/log", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) + if (mount("tmpfs", "/var/log", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mounting /var/log"); fs_logger("tmpfs /var/log"); @@ -160,7 +160,7 @@ void fs_var_lib(void) { if (stat("/var/lib/dhcp", &s) == 0) { if (arg_debug) printf("Mounting tmpfs on /var/lib/dhcp\n"); - if (mount("tmpfs", "/var/lib/dhcp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) + if (mount("tmpfs", "/var/lib/dhcp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mounting /var/lib/dhcp"); fs_logger("tmpfs /var/lib/dhcp"); 
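Review bot: The flag set `MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC` is now spelled out at every tmpfs mount in fs_var.c, in this hunk and in the fs_var_lib, fs_var_cache, fs_var_lock and fs_var_tmp hunks that follow. The next hardening change will have to touch each call site again, and one can easily be missed. A single definition such as `#define TMPFS_VAR_FLAGS (MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC)` used at all of them keeps the mounts consistent. fs_var_log's body continues outside the hunk.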
@@ -182,7 +182,7 @@ void fs_var_lib(void) { if (stat("/var/lib/nginx", &s) == 0) { if (arg_debug) printf("Mounting tmpfs on /var/lib/nginx\n"); - if (mount("tmpfs", "/var/lib/nginx", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) + if (mount("tmpfs", "/var/lib/nginx", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mounting /var/lib/nginx"); fs_logger("tmpfs /var/lib/nginx"); } @@ -191,7 +191,7 @@ void fs_var_lib(void) { if (stat("/var/lib/snmp", &s) == 0) { if (arg_debug) printf("Mounting tmpfs on /var/lib/snmp\n"); - if (mount("tmpfs", "/var/lib/snmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) + if (mount("tmpfs", "/var/lib/snmp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mounting /var/lib/snmp"); fs_logger("tmpfs /var/lib/snmp"); } @@ -200,7 +200,7 @@ void fs_var_lib(void) { if (stat("/var/lib/sudo", &s) == 0) { if (arg_debug) printf("Mounting tmpfs on /var/lib/sudo\n"); - if (mount("tmpfs", "/var/lib/sudo", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) + if (mount("tmpfs", "/var/lib/sudo", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mounting /var/lib/sudo"); fs_logger("tmpfs /var/lib/sudo"); } @@ -212,7 +212,7 @@ void fs_var_cache(void) { if (stat("/var/cache/apache2", &s) == 0) { if (arg_debug) printf("Mounting tmpfs on /var/cache/apache2\n"); - if (mount("tmpfs", "/var/cache/apache2", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) + if (mount("tmpfs", "/var/cache/apache2", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mounting /var/cache/apache2"); fs_logger("tmpfs /var/cache/apache2"); } 
@@ -220,7 +220,7 @@ void fs_var_cache(void) { if (stat("/var/cache/lighttpd", &s) == 0) { if (arg_debug) printf("Mounting tmpfs on /var/cache/lighttpd\n"); - if (mount("tmpfs", "/var/cache/lighttpd", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) + if (mount("tmpfs", "/var/cache/lighttpd", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mounting /var/cache/lighttpd"); fs_logger("tmpfs /var/cache/lighttpd"); @@ -268,7 +268,7 @@ void fs_var_lock(void) { if (is_dir("/var/lock")) { if (arg_debug) printf("Mounting tmpfs on /var/lock\n"); - if (mount("tmpfs", "/var/lock", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) + if (mount("tmpfs", "/var/lock", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) errExit("mounting /lock"); fs_logger("tmpfs /var/lock"); } @@ -286,7 +286,7 @@ void fs_var_lock(void) { } if (arg_debug) printf("Mounting tmpfs on %s on behalf of /var/lock\n", lnk); - if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) + if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) errExit("mounting /var/lock"); free(lnk); fs_logger("tmpfs /var/lock"); @@ -304,7 +304,7 @@ void fs_var_tmp(void) { if (!is_link("/var/tmp")) { if (arg_debug) printf("Mounting tmpfs on /var/tmp\n"); - if (mount("tmpfs", "/var/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) + if (mount("tmpfs", "/var/tmp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) errExit("mounting /var/tmp"); fs_logger("tmpfs /var/tmp"); } 
@@ -362,7 +362,7 @@ void fs_var_utmp(void) { // mount the new utmp file if (arg_debug) printf("Mount the new utmp file\n"); - if (mount(RUN_UTMP_FILE, UTMP_FILE, NULL, MS_BIND|MS_REC, NULL) < 0) + if (mount(RUN_UTMP_FILE, UTMP_FILE, NULL, MS_BIND|MS_NOSUID|MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) errExit("mount bind utmp"); fs_logger("create /var/run/utmp"); } -- cgit v1.2.3-70-g09d2 From a344c555ff282c23a8274d10ad0f75eb4fae6836 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 10 Jul 2016 10:08:53 -0400 Subject: --noexec --- README.md | 23 +++++++++++++++++++++-- RELNOTES | 1 + src/firejail/usage.c | 4 +++- src/man/firejail-profile.txt | 3 +++ src/man/firejail.txt | 15 +++++++++++++++ 5 files changed, 43 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index c16a32e62..a60c8dd7f 100644 --- a/README.md +++ b/README.md @@ -90,9 +90,28 @@ AUDIT Limitations: audit feature is not implemented for --x11 commands. ````` -## --private-dev enhancements - work in progress! +## --noexec +````` + --noexec=dirname_or_filename + Remount directory or file noexec, nodev and nosuid. + + Example: + $ firejail --noexec=/tmp + + /etc and /var are noexec by default. If there are more than one + mount operation on the path of the file or directory, noexec + should be applied to the last one. Always check if the change + took effect inside the sandbox. +````` -The following devices are added to --private-dev list. +## --rmenv +````` + --rmenv=name + Remove environment variable in the new sandbox. + + Example: + $ firejail --rmenv=DBUS_SESSION_BUS_ADDRESS +````` ## Converting profiles to private-bin - work in progress! diff --git a/RELNOTES b/RELNOTES index 20e7df7f1..ef3706eb1 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -4,6 +4,7 @@ firejail (0.9.41) baseline; urgency=low * AppImage support (--appimage) * Sandbox auditing support (--audit) * remove environment variable (--rmenv) + * noexec support (--noexec) * include /dev/snd in --private-dev * added mkfile profile command * seccomp filter updated diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 6b7a666db..f7a93174f 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -147,9 +147,11 @@ void usage(void) { printf(" --nice=value - set nice value\n\n"); printf(" --noblacklist=dirname_or_filename - disable blacklist for directory or\n"); printf("\tfile.\n\n"); + printf(" --noexec=dirname_of_filenam - remount the file or directory noexec\n"); + printf("\tnosuid and nodev\n\n"); printf(" --nogroups - disable supplementary groups. Without this option,\n"); printf("\tsupplementary groups are enabled for the user starting the sandbox.\n"); - printf("\t For root, groups are always disabled.\n\n"); + printf("\tFor root, groups are always disabled.\n\n"); printf(" --noprofile - do not use a profile. Profile priority is use the one\n"); printf("\tspecified on the command line, next try to find one that\n"); diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 98fa17908..504842a9e 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -157,6 +157,9 @@ whitelist ~/.cache/mozilla/firefox Similar to mkdir, this command creates a file in user home before the sandbox is started. The file is created if it doesn't already exist. .TP +\fBnoexec file_or_directory +Remount the file or the directory noexec, nodev and nosuid. +.TP \fBprivate Mount new /root and /home/user directories in temporary filesystems. All modifications are discarded when the sandbox is diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 7c9cd98de..cd9ea6a8a 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
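Review bot: The new help line in usage() misspells the argument placeholder as `dirname_of_filenam`, while the neighbouring options and the man page use `dirname_or_filename`. The line should read `printf(" --noexec=dirname_or_filename - remount the file or directory noexec\n");`. A comma after `noexec` would also make the wrapped text read "noexec, nosuid and nodev" as in the man page.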
@@ -850,6 +850,21 @@ $ nc dict.org 2628 .br 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64 .br +.TP +\fB\-\-noexec=dirname_or_filename +Remount directory or file noexec, nodev and nosuid. +.br + +.br +Example: +.br +$ firejail \-\-noexec=/tmp +.br + +.br +/etc and /var are noexec by default. If there are more than one mount operation +on the path of the file or directory, noexec should be applied to the last one. Always check if the change took effect inside the sandbox. + .TP \fB\-\-nogroups Disable supplementary groups. Without this option, supplementary groups are enabled for the user starting the -- cgit v1.2.3-70-g09d2 From be8e844ec731a7885bbee37a2f977ed4dae2a3c7 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 10 Jul 2016 12:24:34 -0400 Subject: compile fixes --- src/faudit/faudit.h | 3 ++- src/faudit/network.c | 1 - src/faudit/seccomp.c | 5 +---- src/faudit/syscall.c | 20 ++++++++++++++------ src/libtracelog/libtracelog.c | 4 ++-- 5 files changed, 19 insertions(+), 14 deletions(-) diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h index f54f95f98..3c08a3eab 100644 --- a/src/faudit/faudit.h +++ b/src/faudit/faudit.h @@ -20,6 +20,7 @@ #ifndef FAUDIT_H #define FAUDIT_H +#define _GNU_SOURCE #include #include #include @@ -57,4 +58,4 @@ void network_test(void); // dbus.c void dbus_test(void); -#endif \ No newline at end of file +#endif diff --git a/src/faudit/network.c b/src/faudit/network.c index 39821cd25..0e0ad1844 100644 --- a/src/faudit/network.c +++ b/src/faudit/network.c @@ -48,7 +48,6 @@ void check_ssh(void) { } void check_netlink(void) { - socklen_t addr_len; int sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, 0); if (sock == -1) { printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n"); diff --git a/src/faudit/seccomp.c b/src/faudit/seccomp.c index 099e0e420..6f5d23c48 100644 --- a/src/faudit/seccomp.c +++ b/src/faudit/seccomp.c 
@@ -77,9 +77,6 @@ void seccomp_test(void) { printf("init_module... "); fflush(0); syscall_run("init_module"); - printf("finit_module... "); fflush(0); - syscall_run("finit_module"); - printf("delete_module... "); fflush(0); syscall_run("delete_module"); @@ -100,4 +97,4 @@ void seccomp_test(void) { else fprintf(stderr, "Error: unrecognized seccomp mode\n"); -} \ No newline at end of file +} diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c index 7088ad340..bc28936c9 100644 --- a/src/faudit/syscall.c +++ b/src/faudit/syscall.c @@ -18,8 +18,20 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include "faudit.h" +#include +#include +#include +#include +extern int init_module(void *module_image, unsigned long len, + const char *param_values); +extern int finit_module(int fd, const char *param_values, + int flags); +extern int delete_module(const char *name, int flags); +extern int pivot_root(const char *new_root, const char *put_old); void syscall_helper(int argc, char **argv) { + (void) argc; + if (strcmp(argv[2], "mount") == 0) { mount(NULL, NULL, NULL, 0, NULL); printf("\nUGLY: mount syscall permitted.\n"); @@ -44,16 +56,12 @@ void syscall_helper(int argc, char **argv) { init_module(NULL, 0, NULL); printf("\nUGLY: init_module syscall permitted.\n"); } - else if (strcmp(argv[2], "finit_module") == 0) { - swapoff(0, NULL, 0); - printf("\nUGLY: finit_module syscall permitted.\n"); - } else if (strcmp(argv[2], "delete_module") == 0) { delete_module(NULL, 0); printf("\nUGLY: delete_module syscall permitted.\n"); } else if (strcmp(argv[2], "chroot") == 0) { - int rv = chroot(NULL); + int rv = chroot("/blablabla-57281292"); (void) rv; printf("\nUGLY: chroot syscall permitted.\n"); } @@ -85,4 +93,4 @@ void syscall_run(const char *name) { // wait for the child to finish waitpid(child, NULL, 0); -} \ No newline at end of file +} diff --git a/src/libtracelog/libtracelog.c b/src/libtracelog/libtracelog.c index 0a6d8299f..3e65587c4 100644 
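Review bot: Dropping the `finit_module` branch from syscall_helper(), together with the matching call in seccomp_test(), removes the audit's only probe for that syscall, so a sandbox that filters `init_module` but leaves `finit_module` reachable would no longer be reported. The removed branch was wrong (it called `swapoff`), but the first syscall.c hunk still adds an `extern int finit_module(...)` declaration that nothing in these hunks uses. If the motive was a missing libc wrapper, which the hunks do not show, the probe could be kept as `syscall(SYS_finit_module, -1, NULL, 0);`; otherwise the unused extern should be removed too. syscall_helper() continues outside the hunks.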
--- a/src/libtracelog/libtracelog.c +++ b/src/libtracelog/libtracelog.c @@ -92,7 +92,7 @@ static void storage_add(const char *str) { } // global variable to keep current working directory -char* cwd = NULL; +static char* cwd = NULL; static char *storage_find(const char *str) { #ifdef DEBUG @@ -108,7 +108,7 @@ static char *storage_find(const char *str) { int allocated = 0; if (strstr(str, "..") || strstr(str, "/./") || strstr(str, "//") || str[0] != '/') { - if (cwd != NULL & str[0] != '/') { + if (cwd != NULL && str[0] != '/') { char *fullpath=malloc(PATH_MAX); if (!fullpath) { fprintf(stderr, "Error: cannot allocate memory\n"); -- cgit v1.2.3-70-g09d2 From 747f15f17531a58c05a4ec30d00519950732cd5f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 10 Jul 2016 12:28:04 -0400 Subject: removed snap from firecfg list --- src/firecfg/firecfg.config | 1 - 1 file changed, 1 deletion(-) diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 55e7e30de..eb51f4052 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -124,7 +124,6 @@ pix xreader # other -snap ssh atom-beta atom -- cgit v1.2.3-70-g09d2 From 0c37b30ad6bf30bb3f77b4bcb3b92a53bc6ff1fa Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Mon, 11 Jul 2016 13:49:38 +1000 Subject: Jitsi profile --- etc/jitsi.profile | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 etc/jitsi.profile diff --git a/etc/jitsi.profile b/etc/jitsi.profile new file mode 100644 index 000000000..8baf1ad94 --- /dev/null +++ b/etc/jitsi.profile @@ -0,0 +1,16 @@ +# Firejail profile for jitsi +noblacklist ~/.jitsi +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +caps.drop all +nonewprivs +nogroups +noroot +protocol unix,inet,inet6 +seccomp +shell none +tracelog + -- cgit v1.2.3-70-g09d2 From 9ff481769ae394e27ffa636c10a6614f3374e105 Mon Sep 17 00:00:00 2001 
From: Fred-Barclay Date: Mon, 11 Jul 2016 14:39:42 +1000 Subject: extra Jitsi files --- Makefile.in | 1 + README | 1 + README.md | 2 +- RELNOTES | 2 +- etc/disable-programs.inc | 1 + platform/debian/conffiles | 1 + src/firecfg/firecfg.config | 1 + 7 files changed, 7 insertions(+), 2 deletions(-) diff --git a/Makefile.in b/Makefile.in index a5a3d7da9..181f30538 100644 --- a/Makefile.in +++ b/Makefile.in @@ -222,6 +222,7 @@ realinstall: install -c -m 0644 .etc/Telegram.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/atom-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/atom.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/jitsi.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/. rm -fr .etc diff --git a/README b/README index 9f5bc7bdf..f2547ad90 100644 --- a/README +++ b/README @@ -57,6 +57,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added Atom Beta and Atom profiles - tightened 0ad, atril, evince, gthumb, pix, qtox, and xreader profiles. - several private-bin conversions + - added jitsi profile Jaykishan Mutkawoa (https://github.com/jmutkawoa) - cpio profile Paupiah Yash (https://github.com/CaffeinatedStud) diff --git a/README.md b/README.md index a60c8dd7f..8f4a66c0f 100644 --- a/README.md +++ b/README.md @@ -135,5 +135,5 @@ Browsers: Palemoon ## New security profiles -Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta, Atom +Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi diff --git a/RELNOTES b/RELNOTES index ef3706eb1..3ff1bf1ad 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -13,7 +13,7 @@ firejail (0.9.41) baseline; urgency=low * some profiles have been converted to private-bin * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice * new profiles: pix, audacity, strings, xz, xzdec, gzip, cpio, less - * new profiles: Atom Beta, Atom + * new profiles: Atom Beta, Atom, jitsi -- netblue30 Tue, 31 May 2016 08:00:00 -0500 firejail (0.9.40) baseline; urgency=low diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 81c97ca2d..837ac1e4c 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -74,6 +74,7 @@ blacklist ${HOME}/.config/tox blacklist ${HOME}/.TelegramDesktop blacklist ${HOME}/.config/Gitter blacklist ${HOME}/.config/Franz +blacklist ${HOME}/.jitsi # Games blacklist ${HOME}/.hedgewars diff --git a/platform/debian/conffiles b/platform/debian/conffiles index ae495ec6d..3bbd93d3c 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -128,3 +128,4 @@ /etc/firejail/Telegram.profile /etc/firejail/atom-beta.profile /etc/firejail/atom.profile +/etc/firejail/jitsi.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 55e7e30de..665cd80c8 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -53,6 +53,7 @@ corebird empathy gitter hexchat +jitsi konversation pidgin polari -- cgit v1.2.3-70-g09d2 From ff7fe7cbc0cf38717e93629eccf16d8294c94f67 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 11 Jul 2016 08:13:00 -0400 Subject: snap platform --- Makefile.in | 3 +++ platform/snap/snap.sh | 20 ++++++++++++++++++++ platform/snap/snapcraft.yaml | 21 +++++++++++++++++++++ 3 files changed, 44 insertions(+) create mode 100755 platform/snap/snap.sh create mode 100644 platform/snap/snapcraft.yaml diff --git a/Makefile.in b/Makefile.in index 181f30538..9ef542958 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -307,6 +307,9 @@ dist: deb: dist ./mkdeb.sh $(NAME) $(VERSION) +snap: all + cd platform/snap; ./snap.sh + github-compile: cd test/compile; ./compile.sh diff --git a/platform/snap/snap.sh b/platform/snap/snap.sh new file mode 100755 index 000000000..d7f924293 --- /dev/null +++ b/platform/snap/snap.sh @@ -0,0 +1,20 @@ +#!/bin/bash + +rm -fr faudit-snap +rm -f faudit_*.snap +mkdir faudit-snap +cd faudit-snap +snapcraft init +cp ../snapcraft.yaml . +#snapcraft stage +mkdir -p stage/usr/lib/firejail +cp ../../../src/faudit/faudit stage/usr/lib/firejail/. +find stage +snapcraft stage +snapcraft snap +cd .. +mv faudit-snap/faudit_*.snap ../../. +rm -fr faudit-snap + + + diff --git a/platform/snap/snapcraft.yaml b/platform/snap/snapcraft.yaml new file mode 100644 index 000000000..7b04a2ca1 --- /dev/null +++ b/platform/snap/snapcraft.yaml @@ -0,0 +1,21 @@ +name: faudit # the name of the snap +version: 0 # the version of the snap +summary: Fireajail audit snap edition # 79 char long summary +description: faudit program extracted from Firejail and packaged as a snap # a longer description for the snap +confinement: strict # use "strict" to enforce system access only via declared interfaces + +apps: + faudit: + command: /usr/lib/firejail/faudit + +parts: + faudit: # Replace with a part name of your liking + # Get more information about plugins by running + # snapcraft help plugins + # and more information about the available plugins + # by running + # snapcraft list-plugins + plugin: nil + snap: + - usr/lib/firejail/faudit + -- cgit v1.2.3-70-g09d2 From 5bef777f30c7d5c2640486d33453b8648beb1eee Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 11 Jul 2016 10:01:45 -0400 Subject: audit work --- Makefile.in | 3 +++ src/faudit/dbus.c | 6 +++--- src/faudit/main.c | 13 ++++++++++--- src/faudit/network.c | 27 ++++++++++++++++++++++++++- src/faudit/pid.c | 21 ++++++++++++++++----- 5 files changed, 58 insertions(+), 12 deletions(-) 
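Review bot: snap.sh runs its `rm -fr`, `cd`, `cp` and `mv` steps with no error checking, so if `mkdir faudit-snap` or `cd faudit-snap` fails, the remaining commands, including `cd ..` and the final `rm -fr faudit-snap`, run relative to the wrong directory. Adding `set -e` after the shebang, or writing `cd faudit-snap || exit 1`, stops the script at the first failure. The leftover `#snapcraft stage` line can be deleted, since the real call follows a few lines later.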
diff --git a/Makefile.in b/Makefile.in index 9ef542958..db326d2db 100644 --- a/Makefile.in +++ b/Makefile.in @@ -310,6 +310,9 @@ deb: dist snap: all cd platform/snap; ./snap.sh +install-snap: snap + sudo snap remove faudit; sudo snap install faudit*.snap + github-compile: cd test/compile; ./compile.sh diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c index f7b5a221d..1ead2aa38 100644 --- a/src/faudit/dbus.c +++ b/src/faudit/dbus.c @@ -60,10 +60,10 @@ void dbus_test(void) { sockfile += 13; *sockfile = '@'; char *ptr = strchr(sockfile, ','); - if (ptr) { + if (ptr) *ptr = '\0'; - check_session_bus(sockfile); - } + check_session_bus(sockfile); + sockfile -= 13; free(sockfile); } diff --git a/src/faudit/main.c b/src/faudit/main.c index 86d3fe4a9..14794719d 100644 --- a/src/faudit/main.c +++ b/src/faudit/main.c @@ -46,23 +46,30 @@ int main(int argc, char **argv) { // check pid namespace pid_test(); + printf("\n"); - // check capabilities - caps_test(); - // check seccomp seccomp_test(); + printf("\n"); + // check capabilities + caps_test(); + printf("\n"); + // check some well-known problematic files and directories files_test(); + printf("\n"); // network network_test(); + printf("\n"); // dbus dbus_test(); + printf("\n"); free(prog); printf("--------------------------------------------------------------------------------\n"); + return 0; } diff --git a/src/faudit/network.c b/src/faudit/network.c index 0e0ad1844..cf1eede69 100644 --- a/src/faudit/network.c +++ b/src/faudit/network.c @@ -23,7 +23,7 @@ #include #include -void check_ssh(void) { +static void check_ssh(void) { // open socket int sock = socket(AF_INET, SOCK_STREAM, 0); if (sock == -1) { 
@@ -47,6 +47,30 @@ void check_ssh(void) { close(sock); } +static void check_http(void) { + // open socket + int sock = socket(AF_INET, SOCK_STREAM, 0); + if (sock == -1) { + printf("GOOD: HTTP server not available on localhost.\n"); + return; + } + + // connect to localhost + struct sockaddr_in server; + server.sin_addr.s_addr = inet_addr("127.0.0.1"); + server.sin_family = AF_INET; + server.sin_port = htons(80); + + if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0) + printf("GOOD: HTTP server not available on localhost.\n"); + else { + printf("MAYBE: an HTTP server is accessible on localhost. "); + printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n"); + } + + close(sock); +} + void check_netlink(void) { int sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, 0); if (sock == -1) { @@ -72,5 +96,6 @@ void check_netlink(void) { void network_test(void) { check_ssh(); + check_http(); check_netlink(); } diff --git a/src/faudit/pid.c b/src/faudit/pid.c index 2770daece..a0fb1d921 100644 --- a/src/faudit/pid.c +++ b/src/faudit/pid.c @@ -31,6 +31,7 @@ void pid_test(void) { int i; // look at the first 10 processes + int not_visible = 1; for (i = 1; i <= 10; i++) { struct stat s; char *fname; @@ -45,7 +46,7 @@ void pid_test(void) { /* coverity[toctou] */ FILE *fp = fopen(fname, "r"); if (!fp) { - fprintf(stderr, "Warning: cannot open %s\n", fname); +// fprintf(stderr, "Warning: cannot open %s\n", fname); free(fname); continue; } @@ -53,11 +54,13 @@ void pid_test(void) { // read file char buf[100]; if (fgets(buf, 10, fp) == NULL) { - fprintf(stderr, "Warning: cannot read %s\n", fname); +// fprintf(stderr, "Warning: cannot read %s\n", fname); fclose(fp); free(fname); continue; } + not_visible = 0; + // clean /n char *ptr; if ((ptr = strchr(buf, '\n')) != NULL) 
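Review bot: In check_http() the `struct sockaddr_in server` is filled field by field and never zeroed, so its padding bytes reach connect() with whatever was on the stack; declaring it as `struct sockaddr_in server = {0};` avoids that. The function also reports "GOOD: HTTP server not available" when socket() itself fails, which says nothing about whether a server is listening; a separate message for that case would keep the audit output accurate. The body is otherwise a copy of check_ssh() with the port and text changed, so a shared static helper taking the port and a service name would remove the duplication.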
@@ -69,7 +72,7 @@ void pid_test(void) { if (strncmp(buf, kern_proc[j], strlen(kern_proc[j])) == 0) { fclose(fp); free(fname); - printf("BAD: Process %d, not running in a PID namespace. ", getpid()); + printf("BAD: Process %d is not running in a PID namespace. ", getpid()); printf("Are you sure you're running in a sandbox?\n"); return; } @@ -80,11 +83,19 @@ void pid_test(void) { free(fname); } - - printf("GOOD: process %d running in a PID namespace.\n", getpid()); + pid_t pid = getpid(); + if (not_visible && pid > 100) + printf("BAD: Process %d is not running in a PID namespace.\n", pid); + else + printf("GOOD: process %d is running in a PID namespace.\n", pid); // try to guess the type of container/sandbox char *str = getenv("container"); if (str) printf("INFO: container/sandbox %s.\n", str); + else { + str = getenv("SNAP"); + if (str) + printf("INFO: this is a snap package\n"); + } } -- cgit v1.2.3-70-g09d2 From 68b9c1382593fabc0e58862a45b4d010e8bb2256 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Tue, 12 Jul 2016 05:22:47 +0300 Subject: Another command line quoting fix 1. Arguments passed to shell should always be quoted by single quotes. 2. Arguments passed directly to program (--shell=none) should never be quoted. --- src/firejail/main.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/src/firejail/main.c b/src/firejail/main.c index 232a57499..366b41f88 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -2022,11 +2022,7 @@ int main(int argc, char **argv) { char *ptr1 = cfg.command_line; char *ptr2 = cfg.window_title; for (i = 0; i < argcnt; i++) { - // detect bash commands - if (strstr(argv[i + prog_index], "&&") || strstr(argv[i + prog_index], "||")) { - sprintf(ptr1, "%s ", argv[i + prog_index]); - } - else if (arg_command){ + if (arg_shell_none){ sprintf(ptr1, "%s ", argv[i + prog_index]); } else { -- cgit v1.2.3-70-g09d2 From 0a79f8ebe8201f52495b26f6b28b6eb7c553d7ff Mon Sep 17 00:00:00 2001 
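Review bot: The new verdict `if (not_visible && pid > 100)` in pid_test() rests on an unexplained cutoff and on a flag whose meaning has to be reconstructed from the loop, and no comment says why the combination implies the host PID namespace. A comment above the test would help, for example `// none of /proc/1../proc/10 was readable and our pid is high: /proc is probably hidden, not namespaced`. That reading is inferred from the earlier pid.c hunks and should be confirmed by the author. The two `// fprintf(stderr, "Warning: ...")` lines left commented out in those earlier hunks would be better deleted. pid_test() starts outside this hunk.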
From: Aleksey Manevich Date: Tue, 12 Jul 2016 05:28:41 +0300 Subject: Remove redundant code This code also causes obscure errors in some rare cases --- src/firejail/run_symlink.c | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c index 26c6c5133..020e70b80 100644 --- a/src/firejail/run_symlink.c +++ b/src/firejail/run_symlink.c @@ -103,16 +103,7 @@ void run_symlink(int argc, char **argv) { a[1] = program; int i; for (i = 0; i < (argc - 1); i++) { - // look for & character - if (strchr(argv[i + 1], '&')) { - char *str = malloc(strlen(argv[i + 1])); - if (str == NULL) - errExit("malloc"); - sprintf(str, "\"%s\"", argv[i + 1]); - a[i + 2] = str; - } - else - a[i + 2] = argv[i + 1]; + a[i + 2] = argv[i + 1]; } a[i + 2] = NULL; execvp(a[0], a); -- cgit v1.2.3-70-g09d2 From 834ca520e8a54291c91e46d9a3e10dce9b806e57 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Tue, 12 Jul 2016 07:00:46 +0300 Subject: Small fix args prepared here are only for shell --- src/firejail/main.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/src/firejail/main.c b/src/firejail/main.c index 366b41f88..91f39ed71 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -2022,12 +2022,7 @@ int main(int argc, char **argv) { char *ptr1 = cfg.command_line; char *ptr2 = cfg.window_title; for (i = 0; i < argcnt; i++) { - if (arg_shell_none){ - sprintf(ptr1, "%s ", argv[i + prog_index]); - } - else { - sprintf(ptr1, "\'%s\' ", argv[i + prog_index]); - } + sprintf(ptr1, "\'%s\' ", argv[i + prog_index]); sprintf(ptr2, "%s ", argv[i + prog_index]); ptr1 += strlen(ptr1); -- cgit v1.2.3-70-g09d2 From 67f8a71cd721b1786dc5b17248316a714ea71869 Mon Sep 17 00:00:00 2001 
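Review bot: The line `sprintf(ptr1, "\'%s\' ", argv[i + prog_index]);` in main.c wraps every argument in single quotes without handling a single quote inside the argument, so such an argument closes the quoted span early and the remainder is parsed by the shell that receives cfg.command_line. Each embedded `'` has to be emitted outside the single-quoted span (for example as `"'"`), and the length computed before the buffer is allocated has to grow to match. The loop and the buffer sizing start outside this hunk, so the size change cannot be shown against these lines.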
From: netblue30 Date: Tue, 12 Jul 2016 08:21:57 -0400 Subject: whitelist rework --- README.md | 17 ++++++++++++++ src/firejail/fs_whitelist.c | 28 +++++++++++----------- src/man/firejail.txt | 6 ++--- todo | 57 +++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 92 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 8f4a66c0f..019a6a56c 100644 --- a/README.md +++ b/README.md @@ -40,6 +40,23 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ --user option was deprecated, please use "sudo -u username firejail application" instead. +## --whitelist rework + +Symlinks outside user home directories are allowed: +````` + --whitelist=dirname_or_filename + Whitelist directory or file. This feature is implemented only + for user home, /dev, /media, /opt, /var, and /tmp directories. + With the exeception of user home, both the link and the real + file should be in the same top directory. + + Example: + $ firejail --noprofile --whitelist=~/.mozilla + $ firejail --whitelist=/tmp/.X11-unix --whitelist=/dev/null + $ firejail "--whitelist=/home/username/My Virtual Machines" +````` + + ## AppImage AppImage (http://appimage.org/) is a distribution-agnostic packaging format. diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index ba6c8cd74..926e5415c 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c 
@@ -181,11 +181,15 @@ static void whitelist_path(ProfileEntry *entry) { char *wfile = NULL; if (entry->home_dir) { - fname = path + strlen(cfg.homedir); - if (*fname == '\0') { - fprintf(stderr, "Error: file %s is not in user home directory, exiting...\n", path); - exit(1); + if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) { + fname = path + strlen(cfg.homedir); + if (*fname == '\0') { + fprintf(stderr, "Error: file %s is not in user home directory, exiting...\n", path); + exit(1); + } } + else + fname = path; if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_HOME_USER_DIR, fname) == -1) errExit("asprintf"); @@ -248,9 +252,6 @@ static void whitelist_path(ProfileEntry *entry) { printf("Whitelisting %s\n", path); } else { - if (arg_debug || arg_debug_whitelists) { - fprintf(stderr, "Warning (whitelisting): %s is an invalid file, skipping...\n", path); - } return; } @@ -390,13 +391,14 @@ void fs_whitelist(void) { entry->home_dir = 1; home_dir = 1; + if (arg_debug) + fprintf(stderr, "Debug %d: fname #%s#, cfg.homedir #%s#\n", + __LINE__, fname, cfg.homedir); + // both path and absolute path are under /home - if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) { - if (arg_debug) - fprintf(stderr, "Debug %d: fname #%s#, cfg.homedir #%s#\n", - __LINE__, fname, cfg.homedir); - goto errexit; - } +// if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) { +// goto errexit; +// } } else if (strncmp(new_name, "/tmp/", 5) == 0) { entry->tmp_dir = 1; diff --git a/src/man/firejail.txt b/src/man/firejail.txt index cd9ea6a8a..f7079200e 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
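Review bot: The new `strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0` test in whitelist_path() is a bare prefix match, so a path in a sibling directory whose name merely begins with the home directory string (constructed example: home `/home/user`, path `/home/user2/file`) is treated as inside home and `fname` then starts in the middle of a path component. Unless `path` is normalised earlier in a way that rules this out, require a separator at the boundary: `size_t hlen = strlen(cfg.homedir);` followed by `if (strncmp(path, cfg.homedir, hlen) == 0 && (path[hlen] == '/' || path[hlen] == '\0')) {`. whitelist_path() starts and ends outside the hunk.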
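Review bot: The containment check in fs_whitelist() is disabled by commenting it out, which leaves a dead `strncmp` / `goto errexit` block and no statement of what now limits where a whitelisted home entry may resolve to. If accepting targets outside `cfg.homedir` is intended, as the README text in this commit suggests, delete the commented lines and record the decision in a comment such as `// the resolved path may lie outside cfg.homedir: symlinked home entries are accepted`. It would also help to say which destinations are still refused, since that is not visible in this hunk. fs_whitelist() starts and ends outside the hunk.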
@@ -1515,14 +1515,14 @@ firejail version 0.9.27 .TP \fB\-\-whitelist=dirname_or_filename Whitelist directory or file. This feature is implemented only for user home, /dev, /media, /opt, /var, and /tmp directories. -When whitlisting symbolic links, both the link and the real file should be in the same top directory -(home user, /media, /var etc.) +With the exeception of user home, both the link and the real file should be in +the same top directory. .br .br Example: .br -$ firejail \-\-whitelist=~/.mozilla \-\-whitelist=~/Downloads +$ firejail \-\-noprofile \-\-whitelist=~/.mozilla .br $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null .br diff --git a/todo b/todo index 88baff216..5ceb4e530 100644 --- a/todo +++ b/todo 
@@ -161,3 +161,60 @@ To disable Vsync $ vblank_mode=0 glxgears +18. Bring in nvidia drives in private-dev + +/dev/nvidia[0-9], /dev/nvidiactl, /dev/nvidia-modset and /dev/nvidia-uvm + +19. testing snaps + +Install firejail from official repository +sudo apt-get install firejail + +Check firejail version +firejail --version + +Above command outputs: firejail version 0.9.38 + +Search the snap 'ubuntu clock' application +sudo snap find ubuntu-clock-app + +Install 'ubuntu clock' application using snap +sudo snap install ubuntu-clock-app + +Ubuntu snap packages are installed in /snap/// directory and can be executed from /snap/bin/ +cd /snap/bin/ +ls -l + +Note: We see application name is: ubuntu-clock-app.clock + +Run application +/snap/bin/ubuntu-clock-app.clock + +Note: Application starts-up without a problem and clock is displayed. + +Close application using mouse. + +Now try to firejail the application. +firejail /snap/bin/ubuntu-clock-app.clock + +-------- Error message -------- +Reading profile /etc/firejail/generic.profile +Reading profile /etc/firejail/disable-mgmt.inc +Reading profile /etc/firejail/disable-secret.inc +Reading profile /etc/firejail/disable-common.inc + +** Note: you can use --noprofile to disable generic.profile ** + +Parent pid 3770, child pid 3771 + +Child process initialized +need to run as root or suid + +parent is shutting down, bye... +-------- End of Error message -------- + +Try running as root as message instructs. +sudo firejail /snap/bin/ubuntu-clock-app.clock + +extract env for process +ps e -p | sed 's/ /\n/g' -- cgit v1.2.3-70-g09d2 From f4c4140b4eb405172afe4755464f8af10e58350b Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 13 Jul 2016 12:10:50 -0400 Subject: todo --- todo | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/todo b/todo index 5ceb4e530..43168dd5a 100644 --- a/todo +++ b/todo 
@@ -218,3 +218,20 @@ sudo firejail /snap/bin/ubuntu-clock-app.clock extract env for process ps e -p | sed 's/ /\n/g' + + +20. check default disable - from grsecurity + +GRKERNSEC_HIDESYM +/proc/kallsyms and other files + +GRKERNSEC_PROC_USER +If you say Y here, non-root users will only be able to view their own +processes, and restricts them from viewing network-related information, +and viewing kernel symbol and module information. + +GRKERNSEC_PROC_ADD +If you say Y here, additional restrictions will be placed on +/proc that keep normal users from viewing device information and +slabinfo information that could be useful for exploits. + -- cgit v1.2.3-70-g09d2 From 52a80d1ffd8681379c8afcc7de145c79127b084f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 13 Jul 2016 12:16:17 -0400 Subject: todo --- todo | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/todo b/todo index 43168dd5a..491f9d8eb 100644 --- a/todo +++ b/todo @@ -235,3 +235,14 @@ If you say Y here, additional restrictions will be placed on /proc that keep normal users from viewing device information and slabinfo information that could be useful for exploits. +21. Core Infrastructure Initiative (CII) Best Practices + +Proposal + +Someone closely involved with the project could go thought the criteria and keep them up-to-date. +References + + https://bestpractices.coreinfrastructure.org + https://twit.tv/shows/floss-weekly/episodes/389 + +@netblue30 \ No newline at end of file -- cgit v1.2.3-70-g09d2 From a9f3209570c19843a011da9b254066eb38a648db Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Fri, 15 Jul 2016 07:28:06 +1000 Subject: Pidgin private-bin conversion --- README | 1 + README.md | 2 +- etc/pidgin.profile | 10 +++++++++- 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/README b/README index f2547ad90..2055c221c 100644 --- a/README +++ b/README 
@@ -58,6 +58,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - tightened 0ad, atril, evince, gthumb, pix, qtox, and xreader profiles. - several private-bin conversions - added jitsi profile + - pidgin private-bin conversion Jaykishan Mutkawoa (https://github.com/jmutkawoa) - cpio profile Paupiah Yash (https://github.com/CaffeinatedStud) diff --git a/README.md b/README.md index 019a6a56c..f36bbc3ae 100644 --- a/README.md +++ b/README.md @@ -140,7 +140,7 @@ Media: vlc, mpv, gnome-mplayer, audacity, rhythmbox, spotify, xplayer, xviewer Office: evince, gthumb, fbreader, pix, atril, xreader -Chat/messaging: qtox, gitter +Chat/messaging: qtox, gitter, pidgin Games: warzone2100 diff --git a/etc/pidgin.profile b/etc/pidgin.profile index 091456d76..3df2cafa6 100644 --- a/etc/pidgin.profile +++ b/etc/pidgin.profile @@ -2,11 +2,19 @@ noblacklist ${HOME}/.purple include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all +netfilter nonewprivs +nogroups noroot protocol unix,inet,inet6 seccomp +shell none +tracelog + +private-bin pidgin +private-dev -- cgit v1.2.3-70-g09d2 From 80ccd124b6e510f820f5ccca7dd6b8acc3671e6a Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 15 Jul 2016 12:10:58 -0400 Subject: faudit work --- src/faudit/dbus.c | 2 +- src/faudit/dev.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ src/faudit/faudit.h | 3 +++ src/faudit/main.c | 4 ++++ 4 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 src/faudit/dev.c diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c index 1ead2aa38..979617001 100644 --- a/src/faudit/dbus.c +++ b/src/faudit/dbus.c 
@@ -42,7 +42,7 @@ void check_session_bus(const char *sockfile) { printf("GOOD: I cannot connect to session bus. If the application misbehaves, please log a bug with the application developer.\n"); } else { - printf("MAYBE: I can connect to session bus. It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n"); + printf("MAYBE: I can connect to session bus. It could be a good idea to disable it by creating a new network namespace using \"--net=none\" or \"--net=eth0\".\n"); } close(sock); diff --git a/src/faudit/dev.c b/src/faudit/dev.c new file mode 100644 index 000000000..52506a258 --- /dev/null +++ b/src/faudit/dev.c 
@@ -0,0 +1,48 @@ +/* + * Copyright (C) 2014-2016 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "faudit.h" +#include + +void dev_test(void) { + DIR *dir; + if (!(dir = opendir("/dev"))) { + fprintf(stderr, "Error: cannot open /dev directory\n"); + return; + } + + struct dirent *entry; + char *end; + printf("INFO: files visible in /dev directory: "); + int cnt = 0; + while ((entry = readdir(dir)) != NULL) { + if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) + continue; + + printf("%s, ", entry->d_name); + cnt++; + } + printf("\n"); + + if (cnt > 20) + printf("MAYBE: /dev directory seems to be fully populated. Use --private-dev or --whitelist to restrict the access.\n"); + else + printf("GOOD: Access to /dev directory is restricted.\n"); + closedir(dir); +} diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h index 3c08a3eab..93fb4b709 100644 --- a/src/faudit/faudit.h +++ b/src/faudit/faudit.h @@ -58,4 +58,7 @@ void network_test(void); // dbus.c void dbus_test(void); +// dev.c +void dev_test(void); + #endif diff --git a/src/faudit/main.c b/src/faudit/main.c index 14794719d..72c386cd1 100644 --- a/src/faudit/main.c +++ b/src/faudit/main.c 
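Review bot: dev_test() chooses between the MAYBE and GOOD verdicts with the bare constant in `if (cnt > 20)`, and nothing explains how 20 relates to the number of entries a restricted /dev is expected to hold. A named constant with a one-line comment giving the reasoning would make the threshold reviewable when the set of devices kept by --private-dev changes. `char *end;` is declared and never used in the function. The printed list also ends with a trailing `, ` because the separator is written after every entry.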
@@ -68,6 +68,10 @@ int main(int argc, char **argv) { dbus_test(); printf("\n"); + // /dev test + dev_test(); + printf("\n"); + free(prog); printf("--------------------------------------------------------------------------------\n"); -- cgit v1.2.3-70-g09d2 From 7669b9410df5639365967c57326a3fc3bb192810 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Sat, 16 Jul 2016 00:34:07 +0300 Subject: Fix problem with single quotes in args Single quotes can't be represented in single quoted text, so quote them separately by double quotes. --- src/firejail/main.c | 45 +++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 41 insertions(+), 4 deletions(-) diff --git a/src/firejail/main.c b/src/firejail/main.c index 91f39ed71..28351a2df 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -2008,8 +2008,26 @@ int main(int argc, char **argv) { int i; int len = 0; int argcnt = argc - prog_index; - for (i = 0; i < argcnt; i++) - len += strlen(argv[i + prog_index]) + 3; // + ' ' + 2 '"' + int j; + char *arg, *arg_ptr, *token; + + for (i = 0; i < argcnt; i++) { + arg = strdup(argv[i + prog_index]); + arg_ptr = arg; + for (token = strsep(&arg_ptr, "\'"); token != NULL; token = strsep(&arg_ptr, "\'")) { + if (token[0] == '\0') { + len += 3; + } else { + len += strlen(token) + 5; + } + } + free(arg); + len -= 2; // + ' ' - 3 char overrun + } + len += 3; // for overrun + + if (arg_debug) + printf("Predicted command length %d\n", len); // build the string cfg.command_line = malloc(len + 1); // + '\0' 
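Review bot: Both quoting loops in firejail's main() call `strdup(argv[i + prog_index])` and use the result unchecked; if it returns NULL, `strsep` yields no tokens, the length pass still executes `len -= 2`, and in the second hunk `ptr1 -= 3` steps back over bytes that were never written (to before the start of cfg.command_line when i is 0). Add a check right after each call, for example `if (!arg) errExit("strdup");`, matching the `errExit("asprintf")` style used elsewhere in src/firejail. The `int j;` declared here is not used in the lines shown. main() begins and ends outside the hunk.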
@@ -2022,12 +2040,31 @@ int main(int argc, char **argv) { char *ptr1 = cfg.command_line; char *ptr2 = cfg.window_title; for (i = 0; i < argcnt; i++) { - sprintf(ptr1, "\'%s\' ", argv[i + prog_index]); - sprintf(ptr2, "%s ", argv[i + prog_index]); + // enclose args by single quotes, + // and since single quote can't be represented in single quoted text + // each occurence of it in arg should be enclosed by double quotes + arg = strdup(argv[i + prog_index]); + arg_ptr = arg; + for (token = strsep(&arg_ptr, "\'"); token != NULL; token = strsep(&arg_ptr, "\'")) { + if (token[0] == '\0') { + sprintf(ptr1, "\"\'\""); + } else { + sprintf(ptr1, "\'%s\'\"\'\"", token); + } + ptr1 += strlen(ptr1); + } + free(arg); + ptr1 -= 3; + sprintf(ptr1, " "); ptr1 += strlen(ptr1); + + sprintf(ptr2, "%s ", argv[i + prog_index]); ptr2 += strlen(ptr2); } + ptr1[0]='\0'; // just to be sure + if (arg_debug) + printf("Actual command length %zd\n", strlen(cfg.command_line)); } assert(cfg.command_name); -- cgit v1.2.3-70-g09d2 From 8235624a64df55b3dbaca2fb93543b9300df64e3 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 16 Jul 2016 08:19:21 -0400 Subject: fixes --- src/faudit/dev.c | 1 - 1 file changed, 1 deletion(-) diff --git a/src/faudit/dev.c b/src/faudit/dev.c index 52506a258..92f615958 100644 --- a/src/faudit/dev.c +++ b/src/faudit/dev.c @@ -28,7 +28,6 @@ void dev_test(void) { } struct dirent *entry; - char *end; printf("INFO: files visible in /dev directory: "); int cnt = 0; while ((entry = readdir(dir)) != NULL) { -- cgit v1.2.3-70-g09d2 From 14ad07435d339b290e284995c1d0349f4434a371 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 16 Jul 2016 12:58:09 -0400 Subject: testing --- src/faudit/dbus.c | 1 + src/firejail/fs.c | 2 +- test/features/1.2.exp | 6 +++--- test/features/1.8.exp | 18 ------------------ test/features/3.5.exp | 10 +++++----- test/private_dir.exp | 2 +- test/private_dir_profile.exp | 2 +- test/test.sh | 3 --- 8 files changed, 12 insertions(+), 32 deletions(-) 
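Review bot: An empty argument is dropped from `cfg.command_line` by the new build loop: `strsep` yields a single empty token, the first branch writes three characters, and `ptr1 -= 3` then removes exactly those, leaving only the separating space. The replaced line `sprintf(ptr1, "\'%s\' ", argv[i + prog_index]);` kept such an argument as `''`, so the sandboxed program would now receive a shorter argument list than the user typed. Emit `''` when `argv[i + prog_index][0] == '\0'` and add two to `len` for that case in the sizing loop at `@@ -2008,8 +2008,26 @@`. The `sprintf` calls here are unbounded and depend on that sizing loop matching this one, so the change has to be made in both places.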
diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c index 979617001..996e013ed 100644 --- a/src/faudit/dbus.c +++ b/src/faudit/dbus.c @@ -67,6 +67,7 @@ void dbus_test(void) { sockfile -= 13; free(sockfile); } + free(bus); } } diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 4b2b91b17..d426636d8 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -1093,7 +1093,7 @@ void fs_chroot(const char *rootdir) { if (asprintf(&newx11, "%s/tmp/.X11-unix", rootdir) == -1) errExit("asprintf"); if (arg_debug) - printf("Mounting /tmp/.X11-unix on %s\n", newdev); + printf("Mounting /tmp/.X11-unix on %s\n", newx11); if (mount("/tmp/.X11-unix", newx11, NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mounting /tmp/.X11-unix"); free(newx11); diff --git a/test/features/1.2.exp b/test/features/1.2.exp index 6f7cae888..685acf737 100755 --- a/test/features/1.2.exp +++ b/test/features/1.2.exp @@ -34,7 +34,7 @@ expect { } expect { timeout {puts "TESTING ERROR 1.4\n";exit} - "proc /proc/sysrq-trigger proc" + "/proc/sysrq-trigger" } #expect { # timeout {puts "TESTING ERROR 1.5\n";exit} @@ -42,11 +42,11 @@ expect { #} expect { timeout {puts "TESTING ERROR 1.6\n";exit} - "proc /proc/irq proc" + "/proc/irq" } expect { timeout {puts "TESTING ERROR 1.7\n";exit} - "proc /proc/bus proc" + "/proc/bus" } after 100 send -- "exit\r" diff --git a/test/features/1.8.exp b/test/features/1.8.exp index 493a87328..4c6d3f3dc 100755 --- a/test/features/1.8.exp +++ b/test/features/1.8.exp @@ -20,12 +20,6 @@ expect { } sleep 1 -send -- "ls /etc/firejail\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Permission denied" -} -after 100 send -- "ls ~/.config/firejail\r" expect { timeout {puts "TESTING ERROR 1.1\n";exit} 
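Review bot: The added `free(bus);` in `dbus_test` follows the context lines `sockfile -= 13; free(sockfile);`; if `sockfile` points into the buffer held by `bus` (the `-= 13` suggests it was advanced past a prefix of that string), the same allocation is released twice on that path, or `free` is handed a pointer that is not the start of an allocation. The assignment of `sockfile` is outside the hunk, so this needs checking against the full function. If that is the case, keep the single `free(bus);` and drop `free(sockfile);`.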
@@ -77,12 +71,6 @@ if { $overlay == "overlay" } { "Child process initialized" {puts "normal system\n"} } sleep 1 - send -- "ls /etc/firejail\r" - expect { - timeout {puts "TESTING ERROR 3\n";exit} - "Permission denied" - } - after 100 send -- "ls ~/.config/firejail\r" expect { timeout {puts "TESTING ERROR 3.1\n";exit} @@ -134,12 +122,6 @@ if { $chroot == "chroot" } { "Child process initialized" } sleep 1 - send -- "ls /etc/firejail\r" - expect { - timeout {puts "TESTING ERROR 5\n";exit} - "Permission denied" - } - after 100 send -- "ls ~/.config/firejail\r" expect { timeout {puts "TESTING ERROR 5.1\n";exit} diff --git a/test/features/3.5.exp b/test/features/3.5.exp index aed5fe836..f4b544b3d 100755 --- a/test/features/3.5.exp +++ b/test/features/3.5.exp @@ -22,8 +22,8 @@ sleep 1 send -- "ls -l /dev | wc -l\r" expect { timeout {puts "TESTING ERROR 1.1\n";exit} - "12" { puts "Debian\n"} - "11" { puts "Centos\n"} + "13" { puts "Debian\n"} + "12" { puts "Centos\n"} } after 100 @@ -45,8 +45,8 @@ if { $overlay == "overlay" } { send -- "ls -l /dev | wc -l\r" expect { timeout {puts "TESTING ERROR 3.1\n";exit} - "12" { puts "Debian\n"} - "11" { puts "Centos\n"} + "13" { puts "Debian\n"} + "12" { puts "Centos\n"} } after 100 @@ -68,7 +68,7 @@ if { $chroot == "chroot" } { send -- "ls -l /dev | wc -l\r" expect { timeout {puts "TESTING ERROR 5.1\n";exit} - "11" + "12" } after 100 diff --git a/test/private_dir.exp b/test/private_dir.exp index 9dfb2ea9f..a4beeba27 100755 --- a/test/private_dir.exp +++ b/test/private_dir.exp @@ -42,7 +42,7 @@ expect { send -- "ls -al | wc -l;pwd\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "7" {puts "normal system\n";} + "6" {puts "normal system\n";} "5" {puts "OpenSUSE\n";} } expect { diff --git a/test/private_dir_profile.exp b/test/private_dir_profile.exp index 5b38ad0bb..8d1c74444 100755 --- a/test/private_dir_profile.exp +++ b/test/private_dir_profile.exp 
@@ -42,7 +42,7 @@ expect { send -- "ls -al | wc -l;pwd\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "7" {puts "normal system\n";} + "6" {puts "normal system\n";} "5" {puts "OpenSUSE\n";} } expect { diff --git a/test/test.sh b/test/test.sh index 71e2c6720..4b7d5bb6d 100755 --- a/test/test.sh +++ b/test/test.sh @@ -62,9 +62,6 @@ echo "TESTING: overlayfs (fs_overlay.exp)" echo "TESTING: login SSH (login_ssh.exp)" ./login_ssh.exp -echo "TESTING: DNS (dns.exp)" -./dns.exp - echo "TESTING: firemon --arp (firemon-arp.exp)" ./firemon-arp.exp -- cgit v1.2.3-70-g09d2 From fcdd585786849aee34ef45dbfb46fa222a5e213d Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 16 Jul 2016 22:11:10 -0400 Subject: faudit fix --- src/faudit/dbus.c | 1 - 1 file changed, 1 deletion(-) diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c index 996e013ed..1edce5802 100644 --- a/src/faudit/dbus.c +++ b/src/faudit/dbus.c @@ -65,7 +65,6 @@ void dbus_test(void) { check_session_bus(sockfile); sockfile -= 13; - free(sockfile); } free(bus); } -- cgit v1.2.3-70-g09d2 From 56765e75e4c526750b8c157635c4345797327315 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Mon, 18 Jul 2016 03:49:02 +1000 Subject: for Issue #637 --- etc/disable-common.inc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 17f37c5cc..d18ee0287 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -20,6 +20,8 @@ blacklist ${HOME}/.config/lxsession/LXDE/autostart blacklist ${HOME}/.fluxbox/startup blacklist ${HOME}/.config/openbox/autostart blacklist ${HOME}/.config/openbox/environment +blacklist ${HOME}/.gnomerc +blacklist /etc/X11/Xsession.d/ # VirtualBox blacklist ${HOME}/.VirtualBox -- cgit v1.2.3-70-g09d2 From 1f4e6d3888130eff5485cbdd6ff4e84aa6e69f96 Mon Sep 17 00:00:00 2001 
From: Aleksey Manevich Date: Tue, 19 Jul 2016 15:45:55 +0300 Subject: Fix problem with single quotes in args Single quotes can't be represented in single quoted text, so quote them separately by double quotes. Better version. --- src/firejail/main.c | 96 ++++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 69 insertions(+), 27 deletions(-) diff --git a/src/firejail/main.c b/src/firejail/main.c index 28351a2df..4f1c81e2b 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -2009,25 +2009,34 @@ int main(int argc, char **argv) { int len = 0; int argcnt = argc - prog_index; int j; - char *arg, *arg_ptr, *token; + bool in_quotes = false; for (i = 0; i < argcnt; i++) { - arg = strdup(argv[i + prog_index]); - arg_ptr = arg; - for (token = strsep(&arg_ptr, "\'"); token != NULL; token = strsep(&arg_ptr, "\'")) { - if (token[0] == '\0') { - len += 3; + in_quotes = false; + for (j = 0; j < strlen(argv[i + prog_index]); j++) { + if (argv[i + prog_index][j] == '\'') { + if (in_quotes) + len++; + if (j > 0 && argv[i + prog_index][j-1] == '\'') + len++; + else + len += 3; + in_quotes = false; } else { - len += strlen(token) + 5; + if (!in_quotes) + len++; + len++; + in_quotes = true; } } - free(arg); - len -= 2; // + ' ' - 3 char overrun + if (in_quotes) { + len++; + } + if (strlen(argv[i + prog_index]) == 0) { + len += 2; + } + len++; } - len += 3; // for overrun - - if (arg_debug) - printf("Predicted command length %d\n", len); // build the string cfg.command_line = malloc(len + 1); // + '\0' 
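Review bot: The loop condition `j < strlen(argv[i + prog_index])` compares the `int` `j` with a `size_t` and re-scans the argument on every iteration, here and in the build loop at `@@ -2040,31 +2049,64 @@`. Hoisting it, e.g. `const char *a = argv[i + prog_index]; size_t alen = strlen(a);` and declaring `j` as `size_t`, removes the mixed-sign comparison and makes the `a[j-1]` look-back and the empty-argument test (`alen == 0`) easier to read. A short comment above the loop listing the per-character cost (opening quote, closing quote, three characters for the first single quote in a run, one more for each following one) would let a reader check the arithmetic against the build loop. `main` starts and ends outside the hunk.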
@@ -2040,31 +2049,64 @@ int main(int argc, char **argv) { char *ptr1 = cfg.command_line; char *ptr2 = cfg.window_title; for (i = 0; i < argcnt; i++) { + // enclose args by single quotes, // and since single quote can't be represented in single quoted text - // each occurence of it in arg should be enclosed by double quotes - arg = strdup(argv[i + prog_index]); - arg_ptr = arg; - for (token = strsep(&arg_ptr, "\'"); token != NULL; token = strsep(&arg_ptr, "\'")) { - if (token[0] == '\0') { - sprintf(ptr1, "\"\'\""); - } else { - sprintf(ptr1, "\'%s\'\"\'\"", token); + // each occurence of it should be enclosed by double quotes + in_quotes = false; + for (j = 0; j < strlen(argv[i + prog_index]); j++) { + // single quote + if (argv[i + prog_index][j] == '\'') { + if (in_quotes) { + // close quotes + ptr1[0] = '\''; + ptr1++; + } + // previous char was single quote too + if (j > 0 && argv[i + prog_index][j-1] == '\'') { + ptr1--; + sprintf(ptr1, "\'\""); + } + // this first in series + else + { + sprintf(ptr1, "\"\'\""); + } + ptr1 += strlen(ptr1); + in_quotes = false; } + // anything other + else + { + if (!in_quotes) { + // open quotes + ptr1[0] = '\''; + ptr1++; + } + ptr1[0] = argv[i + prog_index][j]; + ptr1++; + in_quotes = true; + } + } + // close quotes + if (in_quotes) { + ptr1[0] = '\''; + ptr1++; + } + // handle empty argument case + if (strlen(argv[i + prog_index]) == 0) { + sprintf(ptr1, "\'\'"); ptr1 += strlen(ptr1); } - free(arg); - ptr1 -= 3; - + // add space sprintf(ptr1, " "); ptr1 += strlen(ptr1); sprintf(ptr2, "%s ", argv[i + prog_index]); ptr2 += strlen(ptr2); } - ptr1[0]='\0'; // just to be sure - if (arg_debug) - printf("Actual command length %zd\n", strlen(cfg.command_line)); + + assert(len == strlen(cfg.command_line)); } assert(cfg.command_name); -- cgit v1.2.3-70-g09d2 From afe0e236a855b8917c1f4c1bc0273d27dfabda62 Mon Sep 17 00:00:00 2001 
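Review bot: `assert(len == strlen(cfg.command_line));` is the only check that the sizing loop and this build loop agree, and it runs after every byte has already been written; it is also compiled out when `NDEBUG` is defined. The two loops repeat the same quoting state machine by hand, so a later edit to one of them becomes a write past the end of `cfg.command_line` rather than a clean failure. I would move the quoting into one helper that is called once with a NULL destination to count and once to write, or pass the remaining size to the writer and stop when it is exhausted, and add a comment above both loops saying they must stay in step. `main` continues outside the hunk.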
From: netblue30 Date: Tue, 19 Jul 2016 11:47:44 -0400 Subject: default.profile bug --- src/firejail/main.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/firejail/main.c b/src/firejail/main.c index 232a57499..703b9913b 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -2072,8 +2072,6 @@ int main(int argc, char **argv) { fprintf(stderr, "Warning: default profile disabled by --chroot option\n"); else if (arg_overlay) fprintf(stderr, "Warning: default profile disabled by --overlay option\n"); -// else if (cfg.home_private_keep) -// fprintf(stderr, "Warning: default profile disabled by --private-home option\n"); else { // try to load a default profile char *profile_name = DEFAULT_USER_PROFILE; @@ -2096,6 +2094,10 @@ int main(int argc, char **argv) { else custom_profile = profile_find(profile_name, SYSCONFDIR); } + if (!custom_profile) { + fprintf(stderr, "Error: no default.profile installed\n"); + exit(1); + } if (custom_profile && !arg_quiet) printf("\n** Note: you can use --noprofile to disable %s.profile **\n\n", profile_name); -- cgit v1.2.3-70-g09d2 From afe9fe993293a27dc345f6bca2a4b7ea964120b8 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 19 Jul 2016 13:03:24 -0400 Subject: --read-write rework --- RELNOTES | 1 + src/bash_completion/firejail.bash_completion | 4 +++ src/firejail/firejail.h | 4 --- src/firejail/fs.c | 39 +++++++++++++++++++++++++--- src/firejail/fs_rdwr.c | 3 +++ src/firejail/main.c | 2 +- src/firejail/profile.c | 12 ++------- src/man/firejail.txt | 17 ++++++++---- todo | 2 +- 9 files changed, 60 insertions(+), 24 deletions(-) diff --git a/RELNOTES b/RELNOTES index 3ff1bf1ad..067bac4ea 100644 --- a/RELNOTES +++ b/RELNOTES 
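Review bot: The new error text in the hunk at `@@ -2096,6 +2094,10 @@` hard-codes `default.profile`, while the lookup above it uses `profile_name` and the `printf` just below prints `%s.profile` with that variable. If `profile_name` can hold anything other than the user default (its other assignments are outside the hunk), the message names the wrong file. `fprintf(stderr, "Error: no %s.profile installed\n", profile_name);` keeps the two in step. Failing closed when no profile is found is a behaviour change worth a line in the release notes, since an installation without the default profile now refuses to start instead of running unconfined.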
@@ -1,6 +1,7 @@ firejail (0.9.41) baseline; urgency=low * work in progress... * deprecated --user option, please use "sudo -u username firejail" instead + * --read-write opton rework * AppImage support (--appimage) * Sandbox auditing support (--audit) * remove environment variable (--rmenv) diff --git a/src/bash_completion/firejail.bash_completion b/src/bash_completion/firejail.bash_completion index 78bd622fc..d3dcd57d0 100644 --- a/src/bash_completion/firejail.bash_completion +++ b/src/bash_completion/firejail.bash_completion @@ -47,6 +47,10 @@ _firejail() _filedir return 0 ;; + --read-write) + _filedir + return 0 + ;; --bind) _filedir return 0 diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 8856986e6..29bb6c494 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -584,10 +584,6 @@ extern char *xephyr_screen; extern char *xephyr_extra_params; int checkcfg(int val); -// fs_rdwr.c -void fs_rdwr_add(const char *path); -void fs_rdwr(void); - // appimage.c void appimage_set(const char *appimage_path); void appimage_clear(void); diff --git a/src/firejail/fs.c b/src/firejail/fs.c index d426636d8..630458549 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -27,6 +27,8 @@ #include #include +static void fs_rdwr(const char *dir); + static void create_empty_dir(void) { struct stat s; @@ -229,6 +231,7 @@ typedef enum { MOUNT_READONLY, MOUNT_TMPFS, MOUNT_NOEXEC, + MOUNT_RDWR, OPERATION_MAX } OPERATION; @@ -329,6 +332,12 @@ static void disable_file(OPERATION op, const char *filename) { if (arg_debug) printf("Mounting read-only %s\n", fname); fs_rdonly(fname); +// todo: last_disable = SUCCESSFUL; + } + else if (op == MOUNT_RDWR) { + if (arg_debug) + printf("Mounting read-only %s\n", fname); + fs_rdwr(fname); // todo: last_disable = SUCCESSFUL; } else if (op == MOUNT_NOEXEC) { 
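Review bot: The new `MOUNT_RDWR` branch in `disable_file` prints `"Mounting read-only %s\n"`, copied from the `MOUNT_READONLY` branch above it, so `--debug` output states the opposite of what `fs_rdwr(fname)` does. Change it to `printf("Mounting read-write %s\n", fname);`. That debug line is what someone auditing a sandbox would read to learn which paths were made writable. `disable_file` starts and ends outside the hunk.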
@@ -492,6 +501,10 @@ void fs_blacklist(void) { ptr = entry->data + 10; op = MOUNT_READONLY; } + else if (strncmp(entry->data, "read-write ", 11) == 0) { + ptr = entry->data + 11; + op = MOUNT_RDWR; + } else if (strncmp(entry->data, "noexec ", 7) == 0) { ptr = entry->data + 7; op = MOUNT_NOEXEC; @@ -560,6 +573,29 @@ void fs_rdonly(const char *dir) { } } +static void fs_rdwr(const char *dir) { + assert(dir); + // check directory exists + struct stat s; + int rv = stat(dir, &s); + if (rv == 0) { + // if the file is outside /home directory, allow only root user + uid_t u = getuid(); + if (u != 0 && s.st_uid != u) { + fprintf(stderr, "Warning: you are not allowed to change %s to read-write\n", dir); + return; + } + + // mount --bind /bin /bin + if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mount read-write"); + // mount --bind -o remount,rw /bin + if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0) + errExit("mount read-write"); + fs_logger2("read-write", dir); + } +} + void fs_noexec(const char *dir) { assert(dir); // check directory exists @@ -757,9 +793,6 @@ void fs_basic_fs(void) { // firejail sandboxes (firejail --force) if (getuid() != 0) disable_firejail_config(); - - if (getuid() == 0) - fs_rdwr(); } diff --git a/src/firejail/fs_rdwr.c b/src/firejail/fs_rdwr.c index 68df6465f..e098be416 100644 --- a/src/firejail/fs_rdwr.c +++ b/src/firejail/fs_rdwr.c @@ -17,6 +17,7 @@ * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ +#if 0 #include "firejail.h" #include #include @@ -91,3 +92,5 @@ void fs_rdwr(void) { } } +#endif + diff --git a/src/firejail/main.c b/src/firejail/main.c index 703b9913b..25063700c 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c 
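Review bot: `fs_rdwr` checks ownership with `stat(dir, &s)` and then passes the same path string to `mount()` twice, so the object that was checked and the object that gets remounted read-write can differ if the path changes in between, and `stat` follows a symbolic link in the last component. The root-only gate in profile.c is removed in the same commit, so this is now the only check for non-root users. I would pin the object with a descriptor, run the ownership check with `fstat`, and mount through that descriptor, assuming /proc is usable at this stage of sandbox setup. The comment `if the file is outside /home directory, allow only root user` does not match the code, which tests `s.st_uid` only, and a missing path now returns silently where the removed `fs_rdwr_add` printed a warning.

```c
static void fs_rdwr(const char *dir) {
	assert(dir);
	// pin the object once; the ownership check and the bind mount both use this descriptor
	int fd = open(dir, O_PATH|O_CLOEXEC);
	if (fd == -1) {
		fprintf(stderr, "Warning: %s not found, skipping read-write command\n", dir);
		return;
	}
	struct stat s;
	if (fstat(fd, &s) == -1)
		errExit("fstat");

	// only root may change files owned by another user
	// ... unchanged: uid comparison and warning, with close(fd) before the return ...

	char *proc;
	if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
		errExit("asprintf");
	if (mount(proc, proc, NULL, MS_BIND|MS_REC, NULL) < 0)
		errExit("mount read-write");
	free(proc);
	close(fd);

	// the remount has to address the new mount: re-open and confirm it is the same object
	fd = open(dir, O_PATH|O_CLOEXEC);
	if (fd == -1)
		errExit("open");
	struct stat s2;
	if (fstat(fd, &s2) == -1)
		errExit("fstat");
	if (s2.st_dev != s.st_dev || s2.st_ino != s.st_ino) {
		fprintf(stderr, "Error: %s changed during read-write mount\n", dir);
		exit(1);
	}
	if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
		errExit("asprintf");
	if (mount(NULL, proc, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0)
		errExit("mount read-write");
	free(proc);
	close(fd);
	// ... unchanged: fs_logger2 call ...
}
```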
@@ -1206,7 +1206,7 @@ int main(int argc, char **argv) { errExit("asprintf"); profile_check_line(line, 0, NULL); // will exit if something wrong - // profile_add(line); is not necessary + profile_add(line); } else if (strcmp(argv[i], "--overlay") == 0) { if (cfg.chrootdir) { diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 40e2e4330..46ef0921d 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -716,16 +716,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { return 0; } - // read-write - if (strncmp(ptr, "read-write ", 11) == 0) { - if (getuid() != 0) { - fprintf(stderr, "Error: read-write command is available only for root user\n"); - exit(1); - } - fs_rdwr_add(ptr + 11); - return 0; - } - // rest of filesystem if (strncmp(ptr, "blacklist ", 10) == 0) ptr += 10; @@ -747,6 +737,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { } else if (strncmp(ptr, "read-only ", 10) == 0) ptr += 10; + else if (strncmp(ptr, "read-write ", 11) == 0) + ptr += 11; else if (strncmp(ptr, "noexec ", 7) == 0) ptr += 7; else if (strncmp(ptr, "tmpfs ", 6) == 0) { diff --git a/src/man/firejail.txt b/src/man/firejail.txt index f7079200e..fed573e6c 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
@@ -1183,17 +1183,24 @@ $ firejail \-\-read-only=~/.mozilla firefox A short note about mixing \-\-whitelist and \-\-read-only options. Whitelisted directories should be made read-only independently. Making a parent directory read-only, will not make the whitelist read-only. Example: +.br + .br $ firejail --whitelist=~/work --read-only=~ --read-only=~/work .TP \fB\-\-read-write=dirname_or_filename -By default, the sandbox mounts system directories read-only. -These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64. -Use this option to mount read-write files or directories inside the system directories. +Set directory or file read-write. Only files or directories belonging to the current user are allowed for +this operation. Example: +.br + +.br +$ mkdir ~/test +.br +$ touch ~/test/a +.br +$ firejail --read-only=~/test --read-write=~/test/a -This option is available only to root user. It has no effect when --chroot or --overlay are also set. In these -cases the system directories are mounted read-write. .TP \fB\-\-rlimit-fsize=number diff --git a/todo b/todo index 491f9d8eb..30e8f3949 100644 --- a/todo +++ b/todo @@ -245,4 +245,4 @@ References https://bestpractices.coreinfrastructure.org https://twit.tv/shows/floss-weekly/episodes/389 -@netblue30 \ No newline at end of file +22. add support for read-write and noexec to Firetools -- cgit v1.2.3-70-g09d2 From 6462230ff0e5cf09a1c35ee5c737c86765edaa09 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 19 Jul 2016 13:04:08 -0400 Subject: --read-write rework --- src/firejail/fs_rdwr.c | 96 -------------------------------------------------- 1 file changed, 96 deletions(-) delete mode 100644 src/firejail/fs_rdwr.c diff --git a/src/firejail/fs_rdwr.c b/src/firejail/fs_rdwr.c deleted file mode 100644 index e098be416..000000000 --- a/src/firejail/fs_rdwr.c +++ /dev/null 
@@ -1,96 +0,0 @@ -/* - * Copyright (C) 2014-2016 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ -#if 0 -#include "firejail.h" -#include -#include -#include -#include -#include - -typedef struct rdwr_t { - struct rdwr_t *next; - const char *path; -} RDWR; - -RDWR *rdwr = NULL; - -void fs_rdwr_add(const char *path) { - // verify path - if (*path != '/') { - fprintf(stderr, "Error: invalid path for read-write command\n"); - exit(1); - } - invalid_filename(path); - if (is_link(path)) { - fprintf(stderr, "Error: invalid symbolic link for read-write command\n"); - exit(1); - } - if (strstr(path, "..")) { - fprintf(stderr, "Error: invalid path for read-write command\n"); - exit(1); - } - - // print warning if the file doesn't exist - struct stat s; - if (stat(path, &s) == -1) { - fprintf(stderr, "Warning: %s not found, skipping read-write command\n", path); - return; - } - - // build list entry - RDWR *r = malloc(sizeof(RDWR)); - if (!r) - errExit("malloc"); - memset(r, 0, sizeof(RDWR)); - r->path = path; - - // add - r->next = rdwr; - rdwr = r; -} - -static void mount_rdwr(const char *path) { - assert(path); - // check directory exists - struct stat s; - int rv = stat(path, &s); - if (rv == 0) { - // mount --bind /bin /bin - if 
(mount(path, path, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount read-write"); - // mount --bind -o remount,rw /bin - if (mount(NULL, path, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0) - errExit("mount read-write"); - fs_logger2("read-write", path); - } -} - -void fs_rdwr(void) { - RDWR *ptr = rdwr; - - while (ptr) { - mount_rdwr(ptr->path); - ptr = ptr->next; - } -} - -#endif - -- cgit v1.2.3-70-g09d2 From bcfb0465a3eda584f2dcef5585117a6aaac83ff8 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 21 Jul 2016 08:52:09 -0400 Subject: audit fixes --- src/faudit/main.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/faudit/main.c b/src/faudit/main.c index 72c386cd1..6ff938d98 100644 --- a/src/faudit/main.c +++ b/src/faudit/main.c @@ -38,8 +38,9 @@ int main(int argc, char **argv) { // extract program name prog = realpath(argv[0], NULL); if (prog == NULL) { - fprintf(stderr, "Error: cannot extract the path of the audit program\n"); - return 1; + prog = strdup("faudit"); + if (!prog) + errExit("strdup"); } printf("INFO: starting %s.\n", prog); @@ -67,11 +68,11 @@ int main(int argc, char **argv) { // dbus dbus_test(); printf("\n"); - + // /dev test dev_test(); printf("\n"); - + free(prog); printf("--------------------------------------------------------------------------------\n"); -- cgit v1.2.3-70-g09d2 From 76a3248ab596149078b334949346f238092022f4 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 21 Jul 2016 09:12:44 -0400 Subject: snap profile fix --- etc/snap.profile | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/snap.profile b/etc/snap.profile index b7e6d9b19..270fdf1a5 100644 --- a/etc/snap.profile +++ b/etc/snap.profile @@ -6,6 +6,7 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc whitelist ~/snap +whitelist ${DOWNLOADS} include /etc/firejail/whitelist-common.inc caps.keep chown,sys_admin -- cgit v1.2.3-70-g09d2 
From d65d32dbc9f1b28871ba5e9e05ae6497e8be2176 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 21 Jul 2016 09:45:43 -0400 Subject: 0.9.42~rc1 testing --- RELNOTES | 10 +++++----- configure | 18 +++++++++--------- configure.ac | 2 +- 3 files changed, 15 insertions(+), 15 deletions(-) diff --git a/RELNOTES b/RELNOTES index 067bac4ea..30672819c 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,21 +1,21 @@ -firejail (0.9.41) baseline; urgency=low - * work in progress... +firejail (0.9.42~rc1) baseline; urgency=low * deprecated --user option, please use "sudo -u username firejail" instead - * --read-write opton rework + * --read-write option rework + * allow symlinks in home directory for --whitelist option * AppImage support (--appimage) * Sandbox auditing support (--audit) * remove environment variable (--rmenv) * noexec support (--noexec) + * Ubuntu snap support * include /dev/snd in --private-dev * added mkfile profile command * seccomp filter updated * compile time and run time support to disable whitelists * compile time support to disable global configuration file - * some profiles have been converted to private-bin * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice * new profiles: pix, audacity, strings, xz, xzdec, gzip, cpio, less * new profiles: Atom Beta, Atom, jitsi - -- netblue30 Tue, 31 May 2016 08:00:00 -0500 + -- netblue30 Thu, 21 Jul 2016 08:00:00 -0500 firejail (0.9.40) baseline; urgency=low * added --nice option diff --git a/configure b/configure index d7017e6d7..3596bfd82 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for firejail 0.9.41. +# Generated by GNU Autoconf 2.69 for firejail 0.9.42~rc1. # # Report bugs to . # 
@@ -580,8 +580,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='firejail' PACKAGE_TARNAME='firejail' -PACKAGE_VERSION='0.9.41' -PACKAGE_STRING='firejail 0.9.41' +PACKAGE_VERSION='0.9.42~rc1' +PACKAGE_STRING='firejail 0.9.42~rc1' PACKAGE_BUGREPORT='netblue30@yahoo.com' PACKAGE_URL='http://firejail.wordpress.com' @@ -1250,7 +1250,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures firejail 0.9.41 to adapt to many kinds of systems. +\`configure' configures firejail 0.9.42~rc1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1311,7 +1311,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of firejail 0.9.41:";; + short | recursive ) echo "Configuration of firejail 0.9.42~rc1:";; esac cat <<\_ACEOF @@ -1410,7 +1410,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -firejail configure 0.9.41 +firejail configure 0.9.42~rc1 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1712,7 +1712,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by firejail $as_me 0.9.41, which was +It was created by firejail $as_me 0.9.42~rc1, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4217,7 +4217,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by firejail $as_me 0.9.41, which was +This file was extended by firejail $as_me 0.9.42~rc1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -4271,7 +4271,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -firejail config.status 0.9.41 +firejail config.status 0.9.42~rc1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index 470c55d37..7ff04cd71 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ([2.68]) -AC_INIT(firejail, 0.9.41, netblue30@yahoo.com, , http://firejail.wordpress.com) +AC_INIT(firejail, 0.9.42~rc1, netblue30@yahoo.com, , http://firejail.wordpress.com) AC_CONFIG_SRCDIR([src/firejail/main.c]) #AC_CONFIG_HEADERS([config.h]) -- cgit v1.2.3-70-g09d2 From 6a7a3c938e0b4a6af76b855e6039eeffb4f34b37 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sun, 24 Jul 2016 10:17:49 +1000 Subject: added eom profile --- etc/eom.profile | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 etc/eom.profile diff --git a/etc/eom.profile b/etc/eom.profile new file mode 100644 index 000000000..81d993e96 --- /dev/null +++ b/etc/eom.profile @@ -0,0 +1,20 @@ +# Firejail profile for Eye of Mate (eom) +noblacklist ~/.config/mate/eom + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +shell none +tracelog + +private-bin eom +private-dev -- cgit v1.2.3-70-g09d2 From 4f54836eecd4881f78b6ba97a08e62a1607176b0 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sun, 24 Jul 2016 10:18:12 +1000 Subject: extra eom files --- Makefile.in | 1 + README | 1 + README.md | 6 +++--- RELNOTES | 2 +- etc/disable-programs.inc | 1 + platform/debian/conffiles | 1 + src/firecfg/firecfg.config | 1 + 7 files changed, 9 insertions(+), 4 deletions(-) 
diff --git a/Makefile.in b/Makefile.in index db326d2db..c6147cee7 100644 --- a/Makefile.in +++ b/Makefile.in @@ -223,6 +223,7 @@ realinstall: install -c -m 0644 .etc/atom-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/atom.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/jitsi.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/eom.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/. rm -fr .etc diff --git a/README b/README index 2055c221c..1c9d85d65 100644 --- a/README +++ b/README @@ -59,6 +59,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - several private-bin conversions - added jitsi profile - pidgin private-bin conversion + - added eom profile Jaykishan Mutkawoa (https://github.com/jmutkawoa) - cpio profile Paupiah Yash (https://github.com/CaffeinatedStud) diff --git a/README.md b/README.md index f36bbc3ae..3ab6f43be 100644 --- a/README.md +++ b/README.md @@ -136,9 +136,9 @@ BitTorrent: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt, ug File transfer: filezilla -Media: vlc, mpv, gnome-mplayer, audacity, rhythmbox, spotify, xplayer, xviewer +Media: vlc, mpv, gnome-mplayer, audacity, rhythmbox, spotify, xplayer, xviewer, eom -Office: evince, gthumb, fbreader, pix, atril, xreader +Office: evince, gthumb, fbreader, pix, atril, xreader, Chat/messaging: qtox, gitter, pidgin @@ -152,5 +152,5 @@ Browsers: Palemoon ## New security profiles -Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi +Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom diff --git a/RELNOTES b/RELNOTES index 30672819c..be65b9fca 100644 
--- a/RELNOTES +++ b/RELNOTES @@ -14,7 +14,7 @@ firejail (0.9.42~rc1) baseline; urgency=low * compile time support to disable global configuration file * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice * new profiles: pix, audacity, strings, xz, xzdec, gzip, cpio, less - * new profiles: Atom Beta, Atom, jitsi + * new profiles: Atom Beta, Atom, jitsi, eom -- netblue30 Thu, 21 Jul 2016 08:00:00 -0500 firejail (0.9.40) baseline; urgency=low diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 837ac1e4c..0f155351d 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -20,6 +20,7 @@ blacklist ${HOME}/.config/xreader blacklist ${HOME}/.config/xviewer blacklist ${HOME}/.config/libreoffice blacklist ${HOME}/.config/pix +blacklist ${HOME}/.config/mate/eom blacklist ${HOME}/.kde/share/apps/okular blacklist ${HOME}/.kde/share/config/okularrc blacklist ${HOME}/.kde/share/config/okularpartrc diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 3bbd93d3c..24884228e 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -129,3 +129,4 @@ /etc/firejail/atom-beta.profile /etc/firejail/atom.profile /etc/firejail/jitsi.profile +/etc/firejail/eom.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index ba975c4b4..5909ab4fe 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -98,6 +98,7 @@ totem vlc xplayer xviewer +eom # news readers quiterss -- cgit v1.2.3-70-g09d2 From a22b20973b58f9eb88555b94078f92855af54f68 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sun, 24 Jul 2016 13:36:50 +1000 Subject: added missing programmes --- src/firecfg/firecfg.config | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 5909ab4fe..48e205a58 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config 
@@ -40,6 +40,7 @@ midori netsurf opera-beta opera +palemoon qutebrowser seamonkey seamonkey-bin @@ -111,10 +112,11 @@ fbreader gwenview gthumb libreoffice +localc lodraw loffice lofromtemplate -loimpres +loimpress lomath loweb lowriter -- cgit v1.2.3-70-g09d2 From e8a99ca706b934f8c6f2b918b7207febeecd43b2 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 24 Jul 2016 08:42:50 -0400 Subject: 0.9.42~rc2 development --- README.md | 4 +++- configure | 18 +++++++++--------- configure.ac | 2 +- 3 files changed, 13 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 3ab6f43be..5e9c2e3f2 100644 --- a/README.md +++ b/README.md @@ -34,7 +34,9 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ ````` ````` -# Current development version: 0.9.41 +# Current development version: 0.9.42~rc2 + +Version 0.9.41~rc1 was released. ## Deprecated --user diff --git a/configure b/configure index 3596bfd82..cd4be9296 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for firejail 0.9.42~rc1. +# Generated by GNU Autoconf 2.69 for firejail 0.9.42~rc2. # # Report bugs to . # @@ -580,8 +580,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='firejail' PACKAGE_TARNAME='firejail' -PACKAGE_VERSION='0.9.42~rc1' -PACKAGE_STRING='firejail 0.9.42~rc1' +PACKAGE_VERSION='0.9.42~rc2' +PACKAGE_STRING='firejail 0.9.42~rc2' PACKAGE_BUGREPORT='netblue30@yahoo.com' PACKAGE_URL='http://firejail.wordpress.com' @@ -1250,7 +1250,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures firejail 0.9.42~rc1 to adapt to many kinds of systems. +\`configure' configures firejail 0.9.42~rc2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... 
@@ -1311,7 +1311,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of firejail 0.9.42~rc1:";; + short | recursive ) echo "Configuration of firejail 0.9.42~rc2:";; esac cat <<\_ACEOF @@ -1410,7 +1410,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -firejail configure 0.9.42~rc1 +firejail configure 0.9.42~rc2 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1712,7 +1712,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by firejail $as_me 0.9.42~rc1, which was +It was created by firejail $as_me 0.9.42~rc2, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4217,7 +4217,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by firejail $as_me 0.9.42~rc1, which was +This file was extended by firejail $as_me 0.9.42~rc2, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -4271,7 +4271,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -firejail config.status 0.9.42~rc1 +firejail config.status 0.9.42~rc2 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index 7ff04cd71..c22228d0f 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ([2.68]) -AC_INIT(firejail, 0.9.42~rc1, netblue30@yahoo.com, , http://firejail.wordpress.com) +AC_INIT(firejail, 0.9.42~rc2, netblue30@yahoo.com, , http://firejail.wordpress.com) AC_CONFIG_SRCDIR([src/firejail/main.c]) #AC_CONFIG_HEADERS([config.h]) -- cgit v1.2.3-70-g09d2 
From c9acc69dcc12f937c5abdde64e4f115bbf38a7a5 Mon Sep 17 00:00:00 2001 From: Reiner Herrmann Date: Sun, 24 Jul 2016 23:29:14 +0200 Subject: Fix spelling errors found by lintian --- README.md | 2 +- src/faudit/files.c | 2 +- src/man/firejail.txt | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 5e9c2e3f2..63b9edb04 100644 --- a/README.md +++ b/README.md @@ -49,7 +49,7 @@ Symlinks outside user home directories are allowed: --whitelist=dirname_or_filename Whitelist directory or file. This feature is implemented only for user home, /dev, /media, /opt, /var, and /tmp directories. - With the exeception of user home, both the link and the real + With the exception of user home, both the link and the real file should be in the same top directory. Example: diff --git a/src/faudit/files.c b/src/faudit/files.c index e27d3436a..67b43f22b 100644 --- a/src/faudit/files.c +++ b/src/faudit/files.c @@ -44,7 +44,7 @@ static void check_home_file(const char *name) { void files_test(void) { struct passwd *pw = getpwuid(getuid()); if (!pw) { - fprintf(stderr, "Error: cannot retrive user account information\n"); + fprintf(stderr, "Error: cannot retrieve user account information\n"); return; } diff --git a/src/man/firejail.txt b/src/man/firejail.txt index fed573e6c..c9e24380c 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -1522,7 +1522,7 @@ firejail version 0.9.27 .TP \fB\-\-whitelist=dirname_or_filename Whitelist directory or file. This feature is implemented only for user home, /dev, /media, /opt, /var, and /tmp directories. -With the exeception of user home, both the link and the real file should be in +With the exception of user home, both the link and the real file should be in the same top directory. .br -- cgit v1.2.3-70-g09d2 From da19d2d1b371ccff4cd30385075a7b9cb036df00 Mon Sep 17 00:00:00 2001 
From: Reiner Herrmann Date: Mon, 25 Jul 2016 00:11:16 +0200 Subject: Simplify dist target and add missing test/sysutils to tarball --- Makefile.in | 23 ++++++++--------------- test/filters/seccomp-dualfilter.exp | 4 ++-- 2 files changed, 10 insertions(+), 17 deletions(-) diff --git a/Makefile.in b/Makefile.in index c6147cee7..0903e3b8d 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -284,24 +284,17 @@ uninstall: rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg +DISTFILES = "src etc platform configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh COPYING README RELNOTES" +DISTFILES_TEST = "test/apps test/apps-x11 test/environment test/profiles test/utils test/compile test/dist-compile test/filters test/network test/fs test/sysutils" + dist: make distclean rm -fr $(NAME)-$(VERSION) $(NAME)-$(VERSION).tar.bz2 - mkdir $(NAME)-$(VERSION) - cd $(NAME)-$(VERSION); cp -a ../src .; cp -a ../etc .; cp -a ../platform .; rm -fr src/tools; cd .. - cd $(NAME)-$(VERSION); cp -a ../configure .; cp -a ../configure.ac .; cp -a ../Makefile.in .; cp -a ../install.sh .; cp -a ../mkman.sh .; cp -a ../mketc.sh .; cp -a ../mkdeb.sh .;cd .. - cd $(NAME)-$(VERSION); cp -a ../COPYING .; cp -a ../README .; cp -a ../RELNOTES .; cd .. - cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/profiles test/.; cd .. - cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/apps test/.; cd .. - cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/utils test/.; cd .. - cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/apps-x11 test/.; cd .. - cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/environment test/.; cd .. - cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/compile test/.; cd .. - cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/dist-compile test/.; cd .. - cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/filters test/.; cd .. - cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/network test/.; cd .. - cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/fs test/.; cd .. - cd $(NAME)-$(VERSION); rm -fr `find . -name .svn`; rm -fr $(NAME)-$(VERSION); cd .. 
+ mkdir -p $(NAME)-$(VERSION)/test + cp -a "$(DISTFILES)" $(NAME)-$(VERSION) + cp -a "$(DISTFILES_TEST)" $(NAME)-$(VERSION)/test + rm -rf $(NAME)-$(VERSION)/src/tools + find $(NAME)-$(VERSION) -name .svn -delete tar -cjvf $(NAME)-$(VERSION).tar.bz2 $(NAME)-$(VERSION) rm -fr $(NAME)-$(VERSION) diff --git a/test/filters/seccomp-dualfilter.exp b/test/filters/seccomp-dualfilter.exp index c75063672..8a48130b3 100755 --- a/test/filters/seccomp-dualfilter.exp +++ b/test/filters/seccomp-dualfilter.exp @@ -9,13 +9,13 @@ match_max 100000 send -- "./syscall_test\r" expect { - timeout {puts "TESTING SKIP: 64-bit support missing\n";exit} + timeout {puts "\nTESTING SKIP: 64-bit support missing\n";exit} "Usage" } send -- "./syscall_test32\r" expect { - timeout {puts "TESTING SKIP: 32-bit support missing\n";exit} + timeout {puts "\nTESTING SKIP: 32-bit support missing\n";exit} "Usage" } -- cgit v1.2.3-70-g09d2 From 23bd0c41457262e7ef5223a187e3c15e44be039c Mon Sep 17 00:00:00 2001 
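Review bot: In the new `dist` recipe, `find $(NAME)-$(VERSION) -name .svn -delete` will not remove a populated `.svn` directory, because `-delete` cannot remove a non-empty directory, so version-control metadata could end up in the release tarball; the removed recipe used `rm -fr` for this. Something like `find $(NAME)-$(VERSION) -name .svn -prune -exec rm -rf {} +` keeps the old behaviour. The `DISTFILES`/`DISTFILES_TEST` values also carry literal double quotes and are quoted again in `cp -a "$(DISTFILES)" ...`; the copy works only because the two pairs of quotes cancel in the shell, so dropping the quotes in both places would make the word splitting intentional.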
From: netblue30 Date: Mon, 25 Jul 2016 12:29:00 -0400 Subject: argument subsystem testing framework --- README | 1 + test/arguments/arguments.sh | 17 +++++++++ test/arguments/bashrun.exp | 86 ++++++++++++++++++++++++++++++++++++++++++ test/arguments/bashrun.sh | 22 +++++++++++ test/arguments/joinrun.exp | 91 +++++++++++++++++++++++++++++++++++++++++++++ test/arguments/joinrun.sh | 22 +++++++++++ test/arguments/main.c | 31 +++++++++++++++ test/arguments/outrun.exp | 90 ++++++++++++++++++++++++++++++++++++++++++++ test/arguments/outrun.sh | 22 +++++++++++ test/arguments/readme | 9 +++++ test/arguments/symrun.exp | 71 +++++++++++++++++++++++++++++++++++ test/arguments/symrun.sh | 27 ++++++++++++++ 12 files changed, 489 insertions(+) create mode 100755 test/arguments/arguments.sh create mode 100755 test/arguments/bashrun.exp create mode 100755 test/arguments/bashrun.sh create mode 100755 test/arguments/joinrun.exp create mode 100755 test/arguments/joinrun.sh create mode 100644 test/arguments/main.c create mode 100755 test/arguments/outrun.exp create mode 100755 test/arguments/outrun.sh create mode 100644 test/arguments/readme create mode 100755 test/arguments/symrun.exp create mode 100755 test/arguments/symrun.sh diff --git a/README b/README index 1c9d85d65..cb8b185fb 100644 --- a/README +++ b/README @@ -32,6 +32,7 @@ Aleksey Manevich (https://github.com/manevich) - fix problem with relative path in storage_find function - fix build for systems without bash - fix double quotes/single quotes problem + - big rework of argument processing subsytem Fred-Barclay (https://github.com/Fred-Barclay) - added Vivaldi, Atril profiles - added PaleMoon profile diff --git a/test/arguments/arguments.sh b/test/arguments/arguments.sh new file mode 100755 index 000000000..a9b3f9587 --- /dev/null +++ b/test/arguments/arguments.sh 
@@ -0,0 +1,17 @@ +#!/bin/bash + +echo "TESTING: 1. regular bash session" +./bashrun.exp + +echo "TESTING: 2. symbolic link to firejail" +./symrun.exp + +echo "TESTING: 3. --join option" +./joinrun.exp + +echo "TESTING: 4. --output option" +./outrun.exp +rm out +rm out.* + + diff --git a/test/arguments/bashrun.exp b/test/arguments/bashrun.exp new file mode 100755 index 000000000..a3c9e382d --- /dev/null +++ b/test/arguments/bashrun.exp @@ -0,0 +1,86 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "./bashrun.sh\r" +expect { + timeout {puts "TESTING ERROR 1.1.1\n";exit} + "Arguments:" +} +expect { + timeout {puts "TESTING ERROR 1.1.2\n";exit} + "#arg1#" +} +expect { + timeout {puts "TESTING ERROR 1.1.3\n";exit} + "#arg2#" +} + +expect { + timeout {puts "TESTING ERROR 1.2.1\n";exit} + "Arguments:" +} +expect { + timeout {puts "TESTING ERROR 1.2.2\n";exit} + "#arg1 tail#" +} +expect { + timeout {puts "TESTING ERROR 1.2.3\n";exit} + "#arg2 tail#" +} + +expect { + timeout {puts "TESTING ERROR 1.3.1\n";exit} + "Arguments:" +} +expect { + timeout {puts "TESTING ERROR 1.3.2\n";exit} + "#arg1 tail#" +} +expect { + timeout {puts "TESTING ERROR 1.3.3\n";exit} + "#arg2 tail#" +} + +expect { + timeout {puts "TESTING ERROR 1.4.1\n";exit} + "Arguments:" +} +expect { + timeout {puts "TESTING ERROR 1.4.2\n";exit} + "#arg1 tail#" +} +expect { + timeout {puts "TESTING ERROR 1.4.3\n";exit} + "#arg2 tail#" +} + +expect { + timeout {puts "TESTING ERROR 1.5.1\n";exit} + "Arguments:" +} +expect { + timeout {puts "TESTING ERROR 1.5.2\n";exit} + "#arg1&tail#" +} +expect { + timeout {puts "TESTING ERROR 1.5.3\n";exit} + "#arg2&tail#" +} + +expect { + timeout {puts "TESTING ERROR 1.6.1\n";exit} + "Arguments:" +} +expect { + timeout {puts "TESTING ERROR 1.6.2\n";exit} + "#arg1&tail#" +} +expect { + timeout {puts "TESTING ERROR 1.6.3\n";exit} + "#arg2&tail#" +} + +puts "\nall done\n" 
diff --git a/test/arguments/bashrun.sh b/test/arguments/bashrun.sh new file mode 100755 index 000000000..c2f209548 --- /dev/null +++ b/test/arguments/bashrun.sh @@ -0,0 +1,22 @@ +#!/bin/bash + +echo "TESTING: 1.1 - simple args" +firejail --quiet ./argtest arg1 arg2 + +# simple quotes, testing spaces in file names +echo "TESTING: 1.2 - args with space and \"" +firejail --quiet ./argtest "arg1 tail" "arg2 tail" + +echo "TESTING: 1.3 - args with space and '" +firejail --quiet ./argtest 'arg1 tail' 'arg2 tail' + +# escaped space in file names +echo "TESTING: 1.4 - args with space and \\" +firejail --quiet ./argtest arg1\ tail arg2\ tail + +# & char appears in URLs - URLs should be quoted +echo "TESTING: 1.5 - args with & and \"" +firejail --quiet ./argtest "arg1&tail" "arg2&tail" + +echo "TESTING: 1.6 - args with & and '" +firejail --quiet ./argtest 'arg1&tail' 'arg2&tail' diff --git a/test/arguments/joinrun.exp b/test/arguments/joinrun.exp new file mode 100755 index 000000000..8e8570e4f --- /dev/null +++ b/test/arguments/joinrun.exp 
@@ -0,0 +1,91 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + + +send -- "firejail --name=joinrun\r" +sleep 2 + +spawn $env(SHELL) +send -- "./joinrun.sh\r" +expect { + timeout {puts "TESTING ERROR 3.1.1\n";exit} + "Arguments:" +} +expect { + timeout {puts "TESTING ERROR 3.1.2\n";exit} + "#arg1#" +} +expect { + timeout {puts "TESTING ERROR 3.1.3\n";exit} + "#arg2#" +} + +expect { + timeout {puts "TESTING ERROR 3.2.1\n";exit} + "Arguments:" +} +expect { + timeout {puts "TESTING ERROR 3.2.2\n";exit} + "#arg1 tail#" +} +expect { + timeout {puts "TESTING ERROR 3.2.3\n";exit} + "#arg2 tail#" +} + +expect { + timeout {puts "TESTING ERROR 3.3.1\n";exit} + "Arguments:" +} +expect { + timeout {puts "TESTING ERROR 3.3.2\n";exit} + "#arg1 tail#" +} +expect { + timeout {puts "TESTING ERROR 3.3.3\n";exit} + "#arg2 tail#" +} + +expect { + timeout {puts "TESTING ERROR 3.4.1\n";exit} + "Arguments:" +} +expect { + timeout {puts "TESTING ERROR 3.4.2\n";exit} + "#arg1 tail#" +} +expect { + timeout {puts "TESTING ERROR 3.4.3\n";exit} + "#arg2 tail#" +} + +expect { + timeout {puts "TESTING ERROR 3.5.1\n";exit} + "Arguments:" +} +expect { + timeout {puts "TESTING ERROR 3.5.2\n";exit} + "#arg1&tail#" +} +expect { + timeout {puts "TESTING ERROR 3.5.3\n";exit} + "#arg2&tail#" +} + +expect { + timeout {puts "TESTING ERROR 3.6.1\n";exit} + "Arguments:" +} +expect { + timeout {puts "TESTING ERROR 3.6.2\n";exit} + "#arg1&tail#" +} +expect { + timeout {puts "TESTING ERROR 3.6.3\n";exit} + "#arg2&tail#" +} + +puts "\nall done\n" diff --git a/test/arguments/joinrun.sh b/test/arguments/joinrun.sh new file mode 100755 index 000000000..f6c2b2e22 --- /dev/null +++ b/test/arguments/joinrun.sh 
@@ -0,0 +1,22 @@ +#!/bin/bash + +echo "TESTING: 3.1 - simple args" +firejail --join=joinrun ./argtest arg1 arg2 + +# simple quotes, testing spaces in file names +echo "TESTING: 3.2 - args with space and \"" +firejail --quiet ./argtest "arg1 tail" "arg2 tail" + +echo "TESTING: 3.3 - args with space and '" +firejail --quiet ./argtest 'arg1 tail' 'arg2 tail' + +# escaped space in file names +echo "TESTING: 3.4 - args with space and \\" +firejail --quiet ./argtest arg1\ tail arg2\ tail + +# & char appears in URLs - URLs should be quoted +echo "TESTING: 3.5 - args with & and \"" +firejail --quiet ./argtest "arg1&tail" "arg2&tail" + +echo "TESTING: 3.6 - args with & and '" +firejail --quiet ./argtest 'arg1&tail' 'arg2&tail' diff --git a/test/arguments/main.c b/test/arguments/main.c new file mode 100644 index 000000000..75bdca715 --- /dev/null +++ b/test/arguments/main.c @@ -0,0 +1,31 @@ +/* + * Copyright (C) 2014-2016 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include + +int main(int argc, char **argv) { + printf("Arguments:\n"); + + int i; + for (i = 0; i < argc; i++) { + printf("#%s#\n", argv[i]); + } + + return 0; +} 
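Review bot: Only test 3.1 in joinrun.sh passes `--join=joinrun`; tests 3.2 through 3.6 run `firejail --quiet ./argtest ...`, which starts a fresh sandbox and repeats the bashrun.sh cases instead of exercising argument handling on the join path. Each of those lines should use the join form, for example `firejail --join=joinrun ./argtest "arg1 tail" "arg2 tail"`. As written, a quoting regression in the join code would go unnoticed for every case except plain arguments.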
diff --git a/test/arguments/outrun.exp b/test/arguments/outrun.exp new file mode 100755 index 000000000..d28e75661 --- /dev/null +++ b/test/arguments/outrun.exp @@ -0,0 +1,90 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "./outrun.sh\r" +expect { + timeout {puts "TESTING ERROR 4.1.1\n";exit} + "Arguments:" +} +expect { + timeout {puts "TESTING ERROR 4.1.2\n";exit} + "#arg1#" +} +expect { + timeout {puts "TESTING ERROR 4.1.3\n";exit} + "#arg2#" +} + +exit +#*************************************************** +# breaking down from here on - bug to fix +#*************************************************** +expect { + timeout {puts "TESTING ERROR 4.2.1\n";exit} + "Arguments:" +} +expect { + timeout {puts "TESTING ERROR 4.2.2\n";exit} + "#arg1 tail#" +} +expect { + timeout {puts "TESTING ERROR 4.2.3\n";exit} + "#arg2 tail#" +} + +expect { + timeout {puts "TESTING ERROR 4.3.1\n";exit} + "Arguments:" +} +expect { + timeout {puts "TESTING ERROR 4.3.2\n";exit} + "#arg1 tail#" +} +expect { + timeout {puts "TESTING ERROR 4.3.3\n";exit} + "#arg2 tail#" +} + +expect { + timeout {puts "TESTING ERROR 4.4.1\n";exit} + "Arguments:" +} +expect { + timeout {puts "TESTING ERROR 4.4.2\n";exit} + "#arg1 tail#" +} +expect { + timeout {puts "TESTING ERROR 4.4.3\n";exit} + "#arg2 tail#" +} + +expect { + timeout {puts "TESTING ERROR 4.5.1\n";exit} + "Arguments:" +} +expect { + timeout {puts "TESTING ERROR 4.5.2\n";exit} + "#arg1&tail#" +} +expect { + timeout {puts "TESTING ERROR 4.5.3\n";exit} + "#arg2&tail#" +} + +expect { + timeout {puts "TESTING ERROR 4.6.1\n";exit} + "Arguments:" +} +expect { + timeout {puts "TESTING ERROR 4.6.2\n";exit} + "#arg1&tail#" +} +expect { + timeout {puts "TESTING ERROR 4.6.3\n";exit} + "#arg2&tail#" +} + +puts "\nall done\n" diff --git a/test/arguments/outrun.sh b/test/arguments/outrun.sh new file mode 100755 index 000000000..cfd8e684c --- /dev/null +++ b/test/arguments/outrun.sh 
@@ -0,0 +1,22 @@ +#!/bin/bash + +echo "TESTING: 4.1 - simple args" +firejail --output=out ./argtest arg1 arg2 + +# simple quotes, testing spaces in file names +echo "TESTING: 4.2 - args with space and \"" +firejail --output=out ./argtest "arg1 tail" "arg2 tail" + +echo "TESTING: 4.3 - args with space and '" +firejail --output=out ./argtest 'arg1 tail' 'arg2 tail' + +# escaped space in file names +echo "TESTING: 4.4 - args with space and \\" +firejail --output=out ./argtest arg1\ tail arg2\ tail + +# & char appears in URLs - URLs should be quoted +echo "TESTING: 4.5 - args with & and \"" +firejail --output=out ./argtest "arg1&tail" "arg2&tail" + +echo "TESTING: 4.6 - args with & and '" +firejail --output=out ./argtest 'arg1&tail' 'arg2&tail' diff --git a/test/arguments/readme b/test/arguments/readme new file mode 100644 index 000000000..f5844848e --- /dev/null +++ b/test/arguments/readme @@ -0,0 +1,9 @@ +Argument testing fremework for Firejail. + +A small test program, argtest, is compiled and installed in /usr/local/bin directory. +Run "make && sudo make install" to install it. + +Run "make test" to run the tests. + +Run "make uninstall" to remove the test program. + diff --git a/test/arguments/symrun.exp b/test/arguments/symrun.exp new file mode 100755 index 000000000..1466b791e --- /dev/null +++ b/test/arguments/symrun.exp 
@@ -0,0 +1,71 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "./bashrun.sh\r" +expect { + timeout {puts "TESTING ERROR 2.1.1\n";exit} + "Arguments:" +} +expect { + timeout {puts "TESTING ERROR 2.1.2\n";exit} + "#arg1#" +} +expect { + timeout {puts "TESTING ERROR 2.1.3\n";exit} + "#arg2#" +} + +expect { + timeout {puts "TESTING ERROR 2.3.1\n";exit} + "Arguments:" +} +expect { + timeout {puts "TESTING ERROR 2.3.2\n";exit} + "#arg1 tail#" +} +expect { + timeout {puts "TESTING ERROR 2.3.3\n";exit} + "#arg2 tail#" +} + +expect { + timeout {puts "TESTING ERROR 2.4.1\n";exit} + "Arguments:" +} +expect { + timeout {puts "TESTING ERROR 2.4.2\n";exit} + "#arg1 tail#" +} +expect { + timeout {puts "TESTING ERROR 2.4.3\n";exit} + "#arg2 tail#" +} + +expect { + timeout {puts "TESTING ERROR 2.5.1\n";exit} + "Arguments:" +} +expect { + timeout {puts "TESTING ERROR 2.5.2\n";exit} + "#arg1&tail#" +} +expect { + timeout {puts "TESTING ERROR 2.5.3\n";exit} + "#arg2&tail#" +} + +expect { + timeout {puts "TESTING ERROR 2.6.1\n";exit} + "Arguments:" +} +expect { + timeout {puts "TESTING ERROR 2.6.2\n";exit} + "#arg1&tail#" +} +expect { + timeout {puts "TESTING ERROR 2.6.3\n";exit} + "#arg2&tail#" +} diff --git a/test/arguments/symrun.sh b/test/arguments/symrun.sh new file mode 100755 index 000000000..b46803ae2 --- /dev/null +++ b/test/arguments/symrun.sh 
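Review bot: symrun.exp sends `./bashrun.sh` rather than `./symrun.sh`, so the symbolic-link invocation this test is named for never runs and the 2.x checks only re-verify the regular bash session. The send line should be `send -- "./symrun.sh\r"`. The script also has no expectations for case 2.2 and no closing `puts "\nall done\n"`, unlike the sibling .exp files in this commit.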
@@ -0,0 +1,27 @@ +#!/bin/bash + +mkdir symtest +ln -s /usr/bin/firejail symtest/argtest + +echo "TESTING: 2.1 - simple args" +symtest/argtest arg1 arg2 + +# simple quotes, testing spaces in file names +echo "TESTING: 2.2 - args with space and \"" +symtest/argtest "arg1 tail" "arg2 tail" + +echo "TESTING: 2.3 - args with space and '" +symtest/argtest 'arg1 tail' 'arg2 tail' + +# escaped space in file names +echo "TESTING: 2.4 - args with space and \\" +symtest/argtest arg1\ tail arg2\ tail + +# & char appears in URLs - URLs should be quoted +echo "TESTING: 2.5 - args with & and \"" +symtest/argtest "arg1&tail" "arg2&tail" + +echo "TESTING: 2.6 - args with & and '" +symtest/argtest 'arg1&tail' 'arg2&tail' + +rm -fr symtest -- cgit v1.2.3-70-g09d2 From 5a48bfcc404e7a49f5d9ad0f44bacff44910a102 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 25 Jul 2016 17:05:37 -0400 Subject: fixes --- src/firejail/fs_mkdir.c | 43 ++++++++++++++++++++++++++++++++----------- 1 file changed, 32 insertions(+), 11 deletions(-) diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c index c4ce52079..50bcc613b 100644 --- a/src/firejail/fs_mkdir.c +++ b/src/firejail/fs_mkdir.c @@ -42,8 +42,20 @@ void fs_mkdir(const char *name) { } // create directory - if (mkdir(expanded, 0700) == -1) - fprintf(stderr, "Warning: cannot create %s directory\n", expanded); + pid_t child = fork(); + if (child < 0) + errExit("fork"); + if (child == 0) { + // drop privileges + drop_privs(0); + + // create directory + if (mkdir(expanded, 0700) == -1) + fprintf(stderr, "Warning: cannot create %s directory\n", expanded); + exit(0); + } + // wait for the child to finish + waitpid(child, NULL, 0); doexit: free(expanded); 
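Review bot: The forked child in fs_mkdir() ends with `exit(0)` even when `mkdir()` failed, and the parent calls `waitpid(child, NULL, 0)` without looking at the status, so the privileged parent can never tell whether the directory exists; the same pattern is in the fs_mkfile() hunk of this commit. Having the child report failure through its exit status and checking `WIFEXITED`/`WEXITSTATUS` in the parent would let later setup steps react. In a forked child, `_exit()` is also the safer call, since `exit()` flushes stdio buffers inherited from the parent a second time and runs any atexit handlers the parent registered. The function body starts and ends outside this hunk, so how `expanded` is validated is not visible here.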
@@ -67,16 +79,25 @@ void fs_mkfile(const char *name) { } // create file - FILE *fp = fopen(expanded, "w"); - if (!fp) - fprintf(stderr, "Warning: cannot create %s file\n", expanded); - else { - fclose(fp); - int rv = chown(expanded, getuid(), getgid()); - (void) rv; - rv = chmod(expanded, 0600); - (void) rv; + pid_t child = fork(); + if (child < 0) + errExit("fork"); + if (child == 0) { + // drop privileges + drop_privs(0); + + FILE *fp = fopen(expanded, "w"); + if (!fp) + fprintf(stderr, "Warning: cannot create %s file\n", expanded); + else { + fclose(fp); + int rv = chmod(expanded, 0600); + (void) rv; + } + exit(0); } + // wait for the child to finish + waitpid(child, NULL, 0); doexit: free(expanded); -- cgit v1.2.3-70-g09d2 From 9d5906c708bc5123377879bc0511ed5d7fe85852 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 27 Jul 2016 08:05:51 -0400 Subject: fixed faudit compile problem for non-intel platforms --- src/faudit/seccomp.c | 3 ++- src/faudit/syscall.c | 4 ++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/src/faudit/seccomp.c b/src/faudit/seccomp.c index 6f5d23c48..7b2999467 100644 --- a/src/faudit/seccomp.c +++ b/src/faudit/seccomp.c @@ -86,12 +86,13 @@ void seccomp_test(void) { printf("pivot_root... "); fflush(0); syscall_run("pivot_root"); +#if defined(__i386__) || defined(__x86_64__) printf("iopl... "); fflush(0); syscall_run("iopl"); printf("ioperm... "); fflush(0); syscall_run("ioperm"); - +#endif printf("\n"); } else diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c index bc28936c9..9924be00f 100644 --- a/src/faudit/syscall.c +++ b/src/faudit/syscall.c @@ -20,7 +20,9 @@ #include "faudit.h" #include #include +#if defined(__i386__) || defined(__x86_64__) #include +#endif #include extern int init_module(void *module_image, unsigned long len, const char *param_values); 
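Review bot: In the fs_mkfile() child, the mode is set by path after the stream is closed (`fclose(fp)` then `chmod(expanded, 0600)`), so the path is resolved a second time and the file briefly exists with whatever mode the umask allows. Setting the mode on the open descriptor avoids both: `fchmod(fileno(fp), 0600);` followed by `fclose(fp);`. The impact is limited because the child has already called `drop_privs(0)`, but the descriptor-based call is the more robust form. The function continues outside this hunk.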
@@ -69,6 +71,7 @@ void syscall_helper(int argc, char **argv) { pivot_root(NULL, NULL); printf("\nUGLY: pivot_root syscall permitted.\n"); } +#if defined(__i386__) || defined(__x86_64__) else if (strcmp(argv[2], "iopl") == 0) { iopl(0L); printf("\nUGLY: iopl syscall permitted.\n"); @@ -77,6 +80,7 @@ void syscall_helper(int argc, char **argv) { ioperm(0, 0, 0); printf("\nUGLY: ioperm syscall permitted.\n"); } +#endif exit(0); } -- cgit v1.2.3-70-g09d2 From 9750045412d652076310772266b143b1b289f00e Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Wed, 27 Jul 2016 21:44:32 +0300 Subject: Honor --nice option when joining --- src/firejail/join.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/firejail/join.c b/src/firejail/join.c index 47d31669d..504748331 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c @@ -23,6 +23,7 @@ #include #include #include +#include static int apply_caps = 0; static uint64_t caps = 0; @@ -338,6 +339,17 @@ void join(pid_t pid, int argc, char **argv, int index) { if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0) errExit("setenv"); + // set nice + if (arg_nice) { + errno = 0; + int rv = nice(cfg.nice); + (void) rv; + if (errno) { + fprintf(stderr, "Warning: cannot set nice value\n"); + errno = 0; + } + } + // run cmdline trough /bin/bash if (cfg.command_line == NULL) { struct stat s; -- cgit v1.2.3-70-g09d2 From db9e3fae364eef5720baa98f8263a7563021fb26 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Wed, 27 Jul 2016 21:47:54 +0300 Subject: Honor --shell option when joining --- src/firejail/join.c | 87 +++++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 64 insertions(+), 23 deletions(-) diff --git a/src/firejail/join.c b/src/firejail/join.c index 504748331..c14108986 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c 
@@ -352,17 +352,25 @@ void join(pid_t pid, int argc, char **argv, int index) { // run cmdline trough /bin/bash if (cfg.command_line == NULL) { - struct stat s; // replace the process with a shell - if (stat("/bin/bash", &s) == 0) - execlp("/bin/bash", "/bin/bash", NULL); - else if (stat("/usr/bin/zsh", &s) == 0) - execlp("/usr/bin/zsh", "/usr/bin/zsh", NULL); - else if (stat("/bin/csh", &s) == 0) - execlp("/bin/csh", "/bin/csh", NULL); - else if (stat("/bin/sh", &s) == 0) - execlp("/bin/sh", "/bin/sh", NULL); + if (cfg.shell) + execlp(cfg.shell, cfg.shell, NULL); + else if (arg_zsh) + execlp("/usr/bin/zsh", "/usr/bin/zsh", NULL); + else if (arg_csh) + execlp("/bin/csh", "/bin/csh", NULL); + else { + struct stat s; + if (stat("/bin/bash", &s) == 0) + execlp("/bin/bash", "/bin/bash", NULL); + else if (stat("/usr/bin/zsh", &s) == 0) + execlp("/usr/bin/zsh", "/usr/bin/zsh", NULL); + else if (stat("/bin/csh", &s) == 0) + execlp("/bin/csh", "/bin/csh", NULL); + else if (stat("/bin/sh", &s) == 0) + execlp("/bin/sh", "/bin/sh", NULL); + } // no shell found, print an error and exit fprintf(stderr, "Error: no POSIX shell found\n"); 
@@ -389,21 +397,54 @@ void join(pid_t pid, int argc, char **argv, int index) { } } - char *arg[5]; - arg[0] = "/bin/bash"; - arg[1] = "-c"; - if (arg_debug) - printf("Starting %s\n", cfg.command_line); - if (!arg_doubledash) { - arg[2] = cfg.command_line; - arg[3] = NULL; - } - else { - arg[2] = "--"; - arg[3] = cfg.command_line; - arg[4] = NULL; + if (arg_shell_none) { + if (arg_debug) { + int i; + for (i = cfg.original_program_index; i < cfg.original_argc; i++) { + if (cfg.original_argv[i] == NULL) + break; + printf("execvp argument %d: %s\n", i - cfg.original_program_index, cfg.original_argv[i]); + } + } + + if (cfg.original_program_index == 0) { + fprintf(stderr, "Error: --shell=none configured, but no program specified\n"); + exit(1); + } + + if (!arg_command && !arg_quiet) + printf("Child process initialized\n"); + + execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]); + exit(1); + } else { + // choose the shell requested by the user, or use bash as default + char *sh; + if (cfg.shell) + sh = cfg.shell; + else if (arg_zsh) + sh = "/usr/bin/zsh"; + else if (arg_csh) + sh = "/bin/csh"; + else + sh = "/bin/bash"; + + char *arg[5]; + arg[0] = sh; + arg[1] = "-c"; + if (arg_debug) + printf("Starting %s\n", cfg.command_line); + if (!arg_doubledash) { + arg[2] = cfg.command_line; + arg[3] = NULL; + } + else { + arg[2] = "--"; + arg[3] = cfg.command_line; + arg[4] = NULL; + } + execvp("/bin/bash", arg); } - execvp("/bin/bash", arg); } // it will never get here!!! -- cgit v1.2.3-70-g09d2 From 84e3dce3c2c0712d50656506268a7ce49221bfd3 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 27 Jul 2016 16:18:22 -0400 Subject: added Makefile to test/arguments --- test/arguments/Makefile | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 test/arguments/Makefile diff --git a/test/arguments/Makefile b/test/arguments/Makefile new file mode 100644 index 000000000..3ccab3702 --- /dev/null 
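Review bot: The new else-branch selects `sh` from `cfg.shell`, `arg_zsh` or `arg_csh` and stores it in `arg[0]`, but the final call is still `execvp("/bin/bash", arg);`, so bash is always what runs and the requested shell only shows up as argv[0]. It should be `execvp(sh, arg);`. In the `arg_shell_none` branch, a failed `execvp()` falls straight to `exit(1)` with no message; a `perror("execvp");` before the exit would make a missing or non-executable program diagnosable. join() starts and ends outside this hunk.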
+++ b/test/arguments/Makefile @@ -0,0 +1,13 @@ +all: argtest + +argtest: main.c + gcc -o argtest main.c + +clean:; rm -f argtest; rm -fr symtest; rm -f out out.* + +install:;install -c -m 0755 argtest /usr/local/bin/argtest + +uninstall:; rm -f /usr/local/bin/argtest + + +test:; ./arguments.sh | grep TESTING -- cgit v1.2.3-70-g09d2 From 858b89146a57f7c3ba6e07ecf497621d1d01d4e0 Mon Sep 17 00:00:00 2001 From: Thomas Jarosch Date: Wed, 27 Jul 2016 22:19:01 +0200 Subject: disable-passwdmgr.inc: Don't leak keepassx config It contains the path to the last used database. --- etc/disable-passwdmgr.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/disable-passwdmgr.inc b/etc/disable-passwdmgr.inc index c1e68d1ec..6db9073ab 100644 --- a/etc/disable-passwdmgr.inc +++ b/etc/disable-passwdmgr.inc @@ -3,4 +3,5 @@ blacklist ${HOME}/.lastpass blacklist ${HOME}/.keepassx blacklist ${HOME}/.password-store blacklist ${HOME}/keepassx.kdbx +blacklist ${HOME}/.config/keepassx -- cgit v1.2.3-70-g09d2 From 9c078255c5916a8c01873cfd8c3da6a46d53c843 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 27 Jul 2016 16:20:57 -0400 Subject: --join fixes --- README | 1 + 1 file changed, 1 insertion(+) diff --git a/README b/README index cb8b185fb..bbf138085 100644 --- a/README +++ b/README @@ -33,6 +33,7 @@ Aleksey Manevich (https://github.com/manevich) - fix build for systems without bash - fix double quotes/single quotes problem - big rework of argument processing subsytem + - --join fixes Fred-Barclay (https://github.com/Fred-Barclay) - added Vivaldi, Atril profiles - added PaleMoon profile -- cgit v1.2.3-70-g09d2 From c56e49cf0c91cb87ca25f3bb8a0228d4045dd075 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 27 Jul 2016 17:38:51 -0400 Subject: symlink whitelist fix --- src/firejail/fs_whitelist.c | 11 +++++++---- src/man/firejail.txt | 2 +- 2 files changed, 8 insertions(+), 5 deletions(-) 
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 926e5415c..f94040d0f 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c @@ -391,14 +391,17 @@ void fs_whitelist(void) { entry->home_dir = 1; home_dir = 1; - if (arg_debug) + if (arg_debug || arg_debug_whitelists) fprintf(stderr, "Debug %d: fname #%s#, cfg.homedir #%s#\n", __LINE__, fname, cfg.homedir); // both path and absolute path are under /home -// if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) { -// goto errexit; -// } + if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) { + // check if the file is owned by the user + struct stat s; + if (stat(fname, &s) == 0 && s.st_uid != getuid()) + goto errexit; + } } else if (strncmp(new_name, "/tmp/", 5) == 0) { entry->tmp_dir = 1; diff --git a/src/man/firejail.txt b/src/man/firejail.txt index c9e24380c..d8bd34f10 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -1523,7 +1523,7 @@ firejail version 0.9.27 \fB\-\-whitelist=dirname_or_filename Whitelist directory or file. This feature is implemented only for user home, /dev, /media, /opt, /var, and /tmp directories. With the exception of user home, both the link and the real file should be in -the same top directory. +the same top directory. For /home, both the link and the real file should be owned by the user. .br .br -- cgit v1.2.3-70-g09d2 From 82c353409ab09554c2a4f3517f8e654725d8da46 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 27 Jul 2016 17:53:09 -0400 Subject: symlink whitelist fix --- src/firejail/fs_whitelist.c | 3 +++ src/man/firejail.txt | 4 ++++ 2 files changed, 7 insertions(+) diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index f94040d0f..e3668140d 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c 
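Review bot: The restored ownership check in fs_whitelist() fails open in two ways. `strncmp(fname, cfg.homedir, strlen(cfg.homedir))` is a plain prefix match, so a target under a sibling directory whose name merely begins with the home path (home `/home/user`, target `/home/user2/...`) is treated as inside home and skips the owner check; the byte after the prefix should also be required to be `/` or `\0`. Inside the block, `stat(fname, &s) == 0 && s.st_uid != getuid()` accepts the entry when `stat()` itself fails; `if (stat(fname, &s) == -1 || s.st_uid != getuid()) goto errexit;` rejects what it cannot verify. Whether `fname` is already a resolved path is not visible in this hunk, so the second change should be checked against how `fname` is produced earlier in the function.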
@@ -401,6 +401,9 @@ void fs_whitelist(void) { struct stat s; if (stat(fname, &s) == 0 && s.st_uid != getuid()) goto errexit; + + // set nonewprivs + arg_nonewprivs = 1; } } else if (strncmp(new_name, "/tmp/", 5) == 0) { diff --git a/src/man/firejail.txt b/src/man/firejail.txt index d8bd34f10..65744235e 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -949,6 +949,10 @@ cannot acquire new privileges using execve(2); in particular, this means that calling a suid binary (or one with file capabilities) does not result in an increase of privilege. +--nonewprivs is enabled by default if seccomp filter is activated, or if a +symbolic link in user home directory pointing outside user home +is whitelisted. + .TP \fB\-\-nosound Disable sound system. -- cgit v1.2.3-70-g09d2 From e171eac90eb99b81a61a6850d7e8f4d4344c27c6 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 28 Jul 2016 08:21:21 -0400 Subject: fix cyberfox profile --- Makefile.in | 1 + README | 2 ++ etc/Cyberfox.profile | 3 +++ etc/cyberfox.profile | 5 ++--- platform/debian/conffiles | 1 + 5 files changed, 9 insertions(+), 3 deletions(-) create mode 100644 etc/Cyberfox.profile diff --git a/Makefile.in b/Makefile.in index 0903e3b8d..3083ba19e 100644 --- a/Makefile.in +++ b/Makefile.in @@ -224,6 +224,7 @@ realinstall: install -c -m 0644 .etc/atom.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/jitsi.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/eom.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/Cyberfox.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/. rm -fr .etc diff --git a/README b/README index bbf138085..dc9d8a3b0 100644 --- a/README +++ b/README 
@@ -25,6 +25,8 @@ Reiner Herrmann (https://github.com/reinerh) - clang-analyzer fixes - Debian reproducible build - unit testing framework +Thomas Jarosch (https://github.com/thomasjfox) + - disable keepassx in disable-passwdmgr.inc Niklas Haas (https://github.com/haasn) - blacklisting for keybase.io's client Aleksey Manevich (https://github.com/manevich) diff --git a/etc/Cyberfox.profile b/etc/Cyberfox.profile new file mode 100644 index 000000000..1f74606ce --- /dev/null +++ b/etc/Cyberfox.profile @@ -0,0 +1,3 @@ +# Firejail profile for Cyberfox (based on Mozilla Firefox) + +include /etc/firejail/cyberfox.profile diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile index 0035b6be6..afa77d1d4 100644 --- a/etc/cyberfox.profile +++ b/etc/cyberfox.profile @@ -1,6 +1,6 @@ # Firejail profile for Cyberfox (based on Mozilla Firefox) -noblacklist ~/.8pecxstudios/cyberfox +noblacklist ~/.8pecxstudios noblacklist ~/.cache/8pecxstudios include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc @@ -19,8 +19,7 @@ mkdir ~/.8pecxstudios whitelist ~/.8pecxstudios mkdir ~/.cache mkdir ~/.cache/8pecxstudios -mkdir ~/.cache/8pecxstudios/cyberfox -whitelist ~/.cache/8pecxstudios/cyberfox +whitelist ~/.cache/8pecxstudios whitelist ~/dwhelper whitelist ~/.zotero whitelist ~/.vimperatorrc diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 24884228e..be302f833 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -94,6 +94,7 @@ /etc/firejail/google-play-music-desktop-player.profile /etc/firejail/quiterss.profile /etc/firejail/cyberfox.profile +/etc/firejail/Cyberfox.profile /etc/firejail/snap.profile /etc/firejail/xplayer.profile /etc/firejail/xreader.profile -- cgit v1.2.3-70-g09d2 From 2aea8f1d20d68a65ce15d9f70480aecdc81e18b1 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Thu, 28 Jul 2016 08:26:27 -0400 Subject: whitelist fix --- README.md | 5 +++-- src/firejail/fs_whitelist.c | 3 --- src/man/firejail.txt | 7 ++----- 3 files changed, 5 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 63b9edb04..d1a41d1ca 100644 --- a/README.md +++ b/README.md @@ -49,8 +49,9 @@ Symlinks outside user home directories are allowed: --whitelist=dirname_or_filename Whitelist directory or file. This feature is implemented only for user home, /dev, /media, /opt, /var, and /tmp directories. - With the exception of user home, both the link and the real - file should be in the same top directory. + With the exception of user home, both the link and the real file + should be in the same top directory. For /home, both the link + and the real file should be owned by the user. Example: $ firejail --noprofile --whitelist=~/.mozilla diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index e3668140d..f94040d0f 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c @@ -401,9 +401,6 @@ void fs_whitelist(void) { struct stat s; if (stat(fname, &s) == 0 && s.st_uid != getuid()) goto errexit; - - // set nonewprivs - arg_nonewprivs = 1; } } else if (strncmp(new_name, "/tmp/", 5) == 0) { diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 65744235e..2ddbc9f88 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
@@ -947,11 +947,8 @@ $ Sets the NO_NEW_PRIVS prctl. This ensures that child processes cannot acquire new privileges using execve(2); in particular, this means that calling a suid binary (or one with file capabilities) -does not result in an increase of privilege. - ---nonewprivs is enabled by default if seccomp filter is activated, or if a -symbolic link in user home directory pointing outside user home -is whitelisted. +does not result in an increase of privilege. This option +is enabled by default if seccomp filter is activated. .TP \fB\-\-nosound -- cgit v1.2.3-70-g09d2 From 3da7ed2d8b6a6cb85b9fd07906b0ad518d5ccc32 Mon Sep 17 00:00:00 2001 From: Thomas Jarosch Date: Thu, 28 Jul 2016 16:24:29 +0200 Subject: Add profile for uudeview uudeview might access unsafe email content, therefore restrict it as much as possible. In fact it's best to call firejail with a private home dir, too. --- Makefile.in | 1 + README | 1 + README.md | 2 +- RELNOTES | 2 +- etc/uudeview.profile | 13 +++++++++++++ platform/debian/conffiles | 1 + 6 files changed, 18 insertions(+), 2 deletions(-) create mode 100644 etc/uudeview.profile diff --git a/Makefile.in b/Makefile.in index 3083ba19e..6c0e464e4 100644 --- a/Makefile.in +++ b/Makefile.in @@ -225,6 +225,7 @@ realinstall: install -c -m 0644 .etc/jitsi.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/eom.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/Cyberfox.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/uudeview.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/. rm -fr .etc diff --git a/README b/README index dc9d8a3b0..7b28226e4 100644 --- a/README +++ b/README 
@@ -27,6 +27,7 @@ Reiner Herrmann (https://github.com/reinerh) - unit testing framework Thomas Jarosch (https://github.com/thomasjfox) - disable keepassx in disable-passwdmgr.inc + - added uudeview profile Niklas Haas (https://github.com/haasn) - blacklisting for keybase.io's client Aleksey Manevich (https://github.com/manevich) diff --git a/README.md b/README.md index d1a41d1ca..26dc2c4e3 100644 --- a/README.md +++ b/README.md @@ -155,5 +155,5 @@ Browsers: Palemoon ## New security profiles -Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom +Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview diff --git a/RELNOTES b/RELNOTES index be65b9fca..4f1366108 100644 --- a/RELNOTES +++ b/RELNOTES @@ -14,7 +14,7 @@ firejail (0.9.42~rc1) baseline; urgency=low * compile time support to disable global configuration file * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice * new profiles: pix, audacity, strings, xz, xzdec, gzip, cpio, less - * new profiles: Atom Beta, Atom, jitsi, eom + * new profiles: Atom Beta, Atom, jitsi, eom, uudeview -- netblue30 Thu, 21 Jul 2016 08:00:00 -0500 firejail (0.9.40) baseline; urgency=low diff --git a/etc/uudeview.profile b/etc/uudeview.profile new file mode 100644 index 000000000..8218ac959 --- /dev/null +++ b/etc/uudeview.profile @@ -0,0 +1,13 @@ +# uudeview profile +# the default profile will disable root user, enable seccomp filter etc. +include /etc/firejail/default.profile + +tracelog +net none +shell none +private-bin uudeview +private-dev +private-tmp +private-etc nonexisting_fakefile_for_empty_etc +hostname uudeview +nosound diff --git a/platform/debian/conffiles b/platform/debian/conffiles index be302f833..6e0f86473 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles 
@@ -131,3 +131,4 @@ /etc/firejail/atom.profile /etc/firejail/jitsi.profile /etc/firejail/eom.profile +/etc/firejail/uudeview.profile -- cgit v1.2.3-70-g09d2 From 340a6b2eeb010367180e530af976810c9d762580 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 28 Jul 2016 10:54:05 -0400 Subject: added netfilter-default config option in /etc/firejail/firejail.config --- RELNOTES | 3 ++- etc/firejail.config | 7 +++++++ etc/nolocal.net | 3 ++- src/firejail/checkcfg.c | 23 +++++++++++++++++++++++ src/firejail/firejail.h | 1 + src/firejail/netfilter.c | 2 ++ 6 files changed, 37 insertions(+), 2 deletions(-) diff --git a/RELNOTES b/RELNOTES index be65b9fca..4a6ae81ed 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,4 +1,4 @@ -firejail (0.9.42~rc1) baseline; urgency=low +firejail (0.9.42~rc2) baseline; urgency=low * deprecated --user option, please use "sudo -u username firejail" instead * --read-write option rework * allow symlinks in home directory for --whitelist option @@ -12,6 +12,7 @@ firejail (0.9.42~rc1) baseline; urgency=low * seccomp filter updated * compile time and run time support to disable whitelists * compile time support to disable global configuration file + * added netfilter-default config option in /etc/firejail/firejail.config * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice * new profiles: pix, audacity, strings, xz, xzdec, gzip, cpio, less * new profiles: Atom Beta, Atom, jitsi, eom diff --git a/etc/firejail.config b/etc/firejail.config index 59bbd77a5..20c4d7a5f 100644 --- a/etc/firejail.config +++ b/etc/firejail.config 
@@ -27,6 +27,13 @@ # --netfilter only to root user. Regular users are only allowed --net=none. # restricted-network no +# Change default netfilter configuration. When using --netfilter option without +# a file argument, the default filter is hardcoded (see man 1 firejail). This +# configuration entry allows the user to change the default by specifying +# a file containing the filter configuration. The filter file format is the +# format of iptables-save and iptable-restore commands. Example: +# netfilter-default /etc/iptables.iptables.rules + # Enable or disable seccomp support, default enabled. # seccomp yes diff --git a/etc/nolocal.net b/etc/nolocal.net index 9c0c6e125..9fa785450 100644 --- a/etc/nolocal.net +++ b/etc/nolocal.net @@ -4,7 +4,8 @@ :OUTPUT ACCEPT [0:0] ################################################################### -# Client filter rejecting local network traffic, with the exception of DNS traffic +# Client filter rejecting local network traffic, with the exception of +# DNS traffic # # Usage: # firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 6636e7efe..6929988ae 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -26,6 +26,7 @@ static int initialized = 0; static int cfg_val[CFG_MAX]; char *xephyr_screen = "800x600"; char *xephyr_extra_params = ""; +char *netfilter_default = NULL; int checkcfg(int val) { EUID_ASSERT(); 
@@ -159,6 +160,28 @@ int checkcfg(int val) { else goto errout; } + // netfilter + else if (strncmp(ptr, "netfilter-default ", 18) == 0) { + char *fname = ptr + 18; + while (*fname == ' ' || *fname == '\t') + ptr++; + char *end = strchr(fname, ' '); + if (end) + *end = '\0'; + + // is the file present? + struct stat s; + if (stat(fname, &s) == -1) { + fprintf(stderr, "Error: netfilter-default file %s not available\n", fname); + exit(1); + } + + netfilter_default = strdup(fname); + if (!netfilter_default) + errExit("strdup"); + if (arg_debug) + printf("netfilter default file %s\n", fname); + } // Xephyr screen size else if (strncmp(ptr, "xephyr-screen ", 14) == 0) { diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 29bb6c494..7a538327d 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -582,6 +582,7 @@ void sandboxfs(int op, pid_t pid, const char *patqh); #define CFG_MAX 11 // this should always be the last entry extern char *xephyr_screen; extern char *xephyr_extra_params; +extern char *netfilter_default; int checkcfg(int val); // appimage.c diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c index 71abfb53d..b50d61039 100644 --- a/src/firejail/netfilter.c +++ b/src/firejail/netfilter.c @@ -66,6 +66,8 @@ void netfilter(const char *fname) { // custom filter int allocated = 0; + if (netfilter_default) + fname = netfilter_default; if (fname) { // buffer the filter struct stat s; -- cgit v1.2.3-70-g09d2 From 44ec35dc99641a54a58d5af71bab17e92f03772f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 29 Jul 2016 07:45:19 -0400 Subject: noexec fix --- src/firejail/fs.c | 32 +++++++++++--------------------- src/man/firejail.txt | 2 +- 2 files changed, 12 insertions(+), 22 deletions(-) diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 630458549..ff5887c10 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c 
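Review bot: In the `netfilter-default` branch added to `checkcfg()`, the whitespace-skipping loop tests `*fname` but advances `ptr`, so a value preceded by an extra space or tab never changes the loop condition and the loop does not terminate. It should advance the pointer it tests: `while (*fname == ' ' || *fname == '\t') fname++;`. It is also worth a comment that `strchr(fname, ' ')` cuts the value at the first space, so a filter path containing spaces cannot be configured. `checkcfg()` starts and ends outside the hunk.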
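Review bot: In the `netfilter.c` hunk, `if (netfilter_default) fname = netfilter_default;` replaces `fname` unconditionally, so a filter file passed explicitly by the caller is discarded whenever the config entry is set. The `etc/firejail.config` text in the same commit describes the entry as changing the default used when `--netfilter` has no file argument, which suggests `if (!fname && netfilter_default) fname = netfilter_default;`. If overriding an explicit file is intended, a comment saying so would help. The rest of `netfilter()` is outside the hunk.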
@@ -716,10 +716,8 @@ void fs_proc_sys_dev_boot(void) { } // disable firejail configuration in /etc/firejail and in ~/.config/firejail -static void disable_firejail_config(void) { +static void disable_config(void) { struct stat s; -// if (stat("/etc/firejail", &s) == 0) -// disable_file(BLACKLIST_FILE, "/etc/firejail"); char *fname; if (asprintf(&fname, "%s/.config/firejail", cfg.homedir) == -1) @@ -728,18 +726,6 @@ static void disable_firejail_config(void) { disable_file(BLACKLIST_FILE, fname); free(fname); -// if (stat("/usr/local/etc/firejail", &s) == 0) -// disable_file(BLACKLIST_FILE, "/usr/local/etc/firejail"); -// -// if (strcmp(PREFIX, "/usr/local")) { -// if (asprintf(&fname, "%s/etc/firejail", PREFIX) == -1) -// errExit("asprintf"); -// if (stat(fname, &s) == 0) -// disable_file(BLACKLIST_FILE, fname); -// free(fname); -// } - - // disable run time information if (stat(RUN_FIREJAIL_NETWORK_DIR, &s) == 0) disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NETWORK_DIR); @@ -754,16 +740,20 @@ static void disable_firejail_config(void) { // build a basic read-only filesystem void fs_basic_fs(void) { + uid_t uid = getuid(); + if (arg_debug) printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr"); if (!arg_writable_etc) { fs_rdonly("/etc"); - fs_noexec("/etc"); + if (uid) + fs_noexec("/etc"); if (arg_debug) printf(", /etc"); } if (!arg_writable_var) { fs_rdonly("/var"); - fs_noexec("/var"); + if (uid) + fs_noexec("/var"); if (arg_debug) printf(", /var"); } if (arg_debug) printf("\n"); @@ -791,8 +781,8 @@ void fs_basic_fs(void) { // when starting as root, firejail config is not disabled; // this mode could be used to install and test new software by chaining // firejail sandboxes (firejail --force) - if (getuid() != 0) - disable_firejail_config(); + if (uid) + disable_config(); } 
@@ -1028,7 +1018,7 @@ void fs_overlayfs(void) { // this mode could be used to install and test new software by chaining // firejail sandboxes (firejail --force) if (getuid() != 0) - disable_firejail_config(); + disable_config(); // cleanup and exit free(option); @@ -1185,7 +1175,7 @@ void fs_chroot(const char *rootdir) { // this mode could be used to install and test new software by chaining // firejail sandboxes (firejail --force) if (getuid() != 0) - disable_firejail_config(); + disable_config(); } #endif diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 2ddbc9f88..d34cfdb20 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -862,7 +862,7 @@ $ firejail \-\-noexec=/tmp .br .br -/etc and /var are noexec by default. If there are more than one mount operation +/etc and /var are noexec by default if the sandbox was started as a regular user. If there are more than one mount operation on the path of the file or directory, noexec should be applied to the last one. Always check if the change took effect inside the sandbox. .TP -- cgit v1.2.3-70-g09d2 From 71f6f53bbf71b1c1e1be8516dcc24e3ece44cd72 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 29 Jul 2016 08:00:52 -0400 Subject: config file fix --- src/firejail/checkcfg.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 6929988ae..7de491f5f 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -58,6 +58,15 @@ int checkcfg(int val) { #endif } + // if the file exists, it should be owned by root + struct stat s; + if (stat(fname, &s) == -1) + errExit("stat"); + if (s.st_uid != 0 || s.st_gid != 0) { + fprintf(stderr, "Error: configuration file should be owned by root\n"); + exit(1); + } + // read configuration file char buf[MAX_READ]; while (fgets(buf,MAX_READ, fp)) { -- cgit v1.2.3-70-g09d2 From bfcf7e53cad17f726a894023f6c02dc84f606e07 Mon Sep 17 00:00:00 2001 
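Review bot: The root-ownership check added to `checkcfg()` calls `stat(fname, &s)` on the path, while the file is read through `fp` in the `fgets` loop just below, so the object that is checked and the object that is read can differ if the path is replaced in between. Assuming `fp` is already open at this point (the `fopen` is outside the hunk), checking the open stream avoids that: `if (fstat(fileno(fp), &s) == -1) errExit("fstat");`. The test also accepts a root-owned file that is world-writable; adding `s.st_mode & S_IWOTH` to the rejection condition would cover that. The comment says "if the file exists", but a failed `stat` exits, so the comment and the behaviour should be reconciled.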
From: netblue30 Date: Fri, 29 Jul 2016 08:52:32 -0400 Subject: fix Makefile.in --- Makefile.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile.in b/Makefile.in index 6c0e464e4..3008ba703 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,6 +1,6 @@ all: apps firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-config.5 MYLIBS = src/lib -APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/libtracelog src/faudit +APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit prefix=@prefix@ exec_prefix=@exec_prefix@ -- cgit v1.2.3-70-g09d2 From bdcb2be80f78082650283e13fcb9a90d75e02eba Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 29 Jul 2016 09:37:51 -0400 Subject: using UID_MIN/GID_MIN values from /etc/login.def --- Makefile.in | 2 +- configure | 6 ++++++ configure.ac | 6 ++++++ mkuid.sh | 20 ++++++++++++++++++++ src/firejail/restrict_users.c | 9 +++++---- 5 files changed, 38 insertions(+), 5 deletions(-) create mode 100755 mkuid.sh diff --git a/Makefile.in b/Makefile.in index 3008ba703..7bb59db6e 100644 --- a/Makefile.in +++ b/Makefile.in @@ -66,7 +66,7 @@ distclean: clean for dir in $(MYLIBS); do \ $(MAKE) -C $$dir distclean; \ done - rm -fr Makefile autom4te.cache config.log config.status config.h + rm -fr Makefile autom4te.cache config.log config.status config.h uids.h realinstall: # firejail executable diff --git a/configure b/configure index cd4be9296..050b4df9c 100755 --- a/configure +++ b/configure @@ -3673,6 +3673,9 @@ if test "$prefix" = /usr; then sysconfdir="/etc" fi +# extract UID_MIN and GID_MIN from login.def +./mkuid.sh + ac_config_files="$ac_config_files Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile" cat >confcache <<\_ACEOF 
@@ -4861,6 +4864,9 @@ echo " X11 sandboxing support: $HAVE_X11" echo " whitelisting: $HAVE_WHITELIST" echo " file transfer support: $HAVE_FILE_TRANSFER" echo " fatal warnings: $HAVE_FATAL_WARNINGS" +printf " uid_min: "; grep UID_MIN uids.h +printf " gid_min: "; grep GID_MIN uids.h echo + diff --git a/configure.ac b/configure.ac index c22228d0f..a84396ad4 100644 --- a/configure.ac +++ b/configure.ac @@ -106,6 +106,9 @@ if test "$prefix" = /usr; then sysconfdir="/etc" fi +# extract UID_MIN and GID_MIN from login.def +./mkuid.sh + AC_OUTPUT(Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile) echo @@ -123,6 +126,9 @@ echo " X11 sandboxing support: $HAVE_X11" echo " whitelisting: $HAVE_WHITELIST" echo " file transfer support: $HAVE_FILE_TRANSFER" echo " fatal warnings: $HAVE_FATAL_WARNINGS" +printf " uid_min: "; grep UID_MIN uids.h +printf " gid_min: "; grep GID_MIN uids.h echo + diff --git a/mkuid.sh b/mkuid.sh new file mode 100755 index 000000000..f03fdaf94 --- /dev/null +++ b/mkuid.sh @@ -0,0 +1,20 @@ +#!/bin/bash + +echo "extracting UID_MIN and GID_MIN" +echo "#ifndef FIREJAIL_UIDS_H" > uids.h +echo "#define FIREJAIL_UIDS_H" >> uids.h + +if [ -f /etc/login.defs ] +then + echo "// using values extracted from /etc/login.defs" >> uids.h + UID_MIN=`awk '/^\s*UID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs` + GID_MIN=`awk '/^\s*GID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs` + echo "#define UID_MIN $UID_MIN" >> uids.h + echo "#define GID_MIN $GID_MIN" >> uids.h +else + echo "// using default values" >> uids.h + echo "#define UID_MIN 1000" >> uids.h + echo "#define GID_MIN 1000" >> uids.h +fi + +echo "#endif" >> uids.h diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index 5a41c441b..de798037f 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c 
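Review bot: In `mkuid.sh`, when `/etc/login.defs` exists but has no active `UID_MIN` or `GID_MIN` line, the `awk` output is empty and the script writes `#define UID_MIN ` with no value, so the `uid < UID_MIN` and `gid < GID_MIN` comparisons this commit introduces in `restrict_users.c` no longer compile. A fallback after each extraction keeps the previous threshold: `[ -n "$UID_MIN" ] || UID_MIN=1000` and `[ -n "$GID_MIN" ] || GID_MIN=1000`. The patterns also rely on `\s`, which not every awk implementation supports, so `[[:space:]]` would be more portable. The values are taken from the build host, so a binary built on one machine and installed on another filters `/etc/passwd` and `/etc/group` with the builder's thresholds; a comment in the script stating that would help packagers.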
@@ -26,6 +26,7 @@ #include #include #include +#include "../../uids.h" #define MAXBUF 1024 @@ -118,7 +119,7 @@ static void sanitize_passwd(void) { if (stat("/etc/passwd", &s) == -1) return; if (arg_debug) - printf("Sanitizing /etc/passwd\n"); + printf("Sanitizing /etc/passwd, UID_MIN %d\n", UID_MIN); if (is_link("/etc/passwd")) { fprintf(stderr, "Error: invalid /etc/passwd\n"); exit(1); @@ -170,7 +171,7 @@ static void sanitize_passwd(void) { int rv = sscanf(ptr, "%d:", &uid); if (rv == 0 || uid < 0) goto errout; - if (uid < 1000) { // todo extract UID_MIN from /etc/login.def + if (uid < UID_MIN) { fprintf(fpout, "%s", buf); continue; } @@ -255,7 +256,7 @@ static void sanitize_group(void) { if (stat("/etc/group", &s) == -1) return; if (arg_debug) - printf("Sanitizing /etc/group\n"); + printf("Sanitizing /etc/group, GID_MIN %d\n", GID_MIN); if (is_link("/etc/group")) { fprintf(stderr, "Error: invalid /etc/group\n"); exit(1); @@ -306,7 +307,7 @@ static void sanitize_group(void) { int rv = sscanf(ptr, "%d:", &gid); if (rv == 0 || gid < 0) goto errout; - if (gid < 1000) { // todo extract GID_MIN from /etc/login.def + if (gid < GID_MIN) { if (copy_line(fpout, buf, ptr)) goto errout; continue; -- cgit v1.2.3-70-g09d2 From e84b0693a5c6333ae8ab35ca37f787cbf6e3176f Mon Sep 17 00:00:00 2001 From: Reiner Herrmann Date: Mon, 25 Jul 2016 21:40:34 +0200 Subject: Don't assume that current directory is inside /home --- test/environment/doubledash.exp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/test/environment/doubledash.exp b/test/environment/doubledash.exp index 668468980..7abf4b918 100755 --- a/test/environment/doubledash.exp +++ b/test/environment/doubledash.exp 
@@ -36,23 +36,23 @@ expect { sleep 3 spawn $env(SHELL) -send -- "firejail --list;pwd\r" +send -- "firejail --list;ls -d /tmp\r" expect { timeout {puts "TESTING ERROR 6\n";exit} "name=testing" } expect { timeout {puts "TESTING ERROR 7\n";exit} - "home" + "/tmp" } -send -- "firejail --list;pwd\r" +send -- "firejail --list;ls -d /tmp\r" expect { timeout {puts "TESTING ERROR 8 (join)\n";exit} "join=testing" } expect { timeout {puts "TESTING ERROR 9\n";exit} - "home" + "/tmp" } sleep 1 -- cgit v1.2.3-70-g09d2 From 1b197acd944b1ff164c988f23cdbb3ce0d29d3e2 Mon Sep 17 00:00:00 2001 From: Reiner Herrmann Date: Fri, 29 Jul 2016 21:40:58 +0200 Subject: Build argtest if it doesn't exist --- test/arguments/arguments.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/test/arguments/arguments.sh b/test/arguments/arguments.sh index a9b3f9587..2f53eb3fa 100755 --- a/test/arguments/arguments.sh +++ b/test/arguments/arguments.sh @@ -1,5 +1,7 @@ #!/bin/bash +[ -f argtest ] || make argtest + echo "TESTING: 1. regular bash session" ./bashrun.exp -- cgit v1.2.3-70-g09d2 From b4c7c48bc6c3121107d3c727ffa27a5dfc750583 Mon Sep 17 00:00:00 2001 From: Reiner Herrmann Date: Fri, 29 Jul 2016 23:01:38 +0200 Subject: Run correct shell script during test --- test/arguments/symrun.exp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/arguments/symrun.exp b/test/arguments/symrun.exp index 1466b791e..10e7ac6c8 100755 --- a/test/arguments/symrun.exp +++ b/test/arguments/symrun.exp @@ -4,7 +4,7 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "./bashrun.sh\r" +send -- "./symrun.sh\r" expect { timeout {puts "TESTING ERROR 2.1.1\n";exit} "Arguments:" -- cgit v1.2.3-70-g09d2 From 4a6a0b01609891c47943db8807cb0d906a823b91 Mon Sep 17 00:00:00 2001 From: Reiner Herrmann Date: Fri, 29 Jul 2016 23:22:14 +0200 Subject: Look for argtest in test directory to not require it being installed --- test/arguments/symrun.sh | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/test/arguments/symrun.sh b/test/arguments/symrun.sh index b46803ae2..d28f024a8 100755 --- a/test/arguments/symrun.sh +++ b/test/arguments/symrun.sh @@ -3,6 +3,9 @@ mkdir symtest ln -s /usr/bin/firejail symtest/argtest +# search for argtest in current directory +export PATH=$PATH:. + echo "TESTING: 2.1 - simple args" symtest/argtest arg1 arg2 -- cgit v1.2.3-70-g09d2 From ffb984626b5ab22f72857ead453e275b9f85582d Mon Sep 17 00:00:00 2001 From: Reiner Herrmann Date: Sat, 30 Jul 2016 00:32:03 +0200 Subject: Use wildcard for qdisc --- test/network/bandwidth.exp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/network/bandwidth.exp b/test/network/bandwidth.exp index bccb0b9f3..2913c6b14 100755 --- a/test/network/bandwidth.exp +++ b/test/network/bandwidth.exp @@ -18,7 +18,7 @@ spawn $env(SHELL) send -- "firejail --bandwidth=test status\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "qdisc pfifo_fast 0: dev eth0" + "qdisc * 0: dev eth0" } sleep 1 -- cgit v1.2.3-70-g09d2 From d222f18b9e0556ecca90ca3883c0628427d18c14 Mon Sep 17 00:00:00 2001 From: Pig Monkey Date: Fri, 29 Jul 2016 21:20:53 -0700 Subject: Allow BitlBee to write /var/lib/bitlbee Bitlbee stores its configuration in /var/lib/bitlbee. It must be able to write to this directory in order to save config changes (adding accounts, writing OTR keys, etc). --- etc/bitlbee.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile index 4666d2fe7..87d2e843a 100644 --- a/etc/bitlbee.profile +++ b/etc/bitlbee.profile @@ -11,4 +11,4 @@ private-dev protocol unix,inet,inet6 seccomp nosound - +read-write /var/lib/bitlbee -- cgit v1.2.3-70-g09d2 From 17e3bdd35ef08cb2768398acb6bea9628ffeff85 Mon Sep 17 00:00:00 2001 
From: Thomas Jarosch Date: Sat, 30 Jul 2016 10:10:32 +0200 Subject: Sort profiles alphabetically That way it's easy to check if a profile is already listed. --- Makefile.in | 220 ++++++++++++++++++++++----------------------- platform/debian/conffiles | 222 +++++++++++++++++++++++----------------------- 2 files changed, 221 insertions(+), 221 deletions(-) diff --git a/Makefile.in b/Makefile.in index 7bb59db6e..0d91f6288 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -93,114 +93,70 @@ realinstall: # etc files ./mketc.sh $(sysconfdir) install -m 0755 -d $(DESTDIR)/$(sysconfdir)/firejail + install -c -m 0644 .etc/0ad.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/Cyberfox.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/Mathematica.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/Telegram.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/abrowser.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/atom-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/atom.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/atril.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/audacious.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/clementine.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/epiphany.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/qtox.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/polari.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/gnome-mplayer.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/rhythmbox.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/totem.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/firefox.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/firefox-esr.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/icedove.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/iceweasel.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/midori.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/evince.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/audacity.profile $(DESTDIR)/$(sysconfdir)/firejail/. 
+ install -c -m 0644 .etc/aweather.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/bitlbee.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/brave.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/cherrytree.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/chromium-browser.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/chromium.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/google-chrome.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/google-chrome-stable.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/google-chrome-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/google-chrome-unstable.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/clementine.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/cmus.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/conkeror.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/corebird.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/cpio.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/cyberfox.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/deadbeef.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/default.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/deluge.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/dillo.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/disable-common.inc $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/disable-devel.inc $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/disable-passwdmgr.inc $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/disable-programs.inc $(DESTDIR)/$(sysconfdir)/firejail/. 
+ install -c -m 0644 .etc/dnscrypt-proxy.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/dnsmasq.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/dropbox.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/opera.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/opera-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/thunderbird.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/transmission-gtk.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/transmission-qt.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/vlc.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/deluge.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/qbittorrent.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/default.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/pidgin.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/xchat.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/empathy.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/server.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/icecat.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/quassel.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/deadbeef.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/filezilla.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/eom.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/epiphany.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/evince.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/fbreader.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/spotify.profile $(DESTDIR)/$(sysconfdir)/firejail/. 
- install -c -m 0644 .etc/steam.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/skype.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/wine.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/disable-devel.inc $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/conkeror.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/unbound.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/dnscrypt-proxy.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/whitelist-common.inc $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/nolocal.net $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/webserver.net $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/bitlbee.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/weechat.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/weechat-curses.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/hexchat.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/rtorrent.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/parole.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/kmail.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/seamonkey.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/seamonkey-bin.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/telegram.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/mathematica.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/Mathematica.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/uget-gtk.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/mupen64plus.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/disable-programs.inc $(DESTDIR)/$(sysconfdir)/firejail/. 
- install -c -m 0644 .etc/disable-passwdmgr.inc $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/lxterminal.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/cherrytree.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/wesnoth.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/hedgewars.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/vivaldi.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/vivaldi-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/atril.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/qutebrowser.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/filezilla.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/firefox-esr.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/firefox.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/flashpeak-slimjet.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/ssh.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/openbox.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/dillo.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/cmus.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/dnsmasq.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/palemoon.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/icedove.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/abrowser.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/0ad.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/netsurf.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/warzone2100.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/okular.profile $(DESTDIR)/$(sysconfdir)/firejail/. 
- install -c -m 0644 .etc/gwenview.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/gpredict.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/aweather.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/stellarium.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/google-play-music-desktop-player.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/quiterss.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/cyberfox.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/snap.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/xplayer.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/xreader.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/xviewer.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/mcabber.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/corebird.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/konversation.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/psi-plus.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/brave.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/franz.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/gitter.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/gnome-mplayer.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/google-chrome-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/google-chrome-stable.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/google-chrome-unstable.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/google-chrome.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/google-play-music-desktop-player.profile $(DESTDIR)/$(sysconfdir)/firejail/. 
+ install -c -m 0644 .etc/gpredict.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/gthumb.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/mpv.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/franz.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/gwenview.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/gzip.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/hedgewars.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/hexchat.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/icecat.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/icedove.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/icedove.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/iceweasel.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/jitsi.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/kmail.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/konversation.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/less.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/libreoffice.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/localc.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/lodraw.profile $(DESTDIR)/$(sysconfdir)/firejail/. 
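Review bot: The list is sorted in byte order, with `0ad.profile` and the capitalised `Cyberfox.profile`, `Mathematica.profile` and `Telegram.profile` ahead of `abrowser.profile`, but nothing in the file records that. A contributor sorting under another locale would get a different order. A comment above the list such as `# keep sorted (LC_ALL=C sort)` would record the convention; the same order is used in the second Makefile.in hunk and in platform/debian/conffiles. The `realinstall` target starts before this hunk and continues after it.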
@@ -210,22 +166,66 @@ realinstall: install -c -m 0644 .etc/lomath.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/loweb.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/lowriter.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/lxterminal.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/mathematica.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/mcabber.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/midori.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/mpv.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/mupen64plus.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/netsurf.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/nolocal.net $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/okular.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/openbox.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/opera-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/opera.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/palemoon.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/parole.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/pidgin.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/pix.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/polari.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/psi-plus.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/qbittorrent.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/qtox.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/quassel.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/quiterss.profile $(DESTDIR)/$(sysconfdir)/firejail/. 
+ install -c -m 0644 .etc/qutebrowser.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/rhythmbox.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/rtorrent.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/seamonkey-bin.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/seamonkey.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/server.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/skype.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/snap.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/soffice.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/audacity.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/cpio.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/gzip.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/xzdec.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/spotify.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/ssh.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/steam.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/stellarium.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/strings.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/xz.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/less.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/Telegram.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/atom-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/atom.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/jitsi.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/eom.profile $(DESTDIR)/$(sysconfdir)/firejail/. 
- install -c -m 0644 .etc/Cyberfox.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/telegram.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/thunderbird.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/totem.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/transmission-gtk.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/transmission-qt.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/uget-gtk.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/unbound.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/uudeview.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/vivaldi-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/vivaldi.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/vlc.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/warzone2100.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/webserver.net $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/weechat-curses.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/weechat.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/wesnoth.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/whitelist-common.inc $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/wine.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/xchat.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/xplayer.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/xreader.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/xviewer.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/xz.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/xzdec.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! 
-f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/. rm -fr .etc diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 6e0f86473..5367edfe5 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles 
@@ -1,134 +1,134 @@ -/etc/firejail/evince.profile -/etc/firejail/chromium.profile -/etc/firejail/chromium-browser.profile -/etc/firejail/google-chrome.profile -/etc/firejail/google-chrome-stable.profile -/etc/firejail/google-chrome-beta.profile -/etc/firejail/google-chrome-unstable.profile -/etc/firejail/midori.profile -/etc/firejail/icedove.profile -/etc/firejail/iceweasel.profile -/etc/firejail/dropbox.profile -/etc/firejail/login.users -/etc/firejail/firefox.profile -/etc/firejail/firefox-esr.profile -/etc/firejail/opera.profile -/etc/firejail/opera-beta.profile -/etc/firejail/thunderbird.profile -/etc/firejail/transmission-gtk.profile -/etc/firejail/transmission-qt.profile -/etc/firejail/vlc.profile +/etc/firejail/0ad.profile +/etc/firejail/Cyberfox.profile +/etc/firejail/Mathematica.profile +/etc/firejail/Telegram.profile +/etc/firejail/abrowser.profile +/etc/firejail/atom-beta.profile +/etc/firejail/atom.profile +/etc/firejail/atril.profile /etc/firejail/audacious.profile +/etc/firejail/audacity.profile +/etc/firejail/aweather.profile +/etc/firejail/bitlbee.profile +/etc/firejail/brave.profile +/etc/firejail/cherrytree.profile +/etc/firejail/chromium-browser.profile +/etc/firejail/chromium.profile /etc/firejail/clementine.profile -/etc/firejail/epiphany.profile -/etc/firejail/qtox.profile -/etc/firejail/polari.profile -/etc/firejail/gnome-mplayer.profile -/etc/firejail/rhythmbox.profile -/etc/firejail/totem.profile -/etc/firejail/deluge.profile -/etc/firejail/qbittorrent.profile +/etc/firejail/cmus.profile +/etc/firejail/conkeror.profile +/etc/firejail/corebird.profile +/etc/firejail/cpio.profile +/etc/firejail/cyberfox.profile +/etc/firejail/deadbeef.profile /etc/firejail/default.profile -/etc/firejail/xchat.profile -/etc/firejail/server.profile -/etc/firejail/quassel.profile -/etc/firejail/pidgin.profile -/etc/firejail/filezilla.profile -/etc/firejail/empathy.profile +/etc/firejail/deluge.profile +/etc/firejail/dillo.profile /etc/firejail/disable-common.inc 
-/etc/firejail/deadbeef.profile -/etc/firejail/icecat.profile -/etc/firejail/fbreader.profile -/etc/firejail/spotify.profile -/etc/firejail/skype.profile -/etc/firejail/steam.profile -/etc/firejail/wine.profile /etc/firejail/disable-devel.inc -/etc/firejail/conkeror.profile -/etc/firejail/unbound.profile +/etc/firejail/disable-passwdmgr.inc +/etc/firejail/disable-programs.inc /etc/firejail/dnscrypt-proxy.profile -/etc/firejail/whitelist-common.inc -/etc/firejail/nolocal.net -/etc/firejail/webserver.net -/etc/firejail/bitlbee.profile -/etc/firejail/weechat.profile -/etc/firejail/weechat-curses.profile -/etc/firejail/hexchat.profile -/etc/firejail/rtorrent.profile -/etc/firejail/parole.profile -/etc/firejail/kmail.profile -/etc/firejail/seamonkey.profile -/etc/firejail/seamonkey-bin.profile -/etc/firejail/telegram.profile -/etc/firejail/mathematica.profile -/etc/firejail/Mathematica.profile -/etc/firejail/uget-gtk.profile -/etc/firejail/mupen64plus.profile -/etc/firejail/lxterminal.profile -/etc/firejail/cherrytree.profile -/etc/firejail/wesnoth.profile -/etc/firejail/hedgewars.profile -/etc/firejail/vivaldi.profile -/etc/firejail/vivaldi-beta.profile -/etc/firejail/atril.profile +/etc/firejail/dnsmasq.profile +/etc/firejail/dropbox.profile +/etc/firejail/empathy.profile +/etc/firejail/eom.profile +/etc/firejail/epiphany.profile +/etc/firejail/evince.profile +/etc/firejail/fbreader.profile +/etc/firejail/filezilla.profile +/etc/firejail/firefox-esr.profile +/etc/firejail/firefox.profile /etc/firejail/firejail.config -/etc/firejail/qutebrowser.profile /etc/firejail/flashpeak-slimjet.profile -/etc/firejail/ssh.profile -/etc/firejail/openbox.profile -/etc/firejail/disable-programs.inc -/etc/firejail/disable-passwdmgr.inc -/etc/firejail/dillo.profile -/etc/firejail/cmus.profile -/etc/firejail/dnsmasq.profile -/etc/firejail/palemoon.profile -/etc/firejail/abrowser.profile -/etc/firejail/0ad.profile -/etc/firejail/netsurf.profile -/etc/firejail/warzone2100.profile 
-/etc/firejail/okular.profile -/etc/firejail/gwenview.profile -/etc/firejail/gpredict.profile -/etc/firejail/aweather.profile -/etc/firejail/stellarium.profile -/etc/firejail/google-play-music-desktop-player.profile -/etc/firejail/quiterss.profile -/etc/firejail/cyberfox.profile -/etc/firejail/Cyberfox.profile -/etc/firejail/snap.profile -/etc/firejail/xplayer.profile -/etc/firejail/xreader.profile -/etc/firejail/xviewer.profile -/etc/firejail/mcabber.profile -/etc/firejail/corebird.profile -/etc/firejail/konversation.profile -/etc/firejail/psi-plus.profile -/etc/firejail/brave.profile +/etc/firejail/franz.profile /etc/firejail/gitter.profile +/etc/firejail/gnome-mplayer.profile +/etc/firejail/google-chrome-beta.profile +/etc/firejail/google-chrome-stable.profile +/etc/firejail/google-chrome-unstable.profile +/etc/firejail/google-chrome.profile +/etc/firejail/google-play-music-desktop-player.profile +/etc/firejail/gpredict.profile /etc/firejail/gthumb.profile -/etc/firejail/mpv.profile -/etc/firejail/franz.profile +/etc/firejail/gwenview.profile +/etc/firejail/gzip.profile +/etc/firejail/hedgewars.profile +/etc/firejail/hexchat.profile +/etc/firejail/icecat.profile +/etc/firejail/icedove.profile +/etc/firejail/iceweasel.profile +/etc/firejail/jitsi.profile +/etc/firejail/kmail.profile +/etc/firejail/konversation.profile +/etc/firejail/less.profile /etc/firejail/libreoffice.profile /etc/firejail/localc.profile /etc/firejail/lodraw.profile /etc/firejail/loffice.profile /etc/firejail/lofromtemplate.profile +/etc/firejail/login.users /etc/firejail/loimpress.profile /etc/firejail/lomath.profile /etc/firejail/loweb.profile /etc/firejail/lowriter.profile +/etc/firejail/lxterminal.profile +/etc/firejail/mathematica.profile +/etc/firejail/mcabber.profile +/etc/firejail/midori.profile +/etc/firejail/mpv.profile +/etc/firejail/mupen64plus.profile +/etc/firejail/netsurf.profile +/etc/firejail/nolocal.net +/etc/firejail/okular.profile +/etc/firejail/openbox.profile 
+/etc/firejail/opera-beta.profile +/etc/firejail/opera.profile +/etc/firejail/palemoon.profile +/etc/firejail/parole.profile +/etc/firejail/pidgin.profile /etc/firejail/pix.profile +/etc/firejail/polari.profile +/etc/firejail/psi-plus.profile +/etc/firejail/qbittorrent.profile +/etc/firejail/qtox.profile +/etc/firejail/quassel.profile +/etc/firejail/quiterss.profile +/etc/firejail/qutebrowser.profile +/etc/firejail/rhythmbox.profile +/etc/firejail/rtorrent.profile +/etc/firejail/seamonkey-bin.profile +/etc/firejail/seamonkey.profile +/etc/firejail/server.profile +/etc/firejail/skype.profile +/etc/firejail/snap.profile /etc/firejail/soffice.profile -/etc/firejail/audacity.profile -/etc/firejail/cpio.profile -/etc/firejail/gzip.profile -/etc/firejail/xzdec.profile +/etc/firejail/spotify.profile +/etc/firejail/ssh.profile +/etc/firejail/steam.profile +/etc/firejail/stellarium.profile /etc/firejail/strings.profile -/etc/firejail/xz.profile -/etc/firejail/less.profile -/etc/firejail/Telegram.profile -/etc/firejail/atom-beta.profile -/etc/firejail/atom.profile -/etc/firejail/jitsi.profile -/etc/firejail/eom.profile +/etc/firejail/telegram.profile +/etc/firejail/thunderbird.profile +/etc/firejail/totem.profile +/etc/firejail/transmission-gtk.profile +/etc/firejail/transmission-qt.profile +/etc/firejail/uget-gtk.profile +/etc/firejail/unbound.profile /etc/firejail/uudeview.profile +/etc/firejail/vivaldi-beta.profile +/etc/firejail/vivaldi.profile +/etc/firejail/vlc.profile +/etc/firejail/warzone2100.profile +/etc/firejail/webserver.net +/etc/firejail/weechat-curses.profile +/etc/firejail/weechat.profile +/etc/firejail/wesnoth.profile +/etc/firejail/whitelist-common.inc +/etc/firejail/wine.profile +/etc/firejail/xchat.profile +/etc/firejail/xplayer.profile +/etc/firejail/xreader.profile +/etc/firejail/xviewer.profile +/etc/firejail/xz.profile +/etc/firejail/xzdec.profile -- cgit v1.2.3-70-g09d2 From b1bfd95157c23fd0bc5ed6eaf37a351e7e6fdee9 Mon Sep 17 00:00:00 2001 
From: Thomas Jarosch Date: Sat, 30 Jul 2016 10:16:09 +0200 Subject: Remove double-listed icedove.profile Also checked Makefile.in and platform/debian/conffiles for missing / duplicate files. --- Makefile.in | 1 - 1 file changed, 1 deletion(-) diff --git a/Makefile.in b/Makefile.in index 0d91f6288..44833021e 100644 --- a/Makefile.in +++ b/Makefile.in @@ -151,7 +151,6 @@ realinstall: install -c -m 0644 .etc/hexchat.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/icecat.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/icedove.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/icedove.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/iceweasel.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/jitsi.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/kmail.profile $(DESTDIR)/$(sysconfdir)/firejail/. -- cgit v1.2.3-70-g09d2 From c2046e3bfd6df89362b7cc564377c6326393d009 Mon Sep 17 00:00:00 2001 From: Al S Date: Sat, 30 Jul 2016 13:47:27 +0300 Subject: Add new skypeforlinux profile. Per recommendation of @netblue30, allow use of the netlink protocol in order for skypeforlinux to properly function in a firejail environment, per discussion in Github issue #656. --- etc/skypeforlinux.profile | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 etc/skypeforlinux.profile diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile new file mode 100644 index 000000000..a1d8487c8 --- /dev/null +++ b/etc/skypeforlinux.profile @@ -0,0 +1,12 @@ +# skypeforlinux profile +noblacklist ${HOME}/.config/skypeforlinux +include /etc/firejail/disable-mgmt.inc +include /etc/firejail/disable-secret.inc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-terminals.inc +caps.drop all +netfilter +noroot +seccomp +protocol unix,inet,inet6,netlink -- cgit v1.2.3-70-g09d2 
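Review bot: The new profile includes `/etc/firejail/disable-mgmt.inc`, `disable-secret.inc` and `disable-terminals.inc`, none of which is in the `realinstall` list in Makefile.in on this page. That list ships only `disable-common.inc`, `disable-devel.inc`, `disable-passwdmgr.inc` and `disable-programs.inc`. If the three files no longer exist, the profile would presumably either fail to load or run without the blacklists they were meant to supply. The includes should probably be the shipped set, adding `include /etc/firejail/disable-programs.inc` and `include /etc/firejail/disable-passwdmgr.inc` in place of the three missing names. The commit also changes only etc/skypeforlinux.profile, so the profile is not added to Makefile.in or platform/debian/conffiles and would not be installed by `realinstall`.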
From 8643c07e5e33756be57571793e076b8177c4a3b0 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 30 Jul 2016 07:48:54 -0400 Subject: fixes --- README | 12 ++++++++---- todo | 11 +++++++++++ 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/README b/README index 7b28226e4..200a7ef72 100644 --- a/README +++ b/README @@ -25,9 +25,16 @@ Reiner Herrmann (https://github.com/reinerh) - clang-analyzer fixes - Debian reproducible build - unit testing framework +xee5ch (https://github.com/xee5ch) + - skypeforlinux profile +Peter Hogg (https://github.com/pigmonkey) + - WeeChat profile + - rtorrent profile + - bitlbee profile fixes Thomas Jarosch (https://github.com/thomasjfox) - disable keepassx in disable-passwdmgr.inc - added uudeview profile + - improved profile list Niklas Haas (https://github.com/haasn) - blacklisting for keybase.io's client Aleksey Manevich (https://github.com/manevich) @@ -35,7 +42,7 @@ Aleksey Manevich (https://github.com/manevich) - fix problem with relative path in storage_find function - fix build for systems without bash - fix double quotes/single quotes problem - - big rework of argument processing subsytem + - big rework of argument processing subsystem - --join fixes Fred-Barclay (https://github.com/Fred-Barclay) - added Vivaldi, Atril profiles @@ -180,9 +187,6 @@ Veeti Paananen (https://github.com/veeti) - fixed Spotify profile Rahiel Kasim (https://github.com/rahiel) - whitelist keysnail config for firefox -Peter Hogg (https://github.com/pigmonkey) - - WeeChat profile - - rtorrent profile rogshdo (https://github.com/rogshdo) - BitlBee profile Bruno Nova (https://github.com/brunonova) diff --git a/todo b/todo index 30e8f3949..97632fa9c 100644 --- a/todo +++ b/todo 
@@ -246,3 +246,14 @@ References https://twit.tv/shows/floss-weekly/episodes/389 22. add support for read-write and noexec to Firetools + + +23. AppArmor + +$ sudo perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub +$ sudo update-grub +$ sudo reboot + +$ ps auxZ | grep -v '^unconfined' + + -- cgit v1.2.3-70-g09d2 From 51b6070aec91b3ac294131fdf2e0663eb4992a42 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Sat, 30 Jul 2016 15:13:35 +0300 Subject: fix cmdline quoting on --join + move cmdline quoting code to functions --- src/firejail/cmdline.c | 147 +++++++++++++++++++++++++++++++++++++++++++++++++ src/firejail/join.c | 24 +------- src/firejail/main.c | 104 +--------------------------------- 3 files changed, 150 insertions(+), 125 deletions(-) create mode 100644 src/firejail/cmdline.c diff --git a/src/firejail/cmdline.c b/src/firejail/cmdline.c new file mode 100644 index 000000000..9818f8ffa --- /dev/null +++ b/src/firejail/cmdline.c 
@@ -0,0 +1,147 @@ +/* + * Copyright (C) 2014-2016 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ + +#include "firejail.h" +#include +#include +#include +#include +#include +#include + +int cmdline_length(int argc, char **argv, int index) { + int i,j; + int len = 0; + int argcnt = argc - index; + bool in_quotes = false; + + for (i = 0; i < argcnt; i++) { + in_quotes = false; + for (j = 0; j < strlen(argv[i + index]); j++) { + if (argv[i + index][j] == '\'') { + if (in_quotes) + len++; + if (j > 0 && argv[i + index][j-1] == '\'') + len++; + else + len += 3; + in_quotes = false; + } else { + if (!in_quotes) + len++; + len++; + in_quotes = true; + } + } + if (in_quotes) { + len++; + } + if (strlen(argv[i + index]) == 0) { + len += 2; + } + len++; + } + + return len; +} + +void quote_cmdline(char *command_line, char *window_title, int len, int argc, char **argv, int index) { + int i,j; + int argcnt = argc - index; + bool in_quotes = false; + char *ptr1 = command_line; + char *ptr2 = window_title; + + for (i = 0; i < argcnt; i++) { + + // enclose args by single quotes, + // and since single quote can't be represented in single quoted text + // each occurence of it should be enclosed by double quotes + in_quotes = false; + for (j = 
0; j < strlen(argv[i + index]); j++) { + // single quote + if (argv[i + index][j] == '\'') { + if (in_quotes) { + // close quotes + ptr1[0] = '\''; + ptr1++; + } + // previous char was single quote too + if (j > 0 && argv[i + index][j-1] == '\'') { + ptr1--; + sprintf(ptr1, "\'\""); + } + // this first in series + else + { + sprintf(ptr1, "\"\'\""); + } + ptr1 += strlen(ptr1); + in_quotes = false; + } + // anything other + else + { + if (!in_quotes) { + // open quotes + ptr1[0] = '\''; + ptr1++; + } + ptr1[0] = argv[i + index][j]; + ptr1++; + in_quotes = true; + } + } + // close quotes + if (in_quotes) { + ptr1[0] = '\''; + ptr1++; + } + // handle empty argument case + if (strlen(argv[i + index]) == 0) { + sprintf(ptr1, "\'\'"); + ptr1 += strlen(ptr1); + } + // add space + sprintf(ptr1, " "); + ptr1 += strlen(ptr1); + + sprintf(ptr2, "%s ", argv[i + index]); + ptr2 += strlen(ptr2); + } + + assert(len == strlen(command_line)); +} + +void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index) { + int len = cmdline_length(argc, argv, index); + + *command_line = malloc(len + 1); + if (!*command_line) + errExit("malloc"); + *window_title = malloc(len + 1); + if (!*window_title) + errExit("malloc"); + + quote_cmdline(*command_line, *window_title, len, argc, argv, index); + + assert(*command_line); + assert(*window_title); +} diff --git a/src/firejail/join.c b/src/firejail/join.c index c14108986..0b5b6a34a 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c 
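Review bot: quote_cmdline (src/firejail/cmdline.c) never writes a terminator when `argc == index`: the loop body is the only place that stores into the buffers, so build_cmdline hands back two uninitialised one-byte allocations and the trailing `assert(len == strlen(command_line))` reads them. Starting the function with `*command_line = '\0'; *window_title = '\0';` makes the empty case well defined. Separately, that assert is the only size check, it runs after every unbounded `sprintf` has already written, and it is compiled out under NDEBUG, so the buffers are safe only while cmdline_length mirrors the quoting rules exactly. A comment stating that contract (len must come from cmdline_length for the same argc, argv and index, and both buffers hold len + 1 bytes) and a runtime check in place of the assert would make a future mismatch fail loudly.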
@@ -49,29 +49,9 @@ static void extract_command(int argc, char **argv, int index) { exit(1); } - - int len = 0; - int i; - // calculate command length - for (i = index; i < argc; i++) { - len += strlen(argv[i]) + 3; - } - assert(len > 0); - // build command - cfg.command_line = malloc(len + 1); - *cfg.command_line = '\0'; - for (i = index; i < argc; i++) { - if (strchr(argv[i], '&')) { - strcat(cfg.command_line, "\'"); - strcat(cfg.command_line, argv[i]); - strcat(cfg.command_line, "\' "); - } - else { - strcat(cfg.command_line, argv[i]); - strcat(cfg.command_line, " "); - } - } + build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, index); + if (arg_debug) printf("Extracted command #%s#\n", cfg.command_line); } diff --git a/src/firejail/main.c b/src/firejail/main.c index cbc3d57cf..e86d78ff1 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c 
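Review bot: The removed `assert(len > 0)` in extract_command (src/firejail/join.c) has no replacement, so this function no longer rejects an empty command before handing `index` to build_cmdline. The check that ends in `exit(1)` just above the hunk may already guarantee `index < argc`, but it starts outside the hunk, so that is worth confirming; if it does, a comment such as `// index < argc is guaranteed by the check above` would record the assumption. The call also now allocates and fills `cfg.window_title` on the join path, which the old code here did not touch.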
@@ -2004,109 +2004,7 @@ int main(int argc, char **argv) { cfg.window_title = "appimage"; } else { - // calculate the length of the command - int i; - int len = 0; - int argcnt = argc - prog_index; - int j; - bool in_quotes = false; - - for (i = 0; i < argcnt; i++) { - in_quotes = false; - for (j = 0; j < strlen(argv[i + prog_index]); j++) { - if (argv[i + prog_index][j] == '\'') { - if (in_quotes) - len++; - if (j > 0 && argv[i + prog_index][j-1] == '\'') - len++; - else - len += 3; - in_quotes = false; - } else { - if (!in_quotes) - len++; - len++; - in_quotes = true; - } - } - if (in_quotes) { - len++; - } - if (strlen(argv[i + prog_index]) == 0) { - len += 2; - } - len++; - } - - // build the string - cfg.command_line = malloc(len + 1); // + '\0' - if (!cfg.command_line) - errExit("malloc"); - cfg.window_title = malloc(len + 1); // + '\0' - if (!cfg.window_title) - errExit("malloc"); - - char *ptr1 = cfg.command_line; - char *ptr2 = cfg.window_title; - for (i = 0; i < argcnt; i++) { - - // enclose args by single quotes, - // and since single quote can't be represented in single quoted text - // each occurence of it should be enclosed by double quotes - in_quotes = false; - for (j = 0; j < strlen(argv[i + prog_index]); j++) { - // single quote - if (argv[i + prog_index][j] == '\'') { - if (in_quotes) { - // close quotes - ptr1[0] = '\''; - ptr1++; - } - // previous char was single quote too - if (j > 0 && argv[i + prog_index][j-1] == '\'') { - ptr1--; - sprintf(ptr1, "\'\""); - } - // this first in series - else - { - sprintf(ptr1, "\"\'\""); - } - ptr1 += strlen(ptr1); - in_quotes = false; - } - // anything other - else - { - if (!in_quotes) { - // open quotes - ptr1[0] = '\''; - ptr1++; - } - ptr1[0] = argv[i + prog_index][j]; - ptr1++; - in_quotes = true; - } - } - // close quotes - if (in_quotes) { - ptr1[0] = '\''; - ptr1++; - } - // handle empty argument case - if (strlen(argv[i + prog_index]) == 0) { - sprintf(ptr1, "\'\'"); - ptr1 += strlen(ptr1); - } - 
// add space - sprintf(ptr1, " "); - ptr1 += strlen(ptr1); - - sprintf(ptr2, "%s ", argv[i + prog_index]); - ptr2 += strlen(ptr2); - } - - assert(len == strlen(cfg.command_line)); + build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index); } assert(cfg.command_name); -- cgit v1.2.3-70-g09d2 From 0545762da33ad670681f7c2570eadcd831d14278 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Sat, 30 Jul 2016 15:30:47 +0300 Subject: exit with error if length of quoted command line is longer than ARG_MAX --- src/firejail/cmdline.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/firejail/cmdline.c b/src/firejail/cmdline.c index 9818f8ffa..517124d9e 100644 --- a/src/firejail/cmdline.c +++ b/src/firejail/cmdline.c @@ -132,6 +132,10 @@ void quote_cmdline(char *command_line, char *window_title, int len, int argc, ch void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index) { int len = cmdline_length(argc, argv, index); + if (len > ARG_MAX) { + errno = E2BIG; + errExit("cmdline_length"); + } *command_line = malloc(len + 1); if (!*command_line) -- cgit v1.2.3-70-g09d2 From 4bc2b1184eb52efdbf1892e2258ff617447b95f7 Mon Sep 17 00:00:00 2001 From: Reiner Herrmann Date: Sat, 30 Jul 2016 15:22:27 +0200 Subject: Use xz compression for source tarball --- Makefile.in | 4 ++-- mkdeb.sh | 4 ++-- src/tools/mkcoverit.sh | 6 +++--- test/dist-compile/compile.sh | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/Makefile.in b/Makefile.in index 44833021e..b5b74c231 100644 --- a/Makefile.in +++ b/Makefile.in 
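Review bot: The new `len > ARG_MAX` test in build_cmdline (src/firejail/cmdline.c) runs only after cmdline_length has finished summing into an `int`, so it bounds the allocation but not the accumulation itself; rejecting inside cmdline_length's loop as soon as the running total passes the limit would keep `len` from ever growing beyond it. The hunk also relies on `ARG_MAX`, `errno` and `E2BIG` being declared, and the file's include list is not readable on this page, so confirm `<limits.h>` and `<errno.h>` are among the headers. Because quoting can make the result longer than the raw arguments, a comment such as `// limit applies to the quoted length, which can exceed the raw argv size` would explain why a command line the kernel accepted can still be refused here.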
@@ -290,13 +290,13 @@ DISTFILES_TEST = "test/apps test/apps-x11 test/environment test/profiles test/ut dist: make distclean - rm -fr $(NAME)-$(VERSION) $(NAME)-$(VERSION).tar.bz2 + rm -fr $(NAME)-$(VERSION) $(NAME)-$(VERSION).tar.xz mkdir -p $(NAME)-$(VERSION)/test cp -a "$(DISTFILES)" $(NAME)-$(VERSION) cp -a "$(DISTFILES_TEST)" $(NAME)-$(VERSION)/test rm -rf $(NAME)-$(VERSION)/src/tools find $(NAME)-$(VERSION) -name .svn -delete - tar -cjvf $(NAME)-$(VERSION).tar.bz2 $(NAME)-$(VERSION) + tar -cJvf $(NAME)-$(VERSION).tar.xz $(NAME)-$(VERSION) rm -fr $(NAME)-$(VERSION) deb: dist diff --git a/mkdeb.sh b/mkdeb.sh index 71c3b9a04..be8d618e1 100755 --- a/mkdeb.sh +++ b/mkdeb.sh @@ -3,7 +3,7 @@ # a code archive should already be available TOP=`pwd` -CODE_ARCHIVE="$1-$2.tar.bz2" +CODE_ARCHIVE="$1-$2.tar.xz" CODE_DIR="$1-$2" INSTALL_DIR="${INSTALL_DIR}${CODE_DIR}/debian" DEBIAN_CTRL_DIR="${DEBIAN_CTRL_DIR}${CODE_DIR}/debian/DEBIAN" @@ -15,7 +15,7 @@ echo "install directory: $INSTALL_DIR" echo "debian control directory: $DEBIAN_CTRL_DIR" echo "*****************************************" -tar -xjvf $CODE_ARCHIVE +tar -xJvf $CODE_ARCHIVE #mkdir -p $INSTALL_DIR cd $CODE_DIR ./configure --prefix=/usr diff --git a/src/tools/mkcoverit.sh b/src/tools/mkcoverit.sh index 4af84a7a1..65b06f9fa 100755 --- a/src/tools/mkcoverit.sh +++ b/src/tools/mkcoverit.sh @@ -1,13 +1,13 @@ #!/bin/bash # unpack firejail archive -ARCFIREJAIL=`ls *.tar.bz2| grep firejail` +ARCFIREJAIL=`ls *.tar.xz| grep firejail` if [ "$?" -eq 0 ]; then echo "preparing $ARCFIREJAIL" - DIRFIREJAIL=`basename $ARCFIREJAIL .tar.bz2` + DIRFIREJAIL=`basename $ARCFIREJAIL .tar.xz` rm -fr $DIRFIREJAIL - tar -xjvf $ARCFIREJAIL + tar -xJvf $ARCFIREJAIL cd $DIRFIREJAIL ./configure --prefix=/usr cd .. diff --git a/test/dist-compile/compile.sh b/test/dist-compile/compile.sh index 2d055c1bd..6332bee9a 100755 --- a/test/dist-compile/compile.sh +++ b/test/dist-compile/compile.sh 
@@ -55,7 +55,7 @@ cleanup #***************************************************************** print_title "${arr[1]}" echo "$DIST" -tar -xjvf ../../$DIST.tar.bz2 +tar -xJvf ../../$DIST.tar.xz mv $DIST firejail cd firejail -- cgit v1.2.3-70-g09d2 From 6d9b627bc2c9884068078842d941aa8daa78b777 Mon Sep 17 00:00:00 2001 From: Reiner Herrmann Date: Sat, 30 Jul 2016 15:31:10 +0200 Subject: Create detached signature for source tarball (Closes #204) --- mkasc.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/mkasc.sh b/mkasc.sh index 2c9836f17..4d5b73e20 100755 --- a/mkasc.sh +++ b/mkasc.sh @@ -6,5 +6,6 @@ cd /transfer sha256sum * > firejail-$1-unsigned gpg --clearsign --digest-algo SHA256 < firejail-$1-unsigned > firejail-$1.asc gpg --verify firejail-$1.asc +gpg --detach-sign --armor firejail-$1.tar.xz rm firejail-$1-unsigned -- cgit v1.2.3-70-g09d2 From d5fbe94f06bcb52fb017883546e0d477fac097ba Mon Sep 17 00:00:00 2001 From: Thomas Jarosch Date: Sat, 30 Jul 2016 16:16:30 +0200 Subject: Include mkuid.sh in "make dist" Fixes the rpm build from the tarball. --- Makefile.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile.in b/Makefile.in index 44833021e..04e93eec2 100644 --- a/Makefile.in +++ b/Makefile.in @@ -285,7 +285,7 @@ uninstall: rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg -DISTFILES = "src etc platform configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh COPYING README RELNOTES" +DISTFILES = "src etc platform configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES" DISTFILES_TEST = "test/apps test/apps-x11 test/environment test/profiles test/utils test/compile test/dist-compile test/filters test/network test/fs test/sysutils" dist: -- cgit v1.2.3-70-g09d2 From 0657c20377d6f8d80f143e9c6a336601c8bbd2e2 Mon Sep 17 00:00:00 2001 
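Review bot: The added `gpg --detach-sign --armor firejail-$1.tar.xz` line in mkasc.sh does not pin the digest the way the clearsign line above it does with `--digest-algo SHA256`, and the new signature is never checked, while the clearsigned file gets a `gpg --verify`. I would write `gpg --detach-sign --armor --digest-algo SHA256 "firejail-$1.tar.xz"` and follow it with `gpg --verify "firejail-$1.tar.xz.asc" "firejail-$1.tar.xz"`. Quoting `$1` also keeps a version argument with unexpected characters from being word-split or glob-expanded.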
From: Reiner Herrmann Date: Sat, 30 Jul 2016 17:58:25 +0200 Subject: Allow recursive mkdir (Closes #305) --- etc/0ad.profile | 4 ---- etc/abrowser.profile | 2 -- etc/aweather.profile | 1 - etc/brave.profile | 1 - etc/cherrytree.profile | 2 -- etc/chromium.profile | 2 -- etc/cyberfox.profile | 1 - etc/dropbox.profile | 1 - etc/epiphany.profile | 4 ---- etc/firefox.profile | 2 -- etc/flashpeak-slimjet.profile | 2 -- etc/franz.profile | 2 -- etc/google-chrome-beta.profile | 2 -- etc/google-chrome-unstable.profile | 2 -- etc/google-chrome.profile | 2 -- etc/gpredict.profile | 1 - etc/hexchat.profile | 1 - etc/icedove.profile | 1 - etc/mupen64plus.profile | 3 --- etc/netsurf.profile | 2 -- etc/opera-beta.profile | 2 -- etc/opera.profile | 2 -- etc/palemoon.profile | 2 -- etc/polari.profile | 4 ---- etc/psi-plus.profile | 4 ---- etc/quiterss.profile | 3 --- etc/qutebrowser.profile | 1 - etc/seamonkey.profile | 3 --- etc/spotify.profile | 4 ---- etc/stellarium.profile | 1 - etc/thunderbird.profile | 1 - etc/uget-gtk.profile | 1 - etc/vivaldi.profile | 2 -- etc/wesnoth.profile | 4 ---- etc/whitelist-common.inc | 1 - src/firejail/fs_mkdir.c | 39 +++++++++++++++++++++++++++++++++----- src/man/firejail-profile.txt | 8 ++------ test/fs/fs.sh | 3 ++- test/fs/mkdir.exp | 20 +++++++++++++++++++ test/fs/mkdir.profile | 2 ++ 40 files changed, 60 insertions(+), 85 deletions(-) create mode 100755 test/fs/mkdir.exp create mode 100644 test/fs/mkdir.profile diff --git a/etc/0ad.profile b/etc/0ad.profile index 11fb45463..217cdeee0 100644 --- a/etc/0ad.profile +++ b/etc/0ad.profile @@ -8,16 +8,12 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc # Whitelists -mkdir ~/.cache mkdir ~/.cache/0ad whitelist ~/.cache/0ad -mkdir ~/.config mkdir ~/.config/0ad whitelist ~/.config/0ad -mkdir ~/.local -mkdir ~/.local/share mkdir ~/.local/share/0ad whitelist ~/.local/share/0ad 
diff --git a/etc/abrowser.profile b/etc/abrowser.profile index 65247e7d3..4aa18aa90 100644 --- a/etc/abrowser.profile +++ b/etc/abrowser.profile @@ -17,8 +17,6 @@ tracelog whitelist ${DOWNLOADS} mkdir ~/.mozilla whitelist ~/.mozilla -mkdir ~/.cache -mkdir ~/.cache/mozilla mkdir ~/.cache/mozilla/abrowser whitelist ~/.cache/mozilla/abrowser whitelist ~/dwhelper diff --git a/etc/aweather.profile b/etc/aweather.profile index d617fb701..da93e8ba3 100644 --- a/etc/aweather.profile +++ b/etc/aweather.profile @@ -6,7 +6,6 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc # Whitelist -mkdir ~/.config mkdir ~/.config/aweather whitelist ~/.config/aweather diff --git a/etc/brave.profile b/etc/brave.profile index 4c42e9faa..4fc3a5bb0 100644 --- a/etc/brave.profile +++ b/etc/brave.profile @@ -14,6 +14,5 @@ seccomp whitelist ${DOWNLOADS} -mkdir ~/.config mkdir ~/.config/brave whitelist ~/.config/brave diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index 7b6238d98..76ee70679 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile @@ -7,10 +7,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc whitelist ${HOME}/cherrytree -mkdir ~/.config mkdir ~/.config/cherrytree whitelist ${HOME}/.config/cherrytree/ -mkdir ~/.local mkdir ~/.local/share whitelist ${HOME}/.local/share/ diff --git a/etc/chromium.profile b/etc/chromium.profile index 7cf2853ca..0d383aebf 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile @@ -11,10 +11,8 @@ include /etc/firejail/disable-programs.inc netfilter whitelist ${DOWNLOADS} -mkdir ~/.config mkdir ~/.config/chromium whitelist ~/.config/chromium -mkdir ~/.cache mkdir ~/.cache/chromium whitelist ~/.cache/chromium mkdir ~/.pki diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile index afa77d1d4..ae487fa3c 100644 --- a/etc/cyberfox.profile +++ b/etc/cyberfox.profile 
@@ -17,7 +17,6 @@ tracelog whitelist ${DOWNLOADS} mkdir ~/.8pecxstudios whitelist ~/.8pecxstudios -mkdir ~/.cache mkdir ~/.cache/8pecxstudios whitelist ~/.cache/8pecxstudios whitelist ~/dwhelper diff --git a/etc/dropbox.profile b/etc/dropbox.profile index 71e019f8c..40efd62b2 100644 --- a/etc/dropbox.profile +++ b/etc/dropbox.profile @@ -17,6 +17,5 @@ whitelist ~/.dropbox mkdir ~/.dropbox-dist whitelist ~/.dropbox-dist -mkdir ~/.config/autostart mkfile ~/.config/autostart/dropbox.desktop whitelist ~/.config/autostart/dropbox.desktop diff --git a/etc/epiphany.profile b/etc/epiphany.profile index 57191429a..0e898f02b 100644 --- a/etc/epiphany.profile +++ b/etc/epiphany.profile @@ -8,14 +8,10 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc whitelist ${DOWNLOADS} -mkdir ${HOME}/.local -mkdir ${HOME}/.local/share mkdir ${HOME}/.local/share/epiphany whitelist ${HOME}/.local/share/epiphany -mkdir ${HOME}/.config mkdir ${HOME}/.config/epiphany whitelist ${HOME}/.config/epiphany -mkdir ${HOME}/.cache mkdir ${HOME}/.cache/epiphany whitelist ${HOME}/.cache/epiphany include /etc/firejail/whitelist-common.inc diff --git a/etc/firefox.profile b/etc/firefox.profile index 2cc4d3cd8..170d0fe10 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile @@ -17,8 +17,6 @@ tracelog whitelist ${DOWNLOADS} mkdir ~/.mozilla whitelist ~/.mozilla -mkdir ~/.cache -mkdir ~/.cache/mozilla mkdir ~/.cache/mozilla/firefox whitelist ~/.cache/mozilla/firefox whitelist ~/dwhelper diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile index f248c385a..7e0eb486b 100644 --- a/etc/flashpeak-slimjet.profile +++ b/etc/flashpeak-slimjet.profile @@ -22,10 +22,8 @@ protocol unix,inet,inet6,netlink seccomp whitelist ${DOWNLOADS} -mkdir ~/.config mkdir ~/.config/slimjet whitelist ~/.config/slimjet -mkdir ~/.cache mkdir ~/.cache/slimjet whitelist ~/.cache/slimjet mkdir ~/.pki 
diff --git a/etc/franz.profile b/etc/franz.profile index fc4a665de..3cb7942ab 100644 --- a/etc/franz.profile +++ b/etc/franz.profile @@ -14,10 +14,8 @@ nonewprivs noroot whitelist ${DOWNLOADS} -mkdir ~/.config mkdir ~/.config/Franz whitelist ~/.config/Franz -mkdir ~/.cache mkdir ~/.cache/Franz whitelist ~/.cache/Franz mkdir ~/.pki diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile index 11f9f9e33..fe870274f 100644 --- a/etc/google-chrome-beta.profile +++ b/etc/google-chrome-beta.profile @@ -11,10 +11,8 @@ include /etc/firejail/disable-programs.inc netfilter whitelist ${DOWNLOADS} -mkdir ~/.config mkdir ~/.config/google-chrome-beta whitelist ~/.config/google-chrome-beta -mkdir ~/.cache mkdir ~/.cache/google-chrome-beta whitelist ~/.cache/google-chrome-beta mkdir ~/.pki diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile index f253e5a90..f6680ac2d 100644 --- a/etc/google-chrome-unstable.profile +++ b/etc/google-chrome-unstable.profile @@ -11,10 +11,8 @@ include /etc/firejail/disable-programs.inc netfilter whitelist ${DOWNLOADS} -mkdir ~/.config mkdir ~/.config/google-chrome-unstable whitelist ~/.config/google-chrome-unstable -mkdir ~/.cache mkdir ~/.cache/google-chrome-unstable whitelist ~/.cache/google-chrome-unstable mkdir ~/.pki diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile index 5e168aae5..a9fcebe73 100644 --- a/etc/google-chrome.profile +++ b/etc/google-chrome.profile @@ -11,10 +11,8 @@ include /etc/firejail/disable-programs.inc netfilter whitelist ${DOWNLOADS} -mkdir ~/.config mkdir ~/.config/google-chrome whitelist ~/.config/google-chrome -mkdir ~/.cache mkdir ~/.cache/google-chrome whitelist ~/.cache/google-chrome mkdir ~/.pki diff --git a/etc/gpredict.profile b/etc/gpredict.profile index 02bb4d24d..a8378a66e 100644 --- a/etc/gpredict.profile +++ b/etc/gpredict.profile 
@@ -6,7 +6,6 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc # Whitelist -mkdir ~/.config mkdir ~/.config/Gpredict whitelist ~/.config/Gpredict diff --git a/etc/hexchat.profile b/etc/hexchat.profile index 4e829c379..0d7ee6594 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile @@ -13,7 +13,6 @@ netfilter protocol unix,inet,inet6 seccomp -mkdir ~/.config mkdir ~/.config/hexchat whitelist ~/.config/hexchat include /etc/firejail/whitelist-common.inc diff --git a/etc/icedove.profile b/etc/icedove.profile index e9a63c8dd..23254751b 100644 --- a/etc/icedove.profile +++ b/etc/icedove.profile @@ -11,7 +11,6 @@ mkdir ~/.icedove whitelist ~/.icedove noblacklist ~/.cache/icedove -mkdir ~/.cache mkdir ~/.cache/icedove whitelist ~/.cache/icedove diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile index d4b442df8..acb13e6b9 100644 --- a/etc/mupen64plus.profile +++ b/etc/mupen64plus.profile @@ -8,11 +8,8 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc -mkdir ${HOME}/.local -mkdir ${HOME}/.local/share mkdir ${HOME}/.local/share/mupen64plus whitelist ${HOME}/.local/share/mupen64plus/ -mkdir ${HOME}/.config mkdir ${HOME}/.config/mupen64plus whitelist ${HOME}/.config/mupen64plus/ diff --git a/etc/netsurf.profile b/etc/netsurf.profile index 3de6be238..1ed2163c2 100644 --- a/etc/netsurf.profile +++ b/etc/netsurf.profile @@ -15,10 +15,8 @@ seccomp tracelog whitelist ${DOWNLOADS} -mkdir ~/.config mkdir ~/.config/netsurf whitelist ~/.config/netsurf -mkdir ~/.cache mkdir ~/.cache/netsurf whitelist ~/.cache/netsurf diff --git a/etc/opera-beta.profile b/etc/opera-beta.profile index 3d6edb286..12c91c744 100644 --- a/etc/opera-beta.profile +++ b/etc/opera-beta.profile 
@@ -8,10 +8,8 @@ include /etc/firejail/disable-devel.inc netfilter whitelist ${DOWNLOADS} -mkdir ~/.config mkdir ~/.config/opera-beta whitelist ~/.config/opera-beta -mkdir ~/.cache mkdir ~/.cache/opera-beta whitelist ~/.cache/opera-beta mkdir ~/.pki diff --git a/etc/opera.profile b/etc/opera.profile index ff00eb349..e0c89a195 100644 --- a/etc/opera.profile +++ b/etc/opera.profile @@ -9,10 +9,8 @@ include /etc/firejail/disable-devel.inc netfilter whitelist ${DOWNLOADS} -mkdir ~/.config mkdir ~/.config/opera whitelist ~/.config/opera -mkdir ~/.cache mkdir ~/.cache/opera whitelist ~/.cache/opera mkdir ~/.opera diff --git a/etc/palemoon.profile b/etc/palemoon.profile index 302c20d7d..acedaebb7 100644 --- a/etc/palemoon.profile +++ b/etc/palemoon.profile @@ -9,8 +9,6 @@ include /etc/firejail/whitelist-common.inc whitelist ${DOWNLOADS} mkdir ~/.moonchild productions whitelist ~/.moonchild productions -mkdir ~/.cache -mkdir ~/.cache/moonchild productions mkdir ~/.cache/moonchild productions/pale moon whitelist ~/.cache/moonchild productions/pale moon diff --git a/etc/polari.profile b/etc/polari.profile index 366883c83..ac9530c40 100644 --- a/etc/polari.profile +++ b/etc/polari.profile @@ -3,18 +3,14 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc -mkdir ${HOME}/.local -mkdir ${HOME}/.local/share/ mkdir ${HOME}/.local/share/Empathy whitelist ${HOME}/.local/share/Empathy mkdir ${HOME}/.local/share/telepathy whitelist ${HOME}/.local/share/telepathy mkdir ${HOME}/.local/share/TpLogger whitelist ${HOME}/.local/share/TpLogger -mkdir ${HOME}/.config mkdir ${HOME}/.config/telepathy-account-widgets whitelist ${HOME}/.config/telepathy-account-widgets -mkdir ${HOME}/.cache mkdir ${HOME}/.cache/telepathy whitelist ${HOME}/.cache/telepathy mkdir ${HOME}/.purple diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile index 9380237be..22c5bafc5 100644 --- a/etc/psi-plus.profile +++ b/etc/psi-plus.profile 
@@ -7,14 +7,10 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc whitelist ${DOWNLOADS} -mkdir ~/.config mkdir ~/.config/psi+ whitelist ~/.config/psi+ -mkdir ~/.local -mkdir ~/.local/share mkdir ~/.local/share/psi+ whitelist ~/.local/share/psi+ -mkdir ~/.cache mkdir ~/.cache/psi+ whitelist ~/.cache/psi+ diff --git a/etc/quiterss.profile b/etc/quiterss.profile index f2b9959f6..2ab5d8a8e 100644 --- a/etc/quiterss.profile +++ b/etc/quiterss.profile @@ -4,14 +4,11 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-devel.inc whitelist ${HOME}/quiterssfeeds.opml -mkdir ~/.config mkdir ~/.config/QuiteRss whitelist ${HOME}/.config/QuiteRss/ whitelist ${HOME}/.config/QuiteRssrc -mkdir ~/.local mkdir ~/.local/share whitelist ${HOME}/.local/share/ -mkdir ~/.cache mkdir ~/.cache/QuiteRss whitelist ${HOME}/.cache/QuiteRss diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile index b590f0ef1..0efb7b629 100644 --- a/etc/qutebrowser.profile +++ b/etc/qutebrowser.profile @@ -17,7 +17,6 @@ tracelog whitelist ${DOWNLOADS} mkdir ~/.config/qutebrowser whitelist ~/.config/qutebrowser -mkdir ~/.cache mkdir ~/.cache/qutebrowser whitelist ~/.cache/qutebrowser include /etc/firejail/whitelist-common.inc diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile index 9ce4164c1..b981d9516 100644 --- a/etc/seamonkey.profile +++ b/etc/seamonkey.profile @@ -14,11 +14,8 @@ seccomp tracelog whitelist ${DOWNLOADS} -mkdir ~/.mozilla mkdir ~/.mozilla/seamonkey whitelist ~/.mozilla/seamonkey -mkdir ~/.cache -mkdir ~/.cache/mozilla mkdir ~/.cache/mozilla/seamonkey whitelist ~/.cache/mozilla/seamonkey whitelist ~/dwhelper diff --git a/etc/spotify.profile b/etc/spotify.profile index ca575970b..6bcb99e0f 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile 
@@ -10,14 +10,10 @@ include /etc/firejail/disable-passwdmgr.inc # Whitelist the folders needed by Spotify - This is more restrictive # than a blacklist though, but this is all spotify requires for # streaming audio -mkdir ${HOME}/.config mkdir ${HOME}/.config/spotify whitelist ${HOME}/.config/spotify -mkdir ${HOME}/.local -mkdir ${HOME}/.local/share mkdir ${HOME}/.local/share/spotify whitelist ${HOME}/.local/share/spotify -mkdir ${HOME}/.cache mkdir ${HOME}/.cache/spotify whitelist ${HOME}/.cache/spotify include /etc/firejail/whitelist-common.inc diff --git a/etc/stellarium.profile b/etc/stellarium.profile index d0c1326b3..adefa75ff 100644 --- a/etc/stellarium.profile +++ b/etc/stellarium.profile @@ -9,7 +9,6 @@ include /etc/firejail/disable-programs.inc # Whitelist mkdir ~/.stellarium whitelist ~/.stellarium -mkdir ~/.config mkdir ~/.config/stellarium whitelist ~/.config/stellarium diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile index 7882367b9..5db50da4d 100644 --- a/etc/thunderbird.profile +++ b/etc/thunderbird.profile @@ -11,7 +11,6 @@ mkdir ~/.thunderbird whitelist ~/.thunderbird noblacklist ~/.cache/thunderbird -mkdir ~/.cache mkdir ~/.cache/thunderbird whitelist ~/.cache/thunderbird diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile index 269f8f0fd..522b4bd1e 100644 --- a/etc/uget-gtk.profile +++ b/etc/uget-gtk.profile @@ -13,7 +13,6 @@ protocol unix,inet,inet6 seccomp whitelist ${DOWNLOADS} -mkdir ~/.config mkdir ~/.config/uGet whitelist ~/.config/uGet include /etc/firejail/whitelist-common.inc diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile index 2049d2bd9..3c608dccb 100644 --- a/etc/vivaldi.profile +++ b/etc/vivaldi.profile @@ -9,10 +9,8 @@ netfilter nonewprivs whitelist ${DOWNLOADS} -mkdir ~/.config mkdir ~/.config/vivaldi whitelist ~/.config/vivaldi -mkdir ~/.cache mkdir ~/.cache/vivaldi whitelist ~/.cache/vivaldi include /etc/firejail/whitelist-common.inc 
diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile index cd0c6406f..2ddb59d11 100644 --- a/etc/wesnoth.profile +++ b/etc/wesnoth.profile @@ -18,12 +18,8 @@ private-dev whitelist /tmp/.X11-unix -mkdir ${HOME}/.local -mkdir ${HOME}/.local/share mkdir ${HOME}/.local/share/wesnoth -mkdir ${HOME}/.config mkdir ${HOME}/.config/wesnoth -mkdir ${HOME}/.cache mkdir ${HOME}/.cache/wesnoth whitelist ${HOME}/.local/share/wesnoth whitelist ${HOME}/.config/wesnoth diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc index b3a1a1d30..2317133c5 100644 --- a/etc/whitelist-common.inc +++ b/etc/whitelist-common.inc @@ -24,6 +24,5 @@ whitelist ~/.config/gtk-3.0 whitelist ~/.themes # dconf -mkdir ~/.config mkdir ~/.config/dconf whitelist ~/.config/dconf diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c index 50bcc613b..5bc2df2cc 100644 --- a/src/firejail/fs_mkdir.c +++ b/src/firejail/fs_mkdir.c @@ -22,8 +22,38 @@ #include #include #include - #include - +#include +#include + +static void mkdir_recursive(char *path) { + char *subdir = NULL; + struct stat s; + + if (chdir("/")) { + fprintf(stderr, "Error: can't chdir to /"); + return; + } + + subdir = strtok(path, "/"); + while(subdir) { + if (stat(subdir, &s) == -1) { + if (mkdir(subdir, 0700) == -1) { + fprintf(stderr, "Warning: cannot create %s directory\n", subdir); + return; + } + } else if (!S_ISDIR(s.st_mode)) { + fprintf(stderr, "Warning: '%s' exists, but is no directory\n", subdir); + return; + } + if (chdir(subdir)) { + fprintf(stderr, "Error: can't chdir to %s", subdir); + return; + } + + subdir = strtok(NULL, "/"); + } +} + void fs_mkdir(const char *name) { EUID_ASSERT(); @@ -50,8 +80,7 @@ void fs_mkdir(const char *name) { drop_privs(0); // create directory - if (mkdir(expanded, 0700) == -1) - fprintf(stderr, "Warning: cannot create %s directory\n", expanded); + mkdir_recursive(expanded); exit(0); } // wait for the child to finish 
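Review bot: mkdir_recursive (src/firejail/fs_mkdir.c) checks each path component with `stat` and then acts on it with `mkdir` and `chdir`, so the component can change between the check and the use, and both `stat` and `chdir` follow symbolic links. The caller appears to drop privileges before this runs (`drop_privs(0)` in the second hunk), which limits the impact, but the path validation in fs_mkdir lies outside the hunk and should be confirmed to still hold now that intermediate components are traversed one by one. Creating first and tolerating an existing entry, `if (mkdir(subdir, 0700) == -1 && errno != EEXIST)`, and then letting `chdir` reject a non-directory removes the check-then-create window. The two `chdir` error messages also lack the trailing newline the warnings have, e.g. `fprintf(stderr, "Error: can't chdir to %s\n", subdir);`.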
@@ -101,4 +130,4 @@ void fs_mkfile(const char *name) { doexit: free(expanded); -} \ No newline at end of file +} diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 504842a9e..7e33a6b45 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -136,7 +136,7 @@ The directory is created if it doesn't already exist. .br Use this command for whitelisted directories you need to preserve when the sandbox is closed. Without it, the application will create the directory, and the directory -will be deleted when the sandbox is closed. Subdirectories also need to be created using mkdir. Example from +will be deleted when the sandbox is closed. Subdirectories are recursively created. Example from firefox profile: .br @@ -145,17 +145,13 @@ mkdir ~/.mozilla .br whitelist ~/.mozilla .br -mkdir ~/.cache -.br -mkdir ~/.cache/mozilla -.br mkdir ~/.cache/mozilla/firefox .br whitelist ~/.cache/mozilla/firefox .TP \fBmkfile file Similar to mkdir, this command creates a file in user home before the sandbox is started. -The file is created if it doesn't already exist. +The file is created if it doesn't already exist, but it's target directory has to exist. .TP \fBnoexec file_or_directory Remount the file or the directory noexec, nodev and nosuid. diff --git a/test/fs/fs.sh b/test/fs/fs.sh index 08888020c..00e6e29c2 100755 --- a/test/fs/fs.sh +++ b/test/fs/fs.sh @@ -51,5 +51,6 @@ echo "TESTING: blacklist glob (test/fs/option_blacklist_glob.exp)" echo "TESTING: bind as user (test/fs/option_bind_user.exp)" ./option_bind_user.exp - +echo "TESTING: recursive mkdir (test/fs/mkdir.exp)" +./mkdir.exp diff --git a/test/fs/mkdir.exp b/test/fs/mkdir.exp new file mode 100755 index 000000000..111db06db --- /dev/null +++ b/test/fs/mkdir.exp 
@@ -0,0 +1,20 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2016 Firejail Authors
+# License GPL v2
+
+set timeout 3
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --profile=mkdir.profile find ~/.firejail_test\r"
+expect {
+ timeout {puts "TESTING ERROR 1.1\n";exit}
+ "Warning: cannot create" { puts "TESTING ERROR 1.2\n";exit}
+ "No such file or directory" { puts "TESTING ERROR 1.3\n";exit}
+ ".firejail_test/a/b/c/d.txt"
+}
+send -- "rm -rf ~/.firejail_test\r"
+after 100
+
+puts "\nall done\n"
diff --git a/test/fs/mkdir.profile b/test/fs/mkdir.profile
new file mode 100644
index 000000000..61b44c9ac
--- /dev/null
+++ b/test/fs/mkdir.profile
@@ -0,0 +1,2 @@
+mkdir ~/.firejail_test/a/b/c
+mkfile ~/.firejail_test/a/b/c/d.txt
-- cgit v1.2.3-70-g09d2
From fa4af69fd481256b2aea3803f63e957c501aa764 Mon Sep 17 00:00:00 2001
From: Thomas Jarosch
Date: Sat, 30 Jul 2016 23:52:43 +0200
Subject: Add uids.h to .gitignore
---
 .gitignore | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitignore b/.gitignore
index 34a228a76..0d5979c8b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,4 +18,4 @@ src/firecfg/firecfg
 src/ftee/ftee
 src/tags
 src/faudit/faudit
-
+uids.h
-- cgit v1.2.3-70-g09d2
From 2d60937932a44ed5dfe3afecdae846386275a25a Mon Sep 17 00:00:00 2001
From: Thomas Jarosch Date: Sat, 30 Jul 2016 23:10:50 +0200 Subject: Add profiles for tar (gtar), unzip and unrar I've tested compression and uncompression of various tar formats and also straced unzip/unrar regarding their file access in /etc. -> should be fine. If you want to unpack files in /usr/bin, then use the --ignore=private-bin switch. Same for /etc: --ignore=private-etc --- Makefile.in | 4 ++++ README | 1 + README.md | 1 + etc/gtar.profile | 1 + etc/tar.profile | 13 +++++++++++++ etc/unrar.profile | 11 +++++++++++ etc/unzip.profile | 11 +++++++++++ platform/debian/conffiles | 4 ++++ 8 files changed, 46 insertions(+) create mode 100644 etc/gtar.profile create mode 100644 etc/tar.profile create mode 100644 etc/unrar.profile create mode 100644 etc/unzip.profile diff --git a/Makefile.in b/Makefile.in index 44833021e..50210fcd9 100644 --- a/Makefile.in +++ b/Makefile.in @@ -144,6 +144,7 @@ realinstall: install -c -m 0644 .etc/google-chrome.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/google-play-music-desktop-player.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/gpredict.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/gtar.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/gthumb.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/gwenview.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/gzip.profile $(DESTDIR)/$(sysconfdir)/firejail/. 
@@ -201,6 +202,7 @@ realinstall: install -c -m 0644 .etc/steam.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/stellarium.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/strings.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/tar.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/telegram.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/thunderbird.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/totem.profile $(DESTDIR)/$(sysconfdir)/firejail/. @@ -208,6 +210,8 @@ realinstall: install -c -m 0644 .etc/transmission-qt.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/uget-gtk.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/unbound.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/unrar.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/unzip.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/uudeview.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/vivaldi-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/vivaldi.profile $(DESTDIR)/$(sysconfdir)/firejail/. diff --git a/README b/README index 200a7ef72..76c0ed30d 100644 --- a/README +++ b/README @@ -34,6 +34,7 @@ Peter Hogg (https://github.com/pigmonkey) Thomas Jarosch (https://github.com/thomasjfox) - disable keepassx in disable-passwdmgr.inc - added uudeview profile + - added tar (gtar), unzip and unrar profile - improved profile list Niklas Haas (https://github.com/haasn) - blacklisting for keybase.io's client diff --git a/README.md b/README.md index 26dc2c4e3..faa647125 100644 --- a/README.md +++ b/README.md @@ -156,4 +156,5 @@ Browsers: Palemoon ## New security profiles Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview +tar (gtar), unzip, unrar 
diff --git a/etc/gtar.profile b/etc/gtar.profile new file mode 100644 index 000000000..5dbc550f6 --- /dev/null +++ b/etc/gtar.profile @@ -0,0 +1 @@ +include /etc/firejail/tar.profile diff --git a/etc/tar.profile b/etc/tar.profile new file mode 100644 index 000000000..4ce3e59f0 --- /dev/null +++ b/etc/tar.profile @@ -0,0 +1,13 @@ +# tar profile +include /etc/firejail/default.profile + +tracelog +net none +shell none + +# support compressed archives +private-bin tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop +private-dev +private-etc passwd,group,localtime +hostname tar +nosound diff --git a/etc/unrar.profile b/etc/unrar.profile new file mode 100644 index 000000000..ccd144699 --- /dev/null +++ b/etc/unrar.profile @@ -0,0 +1,11 @@ +# unrar profile +include /etc/firejail/default.profile + +tracelog +net none +shell none +private-bin unrar +private-dev +private-etc passwd,group,localtime +hostname unrar +nosound diff --git a/etc/unzip.profile b/etc/unzip.profile new file mode 100644 index 000000000..d4862004c --- /dev/null +++ b/etc/unzip.profile @@ -0,0 +1,11 @@ +# unzip profile +include /etc/firejail/default.profile + +tracelog +net none +shell none +private-bin unzip +private-dev +private-etc passwd,group,localtime +hostname unzip +nosound diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 5367edfe5..d302c5732 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -50,6 +50,7 @@ /etc/firejail/google-chrome.profile /etc/firejail/google-play-music-desktop-player.profile /etc/firejail/gpredict.profile +/etc/firejail/gtar.profile /etc/firejail/gthumb.profile /etc/firejail/gwenview.profile /etc/firejail/gzip.profile @@ -108,6 +109,7 @@ /etc/firejail/steam.profile /etc/firejail/stellarium.profile /etc/firejail/strings.profile +/etc/firejail/tar.profile /etc/firejail/telegram.profile /etc/firejail/thunderbird.profile /etc/firejail/totem.profile 
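Review bot: etc/tar.profile, etc/unrar.profile and etc/unzip.profile carry no comment about the restriction the commit message describes: with `private-bin` and `private-etc` in place, unpacking into /usr/bin or /etc only works with `--ignore=private-bin` or `--ignore=private-etc`. That caveat currently lives only in the commit description, where a user editing or debugging the profile will not see it. A comment at the top of each of the three profiles would carry it, e.g. `# to unpack into /usr/bin or /etc, run with --ignore=private-bin or --ignore=private-etc`.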
@@ -115,6 +117,8 @@ /etc/firejail/transmission-qt.profile /etc/firejail/uget-gtk.profile /etc/firejail/unbound.profile +/etc/firejail/unrar.profile +/etc/firejail/unzip.profile /etc/firejail/uudeview.profile /etc/firejail/vivaldi-beta.profile /etc/firejail/vivaldi.profile -- cgit v1.2.3-70-g09d2 From a733a5092b404276af646b522430466df19a1612 Mon Sep 17 00:00:00 2001 From: Thomas Jarosch Date: Sat, 30 Jul 2016 23:40:55 +0200 Subject: Fix wrong pointer variable in stat64 wrapper If a program would have called stat() and then stat64(), the traced program probably would crash with a NULL pointer access on orig_stat64. I've checked for similiar glitches in the other wrappers -> they looked ok. --- README | 1 + src/libtrace/libtrace.c | 4 ++-- src/libtracelog/libtracelog.c | 4 ++-- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/README b/README index 200a7ef72..775a3f008 100644 --- a/README +++ b/README @@ -35,6 +35,7 @@ Thomas Jarosch (https://github.com/thomasjfox) - disable keepassx in disable-passwdmgr.inc - added uudeview profile - improved profile list + - fixed small variable glitch in stat64() / lstat64() (libtracelog) Niklas Haas (https://github.com/haasn) - blacklisting for keybase.io's client Aleksey Manevich (https://github.com/manevich) diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c index a3d1571f7..9f2622c00 100644 --- a/src/libtrace/libtrace.c +++ b/src/libtrace/libtrace.c @@ -423,11 +423,11 @@ int stat(const char *pathname, struct stat *buf) { typedef int (*orig_stat64_t)(const char *pathname, struct stat64 *buf); static orig_stat64_t orig_stat64 = NULL; int stat64(const char *pathname, struct stat64 *buf) { - if (!orig_stat) + if (!orig_stat64) orig_stat64 = (orig_stat64_t)dlsym(RTLD_NEXT, "stat64"); int rv = orig_stat64(pathname, buf); - printf("%u:%s:stat %s:%d\n", pid(), name(), pathname, rv); + printf("%u:%s:stat64 %s:%d\n", pid(), name(), pathname, rv); return rv; } #endif /* __GLIBC__ */ 
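Review bot: In the `stat64()` wrapper of src/libtrace/libtrace.c the pointer returned by `dlsym(RTLD_NEXT, "stat64")` is still called without a NULL check, so the corrected guard removes the crash the commit describes but not the one that happens when the lookup itself fails. A line such as `if (!orig_stat64) { errno = ENOSYS; return -1; }` after the lookup turns that into an error return (it needs `<errno.h>` if the file does not already include it). The same applies to the `stat64()` and `lstat64()` hunks in src/libtracelog/libtracelog.c and to the `lstat()`/`lstat64()` wrappers added to libtrace.c in the following commit. The libtracelog function bodies continue outside their hunks.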
diff --git a/src/libtracelog/libtracelog.c b/src/libtracelog/libtracelog.c
index 3e65587c4..dedba5513 100644
--- a/src/libtracelog/libtracelog.c
+++ b/src/libtracelog/libtracelog.c
@@ -562,7 +562,7 @@ int stat64(const char *pathname, struct stat64 *buf) {
 #ifdef DEBUG
 printf("%s %s\n", __FUNCTION__, pathname);
 #endif
- if (!orig_stat)
+ if (!orig_stat64)
 orig_stat64 = (orig_stat64_t)dlsym(RTLD_NEXT, "stat64");
 if (!blacklist_loaded)
 load_blacklist();
@@ -598,7 +598,7 @@ int lstat64(const char *pathname, struct stat64 *buf) {
 #ifdef DEBUG
 printf("%s %s\n", __FUNCTION__, pathname);
 #endif
- if (!orig_lstat)
+ if (!orig_lstat64)
 orig_lstat64 = (orig_lstat64_t)dlsym(RTLD_NEXT, "lstat64");
 if (!blacklist_loaded)
 load_blacklist();
-- cgit v1.2.3-70-g09d2
From 183eb02508f538e8200b62bbefc1c48aa0675d28 Mon Sep 17 00:00:00 2001
From: Thomas Jarosch
Date: Sat, 30 Jul 2016 23:42:53 +0200
Subject: libtrace: Add support for lstat() / lstat64()
---
 README | 1 +
 src/libtrace/libtrace.c | 25 +++++++++++++++++++++++++
 2 files changed, 26 insertions(+)
diff --git a/README b/README
index 775a3f008..dfd101b7e 100644
--- a/README
+++ b/README
@@ -36,6 +36,7 @@ Thomas Jarosch (https://github.com/thomasjfox)
 - added uudeview profile
 - improved profile list
 - fixed small variable glitch in stat64() / lstat64() (libtracelog)
+ - added lstat() / lstat64() support to libtrace
 Niklas Haas (https://github.com/haasn)
 - blacklisting for keybase.io's client
 Aleksey Manevich (https://github.com/manevich)
diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c
index 9f2622c00..dde3df2ea 100644
--- a/src/libtrace/libtrace.c
+++ b/src/libtrace/libtrace.c
@@ -432,6 +432,31 @@ int stat64(const char *pathname, struct stat64 *buf) {
 }
 #endif /* __GLIBC__ */
+// lstat
+typedef int (*orig_lstat_t)(const char *pathname, struct stat *buf);
+static orig_lstat_t orig_lstat = NULL;
+int lstat(const char *pathname, struct stat *buf) {
+ if (!orig_lstat)
+ orig_lstat = (orig_lstat_t)dlsym(RTLD_NEXT, "lstat");
+
+ int rv = orig_lstat(pathname, buf);
+ printf("%u:%s:lstat %s:%d\n", pid(), name(), pathname, rv);
+ return rv;
+}
+
+#ifdef __GLIBC__
+typedef int (*orig_lstat64_t)(const char *pathname, struct stat64 *buf);
+static orig_lstat64_t orig_lstat64 = NULL;
+int lstat64(const char *pathname, struct stat64 *buf) {
+ if (!orig_lstat64)
+ orig_lstat64 = (orig_lstat64_t)dlsym(RTLD_NEXT, "lstat64");
+
+ int rv = orig_lstat64(pathname, buf);
+ printf("%u:%s:lstat64 %s:%d\n", pid(), name(), pathname, rv);
+ return rv;
+}
+#endif /* __GLIBC__ */
+
 // opendir
 typedef DIR *(*orig_opendir_t)(const char *pathname);
 static orig_opendir_t orig_opendir = NULL;
-- cgit v1.2.3-70-g09d2
From f72ac8eab33b4c923d75e010545721cc8fe552ce Mon Sep 17 00:00:00 2001
From: Thomas Jarosch
Date: Sun, 31 Jul 2016 00:22:46 +0200
Subject: Add file.profile
---
 Makefile.in | 1 +
 README | 1 +
 README.md | 2 +-
 RELNOTES | 1 +
 etc/file.profile | 11 +++++++++++
 platform/debian/conffiles | 1 +
 6 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 etc/file.profile
diff --git a/Makefile.in b/Makefile.in
index 50210fcd9..6837d59cd 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -131,6 +131,7 @@ realinstall: install -c -m 0644 .etc/epiphany.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/evince.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/fbreader.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/file.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/filezilla.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/firefox-esr.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/firefox.profile $(DESTDIR)/$(sysconfdir)/firejail/. diff --git a/README b/README index 76c0ed30d..9e2073e66 100644 --- a/README +++ b/README @@ -35,6 +35,7 @@ Thomas Jarosch (https://github.com/thomasjfox) - disable keepassx in disable-passwdmgr.inc - added uudeview profile - added tar (gtar), unzip and unrar profile + - added file profile - improved profile list Niklas Haas (https://github.com/haasn) - blacklisting for keybase.io's client diff --git a/README.md b/README.md index faa647125..b186db8db 100644 --- a/README.md +++ b/README.md @@ -156,5 +156,5 @@ Browsers: Palemoon ## New security profiles Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview -tar (gtar), unzip, unrar +tar (gtar), unzip, unrar, file diff --git a/RELNOTES b/RELNOTES index e37e24778..4d7f67bda 100644 --- a/RELNOTES +++ b/RELNOTES @@ -16,6 +16,7 @@ firejail (0.9.42~rc2) baseline; urgency=low * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice * new profiles: pix, audacity, strings, xz, xzdec, gzip, cpio, less * new profiles: Atom Beta, Atom, jitsi, eom, uudeview + * new profiles: tar (gtar), unzip, unrar, file -- netblue30 Thu, 21 Jul 2016 08:00:00 -0500 firejail (0.9.40) baseline; urgency=low diff --git a/etc/file.profile b/etc/file.profile new file mode 100644 index 000000000..357576040 --- /dev/null +++ b/etc/file.profile 
@@ -0,0 +1,11 @@ +# file profile +include /etc/firejail/default.profile + +tracelog +net none +shell none +private-bin file +private-dev +private-etc magic.mgc,magic,localtime +hostname file +nosound diff --git a/platform/debian/conffiles b/platform/debian/conffiles index d302c5732..76ca9d44e 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -36,6 +36,7 @@ /etc/firejail/epiphany.profile /etc/firejail/evince.profile /etc/firejail/fbreader.profile +/etc/firejail/file.profile /etc/firejail/filezilla.profile /etc/firejail/firefox-esr.profile /etc/firejail/firefox.profile -- cgit v1.2.3-70-g09d2 From 59cd5a6b6bb90d316d7f628fd6fc2df9ff2b17ab Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 31 Jul 2016 10:06:41 -0400 Subject: cleanup and some new tests --- README | 5 +++++ RELNOTES | 1 + etc/file.profile | 1 + etc/tar.profile | 1 + etc/unrar.profile | 1 + etc/unzip.profile | 1 + src/firejail/cmdline.c | 10 +++++----- src/firejail/firejail.h | 3 +++ src/firejail/fs_bin.c | 2 +- src/firejail/main.c | 5 +++++ test/sysutils/file.exp | 16 ++++++++++++++++ test/sysutils/sysutils.sh | 18 ++++++++++++++++++ test/sysutils/tar.exp | 35 +++++++++++++++++++++++++++++++++++ todo | 6 +++++- 14 files changed, 98 insertions(+), 7 deletions(-) create mode 100755 test/sysutils/file.exp create mode 100755 test/sysutils/tar.exp diff --git a/README b/README index 58503d0c7..4e610cb4a 100644 --- a/README +++ b/README @@ -25,6 +25,9 @@ Reiner Herrmann (https://github.com/reinerh) - clang-analyzer fixes - Debian reproducible build - unit testing framework + - moved build to .xz + - detached signatures for source archive + - recursive mkdir xee5ch (https://github.com/xee5ch) - skypeforlinux profile Peter Hogg (https://github.com/pigmonkey) 
@@ -39,6 +42,7 @@ Thomas Jarosch (https://github.com/thomasjfox) - improved profile list - fixed small variable glitch in stat64() / lstat64() (libtracelog) - added lstat() / lstat64() support to libtrace + - include mkuid.sh in make dist Niklas Haas (https://github.com/haasn) - blacklisting for keybase.io's client Aleksey Manevich (https://github.com/manevich) @@ -48,6 +52,7 @@ Aleksey Manevich (https://github.com/manevich) - fix double quotes/single quotes problem - big rework of argument processing subsystem - --join fixes + - spliting up cmdline.c Fred-Barclay (https://github.com/Fred-Barclay) - added Vivaldi, Atril profiles - added PaleMoon profile diff --git a/RELNOTES b/RELNOTES index 4d7f67bda..1746e03a1 100644 --- a/RELNOTES +++ b/RELNOTES @@ -9,6 +9,7 @@ firejail (0.9.42~rc2) baseline; urgency=low * Ubuntu snap support * include /dev/snd in --private-dev * added mkfile profile command + * recursive mkdir * seccomp filter updated * compile time and run time support to disable whitelists * compile time support to disable global configuration file diff --git a/etc/file.profile b/etc/file.profile index 357576040..1569b42c7 100644 --- a/etc/file.profile +++ b/etc/file.profile @@ -1,4 +1,5 @@ # file profile +ignore noroot include /etc/firejail/default.profile tracelog diff --git a/etc/tar.profile b/etc/tar.profile index 4ce3e59f0..769a3cd4e 100644 --- a/etc/tar.profile +++ b/etc/tar.profile @@ -1,4 +1,5 @@ # tar profile +ignore noroot include /etc/firejail/default.profile tracelog diff --git a/etc/unrar.profile b/etc/unrar.profile index ccd144699..74079e7b9 100644 --- a/etc/unrar.profile +++ b/etc/unrar.profile @@ -1,4 +1,5 @@ # unrar profile +ignore noroot include /etc/firejail/default.profile tracelog diff --git a/etc/unzip.profile b/etc/unzip.profile index d4862004c..502839b98 100644 --- a/etc/unzip.profile +++ b/etc/unzip.profile @@ -1,4 +1,5 @@ # unzip profile +ignore noroot include /etc/firejail/default.profile tracelog 
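Review bot: The `ignore noroot` line added at the top of etc/file.profile, etc/tar.profile, etc/unrar.profile and etc/unzip.profile switches off a restriction that the included default.profile would otherwise apply, and neither the profiles nor the commit message ("cleanup and some new tests") say why. Relaxing a sandbox option should carry its reason next to the line, so a later reader can tell whether it is still needed. A comment of the form `# noroot is ignored because <reason>` directly above each `ignore noroot` would do, with the placeholder filled in by the author.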
diff --git a/src/firejail/cmdline.c b/src/firejail/cmdline.c index 517124d9e..48cbaffb7 100644 --- a/src/firejail/cmdline.c +++ b/src/firejail/cmdline.c @@ -27,9 +27,9 @@ #include int cmdline_length(int argc, char **argv, int index) { - int i,j; + unsigned i,j; int len = 0; - int argcnt = argc - index; + unsigned argcnt = argc - index; bool in_quotes = false; for (i = 0; i < argcnt; i++) { @@ -63,8 +63,8 @@ int cmdline_length(int argc, char **argv, int index) { } void quote_cmdline(char *command_line, char *window_title, int len, int argc, char **argv, int index) { - int i,j; - int argcnt = argc - index; + unsigned i,j; + unsigned argcnt = argc - index; bool in_quotes = false; char *ptr1 = command_line; char *ptr2 = window_title; @@ -127,7 +127,7 @@ void quote_cmdline(char *command_line, char *window_title, int len, int argc, ch ptr2 += strlen(ptr2); } - assert(len == strlen(command_line)); + assert((unsigned) len == strlen(command_line)); } void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index) { diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 7a538327d..1546dc403 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -590,5 +590,8 @@ void appimage_set(const char *appimage_path); void appimage_clear(void); const char *appimage_getdir(void); +// cmdline.c +void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index); + #endif diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index ac731c246..dca66888c 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c @@ -136,7 +136,7 @@ void fs_check_bin_list(void) { ptr = strrchr(newlist, ','); assert(ptr); *ptr = '\0'; - if (notfound) + if (notfound && !arg_quiet) fprintf(stderr, "Warning: not all executables from --private-bin list were found. The current list is %s\n", newlist); cfg.bin_private_keep = newlist; diff --git a/src/firejail/main.c b/src/firejail/main.c index e86d78ff1..d5ac7ad1d 100644 
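Review bot: With `unsigned argcnt = argc - index;` in `cmdline_length()`, a call where `index` is greater than `argc` no longer produces a negative count that skips `for (i = 0; i < argcnt; i++)`; the value wraps to a very large unsigned number and the loop runs far past the number of arguments (the argv access itself is outside the hunk). Whether every caller guarantees `index <= argc` is not visible here, so the precondition should be stated in the function, e.g. `assert(index >= 0 && index <= argc);` before the subtraction; the file already uses `assert`. `quote_cmdline()` in the next hunk has the same declaration and needs the same line. Both function bodies continue outside their hunks.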
--- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -704,6 +704,11 @@ static void detect_quiet(int argc, char **argv) { "gzip", "xz", "xzdec", + "file", + "gtar", + "tar", + "unrar", + "unzip", NULL }; diff --git a/test/sysutils/file.exp b/test/sysutils/file.exp new file mode 100755 index 000000000..e40b83197 --- /dev/null +++ b/test/sysutils/file.exp @@ -0,0 +1,16 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail file ~/.bashrc\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "ASCII text" +} + +puts "\nall done\n" diff --git a/test/sysutils/sysutils.sh b/test/sysutils/sysutils.sh index d75738f97..315b73c9d 100755 --- a/test/sysutils/sysutils.sh +++ b/test/sysutils/sysutils.sh @@ -60,3 +60,21 @@ else echo "TESTING SKIP: less not found" fi +which file +if [ "$?" -eq 0 ]; +then + echo "TESTING: file" + ./file.exp +else + echo "TESTING SKIP: file not found" +fi + +which tar +if [ "$?" -eq 0 ]; +then + echo "TESTING: tar" + ./tar.exp +else + echo "TESTING SKIP: tar not found" +fi + diff --git a/test/sysutils/tar.exp b/test/sysutils/tar.exp new file mode 100755 index 000000000..af569f5ac --- /dev/null +++ b/test/sysutils/tar.exp 
@@ -0,0 +1,35 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail /bin/tar -cjvf firejail_t2 /usr/share/doc/firejail\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "/usr/share/doc/firejail/README" +} +after 100 + +send -- "firejail /bin/tar --compare --file=firejail_t2 -C / | wc\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + " 0 0 0" +} +sleep 1 +send -- "/bin/tar --compare --file=firejail_t2 -C / | wc\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + " 0 0 0" +} +sleep 1 + + +send -- "rm firejail_t*\r" +sleep 1 + + +puts "\nall done\n" diff --git a/todo b/todo index 97632fa9c..009f9fe99 100644 --- a/todo +++ b/todo @@ -250,10 +250,14 @@ References 23. AppArmor +$ sudo apt-get install apparmor apparmor-profiles apparmor-utils apparmor-notify + $ sudo perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub $ sudo update-grub $ sudo reboot -$ ps auxZ | grep -v '^unconfined' +If you are using auditd, start aa-notify to get notification whenever a program causes a DENIED message. +$ sudo aa-notify -p -f /var/log/audit/audit.log + -- cgit v1.2.3-70-g09d2 From 2f2e4d61c73d2ef61721f7a353b648c46bab8bf8 Mon Sep 17 00:00:00 2001 From: Thomas Jarosch Date: Sun, 31 Jul 2016 16:28:14 +0200 Subject: detect_quiet(): Sort alphabetically --- src/firejail/main.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/firejail/main.c b/src/firejail/main.c index d5ac7ad1d..f6cb91581 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c 
@@ -698,17 +698,17 @@ static void delete_x11_file(pid_t pid) { static void detect_quiet(int argc, char **argv) { int i; char *progs[] = { - "less", "cpio", - "strings", - "gzip", - "xz", - "xzdec", "file", "gtar", + "gzip", + "less", + "strings", "tar", "unrar", "unzip", + "xz", + "xzdec", NULL }; -- cgit v1.2.3-70-g09d2 From e40707231ca2d3da34367af8af3908d70a93ad86 Mon Sep 17 00:00:00 2001 From: Thomas Jarosch Date: Sun, 31 Jul 2016 16:29:09 +0200 Subject: Add uudeview to detect_quiet() --- src/firejail/main.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/firejail/main.c b/src/firejail/main.c index f6cb91581..de1dcc044 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -707,6 +707,7 @@ static void detect_quiet(int argc, char **argv) { "tar", "unrar", "unzip", + "uudeview", "xz", "xzdec", NULL -- cgit v1.2.3-70-g09d2 From f5f26e4a4b8b9890a1828d6b4501c64527f60217 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 31 Jul 2016 10:40:49 -0400 Subject: integrate skypeforlinux profile --- Makefile.in | 1 + README.md | 2 +- RELNOTES | 2 +- etc/disable-programs.inc | 1 + etc/skypeforlinux.profile | 7 +++---- platform/debian/conffiles | 1 + 6 files changed, 8 insertions(+), 6 deletions(-) diff --git a/Makefile.in b/Makefile.in index 405087433..98ecbd252 100644 --- a/Makefile.in +++ b/Makefile.in @@ -196,6 +196,7 @@ realinstall: install -c -m 0644 .etc/seamonkey.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/server.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/skype.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/skypeforlinux.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/snap.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/soffice.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/spotify.profile $(DESTDIR)/$(sysconfdir)/firejail/. diff --git a/README.md b/README.md index b186db8db..17c7a89de 100644 --- a/README.md +++ b/README.md 
@@ -156,5 +156,5 @@ Browsers: Palemoon ## New security profiles Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview -tar (gtar), unzip, unrar, file +tar (gtar), unzip, unrar, file, skypeforlinux diff --git a/RELNOTES b/RELNOTES index 1746e03a1..a4fc92671 100644 --- a/RELNOTES +++ b/RELNOTES @@ -17,7 +17,7 @@ firejail (0.9.42~rc2) baseline; urgency=low * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice * new profiles: pix, audacity, strings, xz, xzdec, gzip, cpio, less * new profiles: Atom Beta, Atom, jitsi, eom, uudeview - * new profiles: tar (gtar), unzip, unrar, file + * new profiles: tar (gtar), unzip, unrar, file, skypeforlinux -- netblue30 Thu, 21 Jul 2016 08:00:00 -0500 firejail (0.9.40) baseline; urgency=low diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 0f155351d..ed7710728 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -71,6 +71,7 @@ blacklist ${HOME}/.retroshare blacklist ${HOME}/.weechat blacklist ${HOME}/.config/xchat blacklist ${HOME}/.Skype +blacklist ${HOME}/.config/skypeforlinux blacklist ${HOME}/.config/tox blacklist ${HOME}/.TelegramDesktop blacklist ${HOME}/.config/Gitter diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile index a1d8487c8..3f0a274f9 100644 --- a/etc/skypeforlinux.profile +++ b/etc/skypeforlinux.profile @@ -1,10 +1,9 @@ # skypeforlinux profile noblacklist ${HOME}/.config/skypeforlinux -include /etc/firejail/disable-mgmt.inc -include /etc/firejail/disable-secret.inc include /etc/firejail/disable-common.inc -include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-terminals.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + caps.drop all netfilter noroot diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 76ca9d44e..c8eda3cb4 100644 --- a/platform/debian/conffiles 
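Review bot: The rewritten include list in etc/skypeforlinux.profile drops `include /etc/firejail/disable-devel.inc` without a replacement, although the Makefile.in install list in this series still ships `disable-devel.inc`. If leaving development tools visible to this application is intended, the commit message should say so; otherwise keep the line next to the three new includes: `include /etc/firejail/disable-devel.inc`. The other removed includes (disable-mgmt, disable-secret, disable-terminals) do not appear in the install list visible on this page, so presumably those files no longer exist.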
+++ b/platform/debian/conffiles @@ -103,6 +103,7 @@ /etc/firejail/seamonkey.profile /etc/firejail/server.profile /etc/firejail/skype.profile +/etc/firejail/skypeforlinux.profile /etc/firejail/snap.profile /etc/firejail/soffice.profile /etc/firejail/spotify.profile -- cgit v1.2.3-70-g09d2 From 369dd18d206945080780f35b502f61b88448bab1 Mon Sep 17 00:00:00 2001 From: Reiner Herrmann Date: Sun, 31 Jul 2016 21:10:40 +0200 Subject: Simplify installation of profiles and manpages --- Makefile.in | 211 +++++++----------------------------------------------------- mketc.sh | 20 +----- 2 files changed, 27 insertions(+), 204 deletions(-) diff --git a/Makefile.in b/Makefile.in index 98ecbd252..e47e109d3 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,6 +1,7 @@ -all: apps firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-config.5 +all: apps man MYLIBS = src/lib APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit +MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-config.5 prefix=@prefix@ exec_prefix=@exec_prefix@ 
@@ -25,27 +26,16 @@ apps: $(APPS) $(APPS): $(MYLIBS) $(MAKE) -C $@ -firemon.1: src/man/firemon.txt - ./mkman.sh $(VERSION) src/man/firemon.txt firemon.1 -firejail.1: src/man/firejail.txt - ./mkman.sh $(VERSION) src/man/firejail.txt firejail.1 -firecfg.1: src/man/firecfg.txt - ./mkman.sh $(VERSION) src/man/firecfg.txt firecfg.1 -firejail-profile.5: src/man/firejail-profile.txt - ./mkman.sh $(VERSION) src/man/firejail-profile.txt firejail-profile.5 -firejail-login.5: src/man/firejail-login.txt - ./mkman.sh $(VERSION) src/man/firejail-login.txt firejail-login.5 -firejail-config.5: src/man/firejail-config.txt - ./mkman.sh $(VERSION) src/man/firejail-config.txt firejail-config.5 +$(MANPAGES): $(wildcard src/man/*.txt) + ./mkman.sh $(VERSION) src/man/$(basename $@).txt $@ + +man: $(MANPAGES) clean: - for dir in $(APPS); do \ - $(MAKE) -C $$dir clean; \ - done - for dir in $(MYLIBS); do \ + for dir in $(APPS) $(MYLIBS); do \ $(MAKE) -C $$dir clean; \ done - rm -f firejail.1 firejail.1.gz firemon.1 firemon.1.gz firecfg.1 firecfg.gz firejail-profile.5 firejail-profile.5.gz firejail-login.5 firejail-login.5.gz firejail-config.5 firejail-config.5.gz firejail*.rpm + rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm rm -f test/utils/index.html* rm -f test/utils/wget-log rm -f test/utils/lstesting @@ -60,10 +50,7 @@ clean: cd test/dist-compile; ./compile.sh --clean; cd ../.. distclean: clean - for dir in $(APPS); do \ - $(MAKE) -C $$dir distclean; \ - done - for dir in $(MYLIBS); do \ + for dir in $(APPS) $(MYLIBS); do \ $(MAKE) -C $$dir distclean; \ done rm -fr Makefile autom4te.cache config.log config.status config.h uids.h 
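Review bot: The new rule `$(MANPAGES): $(wildcard src/man/*.txt)` makes every man page depend on every source text, so editing one `.txt` regenerates all six pages, where the removed rules rebuilt only the affected one. Two pattern rules, `%.1: src/man/%.txt` and `%.5: src/man/%.txt`, each with the recipe `./mkman.sh $(VERSION) $< $@`, keep the per-page dependency and are just as short. They also remove the need for `$(basename $@)` in the recipe.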
@@ -93,169 +80,23 @@ realinstall: # etc files ./mketc.sh $(sysconfdir) install -m 0755 -d $(DESTDIR)/$(sysconfdir)/firejail - install -c -m 0644 .etc/0ad.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/Cyberfox.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/Mathematica.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/Telegram.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/abrowser.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/atom-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/atom.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/atril.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/audacious.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/audacity.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/aweather.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/bitlbee.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/brave.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/cherrytree.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/chromium-browser.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/chromium.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/clementine.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/cmus.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/conkeror.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/corebird.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/cpio.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/cyberfox.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/deadbeef.profile $(DESTDIR)/$(sysconfdir)/firejail/. 
- install -c -m 0644 .etc/default.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/deluge.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/dillo.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/disable-common.inc $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/disable-devel.inc $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/disable-passwdmgr.inc $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/disable-programs.inc $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/dnscrypt-proxy.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/dnsmasq.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/dropbox.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/empathy.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/eom.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/epiphany.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/evince.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/fbreader.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/file.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/filezilla.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/firefox-esr.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/firefox.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/flashpeak-slimjet.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/franz.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/gitter.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/gnome-mplayer.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/google-chrome-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/. 
- install -c -m 0644 .etc/google-chrome-stable.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/google-chrome-unstable.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/google-chrome.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/google-play-music-desktop-player.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/gpredict.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/gtar.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/gthumb.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/gwenview.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/gzip.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/hedgewars.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/hexchat.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/icecat.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/icedove.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/iceweasel.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/jitsi.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/kmail.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/konversation.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/less.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/libreoffice.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/localc.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/lodraw.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/loffice.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/lofromtemplate.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/loimpress.profile $(DESTDIR)/$(sysconfdir)/firejail/. 
- install -c -m 0644 .etc/lomath.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/loweb.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/lowriter.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/lxterminal.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/mathematica.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/mcabber.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/midori.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/mpv.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/mupen64plus.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/netsurf.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/nolocal.net $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/okular.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/openbox.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/opera-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/opera.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/palemoon.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/parole.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/pidgin.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/pix.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/polari.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/psi-plus.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/qbittorrent.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/qtox.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/quassel.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/quiterss.profile $(DESTDIR)/$(sysconfdir)/firejail/. 
- install -c -m 0644 .etc/qutebrowser.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/rhythmbox.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/rtorrent.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/seamonkey-bin.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/seamonkey.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/server.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/skype.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/skypeforlinux.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/snap.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/soffice.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/spotify.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/ssh.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/steam.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/stellarium.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/strings.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/tar.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/telegram.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/thunderbird.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/totem.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/transmission-gtk.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/transmission-qt.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/uget-gtk.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/unbound.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/unrar.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/unzip.profile $(DESTDIR)/$(sysconfdir)/firejail/. 
- install -c -m 0644 .etc/uudeview.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/vivaldi-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/vivaldi.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/vlc.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/warzone2100.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/webserver.net $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/weechat-curses.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/weechat.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/wesnoth.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/whitelist-common.inc $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/wine.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/xchat.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/xplayer.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/xreader.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/xviewer.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/xz.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/xzdec.profile $(DESTDIR)/$(sysconfdir)/firejail/. + for file in .etc/* etc/firejail.config; do \ + install -c -m 0644 $$file $(DESTDIR)/$(sysconfdir)/firejail; \ + done sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" - install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/. 
rm -fr .etc # man pages - rm -f firejail.1.gz - gzip -9n firejail.1 - rm -f firemon.1.gz - gzip -9n firemon.1 - rm -f firecfg.1.gz - gzip -9n firecfg.1 - rm -f firejail-profile.5.gz - gzip -9n firejail-profile.5 - rm -f firejail-login.5.gz - gzip -9n firejail-login.5 - rm -f firejail-config.5.gz - gzip -9n firejail-config.5 install -m 0755 -d $(DESTDIR)/$(mandir)/man1 - install -c -m 0644 firejail.1.gz $(DESTDIR)/$(mandir)/man1/. - install -c -m 0644 firemon.1.gz $(DESTDIR)/$(mandir)/man1/. - install -c -m 0644 firecfg.1.gz $(DESTDIR)/$(mandir)/man1/. install -m 0755 -d $(DESTDIR)/$(mandir)/man5 - install -c -m 0644 firejail-profile.5.gz $(DESTDIR)/$(mandir)/man5/. - install -c -m 0644 firejail-login.5.gz $(DESTDIR)/$(mandir)/man5/. - install -c -m 0644 firejail-config.5.gz $(DESTDIR)/$(mandir)/man5/. - rm -f firejail.1.gz firemon.1.gz firecfg.1.gz firejail-profile.5.gz firejail-login.5.gz firejail-config.5.gz + for man in $(MANPAGES); do \ + rm -f $$man.gz; \ + gzip -9n $$man; \ + case "$$man" in \ + *.1) install -c -m 0644 $$man.gz $(DESTDIR)/$(mandir)/man1/; ;; \ + *.5) install -c -m 0644 $$man.gz $(DESTDIR)/$(mandir)/man5/; ;; \ + esac; \ + done + rm -f $(MANPAGES) $(MANPAGES:%=%.gz) # bash completion install -m 0755 -d $(DESTDIR)/$(datarootdir)/bash-completion/completions install -c -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail 
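Review bot: The new `for file in .etc/* etc/firejail.config` loop in realinstall no longer stops when one `install` fails, because a shell `for` returns only the status of its last command, whereas the removed one-command-per-line recipe made make abort at the first failure. A partly installed profile directory would therefore go unnoticed, and the affected programs would presumably start without their intended profile. Ending the command with `install -c -m 0644 $$file $(DESTDIR)/$(sysconfdir)/firejail || exit 1; \` restores the old behaviour. The man-page loop further down needs the same after `gzip -9n $$man` and in both `install` arms, and its `case` silently skips any page that is neither `*.1` nor `*.5`.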
@@ -281,12 +122,10 @@ uninstall: rm -f $(DESTDIR)/$(bindir)/firecfg rm -fr $(DESTDIR)/$(libdir)/firejail rm -fr $(DESTDIR)/$(datarootdir)/doc/firejail - rm -f $(DESTDIR)/$(mandir)/man1/firejail.1* - rm -f $(DESTDIR)/$(mandir)/man1/firemon.1* - rm -f $(DESTDIR)/$(mandir)/man1/firecfg.1* - rm -f $(DESTDIR)/$(mandir)/man5/firejail-profile.5* - rm -f $(DESTDIR)/$(mandir)/man5/firejail-login.5* - rm -f $(DESTDIR)/$(mandir)/man5/firejail-config.5* + for man in $(MANPAGES); do \ + rm -f $(DESTDIR)/$(mandir)/man5/$$man*; \ + rm -f $(DESTDIR)/$(mandir)/man1/$$man*; \ + done rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg diff --git a/mketc.sh b/mketc.sh index f44238968..94fad8f10 100755 --- a/mketc.sh +++ b/mketc.sh @@ -2,23 +2,7 @@ rm -fr .etc mkdir .etc -result=$(echo $1 | sed 's/\//\\\//g') -echo $result - -FILES=`ls etc/*.profile` -for file in $FILES -do - sed "s/\/etc\/firejail/$result\/firejail/g" $file > .$file -done - -FILES=`ls etc/*.inc` -for file in $FILES -do - sed "s/\/etc\/firejail/$result\/firejail/g" $file > .$file -done - -FILES=`ls etc/*.net` -for file in $FILES +for file in etc/*.profile etc/*.inc etc/*.net; do - sed "s/\/etc\/firejail/$result\/firejail/g" $file > .$file + sed "s;/etc/firejail;$1/firejail;g" $file > .$file done -- cgit v1.2.3-70-g09d2 From 5ef59391e909ca4bdc1794b97bb9c829e30276e8 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Mon, 1 Aug 2016 15:14:34 +0300 Subject: change Xephyr option from -noreset to -terminate --- src/firejail/x11.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 2accaeb71..c284bb882 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c 
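Review bot: The rewritten `sed` line in mketc.sh drops the escaping step and splices `$1` raw into the replacement, so a sysconfdir containing `;`, `&` or a backslash now produces a broken or silently wrong `/etc/firejail` path in every generated profile, and an empty `$1` rewrites those paths to `/firejail`. `$file` and `.$file` are also unquoted. I would check the argument and quote the operands: `[ -n "$1" ] || exit 1` before the loop and `sed "s;/etc/firejail;$1/firejail;g" "$file" > ".$file"` inside it.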
@@ -158,7 +158,7 @@ void fs_x11(void) { #ifdef HAVE_X11 -//$ Xephyr -ac -br -noreset -screen 800x600 :22 & +//$ Xephyr -ac -br -terminate -screen 800x600 :22 & //$ DISPLAY=:22 firejail --net=eth0 --blacklist=/tmp/.X11-unix/x0 firefox void x11_start_xephyr(int argc, char **argv) { EUID_ASSERT(); @@ -190,11 +190,11 @@ void x11_start_xephyr(int argc, char **argv) { // start xephyr char *cmd1; if (checkcfg(CFG_XEPHYR_WINDOW_TITLE)) { - if (asprintf(&cmd1, "Xephyr -ac -br -title \"firejail x11 sandbox\" %s -noreset -screen %s :%d", xephyr_extra_params, xephyr_screen, display) == -1) + if (asprintf(&cmd1, "Xephyr -ac -br -title \"firejail x11 sandbox\" %s -terminate -screen %s :%d", xephyr_extra_params, xephyr_screen, display) == -1) errExit("asprintf"); } else { - if (asprintf(&cmd1, "Xephyr -ac -br %s -noreset -screen %s :%d", xephyr_extra_params, xephyr_screen, display) == -1) + if (asprintf(&cmd1, "Xephyr -ac -br %s -terminate -screen %s :%d", xephyr_extra_params, xephyr_screen, display) == -1) errExit("asprintf"); } -- cgit v1.2.3-70-g09d2 From 531c3401e4ead91118e33610c97128efdc786a53 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Mon, 1 Aug 2016 16:21:35 +0300 Subject: change order of arguments to Xephyr to allow override --- src/firejail/x11.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/firejail/x11.c b/src/firejail/x11.c index c284bb882..090ff6f3b 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c 
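Review bot: Both `asprintf` format strings in the second hunk still start the nested server with `-ac`, which switches off X access control, and nothing near them records what the sandbox relies on instead to keep other clients away from display `:%d`. A comment above `char *cmd1;` such as `// -ac: no X access control; isolation depends on who can reach the display socket (confirm)` would make that assumption visible. The two format strings also differ only in the `-title` argument, so every option change has to be made twice, as this hunk does; formatting the title into its own string would leave a single command format. The body of x11_start_xephyr starts and ends outside the hunk.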
@@ -190,11 +190,11 @@ void x11_start_xephyr(int argc, char **argv) { // start xephyr char *cmd1; if (checkcfg(CFG_XEPHYR_WINDOW_TITLE)) { - if (asprintf(&cmd1, "Xephyr -ac -br -title \"firejail x11 sandbox\" %s -terminate -screen %s :%d", xephyr_extra_params, xephyr_screen, display) == -1) + if (asprintf(&cmd1, "Xephyr -ac -br -title \"firejail x11 sandbox\" -terminate -screen %s %s :%d", xephyr_screen, xephyr_extra_params, display) == -1) errExit("asprintf"); } else { - if (asprintf(&cmd1, "Xephyr -ac -br %s -terminate -screen %s :%d", xephyr_extra_params, xephyr_screen, display) == -1) + if (asprintf(&cmd1, "Xephyr -ac -br -terminate -screen %s %s :%d", xephyr_screen, xephyr_extra_params, display) == -1) errExit("asprintf"); } -- cgit v1.2.3-70-g09d2 From 19a9166bd3f8ac58acc5b3cbe04d72d79d82c881 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 1 Aug 2016 09:55:12 -0400 Subject: added quiet profile command --- RELNOTES | 1 + etc/cpio.profile | 2 +- etc/file.profile | 1 + etc/gtar.profile | 2 ++ etc/gzip.profile | 2 ++ etc/less.profile | 2 ++ etc/strings.profile | 2 ++ etc/tar.profile | 1 + etc/unrar.profile | 1 + etc/unzip.profile | 1 + etc/uudeview.profile | 2 ++ etc/xz.profile | 1 + etc/xzdec.profile | 2 ++ src/firejail/main.c | 35 ----------------------------------- src/firejail/profile.c | 14 ++++++++++++-- src/man/firejail-profile.txt | 8 +++++++- 16 files changed, 38 insertions(+), 39 deletions(-) diff --git a/RELNOTES b/RELNOTES index a4fc92671..3bdd21caa 100644 --- a/RELNOTES +++ b/RELNOTES @@ -9,6 +9,7 @@ firejail (0.9.42~rc2) baseline; urgency=low * Ubuntu snap support * include /dev/snd in --private-dev * added mkfile profile command + * added quiet profile command * recursive mkdir * seccomp filter updated * compile time and run time support to disable whitelists diff --git a/etc/cpio.profile b/etc/cpio.profile index b4d232496..5772c7368 100644 --- a/etc/cpio.profile +++ b/etc/cpio.profile 
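Review bot: With `xephyr_extra_params` moved behind `-terminate -screen %s`, that string can now replace any of the fixed options, which is the stated goal, but both it and `xephyr_screen` are pasted with `%s` into one command string and no check on them is visible in the hunk. How `cmd1` is executed and where the two strings are read lie outside the hunk; if the command goes through a shell or a whitespace split, the content of those strings decides the whole argument list. A comment on the two `asprintf` calls would make the dependency explicit, for example `// xephyr_screen / xephyr_extra_params: trusted config only, validated where parsed (confirm)`.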
@@ -1,7 +1,7 @@ # cpio profile # /sbin and /usr/sbin are visible inside the sandbox # /boot is not visible and /var is heavily modified - +quiet noblacklist /sbin noblacklist /usr/sbin include /etc/firejail/disable-common.inc diff --git a/etc/file.profile b/etc/file.profile index 1569b42c7..c2d7b0b0f 100644 --- a/etc/file.profile +++ b/etc/file.profile @@ -1,4 +1,5 @@ # file profile +quiet ignore noroot include /etc/firejail/default.profile diff --git a/etc/gtar.profile b/etc/gtar.profile index 5dbc550f6..2f675cd9d 100644 --- a/etc/gtar.profile +++ b/etc/gtar.profile @@ -1 +1,3 @@ +# gtar profile +quiet include /etc/firejail/tar.profile diff --git a/etc/gzip.profile b/etc/gzip.profile index cc19e7608..ce4aa3c4b 100644 --- a/etc/gzip.profile +++ b/etc/gzip.profile @@ -1,4 +1,6 @@ # gzip profile +quiet +ignore noroot include /etc/firejail/default.profile tracelog net none diff --git a/etc/less.profile b/etc/less.profile index 0c43111d7..802e4196d 100644 --- a/etc/less.profile +++ b/etc/less.profile @@ -1,4 +1,6 @@ # less profile +quiet +ignore noroot include /etc/firejail/default.profile tracelog net none diff --git a/etc/strings.profile b/etc/strings.profile index 881edf4ad..6ebe81d09 100644 --- a/etc/strings.profile +++ b/etc/strings.profile @@ -1,4 +1,6 @@ # strings profile +quiet +ignore noroot include /etc/firejail/default.profile tracelog net none diff --git a/etc/tar.profile b/etc/tar.profile index 769a3cd4e..6daa7396a 100644 --- a/etc/tar.profile +++ b/etc/tar.profile @@ -1,4 +1,5 @@ # tar profile +quiet ignore noroot include /etc/firejail/default.profile diff --git a/etc/unrar.profile b/etc/unrar.profile index 74079e7b9..e941a8f2a 100644 --- a/etc/unrar.profile +++ b/etc/unrar.profile @@ -1,4 +1,5 @@ # unrar profile +quiet ignore noroot include /etc/firejail/default.profile diff --git a/etc/unzip.profile b/etc/unzip.profile index 502839b98..ab69e932e 100644 --- a/etc/unzip.profile +++ b/etc/unzip.profile 
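Review bot: The gzip.profile hunk adds `ignore noroot` next to `quiet`, and the same extra line appears in the less, strings, uudeview and xzdec hunks, although the commit title and the RELNOTES entry mention only the quiet command. In uudeview.profile the existing comment still says the default profile will disable the root user, which presumably refers to the `noroot` setting that the new line ignores, so it should be reworded, for example `# the default profile enables the seccomp filter etc.; noroot is ignored below`. If the change is intended, it deserves its own RELNOTES line so that users of these profiles see it.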
@@ -1,4 +1,5 @@ # unzip profile +quiet ignore noroot include /etc/firejail/default.profile diff --git a/etc/uudeview.profile b/etc/uudeview.profile index 8218ac959..f6fe0abf1 100644 --- a/etc/uudeview.profile +++ b/etc/uudeview.profile @@ -1,5 +1,7 @@ # uudeview profile # the default profile will disable root user, enable seccomp filter etc. +quiet +ignore noroot include /etc/firejail/default.profile tracelog diff --git a/etc/xz.profile b/etc/xz.profile index 709585acd..5b29f7338 100644 --- a/etc/xz.profile +++ b/etc/xz.profile @@ -1,2 +1,3 @@ # xz profile +quiet include /etc/firejail/cpio.profile diff --git a/etc/xzdec.profile b/etc/xzdec.profile index ddf2061bf..3692160e6 100644 --- a/etc/xzdec.profile +++ b/etc/xzdec.profile @@ -1,4 +1,6 @@ # xzdec profile +quiet +ignore noroot include /etc/firejail/default.profile tracelog net none diff --git a/src/firejail/main.c b/src/firejail/main.c index de1dcc044..8bb438ba4 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -697,21 +697,6 @@ static void delete_x11_file(pid_t pid) { static void detect_quiet(int argc, char **argv) { int i; - char *progs[] = { - "cpio", - "file", - "gtar", - "gzip", - "less", - "strings", - "tar", - "unrar", - "unzip", - "uudeview", - "xz", - "xzdec", - NULL - }; // detect --quiet for (i = 1; i < argc; i++) { @@ -726,26 +711,6 @@ static void detect_quiet(int argc, char **argv) { if (strncmp(argv[i], "--", 2) != 0) break; } - - // argv[i] is the program name if --quiet was not already detected - if (arg_quiet || i == argc) - return; - - // extract the name of the program without the leading path - char *ptr = strrchr(argv[i], '/'); - char *name = (ptr)? (ptr + 1): argv[i]; - if (*name == '\0') - return; - - // look for the program in the list - int j = 0; - while (progs[j] != NULL) { - if (strcmp(name, progs[j]) == 0) { - arg_quiet = 1; - return; - } - j++; - } } //******************************************* 
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 46ef0921d..8c2970639 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -817,8 +817,7 @@ void profile_read(const char *fname) { exit(1); } - if (!arg_quiet) - fprintf(stderr, "Reading profile %s\n", fname); + int msg_printed = 0; // read the file line by line char buf[MAX_READ + 1]; @@ -836,6 +835,17 @@ void profile_read(const char *fname) { continue; } + // process quiet + if (strcmp(ptr, "quiet") == 0) { + arg_quiet = 1; + continue; + } + if (!msg_printed) { + if (!arg_quiet) + fprintf(stderr, "Reading profile %s\n", fname); + msg_printed = 1; + } + // process include if (strncmp(ptr, "include ", 8) == 0) { include_level++; diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 7e33a6b45..b6908dd00 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -93,11 +93,17 @@ If the file name matches file_name, the file will not be blacklisted in any blac Example: "noblacklist ${HOME}/.mozilla" .TP -\fBignore command +\fBignore Ignore command. Example: "ignore seccomp" +.TP +\fBquiet +Disable Firejail's output. This should be the first uncommented command in the profile file. + +Example: "quiet" + .SH Filesystem These profile entries define a chroot filesystem built on top of the existing host filesystem. Each line describes a file element that is removed from -- cgit v1.2.3-70-g09d2 From 6f4da149a2aff4f2ac42dc8a488eeef5642beb11 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 1 Aug 2016 14:40:36 -0400 Subject: fixed make test-profile broken by previous commit --- test/profiles/test-profile.exp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/profiles/test-profile.exp b/test/profiles/test-profile.exp index 590b42652..a6b4a5aad 100755 --- a/test/profiles/test-profile.exp +++ b/test/profiles/test-profile.exp 
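Review bot: The new `quiet` branch in the second profile.c hunk sets the process-wide `arg_quiet` from file content and never restores it, so one profile reached through `include` mutes every profile read afterwards and anything else that tests `arg_quiet`; a comment should say so, e.g. `// quiet is global: it also mutes all later profiles and includes`. The match is an exact `strcmp`, so a `quiet` line with trailing blanks is not recognised unless `ptr` is trimmed earlier, which the hunk does not show. Since the "Reading profile" message is now printed at the first command that is not `quiet`, a `quiet` placed later in the file mutes only what follows, and a short comment at `int msg_printed = 0;` would explain why the message was moved. profile_read starts and ends outside the hunk.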
@@ -13,10 +13,10 @@ if { $argc != 1 } { exit } -send -- "firejail --profile=$argv /bin/bash\r" +send -- "firejail --profile=$argv echo done\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + "done" } send -- "exit\r" after 100 -- cgit v1.2.3-70-g09d2 From 355c86b0ff225bdc48b27fb4dfcb6232e4ec7b29 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 2 Aug 2016 10:03:28 -0400 Subject: apparmor --- Makefile.in | 2 + configure | 492 +++++++++++++++++++++++++---------------------- configure.ac | 23 +++ etc/firejail-default | 129 +++++++++++++ src/firejail/Makefile.in | 6 +- src/firejail/sandbox.c | 12 +- todo | 3 + 7 files changed, 438 insertions(+), 229 deletions(-) create mode 100644 etc/firejail-default diff --git a/Makefile.in b/Makefile.in index e47e109d3..4d7526826 100644 --- a/Makefile.in +++ b/Makefile.in @@ -85,6 +85,8 @@ realinstall: done sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" rm -fr .etc + # install apparmor profile + sh -c "if [ -d /etc/apparmor.d ]; then install -c -m 0644 etc/firejail-default /etc/apparmor.d/firejail-default; fi;" # man pages install -m 0755 -d $(DESTDIR)/$(mandir)/man1 install -m 0755 -d $(DESTDIR)/$(mandir)/man5 diff --git a/configure b/configure index 050b4df9c..0f6f8f7fb 100755 --- a/configure +++ b/configure @@ -625,9 +625,6 @@ ac_includes_default="\ ac_subst_vars='LTLIBOBJS LIBOBJS HAVE_SECCOMP_H -EGREP -GREP -CPP HAVE_FATAL_WARNINGS HAVE_WHITELIST HAVE_FILE_TRANSFER @@ -638,6 +635,11 @@ HAVE_GLOBALCFG HAVE_BIND HAVE_CHROOT HAVE_SECCOMP +EXTRA_LDFLAGS +EGREP +GREP +CPP +HAVE_APPARMOR RANLIB INSTALL_DATA INSTALL_SCRIPT @@ -690,6 +692,7 @@ SHELL' ac_subst_files='' ac_user_opts=' enable_option_checking +enable_apparmor enable_seccomp enable_chroot enable_bind 
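Review bot: The new expectation `"done"` can be satisfied by the echo of the command line itself, because the string sent is `firejail --profile=$argv echo done` and a pty normally echoes it back, so the test may pass even when firejail fails to start with the profile. The old `"Child process initialized"` check could not be kept once profiles can be quiet, but the replacement should match only the program's own output line, for example `"\ndone"`, which the echoed command does not contain. The rest of the script lies outside the hunk.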
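Review bot: The added recipe line in realinstall installs into the literal `/etc/apparmor.d` and ignores `$(DESTDIR)` and `$(sysconfdir)`, unlike the other install commands around it, so a staged or packaging install writes to the build host (or fails without root) and the profile never reaches the package. It also runs whether or not configure was given `--enable-apparmor`, and the diffstat shows only these two lines added to Makefile.in, so uninstall leaves the file behind. I would use `install -m 0755 -d $(DESTDIR)/$(sysconfdir)/apparmor.d` followed by `install -c -m 0644 etc/firejail-default $(DESTDIR)/$(sysconfdir)/apparmor.d/firejail-default`, and add the matching `rm -f` to uninstall.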
@@ -1319,6 +1322,7 @@ Optional Features: --disable-option-checking ignore unrecognized --enable/--with options --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) --enable-FEATURE[=ARG] include FEATURE [ARG=yes] + --enable-apparmor enable apparmor --disable-seccomp disable seccomp --disable-chroot disable chroot --disable-bind disable bind 
@@ -1462,52 +1466,6 @@ fi } # ac_fn_c_try_compile -# ac_fn_c_try_link LINENO -# ----------------------- -# Try to link conftest.$ac_ext, and return whether this succeeded. -ac_fn_c_try_link () -{ - as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - rm -f conftest.$ac_objext conftest$ac_exeext - if { { ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_link") 2>conftest.err - ac_status=$? - if test -s conftest.err; then - grep -v '^ *+' conftest.err >conftest.er1 - cat conftest.er1 >&5 - mv -f conftest.er1 conftest.err - fi - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && { - test "$cross_compiling" = yes || - test -x conftest$ac_exeext - }; then : - ac_retval=0 -else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_retval=1 -fi - # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information - # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would - # interfere with the next link command; also delete a directory that is - # left behind by Apple's compiler. We do this before executing the actions. - rm -rf conftest.dSYM conftest_ipa8_conftest.oo - eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno - as_fn_set_status $ac_retval - -} # ac_fn_c_try_link - # ac_fn_c_try_cpp LINENO # ---------------------- # Try to preprocess conftest.$ac_ext, and return whether this succeeded. 
@@ -1708,6 +1666,52 @@ $as_echo "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_header_compile + +# ac_fn_c_try_link LINENO +# ----------------------- +# Try to link conftest.$ac_ext, and return whether this succeeded. +ac_fn_c_try_link () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + rm -f conftest.$ac_objext conftest$ac_exeext + if { { ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_link") 2>conftest.err + ac_status=$? + if test -s conftest.err; then + grep -v '^ *+' conftest.err >conftest.er1 + cat conftest.er1 >&5 + mv -f conftest.er1 conftest.err + fi + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + test -x conftest$ac_exeext + }; then : + ac_retval=0 +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_retval=1 +fi + # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information + # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would + # interfere with the next link command; also delete a directory that is + # left behind by Apple's compiler. We do this before executing the actions. + rm -rf conftest.dSYM conftest_ipa8_conftest.oo + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + as_fn_set_status $ac_retval + +} # ac_fn_c_try_link cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. 
@@ -3069,189 +3073,23 @@ else fi -HAVE_SECCOMP="" -# Check whether --enable-seccomp was given. -if test "${enable_seccomp+set}" = set; then : - enableval=$enable_seccomp; -fi - -if test "x$enable_seccomp" != "xno"; then : - - HAVE_SECCOMP="-DHAVE_SECCOMP" - - -fi - -HAVE_CHROOT="" -# Check whether --enable-chroot was given. -if test "${enable_chroot+set}" = set; then : - enableval=$enable_chroot; -fi - -if test "x$enable_chroot" != "xno"; then : - - HAVE_CHROOT="-DHAVE_CHROOT" - - -fi - -HAVE_BIND="" -# Check whether --enable-bind was given. -if test "${enable_bind+set}" = set; then : - enableval=$enable_bind; -fi - -if test "x$enable_bind" != "xno"; then : - - HAVE_BIND="-DHAVE_BIND" - - -fi - -HAVE_GLOBALCFG="" -# Check whether --enable-globalcfg was given. -if test "${enable_globalcfg+set}" = set; then : - enableval=$enable_globalcfg; -fi - -if test "x$enable_globalcfg" != "xno"; then : - - HAVE_GLOBALCFG="-DHAVE_GLOBALCFG" - - -fi - -HAVE_NETWORK="" -# Check whether --enable-network was given. -if test "${enable_network+set}" = set; then : - enableval=$enable_network; -fi - -# Check whether --enable-network was given. -if test "${enable_network+set}" = set; then : - enableval=$enable_network; -fi - -if test "x$enable_network" != "xno"; then : - - HAVE_NETWORK="-DHAVE_NETWORK" - if test "x$enable_network" = "xrestricted"; then : - - HAVE_NETWORK="$HAVE_NETWORK -DHAVE_NETWORK_RESTRICTED" - -fi - - -fi - -HAVE_USERNS="" -# Check whether --enable-userns was given. -if test "${enable_userns+set}" = set; then : - enableval=$enable_userns; -fi - -if test "x$enable_userns" != "xno"; then : - - HAVE_USERNS="-DHAVE_USERNS" - - -fi - -HAVE_X11="" -# Check whether --enable-x11 was given. -if test "${enable_x11+set}" = set; then : - enableval=$enable_x11; -fi - -if test "x$enable_x11" != "xno"; then : - - HAVE_X11="-DHAVE_X11" - - -fi - -HAVE_FILE_TRANSFER="" -# Check whether --enable-file-transfer was given. 
-if test "${enable_file_transfer+set}" = set; then : - enableval=$enable_file_transfer; -fi - -if test "x$enable_file_transfer" != "xno"; then : - - HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER" - - -fi - -HAVE_WHITELIST="" -# Check whether --enable-whitelist was given. -if test "${enable_whitelist+set}" = set; then : - enableval=$enable_whitelist; -fi - -if test "x$enable_whitelist" != "xno"; then : - - HAVE_WHITELIST="-DHAVE_WHITELIST" - - -fi - -HAVE_FATAL_WARNINGS="" -# Check whether --enable-fatal_warnings was given. -if test "${enable_fatal_warnings+set}" = set; then : - enableval=$enable_fatal_warnings; -fi - -if test "x$enable_fatal_warnings" = "xyes"; then : - - HAVE_FATAL_WARNINGS="-W -Wall -Werror" - - +# Allow to build without apparmor support by calling: +# ./configure --disable-apparmor +# This makes it possible to run snaps in devmode on almost any host, +# regardless of the kernel version. +HAVE_APPARMOR="" +# Check whether --enable-apparmor was given. +if test "${enable_apparmor+set}" = set; then : + enableval=$enable_apparmor; fi +if test "x$enable_apparmor" = "xyes"; then : -# checking pthread library - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5 -$as_echo_n "checking for main in -lpthread... " >&6; } -if ${ac_cv_lib_pthread_main+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lpthread $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. 
*/ + HAVE_APPARMOR="-DHAVE_APPARMOR" -int -main () -{ -return main (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_pthread_main=yes -else - ac_cv_lib_pthread_main=no fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_main" >&5 -$as_echo "$ac_cv_lib_pthread_main" >&6; } -if test "x$ac_cv_lib_pthread_main" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBPTHREAD 1 -_ACEOF - LIBS="-lpthread $LIBS" - -else - as_fn_error $? "*** POSIX thread support not installed ***" "$LINENO" 5 -fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' 
@@ -3650,6 +3488,208 @@ fi done +if test "x$enable_apparmor" = "xyes"; then : + + ac_fn_c_check_header_mongrel "$LINENO" "sys/apparmor.h" "ac_cv_header_sys_apparmor_h" "$ac_includes_default" +if test "x$ac_cv_header_sys_apparmor_h" = xyes; then : + +else + as_fn_error $? "Couldn't find sys/apparmor.h... please install apparmor user space library and development files " "$LINENO" 5 +fi + + + +fi +if test "x$enable_apparmor" = "xyes"; then : + + EXTRA_LDFLAGS="-lapparmor" + +fi + + +HAVE_SECCOMP="" +# Check whether --enable-seccomp was given. +if test "${enable_seccomp+set}" = set; then : + enableval=$enable_seccomp; +fi + +if test "x$enable_seccomp" != "xno"; then : + + HAVE_SECCOMP="-DHAVE_SECCOMP" + + +fi + +HAVE_CHROOT="" +# Check whether --enable-chroot was given. +if test "${enable_chroot+set}" = set; then : + enableval=$enable_chroot; +fi + +if test "x$enable_chroot" != "xno"; then : + + HAVE_CHROOT="-DHAVE_CHROOT" + + +fi + +HAVE_BIND="" +# Check whether --enable-bind was given. +if test "${enable_bind+set}" = set; then : + enableval=$enable_bind; +fi + +if test "x$enable_bind" != "xno"; then : + + HAVE_BIND="-DHAVE_BIND" + + +fi + +HAVE_GLOBALCFG="" +# Check whether --enable-globalcfg was given. +if test "${enable_globalcfg+set}" = set; then : + enableval=$enable_globalcfg; +fi + +if test "x$enable_globalcfg" != "xno"; then : + + HAVE_GLOBALCFG="-DHAVE_GLOBALCFG" + + +fi + +HAVE_NETWORK="" +# Check whether --enable-network was given. +if test "${enable_network+set}" = set; then : + enableval=$enable_network; +fi + +# Check whether --enable-network was given. +if test "${enable_network+set}" = set; then : + enableval=$enable_network; +fi + +if test "x$enable_network" != "xno"; then : + + HAVE_NETWORK="-DHAVE_NETWORK" + if test "x$enable_network" = "xrestricted"; then : + + HAVE_NETWORK="$HAVE_NETWORK -DHAVE_NETWORK_RESTRICTED" + +fi + + +fi + +HAVE_USERNS="" +# Check whether --enable-userns was given. 
+if test "${enable_userns+set}" = set; then : + enableval=$enable_userns; +fi + +if test "x$enable_userns" != "xno"; then : + + HAVE_USERNS="-DHAVE_USERNS" + + +fi + +HAVE_X11="" +# Check whether --enable-x11 was given. +if test "${enable_x11+set}" = set; then : + enableval=$enable_x11; +fi + +if test "x$enable_x11" != "xno"; then : + + HAVE_X11="-DHAVE_X11" + + +fi + +HAVE_FILE_TRANSFER="" +# Check whether --enable-file-transfer was given. +if test "${enable_file_transfer+set}" = set; then : + enableval=$enable_file_transfer; +fi + +if test "x$enable_file_transfer" != "xno"; then : + + HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER" + + +fi + +HAVE_WHITELIST="" +# Check whether --enable-whitelist was given. +if test "${enable_whitelist+set}" = set; then : + enableval=$enable_whitelist; +fi + +if test "x$enable_whitelist" != "xno"; then : + + HAVE_WHITELIST="-DHAVE_WHITELIST" + + +fi + +HAVE_FATAL_WARNINGS="" +# Check whether --enable-fatal_warnings was given. +if test "${enable_fatal_warnings+set}" = set; then : + enableval=$enable_fatal_warnings; +fi + +if test "x$enable_fatal_warnings" = "xyes"; then : + + HAVE_FATAL_WARNINGS="-W -Wall -Werror" + + +fi + + +# checking pthread library +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5 +$as_echo_n "checking for main in -lpthread... " >&6; } +if ${ac_cv_lib_pthread_main+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lpthread $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ + + +int +main () +{ +return main (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_pthread_main=yes +else + ac_cv_lib_pthread_main=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_main" >&5 +$as_echo "$ac_cv_lib_pthread_main" >&6; } +if test "x$ac_cv_lib_pthread_main" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBPTHREAD 1 +_ACEOF + + LIBS="-lpthread $LIBS" + +else + as_fn_error $? "*** POSIX thread support not installed ***" "$LINENO" 5 +fi + ac_fn_c_check_header_mongrel "$LINENO" "pthread.h" "ac_cv_header_pthread_h" "$ac_includes_default" if test "x$ac_cv_header_pthread_h" = xyes; then : @@ -4855,6 +4895,7 @@ echo " prefix: $prefix" echo " sysconfdir: $sysconfdir" echo " seccomp: $HAVE_SECCOMP" echo " : $HAVE_SECCOMP_H" +echo " apparmor: $HAVE_APPARMOR" echo " global config: $HAVE_GLOBALCFG" echo " chroot: $HAVE_CHROOT" echo " bind: $HAVE_BIND" @@ -4866,6 +4907,7 @@ echo " file transfer support: $HAVE_FILE_TRANSFER" echo " fatal warnings: $HAVE_FATAL_WARNINGS" printf " uid_min: "; grep UID_MIN uids.h printf " gid_min: "; grep GID_MIN uids.h +printf " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" echo diff --git a/configure.ac b/configure.ac index a84396ad4..315c25038 100644 --- a/configure.ac +++ b/configure.ac 
@@ -9,6 +9,27 @@ AC_PROG_CC AC_PROG_INSTALL AC_PROG_RANLIB +# Allow to build without apparmor support by calling: +# ./configure --disable-apparmor +# This makes it possible to run snaps in devmode on almost any host, +# regardless of the kernel version. +HAVE_APPARMOR="" +AC_ARG_ENABLE([apparmor], + AS_HELP_STRING([--enable-apparmor], [enable apparmor])) +AS_IF([test "x$enable_apparmor" = "xyes"], [ + HAVE_APPARMOR="-DHAVE_APPARMOR" + AC_SUBST(HAVE_APPARMOR) +]) + +AS_IF([test "x$enable_apparmor" = "xyes"], [ + AC_CHECK_HEADER(sys/apparmor.h, , [AC_MSG_ERROR( + [Couldn't find sys/apparmor.h... please install apparmor user space library and development files] )]) +]) +AS_IF([test "x$enable_apparmor" = "xyes"], [ + EXTRA_LDFLAGS="-lapparmor" +]) +AC_SUBST([EXTRA_LDFLAGS]) + HAVE_SECCOMP="" AC_ARG_ENABLE([seccomp], AS_HELP_STRING([--disable-seccomp], [disable seccomp])) @@ -117,6 +138,7 @@ echo " prefix: $prefix" echo " sysconfdir: $sysconfdir" echo " seccomp: $HAVE_SECCOMP" echo " : $HAVE_SECCOMP_H" +echo " apparmor: $HAVE_APPARMOR" echo " global config: $HAVE_GLOBALCFG" echo " chroot: $HAVE_CHROOT" echo " bind: $HAVE_BIND" @@ -128,6 +150,7 @@ echo " file transfer support: $HAVE_FILE_TRANSFER" echo " fatal warnings: $HAVE_FATAL_WARNINGS" printf " uid_min: "; grep UID_MIN uids.h printf " gid_min: "; grep GID_MIN uids.h +printf " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" echo diff --git a/etc/firejail-default b/etc/firejail-default new file mode 100644 index 000000000..609ab6c19 --- /dev/null +++ b/etc/firejail-default 
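Review bot: The comment above `HAVE_APPARMOR=""` describes building without AppArmor via `--disable-apparmor`, but every test in this hunk is `"x$enable_apparmor" = "xyes"`, so support is off unless `--enable-apparmor` is passed. Anyone reading the comment could assume confinement is compiled in by default; it would be more accurate as `# AppArmor support is opt-in: ./configure --enable-apparmor`. The three `AS_IF` blocks share one condition and could be a single block. `EXTRA_LDFLAGS="-lapparmor"` also discards any value the caller put in the environment, where `EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lapparmor"` would keep it.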
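Review bot: The summary line added in the last configure.ac hunk, `printf " EXTRA_LDFLAGS: $EXTRA_LDFLAGS"`, expands the variable inside the printf format string and has no trailing newline. A `%` in the value would be read as a conversion, and the line only ends because a bare `echo` follows. I would write it as `printf " EXTRA_LDFLAGS: %s\n" "$EXTRA_LDFLAGS"`, or use `echo` like the other summary lines. The generated configure carries the same line.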
@@ -0,0 +1,129 @@ +#include + +profile firejail-default { + +##### +# D-Bus is a huge security hole, we disable it here. Uncomment this line if you +# need D-Bus functionality. +# +#dbus, + +##### +# Mask /proc and /sys information leakage. The configuration here is barely +# enough to run "top" or "ps aux". +# +/ r, +/[^proc,^sys]** mrwlk, + +/proc/ r, +/proc/meminfo r, +/proc/cpuinfo r, +/proc/filesystems r, +/proc/uptime r, +/proc/loadavg r, +/proc/stat r, +/proc/@{pid}/ r, +/proc/@{pid}/fd/ r, +/proc/@{pid}/task/ r, +/proc/@{pid}/cmdline r, +/proc/@{pid}/comm r, +/proc/@{pid}/stat r, +/proc/@{pid}/statm r, +/proc/@{pid}/status r, +/proc/sys/kernel/pid_max r, +/proc/sys/kernel/shmmax r, +/sys/ r, +/sys/bus/ r, +/sys/bus/** r, +/sys/class/ r, +/sys/class/** r, +/sys/devices/ r, +/sys/devices/** r, + +/proc/@{pid}/maps r, +/proc/@{pid}/mounts r, +/proc/@{pid}/mountinfo r, +/proc/@{pid}/oom_score_adj r, + +/{,var/}run/firejail/mnt/fslogger r, +/{,var/}run/user/**/dconf/ r, +/{,var/}run/user/**/dconf/user r, + +##### +# Allow running programs only from well-known system directories. If you need +# to run programs from your home directory, uncomment /home line. +# +/lib/** ix, +/lib64/** ix, +/bin/** ix, +/sbin/** ix, +/usr/bin/** ix, +/usr/sbin/** ix, +/usr/local/** ix, +/usr/lib/** ix, +/usr/games/** ix, +/opt/** ix, +#/home/** ix, + +##### +# Allow all networking functionality, and control it from Firejail. +# +network inet, +network inet6, +network unix, +network netlink, +network raw, + +##### +# There is no equivalent in Firejail for filtering signals. +# +signal, + +##### +# Disable all capabilities. If you run your sandbox as root, you might need to +# enable/uncomment some of them. 
+# +capability chown, +capability dac_override, +capability dac_read_search, +capability fowner, +capability fsetid, +capability kill, +capability setgid, +capability setuid, +capability setpcap, +capability linux_immutable, +capability net_bind_service, +capability net_broadcast, +capability net_admin, +capability net_raw, +capability ipc_lock, +capability ipc_owner, +capability sys_module, +capability sys_rawio, +capability sys_chroot, +capability sys_ptrace, +capability sys_pacct, +capability sys_admin, +capability sys_boot, +capability sys_nice, +capability sys_resource, +capability sys_time, +capability sys_tty_config, +capability mknod, +capability lease, +capability audit_write, +capability audit_control, +capability setfcap, +capability mac_override, +capability mac_admin, + +##### +# No mount/umount functionality when running as regular user. +# +mount, +remount, +umount, +pivot_root, + +} diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in index 21f415ba5..15253b5ab 100644 --- a/src/firejail/Makefile.in +++ b/src/firejail/Makefile.in 
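Review bot: The section comments say "Disable all capabilities" and "No mount/umount functionality", but the rules under them (`capability chown,` through `capability mac_admin,`, then `mount,`, `remount,`, `umount,`, `pivot_root,`) carry no `deny` qualifier, and AppArmor rules grant by default. As written, the profile permits every listed capability and all mount operations. Either the comments should say that these are allowed here and restricted from Firejail (if that is the intent), or the rules should be commented out or prefixed with `deny`. Separately, `/[^proc,^sys]** mrwlk,` is a negated character class on the first path character, not an exclusion of the `proc` and `sys` directories, so it also leaves out paths such as `/run`, `/root` and `/opt`; a comment stating this would keep later editors from misreading it.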
@@ -18,19 +18,21 @@ HAVE_X11=@HAVE_X11@ HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ HAVE_WHITELIST=@HAVE_WHITELIST@ HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ +HAVE_APPARMOR=@HAVE_APPARMOR@ +EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ H_FILE_LIST = $(sort $(wildcard *.[h])) C_FILE_LIST = $(sort $(wildcard *.c)) OBJS = $(C_FILE_LIST:.c=.o) BINOBJS = $(foreach file, $(OBJS), $file) -CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security +CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_APPARMOR) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o ../lib/common.o $(LIBS) + $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) clean:; rm -f *.o firejail firejail.1 firejail.1.gz diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 0fd81979f..1502a0312 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -39,6 +39,9 @@ # define PR_SET_NO_NEW_PRIVS 38 #endif +#ifdef HAVE_APPARMOR +#include +#endif static int monitored_pid = 0; 
@@ -392,6 +395,7 @@ int sandbox(void* sandbox_arg) { if (arg_debug && child_pid == 1) printf("PID namespace installed\n"); + //**************************** // set hostname //**************************** @@ -503,7 +507,6 @@ int sandbox(void* sandbox_arg) { else fs_basic_fs(); - //**************************** // set hostname in /etc/hostname //**************************** @@ -798,8 +801,13 @@ int sandbox(void* sandbox_arg) { pid_t app_pid = fork(); if (app_pid == -1) errExit("fork"); - + if (app_pid == 0) { +#ifdef HAVE_APPARMOR + errno = 0; + if (aa_change_onexec("firejail-default")) + fprintf(stderr, "Warning: apparmor profile not loaded, errno %d\n", errno); +#endif prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died start_application(); // start app } diff --git a/todo b/todo index 009f9fe99..7a96bb2c4 100644 --- a/todo +++ b/todo @@ -251,6 +251,7 @@ References 23. AppArmor $ sudo apt-get install apparmor apparmor-profiles apparmor-utils apparmor-notify +$ sudo apt-get install libapparmor-dev $ sudo perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub $ sudo update-grub @@ -259,5 +260,7 @@ $ sudo reboot If you are using auditd, start aa-notify to get notification whenever a program causes a DENIED message. $ sudo aa-notify -p -f /var/log/audit/audit.log +/sys/module/apparmor/parameters/enabled +/sys/kernel/security/apparmor -- cgit v1.2.3-70-g09d2 From 48dd1fbece66d6e13a099da24e651d57c3491028 Mon Sep 17 00:00:00 2001 
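Review bot: In the `app_pid == 0` branch of the `@@ -798,8 +801,13 @@` hunk, a failing `aa_change_onexec("firejail-default")` only prints a warning, and the child then continues to `start_application()`, so the program runs without the AppArmor profile. A confinement step that cannot be applied should stop the launch: put `exit(1);` after the message, or make the call conditional on an explicit option so that a failure is always an error for users who asked for it. The call is also made for every sandbox once `HAVE_APPARMOR` is defined, whether or not the profile was ever loaded. `sandbox()` starts and ends outside this hunk.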
From: netblue30 Date: Tue, 2 Aug 2016 13:09:23 -0400 Subject: apparmor --- RELNOTES | 1 + src/firejail/checkcfg.c | 81 ++++++++++++++++++++++++++++++++++++++++++++ src/firejail/firejail.h | 2 ++ src/firejail/main.c | 36 +++++--------------- src/firejail/profile.c | 7 ++++ src/firejail/sandbox.c | 14 ++++++-- src/firejail/usage.c | 1 + src/man/firejail-profile.txt | 3 ++ src/man/firejail.txt | 41 ++++++++++++++++++++++ 9 files changed, 156 insertions(+), 30 deletions(-) diff --git a/RELNOTES b/RELNOTES index 3bdd21caa..ca3683838 100644 --- a/RELNOTES +++ b/RELNOTES @@ -3,6 +3,7 @@ firejail (0.9.42~rc2) baseline; urgency=low * --read-write option rework * allow symlinks in home directory for --whitelist option * AppImage support (--appimage) + * AppArmor support (--apparmor) * Sandbox auditing support (--audit) * remove environment variable (--rmenv) * noexec support (--noexec) diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 7de491f5f..12921e294 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c 
@@ -239,3 +239,84 @@ errout: exit(1); } + +void print_compiletime_support(void) { + printf("Compile time support:\n"); + printf("\t- AppArmor support is %s\n", +#ifdef HAVE_APPARMOR + "enabled" +#else + "disabled" +#endif + ); + + + printf("\t- bind support is %s\n", +#ifdef HAVE_BIND + "enabled" +#else + "disabled" +#endif + ); + + printf("\t- chroot support is %s\n", +#ifdef HAVE_CHROOT + "enabled" +#else + "disabled" +#endif + ); + + printf("\t- file and directory whitelisting support is %s\n", +#ifdef HAVE_WHITELIST + "enabled" +#else + "disabled" +#endif + ); + + printf("\t- file transfer support is %s\n", +#ifdef HAVE_FILE_TRANSFER + "enabled" +#else + "disabled" +#endif + ); + + printf("\t- networking support is %s\n", +#ifdef HAVE_NETWORK + "enabled" +#else + "disabled" +#endif + ); + + +#ifdef HAVE_NETWORK_RESTRICTED + printf("\t- networking features are available only to root user\n"); +#endif + + printf("\t- seccomp-bpf support is %s\n", +#ifdef HAVE_SECCOMP + "enabled" +#else + "disabled" +#endif + ); + + printf("\t- user namespace support is %s\n", +#ifdef HAVE_USERNS + "enabled" +#else + "disabled" +#endif + ); + + printf("\t- X11 snadboxing support is %s\n", +#ifdef HAVE_X11 + "enabled" +#else + "disabled" +#endif + ); +} diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 1546dc403..821a8e003 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -263,6 +263,7 @@ extern int arg_writable_var; // writable var extern int arg_appimage; // appimage extern int arg_audit; // audit extern char *arg_audit_prog; // audit +extern int arg_apparmor; // apparmor extern int parent_to_child_fds[2]; extern int child_to_parent_fds[2]; @@ -584,6 +585,7 @@ extern char *xephyr_screen; extern char *xephyr_extra_params; extern char *netfilter_default; int checkcfg(int val); +void print_compiletime_support(void); // appimage.c void appimage_set(const char *appimage_path); 
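Review bot: The last `printf` in `print_compiletime_support()` has a typo in its user-visible string, `"\t- X11 snadboxing support is %s\n"`; it should read `"\t- X11 sandboxing support is %s\n"`. The function repeats the same `#ifdef … "enabled" #else "disabled" #endif` block nine times. A small table of label/flag pairs, or a helper taking the label and an int, would make a missing or mistyped entry easier to spot. A short header comment noting that this output backs `--version` would also help.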
diff --git a/src/firejail/main.c b/src/firejail/main.c index 8bb438ba4..b6fd745a2 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -102,6 +102,7 @@ int arg_writable_var = 0; // writable var int arg_appimage = 0; // appimage int arg_audit = 0; // audit char *arg_audit_prog; // audit +int arg_apparmor; // apparmor int parent_to_child_fds[2]; int child_to_parent_fds[2]; @@ -241,6 +242,7 @@ void check_user_namespace(void) { } #endif + // exit commands static void run_cmd_and_exit(int i, int argc, char **argv) { EUID_ASSERT(); @@ -255,33 +257,9 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { } else if (strcmp(argv[i], "--version") == 0) { printf("firejail version %s\n", VERSION); -#ifndef HAVE_NETWORK - printf("Networking support is disabled.\n"); -#endif -#ifdef HAVE_NETWORK_RESTRICTED - printf("Networking support is allowed only to root user.\n"); -#endif -#ifndef HAVE_USERNS - printf("User namespace support is disabled.\n"); -#endif -#ifndef HAVE_SECCOMP - printf("Seccomp-bpf support is disabled.\n"); -#endif -#ifndef HAVE_BIND - printf("Bind support is disabled.\n"); -#endif -#ifndef HAVE_CHROOT - printf("Chroot support is disabled.\n"); -#endif -#ifndef HAVE_X11 - printf("X11 support is disabled.\n"); -#endif -#ifndef HAVE_FILE_TRANSFER - printf("File transfer support is disabled.\n"); -#endif -#ifndef HAVE_WHITELIST - printf("whitelisting support is disabled.\n"); -#endif + printf("\n"); + print_compiletime_support(); + printf("\n"); exit(0); } #ifdef HAVE_X11 @@ -905,6 +883,10 @@ int main(int argc, char **argv) { //************************************* // filtering //************************************* +#ifdef HAVE_APPARMOR + else if (strcmp(argv[i], "--apparmor") == 0) + arg_apparmor = 1; +#endif #ifdef HAVE_SECCOMP else if (strncmp(argv[i], "--protocol=", 11) == 0) { if (checkcfg(CFG_SECCOMP)) { diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 8c2970639..15cc1e55a 100644 --- a/src/firejail/profile.c 
+++ b/src/firejail/profile.c @@ -446,6 +446,13 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { return 0; } + if (strcmp(ptr, "apparmor") == 0) { +#ifdef HAVE_APPARMOR + arg_apparmor = 1; +#endif + return 0; + } + if (strncmp(ptr, "protocol ", 9) == 0) { #ifdef HAVE_SECCOMP if (checkcfg(CFG_SECCOMP)) diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 1502a0312..9bf2a0a39 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -804,9 +804,17 @@ int sandbox(void* sandbox_arg) { if (app_pid == 0) { #ifdef HAVE_APPARMOR - errno = 0; - if (aa_change_onexec("firejail-default")) - fprintf(stderr, "Warning: apparmor profile not loaded, errno %d\n", errno); + if (arg_apparmor) { + errno = 0; + if (aa_change_onexec("firejail-default")) { + fprintf(stderr, "Error: cannot confine the application using AppArmor.\n"); + fprintf(stderr, "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n"); + fprintf(stderr, "As root, run \"aa-enforce firejail-default\" to load it.\n"); + exit(1); + } + else if (arg_debug) + printf("AppArmor enabled\n"); + } #endif prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died start_application(); // start app diff --git a/src/firejail/usage.c b/src/firejail/usage.c index f7a93174f..958a16da7 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -34,6 +34,7 @@ void usage(void) { printf("\n"); printf("Options:\n\n"); printf(" -- - signal the end of options and disables further option processing.\n\n"); + printf(" --apparmor - enable AppArmor confinement\n\n"); printf(" --appimage - sandbox an AppImage application\n\n"); printf(" --audit - audit the sandbox, see Audit section for more details\n\n"); printf(" --audit=test-program - audit the sandbox, see Audit section for more details\n\n"); diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index b6908dd00..637519902 100644 --- a/src/man/firejail-profile.txt 
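Review bot: In the profile.c hunk, when the binary is built without `HAVE_APPARMOR` the `apparmor` profile line is accepted with `return 0` and nothing else happens, so a profile that asks for confinement is silently run without it. I would add an `#else` branch that reports it, for example `fprintf(stderr, "Warning: AppArmor support is not compiled in, \"apparmor\" ignored\n");`, or treat it as an error. `profile_check_line()` continues outside the hunk, so what the return value means to the caller is not visible here.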
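Review bot: In the sandbox.c hunk `errno` is cleared before `aa_change_onexec("firejail-default")` but never reported, so the error path can only guess ("Maybe … not loaded"). Including it, for example `fprintf(stderr, "Error: cannot confine the application using AppArmor: %s\n", strerror(errno));`, would let a user tell a missing profile from AppArmor being disabled in the kernel or a permission problem. The debug message goes to stdout with `printf` while the errors go to stderr; that is worth a comment if it is intentional.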
+++ b/src/man/firejail-profile.txt @@ -210,6 +210,9 @@ Mount /var directory read-write. .SH Security filters The following security filters are currently implemented: +.TP +\fBapparmor +Enable AppArmor confinement. .TP \fBcaps Enable default Linux capabilities filter. diff --git a/src/man/firejail.txt b/src/man/firejail.txt index d34cfdb20..9e6916534 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -75,6 +75,9 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox \fB\-\- Signal the end of options and disables further option processing. .TP +\fB\-\-apparmor +Enable AppArmor confinement. Formore information, please see \fBAPPARMOR\fR section below. +.TP \fB\-\-appimage Sandbox an AppImage (http://appimage.org/) application. .br 
@@ -1672,6 +1675,44 @@ $ firejail --tree 1221:netblue:/usr/lib/firefox/firefox .RE +.SH APPARMOR +.TP +AppArmor support is disabled by default at compile time. Use --enable-apparmor configuration option to enable it: +.br + +.br +$ ./configure --prefix=/usr --enable-apparmor +.TP +During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The profile needs to be loaded into the kernel by running the following command as root: +.br + +.br +# aa-enforce firejail-default +.TP +The installed profile tries to replicate some advanced security features inspired by kernel-based Grsecurity: +.br + +.br +- Prevent information leakage in /proc and /sys directories. The resulting filesystem is barely enough for running +commands such as "top" and "ps aux". +.br + +.br +- Allow running programs only from well-known system paths, such as /bin, /sbin, /usr/bin etc. Running +programs and scripts from user home or other directories writable by the user is not allowed. +.br + +.br +- Disable D-Bus. D-Bus has long been a huge security hole, and most programs don't use it anyway. +You should have no problems running Chromium or Firefox. + +.TP +To enable AppArmor confinement on top of your current Firejail security features, pass \fB\-\-apparmor\fR flag to Firejail command line. You can also include \fBapparmor\fR command in a Firejail profile file. Example: +.br + +.br +$ firejail --apparmor firefox + .SH FILE TRANSFER These features allow the user to inspect the filesystem container of an existing sandbox and transfer files from the container to the host filesystem. -- cgit v1.2.3-70-g09d2 From c963e7364359353bd7734dd79e81cdfbc3df568b Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 2 Aug 2016 13:10:40 -0400 Subject: apparmor --- README.md | 43 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 42 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 17c7a89de..4eea1aafc 100644 --- a/README.md 
+++ b/README.md @@ -59,8 +59,49 @@ Symlinks outside user home directories are allowed: $ firejail "--whitelist=/home/username/My Virtual Machines" ````` +## AppArmor support -## AppImage +So far I've seen this working on Debian Jessie and Ubuntu 16.04, where I can get Firefox and +Chromium running. There is more testing to come. + +````` +APPARMOR + AppArmor support is disabled by default at compile time. Use --enable- + apparmor configuration option to enable it: + + $ ./configure --prefix=/usr --enable-apparmor + + During software install, a generic AppArmor profile file, firejail- + default, is placed in /etc/apparmor.d directory. The profile needs to + be loaded into the kernel by running the following command as root: + + # aa-enforce firejail-default + + The installed profile tries to replicate some advanced security fea‐ + tures inspired by kernel-based Grsecurity: + + - Prevent information leakage in /proc and /sys directories. The + resulting file system is barely enough for running commands such + as "top" and "ps aux". + + - Allow running programs only from well-known system paths, such + as /bin, /sbin, /usr/bin etc. Running programs and scripts from + user home or other directories writable by the user is not + allowed. + + - Disable D-Bus. D-Bus has long been a huge security hole, and + most programs don't use it anyway. You should have no problems + running Chromium or Firefox. + + To enable AppArmor confinement on top of your current Firejail security + features, pass --apparmor flag to Firejail command line. You can also + include apparmor command in a Fireajail profile file. Example: + + $ firejail --apparmor firefox + +````` + +## AppImage support AppImage (http://appimage.org/) is a distribution-agnostic packaging format. The package is a regular ISO file containing all binaries, libraries and resources -- cgit v1.2.3-70-g09d2 From 11a21b7b4e129e3d860914618dd863eaf41e04f7 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Wed, 3 Aug 2016 07:27:06 -0400 Subject: added /usr/games and /usr/local/games to private-bin default list --- src/firejail/fs_bin.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index dca66888c..cc2aa8f4d 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c @@ -28,6 +28,8 @@ static char *paths[] = { "/usr/local/bin", "/usr/bin", "/bin", + "/usr/games", + "/usr/local/games", "/usr/local/sbin", "/usr/sbin", "/sbin", @@ -76,7 +78,8 @@ static char *check_dir_or_file(const char *name) { } if (!fname) { -// fprintf(stderr, "Warning: file %s not found\n", name); + if (arg_debug) + fprintf(stderr, "Warning: file %s not found\n", name); return NULL; } -- cgit v1.2.3-70-g09d2 From e1b33b552f7915f2a7fa407fc50e09fde143b2d4 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 3 Aug 2016 07:37:04 -0400 Subject: firecfg fix --- src/firecfg/main.c | 10 ++++++++-- src/man/firecfg.txt | 3 +++ 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/src/firecfg/main.c b/src/firecfg/main.c index f0f2aaeb7..30064de40 100644 --- a/src/firecfg/main.c +++ b/src/firecfg/main.c @@ -26,6 +26,7 @@ #include #include #include "../include/common.h" +static int arg_debug = 0; static void usage(void) { printf("firecfg - version %s\n\n", VERSION); @@ -37,6 +38,7 @@ static void usage(void) { printf("DESKTOP INTEGRATION section in man 1 firejail.\n\n"); printf("Usage: firecfg [OPTIONS]\n\n"); printf(" --clean - remove all firejail symbolic links.\n\n"); + printf(" --debug - print debug messages.\n\n"); printf(" --help, -? - this help screen.\n\n"); printf(" --list - list all firejail symbolic links.\n\n"); printf(" --version - print program version and exit.\n\n"); 
@@ -206,8 +208,10 @@ static void set_file(const char *name, const char *firejail_exec) { errExit("asprintf"); struct stat s; - if (stat(fname, &s) == 0) - ; //printf("%s already present\n", fname); + if (stat(fname, &s) == 0) { + if (arg_debug) + printf("%s is already present in /usr/local/bin directory, skipping...\n", fname); + } else { int rv = symlink(firejail_exec, fname); if (rv) { @@ -289,6 +293,8 @@ int main(int argc, char **argv) { usage(); return 0; } + else if (strcmp(argv[i], "--debug") == 0) + arg_debug = 1; else if (strcmp(argv[i], "--version") == 0) { printf("firecfg version %s\n\n", VERSION); return 0; diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt index c12bf7731..9458c4b67 100644 --- a/src/man/firecfg.txt +++ b/src/man/firecfg.txt @@ -17,6 +17,9 @@ The symbolic links are placed in /usr/local/bin. For more information, see \fB\-\-clean Remove all firejail symbolic links. .TP +\fB\-\-debug +Print debug messages. +.TP \fB\-?\fR, \fB\-\-help\fR Print options end exit. .TP -- cgit v1.2.3-70-g09d2 From ce45908b7c540231a7d44347a14e13285d362e13 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 3 Aug 2016 07:55:30 -0400 Subject: fix --blacklist=/proc --- src/firejail/sandbox.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 9bf2a0a39..dc107f00a 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -537,6 +537,11 @@ int sandbox(void* sandbox_arg) { if (arg_private_tmp) fs_private_tmp(); + //**************************** + // update /proc, /sys, /dev, /boot directorymy + //**************************** + fs_proc_sys_dev_boot(); + //**************************** // apply the profile file //**************************** 
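Review bot: The sandbox.c hunk moves `fs_proc_sys_dev_boot()` ahead of "apply the profile file", but the comment on it does not say that the order now matters. Judging from the commit subject, blacklist entries for `/proc` were presumably being undone when this ran after profile processing; if so, the call deserves a comment such as `// must run before the profile is applied, otherwise blacklist entries under /proc, /sys, /dev and /boot are lost`. The banner text also still carries the typo "directorymy". `sandbox()` extends beyond both edges of the hunk.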
@@ -554,11 +559,6 @@ int sandbox(void* sandbox_arg) { if (arg_trace || arg_tracelog) fs_trace(); - //**************************** - // update /proc, /dev, /boot directorymy - //**************************** - fs_proc_sys_dev_boot(); - //**************************** // --nosound and fix for pulseaudio 7.0 //**************************** -- cgit v1.2.3-70-g09d2 From dbc29506b1e971639fa7e55217ea21c343a31001 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 3 Aug 2016 07:57:34 -0400 Subject: fix --blacklist=/proc --- todo | 2 ++ 1 file changed, 2 insertions(+) diff --git a/todo b/todo index 7a96bb2c4..323374525 100644 --- a/todo +++ b/todo @@ -263,4 +263,6 @@ $ sudo aa-notify -p -f /var/log/audit/audit.log /sys/module/apparmor/parameters/enabled /sys/kernel/security/apparmor +24. check monitor proc behaviour for sandboxes with --blacklist=/proc +also check --apparmor in this case -- cgit v1.2.3-70-g09d2 From 8d955f3a117eec0edd0943e61d4cce83380432ca Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 3 Aug 2016 08:18:24 -0400 Subject: firecfg fix --- src/firecfg/main.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/src/firecfg/main.c b/src/firecfg/main.c index 30064de40..9c7c49e1d 100644 --- a/src/firecfg/main.c +++ b/src/firecfg/main.c @@ -69,9 +69,12 @@ static int find(const char *program, const char *directory) { errExit("asprintf"); struct stat s; - if (stat(fname, &s) == 0) + if (stat(fname, &s) == 0) { + if (arg_debug) + printf("found %s in directory %s\n", program, directory); retval = 1; - + } + free(fname); return retval; } @@ -209,8 +212,7 @@ static void set_file(const char *name, const char *firejail_exec) { struct stat s; if (stat(fname, &s) == 0) { - if (arg_debug) - printf("%s is already present in /usr/local/bin directory, skipping...\n", fname); + printf("%s is already present, skipping...\n", fname); } else { int rv = symlink(firejail_exec, fname); -- cgit v1.2.3-70-g09d2 
From 15b4792c7728a807b517b94d164b0a097d82b1d9 Mon Sep 17 00:00:00 2001 From: "Franco (nextime) Lanza" Date: Thu, 4 Aug 2016 00:09:40 +0200 Subject: Add --private-template --- src/firejail/firejail.h | 9 +++++- src/firejail/fs_home.c | 77 +++++++++++++++++++++++++++++++++++++++++++++++++ src/firejail/main.c | 14 +++++++++ src/firejail/profile.c | 13 +++++++++ src/firejail/sandbox.c | 3 ++ 5 files changed, 115 insertions(+), 1 deletion(-) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 821a8e003..02a4966bc 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -136,6 +136,7 @@ typedef struct config_t { char *bin_private_keep; // keep list for private bin directory char *cwd; // current working directory char *overlay_dir; + char *private_template; // template dir for tmpfs home // networking char *name; // sandbox name @@ -327,6 +328,9 @@ void fs_chroot(const char *rootdir); int fs_check_chroot_dir(const char *rootdir); void fs_private_tmp(void); +// copy all (normal) files and directory recursively +int fs_copydir(const char *path, const struct stat *st, int ftype, struct FTW *sftw); + // profile.c // find and read the profile specified by name from dir directory int profile_find(const char *name, const char *dir); @@ -417,9 +421,12 @@ void fs_dev_disable_sound(); void fs_private(void); // private mode (--private=homedir) void fs_private_homedir(void); +// private template (--private-template=templatedir) +void fs_private_template(void); // check new private home directory (--private= option) - exit if it fails void fs_check_private_dir(void); - +// check new private template home directory (--private-template= option) exit if it fails +void fs_check_private_template(void); // seccomp.c int seccomp_filter_drop(int enforce_seccomp); diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 41092de2b..76f99cead 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c 
@@ -28,6 +28,7 @@ #include #include #include +#include static void skel(const char *homedir, uid_t u, gid_t g) { char *fname; @@ -334,6 +335,43 @@ void fs_private(void) { } +int fs_copydir(const char *path, const struct stat *st, int ftype, struct FTW *sftw) +{ + + char *homedir = cfg.homedir; + char *dest; + int srcbaselen = 0; + assert(homedir); + uid_t u = getuid(); + gid_t g = getgid(); + srcbaselen = strlen(cfg.private_template); + + if(ftype == FTW_F || ftype == FTW_D) { + if (asprintf(&dest, "%s/%s", homedir, path + srcbaselen) == -1) + errExit("asprintf"); + struct stat s; + // don't copy it if we already have the file + if (stat(dest, &s) == 0) + return 0; + if (stat(path, &s) == 0) { + if (copy_file(path, dest) == 0) { + if (chown(dest, u, g) == -1) + errExit("chown"); + fs_logger("clone %s", path); + } + } + free(dest); + } + return(0); +} + +void fs_private_template(void) { + fs_private(); + if(!nftw(cfg.private_template, fs_copydir, 1, FTW_PHYS)) { + fprintf(stderr, "Error: unable to copy template dir\n"); + exit(1); + } +} // check new private home directory (--private= option) - exit if it fails void fs_check_private_dir(void) { 
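Review bot: `fs_private_template()` tests `if(!nftw(cfg.private_template, fs_copydir, 1, FTW_PHYS))`, but `nftw()` returns 0 when the walk succeeds, so the "unable to copy template dir" exit is taken on success and skipped on failure. The condition should be `if (nftw(cfg.private_template, fs_copydir, 1, FTW_PHYS) != 0) {`. In `fs_copydir()` the early `return 0;` after `stat(dest, &s) == 0` leaks `dest`; a `free(dest);` is needed before it. `FTW_D` entries are handed to `copy_file()` like regular files. That helper is not visible here, so it is worth confirming that it creates directories, since otherwise nested template files have no destination directory. The callback silently ignores a failed `stat(path, …)` or `copy_file()`, which leaves a partially populated home without any message.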
@@ -373,3 +411,42 @@ void fs_check_private_dir(void) { } } +// check new template home directoty (--private-template= option) - exit if it fails +void fs_check_private_template(void) { + EUID_ASSERT(); + invalid_filename(cfg.private_template); + + // Expand the home directory + char *tmp = expand_home(cfg.private_template, cfg.homedir); + cfg.private_template = realpath(tmp, NULL); + free(tmp); + + if (!cfg.private_template + || !is_dir(cfg.private_template) + || is_link(cfg.private_template) + || strstr(cfg.private_template, "..")) { + fprintf(stderr, "Error: invalid private template directory\n"); + exit(1); + } + + // check home directory and chroot home directory have the same owner + struct stat s2; + int rv = stat(cfg.private_template, &s2); + if (rv < 0) { + fprintf(stderr, "Error: cannot find %s directory\n", cfg.private_template); + exit(1); + } + + struct stat s1; + rv = stat(cfg.homedir, &s1); + if (rv < 0) { + fprintf(stderr, "Error: cannot find %s directory, full path name required\n", cfg.homedir); + exit(1); + } + if (s1.st_uid != s2.st_uid) { + printf("Error: --private-template directory should be owned by the current user\n"); + exit(1); + } +} + + diff --git a/src/firejail/main.c b/src/firejail/main.c index b6fd745a2..b6b97c98c 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -51,6 +51,7 @@ uid_t firejail_uid = 0; static char child_stack[STACK_SIZE]; // space for child's stack Config cfg; // configuration int arg_private = 0; // mount private /home and /tmp directoryu +int arg_private_template = 0; // mount private /home using a template int arg_debug = 0; // print debug messages int arg_debug_check_filename; // print debug messages for filename checking int arg_debug_blacklists; // print debug messages for blacklists 
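Review bot: The ownership test at the end of fs_check_private_template() compares the template's `st_uid` with the owner of `cfg.homedir`, while the message says the directory must be owned by the current user; `if (s2.st_uid != getuid())` would match the message and not depend on who owns the home directory. The comment above the two stat() calls still speaks of the chroot home directory and should describe this check, e.g. `// the template directory must be owned by the user starting the sandbox`. That error is also printed with printf() to stdout where the other failures in the function use `fprintf(stderr, ...)`. Only the top-level directory is validated here, and at option-parsing time; the entries copied later are not covered by this function.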
@@ -1360,6 +1361,19 @@ int main(int argc, char **argv) { fs_check_private_dir(); arg_private = 1; } + else if (strcmp(argv[i], "--private-template=", 19) == 0) { + cfg.private_template = argv[i] + 14; + if (arg_private) { + fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n"); + exit(1); + } + if (*cfg.private_template == '\0') { + fprintf(stderr, "Error: invalid private-template option\n"); + exit(1); + } + fs_check_private_template(); + arg_private_template = 1; + } else if (strcmp(argv[i], "--private-dev") == 0) { arg_private_dev = 1; } diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 15cc1e55a..5aeba2f55 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -169,6 +169,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { arg_private = 1; return 0; } + else if (strcmp(ptr, "private-template") == 0) { + arg_private_template = 1; + return 0; + } else if (strcmp(ptr, "private-dev") == 0) { arg_private_dev = 1; return 0; @@ -614,6 +618,15 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { return 0; } + if (strncmp(ptr, "private-template ", 17) == 0) { + if (arg_private) { + fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n"); + exit(1); + } + cfg.private_template = ptr + 17; + fs_check_private_template(); + arg_private_template = 1; + } // private /etc list of files and directories if (strncmp(ptr, "private-etc ", 12) == 0) { if (arg_writable_etc) { diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 9bf2a0a39..d9866385e 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -524,6 +524,9 @@ int sandbox(void* sandbox_arg) { fs_private(); } + if (arg_private_template) + fs_private_template(); + if (arg_private_dev) fs_private_dev(); if (arg_private_etc) { -- cgit v1.2.3-70-g09d2 From bc8314c8c6e8f8e757c8c5ddb49ec5e41368444f Mon Sep 17 00:00:00 2001 
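Review bot: The new option test in main() calls `strcmp(argv[i], "--private-template=", 19)` with three arguments, which does not match strcmp's prototype; a prefix comparison needs `strncmp`. The value is then taken from `argv[i] + 14`, but the prefix is 19 characters long, so `cfg.private_template` would start inside the option name; it should be `cfg.private_template = argv[i] + 19;`. The exclusivity check also only catches `--private` given before `--private-template=`, not the reverse order. main() starts and ends outside this hunk.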
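Review bot: The bare `private-template` keyword added to profile_check_line() sets `arg_private_template = 1` without assigning `cfg.private_template`, so a profile containing only that word would later reach fs_private_template() and fs_copydir(), which hand the pointer to `nftw()` and `strlen()`. Unless something else guarantees the pointer is set, the keyword should be rejected with an error, since the option has no meaning without a directory. In the second profile.c hunk the `private-template ` branch does not `return 0;` after handling the line, unlike the branches around it, so the line presumably falls through to the remaining checks. profile_check_line() continues outside both hunks.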
From: nextime Date: Thu, 4 Aug 2016 00:51:45 +0200 Subject: Fix minor bugs --- src/firejail/firejail.h | 4 +--- src/firejail/fs_home.c | 5 ++++- src/firejail/main.c | 2 +- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 02a4966bc..333cd92f4 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -213,6 +213,7 @@ static inline int any_interface_configured(void) { void clear_run_files(pid_t pid); extern int arg_private; // mount private /home +extern int arg_private_template; // private /home template extern int arg_debug; // print debug messages extern int arg_debug_check_filename; // print debug messages for filename checking extern int arg_debug_blacklists; // print debug messages for blacklists @@ -328,9 +329,6 @@ void fs_chroot(const char *rootdir); int fs_check_chroot_dir(const char *rootdir); void fs_private_tmp(void); -// copy all (normal) files and directory recursively -int fs_copydir(const char *path, const struct stat *st, int ftype, struct FTW *sftw); - // profile.c // find and read the profile specified by name from dir directory int profile_find(const char *name, const char *dir); diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 76f99cead..3cb410569 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c @@ -335,6 +335,9 @@ void fs_private(void) { } +int fs_copydir(const char *path, const struct stat *st, int ftype, struct FTW *sftw); + + int fs_copydir(const char *path, const struct stat *st, int ftype, struct FTW *sftw) { @@ -357,7 +360,7 @@ int fs_copydir(const char *path, const struct stat *st, int ftype, struct FTW *s if (copy_file(path, dest) == 0) { if (chown(dest, u, g) == -1) errExit("chown"); - fs_logger("clone %s", path); + fs_logger2("clone", path); } } free(dest); diff --git a/src/firejail/main.c b/src/firejail/main.c index b6b97c98c..a6c96f956 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c 
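Review bot: The forward declaration added above fs_copydir() in fs_home.c keeps the callback with external linkage even though its prototype is removed from firejail.h in this same commit and the only visible caller, the nftw() call in fs_private_template(), is in this file. Defining it as `static int fs_copydir(const char *path, const struct stat *st, int ftype, struct FTW *sftw)` makes the extra prototype unnecessary and keeps the name out of the global namespace. If another translation unit does use it, the prototype belongs in the header instead.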
@@ -1361,7 +1361,7 @@ int main(int argc, char **argv) { fs_check_private_dir(); arg_private = 1; } - else if (strcmp(argv[i], "--private-template=", 19) == 0) { + else if (strncmp(argv[i], "--private-template=", 19) == 0) { cfg.private_template = argv[i] + 14; if (arg_private) { fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n"); -- cgit v1.2.3-70-g09d2 From 1351c4f7e62e7e123c4e9e33fdd071075c473103 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 3 Aug 2016 19:02:15 -0400 Subject: apparmor --- etc/firejail-default | 87 ++++++++++++++++++++++++++++++---------------------- 1 file changed, 51 insertions(+), 36 deletions(-) diff --git a/etc/firejail-default b/etc/firejail-default index 609ab6c19..cf4524648 100644 --- a/etc/firejail-default +++ b/etc/firejail-default 
@@ -1,19 +1,36 @@ -#include +######################################### +# Generic Firejail AppArmor profile +######################################### + +########## +# A simple PID declaration based on Ubuntu's @{pid} +# Ubuntu keeps it under tunables/kernelvars and include it via tunables/global. +# We don't know if this definition is available outside Debian and Ubuntu, so +# we declare our own here. +########## +@{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]} profile firejail-default { -##### -# D-Bus is a huge security hole, we disable it here. Uncomment this line if you -# need D-Bus functionality. -# +########## +# D-Bus is a huge security hole. Uncomment this line if you need D-Bus +# functionality. +########## #dbus, -##### +########## # Mask /proc and /sys information leakage. The configuration here is barely # enough to run "top" or "ps aux". -# +########## / r, /[^proc,^sys]** mrwlk, +/{,var/}run/ r, +/{,var/}run/** r, +/{,var/}run/user/**/dconf/ rw, +/{,var/}run/user/**/dconf/user rw, +/{,var/}run/firejail/mnt/fslogger r, +/{run,dev}/shm/ r, +/{run,dev}/shm/** rmwk, /proc/ r, /proc/meminfo r, @@ -22,14 +39,16 @@ profile firejail-default { /proc/uptime r, /proc/loadavg r, /proc/stat r, -/proc/@{pid}/ r, -/proc/@{pid}/fd/ r, -/proc/@{pid}/task/ r, -/proc/@{pid}/cmdline r, -/proc/@{pid}/comm r, -/proc/@{pid}/stat r, -/proc/@{pid}/statm r, -/proc/@{pid}/status r, + +/proc/@{PID}/ r, +/proc/@{PID}/fd/ r, +/proc/@{PID}/task/ r, +/proc/@{PID}/cmdline r, +/proc/@{PID}/comm r, +/proc/@{PID}/stat r, +/proc/@{PID}/statm r, +/proc/@{PID}/status r, +/proc/@{PID}/task/@{PID}/stat r, /proc/sys/kernel/pid_max r, /proc/sys/kernel/shmmax r, /sys/ r, 
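Review bot: The local `@{PID}` definition enumerates one to six digits, so a process whose PID has seven digits would not match any of the `/proc/@{PID}/...` rules below; 64-bit kernels allow `pid_max` to be raised beyond 999999. Adding a seventh alternative, `[1-9][0-9][0-9][0-9][0-9][0-9][0-9]`, keeps the rules working there. The same hunk adds `/{,var/}run/** r,`, which grants read access to everything under /run; if only the dconf, fslogger and shm entries are needed, that rule could be dropped or narrowed. The profile body continues in the following hunks.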
@@ -40,19 +59,15 @@ profile firejail-default { /sys/devices/ r, /sys/devices/** r, -/proc/@{pid}/maps r, -/proc/@{pid}/mounts r, -/proc/@{pid}/mountinfo r, -/proc/@{pid}/oom_score_adj r, +/proc/@{PID}/maps r, +/proc/@{PID}/mounts r, +/proc/@{PID}/mountinfo r, +/proc/@{PID}/oom_score_adj r, -/{,var/}run/firejail/mnt/fslogger r, -/{,var/}run/user/**/dconf/ r, -/{,var/}run/user/**/dconf/user r, - -##### +########## # Allow running programs only from well-known system directories. If you need # to run programs from your home directory, uncomment /home line. -# +########## /lib/** ix, /lib64/** ix, /bin/** ix, @@ -65,24 +80,23 @@ profile firejail-default { /opt/** ix, #/home/** ix, -##### +########## # Allow all networking functionality, and control it from Firejail. -# +########## network inet, network inet6, network unix, network netlink, network raw, -##### +########## # There is no equivalent in Firejail for filtering signals. -# +########## signal, -##### -# Disable all capabilities. If you run your sandbox as root, you might need to -# enable/uncomment some of them. -# +########## +# We let Firejail deal with capabilities. +########## capability chown, capability dac_override, capability dac_read_search, @@ -118,12 +132,13 @@ capability setfcap, capability mac_override, capability mac_admin, -##### -# No mount/umount functionality when running as regular user. -# +########## +# We let Firejail deal with mount/umount functionality. +########## mount, remount, umount, pivot_root, } + -- cgit v1.2.3-70-g09d2 From 8f512407ddb2abc3e2b7ae71f848916e7e3fc64d Mon Sep 17 00:00:00 2001 From: nextime Date: Thu, 4 Aug 2016 02:15:43 +0200 Subject: Make copydir work as expected --- src/firejail/fs_home.c | 23 ++++++++++++++++++----- src/firejail/main.c | 13 +++++++++++-- src/firejail/usage.c | 3 +++ src/man/firejail.txt | 12 ++++++++++++ 4 files changed, 44 insertions(+), 7 deletions(-) 
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 3cb410569..604bba0e4 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c @@ -355,11 +355,22 @@ int fs_copydir(const char *path, const struct stat *st, int ftype, struct FTW *s struct stat s; // don't copy it if we already have the file if (stat(dest, &s) == 0) - return 0; + return(0); if (stat(path, &s) == 0) { - if (copy_file(path, dest) == 0) { - if (chown(dest, u, g) == -1) - errExit("chown"); + if(ftype == FTW_F) { + if (copy_file(path, dest) == 0) { + if (arg_debug) + printf("copy from %s to %s\n", path, dest); + if (chown(dest, u, g) == -1) + errExit("chown"); + fs_logger2("clone", path); + } + } + else if(ftype == FTW_D) { + if (mkdir(dest, s.st_mode) == -1) + errExit("mkdir"); + if (arg_debug) + printf("copy from %s to %s\n", path, dest); fs_logger2("clone", path); } } @@ -369,11 +380,13 @@ int fs_copydir(const char *path, const struct stat *st, int ftype, struct FTW *s } void fs_private_template(void) { + fs_private(); - if(!nftw(cfg.private_template, fs_copydir, 1, FTW_PHYS)) { + if(nftw(cfg.private_template, fs_copydir, 1, FTW_PHYS) != 0) { fprintf(stderr, "Error: unable to copy template dir\n"); exit(1); } + } // check new private home directory (--private= option) - exit if it fails diff --git a/src/firejail/main.c b/src/firejail/main.c index a6c96f956..9f6fa5142 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c 
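Review bot: The early exit `if (stat(dest, &s) == 0) return(0);` still returns without `free(dest)`, so every entry that already exists in the new home leaks the asprintf() buffer; `if (stat(dest, &s) == 0) { free(dest); return 0; }` fixes it. In the FTW_D branch, `mkdir(dest, s.st_mode)` takes the mode from a second `stat(path)` that follows symlinks, although nftw() already passed the FTW_PHYS result in `st`; using `st->st_mode` avoids the extra lookup and the window between the two. fs_copydir() starts above this hunk.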
@@ -1349,9 +1349,18 @@ int main(int argc, char **argv) { else if (strcmp(argv[i], "--writable-var") == 0) { arg_writable_var = 1; } - else if (strcmp(argv[i], "--private") == 0) + else if (strcmp(argv[i], "--private") == 0) { + if (arg_private_template) { + fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n"); + exit(1); + } arg_private = 1; + } else if (strncmp(argv[i], "--private=", 10) == 0) { + if (arg_private_template) { + fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n"); + exit(1); + } // extract private home dirname cfg.home_private = argv[i] + 10; if (*cfg.home_private == '\0') { @@ -1362,7 +1371,7 @@ int main(int argc, char **argv) { arg_private = 1; } else if (strncmp(argv[i], "--private-template=", 19) == 0) { - cfg.private_template = argv[i] + 14; + cfg.private_template = argv[i] + 19; if (arg_private) { fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n"); exit(1); diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 958a16da7..baba93791 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -189,6 +189,9 @@ void usage(void) { printf("\tclosed.\n\n"); printf(" --private=directory - use directory as user home.\n\n"); + printf(" --private-template=directory - same as --private but copy the\n"); + printf("\ttemplatedirectory in the tmpfs mounted user home.\n\n"); + printf(" --private-bin=file,file - build a new /bin in a temporary filesystem,\n"); printf("\tand copy the programs in the list.\n\n"); diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 9e6916534..c6b73f428 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
@@ -1044,6 +1044,18 @@ Example: .br $ firejail \-\-private=/home/netblue/firefox-home firefox +.TP +\fB\-\-private-template=templatedir +Mount new /root and /home/user directories in temporary +filesystems, and copy all files in templatedir. All modifications are discarded when the sandbox is +closed. +.br + +.br +Example: +.br +$ firejail \-\-private-template=/home/netblue/.config/mozilla firefox + .TP \fB\-\-private-bin=file,file Build a new /bin in a temporary filesystem, and copy the programs in the list. -- cgit v1.2.3-70-g09d2 From 841c794e12e694695cbf537d1b10f63a5c622556 Mon Sep 17 00:00:00 2001 From: nextime Date: Thu, 4 Aug 2016 09:06:26 +0200 Subject: Fix profile for --private-template --- src/firejail/profile.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 5aeba2f55..1403db704 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -169,10 +169,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { arg_private = 1; return 0; } - else if (strcmp(ptr, "private-template") == 0) { - arg_private_template = 1; - return 0; - } else if (strcmp(ptr, "private-dev") == 0) { arg_private_dev = 1; return 0; @@ -626,6 +622,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { cfg.private_template = ptr + 17; fs_check_private_template(); arg_private_template = 1; + + return 0; } // private /etc list of files and directories if (strncmp(ptr, "private-etc ", 12) == 0) { -- cgit v1.2.3-70-g09d2 From 713807e8f93e95763308bd1cc6aa5fd1b75ed13d Mon Sep 17 00:00:00 2001 From: nextime Date: Thu, 4 Aug 2016 09:23:26 +0200 Subject: Fix dir creation owner --- src/firejail/fs_home.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 604bba0e4..105092036 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c 
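Review bot: The `private-template ` branch in profile.c rejects the line only when `arg_private` is already set, but the plain `private` branch visible as context in the first hunk sets `arg_private = 1` without looking at `arg_private_template`, so a profile listing `private-template dir` before `private` ends up with both flags set. In sandbox.c both flags appear to lead to fs_private(), so the combination is presumably not intended. Adding `if (arg_private_template) { fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n"); exit(1); }` to the `private` branch would make the rule symmetric, as the main.c change already does for the command line. profile_check_line() starts and ends outside these hunks.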
@@ -369,6 +369,8 @@ int fs_copydir(const char *path, const struct stat *st, int ftype, struct FTW *s else if(ftype == FTW_D) { if (mkdir(dest, s.st_mode) == -1) errExit("mkdir"); + if (chown(dest, u, g) < 0) + errExit("chown"); if (arg_debug) printf("copy from %s to %s\n", path, dest); fs_logger2("clone", path); -- cgit v1.2.3-70-g09d2 From 25fa6746617e034e13e8d14cf7e2a0e7661d37ed Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 4 Aug 2016 09:15:42 -0400 Subject: apparmor fixes for Arch Linux --- Makefile.in | 3 ++- etc/firejail-default | 5 +++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/Makefile.in b/Makefile.in index 4d7526826..978cbf92d 100644 --- a/Makefile.in +++ b/Makefile.in @@ -86,7 +86,8 @@ realinstall: sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" rm -fr .etc # install apparmor profile - sh -c "if [ -d /etc/apparmor.d ]; then install -c -m 0644 etc/firejail-default /etc/apparmor.d/firejail-default; fi;" + sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;" + install -c -m 0644 etc/firejail-default $(DESTDIR)/$(sysconfdir)/apparmor.d/. # man pages install -m 0755 -d $(DESTDIR)/$(mandir)/man1 install -m 0755 -d $(DESTDIR)/$(mandir)/man5 diff --git a/etc/firejail-default b/etc/firejail-default index cf4524648..8abf2400b 100644 --- a/etc/firejail-default +++ b/etc/firejail-default @@ -28,6 +28,8 @@ profile firejail-default { /{,var/}run/** r, /{,var/}run/user/**/dconf/ rw, /{,var/}run/user/**/dconf/user rw, +/{,var/}run/user/**/pulse/ rw, +/{,var/}run/user/**/pulse/** rw, /{,var/}run/firejail/mnt/fslogger r, /{run,dev}/shm/ r, /{run,dev}/shm/** rmwk, 
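Review bot: The two pulse rules in etc/firejail-default use `**` in the middle of the path, `/{,var/}run/user/**/pulse/`, and `**` matches across directory levels, so write access is granted to any directory named pulse at any depth under /run/user rather than only to the per-user runtime directory. `/{,var/}run/user/*/pulse/ rw,` and `/{,var/}run/user/*/pulse/** rw,` express the per-UID path more tightly. The dconf rules just above them, visible as context, have the same shape.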
@@ -51,6 +53,9 @@ profile firejail-default { /proc/@{PID}/task/@{PID}/stat r, /proc/sys/kernel/pid_max r, /proc/sys/kernel/shmmax r, +/proc/sys/vm/overcommit_memory r, +/proc/sys/vm/overcommit_ratio r, + /sys/ r, /sys/bus/ r, /sys/bus/** r, -- cgit v1.2.3-70-g09d2 From 46715fc5aa7e5c3291ec3a1c8aa85340d4a67f89 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 4 Aug 2016 09:19:34 -0400 Subject: apparmor fixes for Arch Linux --- Makefile.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile.in b/Makefile.in index 978cbf92d..4e55e5ea1 100644 --- a/Makefile.in +++ b/Makefile.in @@ -86,7 +86,7 @@ realinstall: sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" rm -fr .etc # install apparmor profile - sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;" + sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;" install -c -m 0644 etc/firejail-default $(DESTDIR)/$(sysconfdir)/apparmor.d/. # man pages install -m 0755 -d $(DESTDIR)/$(mandir)/man1 -- cgit v1.2.3-70-g09d2 From b1ad3357d8de5bb19fcf3bb15ef1443d2f43749c Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 4 Aug 2016 12:23:18 -0400 Subject: private-template --- README | 2 ++ RELNOTES | 1 + 2 files changed, 3 insertions(+) diff --git a/README b/README index 4e610cb4a..f742dd506 100644 --- a/README +++ b/README @@ -28,6 +28,8 @@ Reiner Herrmann (https://github.com/reinerh) - moved build to .xz - detached signatures for source archive - recursive mkdir +Franco (nextime) Lanza (https://github.com/nextime) + - added --private-template xee5ch (https://github.com/xee5ch) - skypeforlinux profile Peter Hogg (https://github.com/pigmonkey) diff --git a/RELNOTES b/RELNOTES index ca3683838..b0d93c141 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -2,6 +2,7 @@ firejail (0.9.42~rc2) baseline; urgency=low * deprecated --user option, please use "sudo -u username firejail" instead * --read-write option rework * allow symlinks in home directory for --whitelist option + * --private-template (very simillar to the former --private-home) * AppImage support (--appimage) * AppArmor support (--apparmor) * Sandbox auditing support (--audit) -- cgit v1.2.3-70-g09d2 From 323c26b4add843757020ca542010a7397530e21f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 4 Aug 2016 14:28:58 -0400 Subject: apparmor fix --- Makefile.in | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Makefile.in b/Makefile.in index 4e55e5ea1..5269170c2 100644 --- a/Makefile.in +++ b/Makefile.in @@ -15,6 +15,7 @@ VERSION=@PACKAGE_VERSION@ NAME=@PACKAGE_NAME@ PACKAGE_TARNAME=@PACKAGE_TARNAME@ DOCDIR=@docdir@ +HAVE_APPARMOR=@HAVE_APPARMOR@ .PHONY: mylibs $(MYLIBS) mylibs: $(MYLIBS) @@ -85,9 +86,11 @@ realinstall: done sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" rm -fr .etc +ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR) # install apparmor profile sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;" install -c -m 0644 etc/firejail-default $(DESTDIR)/$(sysconfdir)/apparmor.d/. +endif # man pages install -m 0755 -d $(DESTDIR)/$(mandir)/man1 install -m 0755 -d $(DESTDIR)/$(mandir)/man5 -- cgit v1.2.3-70-g09d2 From 9c3de20c36539a7752298cbb9eec674e24e191a9 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Fri, 5 Aug 2016 12:47:24 +1000 Subject: Added gnome-chess profile --- etc/gnome-chess.profile | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 etc/gnome-chess.profile diff --git a/etc/gnome-chess.profile b/etc/gnome-chess.profile new file mode 100644 index 000000000..e93970f7d --- /dev/null +++ b/etc/gnome-chess.profile 
@@ -0,0 +1,20 @@ +# Firejail profile for gnome-chess +noblacklist /.local/share/gnome-chess + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +net none +nogroups +nonewprivs +noroot +nosound +seccomp +shell none +tracelog + +private-bin gnome-chess +private-dev -- cgit v1.2.3-70-g09d2 From 7962d6ee8b6372e84a6de43180ae489a145f60da Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Fri, 5 Aug 2016 12:47:54 +1000 Subject: extra gnome-chess files --- README | 1 + README.md | 4 ++-- etc/disable-programs.inc | 1 + platform/debian/conffiles | 1 + src/firecfg/firecfg.config | 1 + 5 files changed, 6 insertions(+), 2 deletions(-) diff --git a/README b/README index f742dd506..a690a9b65 100644 --- a/README +++ b/README @@ -83,6 +83,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added jitsi profile - pidgin private-bin conversion - added eom profile + - added gnome-chess profile Jaykishan Mutkawoa (https://github.com/jmutkawoa) - cpio profile Paupiah Yash (https://github.com/CaffeinatedStud) diff --git a/README.md b/README.md index 4eea1aafc..96c4b26b2 100644 --- a/README.md +++ b/README.md @@ -186,7 +186,7 @@ Office: evince, gthumb, fbreader, pix, atril, xreader, Chat/messaging: qtox, gitter, pidgin -Games: warzone2100 +Games: warzone2100, gnome-chess Weather/climate: aweather @@ -197,5 +197,5 @@ Browsers: Palemoon ## New security profiles Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview -tar (gtar), unzip, unrar, file, skypeforlinux +tar (gtar), unzip, unrar, file, skypeforlinux, gnome-chess diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index ed7710728..01e68506d 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc 
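Review bot: `noblacklist /.local/share/gnome-chess` names a path at the filesystem root, while the matching entry added to disable-programs.inc in the follow-up commit is `blacklist ${HOME}/.local/share/gnome-chess`, so the exemption presumably never matches and the game's data directory stays blacklisted by the include. The line should read `noblacklist ${HOME}/.local/share/gnome-chess`.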
@@ -128,3 +128,4 @@ blacklist ${HOME}/.local/share/xplayer blacklist ${HOME}/.local/share/totem blacklist ${HOME}/.local/share/psi+ blacklist ${HOME}/.local/share/pix +blacklist ${HOME}/.local/share/gnome-chess diff --git a/platform/debian/conffiles b/platform/debian/conffiles index c8eda3cb4..d2ee3a83e 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -44,6 +44,7 @@ /etc/firejail/flashpeak-slimjet.profile /etc/firejail/franz.profile /etc/firejail/gitter.profile +/etc/firejail/gnome-chess.profile /etc/firejail/gnome-mplayer.profile /etc/firejail/google-chrome-beta.profile /etc/firejail/google-chrome-stable.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 48e205a58..c909e6903 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -78,6 +78,7 @@ wine # games 0ad +gnome-chess hedgewars steam wesnot -- cgit v1.2.3-70-g09d2 From 1bfbc86b893a41670759c9f7abb0864b28c62eeb Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Fri, 5 Aug 2016 12:54:15 +1000 Subject: tightened vlc --- etc/vlc.profile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/etc/vlc.profile b/etc/vlc.profile index 1a6e5a151..c82247dd2 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile @@ -8,12 +8,12 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter +nogroups nonewprivs noroot protocol unix,inet,inet6 seccomp - - -# to test shell none +tracelog + private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc -- cgit v1.2.3-70-g09d2 From 265cd772fc7852d2deaacd886a26253006235d59 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 5 Aug 2016 08:39:56 -0400 Subject: fix whitelist ~/deletme problem --- src/firejail/fs_whitelist.c | 16 ++++++++++------ test/fs/fs.sh | 2 ++ test/fs/whitelist-double.exp | 42 ++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 54 insertions(+), 6 deletions(-) create mode 100755 test/fs/whitelist-double.exp 
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index f94040d0f..90b91f9dd 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c @@ -268,13 +268,17 @@ static void whitelist_path(ProfileEntry *entry) { // process regular file else { - // create an empty file - FILE *fp = fopen(path, "w"); - if (!fp) { - fprintf(stderr, "Error: cannot create empty file in home directory\n"); - exit(1); + if (access(path, R_OK)) { + // create an empty file + FILE *fp = fopen(path, "w"); + if (!fp) { + fprintf(stderr, "Error: cannot create empty file in home directory\n"); + exit(1); + } + fclose(fp); } - fclose(fp); + else + return; // the file is already present } // set file properties diff --git a/test/fs/fs.sh b/test/fs/fs.sh index 00e6e29c2..ee6351e2e 100755 --- a/test/fs/fs.sh +++ b/test/fs/fs.sh @@ -54,3 +54,5 @@ echo "TESTING: bind as user (test/fs/option_bind_user.exp)" echo "TESTING: recursive mkdir (test/fs/mkdir.exp)" ./mkdir.exp +echo "TESTING: double whitelist (test/fs/whitelist-double.exp)" +./whitelist-double.exp diff --git a/test/fs/whitelist-double.exp b/test/fs/whitelist-double.exp new file mode 100755 index 000000000..87d6ed686 --- /dev/null +++ b/test/fs/whitelist-double.exp 
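Review bot: `access(path, R_OK)` tests readability for the real UID rather than existence, so a file that exists but fails that test still reaches `fopen(path, "w")` and is truncated, which appears to be the data loss this change is meant to prevent. Creating the placeholder with `open()` and `O_CREAT | O_EXCL`, and treating `EEXIST` as "already present", never truncates an existing file and removes the gap between the check and the create. What `path` refers to at this point is set up above the hunk in whitelist_path(), so how reachable the first case is should be confirmed there.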
@@ -0,0 +1,42 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 30 +spawn $env(SHELL) +match_max 100000 + +send -- "echo 123 > /tmp/firejal-deleteme\r" +sleep 1 + +send -- "firejail --whitelist=/tmp/firejal-deleteme --whitelist=/tmp/firejal-deleteme\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "cat /tmp/firejal-deleteme\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "123" +} + +send -- "exit\r" +sleep 1 + +send -- "cat /tmp/firejal-deleteme\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "123" +} + +send -- "rm/tmp/firejal-deleteme \r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "0" +} +sleep 1 + +puts "\nall done\n" -- cgit v1.2.3-70-g09d2 From 2775b37ed206e5650b1ec4398d33718562f4d657 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 5 Aug 2016 12:37:53 -0400 Subject: whitelist test --- test/fs/fs.sh | 13 +++ test/fs/whitelist-double.exp | 2 +- test/fs/whitelist.exp | 226 +++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 240 insertions(+), 1 deletion(-) create mode 100755 test/fs/whitelist.exp diff --git a/test/fs/fs.sh b/test/fs/fs.sh index ee6351e2e..d45ef48bd 100755 --- a/test/fs/fs.sh +++ b/test/fs/fs.sh @@ -56,3 +56,16 @@ echo "TESTING: recursive mkdir (test/fs/mkdir.exp)" echo "TESTING: double whitelist (test/fs/whitelist-double.exp)" ./whitelist-double.exp + + +echo "TESTING: whitelist (test/fs/whitelist.exp)" +./whitelist.exp +rm -fr ~/fjtest-dir +rm -fr ~/fjtest-dir-lnk +rm -f ~/fjtest-file +rm -f ~/fjtest-file-lnk +rm -f /tmp/fjtest-file +rm -fr /tmp/fjtest-dir + + + diff --git a/test/fs/whitelist-double.exp b/test/fs/whitelist-double.exp index 87d6ed686..43e4d6fc0 100755 --- a/test/fs/whitelist-double.exp +++ b/test/fs/whitelist-double.exp 
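Review bot: The last step of whitelist-double.exp sends `rm/tmp/firejal-deleteme ` without a space after `rm`, so the file is never removed, and it then waits for the string "0", which rm does not print; unless the prompt happens to contain a 0, the test ends with TESTING ERROR 3 or passes by accident. Sending `rm /tmp/firejal-deleteme` and expecting an explicit marker instead would make the result meaningful. The second `cat` check reuses the label `TESTING ERROR 1`, which makes a failure there hard to tell from the first one. The fixed name under /tmp is predictable; a name from mktemp would avoid colliding with an existing file on a shared machine.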
@@ -3,7 +3,7 @@ # Copyright (C) 2014-2016 Firejail Authors # License GPL v2 -set timeout 30 +set timeout 10 spawn $env(SHELL) match_max 100000 diff --git a/test/fs/whitelist.exp b/test/fs/whitelist.exp new file mode 100755 index 000000000..9a9a0f353 --- /dev/null +++ b/test/fs/whitelist.exp 
@@ -0,0 +1,226 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +# cleanup +send -- "rm -fr ~/fjtest-dir\r" +after 200 +send -- "rm -fr ~/fjtest-dir-lnk\r" +after 200 +send -- "rm ~/fjtest-file\r" +after 200 +send -- "rm ~/fjtest-file-lnk\r" +after 200 +send -- "rm /tmp/fjtest-file\r" +after 200 +send -- "rm -fr /tmp/fjtest-dir\r" +after 200 + + +# simple files and directories +send -- "mkdir -p ~/fjtest-dir/fjtest-dir\r" +after 200 +send -- "echo 123 > ~/fjtest-file\r" +after 200 +send -- "echo 123 > ~/fjtest-dir/fjtest-file\r" +after 200 +send -- "echo 123 > ~/fjtest-dir/fjtest-dir/fjtest-file\r" +after 200 +send -- "ln -s ~/fjtest-file ~/fjtest-file-lnk\r" +after 200 +send -- "ln -s ~/fjtest-dir ~/fjtest-dir-lnk\r" +after 200 + +send -- "firejail --whitelist=~/fjtest-file --whitelist=~/fjtest-dir\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "ls -l ~/ | grep -v total | wc -l\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "2" +} + +send -- "cat fjtest-file\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "123" +} + +send -- "cat fjtest-dir/fjtest-file\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "123" +} + +send -- "cat fjtest-dir/fjtest-dir/fjtest-file\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "123" +} + +send -- "exit\r" +sleep 1 + + + +# simple files and directories +send -- "firejail --whitelist=~/fjtest-dir/fjtest-dir/fjtest-file\r" +expect { + timeout {puts "TESTING ERROR 10\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "ls -l ~/ | grep -v total | wc -l\r" +expect { + timeout {puts "TESTING ERROR 11\n";exit} + "1" +} + +send -- "cat fjtest-dir/fjtest-dir/fjtest-file\r" +expect { + timeout {puts "TESTING ERROR 12\n";exit} + "123" +} + +send -- "exit\r" +sleep 1 + + + +# symlinks +send -- "firejail 
--whitelist=~/fjtest-file-lnk --whitelist=~/fjtest-dir-lnk\r" +expect { + timeout {puts "TESTING ERROR 20\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "ls -l ~/ | grep -v total | wc -l\r" +expect { + timeout {puts "TESTING ERROR 21\n";exit} + "4" +} + +send -- "cat fjtest-file\r" +expect { + timeout {puts "TESTING ERROR 22\n";exit} + "123" +} + +send -- "cat fjtest-dir/fjtest-file\r" +expect { + timeout {puts "TESTING ERROR 23\n";exit} + "123" +} + +send -- "cat fjtest-dir/fjtest-dir/fjtest-file\r" +expect { + timeout {puts "TESTING ERROR 24\n";exit} + "123" +} + +send -- "cat fjtest-file-lnk\r" +expect { + timeout {puts "TESTING ERROR 25\n";exit} + "123" +} + +send -- "cat fjtest-dir-lnk/fjtest-file\r" +expect { + timeout {puts "TESTING ERROR 26\n";exit} + "123" +} + +send -- "cat fjtest-dir-lnk/fjtest-dir/fjtest-file\r" +expect { + timeout {puts "TESTING ERROR 27\n";exit} + "123" +} +send -- "exit\r" +sleep 1 + +# symlinks outside home to a file we don't own +send -- "rm ~/fjtest-file-lnk\r" +after 200 +send -- "ln -s /etc/passwd ~/fjtest-file-lnk\r" +after 200 +send -- "firejail --whitelist=~/fjtest-file-lnk --whitelist=~/fjtest-dir-lnk\r" +expect { + timeout {puts "TESTING ERROR 30\n";exit} + "invalid whitelist path" +} +expect { + timeout {puts "TESTING ERROR 31\n";exit} + "exiting" +} +sleep 1 + +# symlinks outside home to a file we own +send -- "rm -fr ~/fjtest-dir-lnk\r" +after 200 +send -- "rm ~/fjtest-file-lnk\r" +after 200 +send -- "echo 123 > /tmp/fjtest-file\r" +after 200 +send -- "mkdir /tmp/fjtest-dir\r" +after 200 +send -- "echo 123 > /tmp/fjtest-dir/fjtest-file\r" +after 200 +send -- "ln -s /tmp/fjtest-file ~/fjtest-file-lnk\r" +after 200 +send -- "ln -s /tmp/fjtest-dir ~/fjtest-dir-lnk\r" +after 200 +send -- "firejail --whitelist=~/fjtest-file-lnk --whitelist=~/fjtest-dir-lnk\r" +expect { + timeout {puts "TESTING ERROR 40\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "ls -l ~/ | grep -v total | wc -l\r" +expect { + 
timeout {puts "TESTING ERROR 41\n";exit} + "2" +} + +send -- "cat fjtest-file-lnk\r" +expect { + timeout {puts "TESTING ERROR 42\n";exit} + "123" +} + +send -- "cat fjtest-dir-lnk/fjtest-file\r" +expect { + timeout {puts "TESTING ERROR 43\n";exit} + "123" +} +send -- "exit\r" +sleep 1 + +# cleanup +send -- "rm -fr ~/fjtest-dir\r" +after 200 +send -- "rm -fr ~/fjtest-dir-lnk\r" +after 200 +send -- "rm ~/fjtest-file\r" +after 200 +send -- "rm ~/fjtest-file-lnk\r" +after 200 +send -- "rm /tmp/fjtest-file\r" +after 200 +send -- "rm -fr /tmp/fjtest-dir\r" +after 200 + + +puts "\nall done\n" + -- cgit v1.2.3-70-g09d2 From ababab246b4fe0a03d4d9a745fa6e040903d0c06 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 5 Aug 2016 17:33:09 -0400 Subject: testing --- src/firejail/fs_home.c | 3 ++- test/dist-compile/compile.sh | 21 +++++++++++++++++++++ 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 105092036..c1e983c16 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c @@ -340,7 +340,8 @@ int fs_copydir(const char *path, const struct stat *st, int ftype, struct FTW *s int fs_copydir(const char *path, const struct stat *st, int ftype, struct FTW *sftw) { - +(void) st; +(void) sftw; char *homedir = cfg.homedir; char *dest; int srcbaselen = 0; diff --git a/test/dist-compile/compile.sh b/test/dist-compile/compile.sh index 6332bee9a..b33f0660a 100755 --- a/test/dist-compile/compile.sh +++ b/test/dist-compile/compile.sh @@ -11,6 +11,7 @@ arr[8]="TEST 8: compile network restricted" arr[9]="TEST 9: compile file transfer disabled" arr[10]="TEST 10: compile disable whitelist" arr[11]="TEST 11: compile disable global config" +arr[12]="TEST 12: compile apparmor" # remove previous reports and output file cleanup() { 
@@ -261,6 +262,25 @@ cp output-configure oc11 cp output-make om11 rm output-configure output-make +#***************************************************************** +# TEST 12 +#***************************************************************** +# - enable apparmor +# - check compilation +#***************************************************************** +print_title "${arr[11]}" +# seccomp +cd firejail +make distclean +./configure --prefix=/usr --enable-apparmor --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +cd .. +grep Warning output-configure output-make > ./report-test12 +grep Error output-configure output-make >> ./report-test12 +cp output-configure oc12 +cp output-make om12 +rm output-configure output-make + #***************************************************************** # PRINT REPORTS @@ -287,3 +307,4 @@ echo ${arr[8]} echo ${arr[9]} echo ${arr[10]} echo ${arr[11]} +echo ${arr[12]} -- cgit v1.2.3-70-g09d2 From dd9e7b00d82d4312e08f66b38ad6749bcf051363 Mon Sep 17 00:00:00 2001 From: Reiner Herrmann Date: Sat, 6 Aug 2016 12:59:05 +0200 Subject: Typo --- test/fs/whitelist-double.exp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/fs/whitelist-double.exp b/test/fs/whitelist-double.exp index 87d6ed686..08b15e04b 100755 --- a/test/fs/whitelist-double.exp +++ b/test/fs/whitelist-double.exp @@ -28,11 +28,11 @@ sleep 1 send -- "cat /tmp/firejal-deleteme\r" expect { - timeout {puts "TESTING ERROR 1\n";exit} + timeout {puts "TESTING ERROR 2\n";exit} "123" } -send -- "rm/tmp/firejal-deleteme \r" +send -- "rm /tmp/firejal-deleteme\r" expect { timeout {puts "TESTING ERROR 3\n";exit} "0" -- cgit v1.2.3-70-g09d2 From 0d203630124fddbf6919f58ca6f633ae490ed2c8 Mon Sep 17 00:00:00 2001 
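Review bot: The new TEST 12 block prints the wrong title, because it calls `print_title "${arr[11]}"` and so the apparmor build is announced as "TEST 11: compile disable global config". It should be `print_title "${arr[12]}"`. The TEST 13 block added later in this series to the same file repeats the same line and needs `"${arr[13]}"`. The `# seccomp` comment under it looks copied from an earlier test and could become `# apparmor`.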
From: netblue30 Date: Sat, 6 Aug 2016 09:33:51 -0400 Subject: implemented --overlay-clean --- README | 1 + RELNOTES | 1 + src/firejail/main.c | 18 +++++++++++++ src/firejail/usage.c | 4 ++- src/firejail/util.c | 71 +++++++++++++++++++++++++++++++++---------------- src/firemon/procevent.c | 2 +- src/man/firejail.txt | 10 +++++++ 7 files changed, 82 insertions(+), 25 deletions(-) diff --git a/README b/README index a690a9b65..6ea10c901 100644 --- a/README +++ b/README @@ -127,6 +127,7 @@ Vasya Novikov (https://github.com/vn971) - Hedegewars profile - manpage fixes - fixed firecfg clean/clear issue + - found the ugliest bug so far curiosity-seeker (https://github.com/curiosity-seeker) - tightening unbound and dnscrypt-proxy profiles - dnsmasq profile diff --git a/RELNOTES b/RELNOTES index b0d93c141..0eb9db370 100644 --- a/RELNOTES +++ b/RELNOTES @@ -8,6 +8,7 @@ firejail (0.9.42~rc2) baseline; urgency=low * Sandbox auditing support (--audit) * remove environment variable (--rmenv) * noexec support (--noexec) + * --overlay-clean option * Ubuntu snap support * include /dev/snd in --private-dev * added mkfile profile command diff --git a/src/firejail/main.c b/src/firejail/main.c index 9f6fa5142..acae7c3dd 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -263,6 +263,23 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { printf("\n"); exit(0); } + else if (strcmp(argv[i], "--overlay-clean") == 0) { + char *path; + if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1) + errExit("asprintf"); + EUID_ROOT(); + if (setreuid(0, 0) < 0) + errExit("setreuid"); + if (setregid(0, 0) < 0) + errExit("setregid"); + errno = 0; + int rv = remove_directory(path); + if (rv) { + fprintf(stderr, "Error: cannot removed overlays stored in ~/.firejail directory, errno %d\n", errno); + exit(1); + } + exit(0); + } #ifdef HAVE_X11 else if (strcmp(argv[i], "--x11") == 0) { if (checkcfg(CFG_X11)) { 
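Review bot: The `--overlay-clean` branch raises real and effective uid to 0 and then recursively deletes `cfg.homedir/.firejail`, a tree the invoking user can modify while the walk is running, and nothing inspects the path before privileges are raised. Check with `lstat()` that it is a real directory owned by the caller before `EUID_ROOT()`, and treat a missing directory as success. The removal is still path-based, so this narrows the exposure rather than closing it; doing the delete under the user's own uid wherever root is not strictly required would be safer. The error text should read `cannot remove`, not "cannot removed". run_cmd_and_exit() starts and ends outside this hunk.

```c
else if (strcmp(argv[i], "--overlay-clean") == 0) {
	char *path;
	if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1)
		errExit("asprintf");
	// refuse anything that is not a real directory owned by the caller
	struct stat s;
	if (lstat(path, &s) == -1) {
		if (errno == ENOENT)
			exit(0);	// nothing to clean
		errExit("lstat");
	}
	if (!S_ISDIR(s.st_mode) || s.st_uid != getuid()) {
		fprintf(stderr, "Error: ~/.firejail is not a directory owned by the current user\n");
		exit(1);
	}
	// … unchanged: EUID_ROOT(), setreuid/setregid, remove_directory(path) …
```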
@@ -744,6 +761,7 @@ int main(int argc, char **argv) { strcmp(argv[i], "--debug-protocols") == 0 || strcmp(argv[i], "--help") == 0 || strcmp(argv[i], "--version") == 0 || + strcmp(argv[i], "--overlay-clean") == 0 || strncmp(argv[i], "--dns.print=", 12) == 0 || strncmp(argv[i], "--bandwidth=", 12) == 0 || strncmp(argv[i], "--caps.print=", 13) == 0 || diff --git a/src/firejail/usage.c b/src/firejail/usage.c index baba93791..03558cca7 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -179,11 +179,13 @@ void usage(void) { printf("\t$HOME/.firejail directory. (OverlayFS support is required in\n"); printf("\tLinux kernel for this option to work). \n\n"); + printf(" --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n\n"); + printf(" --overlay-tmpfs - mount a filesystem overlay on top of the current\n"); printf("\tfilesystem. The upper layer is stored in a tmpfs filesystem,\n"); printf("\tand it is discarded when the sandbox is closed. (OverlayFS\n"); printf("\tsupport is required in Linux kernel for this option to work).\n\n"); - + printf(" --private - mount new /root and /home/user directories in temporary\n"); printf("\tfilesystems. All modifications are discarded when the sandbox is\n"); printf("\tclosed.\n\n"); diff --git a/src/firejail/util.c b/src/firejail/util.c index dc906532f..24bb71e4c 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c @@ -17,7 +17,9 @@ * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ +#define _XOPEN_SOURCE 500 #include "firejail.h" +#include #include #include #include @@ -78,7 +80,7 @@ void drop_privs(int nogroups) { int mkpath_as_root(const char* path) { assert(path && *path); - + // work on a copy of the path char *file_path = strdup(path); if (!file_path) 
@@ -101,19 +103,18 @@ int mkpath_as_root(const char* path) { if (chown(file_path, 0, 0) == -1) errExit("chown"); done = 1; - } + } *p='/'; } if (done) fs_logger2("mkpath", path); - + free(file_path); return 0; } - void logsignal(int s) { if (!arg_debug) return; @@ -211,12 +212,13 @@ int copy_file(const char *srcname, const char *destname) { return 0; } + // return 1 if the file is a directory int is_dir(const char *fname) { assert(fname); if (*fname == '\0') return 0; - + // if fname doesn't end in '/', add one int rv; struct stat s; @@ -227,20 +229,21 @@ int is_dir(const char *fname) { if (asprintf(&tmp, "%s/", fname) == -1) { fprintf(stderr, "Error: cannot allocate memory, %s:%d\n", __FILE__, __LINE__); errExit("asprintf"); - } + } rv = stat(tmp, &s); free(tmp); } - + if (rv == -1) return 0; - + if (S_ISDIR(s.st_mode)) return 1; return 0; } + // return 1 if the file is a link int is_link(const char *fname) { assert(fname); @@ -325,7 +328,7 @@ char *split_comma(char *str) { int not_unsigned(const char *str) { EUID_ASSERT(); - + int rv = 0; const char *ptr = str; while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0') { @@ -347,7 +350,7 @@ int find_child(pid_t parent, pid_t *child) { *child = 0; // use it to flag a found child DIR *dir; - EUID_ROOT(); // grsecurity fix + EUID_ROOT(); // grsecurity fix if (!(dir = opendir("/proc"))) { // sleep 2 seconds and try again sleep(2); @@ -404,13 +407,11 @@ int find_child(pid_t parent, pid_t *child) { } - void extract_command_name(int index, char **argv) { EUID_ASSERT(); assert(argv); assert(argv[index]); - // configure command index cfg.original_program_index = index; @@ -447,7 +448,6 @@ void extract_command_name(int index, char **argv) { exit(1); } - char *tmp = strdup(ptr); if (!tmp) errExit("strdup"); 
@@ -533,6 +533,7 @@ void notify_other(int fd) { fclose(stream); } + // This function takes a pathname supplied by the user and expands '~' and // '${HOME}' at the start, to refer to a path relative to the user's home // directory (supplied). @@ -541,7 +542,7 @@ void notify_other(int fd) { char *expand_home(const char *path, const char* homedir) { assert(path); assert(homedir); - + // Replace home macro char *new_name = NULL; if (strncmp(path, "${HOME}", 7) == 0) { @@ -554,10 +555,11 @@ char *expand_home(const char *path, const char* homedir) { errExit("asprintf"); return new_name; } - + return strdup(path); } + // Equivalent to the GNU version of basename, which is incompatible with // the POSIX basename. A few lines of code saves any portability pain. // https://www.gnu.org/software/libc/manual/html_node/Finding-Tokens-in-a-String.html#index-basename @@ -568,17 +570,18 @@ const char *gnu_basename(const char *path) { return last_slash+1; } + uid_t pid_get_uid(pid_t pid) { EUID_ASSERT(); uid_t rv = 0; - + // open status file char *file; if (asprintf(&file, "/proc/%u/status", pid) == -1) { perror("asprintf"); exit(1); } - EUID_ROOT(); // grsecurity fix + EUID_ROOT(); // grsecurity fix FILE *fp = fopen(file, "r"); if (!fp) { free(file); @@ -597,16 +600,16 @@ uid_t pid_get_uid(pid_t pid) { } if (*ptr == '\0') break; - + rv = atoi(ptr); - break; // break regardless! + break; // break regardless! } } fclose(fp); free(file); - EUID_USER(); // grsecurity fix - + EUID_USER(); // grsecurity fix + if (rv == 0) { fprintf(stderr, "Error: cannot read /proc file\n"); exit(1); @@ -614,14 +617,15 @@ uid_t pid_get_uid(pid_t pid) { return rv; } + void invalid_filename(const char *fname) { EUID_ASSERT(); assert(fname); const char *ptr = fname; - + if (arg_debug_check_filename) printf("Checking filename %s\n", fname); - + if (strncmp(ptr, "${HOME}", 7) == 0) ptr = fname + 7; else if (strncmp(ptr, "${PATH}", 7) == 0) 
@@ -637,6 +641,7 @@ void invalid_filename(const char *fname) { } } + uid_t get_tty_gid(void) { // find tty group id gid_t ttygid = 0; @@ -647,6 +652,7 @@ uid_t get_tty_gid(void) { return ttygid; } + uid_t get_audio_gid(void) { // find tty group id gid_t audiogid = 0; @@ -656,3 +662,22 @@ uid_t get_audio_gid(void) { return audiogid; } + + +static int remove_callback(const char *fpath, const struct stat *sb, int typeflag, struct FTW *ftwbuf) { + (void) sb; + (void) typeflag; + (void) ftwbuf; + + int rv = remove(fpath); + if (rv) + perror(fpath); + + return rv; +} + + +int remove_directory(const char *path) { + // FTW_PHYS - do not follow symbolic links + return nftw(path, remove_callback, 64, FTW_DEPTH | FTW_PHYS); +} diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c index 7c961adde..188c10183 100644 --- a/src/firemon/procevent.c +++ b/src/firemon/procevent.c @@ -90,7 +90,7 @@ static int pid_is_firejail(pid_t pid) { // list of firejail arguments that don't trigger sandbox creation // the initial -- is not included char *firejail_args = "ls list tree x11 help version top netstats debug-syscalls debug-errnos debug-protocols " - "protocol.print debug.caps shutdown bandwidth caps.print cpu.print debug-caps fs.print get "; + "protocol.print debug.caps shutdown bandwidth caps.print cpu.print debug-caps fs.print get overlay-clean "; int i; char *start; diff --git a/src/man/firejail.txt b/src/man/firejail.txt index c6b73f428..fb8cb630b 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -1007,6 +1007,16 @@ Example: .br $ firejail \-\-overlay firefox +.TP +\fB\-\-overlay-clean +Clean all overlays stored in $HOME/.firejail directory. +.br + +.br +Example: +.br +$ firejail \-\-overlay-clean + .TP \fB\-\-overlay-tmpfs Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay, -- cgit v1.2.3-70-g09d2 From 173a90129e73e81fa80bb12f6ec19e3943c74ca5 Mon Sep 17 00:00:00 2001 
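Review bot: `remove_directory()` is reached with uid 0 and passes only `FTW_DEPTH | FTW_PHYS`, so the walk will descend into any filesystem that happens to be mounted below `path` and delete its contents as well. Adding `FTW_MOUNT` keeps it on one filesystem: `return nftw(path, remove_callback, 64, FTW_DEPTH | FTW_PHYS | FTW_MOUNT);`. The comment should also state that `remove_callback()` returns non-zero on the first failed `remove()`, which stops the walk and can leave the tree partly deleted.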
From: Reiner Herrmann Date: Sun, 7 Aug 2016 18:05:45 +0200 Subject: tar requires shell for executing compressors like bzip2 --- etc/tar.profile | 2 +- test/sysutils/tar.exp | 17 ++++++++++++++--- 2 files changed, 15 insertions(+), 4 deletions(-) diff --git a/etc/tar.profile b/etc/tar.profile index 6daa7396a..78bf7ad13 100644 --- a/etc/tar.profile +++ b/etc/tar.profile @@ -8,7 +8,7 @@ net none shell none # support compressed archives -private-bin tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop +private-bin sh,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop private-dev private-etc passwd,group,localtime hostname tar diff --git a/test/sysutils/tar.exp b/test/sysutils/tar.exp index af569f5ac..f41d67d6f 100755 --- a/test/sysutils/tar.exp +++ b/test/sysutils/tar.exp @@ -9,20 +9,31 @@ match_max 100000 send -- "firejail /bin/tar -cjvf firejail_t2 /usr/share/doc/firejail\r" expect { - timeout {puts "TESTING ERROR 1\n";exit} + timeout {puts "TESTING ERROR 1.1\n";exit} + "Error" {puts "TESTING ERROR 1.2\n";exit} "/usr/share/doc/firejail/README" } after 100 +send -- "stat -c '|%s|' firejail_t2; uname -s\r" +expect { + timeout {puts "TESTING ERROR 2.1\n";exit} + "|0|" {puts "TESTING ERROR 2.2\n";exit} + "Linux" +} +sleep 1 + send -- "firejail /bin/tar --compare --file=firejail_t2 -C / | wc\r" expect { - timeout {puts "TESTING ERROR 2\n";exit} + timeout {puts "TESTING ERROR 3.1\n";exit} + "This does not look like a tar archive" {puts "TESTING ERROR 3.2\n"; exit} " 0 0 0" } sleep 1 send -- "/bin/tar --compare --file=firejail_t2 -C / | wc\r" expect { - timeout {puts "TESTING ERROR 3\n";exit} + timeout {puts "TESTING ERROR 4.1\n";exit} + "This does not look like a tar archive" {puts "TESTING ERROR 4.2\n"; exit} " 0 0 0" } sleep 1 -- cgit v1.2.3-70-g09d2 From 7f31ebff5c7401c16b1b179380ba782ac4934d65 Mon Sep 17 00:00:00 2001 
From: Reiner Herrmann Date: Sun, 7 Aug 2016 18:06:49 +0200 Subject: Don't assume ~/.bashrc exists --- test/sysutils/file.exp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/test/sysutils/file.exp b/test/sysutils/file.exp index e40b83197..a8ad84d12 100755 --- a/test/sysutils/file.exp +++ b/test/sysutils/file.exp @@ -7,10 +7,12 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail file ~/.bashrc\r" +send -- "echo 'test string for firejail test' > /tmp/firejail_test.txt; firejail file /tmp/firejail_test.txt\r" expect { timeout {puts "TESTING ERROR 1\n";exit} "ASCII text" } +send -- "rm /tmp/firejail_test.txt\r" +sleep 1 puts "\nall done\n" -- cgit v1.2.3-70-g09d2 From 10d4d20a1e20587d7fab36e7679bf1991199f66d Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Sun, 7 Aug 2016 22:06:59 +0300 Subject: remove unnecessary asprintf --- src/firejail/env.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/src/firejail/env.c b/src/firejail/env.c index 1a6236407..a5b3ccfb3 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c @@ -132,12 +132,8 @@ void env_defaults(void) { if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0) errExit("setenv"); - // build the window title and set it - char *title; - if (asprintf(&title, "\033]0;firejail %s\007\n", cfg.window_title) == -1) - errExit("asprintf"); - printf("%s", title); - free(title); + // set the window title + printf("\033]0;firejail %s\007\n", cfg.window_title); } // parse and store the environment setting -- cgit v1.2.3-70-g09d2 From 808605ba86a49f39bfd2d477cf010a83ce6491b4 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Sun, 7 Aug 2016 22:27:23 +0300 Subject: fix "PATH_MAX undeclared" error on musl systems --- src/libtracelog/libtracelog.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/libtracelog/libtracelog.c b/src/libtracelog/libtracelog.c index dedba5513..ff884c7d7 100644 
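Review bot: In `env_defaults()` the new `printf("\033]0;firejail %s\007\n", cfg.window_title);` writes `cfg.window_title` unfiltered into a terminal title escape sequence. Where the title comes from is not visible in this hunk; if it is built from the command line, a BEL or ESC byte in it would end the title sequence early and the rest would be interpreted by the terminal. I would replace non-printable bytes in the title before printing and add a comment such as `// window_title is sanitized: control characters would break out of the OSC sequence`. env_defaults() starts outside the hunk.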
--- a/src/libtracelog/libtracelog.c +++ b/src/libtracelog/libtracelog.c @@ -31,6 +31,7 @@ #include #include #include +#include //#define DEBUG -- cgit v1.2.3-70-g09d2 From da36dcdb1619a28722cb9683653b61541dfbcfb2 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 8 Aug 2016 08:37:53 -0400 Subject: --private-bin and --private-etc fix --- src/firejail/firejail.h | 1 + src/firejail/fs_bin.c | 21 ++++++++++++++------- src/firejail/fs_etc.c | 36 +++++++++++++++++++++++------------- 3 files changed, 38 insertions(+), 20 deletions(-) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 333cd92f4..16b9d468f 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -398,6 +398,7 @@ uid_t pid_get_uid(pid_t pid); void invalid_filename(const char *fname); uid_t get_tty_gid(void); uid_t get_audio_gid(void); +int remove_directory(const char *path); // fs_var.c void fs_var_log(void); // mounting /var/log diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index cc2aa8f4d..6bd407346 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c @@ -149,7 +149,6 @@ void fs_check_bin_list(void) { } static void duplicate(char *fname) { - char *cmd; char *path = check_dir_or_file(fname); if (!path) return; @@ -175,13 +174,21 @@ static void duplicate(char *fname) { } else { // copy the file - if (asprintf(&cmd, "%s -a %s %s/%s", RUN_CP_COMMAND, actual_path, RUN_BIN_DIR, fname) == -1) - errExit("asprintf"); if (arg_debug) - printf("%s\n", cmd); - if (system(cmd)) - errExit("system cp -a"); - free(cmd); + printf("running: %s -a %s %s/%s", RUN_CP_COMMAND, actual_path, RUN_BIN_DIR, fname); + + pid_t child = fork(); + if (child < 0) + errExit("fork"); + if (child == 0) { + char *f; + if (asprintf(&f, "%s/%s", RUN_BIN_DIR, fname) == -1) + errExit("asprintf"); + execlp(RUN_CP_COMMAND, RUN_CP_COMMAND, "-a", actual_path, f, NULL); + } + // wait for the child to finish + waitpid(child, NULL, 0); + } free(actual_path); } 
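Review bot: In the forked child of `duplicate()` in fs_bin.c nothing follows `execlp()`, so when the exec fails the child falls through and keeps running the parent's code with the parent's privileges. The parent also discards the exit status, so a failed copy is no longer detected, whereas the removed `system()` path ended in `errExit`. Terminate the child after a failed exec and check the status from `waitpid()`. The same pattern is added to `duplicate()` in src/firejail/fs_etc.c (hunk at -88,18), where the old code at least printed a warning. The debug `printf` here also lost its trailing `\n`; duplicate() starts outside this hunk.

```c
	if (child == 0) {
		char *f;
		if (asprintf(&f, "%s/%s", RUN_BIN_DIR, fname) == -1)
			errExit("asprintf");
		execlp(RUN_CP_COMMAND, RUN_CP_COMMAND, "-a", actual_path, f, NULL);
		// only reached when the exec failed
		perror("execlp");
		_exit(1);
	}
	// wait for the child and fail if the copy did not succeed
	int status;
	if (waitpid(child, &status, 0) == -1)
		errExit("waitpid");
	if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
		fprintf(stderr, "Error: cannot copy %s\n", actual_path);
		exit(1);
	}
```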
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index 2ff36f5d2..6b9a4395b 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c @@ -28,7 +28,7 @@ static int check_dir_or_file(const char *name) { assert(name); invalid_filename(name); - + struct stat s; char *fname; if (asprintf(&fname, "/etc/%s", name) == -1) @@ -40,7 +40,11 @@ static int check_dir_or_file(const char *name) { printf("Warning: file %s not found.\n", fname); return 0; } - + + // read access + if (access(fname, R_OK) == -1) + goto errexit; + // dir or regular file if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode)) { free(fname); @@ -52,6 +56,8 @@ static int check_dir_or_file(const char *name) { return 1; } + +errexit: fprintf(stderr, "Error: invalid file type, %s.\n", fname); exit(1); } @@ -88,18 +94,22 @@ void fs_check_etc_list(void) { } static void duplicate(char *fname) { - char *cmd; - - // copy the file - this code assumes ETC_DIR is actually MNT_DIR/etc - if (asprintf(&cmd, "%s -a --parents /etc/%s %s", RUN_CP_COMMAND, fname, RUN_MNT_DIR) == -1) - errExit("asprintf"); + // copy the file if (arg_debug) - printf("%s\n", cmd); - if (system(cmd)) - fprintf(stderr, "Warning (fs_etc): error copying file /etc/%s, skipping...\n", fname); + printf("running: %s -a --parents /etc/%s %s\n", RUN_CP_COMMAND, fname, RUN_MNT_DIR); + + pid_t child = fork(); + if (child < 0) + errExit("fork"); + if (child == 0) { + char *f; + if (asprintf(&f, "/etc/%s", fname) == -1) + errExit("asprintf"); + execlp(RUN_CP_COMMAND, RUN_CP_COMMAND, "-a", "--parents", f, RUN_MNT_DIR, NULL); + } + // wait for the child to finish + waitpid(child, NULL, 0); - free(cmd); - char *name; if (asprintf(&name, "/etc/%s", fname) == -1) errExit("asprintf"); 
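Review bot: The new read check in `check_dir_or_file()` jumps to `errexit`, which prints "Error: invalid file type", so a file the user simply cannot read is reported with the wrong reason. Give it its own message, e.g. `if (access(fname, R_OK) == -1) { fprintf(stderr, "Error: cannot access file %s\n", fname); exit(1); }`. A comment should also say why `access()` is used: it tests the real uid, and the later copy runs in a separate, more privileged child, so the check and the copy are two distinct steps on the same path name.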
@@ -133,7 +143,7 @@ void fs_private_etc_list(void) { // copy the list of files in the new etc directory - // using a new child process without root privileges + // using a new child process with root privileges if (*private_list != '\0') { pid_t child = fork(); if (child < 0) -- cgit v1.2.3-70-g09d2 From 01a5140d1c5797b9522693fe0ec489e9ff6648d6 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Tue, 9 Aug 2016 00:50:44 +1000 Subject: typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 96c4b26b2..67dd017a7 100644 --- a/README.md +++ b/README.md @@ -95,7 +95,7 @@ APPARMOR To enable AppArmor confinement on top of your current Firejail security features, pass --apparmor flag to Firejail command line. You can also - include apparmor command in a Fireajail profile file. Example: + include apparmor command in a Firejail profile file. Example: $ firejail --apparmor firefox -- cgit v1.2.3-70-g09d2 From 1b19e521c4f007e16010e1c935bc4392bd333145 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Tue, 9 Aug 2016 01:29:55 +0300 Subject: workaround for systems where common UNIX utilities are symlinks to busybox --- Makefile.in | 3 ++- configure | 19 +++++++++++++++++++ configure.ac | 10 ++++++++++ mketc.sh | 14 ++++++++++++++ 4 files changed, 45 insertions(+), 1 deletion(-) diff --git a/Makefile.in b/Makefile.in index 5269170c2..6c98742b7 100644 --- a/Makefile.in +++ b/Makefile.in @@ -16,6 +16,7 @@ NAME=@PACKAGE_NAME@ PACKAGE_TARNAME=@PACKAGE_TARNAME@ DOCDIR=@docdir@ HAVE_APPARMOR=@HAVE_APPARMOR@ +BUSYBOX_WORKAROUND=@BUSYBOX_WORKAROUND@ .PHONY: mylibs $(MYLIBS) mylibs: $(MYLIBS) 
@@ -79,7 +80,7 @@ realinstall: install -c -m 0644 README $(DESTDIR)/$(DOCDIR)/. install -c -m 0644 RELNOTES $(DESTDIR)/$(DOCDIR)/. # etc files - ./mketc.sh $(sysconfdir) + ./mketc.sh $(sysconfdir) $(BUSYBOX_WORKAROUND) install -m 0755 -d $(DESTDIR)/$(sysconfdir)/firejail for file in .etc/* etc/firejail.config; do \ install -c -m 0644 $$file $(DESTDIR)/$(sysconfdir)/firejail; \ diff --git a/configure b/configure index 0f6f8f7fb..29792969c 100755 --- a/configure +++ b/configure @@ -625,6 +625,7 @@ ac_includes_default="\ ac_subst_vars='LTLIBOBJS LIBOBJS HAVE_SECCOMP_H +BUSYBOX_WORKAROUND HAVE_FATAL_WARNINGS HAVE_WHITELIST HAVE_FILE_TRANSFER @@ -703,6 +704,7 @@ enable_x11 enable_file_transfer enable_whitelist enable_fatal_warnings +enable_busybox_workaround ' ac_precious_vars='build_alias host_alias @@ -1336,6 +1338,8 @@ Optional Features: --disable-file-transfer disable file transfer --disable-whitelist disable whitelist --enable-fatal-warnings -W -Wall -Werror + --enable-busybox-workaround + enable busybox workaround Some influential environment variables: CC C compiler command @@ -3647,6 +3651,20 @@ if test "x$enable_fatal_warnings" = "xyes"; then : fi +BUSYBOX_WORKAROUND="no" +# Check whether --enable-busybox-workaround was given. +if test "${enable_busybox_workaround+set}" = set; then : + enableval=$enable_busybox_workaround; +fi + +if test "x$enable_busybox_workaround" = "xyes"; then : + + BUSYBOX_WORKAROUND="yes" + + +fi + + # checking pthread library { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5 @@ -4905,6 +4923,7 @@ echo " X11 sandboxing support: $HAVE_X11" echo " whitelisting: $HAVE_WHITELIST" echo " file transfer support: $HAVE_FILE_TRANSFER" echo " fatal warnings: $HAVE_FATAL_WARNINGS" +echo " busybox workaround: $BUSYBOX_WORKAROUND" printf " uid_min: "; grep UID_MIN uids.h printf " gid_min: "; grep GID_MIN uids.h printf " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" diff --git a/configure.ac b/configure.ac index 315c25038..149f76eae 100644 
--- a/configure.ac +++ b/configure.ac @@ -115,6 +115,15 @@ AS_IF([test "x$enable_fatal_warnings" = "xyes"], [ AC_SUBST(HAVE_FATAL_WARNINGS) ]) +BUSYBOX_WORKAROUND="no" +AC_ARG_ENABLE([busybox-workaround], + AS_HELP_STRING([--enable-busybox-workaround], [enable busybox workaround])) +AS_IF([test "x$enable_busybox_workaround" = "xyes"], [ + BUSYBOX_WORKAROUND="yes" + AC_SUBST(BUSYBOX_WORKAROUND) +]) + + # checking pthread library AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***])) @@ -148,6 +157,7 @@ echo " X11 sandboxing support: $HAVE_X11" echo " whitelisting: $HAVE_WHITELIST" echo " file transfer support: $HAVE_FILE_TRANSFER" echo " fatal warnings: $HAVE_FATAL_WARNINGS" +echo " busybox workaround: $BUSYBOX_WORKAROUND" printf " uid_min: "; grep UID_MIN uids.h printf " gid_min: "; grep GID_MIN uids.h printf " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" diff --git a/mketc.sh b/mketc.sh index 94fad8f10..f98c5479f 100755 --- a/mketc.sh +++ b/mketc.sh @@ -6,3 +6,17 @@ for file in etc/*.profile etc/*.inc etc/*.net; do sed "s;/etc/firejail;$1/firejail;g" $file > .$file done + +if [ "x$2" = "xyes" ] +then +sed -i -e ' +1i# Workaround for systems where common UNIX utilities are symlinks to busybox.\ +# If this is not your case you can remove --enable-busybox-workaround from\ +# ./configure options, for added security.\ +noblacklist \${PATH}/mount\ +noblacklist \${PATH}/umount\ +noblacklist \${PATH}/su\ +noblacklist \${PATH}/sudo\ +noblacklist \${PATH}/nc\ +' .etc/disable-common.inc +fi -- cgit v1.2.3-70-g09d2 From c22f9de02db17cb10b08f3d4893987228799ca89 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 9 Aug 2016 07:46:28 -0400 Subject: various fixes --- src/firejail/sandbox.c | 27 ++++++++++++++++++--------- src/firejail/seccomp.c | 12 ++++++++++++ test/features/1.2.exp | 24 ++++++++++++------------ test/features/3.6.exp | 11 ++++++++--- test/features/3.8.exp | 8 ++++++-- 5 files changed, 56 insertions(+), 26 deletions(-) 
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index f37605e20..a131d9e91 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -460,8 +460,9 @@ int sandbox(void* sandbox_arg) { #ifdef HAVE_CHROOT if (cfg.chrootdir) { fs_chroot(cfg.chrootdir); - // redo cp command - fs_build_cp_command(); + +// // redo cp command +// fs_build_cp_command(); // force caps and seccomp if not started as root if (getuid() != 0) { @@ -482,7 +483,7 @@ int sandbox(void* sandbox_arg) { // disable all capabilities if (arg_caps_default_filter || arg_caps_list) - fprintf(stderr, "Warning: all capabilities disabled for a regular user during chroot\n"); + fprintf(stderr, "Warning: all capabilities disabled for a regular user in chroot\n"); arg_caps_drop_all = 1; // drop all supplementary groups; /etc/group file inside chroot @@ -530,13 +531,21 @@ int sandbox(void* sandbox_arg) { if (arg_private_dev) fs_private_dev(); if (arg_private_etc) { - fs_private_etc_list(); - // create /etc/ld.so.preload file again - if (arg_trace || arg_tracelog) - fs_trace_preload(); + if (cfg.chrootdir) + fprintf(stderr, "Warning: private-etc feature is disabled in chroot\n"); + else { + fs_private_etc_list(); + // create /etc/ld.so.preload file again + if (arg_trace || arg_tracelog) + fs_trace_preload(); + } + } + if (arg_private_bin) { + if (cfg.chrootdir) + fprintf(stderr, "Warning: private-bin feature is disabled in chroot\n"); + else + fs_private_bin_list(); } - if (arg_private_bin) - fs_private_bin_list(); if (arg_private_tmp) fs_private_tmp(); diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index efe24a211..88620d1dd 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c 
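Review bot: The `sandbox()` changes disable `fs_build_cp_command()`, private-etc and private-bin under `cfg.chrootdir` without saying why, and the first is left as commented-out code (`// // redo cp command`). Either delete the two dead lines or replace them with a reason; the two new warning branches deserve the same, for example `// private-etc/private-bin copy files with cp; not supported inside a chroot` (the actual reason is not visible in this hunk and should be confirmed by the author). sandbox() starts and ends outside these hunks.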
@@ -101,10 +101,22 @@ static void filter_init(void) { sfilter_alloc_size = SECSIZE; // copy the start entries +#if defined(__x86_64__) +#define X32_SYSCALL_BIT 0x40000000 + struct sock_filter filter[] = { + VALIDATE_ARCHITECTURE, + EXAMINE_SYSCALL, + // handle X32 ABI + BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), + BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), + RETURN_ERRNO(EPERM) + }; +#else struct sock_filter filter[] = { VALIDATE_ARCHITECTURE, EXAMINE_SYSCALL }; +#endif sfilter_index = sizeof(filter) / sizeof(struct sock_filter); memcpy(sfilter, filter, sizeof(filter)); } diff --git a/test/features/1.2.exp b/test/features/1.2.exp index 685acf737..bcb227304 100755 --- a/test/features/1.2.exp +++ b/test/features/1.2.exp @@ -115,22 +115,22 @@ if { $chroot == "chroot" } { timeout {puts "TESTING ERROR 5.3\n";exit} "proc /proc/sys proc" } - expect { - timeout {puts "TESTING ERROR 5.4\n";exit} - "proc /proc/sysrq-trigger proc" - } +# expect { +# timeout {puts "TESTING ERROR 5.4\n";exit} +# "proc /proc/sysrq-trigger proc" +# } # expect { # timeout {puts "TESTING ERROR 5.5\n";exit} # "proc /proc/sys/kernel/hotplug" # } - expect { - timeout {puts "TESTING ERROR 5.6\n";exit} - "proc /proc/irq proc" - } - expect { - timeout {puts "TESTING ERROR 5.7\n";exit} - "proc /proc/bus proc" - } +# expect { +# timeout {puts "TESTING ERROR 5.6\n";exit} +# "proc /proc/irq proc" +# } +# expect { +# timeout {puts "TESTING ERROR 5.7\n";exit} +# "proc /proc/bus proc" +# } after 100 send -- "exit\r" sleep 1 diff --git a/test/features/3.6.exp b/test/features/3.6.exp index a00517716..389e63a1d 100755 --- a/test/features/3.6.exp +++ b/test/features/3.6.exp 
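Review bot: The two jumps added under `// handle X32 ABI` in `filter_init()` work only because of their exact offsets, and the comment does not say what the handling is. As written, a syscall number at or above `X32_SYSCALL_BIT` skips one instruction and lands on `RETURN_ERRNO(EPERM)`, while every other number reaches the second jump, whose `>= 0` test is always true and skips the return; this relies on `RETURN_ERRNO` expanding to exactly one instruction, which the hunk does not show. I would spell that out, e.g. `// x32 syscalls (nr >= X32_SYSCALL_BIT) get EPERM; all others skip the return`, and write the second jump as the unconditional `BPF_STMT(BPF_JMP+BPF_JA, 1)`. filter_init() continues outside the hunk.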
@@ -60,14 +60,19 @@ if { $chroot == "chroot" } { expect { timeout {puts "TESTING ERROR 4\n";exit} "chroot option is not available" {puts "grsecurity\n"; exit} + "private-etc feature is disabled in chroot" + } + expect { + timeout {puts "TESTING ERROR 5\n";exit} + "chroot option is not available" {puts "grsecurity\n"; exit} "Child process initialized" } sleep 1 - send -- "ls -al /etc | wc -l\r" + send -- "ls /etc | grep firejail\r" expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "10" + timeout {puts "TESTING ERROR 6\n";exit} + "firejail" } after 100 diff --git a/test/features/3.8.exp b/test/features/3.8.exp index 94a1abf67..d941fa9b7 100755 --- a/test/features/3.8.exp +++ b/test/features/3.8.exp @@ -61,14 +61,18 @@ if { $chroot == "chroot" } { send -- "firejail --noprofile --chroot=/tmp/chroot --private-bin=bash,cat,cp,ls,wc\r" expect { timeout {puts "TESTING ERROR 4\n";exit} + "private-bin feature is disabled in chroot" + } + expect { + timeout {puts "TESTING ERROR 5\n";exit} "Child process initialized" } sleep 1 send -- "ls -l /usr/bin | wc -l\r" expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "6" + timeout {puts "TESTING ERROR 6\n";exit} + "9" } after 100 -- cgit v1.2.3-70-g09d2 From 9834016feaa57d08d5719def13cf302086957d2e Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Wed, 10 Aug 2016 01:47:25 +0300 Subject: expand ${PATH} macro in noblacklist entries --- src/firejail/fs.c | 40 ++++++++++++++++++++++++++++++++++------ 1 file changed, 34 insertions(+), 6 deletions(-) diff --git a/src/firejail/fs.c b/src/firejail/fs.c index ff5887c10..5bcfa6066 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c 
@@ -478,12 +478,40 @@ void fs_blacklist(void) { // Process noblacklist command if (strncmp(entry->data, "noblacklist ", 12) == 0) { - if (noblacklist_c >= noblacklist_m) { - noblacklist_m *= 2; - noblacklist = realloc(noblacklist, sizeof(*noblacklist) * noblacklist_m); - if (noblacklist == NULL) - errExit("failed increasing memory for noblacklist entries");} - noblacklist[noblacklist_c++] = expand_home(entry->data + 12, homedir); + char **paths = build_paths(); + + char *enames[sizeof(paths)+1] = {0}; + int i = 0; + + if (strncmp(entry->data + 12, "${PATH}", 7) == 0) { + // expand ${PATH} macro + while (paths[i] != NULL) { + if (asprintf(&enames[i], "%s%s", paths[i], entry->data + 19) == -1) + errExit("asprintf"); + i++; + } + } else { + // expand ${HOME} macro if found or pass as is + enames[0] = expand_home(entry->data + 12, homedir); + enames[1] = NULL; + } + + i = 0; + while (enames[i] != NULL) { + if (noblacklist_c >= noblacklist_m) { + noblacklist_m *= 2; + noblacklist = realloc(noblacklist, sizeof(*noblacklist) * noblacklist_m); + if (noblacklist == NULL) + errExit("failed increasing memory for noblacklist entries"); + } + noblacklist[noblacklist_c++] = enames[i]; + i++; + } + + while (enames[i] != NULL) { + free(enames[i]); + } + entry = entry->next; continue; } -- cgit v1.2.3-70-g09d2 From cb5091633c6dc6b6d9f5498da7ded61bc698bf82 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 10 Aug 2016 09:08:52 -0400 Subject: Busybox workaround --- README | 17 +++++++++-------- RELNOTES | 1 + test/dist-compile/compile.sh | 21 +++++++++++++++++++++ 3 files changed, 31 insertions(+), 8 deletions(-) diff --git a/README b/README index 6ea10c901..6e6411619 100644 --- a/README +++ b/README 
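Review bot: `char *enames[sizeof(paths)+1]` in the noblacklist branch is sized from the size of a pointer, not from the number of directories `build_paths()` returned, and the `${PATH}` loop writes one slot per directory with no bound, so a long enough search path writes past the end of the stack array. Size the array from the actual count. The trailing `while (enames[i] != NULL) { free(enames[i]); }` never runs, since `i` already sits on the terminator; if it did run it would not advance and would free strings now owned by `noblacklist`, so it should be removed. fs_blacklist() starts and ends outside this hunk.

```c
			char **paths = build_paths();

			// one slot per search directory plus the terminator
			// (at least two for the ${HOME} case)
			size_t npaths = 0;
			while (paths[npaths] != NULL)
				npaths++;
			char **enames = calloc(npaths + 2, sizeof(*enames));
			if (enames == NULL)
				errExit("calloc");
			int i = 0;
			// … unchanged: ${PATH} / ${HOME} expansion into enames[] …
			// … unchanged: append every enames[i] to noblacklist …

			// the strings now belong to noblacklist; release only the array
			free(enames);
```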
@@ -28,6 +28,15 @@ Reiner Herrmann (https://github.com/reinerh) - moved build to .xz - detached signatures for source archive - recursive mkdir +Aleksey Manevich (https://github.com/manevich) + - several profile fixes + - fix problem with relative path in storage_find function + - fix build for systems without bash + - fix double quotes/single quotes problem + - big rework of argument processing subsystem + - --join fixes + - spliting up cmdline.c + - Busybox support Franco (nextime) Lanza (https://github.com/nextime) - added --private-template xee5ch (https://github.com/xee5ch) @@ -47,14 +56,6 @@ Thomas Jarosch (https://github.com/thomasjfox) - include mkuid.sh in make dist Niklas Haas (https://github.com/haasn) - blacklisting for keybase.io's client -Aleksey Manevich (https://github.com/manevich) - - several profile fixes - - fix problem with relative path in storage_find function - - fix build for systems without bash - - fix double quotes/single quotes problem - - big rework of argument processing subsystem - - --join fixes - - spliting up cmdline.c Fred-Barclay (https://github.com/Fred-Barclay) - added Vivaldi, Atril profiles - added PaleMoon profile diff --git a/RELNOTES b/RELNOTES index 0eb9db370..77270987e 100644 --- a/RELNOTES +++ b/RELNOTES @@ -5,6 +5,7 @@ firejail (0.9.42~rc2) baseline; urgency=low * --private-template (very simillar to the former --private-home) * AppImage support (--appimage) * AppArmor support (--apparmor) + * compile time support for Busybox * Sandbox auditing support (--audit) * remove environment variable (--rmenv) * noexec support (--noexec) diff --git a/test/dist-compile/compile.sh b/test/dist-compile/compile.sh index b33f0660a..f762b457d 100755 --- a/test/dist-compile/compile.sh +++ b/test/dist-compile/compile.sh 
@@ -12,6 +12,7 @@ arr[9]="TEST 9: compile file transfer disabled" arr[10]="TEST 10: compile disable whitelist" arr[11]="TEST 11: compile disable global config" arr[12]="TEST 12: compile apparmor" +arr[12]="TEST 13: compile busybox" # remove previous reports and output file cleanup() { @@ -281,6 +282,25 @@ cp output-configure oc12 cp output-make om12 rm output-configure output-make +#***************************************************************** +# TEST 13 +#***************************************************************** +# - enable busybox workaround +# - check compilation +#***************************************************************** +print_title "${arr[11]}" +# seccomp +cd firejail +make distclean +./configure --prefix=/usr --enable-busybox-workaround --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +cd .. +grep Warning output-configure output-make > ./report-test13 +grep Error output-configure output-make >> ./report-test13 +cp output-configure oc13 +cp output-make om13 +rm output-configure output-make + #***************************************************************** # PRINT REPORTS @@ -308,3 +328,4 @@ echo ${arr[9]} echo ${arr[10]} echo ${arr[11]} echo ${arr[12]} +echo ${arr[13]} -- cgit v1.2.3-70-g09d2 From 22a1bd30e405e3fdd1cf007d39dbc4939c5175b9 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 10 Aug 2016 09:28:08 -0400 Subject: chroot fix --- src/firejail/fs.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 5bcfa6066..86126672e 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c 
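Review bot: The new label is stored in `arr[12]`, which overwrites the apparmor title set on the line above and leaves `arr[13]` empty, so the legend's `echo ${arr[13]}` in the last hunk prints a blank line; it should be `arr[13]="TEST 13: compile busybox"`. In the second hunk the TEST 13 block calls `print_title "${arr[11]}"`, which prints the global-config title, and should use `"${arr[13]}"`. The `# seccomp` comment copied into the TEST 13 block does not describe the busybox build and could be dropped.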
@@ -1064,6 +1064,16 @@ int fs_check_chroot_dir(const char *rootdir) { struct stat s; char *name; + // rootdir has to be owned by root + if (stat(rootdir, &s) != 0) { + fprintf(stderr, "Error: cannot find chroot directory\n"); + return 1; + } + if (s.st_uid != 0) { + fprintf(stderr, "Error: chroot directory should be owned by root\n"); + return 1; + } + // check /dev if (asprintf(&name, "%s/dev", rootdir) == -1) errExit("asprintf"); -- cgit v1.2.3-70-g09d2 From 8da2daba9de828a965a085e15c7346f53bea2121 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 10 Aug 2016 09:30:45 -0400 Subject: removed github-compile make target --- Makefile.in | 3 - test/compile/compile.sh | 243 ------------------------------------------------ 2 files changed, 246 deletions(-) delete mode 100755 test/compile/compile.sh diff --git a/Makefile.in b/Makefile.in index 6c98742b7..1142059a5 100644 --- a/Makefile.in +++ b/Makefile.in @@ -160,9 +160,6 @@ snap: all install-snap: snap sudo snap remove faudit; sudo snap install faudit*.snap -github-compile: - cd test/compile; ./compile.sh - dist-compile: dist cd test/dist-compile; ./compile.sh $(NAME)-$(VERSION) diff --git a/test/compile/compile.sh b/test/compile/compile.sh deleted file mode 100755 index 1207ef518..000000000 --- a/test/compile/compile.sh +++ /dev/null 
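Review bot: The new check accepts any root-owned path: it does not confirm that `rootdir` is a directory, and ownership alone does not rule out a directory that group or other can write to. `if (!S_ISDIR(s.st_mode) || s.st_uid != 0) {` would close the first gap, and rejecting `(s.st_mode & (S_IWGRP | S_IWOTH))` is worth considering unless a supported setup depends on it. Because `stat()` works on the path name, the result can go stale before the directory is used; the rest of `fs_check_chroot_dir` lies outside the hunk, so how much that matters cannot be judged from here. A one-line comment recording why root ownership is required would also help the next reader.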
@@ -1,243 +0,0 @@ -#!/bin/bash - -arr[1]="TEST 1: standard compilation" -arr[2]="TEST 2: compile seccomp disabled" -arr[3]="TEST 3: compile chroot disabled" -arr[4]="TEST 4: compile bind disabled" -arr[5]="TEST 5: compile user namespace disabled" -arr[6]="TEST 6: compile network disabled" -arr[7]="TEST 7: compile X11 disabled" -arr[8]="TEST 8: compile network restricted" -arr[9]="TEST 9: compile file transfer disabled" - - -# remove previous reports and output file -cleanup() { - rm -f report* - rm -fr firejail - rm -f oc* om* -} - -print_title() { - echo - echo - echo - echo "**************************************************" - echo $1 - echo "**************************************************" -} - -while [ $# -gt 0 ]; do # Until you run out of parameters . . . - case "$1" in - --clean) - cleanup - exit - ;; - --help) - echo "./compile.sh [--clean|--help]" - exit - ;; - esac - shift # Check next set of parameters. -done - -cleanup - -#***************************************************************** -# TEST 1 -#***************************************************************** -# - checkout source code -# - check compilation -# - install -#***************************************************************** -print_title "${arr[1]}" -git clone https://github.com/netblue30/firejail.git -cd firejail -./configure --prefix=/usr --enable-fatal-warnings 2>&1 | tee ../output-configure -make -j4 2>&1 | tee ../output-make -cd .. 
-grep Warning output-configure output-make > ./report-test1 -grep Error output-configure output-make >> ./report-test1 -cp output-configure oc1 -cp output-make om1 -rm output-configure output-make - - -#***************************************************************** -# TEST 2 -#***************************************************************** -# - disable seccomp configuration -# - check compilation -#***************************************************************** -print_title "${arr[2]}" -# seccomp -cd firejail -make distclean -./configure --prefix=/usr --disable-seccomp --enable-fatal-warnings 2>&1 | tee ../output-configure -make -j4 2>&1 | tee ../output-make -cd .. -grep Warning output-configure output-make > ./report-test2 -grep Error output-configure output-make >> ./report-test2 -cp output-configure oc2 -cp output-make om2 -rm output-configure output-make - -#***************************************************************** -# TEST 3 -#***************************************************************** -# - disable chroot configuration -# - check compilation -#***************************************************************** -print_title "${arr[3]}" -# seccomp -cd firejail -make distclean -./configure --prefix=/usr --disable-chroot --enable-fatal-warnings 2>&1 | tee ../output-configure -make -j4 2>&1 | tee ../output-make -cd .. 
-grep Warning output-configure output-make > ./report-test3 -grep Error output-configure output-make >> ./report-test3 -cp output-configure oc3 -cp output-make om3 -rm output-configure output-make - -#***************************************************************** -# TEST 4 -#***************************************************************** -# - disable bind configuration -# - check compilation -#***************************************************************** -print_title "${arr[4]}" -# seccomp -cd firejail -make distclean -./configure --prefix=/usr --disable-bind --enable-fatal-warnings 2>&1 | tee ../output-configure -make -j4 2>&1 | tee ../output-make -cd .. -grep Warning output-configure output-make > ./report-test4 -grep Error output-configure output-make >> ./report-test4 -cp output-configure oc4 -cp output-make om4 -rm output-configure output-make - -#***************************************************************** -# TEST 5 -#***************************************************************** -# - disable user namespace configuration -# - check compilation -#***************************************************************** -print_title "${arr[5]}" -# seccomp -cd firejail -make distclean -./configure --prefix=/usr --disable-userns --enable-fatal-warnings 2>&1 | tee ../output-configure -make -j4 2>&1 | tee ../output-make -cd .. 
-grep Warning output-configure output-make > ./report-test5 -grep Error output-configure output-make >> ./report-test5 -cp output-configure oc5 -cp output-make om5 -rm output-configure output-make - -#***************************************************************** -# TEST 6 -#***************************************************************** -# - disable user namespace configuration -# - check compilation -#***************************************************************** -print_title "${arr[6]}" -# seccomp -cd firejail -make distclean -./configure --prefix=/usr --disable-network --enable-fatal-warnings 2>&1 | tee ../output-configure -make -j4 2>&1 | tee ../output-make -cd .. -grep Warning output-configure output-make > ./report-test6 -grep Error output-configure output-make >> ./report-test6 -cp output-configure oc6 -cp output-make om6 -rm output-configure output-make - -#***************************************************************** -# TEST 7 -#***************************************************************** -# - disable X11 support -# - check compilation -#***************************************************************** -print_title "${arr[7]}" -# seccomp -cd firejail -make distclean -./configure --prefix=/usr --disable-x11 --enable-fatal-warnings 2>&1 | tee ../output-configure -make -j4 2>&1 | tee ../output-make -cd .. 
-grep Warning output-configure output-make > ./report-test7 -grep Error output-configure output-make >> ./report-test7 -cp output-configure oc7 -cp output-make om7 -rm output-configure output-make - - -#***************************************************************** -# TEST 8 -#***************************************************************** -# - enable network restricted -# - check compilation -#***************************************************************** -print_title "${arr[8]}" -# seccomp -cd firejail -make distclean -./configure --prefix=/usr --enable-network=restricted --enable-fatal-warnings 2>&1 | tee ../output-configure -make -j4 2>&1 | tee ../output-make -cd .. -grep Warning output-configure output-make > ./report-test8 -grep Error output-configure output-make >> ./report-test8 -cp output-configure oc8 -cp output-make om8 -rm output-configure output-make - - -#***************************************************************** -# TEST 9 -#***************************************************************** -# - disable file transfer -# - check compilation -#***************************************************************** -print_title "${arr[9]}" -# seccomp -cd firejail -make distclean -./configure --prefix=/usr --enable-network=restricted --enable-fatal-warnings 2>&1 | tee ../output-configure -make -j4 2>&1 | tee ../output-make -cd .. 
-grep Warning output-configure output-make > ./report-test9 -grep Error output-configure output-make >> ./report-test9 -cp output-configure oc9 -cp output-make om9 -rm output-configure output-make - - -#***************************************************************** -# PRINT REPORTS -#***************************************************************** -echo -echo -echo -echo -echo "**********************************************************" -echo "TEST RESULTS" -echo "**********************************************************" - -wc -l report-test* -echo -echo "Legend:" -echo ${arr[1]} -echo ${arr[2]} -echo ${arr[3]} -echo ${arr[4]} -echo ${arr[5]} -echo ${arr[6]} -echo ${arr[7]} -echo ${arr[8]} -echo ${arr[9]} -- cgit v1.2.3-70-g09d2 From b6febe802a93ffe5a90fae25da3a4467dbbcb47b Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Thu, 11 Aug 2016 05:19:27 +1000 Subject: Fixed & tightened gnome-chess --- etc/gnome-chess.profile | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/etc/gnome-chess.profile b/etc/gnome-chess.profile index e93970f7d..297f7e6a9 100644 --- a/etc/gnome-chess.profile +++ b/etc/gnome-chess.profile @@ -7,14 +7,16 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -net none nogroups nonewprivs noroot nosound +protocol unix seccomp shell none tracelog -private-bin gnome-chess +private-bin fairymax,gnome-chess,hoichess private-dev +private-etc fonts,gnome-chess +private-tmp -- cgit v1.2.3-70-g09d2 From 28ae6fa41bd585b127e23f6a336673484711a919 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 11 Aug 2016 07:43:17 -0400 Subject: removed strings profile --- README | 9 +++------ README.md | 2 +- etc/strings.profile | 10 ---------- platform/debian/conffiles | 1 - test/sysutils/sysutils.sh | 16 ++++++++-------- todo | 13 +++++++++++++ 6 files changed, 25 insertions(+), 26 deletions(-) delete mode 100644 etc/strings.profile 
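Review bot: Replacing `net none` with `protocol unix` means the sandbox no longer gets its own network namespace, so abstract-namespace Unix sockets on the host stay reachable from inside it; `protocol unix` only limits which socket families can be created. The commit message does not say why `net none` had to go, so a comment above the new line would help, for example `# protocol unix instead of net none: <reason>`. If the engines added to `private-bin` only need local IPC, keeping `net none` alongside `protocol unix` would be worth testing.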
diff --git a/README b/README index 6e6411619..4145d5165 100644 --- a/README +++ b/README @@ -158,6 +158,7 @@ yumkam (https://github.com/yumkam) - man page fixes mahdi1234 (https://github.com/mahdi1234) - cherrytree profile + - Seamonkey profiles jrabe (https://github.com/jrabe) - disallow access to kdbx files - Epiphany profile @@ -176,6 +177,7 @@ pszxzsd (https://github.com/pszxzsd) Rahiel Kasim (https://github.com/rahiel) - Mathematica profile - whitelisted Dropbox profile + - whitelisted keysnail config for firefox creideiki (https://github.com/creideiki) - make the sandbox process reap all children sinkuu (https://github.com/sinkuu) @@ -187,8 +189,7 @@ Holger Heinz (https://github.com/hheinz) - manpage work Andrey Alekseenko (https://github.com/al42and) - fixing lintian warnings -mahdi1234 (https://github.com/mahdi1234) - - Seamonkey profiles + - fixed Skype profile Ivan Kozik (https://github.com/ivan) - speed up sandbox exit Christian Stadelmann (https://github.com/genodeftest) @@ -199,8 +200,6 @@ Kaan Genç (https://github.com/SeriousBug) - dynamic allocation of noblacklist buffer Veeti Paananen (https://github.com/veeti) - fixed Spotify profile -Rahiel Kasim (https://github.com/rahiel) - - whitelist keysnail config for firefox rogshdo (https://github.com/rogshdo) - BitlBee profile Bruno Nova (https://github.com/brunonova) @@ -208,8 +207,6 @@ Bruno Nova (https://github.com/brunonova) - bash arguments fix Matt Parnell (https://github.com/ilikenwf) - whitelisting for core firefox related functionality -Andrey Alekseenko (https://github.com/al42and) - - fixed Skype profile Ondra Nekola (https://github.com/satai) - allow firefox theming with non-global themes emacsomancer (https://github.com/emacsomancer) diff --git a/README.md b/README.md index 67dd017a7..3047bf908 100644 --- a/README.md +++ b/README.md 
@@ -196,6 +196,6 @@ Browsers: Palemoon ## New security profiles -Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview +Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview tar (gtar), unzip, unrar, file, skypeforlinux, gnome-chess diff --git a/etc/strings.profile b/etc/strings.profile deleted file mode 100644 index 6ebe81d09..000000000 --- a/etc/strings.profile +++ /dev/null @@ -1,10 +0,0 @@ -# strings profile -quiet -ignore noroot -include /etc/firejail/default.profile -tracelog -net none -shell none -private-dev -private-tmp -nosound diff --git a/platform/debian/conffiles b/platform/debian/conffiles index d2ee3a83e..633123e92 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -111,7 +111,6 @@ /etc/firejail/ssh.profile /etc/firejail/steam.profile /etc/firejail/stellarium.profile -/etc/firejail/strings.profile /etc/firejail/tar.profile /etc/firejail/telegram.profile /etc/firejail/thunderbird.profile diff --git a/test/sysutils/sysutils.sh b/test/sysutils/sysutils.sh index 315b73c9d..99939133d 100755 --- a/test/sysutils/sysutils.sh +++ b/test/sysutils/sysutils.sh @@ -15,14 +15,14 @@ else echo "TESTING SKIP: cpio not found" fi -which strings -if [ "$?" -eq 0 ]; -then - echo "TESTING: strings" - ./strings.exp -else - echo "TESTING SKIP: strings not found" -fi +#which strings +#if [ "$?" -eq 0 ]; +#then +# echo "TESTING: strings" +# ./strings.exp +#else +# echo "TESTING SKIP: strings not found" +#fi which gzip if [ "$?" -eq 0 ]; diff --git a/todo b/todo index 323374525..8fe3904da 100644 --- a/todo +++ b/todo 
@@ -266,3 +266,16 @@ $ sudo aa-notify -p -f /var/log/audit/audit.log 24. check monitor proc behaviour for sandboxes with --blacklist=/proc also check --apparmor in this case +25. bring back strings.profile + +# strings profile +quiet +ignore noroot +include /etc/firejail/default.profile +tracelog +net none +shell none +private-dev +private-tmp +nosound + -- cgit v1.2.3-70-g09d2 From 61d16b4abf6d0abdafb7217ec0327a546705ad1c Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 11 Aug 2016 07:43:36 -0400 Subject: removed strings profile --- RELNOTES | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELNOTES b/RELNOTES index 77270987e..6449a13f2 100644 --- a/RELNOTES +++ b/RELNOTES @@ -20,7 +20,7 @@ firejail (0.9.42~rc2) baseline; urgency=low * compile time support to disable global configuration file * added netfilter-default config option in /etc/firejail/firejail.config * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice - * new profiles: pix, audacity, strings, xz, xzdec, gzip, cpio, less + * new profiles: pix, audacity, xz, xzdec, gzip, cpio, less * new profiles: Atom Beta, Atom, jitsi, eom, uudeview * new profiles: tar (gtar), unzip, unrar, file, skypeforlinux -- netblue30 Thu, 21 Jul 2016 08:00:00 -0500 -- cgit v1.2.3-70-g09d2 From e8de54d45ea884aa5e6f67e3d75ddb1372741c7f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 11 Aug 2016 13:00:30 -0400 Subject: added quiet-by-default config option in /etc/firejail/firejail.config --- RELNOTES | 1 + etc/firejail.config | 6 +++++- src/firejail/checkcfg.c | 7 ++++++- src/firejail/env.c | 2 +- 4 files changed, 13 insertions(+), 3 deletions(-) diff --git a/RELNOTES b/RELNOTES index 6449a13f2..79f634dcd 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -18,6 +18,7 @@ firejail (0.9.42~rc2) baseline; urgency=low * seccomp filter updated * compile time and run time support to disable whitelists * compile time support to disable global configuration file + * added quiet-by-default config option in /etc/firejail/firejail.config * added netfilter-default config option in /etc/firejail/firejail.config * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice * new profiles: pix, audacity, xz, xzdec, gzip, cpio, less diff --git a/etc/firejail.config b/etc/firejail.config index 20c4d7a5f..82fe65ac7 100644 --- a/etc/firejail.config +++ b/etc/firejail.config @@ -15,12 +15,16 @@ # Force use of nonewprivs. This mitigates the possibility of # a user abusing firejail's features to trick a privileged (suid # or file capabilities) process into loading code or configuration -# that is partially under their control. Default disabled +# that is partially under their control. Default disabled. # force-nonewprivs no # Enable or disable networking features, default enabled. # network yes +# Enable --quiet as default every time the sandbox is started. Default disabled. +# quiet-by-default no + + # Enable or disable restricted network support, default disabled. If enabled, # networking features should also be enabled (network yes). # Restricted networking grants access to --interface, --net=ethXXX and diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 12921e294..3b60dafb6 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -220,7 +220,12 @@ int checkcfg(int val) { if (!xephyr_extra_params) errExit("strdup"); } - + + // quiet by default + else if (strncmp(ptr, "quiet-by-default ", 17) == 0) { + if (strcmp(ptr + 17, "yes") == 0) + arg_quiet = 1; + } else goto errout; diff --git a/src/firejail/env.c b/src/firejail/env.c index a5b3ccfb3..79d6b81e3 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c 
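Review bot: The `quiet-by-default` branch in checkcfg.c treats every value other than `yes` as `no`, so a typo such as `quiet-by-default Yes` is accepted silently instead of reaching the `goto errout` path that the final `else` uses for unknown lines. Adding `else if (strcmp(ptr + 17, "no") != 0) goto errout;` after the `arg_quiet = 1;` statement would reject it. `checkcfg` continues outside the hunk, so whether the other options validate their values the same way is not visible here.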
@@ -133,7 +133,7 @@ void env_defaults(void) { errExit("setenv"); // set the window title - printf("\033]0;firejail %s\007\n", cfg.window_title); + printf("\033]0;firejail %s\007", cfg.window_title);fflush(0); } // parse and store the environment setting -- cgit v1.2.3-70-g09d2 From ff025c119c6e77074e7d101d4c644820418ac19f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 11 Aug 2016 13:18:54 -0400 Subject: don't allow --x11 and --audit together --- src/firejail/x11.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 090ff6f3b..15d600991 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c @@ -216,6 +216,10 @@ void x11_start_xephyr(int argc, char **argv) { continue; if (strcmp(argv[i], "--x11=xephyr") == 0) continue; + if (strcmp(argv[i], "--audit") == 0 || strncmp(argv[i], "--audit=", 8) == 0) { + fprintf(stderr, "Error: auditing x11 sandboxes is not supported\n"); + exit(1); + } ptr += sprintf(ptr, "%s ", argv[i]); } if (arg_debug) @@ -335,6 +339,10 @@ void x11_start_xpra(int argc, char **argv) { continue; if (strcmp(argv[i], "--x11=xephyr") == 0) continue; + if (strcmp(argv[i], "--audit") == 0 || strncmp(argv[i], "--audit=", 8) == 0) { + fprintf(stderr, "Error: auditing x11 sandboxes is not supported\n"); + exit(1); + } ptr += sprintf(ptr, "%s ", argv[i]); } sprintf(ptr, "\""); -- cgit v1.2.3-70-g09d2 From 6243b04031e0d6acad08ad808ebc0a233d1852c3 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Fri, 12 Aug 2016 06:10:36 +0300 Subject: --x11=xephyr rewrite --- src/firejail/x11.c | 147 +++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 103 insertions(+), 44 deletions(-) diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 090ff6f3b..9e818ab67 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c 
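Review bot: `fflush(0)` flushes every open output stream, although only the title sequence just written to stdout needs to go out, and it shares a line with the `printf`; `fflush(stdout);` on its own line says what is meant. `cfg.window_title` is copied verbatim into the escape sequence, and where it is filled is outside this hunk. If it can carry control characters from the command line they would reach the terminal, so filtering non-printable bytes where the title is built is worth checking.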
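Review bot: The `--audit` test in `x11_start_xephyr` runs for every element of `argv` inside the copy loop, so if the loop covers the whole command line, as the context suggests, it also rejects a sandboxed program whose own arguments contain `--audit`. Doing the check where firejail's options are parsed, or stopping at the first non-option argument, would avoid that. The same block is repeated in `x11_start_xpra` in the next hunk; a small shared helper would keep the two in step. Both loops start outside their hunks.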
@@ -158,16 +158,15 @@ void fs_x11(void) { #ifdef HAVE_X11 -//$ Xephyr -ac -br -terminate -screen 800x600 :22 & +//$ Xephyr -ac -br -noreset -screen 800x600 :22 & //$ DISPLAY=:22 firejail --net=eth0 --blacklist=/tmp/.X11-unix/x0 firefox void x11_start_xephyr(int argc, char **argv) { EUID_ASSERT(); - int i; + size_t i; struct stat s; pid_t client = 0; pid_t server = 0; - setenv("FIREJAIL_X11", "yes", 1); // unfortunately, xephyr does a number of weird things when started by root user!!! 
@@ -186,29 +185,78 @@ void x11_start_xephyr(int argc, char **argv) { } int display = random_display_number(); + char *display_str; + if (asprintf(&display_str, ":%d", display) == -1) + errExit("asprintf"); - // start xephyr - char *cmd1; + assert(xephyr_screen); + char *server_argv[256] = { "Xephyr", "-ac", "-br", "-noreset", "-screen", xephyr_screen }; // rest initialyzed to NULL + unsigned pos = 0; + while (server_argv[pos] != NULL) pos++; if (checkcfg(CFG_XEPHYR_WINDOW_TITLE)) { - if (asprintf(&cmd1, "Xephyr -ac -br -title \"firejail x11 sandbox\" -terminate -screen %s %s :%d", xephyr_screen, xephyr_extra_params, display) == -1) - errExit("asprintf"); - } - else { - if (asprintf(&cmd1, "Xephyr -ac -br -terminate -screen %s %s :%d", xephyr_screen, xephyr_extra_params, display) == -1) - errExit("asprintf"); + server_argv[pos++] = "-title"; + server_argv[pos++] = "firejail x11 sandbox"; } - int len = 50; // DISPLAY... - for (i = 0; i < argc; i++) { - len += strlen(argv[i]) + 1; // + ' ' + assert(xephyr_extra_params); // should be "" if empty + + // parse xephyr_extra_params + // very basic quoting support + char *temp = strdup(xephyr_extra_params); + if (xephyr_extra_params != "") { + if (!temp) + errExit("strdup"); + bool dquote = false; + bool squote = false; + for (i = 0; i < strlen(xephyr_extra_params); i++) { + if (temp[i] == '\"') { + dquote = !dquote; + if (dquote) temp[i] = '\0'; // replace closing quote by \0 + } + if (temp[i] == '\'') { + squote = !squote; + if (squote) temp[i] = '\0'; // replace closing quote by \0 + } + if (!dquote && !squote && temp[i] == ' ') temp[i] = '\0'; + if (dquote && squote) { + fprintf(stderr, "Error: mixed quoting found while parsing xephyr_extra_params\n"); + exit(1); + } + } + if (dquote) { + fprintf(stderr, "Error: unclosed quote found while parsing xephyr_extra_params\n"); + exit(1); + } + + for (i = 0; i < strlen(xephyr_extra_params)-1; i++) { + if (pos >= (sizeof(server_argv)/sizeof(*server_argv))) { + fprintf(stderr, 
"Error: arg count limit exceeded while parsing xephyr_extra_params\n"); + exit(1); + } + if (temp[i] == '\0' && (temp[i+1] == '\"' || temp[i+1] == '\'')) server_argv[pos++] = temp + i + 2; + else if (temp[i] == '\0' && temp[i+1] != '\0') server_argv[pos++] = temp + i + 1; + } } - char *cmd2 = malloc(len + 1); // + '\0' - if (!cmd2) - errExit("malloc"); + server_argv[pos++] = display_str; + server_argv[pos++] = NULL; + + assert(pos < (sizeof(server_argv)/sizeof(*server_argv))); // no overrun + assert(server_argv[pos-1] == NULL); // last element is null - sprintf(cmd2, "DISPLAY=:%d ", display); - char *ptr = cmd2 + strlen(cmd2); + if (arg_debug) { + size_t i = 0; + printf("xephyr server:"); + while (server_argv[i]!=NULL) { + printf(" \"%s\"", server_argv[i]); + i++; + } + putchar('\n'); + } + + // remove --x11 arg + char *client_argv[argc+2]; + size_t j = 0; for (i = 0; i < argc; i++) { if (strcmp(argv[i], "--x11") == 0) continue; @@ -216,14 +264,23 @@ void x11_start_xephyr(int argc, char **argv) { continue; if (strcmp(argv[i], "--x11=xephyr") == 0) continue; - ptr += sprintf(ptr, "%s ", argv[i]); + client_argv[j] = argv[i]; + j++; + } + client_argv[j] = NULL; + + assert(j < argc+2); // no overrun + + if (arg_debug) { + size_t i = 0; + printf("xephyr client:"); + while (client_argv[i]!=NULL) { + printf(" \"%s\"", client_argv[i]); + i++; + } + putchar('\n'); } - if (arg_debug) - printf("xephyr server: %s\n", cmd1); - if (arg_debug) - printf("xephyr client: %s\n", cmd2); - signal(SIGHUP,SIG_IGN); // fix sleep(1) below server = fork(); if (server < 0) errExit("fork"); 
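Review bot: `if (xephyr_extra_params != "")` compares two pointers rather than the string contents, so the block also runs for the empty string that the assert comment documents as the default; `strlen(xephyr_extra_params)-1` then wraps to `SIZE_MAX` and the second loop reads far past the one-byte `temp`. Testing `if (*xephyr_extra_params != '\0') {` fixes both. The bound check inside the loop still lets `pos` reach the array size, after which `server_argv[pos++] = display_str` and the NULL store write out of bounds before the asserts run; `if (pos + 3 >= sizeof(server_argv)/sizeof(*server_argv)) {` leaves room for them and keeps the later asserts satisfied. As written, the second loop only records a token that follows a `\0`, so an unquoted first parameter appears to be dropped, and the `strdup` result is checked only inside the `if`.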
@@ -231,17 +288,14 @@ void x11_start_xephyr(int argc, char **argv) { if (arg_debug) printf("Starting xephyr...\n"); - char *a[4]; - a[0] = "/bin/bash"; - a[1] = "-c"; - a[2] = cmd1; - a[3] = NULL; - - execvp(a[0], a); + execvp(server_argv[0], server_argv); perror("execvp"); exit(1); } + if (arg_debug) + printf("xephyr server pid %d\n", server); + // check X11 socket char *fname; if (asprintf(&fname, "/tmp/.X11-unix/X%d", display) == -1) @@ -259,7 +313,6 @@ void x11_start_xephyr(int argc, char **argv) { exit(1); } free(fname); - sleep(1); if (arg_debug) { printf("X11 sockets: "); fflush(0); @@ -267,26 +320,32 @@ void x11_start_xephyr(int argc, char **argv) { (void) rv; } + setenv("DISPLAY", display_str, 1); // run attach command client = fork(); if (client < 0) errExit("fork"); if (client == 0) { printf("\n*** Attaching to Xephyr display %d ***\n\n", display); - char *a[4]; - a[0] = "/bin/bash"; - a[1] = "-c"; - a[2] = cmd2; - a[3] = NULL; - - execvp(a[0], a); + + execvp(client_argv[0], client_argv); perror("execvp"); exit(1); } - sleep(1); - - if (!arg_quiet) - printf("Xephyr server pid %d, client pid %d\n", server, client); + + // cleanup + free(display_str); + free(temp); + + // wait for either server or client termination + pid_t pid = wait(); + + // see which process terminated and kill other + if (pid == server) { + kill(client, SIGTERM); + } else if (pid == client) { + kill(server, SIGTERM); + } exit(0); } -- cgit v1.2.3-70-g09d2 From 702f7b804f940a271b9eca03f70366eae3fe0f60 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Fri, 12 Aug 2016 08:43:06 +0300 Subject: --x11=xpra rewrite --- src/firejail/x11.c | 118 ++++++++++++++++++++++++++++++----------------------- 1 file changed, 66 insertions(+), 52 deletions(-) diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 9e818ab67..58908e9df 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c 
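Review bot: `pid_t pid = wait();` calls `wait` without the status pointer it requires, which does not compile against the `<sys/wait.h>` prototype and is undefined otherwise; it should be `pid_t pid = wait(NULL);`, and the xpra rewrite later on this page repeats the call. When `wait` fails and returns -1 neither branch runs, so both children are left running when `exit(0)` is reached; handling that case, and reaping the signalled process with `waitpid`, would make the shutdown deterministic. `setenv("DISPLAY", display_str, 1)` is also unchecked, unlike the `asprintf` and `fork` calls in this function that go through `errExit`.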
@@ -352,7 +352,7 @@ void x11_start_xephyr(int argc, char **argv) { void x11_start_xpra(int argc, char **argv) { EUID_ASSERT(); - int i; + size_t i; struct stat s; pid_t client = 0; pid_t server = 0; @@ -374,40 +374,14 @@ void x11_start_xpra(int argc, char **argv) { } int display = random_display_number(); + char *display_str; + if (asprintf(&display_str, ":%d", display) == -1) + errExit("asprintf"); // build the start command - int len = 50; // xpra start... - for (i = 0; i < argc; i++) { - len += strlen(argv[i]) + 1; // + ' ' - } - - char *cmd1 = malloc(len + 1); // + '\0' - if (!cmd1) - errExit("malloc"); - - sprintf(cmd1, "xpra start :%d --exit-with-children --start-child=\"", display); - char *ptr = cmd1 + strlen(cmd1); - for (i = 0; i < argc; i++) { - if (strcmp(argv[i], "--x11") == 0) - continue; - if (strcmp(argv[i], "--x11=xpra") == 0) - continue; - if (strcmp(argv[i], "--x11=xephyr") == 0) - continue; - ptr += sprintf(ptr, "%s ", argv[i]); - } - sprintf(ptr, "\""); - if (arg_debug) - printf("xpra server: %s\n", cmd1); - - // build the attach command - char *cmd2; - if (asprintf(&cmd2, "xpra --title=\"firejail x11 sandbox\" attach :%d", display) == -1) - errExit("asprintf"); - if (arg_debug) - printf("xpra client: %s\n", cmd2); + char *server_argv[] = { "xpra", "start", display_str, "--no-daemon", NULL }; - signal(SIGHUP,SIG_IGN); // fix sleep(1) below + // start server = fork(); if (server < 0) errExit("fork"); @@ -415,13 +389,7 @@ void x11_start_xpra(int argc, char **argv) { if (arg_debug) printf("Starting xpra...\n"); - char *a[4]; - a[0] = "/bin/bash"; - a[1] = "-c"; - a[2] = cmd1; - a[3] = NULL; - - execvp(a[0], a); + execvp(server_argv[0], server_argv); perror("execvp"); exit(1); } @@ -437,13 +405,13 @@ void x11_start_xpra(int argc, char **argv) { if (stat(fname, &s) == 0) break; }; +// sleep(1); if (n == 10) { fprintf(stderr, "Error: failed to start xpra\n"); exit(1); } free(fname); - sleep(1); if (arg_debug) { printf("X11 sockets: "); fflush(0); 
@@ -451,28 +419,74 @@ void x11_start_xpra(int argc, char **argv) { (void) rv; } + // build attach command + char *attach_argv[] = { "xpra", "--title=\"firejail x11 sandbox\"", "attach", display_str }; + // run attach command client = fork(); if (client < 0) errExit("fork"); if (client == 0) { printf("\n*** Attaching to xpra display %d ***\n\n", display); - char *a[4]; - a[0] = "/bin/bash"; - a[1] = "-c"; - a[2] = cmd2; - a[3] = NULL; - - execvp(a[0], a); + execvp(attach_argv[0], attach_argv); perror("execvp"); exit(1); } - sleep(1); - - if (!arg_quiet) - printf("Xpra server pid %d, client pid %d\n", server, client); - exit(0); + setenv("DISPLAY", display_str, 1); + + // build jail command + char *firejail_argv[argc+2]; + unsigned pos = 0; + for (i = 0; i < argc; i++) { + if (strcmp(argv[i], "--x11") == 0) + continue; + if (strcmp(argv[i], "--x11=xpra") == 0) + continue; + if (strcmp(argv[i], "--x11=xephyr") == 0) + continue; + firejail_argv[pos] = argv[i]; + pos++; + } + firejail_argv[pos] = NULL; + + assert(pos < argc+2); + assert(!firejail_argv[pos]); + + // start jail + pid_t jail = fork(); + if (jail < 0) + errExit("fork"); + if (jail == 0) { + execvp(firejail_argv[0], firejail_argv); + perror("execvp"); + exit(1); + } + + if (!arg_quiet) + printf("Xpra server pid %d, xpra client pid %d, jail %d\n", server, client, jail); + + // wait for jail or server to end + while (1) { + pid_t pid = wait(); + + if (pid == jail) { + sleep(3); // FIXME: find better way to wait for xpra + char *stop_argv[] = { "xpra", "stop", display_str, NULL }; + pid_t stop = fork(); + if (stop < 0) + errExit("fork"); + if (stop == 0) { + execvp(stop_argv[0], stop_argv); + perror("execvp"); + exit(1); + } + sleep(3); + kill(client, SIGTERM); + kill(server, SIGTERM); + exit(0); + } + } } void x11_start(int argc, char **argv) { -- cgit v1.2.3-70-g09d2 From 457d47224c20e8a65d6f20bf64d2eff365017bbe Mon Sep 17 00:00:00 2001 
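Review bot: `attach_argv` has no terminating NULL, so `execvp(attach_argv[0], attach_argv)` reads past the end of the array; with no shell in between, the escaped quotes also become part of the window title. `char *attach_argv[] = { "xpra", "--title=firejail x11 sandbox", "attach", display_str, NULL };` addresses both. The `while (1)` loop acts only when the jail exits, so if the server dies first, or `wait` returns -1, it keeps looping. Branches for `pid == server` and `pid < 0` that clean up and exit would match the comment above the loop.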
From: netblue30 Date: Fri, 12 Aug 2016 10:21:54 -0400 Subject: reverted audit/x11 --- src/firejail/x11.c | 8 -------- 1 file changed, 8 deletions(-) diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 15d600991..090ff6f3b 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c @@ -216,10 +216,6 @@ void x11_start_xephyr(int argc, char **argv) { continue; if (strcmp(argv[i], "--x11=xephyr") == 0) continue; - if (strcmp(argv[i], "--audit") == 0 || strncmp(argv[i], "--audit=", 8) == 0) { - fprintf(stderr, "Error: auditing x11 sandboxes is not supported\n"); - exit(1); - } ptr += sprintf(ptr, "%s ", argv[i]); } if (arg_debug) @@ -339,10 +335,6 @@ void x11_start_xpra(int argc, char **argv) { continue; if (strcmp(argv[i], "--x11=xephyr") == 0) continue; - if (strcmp(argv[i], "--audit") == 0 || strncmp(argv[i], "--audit=", 8) == 0) { - fprintf(stderr, "Error: auditing x11 sandboxes is not supported\n"); - exit(1); - } ptr += sprintf(ptr, "%s ", argv[i]); } sprintf(ptr, "\""); -- cgit v1.2.3-70-g09d2 From 016f7dc5d178d8fffa6212b55b1898a7305eb382 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 12 Aug 2016 10:27:27 -0400 Subject: x11 support rewrite --- README | 1 + 1 file changed, 1 insertion(+) diff --git a/README b/README index 4145d5165..292d9a522 100644 --- a/README +++ b/README @@ -37,6 +37,7 @@ Aleksey Manevich (https://github.com/manevich) - --join fixes - spliting up cmdline.c - Busybox support + - X11 support rewrite Franco (nextime) Lanza (https://github.com/nextime) - added --private-template xee5ch (https://github.com/xee5ch) -- cgit v1.2.3-70-g09d2 From 32e6cb2b6425b48c9cc2d456f81460ec6b3fc5b3 Mon Sep 17 00:00:00 2001 
From: Adis Hamzić Date: Fri, 12 Aug 2016 18:06:47 +0200 Subject: added more overlay options --- src/firejail/firejail.h | 3 +- src/firejail/fs.c | 54 ++++++++++++++++++++------ src/firejail/main.c | 100 +++++++++++++++++++++++++++++++++++++----------- src/firejail/usage.c | 18 +++++++-- src/man/firejail.txt | 44 +++++++++++++++++++-- 5 files changed, 176 insertions(+), 43 deletions(-) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 16b9d468f..ee70f19f1 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -221,7 +221,8 @@ extern int arg_debug_whitelists; // print debug messages for whitelists extern int arg_nonetwork; // --net=none extern int arg_command; // -c extern int arg_overlay; // overlay option -extern int arg_overlay_keep; // place overlay diff directory in ~/.firejail +extern int arg_overlay_keep; // place overlay diff in a known directory +extern int arg_overlay_reuse; // allow the reuse of overlays extern int arg_zsh; // use zsh as default shell extern int arg_csh; // use csh as default shell diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 86126672e..c152abe0d 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c 
@@ -879,21 +879,37 @@ void fs_overlayfs(void) { if (chmod(oroot, 0755) < 0) errExit("chmod"); + struct stat s; char *basedir = RUN_MNT_DIR; if (arg_overlay_keep) { // set base for working and diff directories basedir = cfg.overlay_dir; - if (mkdir(basedir, 0755) != 0) { - fprintf(stderr, "Error: cannot create overlay directory\n"); - exit(1); + + // does the overlay exist? + if (stat(basedir, &s) == 0) { + if (arg_overlay_reuse == 0) { + fprintf(stderr, "Error: overlay directory exists, but reuse is not allowed\n"); + exit(1); + } + } + else { + if (mkdir(basedir, 0755) != 0) { + fprintf(stderr, "Error: cannot create overlay directory\n"); + exit(1); + } } } char *odiff; if(asprintf(&odiff, "%s/odiff", basedir) == -1) errExit("asprintf"); - if (mkdir(odiff, 0755)) - errExit("mkdir"); + + // no need to check arg_overlay_reuse + if (stat(odiff, &s) != 0) { + if (mkdir(odiff, 0755)) + errExit("mkdir"); + } + if (chown(odiff, 0, 0) < 0) errExit("chown"); if (chmod(odiff, 0755) < 0) @@ -902,8 +918,13 @@ void fs_overlayfs(void) { char *owork; if(asprintf(&owork, "%s/owork", basedir) == -1) errExit("asprintf"); - if (mkdir(owork, 0755)) - errExit("mkdir"); + + // no need to check arg_overlay_reuse + if (stat(owork, &s) != 0) { + if (mkdir(owork, 0755)) + errExit("mkdir"); + } + if (chown(owork, 0, 0) < 0) errExit("chown"); if (chmod(owork, 0755) < 0) @@ -959,8 +980,13 @@ void fs_overlayfs(void) { if(asprintf(&hdiff, "%s/hdiff", basedir) == -1) errExit("asprintf"); - if (mkdir(hdiff, S_IRWXU | S_IRWXG | S_IRWXO)) - errExit("mkdir"); + + // no need to check arg_overlay_reuse + if (stat(hdiff, &s) != 0) { + if (mkdir(hdiff, S_IRWXU | S_IRWXG | S_IRWXO)) + errExit("mkdir"); + } + if (chown(hdiff, 0, 0) < 0) errExit("chown"); if (chmod(hdiff, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0) 
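Review bot: The new `stat(odiff, &s) != 0` test in fs_overlayfs (and the same test for `owork`, `hdiff` and `hwork` in the following hunks) accepts whatever already exists at that path, and the unchanged `chown(..., 0, 0)` and `chmod` calls then operate on it. `stat` follows symbolic links and the result is never checked with `S_ISDIR`, so with a reused overlay directory a pre-existing symlink or regular file would be re-owned and re-moded in place of a fresh directory. I would use `lstat` and refuse anything that is not a real directory, as sketched below. A check/use gap remains even then; opening with `O_DIRECTORY | O_NOFOLLOW` and using `fchown`/`fchmod` on the descriptor would close it. The function starts and ends outside these hunks, so the privilege state around this code is not visible here.

```c
	// … unchanged: asprintf(&odiff, "%s/odiff", basedir) …
	if (lstat(odiff, &s) == 0) {
		// reuse only a real directory, never a symlink or a plain file
		if (!S_ISDIR(s.st_mode)) {
			fprintf(stderr, "Error: invalid overlay directory %s\n", odiff);
			exit(1);
		}
	}
	else if (mkdir(odiff, 0755))
		errExit("mkdir");
	// … unchanged: chown/chmod of odiff; same pattern for owork, hdiff, hwork …
```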
@@ -968,8 +994,13 @@ void fs_overlayfs(void) { if(asprintf(&hwork, "%s/hwork", basedir) == -1) errExit("asprintf"); - if (mkdir(hwork, S_IRWXU | S_IRWXG | S_IRWXO)) - errExit("mkdir"); + + // no need to check arg_overlay_reuse + if (stat(hwork, &s) != 0) { + if (mkdir(hwork, S_IRWXU | S_IRWXG | S_IRWXO)) + errExit("mkdir"); + } + if (chown(hwork, 0, 0) < 0) errExit("chown"); if (chmod(hwork, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0) @@ -1011,7 +1042,6 @@ void fs_overlayfs(void) { fs_logger("whitelist /run"); // mount-bind /tmp/.X11-unix directory - struct stat s; if (stat("/tmp/.X11-unix", &s) == 0) { if (arg_debug) printf("Mounting /tmp/.X11-unix\n"); diff --git a/src/firejail/main.c b/src/firejail/main.c index acae7c3dd..120809456 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -59,7 +59,8 @@ int arg_debug_whitelists; // print debug messages for whitelists int arg_nonetwork = 0; // --net=none int arg_command = 0; // -c int arg_overlay = 0; // overlay option -int arg_overlay_keep = 0; // place overlay diff directory in ~/.firejail +int arg_overlay_keep = 0; // place overlay diff in a known directory +int arg_overlay_reuse = 0; // allow the reuse of overlays int arg_zsh = 0; // use zsh as default shell int arg_csh = 0; // use csh as default shell 
@@ -691,6 +692,41 @@ static void delete_x11_file(pid_t pid) { free(fname); } +static char *create_and_check_overlay_dir(const char *subdirname, int allow_reuse) { + // create ~/.firejail directory + struct stat s; + char *dirname; + if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1) + errExit("asprintf"); + if (stat(dirname, &s) == -1) { + /* coverity[toctou] */ + if (mkdir(dirname, 0700)) + errExit("mkdir"); + if (chown(dirname, getuid(), getgid()) < 0) + errExit("chown"); + if (chmod(dirname, 0700) < 0) + errExit("chmod"); + } + else if (is_link(dirname)) { + fprintf(stderr, "Error: invalid ~/.firejail directory\n"); + exit(1); + } + + free(dirname); + + // check overlay directory + if (asprintf(&dirname, "%s/.firejail/%s", cfg.homedir, subdirname) == -1) + errExit("asprintf"); + if (allow_reuse == 0) { + if (stat(dirname, &s) == 0) { + fprintf(stderr, "Error: overlay directory already exists: %s\n", dirname); + exit(1); + } + } + + return dirname; +} + static void detect_quiet(int argc, char **argv) { int i; 
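Review bot: create_and_check_overlay_dir() pastes `subdirname` into `%s/.firejail/%s` without validating it, and for `--overlay-named=` that string comes straight from the command line. A name that contains `/` or equals `..` makes the returned path leave ~/.firejail, and the `is_link()` test covers only ~/.firejail itself, not the overlay entry. I would reject such names before the second asprintf: `if (strchr(subdirname, '/') || strcmp(subdirname, ".") == 0 || strcmp(subdirname, "..") == 0) { fprintf(stderr, "Error: invalid overlay name\n"); exit(1); }`. A header comment stating that the returned string is heap-allocated and owned by the caller would also help.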
@@ -1193,34 +1229,54 @@ int main(int argc, char **argv) { arg_overlay = 1; arg_overlay_keep = 1; - // create ~/.firejail directory - char *dirname; - if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1) + char *subdirname; + if (asprintf(&subdirname, "%d", getpid()) == -1) errExit("asprintf"); - if (stat(dirname, &s) == -1) { - /* coverity[toctou] */ - if (mkdir(dirname, 0700)) - errExit("mkdir"); - if (chown(dirname, getuid(), getgid()) < 0) - errExit("chown"); - if (chmod(dirname, 0700) < 0) - errExit("chmod"); - } - else if (is_link(dirname)) { - fprintf(stderr, "Error: invalid ~/.firejail directory\n"); + cfg.overlay_dir = create_and_check_overlay_dir(subdirname, arg_overlay_reuse); + + free(subdirname); + } + else if (strncmp(argv[i], "--overlay-named=", 16) == 0) { + if (cfg.chrootdir) { + fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); + exit(1); + } + struct stat s; + if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { + fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); exit(1); } + arg_overlay = 1; + arg_overlay_keep = 1; + arg_overlay_reuse = 1; - free(dirname); + char *subdirname = argv[i] + 16; + if (subdirname == '\0') { + fprintf(stderr, "Error: invalid overlay option\n"); + exit(1); + } + cfg.overlay_dir = create_and_check_overlay_dir(subdirname, arg_overlay_reuse); + } + else if (strncmp(argv[i], "--overlay-path=", 15) == 0) { + if (cfg.chrootdir) { + fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); + exit(1); + } + struct stat s; + if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { + fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); + exit(1); + } + arg_overlay = 1; + arg_overlay_keep = 1; + arg_overlay_reuse = 1; - // check overlay directory - if (asprintf(&dirname, "%s/.firejail/%d", cfg.homedir, getpid()) == -1) - errExit("asprintf"); - if (stat(dirname, &s) == 0) { - fprintf(stderr, "Error: overlay 
directory already exists: %s\n", dirname); + char *dirname = argv[i] + 15; + if (dirname == '\0') { + fprintf(stderr, "Error: invalid overlay option\n"); exit(1); } - cfg.overlay_dir = dirname; + cfg.overlay_dir = expand_home(dirname, cfg.homedir); } else if (strcmp(argv[i], "--overlay-tmpfs") == 0) { if (cfg.chrootdir) { diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 03558cca7..ed6d22e69 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c 
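Review bot: Both emptiness checks added in this hunk compare the pointer instead of the character: `if (subdirname == '\0')` and `if (dirname == '\0')` test for a null pointer, which `argv[i] + 16` and `argv[i] + 15` can never be, so an empty `--overlay-named=` or `--overlay-path=` value is accepted. They should read `if (*subdirname == '\0')` and `if (*dirname == '\0')`. With the check dead, an empty name makes create_and_check_overlay_dir() return ~/.firejail/ itself as the overlay directory. The `--overlay-path=` value is also handed to expand_home() with no other validation visible here; main() starts and ends outside the hunk.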
@@ -176,16 +176,26 @@ void usage(void) { printf(" --overlay - mount a filesystem overlay on top of the current filesystem.\n"); printf("\tThe upper filesystem layer is persistent, and stored in\n"); - printf("\t$HOME/.firejail directory. (OverlayFS support is required in\n"); - printf("\tLinux kernel for this option to work). \n\n"); + printf("\t$HOME/.firejail/ directory. (OverlayFS support is required in\n"); + printf("\tLinux kernel for this option to work). \n\n"); + + printf(" --overlay-named=name - mount a filesystem overlay on top of the current\n"); + printf("\tfilesystem. The upper filesystem layer is persistent, and stored in\n"); + printf("\t$HOME/.firejail/ directory. (OverlayFS support is required in\n"); + printf("\tLinux kernel for this option to work). \n\n"); + + printf(" --overlay-path=path - mount a filesystem overlay on top of the current\n"); + printf("\tfilesystem. The upper filesystem layer is persistent, and stored in\n"); + printf("\tthe specified path. (OverlayFS support is required in Linux kernel for\n"); + printf("\tthis option to work). \n\n"); - printf(" --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n\n"); - printf(" --overlay-tmpfs - mount a filesystem overlay on top of the current\n"); printf("\tfilesystem. The upper layer is stored in a tmpfs filesystem,\n"); printf("\tand it is discarded when the sandbox is closed. (OverlayFS\n"); printf("\tsupport is required in Linux kernel for this option to work).\n\n"); + printf(" --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n\n"); + printf(" --private - mount new /root and /home/user directories in temporary\n"); printf("\tfilesystems. All modifications are discarded when the sandbox is\n"); printf("\tclosed.\n\n"); diff --git a/src/man/firejail.txt b/src/man/firejail.txt index fb8cb630b..3cc9a8401 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
@@ -994,7 +994,7 @@ $ ls -l sandboxlog* \fB\-\-overlay Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container, the system directories are mounted read-write. All filesystem modifications go into the overlay. -The overlay is stored in $HOME/.firejail directory. This option is not available on Grsecurity systems. +The overlay is stored in $HOME/.firejail/ directory. This option is not available on Grsecurity systems. .br .br @@ -1008,14 +1008,40 @@ Example: $ firejail \-\-overlay firefox .TP -\fB\-\-overlay-clean -Clean all overlays stored in $HOME/.firejail directory. +\fB\-\-overlay-named=name +Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container, +the system directories are mounted read-write. All filesystem modifications go into the overlay. +The overlay is stored in $HOME/.firejail/ directory. The created overlay can be reused between multiple +sessions. This option is not available on Grsecurity systems. +.br + +.br +OverlayFS support is required in Linux kernel for this option to work. +OverlayFS was officially introduced in Linux kernel version 3.18 .br .br Example: .br -$ firejail \-\-overlay-clean +$ firejail \-\-overlay-named=jail1 firefox + +.TP +\fB\-\-overlay-path=path +Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container, +the system directories are mounted read-write. All filesystem modifications go into the overlay. +The overlay is stored in the specified path. The created overlay can be reused between multiple sessions. +This option is not available on Grsecurity systems. +.br + +.br +OverlayFS support is required in Linux kernel for this option to work. +OverlayFS was officially introduced in Linux kernel version 3.18 +.br + +.br +Example: +.br +$ firejail \-\-overlay-path=~/jails/jail1 firefox .TP \fB\-\-overlay-tmpfs 
@@ -1033,6 +1059,16 @@ Example: .br $ firejail \-\-overlay-tmpfs firefox +.TP +\fB\-\-overlay-clean +Clean all overlays stored in $HOME/.firejail directory. +.br + +.br +Example: +.br +$ firejail \-\-overlay-clean + .TP \fB\-\-private Mount new /root and /home/user directories in temporary -- cgit v1.2.3-70-g09d2 From a706d5f482bd3a82f9ed6b6188bef868ce5bc87b Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 12 Aug 2016 20:06:37 -0400 Subject: fix make dist/make deb --- Makefile.in | 3 +-- todo | 3 +++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/Makefile.in b/Makefile.in index 1142059a5..c91db3bc7 100644 --- a/Makefile.in +++ b/Makefile.in @@ -48,7 +48,6 @@ clean: rm -f test/environment/index.html rm -f test/environment/wget-log rm -f test/sysutils/firejail_t* - cd test/compile; ./compile.sh --clean; cd ../.. cd test/dist-compile; ./compile.sh --clean; cd ../.. distclean: clean @@ -138,7 +137,7 @@ uninstall: rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg DISTFILES = "src etc platform configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES" -DISTFILES_TEST = "test/apps test/apps-x11 test/environment test/profiles test/utils test/compile test/dist-compile test/filters test/network test/fs test/sysutils" +DISTFILES_TEST = "test/apps test/apps-x11 test/environment test/profiles test/utils test/dist-compile test/filters test/network test/fs test/sysutils" dist: make distclean diff --git a/todo b/todo index 8fe3904da..02eacdda9 100644 --- a/todo +++ b/todo @@ -279,3 +279,6 @@ private-dev private-tmp nosound +26. fix firemon and firetools on systems with hidepid=2 + +sudo mount -o remount,rw,hidepid=2 /proc -- cgit v1.2.3-70-g09d2 From 5b52a6ec651bc01378ea692e008115fef3e69b7d Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Fri, 12 Aug 2016 20:29:22 -0400 Subject: removed /bin/bash check for chroot --- src/firejail/fs.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 86126672e..bf78a2e3b 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -1111,13 +1111,13 @@ int fs_check_chroot_dir(const char *rootdir) { free(name); // check /bin/bash - if (asprintf(&name, "%s/bin/bash", rootdir) == -1) - errExit("asprintf"); - if (stat(name, &s) == -1) { - fprintf(stderr, "Error: cannot find /bin/bash in chroot directory\n"); - return 1; - } - free(name); +// if (asprintf(&name, "%s/bin/bash", rootdir) == -1) +// errExit("asprintf"); +// if (stat(name, &s) == -1) { +// fprintf(stderr, "Error: cannot find /bin/bash in chroot directory\n"); +// return 1; +// } +// free(name); // check x11 socket directory if (getenv("FIREJAIL_X11")) { -- cgit v1.2.3-70-g09d2 From 9614b8ac4bf2661f6378abc7db18169fb867d6bb Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Sat, 13 Aug 2016 21:12:22 +0300 Subject: shell selection --- src/firejail/bandwidth.c | 8 +++--- src/firejail/env.c | 4 --- src/firejail/firejail.h | 1 + src/firejail/fs.c | 15 +++++------ src/firejail/join.c | 59 +++++++++++++++++------------------------ src/firejail/main.c | 69 ++++++++++++++++++++++++++++++++++-------------- src/firejail/sandbox.c | 17 +++--------- 7 files changed, 90 insertions(+), 83 deletions(-) diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c index 34c5ca509..5ff67b644 100644 --- a/src/firejail/bandwidth.c +++ b/src/firejail/bandwidth.c 
@@ -459,13 +459,15 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in if (setregid(0, 0)) errExit("setregid"); + assert(cfg.shell); + char *arg[4]; - arg[0] = "/bin/bash"; + arg[0] = cfg.shell; arg[1] = "-c"; arg[2] = cmd; arg[3] = NULL; - execvp("/bin/bash", arg); + execvp(arg[0], arg); // it will never get here - exit(0); + errExit("execvp"); } diff --git a/src/firejail/env.c b/src/firejail/env.c index 79d6b81e3..fdfa80ea8 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c @@ -121,10 +121,6 @@ void env_defaults(void) { errExit("setenv"); if (setenv("container", "firejail", 1) < 0) // LXC sets container=lxc, errExit("setenv"); - if (arg_zsh && setenv("SHELL", "/usr/bin/zsh", 1) < 0) - errExit("setenv"); - if (arg_csh && setenv("SHELL", "/bin/csh", 1) < 0) - errExit("setenv"); if (cfg.shell && setenv("SHELL", cfg.shell, 1) < 0) errExit("setenv"); // set prompt color to green diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 16b9d468f..0de2a354d 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -277,6 +277,7 @@ extern int fullargc; // main.c void check_user_namespace(void); +char *guess_shell(void); // sandbox.c int sandbox(void* sandbox_arg); diff --git a/src/firejail/fs.c b/src/firejail/fs.c index bf78a2e3b..5fe31cec8 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -1110,14 +1110,13 @@ int fs_check_chroot_dir(const char *rootdir) { } free(name); - // check /bin/bash -// if (asprintf(&name, "%s/bin/bash", rootdir) == -1) -// errExit("asprintf"); -// if (stat(name, &s) == -1) { -// fprintf(stderr, "Error: cannot find /bin/bash in chroot directory\n"); -// return 1; -// } -// free(name); + // check shell + if (!arg_shell_none) { + if (stat(cfg.shell, &s) == -1) { + fprintf(stderr, "Error: cannot find %s in chroot directory\n", cfg.shell); + return 1; + } + } // check x11 socket directory if (getenv("FIREJAIL_X11")) { 
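Review bot: In bandwidth_pid the interpreter for `cmd` now comes from `cfg.shell`, and this exec sits directly after `setregid(0, 0)`, so a value that appears to be filled from `--shell=` decides which binary runs with those IDs. The previous code pinned `/bin/bash`; I would keep a fixed, root-owned interpreter on this path, for example `arg[0] = "/bin/sh";`, rather than reuse the user's interactive shell. `assert(cfg.shell)` is also the only NULL guard and disappears when built with NDEBUG. The function starts outside the hunk, so the earlier privilege handling cannot be seen.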
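Review bot: The new shell check in fs_check_chroot_dir calls `stat(cfg.shell, &s)` on the host path, although the message says the file is missing "in chroot directory"; the code it replaces prefixed `rootdir` first. As written, a shell that exists on the host but not inside the chroot passes the check. I would build the path as before with `if (asprintf(&name, "%s%s", rootdir, cfg.shell) == -1) errExit("asprintf");`, stat `name`, and free it afterwards. Whether `cfg.shell` is already non-NULL when this runs is not visible from the hunk.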
diff --git a/src/firejail/join.c b/src/firejail/join.c index 0b5b6a34a..80ed1dc51 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c @@ -330,32 +330,21 @@ void join(pid_t pid, int argc, char **argv, int index) { } } - // run cmdline trough /bin/bash + // run cmdline trough shell if (cfg.command_line == NULL) { + cfg.shell = guess_shell(); + if (!cfg.shell) { + fprintf(stderr, "Error: unable to guess your shell, please set explicitly by using --shell option.\n"); + exit(1); + } + if (arg_debug) + printf("Autoselecting %s as shell\n", cfg.shell); // replace the process with a shell - if (cfg.shell) - execlp(cfg.shell, cfg.shell, NULL); - else if (arg_zsh) - execlp("/usr/bin/zsh", "/usr/bin/zsh", NULL); - else if (arg_csh) - execlp("/bin/csh", "/bin/csh", NULL); - else { - struct stat s; - if (stat("/bin/bash", &s) == 0) - execlp("/bin/bash", "/bin/bash", NULL); - else if (stat("/usr/bin/zsh", &s) == 0) - execlp("/usr/bin/zsh", "/usr/bin/zsh", NULL); - else if (stat("/bin/csh", &s) == 0) - execlp("/bin/csh", "/bin/csh", NULL); - else if (stat("/bin/sh", &s) == 0) - execlp("/bin/sh", "/bin/sh", NULL); - } + execlp(cfg.shell, cfg.shell, NULL); - // no shell found, print an error and exit - fprintf(stderr, "Error: no POSIX shell found\n"); - sleep(5); - exit(1); + // it should never get here + errExit("execlp"); } else { // run the command supplied by the user 
@@ -398,19 +387,16 @@ void join(pid_t pid, int argc, char **argv, int index) { execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]); exit(1); } else { - // choose the shell requested by the user, or use bash as default - char *sh; - if (cfg.shell) - sh = cfg.shell; - else if (arg_zsh) - sh = "/usr/bin/zsh"; - else if (arg_csh) - sh = "/bin/csh"; - else - sh = "/bin/bash"; - +// assert(cfg.shell); + cfg.shell = guess_shell(); + if (!cfg.shell) { + fprintf(stderr, "Error: unable to guess your shell, please set explicitly by using --shell option.\n"); + exit(1); + } + if (arg_debug) + printf("Autoselecting %s as shell\n", cfg.shell); char *arg[5]; - arg[0] = sh; + arg[0] = cfg.shell; arg[1] = "-c"; if (arg_debug) printf("Starting %s\n", cfg.command_line); @@ -423,7 +409,10 @@ void join(pid_t pid, int argc, char **argv, int index) { arg[3] = cfg.command_line; arg[4] = NULL; } - execvp("/bin/bash", arg); + execvp(arg[0], arg); + + // it should never get here + errExit("execvp"); } } diff --git a/src/firejail/main.c b/src/firejail/main.c index acae7c3dd..8a4d627f3 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -709,6 +709,32 @@ static void detect_quiet(int argc, char **argv) { } } +char *guess_shell(void) { + char *shell; + // shells in order of preference + char *shells[] = {"/bin/bash", "/bin/csh", "/usr/bin/zsh", "/bin/sh", "/bin/ash", NULL }; + + int i = 0; + while (shells[i] != NULL) { + struct stat s; + // access call checks as real UID/GID, not as effective UID/GID + if (stat(shells[i], &s) == 0 && access(shells[i], R_OK) == 0) { + shell = shells[i]; + break; + } + i++; + } + + + // FIXME get rid of arg_csh and arg_zsh completely + if (strcmp(shell,"/bin/csh")) + arg_csh = 1; + if (strcmp(shell,"/usr/bin/zsh") || strcmp(shell,"/bin/zsh")) + arg_zsh = 1; + + return shell; +} + //******************************************* // Main program //******************************************* 
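Review bot: guess_shell() leaves `shell` uninitialized when none of the candidates passes the stat/access test, so the `strcmp` calls and `return shell;` read an indeterminate pointer and the callers' `if (!cfg.shell)` error path cannot trigger reliably. The flag updates are inverted as well: `strcmp` returns non-zero on a mismatch, so `arg_csh` is set for every shell except /bin/csh, and the `||` of two `strcmp` results is always true. Initialising to NULL, returning early and comparing with `== 0` fixes both, as shown below. A comment noting that the returned pointer is a string literal and must not be freed would be useful too.

```c
char *guess_shell(void) {
	char *shell = NULL;
	// … unchanged: shells[] table and the stat/access loop …
	if (shell == NULL)
		return NULL;	// callers print the "unable to guess your shell" error

	// FIXME get rid of arg_csh and arg_zsh completely
	if (strcmp(shell, "/bin/csh") == 0)
		arg_csh = 1;
	if (strcmp(shell, "/usr/bin/zsh") == 0 || strcmp(shell, "/bin/zsh") == 0)
		arg_zsh = 1;

	return shell;
}
```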
@@ -1857,26 +1883,28 @@ int main(int argc, char **argv) { fprintf(stderr, "Error: --shell=none was already specified.\n"); return 1; } - if (arg_zsh || cfg.shell ) { + if (cfg.shell) { fprintf(stderr, "Error: only one default user shell can be specified\n"); return 1; } arg_csh = 1; + cfg.shell = "/bin/csh"; } else if (strcmp(argv[i], "--zsh") == 0) { if (arg_shell_none) { fprintf(stderr, "Error: --shell=none was already specified.\n"); return 1; } - if (arg_csh || cfg.shell ) { + if (cfg.shell) { fprintf(stderr, "Error: only one default user shell can be specified\n"); return 1; } arg_zsh = 1; + cfg.shell = "/bin/zsh"; } else if (strcmp(argv[i], "--shell=none") == 0) { arg_shell_none = 1; - if (arg_csh || arg_zsh || cfg.shell) { + if (cfg.shell) { fprintf(stderr, "Error: a shell was already specified\n"); return 1; } @@ -1888,7 +1916,7 @@ int main(int argc, char **argv) { } invalid_filename(argv[i] + 8); - if (arg_csh || arg_zsh || cfg.shell) { + if (cfg.shell) { fprintf(stderr, "Error: only one user shell can be specified\n"); return 1; } 
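Review bot: `--zsh` now sets `cfg.shell = "/bin/zsh"`, but the code this commit removes used `/usr/bin/zsh` in env.c, join.c and sandbox.c, and the shells[] table in guess_shell() lists only `/usr/bin/zsh`. On a system where zsh is installed only under /usr/bin the option would now point at a missing binary. I would keep `cfg.shell = "/usr/bin/zsh";` or probe both locations before assigning. main() extends beyond this hunk.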
@@ -1970,27 +1998,24 @@ int main(int argc, char **argv) { free(msg); } - // build the sandbox command - if (prog_index == -1 && arg_zsh) { - cfg.command_line = "/usr/bin/zsh"; - cfg.window_title = "/usr/bin/zsh"; - cfg.command_name = "zsh"; - } - else if (prog_index == -1 && arg_csh) { - cfg.command_line = "/bin/csh"; - cfg.window_title = "/bin/csh"; - cfg.command_name = "csh"; + // guess shell if unspecified +// if (!arg_shell_none && !cfg.shell) { + if (prog_index == -1 && !cfg.shell) { + cfg.shell = guess_shell(); + if (!cfg.shell) { + fprintf(stderr, "Error: unable to guess your shell, please set explicitly by using --shell option.\n"); + exit(1); + } + if (arg_debug) + printf("Autoselecting %s as shell\n", cfg.shell); } - else if (prog_index == -1 && cfg.shell) { + + // build the sandbox command + if (prog_index == -1 && cfg.shell) { cfg.command_line = cfg.shell; cfg.window_title = cfg.shell; cfg.command_name = cfg.shell; } - else if (prog_index == -1) { - cfg.command_line = "/bin/bash"; - cfg.window_title = "/bin/bash"; - cfg.command_name = "bash"; - } else if (arg_appimage) { if (arg_debug) printf("Configuring appimage environment\n"); @@ -2000,6 +2025,10 @@ int main(int argc, char **argv) { else { build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index); } +/* else { + fprintf(stderr, "Error: command must be specified when --shell=none used.\n"); + exit(1); + }*/ assert(cfg.command_name); if (arg_debug) diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index a131d9e91..5451c6d6c 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c 
@@ -325,20 +325,11 @@ static void start_application(void) { // start the program using a shell //**************************************** else { - // choose the shell requested by the user, or use bash as default - char *sh; - if (cfg.shell) - sh = cfg.shell; - else if (arg_zsh) - sh = "/usr/bin/zsh"; - else if (arg_csh) - sh = "/bin/csh"; - else - sh = "/bin/bash"; - + assert(cfg.shell); + char *arg[5]; int index = 0; - arg[index++] = sh; + arg[index++] = cfg.shell; arg[index++] = "-c"; assert(cfg.command_line); if (arg_debug) @@ -368,7 +359,7 @@ static void start_application(void) { if (!arg_command && !arg_quiet) printf("Child process initialized\n"); - execvp(sh, arg); + execvp(arg[0], arg); } perror("execvp"); -- cgit v1.2.3-70-g09d2 From f3b5873b745ce4faf05407bf52c8ab38100dc217 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 13 Aug 2016 14:42:39 -0400 Subject: various fixes --- src/faudit/dbus.c | 2 -- src/firejail/checkcfg.c | 4 ++-- src/firejail/env.c | 3 ++- src/firejail/main.c | 30 ++++++++++++++++++++---------- src/firejail/x11.c | 3 ++- 5 files changed, 26 insertions(+), 16 deletions(-) diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c index 1edce5802..64f5d8ae4 100644 --- a/src/faudit/dbus.c +++ b/src/faudit/dbus.c @@ -63,8 +63,6 @@ void dbus_test(void) { if (ptr) *ptr = '\0'; check_session_bus(sockfile); - - sockfile -= 13; } free(bus); } diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 3b60dafb6..019b54773 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -50,7 +50,7 @@ int checkcfg(int val) { FILE *fp = fopen(fname, "r"); if (!fp) { #ifdef HAVE_GLOBALCFG - fprintf(stderr, "Warning: Firejail configuration file %s not found\n", fname); + fprintf(stderr, "Error: Firejail configuration file %s not found\n", fname); exit(1); #else initialized = 1; 
@@ -317,7 +317,7 @@ void print_compiletime_support(void) { #endif ); - printf("\t- X11 snadboxing support is %s\n", + printf("\t- X11 sandboxing support is %s\n", #ifdef HAVE_X11 "enabled" #else diff --git a/src/firejail/env.c b/src/firejail/env.c index 79d6b81e3..dd51b0a78 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c @@ -133,7 +133,8 @@ void env_defaults(void) { errExit("setenv"); // set the window title - printf("\033]0;firejail %s\007", cfg.window_title);fflush(0); + printf("\033]0;firejail %s\007", cfg.window_title); + fflush(0); } // parse and store the environment setting diff --git a/src/firejail/main.c b/src/firejail/main.c index acae7c3dd..7b8b770ab 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -237,7 +237,8 @@ void check_user_namespace(void) { stat("/proc/self/gid_map", &s3) == 0) arg_noroot = 1; else { - fprintf(stderr, "Warning: user namespaces not available in the current kernel.\n"); + if (!arg_quiet || arg_debug) + fprintf(stderr, "Warning: user namespaces not available in the current kernel.\n"); arg_noroot = 0; } } @@ -1526,7 +1527,8 @@ int main(int argc, char **argv) { errExit("strdup"); if (net_get_if_addr(intf->dev, &intf->ip, &intf->mask, intf->mac, &intf->mtu)) { - fprintf(stderr, "Warning: interface %s is not configured\n", intf->dev); + if (!arg_quiet || arg_debug) + fprintf(stderr, "Warning: interface %s is not configured\n", intf->dev); } intf->configured = 1; } @@ -1945,8 +1947,10 @@ int main(int argc, char **argv) { } // check trace configuration - if (arg_trace && arg_tracelog) - fprintf(stderr, "Warning: --trace and --tracelog are mutually exclusive; --tracelog disabled\n"); + if (arg_trace && arg_tracelog) { + if (!arg_quiet || arg_debug) + fprintf(stderr, "Warning: --trace and --tracelog are mutually exclusive; --tracelog disabled\n"); + } // check user namespace (--noroot) options if (arg_noroot) { 
@@ -2030,10 +2034,14 @@ int main(int argc, char **argv) { // use default.profile as the default if (!custom_profile && !arg_noprofile) { - if (cfg.chrootdir) - fprintf(stderr, "Warning: default profile disabled by --chroot option\n"); - else if (arg_overlay) - fprintf(stderr, "Warning: default profile disabled by --overlay option\n"); + if (cfg.chrootdir) { + if (!arg_quiet || arg_debug) + fprintf(stderr, "Warning: default profile disabled by --chroot option\n"); + } + else if (arg_overlay) { + if (!arg_quiet || arg_debug) + fprintf(stderr, "Warning: default profile disabled by --overlay option\n"); + } else { // try to load a default profile char *profile_name = DEFAULT_USER_PROFILE; @@ -2096,11 +2104,13 @@ int main(int argc, char **argv) { errExit("pipe"); if (arg_noroot && arg_overlay) { - fprintf(stderr, "Warning: --overlay and --noroot are mutually exclusive, noroot disabled\n"); + if (!arg_quiet || arg_debug) + fprintf(stderr, "Warning: --overlay and --noroot are mutually exclusive, noroot disabled\n"); arg_noroot = 0; } else if (arg_noroot && cfg.chrootdir) { - fprintf(stderr, "Warning: --chroot and --noroot are mutually exclusive, noroot disabled\n"); + if (!arg_quiet || arg_debug) + fprintf(stderr, "Warning: --chroot and --noroot are mutually exclusive, noroot disabled\n"); arg_noroot = 0; } diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 58908e9df..90ce1fc36 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c @@ -458,7 +458,8 @@ void x11_start_xpra(int argc, char **argv) { if (jail < 0) errExit("fork"); if (jail == 0) { - execvp(firejail_argv[0], firejail_argv); + if (firejail_argv[0]) // shut up llvm scan-build + execvp(firejail_argv[0], firejail_argv); perror("execvp"); exit(1); } -- cgit v1.2.3-70-g09d2 From ba27a763ad86978857a8c50bdd83a9bf894e74d7 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Sat, 13 Aug 2016 22:54:29 +0300 Subject: small fix --- src/firejail/main.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/src/firejail/main.c b/src/firejail/main.c index 8a4d627f3..87c8389ad 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1999,8 +1999,7 @@ int main(int argc, char **argv) { } // guess shell if unspecified -// if (!arg_shell_none && !cfg.shell) { - if (prog_index == -1 && !cfg.shell) { + if (!arg_shell_none && !cfg.shell) { cfg.shell = guess_shell(); if (!cfg.shell) { fprintf(stderr, "Error: unable to guess your shell, please set explicitly by using --shell option.\n"); -- cgit v1.2.3-70-g09d2 From 9e6b7e3b715dfe60d83b367783d57b021a9a608e Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sun, 14 Aug 2016 08:02:16 +1000 Subject: typo --- src/firejail/network.txt | 2 +- test/network/net_arp.exp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/firejail/network.txt b/src/firejail/network.txt index 673d5b941..f6df0f485 100644 --- a/src/firejail/network.txt +++ b/src/firejail/network.txt @@ -13,7 +13,7 @@ net_configure_bridge(br, device) { } net_configure_sandbox_ip(br) { - if br->ip_snadbox + if br->ip_sandbox check br->ipsandbox inside the bridge network arp_check(br->ipsandbox) // send an arp req to check if anybody else is using this address else diff --git a/test/network/net_arp.exp b/test/network/net_arp.exp index f27f85814..fdd30f218 100755 --- a/test/network/net_arp.exp +++ b/test/network/net_arp.exp @@ -69,6 +69,6 @@ expect { "sleep 20" } -# wait for snadboxes to be shutdown +# wait for sandboxes to be shutdown sleep 30 puts "\n" -- cgit v1.2.3-70-g09d2 From 9f5dfa5964f82fa03b5b86c705b1f599c9887316 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Sun, 14 Aug 2016 13:33:22 +0300 Subject: join fixes --- src/firejail/firejail.h | 2 -- src/firejail/fs_home.c | 5 +++-- src/firejail/join.c | 18 +++--------------- src/firejail/main.c | 25 +++++++++++++------------ 4 files changed, 19 insertions(+), 31 deletions(-) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 0de2a354d..c45b324fc 100644 
--- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -222,8 +222,6 @@ extern int arg_nonetwork; // --net=none extern int arg_command; // -c extern int arg_overlay; // overlay option extern int arg_overlay_keep; // place overlay diff directory in ~/.firejail -extern int arg_zsh; // use zsh as default shell -extern int arg_csh; // use csh as default shell extern int arg_seccomp; // enable default seccomp filter diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index c1e983c16..d328d5f1c 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c @@ -32,8 +32,9 @@ static void skel(const char *homedir, uid_t u, gid_t g) { char *fname; + // zsh - if (arg_zsh) { + if (!arg_shell_none && (strcmp(cfg.shell,"/usr/bin/zsh") == 0 || strcmp(cfg.shell,"/bin/zsh") == 0)) { // copy skel files if (asprintf(&fname, "%s/.zshrc", homedir) == -1) errExit("asprintf"); @@ -63,7 +64,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) { free(fname); } // csh - else if (arg_csh) { + else if (!arg_shell_none && strcmp(cfg.shell,"/bin/csh") == 0) { // copy skel files if (asprintf(&fname, "%s/.cshrc", homedir) == -1) errExit("asprintf"); diff --git a/src/firejail/join.c b/src/firejail/join.c index 80ed1dc51..632715fea 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c @@ -332,13 +332,7 @@ void join(pid_t pid, int argc, char **argv, int index) { // run cmdline trough shell if (cfg.command_line == NULL) { - cfg.shell = guess_shell(); - if (!cfg.shell) { - fprintf(stderr, "Error: unable to guess your shell, please set explicitly by using --shell option.\n"); - exit(1); - } - if (arg_debug) - printf("Autoselecting %s as shell\n", cfg.shell); + assert(cfg.shell); // replace the process with a shell execlp(cfg.shell, cfg.shell, NULL); 
@@ -387,14 +381,8 @@ void join(pid_t pid, int argc, char **argv, int index) { execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]); exit(1); } else { -// assert(cfg.shell); - cfg.shell = guess_shell(); - if (!cfg.shell) { - fprintf(stderr, "Error: unable to guess your shell, please set explicitly by using --shell option.\n"); - exit(1); - } - if (arg_debug) - printf("Autoselecting %s as shell\n", cfg.shell); + assert(cfg.shell); + char *arg[5]; arg[0] = cfg.shell; arg[1] = "-c"; diff --git a/src/firejail/main.c b/src/firejail/main.c index 87c8389ad..e0f2a676c 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -60,8 +60,6 @@ int arg_nonetwork = 0; // --net=none int arg_command = 0; // -c int arg_overlay = 0; // overlay option int arg_overlay_keep = 0; // place overlay diff directory in ~/.firejail -int arg_zsh = 0; // use zsh as default shell -int arg_csh = 0; // use csh as default shell int arg_seccomp = 0; // enable default seccomp filter @@ -565,7 +563,18 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { #endif else if (strncmp(argv[i], "--join=", 7) == 0) { logargs(argc, argv); - + + if (arg_shell_none) { + if (argc <= (i+1)) { + fprintf(stderr, "Error: --shell=none set, but no command specified\n"); + exit(1); + } + cfg.original_program_index = i + 1; + } + + if (!cfg.shell && !arg_shell_none) + cfg.shell = guess_shell(); + // join sandbox by pid or by name pid_t pid; if (read_pid(argv[i] + 7, &pid) == 0) @@ -573,6 +582,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { else join_name(argv[i] + 7, argc, argv, i + 1); exit(0); + } #ifdef HAVE_NETWORK else if (strncmp(argv[i], "--join-network=", 15) == 0) { @@ -725,13 +735,6 @@ char *guess_shell(void) { i++; } - - // FIXME get rid of arg_csh and arg_zsh completely - if (strcmp(shell,"/bin/csh")) - arg_csh = 1; - if (strcmp(shell,"/usr/bin/zsh") || strcmp(shell,"/bin/zsh")) - arg_zsh = 1; - return shell; } 
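Review bot: The `--join=` branch in run_cmd_and_exit assigns `cfg.shell = guess_shell();` without checking the result, while join() now relies on `assert(cfg.shell)` alone. If no candidate shell is found, or asserts are compiled out, an unusable pointer reaches `execlp`/`execvp`. I would mirror the main path: `if (!cfg.shell) { fprintf(stderr, "Error: unable to guess your shell, please set explicitly by using --shell option.\n"); exit(1); }`. The guess is also made before the sandbox is joined, so it reflects the caller's filesystem view; a one-line comment saying this is intended would help.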
@@ -1887,7 +1890,6 @@ int main(int argc, char **argv) { fprintf(stderr, "Error: only one default user shell can be specified\n"); return 1; } - arg_csh = 1; cfg.shell = "/bin/csh"; } else if (strcmp(argv[i], "--zsh") == 0) { @@ -1899,7 +1901,6 @@ int main(int argc, char **argv) { fprintf(stderr, "Error: only one default user shell can be specified\n"); return 1; } - arg_zsh = 1; cfg.shell = "/bin/zsh"; } else if (strcmp(argv[i], "--shell=none") == 0) { -- cgit v1.2.3-70-g09d2 From c85c8d2c7f23ab03276fcd7ae052a18a68e05d16 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 14 Aug 2016 10:06:13 -0400 Subject: gether shell selection code in one place --- README | 1 + src/firejail/cmdline.c | 12 ++++++++++-- src/firejail/main.c | 8 ++++++++ 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/README b/README index 292d9a522..c843610a0 100644 --- a/README +++ b/README @@ -38,6 +38,7 @@ Aleksey Manevich (https://github.com/manevich) - spliting up cmdline.c - Busybox support - X11 support rewrite + - gether shell selection code in one place Franco (nextime) Lanza (https://github.com/nextime) - added --private-template xee5ch (https://github.com/xee5ch) diff --git a/src/firejail/cmdline.c b/src/firejail/cmdline.c index 48cbaffb7..cadf4795d 100644 --- a/src/firejail/cmdline.c +++ b/src/firejail/cmdline.c @@ -26,7 +26,9 @@ #include #include -int cmdline_length(int argc, char **argv, int index) { +static int cmdline_length(int argc, char **argv, int index) { + assert(index != -1); + unsigned i,j; int len = 0; unsigned argcnt = argc - index; @@ -62,7 +64,9 @@ int cmdline_length(int argc, char **argv, int index) { return len; } -void quote_cmdline(char *command_line, char *window_title, int len, int argc, char **argv, int index) { +static void quote_cmdline(char *command_line, char *window_title, int len, int argc, char **argv, int index) { + assert(index != -1); + unsigned i,j; unsigned argcnt = argc - index; bool in_quotes = false; 
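Review bot: The new `assert(index != -1);` in cmdline_length() rejects only the sentinel value, while the following `unsigned argcnt = argc - index;` wraps to a very large count for any other negative index or for an index above argc. `assert(index >= 0 && index <= argc);` states the precondition the arithmetic actually needs, and the same applies to the assertions added in quote_cmdline() and build_cmdline(). Because assertions are compiled out under NDEBUG, the caller-side check in main.c remains the real guard. Both function bodies continue outside the hunks.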
@@ -131,6 +135,10 @@ void quote_cmdline(char *command_line, char *window_title, int len, int argc, ch } void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index) { + // index == -1 could happen if we have --shell=none and no program was specified + // the program should exit with an error before entering this function + assert(index != -1); + int len = cmdline_length(argc, argv, index); if (len > ARG_MAX) { errno = E2BIG; diff --git a/src/firejail/main.c b/src/firejail/main.c index 7cc9f9bf6..49018860a 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1974,6 +1974,12 @@ int main(int argc, char **argv) { break; } } + + // prog_index could still be -1 if no program was specified + if (prog_index == -1 && arg_shell_none) { + fprintf(stderr, "shell=none configured, but no program specified\n"); + exit(1); + } // check trace configuration if (arg_trace && arg_tracelog) { @@ -2027,7 +2033,9 @@ int main(int argc, char **argv) { cfg.window_title = "appimage"; } else { +printf("here %d\n", __LINE__); build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index); +printf("here %d\n", __LINE__); } /* else { fprintf(stderr, "Error: command must be specified when --shell=none used.\n"); -- cgit v1.2.3-70-g09d2 From 9a6316a55ba8483695213a320d744303b6c0a4ea Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 14 Aug 2016 10:21:26 -0400 Subject: cleanup --- src/firejail/main.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/firejail/main.c b/src/firejail/main.c index 49018860a..c8cc3f460 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -2033,9 +2033,7 @@ int main(int argc, char **argv) { cfg.window_title = "appimage"; } else { -printf("here %d\n", __LINE__); build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index); -printf("here %d\n", __LINE__); } /* else { fprintf(stderr, "Error: command must be specified when --shell=none used.\n"); -- cgit v1.2.3-70-g09d2 
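Review bot: The new message in the `prog_index == -1 && arg_shell_none` check is printed without the `Error:` prefix that the surrounding diagnostics use, and it rewords the `--join=` message for the same condition. I would write `fprintf(stderr, "Error: --shell=none configured, but no program specified\n");`. The commented-out `else` block at the end of the last main.c hunk reports the same condition and can be deleted now that this check exists.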
From bb9df33faeae2a7f89267307aa39735c1d3a56e6 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 14 Aug 2016 10:56:58 -0400 Subject: branch status --- README.md | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/README.md b/README.md index 3047bf908..8db004c15 100644 --- a/README.md +++ b/README.md @@ -38,6 +38,39 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ Version 0.9.41~rc1 was released. +# Branch status: unstable + +A number of problems are being worked on. This is the output of "make test": +````` +[...] +cd test/sysutils; ./sysutils.sh | grep TESTING +TESTING: cpio +netblue@debian:~/work/github/firejail/test/sysutils$ TESTING ERROR 1 +TESTING: gzip +netblue@debian:~/work/github/firejail/test/sysutils$ TESTING ERROR 1 +TESTING: xzdec +netblue@debian:~/work/github/firejail/test/sysutils$ TESTING ERROR 1 +TESTING: xz +netblue@debian:~/work/github/firejail/test/sysutils$ TESTING ERROR 1 +TESTING: less +TESTING: file +TESTING: tar +netblue@debian:~/work/github/firejail/test/sysutils$ TESTING ERROR 3.1 +[...] +cd test/apps-x11; ./apps-x11.sh | grep TESTING +TESTING: xterm x11 +netblue@debian:~/work/github/firejail/test/apps-x11$ TESTING ERROR 5.1 +TESTING: firefox x11 +netblue@debian:~/work/github/firejail/test/apps-x11$ TESTING ERROR 5.1 +TESTING: chromium x11 +TESTING: transmission-gtk x11 +netblue@debian:~/work/github/firejail/test/apps-x11$ TESTING ERROR 5.1 +TESTING: icedove x11 +netblue@debian:~/work/github/firejail/test/apps-x11$ TESTING ERROR 5.1 +[...] +````` +"firemon --seccomp" and "firemon --caps" are misbehaving at the moment. + ## Deprecated --user --user option was deprecated, please use "sudo -u username firejail application" instead. -- cgit v1.2.3-70-g09d2 From 62edc4b5d4bfdb81690a4a955763285760657079 Mon Sep 17 00:00:00 2001 
From: Laurent Declercq Date: Sun, 14 Aug 2016 19:41:44 +0200 Subject: Fixed #712 --- src/firejail/fs.c | 17 ++++++++++------- src/firejail/main.c | 12 +++++++++++- 2 files changed, 21 insertions(+), 8 deletions(-) diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 5fe31cec8..98b661028 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -1110,13 +1110,16 @@ int fs_check_chroot_dir(const char *rootdir) { } free(name); - // check shell - if (!arg_shell_none) { - if (stat(cfg.shell, &s) == -1) { - fprintf(stderr, "Error: cannot find %s in chroot directory\n", cfg.shell); - return 1; - } - } + // check shell (test not needed. We already test access in main.c) + //if (!arg_shell_none) { + // if (asprintf(&name, "%s%s", rootdir, (char *)&cfg.shell) == -1) + // errExit("asprintf"); + // if (stat(name, &s) == -1) { + // fprintf(stderr, "Error: cannot find %s in chroot directory\n", name); + // return 1; + // } + // free(name); + //} // check x11 socket directory if (getenv("FIREJAIL_X11")) { diff --git a/src/firejail/main.c b/src/firejail/main.c index c8cc3f460..13270314b 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1929,9 +1929,19 @@ int main(int argc, char **argv) { fprintf(stderr, "Error: invalid shell\n"); exit(1); } - + // access call checks as real UID/GID, not as effective UID/GID if (access(cfg.shell, R_OK)) { + if(cfg.chrootdir) { + char *shellpath; + if (asprintf(&shellpath, "%s%s", cfg.chrootdir, cfg.shell) == -1) + errExit("asprintf"); + if (access(shellpath, R_OK)) { + fprintf(stderr, "Error: cannot access shell file in chroot\n"); + exit(1); + } + free(shellpath); + } else if (access(cfg.shell, R_OK)) { fprintf(stderr, "Error: cannot access shell file\n"); exit(1); } -- cgit v1.2.3-70-g09d2 From c844234739feb7aae98bd27efba8af83c729528b Mon Sep 17 00:00:00 2001 From: Laurent Declercq Date: Sun, 14 Aug 2016 19:46:19 +0200 Subject: Small fix --- src/firejail/main.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
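Review bot: The chroot branch validates the shell by calling access() on `cfg.chrootdir` concatenated with `cfg.shell` from the host side, which is not equivalent to a lookup inside the chroot: an absolute symlink at that location is resolved against the host root, so the check can pass or fail for the wrong file. It also appears to depend on `--chroot` being parsed before `--shell=`, because `cfg.chrootdir` is tested while the shell option is being handled; that ordering is inferred from the hunk's position and should be confirmed. The fs.c hunk comments out the shell check in fs_check_chroot_dir() instead of correcting it to use `rootdir`, so nothing verifies the shell once all options are known. I would restore a corrected check there, delete the commented-out block (its `(char *)&cfg.shell` cast is wrong in any case), and consider `X_OK` instead of `R_OK` since the file is going to be executed.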
diff --git a/src/firejail/main.c b/src/firejail/main.c index 13270314b..6b5f97779 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1931,8 +1931,7 @@ int main(int argc, char **argv) { } // access call checks as real UID/GID, not as effective UID/GID - if (access(cfg.shell, R_OK)) { - if(cfg.chrootdir) { + if(cfg.chrootdir) { char *shellpath; if (asprintf(&shellpath, "%s%s", cfg.chrootdir, cfg.shell) == -1) errExit("asprintf"); -- cgit v1.2.3-70-g09d2 From 1a1f0f253c11caaaac7411611b070f091f8353cc Mon Sep 17 00:00:00 2001 From: Laurent Declercq Date: Sun, 14 Aug 2016 20:01:06 +0200 Subject: CS fixes --- src/firejail/main.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/src/firejail/main.c b/src/firejail/main.c index 6b5f97779..75ad69ce4 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1932,14 +1932,14 @@ int main(int argc, char **argv) { // access call checks as real UID/GID, not as effective UID/GID if(cfg.chrootdir) { - char *shellpath; - if (asprintf(&shellpath, "%s%s", cfg.chrootdir, cfg.shell) == -1) - errExit("asprintf"); - if (access(shellpath, R_OK)) { - fprintf(stderr, "Error: cannot access shell file in chroot\n"); - exit(1); - } - free(shellpath); + char *shellpath; + if (asprintf(&shellpath, "%s%s", cfg.chrootdir, cfg.shell) == -1) + errExit("asprintf"); + if (access(shellpath, R_OK)) { + fprintf(stderr, "Error: cannot access shell file in chroot\n"); + exit(1); + } + free(shellpath); } else if (access(cfg.shell, R_OK)) { fprintf(stderr, "Error: cannot access shell file\n"); exit(1); -- cgit v1.2.3-70-g09d2 From 35ff4ef959ba3bfc66ad1fd2eb1244fb49335ac0 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Sun, 14 Aug 2016 15:28:31 -0400 Subject: fixed login shell --- src/firejail/firejail.h | 2 +- src/firejail/main.c | 27 +++++++++++++++++++++++++++ src/firejail/no_sandbox.c | 7 +++++-- src/firejail/restricted_shell.c | 1 - src/firejail/sandbox.c | 4 +++- 5 files changed, 36 insertions(+), 5 deletions(-) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index c45b324fc..2a96afa1b 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -265,6 +265,7 @@ extern int arg_audit; // audit extern char *arg_audit_prog; // audit extern int arg_apparmor; // apparmor +extern int login_shell; extern int parent_to_child_fds[2]; extern int child_to_parent_fds[2]; extern pid_t sandbox_pid; @@ -356,7 +357,6 @@ void shut(pid_t pid); void shut_name(const char *name); // restricted_shell.c -extern char *restricted_user; int restricted_shell(const char *user); // arp.c diff --git a/src/firejail/main.c b/src/firejail/main.c index c8cc3f460..fbffedbde 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -102,6 +102,7 @@ int arg_appimage = 0; // appimage int arg_audit = 0; // audit char *arg_audit_prog; // audit int arg_apparmor; // apparmor +int login_shell = 0; int parent_to_child_fds[2]; int child_to_parent_fds[2]; @@ -877,6 +878,31 @@ int main(int argc, char **argv) { if (strcmp(comm, "sshd") == 0) { arg_quiet = 1; parent_sshd = 1; + +#if 0 +EUID_ROOT(); +FILE *fp = fopen("/mylog", "w"); +if (fp) { + int i; + for (i = 0; i < argc; i++) + fprintf(fp, "#%s# ", argv[i]); + fprintf(fp, "\n"); + fclose(fp); +} +EUID_USER(); +#endif + + // run sftp and ssh directly without any sandboxing + // regular login has argv[0] == "-firejail" + if (*argv[0] != '-') { + if (strcmp(argv[1], "-c") == 0 && argc > 2) { + if (strcmp(argv[2], "/usr/lib/openssh/sftp-server") == 0 || + strncmp(argv[2], "scp ", 4) == 0) { + drop_privs(1); + run_no_sandbox(argc, argv); + } + } + } } free(comm); } 
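Review bot: The sshd bypass decides to skip sandboxing from a prefix test, `strncmp(argv[2], "scp ", 4) == 0`, but run_no_sandbox() later hands the command string to `system()` (visible in the no_sandbox.c hunk of this commit), so everything after the first four characters is interpreted by /bin/sh without restriction. For accounts confined through /etc/firejail/login.users the confinement then rests on a string prefix; the command should be split into an argument vector, its first word compared exactly, and the program started with execv() on a fixed path rather than through a shell. In the same condition `strcmp(argv[1], "-c")` is evaluated before `argc > 2`, so argv[1] is NULL if the program is ever started with argc == 1; the test should read `if (argc > 2 && strcmp(argv[1], "-c") == 0)`. The `#if 0` block that switches to root to write `/mylog` should not be committed. main() continues outside this hunk.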
@@ -884,6 +910,7 @@ int main(int argc, char **argv) { // is this a login shell, or a command passed by sshd, insert command line options from /etc/firejail/login.users if (*argv[0] == '-' || parent_sshd) { + login_shell = 1; fullargc = restricted_shell(cfg.username); if (fullargc) { int j; diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index f1fd04aec..933922ece 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c @@ -172,6 +172,8 @@ void run_no_sandbox(int argc, char **argv) { int len = 0; int i; for (i = 1; i < argc; i++) { +// if (i == 1 && strcmp(argv[i], "-c") == 0) +// continue; if (*argv[i] == '-') continue; break; @@ -202,8 +204,9 @@ void run_no_sandbox(int argc, char **argv) { } // start the program in /bin/sh - fprintf(stderr, "Warning: an existing sandbox was detected. " - "%s will run without any additional sandboxing features in a /bin/sh shell\n", command); +// if (!arg_quiet) + fprintf(stderr, "Warning: an existing sandbox was detected. " + "%s will run without any additional sandboxing features in a /bin/sh shell\n", command); int rv = system(command); (void) rv; if (allocated) diff --git a/src/firejail/restricted_shell.c b/src/firejail/restricted_shell.c index ee6e94957..1920da40a 100644 --- a/src/firejail/restricted_shell.c +++ b/src/firejail/restricted_shell.c @@ -76,7 +76,6 @@ int restricted_shell(const char *user) { // process user if (strcmp(user, usr) == 0) { - restricted_user = strdup(user); // extract program arguments fullargv[0] = "firejail"; diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 5451c6d6c..3e8b5f934 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -327,9 +327,11 @@ static void start_application(void) { else { assert(cfg.shell); - char *arg[5]; + char *arg[6]; int index = 0; arg[index++] = cfg.shell; + if (login_shell) + arg[index++] = "-l"; arg[index++] = "-c"; assert(cfg.command_line); if (arg_debug) -- cgit v1.2.3-70-g09d2 
From 2e43a1143044fb6e7fb337975bfae4d6b8724940 Mon Sep 17 00:00:00 2001 From: Laurent Declercq Date: Mon, 15 Aug 2016 01:18:04 +0200 Subject: Fixes remaining issues related to #704 --- src/firejail/sandbox.c | 30 +++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 3e8b5f934..6b3d5ea89 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -326,22 +326,26 @@ static void start_application(void) { //**************************************** else { assert(cfg.shell); + assert(cfg.command_line); - char *arg[6]; + char *arg[5]; int index = 0; arg[index++] = cfg.shell; - if (login_shell) + if (login_shell && cfg.shell == cfg.command_line) { arg[index++] = "-l"; - arg[index++] = "-c"; - assert(cfg.command_line); - if (arg_debug) - printf("Starting %s\n", cfg.command_line); - if (arg_doubledash) - arg[index++] = "--"; - arg[index++] = cfg.command_line; + if (arg_debug) + printf("Starting %s login shell\n", cfg.shell); + } else { + arg[index++] = "-c"; + if (arg_debug) + printf("Running %s command through %s\n", cfg.command_line, cfg.shell); + if (arg_doubledash) + arg[index++] = "--"; + arg[index++] = cfg.command_line; + } arg[index] = NULL; assert(index < 5); - + if (arg_debug) { char *msg; if (asprintf(&msg, "sandbox %d, execvp into %s", sandbox_pid, cfg.command_line) == -1) @@ -349,7 +353,7 @@ static void start_application(void) { logmsg(msg); free(msg); } - + if (arg_debug) { int i; for (i = 0; i < 5; i++) { @@ -358,12 +362,12 @@ static void start_application(void) { printf("execvp argument %d: %s\n", i, arg[i]); } } - + if (!arg_command && !arg_quiet) printf("Child process initialized\n"); execvp(arg[0], arg); } - + perror("execvp"); exit(1); // it should never get here!!! } -- cgit v1.2.3-70-g09d2 From 35a2e4e5f998de19c1a092531f2dbbd1d55bcf0f Mon Sep 17 00:00:00 2001 
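Review bot: `cfg.shell == cfg.command_line` compares pointers, not strings, so the login-shell branch is taken only when command_line was assigned from the very same pointer as cfg.shell; whether that holds on every path is not visible in this hunk. If the intent is "no command other than the shell was requested", `strcmp(cfg.shell, cfg.command_line) == 0` or an explicit flag set where command_line is defaulted expresses it without relying on aliasing. The bound check `assert(index < 5);` also runs after the array has been written; `assert(index < (int)(sizeof(arg) / sizeof(arg[0])));` placed before the terminator is stored would stay in step with `char *arg[5]`. start_application() continues outside the hunk.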
From: netblue30 Date: Mon, 15 Aug 2016 07:18:47 -0400 Subject: README --- README | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README b/README index c843610a0..e9e47dc2d 100644 --- a/README +++ b/README @@ -39,6 +39,8 @@ Aleksey Manevich (https://github.com/manevich) - Busybox support - X11 support rewrite - gether shell selection code in one place +Laurent Declercq (https://github.com/nuxwin) + - fixed test for shell interpreter in chroots Franco (nextime) Lanza (https://github.com/nextime) - added --private-template xee5ch (https://github.com/xee5ch) -- cgit v1.2.3-70-g09d2 From 87f450843f70211c9d7d95de61aab504afe0e778 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 15 Aug 2016 07:24:11 -0400 Subject: ssh fixes --- src/firejail/main.c | 5 +++-- src/firejail/sandbox.c | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/src/firejail/main.c b/src/firejail/main.c index 3e5663a9b..c6c1bc866 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -892,7 +892,7 @@ if (fp) { EUID_USER(); #endif - // run sftp and ssh directly without any sandboxing + // run sftp and scp directly without any sandboxing // regular login has argv[0] == "-firejail" if (*argv[0] != '-') { if (strcmp(argv[1], "-c") == 0 && argc > 2) { @@ -910,7 +910,8 @@ EUID_USER(); // is this a login shell, or a command passed by sshd, insert command line options from /etc/firejail/login.users if (*argv[0] == '-' || parent_sshd) { - login_shell = 1; + if (argc == 1) + login_shell = 1; fullargc = restricted_shell(cfg.username); if (fullargc) { int j; diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 6b3d5ea89..8178cfc8e 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c 
@@ -331,7 +331,7 @@ static void start_application(void) { char *arg[5]; int index = 0; arg[index++] = cfg.shell; - if (login_shell && cfg.shell == cfg.command_line) { + if (login_shell) { arg[index++] = "-l"; if (arg_debug) printf("Starting %s login shell\n", cfg.shell); -- cgit v1.2.3-70-g09d2 From 31413e510b9822c5632dbde3c7cb4417f66bc808 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 15 Aug 2016 08:01:50 -0400 Subject: more ssh fixes --- src/firejail/main.c | 2 +- src/firejail/no_sandbox.c | 6 +++--- src/firejail/restricted_shell.c | 8 +++++--- 3 files changed, 9 insertions(+), 7 deletions(-) diff --git a/src/firejail/main.c b/src/firejail/main.c index c6c1bc866..6f1e7531a 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -891,7 +891,7 @@ if (fp) { } EUID_USER(); #endif - + // run sftp and scp directly without any sandboxing // regular login has argv[0] == "-firejail" if (*argv[0] != '-') { diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index 933922ece..80ed72dca 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c @@ -172,8 +172,8 @@ void run_no_sandbox(int argc, char **argv) { int len = 0; int i; for (i = 1; i < argc; i++) { -// if (i == 1 && strcmp(argv[i], "-c") == 0) -// continue; + if (i == 1 && strcmp(argv[i], "-c") == 0) + continue; if (*argv[i] == '-') continue; break; @@ -204,7 +204,7 @@ void run_no_sandbox(int argc, char **argv) { } // start the program in /bin/sh -// if (!arg_quiet) + if (!arg_quiet) fprintf(stderr, "Warning: an existing sandbox was detected. " "%s will run without any additional sandboxing features in a /bin/sh shell\n", command); int rv = system(command); diff --git a/src/firejail/restricted_shell.c b/src/firejail/restricted_shell.c index 1920da40a..e66ed0e6b 100644 --- a/src/firejail/restricted_shell.c +++ b/src/firejail/restricted_shell.c 
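Review bot: With `if (!arg_quiet)` in front of the warning, the sshd path added in main.c, which sets `arg_quiet = 1` before calling run_no_sandbox(), now runs a command outside the sandbox without leaving any trace. An unsandboxed start for a login.users account deserves a syslog record regardless of quiet mode, for example a `logmsg()` call as used in sandbox.c just before `system(command)`; I am assuming logmsg() is usable at this point. The added `i == 1 && strcmp(argv[i], "-c") == 0` test in the first no_sandbox.c hunk is redundant, because the next line already skips every argument that starts with `-`. run_no_sandbox() continues outside both hunks.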
@@ -40,7 +40,7 @@ int restricted_shell(const char *user) { char buf[MAX_READ]; while (fgets(buf, MAX_READ, fp)) { lineno++; - + // remove empty spaces at the beginning of the line char *ptr = buf; while (*ptr == ' ' || *ptr == '\t') { @@ -48,7 +48,7 @@ int restricted_shell(const char *user) { } if (*ptr == '\n' || *ptr == '#') continue; - + // parse line char *usr = ptr; char *args = strchr(usr, ':'); @@ -56,6 +56,7 @@ int restricted_shell(const char *user) { fprintf(stderr, "Error: users.conf line %d\n", lineno); exit(1); } + *args = '\0'; args++; ptr = strchr(args, '\n'); @@ -70,6 +71,7 @@ int restricted_shell(const char *user) { found = 1; break; } + ptr2++; } if (!found) continue; @@ -107,7 +109,7 @@ int restricted_shell(const char *user) { } } fclose(fp); - + return 0; } -- cgit v1.2.3-70-g09d2 From 00258a8e5c1f31b60020302cf1560cd0d13260ad Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 15 Aug 2016 09:44:54 -0400 Subject: removed prompt, ssh fixes --- src/firejail/env.c | 4 +-- src/firejail/firejail.h | 2 ++ src/firejail/main.c | 63 +++++++++++++++++++++++++++++++++-------- src/firejail/restricted_shell.c | 24 ++++++++++++---- 4 files changed, 73 insertions(+), 20 deletions(-) diff --git a/src/firejail/env.c b/src/firejail/env.c index 328b19c5b..c05abadca 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c @@ -125,8 +125,8 @@ void env_defaults(void) { errExit("setenv"); // set prompt color to green //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] ' - if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0) - errExit("setenv"); +// if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0) +// errExit("setenv"); // set the window title printf("\033]0;firejail %s\007", cfg.window_title); diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 2a96afa1b..ce232ace5 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h 
@@ -22,6 +22,8 @@ #include "../include/common.h" #include "../include/euid_common.h" +// debug restricted shell +//#define DEBUG_RESTRICTED_SHELL // filesystem #define RUN_FIREJAIL_BASEDIR "/run" diff --git a/src/firejail/main.c b/src/firejail/main.c index 6f1e7531a..047d1a010 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -879,25 +879,35 @@ int main(int argc, char **argv) { arg_quiet = 1; parent_sshd = 1; -#if 0 -EUID_ROOT(); -FILE *fp = fopen("/mylog", "w"); -if (fp) { - int i; - for (i = 0; i < argc; i++) - fprintf(fp, "#%s# ", argv[i]); - fprintf(fp, "\n"); - fclose(fp); -} -EUID_USER(); +#ifdef DEBUG_RESTRICTED_SHELL + {EUID_ROOT(); + FILE *fp = fopen("/firelog", "w"); + if (fp) { + int i; + fprintf(fp, "argc %d: ", argc); + for (i = 0; i < argc; i++) + fprintf(fp, "#%s# ", argv[i]); + fprintf(fp, "\n"); + fclose(fp); + } + EUID_USER();} #endif - // run sftp and scp directly without any sandboxing // regular login has argv[0] == "-firejail" if (*argv[0] != '-') { if (strcmp(argv[1], "-c") == 0 && argc > 2) { if (strcmp(argv[2], "/usr/lib/openssh/sftp-server") == 0 || strncmp(argv[2], "scp ", 4) == 0) { +#ifdef DEBUG_RESTRICTED_SHELL + {EUID_ROOT(); + FILE *fp = fopen("/firelog", "a"); + if (fp) { + fprintf(fp, "run without a sandbox\n"); + fclose(fp); + } + EUID_USER();} +#endif + drop_privs(1); run_no_sandbox(argc, argv); } @@ -914,6 +924,21 @@ EUID_USER(); login_shell = 1; fullargc = restricted_shell(cfg.username); if (fullargc) { + +#ifdef DEBUG_RESTRICTED_SHELL + {EUID_ROOT(); + FILE *fp = fopen("/firelog", "a"); + if (fp) { + fprintf(fp, "fullargc %d: ", fullargc); + int i; + for (i = 0; i < fullargc; i++) + fprintf(fp, "#%s# ", fullargv[i]); + fprintf(fp, "\n"); + fclose(fp); + } + EUID_USER();} +#endif + int j; for (i = 1, j = fullargc; i < argc && j < MAX_ARGS; i++, j++, fullargc++) fullargv[j] = argv[i]; 
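Review bot: Each `DEBUG_RESTRICTED_SHELL` block raises the effective uid with EUID_ROOT() only to write argv to the fixed path `/firelog`, and nearly the same lines are repeated four times in main.c and once more in restricted_shell.c. A single `static void debug_log_args(const char *tag, int argc, char **argv)` helper would remove the duplication and confine the privilege switch to one place. The log records full command lines as root under the process umask, so the comment next to the define in firejail.h should say so: `// debug restricted shell: writes argv to /firelog as root, never enable in release builds`. The first block opens the file with "w" and the later ones with "a", which also deserves a one-line comment.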
@@ -921,6 +946,20 @@ EUID_USER(); // replace argc/argv with fullargc/fullargv argv = fullargv; argc = j; + +#ifdef DEBUG_RESTRICTED_SHELL + {EUID_ROOT(); + FILE *fp = fopen("/firelog", "a"); + if (fp) { + fprintf(fp, "argc %d: ", argc); + int i; + for (i = 0; i < argc; i++) + fprintf(fp, "#%s# ", argv[i]); + fprintf(fp, "\n"); + fclose(fp); + } + EUID_USER();} +#endif } } else { diff --git a/src/firejail/restricted_shell.c b/src/firejail/restricted_shell.c index e66ed0e6b..24ce27c2e 100644 --- a/src/firejail/restricted_shell.c +++ b/src/firejail/restricted_shell.c @@ -84,16 +84,28 @@ int restricted_shell(const char *user) { int i; ptr = args; for (i = 1; i < MAX_ARGS; i++) { - fullargv[i] = ptr; - while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0') + // skip blanks + while (*ptr == ' ' || *ptr == '\t') ptr++; + fullargv[i] = ptr; +#ifdef DEBUG_RESTRICTED_SHELL + {EUID_ROOT(); + FILE *fp = fopen("/firelog", "a"); + if (fp) { + fprintf(fp, "i %d ptr #%s#\n", i, fullargv[i]); + fclose(fp); + } + EUID_USER();} +#endif + if (*ptr != '\0') { + // go to the end of the word + while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0') + ptr++; *ptr ='\0'; fullargv[i] = strdup(fullargv[i]); - if (fullargv[i] == NULL) { - fprintf(stderr, "Error: cannot allocate memory\n"); - exit(1); - } + if (fullargv[i] == NULL) + errExit("strdup"); ptr++; while (*ptr == ' ' || *ptr == '\t') ptr++; -- cgit v1.2.3-70-g09d2 From a0ea44171a0eb2b08452ff352effe974d4feb80e Mon Sep 17 00:00:00 2001 From: Gaman Gabriel Date: Mon, 15 Aug 2016 21:11:50 +0300 Subject: Create inox.profile Inox is a privacy-focused browser based on Chromium. This profile will work with Inox, the Chromium profile is not compatible. --- etc/inox.profile | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 etc/inox.profile diff --git a/etc/inox.profile b/etc/inox.profile new file mode 100644 index 000000000..49d2f2835 --- /dev/null +++ b/etc/inox.profile 
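Review bot: After the rewrite in restricted_shell() the word scan can stop on the string terminator, and the unconditional `ptr++` that follows `*ptr ='\0';` then steps past it, so the next iteration reads whatever lies behind the end of the line in `buf`. That stays harmless only if a second NUL follows, which depends on how the trailing newline was handled earlier in the function (not visible here) and would not hold for a final line without a newline or a line that fills the buffer. Recording the end before overwriting it fixes this: `int at_end = (*ptr == '\0');` before `*ptr ='\0';`, then `if (!at_end) ptr++;`. The loop continues outside the hunk.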
@@ -0,0 +1,24 @@ +# Inox browser profile +noblacklist ~/.config/inox +noblacklist ~/.cache/inox +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc + +netfilter + +whitelist ${DOWNLOADS} +mkdir ~/.config/inox +whitelist ~/.config/inox +mkdir ~/.cache/inox +whitelist ~/.cache/inox +mkdir ~/.pki +whitelist ~/.pki + +# lastpass, keepassx +whitelist ~/.keepassx +whitelist ~/.config/keepassx +whitelist ~/keepassx.kdbx +whitelist ~/.lastpass +whitelist ~/.config/lastpass + +include /etc/firejail/whitelist-common.inc -- cgit v1.2.3-70-g09d2 From cc24d1eed7ff784d35c584704838c8d48feb1f65 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Mon, 15 Aug 2016 21:23:13 +0300 Subject: x11 fixes --- src/firejail/x11.c | 97 ++++++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 76 insertions(+), 21 deletions(-) diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 90ce1fc36..ed6fa3741 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c @@ -20,6 +20,7 @@ #include "firejail.h" #include #include +#include #include #include #include @@ -164,7 +165,7 @@ void x11_start_xephyr(int argc, char **argv) { EUID_ASSERT(); size_t i; struct stat s; - pid_t client = 0; + pid_t jail = 0; pid_t server = 0; setenv("FIREJAIL_X11", "yes", 1); @@ -255,7 +256,7 @@ void x11_start_xephyr(int argc, char **argv) { } // remove --x11 arg - char *client_argv[argc+2]; + char *jail_argv[argc+2]; size_t j = 0; for (i = 0; i < argc; i++) { if (strcmp(argv[i], "--x11") == 0) @@ -264,18 +265,18 @@ void x11_start_xephyr(int argc, char **argv) { continue; if (strcmp(argv[i], "--x11=xephyr") == 0) continue; - client_argv[j] = argv[i]; + jail_argv[j] = argv[i]; j++; } - client_argv[j] = NULL; + jail_argv[j] = NULL; assert(j < argc+2); // no overrun if (arg_debug) { size_t i = 0; printf("xephyr client:"); - while (client_argv[i]!=NULL) { - printf(" \"%s\"", client_argv[i]); + while (jail_argv[i]!=NULL) { + printf(" \"%s\"", jail_argv[i]); i++; } putchar('\n'); 
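Review bot: The profile whitelists password-manager data (`~/.keepassx`, `~/.config/keepassx`, `~/keepassx.kdbx`, `~/.lastpass`, `~/.config/lastpass`) inside the browser sandbox, which makes the credential stores readable by the very process the profile is meant to contain. If these lines were carried over from another browser profile for extension support, the comment should say so, e.g. `# needed only for LastPass/KeePass browser integration; remove if unused`; otherwise I would drop them. Apart from the filesystem rules the profile sets only `netfilter`; if options such as `caps.drop` or `seccomp` are left out on purpose for this browser, a comment should state the reason.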
@@ -322,13 +323,14 @@ void x11_start_xephyr(int argc, char **argv) { setenv("DISPLAY", display_str, 1); // run attach command - client = fork(); - if (client < 0) + jail = fork(); + if (jail < 0) errExit("fork"); - if (client == 0) { - printf("\n*** Attaching to Xephyr display %d ***\n\n", display); + if (jail == 0) { + if (!arg_quiet) + printf("\n*** Attaching to Xephyr display %d ***\n\n", display); - execvp(client_argv[0], client_argv); + execvp(jail_argv[0], jail_argv); perror("execvp"); exit(1); } @@ -337,16 +339,21 @@ void x11_start_xephyr(int argc, char **argv) { free(display_str); free(temp); - // wait for either server or client termination - pid_t pid = wait(); + // wait for either server or jail termination + pid_t pid = wait(NULL); // see which process terminated and kill other if (pid == server) { - kill(client, SIGTERM); - } else if (pid == client) { + kill(jail, SIGTERM); + } else if (pid == jail) { kill(server, SIGTERM); } + // without this closing Xephyr window may mess your terminal: + // "monitoring" process will release terminal before + // jail process ends and releases terminal + wait(NULL); // fulneral + exit(0); } @@ -381,6 +388,13 @@ void x11_start_xpra(int argc, char **argv) { // build the start command char *server_argv[] = { "xpra", "start", display_str, "--no-daemon", NULL }; + int fd_null = -1; + if (arg_quiet) { + fd_null = open("/dev/null", O_RDWR); + if (fd_null == -1) + errExit("open"); + } + // start server = fork(); if (server < 0) @@ -388,6 +402,12 @@ void x11_start_xpra(int argc, char **argv) { if (server == 0) { if (arg_debug) printf("Starting xpra...\n"); + + if (arg_quiet && fd_null != -1) { + dup2(fd_null,0); + dup2(fd_null,1); + dup2(fd_null,2); + } execvp(server_argv[0], server_argv); perror("execvp"); @@ -404,8 +424,7 @@ void x11_start_xpra(int argc, char **argv) { sleep(1); if (stat(fname, &s) == 0) break; - }; -// sleep(1); + } if (n == 10) { fprintf(stderr, "Error: failed to start xpra\n"); 
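Review bot: `fd_null` is opened in the parent when `arg_quiet` is set and duplicated onto 0/1/2 in the children, but it is never closed, so unless something closes it later the extra descriptor is inherited by xpra and by every later child of x11_start_xpra(), including the jailed process. Opening it as `open("/dev/null", O_RDWR | O_CLOEXEC)` keeps the dup2() copies and drops the original at exec. The dup2() results are also ignored, so a failure would leave the child attached to the terminal despite --quiet. In x11_start_xephyr() the result of the new `wait(NULL)` is compared with `server` and `jail` only, so a -1 return signals neither process before the second wait(). Both functions continue outside these hunks.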
@@ -427,7 +446,15 @@ void x11_start_xpra(int argc, char **argv) { if (client < 0) errExit("fork"); if (client == 0) { - printf("\n*** Attaching to xpra display %d ***\n\n", display); + if (arg_quiet && fd_null != -1) { + dup2(fd_null,0); + dup2(fd_null,1); + dup2(fd_null,2); + } + + if (!arg_quiet) + printf("\n*** Attaching to xpra display %d ***\n\n", display); + execvp(attach_argv[0], attach_argv); perror("execvp"); exit(1); @@ -467,26 +494,54 @@ void x11_start_xpra(int argc, char **argv) { if (!arg_quiet) printf("Xpra server pid %d, xpra client pid %d, jail %d\n", server, client, jail); + sleep(1); // let jail start + // wait for jail or server to end while (1) { - pid_t pid = wait(); + pid_t pid = wait(NULL); if (pid == jail) { - sleep(3); // FIXME: find better way to wait for xpra char *stop_argv[] = { "xpra", "stop", display_str, NULL }; pid_t stop = fork(); if (stop < 0) errExit("fork"); if (stop == 0) { + if (arg_quiet && fd_null != -1) { + dup2(fd_null,0); + dup2(fd_null,1); + dup2(fd_null,2); + } execvp(stop_argv[0], stop_argv); perror("execvp"); exit(1); } - sleep(3); + + // wait for xpra server to stop, 10 seconds limit + while (++n < 10) { + sleep(1); + pid = waitpid(server, NULL, WNOHANG); + if (pid == server) + break; + } + + if (arg_debug) + if (n == 10) + printf("failed to stop xpra server gratefully\n"); + else + printf("xpra server successfully stoped in %d secs\n", n); + + // kill xpra server and xpra client kill(client, SIGTERM); kill(server, SIGTERM); exit(0); } + else if (pid == server) { + // kill firejail process + kill(jail, SIGTERM); + // kill xpra client (should die with server, but...) + kill(client, SIGTERM); + exit(0); + } } } -- cgit v1.2.3-70-g09d2 From 9c51201f57eee96f2da54d34d6ff8cff9f37d06e Mon Sep 17 00:00:00 2001 
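Review bot: Once `waitpid(server, NULL, WNOHANG)` has returned `server` the process is reaped, yet the code still falls through to `kill(server, SIGTERM)`; a signal sent to a reaped PID can reach an unrelated process of the same user if the number has been reused, so guard it with `if (pid != server) kill(server, SIGTERM);`. The stop loop `while (++n < 10)` appears to reuse the counter of the start-up wait without resetting it, which shortens the ten-second limit and makes the seconds printed in the debug message wrong; add `n = 0;` before the loop. The nested `if (arg_debug) if (n == 10) ... else ...` should be braced so the `else` binding is explicit. x11_start_xpra() continues outside the hunk.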
From: netblue30 Date: Tue, 16 Aug 2016 07:54:55 -0400 Subject: inox profile integration --- README | 2 ++ README.md | 2 +- RELNOTES | 2 +- platform/debian/conffiles | 1 + 4 files changed, 5 insertions(+), 2 deletions(-) diff --git a/README b/README index e9e47dc2d..12bb8bf49 100644 --- a/README +++ b/README @@ -39,6 +39,8 @@ Aleksey Manevich (https://github.com/manevich) - Busybox support - X11 support rewrite - gether shell selection code in one place +Gaman Gabriel (https://github.com/stelariusinfinitek) + - inox profile Laurent Declercq (https://github.com/nuxwin) - fixed test for shell interpreter in chroots Franco (nextime) Lanza (https://github.com/nextime) diff --git a/README.md b/README.md index 8db004c15..04965a97a 100644 --- a/README.md +++ b/README.md @@ -230,5 +230,5 @@ Browsers: Palemoon ## New security profiles Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview -tar (gtar), unzip, unrar, file, skypeforlinux, gnome-chess +tar (gtar), unzip, unrar, file, skypeforlinux, gnome-chess, inox diff --git a/RELNOTES b/RELNOTES index 79f634dcd..a40808c23 100644 --- a/RELNOTES +++ b/RELNOTES @@ -23,7 +23,7 @@ firejail (0.9.42~rc2) baseline; urgency=low * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice * new profiles: pix, audacity, xz, xzdec, gzip, cpio, less * new profiles: Atom Beta, Atom, jitsi, eom, uudeview - * new profiles: tar (gtar), unzip, unrar, file, skypeforlinux + * new profiles: tar (gtar), unzip, unrar, file, skypeforlinux, inox -- netblue30 Thu, 21 Jul 2016 08:00:00 -0500 firejail (0.9.40) baseline; urgency=low diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 633123e92..59f0b35e7 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles 
@@ -61,6 +61,7 @@ /etc/firejail/icecat.profile /etc/firejail/icedove.profile /etc/firejail/iceweasel.profile +/etc/firejail/inox.profile /etc/firejail/jitsi.profile /etc/firejail/kmail.profile /etc/firejail/konversation.profile -- cgit v1.2.3-70-g09d2 From 4ed1dbe846474869f1766cf95ed2a3a9cc40850d Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 16 Aug 2016 08:17:46 -0400 Subject: inox profile integration --- etc/disable-programs.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 01e68506d..140417b01 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -60,6 +60,7 @@ blacklist ${HOME}/.config/slimjet blacklist ${HOME}/.config/qutebrowser blacklist ${HOME}/.8pecxstudios blacklist ${HOME}/.config/brave +blacklist ${HOME}/.config/inox # Instant Messaging blacklist ${HOME}/.config/hexchat -- cgit v1.2.3-70-g09d2 From cf6d7bdf6bc70f59696efd9de38ae8c910c71021 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 16 Aug 2016 09:40:51 -0400 Subject: reseting fs.c - overlay merge coming up --- src/firejail/fs.c | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 98b661028..bf78a2e3b 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c 
@@ -1110,16 +1110,14 @@ int fs_check_chroot_dir(const char *rootdir) { } free(name); - // check shell (test not needed. We already test access in main.c) - //if (!arg_shell_none) { - // if (asprintf(&name, "%s%s", rootdir, (char *)&cfg.shell) == -1) - // errExit("asprintf"); - // if (stat(name, &s) == -1) { - // fprintf(stderr, "Error: cannot find %s in chroot directory\n", name); - // return 1; - // } - // free(name); - //} + // check /bin/bash +// if (asprintf(&name, "%s/bin/bash", rootdir) == -1) +// errExit("asprintf"); +// if (stat(name, &s) == -1) { +// fprintf(stderr, "Error: cannot find /bin/bash in chroot directory\n"); +// return 1; +// } +// free(name); // check x11 socket directory if (getenv("FIREJAIL_X11")) { -- cgit v1.2.3-70-g09d2 From 595741964d053fcf869443d2ccc7057ef6e080bc Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 16 Aug 2016 09:50:25 -0400 Subject: merging overlayfs --- src/firejail/firejail.h | 1 + 1 file changed, 1 insertion(+) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index ce232ace5..90943dca2 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -223,6 +223,7 @@ extern int arg_debug_whitelists; // print debug messages for whitelists extern int arg_nonetwork; // --net=none extern int arg_command; // -c extern int arg_overlay; // overlay option +extern int arg_overlay_reuse; // allow the reuse of overlays extern int arg_overlay_keep; // place overlay diff directory in ~/.firejail extern int arg_seccomp; // enable default seccomp filter -- cgit v1.2.3-70-g09d2 From 030f80b4f236a48bffc2a78f1db1675c1d18fa67 Mon Sep 17 00:00:00 2001 From: netblue Date: Tue, 16 Aug 2016 09:59:33 -0400 Subject: merging overlay --- src/firejail/firejail.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 90943dca2..9a7f89a4a 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h 
@@ -223,8 +223,8 @@ extern int arg_debug_whitelists; // print debug messages for whitelists extern int arg_nonetwork; // --net=none extern int arg_command; // -c extern int arg_overlay; // overlay option +extern int arg_overlay_keep; // place overlay diff in a known directory extern int arg_overlay_reuse; // allow the reuse of overlays -extern int arg_overlay_keep; // place overlay diff directory in ~/.firejail extern int arg_seccomp; // enable default seccomp filter -- cgit v1.2.3-70-g09d2 From 3104aeac054dce098d0d57c45806f87f1719b184 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 16 Aug 2016 10:08:41 -0400 Subject: merging overlay --- src/firejail/firejail.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 9a7f89a4a..1fed3fcdf 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -225,6 +225,8 @@ extern int arg_command; // -c extern int arg_overlay; // overlay option extern int arg_overlay_keep; // place overlay diff in a known directory extern int arg_overlay_reuse; // allow the reuse of overlays +extern int arg_zsh; // use zsh as default shell +extern int arg_csh; // use csh as default shell extern int arg_seccomp; // enable default seccomp filter -- cgit v1.2.3-70-g09d2 From 17b3604d49ed8f137d000796ff13c5636720aa05 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 16 Aug 2016 10:15:04 -0400 Subject: overlay merge --- src/firejail/main.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/firejail/main.c b/src/firejail/main.c index 047d1a010..782c9998e 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c 
@@ -59,7 +59,10 @@ int arg_debug_whitelists; // print debug messages for whitelists int arg_nonetwork = 0; // --net=none int arg_command = 0; // -c int arg_overlay = 0; // overlay option -int arg_overlay_keep = 0; // place overlay diff directory in ~/.firejail +int arg_overlay_keep = 0; // place overlay diff in a known directory +int arg_overlay_reuse = 0; // allow the reuse of overlays +int arg_zsh = 0; // use zsh as default shell +int arg_csh = 0; // use csh as default shell int arg_seccomp = 0; // enable default seccomp filter -- cgit v1.2.3-70-g09d2 From e42261e64f5d982723be463ce737bf5c3d94be34 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 16 Aug 2016 10:32:43 -0400 Subject: arg_zsh and arg_csh cleanup --- src/firejail/firejail.h | 2 -- src/firejail/main.c | 2 -- 2 files changed, 4 deletions(-) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 1fed3fcdf..9a7f89a4a 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -225,8 +225,6 @@ extern int arg_command; // -c extern int arg_overlay; // overlay option extern int arg_overlay_keep; // place overlay diff in a known directory extern int arg_overlay_reuse; // allow the reuse of overlays -extern int arg_zsh; // use zsh as default shell -extern int arg_csh; // use csh as default shell extern int arg_seccomp; // enable default seccomp filter diff --git a/src/firejail/main.c b/src/firejail/main.c index 8de5f9a6e..1fa68e2f4 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -61,8 +61,6 @@ int arg_command = 0; // -c int arg_overlay = 0; // overlay option int arg_overlay_keep = 0; // place overlay diff in a known directory int arg_overlay_reuse = 0; // allow the reuse of overlays -int arg_zsh = 0; // use zsh as default shell -int arg_csh = 0; // use csh as default shell int arg_seccomp = 0; // enable default seccomp filter -- cgit v1.2.3-70-g09d2 From cf70d33717a94af25ae250f0cf5ebda1f38bd27c Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Tue, 16 Aug 2016 10:52:12 -0400 Subject: overlay etc. --- README | 2 ++ RELNOTES | 2 ++ src/firejail/firejail.h | 1 + src/firejail/fs.c | 38 ++++++++++++++++++++++++++++++++++++++ src/firejail/main.c | 39 ++------------------------------------- src/man/firejail.txt | 22 +++++++++++++--------- 6 files changed, 58 insertions(+), 46 deletions(-) diff --git a/README b/README index 12bb8bf49..f27a80a34 100644 --- a/README +++ b/README @@ -39,6 +39,8 @@ Aleksey Manevich (https://github.com/manevich) - Busybox support - X11 support rewrite - gether shell selection code in one place +hamzadis (https://github.com/hamzadis) + - added --overlay-named=name and --overlay-path=path Gaman Gabriel (https://github.com/stelariusinfinitek) - inox profile Laurent Declercq (https://github.com/nuxwin) diff --git a/RELNOTES b/RELNOTES index a40808c23..4e2ad9b6c 100644 --- a/RELNOTES +++ b/RELNOTES @@ -10,6 +10,8 @@ firejail (0.9.42~rc2) baseline; urgency=low * remove environment variable (--rmenv) * noexec support (--noexec) * --overlay-clean option + * --overlay-named=name option + * --overlay-path=path option * Ubuntu snap support * include /dev/snd in --private-dev * added mkfile profile command diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 9a7f89a4a..633935108 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -326,6 +326,7 @@ void fs_proc_sys_dev_boot(void); // build a basic read-only filesystem void fs_basic_fs(void); // mount overlayfs on top of / directory +char *fs_check_overlay_dir(const char *subdirname, int allow_reuse); void fs_overlayfs(void); // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf void fs_chroot(const char *rootdir); diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 484b99537..63ffa8bff 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c 
@@ -814,6 +814,44 @@ void fs_basic_fs(void) { } + +char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) { + // create ~/.firejail directory + struct stat s; + char *dirname; + if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1) + errExit("asprintf"); + if (stat(dirname, &s) == -1) { + /* coverity[toctou] */ + if (mkdir(dirname, 0700)) + errExit("mkdir"); + if (chown(dirname, getuid(), getgid()) < 0) + errExit("chown"); + if (chmod(dirname, 0700) < 0) + errExit("chmod"); + } + else if (is_link(dirname)) { + fprintf(stderr, "Error: invalid ~/.firejail directory\n"); + exit(1); + } + + free(dirname); + + // check overlay directory + if (asprintf(&dirname, "%s/.firejail/%s", cfg.homedir, subdirname) == -1) + errExit("asprintf"); + if (allow_reuse == 0) { + if (stat(dirname, &s) == 0) { + fprintf(stderr, "Error: overlay directory already exists: %s\n", dirname); + exit(1); + } + } + + return dirname; +} + + + // mount overlayfs on top of / directory // mounting an overlay and chrooting into it: // diff --git a/src/firejail/main.c b/src/firejail/main.c index 1fa68e2f4..4946db2bd 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c 
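Review bot: `fs_check_overlay_dir` handles `~/.firejail` purely by path (`stat`, `mkdir`, `chown`, `chmod`), and the `is_link` test runs only when the first `stat` succeeds, so a directory swapped for a symlink between those calls redirects `chown`/`chmod` to the link target; the `coverity[toctou]` marker acknowledges the window without closing it. The path lives in the user's home and the privilege level at this point is not visible in the hunk, so the ownership change should go through a descriptor opened with `O_DIRECTORY | O_NOFOLLOW` and use `fchown`/`fchmod`, as sketched below. `subdirname` is also appended unchecked, so the function relies on callers rejecting `/` and `..`. A header comment should state that requirement and that the returned string is owned by the caller.

```c
	if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
		errExit("asprintf");

	int created = 0;
	if (mkdir(dirname, 0700) == 0)
		created = 1;
	else if (errno != EEXIST)
		errExit("mkdir");

	// pin the directory with a descriptor; O_NOFOLLOW rejects a symlink in the last component
	int fd = open(dirname, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
	if (fd == -1) {
		fprintf(stderr, "Error: invalid ~/.firejail directory\n");
		exit(1);
	}
	if (created) {
		if (fchown(fd, getuid(), getgid()) < 0)
			errExit("fchown");
		if (fchmod(fd, 0700) < 0)
			errExit("fchmod");
	}
	close(fd);
	// … unchanged: free(dirname) and the overlay subdirectory check …
```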
@@ -704,41 +704,6 @@ static void delete_x11_file(pid_t pid) { free(fname); } -static char *create_and_check_overlay_dir(const char *subdirname, int allow_reuse) { - // create ~/.firejail directory - struct stat s; - char *dirname; - if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1) - errExit("asprintf"); - if (stat(dirname, &s) == -1) { - /* coverity[toctou] */ - if (mkdir(dirname, 0700)) - errExit("mkdir"); - if (chown(dirname, getuid(), getgid()) < 0) - errExit("chown"); - if (chmod(dirname, 0700) < 0) - errExit("chmod"); - } - else if (is_link(dirname)) { - fprintf(stderr, "Error: invalid ~/.firejail directory\n"); - exit(1); - } - - free(dirname); - - // check overlay directory - if (asprintf(&dirname, "%s/.firejail/%s", cfg.homedir, subdirname) == -1) - errExit("asprintf"); - if (allow_reuse == 0) { - if (stat(dirname, &s) == 0) { - fprintf(stderr, "Error: overlay directory already exists: %s\n", dirname); - exit(1); - } - } - - return dirname; -} - static void detect_quiet(int argc, char **argv) { int i; @@ -1329,7 +1294,7 @@ int main(int argc, char **argv) { char *subdirname; if (asprintf(&subdirname, "%d", getpid()) == -1) errExit("asprintf"); - cfg.overlay_dir = create_and_check_overlay_dir(subdirname, arg_overlay_reuse); + cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse); free(subdirname); } @@ -1352,7 +1317,7 @@ int main(int argc, char **argv) { fprintf(stderr, "Error: invalid overlay option\n"); exit(1); } - cfg.overlay_dir = create_and_check_overlay_dir(subdirname, arg_overlay_reuse); + cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse); } else if (strncmp(argv[i], "--overlay-path=", 15) == 0) { if (cfg.chrootdir) { diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 3cc9a8401..732d14624 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
@@ -994,12 +994,13 @@ $ ls -l sandboxlog* \fB\-\-overlay Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container, the system directories are mounted read-write. All filesystem modifications go into the overlay. -The overlay is stored in $HOME/.firejail/ directory. This option is not available on Grsecurity systems. +The overlay is stored in $HOME/.firejail/ directory. .br .br OverlayFS support is required in Linux kernel for this option to work. -OverlayFS was officially introduced in Linux kernel version 3.18 +OverlayFS was officially introduced in Linux kernel version 3.18. +This option is not available on Grsecurity systems. .br .br @@ -1012,12 +1013,13 @@ $ firejail \-\-overlay firefox Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container, the system directories are mounted read-write. All filesystem modifications go into the overlay. The overlay is stored in $HOME/.firejail/ directory. The created overlay can be reused between multiple -sessions. This option is not available on Grsecurity systems. +sessions. .br .br OverlayFS support is required in Linux kernel for this option to work. -OverlayFS was officially introduced in Linux kernel version 3.18 +OverlayFS was officially introduced in Linux kernel version 3.18. +This option is not available on Grsecurity systems. .br .br 
@@ -1030,12 +1032,12 @@ $ firejail \-\-overlay-named=jail1 firefox Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container, the system directories are mounted read-write. All filesystem modifications go into the overlay. The overlay is stored in the specified path. The created overlay can be reused between multiple sessions. -This option is not available on Grsecurity systems. .br .br OverlayFS support is required in Linux kernel for this option to work. -OverlayFS was officially introduced in Linux kernel version 3.18 +OverlayFS was officially introduced in Linux kernel version 3.18. +This option is not available on Grsecurity systems. .br .br @@ -1046,12 +1048,13 @@ $ firejail \-\-overlay-path=~/jails/jail1 firefox .TP \fB\-\-overlay-tmpfs Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay, -and are discarded when the sandbox is closed. This option is not available on Grsecurity systems. +and are discarded when the sandbox is closed. .br .br OverlayFS support is required in Linux kernel for this option to work. -OverlayFS was officially introduced in Linux kernel version 3.18 +OverlayFS was officially introduced in Linux kernel version 3.18. +This option is not available on Grsecurity systems. .br .br @@ -1061,7 +1064,8 @@ $ firejail \-\-overlay-tmpfs firefox .TP \fB\-\-overlay-clean -Clean all overlays stored in $HOME/.firejail directory. +Clean all overlays stored in $HOME/.firejail directory. Overlays created with --overlay-path=path +outside $HOME/.firejail will not be deleted. .br .br -- cgit v1.2.3-70-g09d2 From 0773b2791af79418572373ac8297bea6060d65a9 Mon Sep 17 00:00:00 2001 
From: Fred-Barclay Date: Wed, 17 Aug 2016 09:18:20 +1000 Subject: tightened profiles --- etc/gnome-mplayer.profile | 5 ++++- etc/gpredict.profile | 3 ++- etc/gthumb.profile | 3 ++- etc/hedgewars.profile | 6 +++++- etc/hexchat.profile | 6 +++++- etc/jitsi.profile | 1 + etc/kmail.profile | 4 ++++ etc/konversation.profile | 3 +++ 8 files changed, 26 insertions(+), 5 deletions(-) diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile index 1caea177d..1b0fc9807 100644 --- a/etc/gnome-mplayer.profile +++ b/etc/gnome-mplayer.profile @@ -5,10 +5,13 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +nogroups nonewprivs noroot protocol unix,inet,inet6 seccomp - shell none + private-bin gnome-mplayer +private-dev +private-tmp diff --git a/etc/gpredict.profile b/etc/gpredict.profile index a8378a66e..353ecceae 100644 --- a/etc/gpredict.profile +++ b/etc/gpredict.profile @@ -15,10 +15,11 @@ nonewprivs nogroups noroot nosound -protocol unix,inet,inet6,netlink +protocol unix,inet,inet6 seccomp shell none tracelog private-bin gpredict private-dev +private-tmp diff --git a/etc/gthumb.profile b/etc/gthumb.profile index 3c02576aa..e043c7229 100644 --- a/etc/gthumb.profile +++ b/etc/gthumb.profile @@ -7,8 +7,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -nonewprivs nogroups +nonewprivs noroot nosound protocol unix @@ -19,3 +19,4 @@ tracelog private-bin gthumb whitelist /tmp/.X11-unix private-dev +private-tmp diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile index c5d863bd5..7910b7eb0 100644 --- a/etc/hedgewars.profile +++ b/etc/hedgewars.profile @@ -7,12 +7,16 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +netfilter +nogroups nonewprivs noroot -private-dev seccomp tracelog +private-dev +private-tmp + mkdir ~/.hedgewars whitelist ~/.hedgewars include /etc/firejail/whitelist-common.inc 
diff --git a/etc/hexchat.profile b/etc/hexchat.profile index 0d7ee6594..0ff64aef5 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile @@ -7,9 +7,11 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all +netfilter +nogroups nonewprivs noroot -netfilter +nosound protocol unix,inet,inet6 seccomp @@ -18,3 +20,5 @@ whitelist ~/.config/hexchat include /etc/firejail/whitelist-common.inc # private-bin requires perl, python, etc. +private-dev +private-tmp diff --git a/etc/jitsi.profile b/etc/jitsi.profile index 8baf1ad94..c61158f8b 100644 --- a/etc/jitsi.profile +++ b/etc/jitsi.profile @@ -14,3 +14,4 @@ seccomp shell none tracelog +private-tmp diff --git a/etc/kmail.profile b/etc/kmail.profile index 44a53e258..8c8fd18c4 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile @@ -9,7 +9,11 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter nonewprivs +nogroups noroot protocol unix,inet,inet6,netlink seccomp tracelog + +private-dev +private-tmp diff --git a/etc/konversation.profile b/etc/konversation.profile index 190061618..e9546fd1b 100644 --- a/etc/konversation.profile +++ b/etc/konversation.profile @@ -7,6 +7,9 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter +nogroups noroot seccomp protocol unix,inet,inet6 + +private-tmp -- cgit v1.2.3-70-g09d2 From 3adedf90bf9ecc2695bac0edd3f900300a48d562 Mon Sep 17 00:00:00 2001 From: greigdp Date: Wed, 17 Aug 2016 11:42:14 +0100 Subject: Add profile support for Slack --- etc/disable-programs.inc | 1 + etc/slack.profile | 27 +++++++++++++++++++++++++++ 2 files changed, 28 insertions(+) create mode 100644 etc/slack.profile diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 140417b01..c94bcc9f4 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc 
@@ -78,6 +78,7 @@ blacklist ${HOME}/.TelegramDesktop blacklist ${HOME}/.config/Gitter blacklist ${HOME}/.config/Franz blacklist ${HOME}/.jitsi +blacklist ${HOME}/.config/Slack # Games blacklist ${HOME}/.hedgewars diff --git a/etc/slack.profile b/etc/slack.profile new file mode 100644 index 000000000..ea7b715f9 --- /dev/null +++ b/etc/slack.profile @@ -0,0 +1,27 @@ +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +mkdir ${HOME}/.config +mkdir ${HOME}/.config/Slack +whitelist ${HOME}/.config/Slack +whitelist ~/Downloads + +protocol unix,inet,inet6,netlink +private-dev +private-tmp +private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime +name slack +blacklist /var + +include /etc/firejail/whitelist-common.inc + +caps.drop all +seccomp +netfilter +nonewprivs +nogroups +noroot +shell none +private-bin slack -- cgit v1.2.3-70-g09d2 From 68f20d089d8df3813bfce9811553c4f938d5bd9b Mon Sep 17 00:00:00 2001 From: greigdp Date: Wed, 17 Aug 2016 11:44:33 +0100 Subject: Fix Spotify - "private-bin spotify" prevents Spotify loading --- etc/spotify.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/spotify.profile b/etc/spotify.profile index 6bcb99e0f..73d427db3 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile @@ -27,5 +27,5 @@ protocol unix,inet,inet6,netlink seccomp shell none -private-bin spotify +#private-bin spotify private-dev -- cgit v1.2.3-70-g09d2 From b32f7914ec6b14590e7aa7625dabd606ac022db2 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 17 Aug 2016 08:44:23 -0400 Subject: slack profile integration --- README | 3 +++ README.md | 2 +- RELNOTES | 3 ++- platform/debian/conffiles | 1 + 4 files changed, 7 insertions(+), 2 deletions(-) diff --git a/README b/README index f27a80a34..13c324a02 100644 --- a/README +++ b/README 
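Review bot: Commenting out `private-bin spotify` in etc/spotify.profile drops the profile's limit on which binaries are visible inside the sandbox, and the line stays behind as dead text with no reason given. Record the reason next to it, e.g. `# private-bin disabled: spotify fails to start with it (TODO: identify the extra binaries it needs)`, so the restriction can be restored with a complete list instead of being forgotten.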
@@ -43,6 +43,9 @@ hamzadis (https://github.com/hamzadis) - added --overlay-named=name and --overlay-path=path Gaman Gabriel (https://github.com/stelariusinfinitek) - inox profile +greigdp (https://github.com/greigdp) + - fixed spotify profile + - added Slack profile Laurent Declercq (https://github.com/nuxwin) - fixed test for shell interpreter in chroots Franco (nextime) Lanza (https://github.com/nextime) diff --git a/README.md b/README.md index 04965a97a..ddb614620 100644 --- a/README.md +++ b/README.md @@ -230,5 +230,5 @@ Browsers: Palemoon ## New security profiles Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview -tar (gtar), unzip, unrar, file, skypeforlinux, gnome-chess, inox +tar (gtar), unzip, unrar, file, skypeforlinux, gnome-chess, inox, Slack diff --git a/RELNOTES b/RELNOTES index 4e2ad9b6c..eec3117ed 100644 --- a/RELNOTES +++ b/RELNOTES @@ -25,7 +25,8 @@ firejail (0.9.42~rc2) baseline; urgency=low * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice * new profiles: pix, audacity, xz, xzdec, gzip, cpio, less * new profiles: Atom Beta, Atom, jitsi, eom, uudeview - * new profiles: tar (gtar), unzip, unrar, file, skypeforlinux, inox + * new profiles: tar (gtar), unzip, unrar, file, skypeforlinux, + * new profiles: inox, Slack, gnome-chess -- netblue30 Thu, 21 Jul 2016 08:00:00 -0500 firejail (0.9.40) baseline; urgency=low diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 59f0b35e7..fb19a135f 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -106,6 +106,7 @@ /etc/firejail/server.profile /etc/firejail/skype.profile /etc/firejail/skypeforlinux.profile +/etc/firejail/slack.profile /etc/firejail/snap.profile /etc/firejail/soffice.profile /etc/firejail/spotify.profile -- cgit v1.2.3-70-g09d2 From 46a15d38d347fe012b25a913c381a128a392edb0 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Wed, 17 Aug 2016 10:27:58 -0400 Subject: firemon fixes for x11 sandboxes --- src/lib/common.c | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ src/lib/pid.c | 18 +++++++---------- 2 files changed, 66 insertions(+), 11 deletions(-) diff --git a/src/lib/common.c b/src/lib/common.c index 8ea926df1..885f31881 100644 --- a/src/lib/common.c +++ b/src/lib/common.c @@ -199,3 +199,62 @@ char *pid_proc_cmdline(const pid_t pid) { } return rv; } + +// return 1 if firejail --x11 on command line +int pid_proc_cmdline_x11(const pid_t pid) { + // if comm is not firejail return 0 + char *comm = pid_proc_comm(pid); + if (strcmp(comm, "firejail") != 0) { + free(comm); + return 0; + } + free(comm); + + // open /proc/pid/cmdline file + char *fname; + int fd; + if (asprintf(&fname, "/proc/%d/cmdline", pid) == -1) + return 0; + if ((fd = open(fname, O_RDONLY)) < 0) { + free(fname); + return 0; + } + free(fname); + + // read file + unsigned char buffer[BUFLEN]; + ssize_t len; + if ((len = read(fd, buffer, sizeof(buffer) - 1)) <= 0) { + close(fd); + return 0; + } + buffer[len] = '\0'; + close(fd); + + // skip the first argument + int i; + for (i = 0; buffer[i] != '\0'; i++); + + // parse remaining command line options + while (1) { + // extract argument + i++; + if (i >= len) + break; + char *arg = buffer + i; + + // detect the last command line option + if (strcmp(arg, "--") == 0) + break; + if (strncmp(arg, "--", 2) != 0) + break; + + // check x11 + if (strcmp(arg, "--x11") == 0 || strncmp(arg, "--x11=", 6) == 0) + return 1; + } + return 0; +} + + + diff --git a/src/lib/pid.c b/src/lib/pid.c index d1ade389e..4540247a0 100644 --- a/src/lib/pid.c +++ b/src/lib/pid.c 
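Review bot: `pid_proc_cmdline_x11` passes the result of `pid_proc_comm(pid)` straight to `strcmp`; if that helper can return NULL (its body is outside this hunk, and the process may exit between enumeration and this call), that is a null-pointer dereference. Add `if (!comm) return 0;` before the comparison. `char *arg = buffer + i;` assigns from an `unsigned char` array, which needs a cast or a plain `char buffer[BUFLEN]`. Both `comm` and `cmdline` are controlled by the inspected process itself, so the return value is a hint rather than a trustworthy property, and a short comment above the function should say so.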
@@ -340,18 +340,14 @@ void pid_read(pid_t mon_pid) { exit(1); } - if (mon_pid == 0 && strncmp(ptr, "firejail", 8) == 0) { - pids[pid].level = 1; + if ((strncmp(ptr, "firejail", 8) == 0) && (mon_pid == 0 || mon_pid == pid)) { + if (pid_proc_cmdline_x11(pid)) { + printf("--x11 detected for pid %d\n", pid); + pids[pid].level = -1; + } + else + pids[pid].level = 1; } - else if (mon_pid == pid && strncmp(ptr, "firejail", 8) == 0) { - pids[pid].level = 1; - } -// else if (mon_pid == 0 && strncmp(ptr, "lxc-execute", 11) == 0) { -// pids[pid].level = 1; -// } -// else if (mon_pid == pid && strncmp(ptr, "lxc-execute", 11) == 0) { -// pids[pid].level = 1; -// } else pids[pid].level = -1; } -- cgit v1.2.3-70-g09d2 From 20e643e967f67e08889f05a197d378faa3665343 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 17 Aug 2016 12:51:18 -0400 Subject: firemon fixes --- README.md | 12 ------------ src/include/common.h | 1 + src/lib/common.c | 5 +++-- src/lib/pid.c | 4 +--- 4 files changed, 5 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index ddb614620..13aeb51b0 100644 --- a/README.md +++ b/README.md @@ -57,19 +57,7 @@ TESTING: file TESTING: tar netblue@debian:~/work/github/firejail/test/sysutils$ TESTING ERROR 3.1 [...] -cd test/apps-x11; ./apps-x11.sh | grep TESTING -TESTING: xterm x11 -netblue@debian:~/work/github/firejail/test/apps-x11$ TESTING ERROR 5.1 -TESTING: firefox x11 -netblue@debian:~/work/github/firejail/test/apps-x11$ TESTING ERROR 5.1 -TESTING: chromium x11 -TESTING: transmission-gtk x11 -netblue@debian:~/work/github/firejail/test/apps-x11$ TESTING ERROR 5.1 -TESTING: icedove x11 -netblue@debian:~/work/github/firejail/test/apps-x11$ TESTING ERROR 5.1 -[...] ````` -"firemon --seccomp" and "firemon --caps" are misbehaving at the moment. ## Deprecated --user diff --git a/src/include/common.h b/src/include/common.h index cd4b9c874..762a0262a 100644 --- a/src/include/common.h +++ b/src/include/common.h 
@@ -113,4 +113,5 @@ int join_namespace(pid_t pid, char *type); int name2pid(const char *name, pid_t *pid); char *pid_proc_comm(const pid_t pid); char *pid_proc_cmdline(const pid_t pid); +int pid_proc_cmdline_x11(const pid_t pid); #endif diff --git a/src/lib/common.c b/src/lib/common.c index 885f31881..fe5c62536 100644 --- a/src/lib/common.c +++ b/src/lib/common.c @@ -242,7 +242,7 @@ int pid_proc_cmdline_x11(const pid_t pid) { if (i >= len) break; char *arg = buffer + i; - + // detect the last command line option if (strcmp(arg, "--") == 0) break; @@ -250,8 +250,9 @@ int pid_proc_cmdline_x11(const pid_t pid) { break; // check x11 - if (strcmp(arg, "--x11") == 0 || strncmp(arg, "--x11=", 6) == 0) + if (strncmp(arg, "--x11", 5) == 0) return 1; + i += strlen(arg); } return 0; } diff --git a/src/lib/pid.c b/src/lib/pid.c index 4540247a0..bbb123b81 100644 --- a/src/lib/pid.c +++ b/src/lib/pid.c @@ -341,10 +341,8 @@ void pid_read(pid_t mon_pid) { } if ((strncmp(ptr, "firejail", 8) == 0) && (mon_pid == 0 || mon_pid == pid)) { - if (pid_proc_cmdline_x11(pid)) { - printf("--x11 detected for pid %d\n", pid); + if (pid_proc_cmdline_x11(pid)) pids[pid].level = -1; - } else pids[pid].level = 1; } -- cgit v1.2.3-70-g09d2 From 30ce7015e8d8d44640c2d26580cdcd0ad54357d5 Mon Sep 17 00:00:00 2001 From: Icaro Perseo Date: Wed, 17 Aug 2016 21:25:55 -0500 Subject: New GTK paths added. --- etc/whitelist-common.inc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc index 2317133c5..abbb4a9fc 100644 --- a/etc/whitelist-common.inc +++ b/etc/whitelist-common.inc @@ -20,8 +20,11 @@ whitelist ~/.cache/fontconfig # gtk whitelist ~/.gtkrc whitelist ~/.gtkrc-2.0 +whitelist ~/.config/gtk-2.0 whitelist ~/.config/gtk-3.0 whitelist ~/.themes +whitelist ~/.kde/share/config/gtkrc +whitelist ~/.kde/share/config/gtkrc-2.0 # dconf mkdir ~/.config/dconf -- cgit v1.2.3-70-g09d2 From 9f5fc0e2a4aff2cde18aa34b3161a744e4a19aad Mon Sep 17 00:00:00 2001 
From: Icaro Perseo Date: Wed, 17 Aug 2016 21:30:04 -0500 Subject: New KDE apps and settings path added. --- etc/disable-common.inc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index d18ee0287..ed6ee315b 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -14,6 +14,7 @@ blacklist /etc/xdg/autostart blacklist ${HOME}/.kde4/Autostart blacklist ${HOME}/.kde4/share/autostart blacklist ${HOME}/.kde/Autostart +blacklist ${HOME}/.kde/share/autostart blacklist ${HOME}/.config/plasma-workspace/shutdown blacklist ${HOME}/.config/plasma-workspace/env blacklist ${HOME}/.config/lxsession/LXDE/autostart @@ -168,3 +169,5 @@ blacklist ${PATH}/roxterm-config blacklist ${PATH}/terminix blacklist ${PATH}/urxvtc blacklist ${PATH}/urxvtcd +blacklist ${PATH}/konsole +blacklist ${PATH}/yakuake -- cgit v1.2.3-70-g09d2 From 9888f2d3c7f9ea3823f135a67b37f4f217f0f185 Mon Sep 17 00:00:00 2001 From: Icaro Perseo Date: Wed, 17 Aug 2016 21:42:06 -0500 Subject: 'icecat.profile' updated. --- etc/icecat.profile | 51 ++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 50 insertions(+), 1 deletion(-) diff --git a/etc/icecat.profile b/etc/icecat.profile index 25d426ad2..2f8e2df7f 100644 --- a/etc/icecat.profile +++ b/etc/icecat.profile 
@@ -1,2 +1,51 @@ # Firejail profile for GNU Icecat -include /etc/firejail/firefox.profile + +noblacklist ~/.mozilla +noblacklist ~/.cache/mozilla +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog + +whitelist ${DOWNLOADS} +mkdir ~/.mozilla +whitelist ~/.mozilla +mkdir ~/.cache/mozilla/icecat +whitelist ~/.cache/mozilla/icecat +whitelist ~/dwhelper +whitelist ~/.zotero +whitelist ~/.vimperatorrc +whitelist ~/.vimperator +whitelist ~/.pentadactylrc +whitelist ~/.pentadactyl +whitelist ~/.keysnail.js +whitelist ~/.config/gnome-mplayer +whitelist ~/.cache/gnome-mplayer/plugin +whitelist ~/.pki + +# lastpass, keepassx +whitelist ~/.keepassx +whitelist ~/.config/keepassx +whitelist ~/keepassx.kdbx +whitelist ~/.lastpass +whitelist ~/.config/lastpass + + +#silverlight +whitelist ~/.wine-pipelight +whitelist ~/.wine-pipelight64 +whitelist ~/.config/pipelight-widevine +whitelist ~/.config/pipelight-silverlight5.1 + +include /etc/firejail/whitelist-common.inc + +# experimental features +#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse + -- cgit v1.2.3-70-g09d2 From 6ffdc467370c4d4964ced120e5a2cddc0bc38490 Mon Sep 17 00:00:00 2001 From: greigdp Date: Thu, 18 Aug 2016 12:00:46 +0100 Subject: Add profile for Gajim IM client --- etc/disable-programs.inc | 3 +++ etc/gajim.profile | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+) create mode 100644 etc/gajim.profile diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index c94bcc9f4..26d9cf22b 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc 
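Review bot: Replacing `include /etc/firejail/firefox.profile` with a full copy means later hardening of the Firefox profile no longer reaches IceCat, and the two rule sets will drift apart. If only the cache path differs, keeping the include and adding the IceCat-specific `mkdir ~/.cache/mozilla/icecat` and `whitelist ~/.cache/mozilla/icecat` lines would be a smaller change. The copy also whitelists password-manager stores (`~/.keepassx`, `~/keepassx.kdbx`, `~/.lastpass`) and does not include `disable-passwdmgr.inc`. A comment above that group stating why the browser needs them would make the exposure a documented choice.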
@@ -79,6 +79,9 @@ blacklist ${HOME}/.config/Gitter blacklist ${HOME}/.config/Franz blacklist ${HOME}/.jitsi blacklist ${HOME}/.config/Slack +blacklist ${HOME}/.cache/gajim +blacklist ${HOME}/.local/share/gajim +blacklist ${HOME}/.config/gajim # Games blacklist ${HOME}/.hedgewars diff --git a/etc/gajim.profile b/etc/gajim.profile new file mode 100644 index 000000000..04902a734 --- /dev/null +++ b/etc/gajim.profile @@ -0,0 +1,33 @@ +# Firejail profile for Gajim + +mkdir ${HOME}/.cache/gajim +mkdir ${HOME}/.local/share/gajim +mkdir ${HOME}/.config/gajim +mkdir ${HOME}/Downloads + +# Allow the local python 2.7 site packages, in case any plugins are using these +mkdir ${HOME}/.local/lib/python2.7/site-packages/ +whitelist ${HOME}/.local/lib/python2.7/site-packages/ +read-only ${HOME}/.local/lib/python2.7/site-packages/ + +whitelist ${HOME}/.cache/gajim +whitelist ${HOME}/.local/share/gajim +whitelist ${HOME}/.config/gajim +whitelist ${HOME}/Downloads + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc + +caps.drop all +netfilter +nonewprivs +nogroups +noroot +protocol unix,inet,inet6 +seccomp +shell none + +#private-bin python2.7 gajim +private-dev -- cgit v1.2.3-70-g09d2 From 3f69d4f42c45bfca9e68f9c3fec02edd0ae53c07 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Thu, 18 Aug 2016 18:03:24 +0300 Subject: run_no_sandbox fix --- src/firejail/firejail.h | 1 + src/firejail/no_sandbox.c | 151 +++++++++++++++++++++++++++++++++------------- src/firejail/sandbox.c | 2 +- 3 files changed, 110 insertions(+), 44 deletions(-) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 633935108..8301a79a0 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h 
@@ -283,6 +283,7 @@ char *guess_shell(void); // sandbox.c int sandbox(void* sandbox_arg); +void start_application(void); // network_main.c void net_configure_bridge(Bridge *br, char *dev_name); diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index 80ed72dca..090c06761 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c 
@@ -162,54 +162,119 @@ int check_kernel_procs(void) { void run_no_sandbox(int argc, char **argv) { EUID_ASSERT(); - // build command - char *command = NULL; - int allocated = 0; - if (argc == 1) - command = "/bin/bash"; - else { - // calculate length - int len = 0; - int i; - for (i = 1; i < argc; i++) { - if (i == 1 && strcmp(argv[i], "-c") == 0) - continue; - if (*argv[i] == '-') - continue; - break; + // process limited subset of options + int i; + for (i = 0; i < argc; i++) { + if (strcmp(argv[i], "--csh") == 0) { + if (arg_shell_none) { + fprintf(stderr, "Error: --shell=none was already specified.\n"); + exit(1); + } + if (cfg.shell) { + fprintf(stderr, "Error: only one default user shell can be specified\n"); + exit(1); + } + cfg.shell = "/bin/csh"; } - int start_index = i; - for (i = start_index; i < argc; i++) - len += strlen(argv[i]) + 3; - - // allocate - command = malloc(len + 1); - if (!command) - errExit("malloc"); - memset(command, 0, len + 1); - allocated = 1; - - // copy - for (i = start_index; i < argc; i++) { - if (strchr(argv[i], '&')) { - strcat(command, "\""); - strcat(command, argv[i]); - strcat(command, "\" "); + else if (strcmp(argv[i], "--zsh") == 0) { + if (arg_shell_none) { + fprintf(stderr, "Error: --shell=none was already specified.\n"); + exit(1); + } + if (cfg.shell) { + fprintf(stderr, "Error: only one default user shell can be specified\n"); + exit(1); + } + cfg.shell = "/bin/zsh"; + } + else if (strcmp(argv[i], "--shell=none") == 0) { + arg_shell_none = 1; + if (cfg.shell) { + fprintf(stderr, "Error: a shell was already specified\n"); + exit(1); + } + } + else if (strncmp(argv[i], "--shell=", 8) == 0) { + if (arg_shell_none) { + fprintf(stderr, "Error: --shell=none was already specified.\n"); + exit(1); + } + invalid_filename(argv[i] + 8); + + if (cfg.shell) { + fprintf(stderr, "Error: only one user shell can be specified\n"); + exit(1); + } + cfg.shell = argv[i] + 8; + + if (is_dir(cfg.shell) || strstr(cfg.shell, "..")) { + 
fprintf(stderr, "Error: invalid shell\n"); + exit(1); } - else { - strcat(command, argv[i]); - strcat(command, " "); + + // access call checks as real UID/GID, not as effective UID/GID + if(cfg.chrootdir) { + char *shellpath; + if (asprintf(&shellpath, "%s%s", cfg.chrootdir, cfg.shell) == -1) + errExit("asprintf"); + if (access(shellpath, R_OK)) { + fprintf(stderr, "Error: cannot access shell file in chroot\n"); + exit(1); + } + free(shellpath); + } else if (access(cfg.shell, R_OK)) { + fprintf(stderr, "Error: cannot access shell file\n"); + exit(1); } } } - - // start the program in /bin/sh + + // use $SHELL to get shell used in sandbox + if (!arg_shell_none && !cfg.shell) { + char *shell = secure_getenv("SHELL"); + if (access(shell, R_OK) == 0) + cfg.shell = shell; + } + // guess shell otherwise + if (!arg_shell_none && !cfg.shell) { + guess_shell(); + if (arg_debug) + printf("Autoselecting %s as shell\n", cfg.shell); + } + if (!arg_shell_none && !cfg.shell) { + fprintf(stderr, "Error: unable to guess your shell, please set explicitly by using --shell option.\n"); + exit(1); + } + + int prog_index = 0; + // find first non option arg + for (i = 1; i < argc; i++) { + if (strncmp(argv[i],"--",2) != 0) { + prog_index = i; + break; + } + } + + if (!arg_shell_none) { + if (prog_index == 0) { + cfg.command_line = cfg.shell; + cfg.window_title = cfg.shell; + } else { + build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index); + } + } + + cfg.original_argv = argv; + cfg.original_program_index = prog_index; + + char *command; + if (prog_index == 0) + command = cfg.shell; + else + command = argv[prog_index]; if (!arg_quiet) fprintf(stderr, "Warning: an existing sandbox was detected. " - "%s will run without any additional sandboxing features in a /bin/sh shell\n", command); - int rv = system(command); - (void) rv; - if (allocated) - free(command); - exit(1); + "%s will run without any additional sandboxing features\n", command); + + start_application(); } 
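Review bot: In `run_no_sandbox`, the result of `secure_getenv("SHELL")` is passed straight to `access(shell, R_OK)`, but `secure_getenv` returns NULL when SHELL is unset. It also returns NULL in secure-execution mode, which presumably applies to a setuid firejail binary. The guard should read `if (shell && access(shell, R_OK) == 0)`. Separately, the option loop starts at `i = 0` and scans every element of `argv`, so a `--zsh` or `--shell=...` placed after the program name and meant for that program is still interpreted by firejail. Stopping the scan at the first non-option argument would keep the two apart.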
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 8178cfc8e..c40ff1d03 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -284,7 +284,7 @@ void start_audit(void) { exit(1); } -static void start_application(void) { +void start_application(void) { //**************************************** // audit //**************************************** -- cgit v1.2.3-70-g09d2 From 1e34df8bc3dccd8aca3854412ff6b748c8a8ba24 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 18 Aug 2016 18:23:18 -0400 Subject: gajim profile integration --- README | 5 +++++ README.md | 2 +- RELNOTES | 2 +- platform/debian/conffiles | 1 + 4 files changed, 8 insertions(+), 2 deletions(-) diff --git a/README b/README index 13c324a02..51adbaf86 100644 --- a/README +++ b/README @@ -39,6 +39,11 @@ Aleksey Manevich (https://github.com/manevich) - Busybox support - X11 support rewrite - gether shell selection code in one place +greigdp (https://github.com/greigdp) + - Gajim IM client profile +Icaro Perseo (https://github.com/icaroperseo) + - Icecat profile + - several profile fixes hamzadis (https://github.com/hamzadis) - added --overlay-named=name and --overlay-path=path Gaman Gabriel (https://github.com/stelariusinfinitek) diff --git a/README.md b/README.md index 13aeb51b0..14dcd4d56 100644 --- a/README.md +++ b/README.md @@ -218,5 +218,5 @@ Browsers: Palemoon ## New security profiles Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview -tar (gtar), unzip, unrar, file, skypeforlinux, gnome-chess, inox, Slack +tar (gtar), unzip, unrar, file, skypeforlinux, gnome-chess, inox, Slack, Gajim IM client diff --git a/RELNOTES b/RELNOTES index eec3117ed..363526417 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -26,7 +26,7 @@ firejail (0.9.42~rc2) baseline; urgency=low * new profiles: pix, audacity, xz, xzdec, gzip, cpio, less * new profiles: Atom Beta, Atom, jitsi, eom, uudeview * new profiles: tar (gtar), unzip, unrar, file, skypeforlinux, - * new profiles: inox, Slack, gnome-chess + * new profiles: inox, Slack, gnome-chess. Gajim IM client -- netblue30 Thu, 21 Jul 2016 08:00:00 -0500 firejail (0.9.40) baseline; urgency=low diff --git a/platform/debian/conffiles b/platform/debian/conffiles index fb19a135f..4c6b0ebef 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -43,6 +43,7 @@ /etc/firejail/firejail.config /etc/firejail/flashpeak-slimjet.profile /etc/firejail/franz.profile +/etc/firejail/gajim.profile /etc/firejail/gitter.profile /etc/firejail/gnome-chess.profile /etc/firejail/gnome-mplayer.profile -- cgit v1.2.3-70-g09d2 From 3e4772ecadd9c2c820204c6fc88a48c38b5131fb Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 18 Aug 2016 21:13:26 -0400 Subject: small fixes for command args --- src/firejail/main.c | 5 +++-- src/firejail/no_sandbox.c | 15 +++++++++++++-- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/src/firejail/main.c b/src/firejail/main.c index 4946db2bd..8e18ec724 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -723,7 +723,7 @@ static void detect_quiet(int argc, char **argv) { } char *guess_shell(void) { - char *shell; + char *shell = NULL; // shells in order of preference char *shells[] = {"/bin/bash", "/bin/csh", "/usr/bin/zsh", "/bin/sh", "/bin/ash", NULL }; @@ -910,7 +910,8 @@ int main(int argc, char **argv) { #endif drop_privs(1); - run_no_sandbox(argc, argv); + int rv = system(argv[2]); + exit(rv); } } } diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index 090c06761..f7d62f90c 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c 
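Review bot: In the `@@ -910,7 +910,8 @@` hunk of main.c, `exit(rv)` passes the raw wait status from `system()` to `exit`, so a command that fails with status 1 (wait status 256) makes firejail exit 0. Decode the status first, e.g. `exit(WIFEXITED(rv) ? WEXITSTATUS(rv) : 1);`, which needs `<sys/wait.h>`. `argv[2]` is also used with no visible `argc > 2` check, and `system()` runs it through `/bin/sh -c`, the path the previous commit on this page had just replaced with `start_application()`. The enclosing block in `main` starts outside the hunk, so the condition guarding this branch cannot be confirmed from here.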
@@ -237,7 +237,7 @@ void run_no_sandbox(int argc, char **argv) { } // guess shell otherwise if (!arg_shell_none && !cfg.shell) { - guess_shell(); + cfg.shell = guess_shell(); if (arg_debug) printf("Autoselecting %s as shell\n", cfg.shell); } @@ -247,8 +247,19 @@ void run_no_sandbox(int argc, char **argv) { } int prog_index = 0; - // find first non option arg + // find first non option arg: + // - first argument not starting wiht --, + // - whatever follows after -c (example: firejail -c ls) for (i = 1; i < argc; i++) { + if (strcmp(argv[i], "-c") == 0) { + prog_index = i + 1; + if (prog_index == argc) { + fprintf(stderr, "Error: option -c requires an argument\n"); + exit(1); + } + break; + } + // check first argument not starting with -- if (strncmp(argv[i],"--",2) != 0) { prog_index = i; break; -- cgit v1.2.3-70-g09d2 From 1c030e81348376f64288ad70f88deb7bfb6cff08 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Sat, 20 Aug 2016 14:20:24 +0300 Subject: audit for existing sandbox --- src/firejail/join.c | 82 ++++++++++++----------------------------------------- 1 file changed, 18 insertions(+), 64 deletions(-) diff --git a/src/firejail/join.c b/src/firejail/join.c index 632715fea..672913480 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c 
@@ -333,77 +333,31 @@ void join(pid_t pid, int argc, char **argv, int index) { // run cmdline trough shell if (cfg.command_line == NULL) { assert(cfg.shell); + cfg.command_line = cfg.shell; + cfg.window_title = cfg.shell; + } - // replace the process with a shell - execlp(cfg.shell, cfg.shell, NULL); - - // it should never get here - errExit("execlp"); + int cwd = 0; + if (cfg.cwd) { + if (chdir(cfg.cwd) == 0) + cwd = 1; } - else { - // run the command supplied by the user - int cwd = 0; - if (cfg.cwd) { - if (chdir(cfg.cwd) == 0) - cwd = 1; - } - - if (!cwd) { - if (chdir("/") < 0) - errExit("chdir"); - if (cfg.homedir) { - struct stat s; - if (stat(cfg.homedir, &s) == 0) { - if (chdir(cfg.homedir) < 0) - errExit("chdir"); - } - } - } - if (arg_shell_none) { - if (arg_debug) { - int i; - for (i = cfg.original_program_index; i < cfg.original_argc; i++) { - if (cfg.original_argv[i] == NULL) - break; - printf("execvp argument %d: %s\n", i - cfg.original_program_index, cfg.original_argv[i]); - } - } - - if (cfg.original_program_index == 0) { - fprintf(stderr, "Error: --shell=none configured, but no program specified\n"); - exit(1); - } - - if (!arg_command && !arg_quiet) - printf("Child process initialized\n"); - - execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]); - exit(1); - } else { - assert(cfg.shell); - - char *arg[5]; - arg[0] = cfg.shell; - arg[1] = "-c"; - if (arg_debug) - printf("Starting %s\n", cfg.command_line); - if (!arg_doubledash) { - arg[2] = cfg.command_line; - arg[3] = NULL; - } - else { - arg[2] = "--"; - arg[3] = cfg.command_line; - arg[4] = NULL; + if (!cwd) { + if (chdir("/") < 0) + errExit("chdir"); + if (cfg.homedir) { + struct stat s; + if (stat(cfg.homedir, &s) == 0) { + /* coverity[toctou] */ + if (chdir(cfg.homedir) < 0) + errExit("chdir"); } - execvp(arg[0], arg); - - // it should never get here - errExit("execvp"); } } + start_application(); + // it will never get here!!! 
} -- cgit v1.2.3-70-g09d2 From ccf7230e0b4e74d21ba9030793b4486250d30507 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 20 Aug 2016 07:54:20 -0400 Subject: compile time config option for overlayfs --- configure | 17 +++++++++++++++++ configure.ac | 9 +++++++++ src/firejail/Makefile.in | 3 ++- src/firejail/checkcfg.c | 8 ++++++++ src/firejail/fs.c | 3 ++- src/firejail/main.c | 4 ++++ src/firejail/sandbox.c | 2 ++ src/firejail/x11.c | 22 ++++++++++++---------- src/lib/common.c | 2 +- test/dist-compile/compile.sh | 39 +++++++++++++++++++++++---------------- 10 files changed, 80 insertions(+), 29 deletions(-) diff --git a/configure b/configure index 29792969c..5505b01c2 100755 --- a/configure +++ b/configure @@ -636,6 +636,7 @@ HAVE_GLOBALCFG HAVE_BIND HAVE_CHROOT HAVE_SECCOMP +HAVE_OVERLAYFS EXTRA_LDFLAGS EGREP GREP @@ -694,6 +695,7 @@ ac_subst_files='' ac_user_opts=' enable_option_checking enable_apparmor +enable_overlayfs enable_seccomp enable_chroot enable_bind @@ -1325,6 +1327,7 @@ Optional Features: --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) --enable-FEATURE[=ARG] include FEATURE [ARG=yes] --enable-apparmor enable apparmor + --disable-overlayfs disable overlayfs --disable-seccomp disable seccomp --disable-chroot disable chroot --disable-bind disable bind @@ -3511,6 +3514,19 @@ if test "x$enable_apparmor" = "xyes"; then : fi +HAVE_OVERLAYFS="" +# Check whether --enable-overlayfs was given. +if test "${enable_overlayfs+set}" = set; then : + enableval=$enable_overlayfs; +fi + +if test "x$enable_overlayfs" != "xno"; then : + + HAVE_OVERLAYFS="-DHAVE_OVERLAYFS" + + +fi + HAVE_SECCOMP="" # Check whether --enable-seccomp was given. if test "${enable_seccomp+set}" = set; then : 
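Review bot: The added `/* coverity[toctou] */` annotation in `join` silences the stat-then-chdir finding on `cfg.homedir` rather than removing the check-then-use pattern. `stat()` tells the code nothing that the return value of `chdir()` does not already report. Calling `chdir(cfg.homedir)` directly and deciding from `errno` whether to stay in `/` or call `errExit("chdir")` would make the suppression unnecessary. The function begins outside this hunk, and the behaviour of `start_application()` for the `--shell=none` case that the removed lines handled is not visible here.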
@@ -4922,6 +4938,7 @@ echo " user namespace: $HAVE_USERNS" echo " X11 sandboxing support: $HAVE_X11" echo " whitelisting: $HAVE_WHITELIST" echo " file transfer support: $HAVE_FILE_TRANSFER" +echo " overlayfs support: $HAVE_OVERLAYFS" echo " fatal warnings: $HAVE_FATAL_WARNINGS" echo " busybox workaround: $BUSYBOX_WORKAROUND" printf " uid_min: "; grep UID_MIN uids.h diff --git a/configure.ac b/configure.ac index 149f76eae..2a5bd5e54 100644 --- a/configure.ac +++ b/configure.ac @@ -30,6 +30,14 @@ AS_IF([test "x$enable_apparmor" = "xyes"], [ ]) AC_SUBST([EXTRA_LDFLAGS]) +HAVE_OVERLAYFS="" +AC_ARG_ENABLE([overlayfs], + AS_HELP_STRING([--disable-overlayfs], [disable overlayfs])) +AS_IF([test "x$enable_overlayfs" != "xno"], [ + HAVE_OVERLAYFS="-DHAVE_OVERLAYFS" + AC_SUBST(HAVE_OVERLAYFS) +]) + HAVE_SECCOMP="" AC_ARG_ENABLE([seccomp], AS_HELP_STRING([--disable-seccomp], [disable seccomp])) @@ -156,6 +164,7 @@ echo " user namespace: $HAVE_USERNS" echo " X11 sandboxing support: $HAVE_X11" echo " whitelisting: $HAVE_WHITELIST" echo " file transfer support: $HAVE_FILE_TRANSFER" +echo " overlayfs support: $HAVE_OVERLAYFS" echo " fatal warnings: $HAVE_FATAL_WARNINGS" echo " busybox workaround: $BUSYBOX_WORKAROUND" printf " uid_min: "; grep UID_MIN uids.h diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in index 15253b5ab..f56137308 100644 --- a/src/firejail/Makefile.in +++ b/src/firejail/Makefile.in 
@@ -19,13 +19,14 @@ HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ HAVE_WHITELIST=@HAVE_WHITELIST@ HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ HAVE_APPARMOR=@HAVE_APPARMOR@ +HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ H_FILE_LIST = $(sort $(wildcard *.[h])) C_FILE_LIST = $(sort $(wildcard *.c)) OBJS = $(C_FILE_LIST:.c=.o) BINOBJS = $(foreach file, $(OBJS), $file) -CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_APPARMOR) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security +CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 019b54773..f5ea7439b 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -272,6 +272,14 @@ void print_compiletime_support(void) { #endif ); + printf("\t- overlayfs support is %s\n", +#ifdef HAVE_OVERLAYFS + "enabled" +#else + "disabled" +#endif + ); + printf("\t- file and directory whitelisting support is %s\n", #ifdef HAVE_WHITELIST "enabled" diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 63ffa8bff..ddb25c2dd 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c 
@@ -815,6 +815,7 @@ void fs_basic_fs(void) { +#ifdef HAVE_OVERLAYFS char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) { // create ~/.firejail directory struct stat s; @@ -1121,7 +1122,7 @@ void fs_overlayfs(void) { free(oroot); free(odiff); } - +#endif #ifdef HAVE_CHROOT diff --git a/src/firejail/main.c b/src/firejail/main.c index 8e18ec724..c366390cc 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -264,6 +264,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { printf("\n"); exit(0); } +#ifdef HAVE_OVERLAYFS else if (strcmp(argv[i], "--overlay-clean") == 0) { char *path; if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1) @@ -281,6 +282,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { } exit(0); } +#endif #ifdef HAVE_X11 else if (strcmp(argv[i], "--x11") == 0) { if (checkcfg(CFG_X11)) { @@ -1279,6 +1281,7 @@ int main(int argc, char **argv) { profile_check_line(line, 0, NULL); // will exit if something wrong profile_add(line); } +#ifdef HAVE_OVERLAYFS else if (strcmp(argv[i], "--overlay") == 0) { if (cfg.chrootdir) { fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); @@ -1353,6 +1356,7 @@ int main(int argc, char **argv) { } arg_overlay = 1; } +#endif else if (strncmp(argv[i], "--profile=", 10) == 0) { if (arg_noprofile) { fprintf(stderr, "Error: --noprofile and --profile options are mutually exclusive\n"); diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index c40ff1d03..a33c81937 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -500,9 +500,11 @@ int sandbox(void* sandbox_arg) { } else #endif +#ifdef HAVE_OVERLAYFS if (arg_overlay) fs_overlayfs(); else +#endif fs_basic_fs(); //**************************** diff --git a/src/firejail/x11.c b/src/firejail/x11.c index ed6fa3741..3d0918b2c 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c 
@@ -26,6 +26,7 @@ #include #include #include +#include #ifdef HAVE_X11 // return 1 if xpra is installed on the system @@ -163,7 +164,7 @@ void fs_x11(void) { //$ DISPLAY=:22 firejail --net=eth0 --blacklist=/tmp/.X11-unix/x0 firefox void x11_start_xephyr(int argc, char **argv) { EUID_ASSERT(); - size_t i; + int i; struct stat s; pid_t jail = 0; pid_t server = 0; @@ -204,12 +205,12 @@ void x11_start_xephyr(int argc, char **argv) { // parse xephyr_extra_params // very basic quoting support char *temp = strdup(xephyr_extra_params); - if (xephyr_extra_params != "") { + if (*xephyr_extra_params != '\0') { if (!temp) errExit("strdup"); bool dquote = false; bool squote = false; - for (i = 0; i < strlen(xephyr_extra_params); i++) { + for (i = 0; i < (int) strlen(xephyr_extra_params); i++) { if (temp[i] == '\"') { dquote = !dquote; if (dquote) temp[i] = '\0'; // replace closing quote by \0 @@ -229,7 +230,7 @@ void x11_start_xephyr(int argc, char **argv) { exit(1); } - for (i = 0; i < strlen(xephyr_extra_params)-1; i++) { + for (i = 0; i < (int) strlen(xephyr_extra_params)-1; i++) { if (pos >= (sizeof(server_argv)/sizeof(*server_argv))) { fprintf(stderr, "Error: arg count limit exceeded while parsing xephyr_extra_params\n"); exit(1); @@ -257,7 +258,7 @@ void x11_start_xephyr(int argc, char **argv) { // remove --x11 arg char *jail_argv[argc+2]; - size_t j = 0; + int j = 0; for (i = 0; i < argc; i++) { if (strcmp(argv[i], "--x11") == 0) continue; @@ -359,7 +360,7 @@ void x11_start_xephyr(int argc, char **argv) { void x11_start_xpra(int argc, char **argv) { EUID_ASSERT(); - size_t i; + int i; struct stat s; pid_t client = 0; pid_t server = 0; @@ -464,7 +465,7 @@ void x11_start_xpra(int argc, char **argv) { // build jail command char *firejail_argv[argc+2]; - unsigned pos = 0; + int pos = 0; for (i = 0; i < argc; i++) { if (strcmp(argv[i], "--x11") == 0) continue; 
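Review bot: In the `@@ -204,12 +205,12 @@` and `@@ -229,7 +230,7 @@` hunks of `x11_start_xephyr`, both loops now call `strlen(xephyr_extra_params)` in the loop condition and cast it to `int` on every iteration. Taking the length once, `const int len = (int) strlen(xephyr_extra_params);`, and using `len` and `len - 1` as the bounds keeps the signed arithmetic in one place. The `if (!temp) errExit("strdup");` check also sits inside the non-empty branch, so moving it directly after the `strdup` call would make the failure handling unconditional. The function starts before and continues after these hunks.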
@@ -477,7 +478,7 @@ void x11_start_xpra(int argc, char **argv) { } firejail_argv[pos] = NULL; - assert(pos < argc+2); + assert(pos < (argc+2)); assert(!firejail_argv[pos]); // start jail @@ -524,12 +525,13 @@ void x11_start_xpra(int argc, char **argv) { break; } - if (arg_debug) + if (arg_debug) { if (n == 10) printf("failed to stop xpra server gratefully\n"); else printf("xpra server successfully stoped in %d secs\n", n); - + } + // kill xpra server and xpra client kill(client, SIGTERM); kill(server, SIGTERM); diff --git a/src/lib/common.c b/src/lib/common.c index fe5c62536..acb6bd3b4 100644 --- a/src/lib/common.c +++ b/src/lib/common.c @@ -241,7 +241,7 @@ int pid_proc_cmdline_x11(const pid_t pid) { i++; if (i >= len) break; - char *arg = buffer + i; + char *arg = (char *)buffer + i; // detect the last command line option if (strcmp(arg, "--") == 0) diff --git a/test/dist-compile/compile.sh b/test/dist-compile/compile.sh index f762b457d..76a7162b7 100755 --- a/test/dist-compile/compile.sh +++ b/test/dist-compile/compile.sh @@ -12,7 +12,8 @@ arr[9]="TEST 9: compile file transfer disabled" arr[10]="TEST 10: compile disable whitelist" arr[11]="TEST 11: compile disable global config" arr[12]="TEST 12: compile apparmor" -arr[12]="TEST 13: compile busybox" +arr[13]="TEST 13: compile busybox" +arr[14]="TEST 14: compile overlayfs disabled" # remove previous reports and output file cleanup() { @@ -52,8 +53,6 @@ cleanup # TEST 1 #***************************************************************** # - checkout source code -# - check compilation -# - install #***************************************************************** print_title "${arr[1]}" echo "$DIST" @@ -75,7 +74,6 @@ rm output-configure output-make # TEST 2 #***************************************************************** # - disable seccomp configuration -# - check compilation #***************************************************************** print_title "${arr[2]}" # seccomp 
@@ -94,7 +92,6 @@ rm output-configure output-make # TEST 3 #***************************************************************** # - disable chroot configuration -# - check compilation #***************************************************************** print_title "${arr[3]}" # seccomp @@ -113,7 +110,6 @@ rm output-configure output-make # TEST 4 #***************************************************************** # - disable bind configuration -# - check compilation #***************************************************************** print_title "${arr[4]}" # seccomp @@ -132,7 +128,6 @@ rm output-configure output-make # TEST 5 #***************************************************************** # - disable user namespace configuration -# - check compilation #***************************************************************** print_title "${arr[5]}" # seccomp @@ -170,7 +165,6 @@ rm output-configure output-make # TEST 7 #***************************************************************** # - disable X11 support -# - check compilation #***************************************************************** print_title "${arr[7]}" # seccomp @@ -190,7 +184,6 @@ rm output-configure output-make # TEST 8 #***************************************************************** # - enable network restricted -# - check compilation #***************************************************************** print_title "${arr[8]}" # seccomp @@ -210,7 +203,6 @@ rm output-configure output-make # TEST 9 #***************************************************************** # - disable file transfer -# - check compilation #***************************************************************** print_title "${arr[9]}" # seccomp @@ -229,7 +221,6 @@ rm output-configure output-make # TEST 10 #***************************************************************** # - disable whitelist -# - check compilation #***************************************************************** print_title "${arr[10]}" # seccomp 
@@ -248,7 +239,6 @@ rm output-configure output-make # TEST 11 #***************************************************************** # - disable global config -# - check compilation #***************************************************************** print_title "${arr[11]}" # seccomp @@ -267,9 +257,8 @@ rm output-configure output-make # TEST 12 #***************************************************************** # - enable apparmor -# - check compilation #***************************************************************** -print_title "${arr[11]}" +print_title "${arr[12]}" # seccomp cd firejail make distclean @@ -286,9 +275,8 @@ rm output-configure output-make # TEST 13 #***************************************************************** # - enable busybox workaround -# - check compilation #***************************************************************** -print_title "${arr[11]}" +print_title "${arr[13]}" # seccomp cd firejail make distclean @@ -301,6 +289,24 @@ cp output-configure oc13 cp output-make om13 rm output-configure output-make +#***************************************************************** +# TEST 14 +#***************************************************************** +# - disable overlayfs +#***************************************************************** +print_title "${arr[14]}" +# seccomp +cd firejail +make distclean +./configure --prefix=/usr --disable-overlayfs --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +cd .. +grep Warning output-configure output-make > ./report-test14 +grep Error output-configure output-make >> ./report-test14 +cp output-configure oc14 +cp output-make om14 +rm output-configure output-make + #***************************************************************** # PRINT REPORTS @@ -329,3 +335,4 @@ echo ${arr[10]} echo ${arr[11]} echo ${arr[12]} echo ${arr[13]} +echo ${arr[14]} -- cgit v1.2.3-70-g09d2 From 01b80e1d268951be29ac09af526b5e23f675c346 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Sat, 20 Aug 2016 08:15:59 -0400 Subject: testing --- Makefile.in | 8 +- test/compile/compile.sh | 338 +++++++++++++++++++++++++++++++++++++++++++ test/dist-compile/compile.sh | 338 ------------------------------------------- 3 files changed, 342 insertions(+), 342 deletions(-) create mode 100755 test/compile/compile.sh delete mode 100755 test/dist-compile/compile.sh diff --git a/Makefile.in b/Makefile.in index c91db3bc7..d1b3d3be8 100644 --- a/Makefile.in +++ b/Makefile.in @@ -48,7 +48,7 @@ clean: rm -f test/environment/index.html rm -f test/environment/wget-log rm -f test/sysutils/firejail_t* - cd test/dist-compile; ./compile.sh --clean; cd ../.. + cd test/compile; ./compile.sh --clean; cd ../.. distclean: clean for dir in $(APPS) $(MYLIBS); do \ @@ -137,7 +137,7 @@ uninstall: rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg DISTFILES = "src etc platform configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES" -DISTFILES_TEST = "test/apps test/apps-x11 test/environment test/profiles test/utils test/dist-compile test/filters test/network test/fs test/sysutils" +DISTFILES_TEST = "test/apps test/apps-x11 test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils" dist: make distclean @@ -159,8 +159,8 @@ snap: all install-snap: snap sudo snap remove faudit; sudo snap install faudit*.snap -dist-compile: dist - cd test/dist-compile; ./compile.sh $(NAME)-$(VERSION) +test-compile: dist + cd test/compile; ./compile.sh $(NAME)-$(VERSION) .PHONY: rpms rpms: diff --git a/test/compile/compile.sh b/test/compile/compile.sh new file mode 100755 index 000000000..76a7162b7 --- /dev/null +++ b/test/compile/compile.sh 
@@ -0,0 +1,338 @@ +#!/bin/bash + +arr[1]="TEST 1: standard compilation" +arr[2]="TEST 2: compile seccomp disabled" +arr[3]="TEST 3: compile chroot disabled" +arr[4]="TEST 4: compile bind disabled" +arr[5]="TEST 5: compile user namespace disabled" +arr[6]="TEST 6: compile network disabled" +arr[7]="TEST 7: compile X11 disabled" +arr[8]="TEST 8: compile network restricted" +arr[9]="TEST 9: compile file transfer disabled" +arr[10]="TEST 10: compile disable whitelist" +arr[11]="TEST 11: compile disable global config" +arr[12]="TEST 12: compile apparmor" +arr[13]="TEST 13: compile busybox" +arr[14]="TEST 14: compile overlayfs disabled" + +# remove previous reports and output file +cleanup() { + rm -f report* + rm -fr firejail + rm -f oc* om* +} + +print_title() { + echo + echo + echo + echo "**************************************************" + echo $1 + echo "**************************************************" +} + +DIST="$1" +while [ $# -gt 0 ]; do # Until you run out of parameters . . . + case "$1" in + --clean) + cleanup + exit + ;; + --help) + echo "./compile.sh [--clean|--help]" + exit + ;; + esac + shift # Check next set of parameters. +done + +cleanup + + +#***************************************************************** +# TEST 1 +#***************************************************************** +# - checkout source code +#***************************************************************** +print_title "${arr[1]}" +echo "$DIST" +tar -xJvf ../../$DIST.tar.xz +mv $DIST firejail + +cd firejail +./configure --prefix=/usr --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +cd .. 
+grep Warning output-configure output-make > ./report-test1 +grep Error output-configure output-make >> ./report-test1 +cp output-configure oc1 +cp output-make om1 +rm output-configure output-make + + +#***************************************************************** +# TEST 2 +#***************************************************************** +# - disable seccomp configuration +#***************************************************************** +print_title "${arr[2]}" +# seccomp +cd firejail +make distclean +./configure --prefix=/usr --disable-seccomp --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +cd .. +grep Warning output-configure output-make > ./report-test2 +grep Error output-configure output-make >> ./report-test2 +cp output-configure oc2 +cp output-make om2 +rm output-configure output-make + +#***************************************************************** +# TEST 3 +#***************************************************************** +# - disable chroot configuration +#***************************************************************** +print_title "${arr[3]}" +# seccomp +cd firejail +make distclean +./configure --prefix=/usr --disable-chroot --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +cd .. +grep Warning output-configure output-make > ./report-test3 +grep Error output-configure output-make >> ./report-test3 +cp output-configure oc3 +cp output-make om3 +rm output-configure output-make + +#***************************************************************** +# TEST 4 +#***************************************************************** +# - disable bind configuration +#***************************************************************** +print_title "${arr[4]}" +# seccomp +cd firejail +make distclean +./configure --prefix=/usr --disable-bind --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +cd .. 
+grep Warning output-configure output-make > ./report-test4 +grep Error output-configure output-make >> ./report-test4 +cp output-configure oc4 +cp output-make om4 +rm output-configure output-make + +#***************************************************************** +# TEST 5 +#***************************************************************** +# - disable user namespace configuration +#***************************************************************** +print_title "${arr[5]}" +# seccomp +cd firejail +make distclean +./configure --prefix=/usr --disable-userns --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +cd .. +grep Warning output-configure output-make > ./report-test5 +grep Error output-configure output-make >> ./report-test5 +cp output-configure oc5 +cp output-make om5 +rm output-configure output-make + +#***************************************************************** +# TEST 6 +#***************************************************************** +# - disable user namespace configuration +# - check compilation +#***************************************************************** +print_title "${arr[6]}" +# seccomp +cd firejail +make distclean +./configure --prefix=/usr --disable-network --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +cd .. +grep Warning output-configure output-make > ./report-test6 +grep Error output-configure output-make >> ./report-test6 +cp output-configure oc6 +cp output-make om6 +rm output-configure output-make + +#***************************************************************** +# TEST 7 +#***************************************************************** +# - disable X11 support +#***************************************************************** +print_title "${arr[7]}" +# seccomp +cd firejail +make distclean +./configure --prefix=/usr --disable-x11 --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +cd .. 
+grep Warning output-configure output-make > ./report-test7 +grep Error output-configure output-make >> ./report-test7 +cp output-configure oc7 +cp output-make om7 +rm output-configure output-make + + +#***************************************************************** +# TEST 8 +#***************************************************************** +# - enable network restricted +#***************************************************************** +print_title "${arr[8]}" +# seccomp +cd firejail +make distclean +./configure --prefix=/usr --enable-network=restricted --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +cd .. +grep Warning output-configure output-make > ./report-test8 +grep Error output-configure output-make >> ./report-test8 +cp output-configure oc8 +cp output-make om8 +rm output-configure output-make + + +#***************************************************************** +# TEST 9 +#***************************************************************** +# - disable file transfer +#***************************************************************** +print_title "${arr[9]}" +# seccomp +cd firejail +make distclean +./configure --prefix=/usr --disable-file-transfer --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +cd .. +grep Warning output-configure output-make > ./report-test9 +grep Error output-configure output-make >> ./report-test9 +cp output-configure oc9 +cp output-make om9 +rm output-configure output-make + +#***************************************************************** +# TEST 10 +#***************************************************************** +# - disable whitelist +#***************************************************************** +print_title "${arr[10]}" +# seccomp +cd firejail +make distclean +./configure --prefix=/usr --disable-whitelist --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +cd .. 
+grep Warning output-configure output-make > ./report-test10 +grep Error output-configure output-make >> ./report-test10 +cp output-configure oc10 +cp output-make om10 +rm output-configure output-make + +#***************************************************************** +# TEST 11 +#***************************************************************** +# - disable global config +#***************************************************************** +print_title "${arr[11]}" +# seccomp +cd firejail +make distclean +./configure --prefix=/usr --disable-globalcfg --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +cd .. +grep Warning output-configure output-make > ./report-test11 +grep Error output-configure output-make >> ./report-test11 +cp output-configure oc11 +cp output-make om11 +rm output-configure output-make + +#***************************************************************** +# TEST 12 +#***************************************************************** +# - enable apparmor +#***************************************************************** +print_title "${arr[12]}" +# seccomp +cd firejail +make distclean +./configure --prefix=/usr --enable-apparmor --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +cd .. +grep Warning output-configure output-make > ./report-test12 +grep Error output-configure output-make >> ./report-test12 +cp output-configure oc12 +cp output-make om12 +rm output-configure output-make + +#***************************************************************** +# TEST 13 +#***************************************************************** +# - enable busybox workaround +#***************************************************************** +print_title "${arr[13]}" +# seccomp +cd firejail +make distclean +./configure --prefix=/usr --enable-busybox-workaround --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +cd .. 
+grep Warning output-configure output-make > ./report-test13 +grep Error output-configure output-make >> ./report-test13 +cp output-configure oc13 +cp output-make om13 +rm output-configure output-make + +#***************************************************************** +# TEST 14 +#***************************************************************** +# - disable overlayfs +#***************************************************************** +print_title "${arr[14]}" +# seccomp +cd firejail +make distclean +./configure --prefix=/usr --disable-overlayfs --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +cd .. +grep Warning output-configure output-make > ./report-test14 +grep Error output-configure output-make >> ./report-test14 +cp output-configure oc14 +cp output-make om14 +rm output-configure output-make + + +#***************************************************************** +# PRINT REPORTS +#***************************************************************** +echo +echo +echo +echo +echo "**********************************************************" +echo "TEST RESULTS" +echo "**********************************************************" + +wc -l report-test* +echo +echo "Legend:" +echo ${arr[1]} +echo ${arr[2]} +echo ${arr[3]} +echo ${arr[4]} +echo ${arr[5]} +echo ${arr[6]} +echo ${arr[7]} +echo ${arr[8]} +echo ${arr[9]} +echo ${arr[10]} +echo ${arr[11]} +echo ${arr[12]} +echo ${arr[13]} +echo ${arr[14]} diff --git a/test/dist-compile/compile.sh b/test/dist-compile/compile.sh deleted file mode 100755 index 76a7162b7..000000000 --- a/test/dist-compile/compile.sh +++ /dev/null 
@@ -1,338 +0,0 @@ -#!/bin/bash - -arr[1]="TEST 1: standard compilation" -arr[2]="TEST 2: compile seccomp disabled" -arr[3]="TEST 3: compile chroot disabled" -arr[4]="TEST 4: compile bind disabled" -arr[5]="TEST 5: compile user namespace disabled" -arr[6]="TEST 6: compile network disabled" -arr[7]="TEST 7: compile X11 disabled" -arr[8]="TEST 8: compile network restricted" -arr[9]="TEST 9: compile file transfer disabled" -arr[10]="TEST 10: compile disable whitelist" -arr[11]="TEST 11: compile disable global config" -arr[12]="TEST 12: compile apparmor" -arr[13]="TEST 13: compile busybox" -arr[14]="TEST 14: compile overlayfs disabled" - -# remove previous reports and output file -cleanup() { - rm -f report* - rm -fr firejail - rm -f oc* om* -} - -print_title() { - echo - echo - echo - echo "**************************************************" - echo $1 - echo "**************************************************" -} - -DIST="$1" -while [ $# -gt 0 ]; do # Until you run out of parameters . . . - case "$1" in - --clean) - cleanup - exit - ;; - --help) - echo "./compile.sh [--clean|--help]" - exit - ;; - esac - shift # Check next set of parameters. -done - -cleanup - - -#***************************************************************** -# TEST 1 -#***************************************************************** -# - checkout source code -#***************************************************************** -print_title "${arr[1]}" -echo "$DIST" -tar -xJvf ../../$DIST.tar.xz -mv $DIST firejail - -cd firejail -./configure --prefix=/usr --enable-fatal-warnings 2>&1 | tee ../output-configure -make -j4 2>&1 | tee ../output-make -cd .. 
-grep Warning output-configure output-make > ./report-test1 -grep Error output-configure output-make >> ./report-test1 -cp output-configure oc1 -cp output-make om1 -rm output-configure output-make - - -#***************************************************************** -# TEST 2 -#***************************************************************** -# - disable seccomp configuration -#***************************************************************** -print_title "${arr[2]}" -# seccomp -cd firejail -make distclean -./configure --prefix=/usr --disable-seccomp --enable-fatal-warnings 2>&1 | tee ../output-configure -make -j4 2>&1 | tee ../output-make -cd .. -grep Warning output-configure output-make > ./report-test2 -grep Error output-configure output-make >> ./report-test2 -cp output-configure oc2 -cp output-make om2 -rm output-configure output-make - -#***************************************************************** -# TEST 3 -#***************************************************************** -# - disable chroot configuration -#***************************************************************** -print_title "${arr[3]}" -# seccomp -cd firejail -make distclean -./configure --prefix=/usr --disable-chroot --enable-fatal-warnings 2>&1 | tee ../output-configure -make -j4 2>&1 | tee ../output-make -cd .. -grep Warning output-configure output-make > ./report-test3 -grep Error output-configure output-make >> ./report-test3 -cp output-configure oc3 -cp output-make om3 -rm output-configure output-make - -#***************************************************************** -# TEST 4 -#***************************************************************** -# - disable bind configuration -#***************************************************************** -print_title "${arr[4]}" -# seccomp -cd firejail -make distclean -./configure --prefix=/usr --disable-bind --enable-fatal-warnings 2>&1 | tee ../output-configure -make -j4 2>&1 | tee ../output-make -cd .. 
-grep Warning output-configure output-make > ./report-test4 -grep Error output-configure output-make >> ./report-test4 -cp output-configure oc4 -cp output-make om4 -rm output-configure output-make - -#***************************************************************** -# TEST 5 -#***************************************************************** -# - disable user namespace configuration -#***************************************************************** -print_title "${arr[5]}" -# seccomp -cd firejail -make distclean -./configure --prefix=/usr --disable-userns --enable-fatal-warnings 2>&1 | tee ../output-configure -make -j4 2>&1 | tee ../output-make -cd .. -grep Warning output-configure output-make > ./report-test5 -grep Error output-configure output-make >> ./report-test5 -cp output-configure oc5 -cp output-make om5 -rm output-configure output-make - -#***************************************************************** -# TEST 6 -#***************************************************************** -# - disable user namespace configuration -# - check compilation -#***************************************************************** -print_title "${arr[6]}" -# seccomp -cd firejail -make distclean -./configure --prefix=/usr --disable-network --enable-fatal-warnings 2>&1 | tee ../output-configure -make -j4 2>&1 | tee ../output-make -cd .. -grep Warning output-configure output-make > ./report-test6 -grep Error output-configure output-make >> ./report-test6 -cp output-configure oc6 -cp output-make om6 -rm output-configure output-make - -#***************************************************************** -# TEST 7 -#***************************************************************** -# - disable X11 support -#***************************************************************** -print_title "${arr[7]}" -# seccomp -cd firejail -make distclean -./configure --prefix=/usr --disable-x11 --enable-fatal-warnings 2>&1 | tee ../output-configure -make -j4 2>&1 | tee ../output-make -cd .. 
-grep Warning output-configure output-make > ./report-test7 -grep Error output-configure output-make >> ./report-test7 -cp output-configure oc7 -cp output-make om7 -rm output-configure output-make - - -#***************************************************************** -# TEST 8 -#***************************************************************** -# - enable network restricted -#***************************************************************** -print_title "${arr[8]}" -# seccomp -cd firejail -make distclean -./configure --prefix=/usr --enable-network=restricted --enable-fatal-warnings 2>&1 | tee ../output-configure -make -j4 2>&1 | tee ../output-make -cd .. -grep Warning output-configure output-make > ./report-test8 -grep Error output-configure output-make >> ./report-test8 -cp output-configure oc8 -cp output-make om8 -rm output-configure output-make - - -#***************************************************************** -# TEST 9 -#***************************************************************** -# - disable file transfer -#***************************************************************** -print_title "${arr[9]}" -# seccomp -cd firejail -make distclean -./configure --prefix=/usr --disable-file-transfer --enable-fatal-warnings 2>&1 | tee ../output-configure -make -j4 2>&1 | tee ../output-make -cd .. -grep Warning output-configure output-make > ./report-test9 -grep Error output-configure output-make >> ./report-test9 -cp output-configure oc9 -cp output-make om9 -rm output-configure output-make - -#***************************************************************** -# TEST 10 -#***************************************************************** -# - disable whitelist -#***************************************************************** -print_title "${arr[10]}" -# seccomp -cd firejail -make distclean -./configure --prefix=/usr --disable-whitelist --enable-fatal-warnings 2>&1 | tee ../output-configure -make -j4 2>&1 | tee ../output-make -cd .. 
-grep Warning output-configure output-make > ./report-test10 -grep Error output-configure output-make >> ./report-test10 -cp output-configure oc10 -cp output-make om10 -rm output-configure output-make - -#***************************************************************** -# TEST 11 -#***************************************************************** -# - disable global config -#***************************************************************** -print_title "${arr[11]}" -# seccomp -cd firejail -make distclean -./configure --prefix=/usr --disable-globalcfg --enable-fatal-warnings 2>&1 | tee ../output-configure -make -j4 2>&1 | tee ../output-make -cd .. -grep Warning output-configure output-make > ./report-test11 -grep Error output-configure output-make >> ./report-test11 -cp output-configure oc11 -cp output-make om11 -rm output-configure output-make - -#***************************************************************** -# TEST 12 -#***************************************************************** -# - enable apparmor -#***************************************************************** -print_title "${arr[12]}" -# seccomp -cd firejail -make distclean -./configure --prefix=/usr --enable-apparmor --enable-fatal-warnings 2>&1 | tee ../output-configure -make -j4 2>&1 | tee ../output-make -cd .. -grep Warning output-configure output-make > ./report-test12 -grep Error output-configure output-make >> ./report-test12 -cp output-configure oc12 -cp output-make om12 -rm output-configure output-make - -#***************************************************************** -# TEST 13 -#***************************************************************** -# - enable busybox workaround -#***************************************************************** -print_title "${arr[13]}" -# seccomp -cd firejail -make distclean -./configure --prefix=/usr --enable-busybox-workaround --enable-fatal-warnings 2>&1 | tee ../output-configure -make -j4 2>&1 | tee ../output-make -cd .. 
-grep Warning output-configure output-make > ./report-test13 -grep Error output-configure output-make >> ./report-test13 -cp output-configure oc13 -cp output-make om13 -rm output-configure output-make - -#***************************************************************** -# TEST 14 -#***************************************************************** -# - disable overlayfs -#***************************************************************** -print_title "${arr[14]}" -# seccomp -cd firejail -make distclean -./configure --prefix=/usr --disable-overlayfs --enable-fatal-warnings 2>&1 | tee ../output-configure -make -j4 2>&1 | tee ../output-make -cd .. -grep Warning output-configure output-make > ./report-test14 -grep Error output-configure output-make >> ./report-test14 -cp output-configure oc14 -cp output-make om14 -rm output-configure output-make - - -#***************************************************************** -# PRINT REPORTS -#***************************************************************** -echo -echo -echo -echo -echo "**********************************************************" -echo "TEST RESULTS" -echo "**********************************************************" - -wc -l report-test* -echo -echo "Legend:" -echo ${arr[1]} -echo ${arr[2]} -echo ${arr[3]} -echo ${arr[4]} -echo ${arr[5]} -echo ${arr[6]} -echo ${arr[7]} -echo ${arr[8]} -echo ${arr[9]} -echo ${arr[10]} -echo ${arr[11]} -echo ${arr[12]} -echo ${arr[13]} -echo ${arr[14]} -- cgit v1.2.3-70-g09d2 From 5b9ac21d4e98fd05549051f8dc9f92f9f0159ce3 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Sat, 20 Aug 2016 15:56:07 +0300 Subject: set caps filter when joining --- src/firejail/join.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/src/firejail/join.c b/src/firejail/join.c index 672913480..37bac7e65 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c 
@@ -122,7 +122,7 @@ static void extract_caps_seccomp(pid_t pid) { break; } else if (strncmp(buf, "CapBnd:", 7) == 0) { - char *ptr = buf + 8; + char *ptr = buf + 7; unsigned long long val; sscanf(ptr, "%llx", &val); apply_caps = 1; @@ -295,9 +295,8 @@ void join(pid_t pid, int argc, char **argv, int index) { // set seccomp filter if (apply_seccomp == 1) // not available for uid 0 seccomp_set(); - #endif - + // fix qt 4.8 if (setenv("QT_X11_NO_MITSHM", "1", 1) < 0) errExit("setenv"); @@ -314,6 +313,11 @@ void join(pid_t pid, int argc, char **argv, int index) { else drop_privs(arg_nogroups); // nogroups not available for uid 0 + // user namespace resets capabilities + // set caps filter + if (apply_caps == 1) // not available for uid 0 + caps_set(caps); + // set prompt color to green //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] ' if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0) -- cgit v1.2.3-70-g09d2 From fa68d0ca996a792b0c919d50888726fc3395f5c3 Mon Sep 17 00:00:00 2001 From: greigdp Date: Sat, 20 Aug 2016 18:44:30 +0100 Subject: Fix error in Slack profile noblacklist must appear before the includes, to avoid the default profiles from invoking blacklists. --- etc/slack.profile | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/etc/slack.profile b/etc/slack.profile index ea7b715f9..1009f7ee0 100644 --- a/etc/slack.profile +++ b/etc/slack.profile @@ -1,3 +1,6 @@ +noblacklist ${HOME}/.config/Slack +noblacklist ${HOME}/Downloads + include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc @@ -6,7 +9,7 @@ include /etc/firejail/disable-passwdmgr.inc mkdir ${HOME}/.config mkdir ${HOME}/.config/Slack whitelist ${HOME}/.config/Slack -whitelist ~/Downloads +whitelist ${HOME}/Downloads protocol unix,inet,inet6,netlink private-dev -- cgit v1.2.3-70-g09d2 From d366639fa538139776f7ee0d317f64e8e07ba15f Mon Sep 17 00:00:00 2001 
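Review bot: The `sscanf(ptr, "%llx", &val)` call in the `CapBnd:` branch of extract_caps_seccomp still ignores its return value, so if the field does not parse, `val` is used uninitialised while `apply_caps = 1` is set regardless. The value appears to end up in the capability filter that the later hunk passes to `caps_set(caps)` (the assignment is outside this hunk), so a parse failure should stop the join: `if (sscanf(ptr, "%llx", &val) != 1) { fprintf(stderr, "Error: cannot read CapBnd\n"); exit(1); }`. The function starts and ends outside the hunk.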
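Review bot: The new `caps_set(caps)` call in join() runs after `drop_privs(arg_nogroups)`, and nothing visible checks that the filter was actually applied. caps_set is defined outside this diff; if it needs privilege to reduce the capability set, it may succeed only in the branch before the visible `else` and fail once privileges are dropped. It is worth confirming that caps_set terminates the process on failure. The added comment should also record the ordering requirement, for example `// must run after the namespace switch (it resets capabilities); caps_set must fail hard if the filter cannot be applied`. join() starts and ends outside the hunk.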
From: netblue30 Date: Sat, 20 Aug 2016 17:52:27 -0400 Subject: fixes --- RELNOTES | 4 ++++ etc/disable-common.inc | 4 +--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/RELNOTES b/RELNOTES index 363526417..52eef6a0e 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,4 +1,8 @@ firejail (0.9.42~rc2) baseline; urgency=low + * security: --whitelist deleted files, submitted by Vasya Novikov + * security: disable x32 ABI, submitted by Jann Horn + * security: tighten --chroot, submitted by Jann Horn + * security: terminal sandbox escape, submitted by Stephan Sokolow * deprecated --user option, please use "sudo -u username firejail" instead * --read-write option rework * allow symlinks in home directory for --whitelist option diff --git a/etc/disable-common.inc b/etc/disable-common.inc index ed6ee315b..c4169db8a 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -155,7 +155,7 @@ blacklist /usr/local/sbin # prevent lxterminal connecting to an existing lxterminal session blacklist /tmp/.lxterminal-socket* -# disable terminals running as server +# disable terminals running as server resulting in sandbox escape blacklist ${PATH}/gnome-terminal blacklist ${PATH}/gnome-terminal.wrapper blacklist ${PATH}/xfce4-terminal @@ -169,5 +169,3 @@ blacklist ${PATH}/roxterm-config blacklist ${PATH}/terminix blacklist ${PATH}/urxvtc blacklist ${PATH}/urxvtcd -blacklist ${PATH}/konsole -blacklist ${PATH}/yakuake -- cgit v1.2.3-70-g09d2 From 0169ebe193abdfeddbd17a764688d5f9e7a3cb78 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 20 Aug 2016 21:06:21 -0400 Subject: run time support to disable remounting of /proc and /sys --- README | 1 + RELNOTES | 1 + etc/firejail.config | 3 +++ src/firejail/checkcfg.c | 11 +++++++++-- src/firejail/firejail.h | 3 ++- src/firejail/sandbox.c | 9 ++++++++- 6 files changed, 24 insertions(+), 4 deletions(-) diff --git a/README b/README index 51adbaf86..fe9ddaaae 100644 --- a/README +++ b/README 
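Review bot: The reworded comment in etc/disable-common.inc (`@@ -155,7`) now says server-mode terminals result in a sandbox escape, yet the next hunk (`@@ -169,5`) removes `blacklist ${PATH}/konsole` and `blacklist ${PATH}/yakuake` from that same list, and the commit message ("fixes") gives no reason. If the two entries were dropped for compatibility rather than because they are unaffected, record that next to the list, e.g. `# konsole and yakuake are intentionally not listed: <reason>`, so the gap reads as a decision and not an omission. The comment would also be clearer if it named the mechanism in one line, presumably that a terminal started in the sandbox hands the request to a server process already running outside it.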
@@ -41,6 +41,7 @@ Aleksey Manevich (https://github.com/manevich) - gether shell selection code in one place greigdp (https://github.com/greigdp) - Gajim IM client profile + - fix Slack profile Icaro Perseo (https://github.com/icaroperseo) - Icecat profile - several profile fixes diff --git a/RELNOTES b/RELNOTES index 52eef6a0e..d9e4314ba 100644 --- a/RELNOTES +++ b/RELNOTES @@ -24,6 +24,7 @@ firejail (0.9.42~rc2) baseline; urgency=low * seccomp filter updated * compile time and run time support to disable whitelists * compile time support to disable global configuration file + * run time support to disable remounting of /proc and /sys * added quiet-by-default config option in /etc/firejail/firejail.config * added netfilter-default config option in /etc/firejail/firejail.config * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice diff --git a/etc/firejail.config b/etc/firejail.config index 82fe65ac7..1b8d5f4e3 100644 --- a/etc/firejail.config +++ b/etc/firejail.config @@ -3,6 +3,9 @@ # Most features are enabled by default. Use 'yes' or 'no' as configuration # values. +# Remount /proc and /sys inside the sandbox, default enabled. +# remount-proc-sys yes + # Enable or disable bind support, default enabled. # bind yes diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index f5ea7439b..c4a6888a9 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -29,7 +29,6 @@ char *xephyr_extra_params = ""; char *netfilter_default = NULL; int checkcfg(int val) { - EUID_ASSERT(); assert(val < CFG_MAX); int line = 0; @@ -38,7 +37,6 @@ int checkcfg(int val) { int i; for (i = 0; i < CFG_MAX; i++) cfg_val[i] = 1; // most of them are enabled by default - cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default cfg_val[CFG_FORCE_NONEWPRIVS] = 0; // disabled by default 
@@ -226,6 +224,15 @@ int checkcfg(int val) { if (strcmp(ptr + 17, "yes") == 0) arg_quiet = 1; } + // remount /proc and /sys + else if (strncmp(ptr, "remount-proc-sys ", 17) == 0) { + if (strcmp(ptr + 17, "yes") == 0) + cfg_val[CFG_REMOUNT_PROC_SYS] = 1; + else if (strcmp(ptr + 17, "no") == 0) + cfg_val[CFG_REMOUNT_PROC_SYS] = 0; + else + goto errout; + } else goto errout; diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 8301a79a0..067d788a6 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -590,7 +590,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh); #define CFG_FORCE_NONEWPRIVS 8 #define CFG_WHITELIST 9 #define CFG_XEPHYR_WINDOW_TITLE 10 -#define CFG_MAX 11 // this should always be the last entry +#define CFG_REMOUNT_PROC_SYS 11 +#define CFG_MAX 12 // this should always be the last entry extern char *xephyr_screen; extern char *xephyr_extra_params; extern char *netfilter_default; diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index a33c81937..0818bf450 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -208,6 +208,12 @@ static int monitor_application(pid_t app_pid) { if (arg_debug) printf("Sandbox monitor: waitpid %u retval %d status %d\n", monitored_pid, rv, status); + // if /proc is not remounted, we cannot check /proc directory, + // for now we just get out of here + // todo: find another way of checking child processes! + if (!checkcfg(CFG_REMOUNT_PROC_SYS)) + break; + DIR *dir; if (!(dir = opendir("/proc"))) { // sleep 2 seconds and try again @@ -551,7 +557,8 @@ int sandbox(void* sandbox_arg) { //**************************** // update /proc, /sys, /dev, /boot directorymy //**************************** - fs_proc_sys_dev_boot(); + if (checkcfg(CFG_REMOUNT_PROC_SYS)) + fs_proc_sys_dev_boot(); //**************************** // apply the profile file -- cgit v1.2.3-70-g09d2 From e6ee65a48c1d17da1cd2058b1e61dc838513a49e Mon Sep 17 00:00:00 2001 
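Review bot: In sandbox(), the new `if (checkcfg(CFG_REMOUNT_PROC_SYS))` guard skips the whole of `fs_proc_sys_dev_boot()`, while the option is named and documented only as remounting /proc and /sys. The function name and the comment above the call also mention /dev and /boot, so `remount-proc-sys no` presumably drops whatever the function does for those two as well; its body is not in this diff. Either make only the /proc and /sys part conditional, or extend the firejail.config text, e.g. `# Disabling this also skips the /dev and /boot handling and leaves /proc and /sys as they were mounted before the sandbox started.` The removal of `EUID_ASSERT()` from checkcfg() in this commit is presumably what permits the call from the sandbox process, and a one-line comment there on which privilege states may call checkcfg() would help. sandbox() starts and ends outside the hunk.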
From: netblue30 Date: Sun, 21 Aug 2016 15:01:10 -0400 Subject: run time support to disable overlayfs --- RELNOTES | 1 + etc/firejail.config | 8 ++- src/firejail/checkcfg.c | 8 +++ src/firejail/firejail.h | 3 +- src/firejail/main.c | 168 ++++++++++++++++++++++++++++-------------------- 5 files changed, 115 insertions(+), 73 deletions(-) diff --git a/RELNOTES b/RELNOTES index d9e4314ba..d59618c7c 100644 --- a/RELNOTES +++ b/RELNOTES @@ -16,6 +16,7 @@ firejail (0.9.42~rc2) baseline; urgency=low * --overlay-clean option * --overlay-named=name option * --overlay-path=path option + * compile time and run time support to disable overlayfs * Ubuntu snap support * include /dev/snd in --private-dev * added mkfile profile command diff --git a/etc/firejail.config b/etc/firejail.config index 1b8d5f4e3..275bba8e2 100644 --- a/etc/firejail.config +++ b/etc/firejail.config @@ -3,9 +3,6 @@ # Most features are enabled by default. Use 'yes' or 'no' as configuration # values. -# Remount /proc and /sys inside the sandbox, default enabled. -# remount-proc-sys yes - # Enable or disable bind support, default enabled. # bind yes @@ -24,9 +21,14 @@ # Enable or disable networking features, default enabled. # network yes +# Enable or disable overlayfs features, default enabled. +# overlayfs yes + # Enable --quiet as default every time the sandbox is started. Default disabled. # quiet-by-default no +# Remount /proc and /sys inside the sandbox, default enabled. +# remount-proc-sys yes # Enable or disable restricted network support, default disabled. If enabled, # networking features should also be enabled (network yes). diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index c4a6888a9..fed934434 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c 
@@ -233,6 +233,14 @@ int checkcfg(int val) { else goto errout; } + else if (strncmp(ptr, "overlayfs ", 10) == 0) { + if (strcmp(ptr + 10, "yes") == 0) + cfg_val[CFG_OVERLAYFS] = 1; + else if (strcmp(ptr + 10, "no") == 0) + cfg_val[CFG_OVERLAYFS] = 0; + else + goto errout; + } else goto errout; diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 067d788a6..98ba8ee3b 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -591,7 +591,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh); #define CFG_WHITELIST 9 #define CFG_XEPHYR_WINDOW_TITLE 10 #define CFG_REMOUNT_PROC_SYS 11 -#define CFG_MAX 12 // this should always be the last entry +#define CFG_OVERLAYFS 12 +#define CFG_MAX 13 // this should always be the last entry extern char *xephyr_screen; extern char *xephyr_extra_params; extern char *netfilter_default; diff --git a/src/firejail/main.c b/src/firejail/main.c index c366390cc..1824765eb 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c 
@@ -266,18 +266,24 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { } #ifdef HAVE_OVERLAYFS else if (strcmp(argv[i], "--overlay-clean") == 0) { - char *path; - if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1) - errExit("asprintf"); - EUID_ROOT(); - if (setreuid(0, 0) < 0) - errExit("setreuid"); - if (setregid(0, 0) < 0) - errExit("setregid"); - errno = 0; - int rv = remove_directory(path); - if (rv) { - fprintf(stderr, "Error: cannot removed overlays stored in ~/.firejail directory, errno %d\n", errno); + if (checkcfg(CFG_OVERLAYFS)) { + char *path; + if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1) + errExit("asprintf"); + EUID_ROOT(); + if (setreuid(0, 0) < 0) + errExit("setreuid"); + if (setregid(0, 0) < 0) + errExit("setregid"); + errno = 0; + int rv = remove_directory(path); + if (rv) { + fprintf(stderr, "Error: cannot removed overlays stored in ~/.firejail directory, errno %d\n", errno); + exit(1); + } + } + else { + fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n"); exit(1); } exit(0); 
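Review bot: In the `--overlay-clean` branch, `remove_directory(path)` runs after `setreuid(0, 0)` and `setregid(0, 0)` on a path built from `cfg.homedir`, which is a recursive delete as root inside a directory the invoking user controls. remove_directory() is defined outside this hunk, so whether it refuses to follow symbolic links or to cross mount points cannot be checked here; that should be confirmed, or the removal done with the user's own ids where the overlay files allow it. Smaller points on the same lines: `path` is never freed, and the message reads `cannot removed` where `cannot remove` is meant.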
@@ -1283,78 +1289,103 @@ int main(int argc, char **argv) { } #ifdef HAVE_OVERLAYFS else if (strcmp(argv[i], "--overlay") == 0) { - if (cfg.chrootdir) { - fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); - exit(1); + if (checkcfg(CFG_OVERLAYFS)) { + if (cfg.chrootdir) { + fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); + exit(1); + } + struct stat s; + if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { + fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); + exit(1); + } + arg_overlay = 1; + arg_overlay_keep = 1; + + char *subdirname; + if (asprintf(&subdirname, "%d", getpid()) == -1) + errExit("asprintf"); + cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse); + + free(subdirname); } - struct stat s; - if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { - fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); - exit(1); + else { + fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n"); + exit(1); } - arg_overlay = 1; - arg_overlay_keep = 1; - - char *subdirname; - if (asprintf(&subdirname, "%d", getpid()) == -1) - errExit("asprintf"); - cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse); - - free(subdirname); } else if (strncmp(argv[i], "--overlay-named=", 16) == 0) { - if (cfg.chrootdir) { - fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); - exit(1); - } - struct stat s; - if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { - fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); - exit(1); + if (checkcfg(CFG_OVERLAYFS)) { + if (cfg.chrootdir) { + fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); + exit(1); + } + struct stat s; + if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { + fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); + 
exit(1); + } + arg_overlay = 1; + arg_overlay_keep = 1; + arg_overlay_reuse = 1; + + char *subdirname = argv[i] + 16; + if (subdirname == '\0') { + fprintf(stderr, "Error: invalid overlay option\n"); + exit(1); + } + cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse); } - arg_overlay = 1; - arg_overlay_keep = 1; - arg_overlay_reuse = 1; - - char *subdirname = argv[i] + 16; - if (subdirname == '\0') { - fprintf(stderr, "Error: invalid overlay option\n"); + else { + fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n"); exit(1); } - cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse); + } else if (strncmp(argv[i], "--overlay-path=", 15) == 0) { - if (cfg.chrootdir) { - fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); - exit(1); - } - struct stat s; - if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { - fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); - exit(1); + if (checkcfg(CFG_OVERLAYFS)) { + if (cfg.chrootdir) { + fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); + exit(1); + } + struct stat s; + if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { + fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); + exit(1); + } + arg_overlay = 1; + arg_overlay_keep = 1; + arg_overlay_reuse = 1; + + char *dirname = argv[i] + 15; + if (dirname == '\0') { + fprintf(stderr, "Error: invalid overlay option\n"); + exit(1); + } + cfg.overlay_dir = expand_home(dirname, cfg.homedir); } - arg_overlay = 1; - arg_overlay_keep = 1; - arg_overlay_reuse = 1; - - char *dirname = argv[i] + 15; - if (dirname == '\0') { - fprintf(stderr, "Error: invalid overlay option\n"); + else { + fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n"); exit(1); } - cfg.overlay_dir = expand_home(dirname, cfg.homedir); } else if (strcmp(argv[i], "--overlay-tmpfs") == 0) { 
- if (cfg.chrootdir) { - fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); - exit(1); + if (checkcfg(CFG_OVERLAYFS)) { + if (cfg.chrootdir) { + fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); + exit(1); + } + struct stat s; + if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { + fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); + exit(1); + } + arg_overlay = 1; } - struct stat s; - if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { - fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); - exit(1); + else { + fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n"); + exit(1); } - arg_overlay = 1; } #endif else if (strncmp(argv[i], "--profile=", 10) == 0) { @@ -1477,7 +1508,6 @@ int main(int argc, char **argv) { fprintf(stderr, "Error: --chroot feature is disabled in Firejail configuration file\n"); exit(1); } - } #endif else if (strcmp(argv[i], "--writable-etc") == 0) { -- cgit v1.2.3-70-g09d2 From e93fbf3bd23a243e2dafecb2af07353049c3b890 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 21 Aug 2016 19:37:04 -0400 Subject: disable ssh-agent sockets in disable-programs.inc --- etc/disable-programs.inc | 3 +++ etc/ssh.profile | 1 + 2 files changed, 4 insertions(+) diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 26d9cf22b..2f7584241 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -134,3 +134,6 @@ blacklist ${HOME}/.local/share/totem blacklist ${HOME}/.local/share/psi+ blacklist ${HOME}/.local/share/pix blacklist ${HOME}/.local/share/gnome-chess + +# ssh +blacklist /tmp/ssh-* diff --git a/etc/ssh.profile b/etc/ssh.profile index a6d52c5a5..2411e46f3 100644 --- a/etc/ssh.profile +++ b/etc/ssh.profile 
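Review bot: In the `--overlay-named=` branch, `if (subdirname == '\0')` compares the pointer with a null constant instead of testing the first character, and `argv[i] + 16` is never null, so an empty name is not rejected and reaches `fs_check_overlay_dir()`. The `--overlay-path=` branch has the same test on `dirname` before `expand_home()`. The checks should read `if (*subdirname == '\0') {` and `if (*dirname == '\0') {`. Since the name becomes part of a directory path, it is also worth confirming that fs_check_overlay_dir(), which is outside this hunk, rejects names containing `/` or `..`.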
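Review bot: `blacklist /tmp/ssh-*` covers only agent sockets that live under /tmp/ssh-*, the OpenSSH ssh-agent default; agents that place their socket elsewhere (for example under the user's runtime directory) stay reachable from sandboxes that include this file. The `# ssh` comment should say so, e.g. `# ssh-agent sockets (OpenSSH default location only; other agents use different paths)`. If the glob is expanded once when the sandbox starts, which is not visible here, an agent started later would not be covered either.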
@@ -1,5 +1,6 @@ # ssh client noblacklist ~/.ssh +noblacklist /tmp/ssh-* include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc -- cgit v1.2.3-70-g09d2 From 45306ca2adbe0ccfd655ac356cd7a989706a06a1 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 21 Aug 2016 20:37:54 -0400 Subject: fixed whitelist description in man pages --- src/man/firejail-profile.txt | 12 +++++++++--- src/man/firejail.txt | 14 ++++++++++---- 2 files changed, 19 insertions(+), 7 deletions(-) diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 637519902..52802755f 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -198,9 +198,15 @@ Mount an empty tmpfs filesystem on top of directory. This option is available on Blacklist violations logged to syslog. .TP \fBwhitelist file_or_directory -Build a new user home in a temporary filesystem, and mount-bind file_or_directory. -The modifications to file_or_directory are persistent, everything else is discarded -when the sandbox is closed. +Whitelist directory or file. A temporary file system is mounted on the top directory, and the +whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent, +everything else is discarded when the sandbox is closed. The top directory could be +user home, /dev, /media, /opt, /var, and /tmp. +.br + +.br +Symbolic link handling: with the exception of user home, both the link and the real file should be in +the same top directory. For user home, both the link and the real file should be owned by the user. .TP \fBwritable-etc Mount /etc directory read-write. diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 732d14624..d08b244f7 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
@@ -1587,9 +1587,15 @@ $ firejail \-\-version firejail version 0.9.27 .TP \fB\-\-whitelist=dirname_or_filename -Whitelist directory or file. This feature is implemented only for user home, /dev, /media, /opt, /var, and /tmp directories. -With the exception of user home, both the link and the real file should be in -the same top directory. For /home, both the link and the real file should be owned by the user. +Whitelist directory or file. A temporary file system is mounted on the top directory, and the +whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent, +everything else is discarded when the sandbox is closed. The top directory could be +user home, /dev, /media, /opt, /var, and /tmp. +.br + +.br +Symbolic link handling: with the exception of user home, both the link and the real file should be in +the same top directory. For user home, both the link and the real file should be owned by the user. .br .br @@ -1630,7 +1636,7 @@ applications started in the sandbox from accessing other X11 displays. A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket. .br -.br +br Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr. This feature is not available when running as root. .br -- cgit v1.2.3-70-g09d2 From 2b76cea1106462268b975ee68480796ba900d37f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 22 Aug 2016 08:59:00 -0400 Subject: --allow-debuggers --- RELNOTES | 1 + src/firejail/firejail.h | 1 + src/firejail/main.c | 35 +++++++++++++++++++++++++++++++++-- src/firejail/profile.c | 10 ++++++++++ src/firejail/seccomp.c | 13 +++++++++++-- src/firejail/usage.c | 1 + src/man/firejail.txt | 9 +++++++++ test/environment/allow-debuggers.exp | 32 ++++++++++++++++++++++++++++++++ test/environment/environment.sh | 8 ++++++++ 9 files changed, 106 insertions(+), 4 deletions(-) create mode 100755 test/environment/allow-debuggers.exp 
diff --git a/RELNOTES b/RELNOTES index d59618c7c..1f62c4d64 100644 --- a/RELNOTES +++ b/RELNOTES @@ -6,6 +6,7 @@ firejail (0.9.42~rc2) baseline; urgency=low * deprecated --user option, please use "sudo -u username firejail" instead * --read-write option rework * allow symlinks in home directory for --whitelist option + * --allow-debuggers option * --private-template (very simillar to the former --private-home) * AppImage support (--appimage) * AppArmor support (--apparmor) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 98ba8ee3b..8e30e929a 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -267,6 +267,7 @@ extern int arg_appimage; // appimage extern int arg_audit; // audit extern char *arg_audit_prog; // audit extern int arg_apparmor; // apparmor +extern int arg_allow_debuggers; // allow debuggers extern int login_shell; extern int parent_to_child_fds[2]; diff --git a/src/firejail/main.c b/src/firejail/main.c index 1824765eb..bdb8e0df5 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -101,8 +101,9 @@ int arg_writable_etc = 0; // writable etc int arg_writable_var = 0; // writable var int arg_appimage = 0; // appimage int arg_audit = 0; // audit -char *arg_audit_prog; // audit -int arg_apparmor; // apparmor +char *arg_audit_prog = NULL; // audit +int arg_apparmor = 0; // apparmor +int arg_allow_debuggers = 0; // allow debuggers int login_shell = 0; int parent_to_child_fds[2]; @@ -730,6 +731,24 @@ static void detect_quiet(int argc, char **argv) { } } +static void detect_allow_debuggers(int argc, char **argv) { + int i; + + // detect --allow-debuggers + for (i = 1; i < argc; i++) { + if (strcmp(argv[i], "--allow-debuggers") == 0) { + arg_allow_debuggers = 1; + break; + } + + // detect end of firejail params + if (strcmp(argv[i], "--") == 0) + break; + if (strncmp(argv[i], "--", 2) != 0) + break; + } +} + char *guess_shell(void) { char *shell = NULL; // shells in order of preference 
@@ -766,11 +785,13 @@ int main(int argc, char **argv) { #endif detect_quiet(argc, argv); + detect_allow_debuggers(argc, argv); // drop permissions by default and rise them when required EUID_INIT(); EUID_USER(); + // check argv[0] symlink wrapper if this is not a login shell if (*argv[0] != '-') run_symlink(argc, argv); @@ -982,6 +1003,13 @@ int main(int argc, char **argv) { if (checkcfg(CFG_FORCE_NONEWPRIVS)) arg_nonewprivs = 1; + if (arg_allow_debuggers) { + char *cmd = strdup("noblacklist ${PATH}/strace"); + if (!cmd) + errExit("strdup"); + profile_add(cmd); + } + // parse arguments for (i = 1; i < argc; i++) { run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized @@ -1005,6 +1033,9 @@ int main(int argc, char **argv) { } else if (strcmp(argv[i], "--force") == 0) ; + else if (strcmp(argv[i], "--allow-debuggers") == 0) { + // already handled + } //************************************* // filtering diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 1403db704..26f434f3b 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -828,6 +828,16 @@ void profile_read(const char *fname) { exit(1); } + // allow debuggers + if (arg_allow_debuggers) { + char *tmp = strrchr(fname, '/'); + if (tmp && *(tmp + 1) != '\0') { + tmp++; + if (strcmp(tmp, "disable-devel.inc") == 0) + return; + } + } + // open profile file: FILE *fp = fopen(fname, "r"); if (fp == NULL) { diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 88620d1dd..7aaf1a5cd 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c @@ -344,6 +344,7 @@ void seccomp_filter_32(void) { EXAMINE_SYSCALL, BLACKLIST(21), // mount BLACKLIST(52), // umount2 +// todo: implement --allow-debuggers BLACKLIST(26), // ptrace BLACKLIST(283), // kexec_load BLACKLIST(341), // name_to_handle_at 
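Review bot: In profile_read, the new early `return` skips every file whose last path component is `disable-devel.inc` whenever `--allow-debuggers` is set, so all entries in that include are dropped, not only the ones for debuggers, and the match applies to a file of that name in any directory. The contents of disable-devel.inc are not part of this commit, so how much else is lost is an assumption to check. A narrower approach is to keep reading the file and add `noblacklist` entries for the specific tools, as the main.c hunk already does for `${PATH}/strace`. At minimum the block needs a comment such as `// --allow-debuggers: the whole disable-devel.inc include is skipped, including non-debugger entries`.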
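Review bot: `BLACKLIST(26), // ptrace` in seccomp_filter_32 stays unconditional, and so does `BLACKLIST(101), // ptrace` in the seccomp_filter_64 hunk, while seccomp_filter_drop stops blacklisting ptrace when `arg_allow_debuggers` is set. The added todo does not record that current behaviour, so the effect of --allow-debuggers depends on which filter applies to a process, and a reader cannot tell whether that is intended. The comment should say it outright and follow the surrounding indentation, e.g. `// todo: --allow-debuggers is not honoured in this filter, ptrace stays blacklisted`.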
@@ -416,6 +417,7 @@ void seccomp_filter_64(void) { EXAMINE_SYSCALL, BLACKLIST(165), // mount BLACKLIST(166), // umount2 +// todo: implement --allow-debuggers BLACKLIST(101), // ptrace BLACKLIST(246), // kexec_load BLACKLIST(304), // open_by_handle_at @@ -501,9 +503,13 @@ int seccomp_filter_drop(int enforce_seccomp) { #ifdef SYS_umount2 filter_add_blacklist(SYS_umount2, 0); #endif + + if (!arg_allow_debuggers) { #ifdef SYS_ptrace - filter_add_blacklist(SYS_ptrace, 0); + filter_add_blacklist(SYS_ptrace, 0); #endif + } + #ifdef SYS_kexec_load filter_add_blacklist(SYS_kexec_load, 0); #endif @@ -549,9 +555,12 @@ int seccomp_filter_drop(int enforce_seccomp) { #ifdef SYS_syslog filter_add_blacklist(SYS_syslog, 0); #endif + if (!arg_allow_debuggers) { #ifdef SYS_process_vm_readv - filter_add_blacklist(SYS_process_vm_readv, 0); + filter_add_blacklist(SYS_process_vm_readv, 0); #endif + } + #ifdef SYS_process_vm_writev filter_add_blacklist(SYS_process_vm_writev, 0); #endif diff --git a/src/firejail/usage.c b/src/firejail/usage.c index ed6d22e69..ebe1c8830 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -34,6 +34,7 @@ void usage(void) { printf("\n"); printf("Options:\n\n"); printf(" -- - signal the end of options and disables further option processing.\n\n"); + printf(" --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n\n"); printf(" --apparmor - enable AppArmor confinement\n\n"); printf(" --appimage - sandbox an AppImage application\n\n"); printf(" --audit - audit the sandbox, see Audit section for more details\n\n"); diff --git a/src/man/firejail.txt b/src/man/firejail.txt index d08b244f7..cc47e3dc6 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
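Review bot: In seccomp_filter_drop, `--allow-debuggers` now leaves `SYS_ptrace` (and, in the later hunk, `SYS_process_vm_readv`) out of the default blacklist for every process in the sandbox, not only for the debugger. On kernels before 4.8 the seccomp check is not repeated after a tracer has been notified, so a process that is allowed to use ptrace can get around the rest of the filter, and the option weakens the whole seccomp policy on those kernels. That should be stated in the code and in the man page entry, e.g. `// --allow-debuggers: ptrace is permitted; on kernels before 4.8 this undermines the whole seccomp filter`, and a kernel version check before honouring the option is worth considering. Both changed regions sit inside a function that starts and ends outside these hunks.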
@@ -75,6 +75,15 @@ $ firejail [OPTIONS] firefox # starting Mozilla Firefox \fB\-\- Signal the end of options and disables further option processing. .TP +\fB\-\-allow-debuggers +Allow tools such as strace and gdb inside the sandbox. +.br + +.br +Example: +.br +$ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile --allow-debuggers strace -f firefox +.TP \fB\-\-apparmor Enable AppArmor confinement. Formore information, please see \fBAPPARMOR\fR section below. .TP diff --git a/test/environment/allow-debuggers.exp b/test/environment/allow-debuggers.exp new file mode 100755 index 000000000..dde9c4cc1 --- /dev/null +++ b/test/environment/allow-debuggers.exp @@ -0,0 +1,32 @@ +#!/usr/bin/expect -f + +set timeout 10 +cd /home +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --profile=/etc/firejail/firefox.profile --allow-debuggers strace ls\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "exited with 0" +} +after 100 + +send -- "firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace ls\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Child process initialized" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "exited with 0" +} +after 100 + + +puts "\nall done\n" + diff --git a/test/environment/environment.sh b/test/environment/environment.sh index a6fe07a1c..785f57d3f 100755 --- a/test/environment/environment.sh +++ b/test/environment/environment.sh @@ -82,4 +82,12 @@ echo "TESTING: nice (test/environment/nice.exp)" echo "TESTING: quiet (test/environment/quiet.exp)" ./quiet.exp +which strace +if [ "$?" -eq 0 ]; +then + echo "TESTING: --allow-debuggers (test/environment/allow-debuggers.exp)" + ./allow-debuggers.exp +else + echo "TESTING SKIP: strace not found" +fi -- cgit v1.2.3-70-g09d2 From bfd93f604a09ae55c7cf9f37e1eea7abf224015a Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Mon, 22 Aug 2016 09:05:53 -0400 Subject: testing --- test/environment/csh.exp | 2 +- test/environment/dash.exp | 2 +- test/environment/doubledash.exp | 2 +- test/environment/env.exp | 2 +- test/environment/firejail-in-firejail.exp | 2 +- test/environment/firejail-in-firejail2.exp | 2 +- test/environment/nice.exp | 2 +- test/environment/quiet.exp | 2 +- test/environment/rlimit-profile.exp | 2 +- test/environment/rlimit.exp | 2 +- test/environment/shell-none.exp | 6 +++--- test/environment/sound.exp | 2 +- test/environment/zsh.exp | 2 +- 13 files changed, 15 insertions(+), 15 deletions(-) diff --git a/test/environment/csh.exp b/test/environment/csh.exp index 2f1ae17b9..46e4bb3ca 100755 --- a/test/environment/csh.exp +++ b/test/environment/csh.exp @@ -30,7 +30,7 @@ expect { "/bin/csh" } send -- "exit\r" -sleep 1 +after 100 puts "\n" diff --git a/test/environment/dash.exp b/test/environment/dash.exp index d727d302e..cd051ea7c 100755 --- a/test/environment/dash.exp +++ b/test/environment/dash.exp @@ -36,7 +36,7 @@ expect { "home" } send -- "exit\r" -sleep 1 +after 100 puts "\n" diff --git a/test/environment/doubledash.exp b/test/environment/doubledash.exp index 7abf4b918..2eaa7d9ce 100755 --- a/test/environment/doubledash.exp +++ b/test/environment/doubledash.exp @@ -55,6 +55,6 @@ expect { "/tmp" } -sleep 1 +after 100 puts "\n" diff --git a/test/environment/env.exp b/test/environment/env.exp index a09c3f9c5..8f72400b0 100755 --- a/test/environment/env.exp +++ b/test/environment/env.exp @@ -31,7 +31,7 @@ expect { "ENV3" } send -- "exit\r" -sleep 1 +after 100 #*********************************************** send -- "firejail --profile=env.profile\r" diff --git a/test/environment/firejail-in-firejail.exp b/test/environment/firejail-in-firejail.exp index 7e7f4fd17..1122b712f 100755 --- a/test/environment/firejail-in-firejail.exp +++ b/test/environment/firejail-in-firejail.exp 
@@ -19,6 +19,6 @@ expect { timeout {puts "TESTING ERROR 1\n";exit} "Warning: an existing sandbox was detected" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/environment/firejail-in-firejail2.exp b/test/environment/firejail-in-firejail2.exp index 5a2213074..37d1c2870 100755 --- a/test/environment/firejail-in-firejail2.exp +++ b/test/environment/firejail-in-firejail2.exp @@ -19,6 +19,6 @@ expect { timeout {puts "TESTING ERROR 1\n";exit} "Child process initialized" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/environment/nice.exp b/test/environment/nice.exp index 3a5db71c8..2e0e95ea1 100755 --- a/test/environment/nice.exp +++ b/test/environment/nice.exp @@ -42,7 +42,7 @@ expect { sleep 1 send -- "exit\r" -sleep 1 +after 100 send -- "firejail --profile=nice.profile\r" expect { diff --git a/test/environment/quiet.exp b/test/environment/quiet.exp index 38da4673e..8d7c8d4c0 100755 --- a/test/environment/quiet.exp +++ b/test/environment/quiet.exp @@ -15,7 +15,7 @@ expect { "Child process initialized" {puts "TESTING ERROR 3\n";exit} "done" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/environment/rlimit-profile.exp b/test/environment/rlimit-profile.exp index 7ee828bf2..a9e54a405 100755 --- a/test/environment/rlimit-profile.exp +++ b/test/environment/rlimit-profile.exp @@ -29,5 +29,5 @@ expect { timeout {puts "TESTING ERROR 1.4\n";exit} "Max pending signals 200 200" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/environment/rlimit.exp b/test/environment/rlimit.exp index 680520b33..611f69821 100755 --- a/test/environment/rlimit.exp +++ b/test/environment/rlimit.exp @@ -33,5 +33,5 @@ expect { timeout {puts "TESTING ERROR 1.5\n";exit} "home" } -sleep 1 +after 100 puts "\n" diff --git a/test/environment/shell-none.exp b/test/environment/shell-none.exp index e30008f83..8f3df794f 100755 --- a/test/environment/shell-none.exp +++ b/test/environment/shell-none.exp 
@@ -19,7 +19,7 @@ expect { timeout {puts "TESTING ERROR 1\n";exit} "shell=none configured, but no program specified" } -sleep 1 +after 100 send -- "firejail --shell=none ls\r" expect { @@ -30,7 +30,7 @@ expect { timeout {puts "TESTING ERROR 3\n";exit} "environment.sh" } -sleep 1 +after 100 send -- "firejail --profile=shell-none.profile ls\r" expect { @@ -41,7 +41,7 @@ expect { timeout {puts "TESTING ERROR 5\n";exit} "environment.sh" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/environment/sound.exp b/test/environment/sound.exp index e2e8fb610..dd55add89 100755 --- a/test/environment/sound.exp +++ b/test/environment/sound.exp @@ -77,7 +77,7 @@ expect { timeout {puts "TESTING ERROR 25\n";exit} "Parent is shutting down" } -sleep 2 +after 100 puts "\nall done\n" diff --git a/test/environment/zsh.exp b/test/environment/zsh.exp index 7ab7faa76..5fca1cf22 100755 --- a/test/environment/zsh.exp +++ b/test/environment/zsh.exp @@ -30,7 +30,7 @@ expect { "/usr/bin/zsh" } send -- "exit\r" -sleep 1 +after 100 puts "\nall done\n" -- cgit v1.2.3-70-g09d2 From 8fdede5811ad03ccb6261fc992fcf11b4a06a3b3 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Mon, 22 Aug 2016 11:31:08 -0400 Subject: testing --- test/arguments/readme | 2 +- test/filters/caps.exp | 2 +- test/filters/noroot.exp | 1 + test/filters/protocol.exp | 2 +- test/filters/seccomp-bad-empty.exp | 2 +- test/filters/seccomp-chmod-profile.exp | 2 +- test/filters/seccomp-chmod.exp | 2 +- test/filters/seccomp-chown.exp | 4 ++-- test/filters/seccomp-dualfilter.exp | 1 + test/filters/seccomp-empty.exp | 1 + test/filters/seccomp-errno.exp | 2 +- test/filters/seccomp-ptrace.exp | 2 +- test/filters/seccomp-su.exp | 2 +- test/filters/seccomp-umount.exp | 2 +- test/fs/fs_dev_shm.exp | 2 +- test/fs/fs_var_lock.exp | 2 +- test/fs/fs_var_tmp.exp | 2 +- test/fs/option_bind_user.exp | 2 +- test/fs/option_blacklist.exp | 2 +- test/fs/option_blacklist_file.exp | 2 +- test/fs/option_blacklist_glob.exp | 1 + test/fs/private-bin.exp | 2 +- test/fs/private-etc-empty.exp | 1 + test/fs/private-etc.exp | 2 +- test/fs/private.exp | 2 +- test/fs/whitelist-double.exp | 2 +- test/fs/whitelist-empty.exp | 1 + test/network/4bridges_arp.exp | 3 ++- test/network/4bridges_ip.exp | 3 ++- test/network/bandwidth.exp | 2 +- test/network/hostname.exp | 3 ++- test/network/ip6.exp | 2 ++ test/network/net_badip.exp | 2 +- test/network/net_defaultgw.exp | 3 ++- test/network/net_defaultgw2.exp | 3 ++- test/network/net_defaultgw3.exp | 3 ++- test/network/net_interface.exp | 2 ++ test/network/net_ip.exp | 3 ++- test/network/net_local.exp | 2 ++ test/network/net_mac.exp | 3 ++- test/network/net_macvlan.exp | 2 ++ test/network/net_mtu.exp | 2 ++ test/network/net_noip.exp | 1 + test/network/net_noip2.exp | 1 + test/network/net_none.exp | 3 ++- test/network/net_profile.exp | 3 ++- test/profiles/ignore.exp | 2 +- test/profiles/profile_followlnk.exp | 3 ++- test/profiles/profile_noperm.exp | 2 +- test/profiles/profile_readonly.exp | 4 ++-- test/profiles/profile_syntax.exp | 2 +- test/profiles/profile_syntax2.exp | 4 ++-- test/utils/caps-print.exp | 2 +- test/utils/cpu-print.exp | 
2 +- test/utils/dns-print.exp | 2 +- test/utils/fs-print.exp | 2 +- test/utils/join-profile.exp | 2 +- test/utils/join.exp | 2 +- test/utils/join2.exp | 2 +- test/utils/join3.exp | 2 +- test/utils/ls.exp | 2 +- test/utils/protocol-print.exp | 2 +- test/utils/seccomp-print.exp | 2 +- test/utils/shutdown2.exp | 2 +- test/utils/shutdown3.exp | 2 +- test/utils/shutdown4.exp | 2 +- test/utils/trace.exp | 1 + 67 files changed, 86 insertions(+), 56 deletions(-) diff --git a/test/arguments/readme b/test/arguments/readme index f5844848e..c28461478 100644 --- a/test/arguments/readme +++ b/test/arguments/readme @@ -5,5 +5,5 @@ Run "make && sudo make install" to install it. Run "make test" to run the tests. -Run "make uninstall" to remove the test program. +Run "sudo make uninstall" to remove the test program. diff --git a/test/filters/caps.exp b/test/filters/caps.exp index 034d6a733..7f7cf7dd1 100755 --- a/test/filters/caps.exp +++ b/test/filters/caps.exp @@ -66,7 +66,7 @@ expect { "Seccomp:" } send -- "exit\r" -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/filters/noroot.exp b/test/filters/noroot.exp index 1e08cee12..2a7cb7975 100755 --- a/test/filters/noroot.exp +++ b/test/filters/noroot.exp @@ -156,4 +156,5 @@ expect { timeout {puts "TESTING ERROR 24\n";exit} "3" } +after 100 puts "\nall done\n" diff --git a/test/filters/protocol.exp b/test/filters/protocol.exp index 82e9a63eb..835f645b2 100755 --- a/test/filters/protocol.exp +++ b/test/filters/protocol.exp @@ -180,6 +180,6 @@ expect { timeout {puts "TESTING ERROR 4.9\n";exit} "after socket" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/filters/seccomp-bad-empty.exp b/test/filters/seccomp-bad-empty.exp index 53f06e632..1bd9c9b1f 100755 --- a/test/filters/seccomp-bad-empty.exp +++ b/test/filters/seccomp-bad-empty.exp @@ -36,6 +36,6 @@ expect { timeout {puts "TESTING ERROR 7\n";exit} "Error: line 1 in seccomp-bad-empty2.profile is invalid" } -sleep 1 +after 100 puts "\nall done\n" 
diff --git a/test/filters/seccomp-chmod-profile.exp b/test/filters/seccomp-chmod-profile.exp index e5d16f524..463ce05e9 100755 --- a/test/filters/seccomp-chmod-profile.exp +++ b/test/filters/seccomp-chmod-profile.exp @@ -47,5 +47,5 @@ expect { } send -- "exit\r" -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/filters/seccomp-chmod.exp b/test/filters/seccomp-chmod.exp index 9ca084e7f..b17990e3a 100755 --- a/test/filters/seccomp-chmod.exp +++ b/test/filters/seccomp-chmod.exp @@ -47,5 +47,5 @@ expect { } send -- "exit\r" -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/filters/seccomp-chown.exp b/test/filters/seccomp-chown.exp index 4e393fea2..a54d279f1 100755 --- a/test/filters/seccomp-chown.exp +++ b/test/filters/seccomp-chown.exp @@ -45,5 +45,5 @@ expect { send -- "exit\r" -sleep 1 -puts "\n" +after 100 +puts "\nall done\n" diff --git a/test/filters/seccomp-dualfilter.exp b/test/filters/seccomp-dualfilter.exp index 8a48130b3..958dab528 100755 --- a/test/filters/seccomp-dualfilter.exp +++ b/test/filters/seccomp-dualfilter.exp @@ -51,4 +51,5 @@ expect { "Parent is shutting down" } +after 100 puts "\nall done\n" diff --git a/test/filters/seccomp-empty.exp b/test/filters/seccomp-empty.exp index 11b275c7d..d150dac7d 100755 --- a/test/filters/seccomp-empty.exp +++ b/test/filters/seccomp-empty.exp @@ -144,5 +144,6 @@ expect { } sleep 2 send -- "exit\r" +after 100 puts "\n" diff --git a/test/filters/seccomp-errno.exp b/test/filters/seccomp-errno.exp index aefe816e1..4df1948be 100755 --- a/test/filters/seccomp-errno.exp +++ b/test/filters/seccomp-errno.exp @@ -86,5 +86,5 @@ sleep 1 send -- "rm seccomp-test-file\r" -sleep 1 +after 100 puts "all done\n" diff --git a/test/filters/seccomp-ptrace.exp b/test/filters/seccomp-ptrace.exp index fba9ea92f..bb87b96ea 100755 --- a/test/filters/seccomp-ptrace.exp +++ b/test/filters/seccomp-ptrace.exp @@ -22,5 +22,5 @@ expect { } send -- "exit\r" -sleep 1 +after 100 puts "all done\n" 
diff --git a/test/filters/seccomp-su.exp b/test/filters/seccomp-su.exp index 3f1f2e732..7833c69b0 100755 --- a/test/filters/seccomp-su.exp +++ b/test/filters/seccomp-su.exp @@ -36,5 +36,5 @@ expect { } send -- "exit\r" -sleep 1 +after 100 puts "all done\n" diff --git a/test/filters/seccomp-umount.exp b/test/filters/seccomp-umount.exp index 6e2f8c6c2..df38dba5e 100755 --- a/test/filters/seccomp-umount.exp +++ b/test/filters/seccomp-umount.exp @@ -27,5 +27,5 @@ expect { } send -- "exit\r" -sleep 1 +after 100 puts "\n" diff --git a/test/fs/fs_dev_shm.exp b/test/fs/fs_dev_shm.exp index 6d27978e2..8150dfa61 100755 --- a/test/fs/fs_dev_shm.exp +++ b/test/fs/fs_dev_shm.exp @@ -85,6 +85,6 @@ expect { "done" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/fs/fs_var_lock.exp b/test/fs/fs_var_lock.exp index 0e2b3181a..5879dca52 100755 --- a/test/fs/fs_var_lock.exp +++ b/test/fs/fs_var_lock.exp @@ -85,6 +85,6 @@ expect { "done" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/fs/fs_var_tmp.exp b/test/fs/fs_var_tmp.exp index 811baac68..a3bc5afe2 100755 --- a/test/fs/fs_var_tmp.exp +++ b/test/fs/fs_var_tmp.exp @@ -85,6 +85,6 @@ expect { "done" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/fs/option_bind_user.exp b/test/fs/option_bind_user.exp index 9d2d17d7f..a2912968e 100755 --- a/test/fs/option_bind_user.exp +++ b/test/fs/option_bind_user.exp @@ -9,7 +9,7 @@ expect { timeout {puts "TESTING ERROR 0\n";exit} "bind option is available only if running as root" } -sleep 1 +after 100 puts "\n" diff --git a/test/fs/option_blacklist.exp b/test/fs/option_blacklist.exp index 38fd19237..6554d438f 100755 --- a/test/fs/option_blacklist.exp +++ b/test/fs/option_blacklist.exp @@ -32,7 +32,7 @@ expect { timeout {puts "TESTING ERROR 4\n";exit} "done" } -sleep 1 +after 100 puts "\n" diff --git a/test/fs/option_blacklist_file.exp b/test/fs/option_blacklist_file.exp index 846735d9e..b0164136c 100755 --- a/test/fs/option_blacklist_file.exp 
+++ b/test/fs/option_blacklist_file.exp @@ -20,7 +20,7 @@ expect { timeout {puts "TESTING ERROR 2\n";exit} "done" } -sleep 1 +after 100 puts "\n" diff --git a/test/fs/option_blacklist_glob.exp b/test/fs/option_blacklist_glob.exp index 01939736d..5a96cacc9 100755 --- a/test/fs/option_blacklist_glob.exp +++ b/test/fs/option_blacklist_glob.exp @@ -27,6 +27,7 @@ expect { timeout {puts "TESTING ERROR 2\n";exit} "Permission denied" } +after 100 puts "\n" diff --git a/test/fs/private-bin.exp b/test/fs/private-bin.exp index c19702e77..fe9468be9 100755 --- a/test/fs/private-bin.exp +++ b/test/fs/private-bin.exp @@ -66,6 +66,6 @@ expect { } send -- "exit\r" -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/fs/private-etc-empty.exp b/test/fs/private-etc-empty.exp index 13e917a5c..2ab634afd 100755 --- a/test/fs/private-etc-empty.exp +++ b/test/fs/private-etc-empty.exp @@ -35,4 +35,5 @@ expect { "0" } +after 100 puts "\nall done\n" diff --git a/test/fs/private-etc.exp b/test/fs/private-etc.exp index 3b4f3eb2b..e692f7382 100755 --- a/test/fs/private-etc.exp +++ b/test/fs/private-etc.exp @@ -40,6 +40,6 @@ expect { "done" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/fs/private.exp b/test/fs/private.exp index 7eee0c82b..67435b888 100755 --- a/test/fs/private.exp +++ b/test/fs/private.exp @@ -54,6 +54,6 @@ expect { timeout {puts "TESTING ERROR 11\n";exit} "done" } -sleep 1 +after 100 puts "all done\n" diff --git a/test/fs/whitelist-double.exp b/test/fs/whitelist-double.exp index 34463dbe4..fc05f9322 100755 --- a/test/fs/whitelist-double.exp +++ b/test/fs/whitelist-double.exp @@ -37,6 +37,6 @@ expect { timeout {puts "TESTING ERROR 3\n";exit} "0" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/fs/whitelist-empty.exp b/test/fs/whitelist-empty.exp index f44d4fb58..71bb8f914 100755 --- a/test/fs/whitelist-empty.exp +++ b/test/fs/whitelist-empty.exp @@ -49,5 +49,6 @@ expect { "0" } +after 100 puts "\nall done\n" 
diff --git a/test/network/4bridges_arp.exp b/test/network/4bridges_arp.exp index f769df43b..4ffa715cc 100755 --- a/test/network/4bridges_arp.exp +++ b/test/network/4bridges_arp.exp @@ -167,7 +167,8 @@ expect { timeout {puts "TESTING ERROR 10.2\n";exit} "10.10.50.0/24 dev eth3 proto kernel scope link" } -sleep 1 +send -- "exit\r" +after 100 puts "\nall done\n" diff --git a/test/network/4bridges_ip.exp b/test/network/4bridges_ip.exp index db7a61867..3cfd71be0 100755 --- a/test/network/4bridges_ip.exp +++ b/test/network/4bridges_ip.exp @@ -171,7 +171,8 @@ expect { "10.10.50.0/24 dev eth3 proto kernel scope link" } -sleep 1 +send -- "exit\r" +after 100 puts "\nall done\n" diff --git a/test/network/bandwidth.exp b/test/network/bandwidth.exp index 2913c6b14..8f3a706a8 100755 --- a/test/network/bandwidth.exp +++ b/test/network/bandwidth.exp @@ -60,6 +60,6 @@ expect { "rate 80Kbit burst 10Kb" {puts "TESTING ERROR 9\n";exit} "done" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/network/hostname.exp b/test/network/hostname.exp index 53f24f7b1..73d06725f 100755 --- a/test/network/hostname.exp +++ b/test/network/hostname.exp @@ -23,6 +23,7 @@ expect { timeout {puts "TESTING ERROR 3\n";exit} "done" } -sleep 1 +send -- "exit\r" +after 100 puts "all done\n" diff --git a/test/network/ip6.exp b/test/network/ip6.exp index e5939021e..f0fcebcf8 100755 --- a/test/network/ip6.exp +++ b/test/network/ip6.exp @@ -42,6 +42,8 @@ expect { "scopeid 0x0" { puts "Arch\n"} } +send -- "exit\r" +after 100 puts "\nall done\n" diff --git a/test/network/net_badip.exp b/test/network/net_badip.exp index 8003252d6..d13a6144e 100755 --- a/test/network/net_badip.exp +++ b/test/network/net_badip.exp @@ -13,7 +13,7 @@ expect { timeout {puts "TESTING ERROR 0.0\n";exit} "the IP address is not" } -sleep 1 +after 100 puts "\n" diff --git a/test/network/net_defaultgw.exp b/test/network/net_defaultgw.exp index 5534b7706..6291ae5ba 100755 --- a/test/network/net_defaultgw.exp 
+++ b/test/network/net_defaultgw.exp @@ -43,7 +43,8 @@ expect { timeout {puts "TESTING ERROR 10.2\n";exit} "10.10.20.0/29 dev eth0 proto kernel scope link" } -sleep 1 +send -- "exit\r" +after 100 puts "\nall done\n" diff --git a/test/network/net_defaultgw2.exp b/test/network/net_defaultgw2.exp index 86f204e8c..7620e4899 100755 --- a/test/network/net_defaultgw2.exp +++ b/test/network/net_defaultgw2.exp @@ -37,7 +37,8 @@ expect { timeout {puts "TESTING ERROR 10.3\n";exit} "10.10.30.0/24 dev eth1 proto kernel scope link" } -sleep 1 +send -- "exit\r" +after 100 puts "\nall done\n" diff --git a/test/network/net_defaultgw3.exp b/test/network/net_defaultgw3.exp index 30150938f..a47324adc 100755 --- a/test/network/net_defaultgw3.exp +++ b/test/network/net_defaultgw3.exp @@ -14,7 +14,8 @@ expect { "default gateway 10.10.95.89 is not in the range of any network" } -sleep 1 +after 100 + puts "\n" diff --git a/test/network/net_interface.exp b/test/network/net_interface.exp index 2e6619938..2f87024d8 100755 --- a/test/network/net_interface.exp +++ b/test/network/net_interface.exp @@ -86,6 +86,8 @@ expect { timeout {puts "TESTING ERROR 5.1\n";exit} "UP" } +send -- "exit\r" +after 100 puts "all done\n" diff --git a/test/network/net_ip.exp b/test/network/net_ip.exp index 0eff212dd..32103050d 100755 --- a/test/network/net_ip.exp +++ b/test/network/net_ip.exp @@ -69,7 +69,8 @@ expect { timeout {puts "TESTING ERROR 10\n";exit} "10.10.20.0/29 dev eth0 proto kernel scope link" } -sleep 1 +send -- "exit\r" +after 100 puts "\n" diff --git a/test/network/net_local.exp b/test/network/net_local.exp index 60ab2af05..b72b9adaf 100755 --- a/test/network/net_local.exp +++ b/test/network/net_local.exp @@ -43,6 +43,8 @@ expect { timeout {puts "TESTING ERROR 7\n";exit} "255.0.0.0" } +send -- "exit\r" +after 100 puts "all done\n" diff --git a/test/network/net_mac.exp b/test/network/net_mac.exp index 5c48be9fd..d3cd8163f 100755 --- a/test/network/net_mac.exp +++ b/test/network/net_mac.exp 
@@ -33,7 +33,8 @@ expect { timeout {puts "TESTING ERROR 4\n";exit} "Child process initialized" } -sleep 1 +send -- "exit\r" +after 100 puts "\nall done\n" diff --git a/test/network/net_macvlan.exp b/test/network/net_macvlan.exp index ca503c26a..f457ea98f 100755 --- a/test/network/net_macvlan.exp +++ b/test/network/net_macvlan.exp @@ -86,6 +86,8 @@ while { $i <= $MAXi } { after 100 # sleep 1 } +send -- "exit\r" +after 100 puts "\n" diff --git a/test/network/net_mtu.exp b/test/network/net_mtu.exp index 21b9aa5cb..eb9c5d08c 100755 --- a/test/network/net_mtu.exp +++ b/test/network/net_mtu.exp @@ -28,6 +28,8 @@ expect { timeout {puts "TESTING ERROR 4\n";exit} "state UP" } +send -- "exit\r" +after 100 puts "\nall done\n" diff --git a/test/network/net_noip.exp b/test/network/net_noip.exp index 3fb53d860..b557d116c 100755 --- a/test/network/net_noip.exp +++ b/test/network/net_noip.exp @@ -38,6 +38,7 @@ expect { timeout {puts "TESTING ERROR 6\n";exit} "done" } +send -- "exit\r" after 100 puts "all done\n" diff --git a/test/network/net_noip2.exp b/test/network/net_noip2.exp index cf86d7f6b..c86ea4900 100755 --- a/test/network/net_noip2.exp +++ b/test/network/net_noip2.exp @@ -38,6 +38,7 @@ expect { timeout {puts "TESTING ERROR 6\n";exit} "done" } +send -- "exit\r" after 100 puts "all done\n" diff --git a/test/network/net_none.exp b/test/network/net_none.exp index 1c1577d76..1761eb423 100755 --- a/test/network/net_none.exp +++ b/test/network/net_none.exp @@ -66,6 +66,7 @@ expect { "eth0" {puts "TESTING ERROR 5.1\n";exit} "done" } -sleep 1 +send -- "exit\r" +after 100 puts "\nall done\n" diff --git a/test/network/net_profile.exp b/test/network/net_profile.exp index 7e88193cc..dee0b2793 100755 --- a/test/network/net_profile.exp +++ b/test/network/net_profile.exp @@ -70,7 +70,8 @@ expect { "state UP" } -sleep 1 +send -- "exit\r" +after 100 puts "\nall done\n" diff --git a/test/profiles/ignore.exp b/test/profiles/ignore.exp index 281697b26..0c5691e9a 100755 
--- a/test/profiles/ignore.exp +++ b/test/profiles/ignore.exp @@ -46,5 +46,5 @@ expect { "Child process initialized" } - +after 100 puts "\nall done\n" diff --git a/test/profiles/profile_followlnk.exp b/test/profiles/profile_followlnk.exp index 4d89de26b..eb3d04852 100755 --- a/test/profiles/profile_followlnk.exp +++ b/test/profiles/profile_followlnk.exp @@ -31,7 +31,8 @@ expect { sleep 1 send -- "exit\r" +after 100 send -- "rm -fr /tmp/firejailtest*\r" -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/profiles/profile_noperm.exp b/test/profiles/profile_noperm.exp index 25ec580bd..b3b031cb2 100755 --- a/test/profiles/profile_noperm.exp +++ b/test/profiles/profile_noperm.exp @@ -9,5 +9,5 @@ expect { timeout {puts "TESTING ERROR 0\n";exit} "cannot access profile" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/profiles/profile_readonly.exp b/test/profiles/profile_readonly.exp index e8e78d6ad..c1c9544a6 100755 --- a/test/profiles/profile_readonly.exp +++ b/test/profiles/profile_readonly.exp @@ -28,9 +28,9 @@ expect { "Read-only file system" } send -- "exit\r" -sleep 1 +after 100 send -- "rm -fr /tmp/firejailtest*\r" -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/profiles/profile_syntax.exp b/test/profiles/profile_syntax.exp index dd6b637ed..c8cb99a5f 100755 --- a/test/profiles/profile_syntax.exp +++ b/test/profiles/profile_syntax.exp @@ -50,5 +50,5 @@ expect { } send -- "exit\r" -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/profiles/profile_syntax2.exp b/test/profiles/profile_syntax2.exp index ba83731be..9dca35ca2 100755 --- a/test/profiles/profile_syntax2.exp +++ b/test/profiles/profile_syntax2.exp @@ -45,6 +45,6 @@ expect { timeout {puts "TESTING ERROR 8\n";exit} "Child process initialized" } - -sleep 1 +send -- "exit\r" +after 100 puts "\nall done\n" diff --git a/test/utils/caps-print.exp b/test/utils/caps-print.exp index 9cc4b1872..fa5239da2 100755 --- a/test/utils/caps-print.exp +++ b/test/utils/caps-print.exp 
@@ -28,5 +28,5 @@ expect { timeout {puts "TESTING ERROR 3\n";exit} "net_raw - disabled" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/utils/cpu-print.exp b/test/utils/cpu-print.exp index 4a9ffa0ac..ca2e57313 100755 --- a/test/utils/cpu-print.exp +++ b/test/utils/cpu-print.exp @@ -20,5 +20,5 @@ expect { timeout {puts "TESTING ERROR 1\n";exit} "Cpus_allowed_list: 1-2" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/utils/dns-print.exp b/test/utils/dns-print.exp index 51dcab508..406ab5149 100755 --- a/test/utils/dns-print.exp +++ b/test/utils/dns-print.exp @@ -20,5 +20,5 @@ expect { timeout {puts "TESTING ERROR 1\n";exit} "nameserver 1.2.3.4" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/utils/fs-print.exp b/test/utils/fs-print.exp index fa0eab95b..4d4ceb718 100755 --- a/test/utils/fs-print.exp +++ b/test/utils/fs-print.exp @@ -28,5 +28,5 @@ expect { timeout {puts "TESTING ERROR 3\n";exit} "blacklist /proc/kmsg" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/utils/join-profile.exp b/test/utils/join-profile.exp index a4262b999..a2078c2f6 100755 --- a/test/utils/join-profile.exp +++ b/test/utils/join-profile.exp @@ -30,6 +30,6 @@ expect { } send -- "exit" -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/utils/join.exp b/test/utils/join.exp index ab4917f7d..7f582e2e5 100755 --- a/test/utils/join.exp +++ b/test/utils/join.exp @@ -33,6 +33,6 @@ expect { } send -- "exit" -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/utils/join2.exp b/test/utils/join2.exp index 82540fe39..5895eb730 100755 --- a/test/utils/join2.exp +++ b/test/utils/join2.exp @@ -33,6 +33,6 @@ expect { } send -- "exit" -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/utils/join3.exp b/test/utils/join3.exp index e92045dd1..3ccc47bf9 100755 --- a/test/utils/join3.exp +++ b/test/utils/join3.exp @@ -33,6 +33,6 @@ expect { } send -- "exit" -sleep 1 +after 100 puts "\nall done\n" 
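Review bot: `send -- "exit"` in join-profile.exp has no trailing `\r`, unlike the `send -- "exit\r"` used in the other scripts of this patch, so the command is typed but apparently never submitted to the joined shell. With the wait cut to 100 ms the script then reports "all done" while that shell is presumably still running. The same line appears in join.exp, join2.exp and join3.exp; each should read `send -- "exit\r"`.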
diff --git a/test/utils/ls.exp b/test/utils/ls.exp index 3a99be0d5..b83957a4f 100755 --- a/test/utils/ls.exp +++ b/test/utils/ls.exp @@ -37,5 +37,5 @@ expect { sleep 1 send -- "rm -f lstesting\r" -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/utils/protocol-print.exp b/test/utils/protocol-print.exp index 152a64467..b4b94ea93 100755 --- a/test/utils/protocol-print.exp +++ b/test/utils/protocol-print.exp @@ -20,5 +20,5 @@ expect { timeout {puts "TESTING ERROR 1\n";exit} "unix,inet,inet6" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/utils/seccomp-print.exp b/test/utils/seccomp-print.exp index d0531a9c3..f6ff1e721 100755 --- a/test/utils/seccomp-print.exp +++ b/test/utils/seccomp-print.exp @@ -32,5 +32,5 @@ expect { timeout {puts "TESTING ERROR 4\n";exit} "RETURN_ALLOW" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/utils/shutdown2.exp b/test/utils/shutdown2.exp index 7857b919c..777a73ec9 100755 --- a/test/utils/shutdown2.exp +++ b/test/utils/shutdown2.exp @@ -40,6 +40,6 @@ expect { timeout {puts "TESTING ERROR 5\n";exit} "5" } -sleep 1 +after 100 puts "\nalldone\n" diff --git a/test/utils/shutdown3.exp b/test/utils/shutdown3.exp index 02b68c4ce..a74fb3386 100755 --- a/test/utils/shutdown3.exp +++ b/test/utils/shutdown3.exp @@ -60,6 +60,6 @@ expect { timeout {puts "TESTING ERROR 10\n";exit} "5" } -sleep 1 +after 100 puts "\nalldone\n" diff --git a/test/utils/shutdown4.exp b/test/utils/shutdown4.exp index 0f2e0e7fe..2942ba3d5 100755 --- a/test/utils/shutdown4.exp +++ b/test/utils/shutdown4.exp @@ -60,6 +60,6 @@ expect { timeout {puts "TESTING ERROR 50\n";exit} "50" } -sleep 1 +after 100 puts "\nalldone\n" diff --git a/test/utils/trace.exp b/test/utils/trace.exp index b562a6b49..78a04b273 100755 --- a/test/utils/trace.exp +++ b/test/utils/trace.exp @@ -110,5 +110,6 @@ expect { "bash:access /etc/terminfo/" {puts "debian\n"} "bash:access /usr/share/terminfo/" {puts "arch\n"} } +after 100 puts "\nall done\n" -- cgit v1.2.3-70-g09d2 
From 940003dcd7bdd4dfa5e7e5444cdf3b91be4ebdc8 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 22 Aug 2016 17:07:36 -0400 Subject: allow-debuggers --- src/man/firejail.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/man/firejail.txt b/src/man/firejail.txt index cc47e3dc6..b258c3d20 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -82,7 +82,7 @@ Allow tools such as strace and gdb inside the sandbox. .br Example: .br -$ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile --allow-debuggers strace -f firefox +$ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox .TP \fB\-\-apparmor Enable AppArmor confinement. Formore information, please see \fBAPPARMOR\fR section below. -- cgit v1.2.3-70-g09d2 From 8db0f9d8b925887df2c1a0941d53c379492d36b0 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 22 Aug 2016 18:20:35 -0400 Subject: x11 command in profile files --- RELNOTES | 1 + src/firejail/profile.c | 17 +++++++++++++++++ src/man/firejail-profile.txt | 3 +++ 3 files changed, 21 insertions(+) diff --git a/RELNOTES b/RELNOTES index 1f62c4d64..6d029d320 100644 --- a/RELNOTES +++ b/RELNOTES @@ -29,6 +29,7 @@ firejail (0.9.42~rc2) baseline; urgency=low * run time support to disable remounting of /proc and /sys * added quiet-by-default config option in /etc/firejail/firejail.config * added netfilter-default config option in /etc/firejail/firejail.config + * added x11 command for profile files * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice * new profiles: pix, audacity, xz, xzdec, gzip, cpio, less * new profiles: Atom Beta, Atom, jitsi, eom, uudeview diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 26f434f3b..916e39892 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c 
@@ -613,6 +613,23 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { arg_private = 1; return 0; } + + if (strcmp(ptr, "x11") == 0) { +#ifdef HAVE_X11 + if (checkcfg(CFG_X11)) { + char *x11env = getenv("FIREJAIL_X11"); + if (x11env && strcmp(x11env, "yes") == 0) + return 0; + else { + // start x11 + x11_start(cfg.original_argc, cfg.original_argv); + exit(0); + } + } +#endif + return 0; + } + if (strncmp(ptr, "private-template ", 17) == 0) { if (arg_private) { diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 52802755f..e3217bbff 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -258,6 +258,9 @@ does not result in an increase of privilege. \fBnoroot Use this command to enable an user namespace. The namespace has only one user, the current user. There is no root account (uid 0) defined in the namespace. +.TP +\fBx11 +Enable X11 sandboxing. .SH Resource limits, CPU affinity, Control Groups These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox. -- cgit v1.2.3-70-g09d2 From b1de742a08cccb5f3ae7e2a8fa851aa0059c92f4 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Tue, 23 Aug 2016 10:00:31 +0300 Subject: remove unneeded chown --- src/firejail/appimage.c | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index db9382dc3..37e3de5d8 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c 
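Review bot: The new `x11` branch in profile_check_line() returns 0 without any message when `checkcfg(CFG_X11)` is false or when the build lacks HAVE_X11, so a profile that asks for X11 sandboxing starts the program without it and nothing tells the user the request was dropped. Only those two cases reach the final `return 0;` of the branch, so a warning placed just before it makes the fallback visible: `fprintf(stderr, "Warning: x11 profile command ignored, X11 sandboxing is not available\n");`. The early return on `FIREJAIL_X11=yes` trusts an environment variable, presumably set by x11_start() for the re-executed sandbox; a comment saying so would help, since a stale value inherited from the parent environment has the same effect. profile_check_line() starts and ends outside the hunk.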
@@ -39,15 +39,20 @@ void appimage_set(const char *appimage_path) { assert(appimage_path); assert(devloop == NULL); // don't call this twice! EUID_ASSERT(); - + // check appimage_path if (access(appimage_path, R_OK) == -1) { fprintf(stderr, "Error: cannot access AppImage file\n"); exit(1); } - + + // open as user to prevent race condition + int ffd = open(appimage_path, O_RDONLY|O_CLOEXEC); + if (ffd == -1) + errExit("open"); + EUID_ROOT(); - + // find or allocate a free loop device to use int cfd = open("/dev/loop-control", O_RDWR); int devnr = ioctl(cfd, LOOP_CTL_GET_FREE); @@ -59,7 +64,6 @@ void appimage_set(const char *appimage_path) { if (asprintf(&devloop, "/dev/loop%d", devnr) == -1) errExit("asprintf"); - int ffd = open(appimage_path, O_RDONLY|O_CLOEXEC); int lfd = open(devloop, O_RDONLY); if (ioctl(lfd, LOOP_SET_FD, ffd) == -1) { fprintf(stderr, "Error: cannot configure the loopback device\n"); @@ -68,22 +72,21 @@ void appimage_set(const char *appimage_path) { close(lfd); close(ffd); + EUID_USER(); + + // creates directory with perms 0700 char dirname[] = "/tmp/firejail-mnt-XXXXXX"; mntdir = strdup(mkdtemp(dirname)); if (mntdir == NULL) { fprintf(stderr, "Error: cannot create temporary directory\n"); exit(1); } - mkdir(mntdir, 755); - if (chown(mntdir, getuid(), getgid()) == -1) - errExit("chown"); - if (chmod(mntdir, 755) == -1) - errExit("chmod"); char *mode; - if (asprintf(&mode, "mode=755,uid=%d,gid=%d", getuid(), getgid()) == -1) + if (asprintf(&mode, "mode=700,uid=%d,gid=%d", getuid(), getgid()) == -1) errExit("asprintf"); + EUID_ROOT(); if (mount(devloop, mntdir, "iso9660",MS_MGC_VAL|MS_RDONLY, mode) < 0) errExit("mounting appimage"); -- cgit v1.2.3-70-g09d2 From 0c7a3b7269e481065bff70ecdf342de37039b602 Mon Sep 17 00:00:00 2001 
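Review bot: The `access(appimage_path, R_OK)` test that stays at the top of appimage_set() is now redundant with the `open()` added below it and keeps a check-then-use pair on the same path; the descriptor opened before EUID_ROOT() is the authoritative permission check. Dropping the access() call and reporting the failure from open() keeps the user-facing message: `if (ffd == -1) { fprintf(stderr, "Error: cannot access AppImage file\n"); exit(1); }`. The context lines also show `open("/dev/loop-control", O_RDWR)` feeding `ioctl()` with no check on `cfd`; the rest of that sequence lies outside the hunk.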
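Review bot: `mntdir = strdup(mkdtemp(dirname));` in the last appimage.c hunk hands NULL to strdup() when mkdtemp() fails, and the NULL test after it only sees strdup's result. With mkdir/chown/chmod removed, mkdtemp() is the only step that creates the mount point, so test it first: `char *d = mkdtemp(dirname); if (d == NULL) errExit("mkdtemp");` followed by `mntdir = strdup(d);`. The directory is now created after EUID_USER() and mounted on after EUID_ROOT(), so the path belongs to the invoking user in between; confirming it is still a plain directory right before `mount()` (the series uses `is_link()` for this kind of test in fs.c) would be a cheap guard.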
From: netblue30 Date: Tue, 23 Aug 2016 07:01:46 -0400 Subject: overlayfs fixes --- RELNOTES | 1 - src/firejail/fs.c | 8 +++++-- src/firejail/main.c | 9 ++++++++ src/firejail/sandbox.c | 63 ++++++++++++++++++++++++++++---------------------- src/firejail/usage.c | 20 ++++++++++++++++ src/man/firejail.txt | 18 --------------- 6 files changed, 71 insertions(+), 48 deletions(-) diff --git a/RELNOTES b/RELNOTES index 6d029d320..ee3d60230 100644 --- a/RELNOTES +++ b/RELNOTES @@ -16,7 +16,6 @@ firejail (0.9.42~rc2) baseline; urgency=low * noexec support (--noexec) * --overlay-clean option * --overlay-named=name option - * --overlay-path=path option * compile time and run time support to disable overlayfs * Ubuntu snap support * include /dev/snd in --private-dev diff --git a/src/firejail/fs.c b/src/firejail/fs.c index ddb25c2dd..c5ef27615 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -817,9 +817,10 @@ void fs_basic_fs(void) { #ifdef HAVE_OVERLAYFS char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) { - // create ~/.firejail directory struct stat s; char *dirname; + + // create ~/.firejail directory if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1) errExit("asprintf"); if (stat(dirname, &s) == -1) { @@ -835,12 +836,15 @@ char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) { fprintf(stderr, "Error: invalid ~/.firejail directory\n"); exit(1); } - free(dirname); // check overlay directory if (asprintf(&dirname, "%s/.firejail/%s", cfg.homedir, subdirname) == -1) errExit("asprintf"); + if (is_link(dirname)) { + fprintf(stderr, "Error: overlay directory is a symbolic link\n"); + exit(1); + } if (allow_reuse == 0) { if (stat(dirname, &s) == 0) { fprintf(stderr, "Error: overlay directory already exists: %s\n", dirname); diff --git a/src/firejail/main.c b/src/firejail/main.c index bdb8e0df5..27e2a7f1a 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c 
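Review bot: The `is_link(dirname)` test added to fs_check_overlay_dir() is path-based, and the `stat()` that follows (plus whatever creates or reuses the directory past the end of this hunk) resolves the same path again, so the check narrows the window rather than closing it for a directory under the user's own ~/.firejail. If the later steps run with elevated privileges, opening the directory once with `O_DIRECTORY|O_NOFOLLOW` and calling `fstat()` on that descriptor would tie the check to the object actually used. At minimum a comment should state that only the last path component is tested; the parent ~/.firejail is examined above with `stat()`, which follows links. The function continues outside the hunk.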
@@ -1365,6 +1365,13 @@ int main(int argc, char **argv) { fprintf(stderr, "Error: invalid overlay option\n"); exit(1); } + + // check name + invalid_filename(subdirname); + if (strstr(subdirname, "..") || strstr(subdirname, "/")) { + fprintf(stderr, "Error: invalid overlay name\n"); + exit(1); + } cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse); } else { @@ -1373,6 +1380,7 @@ int main(int argc, char **argv) { } } +#if 0 // disabled for now, it could be used to overwrite system directories else if (strncmp(argv[i], "--overlay-path=", 15) == 0) { if (checkcfg(CFG_OVERLAYFS)) { if (cfg.chrootdir) { @@ -1400,6 +1408,7 @@ int main(int argc, char **argv) { exit(1); } } +#endif else if (strcmp(argv[i], "--overlay-tmpfs") == 0) { if (checkcfg(CFG_OVERLAYFS)) { if (cfg.chrootdir) { diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 0818bf450..0851e71cd 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -378,7 +378,30 @@ void start_application(void) { exit(1); // it should never get here!!! } - +static void enforce_filters(void) { + // force default seccomp inside the chroot, no keep or drop list + // the list build on top of the default drop list is kept intact + arg_seccomp = 1; + if (cfg.seccomp_list_drop) { + free(cfg.seccomp_list_drop); + cfg.seccomp_list_drop = NULL; + } + if (cfg.seccomp_list_keep) { + free(cfg.seccomp_list_keep); + cfg.seccomp_list_keep = NULL; + } + + // disable all capabilities + if (arg_caps_default_filter || arg_caps_list) + fprintf(stderr, "Warning: all capabilities disabled for a regular user in chroot\n"); + arg_caps_drop_all = 1; + + // drop all supplementary groups; /etc/group file inside chroot + // is controlled by a regular usr + arg_nogroups = 1; + if (!arg_quiet) + printf("Dropping all Linux capabilities and enforcing default seccomp filter\n"); +} int sandbox(void* sandbox_arg) { // Get rid of unused parameter warning 
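Review bot: The name test added for `--overlay-named=` rejects `..` and `/` but, unless invalid_filename() already covers it, still accepts a name of `.`, which makes the `%s/.firejail/%s` path built in fs_check_overlay_dir() resolve to ~/.firejail itself. Adding that case is a one-line change: `if (strcmp(subdirname, ".") == 0 || strstr(subdirname, "..") || strchr(subdirname, '/')) {`. invalid_filename() is not visible here, so a comment next to the call saying what it rejects would make the layering clear. The enclosing option loop in main() lies outside the hunk.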
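Review bot: enforce_filters() still prints `Warning: all capabilities disabled for a regular user in chroot`, and its comments speak only of the chroot, although a later hunk of this patch calls it from the overlay branch as well. The message and comments should name both cases, e.g. `"Warning: all capabilities disabled for a regular user in chroot or overlay\n"` (check the test scripts for a match on the old text first). A header comment is also missing: it should say that the function forces `arg_seccomp`, `arg_caps_drop_all` and `arg_nogroups` to 1 and discards `cfg.seccomp_list_drop` and `cfg.seccomp_list_keep`, since the name does not reveal that user-supplied filter lists are thrown away.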
@@ -463,37 +486,13 @@ int sandbox(void* sandbox_arg) { #ifdef HAVE_CHROOT if (cfg.chrootdir) { fs_chroot(cfg.chrootdir); - -// // redo cp command -// fs_build_cp_command(); // force caps and seccomp if not started as root if (getuid() != 0) { - // force default seccomp inside the chroot, no keep or drop list - // the list build on top of the default drop list is kept intact - arg_seccomp = 1; + enforce_filters(); #ifdef HAVE_SECCOMP enforce_seccomp = 1; #endif - if (cfg.seccomp_list_drop) { - free(cfg.seccomp_list_drop); - cfg.seccomp_list_drop = NULL; - } - if (cfg.seccomp_list_keep) { - free(cfg.seccomp_list_keep); - cfg.seccomp_list_keep = NULL; - } - - // disable all capabilities - if (arg_caps_default_filter || arg_caps_list) - fprintf(stderr, "Warning: all capabilities disabled for a regular user in chroot\n"); - arg_caps_drop_all = 1; - - // drop all supplementary groups; /etc/group file inside chroot - // is controlled by a regular usr - arg_nogroups = 1; - if (!arg_quiet) - printf("Dropping all Linux capabilities and enforcing default seccomp filter\n"); } else arg_seccomp = 1; @@ -507,8 +506,18 @@ int sandbox(void* sandbox_arg) { else #endif #ifdef HAVE_OVERLAYFS - if (arg_overlay) + if (arg_overlay) { fs_overlayfs(); + // force caps and seccomp if not started as root + if (getuid() != 0) { + enforce_filters(); +#ifdef HAVE_SECCOMP + enforce_seccomp = 1; +#endif + } + else + arg_seccomp = 1; + } else #endif fs_basic_fs(); diff --git a/src/firejail/usage.c b/src/firejail/usage.c index ebe1c8830..d4eab7802 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c 
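Review bot: The block added under `if (arg_overlay)` repeats the chroot branch line for line: `enforce_filters()` plus `enforce_seccomp = 1` under HAVE_SECCOMP when `getuid() != 0`, otherwise `arg_seccomp = 1`. Two copies of a privilege-dropping decision can drift apart the next time one of them is edited. If `enforce_seccomp` is visible at file scope, setting it inside enforce_filters() would leave a single call in each branch; its declaration is not shown in these hunks, so that needs checking. Otherwise a comment on each copy pointing at the other would at least flag the pairing.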
@@ -185,10 +185,30 @@ void usage(void) { printf("\t$HOME/.firejail/ directory. (OverlayFS support is required in\n"); printf("\tLinux kernel for this option to work). \n\n"); +#if 0 // disabled for now, it could be used to overwrite system directories printf(" --overlay-path=path - mount a filesystem overlay on top of the current\n"); printf("\tfilesystem. The upper filesystem layer is persistent, and stored in\n"); printf("\tthe specified path. (OverlayFS support is required in Linux kernel for\n"); printf("\tthis option to work). \n\n"); + +.TP +\fB\-\-overlay-path=path +Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container, +the system directories are mounted read-write. All filesystem modifications go into the overlay. +The overlay is stored in the specified path. The created overlay can be reused between multiple sessions. +.br + +.br +OverlayFS support is required in Linux kernel for this option to work. +OverlayFS was officially introduced in Linux kernel version 3.18. +This option is not available on Grsecurity systems. +.br + +.br +Example: +.br +$ firejail \-\-overlay-path=~/jails/jail1 firefox +#endif printf(" --overlay-tmpfs - mount a filesystem overlay on top of the current\n"); printf("\tfilesystem. The upper layer is stored in a tmpfs filesystem,\n"); diff --git a/src/man/firejail.txt b/src/man/firejail.txt index b258c3d20..19fca9854 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
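Review bot: The `#if 0` region added to usage() contains man-page roff source (`.TP`, `\fB\-\-overlay-path=path`, `.br`) pasted after the printf calls; it is not C and only builds because the preprocessor skips the group, so a stray apostrophe or quote in that text would start producing diagnostics. Since the option is disabled for a security reason, dropping the parked text and leaving a one-line pointer is clearer: `// --overlay-path is disabled: it could be used to overwrite system directories`. The man-page paragraph is removed from firejail.txt in the same commit and stays recoverable from history.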
@@ -1036,24 +1036,6 @@ Example: .br $ firejail \-\-overlay-named=jail1 firefox -.TP -\fB\-\-overlay-path=path -Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container, -the system directories are mounted read-write. All filesystem modifications go into the overlay. -The overlay is stored in the specified path. The created overlay can be reused between multiple sessions. -.br - -.br -OverlayFS support is required in Linux kernel for this option to work. -OverlayFS was officially introduced in Linux kernel version 3.18. -This option is not available on Grsecurity systems. -.br - -.br -Example: -.br -$ firejail \-\-overlay-path=~/jails/jail1 firefox - .TP \fB\-\-overlay-tmpfs Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay, -- cgit v1.2.3-70-g09d2 From c6abe4d06cc6349b9a814b11c5058f749ac8585a Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 23 Aug 2016 07:59:03 -0400 Subject: run time support to disable chroot desktop features --- RELNOTES | 1 + etc/firejail.config | 5 ++ src/firejail/checkcfg.c | 8 +++ src/firejail/firejail.h | 3 +- src/firejail/fs.c | 132 +++++++++++++++++++++++++----------------------- 5 files changed, 84 insertions(+), 65 deletions(-) diff --git a/RELNOTES b/RELNOTES index ee3d60230..2a3d93771 100644 --- a/RELNOTES +++ b/RELNOTES @@ -26,6 +26,7 @@ firejail (0.9.42~rc2) baseline; urgency=low * compile time and run time support to disable whitelists * compile time support to disable global configuration file * run time support to disable remounting of /proc and /sys + * run time support to disable chroot desktop features * added quiet-by-default config option in /etc/firejail/firejail.config * added netfilter-default config option in /etc/firejail/firejail.config * added x11 command for profile files diff --git a/etc/firejail.config b/etc/firejail.config index 275bba8e2..6b6ba7fdf 100644 --- a/etc/firejail.config +++ b/etc/firejail.config 
@@ -9,6 +9,11 @@ # Enable or disable chroot support, default enabled. # chroot yes +# Use chroot for desktop programs, default enabled. The sandbox will have full +# access to system's /dev directory in order to allow video acceleration, +# and it will harden the rest of the chroot tree. +# chroot-desktop yes + # Enable or disable file transfer support, default enabled. # file-transfer yes diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index fed934434..5bc859f8d 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -241,6 +241,14 @@ int checkcfg(int val) { else goto errout; } + else if (strncmp(ptr, "chroot-desktop ", 15) == 0) { + if (strcmp(ptr + 15, "yes") == 0) + cfg_val[CFG_CHROOT_DESKTOP] = 1; + else if (strcmp(ptr + 15, "no") == 0) + cfg_val[CFG_CHROOT_DESKTOP] = 0; + else + goto errout; + } else goto errout; diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 8e30e929a..abbaa807c 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -593,7 +593,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh); #define CFG_XEPHYR_WINDOW_TITLE 10 #define CFG_REMOUNT_PROC_SYS 11 #define CFG_OVERLAYFS 12 -#define CFG_MAX 13 // this should always be the last entry +#define CFG_CHROOT_DESKTOP 13 +#define CFG_MAX 14 // this should always be the last entry extern char *xephyr_screen; extern char *xephyr_extra_params; extern char *netfilter_default; diff --git a/src/firejail/fs.c b/src/firejail/fs.c index c5ef27615..6c87df1e9 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c 
@@ -1211,56 +1211,58 @@ int fs_check_chroot_dir(const char *rootdir) { void fs_chroot(const char *rootdir) { assert(rootdir); - // mount-bind a /dev in rootdir - char *newdev; - if (asprintf(&newdev, "%s/dev", rootdir) == -1) - errExit("asprintf"); - if (arg_debug) - printf("Mounting /dev on %s\n", newdev); - if (mount("/dev", newdev, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mounting /dev"); - free(newdev); - - // x11 - if (getenv("FIREJAIL_X11")) { - char *newx11; - if (asprintf(&newx11, "%s/tmp/.X11-unix", rootdir) == -1) + if (checkcfg(CFG_CHROOT_DESKTOP)) { + // mount-bind a /dev in rootdir + char *newdev; + if (asprintf(&newdev, "%s/dev", rootdir) == -1) errExit("asprintf"); if (arg_debug) - printf("Mounting /tmp/.X11-unix on %s\n", newx11); - if (mount("/tmp/.X11-unix", newx11, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mounting /tmp/.X11-unix"); - free(newx11); - } - - // some older distros don't have a /run directory - // create one by default - // no exit on error, let the user deal with any problems - char *rundir; - if (asprintf(&rundir, "%s/run", rootdir) == -1) - errExit("asprintf"); - if (!is_dir(rundir)) { - int rv = mkdir(rundir, 0755); - (void) rv; - rv = chown(rundir, 0, 0); - (void) rv; + printf("Mounting /dev on %s\n", newdev); + if (mount("/dev", newdev, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mounting /dev"); + free(newdev); + + // x11 + if (getenv("FIREJAIL_X11")) { + char *newx11; + if (asprintf(&newx11, "%s/tmp/.X11-unix", rootdir) == -1) + errExit("asprintf"); + if (arg_debug) + printf("Mounting /tmp/.X11-unix on %s\n", newx11); + if (mount("/tmp/.X11-unix", newx11, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mounting /tmp/.X11-unix"); + free(newx11); + } + + // some older distros don't have a /run directory + // create one by default + // no exit on error, let the user deal with any problems + char *rundir; + if (asprintf(&rundir, "%s/run", rootdir) == -1) + errExit("asprintf"); + if (!is_dir(rundir)) { + int rv = mkdir(rundir, 
0755); + (void) rv; + rv = chown(rundir, 0, 0); + (void) rv; + } + + // copy /etc/resolv.conf in chroot directory + // if resolv.conf in chroot is a symbolic link, this will fail + // no exit on error, let the user deal with the problem + char *fname; + if (asprintf(&fname, "%s/etc/resolv.conf", rootdir) == -1) + errExit("asprintf"); + if (arg_debug) + printf("Updating /etc/resolv.conf in %s\n", fname); + if (is_link(fname)) { + fprintf(stderr, "Error: invalid %s file\n", fname); + exit(1); + } + if (copy_file("/etc/resolv.conf", fname) == -1) + fprintf(stderr, "Warning: /etc/resolv.conf not initialized\n"); } - // copy /etc/resolv.conf in chroot directory - // if resolv.conf in chroot is a symbolic link, this will fail - // no exit on error, let the user deal with the problem - char *fname; - if (asprintf(&fname, "%s/etc/resolv.conf", rootdir) == -1) - errExit("asprintf"); - if (arg_debug) - printf("Updating /etc/resolv.conf in %s\n", fname); - if (is_link(fname)) { - fprintf(stderr, "Error: invalid %s file\n", fname); - exit(1); - } - if (copy_file("/etc/resolv.conf", fname) == -1) - fprintf(stderr, "Warning: /etc/resolv.conf not initialized\n"); - // chroot into the new directory if (arg_debug) printf("Chrooting into %s\n", rootdir); 
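Review bot: `rundir` and `fname` in the re-indented block of fs_chroot() are never freed, while `newdev` and `newx11` next to them are; now that both are scoped to the new `if` block, `free(rundir);` after the mkdir/chown pair and `free(fname);` after the copy_file() call would make the block consistent. The `is_link(fname)` test and `copy_file("/etc/resolv.conf", fname)` both go through the path inside `rootdir`, so the symlink rejection holds only if nothing changes that file between the two calls. A comment stating who may write to the chroot tree at this point would record that assumption. The function starts before this hunk and continues after it.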
@@ -1269,24 +1271,26 @@ void fs_chroot(const char *rootdir) { // mount a new tmpfs in /run/firejail/mnt - the old one was lost in chroot fs_build_remount_mnt_dir(); - // update /var directory in order to support multiple sandboxes running on the same root directory - if (!arg_private_dev) - fs_dev_shm(); - fs_var_lock(); - fs_var_tmp(); - fs_var_log(); - fs_var_lib(); - fs_var_cache(); - fs_var_utmp(); - - // don't leak user information - restrict_users(); - - // when starting as root, firejail config is not disabled; - // this mode could be used to install and test new software by chaining - // firejail sandboxes (firejail --force) - if (getuid() != 0) - disable_config(); + if (checkcfg(CFG_CHROOT_DESKTOP)) { + // update /var directory in order to support multiple sandboxes running on the same root directory + if (!arg_private_dev) + fs_dev_shm(); + fs_var_lock(); + fs_var_tmp(); + fs_var_log(); + fs_var_lib(); + fs_var_cache(); + fs_var_utmp(); + + // don't leak user information + restrict_users(); + + // when starting as root, firejail config is not disabled; + // this mode could be used to install and test new software by chaining + // firejail sandboxes (firejail --force) + if (getuid() != 0) + disable_config(); + } } #endif -- cgit v1.2.3-70-g09d2 From 567585fe3b2375e0b9dc55dac3672b99aade19f0 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 23 Aug 2016 08:48:38 -0400 Subject: chroot and overlayfs hardening --- src/firejail/sandbox.c | 44 +++++++++++++++++++++++++++++++++++++------- 1 file changed, 37 insertions(+), 7 deletions(-) diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 0851e71cd..40df00a98 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c 
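Review bot: The second `checkcfg(CFG_CHROOT_DESKTOP)` block also encloses `restrict_users();` and `if (getuid() != 0) disable_config();`, which by their own comments ("don't leak user information") are hardening steps rather than desktop conveniences. With chroot-desktop switched off, a chroot sandbox would apparently start without them. Unless they depend on the /var setup above them, close the block after `fs_var_utmp();` and keep those two calls unconditional, with a comment such as `// hardening: applies with or without chroot-desktop`. fs_chroot starts outside this hunk.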
@@ -533,8 +533,14 @@ int sandbox(void* sandbox_arg) { // private mode //**************************** if (arg_private) { - if (cfg.home_private) // --private= - fs_private_homedir(); + if (cfg.home_private) { // --private= + if (cfg.chrootdir) + fprintf(stderr, "Warning: private=directory feature is disabled in chroot\n"); + else if (arg_overlay) + fprintf(stderr, "Warning: private=directory feature is disabled in overlay\n"); + else + fs_private_homedir(); + } else // --private fs_private(); } @@ -542,11 +548,20 @@ int sandbox(void* sandbox_arg) { if (arg_private_template) fs_private_template(); - if (arg_private_dev) - fs_private_dev(); + if (arg_private_dev) { + if (cfg.chrootdir) + fprintf(stderr, "Warning: private-dev feature is disabled in chroot\n"); + else if (arg_overlay) + fprintf(stderr, "Warning: private-dev feature is disabled in overlay\n"); + else + fs_private_dev(); + } + if (arg_private_etc) { if (cfg.chrootdir) fprintf(stderr, "Warning: private-etc feature is disabled in chroot\n"); + else if (arg_overlay) + fprintf(stderr, "Warning: private-etc feature is disabled in overlay\n"); else { fs_private_etc_list(); // create /etc/ld.so.preload file again @@ -554,14 +569,24 @@ int sandbox(void* sandbox_arg) { fs_trace_preload(); } } + if (arg_private_bin) { if (cfg.chrootdir) fprintf(stderr, "Warning: private-bin feature is disabled in chroot\n"); + else if (arg_overlay) + fprintf(stderr, "Warning: private-bin feature is disabled in overlay\n"); else fs_private_bin_list(); } - if (arg_private_tmp) - fs_private_tmp(); + + if (arg_private_tmp) { + if (cfg.chrootdir) + fprintf(stderr, "Warning: private-tmp feature is disabled in chroot\n"); + else if (arg_overlay) + fprintf(stderr, "Warning: private-tmp feature is disabled in overlay\n"); + else + fs_private_tmp(); + } //**************************** // update /proc, /sys, /dev, /boot directorymy 
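Review bot: The same chroot/overlay warning ladder is written out for `private=`, `private-dev`, `private-etc`, `private-bin` and `private-tmp` in these three hunks, and again for `whitelist` in the hunk that follows, so the policy now lives in six copies that have to be kept in step. A small static helper that prints the warning and reports whether the feature is disabled would leave one place to change. In every branch the sandbox still starts after only a warning, so a caller who asked for `--private-tmp` or a whitelist gets a weaker sandbox than requested; that should at least be stated in a comment next to the helper. sandbox() starts and ends outside these hunks.

```c
// Returns 1 (after a warning) when the named feature cannot be used because
// the sandbox runs in a chroot or on an overlay; the sandbox still starts.
static int feature_disabled(const char *name) {
	if (cfg.chrootdir) {
		fprintf(stderr, "Warning: %s feature is disabled in chroot\n", name);
		return 1;
	}
	if (arg_overlay) {
		fprintf(stderr, "Warning: %s feature is disabled in overlay\n", name);
		return 1;
	}
	return 0;
}

// … unchanged: private mode block …
if (arg_private_dev && !feature_disabled("private-dev"))
	fs_private_dev();
// … unchanged: private-etc, private-bin, private-tmp follow the same shape …
```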
@@ -574,7 +599,12 @@ int sandbox(void* sandbox_arg) { //**************************** if (cfg.profile) { // apply all whitelist commands ... - fs_whitelist(); + if (cfg.chrootdir) + fprintf(stderr, "Warning: whitelist feature is disabled in chroot\n"); + else if (arg_overlay) + fprintf(stderr, "Warning: whitelist feature is disabled in overlay\n"); + else + fs_whitelist(); // ... followed by blacklist commands fs_blacklist(); -- cgit v1.2.3-70-g09d2 From 1bb4451d94cde3b4617c3cbdcf765cedb2945e06 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 23 Aug 2016 10:04:41 -0400 Subject: Firejail prompt is enabled by env variable FIREJAIL_PROMPT=yes --- RELNOTES | 57 +++++++++++++++++++++++++++--------------------------- src/firejail/env.c | 10 +++++++--- 2 files changed, 36 insertions(+), 31 deletions(-) diff --git a/RELNOTES b/RELNOTES index 2a3d93771..cc0c1489c 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -1,35 +1,36 @@ firejail (0.9.42~rc2) baseline; urgency=low * security: --whitelist deleted files, submitted by Vasya Novikov - * security: disable x32 ABI, submitted by Jann Horn + * security: disable x32 ABI in seccomp, submitted by Jann Horn * security: tighten --chroot, submitted by Jann Horn * security: terminal sandbox escape, submitted by Stephan Sokolow - * deprecated --user option, please use "sudo -u username firejail" instead - * --read-write option rework - * allow symlinks in home directory for --whitelist option - * --allow-debuggers option - * --private-template (very simillar to the former --private-home) - * AppImage support (--appimage) - * AppArmor support (--apparmor) - * compile time support for Busybox - * Sandbox auditing support (--audit) - * remove environment variable (--rmenv) - * noexec support (--noexec) - * --overlay-clean option - * --overlay-named=name option - * compile time and run time support to disable overlayfs - * Ubuntu snap support - * include /dev/snd in --private-dev - * added mkfile profile command - * added quiet profile command - * recursive mkdir - * seccomp filter updated - * compile time and run time support to disable whitelists - * compile time support to disable global configuration file - * run time support to disable remounting of /proc and /sys - * run time support to disable chroot desktop features - * added quiet-by-default config option in /etc/firejail/firejail.config - * added netfilter-default config option in /etc/firejail/firejail.config - * added x11 command for profile files + * modifs: deprecated --user option, please use "sudo -u username firejail" instead + * modifs: allow symlinks in home directory for --whitelist option + * modifs: Firejail prompt is enabled by env variable FIREJAIL_PROMPT="yes" + * modifs: recursive mkdir + * modifs: include /dev/snd in --private-dev + * modifs: seccomp filter update + * feature: AppImage support (--appimage) + * feature: AppArmor support (--apparmor) + * 
feature: Ubuntu snap support (/etc/firejail/snap.profile) + * feature: Sandbox auditing support (--audit) + * feature: remove environment variable (--rmenv) + * feature: noexec support (--noexec) + * feature: clean local overlay storage directory (--overlay-clean) + * feature: store and reuse overlay (--overlay-named) + * feature: allow debugging inside the sandbox with gdb and strace (--allow-debuggers) + * feature: mkfile profile command + * feature: quiet profile command + * feature: x11 profile command + * compile time: Busybox support (--enable-busybox-workaround) + * compile time: disable overlayfs (--disable-overlayfs) + * compile time: disable whitlisting (--disable-whitelist) + * compile time: disable global config (--disable-globalcfg) + * run time: enable/disable overlayfs (overlayfs yes/no) + * run time: enable/disable quiet as default (quiet-by-default yes/no) + * run time: user-defined network filter (netfilter-default) + * run time: enable/disable whitelisting (whitelist yes/no) + * run time: enable/disable remounting of /proc and /sys (remount-proc-sys yes/no) + * run time: enable/disable chroot desktop features (chroot-desktop yes/no) * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice * new profiles: pix, audacity, xz, xzdec, gzip, cpio, less * new profiles: Atom Beta, Atom, jitsi, eom, uudeview diff --git a/src/firejail/env.c b/src/firejail/env.c index c05abadca..2c8be3852 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c 
@@ -123,10 +123,14 @@ void env_defaults(void) { errExit("setenv"); if (cfg.shell && setenv("SHELL", cfg.shell, 1) < 0) errExit("setenv"); + // set prompt color to green - //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] ' -// if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0) -// errExit("setenv"); + char *prompt = getenv("FIREJAIL_PROMPT"); + if (prompt && strcmp(prompt, "yes") == 0) { + //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] ' + if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0) + errExit("setenv"); + } // set the window title printf("\033]0;firejail %s\007", cfg.window_title); -- cgit v1.2.3-70-g09d2 From 9e025dab2a228092058d170daa78290a33e626b3 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Tue, 23 Aug 2016 19:46:43 +0300 Subject: ASSERT_PERMS macros --- src/firejail/appimage.c | 1 + src/firejail/firejail.h | 23 ++++++++++++++++++++++- 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index 37e3de5d8..513a5a8a2 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c @@ -81,6 +81,7 @@ void appimage_set(const char *appimage_path) { fprintf(stderr, "Error: cannot create temporary directory\n"); exit(1); } + ASSERT_PERMS(mntdir, getuid(), getgid(), 0700); char *mode; if (asprintf(&mode, "mode=700,uid=%d,gid=%d", getuid(), getgid()) == -1) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 8e30e929a..4bc953e24 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h 
@@ -75,6 +75,27 @@ #define DEFAULT_ROOT_PROFILE "server" #define MAX_INCLUDE_LEVEL 6 // include levels in profile files + +#define ASSERT_PERMS(file, uid, gid, mode) \ + do { \ + assert(file);\ + struct stat s;\ + if (stat(file, &s) == -1) errExit("stat");\ + assert(s.st_uid == uid && s.st_gid == gid && (s.st_mode & 07777) == mode);\ + } while (0) +#define ASSERT_PERMS_FD(fd, uid, gid, mode) \ + do { \ + struct stat s;\ + if (stat(fd, &s) == -1) errExit("stat");\ + assert(s.st_uid == uid && s.st_gid == gid && (s.st_mode & 07777) == mode);\ + } while (0) +#define ASSERT_PERMS_STREAM(file, uid, gid, mode) \ + do { \ + int fd = fileno(file);\ + if (fd == -1) errExit("fileno");\ + ASSERT_PERMS_FD(fd, uid, gid, mode);\ + } while (0) + // main.c typedef struct bridge_t { // on the host @@ -386,7 +407,7 @@ void logsignal(int s); void logmsg(const char *msg); void logargs(int argc, char **argv) ; void logerr(const char *msg); -int copy_file(const char *srcname, const char *destname); +int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode); int is_dir(const char *fname); int is_link(const char *fname); char *line_remove_spaces(const char *buf); -- cgit v1.2.3-70-g09d2 From c321020a559a2640799c4144ade6b4e69140e065 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Wed, 24 Aug 2016 13:14:44 +0300 Subject: tighten secutiry --- src/firejail/fs.c | 120 +++++++++++++--------------------------------- src/firejail/fs_home.c | 25 ++++------ src/firejail/ls.c | 6 +-- src/firejail/pulseaudio.c | 2 +- src/firejail/util.c | 7 ++- src/include/euid_common.h | 6 ++- 6 files changed, 55 insertions(+), 111 deletions(-) diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 6c87df1e9..21ab56bd8 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c 
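Review bot: `ASSERT_PERMS_FD` passes its file descriptor to `stat()`, which takes a path name; the macro should read `if (fstat(fd, &s) == -1) errExit("fstat");`, and `ASSERT_PERMS_STREAM` inherits the problem because it expands to it. The later firejail.h hunk that splits the combined assert into three keeps the same `stat(fd, &s)` call. All three macros do their comparison with `assert()`, so a build with `NDEBUG` defined would drop the ownership and mode check entirely; if these are meant as a security check rather than a debugging aid, an explicit `if (...) errExit(...)` is safer. `ASSERT_PERMS` also uses `stat()`, which follows a symlink at `file`; `lstat()` would check the entry itself.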
@@ -29,16 +29,25 @@ static void fs_rdwr(const char *dir); +static void create_dir_as_root(const char *dir, mode_t mode) { + assert(dir); + if (arg_debug) + printf("Creating %s directory\n", dir); + + if (mkdir(dir, mode) == -1) + errExit("mkdir"); + + ASSERT_PERMS(dir, 0, 0, mode); +} + static void create_empty_dir(void) { struct stat s; if (stat(RUN_RO_DIR, &s)) { /* coverity[toctou] */ - int rv = mkdir(RUN_RO_DIR, S_IRUSR | S_IXUSR); - if (rv == -1) - errExit("mkdir"); - if (chown(RUN_RO_DIR, 0, 0) < 0) - errExit("chown"); + if (mkdir(RUN_RO_DIR, S_IRUSR | S_IXUSR) == -1) + errExit("mkdir"); + ASSERT_PERMS(RUN_RO_DIR, 0, 0, S_IRUSR | S_IXUSR); } } @@ -50,11 +59,16 @@ static void create_empty_file(void) { FILE *fp = fopen(RUN_RO_FILE, "w"); if (!fp) errExit("fopen"); - fclose(fp); - if (chown(RUN_RO_FILE, 0, 0) < 0) + + int fd = fileno(fp); + if (fd == -1) + errExit("fileno"); + if (fchown(fd, 0, 0) < 0) errExit("chown"); - if (chmod(RUN_RO_FILE, S_IRUSR) < 0) + if (fchmod(fd, S_IRUSR) < 0) errExit("chown"); + + fclose(fp); } } @@ -64,16 +78,7 @@ void fs_build_firejail_dir(void) { // CentOS 6 doesn't have /run directory if (stat(RUN_FIREJAIL_BASEDIR, &s)) { - if (arg_debug) - printf("Creating %s directory\n", RUN_FIREJAIL_BASEDIR); - /* coverity[toctou] */ - int rv = mkdir(RUN_FIREJAIL_BASEDIR, 0755); - if (rv == -1) - errExit("mkdir"); - if (chown(RUN_FIREJAIL_BASEDIR, 0, 0) < 0) - errExit("chown"); - if (chmod(RUN_FIREJAIL_BASEDIR, 0755) < 0) - errExit("chmod"); + create_dir_as_root(RUN_FIREJAIL_BASEDIR, 0755); } else { // check /tmp/firejail directory belongs to root end exit if doesn't! if (s.st_uid != 0 || s.st_gid != 0) { 
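Review bot: `create_dir_as_root` no longer sets owner and mode; it calls `mkdir(dir, mode)` and then only asserts the result. That result depends on the process umask and on the effective uid/gid at the time of the call, neither of which is visible here. With a restrictive umask the directory comes out narrower than `mode`, and `ASSERT_PERMS` then aborts, or passes silently in an `NDEBUG` build. The same substitution appears in `create_empty_dir` in this hunk and in the `fs_check_overlay_dir` and `fs_overlayfs` hunks further down; in `fs_check_overlay_dir` the removed `chown(dirname, getuid(), getgid())` was what handed the directory to the user. Setting the attributes through a descriptor keeps the hardening without relying on ambient state.

```c
static void create_dir_as_root(const char *dir, mode_t mode) {
	// … unchanged: assert and debug message …
	if (mkdir(dir, mode) == -1)
		errExit("mkdir");

	// set owner and mode through a descriptor instead of by path,
	// so the result does not depend on umask or effective gid
	int fd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
	if (fd == -1)
		errExit("open");
	if (fchown(fd, 0, 0) == -1)
		errExit("fchown");
	if (fchmod(fd, mode) == -1)
		errExit("fchmod");
	close(fd);

	ASSERT_PERMS(dir, 0, 0, mode);
}
```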
@@ -83,61 +88,23 @@ void fs_build_firejail_dir(void) { } if (stat(RUN_FIREJAIL_DIR, &s)) { - if (arg_debug) - printf("Creating %s directory\n", RUN_FIREJAIL_DIR); - /* coverity[toctou] */ - int rv = mkdir(RUN_FIREJAIL_DIR, 0755); - if (rv == -1) - errExit("mkdir"); - if (chown(RUN_FIREJAIL_DIR, 0, 0) < 0) - errExit("chown"); - if (chmod(RUN_FIREJAIL_DIR, 0755) < 0) - errExit("chmod"); + create_dir_as_root(RUN_FIREJAIL_DIR, 0755); } if (stat(RUN_FIREJAIL_NETWORK_DIR, &s)) { - if (arg_debug) - printf("Creating %s directory\n", RUN_FIREJAIL_NETWORK_DIR); - - if (mkdir(RUN_FIREJAIL_NETWORK_DIR, 0755) == -1) - errExit("mkdir"); - if (chown(RUN_FIREJAIL_NETWORK_DIR, 0, 0) < 0) - errExit("chown"); - if (chmod(RUN_FIREJAIL_NETWORK_DIR, 0755) < 0) - errExit("chmod"); + create_dir_as_root(RUN_FIREJAIL_NETWORK_DIR, 0755); } if (stat(RUN_FIREJAIL_BANDWIDTH_DIR, &s)) { - if (arg_debug) - printf("Creating %s directory\n", RUN_FIREJAIL_BANDWIDTH_DIR); - if (mkdir(RUN_FIREJAIL_BANDWIDTH_DIR, 0755) == -1) - errExit("mkdir"); - if (chown(RUN_FIREJAIL_BANDWIDTH_DIR, 0, 0) < 0) - errExit("chown"); - if (chmod(RUN_FIREJAIL_BANDWIDTH_DIR, 0755) < 0) - errExit("chmod"); + create_dir_as_root(RUN_FIREJAIL_BANDWIDTH_DIR, 0755); } if (stat(RUN_FIREJAIL_NAME_DIR, &s)) { - if (arg_debug) - printf("Creating %s directory\n", RUN_FIREJAIL_NAME_DIR); - if (mkdir(RUN_FIREJAIL_NAME_DIR, 0755) == -1) - errExit("mkdir"); - if (chown(RUN_FIREJAIL_NAME_DIR, 0, 0) < 0) - errExit("chown"); - if (chmod(RUN_FIREJAIL_NAME_DIR, 0755) < 0) - errExit("chmod"); + create_dir_as_root(RUN_FIREJAIL_NAME_DIR, 0755); } if (stat(RUN_FIREJAIL_X11_DIR, &s)) { - if (arg_debug) - printf("Creating %s directory\n", RUN_FIREJAIL_X11_DIR); - if (mkdir(RUN_FIREJAIL_X11_DIR, 0755) == -1) - errExit("mkdir"); - if (chown(RUN_FIREJAIL_X11_DIR, 0, 0) < 0) - errExit("chown"); - if (chmod(RUN_FIREJAIL_X11_DIR, 0755) < 0) - errExit("chmod"); + create_dir_as_root(RUN_FIREJAIL_X11_DIR, 0755); } create_empty_dir(); 
@@ -160,16 +127,7 @@ void fs_build_mnt_dir(void) { // create /run/firejail/mnt directory if (stat(RUN_MNT_DIR, &s)) { - if (arg_debug) - printf("Creating %s directory\n", RUN_MNT_DIR); - /* coverity[toctou] */ - int rv = mkdir(RUN_MNT_DIR, 0755); - if (rv == -1) - errExit("mkdir"); - if (chown(RUN_MNT_DIR, 0, 0) < 0) - errExit("chown"); - if (chmod(RUN_MNT_DIR, 0755) < 0) - errExit("chmod"); + create_dir_as_root(RUN_MNT_DIR, 0755); } // ... and mount tmpfs on top of it @@ -202,16 +160,12 @@ void fs_build_cp_command(void) { fprintf(stderr, "Error: invalid /bin/cp file\n"); exit(1); } - int rv = copy_file(fname, RUN_CP_COMMAND); + int rv = copy_file(fname, RUN_CP_COMMAND, 0, 0, 0755); if (rv) { fprintf(stderr, "Error: cannot access /bin/cp\n"); exit(1); } - /* coverity[toctou] */ - if (chown(RUN_CP_COMMAND, 0, 0)) - errExit("chown"); - if (chmod(RUN_CP_COMMAND, 0755)) - errExit("chmod"); + ASSERT_PERMS(RUN_CP_COMMAND, 0, 0, 0755); free(fname); } @@ -827,10 +781,7 @@ char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) { /* coverity[toctou] */ if (mkdir(dirname, 0700)) errExit("mkdir"); - if (chown(dirname, getuid(), getgid()) < 0) - errExit("chown"); - if (chmod(dirname, 0700) < 0) - errExit("chmod"); + ASSERT_PERMS(dirname, getuid(), getgid(), 0700); } else if (is_link(dirname)) { fprintf(stderr, "Error: invalid ~/.firejail directory\n"); @@ -917,10 +868,7 @@ void fs_overlayfs(void) { errExit("asprintf"); if (mkdir(oroot, 0755)) errExit("mkdir"); - if (chown(oroot, 0, 0) < 0) - errExit("chown"); - if (chmod(oroot, 0755) < 0) - errExit("chmod"); + ASSERT_PERMS(oroot, 0, 0, 0755); struct stat s; char *basedir = RUN_MNT_DIR; @@ -1259,7 +1207,7 @@ void fs_chroot(const char *rootdir) { fprintf(stderr, "Error: invalid %s file\n", fname); exit(1); } - if (copy_file("/etc/resolv.conf", fname) == -1) + if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1) fprintf(stderr, "Warning: /etc/resolv.conf not initialized\n"); } 
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index d328d5f1c..75d69e021 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c @@ -43,9 +43,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) { if (stat(fname, &s) == 0) return; if (stat("/etc/skel/.zshrc", &s) == 0) { - if (copy_file("/etc/skel/.zshrc", fname) == 0) { - if (chown(fname, u, g) == -1) - errExit("chown"); + if (copy_file("/etc/skel/.zshrc", fname, u, g, 0644) == 0) { fs_logger("clone /etc/skel/.zshrc"); } } @@ -73,9 +71,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) { if (stat(fname, &s) == 0) return; if (stat("/etc/skel/.cshrc", &s) == 0) { - if (copy_file("/etc/skel/.cshrc", fname) == 0) { - if (chown(fname, u, g) == -1) - errExit("chown"); + if (copy_file("/etc/skel/.cshrc", fname, u, g, 0644) == 0) { fs_logger("clone /etc/skel/.cshrc"); } } @@ -104,10 +100,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) { if (stat(fname, &s) == 0) return; if (stat("/etc/skel/.bashrc", &s) == 0) { - if (copy_file("/etc/skel/.bashrc", fname) == 0) { - /* coverity[toctou] */ - if (chown(fname, u, g) == -1) - errExit("chown"); + if (copy_file("/etc/skel/.bashrc", fname, u, g, 0644) == 0) { fs_logger("clone /etc/skel/.bashrc"); } } @@ -131,7 +124,7 @@ static int store_xauthority(void) { exit(1); } - int rv = copy_file(src, dest); + int rv = copy_file(src, dest, -1, -1, 0600); if (rv) { fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n"); return 0; @@ -167,7 +160,7 @@ static int store_asoundrc(void) { free(rp); } - int rv = copy_file(src, dest); + int rv = copy_file(src, dest, -1, -1, -0644); if (rv) { fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n"); return 0; 
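Review bot: In `store_asoundrc` the new call passes `-0644` as the mode argument: `copy_file(src, dest, -1, -1, -0644)`. Negating the octal constant does not give rw-r--r--; converted to `mode_t` it becomes a large value whose low bits include the set-id and sticky bits, so the `fchmod` inside `copy_file` would either fail or apply an unintended mode. The line should be `int rv = copy_file(src, dest, -1, -1, 0644);`, matching `copy_asoundrc` in the next hunk. store_asoundrc starts and ends outside this hunk.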
@@ -184,7 +177,7 @@ static void copy_xauthority(void) { char *dest; if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1) errExit("asprintf"); - int rv = copy_file(src, dest); + int rv = copy_file(src, dest, -1, -1, 0600); if (rv) fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n"); else { @@ -207,7 +200,7 @@ static void copy_asoundrc(void) { char *dest; if (asprintf(&dest, "%s/.asoundrc", cfg.homedir) == -1) errExit("asprintf"); - int rv = copy_file(src, dest); + int rv = copy_file(src, dest, -1 , -1, 0644); if (rv) fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n"); else { @@ -360,11 +353,9 @@ int fs_copydir(const char *path, const struct stat *st, int ftype, struct FTW *s return(0); if (stat(path, &s) == 0) { if(ftype == FTW_F) { - if (copy_file(path, dest) == 0) { + if (copy_file(path, dest, u, g, 0644) == 0) { if (arg_debug) printf("copy from %s to %s\n", path, dest); - if (chown(dest, u, g) == -1) - errExit("chown"); fs_logger2("clone", path); } } diff --git a/src/firejail/ls.c b/src/firejail/ls.c index 09577fb0c..495aaf8e2 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c @@ -374,11 +374,7 @@ void sandboxfs(int op, pid_t pid, const char *path) { } // copy file EUID_ROOT(); - copy_file(src_fname, dest_fname); - if (chown(dest_fname, getuid(), getgid()) == -1) - errExit("chown"); - if (chmod(dest_fname, 0644) == -1) - errExit("chmod"); + copy_file(src_fname, dest_fname, getuid(), getgid(), 0644); printf("Transfer complete\n"); EUID_USER(); } diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index 908ef1d25..dd26d219c 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c 
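Review bot: In the `fs_copydir` hunk every regular file is now copied with a fixed mode, `copy_file(path, dest, u, g, 0644)`, regardless of the source file's permissions. A file that was 0600 in the source directory becomes readable by group and others in the copy, and an executable loses its x bit; what mode `copy_file` used before this change is not visible here. If `st` is the stat of `path` supplied by the tree walk, as the signature suggests, the source mode can be carried over with `copy_file(path, dest, u, g, st->st_mode & 0777)`. fs_copydir starts and ends outside this hunk.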
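Review bot: In the ls.c hunk the result of `copy_file(src_fname, dest_fname, getuid(), getgid(), 0644)` is discarded and "Transfer complete" is printed unconditionally. Before this change a failed copy was still caught indirectly, because the following `chown` on a missing destination called `errExit`; with that call removed, a failed transfer is reported as a success. Check the return value, for example `if (copy_file(src_fname, dest_fname, getuid(), getgid(), 0644) == -1) { fprintf(stderr, "Error: transfer failed\n"); exit(1); }`; the error text is a suggestion, not taken from the file. sandboxfs starts and ends outside this hunk.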
@@ -114,7 +114,7 @@ void pulseaudio_init(void) { char *pulsecfg = NULL; if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1) errExit("asprintf"); - if (copy_file("/etc/pulse/client.conf", pulsecfg)) + if (copy_file("/etc/pulse/client.conf", pulsecfg, -1, -1, 0644)) errExit("copy_file"); FILE *fp = fopen(pulsecfg, "a+"); if (!fp) diff --git a/src/firejail/util.c b/src/firejail/util.c index 24bb71e4c..22434e200 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c @@ -170,7 +170,7 @@ void logerr(const char *msg) { // return -1 if error, 0 if no error -int copy_file(const char *srcname, const char *destname) { +int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) { assert(srcname); assert(destname); @@ -207,6 +207,11 @@ int copy_file(const char *srcname, const char *destname) { } } + if (fchown(dst, uid, gid) == -1) + errExit("fchown"); + if (fchmod(dst, mode) == -1) + errExit("fchmod"); + close(src); close(dst); return 0; diff --git a/src/include/euid_common.h b/src/include/euid_common.h index b6d341bf4..de5572fb1 100644 --- a/src/include/euid_common.h +++ b/src/include/euid_common.h @@ -37,11 +37,15 @@ extern uid_t firejail_uid; static inline void EUID_ROOT(void) { if (seteuid(0) == -1) fprintf(stderr, "Warning: cannot switch euid to root\n"); + if (setegid(0) == -1) + fprintf(stderr, "Warning: cannot switch egid to root\n"); } static inline void EUID_USER(void) { if (seteuid(firejail_uid) == -1) - fprintf(stderr, "Warning: cannot switch euid to user\n"); + errExit("seteuid"); + if (setegid(firejail_uid) == -1) + errExit("setegid"); } static inline void EUID_PRINT(void) { -- cgit v1.2.3-70-g09d2 From 1ccd5d84b9d7491bb8deec24db5c8ea0a163fa10 Mon Sep 17 00:00:00 2001 
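Review bot: `EUID_USER` in the euid_common.h hunk passes a user id to a group call, `setegid(firejail_uid)`, and it does so after `seteuid(firejail_uid)` has already dropped the effective uid. The call works only where the user's numeric uid happens to equal the real gid; otherwise `setegid` fails and `errExit` ends the program. The group has to be dropped first, because once the effective uid is no longer 0 `setegid()` can only select the real or saved group id. Whether the project keeps a saved gid next to `firejail_uid` is not visible here, so the sketch below uses `getgid()`.

```c
static inline void EUID_USER(void) {
	// drop the group while still privileged, then the user
	if (setegid(getgid()) == -1)
		errExit("setegid");
	if (seteuid(firejail_uid) == -1)
		errExit("seteuid");
}
```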
From: netblue30 Date: Wed, 24 Aug 2016 09:29:39 -0400 Subject: testing 0.9.42~rc2 --- Makefile.in | 2 +- README | 1 + README.md | 21 --------------------- RELNOTES | 20 ++++++++++++-------- src/firejail/firejail.h | 10 +++++++--- src/firejail/main.c | 8 +++++++- src/firejail/profile.c | 3 ++- src/firejail/sandbox.c | 4 +++- src/firejail/usage.c | 17 ++++++++++++++++- src/man/firejail.txt | 12 ------------ 10 files changed, 49 insertions(+), 49 deletions(-) diff --git a/Makefile.in b/Makefile.in index d1b3d3be8..803769f3f 100644 --- a/Makefile.in +++ b/Makefile.in @@ -204,5 +204,5 @@ test-network: test-fs: cd test/fs; ./fs.sh | grep TESTING -test: test-profiles test-fs test-utils test-environment test-sysutils test-apps test-apps-x11 test-filters +test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-filters echo "TEST COMPLETE" diff --git a/README b/README index fe9ddaaae..c8cdbb6d8 100644 --- a/README +++ b/README @@ -39,6 +39,7 @@ Aleksey Manevich (https://github.com/manevich) - Busybox support - X11 support rewrite - gether shell selection code in one place + - fixed several TOCTOU security problems greigdp (https://github.com/greigdp) - Gajim IM client profile - fix Slack profile diff --git a/README.md b/README.md index 14dcd4d56..6785e3f7a 100644 --- a/README.md +++ b/README.md 
@@ -38,27 +38,6 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ Version 0.9.41~rc1 was released. -# Branch status: unstable - -A number of problems are being worked on. This is the output of "make test": -````` -[...] -cd test/sysutils; ./sysutils.sh | grep TESTING -TESTING: cpio -netblue@debian:~/work/github/firejail/test/sysutils$ TESTING ERROR 1 -TESTING: gzip -netblue@debian:~/work/github/firejail/test/sysutils$ TESTING ERROR 1 -TESTING: xzdec -netblue@debian:~/work/github/firejail/test/sysutils$ TESTING ERROR 1 -TESTING: xz -netblue@debian:~/work/github/firejail/test/sysutils$ TESTING ERROR 1 -TESTING: less -TESTING: file -TESTING: tar -netblue@debian:~/work/github/firejail/test/sysutils$ TESTING ERROR 3.1 -[...] -````` - ## Deprecated --user --user option was deprecated, please use "sudo -u username firejail application" instead. diff --git a/RELNOTES b/RELNOTES index cc0c1489c..674c9de5e 100644 --- a/RELNOTES +++ b/RELNOTES @@ -3,12 +3,14 @@ firejail (0.9.42~rc2) baseline; urgency=low * security: disable x32 ABI in seccomp, submitted by Jann Horn * security: tighten --chroot, submitted by Jann Horn * security: terminal sandbox escape, submitted by Stephan Sokolow - * modifs: deprecated --user option, please use "sudo -u username firejail" instead + * security: several TOCTOU fixes submitted by Aleksey Manevich + * modifs: deprecated --user option, please use "sudo -u username firejail" * modifs: allow symlinks in home directory for --whitelist option * modifs: Firejail prompt is enabled by env variable FIREJAIL_PROMPT="yes" * modifs: recursive mkdir * modifs: include /dev/snd in --private-dev * modifs: seccomp filter update + * modifs: release archives moved to .xz format * feature: AppImage support (--appimage) * feature: AppArmor support (--apparmor) * feature: Ubuntu snap support (/etc/firejail/snap.profile) 
@@ -17,7 +19,8 @@ firejail (0.9.42~rc2) baseline; urgency=low * feature: noexec support (--noexec) * feature: clean local overlay storage directory (--overlay-clean) * feature: store and reuse overlay (--overlay-named) - * feature: allow debugging inside the sandbox with gdb and strace (--allow-debuggers) + * feature: allow debugging inside the sandbox with gdb and strace + (--allow-debuggers) * feature: mkfile profile command * feature: quiet profile command * feature: x11 profile command @@ -29,13 +32,14 @@ firejail (0.9.42~rc2) baseline; urgency=low * run time: enable/disable quiet as default (quiet-by-default yes/no) * run time: user-defined network filter (netfilter-default) * run time: enable/disable whitelisting (whitelist yes/no) - * run time: enable/disable remounting of /proc and /sys (remount-proc-sys yes/no) + * run time: enable/disable remounting of /proc and /sys + (remount-proc-sys yes/no) * run time: enable/disable chroot desktop features (chroot-desktop yes/no) - * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice - * new profiles: pix, audacity, xz, xzdec, gzip, cpio, less - * new profiles: Atom Beta, Atom, jitsi, eom, uudeview - * new profiles: tar (gtar), unzip, unrar, file, skypeforlinux, - * new profiles: inox, Slack, gnome-chess. Gajim IM client + * profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice + * profiles: pix, audacity, xz, xzdec, gzip, cpio, less + * profiles: Atom Beta, Atom, jitsi, eom, uudeview + * profiles: tar (gtar), unzip, unrar, file, skypeforlinux, + * profiles: inox, Slack, gnome-chess. Gajim IM client -- netblue30 Thu, 21 Jul 2016 08:00:00 -0500 firejail (0.9.40) baseline; urgency=low diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index a3b573acc..755ed4979 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h 
@@ -81,19 +81,23 @@ assert(file);\ struct stat s;\ if (stat(file, &s) == -1) errExit("stat");\ - assert(s.st_uid == uid && s.st_gid == gid && (s.st_mode & 07777) == mode);\ + assert(s.st_uid == uid);\ + assert(s.st_gid == gid);\ + assert((s.st_mode & 07777) == (mode));\ } while (0) #define ASSERT_PERMS_FD(fd, uid, gid, mode) \ do { \ struct stat s;\ if (stat(fd, &s) == -1) errExit("stat");\ - assert(s.st_uid == uid && s.st_gid == gid && (s.st_mode & 07777) == mode);\ + assert(s.st_uid == uid);\ + assert(s.st_gid == gid);\ + assert((s.st_mode & 07777) == (mode));\ } while (0) #define ASSERT_PERMS_STREAM(file, uid, gid, mode) \ do { \ int fd = fileno(file);\ if (fd == -1) errExit("fileno");\ - ASSERT_PERMS_FD(fd, uid, gid, mode);\ + ASSERT_PERMS_FD(fd, uid, gid, (mode));\ } while (0) // main.c diff --git a/src/firejail/main.c b/src/firejail/main.c index 27e2a7f1a..2181a274b 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1561,17 +1561,21 @@ int main(int argc, char **argv) { arg_writable_var = 1; } else if (strcmp(argv[i], "--private") == 0) { +#if 0 if (arg_private_template) { fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n"); exit(1); } +#endif arg_private = 1; - } + } else if (strncmp(argv[i], "--private=", 10) == 0) { +#if 0 if (arg_private_template) { fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n"); exit(1); } +#endif // extract private home dirname cfg.home_private = argv[i] + 10; if (*cfg.home_private == '\0') { @@ -1581,6 +1585,7 @@ int main(int argc, char **argv) { fs_check_private_dir(); arg_private = 1; } +#if 0 else if (strncmp(argv[i], "--private-template=", 19) == 0) { cfg.private_template = argv[i] + 19; if (arg_private) { @@ -1594,6 +1599,7 @@ int main(int argc, char **argv) { fs_check_private_template(); arg_private_template = 1; } +#endif else if (strcmp(argv[i], "--private-dev") == 0) { arg_private_dev = 1; } 
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 916e39892..ee5d8c159 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -630,7 +630,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { return 0; } - +#if 0 if (strncmp(ptr, "private-template ", 17) == 0) { if (arg_private) { fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n"); @@ -642,6 +642,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { return 0; } +#endif // private /etc list of files and directories if (strncmp(ptr, "private-etc ", 12) == 0) { if (arg_writable_etc) { diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 40df00a98..5f845fbd3 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -544,9 +544,11 @@ int sandbox(void* sandbox_arg) { else // --private fs_private(); } - + +#if 0 if (arg_private_template) fs_private_template(); +#endif if (arg_private_dev) { if (cfg.chrootdir) diff --git a/src/firejail/usage.c b/src/firejail/usage.c index d4eab7802..363f973e8 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -221,10 +221,25 @@ $ firejail \-\-overlay-path=~/jails/jail1 firefox printf("\tfilesystems. All modifications are discarded when the sandbox is\n"); printf("\tclosed.\n\n"); printf(" --private=directory - use directory as user home.\n\n"); - +#if 0 printf(" --private-template=directory - same as --private but copy the\n"); printf("\ttemplatedirectory in the tmpfs mounted user home.\n\n"); +.TP +\fB\-\-private-template=templatedir +Mount new /root and /home/user directories in temporary +filesystems, and copy all files in templatedir. All modifications are discarded when the sandbox is +closed. +.br + +.br +Example: +.br +$ firejail \-\-private-template=/home/netblue/.config/mozilla firefox +#endif + + + printf(" --private-bin=file,file - build a new /bin in a temporary filesystem,\n"); printf("\tand copy the programs in the list.\n\n"); 
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 19fca9854..434c29c0f 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -1085,18 +1085,6 @@ Example: .br $ firejail \-\-private=/home/netblue/firefox-home firefox -.TP -\fB\-\-private-template=templatedir -Mount new /root and /home/user directories in temporary -filesystems, and copy all files in templatedir. All modifications are discarded when the sandbox is -closed. -.br - -.br -Example: -.br -$ firejail \-\-private-template=/home/netblue/.config/mozilla firefox - .TP \fB\-\-private-bin=file,file Build a new /bin in a temporary filesystem, and copy the programs in the list. -- cgit v1.2.3-70-g09d2 From 88ac875a2b092af3997723684dbeb1d22f0c82dd Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 24 Aug 2016 09:53:58 -0400 Subject: 0.9.42~2 testing --- src/firejail/no_sandbox.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index f7d62f90c..aae490c34 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c @@ -231,7 +231,7 @@ void run_no_sandbox(int argc, char **argv) { // use $SHELL to get shell used in sandbox if (!arg_shell_none && !cfg.shell) { - char *shell = secure_getenv("SHELL"); + char *shell = getenv("SHELL"); if (access(shell, R_OK) == 0) cfg.shell = shell; } -- cgit v1.2.3-70-g09d2 From f3a20e13cebedffb3af7cee6b5b9e2b0e4d56fb9 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Wed, 24 Aug 2016 18:12:37 +0300 Subject: SET_PERMS macros --- src/firejail/firejail.h | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 755ed4979..7be04f782 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h 
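Review bot: In the no_sandbox.c hunk, switching from `secure_getenv("SHELL")` to `getenv("SHELL")` makes the caller's environment the source of `cfg.shell`, and the only validation is `access(shell, R_OK)`. If `run_no_sandbox` can still run with elevated privileges at this point (not visible in the hunk), the reason this is safe should be recorded in a comment, e.g. `// privileges already dropped here, SHELL is only used as the user's own shell`. Independently of that, `shell` is NULL when SHELL is unset and is passed straight to `access()`; guard it with `if (shell && access(shell, R_OK) == 0)`. run_no_sandbox starts and ends outside this hunk.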
@@ -100,6 +100,27 @@ ASSERT_PERMS_FD(fd, uid, gid, (mode));\ } while (0) +#define SET_PERMS_FD(fd, uid, gid, mode) \ + do { \ + if (fchmod(fd, (mode)) == -1) errExit("chmod");\ + if (fchown(fd, uid, gid) == -1) errExit("chown");\ + } while (0) +#define SET_PERMS_STREAM(stream, uid, gid, mode) \ + do { \ + int fd = fileno(stream);\ + if (fd == -1) errExit("fileno");\ + SET_PERMS_FD(fd, uid, gid, (mode));\ + } while (0) +#define SET_PERMS_STREAM_NOERR(stream, uid, gid, mode) \ + do { \ + int fd = fileno(stream);\ + if (fd == -1) continue;\ + int rv = fchmod(fd, (mode));\ + (void) rv;\ + rv = fchown(fd, uid, gid);\ + (void) rv;\ + } while (0) + // main.c typedef struct bridge_t { // on the host -- cgit v1.2.3-70-g09d2 From 0ee599684c4ca622ca22d09eba565eb07c1a2b12 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Wed, 24 Aug 2016 19:33:30 +0300 Subject: tighten security --- src/firejail/bandwidth.c | 15 +++-------- src/firejail/cgroup.c | 3 +-- src/firejail/cpu.c | 5 +--- src/firejail/fs.c | 9 +------ src/firejail/fs_bin.c | 9 ++----- src/firejail/fs_dev.c | 62 +++++++++++++--------------------------------- src/firejail/fs_etc.c | 8 ++---- src/firejail/fs_home.c | 28 +++++---------------- src/firejail/fs_hostname.c | 28 +++++++-------------- src/firejail/fs_logger.c | 6 +---- src/firejail/fs_mkdir.c | 7 ++++-- 11 files changed, 48 insertions(+), 132 deletions(-) diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c index 5ff67b644..22be5b23c 100644 --- a/src/firejail/bandwidth.c +++ b/src/firejail/bandwidth.c @@ -130,14 +130,8 @@ static void bandwidth_create_run_file(pid_t pid) { /* coverity[toctou] */ FILE *fp = fopen(fname, "w"); if (fp) { + SET_PERMS_STREAM(fp, 0, 0, 0644); fclose(fp); - - /* coverity[toctou] */ - if (chmod(fname, 0644) == -1) - errExit("chmod"); - /* coverity[toctou] */ - if (chown(fname, 0, 0) == -1) - errExit("chown"); } else { fprintf(stderr, "Error: cannot create bandwidth file\n"); 
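Review bot: `SET_PERMS_FD` calls `fchmod` before `fchown`, and on Linux a change of owner can clear the set-user-ID and set-group-ID bits, so a call site that passes a mode taken from `stat` (the later `s.st_mode` uses in fs_whitelist.c and x11.c) may end up with a different mode than requested. Swapping the two lines, `if (fchown(fd, uid, gid) == -1) errExit("chown");\` followed by `if (fchmod(fd, (mode)) == -1) errExit("chmod");\`, also avoids a window where the new mode applies under the old owner. In `SET_PERMS_STREAM_NOERR` the `continue` works as an early exit only because it sits in `do { } while (0)`; `break` states the intent more plainly. The macro arguments `fd`, `uid` and `gid` should be parenthesised in the expansion the same way `mode` is.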
@@ -180,12 +174,9 @@ void network_set_run_file(pid_t pid) { fprintf(fp, "%s:%s\n", cfg.bridge2.dev, cfg.bridge2.devsandbox); if (cfg.bridge3.configured) fprintf(fp, "%s:%s\n", cfg.bridge3.dev, cfg.bridge3.devsandbox); - fclose(fp); - if (chmod(fname, 0644) == -1) - errExit("chmod"); - if (chown(fname, 0, 0) == -1) - errExit("chown"); + SET_PERMS_STREAM(fp, 0, 0, 0644); + fclose(fp); } else { fprintf(stderr, "Error: cannot create network map file\n"); diff --git a/src/firejail/cgroup.c b/src/firejail/cgroup.c index ebd87f0d2..d9c7af9cf 100644 --- a/src/firejail/cgroup.c +++ b/src/firejail/cgroup.c @@ -30,10 +30,9 @@ void save_cgroup(void) { if (fp) { fprintf(fp, "%s", cfg.cgroup); fflush(0); + SET_PERMS_STREAM(fp, 0, 0, 0644); if (fclose(fp)) goto errout; - if (chown(RUN_CGROUP_CFG, 0, 0) < 0) - errExit("chown"); } else goto errout; diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c index 1802ad5e1..cfb03e5fc 100644 --- a/src/firejail/cpu.c +++ b/src/firejail/cpu.c @@ -78,11 +78,8 @@ void save_cpu(void) { FILE *fp = fopen(RUN_CPU_CFG, "w"); if (fp) { fprintf(fp, "%x\n", cfg.cpus); + SET_PERMS_STREAM(fp, 0, 0, 0600); fclose(fp); - if (chmod(RUN_CPU_CFG, 0600) < 0) - errExit("chmod"); - if (chown(RUN_CPU_CFG, 0, 0) < 0) - errExit("chown"); } else { fprintf(stderr, "Error: cannot save cpu affinity mask\n"); diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 21ab56bd8..27c69d0e1 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -60,14 +60,7 @@ static void create_empty_file(void) { if (!fp) errExit("fopen"); - int fd = fileno(fp); - if (fd == -1) - errExit("fileno"); - if (fchown(fd, 0, 0) < 0) - errExit("chown"); - if (fchmod(fd, S_IRUSR) < 0) - errExit("chown"); - + SET_PERMS_STREAM(fp, 0, 0, S_IRUSR); fclose(fp); } } diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index 6bd407346..b9d8614d4 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c 
@@ -203,14 +203,9 @@ void fs_private_bin_list(void) { // create /tmp/firejail/mnt/bin directory fs_build_mnt_dir(); - int rv = mkdir(RUN_BIN_DIR, 0755); - if (rv == -1) + if (mkdir(RUN_BIN_DIR, 0755) == -1) errExit("mkdir"); - if (chown(RUN_BIN_DIR, 0, 0) < 0) - errExit("chown"); - if (chmod(RUN_BIN_DIR, 0755) < 0) - errExit("chmod"); - + ASSERT_PERMS(RUN_BIN_DIR, 0, 0, 0755); // copy the list of files in the new etc directory // using a new child process without root privileges diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index c7a27115f..571848dec 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c @@ -32,15 +32,11 @@ static void create_char_dev(const char *path, mode_t mode, int major, int minor) { dev_t dev = makedev(major, minor); - int rv = mknod(path, S_IFCHR | mode, dev); - if (rv == -1) + if (mknod(path, S_IFCHR | mode, dev) == -1) goto errexit; - - if (chmod(path, mode) < 0) goto errexit; - if (chown(path, 0, 0) < 0) - goto errexit; + ASSERT_PERMS(path, 0, 0, mode); return; @@ -78,14 +74,9 @@ void fs_private_dev(void){ // create DRI_DIR fs_build_mnt_dir(); if (have_dri) { - /* coverity[toctou] */ - rv = mkdir(RUN_DRI_DIR, 0755); - if (rv == -1) + if (mkdir(RUN_DRI_DIR, 0755) == -1) errExit("mkdir"); - if (chown(RUN_DRI_DIR, 0, 0) < 0) - errExit("chown"); - if (chmod(RUN_DRI_DIR, 0755) < 0) - errExit("chmod"); + ASSERT_PERMS(RUN_DRI_DIR, 0, 0, 0755); // keep a copy of /dev/dri under DRI_DIR if (mount("/dev/dri", RUN_DRI_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) @@ -94,14 +85,9 @@ void fs_private_dev(void){ // create SND_DIR if (have_snd) { - /* coverity[toctou] */ - rv = mkdir(RUN_SND_DIR, 0755); - if (rv == -1) + if (mkdir(RUN_SND_DIR, 0755) == -1) errExit("mkdir"); - if (chown(RUN_SND_DIR, 0, 0) < 0) - errExit("chown"); - if (chmod(RUN_SND_DIR, 0755) < 0) - errExit("chmod"); + ASSERT_PERMS(RUN_SND_DIR, 0, 0, 0755); // keep a copy of /dev/dri under DRI_DIR if (mount("/dev/snd", RUN_SND_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) 
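Review bot: `mkdir(RUN_BIN_DIR, 0755)` is subject to the process umask, and with the explicit `chmod` removed the new `ASSERT_PERMS(RUN_BIN_DIR, 0, 0, 0755)` will presumably fail (its definition is outside the hunk) whenever the umask strips any of those bits. The same pattern is introduced in fs_dev.c for `RUN_DRI_DIR`, `RUN_SND_DIR`, `/dev/snd`, `/dev/dri` and `/dev/pts`, and in fs_etc.c for `RUN_ETC_DIR`; only the `/dev/shm` hunks keep a `chmod` before the assert. I would keep `if (chmod(RUN_BIN_DIR, 0755) < 0) errExit("chmod");` ahead of each assert, with a comment such as `// mkdir mode is masked by umask, set it explicitly before checking`.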
@@ -143,13 +129,9 @@ void fs_private_dev(void){ // bring back the /dev/snd directory if (have_snd) { /* coverity[toctou] */ - rv = mkdir("/dev/snd", 0755); - if (rv == -1) + if (mkdir("/dev/snd", 0755) == -1) errExit("mkdir"); - if (chown("/dev/snd", 0, 0) < 0) - errExit("chown"); - if (chmod("/dev/snd",0755) < 0) - errExit("chmod"); + ASSERT_PERMS("/dev/snd", 0, 0, 0755); if (mount(RUN_SND_DIR, "/dev/snd", NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mounting /dev/snd"); fs_logger("whitelist /dev/snd"); @@ -157,14 +139,9 @@ void fs_private_dev(void){ // bring back the /dev/dri directory if (have_dri) { - /* coverity[toctou] */ - rv = mkdir("/dev/dri", 0755); - if (rv == -1) + if (mkdir("/dev/dri", 0755) == -1) errExit("mkdir"); - if (chown("/dev/dri", 0, 0) < 0) - errExit("chown"); - if (chmod("/dev/dri",0755) < 0) - errExit("chmod"); + ASSERT_PERMS("/dev/dri", 0, 0, 0755); if (mount(RUN_DRI_DIR, "/dev/dri", NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mounting /dev/dri"); fs_logger("whitelist /dev/dri"); @@ -173,13 +150,12 @@ void fs_private_dev(void){ // create /dev/shm if (arg_debug) printf("Create /dev/shm directory\n"); - rv = mkdir("/dev/shm", 01777); - if (rv == -1) + if (mkdir("/dev/shm", 01777) == -1) errExit("mkdir"); - if (chown("/dev/shm", 0, 0) < 0) - errExit("chown"); + // mkdir sets only the file permission bits if (chmod("/dev/shm", 01777) < 0) errExit("chmod"); + ASSERT_PERMS("/dev/shm", 0, 0, 01777); fs_logger("mkdir /dev/shm"); // create devices @@ -201,13 +177,9 @@ void fs_private_dev(void){ #endif // pseudo-terminal - rv = mkdir("/dev/pts", 0755); - if (rv == -1) + if (mkdir("/dev/pts", 0755) == -1) errExit("mkdir"); - if (chown("/dev/pts", 0, 0) < 0) - errExit("chown"); - if (chmod("/dev/pts", 0755) < 0) - errExit("chmod"); + ASSERT_PERMS("/dev/pts", 0, 0, 0755); fs_logger("mkdir /dev/pts"); create_char_dev("/dev/pts/ptmx", 0666, 5, 2); //"mknod -m 666 /dev/pts/ptmx c 5 2"); fs_logger("mknod /dev/pts/ptmx"); 
@@ -258,10 +230,10 @@ void fs_dev_shm(void) { // create directory if (mkdir(lnk, 01777)) errExit("mkdir"); - if (chown(lnk, 0, 0)) - errExit("chown"); + // mkdir sets only the file permission bits if (chmod(lnk, 01777)) errExit("chmod"); + ASSERT_PERMS(lnk, 0, 0, 01777); } if (arg_debug) printf("Mounting tmpfs on %s on behalf of /dev/shm\n", lnk); diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index 6b9a4395b..d5b348ee2 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c @@ -130,13 +130,9 @@ void fs_private_etc_list(void) { // create /tmp/firejail/mnt/etc directory fs_build_mnt_dir(); - int rv = mkdir(RUN_ETC_DIR, 0755); - if (rv == -1) + if (mkdir(RUN_ETC_DIR, 0755) == -1) errExit("mkdir"); - if (chown(RUN_ETC_DIR, 0, 0) < 0) - errExit("chown"); - if (chmod(RUN_ETC_DIR, 0755) < 0) - errExit("chmod"); + ASSERT_PERMS(RUN_ETC_DIR, 0, 0, 0755); fs_logger("tmpfs /etc"); fs_logger_print(); // save the current log diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 75d69e021..85fa244be 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c @@ -51,11 +51,8 @@ static void skel(const char *homedir, uid_t u, gid_t g) { FILE *fp = fopen(fname, "w"); if (fp) { fprintf(fp, "\n"); + SET_PERMS_STREAM(fp, u, g, S_IRUSR | S_IWUSR); fclose(fp); - if (chown(fname, u, g) == -1) - errExit("chown"); - if (chmod(fname, S_IRUSR | S_IWUSR) < 0) - errExit("chown"); fs_logger2("touch", fname); } } @@ -80,11 +77,8 @@ static void skel(const char *homedir, uid_t u, gid_t g) { FILE *fp = fopen(fname, "w"); if (fp) { fprintf(fp, "\n"); + SET_PERMS_STREAM(fp, u, g, S_IRUSR | S_IWUSR); fclose(fp); - if (chown(fname, u, g) == -1) - errExit("chown"); - if (chmod(fname, S_IRUSR | S_IWUSR) < 0) - errExit("chown"); fs_logger2("touch", fname); } } 
@@ -177,17 +171,12 @@ static void copy_xauthority(void) { char *dest; if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1) errExit("asprintf"); - int rv = copy_file(src, dest, -1, -1, 0600); + // copy, set permissions and ownership + int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); if (rv) fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n"); else { fs_logger2("clone", dest); - - // set permissions and ownership - if (chown(dest, getuid(), getgid()) < 0) - errExit("chown"); - if (chmod(dest, S_IRUSR | S_IWUSR) < 0) - errExit("chmod"); } // delete the temporary file @@ -200,17 +189,12 @@ static void copy_asoundrc(void) { char *dest; if (asprintf(&dest, "%s/.asoundrc", cfg.homedir) == -1) errExit("asprintf"); - int rv = copy_file(src, dest, -1 , -1, 0644); + // copy, set permissions and ownership + int rv = copy_file(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); if (rv) fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n"); else { fs_logger2("clone", dest); - - // set permissions and ownership - if (chown(dest, getuid(), getgid()) < 0) - errExit("chown"); - if (chmod(dest, S_IRUSR | S_IWUSR) < 0) - errExit("chmod"); } // delete the temporary file diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c index aa391c0cb..87d3742e4 100644 --- a/src/firejail/fs_hostname.c +++ b/src/firejail/fs_hostname.c @@ -40,14 +40,10 @@ void fs_hostname(const char *hostname) { exit(1); } fprintf(fp, "%s\n", hostname); - fclose(fp); - // mode and owner - if (chown(RUN_HOSTNAME_FILE, 0, 0) < 0) - errExit("chown"); - if (chmod(RUN_HOSTNAME_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0) - errExit("chmod"); - + SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); + fclose(fp); + // bind-mount the file on top of /etc/hostname if (mount(RUN_HOSTNAME_FILE, "/etc/hostname", NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind /etc/hostname"); 
@@ -88,13 +84,9 @@ void fs_hostname(const char *hostname) { fprintf(fp2, "%s\n", buf); } fclose(fp1); - fclose(fp2); - // mode and owner - if (chown(RUN_HOSTS_FILE, 0, 0) < 0) - errExit("chown"); - if (chmod(RUN_HOSTS_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0) - errExit("chmod"); + SET_PERMS_STREAM(fp2, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); + fclose(fp2); // bind-mount the file on top of /etc/hostname if (mount(RUN_HOSTS_FILE, "/etc/hosts", NULL, MS_BIND|MS_REC, NULL) < 0) @@ -126,13 +118,11 @@ void fs_resolvconf(void) { fprintf(fp, "nameserver %d.%d.%d.%d\n", PRINT_IP(cfg.dns2)); if (cfg.dns3) fprintf(fp, "nameserver %d.%d.%d.%d\n", PRINT_IP(cfg.dns3)); - fclose(fp); - + // mode and owner - if (chown(RUN_RESOLVCONF_FILE, 0, 0) < 0) - errExit("chown"); - if (chmod(RUN_RESOLVCONF_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0) - errExit("chmod"); + SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); + + fclose(fp); // bind-mount the file on top of /etc/hostname if (mount(RUN_RESOLVCONF_FILE, "/etc/resolv.conf", NULL, MS_BIND|MS_REC, NULL) < 0) diff --git a/src/firejail/fs_logger.c b/src/firejail/fs_logger.c index 30b0fe438..9f33b36d9 100644 --- a/src/firejail/fs_logger.c +++ b/src/firejail/fs_logger.c @@ -97,11 +97,7 @@ void fs_logger_print(void) { perror("fopen"); return; } - - int rv = chown(RUN_FSLOGGER_FILE, getuid(), getgid()); - (void) rv; // best effort! - rv = chmod(RUN_FSLOGGER_FILE, 0644); - (void) rv; // best effort! + SET_PERMS_STREAM_NOERR(fp, getuid(), getgid(), 0644); FsMsg *ptr = head; while (ptr) { diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c index 5bc2df2cc..b2a5927e6 100644 --- a/src/firejail/fs_mkdir.c +++ b/src/firejail/fs_mkdir.c 
@@ -119,9 +119,12 @@ void fs_mkfile(const char *name) { if (!fp) fprintf(stderr, "Warning: cannot create %s file\n", expanded); else { - fclose(fp); - int rv = chmod(expanded, 0600); + int fd = fileno(fp); + if (fd == -1) + errExit("fileno"); + int rv = fchmod(fd, 0600); (void) rv; + fclose(fp); } exit(0); } -- cgit v1.2.3-70-g09d2 From 51d69322896d0f622d77dc581c35876c1c937596 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Thu, 25 Aug 2016 01:01:06 +0300 Subject: tighten security --- src/firejail/fs_trace.c | 14 +++----------- src/firejail/fs_var.c | 23 +++++------------------ src/firejail/fs_whitelist.c | 8 ++------ src/firejail/main.c | 20 ++++++-------------- src/firejail/protocol.c | 8 +------- src/firejail/pulseaudio.c | 5 +---- src/firejail/restrict_users.c | 14 ++++---------- src/firejail/sandbox.c | 3 +-- src/firejail/seccomp.c | 3 +-- src/firejail/x11.c | 8 ++------ 10 files changed, 26 insertions(+), 80 deletions(-) diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c index f6ca28227..bab117b7e 100644 --- a/src/firejail/fs_trace.c +++ b/src/firejail/fs_trace.c @@ -37,11 +37,8 @@ void fs_trace_preload(void) { FILE *fp = fopen("/etc/ld.so.preload", "w"); if (!fp) errExit("fopen"); + SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); fclose(fp); - if (chown("/etc/ld.so.preload", 0, 0) < 0) - errExit("chown"); - if (chmod("/etc/ld.so.preload", S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0) - errExit("chmod"); fs_logger("touch /etc/ld.so.preload"); } } @@ -66,12 +63,9 @@ void fs_trace(void) { } else assert(0); - + + SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); fclose(fp); - if (chown(RUN_LDPRELOAD_FILE, 0, 0) < 0) - errExit("chown"); - if (chmod(RUN_LDPRELOAD_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0) - errExit("chmod"); // mount the new preload file if (arg_debug) @@ -81,5 +75,3 @@ void fs_trace(void) { fs_logger("create /etc/ld.so.preload"); } - - \ No newline at end of file 
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index 1516d684f..a578d04e6 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c @@ -131,22 +131,16 @@ void fs_var_log(void) { // create an empty /var/log/wtmp file /* coverity[toctou] */ FILE *fp = fopen("/var/log/wtmp", "w"); + SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH); if (fp) fclose(fp); - if (chown("/var/log/wtmp", 0, wtmp_group) < 0) - errExit("chown"); - if (chmod("/var/log/wtmp", S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH ) < 0) - errExit("chmod"); fs_logger("touch /var/log/wtmp"); // create an empty /var/log/btmp file fp = fopen("/var/log/btmp", "w"); + SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP); if (fp) fclose(fp); - if (chown("/var/log/btmp", 0, wtmp_group) < 0) - errExit("chown"); - if (chmod("/var/log/btmp", S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP) < 0) - errExit("chmod"); fs_logger("touch /var/log/btmp"); } else @@ -169,11 +163,8 @@ void fs_var_lib(void) { if (fp) { fprintf(fp, "\n"); + SET_PERMS_STREAM(fp, 0, 0, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); fclose(fp); - if (chown("/var/lib/dhcp/dhcpd.leases", 0, 0) == -1) - errExit("chown"); - if (chmod("/var/lib/dhcp/dhcpd.leases", S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH)) - errExit("chmod"); fs_logger("touch /var/lib/dhcp/dhcpd.leases"); } } @@ -279,10 +270,9 @@ void fs_var_lock(void) { // create directory if (mkdir(lnk, S_IRWXU|S_IRWXG|S_IRWXO)) errExit("mkdir"); - if (chown(lnk, 0, 0)) - errExit("chown"); if (chmod(lnk, S_IRWXU|S_IRWXG|S_IRWXO)) errExit("chmod"); + ASSERT_PERMS(lnk, 0, 0, S_IRWXU|S_IRWXG|S_IRWXO); } if (arg_debug) printf("Mounting tmpfs on %s on behalf of /var/lock\n", lnk); 
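Review bot: In fs_var_log both `SET_PERMS_STREAM(fp, 0, wtmp_group, ...)` calls run before the `if (fp)` check, so a failed `fopen` hands NULL to `fileno()` inside the macro. Move each call under the check, e.g. `if (fp) { SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP); fclose(fp); }`, or fail explicitly with `if (!fp) errExit("fopen");` as other call sites in this series do. The removed path-based `chown`/`chmod` reported a missing file through `errExit`; the new order turns that case into undefined behaviour. fs_var_log begins outside the hunk.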
@@ -353,11 +343,8 @@ void fs_var_utmp(void) { // save new utmp file fwrite(&u_boot, sizeof(u_boot), 1, fp); + SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH); fclose(fp); - if (chown(RUN_UTMP_FILE, 0, utmp_group) < 0) - errExit("chown"); - if (chmod(RUN_UTMP_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH ) < 0) - errExit("chmod"); // mount the new utmp file if (arg_debug) diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 90b91f9dd..33037da29 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c @@ -275,18 +275,14 @@ static void whitelist_path(ProfileEntry *entry) { fprintf(stderr, "Error: cannot create empty file in home directory\n"); exit(1); } + // set file properties + SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode); fclose(fp); } else return; // the file is already present } - // set file properties - if (chown(path, s.st_uid, s.st_gid) < 0) - errExit("chown"); - if (chmod(path, s.st_mode) < 0) - errExit("chmod"); - // mount if (mount(wfile, path, NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind"); diff --git a/src/firejail/main.c b/src/firejail/main.c index 2181a274b..dbb92a899 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -663,14 +663,10 @@ static void set_name_file(pid_t pid) { exit(1); } fprintf(fp, "%s\n", cfg.name); - fclose(fp); - + // mode and ownership - if (chown(fname, 0, 0) == -1) - errExit("chown"); - if (chmod(fname, 0644) == -1) - errExit("chmod"); - + SET_PERMS_STREAM(fp, 0, 0, 0644); + fclose(fp); } static void delete_name_file(pid_t pid) { @@ -694,14 +690,10 @@ static void set_x11_file(pid_t pid, int display) { exit(1); } fprintf(fp, "%d\n", display); - fclose(fp); - + // mode and ownership - if (chown(fname, 0, 0) == -1) - errExit("chown"); - if (chmod(fname, 0644) == -1) - errExit("chmod"); - + SET_PERMS_STREAM(fp, 0, 0, 0644); + fclose(fp); } static void delete_x11_file(pid_t pid) { 
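Review bot: In whitelist_path the owner and mode are now applied only inside the branch that creates an empty file, whereas the removed `chown(path, ...)` and `chmod(path, ...)` ran after the whole if/else. Any other branch that reaches the `mount` call, for example one that creates a directory at `path` (the start of the function is outside the hunk, so this is an assumption), no longer receives `s.st_uid`, `s.st_gid` and `s.st_mode`. If such a branch exists it needs its own permission step. At minimum a comment like `// ownership and mode are set only for the empty file created above` would make the narrower scope explicit.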
diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c index 7e5ab7dfb..1ef5bf13d 100644 --- a/src/firejail/protocol.c +++ b/src/firejail/protocol.c @@ -273,14 +273,8 @@ void protocol_filter_save(void) { if (!fp) errExit("fopen"); fprintf(fp, "%s\n", cfg.protocol); + SET_PERMS_STREAM(fp, 0, 0, 0600); fclose(fp); - - if (chmod(RUN_PROTOCOL_CFG, 0600) < 0) - errExit("chmod"); - - if (chown(RUN_PROTOCOL_CFG, 0, 0) < 0) - errExit("chown"); - } void protocol_filter_load(const char *fname) { diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index dd26d219c..7db8d2c18 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c @@ -120,11 +120,8 @@ void pulseaudio_init(void) { if (!fp) errExit("fopen"); fprintf(fp, "%s", "\nenable-shm = no\n"); + SET_PERMS_STREAM(fp, getuid(), getgid(), 0644); fclose(fp); - if (chmod(pulsecfg, 0644) == -1) - errExit("chmod"); - if (chown(pulsecfg, getuid(), getgid()) == -1) - errExit("chown"); // create ~/.config/pulse directory if not present char *dir1; diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index de798037f..cb999a4a6 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c @@ -187,12 +187,9 @@ static void sanitize_passwd(void) { fprintf(fpout, "%s", buf); } fclose(fpin); + SET_PERMS_STREAM(fpout, 0, 0, 0644); fclose(fpout); - if (chown(RUN_PASSWD_FILE, 0, 0) == -1) - errExit("chown"); - if (chmod(RUN_PASSWD_FILE, 0644) == -1) - errExit("chmod"); - + // mount-bind tne new password file if (mount(RUN_PASSWD_FILE, "/etc/passwd", "none", MS_BIND, "mode=400,gid=0") < 0) errExit("mount"); 
@@ -319,12 +316,9 @@ static void sanitize_group(void) { goto errout; } fclose(fpin); + SET_PERMS_STREAM(fpout, 0, 0, 0644); fclose(fpout); - if (chown(RUN_GROUP_FILE, 0, 0) == -1) - errExit("chown"); - if (chmod(RUN_GROUP_FILE, 0644) == -1) - errExit("chmod"); - + // mount-bind tne new group file if (mount(RUN_GROUP_FILE, "/etc/group", "none", MS_BIND, "mode=400,gid=0") < 0) errExit("mount"); diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 5f845fbd3..9423ae7e0 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -104,9 +104,8 @@ void save_nogroups(void) { FILE *fp = fopen(RUN_GROUPS_CFG, "w"); if (fp) { fprintf(fp, "\n"); + SET_PERMS_STREAM(fp, 0, 0, 0644); // assume mode 0644 fclose(fp); - if (chown(RUN_GROUPS_CFG, 0, 0) < 0) - errExit("chown"); } else { fprintf(stderr, "Error: cannot save nogroups state\n"); diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 7aaf1a5cd..c2da1168a 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c @@ -290,9 +290,8 @@ static void write_seccomp_file(void) { fprintf(stderr, "Error: cannot save seccomp filter\n"); exit(1); } + SET_PERMS_FD(fd, 0, 0, S_IRUSR | S_IWUSR); close(fd); - if (chown(RUN_SECCOMP_CFG, 0, 0) < 0) - errExit("chown"); } // read seccomp filter from /run/firejail/mnt/seccomp diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 3d0918b2c..a68b54cdb 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c @@ -132,13 +132,9 @@ void fs_x11(void) { fprintf(stderr, "Error: cannot create empty file in x11 directory\n"); exit(1); } - fclose(fp); - // set file properties - if (chown(x11file, s.st_uid, s.st_gid) < 0) - errExit("chown"); - if (chmod(x11file, s.st_mode) < 0) - errExit("chmod"); + SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode); + fclose(fp); // mount char *wx11file; -- cgit v1.2.3-70-g09d2 From 3880034da5e0f8e387dd8cf79d8b973aaa87fffe Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Thu, 25 Aug 2016 09:15:50 -0400 Subject: command name fix --- RELNOTES | 2 +- src/firejail/util.c | 14 +++++++------- todo | 16 +--------------- 3 files changed, 9 insertions(+), 23 deletions(-) diff --git a/RELNOTES b/RELNOTES index 674c9de5e..f3da05c79 100644 --- a/RELNOTES +++ b/RELNOTES @@ -40,7 +40,7 @@ firejail (0.9.42~rc2) baseline; urgency=low * profiles: Atom Beta, Atom, jitsi, eom, uudeview * profiles: tar (gtar), unzip, unrar, file, skypeforlinux, * profiles: inox, Slack, gnome-chess. Gajim IM client - -- netblue30 Thu, 21 Jul 2016 08:00:00 -0500 + -- netblue30 Thu, 24 Augl 2016 08:00:00 -0500 firejail (0.9.40) baseline; urgency=low * added --nice option diff --git a/src/firejail/util.c b/src/firejail/util.c index 22434e200..5b407eaf5 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c @@ -425,13 +425,13 @@ void extract_command_name(int index, char **argv) { errExit("strdup"); // if we have a symbolic link, use the real path to extract the name - if (is_link(argv[index])) { - char*newname = realpath(argv[index], NULL); - if (newname) { - free(str); - str = newname; - } - } +// if (is_link(argv[index])) { +// char*newname = realpath(argv[index], NULL); +// if (newname) { +// free(str); +// str = newname; +// } +// } // configure command name cfg.command_name = str; diff --git a/todo b/todo index 02eacdda9..c2a450778 100644 --- a/todo +++ b/todo @@ -247,7 +247,6 @@ References 22. add support for read-write and noexec to Firetools - 23. AppArmor $ sudo apt-get install apparmor apparmor-profiles apparmor-utils apparmor-notify 
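Review bot: The `realpath` block in extract_command_name is disabled by commenting it out, which leaves dead code under a now-misleading `// if we have a symbolic link, use the real path to extract the name` line. I would delete the block and replace that comment with the reason for the change, for example `// do not resolve symlinks here: the name is taken from argv[index] as given`. The commit message says only "command name fix", so the wording of that reason is a guess and should be confirmed by the author. The function starts outside the hunk.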
@@ -266,19 +265,6 @@ $ sudo aa-notify -p -f /var/log/audit/audit.log 24. check monitor proc behaviour for sandboxes with --blacklist=/proc also check --apparmor in this case -25. bring back strings.profile - -# strings profile -quiet -ignore noroot -include /etc/firejail/default.profile -tracelog -net none -shell none -private-dev -private-tmp -nosound - -26. fix firemon and firetools on systems with hidepid=2 +25. fix firemon and firetools on systems with hidepid=2 sudo mount -o remount,rw,hidepid=2 /proc -- cgit v1.2.3-70-g09d2 From 277a06d1f24828b8cf408b5c2d3c072d4977eabe Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 25 Aug 2016 09:22:58 -0400 Subject: added back strings profile --- etc/strings.profile | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 etc/strings.profile diff --git a/etc/strings.profile b/etc/strings.profile new file mode 100644 index 000000000..d013e7cb5 --- /dev/null +++ b/etc/strings.profile @@ -0,0 +1,11 @@ +# strings profile +quiet +ignore noroot +include /etc/firejail/default.profile +tracelog +net none +shell none +private-dev +private-tmp +nosound + -- cgit v1.2.3-70-g09d2 From 949070a1dd728e58ab04c8e02f08cef422ddf7d9 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 26 Aug 2016 09:29:44 -0400 Subject: shell fixes --- RELNOTES | 2 +- src/firejail/bandwidth.c | 7 ++++++- src/firejail/env.c | 2 ++ src/firejail/join.c | 28 +++++++++++++++++++++++----- 4 files changed, 32 insertions(+), 7 deletions(-) diff --git a/RELNOTES b/RELNOTES index f3da05c79..25f4c31c9 100644 --- a/RELNOTES +++ b/RELNOTES @@ -40,7 +40,7 @@ firejail (0.9.42~rc2) baseline; urgency=low * profiles: Atom Beta, Atom, jitsi, eom, uudeview * profiles: tar (gtar), unzip, unrar, file, skypeforlinux, * profiles: inox, Slack, gnome-chess. Gajim IM client - -- netblue30 Thu, 24 Augl 2016 08:00:00 -0500 + -- netblue30 Thu, 26 Aug 2016 08:00:00 -0500 firejail (0.9.40) baseline; urgency=low * added --nice option 
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c index 22be5b23c..4a1df9c67 100644 --- a/src/firejail/bandwidth.c +++ b/src/firejail/bandwidth.c @@ -450,7 +450,12 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in if (setregid(0, 0)) errExit("setregid"); - assert(cfg.shell); + if (!cfg.shell) + cfg.shell = guess_shell(); + if (!cfg.shell) { + fprintf(stderr, "Error: no POSIX shell found, please use --shell command line option\n"); + exit(1); + } char *arg[4]; arg[0] = cfg.shell; diff --git a/src/firejail/env.c b/src/firejail/env.c index 2c8be3852..2cc65e464 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c @@ -121,6 +121,8 @@ void env_defaults(void) { errExit("setenv"); if (setenv("container", "firejail", 1) < 0) // LXC sets container=lxc, errExit("setenv"); + if (!cfg.shell) + cfg.shell = guess_shell(); if (cfg.shell && setenv("SHELL", cfg.shell, 1) < 0) errExit("setenv"); diff --git a/src/firejail/join.c b/src/firejail/join.c index 37bac7e65..948c7ef71 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c @@ -319,10 +319,13 @@ void join(pid_t pid, int argc, char **argv, int index) { caps_set(caps); // set prompt color to green - //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] ' - if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0) - errExit("setenv"); - + char *prompt = getenv("FIREJAIL_PROMPT"); + if (prompt && strcmp(prompt, "yes") == 0) { + //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] ' + if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0) + errExit("setenv"); + } + // set nice if (arg_nice) { errno = 0; 
@@ -336,7 +339,22 @@ void join(pid_t pid, int argc, char **argv, int index) { // run cmdline trough shell if (cfg.command_line == NULL) { - assert(cfg.shell); + // if the sandbox was started with --shell=none, it is possible we don't have a shell + // inside the sandbox + if (cfg.shell == NULL) { + cfg.shell = guess_shell(); + if (!cfg.shell) { + fprintf(stderr, "Error: no POSIX shell found, please use --shell command line option\n"); + exit(1); + } + } + + struct stat s; + if (stat(cfg.shell, &s) == -1) { + fprintf(stderr, "Error: %s shell not found inside the sandbox\n", cfg.shell); + exit(1); + } + cfg.command_line = cfg.shell; cfg.window_title = cfg.shell; } -- cgit v1.2.3-70-g09d2 From cdff9ea0b35852998b635b6b5b9a44b51255e94c Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 28 Aug 2016 08:36:21 -0400 Subject: fixes --- platform/debian/conffiles | 1 + 1 file changed, 1 insertion(+) diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 4c6b0ebef..2eaca90ce 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -141,3 +141,4 @@ /etc/firejail/xviewer.profile /etc/firejail/xz.profile /etc/firejail/xzdec.profile +/etc/firejail/strings.profile -- cgit v1.2.3-70-g09d2 From 80c8015d7d3158dcd44b48f83658f2c61e14eddf Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 28 Aug 2016 08:59:18 -0400 Subject: fixes --- src/firejail/fs_dev.c | 1 - 1 file changed, 1 deletion(-) diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index 571848dec..701183ee1 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c @@ -58,7 +58,6 @@ errexit: } void fs_private_dev(void){ - int rv; // install a new /dev directory if (arg_debug) printf("Mounting tmpfs on /dev\n"); -- cgit v1.2.3-70-g09d2 From 70d1b463a04867e2ede3da284a5209d190458d84 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Mon, 29 Aug 2016 11:56:34 -0400 Subject: 0.9.42~rc3 starting --- RELNOTES | 1 + configure | 18 +++++++++--------- configure.ac | 2 +- src/firejail/fs.c | 10 ++++------ todo | 3 +++ 5 files changed, 18 insertions(+), 16 deletions(-) diff --git a/RELNOTES b/RELNOTES index 25f4c31c9..62171af35 100644 --- a/RELNOTES +++ b/RELNOTES @@ -40,6 +40,7 @@ firejail (0.9.42~rc2) baseline; urgency=low * profiles: Atom Beta, Atom, jitsi, eom, uudeview * profiles: tar (gtar), unzip, unrar, file, skypeforlinux, * profiles: inox, Slack, gnome-chess. Gajim IM client + * bugfixes -- netblue30 Thu, 26 Aug 2016 08:00:00 -0500 firejail (0.9.40) baseline; urgency=low diff --git a/configure b/configure index 5505b01c2..3f9d0fc42 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for firejail 0.9.42~rc2. +# Generated by GNU Autoconf 2.69 for firejail 0.9.42~rc3. # # Report bugs to . # @@ -580,8 +580,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='firejail' PACKAGE_TARNAME='firejail' -PACKAGE_VERSION='0.9.42~rc2' -PACKAGE_STRING='firejail 0.9.42~rc2' +PACKAGE_VERSION='0.9.42~rc3' +PACKAGE_STRING='firejail 0.9.42~rc3' PACKAGE_BUGREPORT='netblue30@yahoo.com' PACKAGE_URL='http://firejail.wordpress.com' @@ -1257,7 +1257,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures firejail 0.9.42~rc2 to adapt to many kinds of systems. +\`configure' configures firejail 0.9.42~rc3 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1318,7 +1318,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of firejail 0.9.42~rc2:";; + short | recursive ) echo "Configuration of firejail 0.9.42~rc3:";; esac cat <<\_ACEOF 
@@ -1421,7 +1421,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -firejail configure 0.9.42~rc2 +firejail configure 0.9.42~rc3 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1723,7 +1723,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by firejail $as_me 0.9.42~rc2, which was +It was created by firejail $as_me 0.9.42~rc3, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4294,7 +4294,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by firejail $as_me 0.9.42~rc2, which was +This file was extended by firejail $as_me 0.9.42~rc3, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -4348,7 +4348,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -firejail config.status 0.9.42~rc2 +firejail config.status 0.9.42~rc3 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index 2a5bd5e54..67b74e723 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ([2.68]) -AC_INIT(firejail, 0.9.42~rc2, netblue30@yahoo.com, , http://firejail.wordpress.com) +AC_INIT(firejail, 0.9.42~rc3, netblue30@yahoo.com, , http://firejail.wordpress.com) AC_CONFIG_SRCDIR([src/firejail/main.c]) #AC_CONFIG_HEADERS([config.h]) diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 27c69d0e1..855ebad7b 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c 
@@ -647,10 +647,6 @@ void fs_proc_sys_dev_boot(void) { disable_file(BLACKLIST_FILE, "/sys/kernel/vmcoreinfo"); disable_file(BLACKLIST_FILE, "/sys/kernel/uevent_helper"); -// if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0) -// errExit("mounting /sys"); - - // various /proc/sys files disable_file(BLACKLIST_FILE, "/proc/sys/security"); disable_file(BLACKLIST_FILE, "/proc/sys/efi/vars"); @@ -661,7 +657,6 @@ void fs_proc_sys_dev_boot(void) { disable_file(BLACKLIST_FILE, "/proc/sys/kernel/hotplug"); disable_file(BLACKLIST_FILE, "/proc/sys/vm/panic_on_oom"); - // various /proc files disable_file(BLACKLIST_FILE, "/proc/irq"); disable_file(BLACKLIST_FILE, "/proc/bus"); @@ -674,7 +669,10 @@ void fs_proc_sys_dev_boot(void) { disable_file(BLACKLIST_FILE, "/proc/mem"); disable_file(BLACKLIST_FILE, "/proc/kmem"); - // disable /boot + // remove kernel symbol information + disable_file(BLACKLIST_FILE, "/usr/src/linux"); + disable_file(BLACKLIST_FILE, "/lib/modules"); + disable_file(BLACKLIST_FILE, "/usr/lib/debug"); disable_file(BLACKLIST_FILE, "/boot"); // disable /selinux diff --git a/todo b/todo index c2a450778..6fe7c5e6f 100644 --- a/todo +++ b/todo @@ -268,3 +268,6 @@ also check --apparmor in this case 25. fix firemon and firetools on systems with hidepid=2 sudo mount -o remount,rw,hidepid=2 /proc + +26. mupdf profile + -- cgit v1.2.3-70-g09d2 From 8d054a67ec661aa4cfcb70f70a860631cac2ef2b Mon Sep 17 00:00:00 2001 From: Reiner Herrmann Date: Mon, 29 Aug 2016 19:26:05 +0200 Subject: Fix spelling error found by lintian --- src/firejail/x11.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/firejail/x11.c b/src/firejail/x11.c index a68b54cdb..9a59b873b 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c 
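Review bot: In the last fs.c hunk (`@@ -674,7 +669,10 @@`) the `// disable /boot` comment is replaced by `// remove kernel symbol information`, so the `/boot` blacklist now sits under a heading that does not say why it is there. A short why-comment such as `// /boot: kernel image and System.map` would keep the intent readable. `/usr/src/linux` is a single literal path, and many distributions install kernel sources and headers in versioned directories under `/usr/src`. Whether disable_file() accepts a pattern is not visible from this hunk, so confirm that the paths you mean to hide are actually covered. The body of fs_proc_sys_dev_boot() starts and ends outside the hunk.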
@@ -525,7 +525,7 @@ void x11_start_xpra(int argc, char **argv) { if (n == 10) printf("failed to stop xpra server gratefully\n"); else - printf("xpra server successfully stoped in %d secs\n", n); + printf("xpra server successfully stopped in %d secs\n", n); } // kill xpra server and xpra client -- cgit v1.2.3-70-g09d2 From 130ae047b8c1565cfcebb59630e642ec4a2ccb4a Mon Sep 17 00:00:00 2001 From: Reiner Herrmann Date: Mon, 29 Aug 2016 19:48:09 +0200 Subject: another typo --- src/man/firejail.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 434c29c0f..35b84b981 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -85,7 +85,7 @@ Example: $ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox .TP \fB\-\-apparmor -Enable AppArmor confinement. Formore information, please see \fBAPPARMOR\fR section below. +Enable AppArmor confinement. For more information, please see \fBAPPARMOR\fR section below. .TP \fB\-\-appimage Sandbox an AppImage (http://appimage.org/) application. -- cgit v1.2.3-70-g09d2 From 18a1ae6609c556aa433dc62fc5cd8685d2d612ea Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Mon, 29 Aug 2016 23:31:57 +0300 Subject: fix umask problem --- src/firejail/appimage.c | 2 ++ src/firejail/fs.c | 8 ++++++++ src/firejail/fs_bin.c | 2 ++ src/firejail/fs_dev.c | 10 ++++++++++ src/firejail/fs_etc.c | 2 ++ 5 files changed, 24 insertions(+) diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index 513a5a8a2..eb90a39dd 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c @@ -81,6 +81,8 @@ void appimage_set(const char *appimage_path) { fprintf(stderr, "Error: cannot create temporary directory\n"); exit(1); } + if (chmod(mntdir, 0700) == -1) + errExit("chmod"); ASSERT_PERMS(mntdir, getuid(), getgid(), 0700); char *mode; diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 855ebad7b..e38f128ea 100644 --- a/src/firejail/fs.c 
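Review bot: The added `chmod(mntdir, 0700)` in appimage_set() sets the mode by path after the directory already exists, and chmod() follows symlinks; the ASSERT_PERMS on the next line only checks afterwards. If the parent directory is writable by the unprivileged user and the process is still privileged at this point (not visible from the hunk), the path could be swapped between creation and chmod. Setting the mode through a descriptor avoids the second path lookup: `int fd = open(mntdir, O_RDONLY|O_DIRECTORY|O_NOFOLLOW);` followed by `fchmod(fd, 0700)`, or clear the umask around the create call instead. The same mkdir-then-chmod pair is added in fs.c (create_dir_as_root, create_empty_dir, fs_check_overlay_dir, fs_overlayfs), fs_bin.c, fs_dev.c and fs_etc.c. Of those, fs_check_overlay_dir also asserts user ownership (`getuid(), getgid()`), so it deserves the closest look.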
+++ b/src/firejail/fs.c @@ -36,6 +36,8 @@ static void create_dir_as_root(const char *dir, mode_t mode) { if (mkdir(dir, mode) == -1) errExit("mkdir"); + if (chmod(dir, mode) == -1) + errExit("chmod"); ASSERT_PERMS(dir, 0, 0, mode); } @@ -47,6 +49,8 @@ static void create_empty_dir(void) { /* coverity[toctou] */ if (mkdir(RUN_RO_DIR, S_IRUSR | S_IXUSR) == -1) errExit("mkdir"); + if (chmod(RUN_RO_DIR, S_IRUSR | S_IXUSR) == -1) + errExit("chmod"); ASSERT_PERMS(RUN_RO_DIR, 0, 0, S_IRUSR | S_IXUSR); } } @@ -772,6 +776,8 @@ char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) { /* coverity[toctou] */ if (mkdir(dirname, 0700)) errExit("mkdir"); + if (chmod(dirname, 0700) == -1) + errExit("chmod"); ASSERT_PERMS(dirname, getuid(), getgid(), 0700); } else if (is_link(dirname)) { @@ -859,6 +865,8 @@ void fs_overlayfs(void) { errExit("asprintf"); if (mkdir(oroot, 0755)) errExit("mkdir"); + if (chmod(oroot, 0755) == -1) + errExit("chmod"); ASSERT_PERMS(oroot, 0, 0, 0755); struct stat s; diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index b9d8614d4..6c4db57b4 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c @@ -205,6 +205,8 @@ void fs_private_bin_list(void) { fs_build_mnt_dir(); if (mkdir(RUN_BIN_DIR, 0755) == -1) errExit("mkdir"); + if (chmod(RUN_BIN_DIR, 0755) == -1) + errExit("chmod"); ASSERT_PERMS(RUN_BIN_DIR, 0, 0, 0755); // copy the list of files in the new etc directory diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index 701183ee1..363d3e484 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c @@ -75,6 +75,8 @@ void fs_private_dev(void){ if (have_dri) { if (mkdir(RUN_DRI_DIR, 0755) == -1) errExit("mkdir"); + if (chmod(RUN_DRI_DIR, 0755) == -1) + errExit("chmod"); ASSERT_PERMS(RUN_DRI_DIR, 0, 0, 0755); // keep a copy of /dev/dri under DRI_DIR 
@@ -86,6 +88,8 @@ void fs_private_dev(void){ if (have_snd) { if (mkdir(RUN_SND_DIR, 0755) == -1) errExit("mkdir"); + if (chmod(RUN_SND_DIR, 0755) == -1) + errExit("chmod"); ASSERT_PERMS(RUN_SND_DIR, 0, 0, 0755); // keep a copy of /dev/dri under DRI_DIR @@ -130,6 +134,8 @@ void fs_private_dev(void){ /* coverity[toctou] */ if (mkdir("/dev/snd", 0755) == -1) errExit("mkdir"); + if (chmod("/dev/snd", 0755) == -1) + errExit("chmod"); ASSERT_PERMS("/dev/snd", 0, 0, 0755); if (mount(RUN_SND_DIR, "/dev/snd", NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mounting /dev/snd"); @@ -140,6 +146,8 @@ void fs_private_dev(void){ if (have_dri) { if (mkdir("/dev/dri", 0755) == -1) errExit("mkdir"); + if (chmod("/dev/dri", 0755) == -1) + errExit("chmod"); ASSERT_PERMS("/dev/dri", 0, 0, 0755); if (mount(RUN_DRI_DIR, "/dev/dri", NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mounting /dev/dri"); @@ -178,6 +186,8 @@ void fs_private_dev(void){ // pseudo-terminal if (mkdir("/dev/pts", 0755) == -1) errExit("mkdir"); + if (chmod("/dev/pts", 0755) == -1) + errExit("chmod"); ASSERT_PERMS("/dev/pts", 0, 0, 0755); fs_logger("mkdir /dev/pts"); create_char_dev("/dev/pts/ptmx", 0666, 5, 2); //"mknod -m 666 /dev/pts/ptmx c 5 2"); diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index d5b348ee2..e860bc173 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c @@ -132,6 +132,8 @@ void fs_private_etc_list(void) { fs_build_mnt_dir(); if (mkdir(RUN_ETC_DIR, 0755) == -1) errExit("mkdir"); + if (chmod(RUN_ETC_DIR, 0755) == -1) + errExit("chmod"); ASSERT_PERMS(RUN_ETC_DIR, 0, 0, 0755); fs_logger("tmpfs /etc"); -- cgit v1.2.3-70-g09d2 From ad9977e18dbe1c104a1cabb48ea2ef56b5d31449 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Tue, 30 Aug 2016 00:03:23 +0300 Subject: change errExit message to include filename --- src/include/common.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/include/common.h b/src/include/common.h index 762a0262a..e28870807 100644 
--- a/src/include/common.h +++ b/src/include/common.h @@ -32,7 +32,7 @@ #include #include -#define errExit(msg) do { char msgout[500]; sprintf(msgout, "Error %s:%s(%d)", msg, __FUNCTION__, __LINE__); perror(msgout); exit(1);} while (0) +#define errExit(msg) do { char msgout[500]; sprintf(msgout, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0) // macro to print ip addresses in a printf statement #define PRINT_IP(A) \ -- cgit v1.2.3-70-g09d2 From 1de8b9257a287cfb80daeaabd56377e509efeca5 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 30 Aug 2016 12:05:38 -0400 Subject: Arch Linux fix: setegid error --- src/firejail/main.c | 1 + src/include/euid_common.h | 5 ++++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/src/firejail/main.c b/src/firejail/main.c index dbb92a899..391e86907 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -46,6 +46,7 @@ printf("time %s:%d %u\n", __FILE__, __LINE__, (uint32_t) systick); #endif uid_t firejail_uid = 0; +gid_t firejail_gid = 0; #define STACK_SIZE (1024 * 1024) static char child_stack[STACK_SIZE]; // space for child's stack diff --git a/src/include/euid_common.h b/src/include/euid_common.h index de5572fb1..752df5fff 100644 --- a/src/include/euid_common.h +++ b/src/include/euid_common.h @@ -31,6 +31,7 @@ } extern uid_t firejail_uid; +extern uid_t firejail_gid; @@ -44,16 +45,18 @@ static inline void EUID_ROOT(void) { static inline void EUID_USER(void) { if (seteuid(firejail_uid) == -1) errExit("seteuid"); - if (setegid(firejail_uid) == -1) + if (setegid(firejail_gid) == -1) errExit("setegid"); } static inline void EUID_PRINT(void) { printf("debug: uid %d, euid %d\n", getuid(), geteuid()); + printf("debug: gid %d, egid %d\n", getgid(), getegid()); } static inline void EUID_INIT(void) { firejail_uid = getuid(); + firejail_gid = getgid(); } #endif -- cgit v1.2.3-70-g09d2 From 5adafe44026aba6d37deef04c3229fca9704d118 Mon Sep 17 00:00:00 2001 
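Review bot: The rewritten errExit() still formats into `char msgout[500]` with an unbounded `sprintf`, and the new format adds `__FILE__`, whose length depends on the build path. Bounding the write costs nothing: `snprintf(msgout, sizeof(msgout), "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__);`. The `msg` arguments at most call sites are not visible from this hunk, so the bound also protects against any caller that passes a non-literal string.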
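Review bot: In euid_common.h, `extern uid_t firejail_gid;` declares the variable with a different type name than its definition in main.c, `gid_t firejail_gid = 0;`, added by the same commit. The two typedefs usually share an underlying integer type on Linux, so this compiles, but the declaration should read `extern gid_t firejail_gid;` to match. In the second hunk, EUID_PRINT prints the ids with `%d`; an explicit cast such as `(int) getgid()` would keep the format and argument types in agreement.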
From: netblue30 Date: Tue, 30 Aug 2016 20:47:12 -0400 Subject: fix join caps --- src/firejail/join.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/firejail/join.c b/src/firejail/join.c index 948c7ef71..414b899ce 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c @@ -309,14 +309,15 @@ void join(pid_t pid, int argc, char **argv, int index) { printf("Joining user namespace\n"); if (join_namespace(1, "user")) exit(1); + + // user namespace resets capabilities + // set caps filter + if (apply_caps == 1) // not available for uid 0 + caps_set(caps); } else drop_privs(arg_nogroups); // nogroups not available for uid 0 - // user namespace resets capabilities - // set caps filter - if (apply_caps == 1) // not available for uid 0 - caps_set(caps); // set prompt color to green char *prompt = getenv("FIREJAIL_PROMPT"); -- cgit v1.2.3-70-g09d2 From ddcd56b11c47278fe887e5b4fb5bd86715881114 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 31 Aug 2016 10:40:16 -0400 Subject: Arch fixes --- src/firejail/fs_whitelist.c | 38 ++++++++++++++++++++++---------------- test/fs/private-etc-empty.exp | 9 ++++++--- 2 files changed, 28 insertions(+), 19 deletions(-) diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 33037da29..11e626b6e 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c 
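Review bot: After this move in join(), `caps_set(caps)` runs only on the user-namespace branch, so the `else` path relies entirely on `drop_privs(arg_nogroups)` to leave the joining process without capabilities. That presumably holds for a regular user, but the hunk does not show what happens when the caller is uid 0 and the target sandbox has a capability filter (the existing `// not available for uid 0` comments suggest this case is special). Please confirm that a root join into a caps-restricted sandbox does not end up with a wider capability set than the sandboxed processes. A comment on the `else` branch would record why the filter is not needed there, for example `// no user namespace: capabilities are dropped by drop_privs()`. The function starts and ends outside the hunk.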
@@ -554,24 +554,30 @@ void fs_whitelist(void) { // /media mountpoint if (media_dir) { - // keep a copy of real /media directory in RUN_WHITELIST_MEDIA_DIR - int rv = mkdir(RUN_WHITELIST_MEDIA_DIR, 0755); - if (rv == -1) - errExit("mkdir"); - if (chown(RUN_WHITELIST_MEDIA_DIR, 0, 0) < 0) - errExit("chown"); - if (chmod(RUN_WHITELIST_MEDIA_DIR, 0755) < 0) - errExit("chmod"); + // some distros don't have a /media directory + struct stat s; + if (stat("/media", &s) == 0) { + // keep a copy of real /media directory in RUN_WHITELIST_MEDIA_DIR + int rv = mkdir(RUN_WHITELIST_MEDIA_DIR, 0755); + if (rv == -1) + errExit("mkdir"); + if (chown(RUN_WHITELIST_MEDIA_DIR, 0, 0) < 0) + errExit("chown"); + if (chmod(RUN_WHITELIST_MEDIA_DIR, 0755) < 0) + errExit("chmod"); - if (mount("/media", RUN_WHITELIST_MEDIA_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); + if (mount("/media", RUN_WHITELIST_MEDIA_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mount bind"); - // mount tmpfs on /media - if (arg_debug || arg_debug_whitelists) - printf("Mounting tmpfs on /media directory\n"); - if (mount("tmpfs", "/media", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) - errExit("mounting tmpfs on /media"); - fs_logger("tmpfs /media"); + // mount tmpfs on /media + if (arg_debug || arg_debug_whitelists) + printf("Mounting tmpfs on /media directory\n"); + if (mount("tmpfs", "/media", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) + errExit("mounting tmpfs on /media"); + fs_logger("tmpfs /media"); + } + else + media_dir = 0; } // /var mountpoint diff --git a/test/fs/private-etc-empty.exp b/test/fs/private-etc-empty.exp index 2ab634afd..5ddce8678 100755 --- a/test/fs/private-etc-empty.exp +++ b/test/fs/private-etc-empty.exp @@ -3,7 +3,7 @@ # Copyright (C) 2014-2016 Firejail Authors # License GPL v2 -set timeout 30 +set timeout 10 spawn $env(SHELL) match_max 100000 
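Review bot: In fs_whitelist(), the new `stat("/media", &s) == 0` guard only proves the path exists, not that it is a directory, yet the code that follows bind-mounts it and mounts a tmpfs over it. Checking the type as well keeps the failure mode at "skip" rather than an errExit from mount(): `if (stat("/media", &s) == 0 && S_ISDIR(s.st_mode)) {`. The `int rv = mkdir(...)` temporary could also be folded into the condition, as the other mkdir call sites in this series do. The function body extends beyond the hunk.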
@@ -17,7 +17,8 @@ sleep 1 send -- "ls -l /etc | wc -l\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "0" + "0" {puts "Debian\n"} + "1" {puts "Arch\n"} } send -- "exit\r" sleep 1 @@ -32,7 +33,9 @@ sleep 1 send -- "ls -l /etc | wc -l\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "0" + "0" {puts "Debian\n"} + "1" {puts "Arch\n"} + } after 100 -- cgit v1.2.3-70-g09d2 From f67614cef6c9f6513b3efa72f05f763c510021ad Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Thu, 1 Sep 2016 03:42:13 +1000 Subject: may break on some systems --- etc/hexchat.profile | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/etc/hexchat.profile b/etc/hexchat.profile index 0ff64aef5..5cefe45b5 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile @@ -1,7 +1,8 @@ # HexChat instant messaging profile +# Currently in testing (may not work for all users) noblacklist ${HOME}/.config/hexchat -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* +#noblacklist /usr/lib/python2* +#noblacklist /usr/lib/python3* include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc @@ -14,11 +15,14 @@ noroot nosound protocol unix,inet,inet6 seccomp +shell none +tracelog mkdir ~/.config/hexchat whitelist ~/.config/hexchat include /etc/firejail/whitelist-common.inc -# private-bin requires perl, python, etc. +private-bin hexchat +#debug note: private-bin requires perl, python, etc on some systems private-dev private-tmp -- cgit v1.2.3-70-g09d2 From c26be70b30582400dc88a4bb213368a6d7250302 Mon Sep 17 00:00:00 2001 
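Review bot: In test/fs/private-etc-empty.exp the expect patterns `"0"` and `"1"` are unanchored substring matches, so a `wc -l` result such as 10 or 21 also satisfies them, and the test can pass when the private /etc is not empty. This affects both hunks (`@@ -17,7 +17,8 @@` and `@@ -32,7 +33,9 @@`). Matching the whole output line would make the check meaningful, for example `-re {\n0\r\n} {puts "Debian\n"}` and `-re {\n1\r\n} {puts "Arch\n"}`; verify the exact line endings against your terminal settings.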
From: Fred-Barclay Date: Thu, 1 Sep 2016 03:42:44 +1000 Subject: tested and stable --- etc/0ad.profile | 4 ++-- etc/atom-beta.profile | 7 ++++--- etc/atom.profile | 6 ++++-- etc/atril.profile | 1 + etc/audacity.profile | 2 ++ etc/aweather.profile | 3 ++- etc/dosbox.profile | 21 +++++++++++++++++++++ etc/eom.profile | 1 + etc/gitter.profile | 4 +++- etc/gthumb.profile | 1 - etc/libreoffice.profile | 3 +-- etc/palemoon.profile | 1 + etc/pidgin.profile | 1 + etc/qtox.profile | 1 + etc/rhythmbox.profile | 1 + etc/stellarium.profile | 2 +- etc/transmission-gtk.profile | 2 +- etc/vlc.profile | 2 ++ etc/warzone2100.profile | 1 + etc/xplayer.profile | 1 + etc/xreader.profile | 1 + etc/xviewer.profile | 3 ++- 22 files changed, 54 insertions(+), 15 deletions(-) create mode 100644 etc/dosbox.profile diff --git a/etc/0ad.profile b/etc/0ad.profile index 217cdeee0..1e7c06879 100644 --- a/etc/0ad.profile +++ b/etc/0ad.profile @@ -19,8 +19,8 @@ whitelist ~/.local/share/0ad caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot protocol unix,inet,inet6 seccomp @@ -28,4 +28,4 @@ shell none tracelog private-dev - +private-tmp diff --git a/etc/atom-beta.profile b/etc/atom-beta.profile index 3c753e86c..9a8d93875 100644 --- a/etc/atom-beta.profile +++ b/etc/atom-beta.profile @@ -1,4 +1,4 @@ -# Firjail profile for Atom Beta. +# Firejail profile for Atom Beta. noblacklist ~/.atom noblacklist ~/.config/Atom @@ -11,9 +11,10 @@ netfilter nonewprivs nogroups noroot +nosound +protocol unix,inet,inet6,netlink seccomp shell none private-dev -nosound - +private-tmp diff --git a/etc/atom.profile b/etc/atom.profile index 8304cd379..3cb86847e 100644 --- a/etc/atom.profile +++ b/etc/atom.profile @@ -1,4 +1,4 @@ -# Firjail profile for Atom. +# Firejail profile for Atom. noblacklist ~/.atom noblacklist ~/.config/Atom @@ -11,8 +11,10 @@ netfilter nonewprivs nogroups noroot +nosound +protocol unix,inet,inet6,netlink seccomp shell none private-dev -nosound +private-tmp 
diff --git a/etc/atril.profile b/etc/atril.profile index bfe731bec..d9e10b072 100644 --- a/etc/atril.profile +++ b/etc/atril.profile @@ -18,3 +18,4 @@ tracelog private-bin atril, atril-previewer, atril-thumbnailer private-dev +private-tmp diff --git a/etc/audacity.profile b/etc/audacity.profile index 162201cb8..be3fac9be 100644 --- a/etc/audacity.profile +++ b/etc/audacity.profile @@ -7,6 +7,7 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc caps.drop all +netfilter nonewprivs nogroups noroot @@ -17,3 +18,4 @@ tracelog private-bin audacity private-dev +private-tmp diff --git a/etc/aweather.profile b/etc/aweather.profile index da93e8ba3..4e5c36f50 100644 --- a/etc/aweather.profile +++ b/etc/aweather.profile @@ -15,10 +15,11 @@ nonewprivs nogroups noroot nosound -protocol unix,inet,inet6,netlink +protocol unix,inet,inet6 seccomp shell none tracelog private-bin aweather private-dev +private-tmp diff --git a/etc/dosbox.profile b/etc/dosbox.profile new file mode 100644 index 000000000..45fbb712a --- /dev/null +++ b/etc/dosbox.profile @@ -0,0 +1,21 @@ +# Firejail profile for dosbox +noblacklist ~/.dosbox + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +private-bin dosbox +private-dev +private-tmp diff --git a/etc/eom.profile b/etc/eom.profile index 81d993e96..dfcea82c1 100644 --- a/etc/eom.profile +++ b/etc/eom.profile @@ -18,3 +18,4 @@ tracelog private-bin eom private-dev +private-tmp diff --git a/etc/gitter.profile b/etc/gitter.profile index 2882c59a6..f43f5f199 100644 --- a/etc/gitter.profile +++ b/etc/gitter.profile 
@@ -7,12 +7,14 @@ include /etc/firejail/disable-devel.inc caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot +nosound protocol unix,inet,inet6,netlink seccomp shell none private-bin gitter private-dev +private-tmp diff --git a/etc/gthumb.profile b/etc/gthumb.profile index e043c7229..3ffd10add 100644 --- a/etc/gthumb.profile +++ b/etc/gthumb.profile @@ -19,4 +19,3 @@ tracelog private-bin gthumb whitelist /tmp/.X11-unix private-dev -private-tmp diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index 77a00ebef..75a52e9ff 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile @@ -7,6 +7,7 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter +nogroups nonewprivs noroot protocol unix,inet,inet6,netlink @@ -15,5 +16,3 @@ tracelog private-dev whitelist /tmp/.X11-unix/ -nosound - diff --git a/etc/palemoon.profile b/etc/palemoon.profile index acedaebb7..71deec6bc 100644 --- a/etc/palemoon.profile +++ b/etc/palemoon.profile @@ -23,6 +23,7 @@ shell none tracelog private-bin palemoon +private-tmp # These are uncommented in the Firefox profile. If you run into trouble you may # want to uncomment (some of) them. diff --git a/etc/pidgin.profile b/etc/pidgin.profile index 3df2cafa6..47be2b6ea 100644 --- a/etc/pidgin.profile +++ b/etc/pidgin.profile @@ -18,3 +18,4 @@ tracelog private-bin pidgin private-dev +private-tmp diff --git a/etc/qtox.profile b/etc/qtox.profile index 0cac18573..927487037 100644 --- a/etc/qtox.profile +++ b/etc/qtox.profile @@ -20,3 +20,4 @@ shell none tracelog private-bin qtox +private-tmp diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index 9f087ea1d..0e8527ae7 100644 --- a/etc/rhythmbox.profile +++ b/etc/rhythmbox.profile @@ -16,3 +16,4 @@ tracelog private-bin rhythmbox private-dev +private-tmp diff --git a/etc/stellarium.profile b/etc/stellarium.profile index adefa75ff..d57c9e5f7 100644 --- a/etc/stellarium.profile +++ b/etc/stellarium.profile 
@@ -25,4 +25,4 @@ tracelog private-bin stellarium private-dev - +private-tmp diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index fa5c3b22b..0cfa4fcfc 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile @@ -14,9 +14,9 @@ noroot nosound protocol unix,inet,inet6 seccomp +shell none tracelog -shell none private-bin transmission-gtk whitelist /tmp/.X11-unix private-dev diff --git a/etc/vlc.profile b/etc/vlc.profile index c82247dd2..cdd098dd5 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile @@ -17,3 +17,5 @@ shell none tracelog private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc +private-dev +private-tmp diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile index ff37e2800..7c7efade8 100644 --- a/etc/warzone2100.profile +++ b/etc/warzone2100.profile @@ -23,3 +23,4 @@ tracelog private-bin warzone2100 private-dev +private-tmp diff --git a/etc/xplayer.profile b/etc/xplayer.profile index a46b2fa06..54d5ed89b 100644 --- a/etc/xplayer.profile +++ b/etc/xplayer.profile @@ -19,3 +19,4 @@ tracelog private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer private-dev +private-tmp diff --git a/etc/xreader.profile b/etc/xreader.profile index ac7d34022..d2a000bd0 100644 --- a/etc/xreader.profile +++ b/etc/xreader.profile @@ -20,3 +20,4 @@ tracelog private-bin xreader, xreader-previewer, xreader-thumbnailer private-dev +private-tmp diff --git a/etc/xviewer.profile b/etc/xviewer.profile index 7a4ae4858..cbb59d16e 100644 --- a/etc/xviewer.profile +++ b/etc/xviewer.profile @@ -6,8 +6,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -nonewprivs nogroups +nonewprivs noroot nosound protocol unix @@ -17,3 +17,4 @@ tracelog private-dev private-bin xviewer +private-tmp -- cgit v1.2.3-70-g09d2 From 425c3c34c54366cadc6f97df99dc6fa5c964dc25 Mon Sep 17 00:00:00 2001 
From: Fred-Barclay Date: Fri, 2 Sep 2016 12:08:03 +1000 Subject: extra dosbox files --- README | 1 + README.md | 2 +- RELNOTES | 2 +- etc/disable-programs.inc | 1 + platform/debian/conffiles | 1 + src/firecfg/firecfg.config | 1 + 6 files changed, 6 insertions(+), 2 deletions(-) diff --git a/README b/README index c8cdbb6d8..fa67c1252 100644 --- a/README +++ b/README @@ -103,6 +103,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - pidgin private-bin conversion - added eom profile - added gnome-chess profile + - added DOSBox profile Jaykishan Mutkawoa (https://github.com/jmutkawoa) - cpio profile Paupiah Yash (https://github.com/CaffeinatedStud) diff --git a/README.md b/README.md index 6785e3f7a..ebd39de5b 100644 --- a/README.md +++ b/README.md @@ -197,5 +197,5 @@ Browsers: Palemoon ## New security profiles Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview -tar (gtar), unzip, unrar, file, skypeforlinux, gnome-chess, inox, Slack, Gajim IM client +tar (gtar), unzip, unrar, file, skypeforlinux, gnome-chess, inox, Slack, Gajim IM client, DOSBox diff --git a/RELNOTES b/RELNOTES index 62171af35..3c69b0a1c 100644 --- a/RELNOTES +++ b/RELNOTES @@ -39,7 +39,7 @@ firejail (0.9.42~rc2) baseline; urgency=low * profiles: pix, audacity, xz, xzdec, gzip, cpio, less * profiles: Atom Beta, Atom, jitsi, eom, uudeview * profiles: tar (gtar), unzip, unrar, file, skypeforlinux, - * profiles: inox, Slack, gnome-chess. Gajim IM client + * profiles: inox, Slack, gnome-chess. Gajim IM client, DOSBox * bugfixes -- netblue30 Thu, 26 Aug 2016 08:00:00 -0500 diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 2f7584241..fb0f5a669 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc 
@@ -89,6 +89,7 @@ blacklist ${HOME}/.steam blacklist ${HOME}/.config/wesnoth blacklist ${HOME}/.config/0ad blacklist ${HOME}/.warzone2100-3.1 +blacklist ${HOME}/.dosbox # Cryptocoins blacklist ${HOME}/.*coin diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 2eaca90ce..691c536df 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -142,3 +142,4 @@ /etc/firejail/xz.profile /etc/firejail/xzdec.profile /etc/firejail/strings.profile +/etc/firejail/dosbox.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index c909e6903..dd876c87c 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -75,6 +75,7 @@ unbound # emulators/compatibility layers mupen64plus wine +dosbox # games 0ad -- cgit v1.2.3-70-g09d2 From c08a57c8811cbb2868ab448de5b7e7a68e6b0bb4 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Fri, 2 Sep 2016 14:22:01 +0300 Subject: firecfg: option to fix .desktop files --- src/firecfg/main.c | 171 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 171 insertions(+) diff --git a/src/firecfg/main.c b/src/firecfg/main.c index 9c7c49e1d..8ca56a2ff 100644 --- a/src/firecfg/main.c +++ b/src/firecfg/main.c @@ -24,7 +24,11 @@ #include #include #include +#include #include +#include +#include +#include #include "../include/common.h" static int arg_debug = 0; @@ -41,6 +45,7 @@ static void usage(void) { printf(" --debug - print debug messages.\n\n"); printf(" --help, -? - this help screen.\n\n"); printf(" --list - list all firejail symbolic links.\n\n"); + printf(" --fix - fix .desktop files.\n\n"); printf(" --version - print program version and exit.\n\n"); printf("Example:\n\n"); printf(" $ sudo firecfg\n"); 
@@ -55,6 +60,10 @@ static void usage(void) { printf(" /usr/local/bin/firefox removed\n"); printf(" /usr/local/bin/vlc removed\n"); printf(" [...]\n"); + printf(" $ firecfg --fix\n"); + printf(" /home/user/.local/share/applications/chromium.desktop created\n"); + printf(" /home/user/.local/share/applications/vlc.desktop created\n"); + printf(" [...]\n"); printf("\n"); printf("License GPL version 2 or later\n"); printf("Homepage: http://firejail.wordpress.com\n\n"); 
@@ -285,6 +294,164 @@ static void set(void) { free(firejail_exec); } +static void fix_desktop_files(void) { + if (getuid() == 0) { + fprintf(stderr, "Error: you should run --fix as user\n"); + exit(1); + } + + char *homedir = getenv("HOME"); + if (!homedir) + errExit("getenv"); + + char *user_apps_dir; + if (asprintf(&user_apps_dir, "%s/.local/share/applications", homedir) == -1) + errExit("asprintf"); + + DIR *dir = opendir("/usr/share/applications"); + if (!dir) { + perror("Error: cannot open /usr/share/applications directory"); + exit(1); + } + + if (chdir("/usr/share/applications")) { + perror("Error: cannot chdir to /usr/share/applications"); + exit(1); + } + + struct dirent *entry; + while ((entry = readdir(dir)) != NULL) { + if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) + continue; + + // skip if not regular file or link + if (entry->d_type != DT_REG && entry->d_type != DT_LNK) + continue; + + // skip if not .desktop file + if (strstr(entry->d_name,".desktop") != (entry->d_name+strlen(entry->d_name)-8)) + continue; + + char *filename = entry->d_name; + + // skip links + if (is_link(filename)) + continue; + + struct stat sb; + if (stat(filename, &sb) == -1) + errExit("stat"); + + int fd = open(filename, O_RDONLY); + if (fd == -1) + errExit("open"); + + char *buf = mmap(NULL, sb.st_size + 1, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); + if (buf == MAP_FAILED) + errExit("mmap"); + + close(fd); + + // check format + if (strstr(buf, "[Desktop Entry]\n") == NULL) { + if (arg_debug) + fprintf(stderr, "/usr/share/applications/%s - SKIPPED: wrong format?\n", filename); + munmap(buf, sb.st_size + 1); + continue; + } + + // get executable name + char *ptr1 = strstr(buf,"\nExec="); + if (!ptr1 || strlen(ptr1) < 7) { + if (arg_debug) + fprintf(stderr, "/usr/share/applications/%s - SKIPPED: wrong format?\n", filename); + munmap(buf, sb.st_size + 1); + continue; + } + + char *execname = ptr1 + 6; + // 
https://specifications.freedesktop.org/desktop-entry-spec/latest/ar01s06.html + // The executable program can either be specified with its full path + // or with the name of the executable only + if (execname[0] != '/') { + if (arg_debug) + fprintf(stderr, "/usr/share/applications/%s - already OK\n", filename); + continue; + } + // executable name can be quoted, this is rare and currently unsupported, TODO + if (execname[0] == '"') { + if (arg_debug) + fprintf(stderr, "/usr/share/applications/%s - skipped: path quoting unsupported\n", filename); + continue; + } + + // put '\0' at end of filename + char *tail = NULL; + char endchar; + if (execname[0] == '/') { + char *ptr2 = index(execname, ' '); + char *ptr3 = index(execname, '\n'); + if (ptr2 && (!ptr3 || (ptr2 < ptr3))) { + endchar = ptr2[0]; + ptr2[0] = '\0'; + tail = ptr2 + 1; + } else if (ptr3 && (!ptr2 || (ptr3 < ptr2))) { + endchar = ptr3[0]; + ptr3[0] = '\0'; + tail = ptr3 + 1; + } + ptr1[5] = '\0'; + } + + char *bname = basename(execname); + assert(bname); + + // check if basename in PATH + if (!which(bname)) { + fprintf(stderr, "/usr/share/applications/%s - unable to fix: executable not in PATH\n", filename); + continue; + } + + char *outname; + if (asprintf(&outname ,"%s/%s", user_apps_dir, filename) == -1) + errExit("asprintf"); + + int fd1 = open(outname, O_CREAT | O_WRONLY | O_EXCL, S_IRUSR | S_IWUSR); + free(outname); + + if (fd1 == -1) { + fprintf(stderr, "%s/%s skipped: %s\n", user_apps_dir, filename, strerror(errno)); + munmap(buf, sb.st_size + 1); + continue; + } + + FILE *outfile = fdopen(fd1, "w"); + if (!outfile) { + fprintf(stderr, "%s/%s skipped: %s\n", user_apps_dir, filename, strerror(errno)); + munmap(buf, sb.st_size + 1); + close(fd1); + continue; + } + + if (fprintf(outfile,\ + "# Converted by firecfg --fix from /usr/share/applications/%s\n\n%s=%s%c%s",\ + filename, buf, bname, endchar, tail) < 0) { + fprintf(stderr, "Unable to write %s/%s: %s\n", user_apps_dir, filename, 
strerror(errno)); + munmap(buf, sb.st_size + 1); + fclose(outfile); + continue; + } + + fclose(outfile); + munmap(buf, sb.st_size + 1); + + printf("%s/%s created\n", user_apps_dir, filename); + } + + closedir(dir); + free(user_apps_dir); +} + int main(int argc, char **argv) { int i; @@ -309,6 +476,10 @@ int main(int argc, char **argv) { list(); return 0; } + else if (strcmp(argv[i], "--fix") == 0) { + fix_desktop_files(); + return 0; + } else { fprintf(stderr, "Error: invalid command line option\n"); usage(); -- cgit v1.2.3-70-g09d2 From 631353bcdbf3819517e909ec12e1161ea6c27923 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Fri, 2 Sep 2016 14:32:36 +0300 Subject: firecfg: update man --- src/man/firecfg.txt | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt index 9458c4b67..c647acc14 100644 --- a/src/man/firecfg.txt +++ b/src/man/firecfg.txt @@ -26,6 +26,9 @@ Print options end exit. \fB\-\-list List all firejail symbolic links .TP +\fB\-\-fix +Fix .desktop files. Some .desktop files use full path to executable. Firecfg will check .desktop files in /usr/share/applications/, replace full path by name if it is in PATH, and write result to $HOME/.local/share/applications/. +.TP \fB\-\-version Print program version and exit. -- cgit v1.2.3-70-g09d2 From 5bfd5dc5d1dc4e36a70dec33bf97a380367ace26 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Fri, 2 Sep 2016 15:25:16 +0300 Subject: firecfg: small fixes --- src/firecfg/main.c | 2 +- src/man/firecfg.txt | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/src/firecfg/main.c b/src/firecfg/main.c index 8ca56a2ff..3f9285776 100644 --- a/src/firecfg/main.c +++ b/src/firecfg/main.c 
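Review bot: fix_desktop_files() runs `strstr()` on a `MAP_PRIVATE` mapping of `sb.st_size + 1` bytes and relies on the byte after the file being a readable NUL, which does not hold for an empty file or a file whose size is an exact multiple of the page size (touching that byte faults). Three `continue` paths ("already OK", "path quoting unsupported", "not in PATH") skip `munmap`, and the quoted-path check is unreachable because a leading `"` was already caught by `execname[0] != '/'`. `endchar` and `tail` stay uninitialised when the Exec value has neither a space nor a newline after it, and are then passed to `fprintf`. The suffix test `strstr(name, ".desktop") != name + strlen(name) - 8` computes a pointer before the buffer for names shorter than eight characters and rejects names that contain `.desktop` twice. Only the first `Exec=` line is rewritten, so later ones (desktop-action groups, for instance) keep their absolute path and would still start the program outside the sandbox.

```c
		// skip if not .desktop file
		size_t len = strlen(entry->d_name);
		if (len < 8 || strcmp(entry->d_name + len - 8, ".desktop") != 0)
			continue;

		// … unchanged: is_link(), stat(), open() …

		// heap copy with an explicit terminator instead of mmap(st_size + 1)
		char *buf = malloc(sb.st_size + 1);
		if (!buf)
			errExit("malloc");
		ssize_t got = read(fd, buf, sb.st_size);
		close(fd);
		if (got < 0)
			errExit("read");
		buf[got] = '\0';

		// … unchanged: format and Exec= checks, with free(buf) before every continue …

		// defaults for an Exec line that ends the file without a newline
		char *tail = "";
		char endchar = '\n';
```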
@@ -408,7 +408,7 @@ static void fix_desktop_files(void) { // check if basename in PATH if (!which(bname)) { - fprintf(stderr, "/usr/share/applications/%s - unable to fix: executable not in PATH\n", filename); + fprintf(stderr, "/usr/share/applications/%s - skipped, %s not in PATH\n", filename, bname); continue; } diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt index c647acc14..4acacb071 100644 --- a/src/man/firecfg.txt +++ b/src/man/firecfg.txt @@ -61,6 +61,15 @@ $ sudo firecfg --clean /usr/local/bin/vlc removed .br [...] +.br +$ firecfg --fix +.br +/home/user/.local/share/applications/chromium.desktop created +.br +/home/user/.local/share/applications/vlc.desktop created +.br +[...] + .SH LICENSE This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. -- cgit v1.2.3-70-g09d2 From 9142d9488b4f2beeb958f93a8e21387ab06ece22 Mon Sep 17 00:00:00 2001 From: Reiner Herrmann Date: Fri, 2 Sep 2016 20:34:09 +0200 Subject: Run correct zsh test --- test/environment/environment.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/environment/environment.sh b/test/environment/environment.sh index 785f57d3f..04a1daaf6 100755 --- a/test/environment/environment.sh +++ b/test/environment/environment.sh @@ -50,7 +50,7 @@ which zsh if [ "$?" -eq 0 ]; then echo "TESTING: zsh (test/environment/zsh.exp)" - ./csh.exp + ./zsh.exp else echo "TESTING SKIP: zsh not found" fi -- cgit v1.2.3-70-g09d2 From 6485559a37b6741ce8fab38daf56c0edf6ee4cb4 Mon Sep 17 00:00:00 2001 From: Reiner Herrmann Date: Fri, 2 Sep 2016 20:48:05 +0200 Subject: Don't set window title in quiet mode Tools using the quiet mode don't expect anything foreign on stdout. --- src/firejail/env.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
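Review bot: In src/firecfg/main.c, the `continue` in the `!which(bname)` branch of fix_desktop_files() leaves the iteration without calling `munmap(buf, sb.st_size + 1)`, whereas the open() and fdopen() failure paths later in the same loop body unmap first. The mmap call is outside this hunk, but if buf is already mapped here, every skipped .desktop file keeps its mapping for the rest of the run. Add `munmap(buf, sb.st_size + 1);` before this `continue`, and apply the same to the earlier skip branches of the loop.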
diff --git a/src/firejail/env.c b/src/firejail/env.c index 2cc65e464..88cd6918d 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c @@ -135,7 +135,8 @@ void env_defaults(void) { } // set the window title - printf("\033]0;firejail %s\007", cfg.window_title); + if (!arg_quiet) + printf("\033]0;firejail %s\007", cfg.window_title); fflush(0); } -- cgit v1.2.3-70-g09d2 From 8055ecad1286d908e29c1e4aea43490f12a99024 Mon Sep 17 00:00:00 2001 From: Reiner Herrmann Date: Fri, 2 Sep 2016 21:11:56 +0200 Subject: Fix path to zsh --- test/environment/zsh.exp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/environment/zsh.exp b/test/environment/zsh.exp index 5fca1cf22..578951ce0 100755 --- a/test/environment/zsh.exp +++ b/test/environment/zsh.exp @@ -27,7 +27,7 @@ expect { } expect { timeout {puts "TESTING ERROR 2.1\n";exit} - "/usr/bin/zsh" + "/bin/zsh" } send -- "exit\r" after 100 -- cgit v1.2.3-70-g09d2 From 8d999823e793a38306bccd264f089b5faa203aae Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Fri, 2 Sep 2016 22:56:15 +0300 Subject: fix --join-network and --join-filesystem --- src/firejail/main.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/firejail/main.c b/src/firejail/main.c index 391e86907..501bccff2 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -607,6 +607,9 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { exit(1); } + if (!cfg.shell && !arg_shell_none) + cfg.shell = guess_shell(); + // join sandbox by pid or by name pid_t pid; if (read_pid(argv[i] + 15, &pid) == 0) @@ -630,6 +633,9 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { exit(1); } + if (!cfg.shell && !arg_shell_none) + cfg.shell = guess_shell(); + // join sandbox by pid or by name pid_t pid; if (read_pid(argv[i] + 18, &pid) == 0) -- cgit v1.2.3-70-g09d2 From d9cecb0bcceebdc48181978ea97c1d75d6da8a6f Mon Sep 17 00:00:00 2001 
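Review bot: In env_defaults() (src/firejail/env.c), `cfg.window_title` is written unmodified between `\033]0;` and `\007`, so any control byte in it ends the title sequence early and the terminal interprets the remainder. Where the title is built is outside this hunk, but if it is assembled from the command line it is caller-controlled and should be filtered to printable characters before this printf. Separately, testing only `arg_quiet` helps just the tools that pass `--quiet`; `if (!arg_quiet && isatty(STDOUT_FILENO))` would also keep the escape out of pipes and redirected output. env_defaults() starts above the hunk.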
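Review bot: In run_cmd_and_exit() (src/firejail/main.c), the result of `cfg.shell = guess_shell();` is not checked in either of the two join branches that receive this identical block (the `argv[i] + 15` and `argv[i] + 18` ones). The definition of guess_shell() is not shown here; if it can return NULL when no shell is found, the join proceeds with cfg.shell unset, so a test for `!cfg.shell && !arg_shell_none` after the call, with an error message and `exit(1)`, would fail early instead. Because the block is duplicated verbatim, a small static helper called from both branches would keep them from drifting apart. The function body starts and ends outside both hunks.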
From: Aleksey Manevich Date: Fri, 2 Sep 2016 23:02:06 +0300 Subject: update man --- src/man/firejail.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 35b84b981..dbb0df233 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -578,19 +578,19 @@ $ firejail --net=eth0 --name=browser firefox & .br # change netfilter configuration .br -$ sudo firejail --join-network=browser "cat /etc/firejail/nolocal.net | /sbin/iptables-restore" +$ sudo firejail --join-network=browser bash -c "cat /etc/firejail/nolocal.net | /sbin/iptables-restore" .br .br # verify netfilter configuration .br -$ sudo firejail --join-network=browser "/sbin/iptables -vL" +$ sudo firejail --join-network=browser /sbin/iptables -vL .br .br # verify IP addresses .br -$ sudo firejail --join-network=browser "ip addr" +$ sudo firejail --join-network=browser ip addr .br Switching to pid 1932, the first child process inside the sandbox .br -- cgit v1.2.3-70-g09d2 From ae1649cda3630c3ebd3d2d34fb2d77eacdb6ef4c Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 3 Sep 2016 10:45:17 -0400 Subject: fixes --- README | 61 +++++++++++++++++++++++++++++++------------------------------ RELNOTES | 3 ++- 2 files changed, 33 insertions(+), 31 deletions(-) diff --git a/README b/README index fa67c1252..8923abaf4 100644 --- a/README +++ b/README 
@@ -40,6 +40,37 @@ Aleksey Manevich (https://github.com/manevich) - X11 support rewrite - gether shell selection code in one place - fixed several TOCTOU security problems + - added --fix option to firecfg utility +Fred-Barclay (https://github.com/Fred-Barclay) + - added Vivaldi, Atril profiles + - added PaleMoon profile + - split Icedove and Thunderbird profiles + - added 0ad profile + - fixed version for .deb packages + - added Warzone2100 profile + - blacklisted VeraCrypt + - added Gpredict profile + - added Aweather, Stellarium profiles + - fixed HexChat and Atril profiles + - fixed disable-common.inc for mate-terminal + - blacklisted escape-happy terminals in disable-common.inc + - blacklisted g++ + - added xplayer, xreader, and xviewer profiles + - added Brave profile + - added Gitter profile + - various organising + - added LibreOffice profile + - added pix profile + - added audacity profile + - fixed Telegram and qtox profiles + - added Atom Beta and Atom profiles + - tightened 0ad, atril, evince, gthumb, pix, qtox, and xreader profiles. + - several private-bin conversions + - added jitsi profile + - pidgin private-bin conversion + - added eom profile + - added gnome-chess profile + - added DOSBox profile greigdp (https://github.com/greigdp) - Gajim IM client profile - fix Slack profile 
@@ -74,36 +105,6 @@ Thomas Jarosch (https://github.com/thomasjfox) - include mkuid.sh in make dist Niklas Haas (https://github.com/haasn) - blacklisting for keybase.io's client -Fred-Barclay (https://github.com/Fred-Barclay) - - added Vivaldi, Atril profiles - - added PaleMoon profile - - split Icedove and Thunderbird profiles - - added 0ad profile - - fixed version for .deb packages - - added Warzone2100 profile - - blacklisted VeraCrypt - - added Gpredict profile - - added Aweather, Stellarium profiles - - fixed HexChat and Atril profiles - - fixed disable-common.inc for mate-terminal - - blacklisted escape-happy terminals in disable-common.inc - - blacklisted g++ - - added xplayer, xreader, and xviewer profiles - - added Brave profile - - added Gitter profile - - various organising - - added LibreOffice profile - - added pix profile - - added audacity profile - - fixed Telegram and qtox profiles - - added Atom Beta and Atom profiles - - tightened 0ad, atril, evince, gthumb, pix, qtox, and xreader profiles. - - several private-bin conversions - - added jitsi profile - - pidgin private-bin conversion - - added eom profile - - added gnome-chess profile - - added DOSBox profile Jaykishan Mutkawoa (https://github.com/jmutkawoa) - cpio profile Paupiah Yash (https://github.com/CaffeinatedStud) diff --git a/RELNOTES b/RELNOTES index 3c69b0a1c..d07bfa896 100644 --- a/RELNOTES +++ b/RELNOTES @@ -24,6 +24,7 @@ firejail (0.9.42~rc2) baseline; urgency=low * feature: mkfile profile command * feature: quiet profile command * feature: x11 profile command + * feature: option to fix desktop files (firecfg --fix) * compile time: Busybox support (--enable-busybox-workaround) * compile time: disable overlayfs (--disable-overlayfs) * compile time: disable whitlisting (--disable-whitelist) 
@@ -41,7 +42,7 @@ firejail (0.9.42~rc2) baseline; urgency=low * profiles: tar (gtar), unzip, unrar, file, skypeforlinux, * profiles: inox, Slack, gnome-chess. Gajim IM client, DOSBox * bugfixes - -- netblue30 Thu, 26 Aug 2016 08:00:00 -0500 + -- netblue30 Fri, 26 Aug 2016 08:00:00 -0500 firejail (0.9.40) baseline; urgency=low * added --nice option -- cgit v1.2.3-70-g09d2 From 6aad9ad431f749003b4eab7b91cfdd0f218852a2 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 4 Sep 2016 13:52:16 -0400 Subject: bringing back --private-home --- README | 2 +- README.md | 2 + RELNOTES | 1 + configure | 17 ++ configure.ac | 9 + etc/firejail.config | 3 + src/firejail/Makefile.in | 3 +- src/firejail/checkcfg.c | 32 +++- src/firejail/firejail.h | 4 +- src/firejail/fs_home.c | 408 +++++++++++++++++++++++++++++++++---------- src/firejail/main.c | 51 +++--- src/firejail/profile.c | 12 ++ src/firejail/sandbox.c | 8 + src/firejail/usage.c | 22 +-- src/man/firejail-profile.txt | 6 + src/man/firejail.txt | 13 ++ 16 files changed, 446 insertions(+), 147 deletions(-) diff --git a/README b/README index 8923abaf4..7ba78a05f 100644 --- a/README +++ b/README @@ -87,7 +87,7 @@ greigdp (https://github.com/greigdp) Laurent Declercq (https://github.com/nuxwin) - fixed test for shell interpreter in chroots Franco (nextime) Lanza (https://github.com/nextime) - - added --private-template + - added --private-template/--private-home xee5ch (https://github.com/xee5ch) - skypeforlinux profile Peter Hogg (https://github.com/pigmonkey) diff --git a/README.md b/README.md index ebd39de5b..2f2ab38e7 100644 --- a/README.md +++ b/README.md @@ -38,6 +38,8 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ Version 0.9.41~rc1 was released. +## Bringing back --private-home + ## Deprecated --user --user option was deprecated, please use "sudo -u username firejail application" instead. diff --git a/RELNOTES b/RELNOTES index d07bfa896..734a92b4f 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -4,6 +4,7 @@ firejail (0.9.42~rc2) baseline; urgency=low * security: tighten --chroot, submitted by Jann Horn * security: terminal sandbox escape, submitted by Stephan Sokolow * security: several TOCTOU fixes submitted by Aleksey Manevich + * modifs: bringing back --private-home option * modifs: deprecated --user option, please use "sudo -u username firejail" * modifs: allow symlinks in home directory for --whitelist option * modifs: Firejail prompt is enabled by env variable FIREJAIL_PROMPT="yes" diff --git a/configure b/configure index 3f9d0fc42..0b05d42e5 100755 --- a/configure +++ b/configure @@ -636,6 +636,7 @@ HAVE_GLOBALCFG HAVE_BIND HAVE_CHROOT HAVE_SECCOMP +HAVE_PRIVATE_HOME HAVE_OVERLAYFS EXTRA_LDFLAGS EGREP @@ -696,6 +697,7 @@ ac_user_opts=' enable_option_checking enable_apparmor enable_overlayfs +enable_private_home enable_seccomp enable_chroot enable_bind @@ -1328,6 +1330,7 @@ Optional Features: --enable-FEATURE[=ARG] include FEATURE [ARG=yes] --enable-apparmor enable apparmor --disable-overlayfs disable overlayfs + --disable-private-home disable private home feature --disable-seccomp disable seccomp --disable-chroot disable chroot --disable-bind disable bind @@ -3525,6 +3528,19 @@ if test "x$enable_overlayfs" != "xno"; then : HAVE_OVERLAYFS="-DHAVE_OVERLAYFS" +fi + +HAVE_PRIVATEHOME="" +# Check whether --enable-private-home was given. +if test "${enable_private_home+set}" = set; then : + enableval=$enable_private_home; +fi + +if test "x$enable_private_home" != "xno"; then : + + HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME" + + fi HAVE_SECCOMP="" @@ -4937,6 +4953,7 @@ echo " network: $HAVE_NETWORK" echo " user namespace: $HAVE_USERNS" echo " X11 sandboxing support: $HAVE_X11" echo " whitelisting: $HAVE_WHITELIST" +echo " private home support: $HAVE_PRIVATE_HOME" echo " file transfer support: $HAVE_FILE_TRANSFER" echo " overlayfs support: $HAVE_OVERLAYFS" echo " fatal warnings: $HAVE_FATAL_WARNINGS" 
diff --git a/configure.ac b/configure.ac index 67b74e723..ca6066d25 100644 --- a/configure.ac +++ b/configure.ac @@ -38,6 +38,14 @@ AS_IF([test "x$enable_overlayfs" != "xno"], [ AC_SUBST(HAVE_OVERLAYFS) ]) +HAVE_PRIVATEHOME="" +AC_ARG_ENABLE([private-home], + AS_HELP_STRING([--disable-private-home], [disable private home feature])) +AS_IF([test "x$enable_private_home" != "xno"], [ + HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME" + AC_SUBST(HAVE_PRIVATE_HOME) +]) + HAVE_SECCOMP="" AC_ARG_ENABLE([seccomp], AS_HELP_STRING([--disable-seccomp], [disable seccomp])) @@ -163,6 +171,7 @@ echo " network: $HAVE_NETWORK" echo " user namespace: $HAVE_USERNS" echo " X11 sandboxing support: $HAVE_X11" echo " whitelisting: $HAVE_WHITELIST" +echo " private home support: $HAVE_PRIVATE_HOME" echo " file transfer support: $HAVE_FILE_TRANSFER" echo " overlayfs support: $HAVE_OVERLAYFS" echo " fatal warnings: $HAVE_FATAL_WARNINGS" diff --git a/etc/firejail.config b/etc/firejail.config index 6b6ba7fdf..08ff5380d 100644 --- a/etc/firejail.config +++ b/etc/firejail.config @@ -29,6 +29,9 @@ # Enable or disable overlayfs features, default enabled. # overlayfs yes +# Enable or disable private-home feature, default enabled +# private-home yes + # Enable --quiet as default every time the sandbox is started. Default disabled. # quiet-by-default no diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in index f56137308..fce460906 100644 --- a/src/firejail/Makefile.in +++ b/src/firejail/Makefile.in 
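Review bot: In the first configure.ac hunk, the default is assigned to `HAVE_PRIVATEHOME` while the variable that is set, substituted and later passed into CFLAGS is `HAVE_PRIVATE_HOME`, so the latter is never cleared. With `--disable-private-home`, a `HAVE_PRIVATE_HOME` value already exported in the build environment would pass through into the Makefile, and the feature a packager meant to compile out could stay enabled. Change the initialiser to `HAVE_PRIVATE_HOME=""`; the generated configure script in this commit carries the same mismatch and needs regenerating.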
@@ -20,13 +20,14 @@ HAVE_WHITELIST=@HAVE_WHITELIST@ HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ HAVE_APPARMOR=@HAVE_APPARMOR@ HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ +HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ H_FILE_LIST = $(sort $(wildcard *.[h])) C_FILE_LIST = $(sort $(wildcard *.c)) OBJS = $(C_FILE_LIST:.c=.o) BINOBJS = $(foreach file, $(OBJS), $file) -CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security +CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 5bc859f8d..99266c575 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -241,6 +241,14 @@ int checkcfg(int val) { else goto errout; } + else if (strncmp(ptr, "private-home ", 13) == 0) { + if (strcmp(ptr + 13, "yes") == 0) + cfg_val[CFG_PRIVATE_HOME] = 1; + else if (strcmp(ptr + 13, "no") == 0) + cfg_val[CFG_PRIVATE_HOME] = 0; + else + goto errout; + } else if (strncmp(ptr, "chroot-desktop ", 15) == 0) { if (strcmp(ptr + 15, "yes") == 0) cfg_val[CFG_CHROOT_DESKTOP] = 1; 
@@ -295,14 +303,6 @@ void print_compiletime_support(void) { #endif ); - printf("\t- overlayfs support is %s\n", -#ifdef HAVE_OVERLAYFS - "enabled" -#else - "disabled" -#endif - ); - printf("\t- file and directory whitelisting support is %s\n", #ifdef HAVE_WHITELIST "enabled" @@ -332,6 +332,22 @@ void print_compiletime_support(void) { printf("\t- networking features are available only to root user\n"); #endif + printf("\t- overlayfs support is %s\n", +#ifdef HAVE_OVERLAYFS + "enabled" +#else + "disabled" +#endif + ); + + printf("\t- private-home support is %s\n", +#ifdef HAVE_PRIVATE_HOME + "enabled" +#else + "disabled" +#endif + ); + printf("\t- seccomp-bpf support is %s\n", #ifdef HAVE_SECCOMP "enabled" diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 7be04f782..9b60d40c2 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -180,6 +180,7 @@ typedef struct config_t { char *profile_ignore[MAX_PROFILE_IGNORE]; char *chrootdir; // chroot directory char *home_private; // private home directory + char *home_private_keep; // keep list for private home directory char *etc_private_keep; // keep list for private etc directory char *bin_private_keep; // keep list for private bin directory char *cwd; // current working directory @@ -640,7 +641,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh); #define CFG_REMOUNT_PROC_SYS 11 #define CFG_OVERLAYFS 12 #define CFG_CHROOT_DESKTOP 13 -#define CFG_MAX 14 // this should always be the last entry +#define CFG_PRIVATE_HOME 14 +#define CFG_MAX 15 // this should always be the last entry extern char *xephyr_screen; extern char *xephyr_extra_params; extern char *netfilter_default; diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 85fa244be..a4b2ec046 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c 
@@ -313,61 +313,6 @@ void fs_private(void) { } -int fs_copydir(const char *path, const struct stat *st, int ftype, struct FTW *sftw); - - -int fs_copydir(const char *path, const struct stat *st, int ftype, struct FTW *sftw) -{ -(void) st; -(void) sftw; - char *homedir = cfg.homedir; - char *dest; - int srcbaselen = 0; - assert(homedir); - uid_t u = getuid(); - gid_t g = getgid(); - srcbaselen = strlen(cfg.private_template); - - if(ftype == FTW_F || ftype == FTW_D) { - if (asprintf(&dest, "%s/%s", homedir, path + srcbaselen) == -1) - errExit("asprintf"); - struct stat s; - // don't copy it if we already have the file - if (stat(dest, &s) == 0) - return(0); - if (stat(path, &s) == 0) { - if(ftype == FTW_F) { - if (copy_file(path, dest, u, g, 0644) == 0) { - if (arg_debug) - printf("copy from %s to %s\n", path, dest); - fs_logger2("clone", path); - } - } - else if(ftype == FTW_D) { - if (mkdir(dest, s.st_mode) == -1) - errExit("mkdir"); - if (chown(dest, u, g) < 0) - errExit("chown"); - if (arg_debug) - printf("copy from %s to %s\n", path, dest); - fs_logger2("clone", path); - } - } - free(dest); - } - return(0); -} - -void fs_private_template(void) { - - fs_private(); - if(nftw(cfg.private_template, fs_copydir, 1, FTW_PHYS) != 0) { - fprintf(stderr, "Error: unable to copy template dir\n"); - exit(1); - } - -} - // check new private home directory (--private= option) - exit if it fails void fs_check_private_dir(void) { EUID_ASSERT(); 
@@ -406,42 +351,323 @@ void fs_check_private_dir(void) { } } -// check new template home directoty (--private-template= option) - exit if it fails -void fs_check_private_template(void) { - EUID_ASSERT(); - invalid_filename(cfg.private_template); - - // Expand the home directory - char *tmp = expand_home(cfg.private_template, cfg.homedir); - cfg.private_template = realpath(tmp, NULL); - free(tmp); - - if (!cfg.private_template - || !is_dir(cfg.private_template) - || is_link(cfg.private_template) - || strstr(cfg.private_template, "..")) { - fprintf(stderr, "Error: invalid private template directory\n"); - exit(1); - } - - // check home directory and chroot home directory have the same owner - struct stat s2; - int rv = stat(cfg.private_template, &s2); - if (rv < 0) { - fprintf(stderr, "Error: cannot find %s directory\n", cfg.private_template); - exit(1); - } - - struct stat s1; - rv = stat(cfg.homedir, &s1); - if (rv < 0) { - fprintf(stderr, "Error: cannot find %s directory, full path name required\n", cfg.homedir); - exit(1); - } - if (s1.st_uid != s2.st_uid) { - printf("Error: --private-template directory should be owned by the current user\n"); - exit(1); - } +//*********************************************************************************** +// --private-home +//*********************************************************************************** +#define PRIVATE_COPY_LIMIT (500 * 1024 *1024) +static int size_limit_reached = 0; +static unsigned file_cnt = 0; +static unsigned size_cnt = 0; +static char *check_dir_or_file(const char *name); + +int fs_copydir(const char *path, const struct stat *st, int ftype, struct FTW *sftw) { + if (size_limit_reached) + return 0; + + struct stat s; + char *dest; + if (asprintf(&dest, "%s%s", RUN_HOME_DIR, path + strlen(cfg.homedir)) == -1) + errExit("asprintf"); + + // don't copy it if we already have the file + if (stat(dest, &s) == 0) { + free(dest); + return 0; + } + + // extract mode and ownership + if (stat(path, &s) != 0) 
{ + free(dest); + return 0; + } + + // check uid + if (s.st_uid != firejail_uid || s.st_gid != firejail_gid) { + free(dest); + return 0; + } + + if ((s.st_size + size_cnt) > PRIVATE_COPY_LIMIT) { + size_limit_reached = 1; + free(dest); + return 0; + } + + file_cnt++; + size_cnt += s.st_size; + + if(ftype == FTW_F) + copy_file(path, dest, firejail_uid, firejail_gid, s.st_mode); + else if (ftype == FTW_D) { + if (mkdir(dest, s.st_mode) == -1) + errExit("mkdir"); + if (chmod(dest, s.st_mode) < 0) { + fprintf(stderr, "Error: cannot change mode for %s\n", path); + exit(1); + } + if (chown(dest, firejail_uid, firejail_gid) < 0) { + fprintf(stderr, "Error: cannot change ownership for %s\n", path); + exit(1); + } + +#if 0 +struct stat s2; +if (stat(dest, &s2) == 0) { + printf("%s\t", dest); + printf((S_ISDIR(s.st_mode)) ? "d" : "-"); + printf((s.st_mode & S_IRUSR) ? "r" : "-"); + printf((s.st_mode & S_IWUSR) ? "w" : "-"); + printf((s.st_mode & S_IXUSR) ? "x" : "-"); + printf((s.st_mode & S_IRGRP) ? "r" : "-"); + printf((s.st_mode & S_IWGRP) ? "w" : "-"); + printf((s.st_mode & S_IXGRP) ? "x" : "-"); + printf((s.st_mode & S_IROTH) ? "r" : "-"); + printf((s.st_mode & S_IWOTH) ? "w" : "-"); + printf((s.st_mode & S_IXOTH) ? 
"x" : "-"); + printf("\n"); +} +#endif + + fs_logger2("clone", path); + } + + free(dest); + return(0); +} + +static void duplicate(char *name) { + char *fname = check_dir_or_file(name); + + if (arg_debug) + printf("Private home: duplicating %s\n", fname); + assert(strncmp(fname, cfg.homedir, strlen(cfg.homedir)) == 0); + + struct stat s; + if (stat(fname, &s) == -1) { + free(fname); + return; + } + + if(nftw(fname, fs_copydir, 1, FTW_PHYS) != 0) { + fprintf(stderr, "Error: unable to copy template dir\n"); + exit(1); + } + fs_logger_print(); // save the current log + + free(fname); +} + + + +static char *check_dir_or_file(const char *name) { + assert(name); + struct stat s; + + // basic checks + invalid_filename(name); + + if (arg_debug) + printf("Private home: checking %s\n", name); + + // expand home directory + char *fname = expand_home(name, cfg.homedir); + if (!fname) { + fprintf(stderr, "Error: file %s not found.\n", name); + exit(1); + } + + // If it doesn't start with '/', it must be relative to homedir + if (fname[0] != '/') { + char* tmp; + if (asprintf(&tmp, "%s/%s", cfg.homedir, fname) == -1) + errExit("asprintf"); + free(fname); + fname = tmp; + } + + // check the file is in user home directory + char *rname = realpath(fname, NULL); + if (!rname) { + fprintf(stderr, "Error: invalid file %s\n", name); + exit(1); + } + if (strncmp(rname, cfg.homedir, strlen(cfg.homedir)) != 0) { + fprintf(stderr, "Error: file %s is not in user home directory\n", name); + exit(1); + } + + // a full home directory is not allowed + if (strcmp(rname, cfg.homedir) == 0) { + fprintf(stderr, "Error: invalid directory %s\n", rname); + exit(1); + } + + // only top files and directories in user home are allowed + char *ptr = rname + strlen(cfg.homedir); + if (*ptr == '\0') { + fprintf(stderr, "Error: invalid file %s\n", name); + exit(1); + } + ptr++; + ptr = strchr(ptr, '/'); + if (ptr) { + if (*ptr != '\0') { + fprintf(stderr, "Error: only top files and directories in user home 
are allowed\n"); + exit(1); + } + } + + if (stat(fname, &s) == -1) { + fprintf(stderr, "Error: file %s not found.\n", fname); + exit(1); + } + + // check uid + uid_t uid = getuid(); + gid_t gid = getgid(); + if (s.st_uid != uid || s.st_gid != gid) { + fprintf(stderr, "Error: only files or directories created by the current user are allowed.\n"); + exit(1); + } + + // dir or regular file + if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode)) { + free(fname); + return rname; // regular exit from the function + } + + fprintf(stderr, "Error: invalid file type, %s.\n", fname); + exit(1); +} + + +// check directory list specified by user (--private-home option) - exit if it fails +void fs_check_home_list(void) { + if (strstr(cfg.home_private_keep, "..")) { + fprintf(stderr, "Error: invalid private-home list\n"); + exit(1); + } + + char *dlist = strdup(cfg.home_private_keep); + if (!dlist) + errExit("strdup"); + + char *ptr = strtok(dlist, ","); + char *tmp = check_dir_or_file(ptr); + free(tmp); + + while ((ptr = strtok(NULL, ",")) != NULL) { + tmp = check_dir_or_file(ptr); + free(tmp); + } + + free(dlist); } + +// private mode (--private-home=list): +// mount homedir on top of /home/user, +// tmpfs on top of /root in nonroot mode, +// tmpfs on top of /tmp in root mode, +// set skel files, +// restore .Xauthority +void fs_private_home_list(void) { + char *homedir = cfg.homedir; + char *private_list = cfg.home_private_keep; + assert(homedir); + assert(private_list); + + int xflag = store_xauthority(); + int aflag = store_asoundrc(); + + uid_t u = firejail_uid; + gid_t g = firejail_gid; + struct stat s; + if (stat(homedir, &s) == -1) { + fprintf(stderr, "Error: cannot find user home directory\n"); + exit(1); + } + + // create /tmp/firejail/mnt/home directory + fs_build_mnt_dir(); + int rv = mkdir(RUN_HOME_DIR, 0755); + if (rv == -1) + errExit("mkdir"); + if (chown(RUN_HOME_DIR, u, g) < 0) + errExit("chown"); + if (chmod(RUN_HOME_DIR, 0755) < 0) + errExit("chmod"); + 
ASSERT_PERMS(RUN_HOME_DIR, u, g, 0755); + + fs_logger_print(); // save the current log + + // copy the list of files in the new home directory + // using a new child process without root privileges + pid_t child = fork(); + if (child < 0) + errExit("fork"); + if (child == 0) { + if (arg_debug) + printf("Copying files in the new home:\n"); + + // drop privileges + if (setgroups(0, NULL) < 0) + errExit("setgroups"); + if (setgid(getgid()) < 0) + errExit("setgid/getgid"); + if (setuid(getuid()) < 0) + errExit("setuid/getuid"); + + // copy the list of files in the new home directory + char *dlist = strdup(cfg.home_private_keep); + if (!dlist) + errExit("strdup"); + + char *ptr = strtok(dlist, ","); + duplicate(ptr); + while ((ptr = strtok(NULL, ",")) != NULL) + duplicate(ptr); + + if (!arg_quiet) { + if (size_limit_reached) + fprintf(stderr, "Warning: private-home copy limit of %u MB reached, not all the files were copied\n", + PRIVATE_COPY_LIMIT / (1024 *1024)); + else + printf("Private home: %u files, total size %u bytes\n", file_cnt, size_cnt); + } + + fs_logger_print(); // save the current log + free(dlist); + exit(0); + } + // wait for the child to finish + waitpid(child, NULL, 0); + + if (arg_debug) + printf("Mount-bind %s on top of %s\n", RUN_HOME_DIR, homedir); + + if (mount(RUN_HOME_DIR, homedir, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mount bind"); + + if (u != 0) { + // mask /root + if (arg_debug) + printf("Mounting a new /root directory\n"); + if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=700,gid=0") < 0) + errExit("mounting home directory"); + } + else { + // mask /home + if (arg_debug) + printf("Mounting a new /home directory\n"); + if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) + errExit("mounting home directory"); + } + + skel(homedir, u, g); + if (xflag) + copy_xauthority(); + if (aflag) + copy_asoundrc(); +} 
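Review bot: In check_dir_or_file() (src/firejail/fs_home.c), the containment test `strncmp(rname, cfg.homedir, strlen(cfg.homedir)) != 0` is a plain prefix match, so a resolved path that merely begins with the home string passes it (constructed example: home `/home/user`, path `/home/user2`). Such a path also passes the top-level check that follows, because the byte after the prefix is skipped by `ptr++` without being inspected. The exact-home case is already rejected just above, so `if (*ptr == '\0')` can become `if (*ptr != '/')` to require a separator at the boundary. fs_copydir() derives its destination from `path + strlen(cfg.homedir)` and duplicate() asserts the same prefix, so both depend on this check being exact. The uid/gid ownership test still applies to such a path, which limits the impact.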
diff --git a/src/firejail/main.c b/src/firejail/main.c index 501bccff2..94000d917 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1560,21 +1560,14 @@ int main(int argc, char **argv) { arg_writable_var = 1; } else if (strcmp(argv[i], "--private") == 0) { -#if 0 - if (arg_private_template) { - fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n"); - exit(1); - } -#endif arg_private = 1; } else if (strncmp(argv[i], "--private=", 10) == 0) { -#if 0 - if (arg_private_template) { - fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n"); - exit(1); - } -#endif + if (cfg.home_private_keep) { + fprintf(stderr, "Error: a private list of files was already defined with --private-home option.\n"); + exit(1); + } + // extract private home dirname cfg.home_private = argv[i] + 10; if (*cfg.home_private == '\0') { @@ -1584,21 +1577,25 @@ int main(int argc, char **argv) { fs_check_private_dir(); arg_private = 1; } -#if 0 - else if (strncmp(argv[i], "--private-template=", 19) == 0) { - cfg.private_template = argv[i] + 19; - if (arg_private) { - fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n"); - exit(1); - } - if (*cfg.private_template == '\0') { - fprintf(stderr, "Error: invalid private-template option\n"); - exit(1); - } - fs_check_private_template(); - arg_private_template = 1; - } -#endif +#ifdef HAVE_PRIVATE_HOME + else if (strncmp(argv[i], "--private-home=", 15) == 0) { + if (checkcfg(CFG_PRIVATE_HOME)) { + if (cfg.home_private) { + fprintf(stderr, "Error: a private home directory was already defined with --private option.\n"); + exit(1); + } + + // extract private home dirname + cfg.home_private_keep = argv[i] + 15; + fs_check_home_list(); + arg_private = 1; + } + else { + fprintf(stderr, "Error: --private-home feature is disabled in Firejail configuration file\n"); + exit(1); + } + } +#endif else if (strcmp(argv[i], "--private-dev") == 0) { arg_private_dev = 1; } 
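Review bot: The new `--private-home=` branch in main() stores `argv[i] + 15` and calls fs_check_home_list() without rejecting an empty list, unlike the `--private=` branch above it, which tests `*cfg.home_private == '\0'`. In fs_check_home_list() (fs_home.c in this commit) the first `strtok(dlist, ",")` returns NULL for an empty or comma-only list, and that NULL goes straight to check_dir_or_file(), whose first statement is `assert(name)`. The program therefore aborts instead of reporting a usage error, and in a build with NDEBUG the NULL would reach invalid_filename(). Add `if (*cfg.home_private_keep == '\0') { fprintf(stderr, "Error: invalid private-home option\n"); exit(1); }` before the call, and have fs_check_home_list() treat a NULL first token as an error.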
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index ee5d8c159..a516f3216 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -169,6 +169,18 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { arg_private = 1; return 0; } + if (strncmp(ptr, "private-home ", 13) == 0) { +#ifdef HAVE_PRIVATE_HOME + if (checkcfg(CFG_PRIVATE_HOME)) { + cfg.home_private_keep = ptr + 13; + fs_check_home_list(); + arg_private = 1; + } + else + fprintf(stderr, "Warning: private-home is disabled in Firejail configuration file\n"); +#endif + return 0; + } else if (strcmp(ptr, "private-dev") == 0) { arg_private_dev = 1; return 0; diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 9423ae7e0..76efe996b 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -540,6 +540,14 @@ int sandbox(void* sandbox_arg) { else fs_private_homedir(); } + else if (cfg.home_private_keep) { // --private-home= + if (cfg.chrootdir) + fprintf(stderr, "Warning: private-home= feature is disabled in chroot\n"); + else if (arg_overlay) + fprintf(stderr, "Warning: private-home= feature is disabled in overlay\n"); + else + fs_private_home_list(); + } else // --private fs_private(); } diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 363f973e8..52d9bbe7e 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c 
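Review bot: In profile_check_line() (src/firejail/profile.c), a `private-home` line can be dropped without stopping the sandbox: when HAVE_PRIVATE_HOME is not compiled in, the added block returns 0 with no message, and when the feature is disabled in firejail.config it only prints a warning, whereas the command-line branch in main.c exits with an error. The sandbox.c hunk in this commit behaves the same way under chroot and overlay, where it warns and then skips both fs_private_home_list() and the plain `fs_private()` fallback. As far as these hunks show, the application then starts with the real home directory visible although the profile asked for a restricted one; consider failing closed, or at least falling back to `fs_private()`, and printing a warning in the `#else` case. The profile branch also never tests `cfg.home_private`, so the mutual-exclusion check added in main.c does not cover profiles.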
@@ -221,24 +221,10 @@ $ firejail \-\-overlay-path=~/jails/jail1 firefox printf("\tfilesystems. All modifications are discarded when the sandbox is\n"); printf("\tclosed.\n\n"); printf(" --private=directory - use directory as user home.\n\n"); -#if 0 - printf(" --private-template=directory - same as --private but copy the\n"); - printf("\ttemplatedirectory in the tmpfs mounted user home.\n\n"); - -.TP -\fB\-\-private-template=templatedir -Mount new /root and /home/user directories in temporary -filesystems, and copy all files in templatedir. All modifications are discarded when the sandbox is -closed. -.br - -.br -Example: -.br -$ firejail \-\-private-template=/home/netblue/.config/mozilla firefox -#endif - - + printf(" --private-home=file,directory - build a new user home in a temporary\n"); + printf("\t\tfilesystem, and copy the files and directories in the list in\n"); + printf("\t\tthe new home. All modifications are discarded when the sandbox\n"); + printf("\t\tis closed.\n\n"); printf(" --private-bin=file,file - build a new /bin in a temporary filesystem,\n"); printf("\tand copy the programs in the list.\n\n"); diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index e3217bbff..51b45cd10 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -170,6 +170,12 @@ closed. \fBprivate directory Use directory as user home. .TP +\f\private-home file,directory +Build a new user home in a temporary +filesystem, and copy the files and directories in the list in the +new home. All modifications are discarded when the sandbox is +closed. +.TP \fBprivate-bin file,file Build a new /bin in a temporary filesystem, and copy the programs in the list. The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin. diff --git a/src/man/firejail.txt b/src/man/firejail.txt index dbb0df233..a5d3623b6 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
@@ -1085,6 +1085,19 @@ Example: .br $ firejail \-\-private=/home/netblue/firefox-home firefox +.TP +\fB\-\-private-home=file,directory +Build a new user home in a temporary +filesystem, and copy the files and directories in the list in the +new home. All modifications are discarded when the sandbox is +closed. +.br + +.br +Example: +.br +$ firejail \-\-private-home=.mozilla firefox + .TP \fB\-\-private-bin=file,file Build a new /bin in a temporary filesystem, and copy the programs in the list. -- cgit v1.2.3-70-g09d2 From e633e923d3f45af8e0142f04fbae08e0e1d5e0ca Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Tue, 6 Sep 2016 01:19:41 +0300 Subject: fix read_pid --- src/firejail/main.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/firejail/main.c b/src/firejail/main.c index 94000d917..569fc7add 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -161,7 +161,8 @@ static inline int read_pid(char *str, pid_t *pid) { || (errno != 0 && pidtmp == 0)) { return 1; } - if (endptr == str) { + // endptr points to '\0' char in str if the entire string is valid + if (endptr == NULL || endptr[0]!='\0') { return 1; } *pid = (pid_t)pidtmp; -- cgit v1.2.3-70-g09d2 From cac5c1da30ee626cddea673a65c08bbff7b1df4b Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 6 Sep 2016 09:12:57 -0400 Subject: todo --- README | 1 + todo | 11 +++++++++-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/README b/README index 7ba78a05f..0302114d6 100644 --- a/README +++ b/README @@ -41,6 +41,7 @@ Aleksey Manevich (https://github.com/manevich) - gether shell selection code in one place - fixed several TOCTOU security problems - added --fix option to firecfg utility + - read_pid fix Fred-Barclay (https://github.com/Fred-Barclay) - added Vivaldi, Atril profiles - added PaleMoon profile diff --git a/todo b/todo index 6fe7c5e6f..2a5a3e388 100644 --- a/todo +++ b/todo 
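Review bot: The replacement check in read_pid drops the `endptr == str` case, so an empty string now gets through: strtol() consumes nothing, leaves endptr on the terminating '\0', and the function goes on to store 0 in *pid unless the range test above the hunk rejects it. `endptr == NULL` cannot occur when a valid `&endptr` is passed, so the guard would be better written as `if (endptr == str || *endptr != '\0') {`. The start of read_pid, including the strtol() call and the range test, is outside the hunk, so whether a zero or negative value is already rejected there should be confirmed.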
@@ -259,8 +259,8 @@ $ sudo reboot If you are using auditd, start aa-notify to get notification whenever a program causes a DENIED message. $ sudo aa-notify -p -f /var/log/audit/audit.log -/sys/module/apparmor/parameters/enabled -/sys/kernel/security/apparmor +$ sudo cat /sys/kernel/security/apparmor/profiles | grep firejail +firejail-default (enforce) 24. check monitor proc behaviour for sandboxes with --blacklist=/proc also check --apparmor in this case @@ -271,3 +271,10 @@ sudo mount -o remount,rw,hidepid=2 /proc 26. mupdf profile +27. LUKS + +dm-crypt+LUKS – dm-crypt is a transparent disk encryption subsystem in +Linux kernel v2.6+ and later and DragonFly BSD. It can encrypt whole disks, +removable media, partitions, software RAID volumes, logical volumes, and files. + +28. add support for whitelisting /mtn -- cgit v1.2.3-70-g09d2 From fa424ad84d1bcabdc35611fac4b3ca1ebe51e1e1 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 6 Sep 2016 10:13:11 -0400 Subject: compile cleanup --- src/firecfg/main.c | 2 +- src/firejail/firejail.h | 4 ++++ src/firejail/fs_home.c | 2 ++ test/compile/compile.sh | 21 +++++++++++++++++++++ 4 files changed, 28 insertions(+), 1 deletion(-) diff --git a/src/firecfg/main.c b/src/firecfg/main.c index 3f9285776..d2566ce22 100644 --- a/src/firecfg/main.c +++ b/src/firecfg/main.c @@ -387,7 +387,7 @@ static void fix_desktop_files(void) { // put '\0' at end of filename char *tail = NULL; - char endchar; + char endchar = ' '; if (execname[0] == '/') { char *ptr2 = index(execname, ' '); char *ptr3 = index(execname, '\n'); diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 9b60d40c2..cb8070ae6 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h 
@@ -478,6 +478,10 @@ void fs_private_template(void); void fs_check_private_dir(void); // check new private template home directory (--private-template= option) exit if it fails void fs_check_private_template(void); +// check directory list specified by user (--private-home option) - exit if it fails +void fs_check_home_list(void); +void fs_private_home_list(void); + // seccomp.c int seccomp_filter_drop(int enforce_seccomp); diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index a4b2ec046..064340613 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c @@ -361,6 +361,8 @@ static unsigned size_cnt = 0; static char *check_dir_or_file(const char *name); int fs_copydir(const char *path, const struct stat *st, int ftype, struct FTW *sftw) { + (void) st; + (void) sftw; if (size_limit_reached) return 0; diff --git a/test/compile/compile.sh b/test/compile/compile.sh index 76a7162b7..44e67fe22 100755 --- a/test/compile/compile.sh +++ b/test/compile/compile.sh @@ -14,6 +14,7 @@ arr[11]="TEST 11: compile disable global config" arr[12]="TEST 12: compile apparmor" arr[13]="TEST 13: compile busybox" arr[14]="TEST 14: compile overlayfs disabled" +arr[15]="TEST 15: compile apparmor enabled" # remove previous reports and output file cleanup() { 
@@ -307,6 +308,24 @@ cp output-configure oc14 cp output-make om14 rm output-configure output-make +#***************************************************************** +# TEST 15 +#***************************************************************** +# - enable apparmor +#***************************************************************** +print_title "${arr[15]}" +# seccomp +cd firejail +make distclean +./configure --prefix=/usr --enable-apparmor --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +cd .. +grep Warning output-configure output-make > ./report-test15 +grep Error output-configure output-make >> ./report-test15 +cp output-configure oc15 +cp output-make om15 +rm output-configure output-make + #***************************************************************** # PRINT REPORTS @@ -336,3 +355,5 @@ echo ${arr[11]} echo ${arr[12]} echo ${arr[13]} echo ${arr[14]} +echo ${arr[15]} + -- cgit v1.2.3-70-g09d2 From a08d989d09ef1d39a4e5fa41a06f8008fe06315c Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Tue, 6 Sep 2016 20:06:21 +0300 Subject: xpra fix --- src/firejail/x11.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 9a59b873b..5c6f045e7 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c @@ -436,7 +436,7 @@ void x11_start_xpra(int argc, char **argv) { } // build attach command - char *attach_argv[] = { "xpra", "--title=\"firejail x11 sandbox\"", "attach", display_str }; + char *attach_argv[] = { "xpra", "--title=\"firejail x11 sandbox\"", "attach", display_str, NULL }; // run attach command client = fork(); -- cgit v1.2.3-70-g09d2 From ae1111abb8b8eee2a7605d3b535a16680dba3925 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 7 Sep 2016 10:23:07 -0400 Subject: testcase for read_pid fix --- test/utils/join4.exp | 38 ++++++++++++++++++++++++++++++++++++++ test/utils/utils.sh | 3 +++ 2 files changed, 41 insertions(+) create mode 100755 test/utils/join4.exp 
diff --git a/test/utils/join4.exp b/test/utils/join4.exp new file mode 100755 index 000000000..c367dd770 --- /dev/null +++ b/test/utils/join4.exp @@ -0,0 +1,38 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +cd /home +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --name=123test\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firejail --join=123test\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Switching to pid" +} +sleep 1 +send -- "ps aux\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "/bin/bash" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "/bin/bash" +} + +send -- "exit" +after 100 + +puts "\nall done\n" diff --git a/test/utils/utils.sh b/test/utils/utils.sh index 0428c4807..ff4e5e086 100755 --- a/test/utils/utils.sh +++ b/test/utils/utils.sh @@ -71,6 +71,9 @@ echo "TESTING: join2 (test/utils/join2.exp)" echo "TESTING: join3 (test/utils/join3.exp)" ./join3.exp +echo "TESTING: join3 (test/utils/join4.exp)" +./join4.exp + echo "TESTING: join profile (test/utils/join-profile.exp)" ./join-profile.exp -- cgit v1.2.3-70-g09d2 From 14bc2dfdb85a8b951ed63090f48d81c9eb80e2fc Mon Sep 17 00:00:00 2001 From: Sergey Alirzaev Date: Thu, 8 Sep 2016 06:15:53 +0300 Subject: use enum for enumeration --- src/firejail/firejail.h | 34 ++++++++++++++++++---------------- 1 file changed, 18 insertions(+), 16 deletions(-) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index cb8070ae6..776bfbc74 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h 
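Review bot: The echo line added in utils.sh labels the new test as join3, so a failure of join4.exp cannot be told apart from join3 in the test log; it should read `echo "TESTING: join4 (test/utils/join4.exp)"`. In join4.exp the final `send -- "exit"` has no `\r`, so the command is typed but never submitted; `send -- "exit\r"` would actually leave the joined shell before the script ends.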
@@ -631,22 +631,24 @@ void sandboxfs_name(int op, const char *name, const char *path); void sandboxfs(int op, pid_t pid, const char *patqh); // checkcfg.c -#define CFG_FILE_TRANSFER 0 -#define CFG_X11 1 -#define CFG_BIND 2 -#define CFG_USERNS 3 -#define CFG_CHROOT 4 -#define CFG_SECCOMP 5 -#define CFG_NETWORK 6 -#define CFG_RESTRICTED_NETWORK 7 -#define CFG_FORCE_NONEWPRIVS 8 -#define CFG_WHITELIST 9 -#define CFG_XEPHYR_WINDOW_TITLE 10 -#define CFG_REMOUNT_PROC_SYS 11 -#define CFG_OVERLAYFS 12 -#define CFG_CHROOT_DESKTOP 13 -#define CFG_PRIVATE_HOME 14 -#define CFG_MAX 15 // this should always be the last entry +enum { + CFG_FILE_TRANSFER = 0, + CFG_X11, + CFG_BIND, + CFG_USERNS, + CFG_CHROOT, + CFG_SECCOMP, + CFG_NETWORK, + CFG_RESTRICTED_NETWORK, + CFG_FORCE_NONEWPRIVS, + CFG_WHITELIST, + CFG_XEPHYR_WINDOW_TITLE, + CFG_REMOUNT_PROC_SYS, + CFG_OVERLAYFS, + CFG_CHROOT_DESKTOP, + CFG_PRIVATE_HOME, + CFG_MAX // this should always be the last entry +}; extern char *xephyr_screen; extern char *xephyr_extra_params; extern char *netfilter_default; -- cgit v1.2.3-70-g09d2 From 22d6041c8fe43e025676ea254d3cbff7da7e3d4f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 8 Sep 2016 08:58:30 -0400 Subject: 0.9.42 testing --- README | 2 ++ RELNOTES | 4 ++-- configure | 18 +++++++++--------- configure.ac | 2 +- test/profiles/profile_syntax.exp | 2 +- test/sysrq-trigger.exp | 21 --------------------- test/test-root.sh | 5 ++--- 7 files changed, 17 insertions(+), 37 deletions(-) delete mode 100755 test/sysrq-trigger.exp diff --git a/README b/README index 0302114d6..b3cef82b0 100644 --- a/README +++ b/README @@ -72,6 +72,8 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added eom profile - added gnome-chess profile - added DOSBox profile +Sergey Alirzaev (https://github.com/l29ah) + - firejail.h enum fix greigdp (https://github.com/greigdp) - Gajim IM client profile - fix Slack profile diff --git a/RELNOTES b/RELNOTES index 734a92b4f..e48dbbb0e 100644 --- a/RELNOTES 
+++ b/RELNOTES @@ -1,4 +1,4 @@ -firejail (0.9.42~rc2) baseline; urgency=low +firejail (0.9.42) baseline; urgency=low * security: --whitelist deleted files, submitted by Vasya Novikov * security: disable x32 ABI in seccomp, submitted by Jann Horn * security: tighten --chroot, submitted by Jann Horn @@ -43,7 +43,7 @@ firejail (0.9.42~rc2) baseline; urgency=low * profiles: tar (gtar), unzip, unrar, file, skypeforlinux, * profiles: inox, Slack, gnome-chess. Gajim IM client, DOSBox * bugfixes - -- netblue30 Fri, 26 Aug 2016 08:00:00 -0500 + -- netblue30 Thu, 8 Sept 2016 08:00:00 -0500 firejail (0.9.40) baseline; urgency=low * added --nice option diff --git a/configure b/configure index 0b05d42e5..b591987e7 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for firejail 0.9.42~rc3. +# Generated by GNU Autoconf 2.69 for firejail 0.9.42. # # Report bugs to . # @@ -580,8 +580,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='firejail' PACKAGE_TARNAME='firejail' -PACKAGE_VERSION='0.9.42~rc3' -PACKAGE_STRING='firejail 0.9.42~rc3' +PACKAGE_VERSION='0.9.42' +PACKAGE_STRING='firejail 0.9.42' PACKAGE_BUGREPORT='netblue30@yahoo.com' PACKAGE_URL='http://firejail.wordpress.com' @@ -1259,7 +1259,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures firejail 0.9.42~rc3 to adapt to many kinds of systems. +\`configure' configures firejail 0.9.42 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1320,7 +1320,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of firejail 0.9.42~rc3:";; + short | recursive ) echo "Configuration of firejail 0.9.42:";; esac cat <<\_ACEOF 
@@ -1424,7 +1424,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -firejail configure 0.9.42~rc3 +firejail configure 0.9.42 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1726,7 +1726,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by firejail $as_me 0.9.42~rc3, which was +It was created by firejail $as_me 0.9.42, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4310,7 +4310,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by firejail $as_me 0.9.42~rc3, which was +This file was extended by firejail $as_me 0.9.42, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -4364,7 +4364,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -firejail config.status 0.9.42~rc3 +firejail config.status 0.9.42 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index ca6066d25..11c5b993e 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ([2.68]) -AC_INIT(firejail, 0.9.42~rc3, netblue30@yahoo.com, , http://firejail.wordpress.com) +AC_INIT(firejail, 0.9.42, netblue30@yahoo.com, , http://firejail.wordpress.com) AC_CONFIG_SRCDIR([src/firejail/main.c]) #AC_CONFIG_HEADERS([config.h]) diff --git a/test/profiles/profile_syntax.exp b/test/profiles/profile_syntax.exp index c8cb99a5f..d1be2074a 100755 --- a/test/profiles/profile_syntax.exp +++ b/test/profiles/profile_syntax.exp 
@@ -25,7 +25,7 @@ sleep 1 send -- "ls -l /etc/shadow\r" expect { timeout {puts "TESTING ERROR 3\n";exit} - "root root 0" + "root root" } sleep 1 diff --git a/test/sysrq-trigger.exp b/test/sysrq-trigger.exp deleted file mode 100755 index 18fb4a01a..000000000 --- a/test/sysrq-trigger.exp +++ /dev/null @@ -1,21 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "echo b > /proc/sysrq-trigger\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Read-only file system" -} -sleep 1 - -puts "\n" diff --git a/test/test-root.sh b/test/test-root.sh index aca48d334..0fdaf4ff7 100755 --- a/test/test-root.sh +++ b/test/test-root.sh @@ -44,9 +44,6 @@ then ./servers6.exp fi -echo "TESTING: /proc/sysrq-trigger reset disabled (sysrq-trigger.exp)" -./sysrq-trigger.exp - echo "TESTING: seccomp umount (seccomp-umount.exp)" ./filters/seccomp-umount.exp @@ -80,3 +77,5 @@ rm -f /tmp/chroot/etc/resolv.conf ln -s tmp /tmp/chroot/etc/resolv.conf ./chroot-resolvconf.exp rm -f tmpfile +rm /tmp/chroot/etc/resolv.conf + -- cgit v1.2.3-70-g09d2 From a72ecf8ce0efd38d9cd6df218d352817c4734426 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 8 Sep 2016 09:35:41 -0400 Subject: 0.9.42 testing - CentOS 6 --- src/firejail/appimage.c | 11 +++++++++-- src/firejail/checkcfg.c | 12 ++++++++++++ 2 files changed, 21 insertions(+), 2 deletions(-) diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index eb90a39dd..05bd8a1d8 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c 
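Review bot: Relaxing the expected `ls -l /etc/shadow` output from `root root 0` to `root root` removes the only part of the pattern that looks like the file size, so the check now passes for any root-owned /etc/shadow, including one that still shows its real contents. The old `0` suggests this step was meant to confirm an empty placeholder inside the sandbox, although the hunk does not show the profile under test. If the change was made only because column spacing differs between distributions, a regular-expression match such as `-re "root root +0 "` would tolerate that while keeping the size check. The surrounding expect script starts and ends outside the hunk.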
@@ -40,6 +40,7 @@ void appimage_set(const char *appimage_path) { assert(devloop == NULL); // don't call this twice! EUID_ASSERT(); +#ifdef LOOP_CTL_GET_FREE // test for older kernels; this definition is found in /usr/include/linux/loop.h // check appimage_path if (access(appimage_path, R_OK) == -1) { fprintf(stderr, "Error: cannot access AppImage file\n"); @@ -48,8 +49,10 @@ void appimage_set(const char *appimage_path) { // open as user to prevent race condition int ffd = open(appimage_path, O_RDONLY|O_CLOEXEC); - if (ffd == -1) - errExit("open"); + if (ffd == -1) { + fprintf(stderr, "Error: /dev/loop-control interface is not supported by your kernel\n"); + exit(1); + } EUID_ROOT(); @@ -109,6 +112,10 @@ void appimage_set(const char *appimage_path) { errExit("asprintf"); free(mode); +#else + fprintf(stderr, "Error: /dev/loop-control interface is not supported by your kernel\n"); + exit(1); +#endif } void appimage_clear(void) { diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 99266c575..34078492e 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -19,6 +19,7 @@ */ #include "firejail.h" #include +#include #define MAX_READ 8192 // line buffer for profile files @@ -286,6 +287,17 @@ void print_compiletime_support(void) { #endif ); + printf("\t- AppImage support is %s\n", +#ifdef LOOP_CTL_GET_FREE // test for older kernels; this definition is found in /usr/include/linux/loop.h + "enabled" +#else + "disabled" +#endif + ); + + + + printf("\t- bind support is %s\n", #ifdef HAVE_BIND -- cgit v1.2.3-70-g09d2 From e0935c5a3bb4c3b297c151e2060cfc624377a421 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 9 Sep 2016 13:18:18 -0400 Subject: starting new development --- README.md | 167 +---------------------------------------------------------- RELNOTES | 4 ++ configure | 18 +++---- configure.ac | 2 +- 4 files changed, 15 insertions(+), 176 deletions(-) diff --git a/README.md b/README.md index 2f2ab38e7..eafcf1d78 100644 --- a/README.md 
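Review bot: The rewritten failure branch after `open(appimage_path, O_RDONLY|O_CLOEXEC)` reports that /dev/loop-control is not supported, but the call that failed is the open of the AppImage file itself, and the message discards errno, so a permission or path problem is reported as a kernel limitation. The removed `errExit("open")` was accurate here; if a friendlier text is wanted, `fprintf(stderr, "Error: cannot open AppImage file: %s\n", strerror(errno));` keeps the cause visible. The loop-control message presumably belongs on the open of /dev/loop-control further down in appimage_set, which is outside this hunk.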
+++ b/README.md 
@@ -34,170 +34,5 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ ````` ````` -# Current development version: 0.9.42~rc2 - -Version 0.9.41~rc1 was released. - -## Bringing back --private-home - -## Deprecated --user - ---user option was deprecated, please use "sudo -u username firejail application" instead. - -## --whitelist rework - -Symlinks outside user home directories are allowed: -````` - --whitelist=dirname_or_filename - Whitelist directory or file. This feature is implemented only - for user home, /dev, /media, /opt, /var, and /tmp directories. - With the exception of user home, both the link and the real file - should be in the same top directory. For /home, both the link - and the real file should be owned by the user. - - Example: - $ firejail --noprofile --whitelist=~/.mozilla - $ firejail --whitelist=/tmp/.X11-unix --whitelist=/dev/null - $ firejail "--whitelist=/home/username/My Virtual Machines" -````` - -## AppArmor support - -So far I've seen this working on Debian Jessie and Ubuntu 16.04, where I can get Firefox and -Chromium running. There is more testing to come. - -````` -APPARMOR - AppArmor support is disabled by default at compile time. Use --enable- - apparmor configuration option to enable it: - - $ ./configure --prefix=/usr --enable-apparmor - - During software install, a generic AppArmor profile file, firejail- - default, is placed in /etc/apparmor.d directory. The profile needs to - be loaded into the kernel by running the following command as root: - - # aa-enforce firejail-default - - The installed profile tries to replicate some advanced security fea‐ - tures inspired by kernel-based Grsecurity: - - - Prevent information leakage in /proc and /sys directories. The - resulting file system is barely enough for running commands such - as "top" and "ps aux". - - - Allow running programs only from well-known system paths, such - as /bin, /sbin, /usr/bin etc. 
Running programs and scripts from - user home or other directories writable by the user is not - allowed. - - - Disable D-Bus. D-Bus has long been a huge security hole, and - most programs don't use it anyway. You should have no problems - running Chromium or Firefox. - - To enable AppArmor confinement on top of your current Firejail security - features, pass --apparmor flag to Firejail command line. You can also - include apparmor command in a Firejail profile file. Example: - - $ firejail --apparmor firefox - -````` - -## AppImage support - -AppImage (http://appimage.org/) is a distribution-agnostic packaging format. -The package is a regular ISO file containing all binaries, libraries and resources -necessary for the program to run. - -We introduce in this release support for sandboxing AppImage applications. Example: -````` -$ firejail --appimage krita-3.0-x86_64.appimage -````` -All Firejail sandboxing options should be available. A private home directory: -````` -$ firejail --appimage --private krita-3.0-x86_64.appimage -````` -or some basic X11 sandboxing: -````` -$ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage -````` -Major software applications distributing AppImage packages: - -* Krita: https://krita.org/download/krita-desktop/ -* OpenShot: http://www.openshot.org/download/ -* Scribus: https://www.scribus.net/downloads/unstable-branch/ -* MuseScore: https://musescore.org/en/download - -More packages build by AppImage developer Simon Peter: https://bintray.com/probono/AppImages - -AppImage project home: https://github.com/probonopd/AppImageKit - -## Sandbox auditing -````` -AUDIT - Audit feature allows the user to point out gaps in security profiles. - The implementation replaces the program to be sandboxed with a test - program. By default, we use faudit program distributed with Firejail. A - custom test program can also be supplied by the user. 
Examples: - - Running the default audit program: - $ firejail --audit transmission-gtk - - Running a custom audit program: - $ firejail --audit=~/sandbox-test transmission-gtk - - In the examples above, the sandbox configures transmission-gtk profile - and starts the test program. The real program, transmission-gtk, will - not be started. - - Limitations: audit feature is not implemented for --x11 commands. -````` - -## --noexec -````` - --noexec=dirname_or_filename - Remount directory or file noexec, nodev and nosuid. - - Example: - $ firejail --noexec=/tmp - - /etc and /var are noexec by default. If there are more than one - mount operation on the path of the file or directory, noexec - should be applied to the last one. Always check if the change - took effect inside the sandbox. -````` - -## --rmenv -````` - --rmenv=name - Remove environment variable in the new sandbox. - - Example: - $ firejail --rmenv=DBUS_SESSION_BUS_ADDRESS -````` - -## Converting profiles to private-bin - work in progress! - -BitTorrent: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt, uget-gtk - -File transfer: filezilla - -Media: vlc, mpv, gnome-mplayer, audacity, rhythmbox, spotify, xplayer, xviewer, eom - -Office: evince, gthumb, fbreader, pix, atril, xreader, - -Chat/messaging: qtox, gitter, pidgin - -Games: warzone2100, gnome-chess - -Weather/climate: aweather - -Astronomy: gpredict, stellarium - -Browsers: Palemoon - -## New security profiles - -Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview -tar (gtar), unzip, unrar, file, skypeforlinux, gnome-chess, inox, Slack, Gajim IM client, DOSBox +# Current development version: 0.9.43 diff --git a/RELNOTES b/RELNOTES index e48dbbb0e..6a0bd4711 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -1,3 +1,7 @@ +firejail (0.9.43) baseline; urgency=low + * development version + -- netblue30 Fri, 9 Sept 2016 08:00:00 -0500 + firejail (0.9.42) baseline; urgency=low * security: --whitelist deleted files, submitted by Vasya Novikov * security: disable x32 ABI in seccomp, submitted by Jann Horn diff --git a/configure b/configure index b591987e7..7f9fdc3f0 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for firejail 0.9.42. +# Generated by GNU Autoconf 2.69 for firejail 0.9.43. # # Report bugs to . # @@ -580,8 +580,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='firejail' PACKAGE_TARNAME='firejail' -PACKAGE_VERSION='0.9.42' -PACKAGE_STRING='firejail 0.9.42' +PACKAGE_VERSION='0.9.43' +PACKAGE_STRING='firejail 0.9.43' PACKAGE_BUGREPORT='netblue30@yahoo.com' PACKAGE_URL='http://firejail.wordpress.com' @@ -1259,7 +1259,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures firejail 0.9.42 to adapt to many kinds of systems. +\`configure' configures firejail 0.9.43 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1320,7 +1320,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of firejail 0.9.42:";; + short | recursive ) echo "Configuration of firejail 0.9.43:";; esac cat <<\_ACEOF @@ -1424,7 +1424,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -firejail configure 0.9.42 +firejail configure 0.9.43 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. 
@@ -1726,7 +1726,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by firejail $as_me 0.9.42, which was +It was created by firejail $as_me 0.9.43, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4310,7 +4310,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by firejail $as_me 0.9.42, which was +This file was extended by firejail $as_me 0.9.43, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -4364,7 +4364,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -firejail config.status 0.9.42 +firejail config.status 0.9.43 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index 11c5b993e..f4deff7b5 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ([2.68]) -AC_INIT(firejail, 0.9.42, netblue30@yahoo.com, , http://firejail.wordpress.com) +AC_INIT(firejail, 0.9.43, netblue30@yahoo.com, , http://firejail.wordpress.com) AC_CONFIG_SRCDIR([src/firejail/main.c]) #AC_CONFIG_HEADERS([config.h]) -- cgit v1.2.3-70-g09d2 From 85195f55733b5a369ddbc335393b3a16e10647a5 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Sat, 10 Sep 2016 21:16:09 +0300 Subject: add x11=block option --- src/firejail/firejail.h | 2 ++ src/firejail/main.c | 8 +++++++ src/firejail/profile.c | 39 +++++++++++++++++++++++++++++++++++ src/firejail/x11.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 104 insertions(+) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 776bfbc74..ed9d901c0 100644 --- a/src/firejail/firejail.h 
+++ b/src/firejail/firejail.h @@ -315,6 +315,7 @@ extern int arg_audit; // audit extern char *arg_audit_prog; // audit extern int arg_apparmor; // apparmor extern int arg_allow_debuggers; // allow debuggers +extern int arg_x11_block; // block X11 extern int login_shell; extern int parent_to_child_fds[2]; @@ -623,6 +624,7 @@ int x11_display(void); void x11_start(int argc, char **argv); void x11_start_xpra(int argc, char **argv); void x11_start_xephyr(int argc, char **argv); +void x11_block(void); // ls.c #define SANDBOX_FS_LS 0 diff --git a/src/firejail/main.c b/src/firejail/main.c index 569fc7add..e171919d1 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -105,6 +105,7 @@ int arg_audit = 0; // audit char *arg_audit_prog = NULL; // audit int arg_apparmor = 0; // apparmor int arg_allow_debuggers = 0; // allow debuggers +int arg_x11_block = 0; // block X11 int login_shell = 0; int parent_to_child_fds[2]; @@ -2118,6 +2119,9 @@ int main(int argc, char **argv) { return 1; } } + else if (strcmp(argv[i], "--x11=block") == 0) { + arg_x11_block = 1; + } else if (strcmp(argv[i], "--") == 0) { // double dash - positional params to follow arg_doubledash = 1; @@ -2284,6 +2288,10 @@ int main(int argc, char **argv) { } } + // block X11 sockets + if (arg_x11_block) + x11_block(); + // check network configuration options - it will exit if anything went wrong net_check_cfg(); diff --git a/src/firejail/profile.c b/src/firejail/profile.c index a516f3216..00301037f 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c 
@@ -625,6 +625,45 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { arg_private = 1; return 0; } + + if (strcmp(ptr, "x11 block") == 0) { +#ifdef HAVE_X11 + arg_x11_block = 1; +#endif + return 0; + } + + if (strcmp(ptr, "x11 xephyr") == 0) { +#ifdef HAVE_X11 + if (checkcfg(CFG_X11)) { + char *x11env = getenv("FIREJAIL_X11"); + if (x11env && strcmp(x11env, "yes") == 0) + return 0; + else { + // start x11 + x11_start_xephyr(cfg.original_argc, cfg.original_argv); + exit(0); + } + } +#endif + return 0; + } + + if (strcmp(ptr, "x11 xpra") == 0) { +#ifdef HAVE_X11 + if (checkcfg(CFG_X11)) { + char *x11env = getenv("FIREJAIL_X11"); + if (x11env && strcmp(x11env, "yes") == 0) + return 0; + else { + // start x11 + x11_start_xpra(cfg.original_argc, cfg.original_argv); + exit(0); + } + } +#endif + return 0; + } if (strcmp(ptr, "x11") == 0) { #ifdef HAVE_X11 diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 5c6f045e7..29111d5ff 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c @@ -51,6 +51,27 @@ static int x11_check_xephyr(void) { return 1; } +// check for X11 abstract sockets +static int x11_abstract_sockets_present(void) { + char *path; + FILE *fp = fopen("/proc/net/unix", "r"); + if (!fp) + errExit("fopen"); + + while (fscanf(fp, "%*s %*s %*s %*s %*s %*s %*s %ms\n", &path) != EOF) { + if (path && strncmp(path, "@/tmp/.X11-unix/", 16) == 0) { + free(path); + fclose(fp); + return 1; + } + } + + free(path); + fclose(fp); + + return 0; +} + static int random_display_number(void) { int i; int found = 1; 
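Review bot: The `x11 block` profile command is accepted and silently ignored when the build has no HAVE_X11, because the assignment to arg_x11_block sits inside the `#ifdef` and the branch returns 0 either way; x11_block() in the last x11.c hunk wraps its whole body in the same guard. The `x11 xephyr` and `x11 xpra` branches likewise fall through to `return 0` with no message when checkcfg(CFG_X11) is off, so a profile that asks for an isolated display runs against the host X server without any diagnostic. Each of these paths should at least print a warning, for example `fprintf(stderr, "Warning: x11 feature is disabled in Firejail configuration file\n");`, and `x11 block` is a candidate for a hard error since it is a pure restriction. The xephyr and xpra branches are identical apart from the function called and could share a helper. profile_check_line begins and ends outside this hunk.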
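Review bot: x11_abstract_sockets_present() can miss a listening abstract socket, because the eight-field fscanf pattern assumes every /proc/net/unix entry has a path column; entries for unnamed sockets do not, so the whitespace-skipping `%*s` conversions run on into the next line and the `@/tmp/.X11-unix/` token can land on a skipped field. A missed socket means --x11=block goes ahead while the X server is still reachable. `path` is also uninitialised, is never freed for non-matching entries, and is passed to free() after the loop even if no conversion ever assigned it. Reading whole lines avoids all three problems; the substring test below can only over-match, which errs towards refusing to start.

```c
static int x11_abstract_sockets_present(void) {
	FILE *fp = fopen("/proc/net/unix", "r");
	if (!fp)
		errExit("fopen");

	// one entry per line; unnamed sockets have no path column, so match
	// on the line text instead of counting whitespace-separated fields
	char line[4096];
	int found = 0;
	while (fgets(line, sizeof(line), fp)) {
		if (strstr(line, "@/tmp/.X11-unix/")) {
			found = 1;
			break;
		}
	}

	fclose(fp);
	return found;
}
```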
@@ -566,3 +587,37 @@ void x11_start(int argc, char **argv) { } #endif + +void x11_block(void) { +#ifdef HAVE_X11 + // check abstract socket presence and network namespace options + if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured) + && x11_abstract_sockets_present()) { + fprintf(stderr, "ERROR: --x11=block specified, but abstract X11 socket still accessible.\n" + "Additional setup required. To block abstract X11 socket you need either:\n" + " * use network namespace (--net=none, --net=...)\n" + " * add \"-nolisten local\" to xserver options (eg. /etc/X11/xinit/xserverrc)\n"); + exit(1); + } + + // blacklist sockets + profile_check_line("blacklist /tmp/.X11-unix", 0, NULL); + profile_add(strdup("blacklist /tmp/.X11-unix")); + + // blacklist .Xauthority + profile_check_line("blacklist ${HOME}/.Xauthority", 0, NULL); + profile_add(strdup("blacklist ${HOME}/.Xauthority")); + char *xauthority = getenv("XAUTHORITY"); + if (xauthority) { + char *line; + if (asprintf(&line, "blacklist %s", xauthority) == -1) + errExit("asprintf"); + profile_check_line(line, 0, NULL); + profile_add(line); + } + + // clear enviroment + env_store("DISPLAY", RMENV); + env_store("XAUTHORITY", RMENV); +#endif +} -- cgit v1.2.3-70-g09d2 From 214b62cebecab39340b523880cc44994f343244b Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Sat, 10 Sep 2016 21:59:20 +0300 Subject: update man --- src/man/firejail-profile.txt | 11 +++++++++++ src/man/firejail.txt | 7 +++++++ 2 files changed, 18 insertions(+) diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 51b45cd10..d4ab0af55 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt 
@@ -267,6 +267,17 @@ There is no root account (uid 0) defined in the namespace. .TP \fBx11 Enable X11 sandboxing. +.TP +\fBx11 xpra +Enable X11 sandboxing with xpra. +.TP +\fBx11 xephyr +Enable X11 sandboxing with xephyr. +.TP +\fBx11 block +Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} enviroment variable. +Remove DISPLAY and XAUTHORITY enviroment variables. +Stop with error message if X11 abstract socket will be accessible in jail. .SH Resource limits, CPU affinity, Control Groups These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox. diff --git a/src/man/firejail.txt b/src/man/firejail.txt index a5d3623b6..c05c8e201 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -1672,6 +1672,13 @@ Example: .br $ firejail \-\-x11=xephyr --net=eth0 openbox +.TP +\fB\-\-x11=block +Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} enviroment variable. +Remove DISPLAY and XAUTHORITY enviroment variables. +Stop with error message if X11 abstract socket will be accessible in jail. +.br + .TP \fB\-\-zsh Use /usr/bin/zsh as default user shell. -- cgit v1.2.3-70-g09d2 From ddf50ee4f6364f5b465921c1eed50fc879bc2310 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Mon, 12 Sep 2016 15:03:03 +0300 Subject: grsecurity fix --- src/firejail/x11.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 29111d5ff..48af39caf 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c @@ -54,7 +54,11 @@ static int x11_check_xephyr(void) { // check for X11 abstract sockets static int x11_abstract_sockets_present(void) { char *path; + + EUID_ROOT(); // grsecurity fix FILE *fp = fopen("/proc/net/unix", "r"); + EUID_USER(); + if (!fp) errExit("fopen"); -- cgit v1.2.3-70-g09d2 From 025aae5bd230a5a1809f52e714801ec77f370652 Mon Sep 17 00:00:00 2001 
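Review bot: The comment `// grsecurity fix` on the `EUID_ROOT()` call does not say why root is needed, which matters on a line that raises privileges. Something like `// /proc/net/unix may not be readable by unprivileged users on grsecurity kernels; open as root, drop back right after` would record the intent, assuming that is the reason. Also, `errExit("fopen")` now runs after `EUID_USER()`, so the errno it reports may no longer be fopen's if that macro touches errno; its definition is not in this hunk. The body of x11_abstract_sockets_present continues outside the hunk.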
From: Aleksey Manevich Date: Mon, 12 Sep 2016 16:00:58 +0300 Subject: change error message --- src/firejail/x11.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 48af39caf..774294ff1 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c @@ -598,9 +598,10 @@ void x11_block(void) { if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured) && x11_abstract_sockets_present()) { fprintf(stderr, "ERROR: --x11=block specified, but abstract X11 socket still accessible.\n" - "Additional setup required. To block abstract X11 socket you need either:\n" - " * use network namespace (--net=none, --net=...)\n" - " * add \"-nolisten local\" to xserver options (eg. /etc/X11/xinit/xserverrc)\n"); + "Additional setup required. To block abstract X11 socket you can either:\n" + " * use network namespace in firejail (--net=none, --net=...)\n" + " * add \"-nolisten local\" to xserver options\n" + " (eg. to your display manager config, or /etc/X11/xinit/xserverrc)\n"); exit(1); } -- cgit v1.2.3-70-g09d2 From cb42fa600df2f0843421620e3597ba71b1117828 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 15 Sep 2016 08:19:29 -0400 Subject: fixed /etc/login.def reading on Mageia systems --- README | 2 ++ README.md | 12 ++++++++++++ RELNOTES | 2 ++ mkuid.sh | 2 +- 4 files changed, 17 insertions(+), 1 deletion(-) diff --git a/README b/README index b3cef82b0..9510b6b1d 100644 --- a/README +++ b/README @@ -42,6 +42,8 @@ Aleksey Manevich (https://github.com/manevich) - fixed several TOCTOU security problems - added --fix option to firecfg utility - read_pid fix + - added --x11=block options + - x11 xpra, xphyr, block profile commands Fred-Barclay (https://github.com/Fred-Barclay) - added Vivaldi, Atril profiles - added PaleMoon profile diff --git a/README.md b/README.md index eafcf1d78..944cd41ca 100644 --- a/README.md +++ b/README.md 
@@ -36,3 +36,15 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ ````` # Current development version: 0.9.43 +## New command line options +````` + --x11=block + Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file + specified in ${XAUTHORITY} enviroment variable. Remove DISPLAY and + XAUTHORITY enviroment variables. Stop with error message if X11 + abstract socket will be accessible in jail. +````` + +## New profile commands + +x11 xpra, x11 xephyr, x11 block \ No newline at end of file diff --git a/RELNOTES b/RELNOTES index 6a0bd4711..fb0f989fe 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,5 +1,7 @@ firejail (0.9.43) baseline; urgency=low * development version + * feature: blocking x11 (--x11=block) + * feature: x11 xpra, x11 xephyr, x11 block profile commands -- netblue30 Fri, 9 Sept 2016 08:00:00 -0500 firejail (0.9.42) baseline; urgency=low diff --git a/mkuid.sh b/mkuid.sh index f03fdaf94..c95741043 100755 --- a/mkuid.sh +++ b/mkuid.sh @@ -4,7 +4,7 @@ echo "extracting UID_MIN and GID_MIN" echo "#ifndef FIREJAIL_UIDS_H" > uids.h echo "#define FIREJAIL_UIDS_H" >> uids.h -if [ -f /etc/login.defs ] +if [ -r /etc/login.defs ] then echo "// using values extracted from /etc/login.defs" >> uids.h UID_MIN=`awk '/^\s*UID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs` -- cgit v1.2.3-70-g09d2 From fc116c063938d5e141d5fbc38e8013d9832ef315 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Thu, 15 Sep 2016 09:59:11 -0400 Subject: testing --- Makefile.in | 3 ++ test/filters/filters.sh | 2 +- test/filters/seccomp-su.exp | 2 +- test/filters/seccomp-umount.exp | 31 ----------- test/firemon-interface.exp | 34 ------------ test/network/net_interface.exp | 93 -------------------------------- test/option_bind_directory.exp | 22 -------- test/option_bind_file.exp | 22 -------- test/option_tmpfs.exp | 44 --------------- test/profile_tmpfs.exp | 37 ------------- test/root/apache2.exp | 69 ++++++++++++++++++++++++ test/root/configure | 27 ++++++++++ test/root/firemon-interface.exp | 34 ++++++++++++ test/root/isc-dhcp.exp | 58 ++++++++++++++++++++ test/root/net_interface.exp | 93 ++++++++++++++++++++++++++++++++ test/root/nginx.exp | 69 ++++++++++++++++++++++++ test/root/option_bind_directory.exp | 22 ++++++++ test/root/option_bind_file.exp | 22 ++++++++ test/root/option_tmpfs.exp | 44 +++++++++++++++ test/root/profile_tmpfs.exp | 37 +++++++++++++ test/root/root.sh | 105 ++++++++++++++++++++++++++++++++++++ test/root/seccomp-chmod.exp | 51 ++++++++++++++++++ test/root/seccomp-chown.exp | 49 +++++++++++++++++ test/root/seccomp-umount.exp | 25 +++++++++ test/root/snmpd.exp | 57 ++++++++++++++++++++ test/root/start.sh | 4 ++ test/root/tmpfs.profile | 1 + test/root/unbound.exp | 57 ++++++++++++++++++++ test/servers2.exp | 57 -------------------- test/servers3.exp | 75 -------------------------- test/servers4.exp | 58 -------------------- test/servers5.exp | 57 -------------------- test/servers6.exp | 75 -------------------------- test/test-root.sh | 81 ---------------------------- test/tmpfs.profile | 1 - 35 files changed, 829 insertions(+), 689 deletions(-) delete mode 100755 test/filters/seccomp-umount.exp delete mode 100755 test/firemon-interface.exp delete mode 100755 test/network/net_interface.exp delete mode 100755 test/option_bind_directory.exp delete mode 100755 test/option_bind_file.exp delete mode 100755 test/option_tmpfs.exp delete 
mode 100755 test/profile_tmpfs.exp create mode 100755 test/root/apache2.exp create mode 100755 test/root/configure create mode 100755 test/root/firemon-interface.exp create mode 100755 test/root/isc-dhcp.exp create mode 100755 test/root/net_interface.exp create mode 100755 test/root/nginx.exp create mode 100755 test/root/option_bind_directory.exp create mode 100755 test/root/option_bind_file.exp create mode 100755 test/root/option_tmpfs.exp create mode 100755 test/root/profile_tmpfs.exp create mode 100755 test/root/root.sh create mode 100755 test/root/seccomp-chmod.exp create mode 100755 test/root/seccomp-chown.exp create mode 100755 test/root/seccomp-umount.exp create mode 100755 test/root/snmpd.exp create mode 100755 test/root/start.sh create mode 100644 test/root/tmpfs.profile create mode 100755 test/root/unbound.exp delete mode 100755 test/servers2.exp delete mode 100755 test/servers3.exp delete mode 100755 test/servers4.exp delete mode 100755 test/servers5.exp delete mode 100755 test/servers6.exp delete mode 100755 test/test-root.sh delete mode 100644 test/tmpfs.profile diff --git a/Makefile.in b/Makefile.in index 803769f3f..95b07c170 100644 --- a/Makefile.in +++ b/Makefile.in @@ -161,6 +161,9 @@ install-snap: snap test-compile: dist cd test/compile; ./compile.sh $(NAME)-$(VERSION) + +test-root: + cd test/root; su -c ./start.sh .PHONY: rpms rpms: diff --git a/test/filters/filters.sh b/test/filters/filters.sh index 67b9f2c0d..5093c8614 100755 --- a/test/filters/filters.sh +++ b/test/filters/filters.sh @@ -45,7 +45,7 @@ echo "TESTING: seccomp chmod - seccomp lists (test/filters/seccomp-chmod.exp)" echo "TESTING: seccomp chmod profile - seccomp lists (test/filters/seccomp-chmod-profile.exp)" ./seccomp-chmod-profile.exp -# todo: fix pwd and add seccomp-chown.exp and seccomp-umount.exp +# todo: fix pwd and add seccomp-chown.exp echo "TESTING: seccomp empty (test/filters/seccomp-empty.exp)" ./seccomp-empty.exp 
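Review bot: The `test-root` recipe uses `cd test/root; su -c ./start.sh`, so if the `cd` fails the `su -c ./start.sh` still runs, as root, against whatever `./start.sh` exists in the current directory. Chaining with `&&` avoids that: `cd test/root && su -c ./start.sh`. The target is also not declared `.PHONY` in the visible lines.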
diff --git a/test/filters/seccomp-su.exp b/test/filters/seccomp-su.exp index 7833c69b0..3feabc20f 100755 --- a/test/filters/seccomp-su.exp +++ b/test/filters/seccomp-su.exp @@ -30,7 +30,7 @@ expect { send -- "ping google.com\r" expect { - timeout {puts "TESTING ERROR 2\n";exit} + timeout {puts "TESTING ERROR 3\n";exit} "Operation not permitted" {puts "OK\n"} "unknown host" {puts "OK\n"} } diff --git a/test/filters/seccomp-umount.exp b/test/filters/seccomp-umount.exp deleted file mode 100755 index df38dba5e..000000000 --- a/test/filters/seccomp-umount.exp +++ /dev/null @@ -1,31 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors -# License GPL v2 - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "sudo ls; sudo whoami; sudo pwd\r" -expect { - timeout {puts "TESTING ERROR: you need to root run this test as root\n";exit} - "root" -} - -send -- "firejail --net=br0 --ip=10.10.20.5 --seccomp --noprofile\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 2 - -send -- "umount /proc\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Bad system call" -} - -send -- "exit\r" -after 100 -puts "\n" diff --git a/test/firemon-interface.exp b/test/firemon-interface.exp deleted file mode 100755 index 6a82ae41e..000000000 --- a/test/firemon-interface.exp +++ /dev/null @@ -1,34 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -spawn $env(SHELL) -send -- "firemon --interface\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "lo UP" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "10.10.20.1/29" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "10.10.50.1/24" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "br3" -} -sleep 1 - -puts "\n" 
diff --git a/test/network/net_interface.exp b/test/network/net_interface.exp deleted file mode 100755 index 2f87024d8..000000000 --- a/test/network/net_interface.exp +++ /dev/null 
@@ -1,93 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors -# License GPL v2 - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "ip link add link eth0 name eth0.100 type vlan id 100\r" -sleep 1 -send -- "ip link add link eth0 name eth0.101 type vlan id 101\r" -sleep 1 -send -- "ip link add link eth0 name eth0.102 type vlan id 102\r" -sleep 1 -send -- "ip link add link eth0 name eth0.103 type vlan id 103\r" -sleep 1 -send -- "ip link add link eth0 name eth0.104 type vlan id 104\r" -sleep 1 -puts "\n" - -send -- "/sbin/ifconfig eth0.100 10.200.0.1/24\r" -sleep 1 -send -- "/sbin/ifconfig eth0.101 10.200.1.1/24\r" -sleep 1 -send -- "/sbin/ifconfig eth0.102 10.200.2.1/24\r" -sleep 1 -send -- "/sbin/ifconfig eth0.103 10.200.3.1/24\r" -sleep 1 -send -- "/sbin/ifconfig eth0.104 10.200.4.1/24\r" -sleep 1 -puts "\n" - - - -send -- "firejail --noprofile --interface=eth0.100 --interface=eth0.101 --interface=eth0.102 --interface=eth0.103 --interface=eth0.104\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "maximum 4 interfaces are allowed" -} -sleep 1 - -send -- "firejail --noprofile --interface=eth0.100 --interface=eth0.101 --interface=eth0.102 --interface=eth0.103\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "eth0.100" -} -expect { - timeout {puts "TESTING ERROR 1.1\n";exit} - "UP" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "eth0.101" -} -expect { - timeout {puts "TESTING ERROR 2.2\n";exit} - "UP" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "eth0.102" -} -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "UP" -} -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "eth0.103" -} -expect { - timeout {puts "TESTING ERROR 4.1\n";exit} - "UP" -} -sleep 1 -send -- "exit\r" -sleep 1 - -send -- "firejail --noprofile --interface=eth0.104\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "eth0.104" -} -expect { - timeout {puts "TESTING ERROR 
5.1\n";exit} - "UP" -} -send -- "exit\r" -after 100 - -puts "all done\n" - diff --git a/test/option_bind_directory.exp b/test/option_bind_directory.exp deleted file mode 100755 index 3233c68de..000000000 --- a/test/option_bind_directory.exp +++ /dev/null @@ -1,22 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --bind=/tmp/chroot,mntpoint\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "ls mntpoint;pwd\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "root" -} -sleep 1 - -puts "\n" - diff --git a/test/option_bind_file.exp b/test/option_bind_file.exp deleted file mode 100755 index 8926e0391..000000000 --- a/test/option_bind_file.exp +++ /dev/null @@ -1,22 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --bind=tmpfile,/etc/passwd\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "cat /etc/passwd;pwd\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "hello" -} -sleep 1 - -puts "\n" - diff --git a/test/option_tmpfs.exp b/test/option_tmpfs.exp deleted file mode 100755 index 6522ef2d3..000000000 --- a/test/option_tmpfs.exp +++ /dev/null 
@@ -1,44 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --tmpfs=/var\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "ls -l /var;pwd\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "total 0" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "/root" -} -sleep 1 -send -- "exit\r" -sleep 2 - -send -- "firejail --debug-check-filename --tmpfs=\"bla&&bla\"\r" -expect { - timeout {puts "TESTING ERROR 13.1\n";exit} - "Checking filename bla&&bla" -} -expect { - timeout {puts "TESTING ERROR 13.2\n";exit} - "Error:" -} -expect { - timeout {puts "TESTING ERROR 13.3\n";exit} - "is an invalid filename" -} -after 100 - - -puts "\nalldone\n" - diff --git a/test/profile_tmpfs.exp b/test/profile_tmpfs.exp deleted file mode 100755 index a2faa32f7..000000000 --- a/test/profile_tmpfs.exp +++ /dev/null @@ -1,37 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "mkdir /tmp/firejailtestdir\r" -sleep 1 -send -- "ls > /tmp/firejailtestdir/tmpfile\r" -sleep 1 - -send -- "firejail --profile=tmpfs.profile\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} - -# testing private only -send -- "bash\r" -sleep 1 - -send -- "ls -l /tmp/firejailtestdir;pwd\r" -expect { - timeout {puts "TESTING ERROR 1.1\n";exit} - "tmpfile" {puts "TESTING ERROR 1\n";exit} - "home" -} -sleep 1 -send -- "exit\r" -sleep 1 -send -- "exit\r" -sleep 1 -send -- "rm -fr /tmp/firejailtestdir\r" - -sleep 1 - -puts "\n" diff --git a/test/root/apache2.exp b/test/root/apache2.exp new file mode 100755 index 000000000..7f67f4706 --- /dev/null +++ b/test/root/apache2.exp 
@@ -0,0 +1,69 @@ +#!/usr/bin/expect -f + +set timeout 5 +spawn $env(SHELL) +match_max 100000 + +send -- "pkill apache\r" +sleep 2 + + +send -- "firejail --name=apache /etc/init.d/apache2 start\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 2 + + +spawn $env(SHELL) +send -- "firejail --tree\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "root:/usr/sbin/apache2" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "www-data:/usr/sbin/apache2" +} +sleep 2 + + +send -- "rm index.html\r" +sleep 1 +send -- "wget 0\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "saved" +} +send -- "cat index.html\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "DOCTYPE html PUBLIC" +} + +sleep 1 +send -- "rm index.html\r" + +send -- "firejail --join=apache\r" +sleep 2 + +send -- "ls /dev\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "tty0" {puts "TESTING ERROR 6\n";exit} + "ttyS0" {puts "TESTING ERROR 6\n";exit} + "audio" {puts "TESTING ERROR 6\n";exit} + "ppp" {puts "TESTING ERROR 6\n";exit} + "log" +} +sleep 1 +send -- "ls -al /tmp;pwd\r" +expect { + timeout {puts "TESTING ERROR 10\n";exit} + "X11-unix" {puts "TESTING ERROR 11\n";exit} + "/root" +} +sleep 2 + +puts "\nall done\n" diff --git a/test/root/configure b/test/root/configure new file mode 100755 index 000000000..35d938340 --- /dev/null +++ b/test/root/configure 
@@ -0,0 +1,27 @@ +#!/bin/bash +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +brctl addbr br0 +ifconfig br0 10.10.20.1/29 up +# NAT masquerade +iptables -t nat -A POSTROUTING -o eth0 -s 10.10.20.0/29 -j MASQUERADE +# port forwarding +# iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.10.20.2:80 + +brctl addbr br1 +ifconfig br1 10.10.30.1/24 up +brctl addbr br2 +ifconfig br2 10.10.40.1/24 up +brctl addbr br3 +ifconfig br3 10.10.50.1/24 up +brctl addbr br4 +ifconfig br4 10.10.60.1/24 up +ip link add link eth0 name eth0.5 type vlan id 5 +/sbin/ifconfig eth0.5 10.10.205.10/24 up +ip link add link eth0 name eth0.6 type vlan id 6 +/sbin/ifconfig eth0.6 10.10.206.10/24 up +ip link add link eth0 name eth0.7 type vlan id 7 +/sbin/ifconfig eth0.7 10.10.207.10/24 up + diff --git a/test/root/firemon-interface.exp b/test/root/firemon-interface.exp new file mode 100755 index 000000000..6a82ae41e --- /dev/null +++ b/test/root/firemon-interface.exp @@ -0,0 +1,34 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firemon --interface\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "lo UP" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "10.10.20.1/29" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "10.10.50.1/24" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "br3" +} +sleep 1 + +puts "\n" diff --git a/test/root/isc-dhcp.exp b/test/root/isc-dhcp.exp new file mode 100755 index 000000000..86500707a --- /dev/null +++ b/test/root/isc-dhcp.exp 
@@ -0,0 +1,58 @@ +#!/usr/bin/expect -f + +set timeout 5 +spawn $env(SHELL) +match_max 100000 + +send -- "sudo ls; sudo whoami; sudo pwd\r" +expect { + timeout {puts "TESTING ERROR: you need to root run this test as root\n";exit} + "root" +} + +send -- "pkill dhcpd\r" +sleep 2 + +send -- "firejail --name=dhcpd /etc/init.d/isc-dhcp-server start\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firejail --tree\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "root:/usr/sbin/dhcpd" +} +sleep 2 + +send -- "tail -n 200 /var/log/syslog\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "Internet Systems Consortium DHCP Server" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Wrote 0 leases to leases file" +} +sleep 2 + +send -- "firejail --join=dhcpd\r" +sleep 2 + +send -- "ls /dev\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "tty0" {puts "TESTING ERROR 6\n";exit} + "ttyS0" {puts "TESTING ERROR 6\n";exit} + "ppp" {puts "TESTING ERROR 6\n";exit} + "audio" {puts "TESTING ERROR 6\n";exit} + "log" +} +sleep 2 + + +puts "\nall done\n" + diff --git a/test/root/net_interface.exp b/test/root/net_interface.exp new file mode 100755 index 000000000..2f87024d8 --- /dev/null +++ b/test/root/net_interface.exp 
@@ -0,0 +1,93 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "ip link add link eth0 name eth0.100 type vlan id 100\r" +sleep 1 +send -- "ip link add link eth0 name eth0.101 type vlan id 101\r" +sleep 1 +send -- "ip link add link eth0 name eth0.102 type vlan id 102\r" +sleep 1 +send -- "ip link add link eth0 name eth0.103 type vlan id 103\r" +sleep 1 +send -- "ip link add link eth0 name eth0.104 type vlan id 104\r" +sleep 1 +puts "\n" + +send -- "/sbin/ifconfig eth0.100 10.200.0.1/24\r" +sleep 1 +send -- "/sbin/ifconfig eth0.101 10.200.1.1/24\r" +sleep 1 +send -- "/sbin/ifconfig eth0.102 10.200.2.1/24\r" +sleep 1 +send -- "/sbin/ifconfig eth0.103 10.200.3.1/24\r" +sleep 1 +send -- "/sbin/ifconfig eth0.104 10.200.4.1/24\r" +sleep 1 +puts "\n" + + + +send -- "firejail --noprofile --interface=eth0.100 --interface=eth0.101 --interface=eth0.102 --interface=eth0.103 --interface=eth0.104\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "maximum 4 interfaces are allowed" +} +sleep 1 + +send -- "firejail --noprofile --interface=eth0.100 --interface=eth0.101 --interface=eth0.102 --interface=eth0.103\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "eth0.100" +} +expect { + timeout {puts "TESTING ERROR 1.1\n";exit} + "UP" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "eth0.101" +} +expect { + timeout {puts "TESTING ERROR 2.2\n";exit} + "UP" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "eth0.102" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "UP" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "eth0.103" +} +expect { + timeout {puts "TESTING ERROR 4.1\n";exit} + "UP" +} +sleep 1 +send -- "exit\r" +sleep 1 + +send -- "firejail --noprofile --interface=eth0.104\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "eth0.104" +} +expect { + timeout {puts "TESTING ERROR 
5.1\n";exit} + "UP" +} +send -- "exit\r" +after 100 + +puts "all done\n" + diff --git a/test/root/nginx.exp b/test/root/nginx.exp new file mode 100755 index 000000000..0b62fada9 --- /dev/null +++ b/test/root/nginx.exp @@ -0,0 +1,69 @@ +#!/usr/bin/expect -f + +set timeout 5 +spawn $env(SHELL) +match_max 100000 + +send -- "pkill nginx\r" +sleep 2 + + +send -- "firejail --name=nginx /etc/init.d/nginx start\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 2 + + +spawn $env(SHELL) +send -- "firejail --tree\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "root:nginx" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "www-data:nginx" +} +sleep 2 + + +send -- "rm index.html\r" +sleep 1 +send -- "wget 0\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "saved" +} +send -- "cat index.html\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "DOCTYPE html PUBLIC" +} + +sleep 1 +send -- "rm index.html\r" + +send -- "firejail --join=nginx\r" +sleep 2 + +send -- "ls /dev\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "tty0" {puts "TESTING ERROR 6\n";exit} + "ttyS0" {puts "TESTING ERROR 6\n";exit} + "audio" {puts "TESTING ERROR 6\n";exit} + "ppp" {puts "TESTING ERROR 6\n";exit} + "log" +} +sleep 1 +send -- "ls -al /tmp;pwd\r" +expect { + timeout {puts "TESTING ERROR 10\n";exit} + "X11-unix" {puts "TESTING ERROR 11\n";exit} + "/root" +} +sleep 2 + +puts "\nall done\n" diff --git a/test/root/option_bind_directory.exp b/test/root/option_bind_directory.exp new file mode 100755 index 000000000..3233c68de --- /dev/null +++ b/test/root/option_bind_directory.exp 
@@ -0,0 +1,22 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --bind=/tmp/chroot,mntpoint\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "ls mntpoint;pwd\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "root" +} +sleep 1 + +puts "\n" + diff --git a/test/root/option_bind_file.exp b/test/root/option_bind_file.exp new file mode 100755 index 000000000..8926e0391 --- /dev/null +++ b/test/root/option_bind_file.exp @@ -0,0 +1,22 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --bind=tmpfile,/etc/passwd\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "cat /etc/passwd;pwd\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "hello" +} +sleep 1 + +puts "\n" + diff --git a/test/root/option_tmpfs.exp b/test/root/option_tmpfs.exp new file mode 100755 index 000000000..20e42a858 --- /dev/null +++ b/test/root/option_tmpfs.exp @@ -0,0 +1,44 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --tmpfs=/var\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "ls -l /var;pwd\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "total 0" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "/root" +} +sleep 1 +send -- "exit\r" +sleep 2 + +send -- "firejail --debug-check-filename --tmpfs=\"bla&&bla\"\r" +expect { + timeout {puts "TESTING ERROR 13.1\n";exit} + "Checking filename bla&&bla" +} +expect { + timeout {puts "TESTING ERROR 13.2\n";exit} + "Error:" +} +expect { + timeout {puts "TESTING ERROR 13.3\n";exit} + "is an invalid filename" +} +after 100 + + +puts "\nall done\n" + diff --git a/test/root/profile_tmpfs.exp b/test/root/profile_tmpfs.exp new file mode 100755 index 000000000..da7c084a2 --- /dev/null 
+++ b/test/root/profile_tmpfs.exp @@ -0,0 +1,37 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "mkdir /tmp/firejailtestdir\r" +sleep 1 +send -- "ls > /tmp/firejailtestdir/tmpfile\r" +sleep 1 + +send -- "firejail --profile=tmpfs.profile\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} + +# testing private only +send -- "bash\r" +sleep 1 + +send -- "ls -l /tmp/firejailtestdir;pwd\r" +expect { + timeout {puts "TESTING ERROR 1.1\n";exit} + "tmpfile" {puts "TESTING ERROR 1\n";exit} + "home" +} +sleep 1 +send -- "exit\r" +sleep 1 +send -- "exit\r" +sleep 1 +send -- "rm -fr /tmp/firejailtestdir\r" + +sleep 1 + +puts "\nall done\n" diff --git a/test/root/root.sh b/test/root/root.sh new file mode 100755 index 000000000..960071d45 --- /dev/null +++ b/test/root/root.sh 
@@ -0,0 +1,105 @@ +#!/bin/bash + +./configure 2 > /dev/null + +#******************************** +# servers +#******************************** +if [ -f /etc/init.d/snmpd ] +then + echo "TESTING: snmpd (test/root/snmpd.exp)" + ./snmpd.exp +else + echo "TESTING SKIP: snmpd not found" +fi + + +if [ -f /etc/init.d/apache2 ] +then + echo "TESTING: apache2 (test/root/apache2.exp)" + ./apache2.exp +else + echo "TESTING SKIP: apache2 not found" +fi + +if [ -f /etc/init.d/isc-dhcp-server ] +then + echo "TESTING: isc dhcp server (test/root/isc-dhscp.exp)" + ./isc-dhcp.exp +else + echo "TESTING SKIP: isc dhcp server not found" +fi + +if [ -f /etc/init.d/unbound ] +then + echo "TESTING: unbound (test/root/unbound.exp)" + ./unbound.exp +else + echo "TESTING SKIP: unbound not found" +fi + +if [ -f /etc/init.d/nginx ] +then + echo "TESTING: nginx (test/root/nginx.exp)" + ./nginx.exp +else + echo "TESTING SKIP: nginx not found" +fi + +#******************************** +# seccomp +#******************************** +echo "TESTING: seccomp umount (test/root/seccomp-umount.exp)" +./seccomp-umount.exp + +echo "TESTING: seccomp chmod (test/root/seccomp-chmod.exp)" +./seccomp-chmod.exp + +echo "TESTING: seccomp chown (test/root/seccomp-chown.exp)" +./seccomp-chown.exp + +#******************************** +# command line options +#******************************** +echo "TESTING: tmpfs (test/root/option_tmpfs.exp)" +./option_tmpfs.exp + +echo "TESTING: profile tmpfs (test/root/profile_tmpfs)" +./profile_tmpfs.exp + +echo "TESTING: bind directory (test/root/option_bind_directory.exp)" +./option_bind_directory.exp + +echo "TESTING: bind file (test/root/option_bind_file.exp)" +echo hello > tmpfile +./option_bind_file.exp +rm -f tmpfile + +#******************************** +# networking +#******************************** +echo "TESTING: network interfaces (test/root/net_interface.exp)" +./net_interface.exp + +echo "TESTING: firemon --interface (test/root/firemon-interface.exp)" 
+./firemon-interface.exp + +#if [ -f /sys/fs/cgroup/g1/tasks ] +#then +# echo "TESTING: firemon --cgroup (firemon-cgroup.exp)" +# ./firemon-cgroup.exp +#fi +# +#echo "TESTING: chroot resolv.conf (chroot-resolvconf.exp)" +#rm -f tmpfile +#touch tmpfile +#rm -f /tmp/chroot/etc/resolv.conf +#ln -s tmp /tmp/chroot/etc/resolv.conf +#./chroot-resolvconf.exp +#rm -f tmpfile +#rm /tmp/chroot/etc/resolv.conf + +#echo "TESTING: chroot (fs_chroot_asroot.exp)" +#./fs_chroot_asroot.exp + + diff --git a/test/root/seccomp-chmod.exp b/test/root/seccomp-chmod.exp new file mode 100755 index 000000000..b17990e3a --- /dev/null +++ b/test/root/seccomp-chmod.exp @@ -0,0 +1,51 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --seccomp=chmod,fchmod,fchmodat --private\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 2 + +send -- "cd ~; echo done\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "done" +} + +send -- "touch testfile; echo done\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "done" +} + +send -- "ls -l testfile; echo done\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "testfile" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "done" +} + +send -- "chmod +x testfile; echo done\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "Bad system call" +} +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "done" +} + +send -- "exit\r" +after 100 +puts "\nall done\n" diff --git a/test/root/seccomp-chown.exp b/test/root/seccomp-chown.exp new file mode 100755 index 000000000..a54d279f1 --- /dev/null +++ b/test/root/seccomp-chown.exp 
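Review bot: `./configure 2 > /dev/null` at the top of test/root/root.sh passes `2` as an argument and discards stdout; stderr is not redirected, which looks like a typo for `./configure 2>/dev/null`. start.sh, added in this same commit, already runs `./configure` before calling this script, so the bridge setup and the `iptables -t nat -A POSTROUTING` rule in test/root/configure are applied twice per run; dropping one of the two calls avoids the duplicate NAT rule. The isc-dhcp echo line also names `isc-dhscp.exp` where the script actually run is `isc-dhcp.exp`.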
@@ -0,0 +1,49 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --seccomp=chown,fchown,fchownat,lchown --private\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 2 + +send -- "touch testfile;pwd\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "/root" {puts "running as root"} + "/home" +} + +send -- "ls -l testfile;pwd\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "testfile" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "/root" {puts "running as root"} + "/home" +} + +send -- "chown netblue:netblue testfile;pwd\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Bad system call" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "/root" {puts "running as root"} + "/home" +} + + +send -- "exit\r" +after 100 +puts "\nall done\n" diff --git a/test/root/seccomp-umount.exp b/test/root/seccomp-umount.exp new file mode 100755 index 000000000..04a9b7a3d --- /dev/null +++ b/test/root/seccomp-umount.exp @@ -0,0 +1,25 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --net=br0 --ip=10.10.20.5 --seccomp --noprofile\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 2 + +send -- "umount /proc\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Bad system call" +} + +send -- "exit\r" +after 100 +puts "\n" diff --git a/test/root/snmpd.exp b/test/root/snmpd.exp new file mode 100755 index 000000000..90e34470f --- /dev/null +++ b/test/root/snmpd.exp 
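Review bot: `chown netblue:netblue testfile` in seccomp-chown.exp hard-codes a user and group that may not exist on the test machine; there chown would presumably fail on the name lookup before reaching the filtered syscall, so `Bad system call` never appears and the test times out for a reason unrelated to seccomp. A numeric id needs no lookup, e.g. `chown 1:1 testfile`. The last two expect blocks also reuse the labels `TESTING ERROR 2` and `TESTING ERROR 3`, so a failure there cannot be told apart from the earlier ones.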
@@ -0,0 +1,57 @@ +#!/usr/bin/expect -f + +set timeout 5 +spawn $env(SHELL) +match_max 100000 + +send -- "sudo ls; sudo whoami; sudo pwd\r" +expect { + timeout {puts "TESTING ERROR: you need to root run this test as root\n";exit} + "root" +} + +send -- "pkill snmpd\r" +sleep 2 + + +send -- "firejail --name=snmpd /etc/init.d/snmpd start\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firejail --tree\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "snmp:/usr/sbin/snmpd" +} +sleep 2 + +send -- "tail /var/log/syslog\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "snmpd" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "NET-SNMP version" +} + +send -- "firejail --join=snmpd\r" +sleep 2 + +send -- "ls /dev\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "tty0" {puts "TESTING ERROR 6\n";exit} + "ttyS0" {puts "TESTING ERROR 6\n";exit} + "audio" {puts "TESTING ERROR 6\n";exit} + "ppp" {puts "TESTING ERROR 6\n";exit} + "log" +} +sleep 2 + +sleep 2 +puts "\nall done\n" diff --git a/test/root/start.sh b/test/root/start.sh new file mode 100755 index 000000000..8e7a869cd --- /dev/null +++ b/test/root/start.sh @@ -0,0 +1,4 @@ +#/bin/bash + +./configure +./root.sh | grep TESTING \ No newline at end of file diff --git a/test/root/tmpfs.profile b/test/root/tmpfs.profile new file mode 100644 index 000000000..0680f4d69 --- /dev/null +++ b/test/root/tmpfs.profile @@ -0,0 +1 @@ +tmpfs /tmp/firejailtestdir \ No newline at end of file diff --git a/test/root/unbound.exp b/test/root/unbound.exp new file mode 100755 index 000000000..193e662ff --- /dev/null +++ b/test/root/unbound.exp 
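Review bot: The first line of test/root/start.sh, `#/bin/bash`, is missing the `!`, so it is an ordinary comment and the script runs under whatever shell the caller uses rather than bash; it should read `#!/bin/bash`. The result of `./configure` is also not checked, so a failed setup step still goes on to run the root tests; `./configure || exit 1` would stop early. What `./configure` does in this directory is not visible in this commit page, so the second point assumes it is the test setup script.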
@@ -0,0 +1,57 @@ +#!/usr/bin/expect -f + +set timeout 5 +spawn $env(SHELL) +match_max 100000 + +send -- "sudo ls; sudo whoami; sudo pwd\r" +expect { + timeout {puts "TESTING ERROR: you need to root run this test as root\n";exit} + "root" +} + +send -- "pkill unbound\r" +sleep 2 + +send -- "firejail --name=unbound unbound\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firejail --tree\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "unbound:unbound" +} +sleep 2 + +send -- "tail /var/log/syslog\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "unbound" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "info: start of service" +} +sleep 2 + +send -- "firejail --join=unbound\r" +sleep 2 + +send -- "ls /dev\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "tty0" {puts "TESTING ERROR 6\n";exit} + "ttyS0" {puts "TESTING ERROR 6\n";exit} + "audio" {puts "TESTING ERROR 6\n";exit} + "ppp" {puts "TESTING ERROR 6\n";exit} + "log" +} +sleep 2 + + +puts "\nall done\n" diff --git a/test/servers2.exp b/test/servers2.exp deleted file mode 100755 index 90e34470f..000000000 --- a/test/servers2.exp +++ /dev/null 
@@ -1,57 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 5 -spawn $env(SHELL) -match_max 100000 - -send -- "sudo ls; sudo whoami; sudo pwd\r" -expect { - timeout {puts "TESTING ERROR: you need to root run this test as root\n";exit} - "root" -} - -send -- "pkill snmpd\r" -sleep 2 - - -send -- "firejail --name=snmpd /etc/init.d/snmpd start\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "firejail --tree\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "snmp:/usr/sbin/snmpd" -} -sleep 2 - -send -- "tail /var/log/syslog\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "snmpd" -} -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "NET-SNMP version" -} - -send -- "firejail --join=snmpd\r" -sleep 2 - -send -- "ls /dev\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "tty0" {puts "TESTING ERROR 6\n";exit} - "ttyS0" {puts "TESTING ERROR 6\n";exit} - "audio" {puts "TESTING ERROR 6\n";exit} - "ppp" {puts "TESTING ERROR 6\n";exit} - "log" -} -sleep 2 - -sleep 2 -puts "\nall done\n" diff --git a/test/servers3.exp b/test/servers3.exp deleted file mode 100755 index eccdaa1d9..000000000 --- a/test/servers3.exp +++ /dev/null 
@@ -1,75 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 5 -spawn $env(SHELL) -match_max 100000 - -send -- "sudo ls; sudo whoami; sudo pwd\r" -expect { - timeout {puts "TESTING ERROR: you need to root run this test as root\n";exit} - "root" -} - -send -- "pkill apache\r" -sleep 2 - - -send -- "firejail --name=apache /etc/init.d/apache2 start\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 2 - - -spawn $env(SHELL) -send -- "firejail --tree\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "root:/usr/sbin/apache2" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "www-data:/usr/sbin/apache2" -} -sleep 2 - - -send -- "rm index.html\r" -sleep 1 -send -- "wget 0\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "saved" -} -send -- "cat index.html\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "DOCTYPE html PUBLIC" -} - -sleep 1 -send -- "rm index.html\r" - -send -- "firejail --join=apache\r" -sleep 2 - -send -- "ls /dev\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "tty0" {puts "TESTING ERROR 6\n";exit} - "ttyS0" {puts "TESTING ERROR 6\n";exit} - "audio" {puts "TESTING ERROR 6\n";exit} - "ppp" {puts "TESTING ERROR 6\n";exit} - "log" -} -sleep 1 -send -- "ls -al /tmp;pwd\r" -expect { - timeout {puts "TESTING ERROR 10\n";exit} - "X11-unix" {puts "TESTING ERROR 11\n";exit} - "/root" -} -sleep 2 - -puts "\nall done\n" diff --git a/test/servers4.exp b/test/servers4.exp deleted file mode 100755 index 86500707a..000000000 --- a/test/servers4.exp +++ /dev/null 
@@ -1,58 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 5 -spawn $env(SHELL) -match_max 100000 - -send -- "sudo ls; sudo whoami; sudo pwd\r" -expect { - timeout {puts "TESTING ERROR: you need to root run this test as root\n";exit} - "root" -} - -send -- "pkill dhcpd\r" -sleep 2 - -send -- "firejail --name=dhcpd /etc/init.d/isc-dhcp-server start\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "firejail --tree\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "root:/usr/sbin/dhcpd" -} -sleep 2 - -send -- "tail -n 200 /var/log/syslog\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "Internet Systems Consortium DHCP Server" -} -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Wrote 0 leases to leases file" -} -sleep 2 - -send -- "firejail --join=dhcpd\r" -sleep 2 - -send -- "ls /dev\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "tty0" {puts "TESTING ERROR 6\n";exit} - "ttyS0" {puts "TESTING ERROR 6\n";exit} - "ppp" {puts "TESTING ERROR 6\n";exit} - "audio" {puts "TESTING ERROR 6\n";exit} - "log" -} -sleep 2 - - -puts "\nall done\n" - diff --git a/test/servers5.exp b/test/servers5.exp deleted file mode 100755 index 193e662ff..000000000 --- a/test/servers5.exp +++ /dev/null 
@@ -1,57 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 5 -spawn $env(SHELL) -match_max 100000 - -send -- "sudo ls; sudo whoami; sudo pwd\r" -expect { - timeout {puts "TESTING ERROR: you need to root run this test as root\n";exit} - "root" -} - -send -- "pkill unbound\r" -sleep 2 - -send -- "firejail --name=unbound unbound\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "firejail --tree\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "unbound:unbound" -} -sleep 2 - -send -- "tail /var/log/syslog\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "unbound" -} -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "info: start of service" -} -sleep 2 - -send -- "firejail --join=unbound\r" -sleep 2 - -send -- "ls /dev\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "tty0" {puts "TESTING ERROR 6\n";exit} - "ttyS0" {puts "TESTING ERROR 6\n";exit} - "audio" {puts "TESTING ERROR 6\n";exit} - "ppp" {puts "TESTING ERROR 6\n";exit} - "log" -} -sleep 2 - - -puts "\nall done\n" diff --git a/test/servers6.exp b/test/servers6.exp deleted file mode 100755 index 9ef4ea514..000000000 --- a/test/servers6.exp +++ /dev/null 
@@ -1,75 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 5 -spawn $env(SHELL) -match_max 100000 - -send -- "sudo ls; sudo whoami; sudo pwd\r" -expect { - timeout {puts "TESTING ERROR: you need to root run this test as root\n";exit} - "root" -} - -send -- "pkill nginx\r" -sleep 2 - - -send -- "firejail --name=nginx /etc/init.d/nginx start\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 2 - - -spawn $env(SHELL) -send -- "firejail --tree\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "root:nginx" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "www-data:nginx" -} -sleep 2 - - -send -- "rm index.html\r" -sleep 1 -send -- "wget 0\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "saved" -} -send -- "cat index.html\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "DOCTYPE html PUBLIC" -} - -sleep 1 -send -- "rm index.html\r" - -send -- "firejail --join=nginx\r" -sleep 2 - -send -- "ls /dev\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "tty0" {puts "TESTING ERROR 6\n";exit} - "ttyS0" {puts "TESTING ERROR 6\n";exit} - "audio" {puts "TESTING ERROR 6\n";exit} - "ppp" {puts "TESTING ERROR 6\n";exit} - "log" -} -sleep 1 -send -- "ls -al /tmp;pwd\r" -expect { - timeout {puts "TESTING ERROR 10\n";exit} - "X11-unix" {puts "TESTING ERROR 11\n";exit} - "/root" -} -sleep 2 - -puts "\nall done\n" diff --git a/test/test-root.sh b/test/test-root.sh deleted file mode 100755 index 0fdaf4ff7..000000000 --- a/test/test-root.sh +++ /dev/null 
@@ -1,81 +0,0 @@ -#!/bin/bash - -./chk_config.exp - -echo "TESTING: tmpfs (option_tmpfs.exp)" -./option_tmpfs.exp - -echo "TESTING: profile tmpfs (profile_tmpfs)" -./profile_tmpfs.exp - -echo "TESTING: network interfaces (net_interface.exp)" -./network/net_interface.exp - -echo "TESTING: chroot (fs_chroot_asroot.exp)" -./fs_chroot_asroot.exp - -if [ -f /etc/init.d/snmpd ] -then - echo "TESTING: servers snmpd, private-dev (servers2.exp)" - ./servers2.exp -fi - -if [ -f /etc/init.d/apache2 ] -then - echo "TESTING: servers apache2, private-dev, private-tmp (servers3.exp)" - ./servers3.exp -fi - -if [ -f /etc/init.d/isc-dhcp-server ] -then - echo "TESTING: servers isc dhcp server, private-dev (servers4.exp)" - ./servers4.exp -fi - -if [ -f /etc/init.d/unbound ] -then - echo "TESTING: servers unbound, private-dev, private-tmp (servers5.exp)" - ./servers5.exp -fi - -if [ -f /etc/init.d/nginx ] -then - echo "TESTING: servers nginx, private-dev, private-tmp (servers6.exp)" - ./servers6.exp -fi - -echo "TESTING: seccomp umount (seccomp-umount.exp)" -./filters/seccomp-umount.exp - -echo "TESTING: seccomp chmod (seccomp-chmod.exp)" -./filters/seccomp-chmod.exp - -echo "TESTING: seccomp chown (seccomp-chown.exp)" -./filters/seccomp-chown.exp - -echo "TESTING: bind directory (option_bind_directory.exp)" -./option_bind_directory.exp - -echo "TESTING: bind file (option_bind_file.exp)" -echo hello > tmpfile -./option_bind_file.exp -rm -f tmpfile - -echo "TESTING: firemon --interface (firemon-interface.exp)" -./firemon-interface.exp - -if [ -f /sys/fs/cgroup/g1/tasks ] -then - echo "TESTING: firemon --cgroup (firemon-cgroup.exp)" - ./firemon-cgroup.exp -fi - -echo "TESTING: chroot resolv.conf (chroot-resolvconf.exp)" -rm -f tmpfile -touch tmpfile -rm -f /tmp/chroot/etc/resolv.conf -ln -s tmp /tmp/chroot/etc/resolv.conf -./chroot-resolvconf.exp -rm -f tmpfile -rm /tmp/chroot/etc/resolv.conf - 
diff --git a/test/tmpfs.profile b/test/tmpfs.profile deleted file mode 100644 index 0680f4d69..000000000 --- a/test/tmpfs.profile +++ /dev/null @@ -1 +0,0 @@ -tmpfs /tmp/firejailtestdir \ No newline at end of file -- cgit v1.2.3-70-g09d2 From 30c9afe1085e8780f16e606a07f6381f7b47d108 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Thu, 15 Sep 2016 19:59:20 +0300 Subject: /mnt whitelisting --- src/firejail/firejail.h | 2 ++ src/firejail/fs_whitelist.c | 59 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 61 insertions(+) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index ed9d901c0..7043aa0ca 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -55,6 +55,7 @@ #define RUN_WHITELIST_HOME_USER_DIR "/run/firejail/mnt/orig-home-user" // home directory whitelisting #define RUN_WHITELIST_TMP_DIR "/run/firejail/mnt/orig-tmp" #define RUN_WHITELIST_MEDIA_DIR "/run/firejail/mnt/orig-media" +#define RUN_WHITELIST_MNT_DIR "/run/firejail/mnt/orig-mnt" #define RUN_WHITELIST_VAR_DIR "/run/firejail/mnt/orig-var" #define RUN_WHITELIST_DEV_DIR "/run/firejail/mnt/orig-dev" #define RUN_WHITELIST_OPT_DIR "/run/firejail/mnt/orig-opt" @@ -164,6 +165,7 @@ typedef struct profile_entry_t { unsigned home_dir:1; // whitelist in /home/user directory unsigned tmp_dir:1; // whitelist in /tmp directory unsigned media_dir:1; // whitelist in /media directory + unsigned mnt_dir:1; // whitelist in /mnt directory unsigned var_dir:1; // whitelist in /var directory unsigned dev_dir:1; // whitelist in /dev directory unsigned opt_dir:1; // whitelist in /opt directory diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 11e626b6e..ad7fea227 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c 
@@ -214,6 +214,16 @@ static void whitelist_path(ProfileEntry *entry) { if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MEDIA_DIR, fname) == -1) errExit("asprintf"); } + else if (entry->mnt_dir) { + fname = path + 4; // strlen("/mnt") + if (*fname == '\0') { + fprintf(stderr, "Error: file %s is not in /mnt directory, exiting...\n", path); + exit(1); + } + + if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MNT_DIR, fname) == -1) + errExit("asprintf"); + } else if (entry->var_dir) { fname = path + 4; // strlen("/var") if (*fname == '\0') { @@ -303,6 +313,7 @@ void fs_whitelist(void) { int home_dir = 0; // /home/user directory flag int tmp_dir = 0; // /tmp directory flag int media_dir = 0; // /media directory flag + int mnt_dir = 0; // /mnt directory flag int var_dir = 0; // /var directory flag int dev_dir = 0; // /dev directory flag int opt_dir = 0; // /opt directory flag @@ -368,6 +379,8 @@ void fs_whitelist(void) { tmp_dir = 1; else if (strncmp(new_name, "/media/", 7) == 0) media_dir = 1; + else if (strncmp(new_name, "/mnt/", 5) == 0) + mnt_dir = 1; else if (strncmp(new_name, "/var/", 5) == 0) var_dir = 1; else if (strncmp(new_name, "/dev/", 5) == 0) @@ -423,6 +436,16 @@ void fs_whitelist(void) { goto errexit; } } + else if (strncmp(new_name, "/mnt/", 5) == 0) { + entry->mnt_dir = 1; + mnt_dir = 1; + // both path and absolute path are under /mnt + if (strncmp(fname, "/mnt/", 5) != 0) { + if (arg_debug) + fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); + goto errexit; + } + } else if (strncmp(new_name, "/var/", 5) == 0) { entry->var_dir = 1; var_dir = 1; 
@@ -580,6 +603,35 @@ void fs_whitelist(void) { media_dir = 0; } + // /mnt mountpoint + if (mnt_dir) { + // check if /mnt directory exists + struct stat s; + if (stat("/mnt", &s) == 0) { + // keep a copy of real /mnt directory in RUN_WHITELIST_MNT_DIR + int rv = mkdir(RUN_WHITELIST_MNT_DIR, 0755); + if (rv == -1) + errExit("mkdir"); + if (chown(RUN_WHITELIST_MNT_DIR, 0, 0) < 0) + errExit("chown"); + if (chmod(RUN_WHITELIST_MNT_DIR, 0755) < 0) + errExit("chmod"); + + if (mount("/mnt", RUN_WHITELIST_MNT_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mount bind"); + + // mount tmpfs on /mnt + if (arg_debug || arg_debug_whitelists) + printf("Mounting tmpfs on /mnt directory\n"); + if (mount("tmpfs", "/mnt", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) + errExit("mounting tmpfs on /mnt"); + fs_logger("tmpfs /mnt"); + } + else + mnt_dir = 0; + } + + // /var mountpoint if (var_dir) { // keep a copy of real /var directory in RUN_WHITELIST_VAR_DIR @@ -730,6 +782,13 @@ void fs_whitelist(void) { fs_logger2("tmpfs", RUN_WHITELIST_MEDIA_DIR); } + // mask the real /mnt directory, currently mounted on RUN_WHITELIST_MNT_DIR + if (mnt_dir) { + if (mount("tmpfs", RUN_WHITELIST_MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) + errExit("mount tmpfs"); + fs_logger2("tmpfs", RUN_WHITELIST_MNT_DIR); + } + if (new_name) free(new_name); -- cgit v1.2.3-70-g09d2 From a7c2e4aa3fab87112bed6675a3ad75f68e191b6e Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Thu, 15 Sep 2016 21:17:50 +0300 Subject: update man --- src/man/firejail-profile.txt | 2 +- src/man/firejail.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index d4ab0af55..5a959dd83 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt 
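Review bot: In the new `/mnt mountpoint` block, `stat("/mnt", &s) == 0` only shows that something exists at /mnt; `s` is not inspected afterwards. If /mnt is not a directory, the bind mount that follows presumably fails and takes the `errExit("mount bind")` path instead of the quiet `mnt_dir = 0` fallback. `if (stat("/mnt", &s) == 0 && S_ISDIR(s.st_mode)) {` would treat both cases the same way. The block also appears to repeat the mkdir/chown/chmod/bind/tmpfs sequence of the neighbouring top directories, so a small static helper taking the source directory and its RUN_WHITELIST_* path would keep the copies from drifting apart. fs_whitelist() starts and ends outside the hunk.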
@@ -207,7 +207,7 @@ Blacklist violations logged to syslog. Whitelist directory or file. A temporary file system is mounted on the top directory, and the whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent, everything else is discarded when the sandbox is closed. The top directory could be -user home, /dev, /media, /opt, /var, and /tmp. +user home, /dev, /media, /mnt, /opt, /var, and /tmp. .br .br diff --git a/src/man/firejail.txt b/src/man/firejail.txt index c05c8e201..d654290bf 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -1582,7 +1582,7 @@ firejail version 0.9.27 Whitelist directory or file. A temporary file system is mounted on the top directory, and the whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent, everything else is discarded when the sandbox is closed. The top directory could be -user home, /dev, /media, /opt, /var, and /tmp. +user home, /dev, /media, /mnt, /opt, /var, and /tmp. .br .br -- cgit v1.2.3-70-g09d2 From f3aa0772637dcc891fac8cab6248e5ded55ef07b Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 17 Sep 2016 08:38:57 -0400 Subject: bug: configuration file should be owned by root, issue 786 --- src/firejail/checkcfg.c | 2 +- src/firejail/env.c | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 34078492e..fdd2b8edd 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -61,7 +61,7 @@ int checkcfg(int val) { struct stat s; if (stat(fname, &s) == -1) errExit("stat"); - if (s.st_uid != 0 || s.st_gid != 0) { + if (s.st_uid != 0) { fprintf(stderr, "Error: configuration file should be owned by root\n"); exit(1); } diff --git a/src/firejail/env.c b/src/firejail/env.c index 88cd6918d..a02c67ae1 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c 
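Review bot: With the group test dropped, `if (s.st_uid != 0)` in checkcfg() accepts any root-owned configuration file regardless of its mode bits, so a group- or world-writable file would pass. If the intent is that only root can change the sandbox configuration, the write bits should be tested as well, for example `if (s.st_uid != 0 || (s.st_mode & (S_IWGRP | S_IWOTH))) {`, with the error message extended to say so. The check is path-based (`stat(fname, &s)`), and how the file is opened is outside this hunk, so it cannot be confirmed from here that the file checked is the one later read. checkcfg() starts and ends outside the hunk.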
@@ -119,6 +119,8 @@ void env_defaults(void) { // fix qt 4.8 if (setenv("QT_X11_NO_MITSHM", "1", 1) < 0) errExit("setenv"); +// if (setenv("MOZ_NO_REMOTE, "1", 1) < 0) +// errExit("setenv"); if (setenv("container", "firejail", 1) < 0) // LXC sets container=lxc, errExit("setenv"); if (!cfg.shell) -- cgit v1.2.3-70-g09d2 From 482a38ca66c7b189a0fcc31fd680801a3bf3c893 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 17 Sep 2016 09:24:16 -0400 Subject: bug: add support to remove /usr/local from private-bin list, issue 778 --- etc/firejail.config | 3 +++ src/firejail/checkcfg.c | 9 +++++++++ src/firejail/firejail.h | 1 + src/firejail/fs_bin.c | 7 +++++++ 4 files changed, 20 insertions(+) diff --git a/etc/firejail.config b/etc/firejail.config index 08ff5380d..143400938 100644 --- a/etc/firejail.config +++ b/etc/firejail.config @@ -29,6 +29,9 @@ # Enable or disable overlayfs features, default enabled. # overlayfs yes +# Remove /usr/local directories from private-bin list, default disabled +# private-bin-no-local no + # Enable or disable private-home feature, default enabled # private-home yes diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index fdd2b8edd..78c0e5c60 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -40,6 +40,7 @@ int checkcfg(int val) { cfg_val[i] = 1; // most of them are enabled by default cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default cfg_val[CFG_FORCE_NONEWPRIVS] = 0; // disabled by default + cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0; // disabled by default // open configuration file char *fname; @@ -258,6 +259,14 @@ int checkcfg(int val) { else goto errout; } + else if (strncmp(ptr, "private-bin-no-local ", 21) == 0) { + if (strcmp(ptr + 21, "yes") == 0) + cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 1; + else if (strcmp(ptr + 21, "no") == 0) + cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0; + else + goto errout; + } else goto errout; 
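Review bot: The two lines added to env_defaults() are commented-out code, and the string literal in them is unterminated (`"MOZ_NO_REMOTE, "1"`), so un-commenting them as written would not compile. Either leave them out of the commit, or keep a corrected form with the reason it is disabled, e.g. `// TODO: decide whether to export MOZ_NO_REMOTE=1` followed by `// if (setenv("MOZ_NO_REMOTE", "1", 1) < 0)`. env_defaults() continues outside the hunk.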
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 7043aa0ca..c0536502e 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -651,6 +651,7 @@ enum { CFG_OVERLAYFS, CFG_CHROOT_DESKTOP, CFG_PRIVATE_HOME, + CFG_PRIVATE_BIN_NO_LOCAL, CFG_MAX // this should always be the last entry }; extern char *xephyr_screen; diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index 6c4db57b4..40539305f 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c @@ -46,6 +46,13 @@ static char *check_dir_or_file(const char *name) { int i = 0; while (paths[i]) { + // private-bin-no-local can be disabled in /etc/firejail/firejail.config + if (checkcfg(CFG_PRIVATE_BIN_NO_LOCAL) && strstr(paths[i], "local/")) { + i++; + continue; + } + + // check file if (asprintf(&fname, "%s/%s", paths[i], name) == -1) errExit("asprintf"); if (arg_debug) -- cgit v1.2.3-70-g09d2 From ccb3587e52814e178d585c93a1053ff00587d102 Mon Sep 17 00:00:00 2001 From: Tomasz Jan Góralczyk Date: Sat, 17 Sep 2016 14:25:29 +0100 Subject: Add netlink to --protocols in steam profile Fixes #779 --- etc/steam.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/steam.profile b/etc/steam.profile index b15a54be9..5dc5e80ff 100644 --- a/etc/steam.profile +++ b/etc/steam.profile @@ -10,5 +10,5 @@ caps.drop all netfilter nonewprivs noroot -protocol unix,inet,inet6 +protocol unix,inet,inet6,netlink seccomp -- cgit v1.2.3-70-g09d2 From d131c595b2da7717c0879cd962f174b32635a53c Mon Sep 17 00:00:00 2001 From: Pwnage Pineapple Date: Sat, 17 Sep 2016 16:32:20 -0500 Subject: Update okular.profile Gives Okular read-only access to kdeglobals file to fix theme issue --- etc/okular.profile | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/okular.profile b/etc/okular.profile index c9c342b15..df142ccfc 100644 --- a/etc/okular.profile +++ b/etc/okular.profile 
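Review bot: In check_dir_or_file(), `strstr(paths[i], "local/")` matches the substring anywhere in the entry, so it would also skip any search directory that merely has `local/` somewhere in its path. The contents of `paths` are outside this hunk, so which entries are affected today cannot be confirmed. An anchored prefix test states the intent exactly: `strncmp(paths[i], "/usr/local/", 11) == 0`. The added comment says the option "can be disabled" in firejail.config, while the checkcfg.c hunk of this commit makes it disabled by default; `// private-bin-no-local is off by default, enable it in /etc/firejail/firejail.config` would be accurate. The function body continues outside the hunk.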
@@ -2,6 +2,7 @@ noblacklist ~/.kde/share/apps/okular noblacklist ~/.kde/share/config/okularrc noblacklist ~/.kde/share/config/okularpartrc +read-only ~/.kde/share/config/kdeglobals include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc -- cgit v1.2.3-70-g09d2 From ea29b9538f57663e3554d480eb69a806e6d4b7a2 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 18 Sep 2016 10:42:18 -0400 Subject: fixes --- README | 4 ++++ etc/firejail.config | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/README b/README index 9510b6b1d..9f3065b3b 100644 --- a/README +++ b/README @@ -74,6 +74,10 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added eom profile - added gnome-chess profile - added DOSBox profile +Tomasz Jan Góralczyk (https://github.com/tjg) + - fixed Steam profile +pwnage-pineapple (https://github.com/pwnage-pineapple) + - update Okular profile Sergey Alirzaev (https://github.com/l29ah) - firejail.h enum fix greigdp (https://github.com/greigdp) diff --git a/etc/firejail.config b/etc/firejail.config index 143400938..2ea767f37 100644 --- a/etc/firejail.config +++ b/etc/firejail.config @@ -29,7 +29,7 @@ # Enable or disable overlayfs features, default enabled. # overlayfs yes -# Remove /usr/local directories from private-bin list, default disabled +# Remove /usr/local directories from private-bin list, default disabled. # private-bin-no-local no # Enable or disable private-home feature, default enabled -- cgit v1.2.3-70-g09d2 From e470524e20a5bf7c5907306b76d41adcb28ac490 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Mon, 19 Sep 2016 08:19:16 -0400 Subject: remove man firejail-config --- Makefile.in | 2 +- src/man/firecfg.txt | 1 - src/man/firejail-config.txt | 109 ------------------------------------------- src/man/firejail-login.txt | 1 - src/man/firejail-profile.txt | 1 - src/man/firejail.txt | 1 - src/man/firemon.txt | 1 - 7 files changed, 1 insertion(+), 115 deletions(-) delete mode 100644 src/man/firejail-config.txt diff --git a/Makefile.in b/Makefile.in index 95b07c170..54037e6ac 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,7 +1,7 @@ all: apps man MYLIBS = src/lib APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit -MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-config.5 +MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 prefix=@prefix@ exec_prefix=@exec_prefix@ diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt index 4acacb071..b9d336c4c 100644 --- a/src/man/firecfg.txt +++ b/src/man/firecfg.txt @@ -80,6 +80,5 @@ Homepage: http://firejail.wordpress.com \&\flfiremon\fR\|(1), \&\flfirejail-profile\fR\|(5), \&\flfirejail-login\fR\|(5) -\&\flfirejail-config\fR\|(5) diff --git a/src/man/firejail-config.txt b/src/man/firejail-config.txt deleted file mode 100644 index 386eda976..000000000 --- a/src/man/firejail-config.txt +++ /dev/null 
@@ -1,109 +0,0 @@ -.TH FIREJAIL-CONFIG 5 "MONTH YEAR" "VERSION" "firejail.config man page" -.SH NAME -firejail.config \- Firejail run time configuration file - -.SH DESCRIPTION -/etc/firejail/firejail.config is the system-wide configuration file for Firejail. -It allows the system administrator to enable or disable a number of -features and Linux kernel security technologies used by Firejail sandbox. -The file contains keyword-argument pairs, one per line. -Use 'yes' or 'no' as configuration values. - -Note that some of these features can also be enabled or disabled at compile -time. Most features are enabled by default both at compile time and -at run time. - -.TP -\fBbind -Enable or disable bind support, default enabled. - -.TP -\fBchroot -Enable or disable chroot support, default enabled. - -.TP -\fBfile-transfer -Enable or disable file transfer support, default enabled. - -.TP -\fBforce-nonewprivs -Force use of nonewprivs. This mitigates the possibility of -a user abusing firejail's features to trick a privileged (suid -or file capabilities) process into loading code or configuration -that is partially under their control. Default disabled. - -.TP -\fBnetwork -Enable or disable networking features, default enabled. - -.TP -\fBrestricted-network -Enable or disable restricted network support, default disabled. If enabled, -networking features should also be enabled (network yes). -Restricted networking grants access to --interface, --net=ethXXX and -\-\-netfilter only to root user. Regular users are only allowed --net=none. - -.TP -\fBsecomp -Enable or disable seccomp support, default enabled. - -.TP -\fBuserns -Enable or disable user namespace support, default enabled. - -.TP -\fBwhitelist -Enable or disable whitelisting support, default enabled. - -.TP -\fBx11 -Enable or disable X11 sandboxing support, default enabled. - -.TP -\fBxephyr-screen -Screen size for --x11=xephyr, default 800x600. 
Run /usr/bin/xrandr for -a full list of resolutions available on your specific setup. Examples: -.br - -.br -xephyr-screen 640x480 -.br -xephyr-screen 800x600 -.br -xephyr-screen 1024x768 -.br -xephyr-screen 1280x1024 - -.TP -\fBxephyr-window-title -Firejail window title in Xephyr, default enabled. - -.TP -\fBxephyr-extra-params -Xephyr command extra parameters. None by default, and the declaration is commented out. Examples: -.br - -.br -xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev -.br -xephyr-extra-params -grayscale - -.SH COMPILE TIME CONFIGURATION -Most of the features described in this file can also be configured at compile time, please run \fB./configure --help\fR for more details. - -.SH FILES -/etc/firejail/firejail.config - -.SH LICENSE -Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. -.PP -Homepage: http://firejail.wordpress.com -.SH SEE ALSO -\&\flfirejail\fR\|(1), -\&\flfiremon\fR\|(1), -\&\flfirecfg\fR\|(1), -\&\flfirejail-profile\fR\|(5) -\&\flfirejail-login\fR\|(5) - - - diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt index 464551202..691217253 100644 --- a/src/man/firejail-login.txt +++ b/src/man/firejail-login.txt @@ -34,6 +34,5 @@ Homepage: http://firejail.wordpress.com \&\flfiremon\fR\|(1), \&\flfirecfg\fR\|(1), \&\flfirejail-profile\fR\|(5) -\&\flfirejail-config\fR\|(5) diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 5a959dd83..99e7f6690 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -499,7 +499,6 @@ Homepage: http://firejail.wordpress.com \&\flfiremon\fR\|(1), \&\flfirecfg\fR\|(1), \&\flfirejail-login\fR\|(5) -\&\flfirejail-config\fR\|(5) diff --git a/src/man/firejail.txt b/src/man/firejail.txt index d654290bf..a906de0c9 100644 --- a/src/man/firejail.txt 
+++ b/src/man/firejail.txt @@ -2042,7 +2042,6 @@ Homepage: http://firejail.wordpress.com \&\flfirecfg\fR\|(1), \&\flfirejail-profile\fR\|(5), \&\flfirejail-login\fR\|(5) -\&\flfirejail-config\fR\|(5) diff --git a/src/man/firemon.txt b/src/man/firemon.txt index ef99b0927..bd84401af 100644 --- a/src/man/firemon.txt +++ b/src/man/firemon.txt @@ -109,6 +109,5 @@ Homepage: http://firejail.wordpress.com \&\flfirecfg\fR\|(1), \&\flfirejail-profile\fR\|(5), \&\flfirejail-login\fR\|(5) -\&\flfirejail-config\fR\|(5) -- cgit v1.2.3-70-g09d2 From b29542e4daa38d7b1e577f6f8284fb190ae713ad Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 19 Sep 2016 08:31:18 -0400 Subject: remove man firejail-config --- RELNOTES | 1 + 1 file changed, 1 insertion(+) diff --git a/RELNOTES b/RELNOTES index fb0f989fe..391f7bcf2 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,5 +1,6 @@ firejail (0.9.43) baseline; urgency=low * development version + * modifs: removed man firejail-config * feature: blocking x11 (--x11=block) * feature: x11 xpra, x11 xephyr, x11 block profile commands -- netblue30 Fri, 9 Sept 2016 08:00:00 -0500 -- cgit v1.2.3-70-g09d2 From 684919100254e0e9eeec16897093881a6855ea48 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 19 Sep 2016 09:03:41 -0400 Subject: bug: preserve config.status during make dist --- Makefile.in | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Makefile.in b/Makefile.in index 54037e6ac..aa008b7dd 100644 --- a/Makefile.in +++ b/Makefile.in @@ -140,7 +140,9 @@ DISTFILES = "src etc platform configure configure.ac Makefile.in install.sh mkma DISTFILES_TEST = "test/apps test/apps-x11 test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils" dist: + mv config.status config.status.old make distclean + mv config.status.old config.status rm -fr $(NAME)-$(VERSION) $(NAME)-$(VERSION).tar.xz mkdir -p $(NAME)-$(VERSION)/test cp -a "$(DISTFILES)" $(NAME)-$(VERSION) -- cgit v1.2.3-70-g09d2 
From 528e3a6916e753f34d63d13234dc9f3d3a1a3ebb Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 19 Sep 2016 09:09:09 -0400 Subject: moved uids.h processing from configure to Makefile.in --- Makefile.in | 6 ++++-- configure | 5 ----- configure.ac | 5 ----- 3 files changed, 4 insertions(+), 12 deletions(-) diff --git a/Makefile.in b/Makefile.in index aa008b7dd..ee17ae60c 100644 --- a/Makefile.in +++ b/Makefile.in @@ -18,14 +18,16 @@ DOCDIR=@docdir@ HAVE_APPARMOR=@HAVE_APPARMOR@ BUSYBOX_WORKAROUND=@BUSYBOX_WORKAROUND@ +uids.h:; ./mkuid.sh + .PHONY: mylibs $(MYLIBS) -mylibs: $(MYLIBS) +mylibs: $(MYLIBS) uids.h $(MYLIBS): $(MAKE) -C $@ .PHONY: apps $(APPS) apps: $(APPS) -$(APPS): $(MYLIBS) +$(APPS): $(MYLIBS) uids.h $(MAKE) -C $@ $(MANPAGES): $(wildcard src/man/*.txt) diff --git a/configure b/configure index 7f9fdc3f0..35cd69564 100755 --- a/configure +++ b/configure @@ -3763,9 +3763,6 @@ if test "$prefix" = /usr; then sysconfdir="/etc" fi -# extract UID_MIN and GID_MIN from login.def -./mkuid.sh - ac_config_files="$ac_config_files Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile" cat >confcache <<\_ACEOF @@ -4958,8 +4955,6 @@ echo " file transfer support: $HAVE_FILE_TRANSFER" echo " overlayfs support: $HAVE_OVERLAYFS" echo " fatal warnings: $HAVE_FATAL_WARNINGS" echo " busybox workaround: $BUSYBOX_WORKAROUND" -printf " uid_min: "; grep UID_MIN uids.h -printf " gid_min: "; grep GID_MIN uids.h printf " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" echo diff --git a/configure.ac b/configure.ac index f4deff7b5..10534c9ab 100644 --- a/configure.ac +++ b/configure.ac 
@@ -152,9 +152,6 @@ if test "$prefix" = /usr; then sysconfdir="/etc" fi -# extract UID_MIN and GID_MIN from login.def -./mkuid.sh - AC_OUTPUT(Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile) echo @@ -176,8 +173,6 @@ echo " file transfer support: $HAVE_FILE_TRANSFER" echo " overlayfs support: $HAVE_OVERLAYFS" echo " fatal warnings: $HAVE_FATAL_WARNINGS" echo " busybox workaround: $BUSYBOX_WORKAROUND" -printf " uid_min: "; grep UID_MIN uids.h -printf " gid_min: "; grep GID_MIN uids.h printf " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" echo -- cgit v1.2.3-70-g09d2 From 0c2cd3fa619af1f4cc74a5f92a6a18d98e181cb3 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 19 Sep 2016 09:14:18 -0400 Subject: make deb is build using the current configuration --- mkdeb.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/mkdeb.sh b/mkdeb.sh index be8d618e1..596569929 100755 --- a/mkdeb.sh +++ b/mkdeb.sh @@ -18,7 +18,9 @@ echo "*****************************************" tar -xJvf $CODE_ARCHIVE #mkdir -p $INSTALL_DIR cd $CODE_DIR -./configure --prefix=/usr +cp ../config.status . +./config.status +#./configure --prefix=/usr make mkdir debian DESTDIR=debian make install-strip -- cgit v1.2.3-70-g09d2 From 7c5618cd1cf98078848e3af17b68e21f7489a779 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 19 Sep 2016 09:51:39 -0400 Subject: make deb is build using the current configuration --- RELNOTES | 1 + 1 file changed, 1 insertion(+) diff --git a/RELNOTES b/RELNOTES index 391f7bcf2..1cb8bbcbd 100644 --- a/RELNOTES +++ b/RELNOTES 
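Review bot: In mkdeb.sh neither `cp ../config.status .` nor `./config.status` is checked, so a missing or stale file lets the script run on into `make`. The package also now inherits the prefix and the feature switches of whatever configure run produced `../config.status`, instead of the fixed `--prefix=/usr`. If that is intended, a comment above the two lines should say so. I would write `cp ../config.status . && ./config.status || exit 1` and delete the commented-out `#./configure --prefix=/usr` line rather than keep it.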
@@ -1,6 +1,7 @@ firejail (0.9.43) baseline; urgency=low * development version * modifs: removed man firejail-config + * modifs: make deb builds package based on the current configuration * feature: blocking x11 (--x11=block) * feature: x11 xpra, x11 xephyr, x11 block profile commands -- netblue30 Fri, 9 Sept 2016 08:00:00 -0500 -- cgit v1.2.3-70-g09d2 From fa417620d29e6cd1a27b6e513eab41d42cd9ad7b Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 19 Sep 2016 10:01:19 -0400 Subject: document blacklist-nolog --- RELNOTES | 1 + src/man/firejail-profile.txt | 11 +++++++++++ 2 files changed, 12 insertions(+) diff --git a/RELNOTES b/RELNOTES index 1cb8bbcbd..0920691e7 100644 --- a/RELNOTES +++ b/RELNOTES @@ -4,6 +4,7 @@ firejail (0.9.43) baseline; urgency=low * modifs: make deb builds package based on the current configuration * feature: blocking x11 (--x11=block) * feature: x11 xpra, x11 xephyr, x11 block profile commands + * bugfixes -- netblue30 Fri, 9 Sept 2016 08:00:00 -0500 firejail (0.9.42) baseline; urgency=low diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 99e7f6690..cc37670aa 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -127,6 +127,17 @@ blacklist ${PATH}/ifconfig .br blacklist ${HOME}/.ssh +.TP +\fBblacklist-nolog file_or_directory +When --tracelog flag is set, blacklisting generates syslog messages if the sandbox tries to access the file or directory. +blacklist-nolog command disables syslog messages for this particular file or directory. Examples: +.br + +.br +blacklist-nolog /usr/bin +.br +blacklist-nolog /usr/bin/gcc* + .TP \fBbind directory1,directory2 Mount-bind directory1 on top of directory2. This option is only available when running as root. -- cgit v1.2.3-70-g09d2 From 83c7253a753a810240408ac2057e7c2b920a2a52 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Mon, 19 Sep 2016 13:11:59 -0400 Subject: --private-tmp whitelists /tmp/.X11-unix directory --- RELNOTES | 1 + src/firejail/sandbox.c | 31 +++++++++++++++++-------------- 2 files changed, 18 insertions(+), 14 deletions(-) diff --git a/RELNOTES b/RELNOTES index 0920691e7..17d488fac 100644 --- a/RELNOTES +++ b/RELNOTES @@ -2,6 +2,7 @@ firejail (0.9.43) baseline; urgency=low * development version * modifs: removed man firejail-config * modifs: make deb builds package based on the current configuration + * modifs: --private-tmp whitelists /tmp/.X11-unix directory * feature: blocking x11 (--x11=block) * feature: x11 xpra, x11 xephyr, x11 block profile commands * bugfixes diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 76efe996b..cc5483c08 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -593,8 +593,13 @@ int sandbox(void* sandbox_arg) { fprintf(stderr, "Warning: private-tmp feature is disabled in chroot\n"); else if (arg_overlay) fprintf(stderr, "Warning: private-tmp feature is disabled in overlay\n"); - else - fs_private_tmp(); + else { + // private-tmp is implemented as a whitelist + EUID_USER(); + profile_add("whitelist /tmp/.X11-unix"); + EUID_ROOT(); +// fs_private_tmp(); + } } //**************************** 
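Review bot: With this `else` branch `--private-tmp` no longer calls `fs_private_tmp()`; it only queues `whitelist /tmp/.X11-unix`, so every sandbox started with private-tmp keeps the host X11 socket directory visible inside its /tmp. That changes what the option isolates and should be stated in the comment, e.g. `// private-tmp == whitelist of /tmp/.X11-unix: /tmp is hidden except for the X11 sockets`. It presumably relies on fs_whitelist() covering /tmp even when that directory is absent on the host; that code is outside the hunk and worth confirming. The dead `// fs_private_tmp();` line should be removed rather than left commented out. `sandbox()` begins and ends outside this hunk.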
@@ -606,18 +611,16 @@ int sandbox(void* sandbox_arg) { //**************************** // apply the profile file //**************************** - if (cfg.profile) { - // apply all whitelist commands ... - if (cfg.chrootdir) - fprintf(stderr, "Warning: whitelist feature is disabled in chroot\n"); - else if (arg_overlay) - fprintf(stderr, "Warning: whitelist feature is disabled in overlay\n"); - else - fs_whitelist(); - - // ... followed by blacklist commands - fs_blacklist(); - } + // apply all whitelist commands ... + if (cfg.chrootdir) + fprintf(stderr, "Warning: whitelist feature is disabled in chroot\n"); + else if (arg_overlay) + fprintf(stderr, "Warning: whitelist feature is disabled in overlay\n"); + else + fs_whitelist(); + + // ... followed by blacklist commands + fs_blacklist(); //**************************** // install trace -- cgit v1.2.3-70-g09d2 From ea01effe46990d7376efa81ad4da47430025a234 Mon Sep 17 00:00:00 2001 From: Dara Adib Date: Mon, 19 Sep 2016 22:45:59 -0400 Subject: Quiet SSH config firejail output in ssh client breaks git+ssh for me, e.g., $ git clone git@github.com:netblue30/firejail.git Cloning into 'firejail'... Reading profile /etc/firejail/ssh.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/disable-passwdmgr.inc fatal: protocol error: bad line length character: Pare The "Pare" comes from "Parent pid x, child pid y". --- etc/ssh.profile | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/ssh.profile b/etc/ssh.profile index 2411e46f3..d3558ead3 100644 --- a/etc/ssh.profile +++ b/etc/ssh.profile @@ -1,4 +1,5 @@ # ssh client +quiet noblacklist ~/.ssh noblacklist /tmp/ssh-* -- cgit v1.2.3-70-g09d2 From 2ef9a452c72686e76f71817d0b4c383971f2b380 Mon Sep 17 00:00:00 2001 
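Review bot: With the `if (cfg.profile)` guard removed, the "whitelist feature is disabled in chroot" and "disabled in overlay" warnings are printed for every chroot or overlay sandbox, even when no whitelist command was given. `fs_whitelist()` and `fs_blacklist()` are also now reached when `cfg.profile` is NULL. Neither function is visible here, so confirm both return early on an empty list. A comment such as `// always run: --private-tmp adds a whitelist entry even without a profile file` would record why the guard went away. The enclosing `sandbox()` function extends beyond the hunk on both sides.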
From: netblue30 Date: Tue, 20 Sep 2016 09:18:07 -0400 Subject: support nvidia drivers in --private-dev --- RELNOTES | 1 + src/firejail/firejail.h | 4 +- src/firejail/fs_dev.c | 113 ++++++++++++++++++++++++------------------------ todo | 4 -- 4 files changed, 60 insertions(+), 62 deletions(-) diff --git a/RELNOTES b/RELNOTES index 17d488fac..31b948c71 100644 --- a/RELNOTES +++ b/RELNOTES @@ -3,6 +3,7 @@ firejail (0.9.43) baseline; urgency=low * modifs: removed man firejail-config * modifs: make deb builds package based on the current configuration * modifs: --private-tmp whitelists /tmp/.X11-unix directory + * modifs: Nvidia drivers added to --privte-dev * feature: blocking x11 (--x11=block) * feature: x11 xpra, x11 xephyr, x11 block profile commands * bugfixes diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index c0536502e..bee93ca85 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -45,9 +45,9 @@ #define RUN_HOME_DIR "/run/firejail/mnt/home" #define RUN_ETC_DIR "/run/firejail/mnt/etc" #define RUN_BIN_DIR "/run/firejail/mnt/bin" -#define RUN_DRI_DIR "/run/firejail/mnt/dri" -#define RUN_SND_DIR "/run/firejail/mnt/snd" #define RUN_PULSE_DIR "/run/firejail/mnt/pulse" + +#define RUN_DEV_DIR "/run/firejail/mnt/dev" #define RUN_DEVLOG_FILE "/run/firejail/mnt/devlog" #define RUN_WHITELIST_X11_DIR "/run/firejail/mnt/orig-x11" diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index 363d3e484..4744b3096 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c 
@@ -30,6 +30,49 @@ #endif #include +typedef struct { + const char *dev_fname; + const char *run_fname; +} DevEntry; + +static DevEntry dev[] = { + {"/dev/snd", RUN_DEV_DIR "/snd"}, + {"/dev/dri", RUN_DEV_DIR "/dri"}, + {"/dev/nvidia0", RUN_DEV_DIR "/nvidia0"}, + {"/dev/nvidia1", RUN_DEV_DIR "/nvidia1"}, + {"/dev/nvidia2", RUN_DEV_DIR "/nvidia2"}, + {"/dev/nvidia3", RUN_DEV_DIR "/nvidia3"}, + {"/dev/nvidia4", RUN_DEV_DIR "/nvidia4"}, + {"/dev/nvidia5", RUN_DEV_DIR "/nvidia5"}, + {"/dev/nvidia6", RUN_DEV_DIR "/nvidia6"}, + {"/dev/nvidia7", RUN_DEV_DIR "/nvidia7"}, + {"/dev/nvidia8", RUN_DEV_DIR "/nvidia8"}, + {"/dev/nvidia9", RUN_DEV_DIR "/nvidia9"}, + {"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl"}, + {"/dev/nvidia-modset", RUN_DEV_DIR "/nvidia-modset"}, + {"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm"}, + {NULL, NULL} +}; + +static void deventry_mount(void) { + int i = 0; + while (dev[i].dev_fname != NULL) { + struct stat s; + if (stat(dev[i].run_fname, &s) == 0) { + if (mkdir(dev[i].dev_fname, 0755) == -1) + errExit("mkdir"); + if (chmod(dev[i].dev_fname, 0755) == -1) + errExit("chmod"); + ASSERT_PERMS(dev[i].dev_fname, 0, 0, 0755); + if (mount(dev[i].run_fname, dev[i].dev_fname, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mounting /dev/snd"); + fs_logger2("whitelist", dev[i].dev_fname); + } + + i++; + } +} + static void create_char_dev(const char *path, mode_t mode, int major, int minor) { dev_t dev = makedev(major, minor); if (mknod(path, S_IFCHR | mode, dev) == -1) 
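Review bot: `deventry_mount()` creates every target with `mkdir()`, but only `/dev/snd` and `/dev/dri` are directories. The `nvidia*` entries are device nodes, and bind-mounting a non-directory onto a directory fails with ENOTDIR, so on a host that has `/dev/nvidia0` the sandbox would stop in `errExit`. The mount point has to be created to match the source type, as in the sketch below. The message `"mounting /dev/snd"` is reused for every entry, and the same stale wording appears in the later hunks of this file (`"mounting /dev/dri"` for the copy of /dev, `"disable /dev/snd"` for the mount over RUN_DEV_DIR). The table could be `static const`, and `/dev/nvidia-modset` is probably meant to be `/dev/nvidia-modeset`.

```c
static void deventry_mount(void) {
	int i = 0;
	while (dev[i].dev_fname != NULL) {
		struct stat s;
		if (stat(dev[i].run_fname, &s) == 0) {
			if (S_ISDIR(s.st_mode)) {
				// directory source: the mount point must be a directory
				/* … unchanged: mkdir, chmod, ASSERT_PERMS on dev[i].dev_fname … */
			}
			else {
				// device node source: the mount point must be a plain file
				FILE *fp = fopen(dev[i].dev_fname, "w");
				if (!fp)
					errExit("fopen");
				fclose(fp);
			}
			if (mount(dev[i].run_fname, dev[i].dev_fname, NULL, MS_BIND|MS_REC, NULL) < 0)
				errExit("mounting device entry");
			fs_logger2("whitelist", dev[i].dev_fname);
		}

		i++;
	}
}
```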
@@ -62,43 +105,21 @@ void fs_private_dev(void){ if (arg_debug) printf("Mounting tmpfs on /dev\n"); - int have_dri = 0; - int have_snd = 0; - struct stat s; - if (stat("/dev/dri", &s) == 0) - have_dri = 1; - if (stat("/dev/snd", &s) == 0) - have_snd = 1; - // create DRI_DIR fs_build_mnt_dir(); - if (have_dri) { - if (mkdir(RUN_DRI_DIR, 0755) == -1) - errExit("mkdir"); - if (chmod(RUN_DRI_DIR, 0755) == -1) - errExit("chmod"); - ASSERT_PERMS(RUN_DRI_DIR, 0, 0, 0755); - - // keep a copy of /dev/dri under DRI_DIR - if (mount("/dev/dri", RUN_DRI_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mounting /dev/dri"); - } - - // create SND_DIR - if (have_snd) { - if (mkdir(RUN_SND_DIR, 0755) == -1) - errExit("mkdir"); - if (chmod(RUN_SND_DIR, 0755) == -1) - errExit("chmod"); - ASSERT_PERMS(RUN_SND_DIR, 0, 0, 0755); - - // keep a copy of /dev/dri under DRI_DIR - if (mount("/dev/snd", RUN_SND_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mounting /dev/snd"); - } + // keep a copy of dev directory + if (mkdir(RUN_DEV_DIR, 0755) == -1) + errExit("mkdir"); + if (chmod(RUN_DEV_DIR, 0755) == -1) + errExit("chmod"); + ASSERT_PERMS(RUN_DEV_DIR, 0, 0, 0755); + if (mount("/dev", RUN_DEV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mounting /dev/dri"); + // create DEVLOG_FILE int have_devlog = 0; + struct stat s; if (stat("/dev/log", &s) == 0) { have_devlog = 1; FILE *fp = fopen(RUN_DEVLOG_FILE, "w"); @@ -116,6 +137,8 @@ void fs_private_dev(void){ if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mounting /dev"); fs_logger("tmpfs /dev"); + + deventry_mount(); // bring back /dev/log if (have_devlog) { 
@@ -128,31 +151,9 @@ void fs_private_dev(void){ fs_logger("clone /dev/log"); } } + if (mount(RUN_RO_DIR, RUN_DEV_DIR, "none", MS_BIND, "mode=400,gid=0") < 0) + errExit("disable /dev/snd"); - // bring back the /dev/snd directory - if (have_snd) { - /* coverity[toctou] */ - if (mkdir("/dev/snd", 0755) == -1) - errExit("mkdir"); - if (chmod("/dev/snd", 0755) == -1) - errExit("chmod"); - ASSERT_PERMS("/dev/snd", 0, 0, 0755); - if (mount(RUN_SND_DIR, "/dev/snd", NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mounting /dev/snd"); - fs_logger("whitelist /dev/snd"); - } - - // bring back the /dev/dri directory - if (have_dri) { - if (mkdir("/dev/dri", 0755) == -1) - errExit("mkdir"); - if (chmod("/dev/dri", 0755) == -1) - errExit("chmod"); - ASSERT_PERMS("/dev/dri", 0, 0, 0755); - if (mount(RUN_DRI_DIR, "/dev/dri", NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mounting /dev/dri"); - fs_logger("whitelist /dev/dri"); - } // create /dev/shm if (arg_debug) diff --git a/todo b/todo index 2a5a3e388..26c3e247c 100644 --- a/todo +++ b/todo @@ -161,10 +161,6 @@ To disable Vsync $ vblank_mode=0 glxgears -18. Bring in nvidia drives in private-dev - -/dev/nvidia[0-9], /dev/nvidiactl, /dev/nvidia-modset and /dev/nvidia-uvm - 19. testing snaps Install firejail from official repository -- cgit v1.2.3-70-g09d2 From d4e34ce781f06282a5088e1f32007f8a1468bb77 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 21 Sep 2016 07:42:06 -0400 Subject: ssh profile fix --- README | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README b/README index 9f3065b3b..94d3b5ed6 100644 --- a/README +++ b/README @@ -74,6 +74,8 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added eom profile - added gnome-chess profile - added DOSBox profile +Dara Adib (https://github.com/daradib) + - ssh profile fix Tomasz Jan Góralczyk (https://github.com/tjg) - fixed Steam profile pwnage-pineapple (https://github.com/pwnage-pineapple) -- cgit v1.2.3-70-g09d2 
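Review bot: The mount of `RUN_RO_DIR` over `RUN_DEV_DIR` is what hides the full copy of the host /dev made earlier in `fs_private_dev()`, yet it carries the error text `"disable /dev/snd"` and no comment. For an `MS_BIND` mount the kernel ignores the filesystem type and the data string, so `"none"` and `"mode=400,gid=0"` have no effect and suggest a restriction that is not applied. I would write `if (mount(RUN_RO_DIR, RUN_DEV_DIR, NULL, MS_BIND, NULL) < 0) errExit("disable " RUN_DEV_DIR);` preceded by `// hide the saved host /dev so only the entries re-mounted above stay reachable`. The definition of RUN_RO_DIR is not on this page, so confirm it is an empty read-only directory. `fs_private_dev()` starts before and ends after this hunk.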
From f6d86a4ccfd1dd62e1511f3f2e664dca9cbd2f6f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 22 Sep 2016 10:12:01 -0400 Subject: --ls fix --- src/firejail/ls.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/firejail/ls.c b/src/firejail/ls.c index 495aaf8e2..593977e0e 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c @@ -257,7 +257,9 @@ void sandboxfs(int op, pid_t pid, const char *path) { if (chdir("/") < 0) errExit("chdir"); - // access chek is performed with the real UID + // drop privileges + drop_privs(0); + if (access(fname, R_OK) == -1) { fprintf(stderr, "Error: Cannot access %s\n", fname); exit(1); -- cgit v1.2.3-70-g09d2 From 45167c58f114ad634bce3c2e639dfe3574bf59f1 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 22 Sep 2016 10:36:34 -0400 Subject: --get fixes --- src/firejail/ls.c | 35 +++++++++++++++++++++++++++-------- 1 file changed, 27 insertions(+), 8 deletions(-) diff --git a/src/firejail/ls.c b/src/firejail/ls.c index 593977e0e..4c1992278 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c @@ -360,13 +360,29 @@ void sandboxfs(int op, pid_t pid, const char *path) { } if (access(dest_fname, F_OK) == -1) { - // try to create the file - FILE *fp = fopen(dest_fname, "w"); - if (!fp) { - fprintf(stderr, "Error: cannot create %s\n", dest_fname); - exit(1); + // try to create the file as a regular user + pid_t child = fork(); + if (child < 0) + errExit("fork"); + if (child == 0) { + // drop privileges + drop_privs(0); + + FILE *fp = fopen(dest_fname, "w"); + if (!fp) { + fprintf(stderr, "Error: cannot create %s\n", dest_fname); + exit(1); + } + fclose(fp); + exit(0); } - fclose(fp); + + // wait for the child to finish + int status = 0; + waitpid(child, &status, 0); + if (WIFEXITED(status) && WEXITSTATUS(status) == 0); + else + exit(1); } else { if (access(dest_fname, W_OK) == -1) { 
@@ -374,10 +390,13 @@ void sandboxfs(int op, pid_t pid, const char *path) { exit(1); } } + // copy file EUID_ROOT(); - copy_file(src_fname, dest_fname, getuid(), getgid(), 0644); - printf("Transfer complete\n"); + if (copy_file(src_fname, dest_fname, getuid(), getgid(), 0644)) + fprintf(stderr, "Error: transfer failed\n"); + else + printf("Transfer complete\n"); EUID_USER(); } -- cgit v1.2.3-70-g09d2 From 6163ff2a6fd8fa0858ff4f7c57d45dc57c8f39b1 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 22 Sep 2016 13:40:32 -0400 Subject: add files to sandbox container (--put) --- RELNOTES | 1 + src/firejail/firejail.h | 12 ++-- src/firejail/ls.c | 187 +++++++++++++++++++++++++++++++++++++++--------- src/firejail/main.c | 43 +++++++++-- src/firejail/usage.c | 27 +------ src/man/firejail.txt | 17 ++++- 6 files changed, 216 insertions(+), 71 deletions(-) diff --git a/RELNOTES b/RELNOTES index 31b948c71..84ad8bce7 100644 --- a/RELNOTES +++ b/RELNOTES @@ -4,6 +4,7 @@ firejail (0.9.43) baseline; urgency=low * modifs: make deb builds package based on the current configuration * modifs: --private-tmp whitelists /tmp/.X11-unix directory * modifs: Nvidia drivers added to --privte-dev + * feature: add files to sandbox container (--put) * feature: blocking x11 (--x11=block) * feature: x11 xpra, x11 xephyr, x11 block profile commands * bugfixes diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index bee93ca85..e3bf5e187 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h 
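Review bot: `copy_file()` runs after `EUID_ROOT()` on `dest_fname`, a name in the caller's current directory that was checked or created as the unprivileged user in the preceding hunk, so the check and the privileged write are not tied to the same file if the name is replaced in between. Doing the write in a child that has already called `drop_privs(0)`, or opening the destination once with `O_NOFOLLOW` and writing through that descriptor, removes the gap. A failed transfer now prints an error but appears to continue to the normal exit path; calling `exit(1)` after `EUID_USER()` would let callers detect it. In the preceding hunk `waitpid()`'s return value is unchecked, and `if (...); else exit(1);` reads more clearly as `if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) exit(1);`. The same check-then-copy sequence is repeated in the `SANDBOX_FS_PUT` branch added by the next commit.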
@@ -629,10 +629,14 @@ void x11_start_xephyr(int argc, char **argv); void x11_block(void); // ls.c -#define SANDBOX_FS_LS 0 -#define SANDBOX_FS_GET 1 -void sandboxfs_name(int op, const char *name, const char *path); -void sandboxfs(int op, pid_t pid, const char *patqh); +enum { + SANDBOX_FS_LS = 0, + SANDBOX_FS_GET, + SANDBOX_FS_PUT, + SANDBOX_FS_MAX // this should always be the last entry +}; +void sandboxfs_name(int op, const char *name, const char *path1, const char *path2); +void sandboxfs(int op, pid_t pid, const char *path1, const char *path2); // checkcfg.c enum { diff --git a/src/firejail/ls.c b/src/firejail/ls.c index 4c1992278..14991ba94 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c @@ -185,7 +185,7 @@ static void print_directory(const char *path) { free(namelist); } -void sandboxfs_name(int op, const char *name, const char *path) { +void sandboxfs_name(int op, const char *name, const char *path1, const char *path2) { EUID_ASSERT(); if (!name || strlen(name) == 0) { @@ -198,10 +198,29 @@ void sandboxfs_name(int op, const char *name, const char *path) { exit(1); } - sandboxfs(op, pid, path); + sandboxfs(op, pid, path1, path2); } -void sandboxfs(int op, pid_t pid, const char *path) { +char *expand_path(const char *path) { + char *fname = NULL; + if (*path == '/') { + fname = strdup(path); + if (!fname) + errExit("strdup"); + } + else if (*path == '~') { + if (asprintf(&fname, "%s%s", cfg.homedir, path + 1) == -1) + errExit("asprintf"); + } + else { + // assume the file is in current working directory + if (asprintf(&fname, "%s/%s", cfg.cwd, path) == -1) + errExit("asprintf"); + } + return fname; +} + +void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { EUID_ASSERT(); // if the pid is that of a firejail process, use the pid of the first child process 
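Review bot: `expand_path()` is added with external linkage although the `firejail.h` hunk declares no prototype for it; unless another file needs it, it should be `static char *expand_path(const char *path)`. It dereferences `path` and formats `cfg.homedir` and `cfg.cwd` with `%s` without checking any of them for NULL. For `--ls` and `--get` the argument names a file inside the sandbox, while `cfg.cwd` is presumably the caller's directory on the host. A short header comment stating which side relative and `~` names are resolved against would prevent misuse.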
@@ -228,22 +247,17 @@ void sandboxfs(int op, pid_t pid, const char *path) { } } - // full path or file in current directory? - char *fname; - if (*path == '/') { - fname = strdup(path); - if (!fname) - errExit("strdup"); + // expand paths + char *fname1 = expand_path(path1);; + char *fname2 = NULL; + if (path2 != NULL) { + fname2 = expand_path(path2); } - else if (*path == '~') { - if (asprintf(&fname, "%s%s", cfg.homedir, path + 1) == -1) - errExit("asprintf"); + if (arg_debug) { + printf("file1 %s\n", fname1); + printf("file2 %s\n", fname2); } - else { - fprintf(stderr, "Error: Cannot access %s\n", path); - exit(1); - } - + // sandbox root directory char *rootdir; if (asprintf(&rootdir, "/proc/%d/root", pid) == -1) @@ -260,21 +274,21 @@ void sandboxfs(int op, pid_t pid, const char *path) { // drop privileges drop_privs(0); - if (access(fname, R_OK) == -1) { - fprintf(stderr, "Error: Cannot access %s\n", fname); + if (access(fname1, R_OK) == -1) { + fprintf(stderr, "Error: Cannot access %s\n", fname1); exit(1); } // list directory contents struct stat s; - if (stat(fname, &s) == -1) { - fprintf(stderr, "Error: Cannot access %s\n", fname); + if (stat(fname1, &s) == -1) { + fprintf(stderr, "Error: Cannot access %s\n", fname1); exit(1); } if (S_ISDIR(s.st_mode)) { - char *rp = realpath(fname, NULL); + char *rp = realpath(fname1, NULL); if (!rp) { - fprintf(stderr, "Error: Cannot access %s\n", fname); + fprintf(stderr, "Error: Cannot access %s\n", fname1); exit(1); } if (arg_debug) @@ -289,9 +303,9 @@ void sandboxfs(int op, pid_t pid, const char *path) { free(dir); } else { - char *rp = realpath(fname, NULL); + char *rp = realpath(fname1, NULL); if (!rp) { - fprintf(stderr, "Error: Cannot access %s\n", fname); + fprintf(stderr, "Error: Cannot access %s\n", fname1); exit(1); } if (arg_debug) 
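Review bot: Under `arg_debug` the new `printf("file2 %s\n", fname2);` is reached with `fname2 == NULL` for `--ls` and `--get`, which pass `NULL` as `path2`; a null pointer for `%s` is undefined behaviour. Use `printf("file2 %s\n", fname2 ? fname2 : "(none)");`. The line `char *fname1 = expand_path(path1);;` also has a stray second semicolon. `sandboxfs()` continues on both sides of this hunk.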
@@ -312,15 +326,18 @@ void sandboxfs(int op, pid_t pid, const char *path) { else if (op == SANDBOX_FS_GET) { // check source file (sandbox) char *src_fname; - if (asprintf(&src_fname, "%s%s", rootdir, fname) == -1) + if (asprintf(&src_fname, "%s%s", rootdir, fname1) == -1) errExit("asprintf"); EUID_ROOT(); struct stat s; if (stat(src_fname, &s) == -1) { - fprintf(stderr, "Error: Cannot access %s\n", fname); + fprintf(stderr, "Error: Cannot access %s\n", fname1); + exit(1); + } + if (is_dir(src_fname)) { + fprintf(stderr, "Error: source file name is a directory\n"); exit(1); } - // try to open the source file - we need to chroot pid_t child = fork(); @@ -337,8 +354,8 @@ void sandboxfs(int op, pid_t pid, const char *path) { drop_privs(0); // try to read the file - if (access(fname, R_OK) == -1) { - fprintf(stderr, "Error: Cannot read %s\n", fname); + if (access(fname1, R_OK) == -1) { + fprintf(stderr, "Error: Cannot read %s\n", fname1); exit(1); } exit(0); @@ -353,9 +370,9 @@ void sandboxfs(int op, pid_t pid, const char *path) { EUID_USER(); // check destination file (host) - char *dest_fname = strrchr(fname, '/'); + char *dest_fname = strrchr(fname1, '/'); if (!dest_fname || *(++dest_fname) == '\0') { - fprintf(stderr, "Error: invalid file name %s\n", fname); + fprintf(stderr, "Error: invalid file name %s\n", fname1); exit(1); } @@ -376,7 +393,7 @@ void sandboxfs(int op, pid_t pid, const char *path) { fclose(fp); exit(0); } - + // wait for the child to finish int status = 0; waitpid(child, &status, 0); @@ -392,6 +409,8 @@ void sandboxfs(int op, pid_t pid, const char *path) { } // copy file + if (arg_debug) + printf("copy %s to %s\n", src_fname, dest_fname); EUID_ROOT(); if (copy_file(src_fname, dest_fname, getuid(), getgid(), 0644)) fprintf(stderr, "Error: transfer failed\n"); 
@@ -399,8 +418,106 @@ void sandboxfs(int op, pid_t pid, const char *path) { printf("Transfer complete\n"); EUID_USER(); } - - free(fname); + // get file from host and store it in the sandbox + else if (op == SANDBOX_FS_PUT) { + // verify the source file + const char *src_fname = path1; + struct stat s; + if (stat(src_fname, &s) == -1) { + fprintf(stderr, "Error: Cannot access %s\n", fname1); + exit(1); + } + if (is_dir(src_fname)) { + fprintf(stderr, "Error: source file name is a directory\n"); + exit(1); + } + + // try to open the source file + pid_t child = fork(); + if (child < 0) + errExit("fork"); + if (child == 0) { + // drop privileges + drop_privs(0); + + // try to read the file + if (access(src_fname, R_OK) == -1) { + fprintf(stderr, "Error: Cannot read %s\n", src_fname); + exit(1); + } + exit(0); + } + + // wait for the child to finish + int status = 0; + waitpid(child, &status, 0); + if (WIFEXITED(status) && WEXITSTATUS(status) == 0); + else + exit(1); + + // check destination file (sandbox) + char *dest_fname; + if (asprintf(&dest_fname, "%s%s", rootdir, fname2) == -1) + errExit("asprintf"); + EUID_ROOT(); + if (is_dir(dest_fname)) { + fprintf(stderr, "Error: destination file name is a directory inside the sandbox\n"); + exit(1); + } + + // check write access on destination + child = fork(); + if (child < 0) + errExit("fork"); + if (child == 0) { + // chroot + if (chroot(rootdir) < 0) + errExit("chroot"); + if (chdir("/") < 0) + errExit("chdir"); + + // drop privileges + drop_privs(0); + + if (access(path2, F_OK) == -1) { + FILE *fp = fopen(path2, "w"); + if (!fp) { + fprintf(stderr, "Error: cannot create %s\n", path2); + exit(1); + } + fclose(fp); + } + else { + if (access(path2, W_OK) == -1) { + fprintf(stderr, "Error: cannot write %s\n", path2); + exit(1); + } + } + + exit(0); + } + + // wait for the child to finish + status = 0; + waitpid(child, &status, 0); + if (WIFEXITED(status) && WEXITSTATUS(status) == 0); + else + exit(1); + + // copy file + 
if (arg_debug) + printf("copy %s to %s\n", src_fname, dest_fname); + EUID_ROOT(); + if (copy_file(src_fname, dest_fname, getuid(), getgid(), 0644)) + fprintf(stderr, "Error: transfer failed\n"); + else + printf("Transfer complete\n"); + EUID_USER(); + } + + if (fname2) + free(fname2); + free(fname1); free(rootdir); exit(0); diff --git a/src/firejail/main.c b/src/firejail/main.c index e171919d1..3afecbe62 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -536,9 +536,44 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { // get file pid_t pid; if (read_pid(argv[i] + 6, &pid) == 0) - sandboxfs(SANDBOX_FS_GET, pid, path); + sandboxfs(SANDBOX_FS_GET, pid, path, NULL); else - sandboxfs_name(SANDBOX_FS_GET, argv[i] + 6, path); + sandboxfs_name(SANDBOX_FS_GET, argv[i] + 6, path, NULL); + exit(0); + } + else { + fprintf(stderr, "Error: --get feature is disabled in Firejail configuration file\n"); + exit(1); + } + } + else if (strncmp(argv[i], "--put=", 6) == 0) { + if (checkcfg(CFG_FILE_TRANSFER)) { + logargs(argc, argv); + + // verify path + if ((i + 3) != argc) { + fprintf(stderr, "Error: invalid --put option, 2 paths expected\n"); + exit(1); + } + char *path1 = argv[i + 1]; + invalid_filename(path1); + if (strstr(path1, "..")) { + fprintf(stderr, "Error: invalid file name %s\n", path1); + exit(1); + } + char *path2 = argv[i + 2]; + invalid_filename(path2); + if (strstr(path2, "..")) { + fprintf(stderr, "Error: invalid file name %s\n", path2); + exit(1); + } + + // get file + pid_t pid; + if (read_pid(argv[i] + 6, &pid) == 0) + sandboxfs(SANDBOX_FS_PUT, pid, path1, path2); + else + sandboxfs_name(SANDBOX_FS_PUT, argv[i] + 6, path1, path2); exit(0); } else { 
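Review bot: In the `SANDBOX_FS_PUT` branch the chrooted child tests and creates `path2`, while the parent afterwards copies to `rootdir` + `fname2`, the expanded name. For a relative or `~` destination these are different files, so the write-access check does not cover the file that `copy_file()` then writes with EUID root. Use `fname2` in the child's `access()` and `fopen()` calls, and `const char *src_fname = fname1;` so the source that is checked matches the name printed in the error message. As in the `--get` path, the privileged copy follows a check made earlier on a path, here inside a tree that sandboxed processes can change; performing the write from the chrooted, privilege-dropped child would close that gap. A failed `copy_file()` is reported, but the function still ends in `exit(0)`.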
@@ -565,9 +600,9 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { // list directory contents pid_t pid; if (read_pid(argv[i] + 5, &pid) == 0) - sandboxfs(SANDBOX_FS_LS, pid, path); + sandboxfs(SANDBOX_FS_LS, pid, path, NULL); else - sandboxfs_name(SANDBOX_FS_LS, argv[i] + 5, path); + sandboxfs_name(SANDBOX_FS_LS, argv[i] + 5, path, NULL); exit(0); } else { diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 52d9bbe7e..c08ec18a0 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -185,31 +185,6 @@ void usage(void) { printf("\t$HOME/.firejail/ directory. (OverlayFS support is required in\n"); printf("\tLinux kernel for this option to work). \n\n"); -#if 0 // disabled for now, it could be used to overwrite system directories - printf(" --overlay-path=path - mount a filesystem overlay on top of the current\n"); - printf("\tfilesystem. The upper filesystem layer is persistent, and stored in\n"); - printf("\tthe specified path. (OverlayFS support is required in Linux kernel for\n"); - printf("\tthis option to work). \n\n"); - -.TP -\fB\-\-overlay-path=path -Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container, -the system directories are mounted read-write. All filesystem modifications go into the overlay. -The overlay is stored in the specified path. The created overlay can be reused between multiple sessions. -.br - -.br -OverlayFS support is required in Linux kernel for this option to work. -OverlayFS was officially introduced in Linux kernel version 3.18. -This option is not available on Grsecurity systems. -.br - -.br -Example: -.br -$ firejail \-\-overlay-path=~/jails/jail1 firefox -#endif - printf(" --overlay-tmpfs - mount a filesystem overlay on top of the current\n"); printf("\tfilesystem. The upper layer is stored in a tmpfs filesystem,\n"); printf("\tand it is discarded when the sandbox is closed. (OverlayFS\n"); 
@@ -246,6 +221,8 @@ $ firejail \-\-overlay-path=~/jails/jail1 firefox printf(" --protocol.print=name|pid - print the protocol filter for the sandbox\n"); printf("\tidentified by name or PID.\n\n"); + printf(" --put=name|pid src-filename dest-filename - put a file in sandbox container.\n\n"); + printf(" --quiet - turn off Firejail's output.\n\n"); printf(" --read-only=dirname_or_filename - set directory or file read-only..\n\n"); printf(" --read-write=dirname_or_filename - set directory or file read-write..\n\n"); diff --git a/src/man/firejail.txt b/src/man/firejail.txt index a906de0c9..29b0f05a2 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -11,7 +11,7 @@ firejail [OPTIONS] [program and arguments] File transfer from an existing sandbox .PP .RS -firejail {\-\-ls | \-\-get} dir_or_filename +firejail {\-\-ls | \-\-get | \-\-put} dir_or_filename .RE .PP Network traffic shaping for an existing sandbox: @@ -1224,6 +1224,9 @@ $ firejail \-\-protocol.print=3272 .br unix,inet,inet6,netlink .TP +\fB\-\-put=name|pid src-filename dest-filename +Put a file in sandbox container, see \fBFILE TRANSFER\fR section for more details. +.TP \fB\-\-quiet Turn off Firejail's output. .TP @@ -1787,12 +1790,16 @@ and transfer files from the container to the host filesystem. .TP \fB\-\-get=name|pid filename Retrieve the container file and store it on the host in the current working directory. -The container is specified by name or PID. Full path is needed for filename. +The container is specified by name or PID. .TP \fB\-\-ls=name|pid dir_or_filename List container files. The container is specified by name or PID. -Full path is needed for dir_or_filename. + +.TP +\fB\-\-put=name|pid src-filename dest-filename +Put src-filename in sandbox container. +The container is specified by name or PID. .TP Examples: 
@@ -1818,7 +1825,11 @@ drwxr-xr-x netblue netblue 4096 .. .br $ firejail \-\-get=mybrowser ~/Downloads/xpra-clipboard.png +.br +.br +$ firejail \-\-put=mybrowser xpra-clipboard.png ~/Downloads/xpra-clipboard.png +.br .SH TRAFFIC SHAPING Network bandwidth is an expensive resource shared among all sandboxes running on a system. -- cgit v1.2.3-70-g09d2 From fa93551a220215b3308983372823e136c0728e73 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 23 Sep 2016 09:14:57 -0400 Subject: fixed make deb --- RELNOTES | 1 - configure | 4 ---- configure.ac | 4 ---- mkdeb.sh | 4 +--- 4 files changed, 1 insertion(+), 12 deletions(-) diff --git a/RELNOTES b/RELNOTES index 84ad8bce7..b6ed4ead9 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,7 +1,6 @@ firejail (0.9.43) baseline; urgency=low * development version * modifs: removed man firejail-config - * modifs: make deb builds package based on the current configuration * modifs: --private-tmp whitelists /tmp/.X11-unix directory * modifs: Nvidia drivers added to --privte-dev * feature: add files to sandbox container (--put) diff --git a/configure b/configure index 35cd69564..42c59279e 100755 --- a/configure +++ b/configure @@ -3083,10 +3083,6 @@ else fi -# Allow to build without apparmor support by calling: -# ./configure --disable-apparmor -# This makes it possible to run snaps in devmode on almost any host, -# regardless of the kernel version. HAVE_APPARMOR="" # Check whether --enable-apparmor was given. if test "${enable_apparmor+set}" = set; then : diff --git a/configure.ac b/configure.ac index 10534c9ab..e664cbe31 100644 --- a/configure.ac +++ b/configure.ac @@ -9,10 +9,6 @@ AC_PROG_CC AC_PROG_INSTALL AC_PROG_RANLIB -# Allow to build without apparmor support by calling: -# ./configure --disable-apparmor -# This makes it possible to run snaps in devmode on almost any host, -# regardless of the kernel version. HAVE_APPARMOR="" AC_ARG_ENABLE([apparmor], AS_HELP_STRING([--enable-apparmor], [enable apparmor])) 
diff --git a/mkdeb.sh b/mkdeb.sh index 596569929..be8d618e1 100755 --- a/mkdeb.sh +++ b/mkdeb.sh @@ -18,9 +18,7 @@ echo "*****************************************" tar -xJvf $CODE_ARCHIVE #mkdir -p $INSTALL_DIR cd $CODE_DIR -cp ../config.status . -./config.status -#./configure --prefix=/usr +./configure --prefix=/usr make mkdir debian DESTDIR=debian make install-strip -- cgit v1.2.3-70-g09d2 From 7d60b07d1515a2d7f3732f2620689000ed110535 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Fri, 23 Sep 2016 16:41:18 +0300 Subject: join-or-start option --- src/firejail/main.c | 35 +++++++++++++++++++++++++++++++++++ src/firejail/profile.c | 24 ++++++++++++++++++++++++ 2 files changed, 59 insertions(+) diff --git a/src/firejail/main.c b/src/firejail/main.c index 3afecbe62..03ffab788 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -634,6 +634,30 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { exit(0); } + else if (strncmp(argv[i], "--join-or-start=", 16) == 0) { + // NOTE: this is first part of option handler, + // sandbox name is set in other part + logargs(argc, argv); + + if (arg_shell_none) { + if (argc <= (i+1)) { + fprintf(stderr, "Error: --shell=none set, but no command specified\n"); + exit(1); + } + cfg.original_program_index = i + 1; + } + + // try to join by name only + pid_t pid; + if (!name2pid(argv[i] + 16, &pid)) { + if (!cfg.shell && !arg_shell_none) + cfg.shell = guess_shell(); + + join(pid, argc, argv, i + 1); + exit(0); + } + // if there no such sandbox continue argument processing + } #ifdef HAVE_NETWORK else if (strncmp(argv[i], "--join-network=", 15) == 0) { if (checkcfg(CFG_NETWORK)) { 
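Review bot: This first `--join-or-start=` handler calls `name2pid(argv[i] + 16, &pid)` before anything has checked that the name is non-empty; the `strlen(cfg.name) == 0` test exists only in the second handler in `main()`. Rejecting an empty name here, with `if (argv[i][16] == '\0') { fprintf(stderr, "Error: please provide a name for sandbox\n"); exit(1); }`, keeps the lookup from running on an empty string. As far as this hunk shows, a successful join goes straight to `join()` and `exit(0)`, so the command runs under the existing sandbox's restrictions and not under the options given on this command line. A comment and the man page entry should say so. `run_cmd_and_exit()` extends beyond the hunk.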
@@ -2157,6 +2181,17 @@ int main(int argc, char **argv) { else if (strcmp(argv[i], "--x11=block") == 0) { arg_x11_block = 1; } + else if (strncmp(argv[i], "--join-or-start=", 16) == 0) { + // NOTE: this is second part of option handler, + // atempt to find and join sandbox is done in other one + + // set sandbox name and start normally + cfg.name = argv[i] + 16; + if (strlen(cfg.name) == 0) { + fprintf(stderr, "Error: please provide a name for sandbox\n"); + return 1; + } + } else if (strcmp(argv[i], "--") == 0) { // double dash - positional params to follow arg_doubledash = 1; diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 00301037f..73b655379 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -803,6 +803,30 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { return 0; } + if (strncmp(ptr, "join-or-start ", 14) == 0) { + // try to join by name only + pid_t pid; + if (!name2pid(ptr + 14, &pid)) { + if (!cfg.shell && !arg_shell_none) + cfg.shell = guess_shell(); + + // find first non-option arg + int i; + for (i = 1; i < cfg.original_argc && strncmp(cfg.original_argv[i], "--", 2) != 0; i++); + + join(pid, cfg.original_argc,cfg.original_argv, i + 1); + exit(0); + } + + // set sandbox name and start normally + cfg.name = ptr + 14; + if (strlen(cfg.name) == 0) { + fprintf(stderr, "Error: invalid sandbox name\n"); + exit(1); + } + return 0; + } + // rest of filesystem if (strncmp(ptr, "blacklist ", 10) == 0) ptr += 10; -- cgit v1.2.3-70-g09d2 From 430a442a99e8ebf2f3e18f22bdf182abd9103136 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Fri, 23 Sep 2016 19:44:42 +0300 Subject: update man --- src/man/firejail-profile.txt | 6 ++++++ src/man/firejail.txt | 7 +++++++ 2 files changed, 13 insertions(+) diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index cc37670aa..68420ae9d 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt 
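Review bot: In the `join-or-start ` branch of profile_check_line() (src/firejail/profile.c), the loop under `// find first non-option arg` keeps advancing while the argument does not start with `--`, so it stops at the first option rather than the first non-option, and `i + 1` then skips one more entry. With two or more options on the original command line the index handed to join() would land on an option, and with no options it runs past the program name. The condition looks inverted; `for (i = 1; i < cfg.original_argc && strncmp(cfg.original_argv[i], "--", 2) == 0; i++);` followed by `join(pid, cfg.original_argc, cfg.original_argv, i);` matches the comment, assuming join() takes the index of the first command word as the call in main.c suggests. The name at `ptr + 14` is also looked up before the empty-name check further down. profile_check_line() continues outside the hunk.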
@@ -467,6 +467,12 @@ available in the new namespace is a new loopback interface (lo). Use this option to deny network access to programs that don't really need network access. +.SH Other +.TP +\fBjoin-or-start sandboxname +Join the sandbox identified by name or start a new one. +Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname". + .SH RELOCATING PROFILES For various reasons some users might want to keep the profile files in a different directory. Using \fB--profile-path\fR command line option, Firejail can be instructed to look for profiles diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 29b0f05a2..88c884801 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -618,6 +618,13 @@ Switching to pid 1932, the first child process inside the sandbox .br valid_lft forever preferred_lft forever +.TP +\fB\-\-join-or-start=name +Join the sandbox identified by name or start a new one. +Same as "firejail --join=name" if sandbox with specified name exists, otherwise same as "firejail --name=name ..." +.br +Note that in contrary to other join options there is respective profile option. + .TP \fB\-\-ls=name|pid dir_or_filename List files in sandbox container, see \fBFILE TRANSFER\fR section for more details. -- cgit v1.2.3-70-g09d2 From dfe379acac6a87b6595e376b81851b3394297782 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sun, 25 Sep 2016 01:48:10 +1000 Subject: Added tracelog --- etc/evince.profile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/etc/evince.profile b/etc/evince.profile index 530ce959a..374fa4aaa 100644 --- a/etc/evince.profile +++ b/etc/evince.profile 
@@ -5,14 +5,15 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -nonewprivs nogroups +nonewprivs noroot nosound protocol unix seccomp - shell none +tracelog + private-bin evince,evince-previewer,evince-thumbnailer whitelist /tmp/.X11-unix private-dev -- cgit v1.2.3-70-g09d2 From 72bda4d4accd2082da2a118d6a8ef63519eec3a6 Mon Sep 17 00:00:00 2001 From: W Date: Sun, 25 Sep 2016 03:48:39 +0200 Subject: fixed typo in comment I fixed typo in a comment, it bothered me. If you don't really care about this kind of stuff, just reject this PR :) --- src/firejail/restrict_users.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index cb999a4a6..6aca49b1a 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c @@ -342,7 +342,7 @@ void restrict_users(void) { sanitize_home(); } else { - // user has the home diercotry outside /home + // user has the home directory outside /home // mount tmpfs on top of /home in order to hide it if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mount tmpfs"); -- cgit v1.2.3-70-g09d2 From 0cc0a5807289501bb25a1df8c69aca20dd224988 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 25 Sep 2016 08:50:09 -0400 Subject: --allusers --- README | 3 +++ src/firejail/firejail.h | 1 + src/firejail/main.c | 5 +++++ src/firejail/restrict_users.c | 3 +++ src/firejail/usage.c | 1 + src/man/firejail.txt | 9 +++++++++ 6 files changed, 22 insertions(+) diff --git a/README b/README index 94d3b5ed6..9b981d805 100644 --- a/README +++ b/README 
@@ -74,6 +74,9 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added eom profile - added gnome-chess profile - added DOSBox profile + - evince profile enhancement +graywolf (https://github.com/graywolf) + - spelling fix Dara Adib (https://github.com/daradib) - ssh profile fix Tomasz Jan Góralczyk (https://github.com/tjg) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index e3bf5e187..e76f54ec3 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -318,6 +318,7 @@ extern char *arg_audit_prog; // audit extern int arg_apparmor; // apparmor extern int arg_allow_debuggers; // allow debuggers extern int arg_x11_block; // block X11 +extern int arg_allusers; // all user home directories visible extern int login_shell; extern int parent_to_child_fds[2]; diff --git a/src/firejail/main.c b/src/firejail/main.c index 03ffab788..1f2ee9573 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -106,8 +106,11 @@ char *arg_audit_prog = NULL; // audit int arg_apparmor = 0; // apparmor int arg_allow_debuggers = 0; // allow debuggers int arg_x11_block = 0; // block X11 +int arg_allusers = 0; // all user home directories visible + int login_shell = 0; + int parent_to_child_fds[2]; int child_to_parent_fds[2]; @@ -1296,6 +1299,8 @@ int main(int argc, char **argv) { //************************************* // filesystem //************************************* + else if (strcmp(argv[i], "--allusers") == 0) + arg_allusers = 1; #ifdef HAVE_BIND else if (strncmp(argv[i], "--bind=", 7) == 0) { if (checkcfg(CFG_BIND)) { diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index cb999a4a6..9e0c789aa 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c @@ -335,6 +335,9 @@ errout: } void restrict_users(void) { + if (arg_allusers) + return; + // only in user mode if (getuid()) { if (strncmp(cfg.homedir, "/home/", 6) == 0) { 
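Review bot: The new `if (arg_allusers) return;` at the top of restrict_users() (src/firejail/restrict_users.c) skips the whole routine, which by its visible remainder is what hides /home from the sandbox, yet the line carries no comment. The flag is also set in main.c without a `checkcfg()` gate of the kind `--bind` has a few lines below it. Since this relaxes the default isolation, a comment would help the next reader: `// --allusers: skip home-directory hiding, other users' homes stay visible in the sandbox`. Whether an administrator-side switch is wanted is a design decision the hunk does not show. The function body continues outside the hunk.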
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index c08ec18a0..3425b050e 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -35,6 +35,7 @@ void usage(void) { printf("Options:\n\n"); printf(" -- - signal the end of options and disables further option processing.\n\n"); printf(" --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n\n"); + printf(" --allusers - all user home directories are visible inside the sandbox.\n\n"); printf(" --apparmor - enable AppArmor confinement\n\n"); printf(" --appimage - sandbox an AppImage application\n\n"); printf(" --audit - audit the sandbox, see Audit section for more details\n\n"); diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 88c884801..71624afc2 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -84,6 +84,15 @@ Example: .br $ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox .TP +\fB\-\-allusers +All user home directories are visible inside the sandbox. By default, only current user home directory is visible. +.br + +.br +Example: +.br +$ firejail --allusers +.TP \fB\-\-apparmor Enable AppArmor confinement. For more information, please see \fBAPPARMOR\fR section below. .TP -- cgit v1.2.3-70-g09d2 From c10766c01947793679462beb998ccde6e37107b7 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 25 Sep 2016 12:04:59 -0400 Subject: allusers support in profile files --- README | 1 + README.md | 18 +++++++++++++++++- RELNOTES | 5 ++++- src/firejail/profile.c | 4 ++++ src/man/firejail-profile.txt | 4 ++++ 5 files changed, 30 insertions(+), 2 deletions(-) diff --git a/README b/README index 9b981d805..0b2a27f02 100644 --- a/README +++ b/README @@ -44,6 +44,7 @@ Aleksey Manevich (https://github.com/manevich) - read_pid fix - added --x11=block options - x11 xpra, xphyr, block profile commands + - added --join-or-start command Fred-Barclay (https://github.com/Fred-Barclay) - added Vivaldi, Atril profiles - added PaleMoon profile 
diff --git a/README.md b/README.md index 944cd41ca..64a67bf63 100644 --- a/README.md +++ b/README.md @@ -43,8 +43,24 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ specified in ${XAUTHORITY} enviroment variable. Remove DISPLAY and XAUTHORITY enviroment variables. Stop with error message if X11 abstract socket will be accessible in jail. + + --put=name|pid src-filename dest-filename + Put src-filename in sandbox container. The container is specified by name or PID. + + --allusers + All user home directories are visible inside the sandbox. By default, only current user home + directory is visible. + + Example: + $ firejail --allusers + + --join-or-start=name + Join the sandbox identified by name or start a new one. Same as "firejail --join=name" if + sandbox with specified name exists, otherwise same as "firejail --name=name ..." + Note that in contrary to other join options there is respective profile option. + ````` ## New profile commands -x11 xpra, x11 xephyr, x11 block \ No newline at end of file +x11 xpra, x11 xephyr, x11 block, allusers, join-or-start diff --git a/RELNOTES b/RELNOTES index b6ed4ead9..da882e461 100644 --- a/RELNOTES +++ b/RELNOTES @@ -3,9 +3,12 @@ firejail (0.9.43) baseline; urgency=low * modifs: removed man firejail-config * modifs: --private-tmp whitelists /tmp/.X11-unix directory * modifs: Nvidia drivers added to --privte-dev + * feature: support starting/joining sandbox is a single command + (--join-or-start) + * feature: all user home directories are visible (--allusers) * feature: add files to sandbox container (--put) * feature: blocking x11 (--x11=block) - * feature: x11 xpra, x11 xephyr, x11 block profile commands + * feature: x11 xpra, x11 xephyr, x11 block, allusers profile commands * bugfixes -- netblue30 Fri, 9 Sept 2016 08:00:00 -0500 diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 73b655379..33029a86b 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c 
@@ -181,6 +181,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { #endif return 0; } + else if (strcmp(ptr, "allusers") == 0) { + arg_allusers = 1; + return 0; + } else if (strcmp(ptr, "private-dev") == 0) { arg_private_dev = 1; return 0; diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 68420ae9d..3e415c2cc 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -321,6 +321,10 @@ Set a nice value of -5 to all processes running inside the sandbox. The sandbox is placed in g1 control group. .SH User Environment +.TP +\fBallusers +All user home directories are visible inside the sandbox. By default, only current user home directory is visible. + .TP \fBname sandboxname Set sandbox name. Example: -- cgit v1.2.3-70-g09d2 From cf1e38c210b12a504bebf4b63b2a0abfd7d023e0 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 26 Sep 2016 12:27:27 -0400 Subject: CVE-2016-7545 --- README | 1 + RELNOTES | 1 + src/firejail/main.c | 3 +++ src/firejail/sandbox.c | 7 +++++++ 4 files changed, 12 insertions(+) diff --git a/README b/README index 0b2a27f02..dcdc7fde1 100644 --- a/README +++ b/README @@ -45,6 +45,7 @@ Aleksey Manevich (https://github.com/manevich) - added --x11=block options - x11 xpra, xphyr, block profile commands - added --join-or-start command + - CVE-2016-7545 Fred-Barclay (https://github.com/Fred-Barclay) - added Vivaldi, Atril profiles - added PaleMoon profile diff --git a/RELNOTES b/RELNOTES index da882e461..f0528b28c 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,4 +1,5 @@ firejail (0.9.43) baseline; urgency=low + * CVE-2016-7545 submitted by Aleksey Manevich * development version * modifs: removed man firejail-config * modifs: --private-tmp whitelists /tmp/.X11-unix directory diff --git a/src/firejail/main.c b/src/firejail/main.c index 1f2ee9573..135ff17d8 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -35,6 +35,8 @@ #include #include #include +#include +#include #if 0 #include 
@@ -141,6 +143,7 @@ static void myexit(int rv) { EUID_ROOT(); clear_run_files(sandbox_pid); appimage_clear(); + ioctl(0, TCFLSH, TCIFLUSH); exit(rv); } diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index cc5483c08..08296d823 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -28,6 +28,8 @@ #include #include #include +#include +#include #include #ifndef CLONE_NEWUSER @@ -80,8 +82,10 @@ static void sandbox_handler(int sig){ } + // broadcast a SIGKILL kill(-1, SIGKILL); + ioctl(0, TCFLSH, TCIFLUSH); exit(sig); } @@ -290,6 +294,8 @@ void start_audit(void) { } void start_application(void) { +//if (setsid() == -1) +//errExit("setsid"); //**************************************** // audit //**************************************** @@ -890,6 +896,7 @@ int sandbox(void* sandbox_arg) { } int status = monitor_application(app_pid); // monitor application + ioctl(0, TCFLSH, TCIFLUSH); if (WIFEXITED(status)) { // if we had a proper exit, return that exit status -- cgit v1.2.3-70-g09d2 From bde9fae007dd3c4b802c1652a7d7cbabf0aec237 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Mon, 26 Sep 2016 21:33:39 +0300 Subject: CVE-2016-7545 --- src/firejail/main.c | 12 +++++++++++- src/firejail/sandbox.c | 23 +++++++++++++++++++++-- 2 files changed, 32 insertions(+), 3 deletions(-) diff --git a/src/firejail/main.c b/src/firejail/main.c index 135ff17d8..81765e3ff 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -143,7 +143,17 @@ static void myexit(int rv) { EUID_ROOT(); clear_run_files(sandbox_pid); appimage_clear(); - ioctl(0, TCFLSH, TCIFLUSH); + + int fd = open("/dev/tty", O_RDWR); + if (fd != -1) { + ioctl(fd, TCFLSH, TCIFLUSH); + close(fd); + } else { + fprintf(stderr, "Warning: can't open /dev/tty, flushing stdin, stdout and stderr file descriptors instead\n"); + ioctl(0, TCFLSH, TCIFLUSH); + ioctl(1, TCFLSH, TCIFLUSH); + ioctl(2, TCFLSH, TCIFLUSH); + } exit(rv); } 
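Review bot: `ioctl(0, TCFLSH, TCIFLUSH)` in myexit() (src/firejail/main.c), and the same call added to sandbox_handler() and sandbox() in sandbox.c, ignores its return value and discards only what is queued on descriptor 0 at that instant. If stdin is not the terminal the call fails silently, and in sandbox_handler() it runs right after `kill(-1, SIGKILL)` without waiting for the children to exit, so the flush is best-effort at most. I would check the result and state the intent and its limits in a comment, for example `// CVE-2016-7545: drop terminal input still queued when the sandbox exits (best effort, fd 0 only)`. All three functions start outside their hunks.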
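Review bot: The lines `//if (setsid() == -1)` and `//errExit("setsid");` added at the top of start_application() (src/firejail/sandbox.c) are commented-out code with no explanation. If detaching the application from the controlling terminal was tried and rejected, a one-line comment saying why is more useful than the dead code; otherwise the two lines should be dropped. The function continues outside the hunk.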
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 08296d823..272737c06 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -30,6 +30,7 @@ #include #include #include +#include #include #ifndef CLONE_NEWUSER @@ -85,7 +86,16 @@ static void sandbox_handler(int sig){ // broadcast a SIGKILL kill(-1, SIGKILL); - ioctl(0, TCFLSH, TCIFLUSH); + int fd = open("/dev/tty", O_RDWR); + if (fd != -1) { + ioctl(fd, TCFLSH, TCIFLUSH); + close(fd); + } else { + fprintf(stderr, "Warning: can't open /dev/tty, flushing stdin, stdout and stderr file descriptors instead\n"); + ioctl(0, TCFLSH, TCIFLUSH); + ioctl(1, TCFLSH, TCIFLUSH); + ioctl(2, TCFLSH, TCIFLUSH); + } exit(sig); } @@ -896,7 +906,16 @@ int sandbox(void* sandbox_arg) { } int status = monitor_application(app_pid); // monitor application - ioctl(0, TCFLSH, TCIFLUSH); + int fd = open("/dev/tty", O_RDWR); + if (fd != -1) { + ioctl(fd, TCFLSH, TCIFLUSH); + close(fd); + } else { + fprintf(stderr, "Warning: can't open /dev/tty, flushing stdin, stdout and stderr file descriptors instead\n"); + ioctl(0, TCFLSH, TCIFLUSH); + ioctl(1, TCFLSH, TCIFLUSH); + ioctl(2, TCFLSH, TCIFLUSH); + } if (WIFEXITED(status)) { // if we had a proper exit, return that exit status -- cgit v1.2.3-70-g09d2 From acc50de312e0bb77ef76f5f848e41e9736638c17 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 26 Sep 2016 15:13:56 -0400 Subject: CVE-2016-7545 --- src/firejail/sandbox.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 08296d823..baa6eb2e5 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -85,7 +85,7 @@ static void sandbox_handler(int sig){ // broadcast a SIGKILL kill(-1, SIGKILL); - ioctl(0, TCFLSH, TCIFLUSH); +// ioctl(0, TCFLSH, TCIFLUSH); exit(sig); } 
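Review bot: The replacement block in sandbox_handler() (src/firejail/sandbox.c) calls `fprintf(stderr, ...)` from what the name and the `int sig` parameter indicate is a signal handler; `fprintf` is not async-signal-safe and can deadlock or corrupt stdio state if the signal interrupts another stdio call. The warning could be emitted with `write(STDERR_FILENO, msg, sizeof msg - 1)` on a static string, or left out of the handler path. The same concern carries over to the later commits on this page, where the handler calls flush_stdin(), which prints with `printf`, and to signal_handler() in join.c. The handler's body starts outside the hunk.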
@@ -896,7 +896,7 @@ int sandbox(void* sandbox_arg) { } int status = monitor_application(app_pid); // monitor application - ioctl(0, TCFLSH, TCIFLUSH); +// ioctl(0, TCFLSH, TCIFLUSH); if (WIFEXITED(status)) { // if we had a proper exit, return that exit status -- cgit v1.2.3-70-g09d2 From 0347045c57d1b75b1c62d52e401e9bd60c2901e5 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 26 Sep 2016 15:20:20 -0400 Subject: undoing previous commit --- src/firejail/sandbox.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index baa6eb2e5..08296d823 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -85,7 +85,7 @@ static void sandbox_handler(int sig){ // broadcast a SIGKILL kill(-1, SIGKILL); -// ioctl(0, TCFLSH, TCIFLUSH); + ioctl(0, TCFLSH, TCIFLUSH); exit(sig); } @@ -896,7 +896,7 @@ int sandbox(void* sandbox_arg) { } int status = monitor_application(app_pid); // monitor application -// ioctl(0, TCFLSH, TCIFLUSH); + ioctl(0, TCFLSH, TCIFLUSH); if (WIFEXITED(status)) { // if we had a proper exit, return that exit status -- cgit v1.2.3-70-g09d2 From 66a988fcf007a6d8610db64f1ad85d34fcbc625f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 26 Sep 2016 15:26:28 -0400 Subject: more CVE-2016-7545 --- src/firejail/sandbox.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 272737c06..a348add34 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -86,6 +86,7 @@ static void sandbox_handler(int sig){ // broadcast a SIGKILL kill(-1, SIGKILL); +#if 0 int fd = open("/dev/tty", O_RDWR); if (fd != -1) { ioctl(fd, TCFLSH, TCIFLUSH); @@ -96,6 +97,7 @@ static void sandbox_handler(int sig){ ioctl(1, TCFLSH, TCIFLUSH); ioctl(2, TCFLSH, TCIFLUSH); } +#endif exit(sig); } 
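Review bot: The `#if 0` … `#endif` pair added around the terminal flush in sandbox_handler() (src/firejail/sandbox.c), and again in sandbox() in the next hunk, switches the CVE-2016-7545 flush off in two of the three places it was added, with nothing in the code saying why. Either delete the block or put a comment above the `#if 0` naming the reason and the condition for re-enabling it. As written a reader cannot tell whether myexit() alone is meant to carry the mitigation. Both functions extend beyond their hunks.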
@@ -906,6 +908,7 @@ int sandbox(void* sandbox_arg) { } int status = monitor_application(app_pid); // monitor application +#if 0 int fd = open("/dev/tty", O_RDWR); if (fd != -1) { ioctl(fd, TCFLSH, TCIFLUSH); @@ -916,6 +919,7 @@ int sandbox(void* sandbox_arg) { ioctl(1, TCFLSH, TCIFLUSH); ioctl(2, TCFLSH, TCIFLUSH); } +#endif if (WIFEXITED(status)) { // if we had a proper exit, return that exit status -- cgit v1.2.3-70-g09d2 From ae0e5b667d7756f5a4e318c37aefb0a827abbf25 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 27 Sep 2016 10:38:21 -0400 Subject: CVE-2016-7545 --- src/firejail/firejail.h | 1 + src/firejail/join.c | 1 + src/firejail/main.c | 15 +-------------- src/firejail/sandbox.c | 31 +++++-------------------------- src/firejail/util.c | 15 +++++++++++++++ 5 files changed, 23 insertions(+), 40 deletions(-) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index e76f54ec3..4e92f3e89 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -455,6 +455,7 @@ void invalid_filename(const char *fname); uid_t get_tty_gid(void); uid_t get_audio_gid(void); int remove_directory(const char *path); +void flush_stdin(void); // fs_var.c void fs_var_log(void); // mounting /var/log diff --git a/src/firejail/join.c b/src/firejail/join.c index 414b899ce..f11d85cfe 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c @@ -386,6 +386,7 @@ void join(pid_t pid, int argc, char **argv, int index) { // wait for the child to finish waitpid(child, NULL, 0); + flush_stdin(); exit(0); } diff --git a/src/firejail/main.c b/src/firejail/main.c index 81765e3ff..bf73656d2 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -35,8 +35,6 @@ #include #include #include -#include -#include #if 0 #include 
@@ -143,18 +141,7 @@ static void myexit(int rv) { EUID_ROOT(); clear_run_files(sandbox_pid); appimage_clear(); - - int fd = open("/dev/tty", O_RDWR); - if (fd != -1) { - ioctl(fd, TCFLSH, TCIFLUSH); - close(fd); - } else { - fprintf(stderr, "Warning: can't open /dev/tty, flushing stdin, stdout and stderr file descriptors instead\n"); - ioctl(0, TCFLSH, TCIFLUSH); - ioctl(1, TCFLSH, TCIFLUSH); - ioctl(2, TCFLSH, TCIFLUSH); - } - + flush_stdin(); exit(rv); } diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index a348add34..cd81b0b11 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -28,8 +28,6 @@ #include #include #include -#include -#include #include #include @@ -86,18 +84,8 @@ static void sandbox_handler(int sig){ // broadcast a SIGKILL kill(-1, SIGKILL); -#if 0 - int fd = open("/dev/tty", O_RDWR); - if (fd != -1) { - ioctl(fd, TCFLSH, TCIFLUSH); - close(fd); - } else { - fprintf(stderr, "Warning: can't open /dev/tty, flushing stdin, stdout and stderr file descriptors instead\n"); - ioctl(0, TCFLSH, TCIFLUSH); - ioctl(1, TCFLSH, TCIFLUSH); - ioctl(2, TCFLSH, TCIFLUSH); - } -#endif + flush_stdin(); + exit(sig); } @@ -908,18 +896,9 @@ int sandbox(void* sandbox_arg) { } int status = monitor_application(app_pid); // monitor application -#if 0 - int fd = open("/dev/tty", O_RDWR); - if (fd != -1) { - ioctl(fd, TCFLSH, TCIFLUSH); - close(fd); - } else { - fprintf(stderr, "Warning: can't open /dev/tty, flushing stdin, stdout and stderr file descriptors instead\n"); - ioctl(0, TCFLSH, TCIFLUSH); - ioctl(1, TCFLSH, TCIFLUSH); - ioctl(2, TCFLSH, TCIFLUSH); - } -#endif + flush_stdin(); + + if (WIFEXITED(status)) { // if we had a proper exit, return that exit status diff --git a/src/firejail/util.c b/src/firejail/util.c index 5b407eaf5..7aa0ae0e8 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c @@ -26,6 +26,8 @@ #include #include #include +#include +#include #define MAX_GROUPS 1024 // drop privileges 
@@ -686,3 +688,16 @@ int remove_directory(const char *path) { // FTW_PHYS - do not follow symbolic links return nftw(path, remove_callback, 64, FTW_DEPTH | FTW_PHYS); } + +void flush_stdin(void) { + if (isatty(STDIN_FILENO)) { + int cnt = 0; + ioctl(STDIN_FILENO, FIONREAD, &cnt); + if (cnt) { + if (!arg_quiet) + printf("Warning: removing %d bytes from stdin\n", cnt); + ioctl(STDIN_FILENO, TCFLSH, TCIFLUSH); + } + } +} + -- cgit v1.2.3-70-g09d2 From ed31d2238915749730856f877fceae3579b320da Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 27 Sep 2016 11:32:59 -0400 Subject: mupdf and qpdfview profiles --- README.md | 5 +++++ RELNOTES | 1 + etc/disable-programs.inc | 2 ++ etc/mupdf.profile | 18 ++++++++++++++++++ etc/qpdfview.profile | 22 ++++++++++++++++++++++ platform/debian/conffiles | 3 +++ src/firecfg/firecfg.config | 2 ++ 7 files changed, 53 insertions(+) create mode 100644 etc/mupdf.profile create mode 100644 etc/qpdfview.profile diff --git a/README.md b/README.md index 64a67bf63..9db50d5ba 100644 --- a/README.md +++ b/README.md @@ -64,3 +64,8 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ ## New profile commands x11 xpra, x11 xephyr, x11 block, allusers, join-or-start + +## New profiles + +qpdfview, mupdf + diff --git a/RELNOTES b/RELNOTES index f0528b28c..492bd007a 100644 --- a/RELNOTES +++ b/RELNOTES @@ -10,6 +10,7 @@ firejail (0.9.43) baseline; urgency=low * feature: add files to sandbox container (--put) * feature: blocking x11 (--x11=block) * feature: x11 xpra, x11 xephyr, x11 block, allusers profile commands + * new profiles: qpdfview, mupdf * bugfixes -- netblue30 Fri, 9 Sept 2016 08:00:00 -0500 diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index fb0f5a669..54c53e794 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc 
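Review bot: flush_stdin() (src/firejail/util.c) only acts when `isatty(STDIN_FILENO)` is true, whereas the code it replaces opened `/dev/tty`; when stdin is redirected but the sandbox still shares the controlling terminal, nothing is flushed. The flush is also gated on the `FIONREAD` count, whose return value is unchecked, and bytes queued after the count is read are missed. Flushing whenever a terminal is reachable, with a `/dev/tty` fallback, keeps the earlier coverage; this needs `<fcntl.h>` if util.c does not already include it. The function is complete within the hunk.
```c
void flush_stdin(void) {
	int fd = STDIN_FILENO;
	int opened = 0;

	// stdin may be redirected while the controlling terminal is still shared
	if (!isatty(fd)) {
		fd = open("/dev/tty", O_RDWR);
		if (fd == -1)
			return;
		opened = 1;
	}

	// … unchanged: FIONREAD count and arg_quiet warning, reading from fd …

	// flush regardless of the count: input can arrive after FIONREAD returns
	ioctl(fd, TCFLSH, TCIFLUSH);
	if (opened)
		close(fd);
}
```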
@@ -26,6 +26,7 @@ blacklist ${HOME}/.kde/share/config/okularrc blacklist ${HOME}/.kde/share/config/okularpartrc blacklist ${HOME}/.kde/share/apps/gwenview blacklist ${HOME}/.kde/share/config/gwenviewrc +blacklist ${HOME}/.config/qpdfview # Media players blacklist ${HOME}/.config/cmus @@ -135,6 +136,7 @@ blacklist ${HOME}/.local/share/totem blacklist ${HOME}/.local/share/psi+ blacklist ${HOME}/.local/share/pix blacklist ${HOME}/.local/share/gnome-chess +blacklist ${HOME}/.local/share/qpdfview # ssh blacklist /tmp/ssh-* diff --git a/etc/mupdf.profile b/etc/mupdf.profile new file mode 100644 index 000000000..6f2db511b --- /dev/null +++ b/etc/mupdf.profile @@ -0,0 +1,18 @@ +# mupdf reader profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +shell none +tracelog + +private-tmp +private-dev diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile new file mode 100644 index 000000000..07ea173e6 --- /dev/null +++ b/etc/qpdfview.profile @@ -0,0 +1,22 @@ +# qpdfview profile +noblacklist ${HOME}/.config/qpdfview +noblacklist ${HOME}/.local/share/qpdfview + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +shell none +tracelog + +private-bin qpdfview +private-tmp +private-dev diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 691c536df..0c494c042 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -143,3 +143,6 @@ /etc/firejail/xzdec.profile /etc/firejail/strings.profile /etc/firejail/dosbox.profile +/etc/firejail/mupdf.profile +/etc/firejail/qpdfview.profile + 
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index dd876c87c..ca28d025b 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -128,6 +128,8 @@ mathematica okular pix xreader +mupdf +qpdfview # other ssh -- cgit v1.2.3-70-g09d2 From 9d21d8cf9d12513bfd77e44b845a1f5d7a06f594 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 27 Sep 2016 13:23:50 -0400 Subject: qt additions to whitelist-common.inc --- etc/whitelist-common.inc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc index abbb4a9fc..fd44c2528 100644 --- a/etc/whitelist-common.inc +++ b/etc/whitelist-common.inc @@ -29,3 +29,6 @@ whitelist ~/.kde/share/config/gtkrc-2.0 # dconf mkdir ~/.config/dconf whitelist ~/.config/dconf + +# qt +whitelist ~/.config/kdeglobals -- cgit v1.2.3-70-g09d2 From 78e772fe13a2ecd79be8cf196afd819a7a517a10 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 27 Sep 2016 13:29:39 -0400 Subject: allow-debuggers fix --- src/firejail/fs.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/src/firejail/fs.c b/src/firejail/fs.c index e38f128ea..3dbfe3909 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -674,11 +674,13 @@ void fs_proc_sys_dev_boot(void) { disable_file(BLACKLIST_FILE, "/proc/kmem"); // remove kernel symbol information - disable_file(BLACKLIST_FILE, "/usr/src/linux"); - disable_file(BLACKLIST_FILE, "/lib/modules"); - disable_file(BLACKLIST_FILE, "/usr/lib/debug"); - disable_file(BLACKLIST_FILE, "/boot"); - + if (!arg_allow_debuggers) { + disable_file(BLACKLIST_FILE, "/usr/src/linux"); + disable_file(BLACKLIST_FILE, "/lib/modules"); + disable_file(BLACKLIST_FILE, "/usr/lib/debug"); + disable_file(BLACKLIST_FILE, "/boot"); + } + // disable /selinux disable_file(BLACKLIST_FILE, "/selinux"); -- cgit v1.2.3-70-g09d2 From 03b0112741813427e2d656b537b3583e3efe9f89 Mon Sep 17 00:00:00 2001 
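Review bot: With `--allow-debuggers` the new guard in fs_proc_sys_dev_boot() (src/firejail/fs.c) lifts the blacklist on `/usr/src/linux`, `/lib/modules`, `/usr/lib/debug` and `/boot` as one group, while the comment above it still reads `// remove kernel symbol information`. The hunk does not say which of these paths a debugger actually needs; if it is only the debug symbols, keeping `/boot` and `/usr/src/linux` blacklisted unconditionally would preserve more of the default. At minimum the comment should record the reason, e.g. `// kept visible with --allow-debuggers: <which tool needs which path>`. The function extends beyond the hunk on both sides.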
From: netblue30 Date: Tue, 27 Sep 2016 13:39:11 -0400 Subject: user submitted profile repositories --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 9db50d5ba..6a20b8361 100644 --- a/README.md +++ b/README.md @@ -31,6 +31,8 @@ Features: https://firejail.wordpress.com/features-3/ Documentation: https://firejail.wordpress.com/documentation-2/ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ + +User submitted profile repositories: https://github.com/chiraag-nataraj/firejail-profiles ````` ````` -- cgit v1.2.3-70-g09d2 From 8ad0743f2dffa536581efd8d377fe399b862ad83 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 27 Sep 2016 13:43:26 -0400 Subject: user submitted profile repositories --- README.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 6a20b8361..39bb5bc59 100644 --- a/README.md +++ b/README.md @@ -32,7 +32,14 @@ Documentation: https://firejail.wordpress.com/documentation-2/ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ -User submitted profile repositories: https://github.com/chiraag-nataraj/firejail-profiles +````` + +````` +## User submitted profile repositories + +If you keep your Firejail profiles in a public repository, please give us a link: + +* https://github.com/chiraag-nataraj/firejail-profiles ````` ````` -- cgit v1.2.3-70-g09d2 From 46dc2b34f1fbbc4597b4ff9f6a3cb28b2d500d1b Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 27 Sep 2016 15:12:11 -0400 Subject: CVE-2016-7545 --- src/firejail/join.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/firejail/join.c b/src/firejail/join.c index f11d85cfe..ea44019ca 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c 
@@ -30,6 +30,12 @@ static uint64_t caps = 0; static int apply_seccomp = 0; #define BUFLEN 4096 +static void signal_handler(int sig){ + flush_stdin(); + + exit(sig); +} + static void extract_command(int argc, char **argv, int index) { EUID_ASSERT(); if (index >= argc) @@ -187,6 +193,7 @@ void join(pid_t pid, int argc, char **argv, int index) { char *homedir = cfg.homedir; extract_command(argc, argv, index); + signal (SIGTERM, signal_handler); // if the pid is that of a firejail process, use the pid of the first child process EUID_ROOT(); -- cgit v1.2.3-70-g09d2 From 19a67bebb4e11dd1727f8085dfa03c45d3128d49 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 27 Sep 2016 15:52:21 -0400 Subject: debug --- src/firejail/fs_dev.c | 6 +++++- src/firejail/pulseaudio.c | 2 ++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index 4744b3096..c21aed6c4 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c @@ -59,13 +59,15 @@ static void deventry_mount(void) { while (dev[i].dev_fname != NULL) { struct stat s; if (stat(dev[i].run_fname, &s) == 0) { + if (arg_debug) + printf("mounting %s\n", dev[i].run_fname); if (mkdir(dev[i].dev_fname, 0755) == -1) errExit("mkdir"); if (chmod(dev[i].dev_fname, 0755) == -1) errExit("chmod"); ASSERT_PERMS(dev[i].dev_fname, 0, 0, 0755); if (mount(dev[i].run_fname, dev[i].dev_fname, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mounting /dev/snd"); + errExit("mounting dev file"); fs_logger2("whitelist", dev[i].dev_fname); } @@ -261,6 +263,8 @@ void fs_dev_shm(void) { } void fs_dev_disable_sound() { + if (arg_debug) + printf("disable /dev/snd\n"); if (mount(RUN_RO_DIR, "/dev/snd", "none", MS_BIND, "mode=400,gid=0") < 0) errExit("disable /dev/snd"); fs_logger("blacklist /dev/snd"); diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index 7db8d2c18..90997f934 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c 
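Review bot: `signal (SIGTERM, signal_handler);` in join() (src/firejail/join.c) installs the flushing handler for SIGTERM only, so a join session ended by another terminating signal such as SIGINT or SIGHUP exits without the flush_stdin() call. If the flush is meant to cover every exit path of the joining process, the other terminating signals need the same handler, and `sigaction()` gives better-defined semantics than `signal()`. join() starts and ends outside the hunk.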
@@ -53,6 +53,8 @@ doexit: // disable pulseaudio socket void pulseaudio_disable(void) { + if (arg_debug) + printf("disable pulseaudio\n"); // blacklist user config directory disable_file(cfg.homedir, ".config/pulse"); -- cgit v1.2.3-70-g09d2 From 28c2ace5fd2dbf8b44f88470ba817d0b0449e8cc Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 28 Sep 2016 09:07:00 -0400 Subject: private-dev fix --- src/firejail/fs_dev.c | 31 +++++++++++++++++++++++++------ 1 file changed, 25 insertions(+), 6 deletions(-) diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index c21aed6c4..6f5385f79 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c @@ -59,13 +59,32 @@ static void deventry_mount(void) { while (dev[i].dev_fname != NULL) { struct stat s; if (stat(dev[i].run_fname, &s) == 0) { + int dir = is_dir(dev[i].run_fname); if (arg_debug) - printf("mounting %s\n", dev[i].run_fname); - if (mkdir(dev[i].dev_fname, 0755) == -1) - errExit("mkdir"); - if (chmod(dev[i].dev_fname, 0755) == -1) - errExit("chmod"); - ASSERT_PERMS(dev[i].dev_fname, 0, 0, 0755); + printf("mounting %s %s\n", dev[i].run_fname, (dir)? "directory": "file"); + if (dir) { + if (mkdir(dev[i].dev_fname, 0755) == -1) + errExit("mkdir"); + if (chmod(dev[i].dev_fname, 0755) == -1) + errExit("chmod"); + ASSERT_PERMS(dev[i].dev_fname, 0, 0, 0755); + } + else { + struct stat s; + if (stat(dev[i].run_fname, &s) == -1) { + if (arg_debug) + printf("Warning: cannot stat %s file\n", dev[i].run_fname); + i++; + continue; + } + FILE *fp = fopen(dev[i].dev_fname, "w"); + if (fp) { + fprintf(fp, "\n"); + SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode); + fclose(fp); + } + } + if (mount(dev[i].run_fname, dev[i].dev_fname, NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mounting dev file"); fs_logger2("whitelist", dev[i].dev_fname); -- cgit v1.2.3-70-g09d2 From 79a014e0e6b2d8f1a83fd0a3fab61cc1d2e376ea Mon Sep 17 00:00:00 2001 
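Review bot: In the new non-directory branch of deventry_mount() a failed `fopen(dev[i].dev_fname, "w")` is silently ignored, so the mount point is missing and the following `mount()` exits with the generic "mounting dev file" message. `if (!fp) errExit("fopen");` would report the real cause. The inner `struct stat s;` also shadows the outer `s` and repeats a `stat()` on `dev[i].run_fname` that the enclosing `if` has just made successfully, so the second call and its `continue` branch can be dropped and the outer `s` reused for `SET_PERMS_STREAM`. The function starts and ends outside this hunk.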
From: netblue30 Date: Wed, 28 Sep 2016 10:13:17 -0400 Subject: --no3d - disable 3D hardware acceleration --- README.md | 5 +++ RELNOTES | 5 +-- src/firejail/firejail.h | 4 ++- src/firejail/fs_dev.c | 72 +++++++++++++++++++++++++++++++------------- src/firejail/main.c | 4 +++ src/firejail/profile.c | 4 +++ src/firejail/sandbox.c | 10 +++--- src/firejail/usage.c | 3 +- src/man/firejail-profile.txt | 3 ++ src/man/firejail.txt | 9 ++++++ 10 files changed, 88 insertions(+), 31 deletions(-) diff --git a/README.md b/README.md index 39bb5bc59..43489d38a 100644 --- a/README.md +++ b/README.md @@ -68,6 +68,11 @@ If you keep your Firejail profiles in a public repository, please give us a link sandbox with specified name exists, otherwise same as "firejail --name=name ..." Note that in contrary to other join options there is respective profile option. + --no3d Disable 3D hardware acceleration. + + Example: + $ firejail --no3d firefox + ````` ## New profile commands diff --git a/RELNOTES b/RELNOTES index 492bd007a..8b47ee8e4 100644 --- a/RELNOTES +++ b/RELNOTES @@ -3,13 +3,14 @@ firejail (0.9.43) baseline; urgency=low * development version * modifs: removed man firejail-config * modifs: --private-tmp whitelists /tmp/.X11-unix directory - * modifs: Nvidia drivers added to --privte-dev + * modifs: Nvidia drivers added to --private-dev * feature: support starting/joining sandbox is a single command (--join-or-start) * feature: all user home directories are visible (--allusers) * feature: add files to sandbox container (--put) * feature: blocking x11 (--x11=block) - * feature: x11 xpra, x11 xephyr, x11 block, allusers profile commands + * feature: disable 3D hardware acceleration (--no3d) + * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands * new profiles: qpdfview, mupdf * bugfixes -- netblue30 Fri, 9 Sept 2016 08:00:00 -0500 diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 4e92f3e89..4ee1c943a 100644 --- a/src/firejail/firejail.h 
+++ b/src/firejail/firejail.h @@ -305,6 +305,7 @@ extern int arg_private_tmp; // private tmp directory extern int arg_scan; // arp-scan all interfaces extern int arg_whitelist; // whitelist commad extern int arg_nosound; // disable sound +extern int arg_no3d; // disable 3d hardware acceleration extern int arg_quiet; // no output for scripting extern int arg_join_network; // join only the network namespace extern int arg_join_filesystem; // join only the mount namespace @@ -470,7 +471,8 @@ void dbg_test_dir(const char *dir); // fs_dev.c void fs_dev_shm(void); void fs_private_dev(void); -void fs_dev_disable_sound(); +void fs_dev_disable_sound(void); +void fs_dev_disable_3d(void); // fs_home.c // private mode (--private) diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index 6f5385f79..daf0afd9e 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c 
@@ -33,25 +33,27 @@ typedef struct { const char *dev_fname; const char *run_fname; + int sound; + int hw3d; } DevEntry; static DevEntry dev[] = { - {"/dev/snd", RUN_DEV_DIR "/snd"}, - {"/dev/dri", RUN_DEV_DIR "/dri"}, - {"/dev/nvidia0", RUN_DEV_DIR "/nvidia0"}, - {"/dev/nvidia1", RUN_DEV_DIR "/nvidia1"}, - {"/dev/nvidia2", RUN_DEV_DIR "/nvidia2"}, - {"/dev/nvidia3", RUN_DEV_DIR "/nvidia3"}, - {"/dev/nvidia4", RUN_DEV_DIR "/nvidia4"}, - {"/dev/nvidia5", RUN_DEV_DIR "/nvidia5"}, - {"/dev/nvidia6", RUN_DEV_DIR "/nvidia6"}, - {"/dev/nvidia7", RUN_DEV_DIR "/nvidia7"}, - {"/dev/nvidia8", RUN_DEV_DIR "/nvidia8"}, - {"/dev/nvidia9", RUN_DEV_DIR "/nvidia9"}, - {"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl"}, - {"/dev/nvidia-modset", RUN_DEV_DIR "/nvidia-modset"}, - {"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm"}, - {NULL, NULL} + {"/dev/snd", RUN_DEV_DIR "/snd", 1, 0}, // sound device + {"/dev/dri", RUN_DEV_DIR "/dri", 0, 1}, // 3d device + {"/dev/nvidia0", RUN_DEV_DIR "/nvidia0", 0, 1}, + {"/dev/nvidia1", RUN_DEV_DIR "/nvidia1", 0, 1}, + {"/dev/nvidia2", RUN_DEV_DIR "/nvidia2", 0, 1}, + {"/dev/nvidia3", RUN_DEV_DIR "/nvidia3", 0, 1}, + {"/dev/nvidia4", RUN_DEV_DIR "/nvidia4", 0, 1}, + {"/dev/nvidia5", RUN_DEV_DIR "/nvidia5", 0, 1}, + {"/dev/nvidia6", RUN_DEV_DIR "/nvidia6", 0, 1}, + {"/dev/nvidia7", RUN_DEV_DIR "/nvidia7", 0, 1}, + {"/dev/nvidia8", RUN_DEV_DIR "/nvidia8", 0, 1}, + {"/dev/nvidia9", RUN_DEV_DIR "/nvidia9", 0, 1}, + {"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl", 0, 1}, + {"/dev/nvidia-modset", RUN_DEV_DIR "/nvidia-modset", 0, 1}, + {"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm", 0, 1}, + {NULL, NULL, 0, 0} }; static void deventry_mount(void) { 
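Review bot: The two new `DevEntry` fields are undocumented, and the table now relies on positional `1, 0` / `0, 1` pairs that are easy to transpose when a device is added. I would comment the fields, `int sound; // 1: entry is hidden by fs_dev_disable_sound()` and `int hw3d; // 1: entry is hidden by fs_dev_disable_3d()`. Designated initializers such as `{.dev_fname = "/dev/dri", .run_fname = RUN_DEV_DIR "/dri", .hw3d = 1}` would make each row self-describing.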
@@ -281,10 +283,38 @@ void fs_dev_shm(void) { } } -void fs_dev_disable_sound() { +static void disable_file_or_dir(const char *fname) { if (arg_debug) - printf("disable /dev/snd\n"); - if (mount(RUN_RO_DIR, "/dev/snd", "none", MS_BIND, "mode=400,gid=0") < 0) - errExit("disable /dev/snd"); - fs_logger("blacklist /dev/snd"); + printf("disable %s\n", fname); + struct stat s; + if (stat(fname, &s) != -1) { + if (is_dir(fname)) { + if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0) + errExit("disable directory"); + } + else { + if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0) + errExit("disable file"); + } + } + fs_logger2("blacklist", fname); + +} + +void fs_dev_disable_sound(void) { + int i = 0; + while (dev[i].dev_fname != NULL) { + if (dev[i].sound) + disable_file_or_dir(dev[i].dev_fname); + i++; + } +} + +void fs_dev_disable_3d(void) { + int i = 0; + while (dev[i].dev_fname != NULL) { + if (dev[i].hw3d) + disable_file_or_dir(dev[i].dev_fname); + i++; + } } diff --git a/src/firejail/main.c b/src/firejail/main.c index bf73656d2..c2d71bdf5 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -93,6 +93,7 @@ int arg_private_tmp = 0; // private tmp directory int arg_scan = 0; // arp-scan all interfaces int arg_whitelist = 0; // whitelist commad int arg_nosound = 0; // disable sound +int arg_no3d; // disable 3d hardware acceleration int arg_quiet = 0; // no output for scripting int arg_join_network = 0; // join only the network namespace int arg_join_filesystem = 0; // join only the mount namespace @@ -1733,6 +1734,9 @@ int main(int argc, char **argv) { else if (strcmp(argv[i], "--nosound") == 0) { arg_nosound = 1; } + else if (strcmp(argv[i], "--no3d") == 0) { + arg_no3d = 1; + } //************************************* // network diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 33029a86b..1e1ccaf0e 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c 
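Review bot: `disable_file_or_dir()` calls `fs_logger2("blacklist", fname)` and prints `disable %s` even when `stat()` fails and nothing was mounted, so the sandbox log lists devices as blacklisted that were never covered. Moving the `fs_logger2` call inside the `if (stat(fname, &s) != -1)` block keeps the log in step with what was actually done. Separately, `stat()` followed by `is_dir(fname)` checks the path twice; `S_ISDIR(s.st_mode)` on the result already in hand would do, assuming is_dir() has no extra semantics (its body is not shown).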
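Review bot: `int arg_no3d;` in main.c is the only flag in this block without an explicit initializer; its neighbours read `int arg_nosound = 0;`. File-scope objects are zero-initialized anyway, so this is a style point only, but `int arg_no3d = 0;` matches the rest of the list.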
@@ -201,6 +201,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { arg_nosound = 1; return 0; } + else if (strcmp(ptr, "no3d") == 0) { + arg_no3d = 1; + return 0; + } else if (strcmp(ptr, "netfilter") == 0) { #ifdef HAVE_NETWORK if (checkcfg(CFG_NETWORK)) diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index cd81b0b11..7666f1f62 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -558,11 +558,6 @@ int sandbox(void* sandbox_arg) { fs_private(); } -#if 0 - if (arg_private_template) - fs_private_template(); -#endif - if (arg_private_dev) { if (cfg.chrootdir) fprintf(stderr, "Warning: private-dev feature is disabled in chroot\n"); @@ -635,7 +630,7 @@ int sandbox(void* sandbox_arg) { fs_trace(); //**************************** - // --nosound and fix for pulseaudio 7.0 + // nosound/no3d and fix for pulseaudio 7.0 //**************************** if (arg_nosound) { // disable pulseaudio @@ -647,6 +642,9 @@ int sandbox(void* sandbox_arg) { else pulseaudio_init(); + if (arg_no3d) + fs_dev_disable_3d(); + //**************************** // networking //**************************** diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 3425b050e..78ba34fd2 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -147,7 +147,8 @@ void usage(void) { printf(" --netstats - monitor network statistics for sandboxes creating a new\n"); printf("\tnetwork namespace.\n\n"); #endif - printf(" --nice=value - set nice value\n\n"); + printf(" --nice=value - set nice value.\n\n"); + printf(" --no3d - disable 3D hardware acceleration.\n\n"); printf(" --noblacklist=dirname_or_filename - disable blacklist for directory or\n"); printf("\tfile.\n\n"); printf(" --noexec=dirname_of_filenam - remount the file or directory noexec\n"); diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 3e415c2cc..b945f6828 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt 
@@ -355,6 +355,9 @@ Enable IPC namespace. .TP \fBnosound Disable sound system. +.TP +\fBno3d +Disable 3D hardware acceleration. .SH Networking Networking features available in profile files. diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 71624afc2..fe3e53044 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -853,6 +853,15 @@ Example: .br $ firejail --nice=2 firefox +.TP +\fB\-\-no3d +Disable 3D hardware acceleration. +.br + +.br +Example: +.br +$ firejail --no3d firefox .TP \fB\-\-noblacklist=dirname_or_filename -- cgit v1.2.3-70-g09d2 From 9498f2313e40f53abb8e47e08c3bbb88281d29ad Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 28 Sep 2016 10:29:01 -0400 Subject: profile cleanup --- etc/dnscrypt-proxy.profile | 1 + etc/dnsmasq.profile | 1 + etc/file.profile | 6 +++++- etc/gzip.profile | 5 ++++- etc/server.profile | 2 ++ etc/tar.profile | 6 +++++- etc/unrar.profile | 6 +++++- etc/unzip.profile | 6 +++++- etc/uudeview.profile | 2 ++ etc/xzdec.profile | 5 ++++- 10 files changed, 34 insertions(+), 6 deletions(-) diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile index 90c244e03..926b8bfcc 100644 --- a/etc/dnscrypt-proxy.profile +++ b/etc/dnscrypt-proxy.profile @@ -9,5 +9,6 @@ include /etc/firejail/disable-passwdmgr.inc private private-dev nosound +no3d seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile index 1c01d44e4..3bd43f144 100644 --- a/etc/dnsmasq.profile +++ b/etc/dnsmasq.profile 
@@ -12,5 +12,6 @@ nonewprivs private private-dev nosound +no3d protocol unix,inet,inet6,netlink seccomp diff --git a/etc/file.profile b/etc/file.profile index c2d7b0b0f..860f7b104 100644 --- a/etc/file.profile +++ b/etc/file.profile @@ -7,7 +7,11 @@ tracelog net none shell none private-bin file -private-dev private-etc magic.mgc,magic,localtime hostname file +private-dev nosound +no3d +private-tmp +blacklist /tmp/.X11-unix + diff --git a/etc/gzip.profile b/etc/gzip.profile index ce4aa3c4b..4843839c5 100644 --- a/etc/gzip.profile +++ b/etc/gzip.profile @@ -5,6 +5,9 @@ include /etc/firejail/default.profile tracelog net none shell none -private-dev private-tmp +blacklist /tmp/.X11-unix +private-dev nosound +no3d + diff --git a/etc/server.profile b/etc/server.profile index 88331d951..22cef0a3c 100644 --- a/etc/server.profile +++ b/etc/server.profile @@ -9,6 +9,8 @@ include /etc/firejail/disable-passwdmgr.inc private private-dev nosound +no3d private-tmp +blacklist /tmp/.X11-unix seccomp diff --git a/etc/tar.profile b/etc/tar.profile index 78bf7ad13..3f6599784 100644 --- a/etc/tar.profile +++ b/etc/tar.profile @@ -10,6 +10,10 @@ shell none # support compressed archives private-bin sh,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop private-dev +nosound +no3d private-etc passwd,group,localtime hostname tar -nosound +private-tmp +blacklist /tmp/.X11-unix + diff --git a/etc/unrar.profile b/etc/unrar.profile index e941a8f2a..f29d1b51b 100644 --- a/etc/unrar.profile +++ b/etc/unrar.profile @@ -8,6 +8,10 @@ net none shell none private-bin unrar private-dev +nosound +no3d private-etc passwd,group,localtime hostname unrar -nosound +private-tmp +blacklist /tmp/.X11-unix + diff --git a/etc/unzip.profile b/etc/unzip.profile index ab69e932e..957dbdd71 100644 --- a/etc/unzip.profile +++ b/etc/unzip.profile 
@@ -7,7 +7,11 @@ tracelog net none shell none private-bin unzip -private-dev private-etc passwd,group,localtime hostname unzip +private-dev nosound +no3d +private-tmp +blacklist /tmp/.X11-unix + diff --git a/etc/uudeview.profile b/etc/uudeview.profile index f6fe0abf1..51e413493 100644 --- a/etc/uudeview.profile +++ b/etc/uudeview.profile @@ -13,3 +13,5 @@ private-tmp private-etc nonexisting_fakefile_for_empty_etc hostname uudeview nosound +uudeview + diff --git a/etc/xzdec.profile b/etc/xzdec.profile index 3692160e6..0647bddeb 100644 --- a/etc/xzdec.profile +++ b/etc/xzdec.profile @@ -5,6 +5,9 @@ include /etc/firejail/default.profile tracelog net none shell none -private-dev private-tmp +blacklist /tmp/.X11-unix +private-dev nosound +no3d + -- cgit v1.2.3-70-g09d2 From d50b3b3db2df3ac5e82bbf49eb8de132099488f0 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 28 Sep 2016 13:23:09 -0400 Subject: --veth-name option --- README.md | 7 +++++++ RELNOTES | 2 ++ src/firejail/firejail.h | 2 ++ src/firejail/main.c | 21 +++++++++++++++++++++ src/firejail/network.c | 6 ++++++ src/firejail/network_main.c | 9 +++++++-- src/firejail/profile.c | 24 +++++++++++++++++++++++- src/firejail/usage.c | 4 ++++ src/man/firejail-profile.txt | 5 +++++ src/man/firejail.txt | 12 ++++++++++++ 10 files changed, 89 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 43489d38a..05cfd3b11 100644 --- a/README.md +++ b/README.md @@ -73,6 +73,13 @@ If you keep your Firejail profiles in a public repository, please give us a link Example: $ firejail --no3d firefox + --veth-name=name + Use this name for the interface connected to the bridge for + --net=bridge_interface commands, instead of the default one. + + Example: + $ firejail --net=br0 --veth-name=if0 + ````` ## New profile commands diff --git a/RELNOTES b/RELNOTES index 8b47ee8e4..9b746e229 100644 --- a/RELNOTES +++ b/RELNOTES 
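Review bot: The line `uudeview` added at the end of uudeview.profile does not look like a profile command; it reads like a leftover from the `hostname uudeview` line two lines above. Every other profile touched by this commit gains `no3d`, so that was probably the intended addition. How the profile parser treats an unknown keyword is not shown here, so the stray line may either be ignored or stop the profile from loading.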
@@ -6,6 +6,8 @@ firejail (0.9.43) baseline; urgency=low * modifs: Nvidia drivers added to --private-dev * feature: support starting/joining sandbox is a single command (--join-or-start) + * feature: assign a name to the interface connected to the bridge + (--veth-name) * feature: all user home directories are visible (--allusers) * feature: add files to sandbox container (--put) * feature: blocking x11 (--x11=block) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 4ee1c943a..29cdc2c20 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -131,6 +131,8 @@ typedef struct bridge_t { uint8_t mac[6]; // interface mac address int mtu; // interface mtu + char *veth_name; // veth name for the device connected to the bridge + // inside the sandbox char *devsandbox; // name of the device inside the sandbox uint32_t ipsandbox; // ip address inside the sandbox diff --git a/src/firejail/main.c b/src/firejail/main.c index c2d71bdf5..8576c9ee4 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1855,6 +1855,27 @@ int main(int argc, char **argv) { } } + else if (strncmp(argv[i], "--veth-name=", 12) == 0) { + if (checkcfg(CFG_NETWORK)) { + Bridge *br = last_bridge_configured(); + if (br == NULL) { + fprintf(stderr, "Error: no network device configured\n"); + exit(1); + } + br->veth_name = strdup(argv[i] + 12); + if (br->veth_name == NULL) + errExit("strdup"); + if (*br->veth_name == '\0') { + fprintf(stderr, "Error: no veth-name configured\n"); + exit(1); + } + } + else { + fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); + exit(1); + } + } + else if (strcmp(argv[i], "--scan") == 0) { if (checkcfg(CFG_NETWORK)) { arg_scan = 1; diff --git a/src/firejail/network.c b/src/firejail/network.c index aac48e521..4473ef099 100644 --- a/src/firejail/network.c +++ b/src/firejail/network.c 
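Review bot: The `--veth-name=` value in main.c is accepted with only an empty-string check, although it becomes a kernel interface name (network_main.c passes it to `net_create_veth()`). A length and character check before the `strdup()` would reject bad names early with a clear message, for example `if (strlen(argv[i] + 12) >= IFNAMSIZ) { fprintf(stderr, "Error: invalid veth-name\n"); exit(1); }` plus a restriction to alphanumerics, `-` and `_`. A repeated `--veth-name` also overwrites `br->veth_name` without freeing the earlier copy. The `veth-name` profile command added in profile.c has the same gaps. main() extends beyond this hunk.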
@@ -204,6 +204,7 @@ void net_if_up(const char *ifname) { // read the existing flags if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) { close(sock); + printf("Error: cannot bring up interface %s\n", ifname); errExit("ioctl"); } @@ -212,6 +213,7 @@ void net_if_up(const char *ifname) { // set the new flags if (ioctl( sock, SIOCSIFFLAGS, &ifr ) < 0) { close(sock); + printf("Error: cannot bring up interface %s\n", ifname); errExit("ioctl"); } @@ -219,6 +221,7 @@ void net_if_up(const char *ifname) { // read the existing flags if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) { close(sock); + printf("Error: cannot bring up interface %s\n", ifname); errExit("ioctl"); } @@ -230,6 +233,7 @@ void net_if_up(const char *ifname) { // read the existing flags if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) { close(sock); + printf("Error: cannot bring up interface %s\n", ifname); errExit("ioctl"); } if (ifr.ifr_flags & IFF_RUNNING) @@ -260,6 +264,7 @@ void net_if_down(const char *ifname) { // read the existing flags if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) { close(sock); + printf("Error: cannot shut down interface %s\n", ifname); errExit("ioctl"); } @@ -268,6 +273,7 @@ void net_if_down(const char *ifname) { // set the new flags if (ioctl( sock, SIOCSIFFLAGS, &ifr ) < 0) { close(sock); + printf("Error: cannot shut down interface %s\n", ifname); errExit("ioctl"); } diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c index 396c612b1..907b84642 100644 --- a/src/firejail/network_main.c +++ b/src/firejail/network_main.c @@ -120,8 +120,13 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child) { // create a veth pair char *dev; - if (asprintf(&dev, "veth%u%s", getpid(), ifname) < 0) - errExit("asprintf"); + if (br->veth_name == NULL) { + if (asprintf(&dev, "veth%u%s", getpid(), ifname) < 0) + errExit("asprintf"); + } + else + dev = br->veth_name; + net_create_veth(dev, ifname, child); // add interface to the bridge 
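Review bot: The added `printf("Error: cannot bring up interface %s\n", ifname);` and `... shut down ...` lines write the error to stdout, while the other error messages in this series go through `fprintf(stderr, ...)`. I would use `fprintf(stderr, "Error: cannot bring up interface %s\n", ifname);` in net_if_up() and the matching form in net_if_down(), in all six network.c hunks. The `close(sock)` and the print also run before `errExit("ioctl")`, so either may overwrite the `errno` that errExit presumably reports; saving `errno` first or closing last avoids that. Both functions continue outside these hunks.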
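Review bot: After this change in net_configure_veth_pair(), `dev` is either a buffer from `asprintf()` or an alias of `br->veth_name`, so its ownership differs per branch. If the rest of the function frees `dev` (not visible in this hunk), the second case frees `br->veth_name` and leaves a dangling pointer in the bridge. Duplicating the name, `dev = strdup(br->veth_name); if (!dev) errExit("strdup");`, keeps both branches heap-owned. If `dev` is never freed, a comment saying so would spare the next reader the same question.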
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 1e1ccaf0e..079324f14 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -302,6 +302,29 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { return 0; } + else if (strncmp(ptr, "veth-name ", 10) == 0) { +#ifdef HAVE_NETWORK + if (checkcfg(CFG_NETWORK)) { + Bridge *br = last_bridge_configured(); + if (br == NULL) { + fprintf(stderr, "Error: no network device configured\n"); + exit(1); + } + + br->veth_name = strdup(ptr + 10); + if (br->veth_name == NULL) + errExit("strdup"); + if (*br->veth_name == '\0') { + fprintf(stderr, "Error: no veth-name configured\n"); + exit(1); + } + } + else + fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); +#endif + return 0; + } + else if (strncmp(ptr, "iprange ", 8) == 0) { #ifdef HAVE_NETWORK if (checkcfg(CFG_NETWORK)) { @@ -348,7 +371,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { } -// from here else if (strncmp(ptr, "mac ", 4) == 0) { #ifdef HAVE_NETWORK if (checkcfg(CFG_NETWORK)) { diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 78ba34fd2..903817099 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -272,6 +272,10 @@ void usage(void) { printf("\tdirectoires blacklisted by the security profile.\n\n"); printf(" --tree - print a tree of all sandboxed processes.\n\n"); printf(" --version - print program version and exit.\n\n"); +#ifdef HAVE_NETWORK + printf(" --veth-name=name - use this name for the interface connected to the bridge\n"); + printf("\tfor --net=bridgename commands, instead of the default one.\n\n"); +#endif #ifdef HAVE_WHITELIST printf(" --whitelist=dirname_or_filename - whitelist directory or file.\n\n"); #endif diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index b945f6828..4c5651925 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt 
@@ -474,6 +474,11 @@ available in the new namespace is a new loopback interface (lo). Use this option to deny network access to programs that don't really need network access. +.TP +\fBveth-name name +Use this name for the interface connected to the bridge for --net=bridge_interface commands, +instead of the default one. + .SH Other .TP \fBjoin-or-start sandboxname diff --git a/src/man/firejail.txt b/src/man/firejail.txt index fe3e53044..2c4944331 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -1605,6 +1605,18 @@ Example: $ firejail \-\-version .br firejail version 0.9.27 + +.TP +\fB\-\-veth-name=name +Use this name for the interface connected to the bridge for --net=bridge_interface commands, +instead of the default one. +.br + +.br +Example: +.br +$ firejail \-\-net=br0 --veth-name=if0 + .TP \fB\-\-whitelist=dirname_or_filename Whitelist directory or file. A temporary file system is mounted on the top directory, and the -- cgit v1.2.3-70-g09d2 From 7671983267e5e31b1bd436ec8e7fdb340b6f7b84 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Thu, 29 Sep 2016 00:40:53 +0300 Subject: if .Xauthority is symlink, skip and warn --- src/firejail/fs_home.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 064340613..63d5a1c5e 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c @@ -114,8 +114,8 @@ static int store_xauthority(void) { struct stat s; if (stat(src, &s) == 0) { if (is_link(src)) { - fprintf(stderr, "Error: invalid .Xauthority file\n"); - exit(1); + fprintf(stderr, "Warning: invalid .Xauthority file\n"); + return 0; } int rv = copy_file(src, dest, -1, -1, 0600); -- cgit v1.2.3-70-g09d2 From e90a8025a8173f3ce1fb0d22c3fc0b2ccb431ecc Mon Sep 17 00:00:00 2001 
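Review bot: The symlink test in store_xauthority() is a check followed by a path-based use: `is_link(src)` runs first and `copy_file(src, dest, -1, -1, 0600)` reopens the same path afterwards, so the file can change between the two calls. Downgrading the error to a warning does not alter that, but it is worth confirming that `copy_file()` opens the source without following symlinks (for instance with `O_NOFOLLOW`) or checks with `fstat()` on the opened descriptor; its body is not shown here. The message could also say what happened, e.g. `"Warning: .Xauthority is a symbolic link, skipping\n"`. The function starts and ends outside the hunk.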
From: netblue30 Date: Fri, 30 Sep 2016 09:33:45 -0400 Subject: added luminance-hdr and synfigstudio profiles --- README.md | 2 +- RELNOTES | 2 +- etc/disable-programs.inc | 3 +++ etc/luminance-hdr.profile | 23 +++++++++++++++++++++++ etc/synfigstudio.profile | 17 +++++++++++++++++ platform/debian/conffiles | 2 ++ src/firecfg/firecfg.config | 2 ++ 7 files changed, 49 insertions(+), 2 deletions(-) create mode 100644 etc/luminance-hdr.profile create mode 100644 etc/synfigstudio.profile diff --git a/README.md b/README.md index 05cfd3b11..e98f8ad21 100644 --- a/README.md +++ b/README.md @@ -88,5 +88,5 @@ x11 xpra, x11 xephyr, x11 block, allusers, join-or-start ## New profiles -qpdfview, mupdf +qpdfview, mupdf, Luminance HDR, Synfig Studio diff --git a/RELNOTES b/RELNOTES index 9b746e229..f09c628e1 100644 --- a/RELNOTES +++ b/RELNOTES @@ -13,7 +13,7 @@ firejail (0.9.43) baseline; urgency=low * feature: blocking x11 (--x11=block) * feature: disable 3D hardware acceleration (--no3d) * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands - * new profiles: qpdfview, mupdf + * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio * bugfixes -- netblue30 Fri, 9 Sept 2016 08:00:00 -0500 diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 54c53e794..8566ea0c5 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -27,6 +27,9 @@ blacklist ${HOME}/.kde/share/config/okularpartrc blacklist ${HOME}/.kde/share/apps/gwenview blacklist ${HOME}/.kde/share/config/gwenviewrc blacklist ${HOME}/.config/qpdfview +blacklist ${HOME}/.config/Luminance +blacklist ${HOME}/.config/synfig +blacklist ${HOME}/.synfig # Media players blacklist ${HOME}/.config/cmus diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile new file mode 100644 index 000000000..e9207fba3 --- /dev/null +++ b/etc/luminance-hdr.profile 
@@ -0,0 +1,23 @@ +# luminance-hdr +noblacklist ${HOME}/.config/Luminance +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-devel.inc + + +caps.drop all +netfilter +protocol unix +nonewprivs +noroot +seccomp +shell none +tracelog +private-tmp +private-dev +noexec ${HOME} +noexec /tmp +nogroups +nosound +ipc-namespace diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile new file mode 100644 index 000000000..d46467b99 --- /dev/null +++ b/etc/synfigstudio.profile @@ -0,0 +1,17 @@ +# synfigstudio +noblacklist ${HOME}/.config/synfig +noblacklist ${HOME}/.synfig +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix +seccomp +private-dev +private-tmp +noexec ${HOME} +noexec /tmp diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 0c494c042..86f5564fd 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -145,4 +145,6 @@ /etc/firejail/dosbox.profile /etc/firejail/mupdf.profile /etc/firejail/qpdfview.profile +/etc/firejail/luminance-hdr.profile +/etc/firejail/synfigstudio.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index ca28d025b..2fec8ef90 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -130,6 +130,8 @@ pix xreader mupdf qpdfview +luminance-hdr +synfigstudio # other ssh -- cgit v1.2.3-70-g09d2 From b806f35192817e78b95a92dd658f1430bcc6fb56 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Fri, 30 Sep 2016 10:13:00 -0400 Subject: gimp and inkscape profiles --- README.md | 2 +- RELNOTES | 2 +- etc/disable-programs.inc | 2 ++ etc/gimp.profile | 18 ++++++++++++++++++ etc/inkscape.profile | 18 ++++++++++++++++++ etc/luminance-hdr.profile | 2 -- platform/debian/conffiles | 2 ++ src/firecfg/firecfg.config | 2 ++ 8 files changed, 44 insertions(+), 4 deletions(-) create mode 100644 etc/gimp.profile create mode 100644 etc/inkscape.profile diff --git a/README.md b/README.md index e98f8ad21..6fa6c996c 100644 --- a/README.md +++ b/README.md @@ -88,5 +88,5 @@ x11 xpra, x11 xephyr, x11 block, allusers, join-or-start ## New profiles -qpdfview, mupdf, Luminance HDR, Synfig Studio +qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape diff --git a/RELNOTES b/RELNOTES index f09c628e1..97ace1c91 100644 --- a/RELNOTES +++ b/RELNOTES @@ -13,7 +13,7 @@ firejail (0.9.43) baseline; urgency=low * feature: blocking x11 (--x11=block) * feature: disable 3D hardware acceleration (--no3d) * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands - * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio + * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape * bugfixes -- netblue30 Fri, 9 Sept 2016 08:00:00 -0500 diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 8566ea0c5..1e2b81d27 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -30,6 +30,8 @@ blacklist ${HOME}/.config/qpdfview blacklist ${HOME}/.config/Luminance blacklist ${HOME}/.config/synfig blacklist ${HOME}/.synfig +blacklist ${HOME}/.inkscape +blacklist ${HOME}/.gimp* # Media players blacklist ${HOME}/.config/cmus diff --git a/etc/gimp.profile b/etc/gimp.profile new file mode 100644 index 000000000..23361b771 --- /dev/null +++ b/etc/gimp.profile 
@@ -0,0 +1,18 @@ +# gimp +noblacklist ${HOME}/.gimp* +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix +seccomp +private-dev +private-tmp +noexec ${HOME} +noexec /tmp +nogroups +nosound diff --git a/etc/inkscape.profile b/etc/inkscape.profile new file mode 100644 index 000000000..cf885fba2 --- /dev/null +++ b/etc/inkscape.profile @@ -0,0 +1,18 @@ +# inkscape +noblacklist ${HOME}/.inkscape +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix +seccomp +private-dev +private-tmp +noexec ${HOME} +noexec /tmp +nogroups +nosound diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile index e9207fba3..6e059ea52 100644 --- a/etc/luminance-hdr.profile +++ b/etc/luminance-hdr.profile @@ -3,8 +3,6 @@ noblacklist ${HOME}/.config/Luminance include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc -include /etc/firejail/disable-devel.inc - caps.drop all netfilter diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 86f5564fd..75e7a469b 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -147,4 +147,6 @@ /etc/firejail/qpdfview.profile /etc/firejail/luminance-hdr.profile /etc/firejail/synfigstudio.profile +/etc/firejail/gimp.profile +/etc/firejail/inkscape.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 2fec8ef90..75265545b 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -132,6 +132,8 @@ mupdf qpdfview luminance-hdr synfigstudio +gimp +inkscape # other ssh -- cgit v1.2.3-70-g09d2 From 74ad73c808ecbd4e0ccdfb1d6893b65c68647c62 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Sat, 1 Oct 2016 09:36:22 -0400 Subject: x11 detection support for --audit --- src/faudit/dbus.c | 59 +++++++++++++++++++++++++++++++++++--------------- src/faudit/faudit.h | 1 + src/faudit/main.c | 5 +++++ src/faudit/x11.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++++++++ todo | 14 +++++++++++- 5 files changed, 123 insertions(+), 18 deletions(-) create mode 100644 src/faudit/x11.c diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c index 64f5d8ae4..d17d3922a 100644 --- a/src/faudit/dbus.c +++ b/src/faudit/dbus.c @@ -21,15 +21,15 @@ #include #include -void check_session_bus(const char *sockfile) { +// return 0 if the connection is possible +int check_unix(const char *sockfile) { assert(sockfile); - + int rv = -1; + // open socket int sock = socket(AF_UNIX, SOCK_STREAM, 0); - if (sock == -1) { - printf("GOOD: I cannot connect to session bus. If the application misbehaves, please log a bug with the application developer.\n"); - return; - } + if (sock == -1) + return rv; // connect struct sockaddr_un remote; 
@@ -37,35 +37,60 @@ void check_session_bus(const char *sockfile) { remote.sun_family = AF_UNIX; strcpy(remote.sun_path, sockfile); int len = strlen(remote.sun_path) + sizeof(remote.sun_family); - remote.sun_path[0] = '\0'; - if (connect(sock, (struct sockaddr *)&remote, len) == -1) { - printf("GOOD: I cannot connect to session bus. If the application misbehaves, please log a bug with the application developer.\n"); - } - else { - printf("MAYBE: I can connect to session bus. It could be a good idea to disable it by creating a new network namespace using \"--net=none\" or \"--net=eth0\".\n"); - } - + if (*sockfile == '@') + remote.sun_path[0] = '\0'; + if (connect(sock, (struct sockaddr *)&remote, len) == 0) + rv = 0; + close(sock); + return rv; } void dbus_test(void) { // check the session bus char *str = getenv("DBUS_SESSION_BUS_ADDRESS"); if (str) { + int rv = 0; char *bus = strdup(str); if (!bus) errExit("strdup"); - char *sockfile = strstr(bus, "unix:abstract="); - if (sockfile) { + char *sockfile; + if ((sockfile = strstr(bus, "unix:abstract=")) != NULL) { sockfile += 13; *sockfile = '@'; char *ptr = strchr(sockfile, ','); if (ptr) *ptr = '\0'; - check_session_bus(sockfile); + rv = check_unix(sockfile); + *sockfile = '@'; + if (rv == 0) + printf("MAYBE: D-Bus socket %s is available\n", sockfile); + else if (rv == -1) + printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile); + } + else if ((sockfile = strstr(bus, "unix:path=")) != NULL) { + sockfile += 10; + char *ptr = strchr(sockfile, ','); + if (ptr) + *ptr = '\0'; + rv = check_unix(sockfile); + if (rv == 0) + printf("MAYBE: D-Bus socket %s is available\n", sockfile); + else if (rv == -1) + printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile); + } + else if ((sockfile = strstr(bus, "tcp:host=")) != NULL) { + printf("UGLY: session bus configured for TCPcommunication.\n"); + rv = -2; } + else + printf("GOOD: cannot find a D-Bus socket\n"); + + free(bus); } + else + printf("GOOD: 
DBUS_SESSION_BUS_ADDRESS environment variable not configured."); } diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h index 93fb4b709..3fddbf1f5 100644 --- a/src/faudit/faudit.h +++ b/src/faudit/faudit.h @@ -56,6 +56,7 @@ void files_test(void); void network_test(void); // dbus.c +int check_unix(const char *sockfile); void dbus_test(void); // dev.c diff --git a/src/faudit/main.c b/src/faudit/main.c index 6ff938d98..61005945d 100644 --- a/src/faudit/main.c +++ b/src/faudit/main.c @@ -69,10 +69,15 @@ int main(int argc, char **argv) { dbus_test(); printf("\n"); + // x11 test + x11_test(); + printf("\n"); + // /dev test dev_test(); printf("\n"); + free(prog); printf("--------------------------------------------------------------------------------\n"); diff --git a/src/faudit/x11.c b/src/faudit/x11.c new file mode 100644 index 000000000..e1a4bf66e --- /dev/null +++ b/src/faudit/x11.c 
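Review bot: In src/faudit/dbus.c, `strcpy(remote.sun_path, sockfile)` in check_unix() has no length check, and this commit widens the set of strings that reach it. dbus_test() passes a substring of the DBUS_SESSION_BUS_ADDRESS environment variable, and x11_test() in the new src/faudit/x11.c passes "/tmp/.X11-unix/" plus a directory entry name; either can be longer than the fixed-size `sun_path` array and would overrun the stack buffer. A guard directly before the copy closes this: `if (strlen(sockfile) >= sizeof(remote.sun_path)) { close(sock); return rv; }`. check_unix() begins in the previous hunk, so the check could equally go before the socket() call there.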
@@ -0,0 +1,62 @@ +/* + * Copyright (C) 2014-2016 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "faudit.h" +#include +#include + + +void x11_test(void) { + // check regular display 0 sockets + if (check_unix("/tmp/.X11-unix/X0") == 0) + printf("MAYBE: X11 socket /tmp/.X11-unix/X0 is available\n"); + + if (check_unix("@/tmp/.X11-unix/X0") == 0) + printf("MAYBE: X11 socket @/tmp/.X11-unix/X0 is available\n"); + + // check all unix sockets in /tmp/.X11-unix directory + DIR *dir; + if (!(dir = opendir("/tmp/.X11-unix"))) { + // sleep 2 seconds and try again + sleep(2); + if (!(dir = opendir("/tmp/.X11-unix"))) + ; + } + + if (dir == NULL) + printf("GOOD: cannot open /tmp/.X11-unix directory\n"); + else { + struct dirent *entry; + while ((entry = readdir(dir)) != NULL) { + if (strcmp(entry->d_name, "X0") == 0) + continue; + if (strcmp(entry->d_name, ".") == 0) + continue; + if (strcmp(entry->d_name, "..") == 0) + continue; + char *name; + if (asprintf(&name, "/tmp/.X11-unix/%s", entry->d_name) == -1) + errExit("asprintf"); + if (check_unix(name) == 0) + printf("MAYBE: X11 socket %s is available\n", name); + free(name); + } + closedir(dir); + } +} diff --git a/todo b/todo index 26c3e247c..ddf886fcd 100644 --- a/todo 
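Review bot: In src/faudit/x11.c, x11_test() probes an abstract socket only for display 0. The readdir() loop calls check_unix() on the filesystem path of every other entry but never on the `@`-prefixed name, and when /tmp/.X11-unix cannot be opened it prints GOOD without probing any further abstract name. Since check_unix() turns a leading `@` into an abstract address (the dbus.c change in this commit), a second probe inside the loop with `asprintf(&name, "@/tmp/.X11-unix/%s", entry->d_name)` would cover every display whose entry is visible. The GOOD line should say that it refers to the directory only, for example `GOOD: cannot open /tmp/.X11-unix directory (abstract sockets other than X0 not checked)`.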
+++ b/todo @@ -273,4 +273,16 @@ dm-crypt+LUKS – dm-crypt is a transparent disk encryption subsystem in Linux kernel v2.6+ and later and DragonFly BSD. It can encrypt whole disks, removable media, partitions, software RAID volumes, logical volumes, and files. -28. add support for whitelisting /mtn +28. Merge --dbus=none from https://github.com/Sidnioulz/firejail + + // block dbus session bus the hard way if necessary + if (cfg.dbus == 0) { + char *dbus_path; + if (asprintf(&dbus_path, "/run/user/%d/bus", getuid()) == -1) + errExit("asprintf"); + fs_blacklist_file(dbus_path); + free(dbus_path); +} + + + -- cgit v1.2.3-70-g09d2 From 68d2c41f34def20265c139611aa7297d73eacf56 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 1 Oct 2016 09:40:02 -0400 Subject: x11 detection support for --audit --- RELNOTES | 1 + 1 file changed, 1 insertion(+) diff --git a/RELNOTES b/RELNOTES index 97ace1c91..281bfa1bb 100644 --- a/RELNOTES +++ b/RELNOTES @@ -6,6 +6,7 @@ firejail (0.9.43) baseline; urgency=low * modifs: Nvidia drivers added to --private-dev * feature: support starting/joining sandbox is a single command (--join-or-start) + * feature: X11 detection support for --audit * feature: assign a name to the interface connected to the bridge (--veth-name) * feature: all user home directories are visible (--allusers) -- cgit v1.2.3-70-g09d2 From a14f20736bbf604f5925dbe18bfd1110c5fcf4b0 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 1 Oct 2016 09:42:31 -0400 Subject: x11 detection support for --audit --- src/faudit/faudit.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h index 3fddbf1f5..17c754c3b 100644 --- a/src/faudit/faudit.h +++ b/src/faudit/faudit.h @@ -62,4 +62,7 @@ void dbus_test(void); // dev.c void dev_test(void); +// x11.c +void x11_test(void); + #endif -- cgit v1.2.3-70-g09d2 From 0bec95a96abd2299dbb9fa9f17671747512768c5 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Sat, 1 Oct 2016 12:56:39 -0400 Subject: potential Gentoo fix --- etc/disable-devel.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc index 963cf6da0..971857710 100644 --- a/etc/disable-devel.inc +++ b/etc/disable-devel.inc @@ -2,7 +2,7 @@ # GCC blacklist /usr/include -blacklist /usr/lib/gcc +#blacklist /usr/lib/gcc - seems to create problems on Gentoo blacklist /usr/bin/gcc* blacklist /usr/bin/cpp* blacklist /usr/bin/c9* -- cgit v1.2.3-70-g09d2 From 27bffbfeb2295f7d460f78dd93e02aa2f9b0a00c Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 1 Oct 2016 13:50:58 -0400 Subject: disable x11 abstract socket for --x11=block --- Makefile.in | 4 ++- configure | 3 ++- configure.ac | 2 +- platform/debian/conffiles | 1 - src/faudit/dbus.c | 6 ++--- src/faudit/x11.c | 3 ++- src/firejail/firejail.h | 1 + src/firejail/fs_trace.c | 8 +++--- src/firejail/ls.c | 2 +- src/firejail/sandbox.c | 8 +++--- src/firejail/x11.c | 6 +++++ src/libx11/Makefile.in | 25 ++++++++++++++++++ src/libx11/libx11.c | 66 +++++++++++++++++++++++++++++++++++++++++++++++ 13 files changed, 118 insertions(+), 17 deletions(-) create mode 100644 src/libx11/Makefile.in create mode 100644 src/libx11/libx11.c diff --git a/Makefile.in b/Makefile.in index ee17ae60c..cdb3535c2 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,6 +1,6 @@ all: apps man MYLIBS = src/lib -APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit +APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/libx11 MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 prefix=@prefix@ 
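Review bot: In etc/disable-devel.inc, commenting out `blacklist /usr/lib/gcc` lifts the restriction on every distribution, although the trailing comment attributes the problem to Gentoo only. Every profile that includes this file loses that blacklist entry, and the hunk does not record what actually failed. If the breakage comes from runtime libraries stored under that tree (an assumption; the commit does not say), a narrower pattern aimed at the compiler components would keep most of the original intent. At minimum the comment should state the symptom, e.g. `# /usr/lib/gcc not blacklisted: <what failed on Gentoo> - revisit with a narrower pattern`.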
@@ -71,6 +71,7 @@ realinstall: install -m 0755 -d $(DESTDIR)/$(libdir)/firejail install -c -m 0644 src/libtrace/libtrace.so $(DESTDIR)/$(libdir)/firejail/. install -c -m 0644 src/libtracelog/libtracelog.so $(DESTDIR)/$(libdir)/firejail/. + install -c -m 0644 src/libx11/libx11.so $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/ftee/ftee $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/. install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/. @@ -120,6 +121,7 @@ install-strip: all strip src/firecfg/firecfg strip src/libtrace/libtrace.so strip src/libtracelog/libtracelog.so + strip src/libx11/libx11.so strip src/ftee/ftee strip src/faudit/faudit $(MAKE) realinstall diff --git a/configure b/configure index 42c59279e..c27787397 100755 --- a/configure +++ b/configure @@ -3759,7 +3759,7 @@ if test "$prefix" = /usr; then sysconfdir="/etc" fi -ac_config_files="$ac_config_files Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile" +ac_config_files="$ac_config_files Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libx11/Makefile" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure @@ -4477,6 +4477,7 @@ do "src/firecfg/Makefile") CONFIG_FILES="$CONFIG_FILES src/firecfg/Makefile" ;; "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;; "src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;; + "src/libx11/Makefile") CONFIG_FILES="$CONFIG_FILES src/libx11/Makefile" ;; *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; esac diff --git a/configure.ac b/configure.ac index e664cbe31..523ebd831 100644 --- a/configure.ac +++ b/configure.ac 
@@ -148,7 +148,7 @@ if test "$prefix" = /usr; then sysconfdir="/etc" fi -AC_OUTPUT(Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile) +AC_OUTPUT(Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libx11/Makefile) echo echo "Configuration options:" diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 75e7a469b..fb6c18b36 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -149,4 +149,3 @@ /etc/firejail/synfigstudio.profile /etc/firejail/gimp.profile /etc/firejail/inkscape.profile - diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c index d17d3922a..4debf2ff6 100644 --- a/src/faudit/dbus.c +++ b/src/faudit/dbus.c @@ -79,10 +79,8 @@ void dbus_test(void) { else if (rv == -1) printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile); } - else if ((sockfile = strstr(bus, "tcp:host=")) != NULL) { - printf("UGLY: session bus configured for TCPcommunication.\n"); - rv = -2; - } + else if ((sockfile = strstr(bus, "tcp:host=")) != NULL) + printf("UGLY: session bus configured for TCP communication.\n"); else printf("GOOD: cannot find a D-Bus socket\n"); diff --git a/src/faudit/x11.c b/src/faudit/x11.c index e1a4bf66e..43f40f4e9 100644 --- a/src/faudit/x11.c +++ b/src/faudit/x11.c @@ -35,8 +35,9 @@ void x11_test(void) { if (!(dir = opendir("/tmp/.X11-unix"))) { // sleep 2 seconds and try again sleep(2); - if (!(dir = opendir("/tmp/.X11-unix"))) + if (!(dir = opendir("/tmp/.X11-unix"))) { ; + } } if (dir == NULL) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 29cdc2c20..f2d490a6c 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h 
@@ -627,6 +627,7 @@ void fs_mkdir(const char *name); void fs_mkfile(const char *name); // x11.c +extern int mask_x11_abstract_socket; void fs_x11(void); int x11_display(void); void x11_start(int argc, char **argv); diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c index bab117b7e..861b8a9a7 100644 --- a/src/firejail/fs_trace.c +++ b/src/firejail/fs_trace.c @@ -54,15 +54,17 @@ void fs_trace(void) { FILE *fp = fopen(RUN_LDPRELOAD_FILE, "w"); if (!fp) errExit("fopen"); - if (arg_trace) + if (arg_trace) { fprintf(fp, "%s/firejail/libtrace.so\n", LIBDIR); + } else if (arg_tracelog) { fprintf(fp, "%s/firejail/libtracelog.so\n", LIBDIR); if (!arg_quiet) printf("Blacklist violations are logged to syslog\n"); } - else - assert(0); + + if (mask_x11_abstract_socket) + fprintf(fp, "%s/firejail/libx11.so\n", LIBDIR); SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); fclose(fp); diff --git a/src/firejail/ls.c b/src/firejail/ls.c index 14991ba94..39efaa0a6 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c @@ -419,7 +419,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { EUID_USER(); } // get file from host and store it in the sandbox - else if (op == SANDBOX_FS_PUT) { + else if (op == SANDBOX_FS_PUT && path2) { // verify the source file const char *src_fname = path1; struct stat s; diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 7666f1f62..7b519c8c2 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -479,7 +479,7 @@ int sandbox(void* sandbox_arg) { fs_build_cp_command(); // trace pre-install - if (arg_trace || arg_tracelog) + if (arg_trace || arg_tracelog || mask_x11_abstract_socket) fs_trace_preload(); //**************************** 
@@ -505,7 +505,7 @@ int sandbox(void* sandbox_arg) { //**************************** // trace pre-install, this time inside chroot //**************************** - if (arg_trace || arg_tracelog) + if (arg_trace || arg_tracelog || mask_x11_abstract_socket) fs_trace_preload(); } else @@ -575,7 +575,7 @@ int sandbox(void* sandbox_arg) { else { fs_private_etc_list(); // create /etc/ld.so.preload file again - if (arg_trace || arg_tracelog) + if (arg_trace || arg_tracelog || mask_x11_abstract_socket) fs_trace_preload(); } } @@ -626,7 +626,7 @@ int sandbox(void* sandbox_arg) { //**************************** // install trace //**************************** - if (arg_trace || arg_tracelog) + if (arg_trace || arg_tracelog || mask_x11_abstract_socket) fs_trace(); //**************************** diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 774294ff1..2fa7f84d8 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c @@ -27,6 +27,7 @@ #include #include #include +int mask_x11_abstract_socket = 0; #ifdef HAVE_X11 // return 1 if xpra is installed on the system @@ -51,6 +52,7 @@ static int x11_check_xephyr(void) { return 1; } +#if 0 // check for X11 abstract sockets static int x11_abstract_sockets_present(void) { char *path; @@ -75,6 +77,7 @@ static int x11_abstract_sockets_present(void) { return 0; } +#endif static int random_display_number(void) { int i; @@ -594,6 +597,8 @@ void x11_start(int argc, char **argv) { void x11_block(void) { #ifdef HAVE_X11 + mask_x11_abstract_socket = 1; +#if 0 // check abstract socket presence and network namespace options if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured) && x11_abstract_sockets_present()) { @@ -604,6 +609,7 @@ void x11_block(void) { " (eg. to your display manager config, or /etc/X11/xinit/xserverrc)\n"); exit(1); } +#endif // blacklist sockets profile_check_line("blacklist /tmp/.X11-unix", 0, NULL); 
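Review bot: In src/firejail/x11.c, x11_block() now sets `mask_x11_abstract_socket` and compiles out (`#if 0`) the check that refused to start when an abstract X11 socket was present and no network namespace was configured, so the behaviour changes from fail-closed to best-effort. The replacement is the preload library that fs_trace() writes into the preload file; a dynamic-linker preload only affects dynamically linked programs that reach connect() through libc, so it is a compatibility aid rather than a containment boundary. I would keep a warning on the path the old check covered and state the limit above the assignment, e.g. `// best effort: the preload hook does not bind static binaries or direct syscalls; use a network namespace (--net=none) for a hard guarantee`. x11_block() extends beyond the hunks shown.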
diff --git a/src/libx11/Makefile.in b/src/libx11/Makefile.in new file mode 100644 index 000000000..2dfef8076 --- /dev/null +++ b/src/libx11/Makefile.in @@ -0,0 +1,25 @@ +PREFIX=@prefix@ +VERSION=@PACKAGE_VERSION@ +NAME=@PACKAGE_NAME@ +HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ + +H_FILE_LIST = $(sort $(wildcard *.[h])) +C_FILE_LIST = $(sort $(wildcard *.c)) +OBJS = $(C_FILE_LIST:.c=.o) +BINOBJS = $(foreach file, $(OBJS), $file) +CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security +LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now + +all: libx11.so + +%.o : %.c $(H_FILE_LIST) + $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ + +libx11.so: $(OBJS) + $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl + + +clean:; rm -f $(OBJS) libx11.so + +distclean: clean + rm -fr Makefile diff --git a/src/libx11/libx11.c b/src/libx11/libx11.c new file mode 100644 index 000000000..208fb65ed --- /dev/null +++ b/src/libx11/libx11.c 
@@ -0,0 +1,66 @@ +/* + * Copyright (C) 2014-2016 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +//#define DEBUG + +//static int check_sockaddr(int sockfd, const char *call, const struct sockaddr *addr, int rv) { +static int check_sockaddr(const struct sockaddr *addr) { + if (addr->sa_family == AF_UNIX) { + struct sockaddr_un *a = (struct sockaddr_un *) addr; + if (a->sun_path[0] == '\0') { +// printf("@%s\n", a->sun_path + 1); + errno = ENOENT; + return -1; + } + } + + return 0; +} + +// +// syscalls +// + +// connect +typedef int (*orig_connect_t)(int sockfd, const struct sockaddr *addr, socklen_t addrlen); +static orig_connect_t orig_connect = NULL; +int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) { + if (!orig_connect) + orig_connect = (orig_connect_t)dlsym(RTLD_NEXT, "connect"); + + if (check_sockaddr(addr) == -1) + return -1; + + return orig_connect(sockfd, addr, addrlen); +} -- cgit v1.2.3-70-g09d2 From 6d2eaf548d092826017d96443b54d656f05676cf Mon Sep 17 00:00:00 2001 
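Review bot: In src/libx11/libx11.c, the connect() wrapper calls through `orig_connect` without checking the dlsym() result, and check_sockaddr() dereferences `addr` and reads `sun_path[0]` without consulting `addrlen`. A NULL or too-short address that the real connect() would reject with an error instead faults, or is read past its stated length, inside a library that is preloaded into every sandboxed process. Suggested guards are `if (!orig_connect) { errno = ENOSYS; return -1; }` after the lookup and, with `addrlen` passed into the helper, `if (!addr || addrlen <= offsetof(struct sockaddr_un, sun_path)) return 0;` at its top. The same code is carried into src/libconnect/libconnect.c by the following commit.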
From: netblue30 Date: Sat, 1 Oct 2016 16:25:36 -0400 Subject: moved libx11 to libconnect --- Makefile.in | 6 ++--- configure | 4 +-- configure.ac | 2 +- src/firejail/fs_trace.c | 2 +- src/libconnect/Makefile.in | 25 +++++++++++++++++ src/libconnect/libconnect.c | 66 +++++++++++++++++++++++++++++++++++++++++++++ src/libx11/Makefile.in | 25 ----------------- src/libx11/libx11.c | 66 --------------------------------------------- 8 files changed, 98 insertions(+), 98 deletions(-) create mode 100644 src/libconnect/Makefile.in create mode 100644 src/libconnect/libconnect.c delete mode 100644 src/libx11/Makefile.in delete mode 100644 src/libx11/libx11.c diff --git a/Makefile.in b/Makefile.in index cdb3535c2..3f08c5952 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,6 +1,6 @@ all: apps man MYLIBS = src/lib -APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/libx11 +APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/libconnect MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 prefix=@prefix@ @@ -71,7 +71,7 @@ realinstall: install -m 0755 -d $(DESTDIR)/$(libdir)/firejail install -c -m 0644 src/libtrace/libtrace.so $(DESTDIR)/$(libdir)/firejail/. install -c -m 0644 src/libtracelog/libtracelog.so $(DESTDIR)/$(libdir)/firejail/. - install -c -m 0644 src/libx11/libx11.so $(DESTDIR)/$(libdir)/firejail/. + install -c -m 0644 src/libconnect/libconnect.so $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/ftee/ftee $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/. install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/. @@ -121,7 +121,7 @@ install-strip: all strip src/firecfg/firecfg strip src/libtrace/libtrace.so strip src/libtracelog/libtracelog.so - strip src/libx11/libx11.so + strip src/libconnect/libconnect.so strip src/ftee/ftee strip src/faudit/faudit $(MAKE) realinstall 
diff --git a/configure b/configure index c27787397..5e066a44d 100755 --- a/configure +++ b/configure @@ -3759,7 +3759,7 @@ if test "$prefix" = /usr; then sysconfdir="/etc" fi -ac_config_files="$ac_config_files Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libx11/Makefile" +ac_config_files="$ac_config_files Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure @@ -4477,7 +4477,7 @@ do "src/firecfg/Makefile") CONFIG_FILES="$CONFIG_FILES src/firecfg/Makefile" ;; "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;; "src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;; - "src/libx11/Makefile") CONFIG_FILES="$CONFIG_FILES src/libx11/Makefile" ;; + "src/libconnect/Makefile") CONFIG_FILES="$CONFIG_FILES src/libconnect/Makefile" ;; *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; esac diff --git a/configure.ac b/configure.ac index 523ebd831..a1d65cc63 100644 --- a/configure.ac +++ b/configure.ac @@ -148,7 +148,7 @@ if test "$prefix" = /usr; then sysconfdir="/etc" fi -AC_OUTPUT(Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libx11/Makefile) +AC_OUTPUT(Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile) echo echo "Configuration options:" diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c index 861b8a9a7..78fc8a647 100644 --- a/src/firejail/fs_trace.c 
+++ b/src/firejail/fs_trace.c @@ -64,7 +64,7 @@ void fs_trace(void) { } if (mask_x11_abstract_socket) - fprintf(fp, "%s/firejail/libx11.so\n", LIBDIR); + fprintf(fp, "%s/firejail/libconnect.so\n", LIBDIR); SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); fclose(fp); diff --git a/src/libconnect/Makefile.in b/src/libconnect/Makefile.in new file mode 100644 index 000000000..5b7a8d0f1 --- /dev/null +++ b/src/libconnect/Makefile.in @@ -0,0 +1,25 @@ +PREFIX=@prefix@ +VERSION=@PACKAGE_VERSION@ +NAME=@PACKAGE_NAME@ +HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ + +H_FILE_LIST = $(sort $(wildcard *.[h])) +C_FILE_LIST = $(sort $(wildcard *.c)) +OBJS = $(C_FILE_LIST:.c=.o) +BINOBJS = $(foreach file, $(OBJS), $file) +CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security +LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now + +all: libconnect.so + +%.o : %.c $(H_FILE_LIST) + $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ + +libconnect.so: $(OBJS) + $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl + + +clean:; rm -f $(OBJS) libconnect.so + +distclean: clean + rm -fr Makefile diff --git a/src/libconnect/libconnect.c b/src/libconnect/libconnect.c new file mode 100644 index 000000000..18c4d81f5 --- /dev/null +++ b/src/libconnect/libconnect.c 
@@ -0,0 +1,66 @@ +/* + * Copyright (C) 2014-2016 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +//#define DEBUG + +//static int check_sockaddr(int sockfd, const char *call, const struct sockaddr *addr, int rv) { +static int check_sockaddr(const struct sockaddr *addr) { + if (addr->sa_family == AF_UNIX) { + struct sockaddr_un *a = (struct sockaddr_un *) addr; + if (a->sun_path[0] == '\0' && strstr(a->sun_path + 1, "X11-unix")) { +// printf("@%s\n", a->sun_path + 1); + errno = ENOENT; + return -1; + } + } + + return 0; +} + +// +// syscalls +// + +// connect +typedef int (*orig_connect_t)(int sockfd, const struct sockaddr *addr, socklen_t addrlen); +static orig_connect_t orig_connect = NULL; +int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) { + if (!orig_connect) + orig_connect = (orig_connect_t)dlsym(RTLD_NEXT, "connect"); + + if (check_sockaddr(addr) == -1) + return -1; + + return orig_connect(sockfd, addr, addrlen); +} diff --git a/src/libx11/Makefile.in b/src/libx11/Makefile.in deleted file mode 100644 index 2dfef8076..000000000 
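Review bot: In src/libconnect/libconnect.c, `strstr(a->sun_path + 1, "X11-unix")` treats the abstract socket name as a C string, but abstract names are delimited by `addrlen` and need not be NUL-terminated. The search can therefore run past the bytes the caller supplied, and a name with an embedded NUL before the marker is not matched at all. Passing `addrlen` into check_sockaddr() and using a bounded search fixes both. The sketch below uses memmem(), which is available because the file defines `_GNU_SOURCE`, and offsetof(), which needs `<stddef.h>` if that header is not already included.

```c
static int check_sockaddr(const struct sockaddr *addr, socklen_t addrlen) {
	static const char needle[] = "X11-unix";
	const size_t hdr = offsetof(struct sockaddr_un, sun_path);

	// let the real connect() report NULL, short or non-unix addresses
	if (addr == NULL || addrlen <= hdr || addr->sa_family != AF_UNIX)
		return 0;

	const struct sockaddr_un *a = (const struct sockaddr_un *) addr;
	size_t namelen = addrlen - hdr;
	if (namelen > sizeof(a->sun_path))
		namelen = sizeof(a->sun_path);

	// abstract names are length-delimited, not NUL-terminated
	if (a->sun_path[0] == '\0' &&
	    memmem(a->sun_path + 1, namelen - 1, needle, sizeof(needle) - 1)) {
		errno = ENOENT;
		return -1;
	}

	return 0;
}

// … unchanged: orig_connect typedef and lazy dlsym lookup …
	if (check_sockaddr(addr, addrlen) == -1)
		return -1;
```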
--- a/src/libx11/Makefile.in +++ /dev/null @@ -1,25 +0,0 @@ -PREFIX=@prefix@ -VERSION=@PACKAGE_VERSION@ -NAME=@PACKAGE_NAME@ -HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ - -H_FILE_LIST = $(sort $(wildcard *.[h])) -C_FILE_LIST = $(sort $(wildcard *.c)) -OBJS = $(C_FILE_LIST:.c=.o) -BINOBJS = $(foreach file, $(OBJS), $file) -CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security -LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now - -all: libx11.so - -%.o : %.c $(H_FILE_LIST) - $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ - -libx11.so: $(OBJS) - $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl - - -clean:; rm -f $(OBJS) libx11.so - -distclean: clean - rm -fr Makefile diff --git a/src/libx11/libx11.c b/src/libx11/libx11.c deleted file mode 100644 index 208fb65ed..000000000 --- a/src/libx11/libx11.c +++ /dev/null 
@@ -1,66 +0,0 @@ -/* - * Copyright (C) 2014-2016 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ -#define _GNU_SOURCE -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -//#define DEBUG - -//static int check_sockaddr(int sockfd, const char *call, const struct sockaddr *addr, int rv) { -static int check_sockaddr(const struct sockaddr *addr) { - if (addr->sa_family == AF_UNIX) { - struct sockaddr_un *a = (struct sockaddr_un *) addr; - if (a->sun_path[0] == '\0') { -// printf("@%s\n", a->sun_path + 1); - errno = ENOENT; - return -1; - } - } - - return 0; -} - -// -// syscalls -// - -// connect -typedef int (*orig_connect_t)(int sockfd, const struct sockaddr *addr, socklen_t addrlen); -static orig_connect_t orig_connect = NULL; -int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) { - if (!orig_connect) - orig_connect = (orig_connect_t)dlsym(RTLD_NEXT, "connect"); - - if (check_sockaddr(addr) == -1) - return -1; - - return orig_connect(sockfd, addr, addrlen); -} -- cgit v1.2.3-70-g09d2 From 2cfa7e461bdfd351ca510a389aedb46d5e69c4c5 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Sat, 1 Oct 2016 16:38:07 -0400 Subject: dropping requirement for network namespace when using --x11 --- RELNOTES | 2 ++ src/firejail/fs.c | 2 ++ src/firejail/main.c | 4 ++++ src/firejail/profile.c | 12 +++++++++--- 4 files changed, 17 insertions(+), 3 deletions(-) diff --git a/RELNOTES b/RELNOTES index 281bfa1bb..2775ecdde 100644 --- a/RELNOTES +++ b/RELNOTES @@ -4,6 +4,8 @@ firejail (0.9.43) baseline; urgency=low * modifs: removed man firejail-config * modifs: --private-tmp whitelists /tmp/.X11-unix directory * modifs: Nvidia drivers added to --private-dev + * modifs: dropping requirement for network namespace when + using a --x11 * feature: support starting/joining sandbox is a single command (--join-or-start) * feature: X11 detection support for --audit diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 3dbfe3909..b40f8a3fa 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -1143,6 +1143,7 @@ int fs_check_chroot_dir(const char *rootdir) { // check x11 socket directory if (getenv("FIREJAIL_X11")) { + mask_x11_abstract_socket = 1; char *name; if (asprintf(&name, "%s/tmp/.X11-unix", rootdir) == -1) errExit("asprintf"); @@ -1173,6 +1174,7 @@ void fs_chroot(const char *rootdir) { // x11 if (getenv("FIREJAIL_X11")) { + mask_x11_abstract_socket = 1; char *newx11; if (asprintf(&newx11, "%s/tmp/.X11-unix", rootdir) == -1) errExit("asprintf"); diff --git a/src/firejail/main.c b/src/firejail/main.c index 8576c9ee4..91ea523ab 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -2266,6 +2266,10 @@ int main(int argc, char **argv) { fprintf(stderr, "Warning: --trace and --tracelog are mutually exclusive; --tracelog disabled\n"); } + // disable x11 abstract socket + if (getenv("FIREJAIL_X11")) + mask_x11_abstract_socket = 1; + // check user namespace (--noroot) options if (arg_noroot) { if (arg_overlay) { diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 079324f14..faf6c49b6 100644 --- a/src/firejail/profile.c 
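Review bot: `mask_x11_abstract_socket` is now set from several places under two different conditions. src/firejail/main.c and both src/firejail/fs.c hunks set it whenever `FIREJAIL_X11` is present in the environment, while the three src/firejail/profile.c hunks require the value `yes`. Because the flag decides whether the abstract-socket mask is installed, the condition should live in one place; if main() always runs its check before the chroot and profile code (not visible in these hunks), the other assignments are redundant. A single helper would do, e.g. `static int x11_sandboxed(void) { const char *e = getenv("FIREJAIL_X11"); return e && strcmp(e, "yes") == 0; }`, with a comment saying which of the two tests is intended.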
+++ b/src/firejail/profile.c @@ -667,8 +667,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { #ifdef HAVE_X11 if (checkcfg(CFG_X11)) { char *x11env = getenv("FIREJAIL_X11"); - if (x11env && strcmp(x11env, "yes") == 0) + if (x11env && strcmp(x11env, "yes") == 0) { + mask_x11_abstract_socket = 1; return 0; + } else { // start x11 x11_start_xephyr(cfg.original_argc, cfg.original_argv); @@ -683,8 +685,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { #ifdef HAVE_X11 if (checkcfg(CFG_X11)) { char *x11env = getenv("FIREJAIL_X11"); - if (x11env && strcmp(x11env, "yes") == 0) + if (x11env && strcmp(x11env, "yes") == 0) { + mask_x11_abstract_socket = 1; return 0; + } else { // start x11 x11_start_xpra(cfg.original_argc, cfg.original_argv); @@ -699,8 +703,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { #ifdef HAVE_X11 if (checkcfg(CFG_X11)) { char *x11env = getenv("FIREJAIL_X11"); - if (x11env && strcmp(x11env, "yes") == 0) + if (x11env && strcmp(x11env, "yes") == 0) { + mask_x11_abstract_socket = 1; return 0; + } else { // start x11 x11_start(cfg.original_argc, cfg.original_argv); -- cgit v1.2.3-70-g09d2 From 6c006921eb77a933f9cfb5baf98a4043447d985e Mon Sep 17 00:00:00 2001 From: vismir2 Date: Sun, 2 Oct 2016 09:05:07 +0200 Subject: Create feh.profile --- etc/feh.profile | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 etc/feh.profile diff --git a/etc/feh.profile b/etc/feh.profile new file mode 100644 index 000000000..ba8f32f44 --- /dev/null +++ b/etc/feh.profile @@ -0,0 +1,13 @@ +# feh image viewer profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +nosound +protocol unix +seccomp -- cgit v1.2.3-70-g09d2 From 25fbc140c081cd41962cbca077fc7716c0191c17 Mon Sep 17 00:00:00 2001 
From: vismir2 Date: Sun, 2 Oct 2016 09:06:16 +0200 Subject: Create zathura.profile --- etc/zathura.profile | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 etc/zathura.profile diff --git a/etc/zathura.profile b/etc/zathura.profile new file mode 100644 index 000000000..99d9a1a90 --- /dev/null +++ b/etc/zathura.profile @@ -0,0 +1,19 @@ +# zathura document viewer profile +# noblacklist ~/.config/zathura +# noblacklist ~/.local/share/zathura +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +seccomp +protocol unix +netfilter +nonewprivs +noroot +nosound + +#net none +shell none +#private-etc X11 -- cgit v1.2.3-70-g09d2 From b11408ba5397e3b70786b98226adc03eb2da9cee Mon Sep 17 00:00:00 2001 From: vismir2 Date: Sun, 2 Oct 2016 09:06:57 +0200 Subject: Create ranger.profile --- etc/ranger.profile | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 etc/ranger.profile diff --git a/etc/ranger.profile b/etc/ranger.profile new file mode 100644 index 000000000..775098d91 --- /dev/null +++ b/etc/ranger.profile @@ -0,0 +1,13 @@ +# ranger file manager profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix +seccomp +nosound -- cgit v1.2.3-70-g09d2 From b0e68493218380de3b5dc5031d8ab5b67ab4d8b4 Mon Sep 17 00:00:00 2001 From: vismir2 Date: Sun, 2 Oct 2016 09:11:33 +0200 Subject: Update conffiles Added profiles for feh, ranger and zathura --- platform/debian/conffiles | 3 +++ 1 file changed, 3 insertions(+) diff --git a/platform/debian/conffiles b/platform/debian/conffiles index fb6c18b36..08dd55d2c 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles 
@@ -36,6 +36,7 @@ /etc/firejail/epiphany.profile /etc/firejail/evince.profile /etc/firejail/fbreader.profile +/etc/firejail/feh.profile /etc/firejail/file.profile /etc/firejail/filezilla.profile /etc/firejail/firefox-esr.profile @@ -100,6 +101,7 @@ /etc/firejail/quassel.profile /etc/firejail/quiterss.profile /etc/firejail/qutebrowser.profile +/etc/firejail/ranger.profile /etc/firejail/rhythmbox.profile /etc/firejail/rtorrent.profile /etc/firejail/seamonkey-bin.profile @@ -141,6 +143,7 @@ /etc/firejail/xviewer.profile /etc/firejail/xz.profile /etc/firejail/xzdec.profile +/etc/firejail/zathura.profile /etc/firejail/strings.profile /etc/firejail/dosbox.profile /etc/firejail/mupdf.profile -- cgit v1.2.3-70-g09d2 From 756ef53c290bcd4d2d48e5fef87cce78d8ea4f5b Mon Sep 17 00:00:00 2001 From: vismir2 Date: Sun, 2 Oct 2016 09:14:21 +0200 Subject: Update firecfg.config Added feh, ranger and zathura to list of supported programs --- src/firecfg/firecfg.config | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 75265545b..5d3248fbc 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -91,6 +91,7 @@ audacity clementine cmus deadbeef +feh gnome-mplayer google-play-music-desktop-player mpv @@ -128,6 +129,7 @@ mathematica okular pix xreader +zathura mupdf qpdfview luminance-hdr @@ -139,6 +141,7 @@ inkscape ssh atom-beta atom +ranger # weather/climate aweather -- cgit v1.2.3-70-g09d2 From 07dcea9fee912950ee5dd075b93103b43672bfc9 Mon Sep 17 00:00:00 2001 From: vismir2 Date: Sun, 2 Oct 2016 09:20:54 +0200 Subject: Fixed alphabetical order --- platform/debian/conffiles | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 08dd55d2c..af8e74ba8 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles 
@@ -30,6 +30,7 @@ /etc/firejail/disable-programs.inc /etc/firejail/dnscrypt-proxy.profile /etc/firejail/dnsmasq.profile +/etc/firejail/dosbox.profile /etc/firejail/dropbox.profile /etc/firejail/empathy.profile /etc/firejail/eom.profile @@ -45,6 +46,7 @@ /etc/firejail/flashpeak-slimjet.profile /etc/firejail/franz.profile /etc/firejail/gajim.profile +/etc/firejail/gimp.profile /etc/firejail/gitter.profile /etc/firejail/gnome-chess.profile /etc/firejail/gnome-mplayer.profile @@ -63,6 +65,7 @@ /etc/firejail/icecat.profile /etc/firejail/icedove.profile /etc/firejail/iceweasel.profile +/etc/firejail/inkscape.profile /etc/firejail/inox.profile /etc/firejail/jitsi.profile /etc/firejail/kmail.profile @@ -78,11 +81,13 @@ /etc/firejail/lomath.profile /etc/firejail/loweb.profile /etc/firejail/lowriter.profile +/etc/firejail/luminance-hdr.profile /etc/firejail/lxterminal.profile /etc/firejail/mathematica.profile /etc/firejail/mcabber.profile /etc/firejail/midori.profile /etc/firejail/mpv.profile +/etc/firejail/mupdf.profile /etc/firejail/mupen64plus.profile /etc/firejail/netsurf.profile /etc/firejail/nolocal.net @@ -97,6 +102,7 @@ /etc/firejail/polari.profile /etc/firejail/psi-plus.profile /etc/firejail/qbittorrent.profile +/etc/firejail/qpdfview.profile /etc/firejail/qtox.profile /etc/firejail/quassel.profile /etc/firejail/quiterss.profile @@ -116,6 +122,8 @@ /etc/firejail/ssh.profile /etc/firejail/steam.profile /etc/firejail/stellarium.profile +/etc/firejail/strings.profile +/etc/firejail/synfigstudio.profile /etc/firejail/tar.profile /etc/firejail/telegram.profile /etc/firejail/thunderbird.profile @@ -144,11 +152,3 @@ /etc/firejail/xz.profile /etc/firejail/xzdec.profile /etc/firejail/zathura.profile -/etc/firejail/strings.profile -/etc/firejail/dosbox.profile -/etc/firejail/mupdf.profile -/etc/firejail/qpdfview.profile -/etc/firejail/luminance-hdr.profile -/etc/firejail/synfigstudio.profile -/etc/firejail/gimp.profile -/etc/firejail/inkscape.profile -- cgit v1.2.3-70-g09d2 
From 7fe740bfbf95aa11769339d1b9fa9681516994b7 Mon Sep 17 00:00:00 2001 From: vismir2 Date: Sun, 2 Oct 2016 09:24:17 +0200 Subject: Fixed alphabetical order --- src/firecfg/firecfg.config | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 5d3248fbc..0564326bb 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -112,8 +112,10 @@ atril cherrytree evince fbreader -gwenview +gimp gthumb +gwenview +inkscape libreoffice localc lodraw @@ -123,19 +125,23 @@ loimpress lomath loweb lowriter +luminance-hdr +mupdf +qpdfview soffice +synfigstudio Mathematica mathematica okular pix xreader zathura -mupdf -qpdfview -luminance-hdr -synfigstudio -gimp -inkscape + + + + + + # other ssh -- cgit v1.2.3-70-g09d2 From 7c07a5ccb16b97793f4e4330849827f6c3584a58 Mon Sep 17 00:00:00 2001 From: vismir2 Date: Sun, 2 Oct 2016 09:25:00 +0200 Subject: Fixed spacing --- src/firecfg/firecfg.config | 6 ------ 1 file changed, 6 deletions(-) diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 0564326bb..9e5ff7f12 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -137,12 +137,6 @@ pix xreader zathura - - - - - - # other ssh atom-beta -- cgit v1.2.3-70-g09d2 From 46229d101a158ecd53e976799df8c4de20b65f0e Mon Sep 17 00:00:00 2001 From: vismir2 Date: Sun, 2 Oct 2016 09:27:16 +0200 Subject: Updated list of new profiles --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6fa6c996c..99b78d8ca 100644 --- a/README.md +++ b/README.md @@ -88,5 +88,5 @@ x11 xpra, x11 xephyr, x11 block, allusers, join-or-start ## New profiles -qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape +qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape, feh, ranger, zathura -- cgit v1.2.3-70-g09d2 From ba9edec22cce71b57266b20262fbb586314f3f8b Mon Sep 17 00:00:00 2001 
From: vismir2 Date: Sun, 2 Oct 2016 14:54:05 +0200 Subject: added muttrc to blacklisted secets ~/.muttrc, ~/.mutt/muttrc and ~/.msmtprc contain in most cases login credentials of the users mail accounts --- etc/disable-common.inc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index c4169db8a..4f854c8d8 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -121,6 +121,9 @@ blacklist ${HOME}/.smbcredentials blacklist ${HOME}/*.kdbx blacklist ${HOME}/*.kdb blacklist ${HOME}/*.key +blacklist ${HOME}/.muttrc +blacklist ${HOME}/.mutt/muttrc +blacklist ${HOME}/.msmtprc blacklist /etc/shadow blacklist /etc/gshadow blacklist /etc/passwd- -- cgit v1.2.3-70-g09d2 From 8026502c3758e82f64c13154030083460fa4528b Mon Sep 17 00:00:00 2001 From: vismir2 Date: Sun, 2 Oct 2016 14:55:19 +0200 Subject: added muttrc to disable-programs --- etc/disable-programs.inc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 1e2b81d27..bd338f401 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -67,6 +67,9 @@ blacklist ${HOME}/.config/qutebrowser blacklist ${HOME}/.8pecxstudios blacklist ${HOME}/.config/brave blacklist ${HOME}/.config/inox +blacklist ${HOME}/.muttrc +blacklist ${HOME}/.mutt/muttrc +blacklist ${HOME}/.msmtprc # Instant Messaging blacklist ${HOME}/.config/hexchat -- cgit v1.2.3-70-g09d2 From 931f09d320dc7ab6f27ea5e724e9791eda2cec8b Mon Sep 17 00:00:00 2001 From: vismir2 Date: Sun, 2 Oct 2016 14:59:27 +0200 Subject: Removed whitelisting There is no reason to assume the users database for cherrytree is in any of these specific directories. --- etc/cherrytree.profile | 6 ------ 1 file changed, 6 deletions(-) diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index 76ee70679..7c324a34b 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile 
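Review bot: The three added `blacklist` lines in etc/disable-common.inc cover `~/.mutt/muttrc` but leave the rest of `${HOME}/.mutt` readable, and a muttrc commonly pulls account settings and passwords from other files in that directory through `source`. If the aim is to keep mail credentials out of every sandbox, blacklisting the directory (`blacklist ${HOME}/.mutt`) is the safer default, with a `noblacklist` in any profile that legitimately needs it. The same three lines are added again in the etc/disable-programs.inc hunk of the next commit, in what looks like the browser group; keeping them in one include file avoids the two lists drifting apart.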
@@ -6,12 +6,6 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc -whitelist ${HOME}/cherrytree -mkdir ~/.config/cherrytree -whitelist ${HOME}/.config/cherrytree/ -mkdir ~/.local/share -whitelist ${HOME}/.local/share/ - caps.drop all netfilter nonewprivs -- cgit v1.2.3-70-g09d2 From afa0feed21dcd3b1ef30faf0a37110cef618feb4 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 2 Oct 2016 09:14:31 -0400 Subject: feh, ranger, zathura profiles --- README | 2 ++ RELNOTES | 1 + etc/disable-programs.inc | 3 +++ etc/zathura.profile | 4 ++-- 4 files changed, 8 insertions(+), 2 deletions(-) diff --git a/README b/README index dcdc7fde1..e98352913 100644 --- a/README +++ b/README @@ -77,6 +77,8 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added gnome-chess profile - added DOSBox profile - evince profile enhancement +vismir2 (https://github.com/vismir2) + - feh, ranger and zathura profiles graywolf (https://github.com/graywolf) - spelling fix Dara Adib (https://github.com/daradib) diff --git a/RELNOTES b/RELNOTES index 2775ecdde..ad4c750b5 100644 --- a/RELNOTES +++ b/RELNOTES @@ -17,6 +17,7 @@ firejail (0.9.43) baseline; urgency=low * feature: disable 3D hardware acceleration (--no3d) * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape + * new profiles: feh, ranger, zathura * bugfixes -- netblue30 Fri, 9 Sept 2016 08:00:00 -0500 diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 1e2b81d27..e9416b34a 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -32,6 +32,8 @@ blacklist ${HOME}/.config/synfig blacklist ${HOME}/.synfig blacklist ${HOME}/.inkscape blacklist ${HOME}/.gimp* +blacklist ${HOME}/.config/zathura + # Media players blacklist ${HOME}/.config/cmus 
@@ -142,6 +144,7 @@ blacklist ${HOME}/.local/share/psi+ blacklist ${HOME}/.local/share/pix blacklist ${HOME}/.local/share/gnome-chess blacklist ${HOME}/.local/share/qpdfview +blacklist ${HOME}/.local/share/zathura # ssh blacklist /tmp/ssh-* diff --git a/etc/zathura.profile b/etc/zathura.profile index 99d9a1a90..955792b2e 100644 --- a/etc/zathura.profile +++ b/etc/zathura.profile @@ -1,6 +1,6 @@ # zathura document viewer profile -# noblacklist ~/.config/zathura -# noblacklist ~/.local/share/zathura +noblacklist ~/.config/zathura +noblacklist ~/.local/share/zathura include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc -- cgit v1.2.3-70-g09d2 From b2b955ef34a62ec734d982fc601d77492dc4a232 Mon Sep 17 00:00:00 2001 From: vismir2 Date: Sun, 2 Oct 2016 15:41:45 +0200 Subject: hardened profile for feh --- etc/feh.profile | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/etc/feh.profile b/etc/feh.profile index ba8f32f44..5fcb6bf25 100644 --- a/etc/feh.profile +++ b/etc/feh.profile @@ -5,9 +5,17 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +seccomp +protocol unix netfilter +net none nonewprivs noroot +nogroups nosound -protocol unix -seccomp +shell none + +private-bin feh +whitelist /tmp/.X11-unix +private-dev +private-etc feh -- cgit v1.2.3-70-g09d2 From 83f5ee2ec327a9eca98fc835cc0f5cd68006c179 Mon Sep 17 00:00:00 2001 From: vismir2 Date: Sun, 2 Oct 2016 15:43:49 +0200 Subject: Fixed ranger to work correctly with atool needed perl, hardened profile --- etc/ranger.profile | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/etc/ranger.profile b/etc/ranger.profile index 775098d91..af137fa13 100644 --- a/etc/ranger.profile +++ b/etc/ranger.profile 
@@ -1,4 +1,9 @@ -# ranger file manager profile +# ranger profile +noblacklist /usr/bin/perl +#noblacklist /usr/bin/cpan* +noblacklist /usr/share/perl* +noblacklist /usr/lib/perl* + include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc @@ -6,8 +11,14 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter +net none nonewprivs noroot +nogroups protocol unix seccomp nosound + +private-tmp +private-dev + -- cgit v1.2.3-70-g09d2 From 8edf59794fb37758f94e4b5a208615b957ac5863 Mon Sep 17 00:00:00 2001 From: vismir2 Date: Sun, 2 Oct 2016 15:45:14 +0200 Subject: hardened profile for zathura --- etc/zathura.profile | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/etc/zathura.profile b/etc/zathura.profile index 99d9a1a90..f6651af09 100644 --- a/etc/zathura.profile +++ b/etc/zathura.profile @@ -1,4 +1,4 @@ -# zathura document viewer profile +# zathura viewer profile # noblacklist ~/.config/zathura # noblacklist ~/.local/share/zathura include /etc/firejail/disable-common.inc @@ -12,8 +12,9 @@ protocol unix netfilter nonewprivs noroot +nogroups nosound - -#net none shell none -#private-etc X11 + +private-bin zathura +private-dev -- cgit v1.2.3-70-g09d2 From 248bc971750a533888c61d0b97d0ff35542fe71d Mon Sep 17 00:00:00 2001 From: vismir2 Date: Sun, 2 Oct 2016 15:49:26 +0200 Subject: hardened mupdf --- etc/mupdf.profile | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/etc/mupdf.profile b/etc/mupdf.profile index 6f2db511b..d1a157c3c 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile @@ -11,8 +11,14 @@ noroot nosound protocol unix seccomp +netfilter shell none tracelog +private-bin mupdf private-tmp private-dev + +# mupdf will never write anything +read-only ${HOME} + -- cgit v1.2.3-70-g09d2 From 1bb1eb6d0970e8e60938fe70ee54b677288312c8 Mon Sep 17 00:00:00 2001 
From: vismir2 Date: Sun, 2 Oct 2016 15:56:13 +0200 Subject: fixed description --- etc/ranger.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/ranger.profile b/etc/ranger.profile index af137fa13..a040cd6bc 100644 --- a/etc/ranger.profile +++ b/etc/ranger.profile @@ -1,4 +1,4 @@ -# ranger profile +# ranger file manager profile noblacklist /usr/bin/perl #noblacklist /usr/bin/cpan* noblacklist /usr/share/perl* -- cgit v1.2.3-70-g09d2 From c313409c3d60dbde22ae932db7447d4ee8cb92fd Mon Sep 17 00:00:00 2001 From: vismir2 Date: Sun, 2 Oct 2016 15:56:41 +0200 Subject: fixed description --- etc/zathura.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/zathura.profile b/etc/zathura.profile index f6651af09..b3a9b0af8 100644 --- a/etc/zathura.profile +++ b/etc/zathura.profile @@ -1,4 +1,4 @@ -# zathura viewer profile +# zathura document viewer profile # noblacklist ~/.config/zathura # noblacklist ~/.local/share/zathura include /etc/firejail/disable-common.inc -- cgit v1.2.3-70-g09d2 From 89ce7a2091f469abf89fce88879a8092f5e00ff9 Mon Sep 17 00:00:00 2001 From: Reiner Herrmann Date: Sun, 2 Oct 2016 16:04:57 +0200 Subject: Fix typos found by lintian --- README.md | 4 ++-- src/firejail/x11.c | 2 +- src/man/firejail-profile.txt | 4 ++-- src/man/firejail.txt | 4 ++-- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 99b78d8ca..b6f80a52f 100644 --- a/README.md +++ b/README.md 
@@ -49,8 +49,8 @@ If you keep your Firejail profiles in a public repository, please give us a link ````` --x11=block Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file - specified in ${XAUTHORITY} enviroment variable. Remove DISPLAY and - XAUTHORITY enviroment variables. Stop with error message if X11 + specified in ${XAUTHORITY} environment variable. Remove DISPLAY and + XAUTHORITY environment variables. Stop with error message if X11 abstract socket will be accessible in jail. --put=name|pid src-filename dest-filename diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 2fa7f84d8..36023e067 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c @@ -627,7 +627,7 @@ void x11_block(void) { profile_add(line); } - // clear enviroment + // clear environment env_store("DISPLAY", RMENV); env_store("XAUTHORITY", RMENV); #endif diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 4c5651925..9583ad426 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -286,8 +286,8 @@ Enable X11 sandboxing with xpra. Enable X11 sandboxing with xephyr. .TP \fBx11 block -Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} enviroment variable. -Remove DISPLAY and XAUTHORITY enviroment variables. +Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable. +Remove DISPLAY and XAUTHORITY environment variables. Stop with error message if X11 abstract socket will be accessible in jail. .SH Resource limits, CPU affinity, Control Groups diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 2c4944331..3ceb21e78 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
@@ -1714,8 +1714,8 @@ $ firejail \-\-x11=xephyr --net=eth0 openbox .TP \fB\-\-x11=block -Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} enviroment variable. -Remove DISPLAY and XAUTHORITY enviroment variables. +Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable. +Remove DISPLAY and XAUTHORITY environment variables. Stop with error message if X11 abstract socket will be accessible in jail. .br -- cgit v1.2.3-70-g09d2 From b7d5d68ae43edb1cd2da60762a9e297934f76b5b Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 2 Oct 2016 10:23:29 -0400 Subject: renamed --x11=block to --x11=none, brought back the requirement for network namespaces for x11 sandboxing --- README | 3 ++- README.md | 4 ++-- RELNOTES | 2 -- src/firejail/main.c | 2 +- src/firejail/x11.c | 7 ++----- src/man/firejail.txt | 2 +- 6 files changed, 8 insertions(+), 12 deletions(-) diff --git a/README b/README index e98352913..325ef2aa5 100644 --- a/README +++ b/README @@ -43,7 +43,7 @@ Aleksey Manevich (https://github.com/manevich) - added --fix option to firecfg utility - read_pid fix - added --x11=block options - - x11 xpra, xphyr, block profile commands + - x11 xpra, xphyr, none profile commands - added --join-or-start command - CVE-2016-7545 Fred-Barclay (https://github.com/Fred-Barclay) @@ -79,6 +79,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - evince profile enhancement vismir2 (https://github.com/vismir2) - feh, ranger and zathura profiles + - lots of profile fixes graywolf (https://github.com/graywolf) - spelling fix Dara Adib (https://github.com/daradib) diff --git a/README.md b/README.md index b6f80a52f..a8075cc1e 100644 --- a/README.md +++ b/README.md 
@@ -47,7 +47,7 @@ If you keep your Firejail profiles in a public repository, please give us a link ## New command line options ````` - --x11=block + --x11=none Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable. Remove DISPLAY and XAUTHORITY environment variables. Stop with error message if X11 @@ -84,7 +84,7 @@ If you keep your Firejail profiles in a public repository, please give us a link ## New profile commands -x11 xpra, x11 xephyr, x11 block, allusers, join-or-start +x11 xpra, x11 xephyr, x11 none, allusers, join-or-start ## New profiles diff --git a/RELNOTES b/RELNOTES index ad4c750b5..4ae23c2f3 100644 --- a/RELNOTES +++ b/RELNOTES @@ -4,8 +4,6 @@ firejail (0.9.43) baseline; urgency=low * modifs: removed man firejail-config * modifs: --private-tmp whitelists /tmp/.X11-unix directory * modifs: Nvidia drivers added to --private-dev - * modifs: dropping requirement for network namespace when - using a --x11 * feature: support starting/joining sandbox is a single command (--join-or-start) * feature: X11 detection support for --audit diff --git a/src/firejail/main.c b/src/firejail/main.c index 91ea523ab..c4b7ce4dc 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -2208,7 +2208,7 @@ int main(int argc, char **argv) { return 1; } } - else if (strcmp(argv[i], "--x11=block") == 0) { + else if (strcmp(argv[i], "--x11=none") == 0) { arg_x11_block = 1; } else if (strncmp(argv[i], "--join-or-start=", 16) == 0) { diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 36023e067..def1dd324 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c @@ -52,7 +52,6 @@ static int x11_check_xephyr(void) { return 1; } -#if 0 // check for X11 abstract sockets static int x11_abstract_sockets_present(void) { char *path; @@ -77,7 +76,6 @@ static int x11_abstract_sockets_present(void) { return 0; } -#endif static int random_display_number(void) { int i; 
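Review bot: The comparison in main() now matches only `--x11=none`, so the `--x11=block` spelling used earlier in this series is no longer recognised, and what main() does with an unmatched argument is outside this hunk. For an option whose job is to cut X11 access, an old spelling that ends up ignored rather than rejected would leave the sandbox running with the display reachable, so I would accept both for a transition period: `else if (strcmp(argv[i], "--x11=none") == 0 || strcmp(argv[i], "--x11=block") == 0) {`. The same applies to the `x11 block` to `x11 none` comparison in the profile.c hunk of the following commit. The flag and function keep their old names (`arg_x11_block`, `x11_block()`), which deserves a one-line comment next to the option.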
@@ -598,18 +596,17 @@ void x11_start(int argc, char **argv) { void x11_block(void) { #ifdef HAVE_X11 mask_x11_abstract_socket = 1; -#if 0 + // check abstract socket presence and network namespace options if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured) && x11_abstract_sockets_present()) { - fprintf(stderr, "ERROR: --x11=block specified, but abstract X11 socket still accessible.\n" + fprintf(stderr, "ERROR: --x11=none specified, but abstract X11 socket still accessible.\n" "Additional setup required. To block abstract X11 socket you can either:\n" " * use network namespace in firejail (--net=none, --net=...)\n" " * add \"-nolisten local\" to xserver options\n" " (eg. to your display manager config, or /etc/X11/xinit/xserverrc)\n"); exit(1); } -#endif // blacklist sockets profile_check_line("blacklist /tmp/.X11-unix", 0, NULL); diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 3ceb21e78..aadc54677 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -1713,7 +1713,7 @@ Example: $ firejail \-\-x11=xephyr --net=eth0 openbox .TP -\fB\-\-x11=block +\fB\-\-x11=none Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable. Remove DISPLAY and XAUTHORITY environment variables. Stop with error message if X11 abstract socket will be accessible in jail. -- cgit v1.2.3-70-g09d2 From f9b1722032e79791590e03d271216482105c0e33 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 2 Oct 2016 10:24:14 -0400 Subject: renamed --x11=block to --x11=none, brought back the requirement for network namespaces for x11 sandboxing --- src/firejail/profile.c | 2 +- src/man/firejail-profile.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/firejail/profile.c b/src/firejail/profile.c index faf6c49b6..59ef42a74 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c 
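Review bot: The check re-enabled in x11_block() prints `ERROR:` in capitals while the other messages in x11.c use `Error:`; writing `"Error: --x11=none specified, but abstract X11 socket still accessible.\n"` keeps the prefix consistent for anything that matches on it. The condition reads `arg_nonetwork`, `cfg.bridge0.configured` and `cfg.interface0.configured`, so it is only meaningful if x11_block() runs after every network option and profile line has been processed. The call site is outside this hunk, so I would state that ordering requirement in a comment above the `if`.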
@@ -656,7 +656,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { return 0; } - if (strcmp(ptr, "x11 block") == 0) { + if (strcmp(ptr, "x11 none") == 0) { #ifdef HAVE_X11 arg_x11_block = 1; #endif diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 9583ad426..f4b2c22fa 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -285,7 +285,7 @@ Enable X11 sandboxing with xpra. \fBx11 xephyr Enable X11 sandboxing with xephyr. .TP -\fBx11 block +\fBx11 none Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable. Remove DISPLAY and XAUTHORITY environment variables. Stop with error message if X11 abstract socket will be accessible in jail. -- cgit v1.2.3-70-g09d2 From 0579100e2df9b9af899a7143ff1dd2511ca226c1 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 3 Oct 2016 10:15:14 -0400 Subject: --x11=xorg --- README.md | 36 +++++++++++++++---- RELNOTES | 1 + src/firejail/firejail.h | 2 ++ src/firejail/main.c | 13 +++++++ src/firejail/profile.c | 26 ++++++-------- src/firejail/sandbox.c | 15 +++++++- src/firejail/usage.c | 9 +++-- src/firejail/x11.c | 70 ++++++++++++++++++++++++++++++++++++ src/man/firejail-profile.txt | 15 ++++---- src/man/firejail.txt | 84 ++++++++++++++++++++++++++++++-------------- 10 files changed, 212 insertions(+), 59 deletions(-) diff --git a/README.md b/README.md index a8075cc1e..43aa183ef 100644 --- a/README.md +++ b/README.md 
@@ -45,14 +45,36 @@ If you keep your Firejail profiles in a public repository, please give us a link ````` # Current development version: 0.9.43 -## New command line options +## X11 development ````` - --x11=none - Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file - specified in ${XAUTHORITY} environment variable. Remove DISPLAY and - XAUTHORITY environment variables. Stop with error message if X11 - abstract socket will be accessible in jail. + --x11=none + Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and the + file specified in ${XAUTHORITY} environment variable. Remove + DISPLAY and XAUTHORITY environment variables. Stop with error + message if X11 abstract socket will be accessible in jail. + + --x11=xorg + Sandbox the application using the untrusted mode implemented by + X11 security extension. The extension is available in Xorg + package and it is installed by default on most Linux distribu‐ + tions. It provides support for a simple trusted/untrusted con‐ + nection model. Untrusted clients are restricted in certain ways + to prevent them from reading window contents of other clients, + stealing input events, etc. + + The untrusted mode has several limitations. A lot of regular + programs assume they are a trusted X11 clients and will crash + or lock up when run in untrusted mode. Chromium browser and + xterm are two examples. Firefox and transmission-gtk seem to be + working fine. A network namespace is not required for this + option. + Example: + $ firejail --x11=xorg firefox +````` + +## Other command line options +````` --put=name|pid src-filename dest-filename Put src-filename in sandbox container. The container is specified by name or PID. @@ -84,7 +106,7 @@ If you keep your Firejail profiles in a public repository, please give us a link ## New profile commands -x11 xpra, x11 xephyr, x11 none, allusers, join-or-start +x11 xpra, x11 xephyr, x11 none, x11 xorg allusers, join-or-start ## New profiles 
diff --git a/RELNOTES b/RELNOTES index 4ae23c2f3..df495c31a 100644 --- a/RELNOTES +++ b/RELNOTES @@ -12,6 +12,7 @@ firejail (0.9.43) baseline; urgency=low * feature: all user home directories are visible (--allusers) * feature: add files to sandbox container (--put) * feature: blocking x11 (--x11=block) + * feature: X11 security extension (--x11=xorg) * feature: disable 3D hardware acceleration (--no3d) * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index f2d490a6c..f4d468394 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -61,6 +61,7 @@ #define RUN_WHITELIST_OPT_DIR "/run/firejail/mnt/orig-opt" #define RUN_XAUTHORITY_FILE "/run/firejail/mnt/.Xauthority" +#define RUN_XAUTHORITY_SEC_FILE "/run/firejail/mnt/sec.Xauthority" #define RUN_ASOUNDRC_FILE "/run/firejail/mnt/.asoundrc" #define RUN_HOSTNAME_FILE "/run/firejail/mnt/hostname" #define RUN_HOSTS_FILE "/run/firejail/mnt/hosts" @@ -321,6 +322,7 @@ extern char *arg_audit_prog; // audit extern int arg_apparmor; // apparmor extern int arg_allow_debuggers; // allow debuggers extern int arg_x11_block; // block X11 +extern int arg_x11_xorg; // use X11 security extention extern int arg_allusers; // all user home directories visible extern int login_shell; diff --git a/src/firejail/main.c b/src/firejail/main.c index c4b7ce4dc..6d4eb21df 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -107,6 +107,7 @@ char *arg_audit_prog = NULL; // audit int arg_apparmor = 0; // apparmor int arg_allow_debuggers = 0; // allow debuggers int arg_x11_block = 0; // block X11 +int arg_x11_xorg = 0; // use X11 security extention int arg_allusers = 0; // all user home directories visible int login_shell = 0; 
@@ -2208,9 +2209,21 @@ int main(int argc, char **argv) { return 1; } } + + // unlike all other x11 features, this is available always else if (strcmp(argv[i], "--x11=none") == 0) { arg_x11_block = 1; } +#ifdef HAVE_X11 + else if (strcmp(argv[i], "--x11=xorg") == 0) { + if (checkcfg(CFG_X11)) + arg_x11_xorg = 1; + else { + fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n"); + exit(1); + } + } +#endif else if (strncmp(argv[i], "--join-or-start=", 16) == 0) { // NOTE: this is second part of option handler, // atempt to find and join sandbox is done in other one diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 59ef42a74..e5c35a89d 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -657,9 +657,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { } if (strcmp(ptr, "x11 none") == 0) { -#ifdef HAVE_X11 arg_x11_block = 1; -#endif return 0; } @@ -681,6 +679,17 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { return 0; } + if (strcmp(ptr, "x11 xorg") == 0) { +#ifdef HAVE_X11 + if (checkcfg(CFG_X11)) + arg_x11_xorg = 1; + else { + fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n"); + return 0; + } +#endif + return 0; + } if (strcmp(ptr, "x11 xpra") == 0) { #ifdef HAVE_X11 if (checkcfg(CFG_X11)) { @@ -717,19 +726,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { return 0; } -#if 0 - if (strncmp(ptr, "private-template ", 17) == 0) { - if (arg_private) { - fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n"); - exit(1); - } - cfg.private_template = ptr + 17; - fs_check_private_template(); - arg_private_template = 1; - - return 0; - } -#endif // private /etc list of files and directories if (strncmp(ptr, "private-etc ", 12) == 0) { if (arg_writable_etc) { diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 7b519c8c2..8021ce9a3 100644 --- a/src/firejail/sandbox.c 
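Review bot: In the new `x11 xorg` branch of profile_check_line(), the path where `checkcfg(CFG_X11)` is false prints an error and then does `return 0;`, the same value the branch returns on success, so as far as the hunk shows a profile that asks for X11 sandboxing carries on without it. The `--x11=xorg` branch added to main() in this same commit calls `exit(1)` for the identical condition. I would make the profile path fail closed as well by replacing that `return 0;` with `exit(1);`. When the build has no `HAVE_X11` the line is accepted and ignored silently; a warning there would tell the user the sandbox is running on the regular display. profile_check_line() starts and ends outside the hunk.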
+++ b/src/firejail/sandbox.c @@ -585,8 +585,19 @@ int sandbox(void* sandbox_arg) { fprintf(stderr, "Warning: private-bin feature is disabled in chroot\n"); else if (arg_overlay) fprintf(stderr, "Warning: private-bin feature is disabled in overlay\n"); - else + else { + // for --x11=xorg we need to add xauth command + if (arg_x11_xorg) { + EUID_USER(); + char *tmp; + if (asprintf(&tmp, "%s,xauth", cfg.bin_private_keep) == -1) + errExit("asprintf"); + cfg.bin_private_keep = tmp; + fs_check_bin_list(); + EUID_ROOT(); + } fs_private_bin_list(); + } } if (arg_private_tmp) { @@ -784,6 +795,8 @@ int sandbox(void* sandbox_arg) { // clean /tmp/.X11-unix sockets fs_x11(); + if (arg_x11_xorg) + x11_xorg(); //**************************** // set security filters diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 903817099..7db91b5a9 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -282,10 +282,13 @@ void usage(void) { printf(" --writable-etc - /etc directory is mounted read-write.\n\n"); printf(" --writable-var - /var directory is mounted read-write.\n\n"); - printf(" --x11 - enable X11 server. The software checks first if Xpra is installed,\n"); - printf("\tthen it checks if Xephyr is installed.\n\n"); - printf(" --x11=xpra - enable Xpra X11 server.\n\n"); + printf(" --x11 - enable X11 sandboxing. The software checks first if Xpra is\n"); + printf("\tinstalled, then it checks if Xephyr is installed. If all fails, it will\n"); + printf("\tattempt to use X11 security extension.\n\n"); + printf(" --x11=none - disable access to X11 sockets.\n\n"); printf(" --x11=xephyr - enable Xephyr X11 server. The window size is 800x600.\n\n"); + printf(" --x11=xorg - enable X11 security extension.\n\n"); + printf(" --x11=xpra - enable Xpra X11 server.\n\n"); printf(" --zsh - use /usr/bin/zsh as default shell.\n\n"); printf("\n"); printf("\n"); diff --git a/src/firejail/x11.c b/src/firejail/x11.c index def1dd324..d40d349e1 100644 --- a/src/firejail/x11.c 
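Review bot: The new `--x11` help text in usage() says that when Xpra and Xephyr are both missing "it will attempt to use X11 security extension", but the firejail.txt hunk of this commit says Firejail "will not attempt" it, and the x11.c hunk adds x11_xorg() without any visible change to x11_start() that would implement such a fallback. A user reading the help output would assume some isolation is applied when none may be. Unless the fallback exists elsewhere, I would drop the sentence and end the text at `printf("\tinstalled, then it checks if Xephyr is installed.\n\n");`.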
+++ b/src/firejail/x11.c @@ -629,3 +629,73 @@ void x11_block(void) { env_store("XAUTHORITY", RMENV); #endif } + +void x11_xorg(void) { +#ifdef HAVE_X11 + // destination + char *dest; + if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1) + errExit("asprintf"); + struct stat s; + if (stat(dest, &s) == -1) { + // create an .Xauthority file + FILE *fp = fopen(dest, "w"); + if (!fp) + errExit("fopen"); + SET_PERMS_STREAM(fp, getuid(), getgid(), 0600); + fclose(fp); + } + + if (stat("/usr/bin/xauth", &s) == -1) { + fprintf(stderr, "Error: cannot find /usr/bin/xauth executable\n"); + exit(1); + } + + pid_t child = fork(); + if (child < 0) + errExit("fork"); + if (child == 0) { + // generate a new .Xauthority file + if (arg_debug) + printf("Generating a new .Xauthority file\n"); + + // elevate privileges - files in /run/firejail/mnt directory belong to root + if (setreuid(0, 0) < 0) + errExit("setreuid"); + if (setregid(0, 0) < 0) + errExit("setregid"); + + char *display = getenv("DISPLAY"); + if (!display) + display = ":0.0"; + + execlp("/usr/bin/xauth", "/usr/bin/xauth", "-f", RUN_XAUTHORITY_SEC_FILE, + "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL); + + exit(0); + } + // wait for the child to finish + waitpid(child, NULL, 0); + + // check the file was created and set mode and ownership + if (stat(RUN_XAUTHORITY_SEC_FILE, &s) == -1) { + fprintf(stderr, "Error: cannot create the new .Xauthority file\n"); + exit(1); + } + if (chown(RUN_XAUTHORITY_SEC_FILE, getuid(), getgid()) == -1) + errExit("chown"); + if (chmod(RUN_XAUTHORITY_SEC_FILE, 0600) == -1) + errExit("chmod"); + + // mount + if (mount(RUN_XAUTHORITY_SEC_FILE, dest, "none", MS_BIND, "mode=0600") == -1) { + fprintf(stderr, "Error: cannot mount the new .Xauthority file\n"); + exit(1); + } + if (chown(dest, getuid(), getgid()) == -1) + errExit("chown"); + if (chmod(dest, 0600) == -1) + errExit("chmod"); + free(dest); +#endif +} 
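Review bot: x11_xorg() creates, bind-mounts over, chowns and chmods `cfg.homedir/.Xauthority` by path using `stat()`, `fopen(dest, "w")`, `mount()`, `chown()` and `chmod()`, all of which follow symbolic links, and the `setreuid(0, 0)` in the child suggests the function runs with root privileges available. Because the home directory is writable by the user being sandboxed, the path should be checked with `lstat()` and created with `O_EXCL | O_NOFOLLOW`, so that a privileged file operation cannot be redirected to a file outside the home directory. The child also exits with status 0 when `execlp()` fails and the parent ignores the status from `waitpid()`; the fence below covers both. xauth is executed as root with the caller's environment and `DISPLAY` value; running it with the user's credentials and letting root only place the resulting file would be the safer design, but that is a larger change than shown here.

```c
	// … unchanged: build dest from cfg.homedir …
	struct stat s;
	if (lstat(dest, &s) == 0) {
		// only an existing regular file owned by the user is an acceptable mount target
		if (!S_ISREG(s.st_mode) || s.st_uid != getuid()) {
			fprintf(stderr, "Error: invalid .Xauthority file\n");
			exit(1);
		}
	}
	else {
		// create an empty .Xauthority file without following a link at dest
		int fd = open(dest, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
		if (fd == -1)
			errExit("open");
		if (fchown(fd, getuid(), getgid()) == -1)
			errExit("fchown");
		if (fchmod(fd, 0600) == -1)
			errExit("fchmod");
		close(fd);
	}

	// … unchanged: /usr/bin/xauth check, fork() …
	if (child == 0) {
		// … unchanged: debug message, setreuid/setregid, DISPLAY lookup …
		execlp("/usr/bin/xauth", "/usr/bin/xauth", "-f", RUN_XAUTHORITY_SEC_FILE,
			"generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL);
		_exit(1);	// exec failed: must not look like success to the parent
	}

	// wait for the child and require a clean exit
	int status;
	if (waitpid(child, &status, 0) == -1 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) {
		fprintf(stderr, "Error: xauth failed to generate the untrusted cookie\n");
		exit(1);
	}
	// … unchanged: stat/chown/chmod of RUN_XAUTHORITY_SEC_FILE, bind mount, chown/chmod of dest, free(dest) …
```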
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index f4b2c22fa..d420fab7a 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -279,16 +279,19 @@ There is no root account (uid 0) defined in the namespace. \fBx11 Enable X11 sandboxing. .TP -\fBx11 xpra -Enable X11 sandboxing with xpra. -.TP -\fBx11 xephyr -Enable X11 sandboxing with xephyr. -.TP \fBx11 none Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable. Remove DISPLAY and XAUTHORITY environment variables. Stop with error message if X11 abstract socket will be accessible in jail. +.TP +\fBx11 xephyr +Enable X11 sandboxing with xephyr. +.TP +\fBx11 xorg +Enable X11 sandboxing with X11 security extension. +.TP +\fBx11 xpra +Enable X11 sandboxing with xpra. .SH Resource limits, CPU affinity, Control Groups These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox. diff --git a/src/man/firejail.txt b/src/man/firejail.txt index aadc54677..4aebb71e8 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
@@ -1662,15 +1662,17 @@ $ sudo firejail --writable-var .TP \fB\-\-x11 -Start a new X11 server using Xpra or Xephyr and attach the sandbox to this server. -The regular X11 server (display 0) is not visible in the sandbox. This prevents screenshot and keylogger -applications started in the sandbox from accessing other X11 displays. -A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket. +Sandbox the application using Xpra, Xephyr or Xorg security extension. +The sandbox will prevents screenshot and keylogger applications started inside the sandbox from accessing +clients running outside the sandbox. +Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr. +If all fails, Firejail will not attempt to use X11 security extension. .br -br -Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr. -This feature is not available when running as root. +.br +Xpra and Xephyr modes require a network namespace to be instantiated in order to disable +X11 abstract Unix socket. If this is not possible, the user can disable the abstract socket +by adding "-nolisten local" on Xorg command line. .br .br 
@@ -1679,31 +1681,30 @@ Example: $ firejail \-\-x11 --net=eth0 firefox .TP -\fB\-\-x11=xpra -Start a new X11 server using Xpra (http://xpra.org) and attach the sandbox to this server. -Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens. -On Debian platforms Xpra is installed with the command \fBsudo apt-get install xpra\fR. -This feature is not available when running as root. -.br - -.br -Example: -.br -$ firejail \-\-x11=xpra --net=eth0 firefox +\fB\-\-x11=none +Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and the file specified in ${XAUTHORITY} environment variable. +Remove DISPLAY and XAUTHORITY environment variables. +Stop with error message if X11 abstract socket will be accessible in jail. .TP \fB\-\-x11=xephyr -Start a new X11 server using Xephyr and attach the sandbox to this server. +Start Xephyr and attach the sandbox to this server. Xephyr is a display server implementing the X11 display server protocol. -It runs in a window just like other X applications, but it is an X server itself in which you can run other software. -The default Xephyr window size is 800x600. This can be modified in /etc/firejail/firejail.config file, -see \fBman 5 firejail-config\fR for more details. +A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket. +.br + +.br +Xephyr runs in a window just like any other X11 application. The default window size is 800x600. +This can be modified in /etc/firejail/firejail.config file. .br .br The recommended way to use this feature is to run a window manager inside the sandbox. A security profile for OpenBox is provided. -On Debian platforms Xephyr is installed with the command \fBsudo apt-get install xserver-xephyr\fR. +.br + +.br +Xephyr is developed by Xorg project. On Debian platforms it is installed with the command \fBsudo apt-get install xserver-xephyr\fR. This feature is not available when running as root. .br 
@@ -1713,11 +1714,40 @@ Example: $ firejail \-\-x11=xephyr --net=eth0 openbox .TP -\fB\-\-x11=none -Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable. -Remove DISPLAY and XAUTHORITY environment variables. -Stop with error message if X11 abstract socket will be accessible in jail. +\fB\-\-x11=xorg +Sandbox the application using the untrusted mode implemented by X11 security extension. +The extension is available in Xorg package +and it is installed by default on most Linux distributions. It provides support for a simple trusted/untrusted +connection model. Untrusted clients are restricted in certain ways to prevent them from reading window +contents of other clients, stealing input events, etc. + +The untrusted mode has several limitations. A lot of regular programs assume they are a trusted X11 clients +and will crash or lock up when run in untrusted mode. Chromium browser and xterm are two examples. +Firefox and transmission-gtk seem to be working fine. +A network namespace is not required for this option. +.br + +.br +Example: +.br +$ firejail \-\-x11=xorg firefox + +.TP +\fB\-\-x11=xpra +Start Xpra (http://xpra.org) and attach the sandbox to this server. +Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens. +A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket. +.br + +.br +On Debian platforms Xpra is installed with the command \fBsudo apt-get install xpra\fR. +This feature is not available when running as root. +.br + .br +Example: +.br +$ firejail \-\-x11=xpra --net=eth0 firefox .TP \fB\-\-zsh -- cgit v1.2.3-70-g09d2 From dfa025636778ee99a1c663a92cce1e061370156a Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Mon, 3 Oct 2016 11:33:22 -0400 Subject: keepass, keepassx, 7z profiles --- README | 2 +- README.md | 4 ++-- RELNOTES | 2 +- etc/7z.profile | 10 ++++++++++ etc/keepass.profile | 22 ++++++++++++++++++++++ etc/keepassx.profile | 23 +++++++++++++++++++++++ platform/debian/conffiles | 3 +++ src/firecfg/firecfg.config | 2 ++ 8 files changed, 64 insertions(+), 4 deletions(-) create mode 100644 etc/7z.profile create mode 100644 etc/keepass.profile create mode 100644 etc/keepassx.profile diff --git a/README b/README index 325ef2aa5..043e7445a 100644 --- a/README +++ b/README @@ -78,7 +78,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added DOSBox profile - evince profile enhancement vismir2 (https://github.com/vismir2) - - feh, ranger and zathura profiles + - feh, ranger, 7z, keepass, keepassx and zathura profiles - lots of profile fixes graywolf (https://github.com/graywolf) - spelling fix diff --git a/README.md b/README.md index 43aa183ef..6e50a7645 100644 --- a/README.md +++ b/README.md @@ -106,9 +106,9 @@ If you keep your Firejail profiles in a public repository, please give us a link ## New profile commands -x11 xpra, x11 xephyr, x11 none, x11 xorg allusers, join-or-start +x11 xpra, x11 xephyr, x11 none, x11 xorg, allusers, join-or-start ## New profiles -qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape, feh, ranger, zathura +qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape, feh, ranger, zathura, 7z, keepass, keepassx diff --git a/RELNOTES b/RELNOTES index df495c31a..bdafb6ff0 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -16,7 +16,7 @@ firejail (0.9.43) baseline; urgency=low * feature: disable 3D hardware acceleration (--no3d) * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape - * new profiles: feh, ranger, zathura + * new profiles: feh, ranger, zathura, 7z, keepass, keepassx * bugfixes -- netblue30 Fri, 9 Sept 2016 08:00:00 -0500 diff --git a/etc/7z.profile b/etc/7z.profile new file mode 100644 index 000000000..c9455317a --- /dev/null +++ b/etc/7z.profile @@ -0,0 +1,10 @@ +# p7zip crompression tool profile +quiet +ignore noroot +include /etc/firejail/default.profile +tracelog +net none +shell none +private-dev +private-tmp +nosound diff --git a/etc/keepass.profile b/etc/keepass.profile new file mode 100644 index 000000000..b2085f53d --- /dev/null +++ b/etc/keepass.profile @@ -0,0 +1,22 @@ +# keepass password manager profile + +noblacklist ${HOME}/.config/keepass +noblacklist ${HOME}/.keepass + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +shell none + +private-tmp +private-dev diff --git a/etc/keepassx.profile b/etc/keepassx.profile new file mode 100644 index 000000000..415160df3 --- /dev/null +++ b/etc/keepassx.profile @@ -0,0 +1,23 @@ +# keepassx password manager profile + +noblacklist ${HOME}/.config/keepassx +noblacklist ${HOME}/.keepassx +noblacklist ${HOME}/keepassx.kdbx + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +shell none + +private-tmp +private-dev 
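Review bot: keepass.profile and keepassx.profile both set `netfilter` next to `protocol unix`, which leaves the network intent of these two password-manager profiles unclear. As far as I know `netfilter` only takes effect when a new network namespace is requested, and `protocol unix` already keeps the program from opening inet sockets. If the intent is no network at all, `net none` says so directly, as 7z.profile in this same commit does. If KeePass needs network access for plugins or sync, which is not visible here, a one-line comment such as `# network needed for <feature>` above the `protocol` line would record the reason.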
diff --git a/platform/debian/conffiles b/platform/debian/conffiles index af8e74ba8..03fb2fe75 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -152,3 +152,6 @@ /etc/firejail/xz.profile /etc/firejail/xzdec.profile /etc/firejail/zathura.profile +/etc/firejail/7z.profile +/etc/firejail/keepass.profile +/etc/firejail/keepassx.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 9e5ff7f12..95d3d5caa 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -142,6 +142,8 @@ ssh atom-beta atom ranger +keepass +keepassx # weather/climate aweather -- cgit v1.2.3-70-g09d2 From ae4e4fa1e0e6c9383b9e580c023bfffd6bdacbe0 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 3 Oct 2016 16:34:46 -0400 Subject: removed private-tmp from sysutils --- etc/7z.profile | 3 +-- etc/cpio.profile | 1 - etc/file.profile | 1 - etc/gzip.profile | 1 - etc/less.profile | 1 - etc/strings.profile | 1 - etc/tar.profile | 1 - etc/unzip.profile | 1 - etc/uudeview.profile | 2 -- etc/xzdec.profile | 1 - 10 files changed, 1 insertion(+), 12 deletions(-) diff --git a/etc/7z.profile b/etc/7z.profile index c9455317a..0cb72ff8d 100644 --- a/etc/7z.profile +++ b/etc/7z.profile @@ -1,4 +1,4 @@ -# p7zip crompression tool profile +# 7zip crompression tool profile quiet ignore noroot include /etc/firejail/default.profile @@ -6,5 +6,4 @@ tracelog net none shell none private-dev -private-tmp nosound diff --git a/etc/cpio.profile b/etc/cpio.profile index 5772c7368..519bd244c 100644 --- a/etc/cpio.profile +++ b/etc/cpio.profile @@ -9,7 +9,6 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc private-dev -private-tmp seccomp caps.drop all net none diff --git a/etc/file.profile b/etc/file.profile index 860f7b104..2e54030b1 100644 --- a/etc/file.profile +++ b/etc/file.profile @@ -12,6 +12,5 @@ hostname file private-dev nosound no3d -private-tmp blacklist /tmp/.X11-unix 
diff --git a/etc/gzip.profile b/etc/gzip.profile index 4843839c5..5e73969c4 100644 --- a/etc/gzip.profile +++ b/etc/gzip.profile @@ -5,7 +5,6 @@ include /etc/firejail/default.profile tracelog net none shell none -private-tmp blacklist /tmp/.X11-unix private-dev nosound diff --git a/etc/less.profile b/etc/less.profile index 802e4196d..6dfae027e 100644 --- a/etc/less.profile +++ b/etc/less.profile @@ -6,5 +6,4 @@ tracelog net none shell none private-dev -private-tmp nosound diff --git a/etc/strings.profile b/etc/strings.profile index d013e7cb5..f99a65009 100644 --- a/etc/strings.profile +++ b/etc/strings.profile @@ -6,6 +6,5 @@ tracelog net none shell none private-dev -private-tmp nosound diff --git a/etc/tar.profile b/etc/tar.profile index 3f6599784..663ac3805 100644 --- a/etc/tar.profile +++ b/etc/tar.profile @@ -14,6 +14,5 @@ nosound no3d private-etc passwd,group,localtime hostname tar -private-tmp blacklist /tmp/.X11-unix diff --git a/etc/unzip.profile b/etc/unzip.profile index 957dbdd71..07224855f 100644 --- a/etc/unzip.profile +++ b/etc/unzip.profile @@ -12,6 +12,5 @@ hostname unzip private-dev nosound no3d -private-tmp blacklist /tmp/.X11-unix diff --git a/etc/uudeview.profile b/etc/uudeview.profile index 51e413493..8ea9d5163 100644 --- a/etc/uudeview.profile +++ b/etc/uudeview.profile @@ -1,5 +1,4 @@ # uudeview profile -# the default profile will disable root user, enable seccomp filter etc. quiet ignore noroot include /etc/firejail/default.profile @@ -9,7 +8,6 @@ net none shell none private-bin uudeview private-dev -private-tmp private-etc nonexisting_fakefile_for_empty_etc hostname uudeview nosound diff --git a/etc/xzdec.profile b/etc/xzdec.profile index 0647bddeb..a9d027c38 100644 --- a/etc/xzdec.profile +++ b/etc/xzdec.profile @@ -5,7 +5,6 @@ include /etc/firejail/default.profile tracelog net none shell none -private-tmp blacklist /tmp/.X11-unix private-dev nosound -- cgit v1.2.3-70-g09d2 
From 94a3017d9b81d61216fabad875a49eb137fa1215 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 4 Oct 2016 12:07:40 -0400 Subject: apparmor fix --- etc/firejail-default | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/firejail-default b/etc/firejail-default index 8abf2400b..0b771f834 100644 --- a/etc/firejail-default +++ b/etc/firejail-default @@ -82,6 +82,8 @@ profile firejail-default { /usr/local/** ix, /usr/lib/** ix, /usr/games/** ix, +/opt/ r, +/opt/** r, /opt/** ix, #/home/** ix, -- cgit v1.2.3-70-g09d2 From cbe61efad39348acc81671a3c920232aa2d34277 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 5 Oct 2016 18:26:49 +0200 Subject: fixed recovery issue --- etc/libreoffice.profile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index 75a52e9ff..d6aceb7a8 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile @@ -1,5 +1,6 @@ # Firejail profile for LibreOffice noblacklist ~/.config/libreoffice +noblacklist /usr/local/sbin include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc @@ -10,9 +11,9 @@ netfilter nogroups nonewprivs noroot -protocol unix,inet,inet6,netlink +protocol unix,inet,inet6 seccomp tracelog private-dev -whitelist /tmp/.X11-unix/ +# whitelist /tmp/.X11-unix/ -- cgit v1.2.3-70-g09d2 From fe3561f0d11032b3bad989a671ceb85b6142b5e2 Mon Sep 17 00:00:00 2001 From: vis Date: Wed, 5 Oct 2016 20:20:29 +0200 Subject: added emas and vim profiles --- etc/emacs.profile | 14 ++++++++++++++ etc/vim.profile | 14 ++++++++++++++ 2 files changed, 28 insertions(+) create mode 100644 etc/emacs.profile create mode 100644 etc/vim.profile diff --git a/etc/emacs.profile b/etc/emacs.profile new file mode 100644 index 000000000..2cf614ca7 --- /dev/null +++ b/etc/emacs.profile 
@@ -0,0 +1,14 @@
+# emacs profile
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nogroups
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/vim.profile b/etc/vim.profile
new file mode 100644
index 000000000..b16939475
--- /dev/null
+++ b/etc/vim.profile
@@ -0,0 +1,14 @@
+# vim profile
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nogroups
+protocol unix,inet,inet6
+seccomp
-- cgit v1.2.3-70-g09d2
From f6f7ac56d27fee5a62ded9b396f13045e5d97deb Mon Sep 17 00:00:00 2001
From: vis
Date: Wed, 5 Oct 2016 20:25:59 +0200
Subject: just a test
---
etc/test | 2 ++
1 file changed, 2 insertions(+)
create mode 100644 etc/test
diff --git a/etc/test b/etc/test
new file mode 100644
index 000000000..76e579ae4
--- /dev/null
+++ b/etc/test
@@ -0,0 +1,2 @@
+test
+
-- cgit v1.2.3-70-g09d2
From a2d80988d12762e4314b7a94fe57d1a74c872ac1 Mon Sep 17 00:00:00 2001
From: vis
Date: Wed, 5 Oct 2016 20:26:53 +0200
Subject: another test
---
etc/test2 | 1 +
1 file changed, 1 insertion(+)
create mode 100644 etc/test2
diff --git a/etc/test2 b/etc/test2
new file mode 100644
index 000000000..180cf8328
--- /dev/null
+++ b/etc/test2
@@ -0,0 +1 @@
+test2
-- cgit v1.2.3-70-g09d2
From 425603923633eee1c5f553567a025b59dd64411e Mon Sep 17 00:00:00 2001
From: vis
Date: Wed, 5 Oct 2016 20:28:02 +0200
Subject: 3.test
---
etc/test3 | 2 ++
1 file changed, 2 insertions(+)
create mode 100644 etc/test3
diff --git a/etc/test3 b/etc/test3
new file mode 100644
index 000000000..eefd60b4e
--- /dev/null
+++ b/etc/test3
@@ -0,0 +1,2 @@
+test3
+
-- cgit v1.2.3-70-g09d2
From f0299a6c367d3f4ddb9a4953aca2135b75f218ea Mon Sep 17 00:00:00 2001
From: netblue30 Date: Thu, 6 Oct 2016 08:01:33 -0400 Subject: libreoffice profile fixes --- README | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README b/README index 043e7445a..e835c4f19 100644 --- a/README +++ b/README @@ -77,6 +77,8 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added gnome-chess profile - added DOSBox profile - evince profile enhancement +valoq (https://github.com/valoq) + - LibreOffice profile fixes vismir2 (https://github.com/vismir2) - feh, ranger, 7z, keepass, keepassx and zathura profiles - lots of profile fixes -- cgit v1.2.3-70-g09d2 From 1db14e970dc636b69a7d72dc1e04145ca36d6ffc Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 8 Oct 2016 07:47:41 -0400 Subject: fix keepass profile --- etc/keepass.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/keepass.profile b/etc/keepass.profile index b2085f53d..23f9a7b40 100644 --- a/etc/keepass.profile +++ b/etc/keepass.profile @@ -13,7 +13,7 @@ nogroups nonewprivs noroot nosound -protocol unix +protocol unix,inet,inet6 seccomp netfilter shell none -- cgit v1.2.3-70-g09d2 From 40ed53c20b7a1a5569795a858c3bfe100083c666 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 8 Oct 2016 08:33:42 -0400 Subject: nvidia fix --- src/firejail/firejail.h | 3 +-- src/firejail/fs_dev.c | 2 +- src/firejail/main.c | 27 +++++++++++++++++++++------ src/firejail/util.c | 21 +++++---------------- 4 files changed, 28 insertions(+), 25 deletions(-) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index f4d468394..c801ea262 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -457,8 +457,7 @@ char *expand_home(const char *path, const char* homedir); const char *gnu_basename(const char *path); uid_t pid_get_uid(pid_t pid); void invalid_filename(const char *fname); -uid_t get_tty_gid(void); -uid_t get_audio_gid(void); +uid_t get_group_id(const char *group); int remove_directory(const char *path); void flush_stdin(void); 
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index daf0afd9e..aa5f7c28b 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c @@ -225,7 +225,7 @@ void fs_private_dev(void){ // mount /dev/pts - gid_t ttygid = get_tty_gid(); + gid_t ttygid = get_group_id("tty"); char *data; if (asprintf(&data, "newinstance,gid=%d,mode=620,ptmxmode=0666", (int) ttygid) == -1) errExit("asprintf"); diff --git a/src/firejail/main.c b/src/firejail/main.c index 6d4eb21df..987a79d1c 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -2555,16 +2555,31 @@ int main(int argc, char **argv) { ptr += strlen(ptr); // add tty group - gid_t ttygid = get_tty_gid(); - if (ttygid) { - sprintf(ptr, "%d %d 1\n", ttygid, ttygid); + gid_t g = get_group_id("tty"); + if (g) { + sprintf(ptr, "%d %d 1\n", g, g); ptr += strlen(ptr); } // add audio group - gid_t audiogid = get_audio_gid(); - if (ttygid) { - sprintf(ptr, "%d %d 1\n", audiogid, audiogid); + g = get_group_id("audio"); + if (g) { + sprintf(ptr, "%d %d 1\n", g, g); + ptr += strlen(ptr); + } + + // add video group + g = get_group_id("video"); + if (g) { + sprintf(ptr, "%d %d 1\n", g, g); + ptr += strlen(ptr); + } + + // add games group + g = get_group_id("games"); + if (g) { + sprintf(ptr, "%d %d 1\n", g, g); + ptr += strlen(ptr); } EUID_ROOT(); diff --git a/src/firejail/util.c b/src/firejail/util.c index 7aa0ae0e8..f38b02fd0 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c @@ -649,25 +649,14 @@ void invalid_filename(const char *fname) { } -uid_t get_tty_gid(void) { +uid_t get_group_id(const char *group) { // find tty group id - gid_t ttygid = 0; - struct group *g = getgrnam("tty"); + gid_t gid = 0; + struct group *g = getgrnam(group); if (g) - ttygid = g->gr_gid; + gid = g->gr_gid; - return ttygid; -} - - -uid_t get_audio_gid(void) { - // find tty group id - gid_t audiogid = 0; - struct group *g = getgrnam("audio"); - if (g) - audiogid = g->gr_gid; - - return audiogid; + return gid; } -- cgit v1.2.3-70-g09d2 
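Review bot: The four group blocks added to main() in the `@@ -2555,16 +2555,31 @@` hunk differ only in the group name, and each appends with an unbounded `sprintf` into `ptr`. The buffer is declared outside the hunk, so whether it has room for the extra `gid gid 1` lines cannot be checked from here. A loop over the names keeps one copy of the logic and gives a single place to switch to `snprintf` against the remaining space. `%d` is also used for a `gid_t`, which is unsigned on Linux; `%u` with an `(unsigned)` cast matches the type. main() starts before and continues after this hunk.

```c
		// add the supplementary groups that exist on this system
		static const char *const map_groups[] = { "tty", "audio", "video", "games" };
		for (size_t i = 0; i < sizeof(map_groups) / sizeof(map_groups[0]); i++) {
			gid_t g = get_group_id(map_groups[i]);
			if (g) {
				sprintf(ptr, "%u %u 1\n", (unsigned) g, (unsigned) g);
				ptr += strlen(ptr);
			}
		}
		// … unchanged: EUID_ROOT() and the rest of main() …
```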
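Review bot: `get_group_id()` is declared to return `uid_t` although it returns a group id (`gid_t gid`), both in util.c and in the firejail.h prototype; `gid_t get_group_id(const char *group)` states what it is. The comment `// find tty group id` was carried over from the removed helper and should read something like `// look up the named group; returns 0 if it does not exist`. Since 0 is also root's gid, a caller cannot tell a missing group from group root. The fs_dev.c hunk passes the value straight into the devpts `gid=` option, so that sentinel deserves a mention in the comment.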
From fe47611efe819382cb846b0ae1032080c2272fdc Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 9 Oct 2016 08:53:12 -0400 Subject: user name globbing for restricted shell --- src/firejail/restricted_shell.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/src/firejail/restricted_shell.c b/src/firejail/restricted_shell.c index 24ce27c2e..979bb1eed 100644 --- a/src/firejail/restricted_shell.c +++ b/src/firejail/restricted_shell.c @@ -18,6 +18,7 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include "firejail.h" +#include #define MAX_READ 4096 // maximum line length char *restricted_user = NULL; @@ -49,7 +50,11 @@ int restricted_shell(const char *user) { if (*ptr == '\n' || *ptr == '#') continue; - // parse line + // + // parse line + // + + // extract users char *usr = ptr; char *args = strchr(usr, ':'); if (args == NULL) { @@ -63,7 +68,7 @@ int restricted_shell(const char *user) { if (ptr) *ptr = '\0'; - // if nothing follows, continue + // extract firejail command line arguments char *ptr2 = args; int found = 0; while (*ptr2 != '\0') { @@ -73,12 +78,13 @@ int restricted_shell(const char *user) { } ptr2++; } + // if nothing follows, continue if (!found) continue; - // process user - if (strcmp(user, usr) == 0) { - // extract program arguments + // user name globbing + if (fnmatch(usr, user, 0) == 0) { + // process program arguments fullargv[0] = "firejail"; int i; -- cgit v1.2.3-70-g09d2 From 5a90ef30aea9eef9791d28c3db941c24d2c970a8 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 9 Oct 2016 11:05:12 -0400 Subject: moving appimage mount point from /tmp to /run --- src/firejail/appimage.c | 27 ++++++++++++++++----------- src/firejail/firejail.h | 1 + src/firejail/fs.c | 4 ++++ 3 files changed, 21 insertions(+), 11 deletions(-) diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index 05bd8a1d8..d654e51fc 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c 
@@ -54,9 +54,13 @@ void appimage_set(const char *appimage_path) { exit(1); } + // populate /run/firejail directory EUID_ROOT(); + fs_build_firejail_dir(); + EUID_USER(); // find or allocate a free loop device to use + EUID_ROOT(); int cfd = open("/dev/loop-control", O_RDWR); int devnr = ioctl(cfd, LOOP_CTL_GET_FREE); if (devnr == -1) { @@ -74,36 +78,37 @@ void appimage_set(const char *appimage_path) { } close(lfd); close(ffd); - EUID_USER(); - // creates directory with perms 0700 - char dirname[] = "/tmp/firejail-mnt-XXXXXX"; - mntdir = strdup(mkdtemp(dirname)); - if (mntdir == NULL) { - fprintf(stderr, "Error: cannot create temporary directory\n"); + // creates appimage mount point perms 0700 + if (asprintf(&mntdir, "%s/appimage-%u", RUN_FIREJAIL_APPIMAGE_DIR, getpid()) == -1) + errExit("asprintf"); + EUID_ROOT(); + if (mkdir(mntdir, 0700) == -1) { + fprintf(stderr, "Error: cannot create appimage mount point\n"); exit(1); } if (chmod(mntdir, 0700) == -1) errExit("chmod"); + if (chown(mntdir, getuid(), getgid()) == -1) + errExit("chown"); + EUID_USER(); ASSERT_PERMS(mntdir, getuid(), getgid(), 0700); + // mount char *mode; if (asprintf(&mode, "mode=700,uid=%d,gid=%d", getuid(), getgid()) == -1) errExit("asprintf"); - EUID_ROOT(); if (mount(devloop, mntdir, "iso9660",MS_MGC_VAL|MS_RDONLY, mode) < 0) errExit("mounting appimage"); - - if (arg_debug) printf("appimage mounted on %s\n", mntdir); EUID_USER(); + // set environment if (appimage_path && setenv("APPIMAGE", appimage_path, 1) < 0) errExit("setenv"); - if (mntdir && setenv("APPDIR", mntdir, 1) < 0) errExit("setenv"); @@ -124,7 +129,7 @@ void appimage_clear(void) { if (mntdir) { rv = umount2(mntdir, MNT_FORCE); if (rv == -1 && errno == EBUSY) { - sleep(1); + sleep(5); rv = umount2(mntdir, MNT_FORCE); (void) rv; diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index c801ea262..15e108056 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h 
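Review bot: The image named on the command line is still mounted with only `MS_MGC_VAL|MS_RDONLY`; the `mount()` call is an unchanged context line in the `@@ -74,36 +78,37 @@` hunk, but the block around it is reworked here to run as root from the loop-device setup through the mount. Adding `MS_NOSUID|MS_NODEV` keeps set-id bits and device nodes inside a user-chosen image from being honoured: `if (mount(devloop, mntdir, "iso9660", MS_MGC_VAL|MS_RDONLY|MS_NOSUID|MS_NODEV, mode) < 0)`. Whether the `mode=`/`uid=` options already neutralise this depends on the extensions present in the image, so treat the flags as defence in depth. In the new lines, `%u` is given a `pid_t` from `getpid()`, which wants an `(unsigned)` cast. appimage_set() begins before this hunk.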
@@ -28,6 +28,7 @@ // filesystem #define RUN_FIREJAIL_BASEDIR "/run" #define RUN_FIREJAIL_DIR "/run/firejail" +#define RUN_FIREJAIL_APPIMAGE_DIR "/run/firejail/appimage" #define RUN_FIREJAIL_NAME_DIR "/run/firejail/name" #define RUN_FIREJAIL_X11_DIR "/run/firejail/x11" #define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network" diff --git a/src/firejail/fs.c b/src/firejail/fs.c index b40f8a3fa..d63ed104f 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -104,6 +104,10 @@ void fs_build_firejail_dir(void) { create_dir_as_root(RUN_FIREJAIL_X11_DIR, 0755); } + if (stat(RUN_FIREJAIL_APPIMAGE_DIR, &s)) { + create_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755); + } + create_empty_dir(); create_empty_file(); } -- cgit v1.2.3-70-g09d2 From 223543a7e5bc520af0373415f5baca4449bebff0 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 9 Oct 2016 11:12:34 -0400 Subject: moving appimage mount point from /tmp to /run - fixing --private-tmp --- src/firejail/fs_whitelist.c | 23 ----------------------- 1 file changed, 23 deletions(-) diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index ad7fea227..849861805 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c 
@@ -550,29 +550,6 @@ void fs_whitelist(void) { if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) errExit("mounting tmpfs on /tmp"); fs_logger("tmpfs /tmp"); - - // mount appimage directory if necessary - if (arg_appimage) { - const char *dir = appimage_getdir(); - assert(dir); - char *wdir; - if (asprintf(&wdir, "%s/%s", RUN_WHITELIST_TMP_DIR, dir + 4) == -1) - errExit("asprintf"); - - // create directory - if (mkdir(dir, 0755) < 0) - errExit("mkdir"); - if (chown(dir, getuid(), getgid()) < 0) - errExit("chown"); - if (chmod(dir, 0755) < 0) - errExit("chmod"); - - // mount - if (mount(wdir, dir, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); - fs_logger2("whitelist", dir); - free(wdir); - } } // /media mountpoint -- cgit v1.2.3-70-g09d2 From e0f28ab1a1551f78154670283e1dbb2af99853b5 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 9 Oct 2016 11:20:41 -0400 Subject: cleanup --- src/firejail/fs.c | 13 +++++++------ src/firejail/fs_bin.c | 2 +- src/firejail/fs_etc.c | 2 +- src/firejail/fs_home.c | 2 +- src/firejail/fs_trace.c | 2 +- src/firejail/fs_var.c | 2 +- src/firejail/seccomp.c | 8 ++++---- 7 files changed, 16 insertions(+), 15 deletions(-) diff --git a/src/firejail/fs.c b/src/firejail/fs.c index d63ed104f..a5f12c7df 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -77,14 +77,15 @@ void fs_build_firejail_dir(void) { if (stat(RUN_FIREJAIL_BASEDIR, &s)) { create_dir_as_root(RUN_FIREJAIL_BASEDIR, 0755); } - else { // check /tmp/firejail directory belongs to root end exit if doesn't! + + // check /run/firejail directory belongs to root end exit if doesn't! + if (stat(RUN_FIREJAIL_DIR, &s) == 0) { if (s.st_uid != 0 || s.st_gid != 0) { fprintf(stderr, "Error: non-root %s directory, exiting...\n", RUN_FIREJAIL_DIR); exit(1); } } - - if (stat(RUN_FIREJAIL_DIR, &s)) { + else { create_dir_as_root(RUN_FIREJAIL_DIR, 0755); } 
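Review bot: The reworked check in fs_build_firejail_dir() (`@@ -77,14 +77,15 @@` in fs.c) accepts whatever `stat()` finds at `RUN_FIREJAIL_DIR` as long as uid and gid are 0, so a root-owned regular file or a group- or world-writable directory passes. Since the check exists to refuse a tampered runtime directory, it could also require a directory with no write bits for others: `if (!S_ISDIR(s.st_mode) || s.st_uid != 0 || s.st_gid != 0 || (s.st_mode & (S_IWGRP | S_IWOTH))) {`. The comment above it has a typo, `end exit` for `and exit`. The function starts before and continues after this hunk.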
@@ -113,7 +114,7 @@ void fs_build_firejail_dir(void) { } -// build /tmp/firejail/mnt directory +// build /run/firejail/mnt directory static int tmpfs_mounted = 0; #ifdef HAVE_CHROOT static void fs_build_remount_mnt_dir(void) { @@ -137,7 +138,7 @@ void fs_build_mnt_dir(void) { if (arg_debug) printf("Mounting tmpfs on %s directory\n", RUN_MNT_DIR); if (mount("tmpfs", RUN_MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) - errExit("mounting /tmp/firejail/mnt"); + errExit("mounting /run/firejail/mnt"); tmpfs_mounted = 1; fs_logger2("tmpfs", RUN_MNT_DIR); } @@ -1254,7 +1255,7 @@ void fs_private_tmp(void) { if (arg_debug) printf("Mounting tmpfs on /tmp directory\n"); if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) - errExit("mounting /tmp/firejail/mnt"); + errExit("mounting tmpfs on /tmp directory"); fs_logger2("tmpfs", "/tmp"); } diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index 40539305f..e65474f44 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c @@ -208,7 +208,7 @@ void fs_private_bin_list(void) { char *private_list = cfg.bin_private_keep; assert(private_list); - // create /tmp/firejail/mnt/bin directory + // create /run/firejail/mnt/bin directory fs_build_mnt_dir(); if (mkdir(RUN_BIN_DIR, 0755) == -1) errExit("mkdir"); diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index e860bc173..fc9e40ca0 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c @@ -128,7 +128,7 @@ void fs_private_etc_list(void) { exit(1); } - // create /tmp/firejail/mnt/etc directory + // create /run/firejail/mnt/etc directory fs_build_mnt_dir(); if (mkdir(RUN_ETC_DIR, 0755) == -1) errExit("mkdir"); diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 63d5a1c5e..bd3c404e9 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c 
@@ -591,7 +591,7 @@ void fs_private_home_list(void) { exit(1); } - // create /tmp/firejail/mnt/home directory + // create /run/firejail/mnt/home directory fs_build_mnt_dir(); int rv = mkdir(RUN_HOME_DIR, 0755); if (rv == -1) diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c index 78fc8a647..37e899f12 100644 --- a/src/firejail/fs_trace.c +++ b/src/firejail/fs_trace.c @@ -44,7 +44,7 @@ void fs_trace_preload(void) { } void fs_trace(void) { - // create /tmp/firejail/mnt directory + // create /run/firejail/mnt directory fs_build_mnt_dir(); // create the new ld.so.preload file and mount-bind it diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index a578d04e6..4468efb10 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c @@ -317,7 +317,7 @@ void fs_var_utmp(void) { return; } - // create /tmp/firejail/mnt directory + // create /run/firejail/mnt directory fs_build_mnt_dir(); // create a new utmp file diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index c2da1168a..549359d94 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c @@ -708,7 +708,7 @@ int seccomp_filter_drop(int enforce_seccomp) { if (arg_debug) filter_debug(); - // save seccomp filter in /tmp/firejail/mnt/seccomp + // save seccomp filter in /run/firejail/mnt/seccomp // in order to use it in --join operations write_seccomp_file(); @@ -754,7 +754,7 @@ int seccomp_filter_keep(void) { if (arg_debug) filter_debug(); - // save seccomp filter in /tmp/firejail/mnt/seccomp + // save seccomp filter in /run/firejail/mnt/seccomp // in order to use it in --join operations write_seccomp_file(); @@ -796,7 +796,7 @@ int seccomp_filter_errno(void) { if (arg_debug) filter_debug(); - // save seccomp filter in /tmp/firejail/mnt/seccomp + // save seccomp filter in /run/firejail/mnt/seccomp // in order to use it in --join operations write_seccomp_file(); 
@@ -819,7 +819,7 @@ int seccomp_filter_errno(void) { void seccomp_set(void) { - // read seccomp filter from /tmp/firejail/mnt/seccomp + // read seccomp filter from /runp/firejail/mnt/seccomp read_seccomp_file(RUN_SECCOMP_CFG); // apply filter -- cgit v1.2.3-70-g09d2 From 31d271a5a87b22988c7bd145ac5fed6882f9255b Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 9 Oct 2016 11:29:02 -0400 Subject: appimage umount fix --- src/firejail/appimage.c | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index d654e51fc..375d6be24 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c @@ -126,16 +126,32 @@ void appimage_set(const char *appimage_path) { void appimage_clear(void) { int rv; + EUID_ROOT(); if (mntdir) { - rv = umount2(mntdir, MNT_FORCE); - if (rv == -1 && errno == EBUSY) { - sleep(5); + int i; + int rv = 0; + for (i = 0; i < 5; i++) { rv = umount2(mntdir, MNT_FORCE); - (void) rv; + if (rv == 0) + break; + if (rv == -1 && errno == EBUSY) { + if (!arg_quiet) + printf("Warning: EBUSY error trying to unmount %s\n", mntdir); + sleep(2); + continue; + } + // rv = -1 + if (!arg_quiet) { + printf("Warning: error trying to unmount %s\n", mntdir); + perror("umount"); + } + } + + if (rv == 0) { + rmdir(mntdir); + free(mntdir); } - rmdir(mntdir); - free(mntdir); } if (devloop) { -- cgit v1.2.3-70-g09d2 From ff4b558eefe0b7b96918529a23e5a9ff4ce8339f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 9 Oct 2016 11:35:08 -0400 Subject: apparmor/appimage support --- etc/firejail-default | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/firejail-default b/etc/firejail-default index 0b771f834..1b0eb7658 100644 --- a/etc/firejail-default +++ b/etc/firejail-default 
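Review bot: The updated comment in seccomp_set() reads `/runp/firejail/mnt/seccomp`, while the three sibling comments changed in this file say `/run/firejail/mnt/seccomp`. Naming the macro instead of the literal path keeps the comment from going stale on the next move: `// read seccomp filter from RUN_SECCOMP_CFG`.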
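Review bot: In the new retry loop of appimage_clear(), a `umount2()` failure other than EBUSY prints its warning and then falls into the next iteration, so the same error is retried and reported up to five times with no delay. A `break;` after the `perror("umount");` block ends the loop on errors that retrying cannot fix; `perror()` also runs after `printf()`, which may have changed `errno`, so save it first. The inner `int rv = 0;` shadows the `int rv;` declared at the top of the function. When every attempt fails, the mount point is left behind and `mntdir` is not freed; a later run that computes the same `appimage-<pid>` name would then stop at `mkdir`, so that outcome deserves a comment or an explicit cleanup path. The function continues outside the hunk, including whatever restores the effective uid after the added `EUID_ROOT()`.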
@@ -31,6 +31,9 @@ profile firejail-default { /{,var/}run/user/**/pulse/ rw, /{,var/}run/user/**/pulse/** rw, /{,var/}run/firejail/mnt/fslogger r, +/{,var/}run/firejail/appimage r, +/{,var/}run/firejail/appimage/** r, +/{,var/}run/firejail/appimage/** ix, /{run,dev}/shm/ r, /{run,dev}/shm/** rmwk, -- cgit v1.2.3-70-g09d2 From 6226aeef298b58a8568acef2aff79d606ca0eec8 Mon Sep 17 00:00:00 2001 From: valoq Date: Sun, 9 Oct 2016 18:37:30 +0200 Subject: fixed database not found error fix for https://github.com/netblue30/firejail/issues/850 --- etc/cherrytree.profile | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index 7c324a34b..5d8067553 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile @@ -1,6 +1,7 @@ # cherrytree note taking application noblacklist /usr/bin/python2* noblacklist /usr/lib/python3* +noblacklist ${HOME}/.config/cherrytree/ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc -- cgit v1.2.3-70-g09d2 From e7fdfc50f6372ecf0949b12005d776d1180c71e4 Mon Sep 17 00:00:00 2001 From: Dara Adib Date: Sun, 9 Oct 2016 14:53:15 -0400 Subject: Allow evince to access /tmp firefox will save files under /tmp/mozilla_* and try to open them with evince when evince is the default PDF reader. --- etc/evince.profile | 1 - 1 file changed, 1 deletion(-) diff --git a/etc/evince.profile b/etc/evince.profile index 374fa4aaa..894c7c70d 100644 --- a/etc/evince.profile +++ b/etc/evince.profile @@ -15,5 +15,4 @@ shell none tracelog private-bin evince,evince-previewer,evince-thumbnailer -whitelist /tmp/.X11-unix private-dev -- cgit v1.2.3-70-g09d2 From 7a64973444272f381ae5ca7b9e99246e16c38daf Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 9 Oct 2016 19:45:44 -0400 Subject: readme --- README | 6 ++++-- README.md | 2 ++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/README b/README index e835c4f19..c0ed16e62 100644 --- a/README 
+++ b/README @@ -77,15 +77,17 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added gnome-chess profile - added DOSBox profile - evince profile enhancement +Dara Adib (https://github.com/daradib) + - ssh profile fix + - evince profile fix valoq (https://github.com/valoq) - LibreOffice profile fixes + - cherrytree profile fixes vismir2 (https://github.com/vismir2) - feh, ranger, 7z, keepass, keepassx and zathura profiles - lots of profile fixes graywolf (https://github.com/graywolf) - spelling fix -Dara Adib (https://github.com/daradib) - - ssh profile fix Tomasz Jan Góralczyk (https://github.com/tjg) - fixed Steam profile pwnage-pineapple (https://github.com/pwnage-pineapple) diff --git a/README.md b/README.md index 6e50a7645..c5a6d88fe 100644 --- a/README.md +++ b/README.md @@ -40,6 +40,8 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ If you keep your Firejail profiles in a public repository, please give us a link: * https://github.com/chiraag-nataraj/firejail-profiles + +* https://github.com/triceratops1/fe ````` ````` -- cgit v1.2.3-70-g09d2 From 457804e054aabc1ac530d452ddc9e73729ec4b67 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 9 Oct 2016 19:49:10 -0400 Subject: cherrytree profile --- etc/cherrytree.profile | 9 --------- 1 file changed, 9 deletions(-) diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index 5d8067553..d16e7c067 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile 
@@ -16,13 +16,4 @@ seccomp protocol unix,inet,inet6,netlink tracelog -include /etc/firejail/whitelist-common.inc -# no private-bin support for various reasons: -#10:25:34 exec 11249 (root) NEW SANDBOX: /usr/bin/firejail /usr/bin/cherrytree -#10:25:34 exec 11252 (netblue) /bin/bash -c "/usr/bin/cherrytree" -#10:25:34 exec 11252 (netblue) /usr/bin/python /usr/bin/cherrytree -#10:25:34 exec 11253 (netblue) sh -c /sbin/ldconfig -p 2>/dev/null -#10:25:34 exec 11255 (netblue) sh -c if type gcc >/dev/null 2>&1; then CC=gcc; elif type cc >/dev/null 2>&1; then CC=cc;else exit 10; fi;LANG=C LC_ALL=C $CC -Wl,-t -o /tmp/tmpiYr44S 2>&1 -llibc -# it requires acces to browser to show the online help -# it doesn't play nicely with expect -- cgit v1.2.3-70-g09d2 From 105d3aec81be03c9b3e897142265b0a1cd12326d Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 9 Oct 2016 19:55:59 -0400 Subject: vlc profile fix --- etc/vlc.profile | 1 - 1 file changed, 1 deletion(-) diff --git a/etc/vlc.profile b/etc/vlc.profile index cdd098dd5..446e47864 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile @@ -14,7 +14,6 @@ noroot protocol unix,inet,inet6 seccomp shell none -tracelog private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc private-dev -- cgit v1.2.3-70-g09d2 From 81485bba858194306b076dab1668eb900fe7b174 Mon Sep 17 00:00:00 2001 From: vismir2 Date: Mon, 10 Oct 2016 13:17:44 +0200 Subject: Create mutt.profile --- etc/mutt.profile | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 etc/mutt.profile diff --git a/etc/mutt.profile b/etc/mutt.profile new file mode 100644 index 000000000..38874f6d8 --- /dev/null +++ b/etc/mutt.profile 
@@ -0,0 +1,31 @@ +# mutt email client profile + +noblacklist ~/.muttrc +noblacklist ~/.mutt/muttrc +noblacklist ~/.gnupg +noblacklist ~/.mail +noblacklist ~/.Mail +noblacklist ~/mail +noblacklist ~/Mail +noblacklist ~/.cache/mutt + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-devel.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +nosound +protocol unix,inet,inet6 +seccomp +shell none + +private-bin mutt +private-dev +private-etc +# private-tmp +# whitelist /tmp/.X11-unix -- cgit v1.2.3-70-g09d2 From 193f38afa3066a2658b40ae92de27356df80afb4 Mon Sep 17 00:00:00 2001 From: vis Date: Mon, 10 Oct 2016 14:14:06 +0200 Subject: added mutt.prifile --- etc/mutt.profile | 16 +++++++++++----- etc/test | 2 -- etc/test2 | 1 - etc/test3 | 2 -- 4 files changed, 11 insertions(+), 10 deletions(-) delete mode 100644 etc/test delete mode 100644 etc/test2 delete mode 100644 etc/test3 diff --git a/etc/mutt.profile b/etc/mutt.profile index 38874f6d8..7f92efebe 100644 --- a/etc/mutt.profile +++ b/etc/mutt.profile @@ -1,13 +1,23 @@ # mutt email client profile noblacklist ~/.muttrc -noblacklist ~/.mutt/muttrc +noblacklist ~/.mutt +noblacklist ~/.mailcap noblacklist ~/.gnupg noblacklist ~/.mail noblacklist ~/.Mail noblacklist ~/mail noblacklist ~/Mail +noblacklist ~/sent +noblacklist ~/postponed noblacklist ~/.cache/mutt +noblacklist ~/.w3m +noblacklist ~/.elinks +noblacklist ~/.vim +noblacklist ~/.viminfo +noblacklist ~/.emacs +noblacklist ~/.emacs.d +noblacklist ~/.bogofilter include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc @@ -24,8 +34,4 @@ protocol unix,inet,inet6 seccomp shell none -private-bin mutt private-dev -private-etc -# private-tmp -# whitelist /tmp/.X11-unix diff --git a/etc/test b/etc/test deleted file mode 100644 index 76e579ae4..000000000 --- a/etc/test +++ /dev/null @@ -1,2 +0,0 @@ -test - 
diff --git a/etc/test2 b/etc/test2 deleted file mode 100644 index 180cf8328..000000000 --- a/etc/test2 +++ /dev/null @@ -1 +0,0 @@ -test2 diff --git a/etc/test3 b/etc/test3 deleted file mode 100644 index eefd60b4e..000000000 --- a/etc/test3 +++ /dev/null @@ -1,2 +0,0 @@ -test3 - -- cgit v1.2.3-70-g09d2 From a1d0712d1ae6fb629c509ff827ac42694163732c Mon Sep 17 00:00:00 2001 From: vis Date: Mon, 10 Oct 2016 14:17:16 +0200 Subject: added testfile --- etc/test | 1 + 1 file changed, 1 insertion(+) create mode 100644 etc/test diff --git a/etc/test b/etc/test new file mode 100644 index 000000000..038d718da --- /dev/null +++ b/etc/test @@ -0,0 +1 @@ +testing -- cgit v1.2.3-70-g09d2 From 50c242a920f7a2cb1e27128de469714bbf518f1c Mon Sep 17 00:00:00 2001 From: vis Date: Mon, 10 Oct 2016 14:17:51 +0200 Subject: test --- etc/test | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/test b/etc/test index 038d718da..c9a2808b8 100644 --- a/etc/test +++ b/etc/test @@ -1 +1,4 @@ testing + +test2 + -- cgit v1.2.3-70-g09d2 From 96138a2bf56bf9f2469b302175f6a2fc1736651d Mon Sep 17 00:00:00 2001 From: vis Date: Mon, 10 Oct 2016 14:19:43 +0200 Subject: testing --- etc/test | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/test b/etc/test index c9a2808b8..b2e6d6fbb 100644 --- a/etc/test +++ b/etc/test @@ -1,4 +1,4 @@ testing -test2 +test3 -- cgit v1.2.3-70-g09d2 From bfb22e2217a217ba4e914dcc3063774eadf9f167 Mon Sep 17 00:00:00 2001 From: vis Date: Mon, 10 Oct 2016 14:22:05 +0200 Subject: added git.profile --- etc/git.profile | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 etc/git.profile diff --git a/etc/git.profile b/etc/git.profile new file mode 100644 index 000000000..2fb55377d --- /dev/null +++ b/etc/git.profile 
@@ -0,0 +1,27 @@ +# git profile + +noblacklist ~/.gitconfig +noblacklist ~/.ssh +noblacklist ~/.gnupg +noblacklist ~/.emacs +noblacklist ~/.emacs.d +noblacklist ~/.viminfo +noblacklist ~/.vim + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +quiet + +caps.drop all +netfilter +nonewprivs +noroot +nogroups +nosound +protocol unix,inet,inet6 +seccomp +shell none + +private-dev -- cgit v1.2.3-70-g09d2 From 4120b2ca2d8a32296bb955e1dbbd3824277afc57 Mon Sep 17 00:00:00 2001 From: vis Date: Mon, 10 Oct 2016 14:35:40 +0200 Subject: added claws-mail profile --- etc/claws-mail.profile | 25 +++++++++++++++++++++++++ etc/mutt.profile | 1 + 2 files changed, 26 insertions(+) create mode 100644 etc/claws-mail.profile diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile new file mode 100644 index 000000000..6dbf893ab --- /dev/null +++ b/etc/claws-mail.profile @@ -0,0 +1,25 @@ +# claws-mail profile + +noblacklist ~/.claws-mail +noblacklist ~/.signature +noblacklist ~/.ssh +noblacklist ~/.gnupg + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +nogroups +nosound +protocol unix,inet,inet6 +seccomp +shell none + +private-dev +private-tmp + diff --git a/etc/mutt.profile b/etc/mutt.profile index 7f92efebe..4c9a30dac 100644 --- a/etc/mutt.profile +++ b/etc/mutt.profile @@ -17,6 +17,7 @@ noblacklist ~/.vim noblacklist ~/.viminfo noblacklist ~/.emacs noblacklist ~/.emacs.d +noblacklist ~/.signature noblacklist ~/.bogofilter include /etc/firejail/disable-common.inc -- cgit v1.2.3-70-g09d2 From 2edd1511b6c90b389fc541d42f23f95818230f97 Mon Sep 17 00:00:00 2001 From: vismir2 Date: Mon, 10 Oct 2016 14:45:25 +0200 Subject: Delete test --- etc/test | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 etc/test 
diff --git a/etc/test b/etc/test deleted file mode 100644 index b2e6d6fbb..000000000 --- a/etc/test +++ /dev/null @@ -1,4 +0,0 @@ -testing - -test3 - -- cgit v1.2.3-70-g09d2 From c297512764977e4f4683dc19500c5b61d2a06503 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 11 Oct 2016 09:21:22 -0400 Subject: new profiles --- README | 2 ++ README.md | 3 ++- RELNOTES | 3 ++- platform/debian/conffiles | 6 ++++++ 4 files changed, 12 insertions(+), 2 deletions(-) diff --git a/README b/README index c0ed16e62..af09db5ca 100644 --- a/README +++ b/README @@ -77,6 +77,8 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added gnome-chess profile - added DOSBox profile - evince profile enhancement +vismir2 (https://github.com/vismir2) + - claws-mail, mutt, git, emacs, vim profiles Dara Adib (https://github.com/daradib) - ssh profile fix - evince profile fix diff --git a/README.md b/README.md index c5a6d88fe..a51651948 100644 --- a/README.md +++ b/README.md @@ -112,5 +112,6 @@ x11 xpra, x11 xephyr, x11 none, x11 xorg, allusers, join-or-start ## New profiles -qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape, feh, ranger, zathura, 7z, keepass, keepassx +qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape, feh, ranger, zathura, 7z, keepass, keepassx, +claws-mail, mutt, git, emacs, vim diff --git a/RELNOTES b/RELNOTES index bdafb6ff0..14b84901c 100644 --- a/RELNOTES +++ b/RELNOTES @@ -16,7 +16,8 @@ firejail (0.9.43) baseline; urgency=low * feature: disable 3D hardware acceleration (--no3d) * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape - * new profiles: feh, ranger, zathura, 7z, keepass, keepassx + * new profiles: feh, ranger, zathura, 7z, keepass, keepassx, + * new profiles: claws-mail, mutt, git, emacs, vim * bugfixes -- netblue30 Fri, 9 Sept 2016 08:00:00 -0500 
diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 03fb2fe75..de9ed4277 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -155,3 +155,9 @@ /etc/firejail/7z.profile /etc/firejail/keepass.profile /etc/firejail/keepassx.profile +/etc/firejail/claws-mail +/etc/firejail/mutt +/etc/firejail/git +/etc/firejail/emacs +/etc/firejail/vim + -- cgit v1.2.3-70-g09d2 From c555a359be85264aaf5df01ee87b2463129fbca5 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 11 Oct 2016 09:40:23 -0400 Subject: cherrytree fix --- etc/disable-programs.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index c13885739..126ebea80 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -33,6 +33,7 @@ blacklist ${HOME}/.synfig blacklist ${HOME}/.inkscape blacklist ${HOME}/.gimp* blacklist ${HOME}/.config/zathura +blacklist ${HOME}/.config/cherrytree # Media players -- cgit v1.2.3-70-g09d2 From 55f787761b8b2940b8b5e13c7ce4b13481c4bf1a Mon Sep 17 00:00:00 2001 From: vismir2 Date: Tue, 11 Oct 2016 15:54:01 +0200 Subject: Update emacs.profile allowed accces to own configuration files --- etc/emacs.profile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/emacs.profile b/etc/emacs.profile index 2cf614ca7..cbdba7712 100644 --- a/etc/emacs.profile +++ b/etc/emacs.profile @@ -1,5 +1,8 @@ # emacs profile +noblacklist ~/.emacs +noblacklist ~/.emacs.d + include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc -- cgit v1.2.3-70-g09d2 From f4ab9ae4181373166c8eabb470dd0aeeb80a52e2 Mon Sep 17 00:00:00 2001 From: vismir2 Date: Tue, 11 Oct 2016 15:55:12 +0200 Subject: Update mutt.profile added vimrc config file --- etc/mutt.profile | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/mutt.profile b/etc/mutt.profile index 4c9a30dac..cda7fc4bf 100644 --- a/etc/mutt.profile +++ b/etc/mutt.profile 
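Review bot: The five paths added to `platform/debian/conffiles` omit the `.profile` suffix that the neighbouring entries carry (`/etc/firejail/keepassx.profile`), so they presumably name no installed file and the new profiles would not be tracked as conffiles. Each entry should be written in the form `/etc/firejail/claws-mail.profile`, and the empty line added at the end of the list should be dropped. The conffiles hunk of the later "xpdf profile" commit adds `/etc/firejail/xpdf` with the same omission.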
@@ -14,6 +14,7 @@ noblacklist ~/.cache/mutt noblacklist ~/.w3m noblacklist ~/.elinks noblacklist ~/.vim +noblacklist ~/.vimrc noblacklist ~/.viminfo noblacklist ~/.emacs noblacklist ~/.emacs.d -- cgit v1.2.3-70-g09d2 From 67afd0814f6d44b7fbbd48929c0bb675d36f3345 Mon Sep 17 00:00:00 2001 From: vismir2 Date: Tue, 11 Oct 2016 15:56:05 +0200 Subject: Update vim.profile allowed acces to own config files --- etc/vim.profile | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/etc/vim.profile b/etc/vim.profile index b16939475..3c1fefe41 100644 --- a/etc/vim.profile +++ b/etc/vim.profile @@ -1,10 +1,13 @@ # vim profile +noblacklist ~/.vim +noblacklist ~/.vimrc +noblacklist ~/.viminfo + include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc - caps.drop all netfilter nonewprivs -- cgit v1.2.3-70-g09d2 From b360aff7b55079cca30dcf18eb2d3654bc536d72 Mon Sep 17 00:00:00 2001 From: vismir2 Date: Tue, 11 Oct 2016 15:57:01 +0200 Subject: Update claws-mail.profile removed access to ssh files --- etc/claws-mail.profile | 1 - 1 file changed, 1 deletion(-) diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile index 6dbf893ab..1b6d2f645 100644 --- a/etc/claws-mail.profile +++ b/etc/claws-mail.profile @@ -2,7 +2,6 @@ noblacklist ~/.claws-mail noblacklist ~/.signature -noblacklist ~/.ssh noblacklist ~/.gnupg include /etc/firejail/disable-common.inc -- cgit v1.2.3-70-g09d2 From 06f4277d5c55d2e94381cd11add6e9691a159a2d Mon Sep 17 00:00:00 2001 From: Deelvesh Bunjun Date: Wed, 12 Oct 2016 23:06:03 +0400 Subject: add xpdf profile --- etc/xpdf.profile | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 etc/xpdf.profile diff --git a/etc/xpdf.profile b/etc/xpdf.profile new file mode 100644 index 000000000..e4e1a8ec2 --- /dev/null +++ b/etc/xpdf.profile 
@@ -0,0 +1,25 @@ +################################ +# xpdf application profile +################################ +#include /etc/firejail/disable-common.inc +#include /etc/firejail/disable-programs.inc +#include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +shell none + +nonewprivs +noroot +protocol unix +seccomp + + +noblacklist /etc/xpdfrc +noblacklist ${HOME}/.xpdfrc + + +private-dev +private-tmp + + + -- cgit v1.2.3-70-g09d2 From a2fb272b3e03d9fe60e35ab21c613897f5b67c67 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 12 Oct 2016 16:20:18 -0400 Subject: xpdf profile --- README | 2 ++ README.md | 2 +- etc/disable-programs.inc | 1 + etc/xpdf.profile | 16 ++++++---------- platform/debian/conffiles | 1 + src/firecfg/firecfg.config | 1 + 6 files changed, 12 insertions(+), 11 deletions(-) diff --git a/README b/README index af09db5ca..46c314a64 100644 --- a/README +++ b/README @@ -77,6 +77,8 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added gnome-chess profile - added DOSBox profile - evince profile enhancement +Deelvesh Bunjun (https://github.com/DeelveshBunjun) + - added xpdf profile vismir2 (https://github.com/vismir2) - claws-mail, mutt, git, emacs, vim profiles Dara Adib (https://github.com/daradib) diff --git a/README.md b/README.md index a51651948..1038e1ef8 100644 --- a/README.md +++ b/README.md @@ -113,5 +113,5 @@ x11 xpra, x11 xephyr, x11 none, x11 xorg, allusers, join-or-start ## New profiles qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape, feh, ranger, zathura, 7z, keepass, keepassx, -claws-mail, mutt, git, emacs, vim +claws-mail, mutt, git, emacs, vim, xpdf diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 126ebea80..369e4813c 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -34,6 +34,7 @@ blacklist ${HOME}/.inkscape blacklist ${HOME}/.gimp* blacklist ${HOME}/.config/zathura blacklist ${HOME}/.config/cherrytree +blacklist ${HOME}/.xpdfrc # Media players 
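Review bot: All three `disable-*.inc` includes at the top of the new xpdf profile are commented out, so none of the shared blacklists those files provide are applied to the sandbox. Unless that is deliberate, remove the leading `#` from the three lines, e.g. `include /etc/firejail/disable-common.inc`. The `noblacklist ${HOME}/.xpdfrc` line should then move above the includes, where the other profiles in this series place their `noblacklist` lines; after the includes it presumably has no effect. The runs of empty lines in the middle and at the end of the file can be dropped as well.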
diff --git a/etc/xpdf.profile b/etc/xpdf.profile index e4e1a8ec2..e036fba21 100644 --- a/etc/xpdf.profile +++ b/etc/xpdf.profile @@ -1,25 +1,21 @@ ################################ # xpdf application profile ################################ -#include /etc/firejail/disable-common.inc -#include /etc/firejail/disable-programs.inc -#include /etc/firejail/disable-passwdmgr.inc +noblacklist ${HOME}/.xpdfrc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc caps.drop all shell none - nonewprivs noroot protocol unix seccomp - - -noblacklist /etc/xpdfrc -noblacklist ${HOME}/.xpdfrc - - private-dev private-tmp +net none + diff --git a/platform/debian/conffiles b/platform/debian/conffiles index de9ed4277..c6e243a03 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -160,4 +160,5 @@ /etc/firejail/git /etc/firejail/emacs /etc/firejail/vim +/etc/firejail/xpdf diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 95d3d5caa..31f6b2fd5 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -134,6 +134,7 @@ Mathematica mathematica okular pix +xpdf xreader zathura -- cgit v1.2.3-70-g09d2 From b957e92acb7c923e72a1f394656eba2bf281851a Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 12 Oct 2016 16:22:27 -0400 Subject: xpdf profile --- RELNOTES | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELNOTES b/RELNOTES index 14b84901c..4c191fc82 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -17,7 +17,7 @@ firejail (0.9.43) baseline; urgency=low * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape * new profiles: feh, ranger, zathura, 7z, keepass, keepassx, - * new profiles: claws-mail, mutt, git, emacs, vim + * new profiles: claws-mail, mutt, git, emacs, vim, xpdf * bugfixes -- netblue30 Fri, 9 Sept 2016 08:00:00 -0500 -- cgit v1.2.3-70-g09d2 From 84cb3ef42084d010e4658319afb20b0e58159f90 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 13 Oct 2016 12:27:13 -0400 Subject: 0.9.44~rc1 testing --- configure | 18 +++++++++--------- configure.ac | 2 +- platform/debian/conffiles | 13 ++++++------- src/firejail/firejail.h | 1 + 4 files changed, 17 insertions(+), 17 deletions(-) diff --git a/configure b/configure index 5e066a44d..48b891c40 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for firejail 0.9.43. +# Generated by GNU Autoconf 2.69 for firejail 0.9.44~rc1. # # Report bugs to . # @@ -580,8 +580,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='firejail' PACKAGE_TARNAME='firejail' -PACKAGE_VERSION='0.9.43' -PACKAGE_STRING='firejail 0.9.43' +PACKAGE_VERSION='0.9.44~rc1' +PACKAGE_STRING='firejail 0.9.44~rc1' PACKAGE_BUGREPORT='netblue30@yahoo.com' PACKAGE_URL='http://firejail.wordpress.com' @@ -1259,7 +1259,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures firejail 0.9.43 to adapt to many kinds of systems. +\`configure' configures firejail 0.9.44~rc1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... 
@@ -1320,7 +1320,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of firejail 0.9.43:";; + short | recursive ) echo "Configuration of firejail 0.9.44~rc1:";; esac cat <<\_ACEOF @@ -1424,7 +1424,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -firejail configure 0.9.43 +firejail configure 0.9.44~rc1 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1726,7 +1726,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by firejail $as_me 0.9.43, which was +It was created by firejail $as_me 0.9.44~rc1, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4303,7 +4303,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by firejail $as_me 0.9.43, which was +This file was extended by firejail $as_me 0.9.44~rc1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -4357,7 +4357,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -firejail config.status 0.9.43 +firejail config.status 0.9.44~rc1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index a1d65cc63..108b558d4 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ([2.68]) -AC_INIT(firejail, 0.9.43, netblue30@yahoo.com, , http://firejail.wordpress.com) +AC_INIT(firejail, 0.9.44~rc1, netblue30@yahoo.com, , http://firejail.wordpress.com) AC_CONFIG_SRCDIR([src/firejail/main.c]) #AC_CONFIG_HEADERS([config.h]) 
diff --git a/platform/debian/conffiles b/platform/debian/conffiles index c6e243a03..a8ed6f691 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -155,10 +155,9 @@ /etc/firejail/7z.profile /etc/firejail/keepass.profile /etc/firejail/keepassx.profile -/etc/firejail/claws-mail -/etc/firejail/mutt -/etc/firejail/git -/etc/firejail/emacs -/etc/firejail/vim -/etc/firejail/xpdf - +/etc/firejail/claws-mail.profile +/etc/firejail/mutt.profile +/etc/firejail/git.profile +/etc/firejail/emacs.profile +/etc/firejail/vim.profile +/etc/firejail/xpdf.profile diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 15e108056..5f736f700 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -672,6 +672,7 @@ extern char *xephyr_extra_params; extern char *netfilter_default; int checkcfg(int val); void print_compiletime_support(void); +void x11_xorg(void); // appimage.c void appimage_set(const char *appimage_path); -- cgit v1.2.3-70-g09d2 From b88cef5db1132c1e6e94ae282f94d980a959bb15 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 13 Oct 2016 16:45:28 -0400 Subject: testing --- Makefile.in | 5 +- src/include/common.h | 2 +- src/lib/common.c | 9 ++-- src/lib/pid.c | 2 +- test/apps-x11-xorg/apps-x11-xorg.sh | 35 +++++++++++++ test/apps-x11-xorg/firefox.exp | 90 +++++++++++++++++++++++++++++++++ test/apps-x11-xorg/icedove.exp | 85 +++++++++++++++++++++++++++++++ test/apps-x11-xorg/transmission-gtk.exp | 85 +++++++++++++++++++++++++++++++ 8 files changed, 307 insertions(+), 6 deletions(-) create mode 100755 test/apps-x11-xorg/apps-x11-xorg.sh create mode 100755 test/apps-x11-xorg/firefox.exp create mode 100755 test/apps-x11-xorg/icedove.exp create mode 100755 test/apps-x11-xorg/transmission-gtk.exp diff --git a/Makefile.in b/Makefile.in index 3f08c5952..ad81c8851 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -195,6 +195,9 @@ test-apps: test-apps-x11: cd test/apps-x11; ./apps-x11.sh | grep TESTING +test-apps-x11-xorg: + cd test/apps-x11-xorg; ./apps-x11-xorg.sh | grep TESTING + test-sysutils: cd test/sysutils; ./sysutils.sh | grep TESTING @@ -213,5 +216,5 @@ test-network: test-fs: cd test/fs; ./fs.sh | grep TESTING -test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-filters +test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-apps-xorg-x11 test-filters echo "TEST COMPLETE" diff --git a/src/include/common.h b/src/include/common.h index e28870807..f7c8ea725 100644 --- a/src/include/common.h +++ b/src/include/common.h @@ -113,5 +113,5 @@ int join_namespace(pid_t pid, char *type); int name2pid(const char *name, pid_t *pid); char *pid_proc_comm(const pid_t pid); char *pid_proc_cmdline(const pid_t pid); -int pid_proc_cmdline_x11(const pid_t pid); +int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid); #endif diff --git a/src/lib/common.c b/src/lib/common.c index acb6bd3b4..fc4c167ba 100644 --- a/src/lib/common.c +++ b/src/lib/common.c @@ -201,7 +201,7 @@ char *pid_proc_cmdline(const pid_t pid) { } // return 1 if firejail --x11 on command line -int pid_proc_cmdline_x11(const pid_t pid) { +int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid) { // if comm is not firejail return 0 char *comm = pid_proc_comm(pid); if (strcmp(comm, "firejail") != 0) { @@ -248,8 +248,11 @@ int pid_proc_cmdline_x11(const pid_t pid) { break; if (strncmp(arg, "--", 2) != 0) break; - - // check x11 + + if (strcmp(arg, "--x11=xorg") == 0) + return 0; + + // check x11 xpra or xephyr if (strncmp(arg, "--x11", 5) == 0) return 1; i += strlen(arg); diff --git a/src/lib/pid.c b/src/lib/pid.c index bbb123b81..ef1a428fb 100644 --- a/src/lib/pid.c +++ b/src/lib/pid.c 
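Review bot: The aggregate `test` target in the second Makefile.in hunk depends on `test-apps-xorg-x11`, but the rule added in the first hunk is named `test-apps-x11-xorg`. With no rule for that name, `make test` fails on the missing prerequisite and the new xorg tests never run as part of it. The prerequisite list should read `test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters`.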
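Review bot: The comment above the renamed `pid_proc_cmdline_x11_xpra_xephyr()` still reads `// return 1 if firejail --x11 on command line`, which is no longer accurate now that `--x11=xorg` returns 0. Something like `// return 1 if firejail was started with --x11 in xpra or xephyr mode, 0 otherwise (including --x11=xorg)` would match the new behaviour. The remaining `strncmp(arg, "--x11", 5)` test still matches every other `--x11=` value, so any mode that is neither xpra nor xephyr (README.md lists `x11 none`) would be reported as one; that is worth confirming. The new early `return 0` sits inside a loop whose setup is outside the hunk, so check that it does not skip cleanup done on the normal exit path.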
@@ -341,7 +341,7 @@ void pid_read(pid_t mon_pid) { } if ((strncmp(ptr, "firejail", 8) == 0) && (mon_pid == 0 || mon_pid == pid)) { - if (pid_proc_cmdline_x11(pid)) + if (pid_proc_cmdline_x11_xpra_xephyr(pid)) pids[pid].level = -1; else pids[pid].level = 1; diff --git a/test/apps-x11-xorg/apps-x11-xorg.sh b/test/apps-x11-xorg/apps-x11-xorg.sh new file mode 100755 index 000000000..b05914b52 --- /dev/null +++ b/test/apps-x11-xorg/apps-x11-xorg.sh @@ -0,0 +1,35 @@ +#!/bin/bash +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +export MALLOC_CHECK_=3 +export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) + +which firefox +if [ "$?" -eq 0 ]; +then + echo "TESTING: firefox x11 xorg" + ./firefox.exp +else + echo "TESTING SKIP: firefox not found" +fi + +which transmission-gtk +if [ "$?" -eq 0 ]; +then + echo "TESTING: transmission-gtk x11 xorg" + ./transmission-gtk.exp +else + echo "TESTING SKIP: transmission-gtk not found" +fi + +which icedove +if [ "$?" -eq 0 ]; +then + echo "TESTING: icedove x11 xorg" + ./icedove.exp +else + echo "TESTING SKIP: icedove not found" +fi + diff --git a/test/apps-x11-xorg/firefox.exp b/test/apps-x11-xorg/firefox.exp new file mode 100755 index 000000000..5231bf8ed --- /dev/null +++ b/test/apps-x11-xorg/firefox.exp 
@@ -0,0 +1,90 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --name=test --x11=xorg firefox -no-remote www.gentoo.org\r" +sleep 10 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "firefox" {puts "firefox detected\n";} + "iceweasel" {puts "iceweasel detected\n";} +} +expect { + timeout {puts "TESTING ERROR 3.2\n";exit} + "no-remote" +} +sleep 1 +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + " firefox" {puts "firefox detected\n";} + " iceweasel" {puts "iceweasel detected\n";} +} +expect { + timeout {puts "TESTING ERROR 5.0\n";exit} + "no-remote" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + " firefox" {puts "firefox detected\n";} + " iceweasel" {puts "iceweasel detected\n";} +} +expect { + timeout {puts "TESTING ERROR 6.0\n";exit} + "no-remote" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firejail --shutdown=test\r" +sleep 3 + +puts "\nall 
done\n" + diff --git a/test/apps-x11-xorg/icedove.exp b/test/apps-x11-xorg/icedove.exp new file mode 100755 index 000000000..f676264ed --- /dev/null +++ b/test/apps-x11-xorg/icedove.exp @@ -0,0 +1,85 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --name=test --x11=xorg icedove\r" +sleep 10 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "icedove" +} +sleep 1 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 5.0\n";exit} + "icedove" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +sleep 2 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 6.0\n";exit} + "icedove" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firejail --shutdown=test\r" +sleep 3 + +puts "\nall done\n" + 
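Review bot: Every `timeout` branch in test/apps-x11-xorg/firefox.exp ends in a bare `exit`, which leaves the script with status 0, so a failed `Seccomp: 2` or `CapBnd` check is only detectable by reading the `TESTING ERROR` text. Use `exit 1` in the failure branches so a runner can fail on the status; the same applies to icedove.exp and transmission-gtk.exp added in this commit. The label `TESTING ERROR 5.1` is also printed for both the seccomp check and the following `name=blablabla` check, which makes a failure ambiguous; renumber the second one to `TESTING ERROR 5.2`.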
diff --git a/test/apps-x11-xorg/transmission-gtk.exp b/test/apps-x11-xorg/transmission-gtk.exp new file mode 100755 index 000000000..a91a1be08 --- /dev/null +++ b/test/apps-x11-xorg/transmission-gtk.exp @@ -0,0 +1,85 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --name=test --x11=xorg transmission-gtk\r" +sleep 10 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "transmission-gtk" +} +sleep 1 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 5.0\n";exit} + "transmission-gtk" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 6.0\n";exit} + "transmission-gtk" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firejail --shutdown=test\r" +sleep 3 + +puts "\nall done\n" + -- cgit v1.2.3-70-g09d2 
From d56c76569033f94b91b9ada3ba4241d19c3c9e11 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 14 Oct 2016 07:44:59 -0400 Subject: cherrytree fix --- etc/cherrytree.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index d16e7c067..ec6d0d69d 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile @@ -1,7 +1,7 @@ # cherrytree note taking application noblacklist /usr/bin/python2* noblacklist /usr/lib/python3* -noblacklist ${HOME}/.config/cherrytree/ +noblacklist ${HOME}/.config/cherrytree include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc -- cgit v1.2.3-70-g09d2 From 82c6ce3168de710dc41ae4065610257c911848bb Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 14 Oct 2016 08:34:04 -0400 Subject: 0.9.44~rc1 testing --- Makefile.in | 2 +- test/environment/allow-debuggers.exp | 18 +++++++++++++----- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/Makefile.in b/Makefile.in index ad81c8851..9574c74bc 100644 --- a/Makefile.in +++ b/Makefile.in @@ -216,5 +216,5 @@ test-network: test-fs: cd test/fs; ./fs.sh | grep TESTING -test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-apps-xorg-x11 test-filters +test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters echo "TEST COMPLETE" diff --git a/test/environment/allow-debuggers.exp b/test/environment/allow-debuggers.exp index dde9c4cc1..8a404decb 100755 --- a/test/environment/allow-debuggers.exp +++ b/test/environment/allow-debuggers.exp 
@@ -11,19 +11,27 @@ expect { "Child process initialized" } expect { - timeout {puts "TESTING ERROR 1\n";exit} - "exited with 0" + timeout {puts "TESTING ERROR 1\n";exit} + "ioctl" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "exit_group" } after 100 send -- "firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace ls\r" expect { - timeout {puts "TESTING ERROR 2\n";exit} + timeout {puts "TESTING ERROR 3\n";exit} "Child process initialized" } expect { - timeout {puts "TESTING ERROR 3\n";exit} - "exited with 0" + timeout {puts "TESTING ERROR 4\n";exit} + "ioctl" +} +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "exit_group" } after 100 -- cgit v1.2.3-70-g09d2 From 45429215529c9d683322a4d272d1f33a67446fdd Mon Sep 17 00:00:00 2001 From: valoq Date: Sat, 15 Oct 2016 22:56:45 +0200 Subject: added /srv in whitelist option --- src/firejail/firejail.h | 2 ++ src/firejail/fs_whitelist.c | 61 ++++++++++++++++++++++++++++++++++++++++++-- src/man/firejail-profile.txt | 2 +- src/man/firejail.txt | 2 +- 4 files changed, 63 insertions(+), 4 deletions(-) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 5f736f700..dafa5919c 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -60,6 +60,7 @@ #define RUN_WHITELIST_VAR_DIR "/run/firejail/mnt/orig-var" #define RUN_WHITELIST_DEV_DIR "/run/firejail/mnt/orig-dev" #define RUN_WHITELIST_OPT_DIR "/run/firejail/mnt/orig-opt" +#define RUN_WHITELIST_SRV_DIR "/run/firejail/mnt/orig-srv" #define RUN_XAUTHORITY_FILE "/run/firejail/mnt/.Xauthority" #define RUN_XAUTHORITY_SEC_FILE "/run/firejail/mnt/sec.Xauthority" @@ -173,6 +174,7 @@ typedef struct profile_entry_t { unsigned var_dir:1; // whitelist in /var directory unsigned dev_dir:1; // whitelist in /dev directory unsigned opt_dir:1; // whitelist in /opt directory + unsigned srv_dir:1; // whitelist in /srv directory }ProfileEntry; typedef struct config_t { 
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 849861805..b1c2774e2 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c @@ -254,7 +254,16 @@ static void whitelist_path(ProfileEntry *entry) { if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_OPT_DIR, fname) == -1) errExit("asprintf"); } + else if (entry->srv_dir) { + fname = path + 4; // strlen("/srv") + if (*fname == '\0') { + fprintf(stderr, "Error: file %s is not in /srv directory, exiting...\n", path); + exit(1); + } + if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SRV_DIR, fname) == -1) + errExit("asprintf"); + } // check if the file exists struct stat s; if (wfile && stat(wfile, &s) == 0) { @@ -317,7 +326,7 @@ void fs_whitelist(void) { int var_dir = 0; // /var directory flag int dev_dir = 0; // /dev directory flag int opt_dir = 0; // /opt directory flag - + int srv_dir = 0; // /srv directory flag // verify whitelist files, extract symbolic links, etc. while (entry) { // handle only whitelist commands @@ -387,7 +396,9 @@ void fs_whitelist(void) { dev_dir = 1; else if (strncmp(new_name, "/opt/", 5) == 0) opt_dir = 1; - + else if (strncmp(new_name, "/srv/", 5) == 0) + opt_dir = 1; + continue; } @@ -481,6 +492,16 @@ void fs_whitelist(void) { goto errexit; } } + else if (strncmp(new_name, "/srv/", 5) == 0) { + entry->srv_dir = 1; + srv_dir = 1; + // both path and absolute path are under /srv + if (strncmp(fname, "/srv/", 5) != 0) { + if (arg_debug) + fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); + goto errexit; + } + } else { if (arg_debug) fprintf(stderr, "Debug %d: \n", __LINE__); 
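Review bot: The new `/srv/` branch in the chain that ends with `continue;` sets `opt_dir = 1` instead of `srv_dir = 1`, which looks like a copy-paste from the `/opt/` branch directly above it. A whitelist entry under /srv that takes this path would therefore request the tmpfs overlay for /opt and not for /srv, leaving /srv unmasked unless another entry sets the flag. Change the line to `srv_dir = 1;`. `fs_whitelist()` starts and ends outside the hunk, so which entries reach this path is inferred from the context lines.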
@@ -675,6 +696,36 @@ void fs_whitelist(void) { fs_logger("tmpfs /opt"); } + // /srv mountpoint + if (srv_dir) { + // check if /srv directory exists + struct stat s; + if (stat("/srv", &s) == 0) { + // keep a copy of real /srv directory in RUN_WHITELIST_SRV_DIR + int rv = mkdir(RUN_WHITELIST_SRV_DIR, 0755); + if (rv == -1) + errExit("mkdir"); + if (chown(RUN_WHITELIST_SRV_DIR, 0, 0) < 0) + errExit("chown"); + if (chmod(RUN_WHITELIST_SRV_DIR, 0755) < 0) + errExit("chmod"); + + if (mount("/srv", RUN_WHITELIST_SRV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mount bind"); + + // mount tmpfs on /srv + if (arg_debug || arg_debug_whitelists) + printf("Mounting tmpfs on /srv directory\n"); + if (mount("tmpfs", "/srv", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) + errExit("mounting tmpfs on /srv"); + fs_logger("tmpfs /srv"); + } + else + srv_dir = 0; + } + + + // go through profile rules again, and interpret whitelist commands entry = cfg.profile; while (entry) { @@ -766,6 +817,12 @@ void fs_whitelist(void) { fs_logger2("tmpfs", RUN_WHITELIST_MNT_DIR); } + // mask the real /srv directory, currently mounted on RUN_WHITELIST_SRV_DIR + if (srv_dir) { + if (mount("tmpfs", RUN_WHITELIST_SRV_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) + errExit("mount tmpfs"); + fs_logger2("tmpfs", RUN_WHITELIST_SRV_DIR); + if (new_name) free(new_name); diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index d420fab7a..09dc46bbc 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt 
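Review bot: The `if (srv_dir) {` block added in the `@@ -766,6 +817,12 @@` hunk is never closed: after `fs_logger2("tmpfs", RUN_WHITELIST_SRV_DIR);` the hunk continues with the existing `if (new_name)` line and there is no `}`. As written the braces of `fs_whitelist()` do not balance, so the file should fail to compile at this commit; add `}` on the line after the `fs_logger2` call. The later "merges" commit further down this page appears to add exactly that brace, so the two changes belong in one commit. The function continues outside the hunk.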
@@ -218,7 +218,7 @@ Blacklist violations logged to syslog. Whitelist directory or file. A temporary file system is mounted on the top directory, and the whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent, everything else is discarded when the sandbox is closed. The top directory could be -user home, /dev, /media, /mnt, /opt, /var, and /tmp. +user home, /dev, /media, /mnt, /opt, /srv, /var, and /tmp. .br .br diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 4aebb71e8..666a6a8ef 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -1622,7 +1622,7 @@ $ firejail \-\-net=br0 --veth-name=if0 Whitelist directory or file. A temporary file system is mounted on the top directory, and the whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent, everything else is discarded when the sandbox is closed. The top directory could be -user home, /dev, /media, /mnt, /opt, /var, and /tmp. +user home, /dev, /media, /mnt, /opt, /srv, /var, and /tmp. .br .br -- cgit v1.2.3-70-g09d2 From 979fcbdc2e83f8d9541e49108511b2b40487d879 Mon Sep 17 00:00:00 2001 From: Rafael Cavalcanti Date: Sat, 15 Oct 2016 18:40:39 -0300 Subject: Whitelist Arch's chromium-flags.conf to Chromium --- etc/chromium.profile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/chromium.profile b/etc/chromium.profile index 0d383aebf..4109af9a4 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile @@ -25,4 +25,7 @@ whitelist ~/keepassx.kdbx whitelist ~/.lastpass whitelist ~/.config/lastpass +# specific to Arch +whitelist ~/.config/chromium-flags.conf + include /etc/firejail/whitelist-common.inc -- cgit v1.2.3-70-g09d2 From f88f8c638f8178d07af3e7df6257727d88709fd5 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 16 Oct 2016 08:51:52 -0400 Subject: merges --- README | 9 ++++++--- RELNOTES | 6 ++++-- src/firejail/fs_whitelist.c | 1 + 3 files changed, 11 insertions(+), 5 deletions(-) 
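Review bot: `whitelist ~/.config/chromium-flags.conf` in etc/chromium.profile makes the flags file writable from inside the sandbox, and the man-page text in this same patch series states that modifications to whitelisted files are persistent. A compromised browser process could therefore change the command-line flags applied at the next launch, outside the lifetime of the sandbox it ran in. The file presumably only needs to be read, so follow the whitelist line with `read-only ${HOME}/.config/chromium-flags.conf`, and confirm that read-only is applied after the whitelist bind mount.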
diff --git a/README b/README index 46c314a64..f9933f592 100644 --- a/README +++ b/README @@ -77,6 +77,12 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added gnome-chess profile - added DOSBox profile - evince profile enhancement +valoq (https://github.com/valoq) + - LibreOffice profile fixes + - cherrytree profile fixes + - added support for /srv in --whitelist feature +Rafael Cavalcanti (https://github.com/rccavalcanti) + - chromium profile fixes for Arch Linux Deelvesh Bunjun (https://github.com/DeelveshBunjun) - added xpdf profile vismir2 (https://github.com/vismir2) @@ -84,9 +90,6 @@ vismir2 (https://github.com/vismir2) Dara Adib (https://github.com/daradib) - ssh profile fix - evince profile fix -valoq (https://github.com/valoq) - - LibreOffice profile fixes - - cherrytree profile fixes vismir2 (https://github.com/vismir2) - feh, ranger, 7z, keepass, keepassx and zathura profiles - lots of profile fixes diff --git a/RELNOTES b/RELNOTES index 4c191fc82..0206e5433 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,9 +1,10 @@ -firejail (0.9.43) baseline; urgency=low +firejail (0.9.44~rc1) baseline; urgency=low * CVE-2016-7545 submitted by Aleksey Manevich * development version * modifs: removed man firejail-config * modifs: --private-tmp whitelists /tmp/.X11-unix directory * modifs: Nvidia drivers added to --private-dev + * modifs: /srv supported by --whitelist * feature: support starting/joining sandbox is a single command (--join-or-start) * feature: X11 detection support for --audit 
@@ -15,11 +16,12 @@ firejail (0.9.43) baseline; urgency=low * feature: X11 security extension (--x11=xorg) * feature: disable 3D hardware acceleration (--no3d) * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands + * feature: move files in sandbox (--put) * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape * new profiles: feh, ranger, zathura, 7z, keepass, keepassx, * new profiles: claws-mail, mutt, git, emacs, vim, xpdf * bugfixes - -- netblue30 Fri, 9 Sept 2016 08:00:00 -0500 + -- netblue30 Sat, 15 Sept 2016 08:00:00 -0500 firejail (0.9.42) baseline; urgency=low * security: --whitelist deleted files, submitted by Vasya Novikov diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index b1c2774e2..8bbdbe5d3 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c @@ -822,6 +822,7 @@ void fs_whitelist(void) { if (mount("tmpfs", RUN_WHITELIST_SRV_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mount tmpfs"); fs_logger2("tmpfs", RUN_WHITELIST_SRV_DIR); + } if (new_name) free(new_name); -- cgit v1.2.3-70-g09d2 From bb6c744fd4f59d0f407c37955ba36f8d40cc60cf Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 17 Oct 2016 08:41:39 -0400 Subject: allow user access to /sys/fs (--noblacklist=/sys/fs) --- RELNOTES | 1 + configure | 18 +++++++++--------- configure.ac | 2 +- src/firejail/fs.c | 6 +++++- test/fs/fs.sh | 3 +++ test/fs/sys_fs.exp | 44 ++++++++++++++++++++++++++++++++++++++++++++ 6 files changed, 63 insertions(+), 11 deletions(-) create mode 100755 test/fs/sys_fs.exp diff --git a/RELNOTES b/RELNOTES index 0206e5433..23e44a14f 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -5,6 +5,7 @@ firejail (0.9.44~rc1) baseline; urgency=low * modifs: --private-tmp whitelists /tmp/.X11-unix directory * modifs: Nvidia drivers added to --private-dev * modifs: /srv supported by --whitelist + * feature: allow user access to /sys/fs (--noblacklist=/sys/fs) * feature: support starting/joining sandbox is a single command (--join-or-start) * feature: X11 detection support for --audit diff --git a/configure b/configure index 48b891c40..9a33f0401 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for firejail 0.9.44~rc1. +# Generated by GNU Autoconf 2.69 for firejail 0.9.44~rc2. # # Report bugs to . # @@ -580,8 +580,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='firejail' PACKAGE_TARNAME='firejail' -PACKAGE_VERSION='0.9.44~rc1' -PACKAGE_STRING='firejail 0.9.44~rc1' +PACKAGE_VERSION='0.9.44~rc2' +PACKAGE_STRING='firejail 0.9.44~rc2' PACKAGE_BUGREPORT='netblue30@yahoo.com' PACKAGE_URL='http://firejail.wordpress.com' @@ -1259,7 +1259,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures firejail 0.9.44~rc1 to adapt to many kinds of systems. +\`configure' configures firejail 0.9.44~rc2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1320,7 +1320,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of firejail 0.9.44~rc1:";; + short | recursive ) echo "Configuration of firejail 0.9.44~rc2:";; esac cat <<\_ACEOF @@ -1424,7 +1424,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -firejail configure 0.9.44~rc1 +firejail configure 0.9.44~rc2 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. 
@@ -1726,7 +1726,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by firejail $as_me 0.9.44~rc1, which was +It was created by firejail $as_me 0.9.44~rc2, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4303,7 +4303,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by firejail $as_me 0.9.44~rc1, which was +This file was extended by firejail $as_me 0.9.44~rc2, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -4357,7 +4357,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -firejail config.status 0.9.44~rc1 +firejail config.status 0.9.44~rc2 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index 108b558d4..4496550fd 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ([2.68]) -AC_INIT(firejail, 0.9.44~rc1, netblue30@yahoo.com, , http://firejail.wordpress.com) +AC_INIT(firejail, 0.9.44~rc2, netblue30@yahoo.com, , http://firejail.wordpress.com) AC_CONFIG_SRCDIR([src/firejail/main.c]) #AC_CONFIG_HEADERS([config.h]) diff --git a/src/firejail/fs.c b/src/firejail/fs.c index a5f12c7df..6c566bd90 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c 
@@ -649,7 +649,11 @@ void fs_proc_sys_dev_boot(void) { disable_file(BLACKLIST_FILE, "/sys/firmware"); disable_file(BLACKLIST_FILE, "/sys/hypervisor"); - disable_file(BLACKLIST_FILE, "/sys/fs"); + { // allow user access to /sys/fs if "--noblacklist=/sys/fs" is present on the command line + EUID_USER(); + profile_add("blacklist /sys/fs"); + EUID_ROOT(); + } disable_file(BLACKLIST_FILE, "/sys/module"); disable_file(BLACKLIST_FILE, "/sys/power"); disable_file(BLACKLIST_FILE, "/sys/kernel/debug"); diff --git a/test/fs/fs.sh b/test/fs/fs.sh index d45ef48bd..3139b8eae 100755 --- a/test/fs/fs.sh +++ b/test/fs/fs.sh @@ -6,6 +6,9 @@ export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) +echo "TESTING: /sys/fs access (test/fs/sys_fs.exp)" +./sys_fs.exp + echo "TESTING: kmsg access (test/fs/kmsg.exp)" ./kmsg.exp diff --git a/test/fs/sys_fs.exp b/test/fs/sys_fs.exp new file mode 100755 index 000000000..f512776d9 --- /dev/null +++ b/test/fs/sys_fs.exp @@ -0,0 +1,44 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "ls /sys/fs\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Permission denied" +} +after 100 + +send -- "exit\r" +sleep 1 + +send -- "firejail --noblacklist=/sys/fs\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "ls /sys/fs\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "cgroup" +} +after 100 +send -- "exit\r" +after 100 + +puts "\nall done\n" + -- cgit v1.2.3-70-g09d2 From a35b70acbd4794452596a74ed165d0b5feb7fa8c Mon Sep 17 00:00:00 2001 
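Review bot: In `fs_proc_sys_dev_boot()` the `/sys/fs` blacklist is no longer applied on the spot by `disable_file()`; it is only queued with `profile_add("blacklist /sys/fs")`, so it takes effect only if the profile blacklist pass runs after this function. That ordering is outside the hunk and should be confirmed, because a wrong order would leave /sys/fs readable by default without any error; the new test/fs/sys_fs.exp does check for `Permission denied` in the default case, which covers it as long as the test is run. The block also gives no reason for dropping to the user euid around the call; extend the comment to something like `// queued as a profile rule (as user) so --noblacklist=/sys/fs can override it; enforced later by the profile blacklist pass`. Whether `profile_add()` may keep or modify the string literal it is handed is not visible here and is worth a look as well.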
From: netblue30 Date: Mon, 17 Oct 2016 13:14:26 -0400 Subject: virtualbox profile --- README.md | 2 +- RELNOTES | 2 +- etc/virtualbox.profile | 12 ++++++++++++ platform/debian/conffiles | 1 + src/firecfg/firecfg.config | 1 + 5 files changed, 16 insertions(+), 2 deletions(-) create mode 100644 etc/virtualbox.profile diff --git a/README.md b/README.md index 1038e1ef8..3e765e556 100644 --- a/README.md +++ b/README.md @@ -113,5 +113,5 @@ x11 xpra, x11 xephyr, x11 none, x11 xorg, allusers, join-or-start ## New profiles qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape, feh, ranger, zathura, 7z, keepass, keepassx, -claws-mail, mutt, git, emacs, vim, xpdf +claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox diff --git a/RELNOTES b/RELNOTES index 23e44a14f..69d0a9b75 100644 --- a/RELNOTES +++ b/RELNOTES @@ -20,7 +20,7 @@ firejail (0.9.44~rc1) baseline; urgency=low * feature: move files in sandbox (--put) * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape * new profiles: feh, ranger, zathura, 7z, keepass, keepassx, - * new profiles: claws-mail, mutt, git, emacs, vim, xpdf + * new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox * bugfixes -- netblue30 Sat, 15 Sept 2016 08:00:00 -0500 diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile new file mode 100644 index 000000000..148b7efc8 --- /dev/null +++ b/etc/virtualbox.profile @@ -0,0 +1,12 @@ +# VirtualBox profile + +noblacklist ${HOME}/.VirtualBox +noblacklist ${HOME}/VirtualBox VMs +noblacklist ${HOME}/.config/VirtualBox +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all + + diff --git a/platform/debian/conffiles b/platform/debian/conffiles index a8ed6f691..90f4839a2 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -161,3 +161,4 @@ /etc/firejail/emacs.profile /etc/firejail/vim.profile /etc/firejail/xpdf.profile +/etc/firejail/virtualbox.profile 
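Review bot: The new etc/virtualbox.profile sets only `caps.drop all`; it has none of the `seccomp`, `nonewprivs`, `noroot`, `netfilter` or `protocol` lines that the OpenShot and Flowblade profiles added later on this page carry. If those are left out on purpose (VirtualBox may not run with them, which is not visible here), say so in the header, e.g. `# seccomp/nonewprivs/noroot omitted: <reason>`, so the gap is not read as an oversight. Otherwise add the restrictions that VirtualBox tolerates.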
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 31f6b2fd5..aec0dc8a5 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -76,6 +76,7 @@ unbound mupen64plus wine dosbox +virtualbox # games 0ad -- cgit v1.2.3-70-g09d2 From dbec13243bde95b488fe0e77d1c472b72d09ba43 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 17 Oct 2016 13:36:54 -0400 Subject: openshot profile --- README.md | 2 +- RELNOTES | 2 +- etc/disable-programs.inc | 1 + platform/debian/conffiles | 1 + src/firecfg/firecfg.config | 1 + 5 files changed, 5 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 3e765e556..e0e283e2b 100644 --- a/README.md +++ b/README.md @@ -113,5 +113,5 @@ x11 xpra, x11 xephyr, x11 none, x11 xorg, allusers, join-or-start ## New profiles qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape, feh, ranger, zathura, 7z, keepass, keepassx, -claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox +claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot diff --git a/RELNOTES b/RELNOTES index 69d0a9b75..bc7d657d4 100644 --- a/RELNOTES +++ b/RELNOTES @@ -20,7 +20,7 @@ firejail (0.9.44~rc1) baseline; urgency=low * feature: move files in sandbox (--put) * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape * new profiles: feh, ranger, zathura, 7z, keepass, keepassx, - * new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox + * new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot * bugfixes -- netblue30 Sat, 15 Sept 2016 08:00:00 -0500 diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 369e4813c..dda36abfe 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -35,6 +35,7 @@ blacklist ${HOME}/.gimp* blacklist ${HOME}/.config/zathura blacklist ${HOME}/.config/cherrytree blacklist ${HOME}/.xpdfrc +blacklist ${HOME}/.openshot # Media players 
diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 90f4839a2..184aef75c 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -162,3 +162,4 @@ /etc/firejail/vim.profile /etc/firejail/xpdf.profile /etc/firejail/virtualbox.profile +/etc/firejail/openshot.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index aec0dc8a5..9548d40b4 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -138,6 +138,7 @@ pix xpdf xreader zathura +openshot # other ssh -- cgit v1.2.3-70-g09d2 From 99abcd61b06076d7d371cd1070343e0e317caf5e Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 17 Oct 2016 13:44:41 -0400 Subject: flowblade profile --- README.md | 2 +- RELNOTES | 1 + etc/disable-programs.inc | 3 +++ etc/flowblade.profile | 13 +++++++++++++ etc/openshot.profile | 13 +++++++++++++ platform/debian/conffiles | 1 + src/firecfg/firecfg.config | 1 + 7 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 etc/flowblade.profile create mode 100644 etc/openshot.profile diff --git a/README.md b/README.md index e0e283e2b..5c061dad8 100644 --- a/README.md +++ b/README.md @@ -113,5 +113,5 @@ x11 xpra, x11 xephyr, x11 none, x11 xorg, allusers, join-or-start ## New profiles qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape, feh, ranger, zathura, 7z, keepass, keepassx, -claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot +claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot, Flowblade diff --git a/RELNOTES b/RELNOTES index bc7d657d4..7aa3155e1 100644 --- a/RELNOTES +++ b/RELNOTES @@ -21,6 +21,7 @@ firejail (0.9.44~rc1) baseline; urgency=low * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape * new profiles: feh, ranger, zathura, 7z, keepass, keepassx, * new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot + * new profiles: Flowblade * bugfixes -- netblue30 Sat, 15 Sept 2016 08:00:00 -0500 
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index dda36abfe..1ff486509 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -36,6 +36,9 @@ blacklist ${HOME}/.config/zathura blacklist ${HOME}/.config/cherrytree blacklist ${HOME}/.xpdfrc blacklist ${HOME}/.openshot +blacklist ${HOME}/.openshot_qt +blacklist ${HOME}/.flowblade +blacklist ${HOME}/.config/flowblade # Media players diff --git a/etc/flowblade.profile b/etc/flowblade.profile new file mode 100644 index 000000000..e1ec291bd --- /dev/null +++ b/etc/flowblade.profile @@ -0,0 +1,13 @@ +# OpenShot profile +noblacklist ${HOME}/.flowblade +noblacklist ${HOME}/.config/flowblade +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6,netlink +seccomp diff --git a/etc/openshot.profile b/etc/openshot.profile new file mode 100644 index 000000000..f12bd7d11 --- /dev/null +++ b/etc/openshot.profile @@ -0,0 +1,13 @@ +# OpenShot profile +noblacklist ${HOME}/.openshot +noblacklist ${HOME}/.openshot_qt +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6,netlink +seccomp diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 184aef75c..2ffa6d035 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -163,3 +163,4 @@ /etc/firejail/xpdf.profile /etc/firejail/virtualbox.profile /etc/firejail/openshot.profile +/etc/firejail/flowblade.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 9548d40b4..0c46f2dfa 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -139,6 +139,7 @@ xpdf xreader zathura openshot +flowblade # other ssh -- cgit v1.2.3-70-g09d2 
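Review bot: The header comment of the new etc/flowblade.profile reads `# OpenShot profile`, copied from openshot.profile in the same commit; it should be `# Flowblade profile`. The two files differ only in their `noblacklist` paths, so the wrong header makes it easy to edit or audit the wrong profile.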
From 994dc7904dc7801c9ad3f0a032961d7bfba7be43 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 18 Oct 2016 08:40:45 -0400 Subject: typo --- etc/disable-devel.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc index 971857710..2ac367f37 100644 --- a/etc/disable-devel.inc +++ b/etc/disable-devel.inc @@ -20,7 +20,7 @@ blacklist /usr/bin/x86_64-unknown-linux-gnu-gcc* # clang/llvm blacklist /usr/bin/clang* blacklist /usr/bin/llvm* -blacklist /usb/bin/lldb* +blacklist /usr/bin/lldb* blacklist /usr/lib/llvm* # tcc - Tiny C Compiler -- cgit v1.2.3-70-g09d2 From c9f3b36f73b2bcf4609f61ea53a77bc83e4e854e Mon Sep 17 00:00:00 2001 From: valoq Date: Tue, 18 Oct 2016 16:58:02 +0200 Subject: added profiles --- etc/eog.profile | 23 +++++++++++++++++++++++ etc/evolution.profile | 25 +++++++++++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 etc/eog.profile create mode 100644 etc/evolution.profile diff --git a/etc/eog.profile b/etc/eog.profile new file mode 100644 index 000000000..32b54a042 --- /dev/null +++ b/etc/eog.profile @@ -0,0 +1,23 @@ +# eog (gnome image viewer) profile + +noblacklist ~/.config/eog + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +nogroups +protocol unix +seccomp +shell none + +private-bin eog +private-dev +private-etc fonts +private-tmp + diff --git a/etc/evolution.profile b/etc/evolution.profile new file mode 100644 index 000000000..cf581643d --- /dev/null +++ b/etc/evolution.profile 
@@ -0,0 +1,25 @@ +# evolution profile + +noblacklist ~/.config/evolution +noblacklist ~/.local/share/evolution +noblacklist ~/.cache/evolution +noblacklist ~/.pki +noblacklist ~/.pki/nssdb +noblacklist ~/.gnupg + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +nogroups +protocol unix,inet,inet6 +seccomp +shell none + +private-dev +private-tmp -- cgit v1.2.3-70-g09d2 From b11e3ad8156e61ff72e0fe751a99a68feccb553f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 18 Oct 2016 14:34:41 -0400 Subject: eog and evolution profiles --- README | 1 + README.md | 4 +++- RELNOTES | 2 +- etc/disable-programs.inc | 4 ++++ platform/debian/conffiles | 2 ++ src/firecfg/firecfg.config | 2 ++ 6 files changed, 13 insertions(+), 2 deletions(-) diff --git a/README b/README index f9933f592..10b0ab61b 100644 --- a/README +++ b/README @@ -81,6 +81,7 @@ valoq (https://github.com/valoq) - LibreOffice profile fixes - cherrytree profile fixes - added support for /srv in --whitelist feature + - Eye of GNOME and Evolution profiles Rafael Cavalcanti (https://github.com/rccavalcanti) - chromium profile fixes for Arch Linux Deelvesh Bunjun (https://github.com/DeelveshBunjun) diff --git a/README.md b/README.md index 5c061dad8..ec95a4e9b 100644 --- a/README.md +++ b/README.md @@ -42,6 +42,8 @@ If you keep your Firejail profiles in a public repository, please give us a link * https://github.com/chiraag-nataraj/firejail-profiles * https://github.com/triceratops1/fe + +Use this issue to request new profiles: https://github.com/netblue30/firejail/issues/825 ````` ````` 
@@ -113,5 +115,5 @@ x11 xpra, x11 xephyr, x11 none, x11 xorg, allusers, join-or-start ## New profiles qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape, feh, ranger, zathura, 7z, keepass, keepassx, -claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot, Flowblade +claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot, Flowblade, Eye of GNOME (eog), Evolution diff --git a/RELNOTES b/RELNOTES index 7aa3155e1..f1d6a8da1 100644 --- a/RELNOTES +++ b/RELNOTES @@ -21,7 +21,7 @@ firejail (0.9.44~rc1) baseline; urgency=low * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape * new profiles: feh, ranger, zathura, 7z, keepass, keepassx, * new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot - * new profiles: Flowblade + * new profiles: Flowblade, Eye of GNOME (eog), Evolution * bugfixes -- netblue30 Sat, 15 Sept 2016 08:00:00 -0500 diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 1ff486509..0094c6d11 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -39,6 +39,7 @@ blacklist ${HOME}/.openshot blacklist ${HOME}/.openshot_qt blacklist ${HOME}/.flowblade blacklist ${HOME}/.config/flowblade +blacklist ${HOME}/.config/eog # Media players @@ -78,6 +79,9 @@ blacklist ${HOME}/.config/inox blacklist ${HOME}/.muttrc blacklist ${HOME}/.mutt/muttrc blacklist ${HOME}/.msmtprc +blacklist ${HOME}/.config/evolution +blacklist ${HOME}/.local/share/evolution +blacklist ${HOME}/.cache/evolution # Instant Messaging blacklist ${HOME}/.config/hexchat diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 2ffa6d035..6d444b90d 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -164,3 +164,5 @@ /etc/firejail/virtualbox.profile /etc/firejail/openshot.profile /etc/firejail/flowblade.profile +/etc/firejail/eog.profile +/etc/firejail/evolution.profile 
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 0c46f2dfa..2d2c7b20e 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -47,6 +47,7 @@ seamonkey-bin thunderbird vivaldi-beta vivaldi +evolution # chat/messaging bitlbee @@ -140,6 +141,7 @@ xreader zathura openshot flowblade +eog # other ssh -- cgit v1.2.3-70-g09d2 From b53b92cb0d21ca137b340c3d9a47a53d6cb00c45 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 19 Oct 2016 18:09:30 +0200 Subject: blacklisted common suid programms --- etc/disable-common.inc | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 4f854c8d8..506d4e258 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -172,3 +172,29 @@ blacklist ${PATH}/roxterm-config blacklist ${PATH}/terminix blacklist ${PATH}/urxvtc blacklist ${PATH}/urxvtcd + +# disable common suid programms +blacklist ${PATH}/firejail +blacklist ${PATH}/sudo +blacklist ${PATH}/su +blacklist ${PATH}/mount +blacklist ${PATH}/umount +blacklist ${PATH}/fusermount +blacklist ${PATH}/passwd +blacklist ${PATH}/gpasswd +blacklist ${PATH}/newgidmap +blacklist ${PATH}/newgrp +blacklist ${PATH}/newuidmap +blacklist ${PATH}/pkexec +blacklist ${PATH}/sg +blacklist ${PATH}/rsh +blacklist ${PATH}/rlogin +blacklist ${PATH}/rcp +blacklist ${PATH}/crontab +blacklist ${PATH}/ksu +blacklist ${PATH}/chsh +blacklist ${PATH}/chfn +blacklist ${PATH}/chage +blacklist ${PATH}/expiry +blacklist ${PATH}/ping +blacklist ${PATH}/unix_chkpwd -- cgit v1.2.3-70-g09d2 From 24f53cde1d2ae75e23b3f82a925592c0c10c789a Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 19 Oct 2016 12:27:18 -0400 Subject: replaced exit with _exit in forked child --- src/firejail/fs_mkdir.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c index b2a5927e6..cffe32a7a 100644 --- a/src/firejail/fs_mkdir.c +++ b/src/firejail/fs_mkdir.c 
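Review bot: The comment introducing the new block in etc/disable-common.inc is misspelled (`programms`) and does not say that the list is name-based and therefore partial. A setuid binary that is not listed, or that sits outside the directories `${PATH}` expands to, stays reachable. These entries are therefore defence in depth alongside `nonewprivs`, `noroot` and `caps.drop all`, not a replacement for them. I would write the comment as `# disable common suid programs (name-based, not exhaustive; profiles should still set nonewprivs/noroot)`.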
@@ -81,7 +81,7 @@ void fs_mkdir(const char *name) { // create directory mkdir_recursive(expanded); - exit(0); + _exit(0); } // wait for the child to finish waitpid(child, NULL, 0); @@ -126,7 +126,7 @@ void fs_mkfile(const char *name) { (void) rv; fclose(fp); } - exit(0); + _exit(0); } // wait for the child to finish waitpid(child, NULL, 0); -- cgit v1.2.3-70-g09d2 From eddb9419463e266c79d422ce5c4bbc91e579fbcd Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 19 Oct 2016 14:30:30 -0400 Subject: replaced exit with _exit in forked child --- src/faudit/syscall.c | 3 ++- src/firejail/fs_bin.c | 4 +++- src/firejail/fs_etc.c | 4 +++- src/firejail/fs_home.c | 2 +- src/firejail/ls.c | 8 ++++---- src/firejail/main.c | 2 +- src/firejail/netfilter.c | 12 ++++++++---- src/firejail/x11.c | 12 ++++++------ src/firemon/interface.c | 2 +- 9 files changed, 29 insertions(+), 20 deletions(-) diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c index 9924be00f..3c87305df 100644 --- a/src/faudit/syscall.c +++ b/src/faudit/syscall.c @@ -92,7 +92,8 @@ void syscall_run(const char *name) { errExit("fork"); if (child == 0) { execl(prog, prog, "syscall", name, NULL); - exit(1); + perror("execl"); + _exit(1); } // wait for the child to finish diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index e65474f44..ba0633649 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c @@ -192,6 +192,8 @@ static void duplicate(char *fname) { if (asprintf(&f, "%s/%s", RUN_BIN_DIR, fname) == -1) errExit("asprintf"); execlp(RUN_CP_COMMAND, RUN_CP_COMMAND, "-a", actual_path, f, NULL); + perror("execlp"); + _exit(1); } // wait for the child to finish waitpid(child, NULL, 0); @@ -245,7 +247,7 @@ void fs_private_bin_list(void) { duplicate(ptr); free(dlist); fs_logger_print(); - exit(0); + _exit(0); } // wait for the child to finish waitpid(child, NULL, 0); diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index fc9e40ca0..de29c312e 100644 --- a/src/firejail/fs_etc.c 
+++ b/src/firejail/fs_etc.c @@ -106,6 +106,8 @@ static void duplicate(char *fname) { if (asprintf(&f, "/etc/%s", fname) == -1) errExit("asprintf"); execlp(RUN_CP_COMMAND, RUN_CP_COMMAND, "-a", "--parents", f, RUN_MNT_DIR, NULL); + perror("execlp"); + _exit(1); } // wait for the child to finish waitpid(child, NULL, 0); @@ -169,7 +171,7 @@ void fs_private_etc_list(void) { duplicate(ptr); free(dlist); fs_logger_print(); - exit(0); + _exit(0); } // wait for the child to finish waitpid(child, NULL, 0); diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index bd3c404e9..75cc3e732 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c @@ -641,7 +641,7 @@ void fs_private_home_list(void) { fs_logger_print(); // save the current log free(dlist); - exit(0); + _exit(0); } // wait for the child to finish waitpid(child, NULL, 0); diff --git a/src/firejail/ls.c b/src/firejail/ls.c index 39efaa0a6..dba82be0b 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c @@ -358,7 +358,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { fprintf(stderr, "Error: Cannot read %s\n", fname1); exit(1); } - exit(0); + _exit(0); } // wait for the child to finish @@ -391,7 +391,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { exit(1); } fclose(fp); - exit(0); + _exit(0); } // wait for the child to finish @@ -445,7 +445,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { fprintf(stderr, "Error: Cannot read %s\n", src_fname); exit(1); } - exit(0); + _exit(0); } // wait for the child to finish @@ -494,7 +494,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { } } - exit(0); + _exit(0); } // wait for the child to finish diff --git a/src/firejail/main.c b/src/firejail/main.c index 987a79d1c..0872a11bb 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c 
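Review bot: In src/firejail/ls.c the error branches just above the changed lines still call `exit(1)`: after `Error: Cannot read %s` in the hunks at 358 and 445, and before `fclose(fp)` in the hunk at 391. If those branches run in the forked child, as the following `// wait for the child to finish` suggests, a failing child still runs the atexit handlers and flushes the stdio buffers it inherited from the parent. That is the behaviour this commit removes on the success path, so they should become `_exit(1);` as well. sandboxfs() starts and ends outside these hunks, so confirm which process each branch runs in.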
@@ -2506,7 +2506,7 @@ int main(int argc, char **argv) { network_main(child); if (arg_debug) printf("Host network configured\n"); - exit(0); + _exit(0); } // wait for the child to finish diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c index b50d61039..c1f9a2c37 100644 --- a/src/firejail/netfilter.c +++ b/src/firejail/netfilter.c @@ -145,7 +145,8 @@ void netfilter(const char *fname) { // wipe out environment variables environ = NULL; execl(iptables_restore, iptables_restore, NULL); - // it will never get here!!! + perror("execl"); + _exit(1); } // wait for the child to finish waitpid(child, NULL, 0); @@ -163,7 +164,8 @@ void netfilter(const char *fname) { errExit("setregid"); environ = NULL; execl(iptables, iptables, "-vL", NULL); - // it will never get here!!! + perror("execl"); + _exit(1); } // wait for the child to finish waitpid(child, NULL, 0); @@ -256,7 +258,8 @@ void netfilter6(const char *fname) { // wipe out environment variables environ = NULL; execl(ip6tables_restore, ip6tables_restore, NULL); - // it will never get here!!! + perror("execl"); + _exit(1); } // wait for the child to finish waitpid(child, NULL, 0); @@ -269,7 +272,8 @@ void netfilter6(const char *fname) { if (child == 0) { environ = NULL; execl(ip6tables, ip6tables, "-vL", NULL); - // it will never get here!!! + perror("execl"); + _exit(1); } // wait for the child to finish waitpid(child, NULL, 0); diff --git a/src/firejail/x11.c b/src/firejail/x11.c index d40d349e1..c79f1a74e 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c @@ -314,7 +314,7 @@ void x11_start_xephyr(int argc, char **argv) { execvp(server_argv[0], server_argv); perror("execvp"); - exit(1); + _exit(1); } if (arg_debug) @@ -355,7 +355,7 @@ void x11_start_xephyr(int argc, char **argv) { execvp(jail_argv[0], jail_argv); perror("execvp"); - exit(1); + _exit(1); } // cleanup 
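Review bot: In the main.c hunk, `printf("Host network configured\n");` is now followed directly by `_exit(0);`. `_exit()` does not flush stdio buffers on Linux, so the message is dropped whenever `--debug` output goes to a file or pipe. Add `fflush(stdout);` before the `_exit(0);`, and flush in the parent before the fork so the child does not re-emit inherited data. The same applies to print_sandbox() in src/firemon/interface.c, where `net_ifprint(); printf("\n");` precedes `_exit(0);`. It may also apply to the `fs_logger_print();` calls in fs_bin.c, fs_etc.c and fs_home.c, depending on how that helper writes; main() continues outside the hunk.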
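Review bot: The four children in netfilter() and netfilter6() now exit with status 1 when `execl()` fails, but the parent still calls `waitpid(child, NULL, 0);` and discards that status. It therefore looks as if a sandbox can start without its firewall rules, with only a perror line to show it. I would collect the status with `int status; waitpid(child, &status, 0);` and stop on failure with `if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) { fprintf(stderr, "Error: cannot install netfilter rules\n"); exit(1); }`. This matters for the `iptables_restore` and `ip6tables_restore` children; the `-vL` listing is informational. What the functions do after the wait is outside these hunks.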
@@ -434,7 +434,7 @@ void x11_start_xpra(int argc, char **argv) { execvp(server_argv[0], server_argv); perror("execvp"); - exit(1); + _exit(1); } // check X11 socket @@ -480,7 +480,7 @@ void x11_start_xpra(int argc, char **argv) { execvp(attach_argv[0], attach_argv); perror("execvp"); - exit(1); + _exit(1); } setenv("DISPLAY", display_str, 1); @@ -536,7 +536,7 @@ void x11_start_xpra(int argc, char **argv) { } execvp(stop_argv[0], stop_argv); perror("execvp"); - exit(1); + _exit(1); } // wait for xpra server to stop, 10 seconds limit @@ -672,7 +672,7 @@ void x11_xorg(void) { execlp("/usr/bin/xauth", "/usr/bin/xauth", "-f", RUN_XAUTHORITY_SEC_FILE, "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL); - exit(0); + _exit(0); } // wait for the child to finish waitpid(child, NULL, 0); diff --git a/src/firemon/interface.c b/src/firemon/interface.c index 5a89e1491..bceed93d3 100644 --- a/src/firemon/interface.c +++ b/src/firemon/interface.c @@ -146,7 +146,7 @@ static void print_sandbox(pid_t pid) { return; net_ifprint(); printf("\n"); - exit(0); + _exit(0); } // wait for the child to finish -- cgit v1.2.3-70-g09d2 From 30481f427c2adcfe890916da3724592128c9a932 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Thu, 20 Oct 2016 00:26:54 +0300 Subject: fix building on systems without bash --- mkuid.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mkuid.sh b/mkuid.sh index c95741043..a59f58143 100755 --- a/mkuid.sh +++ b/mkuid.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/sh echo "extracting UID_MIN and GID_MIN" echo "#ifndef FIREJAIL_UIDS_H" > uids.h -- cgit v1.2.3-70-g09d2 From 9b693b4a0791584bc8c543bfae71bbcdb167f592 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Thu, 20 Oct 2016 00:29:58 +0300 Subject: add missing include --- src/firemon/procevent.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c index 188c10183..c59c7423d 100644 --- a/src/firemon/procevent.c 
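Review bot: In x11_xorg() the child still ends with `_exit(0);` after `execlp("/usr/bin/xauth", ...)`, so a failed exec is reported as success and prints nothing, unlike the other exec sites touched by this commit. This step generates the untrusted MIT-MAGIC-COOKIE-1 entry in RUN_XAUTHORITY_SEC_FILE, so a failure should be visible: replace the line with `perror("execlp"); _exit(1);`. The parent's `waitpid(child, NULL, 0);` also ignores the exit status. How a missing or empty authority file is handled afterwards is outside the hunk.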
+++ b/src/firemon/procevent.c @@ -28,6 +28,8 @@ #include #include #include +//#include + #define PIDS_BUFLEN 4096 #define SERVER_PORT 889 // 889-899 is left unassigned by IANA -- cgit v1.2.3-70-g09d2 From 900ffe37394940efb405b16998392d8d69206574 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Thu, 20 Oct 2016 01:05:06 +0300 Subject: fix mutt.profile --- etc/disable-programs.inc | 1 + etc/mutt.profile | 1 + 2 files changed, 2 insertions(+) diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 0094c6d11..edd4ee374 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -77,6 +77,7 @@ blacklist ${HOME}/.8pecxstudios blacklist ${HOME}/.config/brave blacklist ${HOME}/.config/inox blacklist ${HOME}/.muttrc +blacklist ${HOME}/.mutt blacklist ${HOME}/.mutt/muttrc blacklist ${HOME}/.msmtprc blacklist ${HOME}/.config/evolution diff --git a/etc/mutt.profile b/etc/mutt.profile index cda7fc4bf..b532ded67 100644 --- a/etc/mutt.profile +++ b/etc/mutt.profile @@ -2,6 +2,7 @@ noblacklist ~/.muttrc noblacklist ~/.mutt +noblacklist ~/.mutt/muttrc noblacklist ~/.mailcap noblacklist ~/.gnupg noblacklist ~/.mail -- cgit v1.2.3-70-g09d2 From 4ac74f0621fbb33a90dd4e3aa181ccd727c57514 Mon Sep 17 00:00:00 2001 From: Aleksey Manevich Date: Thu, 20 Oct 2016 01:23:26 +0300 Subject: add missing include --- src/firemon/procevent.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c index c59c7423d..78a3a4fb2 100644 --- a/src/firemon/procevent.c +++ b/src/firemon/procevent.c @@ -28,7 +28,7 @@ #include #include #include -//#include +#include #define PIDS_BUFLEN 4096 #define SERVER_PORT 889 // 889-899 is left unassigned by IANA -- cgit v1.2.3-70-g09d2 From 287dc95bac1abce140459a7ecd0213833626b800 Mon Sep 17 00:00:00 2001 From: valoq Date: Thu, 20 Oct 2016 15:47:34 +0200 Subject: removed blacklist duplate --- etc/disable-common.inc | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 506d4e258..19a23d764 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -138,11 +138,11 @@ blacklist /etc/ssh blacklist /var/backup # system management -blacklist ${PATH}/umount -blacklist ${PATH}/mount -blacklist ${PATH}/fusermount -blacklist ${PATH}/su -blacklist ${PATH}/sudo +# blacklist ${PATH}/umount +# blacklist ${PATH}/mount +# blacklist ${PATH}/fusermount +# blacklist ${PATH}/su +# blacklist ${PATH}/sudo blacklist ${PATH}/xinput blacklist ${PATH}/evtest blacklist ${PATH}/xev -- cgit v1.2.3-70-g09d2 From 981ba13ec0b8a88f79b128a09b36bc1474c0f0a1 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 21 Oct 2016 09:44:58 -0400 Subject: 0.9.44 testing --- RELNOTES | 7 ++++--- configure | 18 +++++++++--------- configure.ac | 2 +- src/firejail/main.c | 1 - src/man/firejail-login.txt | 4 ++++ 5 files changed, 18 insertions(+), 14 deletions(-) diff --git a/RELNOTES b/RELNOTES index f1d6a8da1..8617d2db7 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,6 +1,5 @@ -firejail (0.9.44~rc1) baseline; urgency=low +firejail (0.9.44) baseline; urgency=low * CVE-2016-7545 submitted by Aleksey Manevich - * development version * modifs: removed man firejail-config * modifs: --private-tmp whitelists /tmp/.X11-unix directory * modifs: Nvidia drivers added to --private-dev 
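Review bot: The five rules under `# system management` in etc/disable-common.inc are commented out rather than deleted, with nothing to say why. Someone auditing this include can read `# blacklist ${PATH}/sudo` as a protection that was switched off. Either delete the lines or replace them with one pointer such as `# umount, mount, fusermount, su, sudo: covered by the suid list at the end of this file`.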
@@ -18,12 +17,14 @@ firejail (0.9.44~rc1) baseline; urgency=low * feature: disable 3D hardware acceleration (--no3d) * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands * feature: move files in sandbox (--put) + * feature: accept wildcard patterns in user name field of restricted + shell login feature * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape * new profiles: feh, ranger, zathura, 7z, keepass, keepassx, * new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot * new profiles: Flowblade, Eye of GNOME (eog), Evolution * bugfixes - -- netblue30 Sat, 15 Sept 2016 08:00:00 -0500 + -- netblue30 Fri, 21 Oct 2016 08:00:00 -0500 firejail (0.9.42) baseline; urgency=low * security: --whitelist deleted files, submitted by Vasya Novikov diff --git a/configure b/configure index 9a33f0401..b92d9071c 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for firejail 0.9.44~rc2. +# Generated by GNU Autoconf 2.69 for firejail 0.9.44. # # Report bugs to . # @@ -580,8 +580,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='firejail' PACKAGE_TARNAME='firejail' -PACKAGE_VERSION='0.9.44~rc2' -PACKAGE_STRING='firejail 0.9.44~rc2' +PACKAGE_VERSION='0.9.44' +PACKAGE_STRING='firejail 0.9.44' PACKAGE_BUGREPORT='netblue30@yahoo.com' PACKAGE_URL='http://firejail.wordpress.com' @@ -1259,7 +1259,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures firejail 0.9.44~rc2 to adapt to many kinds of systems. +\`configure' configures firejail 0.9.44 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... 
@@ -1320,7 +1320,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of firejail 0.9.44~rc2:";; + short | recursive ) echo "Configuration of firejail 0.9.44:";; esac cat <<\_ACEOF @@ -1424,7 +1424,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -firejail configure 0.9.44~rc2 +firejail configure 0.9.44 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1726,7 +1726,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by firejail $as_me 0.9.44~rc2, which was +It was created by firejail $as_me 0.9.44, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4303,7 +4303,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by firejail $as_me 0.9.44~rc2, which was +This file was extended by firejail $as_me 0.9.44, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -4357,7 +4357,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -firejail config.status 0.9.44~rc2 +firejail config.status 0.9.44 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index 4496550fd..da4b31591 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ([2.68]) -AC_INIT(firejail, 0.9.44~rc2, netblue30@yahoo.com, , http://firejail.wordpress.com) +AC_INIT(firejail, 0.9.44, netblue30@yahoo.com, , http://firejail.wordpress.com) AC_CONFIG_SRCDIR([src/firejail/main.c]) #AC_CONFIG_HEADERS([config.h]) 
diff --git a/src/firejail/main.c b/src/firejail/main.c index 0872a11bb..b5a97c71e 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -2579,7 +2579,6 @@ int main(int argc, char **argv) { g = get_group_id("games"); if (g) { sprintf(ptr, "%d %d 1\n", g, g); - ptr += strlen(ptr); } EUID_ROOT(); diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt index 691217253..796179d0b 100644 --- a/src/man/firejail-login.txt +++ b/src/man/firejail-login.txt @@ -13,6 +13,10 @@ Example: netblue:--net=none --protocol=unix +Wildcard patterns are accepted in the user name field: + + user*: --private + .SH RESTRICTED SHELL To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in /etc/passwd file for each user that needs to be restricted. Alternatively, -- cgit v1.2.3-70-g09d2 From 08106743010d1b005e8d6cd377d79fdc8fb0af96 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 21 Oct 2016 10:14:08 -0400 Subject: 0.9.44 testing --- test/filters/noroot.exp | 44 ++++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/test/filters/noroot.exp b/test/filters/noroot.exp index 2a7cb7975..b011f2bf9 100755 --- a/test/filters/noroot.exp +++ b/test/filters/noroot.exp @@ -46,20 +46,20 @@ expect { } send -- "sudo -s\r" expect { - timeout {puts "TESTING ERROR 8\n";exit} + timeout {puts "TESTING ERROR 7\n";exit} "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";} "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} "Bad system call" { puts "OK\n";} } send -- "cat /proc/self/uid_map | wc -l\r" expect { - timeout {puts "TESTING ERROR 7\n";exit} + timeout {puts "TESTING ERROR 8\n";exit} "1" } send -- "cat /proc/self/gid_map | wc -l\r" expect { - timeout {puts "TESTING ERROR 8\n";exit} - "3" + timeout {puts "TESTING ERROR 9\n";exit} + "5" } puts "\n" 
@@ -70,59 +70,59 @@ sleep 2 send -- "firejail --name=test --noroot --noprofile\r" expect { - timeout {puts "TESTING ERROR 9\n";exit} + timeout {puts "TESTING ERROR 10\n";exit} "Child process initialized" } sleep 1 send -- "cat /proc/self/status\r" expect { - timeout {puts "TESTING ERROR 10\n";exit} + timeout {puts "TESTING ERROR 11\n";exit} "CapBnd:" } expect { - timeout {puts "TESTING ERROR 11\n";exit} + timeout {puts "TESTING ERROR 12\n";exit} "ffffffff" } expect { - timeout {puts "TESTING ERROR 12\n";exit} + timeout {puts "TESTING ERROR 13\n";exit} "Seccomp:" } expect { - timeout {puts "TESTING ERROR 13\n";exit} + timeout {puts "TESTING ERROR 14\n";exit} "0" } expect { - timeout {puts "TESTING ERROR 14\n";exit} + timeout {puts "TESTING ERROR 15\n";exit} "Cpus_allowed:" } puts "\n" send -- "whoami\r" expect { - timeout {puts "TESTING ERROR 15\n";exit} + timeout {puts "TESTING ERROR 16\n";exit} $env(USER) } send -- "sudo -s\r" expect { - timeout {puts "TESTING ERROR 16\n";exit} + timeout {puts "TESTING ERROR 17\n";exit} "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";} "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} } send -- "ping 0\r" expect { - timeout {puts "TESTING ERROR 17\n";exit} + timeout {puts "TESTING ERROR 18\n";exit} "Operation not permitted" } send -- "cat /proc/self/uid_map | wc -l\r" expect { - timeout {puts "TESTING ERROR 18\n";exit} + timeout {puts "TESTING ERROR 19\n";exit} "1" } send -- "cat /proc/self/gid_map | wc -l\r" expect { - timeout {puts "TESTING ERROR 19\n";exit} - "3" + timeout {puts "TESTING ERROR 20\n";exit} + "5" } 
@@ -130,31 +130,31 @@ expect { spawn $env(SHELL) send -- "firejail --debug --join=test\r" expect { - timeout {puts "TESTING ERROR 20\n";exit} + timeout {puts "TESTING ERROR 21\n";exit} "User namespace detected" } expect { - timeout {puts "TESTING ERROR 21\n";exit} + timeout {puts "TESTING ERROR 22\n";exit} "Joining user namespace" } sleep 1 send -- "sudo -s\r" expect { - timeout {puts "TESTING ERROR 22\n";exit} + timeout {puts "TESTING ERROR 23\n";exit} "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";} "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} "Permission denied" { puts "OK\n";} } send -- "cat /proc/self/uid_map | wc -l\r" expect { - timeout {puts "TESTING ERROR 23\n";exit} + timeout {puts "TESTING ERROR 24\n";exit} "1" } send -- "cat /proc/self/gid_map | wc -l\r" expect { - timeout {puts "TESTING ERROR 24\n";exit} - "3" + timeout {puts "TESTING ERROR 25\n";exit} + "5" } after 100 puts "\nall done\n" -- cgit v1.2.3-70-g09d2 From 7fbb382700760f533dedfe1c370031e1f911f88d Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 21 Oct 2016 20:41:12 -0400 Subject: 0.9.44 fixes --- Makefile.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile.in b/Makefile.in index 9574c74bc..dbf53e2cb 100644 --- a/Makefile.in +++ b/Makefile.in @@ -141,7 +141,7 @@ uninstall: rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg DISTFILES = "src etc platform configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES" -DISTFILES_TEST = "test/apps test/apps-x11 test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils" +DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils" dist: mv config.status config.status.old -- cgit v1.2.3-70-g09d2 
From 0b32d832d23b6c2a6f2b800ebd7bb2842bc1d609 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 22 Oct 2016 08:39:55 -0400 Subject: 0.9.44 - build rpm --- platform/rpm/old-mkrpm.sh | 542 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 542 insertions(+) create mode 100755 platform/rpm/old-mkrpm.sh diff --git a/platform/rpm/old-mkrpm.sh b/platform/rpm/old-mkrpm.sh new file mode 100755 index 000000000..017d5e1c3 --- /dev/null +++ b/platform/rpm/old-mkrpm.sh 
@@ -0,0 +1,542 @@ +#!/bin/bash +VERSION="0.9.44" +rm -fr ~/rpmbuild +rm -f firejail-$VERSION-1.x86_64.rpm + +mkdir -p ~/rpmbuild/{RPMS,SRPMS,BUILD,SOURCES,SPECS,tmp} +cat <~/.rpmmacros +%_topdir %(echo $HOME)/rpmbuild +%_tmppath %{_topdir}/tmp +EOF + +cd ~/rpmbuild +echo "building directory tree" + +mkdir -p firejail-$VERSION/usr/bin +install -m 755 /usr/bin/firejail firejail-$VERSION/usr/bin/. +install -m 755 /usr/bin/firemon firejail-$VERSION/usr/bin/. +install -m 755 /usr/bin/firecfg firejail-$VERSION/usr/bin/. + +mkdir -p firejail-$VERSION/usr/lib/firejail +install -m 755 /usr/lib/firejail/faudit firejail-$VERSION/usr/lib/firejail/. +install -m 644 /usr/lib/firejail/firecfg.config firejail-$VERSION/usr/lib/firejail/. +install -m 755 /usr/lib/firejail/fshaper.sh firejail-$VERSION/usr/lib/firejail/. +install -m 755 /usr/lib/firejail/ftee firejail-$VERSION/usr/lib/firejail/. +install -m 644 /usr/lib/firejail/libtrace.so firejail-$VERSION/usr/lib/firejail/. +install -m 644 /usr/lib/firejail/libtracelog.so firejail-$VERSION/usr/lib/firejail/. +install -m 644 /usr/lib/firejail/libconnect.so firejail-$VERSION/usr/lib/firejail/. + +mkdir -p firejail-$VERSION/usr/share/man/man1 +install -m 644 /usr/share/man/man1/firejail.1.gz firejail-$VERSION/usr/share/man/man1/. +install -m 644 /usr/share/man/man1/firemon.1.gz firejail-$VERSION/usr/share/man/man1/. +install -m 644 /usr/share/man/man1/firecfg.1.gz firejail-$VERSION/usr/share/man/man1/. + +mkdir -p firejail-$VERSION/usr/share/man/man5 +install -m 644 /usr/share/man/man5/firejail-profile.5.gz firejail-$VERSION/usr/share/man/man5/. +install -m 644 /usr/share/man/man5/firejail-login.5.gz firejail-$VERSION/usr/share/man/man5/. + +mkdir -p firejail-$VERSION/usr/share/doc/packages/firejail +install -m 644 /usr/share/doc/firejail/COPYING firejail-$VERSION/usr/share/doc/packages/firejail/. +install -m 644 /usr/share/doc/firejail/README firejail-$VERSION/usr/share/doc/packages/firejail/. 
+install -m 644 /usr/share/doc/firejail/RELNOTES firejail-$VERSION/usr/share/doc/packages/firejail/. + +mkdir -p firejail-$VERSION/etc/firejail +install -m 644 /etc/firejail/0ad.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/abrowser.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/atom-beta.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/atom.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/atril.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/audacious.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/audacity.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/aweather.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/bitlbee.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/brave.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/cherrytree.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/chromium-browser.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/chromium.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/clementine.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/cmus.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/conkeror.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/corebird.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/cpio.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/cyberfox.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/Cyberfox.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/deadbeef.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/default.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/deluge.profile firejail-$VERSION/etc/firejail/. 
+install -m 644 /etc/firejail/dillo.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/disable-common.inc firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/disable-devel.inc firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/disable-passwdmgr.inc firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/disable-programs.inc firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/dnscrypt-proxy.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/dnsmasq.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/dosbox.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/dropbox.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/empathy.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/eom.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/epiphany.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/evince.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/fbreader.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/file.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/filezilla.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/firefox-esr.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/firefox.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/firejail.config firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/flashpeak-slimjet.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/franz.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/gajim.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/gitter.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/gnome-chess.profile firejail-$VERSION/etc/firejail/. 
+install -m 644 /etc/firejail/gnome-mplayer.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/google-chrome-beta.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/google-chrome.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/google-chrome-stable.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/google-chrome-unstable.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/google-play-music-desktop-player.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/gpredict.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/gtar.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/gthumb.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/gwenview.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/gzip.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/hedgewars.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/hexchat.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/icecat.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/icedove.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/iceweasel.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/inox.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/jitsi.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/kmail.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/konversation.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/less.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/libreoffice.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/localc.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/lodraw.profile firejail-$VERSION/etc/firejail/. 
+install -m 644 /etc/firejail/loffice.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/lofromtemplate.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/login.users firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/loimpress.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/lomath.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/loweb.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/lowriter.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/lxterminal.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/mathematica.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/Mathematica.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/mcabber.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/midori.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/mpv.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/mupen64plus.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/netsurf.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/nolocal.net firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/okular.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/openbox.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/opera-beta.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/opera.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/palemoon.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/parole.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/pidgin.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/pix.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/polari.profile firejail-$VERSION/etc/firejail/. 
+install -m 644 /etc/firejail/psi-plus.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/qbittorrent.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/qtox.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/quassel.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/quiterss.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/qutebrowser.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/rhythmbox.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/rtorrent.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/seamonkey-bin.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/seamonkey.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/server.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/skypeforlinux.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/skype.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/slack.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/snap.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/soffice.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/spotify.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/ssh.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/steam.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/stellarium.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/strings.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/tar.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/telegram.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/Telegram.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/thunderbird.profile firejail-$VERSION/etc/firejail/. 
+install -m 644 /etc/firejail/totem.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/transmission-gtk.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/transmission-qt.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/uget-gtk.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/unbound.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/unrar.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/unzip.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/uudeview.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/vivaldi-beta.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/vivaldi.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/vlc.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/warzone2100.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/webserver.net firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/weechat-curses.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/weechat.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/wesnoth.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/whitelist-common.inc firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/wine.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/xchat.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/xplayer.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/xreader.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/xviewer.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/xzdec.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/xz.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/zathura.profile firejail-$VERSION/etc/firejail/. 
+install -m 644 /etc/firejail/7z.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/keepass.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/keepassx.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/claws-mail.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/mutt.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/git.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/emacs.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/vim.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/xpdf.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/virtualbox.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/openshot.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/flowblade.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/eog.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/evolution.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/feh.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/gimp.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/inkscape.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/luminance-hdr.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/mupdf.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/qpdfview.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/ranger.profile firejail-$VERSION/etc/firejail/. +install -m 644 /etc/firejail/synfigstudio.profile firejail-$VERSION/etc/firejail/. + + +mkdir -p firejail-$VERSION/usr/share/bash-completion/completions +install -m 644 /usr/share/bash-completion/completions/firejail firejail-$VERSION/usr/share/bash-completion/completions/. 
+install -m 644 /usr/share/bash-completion/completions/firemon firejail-$VERSION/usr/share/bash-completion/completions/. +install -m 644 /usr/share/bash-completion/completions/firecfg firejail-$VERSION/usr/share/bash-completion/completions/. + +echo "building tar.gz archive" +tar -czvf firejail-$VERSION.tar.gz firejail-$VERSION + +cp firejail-$VERSION.tar.gz SOURCES/. + +echo "building config spec" +cat < SPECS/firejail.spec +%define __spec_install_post %{nil} +%define debug_package %{nil} +%define __os_install_post %{_dbpath}/brp-compress + +Summary: Linux namepaces sandbox program +Name: firejail +Version: $VERSION +Release: 1 +License: GPL+ +Group: Development/Tools +SOURCE0 : %{name}-%{version}.tar.gz +URL: http://firejail.wordpress.com + +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root + +%description +Firejail is a SUID sandbox program that reduces the risk of security +breaches by restricting the running environment of untrusted applications +using Linux namespaces. It includes a sandbox profile for Mozilla Firefox. 
+ +%prep +%setup -q + +%build + +%install +rm -rf %{buildroot} +mkdir -p %{buildroot} + +cp -a * %{buildroot} + + +%clean +rm -rf %{buildroot} + + +%files +%defattr(-,root,root,-) +%config(noreplace) %{_sysconfdir}/%{name}/0ad.profile +%config(noreplace) %{_sysconfdir}/%{name}/abrowser.profile +%config(noreplace) %{_sysconfdir}/%{name}/atom-beta.profile +%config(noreplace) %{_sysconfdir}/%{name}/atom.profile +%config(noreplace) %{_sysconfdir}/%{name}/atril.profile +%config(noreplace) %{_sysconfdir}/%{name}/audacious.profile +%config(noreplace) %{_sysconfdir}/%{name}/audacity.profile +%config(noreplace) %{_sysconfdir}/%{name}/aweather.profile +%config(noreplace) %{_sysconfdir}/%{name}/bitlbee.profile +%config(noreplace) %{_sysconfdir}/%{name}/brave.profile +%config(noreplace) %{_sysconfdir}/%{name}/cherrytree.profile +%config(noreplace) %{_sysconfdir}/%{name}/chromium-browser.profile +%config(noreplace) %{_sysconfdir}/%{name}/chromium.profile +%config(noreplace) %{_sysconfdir}/%{name}/clementine.profile +%config(noreplace) %{_sysconfdir}/%{name}/cmus.profile +%config(noreplace) %{_sysconfdir}/%{name}/conkeror.profile +%config(noreplace) %{_sysconfdir}/%{name}/corebird.profile +%config(noreplace) %{_sysconfdir}/%{name}/cpio.profile +%config(noreplace) %{_sysconfdir}/%{name}/cyberfox.profile +%config(noreplace) %{_sysconfdir}/%{name}/Cyberfox.profile +%config(noreplace) %{_sysconfdir}/%{name}/deadbeef.profile +%config(noreplace) %{_sysconfdir}/%{name}/default.profile +%config(noreplace) %{_sysconfdir}/%{name}/deluge.profile +%config(noreplace) %{_sysconfdir}/%{name}/dillo.profile +%config(noreplace) %{_sysconfdir}/%{name}/disable-common.inc +%config(noreplace) %{_sysconfdir}/%{name}/disable-devel.inc +%config(noreplace) %{_sysconfdir}/%{name}/disable-passwdmgr.inc +%config(noreplace) %{_sysconfdir}/%{name}/disable-programs.inc +%config(noreplace) %{_sysconfdir}/%{name}/dnscrypt-proxy.profile +%config(noreplace) %{_sysconfdir}/%{name}/dnsmasq.profile 
+%config(noreplace) %{_sysconfdir}/%{name}/dosbox.profile +%config(noreplace) %{_sysconfdir}/%{name}/dropbox.profile +%config(noreplace) %{_sysconfdir}/%{name}/empathy.profile +%config(noreplace) %{_sysconfdir}/%{name}/eom.profile +%config(noreplace) %{_sysconfdir}/%{name}/epiphany.profile +%config(noreplace) %{_sysconfdir}/%{name}/evince.profile +%config(noreplace) %{_sysconfdir}/%{name}/fbreader.profile +%config(noreplace) %{_sysconfdir}/%{name}/file.profile +%config(noreplace) %{_sysconfdir}/%{name}/filezilla.profile +%config(noreplace) %{_sysconfdir}/%{name}/firefox-esr.profile +%config(noreplace) %{_sysconfdir}/%{name}/firefox.profile +%config(noreplace) %{_sysconfdir}/%{name}/firejail.config +%config(noreplace) %{_sysconfdir}/%{name}/flashpeak-slimjet.profile +%config(noreplace) %{_sysconfdir}/%{name}/franz.profile +%config(noreplace) %{_sysconfdir}/%{name}/gajim.profile +%config(noreplace) %{_sysconfdir}/%{name}/gitter.profile +%config(noreplace) %{_sysconfdir}/%{name}/gnome-chess.profile +%config(noreplace) %{_sysconfdir}/%{name}/gnome-mplayer.profile +%config(noreplace) %{_sysconfdir}/%{name}/google-chrome-beta.profile +%config(noreplace) %{_sysconfdir}/%{name}/google-chrome.profile +%config(noreplace) %{_sysconfdir}/%{name}/google-chrome-stable.profile +%config(noreplace) %{_sysconfdir}/%{name}/google-chrome-unstable.profile +%config(noreplace) %{_sysconfdir}/%{name}/google-play-music-desktop-player.profile +%config(noreplace) %{_sysconfdir}/%{name}/gpredict.profile +%config(noreplace) %{_sysconfdir}/%{name}/gtar.profile +%config(noreplace) %{_sysconfdir}/%{name}/gthumb.profile +%config(noreplace) %{_sysconfdir}/%{name}/gwenview.profile +%config(noreplace) %{_sysconfdir}/%{name}/gzip.profile +%config(noreplace) %{_sysconfdir}/%{name}/hedgewars.profile +%config(noreplace) %{_sysconfdir}/%{name}/hexchat.profile +%config(noreplace) %{_sysconfdir}/%{name}/icecat.profile +%config(noreplace) %{_sysconfdir}/%{name}/icedove.profile +%config(noreplace) 
%{_sysconfdir}/%{name}/iceweasel.profile +%config(noreplace) %{_sysconfdir}/%{name}/inox.profile +%config(noreplace) %{_sysconfdir}/%{name}/jitsi.profile +%config(noreplace) %{_sysconfdir}/%{name}/kmail.profile +%config(noreplace) %{_sysconfdir}/%{name}/konversation.profile +%config(noreplace) %{_sysconfdir}/%{name}/less.profile +%config(noreplace) %{_sysconfdir}/%{name}/libreoffice.profile +%config(noreplace) %{_sysconfdir}/%{name}/localc.profile +%config(noreplace) %{_sysconfdir}/%{name}/lodraw.profile +%config(noreplace) %{_sysconfdir}/%{name}/loffice.profile +%config(noreplace) %{_sysconfdir}/%{name}/lofromtemplate.profile +%config(noreplace) %{_sysconfdir}/%{name}/login.users +%config(noreplace) %{_sysconfdir}/%{name}/loimpress.profile +%config(noreplace) %{_sysconfdir}/%{name}/lomath.profile +%config(noreplace) %{_sysconfdir}/%{name}/loweb.profile +%config(noreplace) %{_sysconfdir}/%{name}/lowriter.profile +%config(noreplace) %{_sysconfdir}/%{name}/lxterminal.profile +%config(noreplace) %{_sysconfdir}/%{name}/mathematica.profile +%config(noreplace) %{_sysconfdir}/%{name}/Mathematica.profile +%config(noreplace) %{_sysconfdir}/%{name}/mcabber.profile +%config(noreplace) %{_sysconfdir}/%{name}/midori.profile +%config(noreplace) %{_sysconfdir}/%{name}/mpv.profile +%config(noreplace) %{_sysconfdir}/%{name}/mupen64plus.profile +%config(noreplace) %{_sysconfdir}/%{name}/netsurf.profile +%config(noreplace) %{_sysconfdir}/%{name}/nolocal.net +%config(noreplace) %{_sysconfdir}/%{name}/okular.profile +%config(noreplace) %{_sysconfdir}/%{name}/openbox.profile +%config(noreplace) %{_sysconfdir}/%{name}/opera-beta.profile +%config(noreplace) %{_sysconfdir}/%{name}/opera.profile +%config(noreplace) %{_sysconfdir}/%{name}/palemoon.profile +%config(noreplace) %{_sysconfdir}/%{name}/parole.profile +%config(noreplace) %{_sysconfdir}/%{name}/pidgin.profile +%config(noreplace) %{_sysconfdir}/%{name}/pix.profile +%config(noreplace) %{_sysconfdir}/%{name}/polari.profile 
+%config(noreplace) %{_sysconfdir}/%{name}/psi-plus.profile +%config(noreplace) %{_sysconfdir}/%{name}/qbittorrent.profile +%config(noreplace) %{_sysconfdir}/%{name}/qtox.profile +%config(noreplace) %{_sysconfdir}/%{name}/quassel.profile +%config(noreplace) %{_sysconfdir}/%{name}/quiterss.profile +%config(noreplace) %{_sysconfdir}/%{name}/qutebrowser.profile +%config(noreplace) %{_sysconfdir}/%{name}/rhythmbox.profile +%config(noreplace) %{_sysconfdir}/%{name}/rtorrent.profile +%config(noreplace) %{_sysconfdir}/%{name}/seamonkey-bin.profile +%config(noreplace) %{_sysconfdir}/%{name}/seamonkey.profile +%config(noreplace) %{_sysconfdir}/%{name}/server.profile +%config(noreplace) %{_sysconfdir}/%{name}/skypeforlinux.profile +%config(noreplace) %{_sysconfdir}/%{name}/skype.profile +%config(noreplace) %{_sysconfdir}/%{name}/slack.profile +%config(noreplace) %{_sysconfdir}/%{name}/snap.profile +%config(noreplace) %{_sysconfdir}/%{name}/soffice.profile +%config(noreplace) %{_sysconfdir}/%{name}/spotify.profile +%config(noreplace) %{_sysconfdir}/%{name}/ssh.profile +%config(noreplace) %{_sysconfdir}/%{name}/steam.profile +%config(noreplace) %{_sysconfdir}/%{name}/stellarium.profile +%config(noreplace) %{_sysconfdir}/%{name}/strings.profile +%config(noreplace) %{_sysconfdir}/%{name}/tar.profile +%config(noreplace) %{_sysconfdir}/%{name}/telegram.profile +%config(noreplace) %{_sysconfdir}/%{name}/Telegram.profile +%config(noreplace) %{_sysconfdir}/%{name}/thunderbird.profile +%config(noreplace) %{_sysconfdir}/%{name}/totem.profile +%config(noreplace) %{_sysconfdir}/%{name}/transmission-gtk.profile +%config(noreplace) %{_sysconfdir}/%{name}/transmission-qt.profile +%config(noreplace) %{_sysconfdir}/%{name}/uget-gtk.profile +%config(noreplace) %{_sysconfdir}/%{name}/unbound.profile +%config(noreplace) %{_sysconfdir}/%{name}/unrar.profile +%config(noreplace) %{_sysconfdir}/%{name}/unzip.profile +%config(noreplace) %{_sysconfdir}/%{name}/uudeview.profile +%config(noreplace) 
%{_sysconfdir}/%{name}/vivaldi-beta.profile +%config(noreplace) %{_sysconfdir}/%{name}/vivaldi.profile +%config(noreplace) %{_sysconfdir}/%{name}/vlc.profile +%config(noreplace) %{_sysconfdir}/%{name}/warzone2100.profile +%config(noreplace) %{_sysconfdir}/%{name}/webserver.net +%config(noreplace) %{_sysconfdir}/%{name}/weechat-curses.profile +%config(noreplace) %{_sysconfdir}/%{name}/weechat.profile +%config(noreplace) %{_sysconfdir}/%{name}/wesnoth.profile +%config(noreplace) %{_sysconfdir}/%{name}/whitelist-common.inc +%config(noreplace) %{_sysconfdir}/%{name}/wine.profile +%config(noreplace) %{_sysconfdir}/%{name}/xchat.profile +%config(noreplace) %{_sysconfdir}/%{name}/xplayer.profile +%config(noreplace) %{_sysconfdir}/%{name}/xreader.profile +%config(noreplace) %{_sysconfdir}/%{name}/xviewer.profile +%config(noreplace) %{_sysconfdir}/%{name}/xzdec.profile +%config(noreplace) %{_sysconfdir}/%{name}/xz.profile +%config(noreplace) %{_sysconfdir}/%{name}/zathura.profile +%config(noreplace) %{_sysconfdir}/%{name}/7z.profile +%config(noreplace) %{_sysconfdir}/%{name}/keepass.profile +%config(noreplace) %{_sysconfdir}/%{name}/keepassx.profile +%config(noreplace) %{_sysconfdir}/%{name}/claws-mail.profile +%config(noreplace) %{_sysconfdir}/%{name}/mutt.profile +%config(noreplace) %{_sysconfdir}/%{name}/git.profile +%config(noreplace) %{_sysconfdir}/%{name}/emacs.profile +%config(noreplace) %{_sysconfdir}/%{name}/vim.profile +%config(noreplace) %{_sysconfdir}/%{name}/xpdf.profile +%config(noreplace) %{_sysconfdir}/%{name}/virtualbox.profile +%config(noreplace) %{_sysconfdir}/%{name}/openshot.profile +%config(noreplace) %{_sysconfdir}/%{name}/flowblade.profile +%config(noreplace) %{_sysconfdir}/%{name}/eog.profile +%config(noreplace) %{_sysconfdir}/%{name}/evolution.profile +%config(noreplace) %{_sysconfdir}/%{name}/feh.profile +%config(noreplace) %{_sysconfdir}/%{name}/inkscape.profile +%config(noreplace) %{_sysconfdir}/%{name}/gimp.profile +%config(noreplace) 
%{_sysconfdir}/%{name}/luminance-hdr.profile +%config(noreplace) %{_sysconfdir}/%{name}/mupdf.profile +%config(noreplace) %{_sysconfdir}/%{name}/qpdfview.profile +%config(noreplace) %{_sysconfdir}/%{name}/ranger.profile +%config(noreplace) %{_sysconfdir}/%{name}/synfigstudio.profile + +/usr/bin/firejail +/usr/bin/firemon +/usr/bin/firecfg + +/usr/lib/firejail/libtrace.so +/usr/lib/firejail/libtracelog.so +/usr/lib/firejail/libconnect.so +/usr/lib/firejail/faudit +/usr/lib/firejail/ftee +/usr/lib/firejail/firecfg.config +/usr/lib/firejail/fshaper.sh + +/usr/share/doc/packages/firejail/COPYING +/usr/share/doc/packages/firejail/README +/usr/share/doc/packages/firejail/RELNOTES +/usr/share/man/man1/firejail.1.gz +/usr/share/man/man1/firemon.1.gz +/usr/share/man/man1/firecfg.1.gz +/usr/share/man/man5/firejail-profile.5.gz +/usr/share/man/man5/firejail-login.5.gz +/usr/share/bash-completion/completions/firejail +/usr/share/bash-completion/completions/firemon +/usr/share/bash-completion/completions/firecfg + +%post +chmod u+s /usr/bin/firejail + +%changelog +* Fri Oct 21 2016 netblue30 0.9.44-1 + - CVE-2016-7545 submitted by Aleksey Manevich + - modifs: removed man firejail-config + - modifs: --private-tmp whitelists /tmp/.X11-unix directory + - modifs: Nvidia drivers added to --private-dev + - modifs: /srv supported by --whitelist + - feature: allow user access to /sys/fs (--noblacklist=/sys/fs) + - feature: support starting/joining sandbox is a single command + (--join-or-start) + - feature: X11 detection support for --audit + - feature: assign a name to the interface connected to the bridge + (--veth-name) + - feature: all user home directories are visible (--allusers) + - feature: add files to sandbox container (--put) + - feature: blocking x11 (--x11=block) + - feature: X11 security extension (--x11=xorg) + - feature: disable 3D hardware acceleration (--no3d) + - feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands + - feature: move files in 
sandbox (--put) + - feature: accept wildcard patterns in user name field of restricted + shell login feature + - new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape + - new profiles: feh, ranger, zathura, 7z, keepass, keepassx, + - new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot + - new profiles: Flowblade, Eye of GNOME (eog), Evolution + - bugfixes + +* Thu Sep 8 2016 netblue30 0.9.42-1 + - security: --whitelist deleted files, submitted by Vasya Novikov + - security: disable x32 ABI in seccomp, submitted by Jann Horn + - security: tighten --chroot, submitted by Jann Horn + - security: terminal sandbox escape, submitted by Stephan Sokolow + - security: several TOCTOU fixes submitted by Aleksey Manevich + - modifs: bringing back --private-home option + - modifs: deprecated --user option, please use "sudo -u username firejail" + - modifs: allow symlinks in home directory for --whitelist option + - modifs: Firejail prompt is enabled by env variable FIREJAIL_PROMPT="yes" + - modifs: recursive mkdir + - modifs: include /dev/snd in --private-dev + - modifs: seccomp filter update + - modifs: release archives moved to .xz format + - feature: AppImage support (--appimage) + - feature: AppArmor support (--apparmor) + - feature: Ubuntu snap support (/etc/firejail/snap.profile) + - feature: Sandbox auditing support (--audit) + - feature: remove environment variable (--rmenv) + - feature: noexec support (--noexec) + - feature: clean local overlay storage directory (--overlay-clean) + - feature: store and reuse overlay (--overlay-named) + - feature: allow debugging inside the sandbox with gdb and strace + (--allow-debuggers) + - feature: mkfile profile command + - feature: quiet profile command + - feature: x11 profile command + - feature: option to fix desktop files (firecfg --fix) + - compile time: Busybox support (--enable-busybox-workaround) + - compile time: disable overlayfs (--disable-overlayfs) + - compile time: disable 
whitlisting (--disable-whitelist) + - compile time: disable global config (--disable-globalcfg) + - run time: enable/disable overlayfs (overlayfs yes/no) + - run time: enable/disable quiet as default (quiet-by-default yes/no) + - run time: user-defined network filter (netfilter-default) + - run time: enable/disable whitelisting (whitelist yes/no) + - run time: enable/disable remounting of /proc and /sys + (remount-proc-sys yes/no) + - run time: enable/disable chroot desktop features (chroot-desktop yes/no) + - profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice + - profiles: pix, audacity, xz, xzdec, gzip, cpio, less + - profiles: Atom Beta, Atom, jitsi, eom, uudeview + - profiles: tar (gtar), unzip, unrar, file, skypeforlinux, + - profiles: inox, Slack, gnome-chess. Gajim IM client, DOSBox + - bugfixes + +EOF + +echo "building rpm" +rpmbuild -ba SPECS/firejail.spec +rpm -qpl RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm +cd .. +rm -f firejail-$VERSION-1.x86_64.rpm +cp rpmbuild/RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm . + -- cgit v1.2.3-70-g09d2 From 4802d8b42393e1128279d43f5ba8dac918ffc1df Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 23 Oct 2016 08:20:22 -0400 Subject: starting 0.9.45 devel version --- README.md | 70 +----------------------------------------------------------- RELNOTES | 4 ++++ configure | 18 ++++++++-------- configure.ac | 2 +- 4 files changed, 15 insertions(+), 79 deletions(-) diff --git a/README.md b/README.md index ec95a4e9b..fe7c91f01 100644 --- a/README.md +++ b/README.md 
@@ -47,73 +47,5 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is ````` ````` -# Current development version: 0.9.43 - -## X11 development -````` - --x11=none - Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and the - file specified in ${XAUTHORITY} environment variable. Remove - DISPLAY and XAUTHORITY environment variables. Stop with error - message if X11 abstract socket will be accessible in jail. - - --x11=xorg - Sandbox the application using the untrusted mode implemented by - X11 security extension. The extension is available in Xorg - package and it is installed by default on most Linux distribu‐ - tions. It provides support for a simple trusted/untrusted con‐ - nection model. Untrusted clients are restricted in certain ways - to prevent them from reading window contents of other clients, - stealing input events, etc. - - The untrusted mode has several limitations. A lot of regular - programs assume they are a trusted X11 clients and will crash - or lock up when run in untrusted mode. Chromium browser and - xterm are two examples. Firefox and transmission-gtk seem to be - working fine. A network namespace is not required for this - option. - - Example: - $ firejail --x11=xorg firefox -````` - -## Other command line options -````` - --put=name|pid src-filename dest-filename - Put src-filename in sandbox container. The container is specified by name or PID. - - --allusers - All user home directories are visible inside the sandbox. By default, only current user home - directory is visible. - - Example: - $ firejail --allusers - - --join-or-start=name - Join the sandbox identified by name or start a new one. Same as "firejail --join=name" if - sandbox with specified name exists, otherwise same as "firejail --name=name ..." - Note that in contrary to other join options there is respective profile option. - - --no3d Disable 3D hardware acceleration. 
- - Example: - $ firejail --no3d firefox - - --veth-name=name - Use this name for the interface connected to the bridge for - --net=bridge_interface commands, instead of the default one. - - Example: - $ firejail --net=br0 --veth-name=if0 - -````` - -## New profile commands - -x11 xpra, x11 xephyr, x11 none, x11 xorg, allusers, join-or-start - -## New profiles - -qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape, feh, ranger, zathura, 7z, keepass, keepassx, -claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot, Flowblade, Eye of GNOME (eog), Evolution +# Current development version: 0.9.45 diff --git a/RELNOTES b/RELNOTES index 8617d2db7..6e1f502c7 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,3 +1,7 @@ +firejail (0.9.45) baseline; urgency=low + * development version, work in progress + -- netblue30 Sun, 23 Oct 2016 08:00:00 -0500 + firejail (0.9.44) baseline; urgency=low * CVE-2016-7545 submitted by Aleksey Manevich * modifs: removed man firejail-config diff --git a/configure b/configure index b92d9071c..a470dffba 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for firejail 0.9.44. +# Generated by GNU Autoconf 2.69 for firejail 0.9.45. # # Report bugs to . # @@ -580,8 +580,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='firejail' PACKAGE_TARNAME='firejail' -PACKAGE_VERSION='0.9.44' -PACKAGE_STRING='firejail 0.9.44' +PACKAGE_VERSION='0.9.45' +PACKAGE_STRING='firejail 0.9.45' PACKAGE_BUGREPORT='netblue30@yahoo.com' PACKAGE_URL='http://firejail.wordpress.com' 
@@ -1259,7 +1259,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures firejail 0.9.44 to adapt to many kinds of systems. +\`configure' configures firejail 0.9.45 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1320,7 +1320,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of firejail 0.9.44:";; + short | recursive ) echo "Configuration of firejail 0.9.45:";; esac cat <<\_ACEOF @@ -1424,7 +1424,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -firejail configure 0.9.44 +firejail configure 0.9.45 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1726,7 +1726,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by firejail $as_me 0.9.44, which was +It was created by firejail $as_me 0.9.45, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4303,7 +4303,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by firejail $as_me 0.9.44, which was +This file was extended by firejail $as_me 0.9.45, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -4357,7 +4357,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -firejail config.status 0.9.44 +firejail config.status 0.9.45 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" 
diff --git a/configure.ac b/configure.ac index da4b31591..95947a8e3 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ([2.68]) -AC_INIT(firejail, 0.9.44, netblue30@yahoo.com, , http://firejail.wordpress.com) +AC_INIT(firejail, 0.9.45, netblue30@yahoo.com, , http://firejail.wordpress.com) AC_CONFIG_SRCDIR([src/firejail/main.c]) #AC_CONFIG_HEADERS([config.h]) -- cgit v1.2.3-70-g09d2 From 4bcab4f4e6a53f2b7d402092983ee0d71d555259 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 23 Oct 2016 09:02:39 -0400 Subject: appimage type 2 support --- src/firejail/appimage.c | 29 ++++++++- src/firejail/appimage_size.c | 143 +++++++++++++++++++++++++++++++++++++++++++ src/firejail/firejail.h | 4 ++ 3 files changed, 173 insertions(+), 3 deletions(-) create mode 100644 src/firejail/appimage_size.c diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index 375d6be24..3f03c28bf 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c @@ -39,7 +39,7 @@ void appimage_set(const char *appimage_path) { assert(appimage_path); assert(devloop == NULL); // don't call this twice! EUID_ASSERT(); - + #ifdef LOOP_CTL_GET_FREE // test for older kernels; this definition is found in /usr/include/linux/loop.h // check appimage_path if (access(appimage_path, R_OK) == -1) { @@ -47,6 +47,12 @@ void appimage_set(const char *appimage_path) { exit(1); } + // get appimage type and ELF size + // a value of 0 means we are dealing with a type1 appimage + long unsigned int size = appimage2_size(appimage_path); + if (arg_debug) + printf("AppImage ELF size %lu\n", size); + // open as user to prevent race condition int ffd = open(appimage_path, O_RDONLY|O_CLOEXEC); if (ffd == -1) { 
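Review bot: `appimage2_size(appimage_path)` opens the file by name on its own, and the `open(appimage_path, O_RDONLY|O_CLOEXEC)` a few lines later (commented "open as user to prevent race condition") opens the same path a second time. If the path is replaced between the two opens, the type and ELF size are computed from a different file than the one attached to the loop device. Moving the call below the open and giving the helper the descriptor would tie both to one file, e.g. `size = appimage2_size_fd(ffd);` (placeholder name; the helper only needs `pread`). `size` later selects the loop offset and the filesystem type in `appimage_set`, whose body continues outside this hunk.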
@@ -76,6 +82,15 @@ void appimage_set(const char *appimage_path) { fprintf(stderr, "Error: cannot configure the loopback device\n"); exit(1); } + + if (size) { + struct loop_info64 info; + memset(&info, 0, sizeof(struct loop_info64)); + info.lo_offset = size; + if (ioctl(lfd, LOOP_SET_STATUS64, &info) == -1) + errExit("configure appimage offset"); + } + close(lfd); close(ffd); EUID_USER(); @@ -100,8 +115,16 @@ void appimage_set(const char *appimage_path) { if (asprintf(&mode, "mode=700,uid=%d,gid=%d", getuid(), getgid()) == -1) errExit("asprintf"); EUID_ROOT(); - if (mount(devloop, mntdir, "iso9660",MS_MGC_VAL|MS_RDONLY, mode) < 0) - errExit("mounting appimage"); + + if (size == 0) { + if (mount(devloop, mntdir, "iso9660",MS_MGC_VAL|MS_RDONLY, mode) < 0) + errExit("mounting appimage"); + } + else { + if (mount(devloop, mntdir, "squashfs",MS_MGC_VAL|MS_RDONLY, mode) < 0) + errExit("mounting appimage"); + } + if (arg_debug) printf("appimage mounted on %s\n", mntdir); EUID_USER(); diff --git a/src/firejail/appimage_size.c b/src/firejail/appimage_size.c new file mode 100644 index 000000000..c8b3d28c5 --- /dev/null +++ b/src/firejail/appimage_size.c 
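Review bot: Both `mount()` calls in the new `if (size == 0) … else …` pass only `MS_MGC_VAL|MS_RDONLY`, so set-uid bits and device nodes stored in the user-supplied image are not neutralised at mount time. Adding the flags would close that: `mount(devloop, mntdir, "squashfs", MS_MGC_VAL|MS_RDONLY|MS_NOSUID|MS_NODEV, mode)`, and the same for the iso9660 branch. The `mode` string (`mode=700,uid=%d,gid=%d`) predates the squashfs case; whether the squashfs driver honours those options is not visible here and should be confirmed, because if it does not, ownership and permissions come straight from the image. Since the branches differ only in the filesystem name, `const char *fstype = size ? "squashfs" : "iso9660";` with a single call would keep the flags in one place.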
@@ -0,0 +1,143 @@ +/* +Compile with: +gcc elfsize.c -o elfsize +Example: +ls -l 126584 +Calculation using the values also reported by readelf -h: +Start of section headers e_shoff 124728 +Size of section headers e_shentsize 64 +Number of section headers e_shnum 29 +e_shoff + ( e_shentsize * e_shnum ) = 126584 +*/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +typedef Elf32_Nhdr Elf_Nhdr; + +static Elf64_Ehdr ehdr; +static Elf64_Phdr *phdr; + +#if __BYTE_ORDER == __LITTLE_ENDIAN +#define ELFDATANATIVE ELFDATA2LSB +#elif __BYTE_ORDER == __BIG_ENDIAN +#define ELFDATANATIVE ELFDATA2MSB +#else +#error "Unknown machine endian" +#endif + +static uint16_t file16_to_cpu(uint16_t val) { + if (ehdr.e_ident[EI_DATA] != ELFDATANATIVE) + val = bswap_16(val); + return val; +} + + +static uint32_t file32_to_cpu(uint32_t val) { + if (ehdr.e_ident[EI_DATA] != ELFDATANATIVE) + val = bswap_32(val); + return val; +} + + +static uint64_t file64_to_cpu(uint64_t val) { + if (ehdr.e_ident[EI_DATA] != ELFDATANATIVE) + val = bswap_64(val); + return val; +} + + +// return 0 if error +static long unsigned int read_elf32(int fd) { + Elf32_Ehdr ehdr32; + ssize_t ret, i; + + ret = pread(fd, &ehdr32, sizeof(ehdr32), 0); + if (ret < 0 || (size_t)ret != sizeof(ehdr)) + return 0; + + ehdr.e_shoff = file32_to_cpu(ehdr32.e_shoff); + ehdr.e_shentsize = file16_to_cpu(ehdr32.e_shentsize); + ehdr.e_shnum = file16_to_cpu(ehdr32.e_shnum); + + return(ehdr.e_shoff + (ehdr.e_shentsize * ehdr.e_shnum)); +} + + +// return 0 if error +static long unsigned int read_elf64(int fd) { + Elf64_Ehdr ehdr64; + ssize_t ret, i; + + ret = pread(fd, &ehdr64, sizeof(ehdr64), 0); + if (ret < 0 || (size_t)ret != sizeof(ehdr)) + return 0; + + ehdr.e_shoff = file64_to_cpu(ehdr64.e_shoff); + ehdr.e_shentsize = file16_to_cpu(ehdr64.e_shentsize); + ehdr.e_shnum = file16_to_cpu(ehdr64.e_shnum); + + return(ehdr.e_shoff + (ehdr.e_shentsize * ehdr.e_shnum)); +} + + +// return 0 if error +// 
return 0 if this is not an appimgage2 file +long unsigned int appimage2_size(const char *fname) { +/* TODO, FIXME: This assumes that the section header table (SHT) is +the last part of the ELF. This is usually the case but +it could also be that the last section is the last part +of the ELF. This should be checked for. +*/ + ssize_t ret; + int fd; + long unsigned int size = 0; + + fd = open(fname, O_RDONLY); + if (fd < 0) + return 0; + + ret = pread(fd, ehdr.e_ident, EI_NIDENT, 0); + if (ret != EI_NIDENT) + goto getout; + + if ((ehdr.e_ident[EI_DATA] != ELFDATA2LSB) && + (ehdr.e_ident[EI_DATA] != ELFDATA2MSB)) + goto getout; + + if(ehdr.e_ident[EI_CLASS] == ELFCLASS32) { + size = read_elf32(fd); + } + else if(ehdr.e_ident[EI_CLASS] == ELFCLASS64) { + size = read_elf64(fd); + } + else { + goto getout; + } + if (size == 0) + goto getout; + + + // look for a LZMA header at this location + unsigned char buf[4]; + ret = pread(fd, buf, 4, size); + if (ret != 4) { + size = 0; + goto getout; + } + if (memcmp(buf, "hsqs", 4) != 0) + size = 0; + +getout: + close(fd); + return size; +} + + diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index dafa5919c..9a9bb1ae7 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -681,8 +681,12 @@ void appimage_set(const char *appimage_path); void appimage_clear(void); const char *appimage_getdir(void); +// appimage_size.c +long unsigned int appimage2_size(const char *fname); + // cmdline.c void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index); + #endif -- cgit v1.2.3-70-g09d2 From 2399e09e66e94ca473c13a10e45f50bd38594bbe Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 23 Oct 2016 10:59:06 -0400 Subject: appimage fixes --- src/firejail/appimage.c | 2 +- src/firejail/sandbox.c | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index 3f03c28bf..09b242964 100644 --- a/src/firejail/appimage.c 
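Review bot: In `read_elf32` the short-read check compares `ret` with `sizeof(ehdr)`, the file-scope `Elf64_Ehdr`, instead of `sizeof(ehdr32)`. The 32-bit header is smaller, so the test can never pass and the function always returns 0, meaning a 32-bit type-2 image is treated as type 1. Use `if (ret < 0 || (size_t)ret != sizeof(ehdr32))`, and `sizeof(ehdr64)` in `read_elf64`, where the current code only works because the two sizes coincide. The returned sum `ehdr.e_shoff + (ehdr.e_shentsize * ehdr.e_shnum)` multiplies two 16-bit fields read from the file as `int`, which can overflow; `(uint64_t)ehdr.e_shentsize * ehdr.e_shnum` avoids that, and the result should be bounded against the file size before it becomes a loop offset. The comment "look for a LZMA header" sits above a check for the `hsqs` magic and should say squashfs; `i`, `phdr` and `Elf_Nhdr` are unused.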
+++ b/src/firejail/appimage.c @@ -96,7 +96,7 @@ void appimage_set(const char *appimage_path) { EUID_USER(); // creates appimage mount point perms 0700 - if (asprintf(&mntdir, "%s/appimage-%u", RUN_FIREJAIL_APPIMAGE_DIR, getpid()) == -1) + if (asprintf(&mntdir, "%s/.appimage-%u", RUN_FIREJAIL_APPIMAGE_DIR, getpid()) == -1) errExit("asprintf"); EUID_ROOT(); if (mkdir(mntdir, 0700) == -1) { diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 8021ce9a3..f5cca7494 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -488,6 +488,13 @@ int sandbox(void* sandbox_arg) { #ifdef HAVE_SECCOMP int enforce_seccomp = 0; #endif + if (arg_appimage) { + enforce_filters(); +#ifdef HAVE_SECCOMP + enforce_seccomp = 1; +#endif + } + #ifdef HAVE_CHROOT if (cfg.chrootdir) { fs_chroot(cfg.chrootdir); -- cgit v1.2.3-70-g09d2 From 81c570e8e975c8ff3f62c45caffa4e5749296e9d Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sun, 23 Oct 2016 14:31:56 -0500 Subject: tightened Spotify profile --- README | 1 + etc/spotify.profile | 26 +++++++++++++++++++++----- 2 files changed, 22 insertions(+), 5 deletions(-) diff --git a/README b/README index 10b0ab61b..f4fd52666 100644 --- a/README +++ b/README @@ -77,6 +77,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added gnome-chess profile - added DOSBox profile - evince profile enhancement + - tightened Spotify profile valoq (https://github.com/valoq) - LibreOffice profile fixes - cherrytree profile fixes diff --git a/etc/spotify.profile b/etc/spotify.profile index 73d427db3..24e5c1023 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile 
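Review bot: The new `if (arg_appimage)` block in `sandbox()` carries no comment saying why an AppImage run calls `enforce_filters()` and sets `enforce_seccomp = 1`, apparently independent of the options the user passed. A line above the `if` such as `// appimage: image content is user-supplied and mounted by root, always enforce the default filters` would record the intent. What `enforce_filters()` actually enables is not visible in this hunk, so the wording should be checked against its definition. `sandbox()` starts and ends outside the hunk.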
@@ -7,16 +7,13 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc -# Whitelist the folders needed by Spotify - This is more restrictive -# than a blacklist though, but this is all spotify requires for -# streaming audio +# Whitelist the folders needed by Spotify mkdir ${HOME}/.config/spotify whitelist ${HOME}/.config/spotify mkdir ${HOME}/.local/share/spotify whitelist ${HOME}/.local/share/spotify mkdir ${HOME}/.cache/spotify whitelist ${HOME}/.cache/spotify -include /etc/firejail/whitelist-common.inc caps.drop all netfilter @@ -27,5 +24,24 @@ protocol unix,inet,inet6,netlink seccomp shell none -#private-bin spotify +private-bin spotify +private-etc fonts,machine-id,pulse,resolv.conf private-dev +private-tmp + +blacklist ${HOME}/.Xauthority +blacklist ${HOME}/.bashrc +blacklist /boot +blacklist /lost+found +blacklist /media +blacklist /mnt +blacklist /opt +blacklist /root +blacklist /sbin +blacklist /srv +blacklist /sys +blacklist /var +blacklist /initrd.img +blacklist /initrd.img.old +blacklist /vmlinuz +blacklist /vmlinuz.old -- cgit v1.2.3-70-g09d2 From 3b8453d5301608386d9a933c0862e5e049c4879e Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Mon, 24 Oct 2016 15:21:41 -0500 Subject: blacklisted kernel files --- etc/disable-common.inc | 4 ++++ etc/spotify.profile | 4 ---- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 4f854c8d8..29de8cca9 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -172,3 +172,7 @@ blacklist ${PATH}/roxterm-config blacklist ${PATH}/terminix blacklist ${PATH}/urxvtc blacklist ${PATH}/urxvtcd + +# kernel files +blacklist /vmlinuz* +blacklist /initrd* diff --git a/etc/spotify.profile b/etc/spotify.profile index 24e5c1023..6dbcc03ee 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile 
@@ -41,7 +41,3 @@ blacklist /sbin
 blacklist /srv
 blacklist /sys
 blacklist /var
-blacklist /initrd.img
-blacklist /initrd.img.old
-blacklist /vmlinuz
-blacklist /vmlinuz.old
-- cgit v1.2.3-70-g09d2
From 88972056f4eb7919f41ca9412853725e80967240 Mon Sep 17 00:00:00 2001
From: Fred-Barclay Date: Sun, 23 Oct 2016 23:23:09 -0500 Subject: squash attempt 2 --- etc/atom-beta.profile | 2 +- etc/atom.profile | 2 +- etc/atril.profile | 2 +- etc/audacity.profile | 2 +- etc/aweather.profile | 2 +- etc/cherrytree.profile | 3 +-- etc/eog.profile | 3 +-- etc/evolution.profile | 2 +- etc/feh.profile | 6 +++--- etc/file.profile | 17 +++++++++-------- etc/filezilla.profile | 5 ++--- etc/flowblade.profile | 2 +- etc/franz.profile | 6 +++--- etc/gajim.profile | 2 +- etc/gimp.profile | 10 ++++++---- etc/git.profile | 4 ++-- etc/gpredict.profile | 2 +- etc/gwenview.profile | 5 +++-- etc/gzip.profile | 14 ++++++++------ etc/inkscape.profile | 10 ++++++---- etc/jitsi.profile | 2 +- etc/kmail.profile | 2 +- etc/less.profile | 6 ++++-- etc/luminance-hdr.profile | 14 ++++++++------ etc/okular.profile | 5 +++-- etc/pidgin.profile | 2 +- etc/pix.profile | 3 +-- etc/psi-plus.profile | 4 ++-- etc/qbittorrent.profile | 4 ++-- etc/qpdfview.profile | 2 +- etc/qtox.profile | 2 +- etc/quiterss.profile | 9 +++++---- etc/ranger.profile | 3 +-- etc/rhythmbox.profile | 2 +- etc/rtorrent.profile | 1 - etc/server.profile | 11 ++++++----- etc/slack.profile | 29 +++++++++++++++-------------- etc/strings.profile | 9 +++++---- etc/synfigstudio.profile | 6 ++++-- etc/tar.profile | 14 +++++++------- etc/telegram.profile | 1 - etc/transmission-gtk.profile | 2 +- etc/transmission-qt.profile | 5 +++-- etc/uget-gtk.profile | 13 ++++++------- etc/unrar.profile | 15 ++++++++------- etc/unzip.profile | 16 ++++++++-------- etc/uudeview.profile | 14 +++++++------- etc/vim.profile | 3 +-- etc/xpdf.profile | 9 +++------ etc/xplayer.profile | 2 +- etc/xzdec.profile | 14 ++++++++------ etc/zathura.profile | 6 +++--- 52 files changed, 171 insertions(+), 160 deletions(-) diff --git a/etc/atom-beta.profile b/etc/atom-beta.profile index 9a8d93875..fa0b316bb 100644 --- a/etc/atom-beta.profile +++ b/etc/atom-beta.profile 
@@ -8,8 +8,8 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot nosound protocol unix,inet,inet6,netlink diff --git a/etc/atom.profile b/etc/atom.profile index 3cb86847e..61930d5c1 100644 --- a/etc/atom.profile +++ b/etc/atom.profile @@ -8,8 +8,8 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot nosound protocol unix,inet,inet6,netlink diff --git a/etc/atril.profile b/etc/atril.profile index d9e10b072..fbcca0c1b 100644 --- a/etc/atril.profile +++ b/etc/atril.profile @@ -7,8 +7,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -nonewprivs nogroups +nonewprivs noroot nosound protocol unix diff --git a/etc/audacity.profile b/etc/audacity.profile index be3fac9be..827fa4301 100644 --- a/etc/audacity.profile +++ b/etc/audacity.profile @@ -8,8 +8,8 @@ include /etc/firejail/disable-programs.inc caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot protocol unix seccomp diff --git a/etc/aweather.profile b/etc/aweather.profile index 4e5c36f50..fa8654f1e 100644 --- a/etc/aweather.profile +++ b/etc/aweather.profile @@ -11,8 +11,8 @@ whitelist ~/.config/aweather caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot nosound protocol unix,inet,inet6 diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index ec6d0d69d..139dec8ec 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile @@ -9,11 +9,10 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter +nogroups nonewprivs noroot nosound seccomp protocol unix,inet,inet6,netlink tracelog - - diff --git a/etc/eog.profile b/etc/eog.profile index 32b54a042..7eb7fd127 100644 --- a/etc/eog.profile +++ b/etc/eog.profile @@ -9,9 +9,9 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter +nogroups nonewprivs noroot -nogroups protocol unix seccomp shell none 
@@ -20,4 +20,3 @@ private-bin eog private-dev private-etc fonts private-tmp - diff --git a/etc/evolution.profile b/etc/evolution.profile index cf581643d..d097c0f34 100644 --- a/etc/evolution.profile +++ b/etc/evolution.profile @@ -14,9 +14,9 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter +nogroups nonewprivs noroot -nogroups protocol unix,inet,inet6 seccomp shell none diff --git a/etc/feh.profile b/etc/feh.profile index 5fcb6bf25..e3b1ec528 100644 --- a/etc/feh.profile +++ b/etc/feh.profile @@ -5,14 +5,14 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix netfilter net none +nogroups nonewprivs noroot -nogroups nosound +protocol unix +seccomp shell none private-bin feh diff --git a/etc/file.profile b/etc/file.profile index 2e54030b1..199a97fad 100644 --- a/etc/file.profile +++ b/etc/file.profile @@ -1,16 +1,17 @@ # file profile -quiet ignore noroot include /etc/firejail/default.profile -tracelog +blacklist /tmp/.X11-unix + +hostname file net none +no3d +nosound +quiet shell none +tracelog + +private-dev private-bin file private-etc magic.mgc,magic,localtime -hostname file -private-dev -nosound -no3d -blacklist /tmp/.X11-unix - diff --git a/etc/filezilla.profile b/etc/filezilla.profile index 551c17a78..fe1d9d20d 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile @@ -13,10 +13,9 @@ noroot nosound protocol unix,inet,inet6 seccomp - shell none + private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp -whitelist /tmp/.X11-unix private-dev -nosound +whitelist /tmp/.X11-unix diff --git a/etc/flowblade.profile b/etc/flowblade.profile index e1ec291bd..12afdb0aa 100644 --- a/etc/flowblade.profile +++ b/etc/flowblade.profile @@ -1,4 +1,4 @@ -# OpenShot profile +# FlowBlade profile noblacklist ${HOME}/.flowblade noblacklist ${HOME}/.config/flowblade include /etc/firejail/disable-common.inc 
diff --git a/etc/franz.profile b/etc/franz.profile index 3cb7942ab..0b3be551b 100644 --- a/etc/franz.profile +++ b/etc/franz.profile @@ -6,12 +6,12 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter -#tracelog nonewprivs noroot +protocol unix,inet,inet6,netlink +seccomp +#tracelog whitelist ${DOWNLOADS} mkdir ~/.config/Franz diff --git a/etc/gajim.profile b/etc/gajim.profile index 04902a734..809378ef9 100644 --- a/etc/gajim.profile +++ b/etc/gajim.profile @@ -22,8 +22,8 @@ include /etc/firejail/disable-devel.inc caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot protocol unix,inet,inet6 seccomp diff --git a/etc/gimp.profile b/etc/gimp.profile index 23361b771..cb441fc9d 100644 --- a/etc/gimp.profile +++ b/etc/gimp.profile @@ -6,13 +6,15 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter +nogroups nonewprivs noroot +nosound protocol unix seccomp -private-dev -private-tmp + noexec ${HOME} noexec /tmp -nogroups -nosound + +private-dev +private-tmp diff --git a/etc/git.profile b/etc/git.profile index 2fb55377d..73122d347 100644 --- a/etc/git.profile +++ b/etc/git.profile @@ -12,15 +12,15 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc -quiet caps.drop all netfilter +nogroups nonewprivs noroot -nogroups nosound protocol unix,inet,inet6 +quiet seccomp shell none diff --git a/etc/gpredict.profile b/etc/gpredict.profile index 353ecceae..0cc6c416b 100644 --- a/etc/gpredict.profile +++ b/etc/gpredict.profile @@ -11,8 +11,8 @@ whitelist ~/.config/Gpredict caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot nosound protocol unix,inet,inet6 diff --git a/etc/gwenview.profile b/etc/gwenview.profile index 67f10c4e1..c866c9e63 100644 --- a/etc/gwenview.profile +++ b/etc/gwenview.profile 
@@ -7,14 +7,15 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +nogroups nonewprivs noroot -nogroups -private-dev protocol unix seccomp nosound +private-dev + #Experimental: #shell none #private-bin gwenview diff --git a/etc/gzip.profile b/etc/gzip.profile index 5e73969c4..d51b9a951 100644 --- a/etc/gzip.profile +++ b/etc/gzip.profile @@ -1,12 +1,14 @@ # gzip profile -quiet ignore noroot include /etc/firejail/default.profile -tracelog -net none -shell none + blacklist /tmp/.X11-unix -private-dev -nosound + +net none no3d +nosound +quiet +shell none +tracelog +private-dev diff --git a/etc/inkscape.profile b/etc/inkscape.profile index cf885fba2..a0e86b6c9 100644 --- a/etc/inkscape.profile +++ b/etc/inkscape.profile @@ -6,13 +6,15 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter +nogroups nonewprivs noroot +nosound protocol unix seccomp -private-dev -private-tmp + noexec ${HOME} noexec /tmp -nogroups -nosound + +private-dev +private-tmp diff --git a/etc/jitsi.profile b/etc/jitsi.profile index c61158f8b..046499abe 100644 --- a/etc/jitsi.profile +++ b/etc/jitsi.profile @@ -6,8 +6,8 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc caps.drop all -nonewprivs nogroups +nonewprivs noroot protocol unix,inet,inet6 seccomp diff --git a/etc/kmail.profile b/etc/kmail.profile index 8c8fd18c4..bc21ba604 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile @@ -8,8 +8,8 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot protocol unix,inet,inet6,netlink seccomp diff --git a/etc/less.profile b/etc/less.profile index 6dfae027e..08758aead 100644 --- a/etc/less.profile +++ b/etc/less.profile @@ -2,8 +2,10 @@ quiet ignore noroot include /etc/firejail/default.profile -tracelog + net none +nosound shell none +tracelog + private-dev -nosound 
diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile index 6e059ea52..76e864e0c 100644 --- a/etc/luminance-hdr.profile +++ b/etc/luminance-hdr.profile @@ -5,17 +5,19 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +ipc-namespace netfilter -protocol unix +nogroups nonewprivs noroot +nosound +protocol unix seccomp shell none tracelog -private-tmp -private-dev + noexec ${HOME} noexec /tmp -nogroups -nosound -ipc-namespace + +private-tmp +private-dev diff --git a/etc/okular.profile b/etc/okular.profile index df142ccfc..b43a5fbea 100644 --- a/etc/okular.profile +++ b/etc/okular.profile @@ -9,14 +9,15 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -nonewprivs nogroups +nonewprivs noroot -private-dev protocol unix seccomp nosound +private-dev + #Experimental: #net none #shell none diff --git a/etc/pidgin.profile b/etc/pidgin.profile index 47be2b6ea..850706145 100644 --- a/etc/pidgin.profile +++ b/etc/pidgin.profile @@ -8,8 +8,8 @@ include /etc/firejail/disable-programs.inc caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot protocol unix,inet,inet6 seccomp diff --git a/etc/pix.profile b/etc/pix.profile index 80c05fd09..e21ddadc6 100644 --- a/etc/pix.profile +++ b/etc/pix.profile @@ -8,8 +8,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -nonewprivs nogroups +nonewprivs noroot nosound protocol unix @@ -20,4 +20,3 @@ tracelog private-bin pix whitelist /tmp/.X11-unix private-dev - diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile index 22c5bafc5..a9323448b 100644 --- a/etc/psi-plus.profile +++ b/etc/psi-plus.profile @@ -14,10 +14,10 @@ whitelist ~/.local/share/psi+ mkdir ~/.cache/psi+ whitelist ~/.cache/psi+ -include /etc/firejail/whitelist-common.inc - caps.drop all netfilter noroot protocol unix,inet,inet6 seccomp + +include /etc/firejail/whitelist-common.inc 
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index 138b6db55..67829c9ca 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile @@ -15,6 +15,6 @@ seccomp # there are some problems with "Open destination folder", see bug #536 #shell none #private-bin qbittorrent -whitelist /tmp/.X11-unix private-dev -nosound + +whitelist /tmp/.X11-unix diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile index 07ea173e6..06c0db206 100644 --- a/etc/qpdfview.profile +++ b/etc/qpdfview.profile @@ -18,5 +18,5 @@ shell none tracelog private-bin qpdfview -private-tmp private-dev +private-tmp diff --git a/etc/qtox.profile b/etc/qtox.profile index 927487037..81d8aa10e 100644 --- a/etc/qtox.profile +++ b/etc/qtox.profile @@ -11,8 +11,8 @@ whitelist ${DOWNLOADS} caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot protocol unix,inet,inet6 seccomp diff --git a/etc/quiterss.profile b/etc/quiterss.profile index 2ab5d8a8e..2b28fce73 100644 --- a/etc/quiterss.profile +++ b/etc/quiterss.profile @@ -14,16 +14,17 @@ whitelist ${HOME}/.cache/QuiteRss caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot -private-bin quiterss -private-dev nosound -#private-etc X11,ssl protocol unix,inet,inet6 seccomp shell none tracelog +private-bin quiterss +private-dev +#private-etc X11,ssl + include /etc/firejail/whitelist-common.inc diff --git a/etc/ranger.profile b/etc/ranger.profile index a040cd6bc..323e64dee 100644 --- a/etc/ranger.profile +++ b/etc/ranger.profile @@ -12,13 +12,12 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter net none +nogroups nonewprivs noroot -nogroups protocol unix seccomp nosound private-tmp private-dev - diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index 0e8527ae7..e5e192486 100644 --- a/etc/rhythmbox.profile +++ b/etc/rhythmbox.profile 
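Review bot: The qbittorrent.profile hunk deletes `nosound`, and no other `nosound` line is visible in its context. Unless the directive also appears above line 15 of the profile, this commit stops disabling sound for that sandbox; the same applies to the `-nosound` in the rtorrent.profile hunk. In filezilla.profile the removed line is a visible duplicate, which is presumably the intent here as well. If the directive is dropped on purpose, a profile comment such as `# sound left enabled: <reason>` would make that explicit; otherwise keep `nosound` with the other options.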
@@ -5,8 +5,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -nogroups netfilter +nogroups nonewprivs noroot protocol unix,inet,inet6 diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index 15df2c374..1226a51cd 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile @@ -16,4 +16,3 @@ shell none private-bin rtorrent whitelist /tmp/.X11-unix private-dev -nosound diff --git a/etc/server.profile b/etc/server.profile index 22cef0a3c..b8a34feb2 100644 --- a/etc/server.profile +++ b/etc/server.profile @@ -6,11 +6,12 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc -private -private-dev -nosound -no3d -private-tmp blacklist /tmp/.X11-unix + +no3d +nosound seccomp +private +private-dev +private-tmp diff --git a/etc/slack.profile b/etc/slack.profile index 1009f7ee0..a85a28f03 100644 --- a/etc/slack.profile +++ b/etc/slack.profile @@ -1,3 +1,4 @@ +# Firejail profile for Slack noblacklist ${HOME}/.config/Slack noblacklist ${HOME}/Downloads @@ -6,25 +7,25 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc -mkdir ${HOME}/.config -mkdir ${HOME}/.config/Slack -whitelist ${HOME}/.config/Slack -whitelist ${HOME}/Downloads - -protocol unix,inet,inet6,netlink -private-dev -private-tmp -private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime -name slack blacklist /var -include /etc/firejail/whitelist-common.inc - caps.drop all -seccomp +name slack netfilter -nonewprivs nogroups +nonewprivs noroot +protocol unix,inet,inet6,netlink +seccomp shell none + private-bin slack +private-dev +private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime +private-tmp + +mkdir ${HOME}/.config +mkdir ${HOME}/.config/Slack +whitelist ${HOME}/.config/Slack +whitelist ${HOME}/Downloads +include /etc/firejail/whitelist-common.inc 
diff --git a/etc/strings.profile b/etc/strings.profile index f99a65009..7c464bf88 100644 --- a/etc/strings.profile +++ b/etc/strings.profile @@ -1,10 +1,11 @@ # strings profile -quiet ignore noroot include /etc/firejail/default.profile -tracelog + net none -shell none -private-dev nosound +quiet +shell none +tracelog +private-dev diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile index d46467b99..69b2a0db2 100644 --- a/etc/synfigstudio.profile +++ b/etc/synfigstudio.profile @@ -11,7 +11,9 @@ nonewprivs noroot protocol unix seccomp -private-dev -private-tmp + noexec ${HOME} noexec /tmp + +private-dev +private-tmp diff --git a/etc/tar.profile b/etc/tar.profile index 663ac3805..91fdaf48d 100644 --- a/etc/tar.profile +++ b/etc/tar.profile @@ -1,18 +1,18 @@ # tar profile -quiet ignore noroot include /etc/firejail/default.profile -tracelog +blacklist /tmp/.X11-unix + +hostname tar net none +no3d +nosound +quiet shell none +tracelog # support compressed archives private-bin sh,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop private-dev -nosound -no3d private-etc passwd,group,localtime -hostname tar -blacklist /tmp/.X11-unix - diff --git a/etc/telegram.profile b/etc/telegram.profile index 8e91e426b..7615c8eef 100644 --- a/etc/telegram.profile +++ b/etc/telegram.profile @@ -10,4 +10,3 @@ nonewprivs noroot protocol unix,inet,inet6 seccomp - diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index 0cfa4fcfc..316cdfec6 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile @@ -18,6 +18,6 @@ shell none tracelog private-bin transmission-gtk -whitelist /tmp/.X11-unix private-dev +whitelist /tmp/.X11-unix diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index 754211a63..51c58e224 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile 
@@ -14,9 +14,10 @@ noroot nosound protocol unix,inet,inet6 seccomp +shell none tracelog -shell none private-bin transmission-qt -whitelist /tmp/.X11-unix private-dev + +whitelist /tmp/.X11-unix diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile index 522b4bd1e..f42e6c69a 100644 --- a/etc/uget-gtk.profile +++ b/etc/uget-gtk.profile @@ -9,17 +9,16 @@ caps.drop all netfilter nonewprivs noroot +nosound protocol unix,inet,inet6 seccomp +shell none +private-bin uget-gtk +private-dev + +whitelist /tmp/.X11-unix whitelist ${DOWNLOADS} mkdir ~/.config/uGet whitelist ~/.config/uGet include /etc/firejail/whitelist-common.inc - -shell none -private-bin uget-gtk -whitelist /tmp/.X11-unix -private-dev -nosound - diff --git a/etc/unrar.profile b/etc/unrar.profile index f29d1b51b..0700cafe9 100644 --- a/etc/unrar.profile +++ b/etc/unrar.profile @@ -1,17 +1,18 @@ # unrar profile -quiet ignore noroot include /etc/firejail/default.profile -tracelog +blacklist /tmp/.X11-unix + +hostname unrar net none +no3d +nosound +quiet shell none +tracelog + private-bin unrar private-dev -nosound -no3d private-etc passwd,group,localtime -hostname unrar private-tmp -blacklist /tmp/.X11-unix - diff --git a/etc/unzip.profile b/etc/unzip.profile index 07224855f..a43785795 100644 --- a/etc/unzip.profile +++ b/etc/unzip.profile @@ -1,16 +1,16 @@ # unzip profile -quiet ignore noroot include /etc/firejail/default.profile +blacklist /tmp/.X11-unix -tracelog +hostname unzip net none +no3d +nosound +quiet shell none +tracelog + private-bin unzip -private-etc passwd,group,localtime -hostname unzip private-dev -nosound -no3d -blacklist /tmp/.X11-unix - +private-etc passwd,group,localtime diff --git a/etc/uudeview.profile b/etc/uudeview.profile index 8ea9d5163..5ba0896ab 100644 --- a/etc/uudeview.profile +++ b/etc/uudeview.profile 
@@ -1,15 +1,15 @@ # uudeview profile -quiet ignore noroot include /etc/firejail/default.profile -tracelog +blacklist /etc + +hostname uudeview net none +nosound +quiet shell none +tracelog + private-bin uudeview private-dev -private-etc nonexisting_fakefile_for_empty_etc -hostname uudeview -nosound -uudeview - diff --git a/etc/vim.profile b/etc/vim.profile index 3c1fefe41..b161fcbb0 100644 --- a/etc/vim.profile +++ b/etc/vim.profile @@ -1,5 +1,4 @@ # vim profile - noblacklist ~/.vim noblacklist ~/.vimrc noblacklist ~/.viminfo @@ -10,8 +9,8 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter +nogroups nonewprivs noroot -nogroups protocol unix,inet,inet6 seccomp diff --git a/etc/xpdf.profile b/etc/xpdf.profile index e036fba21..7ea368bbe 100644 --- a/etc/xpdf.profile +++ b/etc/xpdf.profile @@ -7,15 +7,12 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -shell none +net none nonewprivs noroot protocol unix +shell none seccomp + private-dev private-tmp -net none - - - - diff --git a/etc/xplayer.profile b/etc/xplayer.profile index 54d5ed89b..191d2f67f 100644 --- a/etc/xplayer.profile +++ b/etc/xplayer.profile @@ -9,8 +9,8 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot protocol unix,inet,inet6 seccomp diff --git a/etc/xzdec.profile b/etc/xzdec.profile index a9d027c38..04f98cef6 100644 --- a/etc/xzdec.profile +++ b/etc/xzdec.profile @@ -1,12 +1,14 @@ # xzdec profile -quiet ignore noroot include /etc/firejail/default.profile -tracelog -net none -shell none + blacklist /tmp/.X11-unix -private-dev -nosound + +net none no3d +nosound +quiet +shell none +tracelog +private-dev diff --git a/etc/zathura.profile b/etc/zathura.profile index 7093c52b2..ab2e99dbc 100644 --- a/etc/zathura.profile +++ b/etc/zathura.profile 
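Review bot: In the uudeview hunk, `private-etc nonexisting_fakefile_for_empty_etc` is replaced by `blacklist /etc`, which is a behaviour change inside what is otherwise a reordering of directives, and nothing in the profile says why. The sibling archive profiles in this series (tar, unrar, unzip) keep a `private-etc passwd,group,localtime` line, so uudeview now treats /etc differently from them. If the blacklist is intended, a comment such as `# uudeview needs nothing from /etc` above the line would record that; otherwise a `private-etc` entry would stay consistent with the other profiles.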
@@ -7,14 +7,14 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix netfilter +nogroups nonewprivs noroot -nogroups nosound shell none +seccomp +protocol unix private-bin zathura private-dev -- cgit v1.2.3-70-g09d2 From b588020b4540480fdd3aaa11da8bd472b2dfdb60 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 25 Oct 2016 12:26:17 -0400 Subject: fixes --- README | 2 ++ etc/disable-common.inc | 27 ++++++++++++++++++++++----- 2 files changed, 24 insertions(+), 5 deletions(-) diff --git a/README b/README index f4fd52666..6ed82907f 100644 --- a/README +++ b/README @@ -47,6 +47,7 @@ Aleksey Manevich (https://github.com/manevich) - added --join-or-start command - CVE-2016-7545 Fred-Barclay (https://github.com/Fred-Barclay) + - lots of profile fixes - added Vivaldi, Atril profiles - added PaleMoon profile - split Icedove and Thunderbird profiles @@ -83,6 +84,7 @@ valoq (https://github.com/valoq) - cherrytree profile fixes - added support for /srv in --whitelist feature - Eye of GNOME and Evolution profiles + - blacklist suid binaries in disable-common.inc Rafael Cavalcanti (https://github.com/rccavalcanti) - chromium profile fixes for Arch Linux Deelvesh Bunjun (https://github.com/DeelveshBunjun) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 29de8cca9..3c0b2160c 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -137,6 +137,11 @@ blacklist /etc/gshadow+ blacklist /etc/ssh blacklist /var/backup +# system directories +blacklist /sbin +blacklist /usr/sbin +blacklist /usr/local/sbin + # system management blacklist ${PATH}/umount blacklist ${PATH}/mount 
@@ -149,11 +154,23 @@ blacklist ${PATH}/xev blacklist ${PATH}/strace blacklist ${PATH}/nc blacklist ${PATH}/ncat - -# system directories -blacklist /sbin -blacklist /usr/sbin -blacklist /usr/local/sbin +blacklist ${PATH}/gpasswd +blacklist ${PATH}/newgidmap +blacklist ${PATH}/newgrp +blacklist ${PATH}/newuidmap +blacklist ${PATH}/pkexec +blacklist ${PATH}/sg +blacklist ${PATH}/rsh +blacklist ${PATH}/rlogin +blacklist ${PATH}/rcp +blacklist ${PATH}/crontab +blacklist ${PATH}/ksu +blacklist ${PATH}/chsh +blacklist ${PATH}/chfn +blacklist ${PATH}/chage +blacklist ${PATH}/expiry +blacklist ${PATH}/ping +blacklist ${PATH}/unix_chkpwd # prevent lxterminal connecting to an existing lxterminal session blacklist /tmp/.lxterminal-socket* -- cgit v1.2.3-70-g09d2 From 7e20af49b10d716154b21d5b19abf3a312a31c7e Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Tue, 25 Oct 2016 12:23:23 -0500 Subject: Added gpredict, TBB, and xiphos --- etc/gpredict.profile | 8 ++++---- etc/start-tor-browser.profile | 20 ++++++++++++++++++++ etc/xiphos.profile | 30 ++++++++++++++++++++++++++++++ 3 files changed, 54 insertions(+), 4 deletions(-) create mode 100644 etc/start-tor-browser.profile create mode 100644 etc/xiphos.profile diff --git a/etc/gpredict.profile b/etc/gpredict.profile index 0cc6c416b..f62bf11aa 100644 --- a/etc/gpredict.profile +++ b/etc/gpredict.profile @@ -6,20 +6,20 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc # Whitelist -mkdir ~/.config/Gpredict whitelist ~/.config/Gpredict caps.drop all netfilter -nogroups nonewprivs +nogroups noroot nosound protocol unix,inet,inet6 seccomp -shell none +#shell none tracelog -private-bin gpredict +#private-bin gpredict +private-etc fonts,resolv.conf private-dev private-tmp diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile new file mode 100644 index 000000000..ee19cee25 --- /dev/null +++ b/etc/start-tor-browser.profile 
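Review bot: The seventeen added `blacklist ${PATH}/…` entries land under the existing `# system management` comment, so a reader cannot tell that they form a separate group or why they are listed. The README change in this commit describes them as suid binaries; a heading such as `# setuid binaries` above `blacklist ${PATH}/gpasswd` would record that. A by-name list only covers the helpers someone thought of, so the same comment should state that profiles still rely on `nonewprivs` and `noroot` for anything not listed. `ping` is the one entry likely to be wanted inside a sandbox and may need a note of its own.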
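Review bot: In the gpredict hunk, `mkdir ~/.config/Gpredict` is removed while `whitelist ~/.config/Gpredict` stays, so on a first run the directory may not exist when the whitelist is applied and settings would presumably not persist; keeping the `mkdir` line avoids that. `#shell none` and `#private-bin gpredict` are disabled by commenting them out, which loosens the profile without explanation; if that is deliberate a comment should give the reason, otherwise both lines should stay active. The swap of `nogroups` and `nonewprivs` also breaks the alphabetical order the other profiles in this series were just sorted into.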
@@ -0,0 +1,20 @@ +# Firejail profile for the Tor Brower Bundle +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +private-bin bash,grep,sed,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf +private-etc fonts +private-dev +private-tmp diff --git a/etc/xiphos.profile b/etc/xiphos.profile new file mode 100644 index 000000000..b7fb6ecf3 --- /dev/null +++ b/etc/xiphos.profile @@ -0,0 +1,30 @@ +# Firejail profile for xiphos +noblacklist ~/.sword +noblacklist ~/.xiphos + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +blacklist ~/.bashrc +blacklist ~/.Xauthority + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +nosound +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +private-bin xiphos +private-etc fonts,resolv.conf,sword +private-dev +private-tmp + +whitelist ${HOME}/.sword +whitelist ${HOME}/.xiphos -- cgit v1.2.3-70-g09d2 From 388e2b9e4c36e65098e7c3ba43dbf1c0e7f4671f Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Tue, 25 Oct 2016 12:33:15 -0500 Subject: Extra profile files --- README | 3 ++- README.md | 5 +++++ RELNOTES | 1 + etc/disable-programs.inc | 2 ++ platform/debian/conffiles | 2 ++ src/firecfg/firecfg.config | 2 ++ 6 files changed, 14 insertions(+), 1 deletion(-) diff --git a/README b/README index 6ed82907f..cbd15f02a 100644 --- a/README +++ b/README 
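Review bot: In start-tor-browser.profile the header comment reads `Tor Brower Bundle` and the `private-bin` list names `sed` twice; the comment should be `# Firejail profile for the Tor Browser Bundle` and the list should carry a single `sed`. The `private-bin` list is also the widest in this series (`bash`, `gpg`, `cp`, `rm`, `ln` and others), so a one-line comment saying these are the tools the start script calls would help a later reader trim it safely.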
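Review bot: In xiphos.profile, `whitelist ${HOME}/.sword` and `whitelist ${HOME}/.xiphos` have no matching `mkdir` lines, so on a first run, before the directories exist, data written there would presumably not persist. The slack and uget-gtk profiles earlier on this page pair each whitelisted config directory with a `mkdir` and also `include /etc/firejail/whitelist-common.inc`; adding `mkdir ${HOME}/.sword` and `mkdir ${HOME}/.xiphos` ahead of the whitelist lines would match them. The file also mixes `~/` (noblacklist, blacklist) with `${HOME}/` (whitelist) for the same home directory, and one spelling throughout would read better.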
@@ -70,7 +70,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added audacity profile - fixed Telegram and qtox profiles - added Atom Beta and Atom profiles - - tightened 0ad, atril, evince, gthumb, pix, qtox, and xreader profiles. + - tightened 0ad, atril, evince, gthumb, pix, qtox, and xreader profiles - several private-bin conversions - added jitsi profile - pidgin private-bin conversion @@ -79,6 +79,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added DOSBox profile - evince profile enhancement - tightened Spotify profile + - added xiphos and Tor Browser Bundle profiles valoq (https://github.com/valoq) - LibreOffice profile fixes - cherrytree profile fixes diff --git a/README.md b/README.md index fe7c91f01..ff1b2e8ba 100644 --- a/README.md +++ b/README.md @@ -48,4 +48,9 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is ````` # Current development version: 0.9.45 +````` + +````` +## New Profiles +xiphos, Tor Browser Bundle diff --git a/RELNOTES b/RELNOTES index 6e1f502c7..c0fb8b20b 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,6 +1,7 @@ firejail (0.9.45) baseline; urgency=low * development version, work in progress -- netblue30 Sun, 23 Oct 2016 08:00:00 -0500 + * new profiles: xiphos, Tor Browser Bundle firejail (0.9.44) baseline; urgency=low * CVE-2016-7545 submitted by Aleksey Manevich diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index edd4ee374..6e22fe04d 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -7,6 +7,8 @@ blacklist ${HOME}/.wine blacklist ${HOME}/.Mathematica blacklist ${HOME}/.Wolfram Research blacklist ${HOME}/.stellarium +blacklist ${HOME}/.sword +blacklist ${HOME}/.xiphos blacklist ${HOME}/.config/Atom blacklist ${HOME}/.config/gthumb blacklist ${HOME}/.config/mupen64plus diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 6d444b90d..0c2e85904 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles 
@@ -166,3 +166,5 @@ /etc/firejail/flowblade.profile /etc/firejail/eog.profile /etc/firejail/evolution.profile +/etc/firejail/start-tor-browser.profile +/etc/firejail/xiphos.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 2d2c7b20e..e3e333497 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -42,6 +42,7 @@ opera-beta opera palemoon qutebrowser +start-tor-browser seamonkey seamonkey-bin thunderbird @@ -150,6 +151,7 @@ atom ranger keepass keepassx +xiphos # weather/climate aweather -- cgit v1.2.3-70-g09d2 From f7cbeea6b3e3dcdfe2a2b9f92d459913c5fc69a2 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Tue, 25 Oct 2016 14:14:06 -0500 Subject: Fixed testing typo --- etc/gpredict.profile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/etc/gpredict.profile b/etc/gpredict.profile index f62bf11aa..8dcfee2c4 100644 --- a/etc/gpredict.profile +++ b/etc/gpredict.profile @@ -16,10 +16,10 @@ noroot nosound protocol unix,inet,inet6 seccomp -#shell none +shell none tracelog -#private-bin gpredict +private-bin gpredict private-etc fonts,resolv.conf private-dev private-tmp -- cgit v1.2.3-70-g09d2 From b1221c082cf5d7423cf3fe58c552a1469cac3d2d Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Tue, 25 Oct 2016 14:16:10 -0500 Subject: typo #2 --- etc/gpredict.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/gpredict.profile b/etc/gpredict.profile index 8dcfee2c4..801304c18 100644 --- a/etc/gpredict.profile +++ b/etc/gpredict.profile @@ -10,8 +10,8 @@ whitelist ~/.config/Gpredict caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot nosound protocol unix,inet,inet6 -- cgit v1.2.3-70-g09d2 From 834da29e4c467ca074209b51effef38f8a238e84 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 26 Oct 2016 09:15:50 -0400 Subject: removed ping blacklisting --- etc/disable-common.inc | 1 - 1 file changed, 1 deletion(-) 
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 3c0b2160c..848513454 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -169,7 +169,6 @@ blacklist ${PATH}/chsh blacklist ${PATH}/chfn blacklist ${PATH}/chage blacklist ${PATH}/expiry -blacklist ${PATH}/ping blacklist ${PATH}/unix_chkpwd # prevent lxterminal connecting to an existing lxterminal session -- cgit v1.2.3-70-g09d2 From ef0b9705614d061f6e974155fa1799964bc313ee Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 26 Oct 2016 18:10:30 +0200 Subject: minor fixes --- etc/disable-common.inc | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 82398473d..38a8b86d6 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -1,6 +1,7 @@ # History files in $HOME blacklist-nolog ${HOME}/.history blacklist-nolog ${HOME}/.*_history +blacklist-nolog ${HOME}/.bash_history blacklist ${HOME}/.local/share/systemd blacklist-nolog ${HOME}/.adobe blacklist-nolog ${HOME}/.macromedia @@ -23,6 +24,7 @@ blacklist ${HOME}/.config/openbox/autostart blacklist ${HOME}/.config/openbox/environment blacklist ${HOME}/.gnomerc blacklist /etc/X11/Xsession.d/ +blacklist ${HOME}/.xpra # VirtualBox blacklist ${HOME}/.VirtualBox @@ -96,9 +98,6 @@ read-only ${HOME}/.emacs.d read-only ${HOME}/.nano read-only ${HOME}/.tmux.conf read-only ${HOME}/.iscreenrc -read-only ${HOME}/.muttrc -read-only ${HOME}/.mutt/muttrc -read-only ${HOME}/.msmtprc read-only ${HOME}/.reportbugrc read-only ${HOME}/.xmonad read-only ${HOME}/.xscreensaver 
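Review bot: In the first hunk of the "minor fixes" commit, the added `blacklist-nolog ${HOME}/.bash_history` appears redundant, because the line just above it, `blacklist-nolog ${HOME}/.*_history`, already matches that file name. If the explicit entry is there for a reason, a short comment should say so; otherwise the line can be dropped.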
@@ -143,11 +142,11 @@ blacklist /usr/sbin blacklist /usr/local/sbin # system management -# blacklist ${PATH}/umount -# blacklist ${PATH}/mount -# blacklist ${PATH}/fusermount -# blacklist ${PATH}/su -# blacklist ${PATH}/sudo +blacklist ${PATH}/umount +blacklist ${PATH}/mount +blacklist ${PATH}/fusermount +blacklist ${PATH}/su +blacklist ${PATH}/sudo blacklist ${PATH}/xinput blacklist ${PATH}/evtest blacklist ${PATH}/xev -- cgit v1.2.3-70-g09d2 From abe5cb027416771da3d01c9b55d12a8f70618ed8 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 27 Oct 2016 08:58:48 -0400 Subject: network code split --- Makefile.in | 4 +- configure | 3 +- configure.ac | 2 +- src/firejail/Makefile.in | 4 +- src/firejail/appimage_size.c | 20 +++- src/firejail/firejail.h | 6 -- src/firejail/network.c | 46 --------- src/firejail/network_main.c | 87 +++++++++++++--- src/firejail/veth.c | 236 ------------------------------------------- src/fnet/Makefile.in | 43 ++++++++ src/fnet/fnet.h | 40 ++++++++ src/fnet/interface.c | 183 +++++++++++++++++++++++++++++++++ src/fnet/main.c | 63 ++++++++++++ src/fnet/veth.c | 230 +++++++++++++++++++++++++++++++++++++++++ 14 files changed, 658 insertions(+), 309 deletions(-) delete mode 100644 src/firejail/veth.c create mode 100644 src/fnet/Makefile.in create mode 100644 src/fnet/fnet.h create mode 100644 src/fnet/interface.c create mode 100644 src/fnet/main.c create mode 100644 src/fnet/veth.c diff --git a/Makefile.in b/Makefile.in index dbf53e2cb..0ae8fc903 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,6 +1,6 @@ all: apps man MYLIBS = src/lib -APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/libconnect +APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/libconnect src/fnet MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 prefix=@prefix@ 
@@ -76,6 +76,7 @@ realinstall: install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/. install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/faudit/faudit $(DESTDIR)/$(libdir)/firejail/. + install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/. # documents install -m 0755 -d $(DESTDIR)/$(DOCDIR) install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/. @@ -124,6 +125,7 @@ install-strip: all strip src/libconnect/libconnect.so strip src/ftee/ftee strip src/faudit/faudit + strip src/fnet/fnet $(MAKE) realinstall uninstall: diff --git a/configure b/configure index a470dffba..58d236815 100755 --- a/configure +++ b/configure @@ -3759,7 +3759,7 @@ if test "$prefix" = /usr; then sysconfdir="/etc" fi -ac_config_files="$ac_config_files Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile" +ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure @@ -4470,6 +4470,7 @@ do case $ac_config_target in "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; "src/lib/Makefile") CONFIG_FILES="$CONFIG_FILES src/lib/Makefile" ;; + "src/fnet/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnet/Makefile" ;; "src/firejail/Makefile") CONFIG_FILES="$CONFIG_FILES src/firejail/Makefile" ;; "src/firemon/Makefile") CONFIG_FILES="$CONFIG_FILES src/firemon/Makefile" ;; "src/libtrace/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtrace/Makefile" ;; diff --git a/configure.ac b/configure.ac index 95947a8e3..c7125e9c5 100644 --- a/configure.ac +++ b/configure.ac 
@@ -148,7 +148,7 @@ if test "$prefix" = /usr; then sysconfdir="/etc" fi -AC_OUTPUT(Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile) +AC_OUTPUT(Makefile src/lib/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile) echo echo "Configuration options:" diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in index fce460906..7d4bcb19b 100644 --- a/src/firejail/Makefile.in +++ b/src/firejail/Makefile.in @@ -30,11 +30,11 @@ BINOBJS = $(foreach file, $(OBJS), $file) CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread -%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h +%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) + $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) clean:; rm -f *.o firejail firejail.1 firejail.1.gz diff --git a/src/firejail/appimage_size.c b/src/firejail/appimage_size.c index c8b3d28c5..64fff6901 100644 --- a/src/firejail/appimage_size.c +++ b/src/firejail/appimage_size.c 
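Review bot: In src/firejail/Makefile.in the link command drops `../lib/libnetlink.o`, but the prerequisite list `firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o` still names it, so the binary is relinked whenever an object it no longer links changes. If firejail no longer calls into libnetlink, the target line should become `firejail: $(OBJS) ../lib/common.o`. Whether any file left in src/firejail still uses libnetlink functions cannot be seen from this hunk and should be checked before merging.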
@@ -1,3 +1,22 @@ +/* + * Copyright (C) 2014-2016 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ /* Compile with: gcc elfsize.c -o elfsize @@ -9,7 +28,6 @@ Size of section headers e_shentsize 64 Number of section headers e_shnum 29 e_shoff + ( e_shentsize * e_shnum ) = 126584 */ - #include #include #include diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 9a9bb1ae7..6c0441472 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -362,7 +362,6 @@ void net_if_ip6(const char *ifname, const char *addr6); int net_get_if_addr(const char *bridge, uint32_t *ip, uint32_t *mask, uint8_t mac[6], int *mtu); int net_add_route(uint32_t dest, uint32_t mask, uint32_t gw); void net_ifprint(void); -void net_bridge_add_interface(const char *bridge, const char *dev); uint32_t network_get_defaultgw(void); int net_config_mac(const char *ifname, const unsigned char mac[6]); int net_get_mac(const char *ifname, unsigned char mac[6]); 
@@ -432,11 +431,6 @@ uint32_t arp_assign(const char *dev, Bridge *br); // scan interface (--scan option) void arp_scan(const char *dev, uint32_t srcaddr, uint32_t srcmask); -// veth.c -int net_create_veth(const char *dev, const char *nsdev, unsigned pid); -int net_create_macvlan(const char *dev, const char *parent, unsigned pid); -int net_move_interface(const char *dev, unsigned pid); - // util.c void drop_privs(int nogroups); int mkpath_as_root(const char* path); diff --git a/src/firejail/network.c b/src/firejail/network.c index 4473ef099..ac0d86559 100644 --- a/src/firejail/network.c +++ b/src/firejail/network.c @@ -431,52 +431,6 @@ int net_add_route(uint32_t ip, uint32_t mask, uint32_t gw) { } -// add a veth device to a bridge -void net_bridge_add_interface(const char *bridge, const char *dev) { - if (strlen(bridge) > IFNAMSIZ) { - fprintf(stderr, "Error: invalid network device name %s\n", bridge); - exit(1); - } - - // somehow adding the interface to the bridge resets MTU on bridge device!!! - // workaround: restore MTU on the bridge device - // todo: put a real fix in - int mtu1 = net_get_mtu(bridge); - - struct ifreq ifr; - int err; - int ifindex = if_nametoindex(dev); - - if (ifindex <= 0) - errExit("if_nametoindex"); - - int sock; - if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) - errExit("socket"); - - memset(&ifr, 0, sizeof(ifr)); - strncpy(ifr.ifr_name, bridge, IFNAMSIZ); -#ifdef SIOCBRADDIF - ifr.ifr_ifindex = ifindex; - err = ioctl(sock, SIOCBRADDIF, &ifr); - if (err < 0) -#endif - { - unsigned long args[4] = { BRCTL_ADD_IF, ifindex, 0, 0 }; - - ifr.ifr_data = (char *) args; - err = ioctl(sock, SIOCDEVPRIVATE, &ifr); - } - (void) err; - close(sock); - - int mtu2 = net_get_mtu(bridge); - if (mtu1 != mtu2) { - if (arg_debug) - printf("Restoring MTU for %s\n", bridge); - net_set_mtu(bridge, mtu1); - } -} #define BUFSIZE 1024 uint32_t network_get_defaultgw(void) { 
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c index 907b84642..d2aa84bb6 100644 --- a/src/firejail/network_main.c +++ b/src/firejail/network_main.c @@ -23,6 +23,50 @@ #include #include #include +#include + +static void fnet_run(int num, ...) { + int i; + va_list valist; + va_start(valist, num); + + char *fnet; + if (asprintf(&fnet, "%s/firejail/fnet", LIBDIR) == -1) + errExit("asprintf"); + + char *arg[num + 2]; + arg[0] = fnet; + for (i = 0; i < num; i++) + arg[i + 1] = va_arg(valist, char*); + arg[i + 1] = NULL; + + pid_t child = fork(); + if (child < 0) + errExit("fork"); + if (child == 0) { + // elevate privileges in order to get grsecurity working + if (setreuid(0, 0)) + errExit("setreuid"); + if (setregid(0, 0)) + errExit("setregid"); + + execvp(arg[0], arg); + perror("execl"); + _exit(1); + } + + int status; + if (waitpid(child, &status, 0) == -1 ) { + errExit("waitpid"); + } + if (WIFEXITED(status) && status != 0) { + fprintf(stderr, "Error: cannot run fnet\n"); + exit(1); + } + + va_end(valist); + free(fnet); +} // configure bridge structure // - extract ip address and mask from the bridge interface @@ -127,13 +171,12 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child) { else dev = br->veth_name; - net_create_veth(dev, ifname, child); - - // add interface to the bridge - net_bridge_add_interface(br->dev, dev); - - // bring up the interface - net_if_up(dev); +// net_create_veth(dev, ifname, child); + char *cstr; + if (asprintf(&cstr, "%d", child) == -1) + errExit("asprintf"); + fnet_run(6, "create", "veth", dev, ifname, br->dev, cstr); + free(cstr); char *msg; if (asprintf(&msg, "%d.%d.%d.%d address assigned to sandbox", PRINT_IP(br->ipsandbox)) == -1) 
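Review bot: In `fnet_run`, the check `WIFEXITED(status) && status != 0` compares the raw wait status instead of the exit code and treats a helper that was killed by a signal as success, so a failed network setup can go unnoticed; `if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)` covers both cases. The child switches to uid and gid 0 and then calls `execvp` with whatever environment the caller has; unless the environment is cleared earlier, outside this hunk, the root helper inherits user-controlled variables, and a `clearenv();` before the exec would remove that input. The path is absolute, so `execv` is sufficient, and the failure message should name the call actually made: `perror("execvp")`.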
@@ -290,47 +333,61 @@ void net_dns_print(pid_t pid) { } void network_main(pid_t child) { + char *cstr; + if (asprintf(&cstr, "%d", child) == -1) + errExit("asprintf"); + // create veth pair or macvlan device if (cfg.bridge0.configured) { if (cfg.bridge0.macvlan == 0) { net_configure_veth_pair(&cfg.bridge0, "eth0", child); } else - net_create_macvlan(cfg.bridge0.devsandbox, cfg.bridge0.dev, child); +// net_create_macvlan(cfg.bridge0.devsandbox, cfg.bridge0.dev, child); + fnet_run(5, "create", "macvlan", cfg.bridge0.devsandbox, cfg.bridge0.dev, cstr); } if (cfg.bridge1.configured) { if (cfg.bridge1.macvlan == 0) net_configure_veth_pair(&cfg.bridge1, "eth1", child); else - net_create_macvlan(cfg.bridge1.devsandbox, cfg.bridge1.dev, child); +// net_create_macvlan(cfg.bridge1.devsandbox, cfg.bridge1.dev, child); + fnet_run(5, "create", "macvlan", cfg.bridge1.devsandbox, cfg.bridge1.dev, cstr); } if (cfg.bridge2.configured) { if (cfg.bridge2.macvlan == 0) net_configure_veth_pair(&cfg.bridge2, "eth2", child); else - net_create_macvlan(cfg.bridge2.devsandbox, cfg.bridge2.dev, child); +// net_create_macvlan(cfg.bridge2.devsandbox, cfg.bridge2.dev, child); + fnet_run(5, "create", "macvlan", cfg.bridge2.devsandbox, cfg.bridge2.dev, cstr); } if (cfg.bridge3.configured) { if (cfg.bridge3.macvlan == 0) net_configure_veth_pair(&cfg.bridge3, "eth3", child); else - net_create_macvlan(cfg.bridge3.devsandbox, cfg.bridge3.dev, child); +// net_create_macvlan(cfg.bridge3.devsandbox, cfg.bridge3.dev, child); + fnet_run(5, "create", "macvlan", cfg.bridge3.devsandbox, cfg.bridge3.dev, cstr); } // move interfaces in sandbox if (cfg.interface0.configured) { - net_move_interface(cfg.interface0.dev, child); +// net_move_interface(cfg.interface0.dev, child); + fnet_run(3, "moveif", cfg.interface0.dev, cstr); } if (cfg.interface1.configured) { - net_move_interface(cfg.interface1.dev, child); +// net_move_interface(cfg.interface1.dev, child); + fnet_run(3, "moveif", cfg.interface1.dev, cstr); } 
if (cfg.interface2.configured) { - net_move_interface(cfg.interface2.dev, child); +// net_move_interface(cfg.interface2.dev, child); + fnet_run(3, "moveif", cfg.interface3.dev, cstr); } if (cfg.interface3.configured) { - net_move_interface(cfg.interface3.dev, child); +// net_move_interface(cfg.interface3.dev, child); + fnet_run(3, "moveif", cfg.interface3.dev, cstr); } + + free(cstr); } diff --git a/src/firejail/veth.c b/src/firejail/veth.c deleted file mode 100644 index df3c1d1f9..000000000 --- a/src/firejail/veth.c +++ /dev/null 
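Review bot: In `network_main`, the `cfg.interface2.configured` branch passes `cfg.interface3.dev` to the helper, so the third interface is never moved into the sandbox and the helper is given the fourth interface's name (possibly unset) instead; the call should be `fnet_run(3, "moveif", cfg.interface2.dev, cstr);`. The old calls are kept as `//` comments directly after each unbraced `else`, which makes it easy to misread what the `else` governs; deleting the commented lines or bracing the branches would remove that ambiguity.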
@@ -1,236 +0,0 @@ -/* code based on iproute2 ip/iplink.c, modified to be included in firejail project - * - * Original source code: - * - * Information: - * http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2 - * - * Download: - * http://www.kernel.org/pub/linux/utils/net/iproute2/ - * - * Repository: - * git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/iproute2.git - * - * License: GPL v2 - * - * Original copyright header - * - * iplink.c "ip link". - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version - * 2 of the License, or (at your option) any later version. - * - * Authors: Alexey Kuznetsov, - * - */ - /* - * Copyright (C) 2014-2016 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
-*/ - -#include "firejail.h" -#include "../include/libnetlink.h" -#include -#include - -struct iplink_req -{ - struct nlmsghdr n; - struct ifinfomsg i; - char buf[1024]; -}; - -static struct rtnl_handle rth = { .fd = -1 }; - -int net_create_veth(const char *dev, const char *nsdev, unsigned pid) { - int len; - struct iplink_req req; - - if (arg_debug) - printf("create veth %s/%s/%u\n", dev, nsdev, pid); - assert(dev); - assert(nsdev); - assert(pid); - - if (rtnl_open(&rth, 0) < 0) { - fprintf(stderr, "cannot open netlink\n"); - exit(1); - } - - memset(&req, 0, sizeof(req)); - - req.n.nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg)); - req.n.nlmsg_flags = NLM_F_REQUEST|NLM_F_CREATE|NLM_F_EXCL; - req.n.nlmsg_type = RTM_NEWLINK; - req.i.ifi_family = 0; - - if (dev) { - len = strlen(dev) + 1; - addattr_l(&req.n, sizeof(req), IFLA_IFNAME, dev, len); - } - - struct rtattr *linkinfo = NLMSG_TAIL(&req.n); - addattr_l(&req.n, sizeof(req), IFLA_LINKINFO, NULL, 0); - addattr_l(&req.n, sizeof(req), IFLA_INFO_KIND, "veth", strlen("veth")); - - struct rtattr * data = NLMSG_TAIL(&req.n); - addattr_l(&req.n, sizeof(req), IFLA_INFO_DATA, NULL, 0); - - struct rtattr * peerdata = NLMSG_TAIL(&req.n); - addattr_l (&req.n, sizeof(req), VETH_INFO_PEER, NULL, 0); - req.n.nlmsg_len += sizeof(struct ifinfomsg); - - // place the link in the child namespace - addattr_l (&req.n, sizeof(req), IFLA_NET_NS_PID, &pid, 4); - - if (nsdev) { - int len = strlen(nsdev) + 1; - addattr_l(&req.n, sizeof(req), IFLA_IFNAME, nsdev, len); - } - peerdata->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)peerdata; - - data->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)data; - linkinfo->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)linkinfo; - - // send message - if (rtnl_talk(&rth, &req.n, 0, 0, NULL) < 0) - exit(2); - - return 0; -} - - -int net_create_macvlan(const char *dev, const char *parent, unsigned pid) { - int len; - struct iplink_req req; - if (arg_debug) - printf("create macvlan %s, parent %s\n", 
dev, parent); - assert(dev); - assert(parent); - - if (rtnl_open(&rth, 0) < 0) { - fprintf(stderr, "cannot open netlink\n"); - exit(1); - } - - memset(&req, 0, sizeof(req)); - - req.n.nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg)); - req.n.nlmsg_flags = NLM_F_REQUEST|NLM_F_CREATE|NLM_F_EXCL; - req.n.nlmsg_type = RTM_NEWLINK; - req.i.ifi_family = 0; - - // find parent ifindex - int parent_ifindex = if_nametoindex(parent); - if (parent_ifindex <= 0) { - fprintf(stderr, "Error: cannot find network device %s\n", parent); - exit(1); - } - - // add parent - addattr_l(&req.n, sizeof(req), IFLA_LINK, &parent_ifindex, 4); - - // add new interface name - len = strlen(dev) + 1; - addattr_l(&req.n, sizeof(req), IFLA_IFNAME, dev, len); - - // place the interface in child namespace - addattr_l (&req.n, sizeof(req), IFLA_NET_NS_PID, &pid, 4); - - - // add link info for the new interface - struct rtattr *linkinfo = NLMSG_TAIL(&req.n); - addattr_l(&req.n, sizeof(req), IFLA_LINKINFO, NULL, 0); - addattr_l(&req.n, sizeof(req), IFLA_INFO_KIND, "macvlan", strlen("macvlan")); - - // set macvlan bridge mode - struct rtattr * data = NLMSG_TAIL(&req.n); - addattr_l(&req.n, sizeof(req), IFLA_INFO_DATA, NULL, 0); - int macvlan_type = MACVLAN_MODE_BRIDGE; - addattr_l (&req.n, sizeof(req), IFLA_INFO_KIND, &macvlan_type, 4); - - data->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)data; -// req.n.nlmsg_len += sizeof(struct ifinfomsg); - - - data->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)data; - linkinfo->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)linkinfo; - - // send message - if (rtnl_talk(&rth, &req.n, 0, 0, NULL) < 0) - exit(2); - - return 0; -} - -// move the interface dev in namespace of program pid -// when the interface is moved, netlink does not preserve interface configuration -int net_move_interface(const char *dev, unsigned pid) { - struct iplink_req req; - if (arg_debug) - printf("move device %s inside the namespace\n", dev); - assert(dev); - - if (rtnl_open(&rth, 0) 
< 0) { - fprintf(stderr, "cannot open netlink\n"); - exit(1); - } - - memset(&req, 0, sizeof(req)); - - req.n.nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg)); - req.n.nlmsg_flags = NLM_F_REQUEST; - req.n.nlmsg_type = RTM_NEWLINK; - req.i.ifi_family = 0; - - // find ifindex - int ifindex = if_nametoindex(dev); - if (ifindex <= 0) { - fprintf(stderr, "Error: cannot find interface %s\n", dev); - exit(1); - } - req.i.ifi_index = ifindex; - - // place the interface in child namespace - addattr_l (&req.n, sizeof(req), IFLA_NET_NS_PID, &pid, 4); - - // send message - if (rtnl_talk(&rth, &req.n, 0, 0, NULL) < 0) - exit(2); - - return 0; -} - -/* -int main(int argc, char **argv) { - printf("Hello\n"); - - - char *dev = argv[3]; - char *nsdev = argv[8]; - unsigned pid; - sscanf(argv[10], "%u", &pid); - - - net_create_veth(dev, nsdev, pid); - - return 0; -} -*/ \ No newline at end of file diff --git a/src/fnet/Makefile.in b/src/fnet/Makefile.in new file mode 100644 index 000000000..1bfb4c68d --- /dev/null +++ b/src/fnet/Makefile.in 
@@ -0,0 +1,43 @@ +all: fnet + +prefix=@prefix@ +exec_prefix=@exec_prefix@ +libdir=@libdir@ +sysconfdir=@sysconfdir@ + +VERSION=@PACKAGE_VERSION@ +NAME=@PACKAGE_NAME@ +HAVE_SECCOMP_H=@HAVE_SECCOMP_H@ +HAVE_SECCOMP=@HAVE_SECCOMP@ +HAVE_CHROOT=@HAVE_CHROOT@ +HAVE_BIND=@HAVE_BIND@ +HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ +HAVE_NETWORK=@HAVE_NETWORK@ +HAVE_USERNS=@HAVE_USERNS@ +HAVE_X11=@HAVE_X11@ +HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ +HAVE_WHITELIST=@HAVE_WHITELIST@ +HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ +HAVE_APPARMOR=@HAVE_APPARMOR@ +HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ +HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ +EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ + +H_FILE_LIST = $(sort $(wildcard *.[h])) +C_FILE_LIST = $(sort $(wildcard *.c)) +OBJS = $(C_FILE_LIST:.c=.o) +BINOBJS = $(foreach file, $(OBJS), $file) +CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security +LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread + +%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h + $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ + +fnet: $(OBJS) ../lib/libnetlink.o ../lib/common.o + $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) + +clean:; rm -f *.o fnet + +distclean: clean + rm -fr Makefile + diff --git a/src/fnet/fnet.h b/src/fnet/fnet.h new file mode 100644 index 000000000..58efbbed5 --- /dev/null +++ b/src/fnet/fnet.h 
@@ -0,0 +1,40 @@ + /* + * Copyright (C) 2014-2016 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#ifndef FNET_H +#define FNET_H + +#include +#include +#include +#include +#include "../include/common.h" + +// veth.c +int net_create_veth(const char *dev, const char *nsdev, unsigned pid); +int net_create_macvlan(const char *dev, const char *parent, unsigned pid); +int net_move_interface(const char *dev, unsigned pid); + +// interface.c +void net_bridge_add_interface(const char *bridge, const char *dev); +void net_if_up(const char *ifname); +int net_get_mtu(const char *ifname); +void net_set_mtu(const char *ifname, int mtu); + +#endif diff --git a/src/fnet/interface.c b/src/fnet/interface.c new file mode 100644 index 000000000..b1903dd46 --- /dev/null +++ b/src/fnet/interface.c 
@@ -0,0 +1,183 @@ + /* + * Copyright (C) 2014-2016 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ + +#include "fnet.h" +#include +#include +#include +#include +#include +#include +#include +#include +#include + +// add a veth device to a bridge +void net_bridge_add_interface(const char *bridge, const char *dev) { + if (strlen(bridge) > IFNAMSIZ) { + fprintf(stderr, "Error fnet: invalid network device name %s\n", bridge); + exit(1); + } + + // somehow adding the interface to the bridge resets MTU on bridge device!!! 
+ // workaround: restore MTU on the bridge device + // todo: put a real fix in + int mtu1 = net_get_mtu(bridge); + + struct ifreq ifr; + int err; + int ifindex = if_nametoindex(dev); + + if (ifindex <= 0) + errExit("if_nametoindex"); + + int sock; + if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) + errExit("socket"); + + memset(&ifr, 0, sizeof(ifr)); + strncpy(ifr.ifr_name, bridge, IFNAMSIZ); +#ifdef SIOCBRADDIF + ifr.ifr_ifindex = ifindex; + err = ioctl(sock, SIOCBRADDIF, &ifr); + if (err < 0) +#endif + { + unsigned long args[4] = { BRCTL_ADD_IF, ifindex, 0, 0 }; + + ifr.ifr_data = (char *) args; + err = ioctl(sock, SIOCDEVPRIVATE, &ifr); + } + (void) err; + close(sock); + + int mtu2 = net_get_mtu(bridge); + if (mtu1 != mtu2) { + net_set_mtu(bridge, mtu1); + } +} + + +// bring interface up +void net_if_up(const char *ifname) { + if (strlen(ifname) > IFNAMSIZ) { + fprintf(stderr, "Error fnet: invalid network device name %s\n", ifname); + exit(1); + } + + int sock = socket(AF_INET,SOCK_DGRAM,0); + if (sock < 0) + errExit("socket"); + + // get the existing interface flags + struct ifreq ifr; + memset(&ifr, 0, sizeof(ifr)); + strncpy(ifr.ifr_name, ifname, IFNAMSIZ); + ifr.ifr_addr.sa_family = AF_INET; + + // read the existing flags + if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) { + close(sock); + printf("Error fnet: cannot bring up interface %s\n", ifname); + errExit("ioctl"); + } + + ifr.ifr_flags |= IFF_UP; + + // set the new flags + if (ioctl( sock, SIOCSIFFLAGS, &ifr ) < 0) { + close(sock); + printf("Error fnet: cannot bring up interface %s\n", ifname); + errExit("ioctl"); + } + + // checking + // read the existing flags + if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) { + close(sock); + printf("Error fnet: cannot bring up interface %s\n", ifname); + errExit("ioctl"); + } + + // wait not more than 500ms for the interface to come up + int cnt = 0; + while (cnt < 50) { + usleep(10000); // sleep 10ms + + // read the existing flags + if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 
0) { + close(sock); + printf("Error fnet: cannot bring up interface %s\n", ifname); + errExit("ioctl"); + } + if (ifr.ifr_flags & IFF_RUNNING) + break; + cnt++; + } + + close(sock); +} + +int net_get_mtu(const char *ifname) { + int mtu = 0; + if (strlen(ifname) > IFNAMSIZ) { + fprintf(stderr, "Error fnet: invalid network device name %s\n", ifname); + exit(1); + } + + int s; + struct ifreq ifr; + + if ((s = socket(AF_INET, SOCK_DGRAM, 0)) < 0) + errExit("socket"); + + memset(&ifr, 0, sizeof(ifr)); + ifr.ifr_addr.sa_family = AF_INET; + strncpy(ifr.ifr_name, ifname, IFNAMSIZ); + if (ioctl(s, SIOCGIFMTU, (caddr_t)&ifr) == 0) + mtu = ifr.ifr_mtu; + close(s); + + + return mtu; +} + +void net_set_mtu(const char *ifname, int mtu) { + if (strlen(ifname) > IFNAMSIZ) { + fprintf(stderr, "Error fnet: invalid network device name %s\n", ifname); + exit(1); + } + + int s; + struct ifreq ifr; + + if ((s = socket(AF_INET, SOCK_DGRAM, 0)) < 0) + errExit("socket"); + + memset(&ifr, 0, sizeof(ifr)); + ifr.ifr_addr.sa_family = AF_INET; + strncpy(ifr.ifr_name, ifname, IFNAMSIZ); + ifr.ifr_mtu = mtu; + if (ioctl(s, SIOCSIFMTU, (caddr_t)&ifr) != 0) + fprintf(stderr, "Warning fnet: cannot set mtu for interface %s\n", ifname); + close(s); +} + + diff --git a/src/fnet/main.c b/src/fnet/main.c new file mode 100644 index 000000000..ae780c2ea --- /dev/null +++ b/src/fnet/main.c 
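Review bot: The length guard `strlen(ifname) > IFNAMSIZ` in net_if_up, net_get_mtu and net_set_mtu (and the same test on `bridge` in net_bridge_add_interface) accepts a name of exactly IFNAMSIZ bytes, after which `strncpy(ifr.ifr_name, ifname, IFNAMSIZ)` fills `ifr_name` without a terminating NUL. Reject that length too, `if (strlen(ifname) >= IFNAMSIZ) {`, so every name passed to ioctl() is terminated. In net_bridge_add_interface the result of both ioctls is discarded with `(void) err;`, so a failed bridge attach goes unreported; a warning on stderr, as net_set_mtu prints, would make it visible. net_if_up reports its errors with printf while the rest of the file uses stderr.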
@@ -0,0 +1,63 @@ + /* + * Copyright (C) 2014-2016 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include +#include +#include +#include +#include + +static void usage(void) { + printf("Usage:\n"); + printf("\tfnet create veth dev1 dev2 bridge child\n"); + printf("\tfnet create macvlan dev parent child\n"); + printf("\tfnet moveif dev proc\n"); +} + +int main(int argc, char **argv) { + if (argc < 2) + return 1; + + if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) { + usage(); + return 0; + } + else if (argc == 7 && strcmp(argv[1], "create") == 0 && strcmp(argv[2], "veth") == 0) { + // create veth pair and move one end in the the namespace + net_create_veth(argv[3], argv[4], atoi(argv[6])); + + // connect the ohter veth end to the bridge ... + net_bridge_add_interface(argv[5], argv[3]); + + // ... 
and bring it up + net_if_up(argv[3]); + } + else if (argc == 6 && strcmp(argv[1], "create") == 0 && strcmp(argv[2], "macvlan") == 0) { + net_create_macvlan(argv[3], argv[4], atoi(argv[5])); + } + else if (argc == 4 && strcmp(argv[1], "moveif") == 0) { + net_move_interface(argv[2], atoi(argv[3])); + } + else { + fprintf(stderr, "Error fnet: invalid arguments\n"); + return 1; + } + + return 0; +} diff --git a/src/fnet/veth.c b/src/fnet/veth.c new file mode 100644 index 000000000..d06bc9256 --- /dev/null +++ b/src/fnet/veth.c 
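Review bot: The process id arguments are converted with `atoi(argv[6])`, `atoi(argv[5])` and `atoi(argv[3])`, which gives 0 for non-numeric text and has no defined result on overflow. Only net_create_veth guards the value, with `assert(pid)`, and that check disappears under NDEBUG. The caller hunks in network_main.c start this helper with SBOX_ROOT, so the pid that selects the target network namespace should be parsed strictly and rejected when malformed. A small helper based on strtoul covers all three call sites; it needs `<errno.h>` and `<limits.h>` if the file does not already include them.
```c
// parse a decimal pid argument; exit on anything that is not a positive number
static unsigned parse_pid(const char *str) {
	char *end;
	errno = 0;
	unsigned long val = strtoul(str, &end, 10);
	if (errno || end == str || *end != '\0' || val == 0 || val > INT_MAX) {
		fprintf(stderr, "Error fnet: invalid process id %s\n", str);
		exit(1);
	}
	return (unsigned) val;
}

// ... unchanged: usage(), help handling and argument-count checks ...
		net_create_veth(argv[3], argv[4], parse_pid(argv[6]));
// ... unchanged: bridge attach and net_if_up ...
		net_create_macvlan(argv[3], argv[4], parse_pid(argv[5]));
// ... unchanged: moveif argument-count check ...
		net_move_interface(argv[2], parse_pid(argv[3]));
```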
@@ -0,0 +1,230 @@ +/* code based on iproute2 ip/iplink.c, modified to be included in firejail project + * + * Original source code: + * + * Information: + * http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2 + * + * Download: + * http://www.kernel.org/pub/linux/utils/net/iproute2/ + * + * Repository: + * git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/iproute2.git + * + * License: GPL v2 + * + * Original copyright header + * + * iplink.c "ip link". + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version + * 2 of the License, or (at your option) any later version. + * + * Authors: Alexey Kuznetsov, + * + */ + /* + * Copyright (C) 2014-2016 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
+*/ + +#include "fnet.h" +#include "../include/libnetlink.h" +#include +#include + +struct iplink_req +{ + struct nlmsghdr n; + struct ifinfomsg i; + char buf[1024]; +}; + +static struct rtnl_handle rth = { .fd = -1 }; + +int net_create_veth(const char *dev, const char *nsdev, unsigned pid) { + int len; + struct iplink_req req; + + assert(dev); + assert(nsdev); + assert(pid); + + if (rtnl_open(&rth, 0) < 0) { + fprintf(stderr, "cannot open netlink\n"); + exit(1); + } + + memset(&req, 0, sizeof(req)); + + req.n.nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg)); + req.n.nlmsg_flags = NLM_F_REQUEST|NLM_F_CREATE|NLM_F_EXCL; + req.n.nlmsg_type = RTM_NEWLINK; + req.i.ifi_family = 0; + + if (dev) { + len = strlen(dev) + 1; + addattr_l(&req.n, sizeof(req), IFLA_IFNAME, dev, len); + } + + struct rtattr *linkinfo = NLMSG_TAIL(&req.n); + addattr_l(&req.n, sizeof(req), IFLA_LINKINFO, NULL, 0); + addattr_l(&req.n, sizeof(req), IFLA_INFO_KIND, "veth", strlen("veth")); + + struct rtattr * data = NLMSG_TAIL(&req.n); + addattr_l(&req.n, sizeof(req), IFLA_INFO_DATA, NULL, 0); + + struct rtattr * peerdata = NLMSG_TAIL(&req.n); + addattr_l (&req.n, sizeof(req), VETH_INFO_PEER, NULL, 0); + req.n.nlmsg_len += sizeof(struct ifinfomsg); + + // place the link in the child namespace + addattr_l (&req.n, sizeof(req), IFLA_NET_NS_PID, &pid, 4); + + if (nsdev) { + int len = strlen(nsdev) + 1; + addattr_l(&req.n, sizeof(req), IFLA_IFNAME, nsdev, len); + } + peerdata->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)peerdata; + + data->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)data; + linkinfo->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)linkinfo; + + // send message + if (rtnl_talk(&rth, &req.n, 0, 0, NULL) < 0) + exit(2); + + return 0; +} + + +int net_create_macvlan(const char *dev, const char *parent, unsigned pid) { + int len; + struct iplink_req req; + assert(dev); + assert(parent); + + if (rtnl_open(&rth, 0) < 0) { + fprintf(stderr, "cannot open netlink\n"); + exit(1); + } + + 
memset(&req, 0, sizeof(req)); + + req.n.nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg)); + req.n.nlmsg_flags = NLM_F_REQUEST|NLM_F_CREATE|NLM_F_EXCL; + req.n.nlmsg_type = RTM_NEWLINK; + req.i.ifi_family = 0; + + // find parent ifindex + int parent_ifindex = if_nametoindex(parent); + if (parent_ifindex <= 0) { + fprintf(stderr, "Error: cannot find network device %s\n", parent); + exit(1); + } + + // add parent + addattr_l(&req.n, sizeof(req), IFLA_LINK, &parent_ifindex, 4); + + // add new interface name + len = strlen(dev) + 1; + addattr_l(&req.n, sizeof(req), IFLA_IFNAME, dev, len); + + // place the interface in child namespace + addattr_l (&req.n, sizeof(req), IFLA_NET_NS_PID, &pid, 4); + + + // add link info for the new interface + struct rtattr *linkinfo = NLMSG_TAIL(&req.n); + addattr_l(&req.n, sizeof(req), IFLA_LINKINFO, NULL, 0); + addattr_l(&req.n, sizeof(req), IFLA_INFO_KIND, "macvlan", strlen("macvlan")); + + // set macvlan bridge mode + struct rtattr * data = NLMSG_TAIL(&req.n); + addattr_l(&req.n, sizeof(req), IFLA_INFO_DATA, NULL, 0); + int macvlan_type = MACVLAN_MODE_BRIDGE; + addattr_l (&req.n, sizeof(req), IFLA_INFO_KIND, &macvlan_type, 4); + + data->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)data; +// req.n.nlmsg_len += sizeof(struct ifinfomsg); + + + data->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)data; + linkinfo->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)linkinfo; + + // send message + if (rtnl_talk(&rth, &req.n, 0, 0, NULL) < 0) + exit(2); + + return 0; +} + +// move the interface dev in namespace of program pid +// when the interface is moved, netlink does not preserve interface configuration +int net_move_interface(const char *dev, unsigned pid) { + struct iplink_req req; + assert(dev); + + if (rtnl_open(&rth, 0) < 0) { + fprintf(stderr, "cannot open netlink\n"); + exit(1); + } + + memset(&req, 0, sizeof(req)); + + req.n.nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg)); + req.n.nlmsg_flags = NLM_F_REQUEST; + req.n.nlmsg_type 
= RTM_NEWLINK; + req.i.ifi_family = 0; + + // find ifindex + int ifindex = if_nametoindex(dev); + if (ifindex <= 0) { + fprintf(stderr, "Error: cannot find interface %s\n", dev); + exit(1); + } + req.i.ifi_index = ifindex; + + // place the interface in child namespace + addattr_l (&req.n, sizeof(req), IFLA_NET_NS_PID, &pid, 4); + + // send message + if (rtnl_talk(&rth, &req.n, 0, 0, NULL) < 0) + exit(2); + + return 0; +} + +/* +int main(int argc, char **argv) { + printf("Hello\n"); + + + char *dev = argv[3]; + char *nsdev = argv[8]; + unsigned pid; + sscanf(argv[10], "%u", &pid); + + + net_create_veth(dev, nsdev, pid); + + return 0; +} +*/ \ No newline at end of file -- cgit v1.2.3-70-g09d2 From 6144229605177764b7f3f3450c1a47f56595dc9e Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 27 Oct 2016 10:16:07 -0400 Subject: security: overwrite /etc/resolv.conf --- RELNOTES | 5 ++++- src/firejail/main.c | 8 ++++++++ src/firejail/util.c | 8 +++++++- 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/RELNOTES b/RELNOTES index c0fb8b20b..7aeac4f8d 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,7 +1,10 @@ firejail (0.9.45) baseline; urgency=low * development version, work in progress - -- netblue30 Sun, 23 Oct 2016 08:00:00 -0500 + * security: overwrite /etc/resolv.conf found by Martin Carpenter + * feature: split most of networking code in a separate executable * new profiles: xiphos, Tor Browser Bundle + * bugfixes + -- netblue30 Sun, 23 Oct 2016 08:00:00 -0500 firejail (0.9.44) baseline; urgency=low * CVE-2016-7545 submitted by Aleksey Manevich diff --git a/src/firejail/main.c b/src/firejail/main.c index b5a97c71e..f41d5fcd3 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c 
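Review bot: In net_create_macvlan the bridge mode is added with `addattr_l (&req.n, sizeof(req), IFLA_INFO_KIND, &macvlan_type, 4);`, which reuses the IFLA_INFO_KIND tag inside IFLA_INFO_DATA. The attribute meant there is `IFLA_MACVLAN_MODE`; the request only works because both constants have the same numeric value, so the line should read `addattr_l(&req.n, sizeof(req), IFLA_MACVLAN_MODE, &macvlan_type, sizeof(macvlan_type));`. None of the addattr_l() results in the three functions are checked. If it reports a full buffer through its return value as in iproute2 (libnetlink is not shown here), an over-long name from argv would leave an incomplete request that is still sent. The literal `4` for the pid attributes is better written `sizeof(pid)`, and `data->rta_len` is assigned twice in net_create_macvlan.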
@@ -1605,6 +1605,14 @@ int main(int argc, char **argv) { return 1; } + // don't allow "--chroot=/" + char *rpath = realpath(cfg.chrootdir, NULL); + if (rpath == NULL || strcmp(rpath, "/") == 0) { + fprintf(stderr, "Error: invalid chroot directory\n"); + exit(1); + } + free(rpath); + // check chroot directory structure if (fs_check_chroot_dir(cfg.chrootdir)) { fprintf(stderr, "Error: invalid chroot\n"); diff --git a/src/firejail/util.c b/src/firejail/util.c index f38b02fd0..4b2e09953 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c @@ -171,11 +171,17 @@ void logerr(const char *msg) { } -// return -1 if error, 0 if no error +// return -1 if error, 0 if no error; if destname already exists, return error int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) { assert(srcname); assert(destname); + struct stat s; + if (stat(destname, &s) == 0) { + fprintf(stderr, "Error: file %s already exists\n", destname); + return -1; + } + // open source int src = open(srcname, O_RDONLY); if (src < 0) { -- cgit v1.2.3-70-g09d2 From 096333704e0c3d6b7cf23fe6f4e34e99fdc9770f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 27 Oct 2016 10:54:34 -0400 Subject: remove tmpfs from /dev/shm for root user --- RELNOTES | 1 + src/firejail/fs.c | 12 ++++++------ src/firejail/fs_dev.c | 2 ++ 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/RELNOTES b/RELNOTES index 7aeac4f8d..16c03fc23 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,6 +1,7 @@ firejail (0.9.45) baseline; urgency=low * development version, work in progress * security: overwrite /etc/resolv.conf found by Martin Carpenter + * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm) * feature: split most of networking code in a separate executable * new profiles: xiphos, Tor Browser Bundle * bugfixes diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 6c566bd90..572b08205 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c 
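Review bot: The new `--chroot=/` guard resolves `cfg.chrootdir` with realpath() and then frees the result, so `fs_check_chroot_dir(cfg.chrootdir)` just below still works on the unresolved string. The same presumably holds for whatever performs the chroot later, which is outside this hunk. If a path component is a symlink that can change between the calls, the directory compared against "/" need not be the one used afterwards. Keeping the resolved path for the later steps, `cfg.chrootdir = rpath;` in place of `free(rpath);`, closes that gap, provided nothing else owns the old string (not visible here). main() starts and ends outside the hunk.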
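Review bot: The `stat(destname, &s) == 0` pre-check in copy_file is a separate step from the later creation of the destination, so the file can appear between the two calls. Because stat() follows symlinks, a dangling symlink at `destname` is also reported as absent. The reliable way to fail on an existing file is to let the kernel decide at creation time: open the destination with `O_CREAT | O_EXCL`, which also refuses a symlink in the last path component, and treat EEXIST as the error. The destination open is outside the hunk, so its current flags cannot be confirmed from here. The stat() test can stay for its early message, but it should not be the only guard.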
@@ -754,8 +754,8 @@ void fs_basic_fs(void) { fs_rdonly("/usr"); // update /var directory in order to support multiple sandboxes running on the same root directory - if (!arg_private_dev) - fs_dev_shm(); +// if (!arg_private_dev) +// fs_dev_shm(); fs_var_lock(); fs_var_tmp(); fs_var_log(); @@ -1061,8 +1061,8 @@ void fs_overlayfs(void) { errExit("chroot"); // update /var directory in order to support multiple sandboxes running on the same root directory - if (!arg_private_dev) - fs_dev_shm(); +// if (!arg_private_dev) +// fs_dev_shm(); fs_var_lock(); fs_var_tmp(); fs_var_log(); @@ -1233,8 +1233,8 @@ void fs_chroot(const char *rootdir) { if (checkcfg(CFG_CHROOT_DESKTOP)) { // update /var directory in order to support multiple sandboxes running on the same root directory - if (!arg_private_dev) - fs_dev_shm(); +// if (!arg_private_dev) +// fs_dev_shm(); fs_var_lock(); fs_var_tmp(); fs_var_log(); diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index aa5f7c28b..0186c6f82 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c @@ -244,6 +244,7 @@ void fs_private_dev(void){ } +#if 0 void fs_dev_shm(void) { uid_t uid = getuid(); // set a new shm only if we started as root if (uid) @@ -282,6 +283,7 @@ void fs_dev_shm(void) { } } +#endif static void disable_file_or_dir(const char *fname) { if (arg_debug) -- cgit v1.2.3-70-g09d2 From 196a857a11848d0bff33ea1485884fb22bf42da6 Mon Sep 17 00:00:00 2001 
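Review bot: The `fs_dev_shm()` calls in fs_basic_fs, fs_overlayfs and fs_chroot are disabled by commenting them out, and the function in fs_dev.c is fenced with `#if 0`, which leaves dead code and no explanation in the source. The context comment "set a new shm only if we started as root" suggests that a sandbox started as root now sees the host's /dev/shm rather than a private tmpfs. That is a change in isolation and deserves a statement where the calls used to be. Delete the calls and the function (history keeps them) and leave one line such as `// /dev/shm is no longer replaced with a tmpfs for root; blacklist it in the profile if isolation is needed`. The prototype, presumably in firejail.h, is not touched by this diff and should go as well.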
From: netblue30 Date: Thu, 27 Oct 2016 21:37:18 -0400 Subject: sbox --- .gitignore | 1 + src/firejail/Makefile.in | 2 +- src/firejail/firejail.h | 12 +++ src/firejail/list.c | 101 ------------------------- src/firejail/main.c | 27 ++++--- src/firejail/network_main.c | 61 +++------------ src/firejail/protocol.c | 2 +- src/firejail/sbox.c | 177 ++++++++++++++++++++++++++++++++++++++++++++ src/firejail/seccomp.c | 2 +- src/firejail/seccomp.h | 149 ------------------------------------- src/fnet/main.c | 11 +++ src/include/seccomp.h | 149 +++++++++++++++++++++++++++++++++++++ 12 files changed, 378 insertions(+), 316 deletions(-) delete mode 100644 src/firejail/list.c create mode 100644 src/firejail/sbox.c delete mode 100644 src/firejail/seccomp.h create mode 100644 src/include/seccomp.h diff --git a/.gitignore b/.gitignore index 0d5979c8b..6acb6775c 100644 --- a/.gitignore +++ b/.gitignore @@ -18,4 +18,5 @@ src/firecfg/firecfg src/ftee/ftee src/tags src/faudit/faudit +src/fnet/fnet uids.h diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in index 7d4bcb19b..c4c168236 100644 --- a/src/firejail/Makefile.in +++ b/src/firejail/Makefile.in 
@@ -30,7 +30,7 @@ BINOBJS = $(foreach file, $(OBJS), $file) CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread -%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h +%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 6c0441472..367f599ec 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -25,6 +25,7 @@ // debug restricted shell //#define DEBUG_RESTRICTED_SHELL + // filesystem #define RUN_FIREJAIL_BASEDIR "/run" #define RUN_FIREJAIL_DIR "/run/firejail" @@ -681,6 +682,17 @@ long unsigned int appimage2_size(const char *fname); // cmdline.c void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index); +// sbox.c +// programs +#define PATH_FNET (LIBDIR "/firejail/fnet") +#define PATH_FIREMON (PREFIX "/bin/firemon") +// bitmapped filters for sbox_run +#define SBOX_ROOT 1 +#define SBOX_USER 2 +#define SBOX_CAPS 4 +#define SBOX_SECCOMP 8 +int sbox_run(unsigned filter, int num, ...); + #endif diff --git a/src/firejail/list.c b/src/firejail/list.c deleted file mode 100644 index d093a1f85..000000000 --- a/src/firejail/list.c +++ /dev/null 
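Review bot: The `sbox_run` prototype in firejail.h is added without a contract comment, and its calling convention is easy to misuse. As visible in sbox.c, `num` counts every `char *` argument that follows, including the program path, and SBOX_ROOT takes precedence over SBOX_USER. With neither bit set, the child keeps the identity left by `EUID_ROOT()` at the top of the function, presumably effective root. Proposed comments above the prototype: `// run a helper in a child process; num = number of char* arguments that follow, the first being the program path` and `// set exactly one of SBOX_ROOT or SBOX_USER; SBOX_CAPS drops all capabilities, SBOX_SECCOMP installs the built-in filter`. The meaning of the return value should be documented too; the end of sbox_run is outside the visible part of the diff.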
@@ -1,101 +0,0 @@ -/* - * Copyright (C) 2014-2016 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ -#include "firejail.h" -#include -#include - -static void set_privileges(void) { - struct stat s; - if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { - EUID_ROOT(); - - // elevate privileges - if (setreuid(0, 0)) - errExit("setreuid"); - if (setregid(0, 0)) - errExit("setregid"); - } - else - drop_privs(1); -} - -static char *get_firemon_path(const char *cmd) { - assert(cmd); - - // start the argv[0] program in a new sandbox - char *firemon; - if (asprintf(&firemon, "%s/bin/firemon %s", PREFIX, cmd) == -1) - errExit("asprintf"); - - return firemon; -} - -void top(void) { - EUID_ASSERT(); - drop_privs(1); - char *cmd = get_firemon_path("--top"); - - char *arg[4]; - arg[0] = "bash"; - arg[1] = "-c"; - arg[2] = cmd; - arg[3] = NULL; - execvp("/bin/bash", arg); -} - -void netstats(void) { - EUID_ASSERT(); - set_privileges(); - char *cmd = get_firemon_path("--netstats"); - - char *arg[4]; - arg[0] = "bash"; - arg[1] = "-c"; - arg[2] = cmd; - arg[3] = NULL; - execvp("/bin/bash", arg); -} - -void list(void) { - EUID_ASSERT(); - drop_privs(1); - char *cmd = get_firemon_path("--list"); - - char *arg[4]; - arg[0] = "bash"; - arg[1] = "-c"; 
- arg[2] = cmd; - arg[3] = NULL; - execvp("/bin/bash", arg); -} - -void tree(void) { - EUID_ASSERT(); - drop_privs(1); - char *cmd = get_firemon_path("--tree"); - - char *arg[4]; - arg[0] = "bash"; - arg[1] = "-c"; - arg[2] = cmd; - arg[3] = NULL; - execvp("/bin/bash", arg); -} - diff --git a/src/firejail/main.c b/src/firejail/main.c index f41d5fcd3..15d42a4e0 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -54,9 +54,9 @@ Config cfg; // configuration int arg_private = 0; // mount private /home and /tmp directoryu int arg_private_template = 0; // mount private /home using a template int arg_debug = 0; // print debug messages -int arg_debug_check_filename; // print debug messages for filename checking -int arg_debug_blacklists; // print debug messages for blacklists -int arg_debug_whitelists; // print debug messages for whitelists +int arg_debug_check_filename = 0; // print debug messages for filename checking +int arg_debug_blacklists = 0; // print debug messages for blacklists +int arg_debug_whitelists = 0; // print debug messages for whitelists int arg_nonetwork = 0; // --net=none int arg_command = 0; // -c int arg_overlay = 0; // overlay option 
@@ -498,27 +498,32 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { exit(0); } else if (strcmp(argv[i], "--list") == 0) { - list(); - exit(0); + int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--list"); + exit(rv); } else if (strcmp(argv[i], "--tree") == 0) { - tree(); - exit(0); + int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree"); + exit(rv); } else if (strcmp(argv[i], "--top") == 0) { - top(); - exit(0); + int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--top"); + exit(rv); } #ifdef HAVE_NETWORK else if (strcmp(argv[i], "--netstats") == 0) { if (checkcfg(CFG_NETWORK)) { - netstats(); + struct stat s; + int rv; + if (stat("/proc/sys/kernel/grsecurity", &s) == 0) + rv = sbox_run(SBOX_ROOT | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--netstats"); + else + rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--netstats"); + exit(rv); } else { fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); exit(1); } - exit(0); } #endif #ifdef HAVE_FILE_TRANSFER diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c index d2aa84bb6..35d6dd214 100644 --- a/src/firejail/network_main.c +++ b/src/firejail/network_main.c 
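Review bot: In the `--netstats` branch taken when /proc/sys/kernel/grsecurity exists, `sbox_run(SBOX_ROOT | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--netstats")` execs firemon with real and effective uid 0. The child code visible in sbox.c does not touch the environment before `execvp`. Unless the environment is sanitised earlier in main() (not visible here), a program running as root inherits variables chosen by the unprivileged caller. Resetting it in the sbox_run child before the exec, `clearenv();` followed by a fixed `PATH`, would cover this branch and the SBOX_ROOT calls to fnet in network_main.c. run_cmd_and_exit starts and ends outside the hunk.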
@@ -25,49 +25,6 @@ #include #include -static void fnet_run(int num, ...) { - int i; - va_list valist; - va_start(valist, num); - - char *fnet; - if (asprintf(&fnet, "%s/firejail/fnet", LIBDIR) == -1) - errExit("asprintf"); - - char *arg[num + 2]; - arg[0] = fnet; - for (i = 0; i < num; i++) - arg[i + 1] = va_arg(valist, char*); - arg[i + 1] = NULL; - - pid_t child = fork(); - if (child < 0) - errExit("fork"); - if (child == 0) { - // elevate privileges in order to get grsecurity working - if (setreuid(0, 0)) - errExit("setreuid"); - if (setregid(0, 0)) - errExit("setregid"); - - execvp(arg[0], arg); - perror("execl"); - _exit(1); - } - - int status; - if (waitpid(child, &status, 0) == -1 ) { - errExit("waitpid"); - } - if (WIFEXITED(status) && status != 0) { - fprintf(stderr, "Error: cannot run fnet\n"); - exit(1); - } - - va_end(valist); - free(fnet); -} - // configure bridge structure // - extract ip address and mask from the bridge interface void net_configure_bridge(Bridge *br, char *dev_name) { @@ -175,7 +132,7 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child) { char *cstr; if (asprintf(&cstr, "%d", child) == -1) errExit("asprintf"); - fnet_run(6, "create", "veth", dev, ifname, br->dev, cstr); + sbox_run(SBOX_ROOT | SBOX_SECCOMP, 7, PATH_FNET, "create", "veth", dev, ifname, br->dev, cstr); free(cstr); char *msg; @@ -344,7 +301,7 @@ void network_main(pid_t child) { } else // net_create_macvlan(cfg.bridge0.devsandbox, cfg.bridge0.dev, child); - fnet_run(5, "create", "macvlan", cfg.bridge0.devsandbox, cfg.bridge0.dev, cstr); + sbox_run(SBOX_ROOT | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge0.devsandbox, cfg.bridge0.dev, cstr); } if (cfg.bridge1.configured) { 
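Review bot: The return value of `sbox_run(...)` is discarded in net_configure_veth_pair, and likewise in every macvlan and moveif call in the later hunks of this file. The removed fnet_run() terminated firejail with "Error: cannot run fnet" when the helper failed. Whether sbox_run does the same is not visible, since its tail is cut off on this page; if it only returns the status, the sandbox would continue with a network setup that differs from what was requested. Check it at each call site: `if (sbox_run(SBOX_ROOT | SBOX_SECCOMP, 7, PATH_FNET, "create", "veth", dev, ifname, br->dev, cstr)) {` followed by `fprintf(stderr, "Error: cannot run fnet\n"); exit(1); }`.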
@@ -352,7 +309,7 @@ void network_main(pid_t child) { net_configure_veth_pair(&cfg.bridge1, "eth1", child); else // net_create_macvlan(cfg.bridge1.devsandbox, cfg.bridge1.dev, child); - fnet_run(5, "create", "macvlan", cfg.bridge1.devsandbox, cfg.bridge1.dev, cstr); + sbox_run(SBOX_ROOT | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge1.devsandbox, cfg.bridge1.dev, cstr); } if (cfg.bridge2.configured) { @@ -360,7 +317,7 @@ void network_main(pid_t child) { net_configure_veth_pair(&cfg.bridge2, "eth2", child); else // net_create_macvlan(cfg.bridge2.devsandbox, cfg.bridge2.dev, child); - fnet_run(5, "create", "macvlan", cfg.bridge2.devsandbox, cfg.bridge2.dev, cstr); + sbox_run(SBOX_ROOT | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge2.devsandbox, cfg.bridge2.dev, cstr); } if (cfg.bridge3.configured) { 
@@ -368,25 +325,25 @@ void network_main(pid_t child) { net_configure_veth_pair(&cfg.bridge3, "eth3", child); else // net_create_macvlan(cfg.bridge3.devsandbox, cfg.bridge3.dev, child); - fnet_run(5, "create", "macvlan", cfg.bridge3.devsandbox, cfg.bridge3.dev, cstr); + sbox_run(SBOX_ROOT | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge3.devsandbox, cfg.bridge3.dev, cstr); } // move interfaces in sandbox if (cfg.interface0.configured) { // net_move_interface(cfg.interface0.dev, child); - fnet_run(3, "moveif", cfg.interface0.dev, cstr); + sbox_run(SBOX_ROOT | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface0.dev, cstr); } if (cfg.interface1.configured) { // net_move_interface(cfg.interface1.dev, child); - fnet_run(3, "moveif", cfg.interface1.dev, cstr); + sbox_run(SBOX_ROOT | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface1.dev, cstr); } if (cfg.interface2.configured) { // net_move_interface(cfg.interface2.dev, child); - fnet_run(3, "moveif", cfg.interface3.dev, cstr); + sbox_run(SBOX_ROOT | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface3.dev, cstr); } if (cfg.interface3.configured) { // net_move_interface(cfg.interface3.dev, child); - fnet_run(3, "moveif", cfg.interface3.dev, cstr); + sbox_run(SBOX_ROOT | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface3.dev, cstr); } free(cstr); diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c index 1ef5bf13d..6321c703a 100644 --- a/src/firejail/protocol.c +++ b/src/firejail/protocol.c @@ -47,7 +47,7 @@ #ifdef HAVE_SECCOMP #include "firejail.h" -#include "seccomp.h" +#include "../include/seccomp.h" #include #include diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c new file mode 100644 index 000000000..8c6ace27e --- /dev/null +++ b/src/firejail/sbox.c 
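Review bot: The `cfg.interface2.configured` branch passes `cfg.interface3.dev` to the moveif call, so the device configured as interface2 is never moved into the sandbox. Interface3's device is moved instead, or an unset name is passed when only interface2 is configured. The typo predates this commit, since the removed fnet_run line has it too, but the new line carries it over. It should read `sbox_run(SBOX_ROOT | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface2.dev, cstr);`. network_main() starts and ends outside the hunk.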
@@ -0,0 +1,177 @@ +/* + * Copyright (C) 2014-2016 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "firejail.h" +#include +#include +#include +#include +#include +#include "../include/seccomp.h" + +static struct sock_filter filter[] = { + VALIDATE_ARCHITECTURE, + EXAMINE_SYSCALL, + +#if defined(__x86_64__) +#define X32_SYSCALL_BIT 0x40000000 + // handle X32 ABI + BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), + BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), + RETURN_ERRNO(EPERM), +#endif + + // syscall list +#ifdef SYS_mount + BLACKLIST(SYS_mount), // mount/unmount filesystems +#endif +#ifdef SYS_umount2 + BLACKLIST(SYS_umount2), +#endif +#ifdef SYS_ptrace + BLACKLIST(SYS_ptrace), // trace processes +#endif +#ifdef SYS_kexec_file_load + BLACKLIST(SYS_kexec_file_load), +#endif +#ifdef SYS_kexec_load + BLACKLIST(SYS_kexec_load), // loading a different kernel +#endif +#ifdef SYS_name_to_handle_at + BLACKLIST(SYS_name_to_handle_at), +#endif +#ifdef SYS_open_by_handle_at + BLACKLIST(SYS_open_by_handle_at), // open by handle +#endif +#ifdef SYS_init_module + BLACKLIST(SYS_init_module), // kernel module handling +#endif +#ifdef SYS_finit_module // introduced in 2013 + BLACKLIST(SYS_finit_module), +#endif +#ifdef 
SYS_create_module + BLACKLIST(SYS_create_module), +#endif +#ifdef SYS_delete_module + BLACKLIST(SYS_delete_module), +#endif +#ifdef SYS_iopl + BLACKLIST(SYS_iopl), // io permissions +#endif +#ifdef SYS_ioperm + BLACKLIST(SYS_ioperm), +#endif +#ifdef SYS_iopl + BLACKLIST(SYS_iopl), // io permissions +#endif +#ifdef SYS_ioprio_set + BLACKLIST(SYS_ioprio_set), +#endif +#ifdef SYS_ni_syscall // new io permissions call on arm devices + BLACKLIST(SYS_ni_syscall), +#endif +#ifdef SYS_swapon + BLACKLIST(SYS_swapon), // swap on/off +#endif +#ifdef SYS_swapoff + BLACKLIST(SYS_swapoff), +#endif +#ifdef SYS_syslog + BLACKLIST(SYS_syslog), // kernel printk control +#endif + RETURN_ALLOW +}; + +static struct sock_fprog prog = { + .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])), + .filter = filter, +}; + +typedef struct sbox_config { + char *name; + char *path; + unsigned filters; +} SboxConfig; + + +int sbox_run(unsigned filter, int num, ...) { + EUID_ROOT(); + char *path = NULL; + int i; + va_list valist; + va_start(valist, num); + + // build argument list + char *arg[num + 1]; + for (i = 0; i < num; i++) + arg[i] = va_arg(valist, char*); + arg[i] = NULL; + va_end(valist); + +#if 0 +{ +int i; +for (i = 0; i <= num; i++) + printf("#%s# ", arg[i]); +printf("\n"); +} +#endif + pid_t child = fork(); + if (child < 0) + errExit("fork"); + if (child == 0) { + // apply filters + if (filter & SBOX_CAPS) + caps_drop_all(); + + if (filter & SBOX_SECCOMP) { + if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { + perror("prctl(NO_NEW_PRIVS)"); + } + if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) { + perror("prctl(PR_SET_SECCOMP)"); + } + } + + if (filter & SBOX_ROOT) { + // elevate privileges in order to get grsecurity working + if (setreuid(0, 0)) + errExit("setreuid"); + if (setregid(0, 0)) + errExit("setregid"); + } + else if (filter & SBOX_USER) + drop_privs(1); + + execvp(arg[0], arg); + perror("execl"); + _exit(1); + } + + int status; + if (waitpid(child, &status, 0) == 
-1 ) { + errExit("waitpid"); + } + if (WIFEXITED(status) && status != 0) { + fprintf(stderr, "Error: cannot run fnet\n"); + exit(1); + } + + return status; +} diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 549359d94..09862ec20 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c @@ -20,7 +20,7 @@ #ifdef HAVE_SECCOMP #include "firejail.h" -#include "seccomp.h" +#include "../include/seccomp.h" #define SECSIZE 128 // initial filter size static struct sock_filter *sfilter = NULL; diff --git a/src/firejail/seccomp.h b/src/firejail/seccomp.h deleted file mode 100644 index 7d646dd9e..000000000 --- a/src/firejail/seccomp.h +++ /dev/null 
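Review bot: In the child branch of sbox_run, a failing `prctl(PR_SET_NO_NEW_PRIVS, ...)` or `prctl(PR_SET_SECCOMP, ...)` is only reported with perror(), so the helper is still exec'ed (as root when SBOX_ROOT is set) without the filter the caller asked for. Both failures should stop the child, in the same way the setreuid/setregid checks below them do: `if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) errExit("prctl(PR_SET_SECCOMP)");` and likewise for NO_NEW_PRIVS. Two smaller items in the same file: `perror("execl")` names the wrong call (the code uses `execvp`), and `BLACKLIST(SYS_iopl)` is listed twice in the filter table.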
@@ -1,149 +0,0 @@ -/* - * Copyright (C) 2014-2016 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ - -/* default seccomp filter - // seccomp - struct sock_filter filter[] = { - VALIDATE_ARCHITECTURE, - EXAMINE_SYSCALL, - BLACKLIST(SYS_mount), // mount/unmount filesystems - BLACKLIST(SYS_umount2), - BLACKLIST(SYS_ptrace), // trace processes - BLACKLIST(SYS_kexec_load), // loading a different kernel - BLACKLIST(SYS_open_by_handle_at), // open by handle - BLACKLIST(SYS_init_module), // kernel module handling - BLACKLIST(SYS_finit_module), - BLACKLIST(SYS_delete_module), - BLACKLIST(SYS_iopl), // io permissions - BLACKLIST(SYS_ioperm), - BLACKLIST(SYS_iopl), // io permissions - BLACKLIST(SYS_ni_syscall), - BLACKLIST(SYS_swapon), // swap on/off - BLACKLIST(SYS_swapoff), - BLACKLIST(SYS_syslog), // kernel printk control - RETURN_ALLOW - }; - - struct sock_fprog prog = { - .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])), - .filter = filter, - }; - - - if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { - perror("prctl(NO_NEW_PRIVS)"); - return 1; - } - if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) { - perror("prctl"); - return 1; - } -*/ - -#ifndef SECCOMP_H -#define SECCOMP_H -#include -#include -#include -#include 
-#include -#include -#include - -#include -#ifndef PR_SET_NO_NEW_PRIVS -# define PR_SET_NO_NEW_PRIVS 38 -#endif - -#if HAVE_SECCOMP_H -#include -#else -#define SECCOMP_MODE_FILTER 2 -#define SECCOMP_RET_KILL 0x00000000U -#define SECCOMP_RET_TRAP 0x00030000U -#define SECCOMP_RET_ALLOW 0x7fff0000U -#define SECCOMP_RET_ERRNO 0x00050000U -#define SECCOMP_RET_DATA 0x0000ffffU -struct seccomp_data { - int nr; - __u32 arch; - __u64 instruction_pointer; - __u64 args[6]; -}; -#endif - -#if defined(__i386__) -# define ARCH_NR AUDIT_ARCH_I386 -#elif defined(__x86_64__) -# define ARCH_NR AUDIT_ARCH_X86_64 -#elif defined(__arm__) -# define ARCH_NR AUDIT_ARCH_ARM -#else -# warning "Platform does not support seccomp filter yet" -# define ARCH_NR 0 -#endif - -#define VALIDATE_ARCHITECTURE \ - BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ - BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \ - BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) - -#define VALIDATE_ARCHITECTURE_64 \ - BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ - BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_X86_64, 1, 0), \ - BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) - -#define VALIDATE_ARCHITECTURE_32 \ - BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ - BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_I386, 1, 0), \ - BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) - -#define EXAMINE_SYSCALL BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ - (offsetof(struct seccomp_data, nr))) - -#define EXAMINE_ARGUMENT(nr) BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ - (offsetof(struct seccomp_data, args[nr]))) - -#define ONLY(syscall_nr) \ - BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 1, 0), \ - BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) - -#define BLACKLIST(syscall_nr) \ - BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1), \ - BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL) - -#define WHITELIST(syscall_nr) \ - BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1), \ - BPF_STMT(BPF_RET+BPF_K, 
SECCOMP_RET_ALLOW) - -#define BLACKLIST_ERRNO(syscall_nr, nr) \ - BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1), \ - BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr) - -#define RETURN_ALLOW \ - BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) - -#define RETURN_ERRNO(nr) \ - BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr) - -#define KILL_PROCESS \ - BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL) - -#endif diff --git a/src/fnet/main.c b/src/fnet/main.c index ae780c2ea..88f71c4b3 100644 --- a/src/fnet/main.c +++ b/src/fnet/main.c @@ -31,9 +31,20 @@ static void usage(void) { } int main(int argc, char **argv) { +#if 0 +{ +system("cat /proc/self/status"); +int i; +for (i = 0; i < argc; i++) + printf("*%s* ", argv[i]); +printf("\n"); +} +#endif if (argc < 2) return 1; + + if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) { usage(); return 0; diff --git a/src/include/seccomp.h b/src/include/seccomp.h new file mode 100644 index 000000000..7d646dd9e --- /dev/null +++ b/src/include/seccomp.h 
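Review bot: The `#if 0` block added at the top of fnet's main() is disabled debugging code and would be better dropped than committed, together with the two stray blank lines after `return 1;`. fnet is started through `sbox_run(SBOX_ROOT | SBOX_SECCOMP, ...)`, so if the block were ever enabled, `system("cat /proc/self/status")` would go through a shell and a PATH lookup in a root helper. If the dump is still wanted, print the arguments directly and read `/proc/self/status` with fopen() behind a debug switch. main() continues outside this hunk.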
@@ -0,0 +1,149 @@ +/* + * Copyright (C) 2014-2016 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ + +/* default seccomp filter + // seccomp + struct sock_filter filter[] = { + VALIDATE_ARCHITECTURE, + EXAMINE_SYSCALL, + BLACKLIST(SYS_mount), // mount/unmount filesystems + BLACKLIST(SYS_umount2), + BLACKLIST(SYS_ptrace), // trace processes + BLACKLIST(SYS_kexec_load), // loading a different kernel + BLACKLIST(SYS_open_by_handle_at), // open by handle + BLACKLIST(SYS_init_module), // kernel module handling + BLACKLIST(SYS_finit_module), + BLACKLIST(SYS_delete_module), + BLACKLIST(SYS_iopl), // io permissions + BLACKLIST(SYS_ioperm), + BLACKLIST(SYS_iopl), // io permissions + BLACKLIST(SYS_ni_syscall), + BLACKLIST(SYS_swapon), // swap on/off + BLACKLIST(SYS_swapoff), + BLACKLIST(SYS_syslog), // kernel printk control + RETURN_ALLOW + }; + + struct sock_fprog prog = { + .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])), + .filter = filter, + }; + + + if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { + perror("prctl(NO_NEW_PRIVS)"); + return 1; + } + if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) { + perror("prctl"); + return 1; + } +*/ + +#ifndef SECCOMP_H +#define SECCOMP_H +#include +#include +#include +#include 
+#include +#include +#include + +#include +#ifndef PR_SET_NO_NEW_PRIVS +# define PR_SET_NO_NEW_PRIVS 38 +#endif + +#if HAVE_SECCOMP_H +#include +#else +#define SECCOMP_MODE_FILTER 2 +#define SECCOMP_RET_KILL 0x00000000U +#define SECCOMP_RET_TRAP 0x00030000U +#define SECCOMP_RET_ALLOW 0x7fff0000U +#define SECCOMP_RET_ERRNO 0x00050000U +#define SECCOMP_RET_DATA 0x0000ffffU +struct seccomp_data { + int nr; + __u32 arch; + __u64 instruction_pointer; + __u64 args[6]; +}; +#endif + +#if defined(__i386__) +# define ARCH_NR AUDIT_ARCH_I386 +#elif defined(__x86_64__) +# define ARCH_NR AUDIT_ARCH_X86_64 +#elif defined(__arm__) +# define ARCH_NR AUDIT_ARCH_ARM +#else +# warning "Platform does not support seccomp filter yet" +# define ARCH_NR 0 +#endif + +#define VALIDATE_ARCHITECTURE \ + BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \ + BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) + +#define VALIDATE_ARCHITECTURE_64 \ + BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_X86_64, 1, 0), \ + BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) + +#define VALIDATE_ARCHITECTURE_32 \ + BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_I386, 1, 0), \ + BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) + +#define EXAMINE_SYSCALL BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ + (offsetof(struct seccomp_data, nr))) + +#define EXAMINE_ARGUMENT(nr) BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ + (offsetof(struct seccomp_data, args[nr]))) + +#define ONLY(syscall_nr) \ + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 1, 0), \ + BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) + +#define BLACKLIST(syscall_nr) \ + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1), \ + BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL) + +#define WHITELIST(syscall_nr) \ + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1), \ + BPF_STMT(BPF_RET+BPF_K, 
SECCOMP_RET_ALLOW) + +#define BLACKLIST_ERRNO(syscall_nr, nr) \ + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1), \ + BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr) + +#define RETURN_ALLOW \ + BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) + +#define RETURN_ERRNO(nr) \ + BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr) + +#define KILL_PROCESS \ + BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL) + +#endif -- cgit v1.2.3-70-g09d2 From 5e5686588744eb93db9e8e33e7737adabae54945 Mon Sep 17 00:00:00 2001 From: "Vadim A. Misbakh-Soloviov" Date: Fri, 28 Oct 2016 15:55:02 +0700 Subject: Adding XDG-compat fontconfig's fonts path --- etc/whitelist-common.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc index fd44c2528..e533fe596 100644 --- a/etc/whitelist-common.inc +++ b/etc/whitelist-common.inc @@ -14,6 +14,7 @@ whitelist ~/.fonts.d whitelist ~/.fontconfig whitelist ~/.fonts.conf whitelist ~/.fonts.conf.d +whitelist ~/.local/share/fonts whitelist ~/.config/fontconfig whitelist ~/.cache/fontconfig -- cgit v1.2.3-70-g09d2 From ceb85ea65b71ab202d20ecb8cc9034f0746ca7b8 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 28 Oct 2016 17:34:16 -0400 Subject: moving --profile to sbox --- Makefile.in | 4 +- configure | 3 +- configure.ac | 3 +- src/firejail/Makefile.in | 2 +- src/firejail/errno.c | 11 - src/firejail/firejail.h | 7 +- src/firejail/join.c | 2 +- src/firejail/main.c | 22 +- src/firejail/profile.c | 14 +- src/firejail/protocol.c | 247 +-- src/firejail/sandbox.c | 20 +- src/firejail/sbox.c | 6 +- src/firejail/syscall.c | 13 +- src/firejail/syscall.h | 5114 ---------------------------------------------- src/include/syscall.h | 5113 +++++++++++++++++++++++++++++++++++++++++++++ 15 files changed, 5201 insertions(+), 5380 deletions(-) delete mode 100644 src/firejail/syscall.h create mode 100644 src/include/syscall.h diff --git a/Makefile.in b/Makefile.in index 0ae8fc903..86acc206c 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -1,6 +1,6 @@ all: apps man MYLIBS = src/lib -APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/libconnect src/fnet +APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/libconnect src/fnet src/fseccomp MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 prefix=@prefix@ @@ -77,6 +77,7 @@ realinstall: install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/faudit/faudit $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/. + install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/. # documents install -m 0755 -d $(DESTDIR)/$(DOCDIR) install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/. @@ -126,6 +127,7 @@ install-strip: all strip src/ftee/ftee strip src/faudit/faudit strip src/fnet/fnet + strip src/fseccomp/fseccomp $(MAKE) realinstall uninstall: diff --git a/configure b/configure index 58d236815..a89fddbef 100755 --- a/configure +++ b/configure @@ -3759,7 +3759,7 @@ if test "$prefix" = /usr; then sysconfdir="/etc" fi -ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile" +ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile src/fseccomp/Makefile" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure 
@@ -4479,6 +4479,7 @@ do "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;; "src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;; "src/libconnect/Makefile") CONFIG_FILES="$CONFIG_FILES src/libconnect/Makefile" ;; + "src/fseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/fseccomp/Makefile" ;; *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; esac diff --git a/configure.ac b/configure.ac index c7125e9c5..9e7680d7d 100644 --- a/configure.ac +++ b/configure.ac @@ -148,7 +148,8 @@ if test "$prefix" = /usr; then sysconfdir="/etc" fi -AC_OUTPUT(Makefile src/lib/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile) +AC_OUTPUT(Makefile src/lib/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile \ +src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile src/fseccomp/Makefile) echo echo "Configuration options:" diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in index c4c168236..c99b6c30c 100644 --- a/src/firejail/Makefile.in +++ b/src/firejail/Makefile.in 
@@ -30,7 +30,7 @@ BINOBJS = $(foreach file, $(OBJS), $file) CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread -%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h +%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o diff --git a/src/firejail/errno.c b/src/firejail/errno.c index c493dfa09..03f10bb14 100644 --- a/src/firejail/errno.c +++ b/src/firejail/errno.c @@ -206,15 +206,4 @@ char *errno_find_nr(int nr) { return "unknown"; } -void errno_print(void) { - EUID_ASSERT(); - - int i; - int elems = sizeof(errnolist) / sizeof(errnolist[0]); - for (i = 0; i < elems; i++) { - printf("%d\t- %s\n", errnolist[i].nr, errnolist[i].name); - } - printf("\n"); -} - #endif // HAVE_SECCOMP diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 367f599ec..749656f8b 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -39,6 +39,7 @@ #define RUN_RO_FILE "/run/firejail/firejail.ro.file" #define RUN_MNT_DIR "/run/firejail/mnt" // a tmpfs is mounted on this directory before any of the files below are created #define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" +#define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" #define RUN_CGROUP_CFG "/run/firejail/mnt/cgroup" #define RUN_CPU_CFG "/run/firejail/mnt/cpu" #define RUN_GROUPS_CFG "/run/firejail/mnt/groups" 
@@ -514,8 +515,6 @@ void caps_print_filter_name(const char *name); const char *syscall_find_nr(int nr); // return -1 if error, 0 if no error int syscall_check_list(const char *slist, void (*callback)(int syscall, int arg), int arg); -// print all available syscallsseccomp -void syscall_print(void); // fs_trace.c void fs_trace_preload(void); @@ -598,7 +597,7 @@ void protocol_list(); void protocol_print_filter_name(const char *name); void protocol_print_filter(pid_t pid); void protocol_store(const char *prlist); -void protocol_filter(void); +void protocol_filter(const char *fname); void protocol_filter_save(void); void protocol_filter_load(const char *fname); @@ -686,11 +685,13 @@ void build_cmdline(char **command_line, char **window_title, int argc, char **ar // programs #define PATH_FNET (LIBDIR "/firejail/fnet") #define PATH_FIREMON (PREFIX "/bin/firemon") +#define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp") // bitmapped filters for sbox_run #define SBOX_ROOT 1 #define SBOX_USER 2 #define SBOX_CAPS 4 #define SBOX_SECCOMP 8 +// run sbox int sbox_run(unsigned filter, int num, ...); diff --git a/src/firejail/join.c b/src/firejail/join.c index ea44019ca..9b5fba24d 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c @@ -296,7 +296,7 @@ void join(pid_t pid, int argc, char **argv, int index) { if (getuid() != 0) protocol_filter_load(RUN_PROTOCOL_CFG); if (cfg.protocol) { // not available for uid 0 - protocol_filter(); + protocol_filter(RUN_SECCOMP_PROTOCOL); } // set seccomp filter diff --git a/src/firejail/main.c b/src/firejail/main.c index 15d42a4e0..e210ceb31 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c 
@@ -404,8 +404,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { #ifdef HAVE_SECCOMP else if (strcmp(argv[i], "--debug-syscalls") == 0) { if (checkcfg(CFG_SECCOMP)) { - syscall_print(); - exit(0); + int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-syscalls"); + exit(rv); } else { fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); @@ -414,7 +414,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { } else if (strcmp(argv[i], "--debug-errnos") == 0) { if (checkcfg(CFG_SECCOMP)) { - errno_print(); + int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-errnos"); + exit(rv); } else { fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); @@ -438,8 +439,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { exit(0); } else if (strcmp(argv[i], "--debug-protocols") == 0) { - protocol_list(); - exit(0); + int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-protocols"); + exit(rv); } else if (strncmp(argv[i], "--protocol.print=", 17) == 0) { if (checkcfg(CFG_SECCOMP)) { @@ -1117,7 +1118,16 @@ int main(int argc, char **argv) { #ifdef HAVE_SECCOMP else if (strncmp(argv[i], "--protocol=", 11) == 0) { if (checkcfg(CFG_SECCOMP)) { - protocol_store(argv[i] + 11); + if (cfg.protocol) { + if (!arg_quiet) + fprintf(stderr, "Warning: a protocol list is present, the new list \"%s\" will not be installed\n", argv[i] + 11); + } + else { + // store list + cfg.protocol = strdup(argv[i] + 11); + if (!cfg.protocol) + errExit("strdup"); + } } else { fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); diff --git a/src/firejail/profile.c b/src/firejail/profile.c index e5c35a89d..f7d5e87e6 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c 
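Review bot: The `--protocol=` branch now copies `argv[i] + 11` into `cfg.protocol` without the per-token check that the removed protocol_store() performed, and the `protocol ` branch of profile_check_line in profile.c gets the same inlined block. Validation presumably moves into the fseccomp helper, which is not visible here, so a misspelled or empty list is only rejected once sandbox() runs the helper instead of at option parsing. A single shared helper for both call sites would remove the duplicated warning/strdup code and give one place to reject an empty list early, e.g. `if (*(argv[i] + 11) == '\0') { fprintf(stderr, "Error: invalid protocol list\n"); exit(1); }`. The enclosing functions extend beyond these hunks.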
@@ -497,8 +497,18 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { if (strncmp(ptr, "protocol ", 9) == 0) { #ifdef HAVE_SECCOMP - if (checkcfg(CFG_SECCOMP)) - protocol_store(ptr + 9); + if (checkcfg(CFG_SECCOMP)) { + if (cfg.protocol) { + if (!arg_quiet) + fprintf(stderr, "Warning: a protocol list is present, the new list \"%s\" will not be installed\n", ptr + 9); + return 0; + } + + // store list + cfg.protocol = strdup(ptr + 9); + if (!cfg.protocol) + errExit("strdup"); + } else fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n"); #endif diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c index 6321c703a..43f30e30a 100644 --- a/src/firejail/protocol.c +++ b/src/firejail/protocol.c 
@@ -18,241 +18,44 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ -/* - struct sock_filter filter[] = { - VALIDATE_ARCHITECTURE, - EXAMINE_SYSCALL, - ONLY(SYS_socket), - EXAMINE_ARGUMENT(0), // allow only AF_INET and AF_INET6, drop everything else - WHITELIST(AF_INET), - WHITELIST(AF_INET6), - WHITELIST(AF_PACKET), - RETURN_ERRNO(ENOTSUP) - }; - struct sock_fprog prog = { - .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])), - .filter = filter, - }; - - - if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { - perror("prctl(NO_NEW_PRIVS)"); - return 1; - } - if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) { - perror("prctl"); - return 1; - } -*/ - #ifdef HAVE_SECCOMP #include "firejail.h" #include "../include/seccomp.h" -#include -#include - -static char *protocol[] = { - "unix", - "inet", - "inet6", - "netlink", - "packet", - NULL -}; - -static struct sock_filter protocol_filter_command[] = { - WHITELIST(AF_UNIX), - WHITELIST(AF_INET), - WHITELIST(AF_INET6), - WHITELIST(AF_NETLINK), - WHITELIST(AF_PACKET) -}; -// Note: protocol[] and protocol_filter_command are synchronized - -// command length -struct sock_filter whitelist[] = { - WHITELIST(AF_UNIX) -}; -unsigned whitelist_len = sizeof(whitelist) / sizeof(struct sock_filter); - - -static int is_protocol(const char *p) { - int i = 0; - while (protocol[i] != NULL) { - if (strcmp(protocol[i], p) == 0) - return 1; - i++; - } - - return 0; -} - -static struct sock_filter *find_protocol_domain(const char *p) { - int i = 0; - while (protocol[i] != NULL) { - if (strcmp(protocol[i], p) == 0) - return &protocol_filter_command[i * whitelist_len]; - i++; - } - - return NULL; -} - -// --debug-protocols -void protocol_list(void) { - EUID_ASSERT(); - +// install protocol filter +void protocol_filter(const char *fname) { #ifndef SYS_socket - fprintf(stderr, "Warning: --protocol not supported on this platform\n"); + if (arg_debug) + printf("No support for --protocol on this platform\n"); return; 
-#endif - - int i = 0; - while (protocol[i] != NULL) { - printf("%s, ", protocol[i]); - i++; - } - printf("\n"); -} - +#else + assert(fname); -// check protocol list and store it in cfg structure -void protocol_store(const char *prlist) { - EUID_ASSERT(); - assert(prlist); - - if (cfg.protocol && !arg_quiet) { - fprintf(stderr, "Warning: a protocol list is present, the new list \"%s\" will not be installed\n", prlist); - return; + // check file + struct stat s; + if (stat(fname, &s) == -1) { + fprintf(stderr, "Error: cannot read protocol filter file\n"); + exit(1); } - - // temporary list - char *tmplist = strdup(prlist); - if (!tmplist) - errExit("strdup"); - - // check list - char *token = strtok(tmplist, ","); - if (!token) - goto errout; - - while (token) { - if (!is_protocol(token)) - goto errout; - token = strtok(NULL, ","); - } - free(tmplist); - - // store list - cfg.protocol = strdup(prlist); - if (!cfg.protocol) - errExit("strdup"); - return; - -errout: - fprintf(stderr, "Error: invalid protocol list\n"); - exit(1); -} + int size = s.st_size; -// install protocol filter -void protocol_filter(void) { - assert(cfg.protocol); - if (arg_debug) - printf("Set protocol filter: %s\n", cfg.protocol); - -#ifndef SYS_socket - (void) find_protocol_domain; - fprintf(stderr, "Warning: --protocol not supported on this platform\n"); - return; -#else - // build the filter + // read filter struct sock_filter filter[32]; // big enough memset(&filter[0], 0, sizeof(filter)); - uint8_t *ptr = (uint8_t *) &filter[0]; - - // header - struct sock_filter filter_start[] = { - VALIDATE_ARCHITECTURE, - EXAMINE_SYSCALL, - ONLY(SYS_socket), - EXAMINE_ARGUMENT(0) - }; - memcpy(ptr, &filter_start[0], sizeof(filter_start)); - ptr += sizeof(filter_start); - -#if 0 -printf("entries %u\n", (unsigned) (sizeof(filter_start) / sizeof(struct sock_filter))); -{ - unsigned j; - unsigned char *ptr2 = (unsigned char *) &filter[0]; - for (j = 0; j < sizeof(filter); j++, ptr2++) { - if ((j % 
(sizeof(struct sock_filter))) == 0) - printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter)))); - printf("%02x, ", (*ptr2) & 0xff); - } - printf("\n"); -} -printf("whitelist_len %u, struct sock_filter len %u\n", whitelist_len, (unsigned) sizeof(struct sock_filter)); -#endif - - - // parse list and add commands - char *tmplist = strdup(cfg.protocol); - if (!tmplist) - errExit("strdup"); - char *token = strtok(tmplist, ","); - if (!token) - errExit("strtok"); - - while (token) { - struct sock_filter *domain = find_protocol_domain(token); - assert(domain); - memcpy(ptr, domain, whitelist_len * sizeof(struct sock_filter)); - ptr += whitelist_len * sizeof(struct sock_filter); - token = strtok(NULL, ","); - -#if 0 -printf("entries %u\n", (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (unsigned) sizeof(struct sock_filter)); -{ - unsigned j; - unsigned char *ptr2 = (unsigned char *) &filter[0]; - for (j = 0; j < sizeof(filter); j++, ptr2++) { - if ((j % (sizeof(struct sock_filter))) == 0) - printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter)))); - printf("%02x, ", (*ptr2) & 0xff); - } - printf("\n"); -} -#endif - - - } - free(tmplist); - - // add end of filter - struct sock_filter filter_end[] = { - RETURN_ERRNO(ENOTSUP) - }; - memcpy(ptr, &filter_end[0], sizeof(filter_end)); - ptr += sizeof(filter_end); - -#if 0 -printf("entries %u\n", (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (unsigned) sizeof(struct sock_filter)); -{ - unsigned j; - unsigned char *ptr2 = (unsigned char *) &filter[0]; - for (j = 0; j < sizeof(filter); j++, ptr2++) { - if ((j % (sizeof(struct sock_filter))) == 0) - printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter)))); - printf("%02x, ", (*ptr2) & 0xff); + int src = open(fname, O_RDONLY); + int rd = 0; + while (rd < size) { + int rv = read(src, (unsigned char *) filter + rd, size - rd); + if (rv == -1) { + fprintf(stderr, "Error: cannot read %s file\n", fname); + exit(1); + } + rd += rv; } - 
printf("\n"); -} -#endif + close(src); // install filter - unsigned short entries = (unsigned short) ((uintptr_t) ptr - (uintptr_t) (filter)) / (unsigned) sizeof(struct sock_filter); + unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter); struct sock_fprog prog = { .len = entries, .filter = filter, @@ -262,7 +65,7 @@ printf("entries %u\n", (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (uns fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n"); return; } -#endif // SYS_socket +#endif } void protocol_filter_save(void) { diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index f5cca7494..7a63461ef 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -819,8 +819,24 @@ int sandbox(void* sandbox_arg) { #ifdef HAVE_SECCOMP // install protocol filter if (cfg.protocol) { - protocol_filter(); // install filter - protocol_filter_save(); // save filter in PROTOCOL_CFG + if (arg_debug) + printf("Set protocol filter: %s\n", cfg.protocol); + // as root, create RUN_SECCOMP_PROTOCOL file + // this is where fseccomp program will store the protocol filter + int dst = open(RUN_SECCOMP_PROTOCOL, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); + if (dst == -1) + errExit("open"); + close(dst); + if (chown(RUN_SECCOMP_PROTOCOL, getuid(), getgid()) == -1) + errExit("chown"); + + // build the seccomp filter as a regular user + int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 5, + PATH_FSECCOMP, "protocol", "build", cfg.protocol, RUN_SECCOMP_PROTOCOL); + if (rv) + exit(rv); + protocol_filter(RUN_SECCOMP_PROTOCOL); // install filter + protocol_filter_save(); // save filter in RUN_PROTOCOL_CFG } // if a keep list is available, disregard the drop list diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index 8c6ace27e..d3ef2578c 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c 
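Review bot: protocol_filter() reads `s.st_size` bytes into the fixed `struct sock_filter filter[32]` without comparing the two, so a file larger than the array is written past its end on the stack. The sandbox.c hunk of this commit hands RUN_SECCOMP_PROTOCOL to the calling user with chown(), so the file size is not under firejail's control. The size should be accepted only when it is non-zero, a multiple of `sizeof(struct sock_filter)` and no larger than `sizeof(filter)`. The same code uses the result of `open()` unchecked, and the read loop never ends if `read()` returns 0 before `size` bytes have arrived. join.c calls the function with the same path, and the prctl tail of the function is only partly shown in this hunk.

```c
// … unchanged: stat(fname, &s) and its error path …
	struct sock_filter filter[32];	// big enough
	if (s.st_size <= 0 || (size_t) s.st_size > sizeof(filter) ||
	    (size_t) s.st_size % sizeof(struct sock_filter) != 0) {
		fprintf(stderr, "Error: invalid protocol filter file %s\n", fname);
		exit(1);
	}
	size_t size = (size_t) s.st_size;
	memset(&filter[0], 0, sizeof(filter));

	int src = open(fname, O_RDONLY);
	if (src == -1) {
		fprintf(stderr, "Error: cannot open %s file\n", fname);
		exit(1);
	}
	size_t rd = 0;
	while (rd < size) {
		ssize_t rv = read(src, (unsigned char *) filter + rd, size - rd);
		if (rv <= 0) {	// read error, or file shorter than stat() reported
			fprintf(stderr, "Error: cannot read %s file\n", fname);
			exit(1);
		}
		rd += (size_t) rv;
	}
	close(src);

	// install filter
	unsigned short entries = (unsigned short) (size / sizeof(struct sock_filter));
// … unchanged: struct sock_fprog prog and the prctl calls …
```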
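Review bot: In the sandbox.c hunk the placeholder file is created as root, closed, and only then handed over with a path-based `chown(RUN_SECCOMP_PROTOCOL, ...)`, so the ownership change applies to whatever the path names at that moment rather than to the file that was just opened. Changing the owner through the descriptor before closing it avoids that gap: `if (fchown(dst, getuid(), getgid()) == -1) errExit("fchown");` followed by `close(dst);`, with `O_NOFOLLOW` added to the open flags. The comment in firejail.h says a tmpfs is mounted on RUN_MNT_DIR before these files are created, which limits who can interfere, but the descriptor-based call costs nothing. sandbox() starts and ends outside this hunk.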
@@ -124,14 +124,14 @@ int sbox_run(unsigned filter, int num, ...) { arg[i] = NULL; va_end(valist); -#if 0 +//#if 0 { int i; for (i = 0; i <= num; i++) printf("#%s# ", arg[i]); printf("\n"); } -#endif +//#endif pid_t child = fork(); if (child < 0) errExit("fork"); @@ -169,7 +169,7 @@ printf("\n"); errExit("waitpid"); } if (WIFEXITED(status) && status != 0) { - fprintf(stderr, "Error: cannot run fnet\n"); + fprintf(stderr, "Error: failed to run %s\n", arg[0]); exit(1); } diff --git a/src/firejail/syscall.c b/src/firejail/syscall.c index 985cc8bb8..f405f23c8 100644 --- a/src/firejail/syscall.c +++ b/src/firejail/syscall.c @@ -31,7 +31,7 @@ static SyscallEntry syslist[] = { // // code generated using tools/extract-syscall // -#include "syscall.h" +#include "../include/syscall.h" // // end of generated code // @@ -102,15 +102,4 @@ int syscall_check_list(const char *slist, void (*callback)(int syscall, int arg) return 0; } -void syscall_print(void) { - EUID_ASSERT(); - - int i; - int elems = sizeof(syslist) / sizeof(syslist[0]); - for (i = 0; i < elems; i++) { - printf("%d\t- %s\n", syslist[i].nr, syslist[i].name); - } - printf("\n"); -} - #endif // HAVE_SECCOMP diff --git a/src/firejail/syscall.h b/src/firejail/syscall.h deleted file mode 100644 index 68d4b5736..000000000 --- a/src/firejail/syscall.h +++ /dev/null 
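Review bot: Commenting out `#if 0` / `#endif` in the first sbox.c hunk makes the argument dump in `sbox_run()` print on every call, and its bound `i <= num` reaches what appears to be the slot the preceding `arg[i] = NULL;` terminates, so `printf("#%s# ", arg[i])` is handed a null pointer for `%s`. If the trace is meant to stay, wrap the block in `if (arg_debug)` as the sandbox.c hunk of this commit does for its own message (assuming `arg_debug` is visible in sbox.c) and change the bound to `i < num`. Otherwise restore the `#if 0`. The body of `sbox_run()` continues outside the hunk.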
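Review bot: In the second sbox.c hunk the branch that prints the new `failed to run %s` message is `if (WIFEXITED(status) && status != 0)`, which fires only for a normal exit, so a helper terminated by a signal is not reported here. This commit starts using `sbox_run()` to build the seccomp protocol filter, where a helper that dies part-way should count as a failure; `if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {` would cover both cases and reads more directly than comparing the raw status. What `sbox_run()` returns after this block is outside the hunk, so the `if (rv) exit(rv);` check added in sandbox.c should be confirmed against it.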
@@ -1,5114 +0,0 @@ -/* - * Copyright (C) 2014-2016 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ - -// content extracted from /bits/syscall.h file form glibc 2.22 -// using ../tools/extract_syscall tool - -#if !defined __x86_64__ -#ifdef SYS__llseek -#ifdef __NR__llseek - {"_llseek", __NR__llseek}, -#endif -#endif -#ifdef SYS__newselect -#ifdef __NR__newselect - {"_newselect", __NR__newselect}, -#endif -#endif -#ifdef SYS__sysctl -#ifdef __NR__sysctl - {"_sysctl", __NR__sysctl}, -#endif -#endif -#ifdef SYS_accept4 -#ifdef __NR_accept4 - {"accept4", __NR_accept4}, -#endif -#endif -#ifdef SYS_access -#ifdef __NR_access - {"access", __NR_access}, -#endif -#endif -#ifdef SYS_acct -#ifdef __NR_acct - {"acct", __NR_acct}, -#endif -#endif -#ifdef SYS_add_key -#ifdef __NR_add_key - {"add_key", __NR_add_key}, -#endif -#endif -#ifdef SYS_adjtimex -#ifdef __NR_adjtimex - {"adjtimex", __NR_adjtimex}, -#endif -#endif -#ifdef SYS_afs_syscall -#ifdef __NR_afs_syscall - {"afs_syscall", __NR_afs_syscall}, -#endif -#endif -#ifdef SYS_alarm -#ifdef __NR_alarm - {"alarm", __NR_alarm}, -#endif -#endif -#ifdef SYS_bdflush -#ifdef __NR_bdflush - {"bdflush", __NR_bdflush}, -#endif -#endif -#ifdef SYS_bind -#ifdef __NR_bind - {"bind", __NR_bind}, 
-#endif -#endif -#ifdef SYS_bpf -#ifdef __NR_bpf - {"bpf", __NR_bpf}, -#endif -#endif -#ifdef SYS_break -#ifdef __NR_break - {"break", __NR_break}, -#endif -#endif -#ifdef SYS_brk -#ifdef __NR_brk - {"brk", __NR_brk}, -#endif -#endif -#ifdef SYS_capget -#ifdef __NR_capget - {"capget", __NR_capget}, -#endif -#endif -#ifdef SYS_capset -#ifdef __NR_capset - {"capset", __NR_capset}, -#endif -#endif -#ifdef SYS_chdir -#ifdef __NR_chdir - {"chdir", __NR_chdir}, -#endif -#endif -#ifdef SYS_chmod -#ifdef __NR_chmod - {"chmod", __NR_chmod}, -#endif -#endif -#ifdef SYS_chown -#ifdef __NR_chown - {"chown", __NR_chown}, -#endif -#endif -#ifdef SYS_chown32 -#ifdef __NR_chown32 - {"chown32", __NR_chown32}, -#endif -#endif -#ifdef SYS_chroot -#ifdef __NR_chroot - {"chroot", __NR_chroot}, -#endif -#endif -#ifdef SYS_clock_adjtime -#ifdef __NR_clock_adjtime - {"clock_adjtime", __NR_clock_adjtime}, -#endif -#endif -#ifdef SYS_clock_getres -#ifdef __NR_clock_getres - {"clock_getres", __NR_clock_getres}, -#endif -#endif -#ifdef SYS_clock_gettime -#ifdef __NR_clock_gettime - {"clock_gettime", __NR_clock_gettime}, -#endif -#endif -#ifdef SYS_clock_nanosleep -#ifdef __NR_clock_nanosleep - {"clock_nanosleep", __NR_clock_nanosleep}, -#endif -#endif -#ifdef SYS_clock_settime -#ifdef __NR_clock_settime - {"clock_settime", __NR_clock_settime}, -#endif -#endif -#ifdef SYS_clone -#ifdef __NR_clone - {"clone", __NR_clone}, -#endif -#endif -#ifdef SYS_close -#ifdef __NR_close - {"close", __NR_close}, -#endif -#endif -#ifdef SYS_connect -#ifdef __NR_connect - {"connect", __NR_connect}, -#endif -#endif -#ifdef SYS_copy_file_range -#ifdef __NR_copy_file_range - {"copy_file_range", __NR_copy_file_range}, -#endif -#endif -#ifdef SYS_creat -#ifdef __NR_creat - {"creat", __NR_creat}, -#endif -#endif -#ifdef SYS_create_module -#ifdef __NR_create_module - {"create_module", __NR_create_module}, -#endif -#endif -#ifdef SYS_delete_module -#ifdef __NR_delete_module - {"delete_module", __NR_delete_module}, 
-#endif -#endif -#ifdef SYS_dup -#ifdef __NR_dup - {"dup", __NR_dup}, -#endif -#endif -#ifdef SYS_dup2 -#ifdef __NR_dup2 - {"dup2", __NR_dup2}, -#endif -#endif -#ifdef SYS_dup3 -#ifdef __NR_dup3 - {"dup3", __NR_dup3}, -#endif -#endif -#ifdef SYS_epoll_create -#ifdef __NR_epoll_create - {"epoll_create", __NR_epoll_create}, -#endif -#endif -#ifdef SYS_epoll_create1 -#ifdef __NR_epoll_create1 - {"epoll_create1", __NR_epoll_create1}, -#endif -#endif -#ifdef SYS_epoll_ctl -#ifdef __NR_epoll_ctl - {"epoll_ctl", __NR_epoll_ctl}, -#endif -#endif -#ifdef SYS_epoll_pwait -#ifdef __NR_epoll_pwait - {"epoll_pwait", __NR_epoll_pwait}, -#endif -#endif -#ifdef SYS_epoll_wait -#ifdef __NR_epoll_wait - {"epoll_wait", __NR_epoll_wait}, -#endif -#endif -#ifdef SYS_eventfd -#ifdef __NR_eventfd - {"eventfd", __NR_eventfd}, -#endif -#endif -#ifdef SYS_eventfd2 -#ifdef __NR_eventfd2 - {"eventfd2", __NR_eventfd2}, -#endif -#endif -#ifdef SYS_execve -#ifdef __NR_execve - {"execve", __NR_execve}, -#endif -#endif -#ifdef SYS_execveat -#ifdef __NR_execveat - {"execveat", __NR_execveat}, -#endif -#endif -#ifdef SYS_exit -#ifdef __NR_exit - {"exit", __NR_exit}, -#endif -#endif -#ifdef SYS_exit_group -#ifdef __NR_exit_group - {"exit_group", __NR_exit_group}, -#endif -#endif -#ifdef SYS_faccessat -#ifdef __NR_faccessat - {"faccessat", __NR_faccessat}, -#endif -#endif -#ifdef SYS_fadvise64 -#ifdef __NR_fadvise64 - {"fadvise64", __NR_fadvise64}, -#endif -#endif -#ifdef SYS_fadvise64_64 -#ifdef __NR_fadvise64_64 - {"fadvise64_64", __NR_fadvise64_64}, -#endif -#endif -#ifdef SYS_fallocate -#ifdef __NR_fallocate - {"fallocate", __NR_fallocate}, -#endif -#endif -#ifdef SYS_fanotify_init -#ifdef __NR_fanotify_init - {"fanotify_init", __NR_fanotify_init}, -#endif -#endif -#ifdef SYS_fanotify_mark -#ifdef __NR_fanotify_mark - {"fanotify_mark", __NR_fanotify_mark}, -#endif -#endif -#ifdef SYS_fchdir -#ifdef __NR_fchdir - {"fchdir", __NR_fchdir}, -#endif -#endif -#ifdef SYS_fchmod -#ifdef __NR_fchmod - 
{"fchmod", __NR_fchmod}, -#endif -#endif -#ifdef SYS_fchmodat -#ifdef __NR_fchmodat - {"fchmodat", __NR_fchmodat}, -#endif -#endif -#ifdef SYS_fchown -#ifdef __NR_fchown - {"fchown", __NR_fchown}, -#endif -#endif -#ifdef SYS_fchown32 -#ifdef __NR_fchown32 - {"fchown32", __NR_fchown32}, -#endif -#endif -#ifdef SYS_fchownat -#ifdef __NR_fchownat - {"fchownat", __NR_fchownat}, -#endif -#endif -#ifdef SYS_fcntl -#ifdef __NR_fcntl - {"fcntl", __NR_fcntl}, -#endif -#endif -#ifdef SYS_fcntl64 -#ifdef __NR_fcntl64 - {"fcntl64", __NR_fcntl64}, -#endif -#endif -#ifdef SYS_fdatasync -#ifdef __NR_fdatasync - {"fdatasync", __NR_fdatasync}, -#endif -#endif -#ifdef SYS_fgetxattr -#ifdef __NR_fgetxattr - {"fgetxattr", __NR_fgetxattr}, -#endif -#endif -#ifdef SYS_finit_module -#ifdef __NR_finit_module - {"finit_module", __NR_finit_module}, -#endif -#endif -#ifdef SYS_flistxattr -#ifdef __NR_flistxattr - {"flistxattr", __NR_flistxattr}, -#endif -#endif -#ifdef SYS_flock -#ifdef __NR_flock - {"flock", __NR_flock}, -#endif -#endif -#ifdef SYS_fork -#ifdef __NR_fork - {"fork", __NR_fork}, -#endif -#endif -#ifdef SYS_fremovexattr -#ifdef __NR_fremovexattr - {"fremovexattr", __NR_fremovexattr}, -#endif -#endif -#ifdef SYS_fsetxattr -#ifdef __NR_fsetxattr - {"fsetxattr", __NR_fsetxattr}, -#endif -#endif -#ifdef SYS_fstat -#ifdef __NR_fstat - {"fstat", __NR_fstat}, -#endif -#endif -#ifdef SYS_fstat64 -#ifdef __NR_fstat64 - {"fstat64", __NR_fstat64}, -#endif -#endif -#ifdef SYS_fstatat64 -#ifdef __NR_fstatat64 - {"fstatat64", __NR_fstatat64}, -#endif -#endif -#ifdef SYS_fstatfs -#ifdef __NR_fstatfs - {"fstatfs", __NR_fstatfs}, -#endif -#endif -#ifdef SYS_fstatfs64 -#ifdef __NR_fstatfs64 - {"fstatfs64", __NR_fstatfs64}, -#endif -#endif -#ifdef SYS_fsync -#ifdef __NR_fsync - {"fsync", __NR_fsync}, -#endif -#endif -#ifdef SYS_ftime -#ifdef __NR_ftime - {"ftime", __NR_ftime}, -#endif -#endif -#ifdef SYS_ftruncate -#ifdef __NR_ftruncate - {"ftruncate", __NR_ftruncate}, -#endif -#endif -#ifdef 
SYS_ftruncate64 -#ifdef __NR_ftruncate64 - {"ftruncate64", __NR_ftruncate64}, -#endif -#endif -#ifdef SYS_futex -#ifdef __NR_futex - {"futex", __NR_futex}, -#endif -#endif -#ifdef SYS_futimesat -#ifdef __NR_futimesat - {"futimesat", __NR_futimesat}, -#endif -#endif -#ifdef SYS_get_kernel_syms -#ifdef __NR_get_kernel_syms - {"get_kernel_syms", __NR_get_kernel_syms}, -#endif -#endif -#ifdef SYS_get_mempolicy -#ifdef __NR_get_mempolicy - {"get_mempolicy", __NR_get_mempolicy}, -#endif -#endif -#ifdef SYS_get_robust_list -#ifdef __NR_get_robust_list - {"get_robust_list", __NR_get_robust_list}, -#endif -#endif -#ifdef SYS_get_thread_area -#ifdef __NR_get_thread_area - {"get_thread_area", __NR_get_thread_area}, -#endif -#endif -#ifdef SYS_getcpu -#ifdef __NR_getcpu - {"getcpu", __NR_getcpu}, -#endif -#endif -#ifdef SYS_getcwd -#ifdef __NR_getcwd - {"getcwd", __NR_getcwd}, -#endif -#endif -#ifdef SYS_getdents -#ifdef __NR_getdents - {"getdents", __NR_getdents}, -#endif -#endif -#ifdef SYS_getdents64 -#ifdef __NR_getdents64 - {"getdents64", __NR_getdents64}, -#endif -#endif -#ifdef SYS_getegid -#ifdef __NR_getegid - {"getegid", __NR_getegid}, -#endif -#endif -#ifdef SYS_getegid32 -#ifdef __NR_getegid32 - {"getegid32", __NR_getegid32}, -#endif -#endif -#ifdef SYS_geteuid -#ifdef __NR_geteuid - {"geteuid", __NR_geteuid}, -#endif -#endif -#ifdef SYS_geteuid32 -#ifdef __NR_geteuid32 - {"geteuid32", __NR_geteuid32}, -#endif -#endif -#ifdef SYS_getgid -#ifdef __NR_getgid - {"getgid", __NR_getgid}, -#endif -#endif -#ifdef SYS_getgid32 -#ifdef __NR_getgid32 - {"getgid32", __NR_getgid32}, -#endif -#endif -#ifdef SYS_getgroups -#ifdef __NR_getgroups - {"getgroups", __NR_getgroups}, -#endif -#endif -#ifdef SYS_getgroups32 -#ifdef __NR_getgroups32 - {"getgroups32", __NR_getgroups32}, -#endif -#endif -#ifdef SYS_getitimer -#ifdef __NR_getitimer - {"getitimer", __NR_getitimer}, -#endif -#endif -#ifdef SYS_getpeername -#ifdef __NR_getpeername - {"getpeername", __NR_getpeername}, -#endif 
-#endif -#ifdef SYS_getpgid -#ifdef __NR_getpgid - {"getpgid", __NR_getpgid}, -#endif -#endif -#ifdef SYS_getpgrp -#ifdef __NR_getpgrp - {"getpgrp", __NR_getpgrp}, -#endif -#endif -#ifdef SYS_getpid -#ifdef __NR_getpid - {"getpid", __NR_getpid}, -#endif -#endif -#ifdef SYS_getpmsg -#ifdef __NR_getpmsg - {"getpmsg", __NR_getpmsg}, -#endif -#endif -#ifdef SYS_getppid -#ifdef __NR_getppid - {"getppid", __NR_getppid}, -#endif -#endif -#ifdef SYS_getpriority -#ifdef __NR_getpriority - {"getpriority", __NR_getpriority}, -#endif -#endif -#ifdef SYS_getrandom -#ifdef __NR_getrandom - {"getrandom", __NR_getrandom}, -#endif -#endif -#ifdef SYS_getresgid -#ifdef __NR_getresgid - {"getresgid", __NR_getresgid}, -#endif -#endif -#ifdef SYS_getresgid32 -#ifdef __NR_getresgid32 - {"getresgid32", __NR_getresgid32}, -#endif -#endif -#ifdef SYS_getresuid -#ifdef __NR_getresuid - {"getresuid", __NR_getresuid}, -#endif -#endif -#ifdef SYS_getresuid32 -#ifdef __NR_getresuid32 - {"getresuid32", __NR_getresuid32}, -#endif -#endif -#ifdef SYS_getrlimit -#ifdef __NR_getrlimit - {"getrlimit", __NR_getrlimit}, -#endif -#endif -#ifdef SYS_getrusage -#ifdef __NR_getrusage - {"getrusage", __NR_getrusage}, -#endif -#endif -#ifdef SYS_getsid -#ifdef __NR_getsid - {"getsid", __NR_getsid}, -#endif -#endif -#ifdef SYS_getsockname -#ifdef __NR_getsockname - {"getsockname", __NR_getsockname}, -#endif -#endif -#ifdef SYS_getsockopt -#ifdef __NR_getsockopt - {"getsockopt", __NR_getsockopt}, -#endif -#endif -#ifdef SYS_gettid -#ifdef __NR_gettid - {"gettid", __NR_gettid}, -#endif -#endif -#ifdef SYS_gettimeofday -#ifdef __NR_gettimeofday - {"gettimeofday", __NR_gettimeofday}, -#endif -#endif -#ifdef SYS_getuid -#ifdef __NR_getuid - {"getuid", __NR_getuid}, -#endif -#endif -#ifdef SYS_getuid32 -#ifdef __NR_getuid32 - {"getuid32", __NR_getuid32}, -#endif -#endif -#ifdef SYS_getxattr -#ifdef __NR_getxattr - {"getxattr", __NR_getxattr}, -#endif -#endif -#ifdef SYS_gtty -#ifdef __NR_gtty - {"gtty", __NR_gtty}, 
-#endif -#endif -#ifdef SYS_idle -#ifdef __NR_idle - {"idle", __NR_idle}, -#endif -#endif -#ifdef SYS_init_module -#ifdef __NR_init_module - {"init_module", __NR_init_module}, -#endif -#endif -#ifdef SYS_inotify_add_watch -#ifdef __NR_inotify_add_watch - {"inotify_add_watch", __NR_inotify_add_watch}, -#endif -#endif -#ifdef SYS_inotify_init -#ifdef __NR_inotify_init - {"inotify_init", __NR_inotify_init}, -#endif -#endif -#ifdef SYS_inotify_init1 -#ifdef __NR_inotify_init1 - {"inotify_init1", __NR_inotify_init1}, -#endif -#endif -#ifdef SYS_inotify_rm_watch -#ifdef __NR_inotify_rm_watch - {"inotify_rm_watch", __NR_inotify_rm_watch}, -#endif -#endif -#ifdef SYS_io_cancel -#ifdef __NR_io_cancel - {"io_cancel", __NR_io_cancel}, -#endif -#endif -#ifdef SYS_io_destroy -#ifdef __NR_io_destroy - {"io_destroy", __NR_io_destroy}, -#endif -#endif -#ifdef SYS_io_getevents -#ifdef __NR_io_getevents - {"io_getevents", __NR_io_getevents}, -#endif -#endif -#ifdef SYS_io_setup -#ifdef __NR_io_setup - {"io_setup", __NR_io_setup}, -#endif -#endif -#ifdef SYS_io_submit -#ifdef __NR_io_submit - {"io_submit", __NR_io_submit}, -#endif -#endif -#ifdef SYS_ioctl -#ifdef __NR_ioctl - {"ioctl", __NR_ioctl}, -#endif -#endif -#ifdef SYS_ioperm -#ifdef __NR_ioperm - {"ioperm", __NR_ioperm}, -#endif -#endif -#ifdef SYS_iopl -#ifdef __NR_iopl - {"iopl", __NR_iopl}, -#endif -#endif -#ifdef SYS_ioprio_get -#ifdef __NR_ioprio_get - {"ioprio_get", __NR_ioprio_get}, -#endif -#endif -#ifdef SYS_ioprio_set -#ifdef __NR_ioprio_set - {"ioprio_set", __NR_ioprio_set}, -#endif -#endif -#ifdef SYS_ipc -#ifdef __NR_ipc - {"ipc", __NR_ipc}, -#endif -#endif -#ifdef SYS_kcmp -#ifdef __NR_kcmp - {"kcmp", __NR_kcmp}, -#endif -#endif -#ifdef SYS_kexec_load -#ifdef __NR_kexec_load - {"kexec_load", __NR_kexec_load}, -#endif -#endif -#ifdef SYS_keyctl -#ifdef __NR_keyctl - {"keyctl", __NR_keyctl}, -#endif -#endif -#ifdef SYS_kill -#ifdef __NR_kill - {"kill", __NR_kill}, -#endif -#endif -#ifdef SYS_lchown -#ifdef 
__NR_lchown - {"lchown", __NR_lchown}, -#endif -#endif -#ifdef SYS_lchown32 -#ifdef __NR_lchown32 - {"lchown32", __NR_lchown32}, -#endif -#endif -#ifdef SYS_lgetxattr -#ifdef __NR_lgetxattr - {"lgetxattr", __NR_lgetxattr}, -#endif -#endif -#ifdef SYS_link -#ifdef __NR_link - {"link", __NR_link}, -#endif -#endif -#ifdef SYS_linkat -#ifdef __NR_linkat - {"linkat", __NR_linkat}, -#endif -#endif -#ifdef SYS_listen -#ifdef __NR_listen - {"listen", __NR_listen}, -#endif -#endif -#ifdef SYS_listxattr -#ifdef __NR_listxattr - {"listxattr", __NR_listxattr}, -#endif -#endif -#ifdef SYS_llistxattr -#ifdef __NR_llistxattr - {"llistxattr", __NR_llistxattr}, -#endif -#endif -#ifdef SYS_lock -#ifdef __NR_lock - {"lock", __NR_lock}, -#endif -#endif -#ifdef SYS_lookup_dcookie -#ifdef __NR_lookup_dcookie - {"lookup_dcookie", __NR_lookup_dcookie}, -#endif -#endif -#ifdef SYS_lremovexattr -#ifdef __NR_lremovexattr - {"lremovexattr", __NR_lremovexattr}, -#endif -#endif -#ifdef SYS_lseek -#ifdef __NR_lseek - {"lseek", __NR_lseek}, -#endif -#endif -#ifdef SYS_lsetxattr -#ifdef __NR_lsetxattr - {"lsetxattr", __NR_lsetxattr}, -#endif -#endif -#ifdef SYS_lstat -#ifdef __NR_lstat - {"lstat", __NR_lstat}, -#endif -#endif -#ifdef SYS_lstat64 -#ifdef __NR_lstat64 - {"lstat64", __NR_lstat64}, -#endif -#endif -#ifdef SYS_madvise -#ifdef __NR_madvise - {"madvise", __NR_madvise}, -#endif -#endif -#ifdef SYS_mbind -#ifdef __NR_mbind - {"mbind", __NR_mbind}, -#endif -#endif -#ifdef SYS_membarrier -#ifdef __NR_membarrier - {"membarrier", __NR_membarrier}, -#endif -#endif -#ifdef SYS_memfd_create -#ifdef __NR_memfd_create - {"memfd_create", __NR_memfd_create}, -#endif -#endif -#ifdef SYS_migrate_pages -#ifdef __NR_migrate_pages - {"migrate_pages", __NR_migrate_pages}, -#endif -#endif -#ifdef SYS_mincore -#ifdef __NR_mincore - {"mincore", __NR_mincore}, -#endif -#endif -#ifdef SYS_mkdir -#ifdef __NR_mkdir - {"mkdir", __NR_mkdir}, -#endif -#endif -#ifdef SYS_mkdirat -#ifdef __NR_mkdirat - {"mkdirat", 
__NR_mkdirat}, -#endif -#endif -#ifdef SYS_mknod -#ifdef __NR_mknod - {"mknod", __NR_mknod}, -#endif -#endif -#ifdef SYS_mknodat -#ifdef __NR_mknodat - {"mknodat", __NR_mknodat}, -#endif -#endif -#ifdef SYS_mlock -#ifdef __NR_mlock - {"mlock", __NR_mlock}, -#endif -#endif -#ifdef SYS_mlock2 -#ifdef __NR_mlock2 - {"mlock2", __NR_mlock2}, -#endif -#endif -#ifdef SYS_mlockall -#ifdef __NR_mlockall - {"mlockall", __NR_mlockall}, -#endif -#endif -#ifdef SYS_mmap -#ifdef __NR_mmap - {"mmap", __NR_mmap}, -#endif -#endif -#ifdef SYS_mmap2 -#ifdef __NR_mmap2 - {"mmap2", __NR_mmap2}, -#endif -#endif -#ifdef SYS_modify_ldt -#ifdef __NR_modify_ldt - {"modify_ldt", __NR_modify_ldt}, -#endif -#endif -#ifdef SYS_mount -#ifdef __NR_mount - {"mount", __NR_mount}, -#endif -#endif -#ifdef SYS_move_pages -#ifdef __NR_move_pages - {"move_pages", __NR_move_pages}, -#endif -#endif -#ifdef SYS_mprotect -#ifdef __NR_mprotect - {"mprotect", __NR_mprotect}, -#endif -#endif -#ifdef SYS_mpx -#ifdef __NR_mpx - {"mpx", __NR_mpx}, -#endif -#endif -#ifdef SYS_mq_getsetattr -#ifdef __NR_mq_getsetattr - {"mq_getsetattr", __NR_mq_getsetattr}, -#endif -#endif -#ifdef SYS_mq_notify -#ifdef __NR_mq_notify - {"mq_notify", __NR_mq_notify}, -#endif -#endif -#ifdef SYS_mq_open -#ifdef __NR_mq_open - {"mq_open", __NR_mq_open}, -#endif -#endif -#ifdef SYS_mq_timedreceive -#ifdef __NR_mq_timedreceive - {"mq_timedreceive", __NR_mq_timedreceive}, -#endif -#endif -#ifdef SYS_mq_timedsend -#ifdef __NR_mq_timedsend - {"mq_timedsend", __NR_mq_timedsend}, -#endif -#endif -#ifdef SYS_mq_unlink -#ifdef __NR_mq_unlink - {"mq_unlink", __NR_mq_unlink}, -#endif -#endif -#ifdef SYS_mremap -#ifdef __NR_mremap - {"mremap", __NR_mremap}, -#endif -#endif -#ifdef SYS_msync -#ifdef __NR_msync - {"msync", __NR_msync}, -#endif -#endif -#ifdef SYS_munlock -#ifdef __NR_munlock - {"munlock", __NR_munlock}, -#endif -#endif -#ifdef SYS_munlockall -#ifdef __NR_munlockall - {"munlockall", __NR_munlockall}, -#endif -#endif -#ifdef 
SYS_munmap -#ifdef __NR_munmap - {"munmap", __NR_munmap}, -#endif -#endif -#ifdef SYS_name_to_handle_at -#ifdef __NR_name_to_handle_at - {"name_to_handle_at", __NR_name_to_handle_at}, -#endif -#endif -#ifdef SYS_nanosleep -#ifdef __NR_nanosleep - {"nanosleep", __NR_nanosleep}, -#endif -#endif -#ifdef SYS_nfsservctl -#ifdef __NR_nfsservctl - {"nfsservctl", __NR_nfsservctl}, -#endif -#endif -#ifdef SYS_nice -#ifdef __NR_nice - {"nice", __NR_nice}, -#endif -#endif -#ifdef SYS_oldfstat -#ifdef __NR_oldfstat - {"oldfstat", __NR_oldfstat}, -#endif -#endif -#ifdef SYS_oldlstat -#ifdef __NR_oldlstat - {"oldlstat", __NR_oldlstat}, -#endif -#endif -#ifdef SYS_oldolduname -#ifdef __NR_oldolduname - {"oldolduname", __NR_oldolduname}, -#endif -#endif -#ifdef SYS_oldstat -#ifdef __NR_oldstat - {"oldstat", __NR_oldstat}, -#endif -#endif -#ifdef SYS_olduname -#ifdef __NR_olduname - {"olduname", __NR_olduname}, -#endif -#endif -#ifdef SYS_open -#ifdef __NR_open - {"open", __NR_open}, -#endif -#endif -#ifdef SYS_open_by_handle_at -#ifdef __NR_open_by_handle_at - {"open_by_handle_at", __NR_open_by_handle_at}, -#endif -#endif -#ifdef SYS_openat -#ifdef __NR_openat - {"openat", __NR_openat}, -#endif -#endif -#ifdef SYS_pause -#ifdef __NR_pause - {"pause", __NR_pause}, -#endif -#endif -#ifdef SYS_perf_event_open -#ifdef __NR_perf_event_open - {"perf_event_open", __NR_perf_event_open}, -#endif -#endif -#ifdef SYS_personality -#ifdef __NR_personality - {"personality", __NR_personality}, -#endif -#endif -#ifdef SYS_pipe -#ifdef __NR_pipe - {"pipe", __NR_pipe}, -#endif -#endif -#ifdef SYS_pipe2 -#ifdef __NR_pipe2 - {"pipe2", __NR_pipe2}, -#endif -#endif -#ifdef SYS_pivot_root -#ifdef __NR_pivot_root - {"pivot_root", __NR_pivot_root}, -#endif -#endif -#ifdef SYS_poll -#ifdef __NR_poll - {"poll", __NR_poll}, -#endif -#endif -#ifdef SYS_ppoll -#ifdef __NR_ppoll - {"ppoll", __NR_ppoll}, -#endif -#endif -#ifdef SYS_prctl -#ifdef __NR_prctl - {"prctl", __NR_prctl}, -#endif -#endif -#ifdef 
SYS_pread64 -#ifdef __NR_pread64 - {"pread64", __NR_pread64}, -#endif -#endif -#ifdef SYS_preadv -#ifdef __NR_preadv - {"preadv", __NR_preadv}, -#endif -#endif -#ifdef SYS_prlimit64 -#ifdef __NR_prlimit64 - {"prlimit64", __NR_prlimit64}, -#endif -#endif -#ifdef SYS_process_vm_readv -#ifdef __NR_process_vm_readv - {"process_vm_readv", __NR_process_vm_readv}, -#endif -#endif -#ifdef SYS_process_vm_writev -#ifdef __NR_process_vm_writev - {"process_vm_writev", __NR_process_vm_writev}, -#endif -#endif -#ifdef SYS_prof -#ifdef __NR_prof - {"prof", __NR_prof}, -#endif -#endif -#ifdef SYS_profil -#ifdef __NR_profil - {"profil", __NR_profil}, -#endif -#endif -#ifdef SYS_pselect6 -#ifdef __NR_pselect6 - {"pselect6", __NR_pselect6}, -#endif -#endif -#ifdef SYS_ptrace -#ifdef __NR_ptrace - {"ptrace", __NR_ptrace}, -#endif -#endif -#ifdef SYS_putpmsg -#ifdef __NR_putpmsg - {"putpmsg", __NR_putpmsg}, -#endif -#endif -#ifdef SYS_pwrite64 -#ifdef __NR_pwrite64 - {"pwrite64", __NR_pwrite64}, -#endif -#endif -#ifdef SYS_pwritev -#ifdef __NR_pwritev - {"pwritev", __NR_pwritev}, -#endif -#endif -#ifdef SYS_query_module -#ifdef __NR_query_module - {"query_module", __NR_query_module}, -#endif -#endif -#ifdef SYS_quotactl -#ifdef __NR_quotactl - {"quotactl", __NR_quotactl}, -#endif -#endif -#ifdef SYS_read -#ifdef __NR_read - {"read", __NR_read}, -#endif -#endif -#ifdef SYS_readahead -#ifdef __NR_readahead - {"readahead", __NR_readahead}, -#endif -#endif -#ifdef SYS_readdir -#ifdef __NR_readdir - {"readdir", __NR_readdir}, -#endif -#endif -#ifdef SYS_readlink -#ifdef __NR_readlink - {"readlink", __NR_readlink}, -#endif -#endif -#ifdef SYS_readlinkat -#ifdef __NR_readlinkat - {"readlinkat", __NR_readlinkat}, -#endif -#endif -#ifdef SYS_readv -#ifdef __NR_readv - {"readv", __NR_readv}, -#endif -#endif -#ifdef SYS_reboot -#ifdef __NR_reboot - {"reboot", __NR_reboot}, -#endif -#endif -#ifdef SYS_recvfrom -#ifdef __NR_recvfrom - {"recvfrom", __NR_recvfrom}, -#endif -#endif -#ifdef 
SYS_recvmmsg -#ifdef __NR_recvmmsg - {"recvmmsg", __NR_recvmmsg}, -#endif -#endif -#ifdef SYS_recvmsg -#ifdef __NR_recvmsg - {"recvmsg", __NR_recvmsg}, -#endif -#endif -#ifdef SYS_remap_file_pages -#ifdef __NR_remap_file_pages - {"remap_file_pages", __NR_remap_file_pages}, -#endif -#endif -#ifdef SYS_removexattr -#ifdef __NR_removexattr - {"removexattr", __NR_removexattr}, -#endif -#endif -#ifdef SYS_rename -#ifdef __NR_rename - {"rename", __NR_rename}, -#endif -#endif -#ifdef SYS_renameat -#ifdef __NR_renameat - {"renameat", __NR_renameat}, -#endif -#endif -#ifdef SYS_renameat2 -#ifdef __NR_renameat2 - {"renameat2", __NR_renameat2}, -#endif -#endif -#ifdef SYS_request_key -#ifdef __NR_request_key - {"request_key", __NR_request_key}, -#endif -#endif -#ifdef SYS_restart_syscall -#ifdef __NR_restart_syscall - {"restart_syscall", __NR_restart_syscall}, -#endif -#endif -#ifdef SYS_rmdir -#ifdef __NR_rmdir - {"rmdir", __NR_rmdir}, -#endif -#endif -#ifdef SYS_rt_sigaction -#ifdef __NR_rt_sigaction - {"rt_sigaction", __NR_rt_sigaction}, -#endif -#endif -#ifdef SYS_rt_sigpending -#ifdef __NR_rt_sigpending - {"rt_sigpending", __NR_rt_sigpending}, -#endif -#endif -#ifdef SYS_rt_sigprocmask -#ifdef __NR_rt_sigprocmask - {"rt_sigprocmask", __NR_rt_sigprocmask}, -#endif -#endif -#ifdef SYS_rt_sigqueueinfo -#ifdef __NR_rt_sigqueueinfo - {"rt_sigqueueinfo", __NR_rt_sigqueueinfo}, -#endif -#endif -#ifdef SYS_rt_sigreturn -#ifdef __NR_rt_sigreturn - {"rt_sigreturn", __NR_rt_sigreturn}, -#endif -#endif -#ifdef SYS_rt_sigsuspend -#ifdef __NR_rt_sigsuspend - {"rt_sigsuspend", __NR_rt_sigsuspend}, -#endif -#endif -#ifdef SYS_rt_sigtimedwait -#ifdef __NR_rt_sigtimedwait - {"rt_sigtimedwait", __NR_rt_sigtimedwait}, -#endif -#endif -#ifdef SYS_rt_tgsigqueueinfo -#ifdef __NR_rt_tgsigqueueinfo - {"rt_tgsigqueueinfo", __NR_rt_tgsigqueueinfo}, -#endif -#endif -#ifdef SYS_sched_get_priority_max -#ifdef __NR_sched_get_priority_max - {"sched_get_priority_max", __NR_sched_get_priority_max}, 
-#endif -#endif -#ifdef SYS_sched_get_priority_min -#ifdef __NR_sched_get_priority_min - {"sched_get_priority_min", __NR_sched_get_priority_min}, -#endif -#endif -#ifdef SYS_sched_getaffinity -#ifdef __NR_sched_getaffinity - {"sched_getaffinity", __NR_sched_getaffinity}, -#endif -#endif -#ifdef SYS_sched_getattr -#ifdef __NR_sched_getattr - {"sched_getattr", __NR_sched_getattr}, -#endif -#endif -#ifdef SYS_sched_getparam -#ifdef __NR_sched_getparam - {"sched_getparam", __NR_sched_getparam}, -#endif -#endif -#ifdef SYS_sched_getscheduler -#ifdef __NR_sched_getscheduler - {"sched_getscheduler", __NR_sched_getscheduler}, -#endif -#endif -#ifdef SYS_sched_rr_get_interval -#ifdef __NR_sched_rr_get_interval - {"sched_rr_get_interval", __NR_sched_rr_get_interval}, -#endif -#endif -#ifdef SYS_sched_setaffinity -#ifdef __NR_sched_setaffinity - {"sched_setaffinity", __NR_sched_setaffinity}, -#endif -#endif -#ifdef SYS_sched_setattr -#ifdef __NR_sched_setattr - {"sched_setattr", __NR_sched_setattr}, -#endif -#endif -#ifdef SYS_sched_setparam -#ifdef __NR_sched_setparam - {"sched_setparam", __NR_sched_setparam}, -#endif -#endif -#ifdef SYS_sched_setscheduler -#ifdef __NR_sched_setscheduler - {"sched_setscheduler", __NR_sched_setscheduler}, -#endif -#endif -#ifdef SYS_sched_yield -#ifdef __NR_sched_yield - {"sched_yield", __NR_sched_yield}, -#endif -#endif -#ifdef SYS_seccomp -#ifdef __NR_seccomp - {"seccomp", __NR_seccomp}, -#endif -#endif -#ifdef SYS_select -#ifdef __NR_select - {"select", __NR_select}, -#endif -#endif -#ifdef SYS_sendfile -#ifdef __NR_sendfile - {"sendfile", __NR_sendfile}, -#endif -#endif -#ifdef SYS_sendfile64 -#ifdef __NR_sendfile64 - {"sendfile64", __NR_sendfile64}, -#endif -#endif -#ifdef SYS_sendmmsg -#ifdef __NR_sendmmsg - {"sendmmsg", __NR_sendmmsg}, -#endif -#endif -#ifdef SYS_sendmsg -#ifdef __NR_sendmsg - {"sendmsg", __NR_sendmsg}, -#endif -#endif -#ifdef SYS_sendto -#ifdef __NR_sendto - {"sendto", __NR_sendto}, -#endif -#endif -#ifdef 
SYS_set_mempolicy -#ifdef __NR_set_mempolicy - {"set_mempolicy", __NR_set_mempolicy}, -#endif -#endif -#ifdef SYS_set_robust_list -#ifdef __NR_set_robust_list - {"set_robust_list", __NR_set_robust_list}, -#endif -#endif -#ifdef SYS_set_thread_area -#ifdef __NR_set_thread_area - {"set_thread_area", __NR_set_thread_area}, -#endif -#endif -#ifdef SYS_set_tid_address -#ifdef __NR_set_tid_address - {"set_tid_address", __NR_set_tid_address}, -#endif -#endif -#ifdef SYS_setdomainname -#ifdef __NR_setdomainname - {"setdomainname", __NR_setdomainname}, -#endif -#endif -#ifdef SYS_setfsgid -#ifdef __NR_setfsgid - {"setfsgid", __NR_setfsgid}, -#endif -#endif -#ifdef SYS_setfsgid32 -#ifdef __NR_setfsgid32 - {"setfsgid32", __NR_setfsgid32}, -#endif -#endif -#ifdef SYS_setfsuid -#ifdef __NR_setfsuid - {"setfsuid", __NR_setfsuid}, -#endif -#endif -#ifdef SYS_setfsuid32 -#ifdef __NR_setfsuid32 - {"setfsuid32", __NR_setfsuid32}, -#endif -#endif -#ifdef SYS_setgid -#ifdef __NR_setgid - {"setgid", __NR_setgid}, -#endif -#endif -#ifdef SYS_setgid32 -#ifdef __NR_setgid32 - {"setgid32", __NR_setgid32}, -#endif -#endif -#ifdef SYS_setgroups -#ifdef __NR_setgroups - {"setgroups", __NR_setgroups}, -#endif -#endif -#ifdef SYS_setgroups32 -#ifdef __NR_setgroups32 - {"setgroups32", __NR_setgroups32}, -#endif -#endif -#ifdef SYS_sethostname -#ifdef __NR_sethostname - {"sethostname", __NR_sethostname}, -#endif -#endif -#ifdef SYS_setitimer -#ifdef __NR_setitimer - {"setitimer", __NR_setitimer}, -#endif -#endif -#ifdef SYS_setns -#ifdef __NR_setns - {"setns", __NR_setns}, -#endif -#endif -#ifdef SYS_setpgid -#ifdef __NR_setpgid - {"setpgid", __NR_setpgid}, -#endif -#endif -#ifdef SYS_setpriority -#ifdef __NR_setpriority - {"setpriority", __NR_setpriority}, -#endif -#endif -#ifdef SYS_setregid -#ifdef __NR_setregid - {"setregid", __NR_setregid}, -#endif -#endif -#ifdef SYS_setregid32 -#ifdef __NR_setregid32 - {"setregid32", __NR_setregid32}, -#endif -#endif -#ifdef SYS_setresgid -#ifdef 
__NR_setresgid - {"setresgid", __NR_setresgid}, -#endif -#endif -#ifdef SYS_setresgid32 -#ifdef __NR_setresgid32 - {"setresgid32", __NR_setresgid32}, -#endif -#endif -#ifdef SYS_setresuid -#ifdef __NR_setresuid - {"setresuid", __NR_setresuid}, -#endif -#endif -#ifdef SYS_setresuid32 -#ifdef __NR_setresuid32 - {"setresuid32", __NR_setresuid32}, -#endif -#endif -#ifdef SYS_setreuid -#ifdef __NR_setreuid - {"setreuid", __NR_setreuid}, -#endif -#endif -#ifdef SYS_setreuid32 -#ifdef __NR_setreuid32 - {"setreuid32", __NR_setreuid32}, -#endif -#endif -#ifdef SYS_setrlimit -#ifdef __NR_setrlimit - {"setrlimit", __NR_setrlimit}, -#endif -#endif -#ifdef SYS_setsid -#ifdef __NR_setsid - {"setsid", __NR_setsid}, -#endif -#endif -#ifdef SYS_setsockopt -#ifdef __NR_setsockopt - {"setsockopt", __NR_setsockopt}, -#endif -#endif -#ifdef SYS_settimeofday -#ifdef __NR_settimeofday - {"settimeofday", __NR_settimeofday}, -#endif -#endif -#ifdef SYS_setuid -#ifdef __NR_setuid - {"setuid", __NR_setuid}, -#endif -#endif -#ifdef SYS_setuid32 -#ifdef __NR_setuid32 - {"setuid32", __NR_setuid32}, -#endif -#endif -#ifdef SYS_setxattr -#ifdef __NR_setxattr - {"setxattr", __NR_setxattr}, -#endif -#endif -#ifdef SYS_sgetmask -#ifdef __NR_sgetmask - {"sgetmask", __NR_sgetmask}, -#endif -#endif -#ifdef SYS_shutdown -#ifdef __NR_shutdown - {"shutdown", __NR_shutdown}, -#endif -#endif -#ifdef SYS_sigaction -#ifdef __NR_sigaction - {"sigaction", __NR_sigaction}, -#endif -#endif -#ifdef SYS_sigaltstack -#ifdef __NR_sigaltstack - {"sigaltstack", __NR_sigaltstack}, -#endif -#endif -#ifdef SYS_signal -#ifdef __NR_signal - {"signal", __NR_signal}, -#endif -#endif -#ifdef SYS_signalfd -#ifdef __NR_signalfd - {"signalfd", __NR_signalfd}, -#endif -#endif -#ifdef SYS_signalfd4 -#ifdef __NR_signalfd4 - {"signalfd4", __NR_signalfd4}, -#endif -#endif -#ifdef SYS_sigpending -#ifdef __NR_sigpending - {"sigpending", __NR_sigpending}, -#endif -#endif -#ifdef SYS_sigprocmask -#ifdef __NR_sigprocmask - {"sigprocmask", 
__NR_sigprocmask}, -#endif -#endif -#ifdef SYS_sigreturn -#ifdef __NR_sigreturn - {"sigreturn", __NR_sigreturn}, -#endif -#endif -#ifdef SYS_sigsuspend -#ifdef __NR_sigsuspend - {"sigsuspend", __NR_sigsuspend}, -#endif -#endif -#ifdef SYS_socket -#ifdef __NR_socket - {"socket", __NR_socket}, -#endif -#endif -#ifdef SYS_socketcall -#ifdef __NR_socketcall - {"socketcall", __NR_socketcall}, -#endif -#endif -#ifdef SYS_socketpair -#ifdef __NR_socketpair - {"socketpair", __NR_socketpair}, -#endif -#endif -#ifdef SYS_splice -#ifdef __NR_splice - {"splice", __NR_splice}, -#endif -#endif -#ifdef SYS_ssetmask -#ifdef __NR_ssetmask - {"ssetmask", __NR_ssetmask}, -#endif -#endif -#ifdef SYS_stat -#ifdef __NR_stat - {"stat", __NR_stat}, -#endif -#endif -#ifdef SYS_stat64 -#ifdef __NR_stat64 - {"stat64", __NR_stat64}, -#endif -#endif -#ifdef SYS_statfs -#ifdef __NR_statfs - {"statfs", __NR_statfs}, -#endif -#endif -#ifdef SYS_statfs64 -#ifdef __NR_statfs64 - {"statfs64", __NR_statfs64}, -#endif -#endif -#ifdef SYS_stime -#ifdef __NR_stime - {"stime", __NR_stime}, -#endif -#endif -#ifdef SYS_stty -#ifdef __NR_stty - {"stty", __NR_stty}, -#endif -#endif -#ifdef SYS_swapoff -#ifdef __NR_swapoff - {"swapoff", __NR_swapoff}, -#endif -#endif -#ifdef SYS_swapon -#ifdef __NR_swapon - {"swapon", __NR_swapon}, -#endif -#endif -#ifdef SYS_symlink -#ifdef __NR_symlink - {"symlink", __NR_symlink}, -#endif -#endif -#ifdef SYS_symlinkat -#ifdef __NR_symlinkat - {"symlinkat", __NR_symlinkat}, -#endif -#endif -#ifdef SYS_sync -#ifdef __NR_sync - {"sync", __NR_sync}, -#endif -#endif -#ifdef SYS_sync_file_range -#ifdef __NR_sync_file_range - {"sync_file_range", __NR_sync_file_range}, -#endif -#endif -#ifdef SYS_syncfs -#ifdef __NR_syncfs - {"syncfs", __NR_syncfs}, -#endif -#endif -#ifdef SYS_sysfs -#ifdef __NR_sysfs - {"sysfs", __NR_sysfs}, -#endif -#endif -#ifdef SYS_sysinfo -#ifdef __NR_sysinfo - {"sysinfo", __NR_sysinfo}, -#endif -#endif -#ifdef SYS_syslog -#ifdef __NR_syslog - {"syslog", 
__NR_syslog}, -#endif -#endif -#ifdef SYS_tee -#ifdef __NR_tee - {"tee", __NR_tee}, -#endif -#endif -#ifdef SYS_tgkill -#ifdef __NR_tgkill - {"tgkill", __NR_tgkill}, -#endif -#endif -#ifdef SYS_time -#ifdef __NR_time - {"time", __NR_time}, -#endif -#endif -#ifdef SYS_timer_create -#ifdef __NR_timer_create - {"timer_create", __NR_timer_create}, -#endif -#endif -#ifdef SYS_timer_delete -#ifdef __NR_timer_delete - {"timer_delete", __NR_timer_delete}, -#endif -#endif -#ifdef SYS_timer_getoverrun -#ifdef __NR_timer_getoverrun - {"timer_getoverrun", __NR_timer_getoverrun}, -#endif -#endif -#ifdef SYS_timer_gettime -#ifdef __NR_timer_gettime - {"timer_gettime", __NR_timer_gettime}, -#endif -#endif -#ifdef SYS_timer_settime -#ifdef __NR_timer_settime - {"timer_settime", __NR_timer_settime}, -#endif -#endif -#ifdef SYS_timerfd_create -#ifdef __NR_timerfd_create - {"timerfd_create", __NR_timerfd_create}, -#endif -#endif -#ifdef SYS_timerfd_gettime -#ifdef __NR_timerfd_gettime - {"timerfd_gettime", __NR_timerfd_gettime}, -#endif -#endif -#ifdef SYS_timerfd_settime -#ifdef __NR_timerfd_settime - {"timerfd_settime", __NR_timerfd_settime}, -#endif -#endif -#ifdef SYS_times -#ifdef __NR_times - {"times", __NR_times}, -#endif -#endif -#ifdef SYS_tkill -#ifdef __NR_tkill - {"tkill", __NR_tkill}, -#endif -#endif -#ifdef SYS_truncate -#ifdef __NR_truncate - {"truncate", __NR_truncate}, -#endif -#endif -#ifdef SYS_truncate64 -#ifdef __NR_truncate64 - {"truncate64", __NR_truncate64}, -#endif -#endif -#ifdef SYS_ugetrlimit -#ifdef __NR_ugetrlimit - {"ugetrlimit", __NR_ugetrlimit}, -#endif -#endif -#ifdef SYS_ulimit -#ifdef __NR_ulimit - {"ulimit", __NR_ulimit}, -#endif -#endif -#ifdef SYS_umask -#ifdef __NR_umask - {"umask", __NR_umask}, -#endif -#endif -#ifdef SYS_umount -#ifdef __NR_umount - {"umount", __NR_umount}, -#endif -#endif -#ifdef SYS_umount2 -#ifdef __NR_umount2 - {"umount2", __NR_umount2}, -#endif -#endif -#ifdef SYS_uname -#ifdef __NR_uname - {"uname", __NR_uname}, -#endif 
-#endif -#ifdef SYS_unlink -#ifdef __NR_unlink - {"unlink", __NR_unlink}, -#endif -#endif -#ifdef SYS_unlinkat -#ifdef __NR_unlinkat - {"unlinkat", __NR_unlinkat}, -#endif -#endif -#ifdef SYS_unshare -#ifdef __NR_unshare - {"unshare", __NR_unshare}, -#endif -#endif -#ifdef SYS_uselib -#ifdef __NR_uselib - {"uselib", __NR_uselib}, -#endif -#endif -#ifdef SYS_userfaultfd -#ifdef __NR_userfaultfd - {"userfaultfd", __NR_userfaultfd}, -#endif -#endif -#ifdef SYS_ustat -#ifdef __NR_ustat - {"ustat", __NR_ustat}, -#endif -#endif -#ifdef SYS_utime -#ifdef __NR_utime - {"utime", __NR_utime}, -#endif -#endif -#ifdef SYS_utimensat -#ifdef __NR_utimensat - {"utimensat", __NR_utimensat}, -#endif -#endif -#ifdef SYS_utimes -#ifdef __NR_utimes - {"utimes", __NR_utimes}, -#endif -#endif -#ifdef SYS_vfork -#ifdef __NR_vfork - {"vfork", __NR_vfork}, -#endif -#endif -#ifdef SYS_vhangup -#ifdef __NR_vhangup - {"vhangup", __NR_vhangup}, -#endif -#endif -#ifdef SYS_vm86 -#ifdef __NR_vm86 - {"vm86", __NR_vm86}, -#endif -#endif -#ifdef SYS_vm86old -#ifdef __NR_vm86old - {"vm86old", __NR_vm86old}, -#endif -#endif -#ifdef SYS_vmsplice -#ifdef __NR_vmsplice - {"vmsplice", __NR_vmsplice}, -#endif -#endif -#ifdef SYS_vserver -#ifdef __NR_vserver - {"vserver", __NR_vserver}, -#endif -#endif -#ifdef SYS_wait4 -#ifdef __NR_wait4 - {"wait4", __NR_wait4}, -#endif -#endif -#ifdef SYS_waitid -#ifdef __NR_waitid - {"waitid", __NR_waitid}, -#endif -#endif -#ifdef SYS_waitpid -#ifdef __NR_waitpid - {"waitpid", __NR_waitpid}, -#endif -#endif -#ifdef SYS_write -#ifdef __NR_write - {"write", __NR_write}, -#endif -#endif -#ifdef SYS_writev -#ifdef __NR_writev - {"writev", __NR_writev}, -#endif -#endif -#endif -#if defined __x86_64__ && defined __LP64__ -#ifdef SYS__sysctl -#ifdef __NR__sysctl - {"_sysctl", __NR__sysctl}, -#endif -#endif -#ifdef SYS_accept -#ifdef __NR_accept - {"accept", __NR_accept}, -#endif -#endif -#ifdef SYS_accept4 -#ifdef __NR_accept4 - {"accept4", __NR_accept4}, -#endif -#endif 
-#ifdef SYS_access -#ifdef __NR_access - {"access", __NR_access}, -#endif -#endif -#ifdef SYS_acct -#ifdef __NR_acct - {"acct", __NR_acct}, -#endif -#endif -#ifdef SYS_add_key -#ifdef __NR_add_key - {"add_key", __NR_add_key}, -#endif -#endif -#ifdef SYS_adjtimex -#ifdef __NR_adjtimex - {"adjtimex", __NR_adjtimex}, -#endif -#endif -#ifdef SYS_afs_syscall -#ifdef __NR_afs_syscall - {"afs_syscall", __NR_afs_syscall}, -#endif -#endif -#ifdef SYS_alarm -#ifdef __NR_alarm - {"alarm", __NR_alarm}, -#endif -#endif -#ifdef SYS_arch_prctl -#ifdef __NR_arch_prctl - {"arch_prctl", __NR_arch_prctl}, -#endif -#endif -#ifdef SYS_bind -#ifdef __NR_bind - {"bind", __NR_bind}, -#endif -#endif -#ifdef SYS_bpf -#ifdef __NR_bpf - {"bpf", __NR_bpf}, -#endif -#endif -#ifdef SYS_brk -#ifdef __NR_brk - {"brk", __NR_brk}, -#endif -#endif -#ifdef SYS_capget -#ifdef __NR_capget - {"capget", __NR_capget}, -#endif -#endif -#ifdef SYS_capset -#ifdef __NR_capset - {"capset", __NR_capset}, -#endif -#endif -#ifdef SYS_chdir -#ifdef __NR_chdir - {"chdir", __NR_chdir}, -#endif -#endif -#ifdef SYS_chmod -#ifdef __NR_chmod - {"chmod", __NR_chmod}, -#endif -#endif -#ifdef SYS_chown -#ifdef __NR_chown - {"chown", __NR_chown}, -#endif -#endif -#ifdef SYS_chroot -#ifdef __NR_chroot - {"chroot", __NR_chroot}, -#endif -#endif -#ifdef SYS_clock_adjtime -#ifdef __NR_clock_adjtime - {"clock_adjtime", __NR_clock_adjtime}, -#endif -#endif -#ifdef SYS_clock_getres -#ifdef __NR_clock_getres - {"clock_getres", __NR_clock_getres}, -#endif -#endif -#ifdef SYS_clock_gettime -#ifdef __NR_clock_gettime - {"clock_gettime", __NR_clock_gettime}, -#endif -#endif -#ifdef SYS_clock_nanosleep -#ifdef __NR_clock_nanosleep - {"clock_nanosleep", __NR_clock_nanosleep}, -#endif -#endif -#ifdef SYS_clock_settime -#ifdef __NR_clock_settime - {"clock_settime", __NR_clock_settime}, -#endif -#endif -#ifdef SYS_clone -#ifdef __NR_clone - {"clone", __NR_clone}, -#endif -#endif -#ifdef SYS_close -#ifdef __NR_close - {"close", __NR_close}, 
-#endif -#endif -#ifdef SYS_connect -#ifdef __NR_connect - {"connect", __NR_connect}, -#endif -#endif -#ifdef SYS_copy_file_range -#ifdef __NR_copy_file_range - {"copy_file_range", __NR_copy_file_range}, -#endif -#endif -#ifdef SYS_creat -#ifdef __NR_creat - {"creat", __NR_creat}, -#endif -#endif -#ifdef SYS_create_module -#ifdef __NR_create_module - {"create_module", __NR_create_module}, -#endif -#endif -#ifdef SYS_delete_module -#ifdef __NR_delete_module - {"delete_module", __NR_delete_module}, -#endif -#endif -#ifdef SYS_dup -#ifdef __NR_dup - {"dup", __NR_dup}, -#endif -#endif -#ifdef SYS_dup2 -#ifdef __NR_dup2 - {"dup2", __NR_dup2}, -#endif -#endif -#ifdef SYS_dup3 -#ifdef __NR_dup3 - {"dup3", __NR_dup3}, -#endif -#endif -#ifdef SYS_epoll_create -#ifdef __NR_epoll_create - {"epoll_create", __NR_epoll_create}, -#endif -#endif -#ifdef SYS_epoll_create1 -#ifdef __NR_epoll_create1 - {"epoll_create1", __NR_epoll_create1}, -#endif -#endif -#ifdef SYS_epoll_ctl -#ifdef __NR_epoll_ctl - {"epoll_ctl", __NR_epoll_ctl}, -#endif -#endif -#ifdef SYS_epoll_ctl_old -#ifdef __NR_epoll_ctl_old - {"epoll_ctl_old", __NR_epoll_ctl_old}, -#endif -#endif -#ifdef SYS_epoll_pwait -#ifdef __NR_epoll_pwait - {"epoll_pwait", __NR_epoll_pwait}, -#endif -#endif -#ifdef SYS_epoll_wait -#ifdef __NR_epoll_wait - {"epoll_wait", __NR_epoll_wait}, -#endif -#endif -#ifdef SYS_epoll_wait_old -#ifdef __NR_epoll_wait_old - {"epoll_wait_old", __NR_epoll_wait_old}, -#endif -#endif -#ifdef SYS_eventfd -#ifdef __NR_eventfd - {"eventfd", __NR_eventfd}, -#endif -#endif -#ifdef SYS_eventfd2 -#ifdef __NR_eventfd2 - {"eventfd2", __NR_eventfd2}, -#endif -#endif -#ifdef SYS_execve -#ifdef __NR_execve - {"execve", __NR_execve}, -#endif -#endif -#ifdef SYS_execveat -#ifdef __NR_execveat - {"execveat", __NR_execveat}, -#endif -#endif -#ifdef SYS_exit -#ifdef __NR_exit - {"exit", __NR_exit}, -#endif -#endif -#ifdef SYS_exit_group -#ifdef __NR_exit_group - {"exit_group", __NR_exit_group}, -#endif -#endif -#ifdef 
SYS_faccessat -#ifdef __NR_faccessat - {"faccessat", __NR_faccessat}, -#endif -#endif -#ifdef SYS_fadvise64 -#ifdef __NR_fadvise64 - {"fadvise64", __NR_fadvise64}, -#endif -#endif -#ifdef SYS_fallocate -#ifdef __NR_fallocate - {"fallocate", __NR_fallocate}, -#endif -#endif -#ifdef SYS_fanotify_init -#ifdef __NR_fanotify_init - {"fanotify_init", __NR_fanotify_init}, -#endif -#endif -#ifdef SYS_fanotify_mark -#ifdef __NR_fanotify_mark - {"fanotify_mark", __NR_fanotify_mark}, -#endif -#endif -#ifdef SYS_fchdir -#ifdef __NR_fchdir - {"fchdir", __NR_fchdir}, -#endif -#endif -#ifdef SYS_fchmod -#ifdef __NR_fchmod - {"fchmod", __NR_fchmod}, -#endif -#endif -#ifdef SYS_fchmodat -#ifdef __NR_fchmodat - {"fchmodat", __NR_fchmodat}, -#endif -#endif -#ifdef SYS_fchown -#ifdef __NR_fchown - {"fchown", __NR_fchown}, -#endif -#endif -#ifdef SYS_fchownat -#ifdef __NR_fchownat - {"fchownat", __NR_fchownat}, -#endif -#endif -#ifdef SYS_fcntl -#ifdef __NR_fcntl - {"fcntl", __NR_fcntl}, -#endif -#endif -#ifdef SYS_fdatasync -#ifdef __NR_fdatasync - {"fdatasync", __NR_fdatasync}, -#endif -#endif -#ifdef SYS_fgetxattr -#ifdef __NR_fgetxattr - {"fgetxattr", __NR_fgetxattr}, -#endif -#endif -#ifdef SYS_finit_module -#ifdef __NR_finit_module - {"finit_module", __NR_finit_module}, -#endif -#endif -#ifdef SYS_flistxattr -#ifdef __NR_flistxattr - {"flistxattr", __NR_flistxattr}, -#endif -#endif -#ifdef SYS_flock -#ifdef __NR_flock - {"flock", __NR_flock}, -#endif -#endif -#ifdef SYS_fork -#ifdef __NR_fork - {"fork", __NR_fork}, -#endif -#endif -#ifdef SYS_fremovexattr -#ifdef __NR_fremovexattr - {"fremovexattr", __NR_fremovexattr}, -#endif -#endif -#ifdef SYS_fsetxattr -#ifdef __NR_fsetxattr - {"fsetxattr", __NR_fsetxattr}, -#endif -#endif -#ifdef SYS_fstat -#ifdef __NR_fstat - {"fstat", __NR_fstat}, -#endif -#endif -#ifdef SYS_fstatfs -#ifdef __NR_fstatfs - {"fstatfs", __NR_fstatfs}, -#endif -#endif -#ifdef SYS_fsync -#ifdef __NR_fsync - {"fsync", __NR_fsync}, -#endif -#endif -#ifdef 
SYS_ftruncate -#ifdef __NR_ftruncate - {"ftruncate", __NR_ftruncate}, -#endif -#endif -#ifdef SYS_futex -#ifdef __NR_futex - {"futex", __NR_futex}, -#endif -#endif -#ifdef SYS_futimesat -#ifdef __NR_futimesat - {"futimesat", __NR_futimesat}, -#endif -#endif -#ifdef SYS_get_kernel_syms -#ifdef __NR_get_kernel_syms - {"get_kernel_syms", __NR_get_kernel_syms}, -#endif -#endif -#ifdef SYS_get_mempolicy -#ifdef __NR_get_mempolicy - {"get_mempolicy", __NR_get_mempolicy}, -#endif -#endif -#ifdef SYS_get_robust_list -#ifdef __NR_get_robust_list - {"get_robust_list", __NR_get_robust_list}, -#endif -#endif -#ifdef SYS_get_thread_area -#ifdef __NR_get_thread_area - {"get_thread_area", __NR_get_thread_area}, -#endif -#endif -#ifdef SYS_getcpu -#ifdef __NR_getcpu - {"getcpu", __NR_getcpu}, -#endif -#endif -#ifdef SYS_getcwd -#ifdef __NR_getcwd - {"getcwd", __NR_getcwd}, -#endif -#endif -#ifdef SYS_getdents -#ifdef __NR_getdents - {"getdents", __NR_getdents}, -#endif -#endif -#ifdef SYS_getdents64 -#ifdef __NR_getdents64 - {"getdents64", __NR_getdents64}, -#endif -#endif -#ifdef SYS_getegid -#ifdef __NR_getegid - {"getegid", __NR_getegid}, -#endif -#endif -#ifdef SYS_geteuid -#ifdef __NR_geteuid - {"geteuid", __NR_geteuid}, -#endif -#endif -#ifdef SYS_getgid -#ifdef __NR_getgid - {"getgid", __NR_getgid}, -#endif -#endif -#ifdef SYS_getgroups -#ifdef __NR_getgroups - {"getgroups", __NR_getgroups}, -#endif -#endif -#ifdef SYS_getitimer -#ifdef __NR_getitimer - {"getitimer", __NR_getitimer}, -#endif -#endif -#ifdef SYS_getpeername -#ifdef __NR_getpeername - {"getpeername", __NR_getpeername}, -#endif -#endif -#ifdef SYS_getpgid -#ifdef __NR_getpgid - {"getpgid", __NR_getpgid}, -#endif -#endif -#ifdef SYS_getpgrp -#ifdef __NR_getpgrp - {"getpgrp", __NR_getpgrp}, -#endif -#endif -#ifdef SYS_getpid -#ifdef __NR_getpid - {"getpid", __NR_getpid}, -#endif -#endif -#ifdef SYS_getpmsg -#ifdef __NR_getpmsg - {"getpmsg", __NR_getpmsg}, -#endif -#endif -#ifdef SYS_getppid -#ifdef __NR_getppid 
- {"getppid", __NR_getppid}, -#endif -#endif -#ifdef SYS_getpriority -#ifdef __NR_getpriority - {"getpriority", __NR_getpriority}, -#endif -#endif -#ifdef SYS_getrandom -#ifdef __NR_getrandom - {"getrandom", __NR_getrandom}, -#endif -#endif -#ifdef SYS_getresgid -#ifdef __NR_getresgid - {"getresgid", __NR_getresgid}, -#endif -#endif -#ifdef SYS_getresuid -#ifdef __NR_getresuid - {"getresuid", __NR_getresuid}, -#endif -#endif -#ifdef SYS_getrlimit -#ifdef __NR_getrlimit - {"getrlimit", __NR_getrlimit}, -#endif -#endif -#ifdef SYS_getrusage -#ifdef __NR_getrusage - {"getrusage", __NR_getrusage}, -#endif -#endif -#ifdef SYS_getsid -#ifdef __NR_getsid - {"getsid", __NR_getsid}, -#endif -#endif -#ifdef SYS_getsockname -#ifdef __NR_getsockname - {"getsockname", __NR_getsockname}, -#endif -#endif -#ifdef SYS_getsockopt -#ifdef __NR_getsockopt - {"getsockopt", __NR_getsockopt}, -#endif -#endif -#ifdef SYS_gettid -#ifdef __NR_gettid - {"gettid", __NR_gettid}, -#endif -#endif -#ifdef SYS_gettimeofday -#ifdef __NR_gettimeofday - {"gettimeofday", __NR_gettimeofday}, -#endif -#endif -#ifdef SYS_getuid -#ifdef __NR_getuid - {"getuid", __NR_getuid}, -#endif -#endif -#ifdef SYS_getxattr -#ifdef __NR_getxattr - {"getxattr", __NR_getxattr}, -#endif -#endif -#ifdef SYS_init_module -#ifdef __NR_init_module - {"init_module", __NR_init_module}, -#endif -#endif -#ifdef SYS_inotify_add_watch -#ifdef __NR_inotify_add_watch - {"inotify_add_watch", __NR_inotify_add_watch}, -#endif -#endif -#ifdef SYS_inotify_init -#ifdef __NR_inotify_init - {"inotify_init", __NR_inotify_init}, -#endif -#endif -#ifdef SYS_inotify_init1 -#ifdef __NR_inotify_init1 - {"inotify_init1", __NR_inotify_init1}, -#endif -#endif -#ifdef SYS_inotify_rm_watch -#ifdef __NR_inotify_rm_watch - {"inotify_rm_watch", __NR_inotify_rm_watch}, -#endif -#endif -#ifdef SYS_io_cancel -#ifdef __NR_io_cancel - {"io_cancel", __NR_io_cancel}, -#endif -#endif -#ifdef SYS_io_destroy -#ifdef __NR_io_destroy - {"io_destroy", 
__NR_io_destroy}, -#endif -#endif -#ifdef SYS_io_getevents -#ifdef __NR_io_getevents - {"io_getevents", __NR_io_getevents}, -#endif -#endif -#ifdef SYS_io_setup -#ifdef __NR_io_setup - {"io_setup", __NR_io_setup}, -#endif -#endif -#ifdef SYS_io_submit -#ifdef __NR_io_submit - {"io_submit", __NR_io_submit}, -#endif -#endif -#ifdef SYS_ioctl -#ifdef __NR_ioctl - {"ioctl", __NR_ioctl}, -#endif -#endif -#ifdef SYS_ioperm -#ifdef __NR_ioperm - {"ioperm", __NR_ioperm}, -#endif -#endif -#ifdef SYS_iopl -#ifdef __NR_iopl - {"iopl", __NR_iopl}, -#endif -#endif -#ifdef SYS_ioprio_get -#ifdef __NR_ioprio_get - {"ioprio_get", __NR_ioprio_get}, -#endif -#endif -#ifdef SYS_ioprio_set -#ifdef __NR_ioprio_set - {"ioprio_set", __NR_ioprio_set}, -#endif -#endif -#ifdef SYS_kcmp -#ifdef __NR_kcmp - {"kcmp", __NR_kcmp}, -#endif -#endif -#ifdef SYS_kexec_file_load -#ifdef __NR_kexec_file_load - {"kexec_file_load", __NR_kexec_file_load}, -#endif -#endif -#ifdef SYS_kexec_load -#ifdef __NR_kexec_load - {"kexec_load", __NR_kexec_load}, -#endif -#endif -#ifdef SYS_keyctl -#ifdef __NR_keyctl - {"keyctl", __NR_keyctl}, -#endif -#endif -#ifdef SYS_kill -#ifdef __NR_kill - {"kill", __NR_kill}, -#endif -#endif -#ifdef SYS_lchown -#ifdef __NR_lchown - {"lchown", __NR_lchown}, -#endif -#endif -#ifdef SYS_lgetxattr -#ifdef __NR_lgetxattr - {"lgetxattr", __NR_lgetxattr}, -#endif -#endif -#ifdef SYS_link -#ifdef __NR_link - {"link", __NR_link}, -#endif -#endif -#ifdef SYS_linkat -#ifdef __NR_linkat - {"linkat", __NR_linkat}, -#endif -#endif -#ifdef SYS_listen -#ifdef __NR_listen - {"listen", __NR_listen}, -#endif -#endif -#ifdef SYS_listxattr -#ifdef __NR_listxattr - {"listxattr", __NR_listxattr}, -#endif -#endif -#ifdef SYS_llistxattr -#ifdef __NR_llistxattr - {"llistxattr", __NR_llistxattr}, -#endif -#endif -#ifdef SYS_lookup_dcookie -#ifdef __NR_lookup_dcookie - {"lookup_dcookie", __NR_lookup_dcookie}, -#endif -#endif -#ifdef SYS_lremovexattr -#ifdef __NR_lremovexattr - {"lremovexattr", 
__NR_lremovexattr}, -#endif -#endif -#ifdef SYS_lseek -#ifdef __NR_lseek - {"lseek", __NR_lseek}, -#endif -#endif -#ifdef SYS_lsetxattr -#ifdef __NR_lsetxattr - {"lsetxattr", __NR_lsetxattr}, -#endif -#endif -#ifdef SYS_lstat -#ifdef __NR_lstat - {"lstat", __NR_lstat}, -#endif -#endif -#ifdef SYS_madvise -#ifdef __NR_madvise - {"madvise", __NR_madvise}, -#endif -#endif -#ifdef SYS_mbind -#ifdef __NR_mbind - {"mbind", __NR_mbind}, -#endif -#endif -#ifdef SYS_membarrier -#ifdef __NR_membarrier - {"membarrier", __NR_membarrier}, -#endif -#endif -#ifdef SYS_memfd_create -#ifdef __NR_memfd_create - {"memfd_create", __NR_memfd_create}, -#endif -#endif -#ifdef SYS_migrate_pages -#ifdef __NR_migrate_pages - {"migrate_pages", __NR_migrate_pages}, -#endif -#endif -#ifdef SYS_mincore -#ifdef __NR_mincore - {"mincore", __NR_mincore}, -#endif -#endif -#ifdef SYS_mkdir -#ifdef __NR_mkdir - {"mkdir", __NR_mkdir}, -#endif -#endif -#ifdef SYS_mkdirat -#ifdef __NR_mkdirat - {"mkdirat", __NR_mkdirat}, -#endif -#endif -#ifdef SYS_mknod -#ifdef __NR_mknod - {"mknod", __NR_mknod}, -#endif -#endif -#ifdef SYS_mknodat -#ifdef __NR_mknodat - {"mknodat", __NR_mknodat}, -#endif -#endif -#ifdef SYS_mlock -#ifdef __NR_mlock - {"mlock", __NR_mlock}, -#endif -#endif -#ifdef SYS_mlock2 -#ifdef __NR_mlock2 - {"mlock2", __NR_mlock2}, -#endif -#endif -#ifdef SYS_mlockall -#ifdef __NR_mlockall - {"mlockall", __NR_mlockall}, -#endif -#endif -#ifdef SYS_mmap -#ifdef __NR_mmap - {"mmap", __NR_mmap}, -#endif -#endif -#ifdef SYS_modify_ldt -#ifdef __NR_modify_ldt - {"modify_ldt", __NR_modify_ldt}, -#endif -#endif -#ifdef SYS_mount -#ifdef __NR_mount - {"mount", __NR_mount}, -#endif -#endif -#ifdef SYS_move_pages -#ifdef __NR_move_pages - {"move_pages", __NR_move_pages}, -#endif -#endif -#ifdef SYS_mprotect -#ifdef __NR_mprotect - {"mprotect", __NR_mprotect}, -#endif -#endif -#ifdef SYS_mq_getsetattr -#ifdef __NR_mq_getsetattr - {"mq_getsetattr", __NR_mq_getsetattr}, -#endif -#endif -#ifdef SYS_mq_notify 
-#ifdef __NR_mq_notify - {"mq_notify", __NR_mq_notify}, -#endif -#endif -#ifdef SYS_mq_open -#ifdef __NR_mq_open - {"mq_open", __NR_mq_open}, -#endif -#endif -#ifdef SYS_mq_timedreceive -#ifdef __NR_mq_timedreceive - {"mq_timedreceive", __NR_mq_timedreceive}, -#endif -#endif -#ifdef SYS_mq_timedsend -#ifdef __NR_mq_timedsend - {"mq_timedsend", __NR_mq_timedsend}, -#endif -#endif -#ifdef SYS_mq_unlink -#ifdef __NR_mq_unlink - {"mq_unlink", __NR_mq_unlink}, -#endif -#endif -#ifdef SYS_mremap -#ifdef __NR_mremap - {"mremap", __NR_mremap}, -#endif -#endif -#ifdef SYS_msgctl -#ifdef __NR_msgctl - {"msgctl", __NR_msgctl}, -#endif -#endif -#ifdef SYS_msgget -#ifdef __NR_msgget - {"msgget", __NR_msgget}, -#endif -#endif -#ifdef SYS_msgrcv -#ifdef __NR_msgrcv - {"msgrcv", __NR_msgrcv}, -#endif -#endif -#ifdef SYS_msgsnd -#ifdef __NR_msgsnd - {"msgsnd", __NR_msgsnd}, -#endif -#endif -#ifdef SYS_msync -#ifdef __NR_msync - {"msync", __NR_msync}, -#endif -#endif -#ifdef SYS_munlock -#ifdef __NR_munlock - {"munlock", __NR_munlock}, -#endif -#endif -#ifdef SYS_munlockall -#ifdef __NR_munlockall - {"munlockall", __NR_munlockall}, -#endif -#endif -#ifdef SYS_munmap -#ifdef __NR_munmap - {"munmap", __NR_munmap}, -#endif -#endif -#ifdef SYS_name_to_handle_at -#ifdef __NR_name_to_handle_at - {"name_to_handle_at", __NR_name_to_handle_at}, -#endif -#endif -#ifdef SYS_nanosleep -#ifdef __NR_nanosleep - {"nanosleep", __NR_nanosleep}, -#endif -#endif -#ifdef SYS_newfstatat -#ifdef __NR_newfstatat - {"newfstatat", __NR_newfstatat}, -#endif -#endif -#ifdef SYS_nfsservctl -#ifdef __NR_nfsservctl - {"nfsservctl", __NR_nfsservctl}, -#endif -#endif -#ifdef SYS_open -#ifdef __NR_open - {"open", __NR_open}, -#endif -#endif -#ifdef SYS_open_by_handle_at -#ifdef __NR_open_by_handle_at - {"open_by_handle_at", __NR_open_by_handle_at}, -#endif -#endif -#ifdef SYS_openat -#ifdef __NR_openat - {"openat", __NR_openat}, -#endif -#endif -#ifdef SYS_pause -#ifdef __NR_pause - {"pause", __NR_pause}, -#endif 
-#endif -#ifdef SYS_perf_event_open -#ifdef __NR_perf_event_open - {"perf_event_open", __NR_perf_event_open}, -#endif -#endif -#ifdef SYS_personality -#ifdef __NR_personality - {"personality", __NR_personality}, -#endif -#endif -#ifdef SYS_pipe -#ifdef __NR_pipe - {"pipe", __NR_pipe}, -#endif -#endif -#ifdef SYS_pipe2 -#ifdef __NR_pipe2 - {"pipe2", __NR_pipe2}, -#endif -#endif -#ifdef SYS_pivot_root -#ifdef __NR_pivot_root - {"pivot_root", __NR_pivot_root}, -#endif -#endif -#ifdef SYS_poll -#ifdef __NR_poll - {"poll", __NR_poll}, -#endif -#endif -#ifdef SYS_ppoll -#ifdef __NR_ppoll - {"ppoll", __NR_ppoll}, -#endif -#endif -#ifdef SYS_prctl -#ifdef __NR_prctl - {"prctl", __NR_prctl}, -#endif -#endif -#ifdef SYS_pread64 -#ifdef __NR_pread64 - {"pread64", __NR_pread64}, -#endif -#endif -#ifdef SYS_preadv -#ifdef __NR_preadv - {"preadv", __NR_preadv}, -#endif -#endif -#ifdef SYS_prlimit64 -#ifdef __NR_prlimit64 - {"prlimit64", __NR_prlimit64}, -#endif -#endif -#ifdef SYS_process_vm_readv -#ifdef __NR_process_vm_readv - {"process_vm_readv", __NR_process_vm_readv}, -#endif -#endif -#ifdef SYS_process_vm_writev -#ifdef __NR_process_vm_writev - {"process_vm_writev", __NR_process_vm_writev}, -#endif -#endif -#ifdef SYS_pselect6 -#ifdef __NR_pselect6 - {"pselect6", __NR_pselect6}, -#endif -#endif -#ifdef SYS_ptrace -#ifdef __NR_ptrace - {"ptrace", __NR_ptrace}, -#endif -#endif -#ifdef SYS_putpmsg -#ifdef __NR_putpmsg - {"putpmsg", __NR_putpmsg}, -#endif -#endif -#ifdef SYS_pwrite64 -#ifdef __NR_pwrite64 - {"pwrite64", __NR_pwrite64}, -#endif -#endif -#ifdef SYS_pwritev -#ifdef __NR_pwritev - {"pwritev", __NR_pwritev}, -#endif -#endif -#ifdef SYS_query_module -#ifdef __NR_query_module - {"query_module", __NR_query_module}, -#endif -#endif -#ifdef SYS_quotactl -#ifdef __NR_quotactl - {"quotactl", __NR_quotactl}, -#endif -#endif -#ifdef SYS_read -#ifdef __NR_read - {"read", __NR_read}, -#endif -#endif -#ifdef SYS_readahead -#ifdef __NR_readahead - {"readahead", __NR_readahead}, 
-#endif -#endif -#ifdef SYS_readlink -#ifdef __NR_readlink - {"readlink", __NR_readlink}, -#endif -#endif -#ifdef SYS_readlinkat -#ifdef __NR_readlinkat - {"readlinkat", __NR_readlinkat}, -#endif -#endif -#ifdef SYS_readv -#ifdef __NR_readv - {"readv", __NR_readv}, -#endif -#endif -#ifdef SYS_reboot -#ifdef __NR_reboot - {"reboot", __NR_reboot}, -#endif -#endif -#ifdef SYS_recvfrom -#ifdef __NR_recvfrom - {"recvfrom", __NR_recvfrom}, -#endif -#endif -#ifdef SYS_recvmmsg -#ifdef __NR_recvmmsg - {"recvmmsg", __NR_recvmmsg}, -#endif -#endif -#ifdef SYS_recvmsg -#ifdef __NR_recvmsg - {"recvmsg", __NR_recvmsg}, -#endif -#endif -#ifdef SYS_remap_file_pages -#ifdef __NR_remap_file_pages - {"remap_file_pages", __NR_remap_file_pages}, -#endif -#endif -#ifdef SYS_removexattr -#ifdef __NR_removexattr - {"removexattr", __NR_removexattr}, -#endif -#endif -#ifdef SYS_rename -#ifdef __NR_rename - {"rename", __NR_rename}, -#endif -#endif -#ifdef SYS_renameat -#ifdef __NR_renameat - {"renameat", __NR_renameat}, -#endif -#endif -#ifdef SYS_renameat2 -#ifdef __NR_renameat2 - {"renameat2", __NR_renameat2}, -#endif -#endif -#ifdef SYS_request_key -#ifdef __NR_request_key - {"request_key", __NR_request_key}, -#endif -#endif -#ifdef SYS_restart_syscall -#ifdef __NR_restart_syscall - {"restart_syscall", __NR_restart_syscall}, -#endif -#endif -#ifdef SYS_rmdir -#ifdef __NR_rmdir - {"rmdir", __NR_rmdir}, -#endif -#endif -#ifdef SYS_rt_sigaction -#ifdef __NR_rt_sigaction - {"rt_sigaction", __NR_rt_sigaction}, -#endif -#endif -#ifdef SYS_rt_sigpending -#ifdef __NR_rt_sigpending - {"rt_sigpending", __NR_rt_sigpending}, -#endif -#endif -#ifdef SYS_rt_sigprocmask -#ifdef __NR_rt_sigprocmask - {"rt_sigprocmask", __NR_rt_sigprocmask}, -#endif -#endif -#ifdef SYS_rt_sigqueueinfo -#ifdef __NR_rt_sigqueueinfo - {"rt_sigqueueinfo", __NR_rt_sigqueueinfo}, -#endif -#endif -#ifdef SYS_rt_sigreturn -#ifdef __NR_rt_sigreturn - {"rt_sigreturn", __NR_rt_sigreturn}, -#endif -#endif -#ifdef SYS_rt_sigsuspend 
-#ifdef __NR_rt_sigsuspend - {"rt_sigsuspend", __NR_rt_sigsuspend}, -#endif -#endif -#ifdef SYS_rt_sigtimedwait -#ifdef __NR_rt_sigtimedwait - {"rt_sigtimedwait", __NR_rt_sigtimedwait}, -#endif -#endif -#ifdef SYS_rt_tgsigqueueinfo -#ifdef __NR_rt_tgsigqueueinfo - {"rt_tgsigqueueinfo", __NR_rt_tgsigqueueinfo}, -#endif -#endif -#ifdef SYS_sched_get_priority_max -#ifdef __NR_sched_get_priority_max - {"sched_get_priority_max", __NR_sched_get_priority_max}, -#endif -#endif -#ifdef SYS_sched_get_priority_min -#ifdef __NR_sched_get_priority_min - {"sched_get_priority_min", __NR_sched_get_priority_min}, -#endif -#endif -#ifdef SYS_sched_getaffinity -#ifdef __NR_sched_getaffinity - {"sched_getaffinity", __NR_sched_getaffinity}, -#endif -#endif -#ifdef SYS_sched_getattr -#ifdef __NR_sched_getattr - {"sched_getattr", __NR_sched_getattr}, -#endif -#endif -#ifdef SYS_sched_getparam -#ifdef __NR_sched_getparam - {"sched_getparam", __NR_sched_getparam}, -#endif -#endif -#ifdef SYS_sched_getscheduler -#ifdef __NR_sched_getscheduler - {"sched_getscheduler", __NR_sched_getscheduler}, -#endif -#endif -#ifdef SYS_sched_rr_get_interval -#ifdef __NR_sched_rr_get_interval - {"sched_rr_get_interval", __NR_sched_rr_get_interval}, -#endif -#endif -#ifdef SYS_sched_setaffinity -#ifdef __NR_sched_setaffinity - {"sched_setaffinity", __NR_sched_setaffinity}, -#endif -#endif -#ifdef SYS_sched_setattr -#ifdef __NR_sched_setattr - {"sched_setattr", __NR_sched_setattr}, -#endif -#endif -#ifdef SYS_sched_setparam -#ifdef __NR_sched_setparam - {"sched_setparam", __NR_sched_setparam}, -#endif -#endif -#ifdef SYS_sched_setscheduler -#ifdef __NR_sched_setscheduler - {"sched_setscheduler", __NR_sched_setscheduler}, -#endif -#endif -#ifdef SYS_sched_yield -#ifdef __NR_sched_yield - {"sched_yield", __NR_sched_yield}, -#endif -#endif -#ifdef SYS_seccomp -#ifdef __NR_seccomp - {"seccomp", __NR_seccomp}, -#endif -#endif -#ifdef SYS_security -#ifdef __NR_security - {"security", __NR_security}, -#endif -#endif 
-#ifdef SYS_select -#ifdef __NR_select - {"select", __NR_select}, -#endif -#endif -#ifdef SYS_semctl -#ifdef __NR_semctl - {"semctl", __NR_semctl}, -#endif -#endif -#ifdef SYS_semget -#ifdef __NR_semget - {"semget", __NR_semget}, -#endif -#endif -#ifdef SYS_semop -#ifdef __NR_semop - {"semop", __NR_semop}, -#endif -#endif -#ifdef SYS_semtimedop -#ifdef __NR_semtimedop - {"semtimedop", __NR_semtimedop}, -#endif -#endif -#ifdef SYS_sendfile -#ifdef __NR_sendfile - {"sendfile", __NR_sendfile}, -#endif -#endif -#ifdef SYS_sendmmsg -#ifdef __NR_sendmmsg - {"sendmmsg", __NR_sendmmsg}, -#endif -#endif -#ifdef SYS_sendmsg -#ifdef __NR_sendmsg - {"sendmsg", __NR_sendmsg}, -#endif -#endif -#ifdef SYS_sendto -#ifdef __NR_sendto - {"sendto", __NR_sendto}, -#endif -#endif -#ifdef SYS_set_mempolicy -#ifdef __NR_set_mempolicy - {"set_mempolicy", __NR_set_mempolicy}, -#endif -#endif -#ifdef SYS_set_robust_list -#ifdef __NR_set_robust_list - {"set_robust_list", __NR_set_robust_list}, -#endif -#endif -#ifdef SYS_set_thread_area -#ifdef __NR_set_thread_area - {"set_thread_area", __NR_set_thread_area}, -#endif -#endif -#ifdef SYS_set_tid_address -#ifdef __NR_set_tid_address - {"set_tid_address", __NR_set_tid_address}, -#endif -#endif -#ifdef SYS_setdomainname -#ifdef __NR_setdomainname - {"setdomainname", __NR_setdomainname}, -#endif -#endif -#ifdef SYS_setfsgid -#ifdef __NR_setfsgid - {"setfsgid", __NR_setfsgid}, -#endif -#endif -#ifdef SYS_setfsuid -#ifdef __NR_setfsuid - {"setfsuid", __NR_setfsuid}, -#endif -#endif -#ifdef SYS_setgid -#ifdef __NR_setgid - {"setgid", __NR_setgid}, -#endif -#endif -#ifdef SYS_setgroups -#ifdef __NR_setgroups - {"setgroups", __NR_setgroups}, -#endif -#endif -#ifdef SYS_sethostname -#ifdef __NR_sethostname - {"sethostname", __NR_sethostname}, -#endif -#endif -#ifdef SYS_setitimer -#ifdef __NR_setitimer - {"setitimer", __NR_setitimer}, -#endif -#endif -#ifdef SYS_setns -#ifdef __NR_setns - {"setns", __NR_setns}, -#endif -#endif -#ifdef SYS_setpgid 
-#ifdef __NR_setpgid - {"setpgid", __NR_setpgid}, -#endif -#endif -#ifdef SYS_setpriority -#ifdef __NR_setpriority - {"setpriority", __NR_setpriority}, -#endif -#endif -#ifdef SYS_setregid -#ifdef __NR_setregid - {"setregid", __NR_setregid}, -#endif -#endif -#ifdef SYS_setresgid -#ifdef __NR_setresgid - {"setresgid", __NR_setresgid}, -#endif -#endif -#ifdef SYS_setresuid -#ifdef __NR_setresuid - {"setresuid", __NR_setresuid}, -#endif -#endif -#ifdef SYS_setreuid -#ifdef __NR_setreuid - {"setreuid", __NR_setreuid}, -#endif -#endif -#ifdef SYS_setrlimit -#ifdef __NR_setrlimit - {"setrlimit", __NR_setrlimit}, -#endif -#endif -#ifdef SYS_setsid -#ifdef __NR_setsid - {"setsid", __NR_setsid}, -#endif -#endif -#ifdef SYS_setsockopt -#ifdef __NR_setsockopt - {"setsockopt", __NR_setsockopt}, -#endif -#endif -#ifdef SYS_settimeofday -#ifdef __NR_settimeofday - {"settimeofday", __NR_settimeofday}, -#endif -#endif -#ifdef SYS_setuid -#ifdef __NR_setuid - {"setuid", __NR_setuid}, -#endif -#endif -#ifdef SYS_setxattr -#ifdef __NR_setxattr - {"setxattr", __NR_setxattr}, -#endif -#endif -#ifdef SYS_shmat -#ifdef __NR_shmat - {"shmat", __NR_shmat}, -#endif -#endif -#ifdef SYS_shmctl -#ifdef __NR_shmctl - {"shmctl", __NR_shmctl}, -#endif -#endif -#ifdef SYS_shmdt -#ifdef __NR_shmdt - {"shmdt", __NR_shmdt}, -#endif -#endif -#ifdef SYS_shmget -#ifdef __NR_shmget - {"shmget", __NR_shmget}, -#endif -#endif -#ifdef SYS_shutdown -#ifdef __NR_shutdown - {"shutdown", __NR_shutdown}, -#endif -#endif -#ifdef SYS_sigaltstack -#ifdef __NR_sigaltstack - {"sigaltstack", __NR_sigaltstack}, -#endif -#endif -#ifdef SYS_signalfd -#ifdef __NR_signalfd - {"signalfd", __NR_signalfd}, -#endif -#endif -#ifdef SYS_signalfd4 -#ifdef __NR_signalfd4 - {"signalfd4", __NR_signalfd4}, -#endif -#endif -#ifdef SYS_socket -#ifdef __NR_socket - {"socket", __NR_socket}, -#endif -#endif -#ifdef SYS_socketpair -#ifdef __NR_socketpair - {"socketpair", __NR_socketpair}, -#endif -#endif -#ifdef SYS_splice -#ifdef 
__NR_splice - {"splice", __NR_splice}, -#endif -#endif -#ifdef SYS_stat -#ifdef __NR_stat - {"stat", __NR_stat}, -#endif -#endif -#ifdef SYS_statfs -#ifdef __NR_statfs - {"statfs", __NR_statfs}, -#endif -#endif -#ifdef SYS_swapoff -#ifdef __NR_swapoff - {"swapoff", __NR_swapoff}, -#endif -#endif -#ifdef SYS_swapon -#ifdef __NR_swapon - {"swapon", __NR_swapon}, -#endif -#endif -#ifdef SYS_symlink -#ifdef __NR_symlink - {"symlink", __NR_symlink}, -#endif -#endif -#ifdef SYS_symlinkat -#ifdef __NR_symlinkat - {"symlinkat", __NR_symlinkat}, -#endif -#endif -#ifdef SYS_sync -#ifdef __NR_sync - {"sync", __NR_sync}, -#endif -#endif -#ifdef SYS_sync_file_range -#ifdef __NR_sync_file_range - {"sync_file_range", __NR_sync_file_range}, -#endif -#endif -#ifdef SYS_syncfs -#ifdef __NR_syncfs - {"syncfs", __NR_syncfs}, -#endif -#endif -#ifdef SYS_sysfs -#ifdef __NR_sysfs - {"sysfs", __NR_sysfs}, -#endif -#endif -#ifdef SYS_sysinfo -#ifdef __NR_sysinfo - {"sysinfo", __NR_sysinfo}, -#endif -#endif -#ifdef SYS_syslog -#ifdef __NR_syslog - {"syslog", __NR_syslog}, -#endif -#endif -#ifdef SYS_tee -#ifdef __NR_tee - {"tee", __NR_tee}, -#endif -#endif -#ifdef SYS_tgkill -#ifdef __NR_tgkill - {"tgkill", __NR_tgkill}, -#endif -#endif -#ifdef SYS_time -#ifdef __NR_time - {"time", __NR_time}, -#endif -#endif -#ifdef SYS_timer_create -#ifdef __NR_timer_create - {"timer_create", __NR_timer_create}, -#endif -#endif -#ifdef SYS_timer_delete -#ifdef __NR_timer_delete - {"timer_delete", __NR_timer_delete}, -#endif -#endif -#ifdef SYS_timer_getoverrun -#ifdef __NR_timer_getoverrun - {"timer_getoverrun", __NR_timer_getoverrun}, -#endif -#endif -#ifdef SYS_timer_gettime -#ifdef __NR_timer_gettime - {"timer_gettime", __NR_timer_gettime}, -#endif -#endif -#ifdef SYS_timer_settime -#ifdef __NR_timer_settime - {"timer_settime", __NR_timer_settime}, -#endif -#endif -#ifdef SYS_timerfd_create -#ifdef __NR_timerfd_create - {"timerfd_create", __NR_timerfd_create}, -#endif -#endif -#ifdef 
SYS_timerfd_gettime -#ifdef __NR_timerfd_gettime - {"timerfd_gettime", __NR_timerfd_gettime}, -#endif -#endif -#ifdef SYS_timerfd_settime -#ifdef __NR_timerfd_settime - {"timerfd_settime", __NR_timerfd_settime}, -#endif -#endif -#ifdef SYS_times -#ifdef __NR_times - {"times", __NR_times}, -#endif -#endif -#ifdef SYS_tkill -#ifdef __NR_tkill - {"tkill", __NR_tkill}, -#endif -#endif -#ifdef SYS_truncate -#ifdef __NR_truncate - {"truncate", __NR_truncate}, -#endif -#endif -#ifdef SYS_tuxcall -#ifdef __NR_tuxcall - {"tuxcall", __NR_tuxcall}, -#endif -#endif -#ifdef SYS_umask -#ifdef __NR_umask - {"umask", __NR_umask}, -#endif -#endif -#ifdef SYS_umount2 -#ifdef __NR_umount2 - {"umount2", __NR_umount2}, -#endif -#endif -#ifdef SYS_uname -#ifdef __NR_uname - {"uname", __NR_uname}, -#endif -#endif -#ifdef SYS_unlink -#ifdef __NR_unlink - {"unlink", __NR_unlink}, -#endif -#endif -#ifdef SYS_unlinkat -#ifdef __NR_unlinkat - {"unlinkat", __NR_unlinkat}, -#endif -#endif -#ifdef SYS_unshare -#ifdef __NR_unshare - {"unshare", __NR_unshare}, -#endif -#endif -#ifdef SYS_uselib -#ifdef __NR_uselib - {"uselib", __NR_uselib}, -#endif -#endif -#ifdef SYS_userfaultfd -#ifdef __NR_userfaultfd - {"userfaultfd", __NR_userfaultfd}, -#endif -#endif -#ifdef SYS_ustat -#ifdef __NR_ustat - {"ustat", __NR_ustat}, -#endif -#endif -#ifdef SYS_utime -#ifdef __NR_utime - {"utime", __NR_utime}, -#endif -#endif -#ifdef SYS_utimensat -#ifdef __NR_utimensat - {"utimensat", __NR_utimensat}, -#endif -#endif -#ifdef SYS_utimes -#ifdef __NR_utimes - {"utimes", __NR_utimes}, -#endif -#endif -#ifdef SYS_vfork -#ifdef __NR_vfork - {"vfork", __NR_vfork}, -#endif -#endif -#ifdef SYS_vhangup -#ifdef __NR_vhangup - {"vhangup", __NR_vhangup}, -#endif -#endif -#ifdef SYS_vmsplice -#ifdef __NR_vmsplice - {"vmsplice", __NR_vmsplice}, -#endif -#endif -#ifdef SYS_vserver -#ifdef __NR_vserver - {"vserver", __NR_vserver}, -#endif -#endif -#ifdef SYS_wait4 -#ifdef __NR_wait4 - {"wait4", __NR_wait4}, -#endif -#endif 
-#ifdef SYS_waitid -#ifdef __NR_waitid - {"waitid", __NR_waitid}, -#endif -#endif -#ifdef SYS_write -#ifdef __NR_write - {"write", __NR_write}, -#endif -#endif -#ifdef SYS_writev -#ifdef __NR_writev - {"writev", __NR_writev}, -#endif -#endif -#endif -#if defined __x86_64__ && defined __ILP32__ -#ifdef SYS_accept -#ifdef __NR_accept - {"accept", __NR_accept}, -#endif -#endif -#ifdef SYS_accept4 -#ifdef __NR_accept4 - {"accept4", __NR_accept4}, -#endif -#endif -#ifdef SYS_access -#ifdef __NR_access - {"access", __NR_access}, -#endif -#endif -#ifdef SYS_acct -#ifdef __NR_acct - {"acct", __NR_acct}, -#endif -#endif -#ifdef SYS_add_key -#ifdef __NR_add_key - {"add_key", __NR_add_key}, -#endif -#endif -#ifdef SYS_adjtimex -#ifdef __NR_adjtimex - {"adjtimex", __NR_adjtimex}, -#endif -#endif -#ifdef SYS_afs_syscall -#ifdef __NR_afs_syscall - {"afs_syscall", __NR_afs_syscall}, -#endif -#endif -#ifdef SYS_alarm -#ifdef __NR_alarm - {"alarm", __NR_alarm}, -#endif -#endif -#ifdef SYS_arch_prctl -#ifdef __NR_arch_prctl - {"arch_prctl", __NR_arch_prctl}, -#endif -#endif -#ifdef SYS_bind -#ifdef __NR_bind - {"bind", __NR_bind}, -#endif -#endif -#ifdef SYS_bpf -#ifdef __NR_bpf - {"bpf", __NR_bpf}, -#endif -#endif -#ifdef SYS_brk -#ifdef __NR_brk - {"brk", __NR_brk}, -#endif -#endif -#ifdef SYS_capget -#ifdef __NR_capget - {"capget", __NR_capget}, -#endif -#endif -#ifdef SYS_capset -#ifdef __NR_capset - {"capset", __NR_capset}, -#endif -#endif -#ifdef SYS_chdir -#ifdef __NR_chdir - {"chdir", __NR_chdir}, -#endif -#endif -#ifdef SYS_chmod -#ifdef __NR_chmod - {"chmod", __NR_chmod}, -#endif -#endif -#ifdef SYS_chown -#ifdef __NR_chown - {"chown", __NR_chown}, -#endif -#endif -#ifdef SYS_chroot -#ifdef __NR_chroot - {"chroot", __NR_chroot}, -#endif -#endif -#ifdef SYS_clock_adjtime -#ifdef __NR_clock_adjtime - {"clock_adjtime", __NR_clock_adjtime}, -#endif -#endif -#ifdef SYS_clock_getres -#ifdef __NR_clock_getres - {"clock_getres", __NR_clock_getres}, -#endif -#endif -#ifdef 
SYS_clock_gettime -#ifdef __NR_clock_gettime - {"clock_gettime", __NR_clock_gettime}, -#endif -#endif -#ifdef SYS_clock_nanosleep -#ifdef __NR_clock_nanosleep - {"clock_nanosleep", __NR_clock_nanosleep}, -#endif -#endif -#ifdef SYS_clock_settime -#ifdef __NR_clock_settime - {"clock_settime", __NR_clock_settime}, -#endif -#endif -#ifdef SYS_clone -#ifdef __NR_clone - {"clone", __NR_clone}, -#endif -#endif -#ifdef SYS_close -#ifdef __NR_close - {"close", __NR_close}, -#endif -#endif -#ifdef SYS_connect -#ifdef __NR_connect - {"connect", __NR_connect}, -#endif -#endif -#ifdef SYS_copy_file_range -#ifdef __NR_copy_file_range - {"copy_file_range", __NR_copy_file_range}, -#endif -#endif -#ifdef SYS_creat -#ifdef __NR_creat - {"creat", __NR_creat}, -#endif -#endif -#ifdef SYS_delete_module -#ifdef __NR_delete_module - {"delete_module", __NR_delete_module}, -#endif -#endif -#ifdef SYS_dup -#ifdef __NR_dup - {"dup", __NR_dup}, -#endif -#endif -#ifdef SYS_dup2 -#ifdef __NR_dup2 - {"dup2", __NR_dup2}, -#endif -#endif -#ifdef SYS_dup3 -#ifdef __NR_dup3 - {"dup3", __NR_dup3}, -#endif -#endif -#ifdef SYS_epoll_create -#ifdef __NR_epoll_create - {"epoll_create", __NR_epoll_create}, -#endif -#endif -#ifdef SYS_epoll_create1 -#ifdef __NR_epoll_create1 - {"epoll_create1", __NR_epoll_create1}, -#endif -#endif -#ifdef SYS_epoll_ctl -#ifdef __NR_epoll_ctl - {"epoll_ctl", __NR_epoll_ctl}, -#endif -#endif -#ifdef SYS_epoll_pwait -#ifdef __NR_epoll_pwait - {"epoll_pwait", __NR_epoll_pwait}, -#endif -#endif -#ifdef SYS_epoll_wait -#ifdef __NR_epoll_wait - {"epoll_wait", __NR_epoll_wait}, -#endif -#endif -#ifdef SYS_eventfd -#ifdef __NR_eventfd - {"eventfd", __NR_eventfd}, -#endif -#endif -#ifdef SYS_eventfd2 -#ifdef __NR_eventfd2 - {"eventfd2", __NR_eventfd2}, -#endif -#endif -#ifdef SYS_execve -#ifdef __NR_execve - {"execve", __NR_execve}, -#endif -#endif -#ifdef SYS_execveat -#ifdef __NR_execveat - {"execveat", __NR_execveat}, -#endif -#endif -#ifdef SYS_exit -#ifdef __NR_exit - {"exit", 
__NR_exit}, -#endif -#endif -#ifdef SYS_exit_group -#ifdef __NR_exit_group - {"exit_group", __NR_exit_group}, -#endif -#endif -#ifdef SYS_faccessat -#ifdef __NR_faccessat - {"faccessat", __NR_faccessat}, -#endif -#endif -#ifdef SYS_fadvise64 -#ifdef __NR_fadvise64 - {"fadvise64", __NR_fadvise64}, -#endif -#endif -#ifdef SYS_fallocate -#ifdef __NR_fallocate - {"fallocate", __NR_fallocate}, -#endif -#endif -#ifdef SYS_fanotify_init -#ifdef __NR_fanotify_init - {"fanotify_init", __NR_fanotify_init}, -#endif -#endif -#ifdef SYS_fanotify_mark -#ifdef __NR_fanotify_mark - {"fanotify_mark", __NR_fanotify_mark}, -#endif -#endif -#ifdef SYS_fchdir -#ifdef __NR_fchdir - {"fchdir", __NR_fchdir}, -#endif -#endif -#ifdef SYS_fchmod -#ifdef __NR_fchmod - {"fchmod", __NR_fchmod}, -#endif -#endif -#ifdef SYS_fchmodat -#ifdef __NR_fchmodat - {"fchmodat", __NR_fchmodat}, -#endif -#endif -#ifdef SYS_fchown -#ifdef __NR_fchown - {"fchown", __NR_fchown}, -#endif -#endif -#ifdef SYS_fchownat -#ifdef __NR_fchownat - {"fchownat", __NR_fchownat}, -#endif -#endif -#ifdef SYS_fcntl -#ifdef __NR_fcntl - {"fcntl", __NR_fcntl}, -#endif -#endif -#ifdef SYS_fdatasync -#ifdef __NR_fdatasync - {"fdatasync", __NR_fdatasync}, -#endif -#endif -#ifdef SYS_fgetxattr -#ifdef __NR_fgetxattr - {"fgetxattr", __NR_fgetxattr}, -#endif -#endif -#ifdef SYS_finit_module -#ifdef __NR_finit_module - {"finit_module", __NR_finit_module}, -#endif -#endif -#ifdef SYS_flistxattr -#ifdef __NR_flistxattr - {"flistxattr", __NR_flistxattr}, -#endif -#endif -#ifdef SYS_flock -#ifdef __NR_flock - {"flock", __NR_flock}, -#endif -#endif -#ifdef SYS_fork -#ifdef __NR_fork - {"fork", __NR_fork}, -#endif -#endif -#ifdef SYS_fremovexattr -#ifdef __NR_fremovexattr - {"fremovexattr", __NR_fremovexattr}, -#endif -#endif -#ifdef SYS_fsetxattr -#ifdef __NR_fsetxattr - {"fsetxattr", __NR_fsetxattr}, -#endif -#endif -#ifdef SYS_fstat -#ifdef __NR_fstat - {"fstat", __NR_fstat}, -#endif -#endif -#ifdef SYS_fstatfs -#ifdef __NR_fstatfs - 
{"fstatfs", __NR_fstatfs}, -#endif -#endif -#ifdef SYS_fsync -#ifdef __NR_fsync - {"fsync", __NR_fsync}, -#endif -#endif -#ifdef SYS_ftruncate -#ifdef __NR_ftruncate - {"ftruncate", __NR_ftruncate}, -#endif -#endif -#ifdef SYS_futex -#ifdef __NR_futex - {"futex", __NR_futex}, -#endif -#endif -#ifdef SYS_futimesat -#ifdef __NR_futimesat - {"futimesat", __NR_futimesat}, -#endif -#endif -#ifdef SYS_get_mempolicy -#ifdef __NR_get_mempolicy - {"get_mempolicy", __NR_get_mempolicy}, -#endif -#endif -#ifdef SYS_get_robust_list -#ifdef __NR_get_robust_list - {"get_robust_list", __NR_get_robust_list}, -#endif -#endif -#ifdef SYS_getcpu -#ifdef __NR_getcpu - {"getcpu", __NR_getcpu}, -#endif -#endif -#ifdef SYS_getcwd -#ifdef __NR_getcwd - {"getcwd", __NR_getcwd}, -#endif -#endif -#ifdef SYS_getdents -#ifdef __NR_getdents - {"getdents", __NR_getdents}, -#endif -#endif -#ifdef SYS_getdents64 -#ifdef __NR_getdents64 - {"getdents64", __NR_getdents64}, -#endif -#endif -#ifdef SYS_getegid -#ifdef __NR_getegid - {"getegid", __NR_getegid}, -#endif -#endif -#ifdef SYS_geteuid -#ifdef __NR_geteuid - {"geteuid", __NR_geteuid}, -#endif -#endif -#ifdef SYS_getgid -#ifdef __NR_getgid - {"getgid", __NR_getgid}, -#endif -#endif -#ifdef SYS_getgroups -#ifdef __NR_getgroups - {"getgroups", __NR_getgroups}, -#endif -#endif -#ifdef SYS_getitimer -#ifdef __NR_getitimer - {"getitimer", __NR_getitimer}, -#endif -#endif -#ifdef SYS_getpeername -#ifdef __NR_getpeername - {"getpeername", __NR_getpeername}, -#endif -#endif -#ifdef SYS_getpgid -#ifdef __NR_getpgid - {"getpgid", __NR_getpgid}, -#endif -#endif -#ifdef SYS_getpgrp -#ifdef __NR_getpgrp - {"getpgrp", __NR_getpgrp}, -#endif -#endif -#ifdef SYS_getpid -#ifdef __NR_getpid - {"getpid", __NR_getpid}, -#endif -#endif -#ifdef SYS_getpmsg -#ifdef __NR_getpmsg - {"getpmsg", __NR_getpmsg}, -#endif -#endif -#ifdef SYS_getppid -#ifdef __NR_getppid - {"getppid", __NR_getppid}, -#endif -#endif -#ifdef SYS_getpriority -#ifdef __NR_getpriority - 
{"getpriority", __NR_getpriority}, -#endif -#endif -#ifdef SYS_getrandom -#ifdef __NR_getrandom - {"getrandom", __NR_getrandom}, -#endif -#endif -#ifdef SYS_getresgid -#ifdef __NR_getresgid - {"getresgid", __NR_getresgid}, -#endif -#endif -#ifdef SYS_getresuid -#ifdef __NR_getresuid - {"getresuid", __NR_getresuid}, -#endif -#endif -#ifdef SYS_getrlimit -#ifdef __NR_getrlimit - {"getrlimit", __NR_getrlimit}, -#endif -#endif -#ifdef SYS_getrusage -#ifdef __NR_getrusage - {"getrusage", __NR_getrusage}, -#endif -#endif -#ifdef SYS_getsid -#ifdef __NR_getsid - {"getsid", __NR_getsid}, -#endif -#endif -#ifdef SYS_getsockname -#ifdef __NR_getsockname - {"getsockname", __NR_getsockname}, -#endif -#endif -#ifdef SYS_getsockopt -#ifdef __NR_getsockopt - {"getsockopt", __NR_getsockopt}, -#endif -#endif -#ifdef SYS_gettid -#ifdef __NR_gettid - {"gettid", __NR_gettid}, -#endif -#endif -#ifdef SYS_gettimeofday -#ifdef __NR_gettimeofday - {"gettimeofday", __NR_gettimeofday}, -#endif -#endif -#ifdef SYS_getuid -#ifdef __NR_getuid - {"getuid", __NR_getuid}, -#endif -#endif -#ifdef SYS_getxattr -#ifdef __NR_getxattr - {"getxattr", __NR_getxattr}, -#endif -#endif -#ifdef SYS_init_module -#ifdef __NR_init_module - {"init_module", __NR_init_module}, -#endif -#endif -#ifdef SYS_inotify_add_watch -#ifdef __NR_inotify_add_watch - {"inotify_add_watch", __NR_inotify_add_watch}, -#endif -#endif -#ifdef SYS_inotify_init -#ifdef __NR_inotify_init - {"inotify_init", __NR_inotify_init}, -#endif -#endif -#ifdef SYS_inotify_init1 -#ifdef __NR_inotify_init1 - {"inotify_init1", __NR_inotify_init1}, -#endif -#endif -#ifdef SYS_inotify_rm_watch -#ifdef __NR_inotify_rm_watch - {"inotify_rm_watch", __NR_inotify_rm_watch}, -#endif -#endif -#ifdef SYS_io_cancel -#ifdef __NR_io_cancel - {"io_cancel", __NR_io_cancel}, -#endif -#endif -#ifdef SYS_io_destroy -#ifdef __NR_io_destroy - {"io_destroy", __NR_io_destroy}, -#endif -#endif -#ifdef SYS_io_getevents -#ifdef __NR_io_getevents - {"io_getevents", 
__NR_io_getevents}, -#endif -#endif -#ifdef SYS_io_setup -#ifdef __NR_io_setup - {"io_setup", __NR_io_setup}, -#endif -#endif -#ifdef SYS_io_submit -#ifdef __NR_io_submit - {"io_submit", __NR_io_submit}, -#endif -#endif -#ifdef SYS_ioctl -#ifdef __NR_ioctl - {"ioctl", __NR_ioctl}, -#endif -#endif -#ifdef SYS_ioperm -#ifdef __NR_ioperm - {"ioperm", __NR_ioperm}, -#endif -#endif -#ifdef SYS_iopl -#ifdef __NR_iopl - {"iopl", __NR_iopl}, -#endif -#endif -#ifdef SYS_ioprio_get -#ifdef __NR_ioprio_get - {"ioprio_get", __NR_ioprio_get}, -#endif -#endif -#ifdef SYS_ioprio_set -#ifdef __NR_ioprio_set - {"ioprio_set", __NR_ioprio_set}, -#endif -#endif -#ifdef SYS_kcmp -#ifdef __NR_kcmp - {"kcmp", __NR_kcmp}, -#endif -#endif -#ifdef SYS_kexec_file_load -#ifdef __NR_kexec_file_load - {"kexec_file_load", __NR_kexec_file_load}, -#endif -#endif -#ifdef SYS_kexec_load -#ifdef __NR_kexec_load - {"kexec_load", __NR_kexec_load}, -#endif -#endif -#ifdef SYS_keyctl -#ifdef __NR_keyctl - {"keyctl", __NR_keyctl}, -#endif -#endif -#ifdef SYS_kill -#ifdef __NR_kill - {"kill", __NR_kill}, -#endif -#endif -#ifdef SYS_lchown -#ifdef __NR_lchown - {"lchown", __NR_lchown}, -#endif -#endif -#ifdef SYS_lgetxattr -#ifdef __NR_lgetxattr - {"lgetxattr", __NR_lgetxattr}, -#endif -#endif -#ifdef SYS_link -#ifdef __NR_link - {"link", __NR_link}, -#endif -#endif -#ifdef SYS_linkat -#ifdef __NR_linkat - {"linkat", __NR_linkat}, -#endif -#endif -#ifdef SYS_listen -#ifdef __NR_listen - {"listen", __NR_listen}, -#endif -#endif -#ifdef SYS_listxattr -#ifdef __NR_listxattr - {"listxattr", __NR_listxattr}, -#endif -#endif -#ifdef SYS_llistxattr -#ifdef __NR_llistxattr - {"llistxattr", __NR_llistxattr}, -#endif -#endif -#ifdef SYS_lookup_dcookie -#ifdef __NR_lookup_dcookie - {"lookup_dcookie", __NR_lookup_dcookie}, -#endif -#endif -#ifdef SYS_lremovexattr -#ifdef __NR_lremovexattr - {"lremovexattr", __NR_lremovexattr}, -#endif -#endif -#ifdef SYS_lseek -#ifdef __NR_lseek - {"lseek", __NR_lseek}, -#endif -#endif 
-#ifdef SYS_lsetxattr -#ifdef __NR_lsetxattr - {"lsetxattr", __NR_lsetxattr}, -#endif -#endif -#ifdef SYS_lstat -#ifdef __NR_lstat - {"lstat", __NR_lstat}, -#endif -#endif -#ifdef SYS_madvise -#ifdef __NR_madvise - {"madvise", __NR_madvise}, -#endif -#endif -#ifdef SYS_mbind -#ifdef __NR_mbind - {"mbind", __NR_mbind}, -#endif -#endif -#ifdef SYS_membarrier -#ifdef __NR_membarrier - {"membarrier", __NR_membarrier}, -#endif -#endif -#ifdef SYS_memfd_create -#ifdef __NR_memfd_create - {"memfd_create", __NR_memfd_create}, -#endif -#endif -#ifdef SYS_migrate_pages -#ifdef __NR_migrate_pages - {"migrate_pages", __NR_migrate_pages}, -#endif -#endif -#ifdef SYS_mincore -#ifdef __NR_mincore - {"mincore", __NR_mincore}, -#endif -#endif -#ifdef SYS_mkdir -#ifdef __NR_mkdir - {"mkdir", __NR_mkdir}, -#endif -#endif -#ifdef SYS_mkdirat -#ifdef __NR_mkdirat - {"mkdirat", __NR_mkdirat}, -#endif -#endif -#ifdef SYS_mknod -#ifdef __NR_mknod - {"mknod", __NR_mknod}, -#endif -#endif -#ifdef SYS_mknodat -#ifdef __NR_mknodat - {"mknodat", __NR_mknodat}, -#endif -#endif -#ifdef SYS_mlock -#ifdef __NR_mlock - {"mlock", __NR_mlock}, -#endif -#endif -#ifdef SYS_mlock2 -#ifdef __NR_mlock2 - {"mlock2", __NR_mlock2}, -#endif -#endif -#ifdef SYS_mlockall -#ifdef __NR_mlockall - {"mlockall", __NR_mlockall}, -#endif -#endif -#ifdef SYS_mmap -#ifdef __NR_mmap - {"mmap", __NR_mmap}, -#endif -#endif -#ifdef SYS_modify_ldt -#ifdef __NR_modify_ldt - {"modify_ldt", __NR_modify_ldt}, -#endif -#endif -#ifdef SYS_mount -#ifdef __NR_mount - {"mount", __NR_mount}, -#endif -#endif -#ifdef SYS_move_pages -#ifdef __NR_move_pages - {"move_pages", __NR_move_pages}, -#endif -#endif -#ifdef SYS_mprotect -#ifdef __NR_mprotect - {"mprotect", __NR_mprotect}, -#endif -#endif -#ifdef SYS_mq_getsetattr -#ifdef __NR_mq_getsetattr - {"mq_getsetattr", __NR_mq_getsetattr}, -#endif -#endif -#ifdef SYS_mq_notify -#ifdef __NR_mq_notify - {"mq_notify", __NR_mq_notify}, -#endif -#endif -#ifdef SYS_mq_open -#ifdef __NR_mq_open - 
{"mq_open", __NR_mq_open}, -#endif -#endif -#ifdef SYS_mq_timedreceive -#ifdef __NR_mq_timedreceive - {"mq_timedreceive", __NR_mq_timedreceive}, -#endif -#endif -#ifdef SYS_mq_timedsend -#ifdef __NR_mq_timedsend - {"mq_timedsend", __NR_mq_timedsend}, -#endif -#endif -#ifdef SYS_mq_unlink -#ifdef __NR_mq_unlink - {"mq_unlink", __NR_mq_unlink}, -#endif -#endif -#ifdef SYS_mremap -#ifdef __NR_mremap - {"mremap", __NR_mremap}, -#endif -#endif -#ifdef SYS_msgctl -#ifdef __NR_msgctl - {"msgctl", __NR_msgctl}, -#endif -#endif -#ifdef SYS_msgget -#ifdef __NR_msgget - {"msgget", __NR_msgget}, -#endif -#endif -#ifdef SYS_msgrcv -#ifdef __NR_msgrcv - {"msgrcv", __NR_msgrcv}, -#endif -#endif -#ifdef SYS_msgsnd -#ifdef __NR_msgsnd - {"msgsnd", __NR_msgsnd}, -#endif -#endif -#ifdef SYS_msync -#ifdef __NR_msync - {"msync", __NR_msync}, -#endif -#endif -#ifdef SYS_munlock -#ifdef __NR_munlock - {"munlock", __NR_munlock}, -#endif -#endif -#ifdef SYS_munlockall -#ifdef __NR_munlockall - {"munlockall", __NR_munlockall}, -#endif -#endif -#ifdef SYS_munmap -#ifdef __NR_munmap - {"munmap", __NR_munmap}, -#endif -#endif -#ifdef SYS_name_to_handle_at -#ifdef __NR_name_to_handle_at - {"name_to_handle_at", __NR_name_to_handle_at}, -#endif -#endif -#ifdef SYS_nanosleep -#ifdef __NR_nanosleep - {"nanosleep", __NR_nanosleep}, -#endif -#endif -#ifdef SYS_newfstatat -#ifdef __NR_newfstatat - {"newfstatat", __NR_newfstatat}, -#endif -#endif -#ifdef SYS_open -#ifdef __NR_open - {"open", __NR_open}, -#endif -#endif -#ifdef SYS_open_by_handle_at -#ifdef __NR_open_by_handle_at - {"open_by_handle_at", __NR_open_by_handle_at}, -#endif -#endif -#ifdef SYS_openat -#ifdef __NR_openat - {"openat", __NR_openat}, -#endif -#endif -#ifdef SYS_pause -#ifdef __NR_pause - {"pause", __NR_pause}, -#endif -#endif -#ifdef SYS_perf_event_open -#ifdef __NR_perf_event_open - {"perf_event_open", __NR_perf_event_open}, -#endif -#endif -#ifdef SYS_personality -#ifdef __NR_personality - {"personality", __NR_personality}, 
-#endif -#endif -#ifdef SYS_pipe -#ifdef __NR_pipe - {"pipe", __NR_pipe}, -#endif -#endif -#ifdef SYS_pipe2 -#ifdef __NR_pipe2 - {"pipe2", __NR_pipe2}, -#endif -#endif -#ifdef SYS_pivot_root -#ifdef __NR_pivot_root - {"pivot_root", __NR_pivot_root}, -#endif -#endif -#ifdef SYS_poll -#ifdef __NR_poll - {"poll", __NR_poll}, -#endif -#endif -#ifdef SYS_ppoll -#ifdef __NR_ppoll - {"ppoll", __NR_ppoll}, -#endif -#endif -#ifdef SYS_prctl -#ifdef __NR_prctl - {"prctl", __NR_prctl}, -#endif -#endif -#ifdef SYS_pread64 -#ifdef __NR_pread64 - {"pread64", __NR_pread64}, -#endif -#endif -#ifdef SYS_preadv -#ifdef __NR_preadv - {"preadv", __NR_preadv}, -#endif -#endif -#ifdef SYS_prlimit64 -#ifdef __NR_prlimit64 - {"prlimit64", __NR_prlimit64}, -#endif -#endif -#ifdef SYS_process_vm_readv -#ifdef __NR_process_vm_readv - {"process_vm_readv", __NR_process_vm_readv}, -#endif -#endif -#ifdef SYS_process_vm_writev -#ifdef __NR_process_vm_writev - {"process_vm_writev", __NR_process_vm_writev}, -#endif -#endif -#ifdef SYS_pselect6 -#ifdef __NR_pselect6 - {"pselect6", __NR_pselect6}, -#endif -#endif -#ifdef SYS_ptrace -#ifdef __NR_ptrace - {"ptrace", __NR_ptrace}, -#endif -#endif -#ifdef SYS_putpmsg -#ifdef __NR_putpmsg - {"putpmsg", __NR_putpmsg}, -#endif -#endif -#ifdef SYS_pwrite64 -#ifdef __NR_pwrite64 - {"pwrite64", __NR_pwrite64}, -#endif -#endif -#ifdef SYS_pwritev -#ifdef __NR_pwritev - {"pwritev", __NR_pwritev}, -#endif -#endif -#ifdef SYS_quotactl -#ifdef __NR_quotactl - {"quotactl", __NR_quotactl}, -#endif -#endif -#ifdef SYS_read -#ifdef __NR_read - {"read", __NR_read}, -#endif -#endif -#ifdef SYS_readahead -#ifdef __NR_readahead - {"readahead", __NR_readahead}, -#endif -#endif -#ifdef SYS_readlink -#ifdef __NR_readlink - {"readlink", __NR_readlink}, -#endif -#endif -#ifdef SYS_readlinkat -#ifdef __NR_readlinkat - {"readlinkat", __NR_readlinkat}, -#endif -#endif -#ifdef SYS_readv -#ifdef __NR_readv - {"readv", __NR_readv}, -#endif -#endif -#ifdef SYS_reboot -#ifdef 
__NR_reboot - {"reboot", __NR_reboot}, -#endif -#endif -#ifdef SYS_recvfrom -#ifdef __NR_recvfrom - {"recvfrom", __NR_recvfrom}, -#endif -#endif -#ifdef SYS_recvmmsg -#ifdef __NR_recvmmsg - {"recvmmsg", __NR_recvmmsg}, -#endif -#endif -#ifdef SYS_recvmsg -#ifdef __NR_recvmsg - {"recvmsg", __NR_recvmsg}, -#endif -#endif -#ifdef SYS_remap_file_pages -#ifdef __NR_remap_file_pages - {"remap_file_pages", __NR_remap_file_pages}, -#endif -#endif -#ifdef SYS_removexattr -#ifdef __NR_removexattr - {"removexattr", __NR_removexattr}, -#endif -#endif -#ifdef SYS_rename -#ifdef __NR_rename - {"rename", __NR_rename}, -#endif -#endif -#ifdef SYS_renameat -#ifdef __NR_renameat - {"renameat", __NR_renameat}, -#endif -#endif -#ifdef SYS_renameat2 -#ifdef __NR_renameat2 - {"renameat2", __NR_renameat2}, -#endif -#endif -#ifdef SYS_request_key -#ifdef __NR_request_key - {"request_key", __NR_request_key}, -#endif -#endif -#ifdef SYS_restart_syscall -#ifdef __NR_restart_syscall - {"restart_syscall", __NR_restart_syscall}, -#endif -#endif -#ifdef SYS_rmdir -#ifdef __NR_rmdir - {"rmdir", __NR_rmdir}, -#endif -#endif -#ifdef SYS_rt_sigaction -#ifdef __NR_rt_sigaction - {"rt_sigaction", __NR_rt_sigaction}, -#endif -#endif -#ifdef SYS_rt_sigpending -#ifdef __NR_rt_sigpending - {"rt_sigpending", __NR_rt_sigpending}, -#endif -#endif -#ifdef SYS_rt_sigprocmask -#ifdef __NR_rt_sigprocmask - {"rt_sigprocmask", __NR_rt_sigprocmask}, -#endif -#endif -#ifdef SYS_rt_sigqueueinfo -#ifdef __NR_rt_sigqueueinfo - {"rt_sigqueueinfo", __NR_rt_sigqueueinfo}, -#endif -#endif -#ifdef SYS_rt_sigreturn -#ifdef __NR_rt_sigreturn - {"rt_sigreturn", __NR_rt_sigreturn}, -#endif -#endif -#ifdef SYS_rt_sigsuspend -#ifdef __NR_rt_sigsuspend - {"rt_sigsuspend", __NR_rt_sigsuspend}, -#endif -#endif -#ifdef SYS_rt_sigtimedwait -#ifdef __NR_rt_sigtimedwait - {"rt_sigtimedwait", __NR_rt_sigtimedwait}, -#endif -#endif -#ifdef SYS_rt_tgsigqueueinfo -#ifdef __NR_rt_tgsigqueueinfo - {"rt_tgsigqueueinfo", 
__NR_rt_tgsigqueueinfo}, -#endif -#endif -#ifdef SYS_sched_get_priority_max -#ifdef __NR_sched_get_priority_max - {"sched_get_priority_max", __NR_sched_get_priority_max}, -#endif -#endif -#ifdef SYS_sched_get_priority_min -#ifdef __NR_sched_get_priority_min - {"sched_get_priority_min", __NR_sched_get_priority_min}, -#endif -#endif -#ifdef SYS_sched_getaffinity -#ifdef __NR_sched_getaffinity - {"sched_getaffinity", __NR_sched_getaffinity}, -#endif -#endif -#ifdef SYS_sched_getattr -#ifdef __NR_sched_getattr - {"sched_getattr", __NR_sched_getattr}, -#endif -#endif -#ifdef SYS_sched_getparam -#ifdef __NR_sched_getparam - {"sched_getparam", __NR_sched_getparam}, -#endif -#endif -#ifdef SYS_sched_getscheduler -#ifdef __NR_sched_getscheduler - {"sched_getscheduler", __NR_sched_getscheduler}, -#endif -#endif -#ifdef SYS_sched_rr_get_interval -#ifdef __NR_sched_rr_get_interval - {"sched_rr_get_interval", __NR_sched_rr_get_interval}, -#endif -#endif -#ifdef SYS_sched_setaffinity -#ifdef __NR_sched_setaffinity - {"sched_setaffinity", __NR_sched_setaffinity}, -#endif -#endif -#ifdef SYS_sched_setattr -#ifdef __NR_sched_setattr - {"sched_setattr", __NR_sched_setattr}, -#endif -#endif -#ifdef SYS_sched_setparam -#ifdef __NR_sched_setparam - {"sched_setparam", __NR_sched_setparam}, -#endif -#endif -#ifdef SYS_sched_setscheduler -#ifdef __NR_sched_setscheduler - {"sched_setscheduler", __NR_sched_setscheduler}, -#endif -#endif -#ifdef SYS_sched_yield -#ifdef __NR_sched_yield - {"sched_yield", __NR_sched_yield}, -#endif -#endif -#ifdef SYS_seccomp -#ifdef __NR_seccomp - {"seccomp", __NR_seccomp}, -#endif -#endif -#ifdef SYS_security -#ifdef __NR_security - {"security", __NR_security}, -#endif -#endif -#ifdef SYS_select -#ifdef __NR_select - {"select", __NR_select}, -#endif -#endif -#ifdef SYS_semctl -#ifdef __NR_semctl - {"semctl", __NR_semctl}, -#endif -#endif -#ifdef SYS_semget -#ifdef __NR_semget - {"semget", __NR_semget}, -#endif -#endif -#ifdef SYS_semop -#ifdef __NR_semop - 
{"semop", __NR_semop}, -#endif -#endif -#ifdef SYS_semtimedop -#ifdef __NR_semtimedop - {"semtimedop", __NR_semtimedop}, -#endif -#endif -#ifdef SYS_sendfile -#ifdef __NR_sendfile - {"sendfile", __NR_sendfile}, -#endif -#endif -#ifdef SYS_sendmmsg -#ifdef __NR_sendmmsg - {"sendmmsg", __NR_sendmmsg}, -#endif -#endif -#ifdef SYS_sendmsg -#ifdef __NR_sendmsg - {"sendmsg", __NR_sendmsg}, -#endif -#endif -#ifdef SYS_sendto -#ifdef __NR_sendto - {"sendto", __NR_sendto}, -#endif -#endif -#ifdef SYS_set_mempolicy -#ifdef __NR_set_mempolicy - {"set_mempolicy", __NR_set_mempolicy}, -#endif -#endif -#ifdef SYS_set_robust_list -#ifdef __NR_set_robust_list - {"set_robust_list", __NR_set_robust_list}, -#endif -#endif -#ifdef SYS_set_tid_address -#ifdef __NR_set_tid_address - {"set_tid_address", __NR_set_tid_address}, -#endif -#endif -#ifdef SYS_setdomainname -#ifdef __NR_setdomainname - {"setdomainname", __NR_setdomainname}, -#endif -#endif -#ifdef SYS_setfsgid -#ifdef __NR_setfsgid - {"setfsgid", __NR_setfsgid}, -#endif -#endif -#ifdef SYS_setfsuid -#ifdef __NR_setfsuid - {"setfsuid", __NR_setfsuid}, -#endif -#endif -#ifdef SYS_setgid -#ifdef __NR_setgid - {"setgid", __NR_setgid}, -#endif -#endif -#ifdef SYS_setgroups -#ifdef __NR_setgroups - {"setgroups", __NR_setgroups}, -#endif -#endif -#ifdef SYS_sethostname -#ifdef __NR_sethostname - {"sethostname", __NR_sethostname}, -#endif -#endif -#ifdef SYS_setitimer -#ifdef __NR_setitimer - {"setitimer", __NR_setitimer}, -#endif -#endif -#ifdef SYS_setns -#ifdef __NR_setns - {"setns", __NR_setns}, -#endif -#endif -#ifdef SYS_setpgid -#ifdef __NR_setpgid - {"setpgid", __NR_setpgid}, -#endif -#endif -#ifdef SYS_setpriority -#ifdef __NR_setpriority - {"setpriority", __NR_setpriority}, -#endif -#endif -#ifdef SYS_setregid -#ifdef __NR_setregid - {"setregid", __NR_setregid}, -#endif -#endif -#ifdef SYS_setresgid -#ifdef __NR_setresgid - {"setresgid", __NR_setresgid}, -#endif -#endif -#ifdef SYS_setresuid -#ifdef __NR_setresuid - 
{"setresuid", __NR_setresuid}, -#endif -#endif -#ifdef SYS_setreuid -#ifdef __NR_setreuid - {"setreuid", __NR_setreuid}, -#endif -#endif -#ifdef SYS_setrlimit -#ifdef __NR_setrlimit - {"setrlimit", __NR_setrlimit}, -#endif -#endif -#ifdef SYS_setsid -#ifdef __NR_setsid - {"setsid", __NR_setsid}, -#endif -#endif -#ifdef SYS_setsockopt -#ifdef __NR_setsockopt - {"setsockopt", __NR_setsockopt}, -#endif -#endif -#ifdef SYS_settimeofday -#ifdef __NR_settimeofday - {"settimeofday", __NR_settimeofday}, -#endif -#endif -#ifdef SYS_setuid -#ifdef __NR_setuid - {"setuid", __NR_setuid}, -#endif -#endif -#ifdef SYS_setxattr -#ifdef __NR_setxattr - {"setxattr", __NR_setxattr}, -#endif -#endif -#ifdef SYS_shmat -#ifdef __NR_shmat - {"shmat", __NR_shmat}, -#endif -#endif -#ifdef SYS_shmctl -#ifdef __NR_shmctl - {"shmctl", __NR_shmctl}, -#endif -#endif -#ifdef SYS_shmdt -#ifdef __NR_shmdt - {"shmdt", __NR_shmdt}, -#endif -#endif -#ifdef SYS_shmget -#ifdef __NR_shmget - {"shmget", __NR_shmget}, -#endif -#endif -#ifdef SYS_shutdown -#ifdef __NR_shutdown - {"shutdown", __NR_shutdown}, -#endif -#endif -#ifdef SYS_sigaltstack -#ifdef __NR_sigaltstack - {"sigaltstack", __NR_sigaltstack}, -#endif -#endif -#ifdef SYS_signalfd -#ifdef __NR_signalfd - {"signalfd", __NR_signalfd}, -#endif -#endif -#ifdef SYS_signalfd4 -#ifdef __NR_signalfd4 - {"signalfd4", __NR_signalfd4}, -#endif -#endif -#ifdef SYS_socket -#ifdef __NR_socket - {"socket", __NR_socket}, -#endif -#endif -#ifdef SYS_socketpair -#ifdef __NR_socketpair - {"socketpair", __NR_socketpair}, -#endif -#endif -#ifdef SYS_splice -#ifdef __NR_splice - {"splice", __NR_splice}, -#endif -#endif -#ifdef SYS_stat -#ifdef __NR_stat - {"stat", __NR_stat}, -#endif -#endif -#ifdef SYS_statfs -#ifdef __NR_statfs - {"statfs", __NR_statfs}, -#endif -#endif -#ifdef SYS_swapoff -#ifdef __NR_swapoff - {"swapoff", __NR_swapoff}, -#endif -#endif -#ifdef SYS_swapon -#ifdef __NR_swapon - {"swapon", __NR_swapon}, -#endif -#endif -#ifdef SYS_symlink -#ifdef 
__NR_symlink - {"symlink", __NR_symlink}, -#endif -#endif -#ifdef SYS_symlinkat -#ifdef __NR_symlinkat - {"symlinkat", __NR_symlinkat}, -#endif -#endif -#ifdef SYS_sync -#ifdef __NR_sync - {"sync", __NR_sync}, -#endif -#endif -#ifdef SYS_sync_file_range -#ifdef __NR_sync_file_range - {"sync_file_range", __NR_sync_file_range}, -#endif -#endif -#ifdef SYS_syncfs -#ifdef __NR_syncfs - {"syncfs", __NR_syncfs}, -#endif -#endif -#ifdef SYS_sysfs -#ifdef __NR_sysfs - {"sysfs", __NR_sysfs}, -#endif -#endif -#ifdef SYS_sysinfo -#ifdef __NR_sysinfo - {"sysinfo", __NR_sysinfo}, -#endif -#endif -#ifdef SYS_syslog -#ifdef __NR_syslog - {"syslog", __NR_syslog}, -#endif -#endif -#ifdef SYS_tee -#ifdef __NR_tee - {"tee", __NR_tee}, -#endif -#endif -#ifdef SYS_tgkill -#ifdef __NR_tgkill - {"tgkill", __NR_tgkill}, -#endif -#endif -#ifdef SYS_time -#ifdef __NR_time - {"time", __NR_time}, -#endif -#endif -#ifdef SYS_timer_create -#ifdef __NR_timer_create - {"timer_create", __NR_timer_create}, -#endif -#endif -#ifdef SYS_timer_delete -#ifdef __NR_timer_delete - {"timer_delete", __NR_timer_delete}, -#endif -#endif -#ifdef SYS_timer_getoverrun -#ifdef __NR_timer_getoverrun - {"timer_getoverrun", __NR_timer_getoverrun}, -#endif -#endif -#ifdef SYS_timer_gettime -#ifdef __NR_timer_gettime - {"timer_gettime", __NR_timer_gettime}, -#endif -#endif -#ifdef SYS_timer_settime -#ifdef __NR_timer_settime - {"timer_settime", __NR_timer_settime}, -#endif -#endif -#ifdef SYS_timerfd_create -#ifdef __NR_timerfd_create - {"timerfd_create", __NR_timerfd_create}, -#endif -#endif -#ifdef SYS_timerfd_gettime -#ifdef __NR_timerfd_gettime - {"timerfd_gettime", __NR_timerfd_gettime}, -#endif -#endif -#ifdef SYS_timerfd_settime -#ifdef __NR_timerfd_settime - {"timerfd_settime", __NR_timerfd_settime}, -#endif -#endif -#ifdef SYS_times -#ifdef __NR_times - {"times", __NR_times}, -#endif -#endif -#ifdef SYS_tkill -#ifdef __NR_tkill - {"tkill", __NR_tkill}, -#endif -#endif -#ifdef SYS_truncate -#ifdef 
__NR_truncate - {"truncate", __NR_truncate}, -#endif -#endif -#ifdef SYS_tuxcall -#ifdef __NR_tuxcall - {"tuxcall", __NR_tuxcall}, -#endif -#endif -#ifdef SYS_umask -#ifdef __NR_umask - {"umask", __NR_umask}, -#endif -#endif -#ifdef SYS_umount2 -#ifdef __NR_umount2 - {"umount2", __NR_umount2}, -#endif -#endif -#ifdef SYS_uname -#ifdef __NR_uname - {"uname", __NR_uname}, -#endif -#endif -#ifdef SYS_unlink -#ifdef __NR_unlink - {"unlink", __NR_unlink}, -#endif -#endif -#ifdef SYS_unlinkat -#ifdef __NR_unlinkat - {"unlinkat", __NR_unlinkat}, -#endif -#endif -#ifdef SYS_unshare -#ifdef __NR_unshare - {"unshare", __NR_unshare}, -#endif -#endif -#ifdef SYS_userfaultfd -#ifdef __NR_userfaultfd - {"userfaultfd", __NR_userfaultfd}, -#endif -#endif -#ifdef SYS_ustat -#ifdef __NR_ustat - {"ustat", __NR_ustat}, -#endif -#endif -#ifdef SYS_utime -#ifdef __NR_utime - {"utime", __NR_utime}, -#endif -#endif -#ifdef SYS_utimensat -#ifdef __NR_utimensat - {"utimensat", __NR_utimensat}, -#endif -#endif -#ifdef SYS_utimes -#ifdef __NR_utimes - {"utimes", __NR_utimes}, -#endif -#endif -#ifdef SYS_vfork -#ifdef __NR_vfork - {"vfork", __NR_vfork}, -#endif -#endif -#ifdef SYS_vhangup -#ifdef __NR_vhangup - {"vhangup", __NR_vhangup}, -#endif -#endif -#ifdef SYS_vmsplice -#ifdef __NR_vmsplice - {"vmsplice", __NR_vmsplice}, -#endif -#endif -#ifdef SYS_wait4 -#ifdef __NR_wait4 - {"wait4", __NR_wait4}, -#endif -#endif -#ifdef SYS_waitid -#ifdef __NR_waitid - {"waitid", __NR_waitid}, -#endif -#endif -#ifdef SYS_write -#ifdef __NR_write - {"write", __NR_write}, -#endif -#endif -#ifdef SYS_writev -#ifdef __NR_writev - {"writev", __NR_writev}, -#endif -#endif -#endif diff --git a/src/include/syscall.h b/src/include/syscall.h new file mode 100644 index 000000000..9a29779c9 --- /dev/null +++ b/src/include/syscall.h 
@@ -0,0 +1,5113 @@ +/* + * Copyright (C) 2014-2016 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ + +// content extracted from /bits/syscall.h file form glibc 2.22 +// using ../tools/extract_syscall tool +#if !defined __x86_64__ +#ifdef SYS__llseek +#ifdef __NR__llseek + {"_llseek", __NR__llseek}, +#endif +#endif +#ifdef SYS__newselect +#ifdef __NR__newselect + {"_newselect", __NR__newselect}, +#endif +#endif +#ifdef SYS__sysctl +#ifdef __NR__sysctl + {"_sysctl", __NR__sysctl}, +#endif +#endif +#ifdef SYS_accept4 +#ifdef __NR_accept4 + {"accept4", __NR_accept4}, +#endif +#endif +#ifdef SYS_access +#ifdef __NR_access + {"access", __NR_access}, +#endif +#endif +#ifdef SYS_acct +#ifdef __NR_acct + {"acct", __NR_acct}, +#endif +#endif +#ifdef SYS_add_key +#ifdef __NR_add_key + {"add_key", __NR_add_key}, +#endif +#endif +#ifdef SYS_adjtimex +#ifdef __NR_adjtimex + {"adjtimex", __NR_adjtimex}, +#endif +#endif +#ifdef SYS_afs_syscall +#ifdef __NR_afs_syscall + {"afs_syscall", __NR_afs_syscall}, +#endif +#endif +#ifdef SYS_alarm +#ifdef __NR_alarm + {"alarm", __NR_alarm}, +#endif +#endif +#ifdef SYS_bdflush +#ifdef __NR_bdflush + {"bdflush", __NR_bdflush}, +#endif +#endif +#ifdef SYS_bind +#ifdef __NR_bind + {"bind", __NR_bind}, 
+#endif +#endif +#ifdef SYS_bpf +#ifdef __NR_bpf + {"bpf", __NR_bpf}, +#endif +#endif +#ifdef SYS_break +#ifdef __NR_break + {"break", __NR_break}, +#endif +#endif +#ifdef SYS_brk +#ifdef __NR_brk + {"brk", __NR_brk}, +#endif +#endif +#ifdef SYS_capget +#ifdef __NR_capget + {"capget", __NR_capget}, +#endif +#endif +#ifdef SYS_capset +#ifdef __NR_capset + {"capset", __NR_capset}, +#endif +#endif +#ifdef SYS_chdir +#ifdef __NR_chdir + {"chdir", __NR_chdir}, +#endif +#endif +#ifdef SYS_chmod +#ifdef __NR_chmod + {"chmod", __NR_chmod}, +#endif +#endif +#ifdef SYS_chown +#ifdef __NR_chown + {"chown", __NR_chown}, +#endif +#endif +#ifdef SYS_chown32 +#ifdef __NR_chown32 + {"chown32", __NR_chown32}, +#endif +#endif +#ifdef SYS_chroot +#ifdef __NR_chroot + {"chroot", __NR_chroot}, +#endif +#endif +#ifdef SYS_clock_adjtime +#ifdef __NR_clock_adjtime + {"clock_adjtime", __NR_clock_adjtime}, +#endif +#endif +#ifdef SYS_clock_getres +#ifdef __NR_clock_getres + {"clock_getres", __NR_clock_getres}, +#endif +#endif +#ifdef SYS_clock_gettime +#ifdef __NR_clock_gettime + {"clock_gettime", __NR_clock_gettime}, +#endif +#endif +#ifdef SYS_clock_nanosleep +#ifdef __NR_clock_nanosleep + {"clock_nanosleep", __NR_clock_nanosleep}, +#endif +#endif +#ifdef SYS_clock_settime +#ifdef __NR_clock_settime + {"clock_settime", __NR_clock_settime}, +#endif +#endif +#ifdef SYS_clone +#ifdef __NR_clone + {"clone", __NR_clone}, +#endif +#endif +#ifdef SYS_close +#ifdef __NR_close + {"close", __NR_close}, +#endif +#endif +#ifdef SYS_connect +#ifdef __NR_connect + {"connect", __NR_connect}, +#endif +#endif +#ifdef SYS_copy_file_range +#ifdef __NR_copy_file_range + {"copy_file_range", __NR_copy_file_range}, +#endif +#endif +#ifdef SYS_creat +#ifdef __NR_creat + {"creat", __NR_creat}, +#endif +#endif +#ifdef SYS_create_module +#ifdef __NR_create_module + {"create_module", __NR_create_module}, +#endif +#endif +#ifdef SYS_delete_module +#ifdef __NR_delete_module + {"delete_module", __NR_delete_module}, 
+#endif +#endif +#ifdef SYS_dup +#ifdef __NR_dup + {"dup", __NR_dup}, +#endif +#endif +#ifdef SYS_dup2 +#ifdef __NR_dup2 + {"dup2", __NR_dup2}, +#endif +#endif +#ifdef SYS_dup3 +#ifdef __NR_dup3 + {"dup3", __NR_dup3}, +#endif +#endif +#ifdef SYS_epoll_create +#ifdef __NR_epoll_create + {"epoll_create", __NR_epoll_create}, +#endif +#endif +#ifdef SYS_epoll_create1 +#ifdef __NR_epoll_create1 + {"epoll_create1", __NR_epoll_create1}, +#endif +#endif +#ifdef SYS_epoll_ctl +#ifdef __NR_epoll_ctl + {"epoll_ctl", __NR_epoll_ctl}, +#endif +#endif +#ifdef SYS_epoll_pwait +#ifdef __NR_epoll_pwait + {"epoll_pwait", __NR_epoll_pwait}, +#endif +#endif +#ifdef SYS_epoll_wait +#ifdef __NR_epoll_wait + {"epoll_wait", __NR_epoll_wait}, +#endif +#endif +#ifdef SYS_eventfd +#ifdef __NR_eventfd + {"eventfd", __NR_eventfd}, +#endif +#endif +#ifdef SYS_eventfd2 +#ifdef __NR_eventfd2 + {"eventfd2", __NR_eventfd2}, +#endif +#endif +#ifdef SYS_execve +#ifdef __NR_execve + {"execve", __NR_execve}, +#endif +#endif +#ifdef SYS_execveat +#ifdef __NR_execveat + {"execveat", __NR_execveat}, +#endif +#endif +#ifdef SYS_exit +#ifdef __NR_exit + {"exit", __NR_exit}, +#endif +#endif +#ifdef SYS_exit_group +#ifdef __NR_exit_group + {"exit_group", __NR_exit_group}, +#endif +#endif +#ifdef SYS_faccessat +#ifdef __NR_faccessat + {"faccessat", __NR_faccessat}, +#endif +#endif +#ifdef SYS_fadvise64 +#ifdef __NR_fadvise64 + {"fadvise64", __NR_fadvise64}, +#endif +#endif +#ifdef SYS_fadvise64_64 +#ifdef __NR_fadvise64_64 + {"fadvise64_64", __NR_fadvise64_64}, +#endif +#endif +#ifdef SYS_fallocate +#ifdef __NR_fallocate + {"fallocate", __NR_fallocate}, +#endif +#endif +#ifdef SYS_fanotify_init +#ifdef __NR_fanotify_init + {"fanotify_init", __NR_fanotify_init}, +#endif +#endif +#ifdef SYS_fanotify_mark +#ifdef __NR_fanotify_mark + {"fanotify_mark", __NR_fanotify_mark}, +#endif +#endif +#ifdef SYS_fchdir +#ifdef __NR_fchdir + {"fchdir", __NR_fchdir}, +#endif +#endif +#ifdef SYS_fchmod +#ifdef __NR_fchmod + 
{"fchmod", __NR_fchmod}, +#endif +#endif +#ifdef SYS_fchmodat +#ifdef __NR_fchmodat + {"fchmodat", __NR_fchmodat}, +#endif +#endif +#ifdef SYS_fchown +#ifdef __NR_fchown + {"fchown", __NR_fchown}, +#endif +#endif +#ifdef SYS_fchown32 +#ifdef __NR_fchown32 + {"fchown32", __NR_fchown32}, +#endif +#endif +#ifdef SYS_fchownat +#ifdef __NR_fchownat + {"fchownat", __NR_fchownat}, +#endif +#endif +#ifdef SYS_fcntl +#ifdef __NR_fcntl + {"fcntl", __NR_fcntl}, +#endif +#endif +#ifdef SYS_fcntl64 +#ifdef __NR_fcntl64 + {"fcntl64", __NR_fcntl64}, +#endif +#endif +#ifdef SYS_fdatasync +#ifdef __NR_fdatasync + {"fdatasync", __NR_fdatasync}, +#endif +#endif +#ifdef SYS_fgetxattr +#ifdef __NR_fgetxattr + {"fgetxattr", __NR_fgetxattr}, +#endif +#endif +#ifdef SYS_finit_module +#ifdef __NR_finit_module + {"finit_module", __NR_finit_module}, +#endif +#endif +#ifdef SYS_flistxattr +#ifdef __NR_flistxattr + {"flistxattr", __NR_flistxattr}, +#endif +#endif +#ifdef SYS_flock +#ifdef __NR_flock + {"flock", __NR_flock}, +#endif +#endif +#ifdef SYS_fork +#ifdef __NR_fork + {"fork", __NR_fork}, +#endif +#endif +#ifdef SYS_fremovexattr +#ifdef __NR_fremovexattr + {"fremovexattr", __NR_fremovexattr}, +#endif +#endif +#ifdef SYS_fsetxattr +#ifdef __NR_fsetxattr + {"fsetxattr", __NR_fsetxattr}, +#endif +#endif +#ifdef SYS_fstat +#ifdef __NR_fstat + {"fstat", __NR_fstat}, +#endif +#endif +#ifdef SYS_fstat64 +#ifdef __NR_fstat64 + {"fstat64", __NR_fstat64}, +#endif +#endif +#ifdef SYS_fstatat64 +#ifdef __NR_fstatat64 + {"fstatat64", __NR_fstatat64}, +#endif +#endif +#ifdef SYS_fstatfs +#ifdef __NR_fstatfs + {"fstatfs", __NR_fstatfs}, +#endif +#endif +#ifdef SYS_fstatfs64 +#ifdef __NR_fstatfs64 + {"fstatfs64", __NR_fstatfs64}, +#endif +#endif +#ifdef SYS_fsync +#ifdef __NR_fsync + {"fsync", __NR_fsync}, +#endif +#endif +#ifdef SYS_ftime +#ifdef __NR_ftime + {"ftime", __NR_ftime}, +#endif +#endif +#ifdef SYS_ftruncate +#ifdef __NR_ftruncate + {"ftruncate", __NR_ftruncate}, +#endif +#endif +#ifdef 
SYS_ftruncate64 +#ifdef __NR_ftruncate64 + {"ftruncate64", __NR_ftruncate64}, +#endif +#endif +#ifdef SYS_futex +#ifdef __NR_futex + {"futex", __NR_futex}, +#endif +#endif +#ifdef SYS_futimesat +#ifdef __NR_futimesat + {"futimesat", __NR_futimesat}, +#endif +#endif +#ifdef SYS_get_kernel_syms +#ifdef __NR_get_kernel_syms + {"get_kernel_syms", __NR_get_kernel_syms}, +#endif +#endif +#ifdef SYS_get_mempolicy +#ifdef __NR_get_mempolicy + {"get_mempolicy", __NR_get_mempolicy}, +#endif +#endif +#ifdef SYS_get_robust_list +#ifdef __NR_get_robust_list + {"get_robust_list", __NR_get_robust_list}, +#endif +#endif +#ifdef SYS_get_thread_area +#ifdef __NR_get_thread_area + {"get_thread_area", __NR_get_thread_area}, +#endif +#endif +#ifdef SYS_getcpu +#ifdef __NR_getcpu + {"getcpu", __NR_getcpu}, +#endif +#endif +#ifdef SYS_getcwd +#ifdef __NR_getcwd + {"getcwd", __NR_getcwd}, +#endif +#endif +#ifdef SYS_getdents +#ifdef __NR_getdents + {"getdents", __NR_getdents}, +#endif +#endif +#ifdef SYS_getdents64 +#ifdef __NR_getdents64 + {"getdents64", __NR_getdents64}, +#endif +#endif +#ifdef SYS_getegid +#ifdef __NR_getegid + {"getegid", __NR_getegid}, +#endif +#endif +#ifdef SYS_getegid32 +#ifdef __NR_getegid32 + {"getegid32", __NR_getegid32}, +#endif +#endif +#ifdef SYS_geteuid +#ifdef __NR_geteuid + {"geteuid", __NR_geteuid}, +#endif +#endif +#ifdef SYS_geteuid32 +#ifdef __NR_geteuid32 + {"geteuid32", __NR_geteuid32}, +#endif +#endif +#ifdef SYS_getgid +#ifdef __NR_getgid + {"getgid", __NR_getgid}, +#endif +#endif +#ifdef SYS_getgid32 +#ifdef __NR_getgid32 + {"getgid32", __NR_getgid32}, +#endif +#endif +#ifdef SYS_getgroups +#ifdef __NR_getgroups + {"getgroups", __NR_getgroups}, +#endif +#endif +#ifdef SYS_getgroups32 +#ifdef __NR_getgroups32 + {"getgroups32", __NR_getgroups32}, +#endif +#endif +#ifdef SYS_getitimer +#ifdef __NR_getitimer + {"getitimer", __NR_getitimer}, +#endif +#endif +#ifdef SYS_getpeername +#ifdef __NR_getpeername + {"getpeername", __NR_getpeername}, +#endif 
+#endif +#ifdef SYS_getpgid +#ifdef __NR_getpgid + {"getpgid", __NR_getpgid}, +#endif +#endif +#ifdef SYS_getpgrp +#ifdef __NR_getpgrp + {"getpgrp", __NR_getpgrp}, +#endif +#endif +#ifdef SYS_getpid +#ifdef __NR_getpid + {"getpid", __NR_getpid}, +#endif +#endif +#ifdef SYS_getpmsg +#ifdef __NR_getpmsg + {"getpmsg", __NR_getpmsg}, +#endif +#endif +#ifdef SYS_getppid +#ifdef __NR_getppid + {"getppid", __NR_getppid}, +#endif +#endif +#ifdef SYS_getpriority +#ifdef __NR_getpriority + {"getpriority", __NR_getpriority}, +#endif +#endif +#ifdef SYS_getrandom +#ifdef __NR_getrandom + {"getrandom", __NR_getrandom}, +#endif +#endif +#ifdef SYS_getresgid +#ifdef __NR_getresgid + {"getresgid", __NR_getresgid}, +#endif +#endif +#ifdef SYS_getresgid32 +#ifdef __NR_getresgid32 + {"getresgid32", __NR_getresgid32}, +#endif +#endif +#ifdef SYS_getresuid +#ifdef __NR_getresuid + {"getresuid", __NR_getresuid}, +#endif +#endif +#ifdef SYS_getresuid32 +#ifdef __NR_getresuid32 + {"getresuid32", __NR_getresuid32}, +#endif +#endif +#ifdef SYS_getrlimit +#ifdef __NR_getrlimit + {"getrlimit", __NR_getrlimit}, +#endif +#endif +#ifdef SYS_getrusage +#ifdef __NR_getrusage + {"getrusage", __NR_getrusage}, +#endif +#endif +#ifdef SYS_getsid +#ifdef __NR_getsid + {"getsid", __NR_getsid}, +#endif +#endif +#ifdef SYS_getsockname +#ifdef __NR_getsockname + {"getsockname", __NR_getsockname}, +#endif +#endif +#ifdef SYS_getsockopt +#ifdef __NR_getsockopt + {"getsockopt", __NR_getsockopt}, +#endif +#endif +#ifdef SYS_gettid +#ifdef __NR_gettid + {"gettid", __NR_gettid}, +#endif +#endif +#ifdef SYS_gettimeofday +#ifdef __NR_gettimeofday + {"gettimeofday", __NR_gettimeofday}, +#endif +#endif +#ifdef SYS_getuid +#ifdef __NR_getuid + {"getuid", __NR_getuid}, +#endif +#endif +#ifdef SYS_getuid32 +#ifdef __NR_getuid32 + {"getuid32", __NR_getuid32}, +#endif +#endif +#ifdef SYS_getxattr +#ifdef __NR_getxattr + {"getxattr", __NR_getxattr}, +#endif +#endif +#ifdef SYS_gtty +#ifdef __NR_gtty + {"gtty", __NR_gtty}, 
+#endif +#endif +#ifdef SYS_idle +#ifdef __NR_idle + {"idle", __NR_idle}, +#endif +#endif +#ifdef SYS_init_module +#ifdef __NR_init_module + {"init_module", __NR_init_module}, +#endif +#endif +#ifdef SYS_inotify_add_watch +#ifdef __NR_inotify_add_watch + {"inotify_add_watch", __NR_inotify_add_watch}, +#endif +#endif +#ifdef SYS_inotify_init +#ifdef __NR_inotify_init + {"inotify_init", __NR_inotify_init}, +#endif +#endif +#ifdef SYS_inotify_init1 +#ifdef __NR_inotify_init1 + {"inotify_init1", __NR_inotify_init1}, +#endif +#endif +#ifdef SYS_inotify_rm_watch +#ifdef __NR_inotify_rm_watch + {"inotify_rm_watch", __NR_inotify_rm_watch}, +#endif +#endif +#ifdef SYS_io_cancel +#ifdef __NR_io_cancel + {"io_cancel", __NR_io_cancel}, +#endif +#endif +#ifdef SYS_io_destroy +#ifdef __NR_io_destroy + {"io_destroy", __NR_io_destroy}, +#endif +#endif +#ifdef SYS_io_getevents +#ifdef __NR_io_getevents + {"io_getevents", __NR_io_getevents}, +#endif +#endif +#ifdef SYS_io_setup +#ifdef __NR_io_setup + {"io_setup", __NR_io_setup}, +#endif +#endif +#ifdef SYS_io_submit +#ifdef __NR_io_submit + {"io_submit", __NR_io_submit}, +#endif +#endif +#ifdef SYS_ioctl +#ifdef __NR_ioctl + {"ioctl", __NR_ioctl}, +#endif +#endif +#ifdef SYS_ioperm +#ifdef __NR_ioperm + {"ioperm", __NR_ioperm}, +#endif +#endif +#ifdef SYS_iopl +#ifdef __NR_iopl + {"iopl", __NR_iopl}, +#endif +#endif +#ifdef SYS_ioprio_get +#ifdef __NR_ioprio_get + {"ioprio_get", __NR_ioprio_get}, +#endif +#endif +#ifdef SYS_ioprio_set +#ifdef __NR_ioprio_set + {"ioprio_set", __NR_ioprio_set}, +#endif +#endif +#ifdef SYS_ipc +#ifdef __NR_ipc + {"ipc", __NR_ipc}, +#endif +#endif +#ifdef SYS_kcmp +#ifdef __NR_kcmp + {"kcmp", __NR_kcmp}, +#endif +#endif +#ifdef SYS_kexec_load +#ifdef __NR_kexec_load + {"kexec_load", __NR_kexec_load}, +#endif +#endif +#ifdef SYS_keyctl +#ifdef __NR_keyctl + {"keyctl", __NR_keyctl}, +#endif +#endif +#ifdef SYS_kill +#ifdef __NR_kill + {"kill", __NR_kill}, +#endif +#endif +#ifdef SYS_lchown +#ifdef 
__NR_lchown + {"lchown", __NR_lchown}, +#endif +#endif +#ifdef SYS_lchown32 +#ifdef __NR_lchown32 + {"lchown32", __NR_lchown32}, +#endif +#endif +#ifdef SYS_lgetxattr +#ifdef __NR_lgetxattr + {"lgetxattr", __NR_lgetxattr}, +#endif +#endif +#ifdef SYS_link +#ifdef __NR_link + {"link", __NR_link}, +#endif +#endif +#ifdef SYS_linkat +#ifdef __NR_linkat + {"linkat", __NR_linkat}, +#endif +#endif +#ifdef SYS_listen +#ifdef __NR_listen + {"listen", __NR_listen}, +#endif +#endif +#ifdef SYS_listxattr +#ifdef __NR_listxattr + {"listxattr", __NR_listxattr}, +#endif +#endif +#ifdef SYS_llistxattr +#ifdef __NR_llistxattr + {"llistxattr", __NR_llistxattr}, +#endif +#endif +#ifdef SYS_lock +#ifdef __NR_lock + {"lock", __NR_lock}, +#endif +#endif +#ifdef SYS_lookup_dcookie +#ifdef __NR_lookup_dcookie + {"lookup_dcookie", __NR_lookup_dcookie}, +#endif +#endif +#ifdef SYS_lremovexattr +#ifdef __NR_lremovexattr + {"lremovexattr", __NR_lremovexattr}, +#endif +#endif +#ifdef SYS_lseek +#ifdef __NR_lseek + {"lseek", __NR_lseek}, +#endif +#endif +#ifdef SYS_lsetxattr +#ifdef __NR_lsetxattr + {"lsetxattr", __NR_lsetxattr}, +#endif +#endif +#ifdef SYS_lstat +#ifdef __NR_lstat + {"lstat", __NR_lstat}, +#endif +#endif +#ifdef SYS_lstat64 +#ifdef __NR_lstat64 + {"lstat64", __NR_lstat64}, +#endif +#endif +#ifdef SYS_madvise +#ifdef __NR_madvise + {"madvise", __NR_madvise}, +#endif +#endif +#ifdef SYS_mbind +#ifdef __NR_mbind + {"mbind", __NR_mbind}, +#endif +#endif +#ifdef SYS_membarrier +#ifdef __NR_membarrier + {"membarrier", __NR_membarrier}, +#endif +#endif +#ifdef SYS_memfd_create +#ifdef __NR_memfd_create + {"memfd_create", __NR_memfd_create}, +#endif +#endif +#ifdef SYS_migrate_pages +#ifdef __NR_migrate_pages + {"migrate_pages", __NR_migrate_pages}, +#endif +#endif +#ifdef SYS_mincore +#ifdef __NR_mincore + {"mincore", __NR_mincore}, +#endif +#endif +#ifdef SYS_mkdir +#ifdef __NR_mkdir + {"mkdir", __NR_mkdir}, +#endif +#endif +#ifdef SYS_mkdirat +#ifdef __NR_mkdirat + {"mkdirat", 
__NR_mkdirat}, +#endif +#endif +#ifdef SYS_mknod +#ifdef __NR_mknod + {"mknod", __NR_mknod}, +#endif +#endif +#ifdef SYS_mknodat +#ifdef __NR_mknodat + {"mknodat", __NR_mknodat}, +#endif +#endif +#ifdef SYS_mlock +#ifdef __NR_mlock + {"mlock", __NR_mlock}, +#endif +#endif +#ifdef SYS_mlock2 +#ifdef __NR_mlock2 + {"mlock2", __NR_mlock2}, +#endif +#endif +#ifdef SYS_mlockall +#ifdef __NR_mlockall + {"mlockall", __NR_mlockall}, +#endif +#endif +#ifdef SYS_mmap +#ifdef __NR_mmap + {"mmap", __NR_mmap}, +#endif +#endif +#ifdef SYS_mmap2 +#ifdef __NR_mmap2 + {"mmap2", __NR_mmap2}, +#endif +#endif +#ifdef SYS_modify_ldt +#ifdef __NR_modify_ldt + {"modify_ldt", __NR_modify_ldt}, +#endif +#endif +#ifdef SYS_mount +#ifdef __NR_mount + {"mount", __NR_mount}, +#endif +#endif +#ifdef SYS_move_pages +#ifdef __NR_move_pages + {"move_pages", __NR_move_pages}, +#endif +#endif +#ifdef SYS_mprotect +#ifdef __NR_mprotect + {"mprotect", __NR_mprotect}, +#endif +#endif +#ifdef SYS_mpx +#ifdef __NR_mpx + {"mpx", __NR_mpx}, +#endif +#endif +#ifdef SYS_mq_getsetattr +#ifdef __NR_mq_getsetattr + {"mq_getsetattr", __NR_mq_getsetattr}, +#endif +#endif +#ifdef SYS_mq_notify +#ifdef __NR_mq_notify + {"mq_notify", __NR_mq_notify}, +#endif +#endif +#ifdef SYS_mq_open +#ifdef __NR_mq_open + {"mq_open", __NR_mq_open}, +#endif +#endif +#ifdef SYS_mq_timedreceive +#ifdef __NR_mq_timedreceive + {"mq_timedreceive", __NR_mq_timedreceive}, +#endif +#endif +#ifdef SYS_mq_timedsend +#ifdef __NR_mq_timedsend + {"mq_timedsend", __NR_mq_timedsend}, +#endif +#endif +#ifdef SYS_mq_unlink +#ifdef __NR_mq_unlink + {"mq_unlink", __NR_mq_unlink}, +#endif +#endif +#ifdef SYS_mremap +#ifdef __NR_mremap + {"mremap", __NR_mremap}, +#endif +#endif +#ifdef SYS_msync +#ifdef __NR_msync + {"msync", __NR_msync}, +#endif +#endif +#ifdef SYS_munlock +#ifdef __NR_munlock + {"munlock", __NR_munlock}, +#endif +#endif +#ifdef SYS_munlockall +#ifdef __NR_munlockall + {"munlockall", __NR_munlockall}, +#endif +#endif +#ifdef 
SYS_munmap +#ifdef __NR_munmap + {"munmap", __NR_munmap}, +#endif +#endif +#ifdef SYS_name_to_handle_at +#ifdef __NR_name_to_handle_at + {"name_to_handle_at", __NR_name_to_handle_at}, +#endif +#endif +#ifdef SYS_nanosleep +#ifdef __NR_nanosleep + {"nanosleep", __NR_nanosleep}, +#endif +#endif +#ifdef SYS_nfsservctl +#ifdef __NR_nfsservctl + {"nfsservctl", __NR_nfsservctl}, +#endif +#endif +#ifdef SYS_nice +#ifdef __NR_nice + {"nice", __NR_nice}, +#endif +#endif +#ifdef SYS_oldfstat +#ifdef __NR_oldfstat + {"oldfstat", __NR_oldfstat}, +#endif +#endif +#ifdef SYS_oldlstat +#ifdef __NR_oldlstat + {"oldlstat", __NR_oldlstat}, +#endif +#endif +#ifdef SYS_oldolduname +#ifdef __NR_oldolduname + {"oldolduname", __NR_oldolduname}, +#endif +#endif +#ifdef SYS_oldstat +#ifdef __NR_oldstat + {"oldstat", __NR_oldstat}, +#endif +#endif +#ifdef SYS_olduname +#ifdef __NR_olduname + {"olduname", __NR_olduname}, +#endif +#endif +#ifdef SYS_open +#ifdef __NR_open + {"open", __NR_open}, +#endif +#endif +#ifdef SYS_open_by_handle_at +#ifdef __NR_open_by_handle_at + {"open_by_handle_at", __NR_open_by_handle_at}, +#endif +#endif +#ifdef SYS_openat +#ifdef __NR_openat + {"openat", __NR_openat}, +#endif +#endif +#ifdef SYS_pause +#ifdef __NR_pause + {"pause", __NR_pause}, +#endif +#endif +#ifdef SYS_perf_event_open +#ifdef __NR_perf_event_open + {"perf_event_open", __NR_perf_event_open}, +#endif +#endif +#ifdef SYS_personality +#ifdef __NR_personality + {"personality", __NR_personality}, +#endif +#endif +#ifdef SYS_pipe +#ifdef __NR_pipe + {"pipe", __NR_pipe}, +#endif +#endif +#ifdef SYS_pipe2 +#ifdef __NR_pipe2 + {"pipe2", __NR_pipe2}, +#endif +#endif +#ifdef SYS_pivot_root +#ifdef __NR_pivot_root + {"pivot_root", __NR_pivot_root}, +#endif +#endif +#ifdef SYS_poll +#ifdef __NR_poll + {"poll", __NR_poll}, +#endif +#endif +#ifdef SYS_ppoll +#ifdef __NR_ppoll + {"ppoll", __NR_ppoll}, +#endif +#endif +#ifdef SYS_prctl +#ifdef __NR_prctl + {"prctl", __NR_prctl}, +#endif +#endif +#ifdef 
SYS_pread64 +#ifdef __NR_pread64 + {"pread64", __NR_pread64}, +#endif +#endif +#ifdef SYS_preadv +#ifdef __NR_preadv + {"preadv", __NR_preadv}, +#endif +#endif +#ifdef SYS_prlimit64 +#ifdef __NR_prlimit64 + {"prlimit64", __NR_prlimit64}, +#endif +#endif +#ifdef SYS_process_vm_readv +#ifdef __NR_process_vm_readv + {"process_vm_readv", __NR_process_vm_readv}, +#endif +#endif +#ifdef SYS_process_vm_writev +#ifdef __NR_process_vm_writev + {"process_vm_writev", __NR_process_vm_writev}, +#endif +#endif +#ifdef SYS_prof +#ifdef __NR_prof + {"prof", __NR_prof}, +#endif +#endif +#ifdef SYS_profil +#ifdef __NR_profil + {"profil", __NR_profil}, +#endif +#endif +#ifdef SYS_pselect6 +#ifdef __NR_pselect6 + {"pselect6", __NR_pselect6}, +#endif +#endif +#ifdef SYS_ptrace +#ifdef __NR_ptrace + {"ptrace", __NR_ptrace}, +#endif +#endif +#ifdef SYS_putpmsg +#ifdef __NR_putpmsg + {"putpmsg", __NR_putpmsg}, +#endif +#endif +#ifdef SYS_pwrite64 +#ifdef __NR_pwrite64 + {"pwrite64", __NR_pwrite64}, +#endif +#endif +#ifdef SYS_pwritev +#ifdef __NR_pwritev + {"pwritev", __NR_pwritev}, +#endif +#endif +#ifdef SYS_query_module +#ifdef __NR_query_module + {"query_module", __NR_query_module}, +#endif +#endif +#ifdef SYS_quotactl +#ifdef __NR_quotactl + {"quotactl", __NR_quotactl}, +#endif +#endif +#ifdef SYS_read +#ifdef __NR_read + {"read", __NR_read}, +#endif +#endif +#ifdef SYS_readahead +#ifdef __NR_readahead + {"readahead", __NR_readahead}, +#endif +#endif +#ifdef SYS_readdir +#ifdef __NR_readdir + {"readdir", __NR_readdir}, +#endif +#endif +#ifdef SYS_readlink +#ifdef __NR_readlink + {"readlink", __NR_readlink}, +#endif +#endif +#ifdef SYS_readlinkat +#ifdef __NR_readlinkat + {"readlinkat", __NR_readlinkat}, +#endif +#endif +#ifdef SYS_readv +#ifdef __NR_readv + {"readv", __NR_readv}, +#endif +#endif +#ifdef SYS_reboot +#ifdef __NR_reboot + {"reboot", __NR_reboot}, +#endif +#endif +#ifdef SYS_recvfrom +#ifdef __NR_recvfrom + {"recvfrom", __NR_recvfrom}, +#endif +#endif +#ifdef 
SYS_recvmmsg +#ifdef __NR_recvmmsg + {"recvmmsg", __NR_recvmmsg}, +#endif +#endif +#ifdef SYS_recvmsg +#ifdef __NR_recvmsg + {"recvmsg", __NR_recvmsg}, +#endif +#endif +#ifdef SYS_remap_file_pages +#ifdef __NR_remap_file_pages + {"remap_file_pages", __NR_remap_file_pages}, +#endif +#endif +#ifdef SYS_removexattr +#ifdef __NR_removexattr + {"removexattr", __NR_removexattr}, +#endif +#endif +#ifdef SYS_rename +#ifdef __NR_rename + {"rename", __NR_rename}, +#endif +#endif +#ifdef SYS_renameat +#ifdef __NR_renameat + {"renameat", __NR_renameat}, +#endif +#endif +#ifdef SYS_renameat2 +#ifdef __NR_renameat2 + {"renameat2", __NR_renameat2}, +#endif +#endif +#ifdef SYS_request_key +#ifdef __NR_request_key + {"request_key", __NR_request_key}, +#endif +#endif +#ifdef SYS_restart_syscall +#ifdef __NR_restart_syscall + {"restart_syscall", __NR_restart_syscall}, +#endif +#endif +#ifdef SYS_rmdir +#ifdef __NR_rmdir + {"rmdir", __NR_rmdir}, +#endif +#endif +#ifdef SYS_rt_sigaction +#ifdef __NR_rt_sigaction + {"rt_sigaction", __NR_rt_sigaction}, +#endif +#endif +#ifdef SYS_rt_sigpending +#ifdef __NR_rt_sigpending + {"rt_sigpending", __NR_rt_sigpending}, +#endif +#endif +#ifdef SYS_rt_sigprocmask +#ifdef __NR_rt_sigprocmask + {"rt_sigprocmask", __NR_rt_sigprocmask}, +#endif +#endif +#ifdef SYS_rt_sigqueueinfo +#ifdef __NR_rt_sigqueueinfo + {"rt_sigqueueinfo", __NR_rt_sigqueueinfo}, +#endif +#endif +#ifdef SYS_rt_sigreturn +#ifdef __NR_rt_sigreturn + {"rt_sigreturn", __NR_rt_sigreturn}, +#endif +#endif +#ifdef SYS_rt_sigsuspend +#ifdef __NR_rt_sigsuspend + {"rt_sigsuspend", __NR_rt_sigsuspend}, +#endif +#endif +#ifdef SYS_rt_sigtimedwait +#ifdef __NR_rt_sigtimedwait + {"rt_sigtimedwait", __NR_rt_sigtimedwait}, +#endif +#endif +#ifdef SYS_rt_tgsigqueueinfo +#ifdef __NR_rt_tgsigqueueinfo + {"rt_tgsigqueueinfo", __NR_rt_tgsigqueueinfo}, +#endif +#endif +#ifdef SYS_sched_get_priority_max +#ifdef __NR_sched_get_priority_max + {"sched_get_priority_max", __NR_sched_get_priority_max}, 
+#endif +#endif +#ifdef SYS_sched_get_priority_min +#ifdef __NR_sched_get_priority_min + {"sched_get_priority_min", __NR_sched_get_priority_min}, +#endif +#endif +#ifdef SYS_sched_getaffinity +#ifdef __NR_sched_getaffinity + {"sched_getaffinity", __NR_sched_getaffinity}, +#endif +#endif +#ifdef SYS_sched_getattr +#ifdef __NR_sched_getattr + {"sched_getattr", __NR_sched_getattr}, +#endif +#endif +#ifdef SYS_sched_getparam +#ifdef __NR_sched_getparam + {"sched_getparam", __NR_sched_getparam}, +#endif +#endif +#ifdef SYS_sched_getscheduler +#ifdef __NR_sched_getscheduler + {"sched_getscheduler", __NR_sched_getscheduler}, +#endif +#endif +#ifdef SYS_sched_rr_get_interval +#ifdef __NR_sched_rr_get_interval + {"sched_rr_get_interval", __NR_sched_rr_get_interval}, +#endif +#endif +#ifdef SYS_sched_setaffinity +#ifdef __NR_sched_setaffinity + {"sched_setaffinity", __NR_sched_setaffinity}, +#endif +#endif +#ifdef SYS_sched_setattr +#ifdef __NR_sched_setattr + {"sched_setattr", __NR_sched_setattr}, +#endif +#endif +#ifdef SYS_sched_setparam +#ifdef __NR_sched_setparam + {"sched_setparam", __NR_sched_setparam}, +#endif +#endif +#ifdef SYS_sched_setscheduler +#ifdef __NR_sched_setscheduler + {"sched_setscheduler", __NR_sched_setscheduler}, +#endif +#endif +#ifdef SYS_sched_yield +#ifdef __NR_sched_yield + {"sched_yield", __NR_sched_yield}, +#endif +#endif +#ifdef SYS_seccomp +#ifdef __NR_seccomp + {"seccomp", __NR_seccomp}, +#endif +#endif +#ifdef SYS_select +#ifdef __NR_select + {"select", __NR_select}, +#endif +#endif +#ifdef SYS_sendfile +#ifdef __NR_sendfile + {"sendfile", __NR_sendfile}, +#endif +#endif +#ifdef SYS_sendfile64 +#ifdef __NR_sendfile64 + {"sendfile64", __NR_sendfile64}, +#endif +#endif +#ifdef SYS_sendmmsg +#ifdef __NR_sendmmsg + {"sendmmsg", __NR_sendmmsg}, +#endif +#endif +#ifdef SYS_sendmsg +#ifdef __NR_sendmsg + {"sendmsg", __NR_sendmsg}, +#endif +#endif +#ifdef SYS_sendto +#ifdef __NR_sendto + {"sendto", __NR_sendto}, +#endif +#endif +#ifdef 
SYS_set_mempolicy +#ifdef __NR_set_mempolicy + {"set_mempolicy", __NR_set_mempolicy}, +#endif +#endif +#ifdef SYS_set_robust_list +#ifdef __NR_set_robust_list + {"set_robust_list", __NR_set_robust_list}, +#endif +#endif +#ifdef SYS_set_thread_area +#ifdef __NR_set_thread_area + {"set_thread_area", __NR_set_thread_area}, +#endif +#endif +#ifdef SYS_set_tid_address +#ifdef __NR_set_tid_address + {"set_tid_address", __NR_set_tid_address}, +#endif +#endif +#ifdef SYS_setdomainname +#ifdef __NR_setdomainname + {"setdomainname", __NR_setdomainname}, +#endif +#endif +#ifdef SYS_setfsgid +#ifdef __NR_setfsgid + {"setfsgid", __NR_setfsgid}, +#endif +#endif +#ifdef SYS_setfsgid32 +#ifdef __NR_setfsgid32 + {"setfsgid32", __NR_setfsgid32}, +#endif +#endif +#ifdef SYS_setfsuid +#ifdef __NR_setfsuid + {"setfsuid", __NR_setfsuid}, +#endif +#endif +#ifdef SYS_setfsuid32 +#ifdef __NR_setfsuid32 + {"setfsuid32", __NR_setfsuid32}, +#endif +#endif +#ifdef SYS_setgid +#ifdef __NR_setgid + {"setgid", __NR_setgid}, +#endif +#endif +#ifdef SYS_setgid32 +#ifdef __NR_setgid32 + {"setgid32", __NR_setgid32}, +#endif +#endif +#ifdef SYS_setgroups +#ifdef __NR_setgroups + {"setgroups", __NR_setgroups}, +#endif +#endif +#ifdef SYS_setgroups32 +#ifdef __NR_setgroups32 + {"setgroups32", __NR_setgroups32}, +#endif +#endif +#ifdef SYS_sethostname +#ifdef __NR_sethostname + {"sethostname", __NR_sethostname}, +#endif +#endif +#ifdef SYS_setitimer +#ifdef __NR_setitimer + {"setitimer", __NR_setitimer}, +#endif +#endif +#ifdef SYS_setns +#ifdef __NR_setns + {"setns", __NR_setns}, +#endif +#endif +#ifdef SYS_setpgid +#ifdef __NR_setpgid + {"setpgid", __NR_setpgid}, +#endif +#endif +#ifdef SYS_setpriority +#ifdef __NR_setpriority + {"setpriority", __NR_setpriority}, +#endif +#endif +#ifdef SYS_setregid +#ifdef __NR_setregid + {"setregid", __NR_setregid}, +#endif +#endif +#ifdef SYS_setregid32 +#ifdef __NR_setregid32 + {"setregid32", __NR_setregid32}, +#endif +#endif +#ifdef SYS_setresgid +#ifdef 
__NR_setresgid + {"setresgid", __NR_setresgid}, +#endif +#endif +#ifdef SYS_setresgid32 +#ifdef __NR_setresgid32 + {"setresgid32", __NR_setresgid32}, +#endif +#endif +#ifdef SYS_setresuid +#ifdef __NR_setresuid + {"setresuid", __NR_setresuid}, +#endif +#endif +#ifdef SYS_setresuid32 +#ifdef __NR_setresuid32 + {"setresuid32", __NR_setresuid32}, +#endif +#endif +#ifdef SYS_setreuid +#ifdef __NR_setreuid + {"setreuid", __NR_setreuid}, +#endif +#endif +#ifdef SYS_setreuid32 +#ifdef __NR_setreuid32 + {"setreuid32", __NR_setreuid32}, +#endif +#endif +#ifdef SYS_setrlimit +#ifdef __NR_setrlimit + {"setrlimit", __NR_setrlimit}, +#endif +#endif +#ifdef SYS_setsid +#ifdef __NR_setsid + {"setsid", __NR_setsid}, +#endif +#endif +#ifdef SYS_setsockopt +#ifdef __NR_setsockopt + {"setsockopt", __NR_setsockopt}, +#endif +#endif +#ifdef SYS_settimeofday +#ifdef __NR_settimeofday + {"settimeofday", __NR_settimeofday}, +#endif +#endif +#ifdef SYS_setuid +#ifdef __NR_setuid + {"setuid", __NR_setuid}, +#endif +#endif +#ifdef SYS_setuid32 +#ifdef __NR_setuid32 + {"setuid32", __NR_setuid32}, +#endif +#endif +#ifdef SYS_setxattr +#ifdef __NR_setxattr + {"setxattr", __NR_setxattr}, +#endif +#endif +#ifdef SYS_sgetmask +#ifdef __NR_sgetmask + {"sgetmask", __NR_sgetmask}, +#endif +#endif +#ifdef SYS_shutdown +#ifdef __NR_shutdown + {"shutdown", __NR_shutdown}, +#endif +#endif +#ifdef SYS_sigaction +#ifdef __NR_sigaction + {"sigaction", __NR_sigaction}, +#endif +#endif +#ifdef SYS_sigaltstack +#ifdef __NR_sigaltstack + {"sigaltstack", __NR_sigaltstack}, +#endif +#endif +#ifdef SYS_signal +#ifdef __NR_signal + {"signal", __NR_signal}, +#endif +#endif +#ifdef SYS_signalfd +#ifdef __NR_signalfd + {"signalfd", __NR_signalfd}, +#endif +#endif +#ifdef SYS_signalfd4 +#ifdef __NR_signalfd4 + {"signalfd4", __NR_signalfd4}, +#endif +#endif +#ifdef SYS_sigpending +#ifdef __NR_sigpending + {"sigpending", __NR_sigpending}, +#endif +#endif +#ifdef SYS_sigprocmask +#ifdef __NR_sigprocmask + {"sigprocmask", 
__NR_sigprocmask}, +#endif +#endif +#ifdef SYS_sigreturn +#ifdef __NR_sigreturn + {"sigreturn", __NR_sigreturn}, +#endif +#endif +#ifdef SYS_sigsuspend +#ifdef __NR_sigsuspend + {"sigsuspend", __NR_sigsuspend}, +#endif +#endif +#ifdef SYS_socket +#ifdef __NR_socket + {"socket", __NR_socket}, +#endif +#endif +#ifdef SYS_socketcall +#ifdef __NR_socketcall + {"socketcall", __NR_socketcall}, +#endif +#endif +#ifdef SYS_socketpair +#ifdef __NR_socketpair + {"socketpair", __NR_socketpair}, +#endif +#endif +#ifdef SYS_splice +#ifdef __NR_splice + {"splice", __NR_splice}, +#endif +#endif +#ifdef SYS_ssetmask +#ifdef __NR_ssetmask + {"ssetmask", __NR_ssetmask}, +#endif +#endif +#ifdef SYS_stat +#ifdef __NR_stat + {"stat", __NR_stat}, +#endif +#endif +#ifdef SYS_stat64 +#ifdef __NR_stat64 + {"stat64", __NR_stat64}, +#endif +#endif +#ifdef SYS_statfs +#ifdef __NR_statfs + {"statfs", __NR_statfs}, +#endif +#endif +#ifdef SYS_statfs64 +#ifdef __NR_statfs64 + {"statfs64", __NR_statfs64}, +#endif +#endif +#ifdef SYS_stime +#ifdef __NR_stime + {"stime", __NR_stime}, +#endif +#endif +#ifdef SYS_stty +#ifdef __NR_stty + {"stty", __NR_stty}, +#endif +#endif +#ifdef SYS_swapoff +#ifdef __NR_swapoff + {"swapoff", __NR_swapoff}, +#endif +#endif +#ifdef SYS_swapon +#ifdef __NR_swapon + {"swapon", __NR_swapon}, +#endif +#endif +#ifdef SYS_symlink +#ifdef __NR_symlink + {"symlink", __NR_symlink}, +#endif +#endif +#ifdef SYS_symlinkat +#ifdef __NR_symlinkat + {"symlinkat", __NR_symlinkat}, +#endif +#endif +#ifdef SYS_sync +#ifdef __NR_sync + {"sync", __NR_sync}, +#endif +#endif +#ifdef SYS_sync_file_range +#ifdef __NR_sync_file_range + {"sync_file_range", __NR_sync_file_range}, +#endif +#endif +#ifdef SYS_syncfs +#ifdef __NR_syncfs + {"syncfs", __NR_syncfs}, +#endif +#endif +#ifdef SYS_sysfs +#ifdef __NR_sysfs + {"sysfs", __NR_sysfs}, +#endif +#endif +#ifdef SYS_sysinfo +#ifdef __NR_sysinfo + {"sysinfo", __NR_sysinfo}, +#endif +#endif +#ifdef SYS_syslog +#ifdef __NR_syslog + {"syslog", 
__NR_syslog}, +#endif +#endif +#ifdef SYS_tee +#ifdef __NR_tee + {"tee", __NR_tee}, +#endif +#endif +#ifdef SYS_tgkill +#ifdef __NR_tgkill + {"tgkill", __NR_tgkill}, +#endif +#endif +#ifdef SYS_time +#ifdef __NR_time + {"time", __NR_time}, +#endif +#endif +#ifdef SYS_timer_create +#ifdef __NR_timer_create + {"timer_create", __NR_timer_create}, +#endif +#endif +#ifdef SYS_timer_delete +#ifdef __NR_timer_delete + {"timer_delete", __NR_timer_delete}, +#endif +#endif +#ifdef SYS_timer_getoverrun +#ifdef __NR_timer_getoverrun + {"timer_getoverrun", __NR_timer_getoverrun}, +#endif +#endif +#ifdef SYS_timer_gettime +#ifdef __NR_timer_gettime + {"timer_gettime", __NR_timer_gettime}, +#endif +#endif +#ifdef SYS_timer_settime +#ifdef __NR_timer_settime + {"timer_settime", __NR_timer_settime}, +#endif +#endif +#ifdef SYS_timerfd_create +#ifdef __NR_timerfd_create + {"timerfd_create", __NR_timerfd_create}, +#endif +#endif +#ifdef SYS_timerfd_gettime +#ifdef __NR_timerfd_gettime + {"timerfd_gettime", __NR_timerfd_gettime}, +#endif +#endif +#ifdef SYS_timerfd_settime +#ifdef __NR_timerfd_settime + {"timerfd_settime", __NR_timerfd_settime}, +#endif +#endif +#ifdef SYS_times +#ifdef __NR_times + {"times", __NR_times}, +#endif +#endif +#ifdef SYS_tkill +#ifdef __NR_tkill + {"tkill", __NR_tkill}, +#endif +#endif +#ifdef SYS_truncate +#ifdef __NR_truncate + {"truncate", __NR_truncate}, +#endif +#endif +#ifdef SYS_truncate64 +#ifdef __NR_truncate64 + {"truncate64", __NR_truncate64}, +#endif +#endif +#ifdef SYS_ugetrlimit +#ifdef __NR_ugetrlimit + {"ugetrlimit", __NR_ugetrlimit}, +#endif +#endif +#ifdef SYS_ulimit +#ifdef __NR_ulimit + {"ulimit", __NR_ulimit}, +#endif +#endif +#ifdef SYS_umask +#ifdef __NR_umask + {"umask", __NR_umask}, +#endif +#endif +#ifdef SYS_umount +#ifdef __NR_umount + {"umount", __NR_umount}, +#endif +#endif +#ifdef SYS_umount2 +#ifdef __NR_umount2 + {"umount2", __NR_umount2}, +#endif +#endif +#ifdef SYS_uname +#ifdef __NR_uname + {"uname", __NR_uname}, +#endif 
+#endif +#ifdef SYS_unlink +#ifdef __NR_unlink + {"unlink", __NR_unlink}, +#endif +#endif +#ifdef SYS_unlinkat +#ifdef __NR_unlinkat + {"unlinkat", __NR_unlinkat}, +#endif +#endif +#ifdef SYS_unshare +#ifdef __NR_unshare + {"unshare", __NR_unshare}, +#endif +#endif +#ifdef SYS_uselib +#ifdef __NR_uselib + {"uselib", __NR_uselib}, +#endif +#endif +#ifdef SYS_userfaultfd +#ifdef __NR_userfaultfd + {"userfaultfd", __NR_userfaultfd}, +#endif +#endif +#ifdef SYS_ustat +#ifdef __NR_ustat + {"ustat", __NR_ustat}, +#endif +#endif +#ifdef SYS_utime +#ifdef __NR_utime + {"utime", __NR_utime}, +#endif +#endif +#ifdef SYS_utimensat +#ifdef __NR_utimensat + {"utimensat", __NR_utimensat}, +#endif +#endif +#ifdef SYS_utimes +#ifdef __NR_utimes + {"utimes", __NR_utimes}, +#endif +#endif +#ifdef SYS_vfork +#ifdef __NR_vfork + {"vfork", __NR_vfork}, +#endif +#endif +#ifdef SYS_vhangup +#ifdef __NR_vhangup + {"vhangup", __NR_vhangup}, +#endif +#endif +#ifdef SYS_vm86 +#ifdef __NR_vm86 + {"vm86", __NR_vm86}, +#endif +#endif +#ifdef SYS_vm86old +#ifdef __NR_vm86old + {"vm86old", __NR_vm86old}, +#endif +#endif +#ifdef SYS_vmsplice +#ifdef __NR_vmsplice + {"vmsplice", __NR_vmsplice}, +#endif +#endif +#ifdef SYS_vserver +#ifdef __NR_vserver + {"vserver", __NR_vserver}, +#endif +#endif +#ifdef SYS_wait4 +#ifdef __NR_wait4 + {"wait4", __NR_wait4}, +#endif +#endif +#ifdef SYS_waitid +#ifdef __NR_waitid + {"waitid", __NR_waitid}, +#endif +#endif +#ifdef SYS_waitpid +#ifdef __NR_waitpid + {"waitpid", __NR_waitpid}, +#endif +#endif +#ifdef SYS_write +#ifdef __NR_write + {"write", __NR_write}, +#endif +#endif +#ifdef SYS_writev +#ifdef __NR_writev + {"writev", __NR_writev}, +#endif +#endif +#endif +#if defined __x86_64__ && defined __LP64__ +#ifdef SYS__sysctl +#ifdef __NR__sysctl + {"_sysctl", __NR__sysctl}, +#endif +#endif +#ifdef SYS_accept +#ifdef __NR_accept + {"accept", __NR_accept}, +#endif +#endif +#ifdef SYS_accept4 +#ifdef __NR_accept4 + {"accept4", __NR_accept4}, +#endif +#endif 
+#ifdef SYS_access +#ifdef __NR_access + {"access", __NR_access}, +#endif +#endif +#ifdef SYS_acct +#ifdef __NR_acct + {"acct", __NR_acct}, +#endif +#endif +#ifdef SYS_add_key +#ifdef __NR_add_key + {"add_key", __NR_add_key}, +#endif +#endif +#ifdef SYS_adjtimex +#ifdef __NR_adjtimex + {"adjtimex", __NR_adjtimex}, +#endif +#endif +#ifdef SYS_afs_syscall +#ifdef __NR_afs_syscall + {"afs_syscall", __NR_afs_syscall}, +#endif +#endif +#ifdef SYS_alarm +#ifdef __NR_alarm + {"alarm", __NR_alarm}, +#endif +#endif +#ifdef SYS_arch_prctl +#ifdef __NR_arch_prctl + {"arch_prctl", __NR_arch_prctl}, +#endif +#endif +#ifdef SYS_bind +#ifdef __NR_bind + {"bind", __NR_bind}, +#endif +#endif +#ifdef SYS_bpf +#ifdef __NR_bpf + {"bpf", __NR_bpf}, +#endif +#endif +#ifdef SYS_brk +#ifdef __NR_brk + {"brk", __NR_brk}, +#endif +#endif +#ifdef SYS_capget +#ifdef __NR_capget + {"capget", __NR_capget}, +#endif +#endif +#ifdef SYS_capset +#ifdef __NR_capset + {"capset", __NR_capset}, +#endif +#endif +#ifdef SYS_chdir +#ifdef __NR_chdir + {"chdir", __NR_chdir}, +#endif +#endif +#ifdef SYS_chmod +#ifdef __NR_chmod + {"chmod", __NR_chmod}, +#endif +#endif +#ifdef SYS_chown +#ifdef __NR_chown + {"chown", __NR_chown}, +#endif +#endif +#ifdef SYS_chroot +#ifdef __NR_chroot + {"chroot", __NR_chroot}, +#endif +#endif +#ifdef SYS_clock_adjtime +#ifdef __NR_clock_adjtime + {"clock_adjtime", __NR_clock_adjtime}, +#endif +#endif +#ifdef SYS_clock_getres +#ifdef __NR_clock_getres + {"clock_getres", __NR_clock_getres}, +#endif +#endif +#ifdef SYS_clock_gettime +#ifdef __NR_clock_gettime + {"clock_gettime", __NR_clock_gettime}, +#endif +#endif +#ifdef SYS_clock_nanosleep +#ifdef __NR_clock_nanosleep + {"clock_nanosleep", __NR_clock_nanosleep}, +#endif +#endif +#ifdef SYS_clock_settime +#ifdef __NR_clock_settime + {"clock_settime", __NR_clock_settime}, +#endif +#endif +#ifdef SYS_clone +#ifdef __NR_clone + {"clone", __NR_clone}, +#endif +#endif +#ifdef SYS_close +#ifdef __NR_close + {"close", __NR_close}, 
+#endif +#endif +#ifdef SYS_connect +#ifdef __NR_connect + {"connect", __NR_connect}, +#endif +#endif +#ifdef SYS_copy_file_range +#ifdef __NR_copy_file_range + {"copy_file_range", __NR_copy_file_range}, +#endif +#endif +#ifdef SYS_creat +#ifdef __NR_creat + {"creat", __NR_creat}, +#endif +#endif +#ifdef SYS_create_module +#ifdef __NR_create_module + {"create_module", __NR_create_module}, +#endif +#endif +#ifdef SYS_delete_module +#ifdef __NR_delete_module + {"delete_module", __NR_delete_module}, +#endif +#endif +#ifdef SYS_dup +#ifdef __NR_dup + {"dup", __NR_dup}, +#endif +#endif +#ifdef SYS_dup2 +#ifdef __NR_dup2 + {"dup2", __NR_dup2}, +#endif +#endif +#ifdef SYS_dup3 +#ifdef __NR_dup3 + {"dup3", __NR_dup3}, +#endif +#endif +#ifdef SYS_epoll_create +#ifdef __NR_epoll_create + {"epoll_create", __NR_epoll_create}, +#endif +#endif +#ifdef SYS_epoll_create1 +#ifdef __NR_epoll_create1 + {"epoll_create1", __NR_epoll_create1}, +#endif +#endif +#ifdef SYS_epoll_ctl +#ifdef __NR_epoll_ctl + {"epoll_ctl", __NR_epoll_ctl}, +#endif +#endif +#ifdef SYS_epoll_ctl_old +#ifdef __NR_epoll_ctl_old + {"epoll_ctl_old", __NR_epoll_ctl_old}, +#endif +#endif +#ifdef SYS_epoll_pwait +#ifdef __NR_epoll_pwait + {"epoll_pwait", __NR_epoll_pwait}, +#endif +#endif +#ifdef SYS_epoll_wait +#ifdef __NR_epoll_wait + {"epoll_wait", __NR_epoll_wait}, +#endif +#endif +#ifdef SYS_epoll_wait_old +#ifdef __NR_epoll_wait_old + {"epoll_wait_old", __NR_epoll_wait_old}, +#endif +#endif +#ifdef SYS_eventfd +#ifdef __NR_eventfd + {"eventfd", __NR_eventfd}, +#endif +#endif +#ifdef SYS_eventfd2 +#ifdef __NR_eventfd2 + {"eventfd2", __NR_eventfd2}, +#endif +#endif +#ifdef SYS_execve +#ifdef __NR_execve + {"execve", __NR_execve}, +#endif +#endif +#ifdef SYS_execveat +#ifdef __NR_execveat + {"execveat", __NR_execveat}, +#endif +#endif +#ifdef SYS_exit +#ifdef __NR_exit + {"exit", __NR_exit}, +#endif +#endif +#ifdef SYS_exit_group +#ifdef __NR_exit_group + {"exit_group", __NR_exit_group}, +#endif +#endif +#ifdef 
SYS_faccessat +#ifdef __NR_faccessat + {"faccessat", __NR_faccessat}, +#endif +#endif +#ifdef SYS_fadvise64 +#ifdef __NR_fadvise64 + {"fadvise64", __NR_fadvise64}, +#endif +#endif +#ifdef SYS_fallocate +#ifdef __NR_fallocate + {"fallocate", __NR_fallocate}, +#endif +#endif +#ifdef SYS_fanotify_init +#ifdef __NR_fanotify_init + {"fanotify_init", __NR_fanotify_init}, +#endif +#endif +#ifdef SYS_fanotify_mark +#ifdef __NR_fanotify_mark + {"fanotify_mark", __NR_fanotify_mark}, +#endif +#endif +#ifdef SYS_fchdir +#ifdef __NR_fchdir + {"fchdir", __NR_fchdir}, +#endif +#endif +#ifdef SYS_fchmod +#ifdef __NR_fchmod + {"fchmod", __NR_fchmod}, +#endif +#endif +#ifdef SYS_fchmodat +#ifdef __NR_fchmodat + {"fchmodat", __NR_fchmodat}, +#endif +#endif +#ifdef SYS_fchown +#ifdef __NR_fchown + {"fchown", __NR_fchown}, +#endif +#endif +#ifdef SYS_fchownat +#ifdef __NR_fchownat + {"fchownat", __NR_fchownat}, +#endif +#endif +#ifdef SYS_fcntl +#ifdef __NR_fcntl + {"fcntl", __NR_fcntl}, +#endif +#endif +#ifdef SYS_fdatasync +#ifdef __NR_fdatasync + {"fdatasync", __NR_fdatasync}, +#endif +#endif +#ifdef SYS_fgetxattr +#ifdef __NR_fgetxattr + {"fgetxattr", __NR_fgetxattr}, +#endif +#endif +#ifdef SYS_finit_module +#ifdef __NR_finit_module + {"finit_module", __NR_finit_module}, +#endif +#endif +#ifdef SYS_flistxattr +#ifdef __NR_flistxattr + {"flistxattr", __NR_flistxattr}, +#endif +#endif +#ifdef SYS_flock +#ifdef __NR_flock + {"flock", __NR_flock}, +#endif +#endif +#ifdef SYS_fork +#ifdef __NR_fork + {"fork", __NR_fork}, +#endif +#endif +#ifdef SYS_fremovexattr +#ifdef __NR_fremovexattr + {"fremovexattr", __NR_fremovexattr}, +#endif +#endif +#ifdef SYS_fsetxattr +#ifdef __NR_fsetxattr + {"fsetxattr", __NR_fsetxattr}, +#endif +#endif +#ifdef SYS_fstat +#ifdef __NR_fstat + {"fstat", __NR_fstat}, +#endif +#endif +#ifdef SYS_fstatfs +#ifdef __NR_fstatfs + {"fstatfs", __NR_fstatfs}, +#endif +#endif +#ifdef SYS_fsync +#ifdef __NR_fsync + {"fsync", __NR_fsync}, +#endif +#endif +#ifdef 
SYS_ftruncate +#ifdef __NR_ftruncate + {"ftruncate", __NR_ftruncate}, +#endif +#endif +#ifdef SYS_futex +#ifdef __NR_futex + {"futex", __NR_futex}, +#endif +#endif +#ifdef SYS_futimesat +#ifdef __NR_futimesat + {"futimesat", __NR_futimesat}, +#endif +#endif +#ifdef SYS_get_kernel_syms +#ifdef __NR_get_kernel_syms + {"get_kernel_syms", __NR_get_kernel_syms}, +#endif +#endif +#ifdef SYS_get_mempolicy +#ifdef __NR_get_mempolicy + {"get_mempolicy", __NR_get_mempolicy}, +#endif +#endif +#ifdef SYS_get_robust_list +#ifdef __NR_get_robust_list + {"get_robust_list", __NR_get_robust_list}, +#endif +#endif +#ifdef SYS_get_thread_area +#ifdef __NR_get_thread_area + {"get_thread_area", __NR_get_thread_area}, +#endif +#endif +#ifdef SYS_getcpu +#ifdef __NR_getcpu + {"getcpu", __NR_getcpu}, +#endif +#endif +#ifdef SYS_getcwd +#ifdef __NR_getcwd + {"getcwd", __NR_getcwd}, +#endif +#endif +#ifdef SYS_getdents +#ifdef __NR_getdents + {"getdents", __NR_getdents}, +#endif +#endif +#ifdef SYS_getdents64 +#ifdef __NR_getdents64 + {"getdents64", __NR_getdents64}, +#endif +#endif +#ifdef SYS_getegid +#ifdef __NR_getegid + {"getegid", __NR_getegid}, +#endif +#endif +#ifdef SYS_geteuid +#ifdef __NR_geteuid + {"geteuid", __NR_geteuid}, +#endif +#endif +#ifdef SYS_getgid +#ifdef __NR_getgid + {"getgid", __NR_getgid}, +#endif +#endif +#ifdef SYS_getgroups +#ifdef __NR_getgroups + {"getgroups", __NR_getgroups}, +#endif +#endif +#ifdef SYS_getitimer +#ifdef __NR_getitimer + {"getitimer", __NR_getitimer}, +#endif +#endif +#ifdef SYS_getpeername +#ifdef __NR_getpeername + {"getpeername", __NR_getpeername}, +#endif +#endif +#ifdef SYS_getpgid +#ifdef __NR_getpgid + {"getpgid", __NR_getpgid}, +#endif +#endif +#ifdef SYS_getpgrp +#ifdef __NR_getpgrp + {"getpgrp", __NR_getpgrp}, +#endif +#endif +#ifdef SYS_getpid +#ifdef __NR_getpid + {"getpid", __NR_getpid}, +#endif +#endif +#ifdef SYS_getpmsg +#ifdef __NR_getpmsg + {"getpmsg", __NR_getpmsg}, +#endif +#endif +#ifdef SYS_getppid +#ifdef __NR_getppid 
+ {"getppid", __NR_getppid}, +#endif +#endif +#ifdef SYS_getpriority +#ifdef __NR_getpriority + {"getpriority", __NR_getpriority}, +#endif +#endif +#ifdef SYS_getrandom +#ifdef __NR_getrandom + {"getrandom", __NR_getrandom}, +#endif +#endif +#ifdef SYS_getresgid +#ifdef __NR_getresgid + {"getresgid", __NR_getresgid}, +#endif +#endif +#ifdef SYS_getresuid +#ifdef __NR_getresuid + {"getresuid", __NR_getresuid}, +#endif +#endif +#ifdef SYS_getrlimit +#ifdef __NR_getrlimit + {"getrlimit", __NR_getrlimit}, +#endif +#endif +#ifdef SYS_getrusage +#ifdef __NR_getrusage + {"getrusage", __NR_getrusage}, +#endif +#endif +#ifdef SYS_getsid +#ifdef __NR_getsid + {"getsid", __NR_getsid}, +#endif +#endif +#ifdef SYS_getsockname +#ifdef __NR_getsockname + {"getsockname", __NR_getsockname}, +#endif +#endif +#ifdef SYS_getsockopt +#ifdef __NR_getsockopt + {"getsockopt", __NR_getsockopt}, +#endif +#endif +#ifdef SYS_gettid +#ifdef __NR_gettid + {"gettid", __NR_gettid}, +#endif +#endif +#ifdef SYS_gettimeofday +#ifdef __NR_gettimeofday + {"gettimeofday", __NR_gettimeofday}, +#endif +#endif +#ifdef SYS_getuid +#ifdef __NR_getuid + {"getuid", __NR_getuid}, +#endif +#endif +#ifdef SYS_getxattr +#ifdef __NR_getxattr + {"getxattr", __NR_getxattr}, +#endif +#endif +#ifdef SYS_init_module +#ifdef __NR_init_module + {"init_module", __NR_init_module}, +#endif +#endif +#ifdef SYS_inotify_add_watch +#ifdef __NR_inotify_add_watch + {"inotify_add_watch", __NR_inotify_add_watch}, +#endif +#endif +#ifdef SYS_inotify_init +#ifdef __NR_inotify_init + {"inotify_init", __NR_inotify_init}, +#endif +#endif +#ifdef SYS_inotify_init1 +#ifdef __NR_inotify_init1 + {"inotify_init1", __NR_inotify_init1}, +#endif +#endif +#ifdef SYS_inotify_rm_watch +#ifdef __NR_inotify_rm_watch + {"inotify_rm_watch", __NR_inotify_rm_watch}, +#endif +#endif +#ifdef SYS_io_cancel +#ifdef __NR_io_cancel + {"io_cancel", __NR_io_cancel}, +#endif +#endif +#ifdef SYS_io_destroy +#ifdef __NR_io_destroy + {"io_destroy", 
__NR_io_destroy}, +#endif +#endif +#ifdef SYS_io_getevents +#ifdef __NR_io_getevents + {"io_getevents", __NR_io_getevents}, +#endif +#endif +#ifdef SYS_io_setup +#ifdef __NR_io_setup + {"io_setup", __NR_io_setup}, +#endif +#endif +#ifdef SYS_io_submit +#ifdef __NR_io_submit + {"io_submit", __NR_io_submit}, +#endif +#endif +#ifdef SYS_ioctl +#ifdef __NR_ioctl + {"ioctl", __NR_ioctl}, +#endif +#endif +#ifdef SYS_ioperm +#ifdef __NR_ioperm + {"ioperm", __NR_ioperm}, +#endif +#endif +#ifdef SYS_iopl +#ifdef __NR_iopl + {"iopl", __NR_iopl}, +#endif +#endif +#ifdef SYS_ioprio_get +#ifdef __NR_ioprio_get + {"ioprio_get", __NR_ioprio_get}, +#endif +#endif +#ifdef SYS_ioprio_set +#ifdef __NR_ioprio_set + {"ioprio_set", __NR_ioprio_set}, +#endif +#endif +#ifdef SYS_kcmp +#ifdef __NR_kcmp + {"kcmp", __NR_kcmp}, +#endif +#endif +#ifdef SYS_kexec_file_load +#ifdef __NR_kexec_file_load + {"kexec_file_load", __NR_kexec_file_load}, +#endif +#endif +#ifdef SYS_kexec_load +#ifdef __NR_kexec_load + {"kexec_load", __NR_kexec_load}, +#endif +#endif +#ifdef SYS_keyctl +#ifdef __NR_keyctl + {"keyctl", __NR_keyctl}, +#endif +#endif +#ifdef SYS_kill +#ifdef __NR_kill + {"kill", __NR_kill}, +#endif +#endif +#ifdef SYS_lchown +#ifdef __NR_lchown + {"lchown", __NR_lchown}, +#endif +#endif +#ifdef SYS_lgetxattr +#ifdef __NR_lgetxattr + {"lgetxattr", __NR_lgetxattr}, +#endif +#endif +#ifdef SYS_link +#ifdef __NR_link + {"link", __NR_link}, +#endif +#endif +#ifdef SYS_linkat +#ifdef __NR_linkat + {"linkat", __NR_linkat}, +#endif +#endif +#ifdef SYS_listen +#ifdef __NR_listen + {"listen", __NR_listen}, +#endif +#endif +#ifdef SYS_listxattr +#ifdef __NR_listxattr + {"listxattr", __NR_listxattr}, +#endif +#endif +#ifdef SYS_llistxattr +#ifdef __NR_llistxattr + {"llistxattr", __NR_llistxattr}, +#endif +#endif +#ifdef SYS_lookup_dcookie +#ifdef __NR_lookup_dcookie + {"lookup_dcookie", __NR_lookup_dcookie}, +#endif +#endif +#ifdef SYS_lremovexattr +#ifdef __NR_lremovexattr + {"lremovexattr", 
__NR_lremovexattr}, +#endif +#endif +#ifdef SYS_lseek +#ifdef __NR_lseek + {"lseek", __NR_lseek}, +#endif +#endif +#ifdef SYS_lsetxattr +#ifdef __NR_lsetxattr + {"lsetxattr", __NR_lsetxattr}, +#endif +#endif +#ifdef SYS_lstat +#ifdef __NR_lstat + {"lstat", __NR_lstat}, +#endif +#endif +#ifdef SYS_madvise +#ifdef __NR_madvise + {"madvise", __NR_madvise}, +#endif +#endif +#ifdef SYS_mbind +#ifdef __NR_mbind + {"mbind", __NR_mbind}, +#endif +#endif +#ifdef SYS_membarrier +#ifdef __NR_membarrier + {"membarrier", __NR_membarrier}, +#endif +#endif +#ifdef SYS_memfd_create +#ifdef __NR_memfd_create + {"memfd_create", __NR_memfd_create}, +#endif +#endif +#ifdef SYS_migrate_pages +#ifdef __NR_migrate_pages + {"migrate_pages", __NR_migrate_pages}, +#endif +#endif +#ifdef SYS_mincore +#ifdef __NR_mincore + {"mincore", __NR_mincore}, +#endif +#endif +#ifdef SYS_mkdir +#ifdef __NR_mkdir + {"mkdir", __NR_mkdir}, +#endif +#endif +#ifdef SYS_mkdirat +#ifdef __NR_mkdirat + {"mkdirat", __NR_mkdirat}, +#endif +#endif +#ifdef SYS_mknod +#ifdef __NR_mknod + {"mknod", __NR_mknod}, +#endif +#endif +#ifdef SYS_mknodat +#ifdef __NR_mknodat + {"mknodat", __NR_mknodat}, +#endif +#endif +#ifdef SYS_mlock +#ifdef __NR_mlock + {"mlock", __NR_mlock}, +#endif +#endif +#ifdef SYS_mlock2 +#ifdef __NR_mlock2 + {"mlock2", __NR_mlock2}, +#endif +#endif +#ifdef SYS_mlockall +#ifdef __NR_mlockall + {"mlockall", __NR_mlockall}, +#endif +#endif +#ifdef SYS_mmap +#ifdef __NR_mmap + {"mmap", __NR_mmap}, +#endif +#endif +#ifdef SYS_modify_ldt +#ifdef __NR_modify_ldt + {"modify_ldt", __NR_modify_ldt}, +#endif +#endif +#ifdef SYS_mount +#ifdef __NR_mount + {"mount", __NR_mount}, +#endif +#endif +#ifdef SYS_move_pages +#ifdef __NR_move_pages + {"move_pages", __NR_move_pages}, +#endif +#endif +#ifdef SYS_mprotect +#ifdef __NR_mprotect + {"mprotect", __NR_mprotect}, +#endif +#endif +#ifdef SYS_mq_getsetattr +#ifdef __NR_mq_getsetattr + {"mq_getsetattr", __NR_mq_getsetattr}, +#endif +#endif +#ifdef SYS_mq_notify 
+#ifdef __NR_mq_notify + {"mq_notify", __NR_mq_notify}, +#endif +#endif +#ifdef SYS_mq_open +#ifdef __NR_mq_open + {"mq_open", __NR_mq_open}, +#endif +#endif +#ifdef SYS_mq_timedreceive +#ifdef __NR_mq_timedreceive + {"mq_timedreceive", __NR_mq_timedreceive}, +#endif +#endif +#ifdef SYS_mq_timedsend +#ifdef __NR_mq_timedsend + {"mq_timedsend", __NR_mq_timedsend}, +#endif +#endif +#ifdef SYS_mq_unlink +#ifdef __NR_mq_unlink + {"mq_unlink", __NR_mq_unlink}, +#endif +#endif +#ifdef SYS_mremap +#ifdef __NR_mremap + {"mremap", __NR_mremap}, +#endif +#endif +#ifdef SYS_msgctl +#ifdef __NR_msgctl + {"msgctl", __NR_msgctl}, +#endif +#endif +#ifdef SYS_msgget +#ifdef __NR_msgget + {"msgget", __NR_msgget}, +#endif +#endif +#ifdef SYS_msgrcv +#ifdef __NR_msgrcv + {"msgrcv", __NR_msgrcv}, +#endif +#endif +#ifdef SYS_msgsnd +#ifdef __NR_msgsnd + {"msgsnd", __NR_msgsnd}, +#endif +#endif +#ifdef SYS_msync +#ifdef __NR_msync + {"msync", __NR_msync}, +#endif +#endif +#ifdef SYS_munlock +#ifdef __NR_munlock + {"munlock", __NR_munlock}, +#endif +#endif +#ifdef SYS_munlockall +#ifdef __NR_munlockall + {"munlockall", __NR_munlockall}, +#endif +#endif +#ifdef SYS_munmap +#ifdef __NR_munmap + {"munmap", __NR_munmap}, +#endif +#endif +#ifdef SYS_name_to_handle_at +#ifdef __NR_name_to_handle_at + {"name_to_handle_at", __NR_name_to_handle_at}, +#endif +#endif +#ifdef SYS_nanosleep +#ifdef __NR_nanosleep + {"nanosleep", __NR_nanosleep}, +#endif +#endif +#ifdef SYS_newfstatat +#ifdef __NR_newfstatat + {"newfstatat", __NR_newfstatat}, +#endif +#endif +#ifdef SYS_nfsservctl +#ifdef __NR_nfsservctl + {"nfsservctl", __NR_nfsservctl}, +#endif +#endif +#ifdef SYS_open +#ifdef __NR_open + {"open", __NR_open}, +#endif +#endif +#ifdef SYS_open_by_handle_at +#ifdef __NR_open_by_handle_at + {"open_by_handle_at", __NR_open_by_handle_at}, +#endif +#endif +#ifdef SYS_openat +#ifdef __NR_openat + {"openat", __NR_openat}, +#endif +#endif +#ifdef SYS_pause +#ifdef __NR_pause + {"pause", __NR_pause}, +#endif 
+#endif +#ifdef SYS_perf_event_open +#ifdef __NR_perf_event_open + {"perf_event_open", __NR_perf_event_open}, +#endif +#endif +#ifdef SYS_personality +#ifdef __NR_personality + {"personality", __NR_personality}, +#endif +#endif +#ifdef SYS_pipe +#ifdef __NR_pipe + {"pipe", __NR_pipe}, +#endif +#endif +#ifdef SYS_pipe2 +#ifdef __NR_pipe2 + {"pipe2", __NR_pipe2}, +#endif +#endif +#ifdef SYS_pivot_root +#ifdef __NR_pivot_root + {"pivot_root", __NR_pivot_root}, +#endif +#endif +#ifdef SYS_poll +#ifdef __NR_poll + {"poll", __NR_poll}, +#endif +#endif +#ifdef SYS_ppoll +#ifdef __NR_ppoll + {"ppoll", __NR_ppoll}, +#endif +#endif +#ifdef SYS_prctl +#ifdef __NR_prctl + {"prctl", __NR_prctl}, +#endif +#endif +#ifdef SYS_pread64 +#ifdef __NR_pread64 + {"pread64", __NR_pread64}, +#endif +#endif +#ifdef SYS_preadv +#ifdef __NR_preadv + {"preadv", __NR_preadv}, +#endif +#endif +#ifdef SYS_prlimit64 +#ifdef __NR_prlimit64 + {"prlimit64", __NR_prlimit64}, +#endif +#endif +#ifdef SYS_process_vm_readv +#ifdef __NR_process_vm_readv + {"process_vm_readv", __NR_process_vm_readv}, +#endif +#endif +#ifdef SYS_process_vm_writev +#ifdef __NR_process_vm_writev + {"process_vm_writev", __NR_process_vm_writev}, +#endif +#endif +#ifdef SYS_pselect6 +#ifdef __NR_pselect6 + {"pselect6", __NR_pselect6}, +#endif +#endif +#ifdef SYS_ptrace +#ifdef __NR_ptrace + {"ptrace", __NR_ptrace}, +#endif +#endif +#ifdef SYS_putpmsg +#ifdef __NR_putpmsg + {"putpmsg", __NR_putpmsg}, +#endif +#endif +#ifdef SYS_pwrite64 +#ifdef __NR_pwrite64 + {"pwrite64", __NR_pwrite64}, +#endif +#endif +#ifdef SYS_pwritev +#ifdef __NR_pwritev + {"pwritev", __NR_pwritev}, +#endif +#endif +#ifdef SYS_query_module +#ifdef __NR_query_module + {"query_module", __NR_query_module}, +#endif +#endif +#ifdef SYS_quotactl +#ifdef __NR_quotactl + {"quotactl", __NR_quotactl}, +#endif +#endif +#ifdef SYS_read +#ifdef __NR_read + {"read", __NR_read}, +#endif +#endif +#ifdef SYS_readahead +#ifdef __NR_readahead + {"readahead", __NR_readahead}, 
+#endif +#endif +#ifdef SYS_readlink +#ifdef __NR_readlink + {"readlink", __NR_readlink}, +#endif +#endif +#ifdef SYS_readlinkat +#ifdef __NR_readlinkat + {"readlinkat", __NR_readlinkat}, +#endif +#endif +#ifdef SYS_readv +#ifdef __NR_readv + {"readv", __NR_readv}, +#endif +#endif +#ifdef SYS_reboot +#ifdef __NR_reboot + {"reboot", __NR_reboot}, +#endif +#endif +#ifdef SYS_recvfrom +#ifdef __NR_recvfrom + {"recvfrom", __NR_recvfrom}, +#endif +#endif +#ifdef SYS_recvmmsg +#ifdef __NR_recvmmsg + {"recvmmsg", __NR_recvmmsg}, +#endif +#endif +#ifdef SYS_recvmsg +#ifdef __NR_recvmsg + {"recvmsg", __NR_recvmsg}, +#endif +#endif +#ifdef SYS_remap_file_pages +#ifdef __NR_remap_file_pages + {"remap_file_pages", __NR_remap_file_pages}, +#endif +#endif +#ifdef SYS_removexattr +#ifdef __NR_removexattr + {"removexattr", __NR_removexattr}, +#endif +#endif +#ifdef SYS_rename +#ifdef __NR_rename + {"rename", __NR_rename}, +#endif +#endif +#ifdef SYS_renameat +#ifdef __NR_renameat + {"renameat", __NR_renameat}, +#endif +#endif +#ifdef SYS_renameat2 +#ifdef __NR_renameat2 + {"renameat2", __NR_renameat2}, +#endif +#endif +#ifdef SYS_request_key +#ifdef __NR_request_key + {"request_key", __NR_request_key}, +#endif +#endif +#ifdef SYS_restart_syscall +#ifdef __NR_restart_syscall + {"restart_syscall", __NR_restart_syscall}, +#endif +#endif +#ifdef SYS_rmdir +#ifdef __NR_rmdir + {"rmdir", __NR_rmdir}, +#endif +#endif +#ifdef SYS_rt_sigaction +#ifdef __NR_rt_sigaction + {"rt_sigaction", __NR_rt_sigaction}, +#endif +#endif +#ifdef SYS_rt_sigpending +#ifdef __NR_rt_sigpending + {"rt_sigpending", __NR_rt_sigpending}, +#endif +#endif +#ifdef SYS_rt_sigprocmask +#ifdef __NR_rt_sigprocmask + {"rt_sigprocmask", __NR_rt_sigprocmask}, +#endif +#endif +#ifdef SYS_rt_sigqueueinfo +#ifdef __NR_rt_sigqueueinfo + {"rt_sigqueueinfo", __NR_rt_sigqueueinfo}, +#endif +#endif +#ifdef SYS_rt_sigreturn +#ifdef __NR_rt_sigreturn + {"rt_sigreturn", __NR_rt_sigreturn}, +#endif +#endif +#ifdef SYS_rt_sigsuspend 
+#ifdef __NR_rt_sigsuspend + {"rt_sigsuspend", __NR_rt_sigsuspend}, +#endif +#endif +#ifdef SYS_rt_sigtimedwait +#ifdef __NR_rt_sigtimedwait + {"rt_sigtimedwait", __NR_rt_sigtimedwait}, +#endif +#endif +#ifdef SYS_rt_tgsigqueueinfo +#ifdef __NR_rt_tgsigqueueinfo + {"rt_tgsigqueueinfo", __NR_rt_tgsigqueueinfo}, +#endif +#endif +#ifdef SYS_sched_get_priority_max +#ifdef __NR_sched_get_priority_max + {"sched_get_priority_max", __NR_sched_get_priority_max}, +#endif +#endif +#ifdef SYS_sched_get_priority_min +#ifdef __NR_sched_get_priority_min + {"sched_get_priority_min", __NR_sched_get_priority_min}, +#endif +#endif +#ifdef SYS_sched_getaffinity +#ifdef __NR_sched_getaffinity + {"sched_getaffinity", __NR_sched_getaffinity}, +#endif +#endif +#ifdef SYS_sched_getattr +#ifdef __NR_sched_getattr + {"sched_getattr", __NR_sched_getattr}, +#endif +#endif +#ifdef SYS_sched_getparam +#ifdef __NR_sched_getparam + {"sched_getparam", __NR_sched_getparam}, +#endif +#endif +#ifdef SYS_sched_getscheduler +#ifdef __NR_sched_getscheduler + {"sched_getscheduler", __NR_sched_getscheduler}, +#endif +#endif +#ifdef SYS_sched_rr_get_interval +#ifdef __NR_sched_rr_get_interval + {"sched_rr_get_interval", __NR_sched_rr_get_interval}, +#endif +#endif +#ifdef SYS_sched_setaffinity +#ifdef __NR_sched_setaffinity + {"sched_setaffinity", __NR_sched_setaffinity}, +#endif +#endif +#ifdef SYS_sched_setattr +#ifdef __NR_sched_setattr + {"sched_setattr", __NR_sched_setattr}, +#endif +#endif +#ifdef SYS_sched_setparam +#ifdef __NR_sched_setparam + {"sched_setparam", __NR_sched_setparam}, +#endif +#endif +#ifdef SYS_sched_setscheduler +#ifdef __NR_sched_setscheduler + {"sched_setscheduler", __NR_sched_setscheduler}, +#endif +#endif +#ifdef SYS_sched_yield +#ifdef __NR_sched_yield + {"sched_yield", __NR_sched_yield}, +#endif +#endif +#ifdef SYS_seccomp +#ifdef __NR_seccomp + {"seccomp", __NR_seccomp}, +#endif +#endif +#ifdef SYS_security +#ifdef __NR_security + {"security", __NR_security}, +#endif +#endif 
+#ifdef SYS_select +#ifdef __NR_select + {"select", __NR_select}, +#endif +#endif +#ifdef SYS_semctl +#ifdef __NR_semctl + {"semctl", __NR_semctl}, +#endif +#endif +#ifdef SYS_semget +#ifdef __NR_semget + {"semget", __NR_semget}, +#endif +#endif +#ifdef SYS_semop +#ifdef __NR_semop + {"semop", __NR_semop}, +#endif +#endif +#ifdef SYS_semtimedop +#ifdef __NR_semtimedop + {"semtimedop", __NR_semtimedop}, +#endif +#endif +#ifdef SYS_sendfile +#ifdef __NR_sendfile + {"sendfile", __NR_sendfile}, +#endif +#endif +#ifdef SYS_sendmmsg +#ifdef __NR_sendmmsg + {"sendmmsg", __NR_sendmmsg}, +#endif +#endif +#ifdef SYS_sendmsg +#ifdef __NR_sendmsg + {"sendmsg", __NR_sendmsg}, +#endif +#endif +#ifdef SYS_sendto +#ifdef __NR_sendto + {"sendto", __NR_sendto}, +#endif +#endif +#ifdef SYS_set_mempolicy +#ifdef __NR_set_mempolicy + {"set_mempolicy", __NR_set_mempolicy}, +#endif +#endif +#ifdef SYS_set_robust_list +#ifdef __NR_set_robust_list + {"set_robust_list", __NR_set_robust_list}, +#endif +#endif +#ifdef SYS_set_thread_area +#ifdef __NR_set_thread_area + {"set_thread_area", __NR_set_thread_area}, +#endif +#endif +#ifdef SYS_set_tid_address +#ifdef __NR_set_tid_address + {"set_tid_address", __NR_set_tid_address}, +#endif +#endif +#ifdef SYS_setdomainname +#ifdef __NR_setdomainname + {"setdomainname", __NR_setdomainname}, +#endif +#endif +#ifdef SYS_setfsgid +#ifdef __NR_setfsgid + {"setfsgid", __NR_setfsgid}, +#endif +#endif +#ifdef SYS_setfsuid +#ifdef __NR_setfsuid + {"setfsuid", __NR_setfsuid}, +#endif +#endif +#ifdef SYS_setgid +#ifdef __NR_setgid + {"setgid", __NR_setgid}, +#endif +#endif +#ifdef SYS_setgroups +#ifdef __NR_setgroups + {"setgroups", __NR_setgroups}, +#endif +#endif +#ifdef SYS_sethostname +#ifdef __NR_sethostname + {"sethostname", __NR_sethostname}, +#endif +#endif +#ifdef SYS_setitimer +#ifdef __NR_setitimer + {"setitimer", __NR_setitimer}, +#endif +#endif +#ifdef SYS_setns +#ifdef __NR_setns + {"setns", __NR_setns}, +#endif +#endif +#ifdef SYS_setpgid 
+#ifdef __NR_setpgid + {"setpgid", __NR_setpgid}, +#endif +#endif +#ifdef SYS_setpriority +#ifdef __NR_setpriority + {"setpriority", __NR_setpriority}, +#endif +#endif +#ifdef SYS_setregid +#ifdef __NR_setregid + {"setregid", __NR_setregid}, +#endif +#endif +#ifdef SYS_setresgid +#ifdef __NR_setresgid + {"setresgid", __NR_setresgid}, +#endif +#endif +#ifdef SYS_setresuid +#ifdef __NR_setresuid + {"setresuid", __NR_setresuid}, +#endif +#endif +#ifdef SYS_setreuid +#ifdef __NR_setreuid + {"setreuid", __NR_setreuid}, +#endif +#endif +#ifdef SYS_setrlimit +#ifdef __NR_setrlimit + {"setrlimit", __NR_setrlimit}, +#endif +#endif +#ifdef SYS_setsid +#ifdef __NR_setsid + {"setsid", __NR_setsid}, +#endif +#endif +#ifdef SYS_setsockopt +#ifdef __NR_setsockopt + {"setsockopt", __NR_setsockopt}, +#endif +#endif +#ifdef SYS_settimeofday +#ifdef __NR_settimeofday + {"settimeofday", __NR_settimeofday}, +#endif +#endif +#ifdef SYS_setuid +#ifdef __NR_setuid + {"setuid", __NR_setuid}, +#endif +#endif +#ifdef SYS_setxattr +#ifdef __NR_setxattr + {"setxattr", __NR_setxattr}, +#endif +#endif +#ifdef SYS_shmat +#ifdef __NR_shmat + {"shmat", __NR_shmat}, +#endif +#endif +#ifdef SYS_shmctl +#ifdef __NR_shmctl + {"shmctl", __NR_shmctl}, +#endif +#endif +#ifdef SYS_shmdt +#ifdef __NR_shmdt + {"shmdt", __NR_shmdt}, +#endif +#endif +#ifdef SYS_shmget +#ifdef __NR_shmget + {"shmget", __NR_shmget}, +#endif +#endif +#ifdef SYS_shutdown +#ifdef __NR_shutdown + {"shutdown", __NR_shutdown}, +#endif +#endif +#ifdef SYS_sigaltstack +#ifdef __NR_sigaltstack + {"sigaltstack", __NR_sigaltstack}, +#endif +#endif +#ifdef SYS_signalfd +#ifdef __NR_signalfd + {"signalfd", __NR_signalfd}, +#endif +#endif +#ifdef SYS_signalfd4 +#ifdef __NR_signalfd4 + {"signalfd4", __NR_signalfd4}, +#endif +#endif +#ifdef SYS_socket +#ifdef __NR_socket + {"socket", __NR_socket}, +#endif +#endif +#ifdef SYS_socketpair +#ifdef __NR_socketpair + {"socketpair", __NR_socketpair}, +#endif +#endif +#ifdef SYS_splice +#ifdef 
__NR_splice + {"splice", __NR_splice}, +#endif +#endif +#ifdef SYS_stat +#ifdef __NR_stat + {"stat", __NR_stat}, +#endif +#endif +#ifdef SYS_statfs +#ifdef __NR_statfs + {"statfs", __NR_statfs}, +#endif +#endif +#ifdef SYS_swapoff +#ifdef __NR_swapoff + {"swapoff", __NR_swapoff}, +#endif +#endif +#ifdef SYS_swapon +#ifdef __NR_swapon + {"swapon", __NR_swapon}, +#endif +#endif +#ifdef SYS_symlink +#ifdef __NR_symlink + {"symlink", __NR_symlink}, +#endif +#endif +#ifdef SYS_symlinkat +#ifdef __NR_symlinkat + {"symlinkat", __NR_symlinkat}, +#endif +#endif +#ifdef SYS_sync +#ifdef __NR_sync + {"sync", __NR_sync}, +#endif +#endif +#ifdef SYS_sync_file_range +#ifdef __NR_sync_file_range + {"sync_file_range", __NR_sync_file_range}, +#endif +#endif +#ifdef SYS_syncfs +#ifdef __NR_syncfs + {"syncfs", __NR_syncfs}, +#endif +#endif +#ifdef SYS_sysfs +#ifdef __NR_sysfs + {"sysfs", __NR_sysfs}, +#endif +#endif +#ifdef SYS_sysinfo +#ifdef __NR_sysinfo + {"sysinfo", __NR_sysinfo}, +#endif +#endif +#ifdef SYS_syslog +#ifdef __NR_syslog + {"syslog", __NR_syslog}, +#endif +#endif +#ifdef SYS_tee +#ifdef __NR_tee + {"tee", __NR_tee}, +#endif +#endif +#ifdef SYS_tgkill +#ifdef __NR_tgkill + {"tgkill", __NR_tgkill}, +#endif +#endif +#ifdef SYS_time +#ifdef __NR_time + {"time", __NR_time}, +#endif +#endif +#ifdef SYS_timer_create +#ifdef __NR_timer_create + {"timer_create", __NR_timer_create}, +#endif +#endif +#ifdef SYS_timer_delete +#ifdef __NR_timer_delete + {"timer_delete", __NR_timer_delete}, +#endif +#endif +#ifdef SYS_timer_getoverrun +#ifdef __NR_timer_getoverrun + {"timer_getoverrun", __NR_timer_getoverrun}, +#endif +#endif +#ifdef SYS_timer_gettime +#ifdef __NR_timer_gettime + {"timer_gettime", __NR_timer_gettime}, +#endif +#endif +#ifdef SYS_timer_settime +#ifdef __NR_timer_settime + {"timer_settime", __NR_timer_settime}, +#endif +#endif +#ifdef SYS_timerfd_create +#ifdef __NR_timerfd_create + {"timerfd_create", __NR_timerfd_create}, +#endif +#endif +#ifdef 
SYS_timerfd_gettime +#ifdef __NR_timerfd_gettime + {"timerfd_gettime", __NR_timerfd_gettime}, +#endif +#endif +#ifdef SYS_timerfd_settime +#ifdef __NR_timerfd_settime + {"timerfd_settime", __NR_timerfd_settime}, +#endif +#endif +#ifdef SYS_times +#ifdef __NR_times + {"times", __NR_times}, +#endif +#endif +#ifdef SYS_tkill +#ifdef __NR_tkill + {"tkill", __NR_tkill}, +#endif +#endif +#ifdef SYS_truncate +#ifdef __NR_truncate + {"truncate", __NR_truncate}, +#endif +#endif +#ifdef SYS_tuxcall +#ifdef __NR_tuxcall + {"tuxcall", __NR_tuxcall}, +#endif +#endif +#ifdef SYS_umask +#ifdef __NR_umask + {"umask", __NR_umask}, +#endif +#endif +#ifdef SYS_umount2 +#ifdef __NR_umount2 + {"umount2", __NR_umount2}, +#endif +#endif +#ifdef SYS_uname +#ifdef __NR_uname + {"uname", __NR_uname}, +#endif +#endif +#ifdef SYS_unlink +#ifdef __NR_unlink + {"unlink", __NR_unlink}, +#endif +#endif +#ifdef SYS_unlinkat +#ifdef __NR_unlinkat + {"unlinkat", __NR_unlinkat}, +#endif +#endif +#ifdef SYS_unshare +#ifdef __NR_unshare + {"unshare", __NR_unshare}, +#endif +#endif +#ifdef SYS_uselib +#ifdef __NR_uselib + {"uselib", __NR_uselib}, +#endif +#endif +#ifdef SYS_userfaultfd +#ifdef __NR_userfaultfd + {"userfaultfd", __NR_userfaultfd}, +#endif +#endif +#ifdef SYS_ustat +#ifdef __NR_ustat + {"ustat", __NR_ustat}, +#endif +#endif +#ifdef SYS_utime +#ifdef __NR_utime + {"utime", __NR_utime}, +#endif +#endif +#ifdef SYS_utimensat +#ifdef __NR_utimensat + {"utimensat", __NR_utimensat}, +#endif +#endif +#ifdef SYS_utimes +#ifdef __NR_utimes + {"utimes", __NR_utimes}, +#endif +#endif +#ifdef SYS_vfork +#ifdef __NR_vfork + {"vfork", __NR_vfork}, +#endif +#endif +#ifdef SYS_vhangup +#ifdef __NR_vhangup + {"vhangup", __NR_vhangup}, +#endif +#endif +#ifdef SYS_vmsplice +#ifdef __NR_vmsplice + {"vmsplice", __NR_vmsplice}, +#endif +#endif +#ifdef SYS_vserver +#ifdef __NR_vserver + {"vserver", __NR_vserver}, +#endif +#endif +#ifdef SYS_wait4 +#ifdef __NR_wait4 + {"wait4", __NR_wait4}, +#endif +#endif 
+#ifdef SYS_waitid +#ifdef __NR_waitid + {"waitid", __NR_waitid}, +#endif +#endif +#ifdef SYS_write +#ifdef __NR_write + {"write", __NR_write}, +#endif +#endif +#ifdef SYS_writev +#ifdef __NR_writev + {"writev", __NR_writev}, +#endif +#endif +#endif +#if defined __x86_64__ && defined __ILP32__ +#ifdef SYS_accept +#ifdef __NR_accept + {"accept", __NR_accept}, +#endif +#endif +#ifdef SYS_accept4 +#ifdef __NR_accept4 + {"accept4", __NR_accept4}, +#endif +#endif +#ifdef SYS_access +#ifdef __NR_access + {"access", __NR_access}, +#endif +#endif +#ifdef SYS_acct +#ifdef __NR_acct + {"acct", __NR_acct}, +#endif +#endif +#ifdef SYS_add_key +#ifdef __NR_add_key + {"add_key", __NR_add_key}, +#endif +#endif +#ifdef SYS_adjtimex +#ifdef __NR_adjtimex + {"adjtimex", __NR_adjtimex}, +#endif +#endif +#ifdef SYS_afs_syscall +#ifdef __NR_afs_syscall + {"afs_syscall", __NR_afs_syscall}, +#endif +#endif +#ifdef SYS_alarm +#ifdef __NR_alarm + {"alarm", __NR_alarm}, +#endif +#endif +#ifdef SYS_arch_prctl +#ifdef __NR_arch_prctl + {"arch_prctl", __NR_arch_prctl}, +#endif +#endif +#ifdef SYS_bind +#ifdef __NR_bind + {"bind", __NR_bind}, +#endif +#endif +#ifdef SYS_bpf +#ifdef __NR_bpf + {"bpf", __NR_bpf}, +#endif +#endif +#ifdef SYS_brk +#ifdef __NR_brk + {"brk", __NR_brk}, +#endif +#endif +#ifdef SYS_capget +#ifdef __NR_capget + {"capget", __NR_capget}, +#endif +#endif +#ifdef SYS_capset +#ifdef __NR_capset + {"capset", __NR_capset}, +#endif +#endif +#ifdef SYS_chdir +#ifdef __NR_chdir + {"chdir", __NR_chdir}, +#endif +#endif +#ifdef SYS_chmod +#ifdef __NR_chmod + {"chmod", __NR_chmod}, +#endif +#endif +#ifdef SYS_chown +#ifdef __NR_chown + {"chown", __NR_chown}, +#endif +#endif +#ifdef SYS_chroot +#ifdef __NR_chroot + {"chroot", __NR_chroot}, +#endif +#endif +#ifdef SYS_clock_adjtime +#ifdef __NR_clock_adjtime + {"clock_adjtime", __NR_clock_adjtime}, +#endif +#endif +#ifdef SYS_clock_getres +#ifdef __NR_clock_getres + {"clock_getres", __NR_clock_getres}, +#endif +#endif +#ifdef 
SYS_clock_gettime +#ifdef __NR_clock_gettime + {"clock_gettime", __NR_clock_gettime}, +#endif +#endif +#ifdef SYS_clock_nanosleep +#ifdef __NR_clock_nanosleep + {"clock_nanosleep", __NR_clock_nanosleep}, +#endif +#endif +#ifdef SYS_clock_settime +#ifdef __NR_clock_settime + {"clock_settime", __NR_clock_settime}, +#endif +#endif +#ifdef SYS_clone +#ifdef __NR_clone + {"clone", __NR_clone}, +#endif +#endif +#ifdef SYS_close +#ifdef __NR_close + {"close", __NR_close}, +#endif +#endif +#ifdef SYS_connect +#ifdef __NR_connect + {"connect", __NR_connect}, +#endif +#endif +#ifdef SYS_copy_file_range +#ifdef __NR_copy_file_range + {"copy_file_range", __NR_copy_file_range}, +#endif +#endif +#ifdef SYS_creat +#ifdef __NR_creat + {"creat", __NR_creat}, +#endif +#endif +#ifdef SYS_delete_module +#ifdef __NR_delete_module + {"delete_module", __NR_delete_module}, +#endif +#endif +#ifdef SYS_dup +#ifdef __NR_dup + {"dup", __NR_dup}, +#endif +#endif +#ifdef SYS_dup2 +#ifdef __NR_dup2 + {"dup2", __NR_dup2}, +#endif +#endif +#ifdef SYS_dup3 +#ifdef __NR_dup3 + {"dup3", __NR_dup3}, +#endif +#endif +#ifdef SYS_epoll_create +#ifdef __NR_epoll_create + {"epoll_create", __NR_epoll_create}, +#endif +#endif +#ifdef SYS_epoll_create1 +#ifdef __NR_epoll_create1 + {"epoll_create1", __NR_epoll_create1}, +#endif +#endif +#ifdef SYS_epoll_ctl +#ifdef __NR_epoll_ctl + {"epoll_ctl", __NR_epoll_ctl}, +#endif +#endif +#ifdef SYS_epoll_pwait +#ifdef __NR_epoll_pwait + {"epoll_pwait", __NR_epoll_pwait}, +#endif +#endif +#ifdef SYS_epoll_wait +#ifdef __NR_epoll_wait + {"epoll_wait", __NR_epoll_wait}, +#endif +#endif +#ifdef SYS_eventfd +#ifdef __NR_eventfd + {"eventfd", __NR_eventfd}, +#endif +#endif +#ifdef SYS_eventfd2 +#ifdef __NR_eventfd2 + {"eventfd2", __NR_eventfd2}, +#endif +#endif +#ifdef SYS_execve +#ifdef __NR_execve + {"execve", __NR_execve}, +#endif +#endif +#ifdef SYS_execveat +#ifdef __NR_execveat + {"execveat", __NR_execveat}, +#endif +#endif +#ifdef SYS_exit +#ifdef __NR_exit + {"exit", 
__NR_exit}, +#endif +#endif +#ifdef SYS_exit_group +#ifdef __NR_exit_group + {"exit_group", __NR_exit_group}, +#endif +#endif +#ifdef SYS_faccessat +#ifdef __NR_faccessat + {"faccessat", __NR_faccessat}, +#endif +#endif +#ifdef SYS_fadvise64 +#ifdef __NR_fadvise64 + {"fadvise64", __NR_fadvise64}, +#endif +#endif +#ifdef SYS_fallocate +#ifdef __NR_fallocate + {"fallocate", __NR_fallocate}, +#endif +#endif +#ifdef SYS_fanotify_init +#ifdef __NR_fanotify_init + {"fanotify_init", __NR_fanotify_init}, +#endif +#endif +#ifdef SYS_fanotify_mark +#ifdef __NR_fanotify_mark + {"fanotify_mark", __NR_fanotify_mark}, +#endif +#endif +#ifdef SYS_fchdir +#ifdef __NR_fchdir + {"fchdir", __NR_fchdir}, +#endif +#endif +#ifdef SYS_fchmod +#ifdef __NR_fchmod + {"fchmod", __NR_fchmod}, +#endif +#endif +#ifdef SYS_fchmodat +#ifdef __NR_fchmodat + {"fchmodat", __NR_fchmodat}, +#endif +#endif +#ifdef SYS_fchown +#ifdef __NR_fchown + {"fchown", __NR_fchown}, +#endif +#endif +#ifdef SYS_fchownat +#ifdef __NR_fchownat + {"fchownat", __NR_fchownat}, +#endif +#endif +#ifdef SYS_fcntl +#ifdef __NR_fcntl + {"fcntl", __NR_fcntl}, +#endif +#endif +#ifdef SYS_fdatasync +#ifdef __NR_fdatasync + {"fdatasync", __NR_fdatasync}, +#endif +#endif +#ifdef SYS_fgetxattr +#ifdef __NR_fgetxattr + {"fgetxattr", __NR_fgetxattr}, +#endif +#endif +#ifdef SYS_finit_module +#ifdef __NR_finit_module + {"finit_module", __NR_finit_module}, +#endif +#endif +#ifdef SYS_flistxattr +#ifdef __NR_flistxattr + {"flistxattr", __NR_flistxattr}, +#endif +#endif +#ifdef SYS_flock +#ifdef __NR_flock + {"flock", __NR_flock}, +#endif +#endif +#ifdef SYS_fork +#ifdef __NR_fork + {"fork", __NR_fork}, +#endif +#endif +#ifdef SYS_fremovexattr +#ifdef __NR_fremovexattr + {"fremovexattr", __NR_fremovexattr}, +#endif +#endif +#ifdef SYS_fsetxattr +#ifdef __NR_fsetxattr + {"fsetxattr", __NR_fsetxattr}, +#endif +#endif +#ifdef SYS_fstat +#ifdef __NR_fstat + {"fstat", __NR_fstat}, +#endif +#endif +#ifdef SYS_fstatfs +#ifdef __NR_fstatfs + 
{"fstatfs", __NR_fstatfs}, +#endif +#endif +#ifdef SYS_fsync +#ifdef __NR_fsync + {"fsync", __NR_fsync}, +#endif +#endif +#ifdef SYS_ftruncate +#ifdef __NR_ftruncate + {"ftruncate", __NR_ftruncate}, +#endif +#endif +#ifdef SYS_futex +#ifdef __NR_futex + {"futex", __NR_futex}, +#endif +#endif +#ifdef SYS_futimesat +#ifdef __NR_futimesat + {"futimesat", __NR_futimesat}, +#endif +#endif +#ifdef SYS_get_mempolicy +#ifdef __NR_get_mempolicy + {"get_mempolicy", __NR_get_mempolicy}, +#endif +#endif +#ifdef SYS_get_robust_list +#ifdef __NR_get_robust_list + {"get_robust_list", __NR_get_robust_list}, +#endif +#endif +#ifdef SYS_getcpu +#ifdef __NR_getcpu + {"getcpu", __NR_getcpu}, +#endif +#endif +#ifdef SYS_getcwd +#ifdef __NR_getcwd + {"getcwd", __NR_getcwd}, +#endif +#endif +#ifdef SYS_getdents +#ifdef __NR_getdents + {"getdents", __NR_getdents}, +#endif +#endif +#ifdef SYS_getdents64 +#ifdef __NR_getdents64 + {"getdents64", __NR_getdents64}, +#endif +#endif +#ifdef SYS_getegid +#ifdef __NR_getegid + {"getegid", __NR_getegid}, +#endif +#endif +#ifdef SYS_geteuid +#ifdef __NR_geteuid + {"geteuid", __NR_geteuid}, +#endif +#endif +#ifdef SYS_getgid +#ifdef __NR_getgid + {"getgid", __NR_getgid}, +#endif +#endif +#ifdef SYS_getgroups +#ifdef __NR_getgroups + {"getgroups", __NR_getgroups}, +#endif +#endif +#ifdef SYS_getitimer +#ifdef __NR_getitimer + {"getitimer", __NR_getitimer}, +#endif +#endif +#ifdef SYS_getpeername +#ifdef __NR_getpeername + {"getpeername", __NR_getpeername}, +#endif +#endif +#ifdef SYS_getpgid +#ifdef __NR_getpgid + {"getpgid", __NR_getpgid}, +#endif +#endif +#ifdef SYS_getpgrp +#ifdef __NR_getpgrp + {"getpgrp", __NR_getpgrp}, +#endif +#endif +#ifdef SYS_getpid +#ifdef __NR_getpid + {"getpid", __NR_getpid}, +#endif +#endif +#ifdef SYS_getpmsg +#ifdef __NR_getpmsg + {"getpmsg", __NR_getpmsg}, +#endif +#endif +#ifdef SYS_getppid +#ifdef __NR_getppid + {"getppid", __NR_getppid}, +#endif +#endif +#ifdef SYS_getpriority +#ifdef __NR_getpriority + 
{"getpriority", __NR_getpriority}, +#endif +#endif +#ifdef SYS_getrandom +#ifdef __NR_getrandom + {"getrandom", __NR_getrandom}, +#endif +#endif +#ifdef SYS_getresgid +#ifdef __NR_getresgid + {"getresgid", __NR_getresgid}, +#endif +#endif +#ifdef SYS_getresuid +#ifdef __NR_getresuid + {"getresuid", __NR_getresuid}, +#endif +#endif +#ifdef SYS_getrlimit +#ifdef __NR_getrlimit + {"getrlimit", __NR_getrlimit}, +#endif +#endif +#ifdef SYS_getrusage +#ifdef __NR_getrusage + {"getrusage", __NR_getrusage}, +#endif +#endif +#ifdef SYS_getsid +#ifdef __NR_getsid + {"getsid", __NR_getsid}, +#endif +#endif +#ifdef SYS_getsockname +#ifdef __NR_getsockname + {"getsockname", __NR_getsockname}, +#endif +#endif +#ifdef SYS_getsockopt +#ifdef __NR_getsockopt + {"getsockopt", __NR_getsockopt}, +#endif +#endif +#ifdef SYS_gettid +#ifdef __NR_gettid + {"gettid", __NR_gettid}, +#endif +#endif +#ifdef SYS_gettimeofday +#ifdef __NR_gettimeofday + {"gettimeofday", __NR_gettimeofday}, +#endif +#endif +#ifdef SYS_getuid +#ifdef __NR_getuid + {"getuid", __NR_getuid}, +#endif +#endif +#ifdef SYS_getxattr +#ifdef __NR_getxattr + {"getxattr", __NR_getxattr}, +#endif +#endif +#ifdef SYS_init_module +#ifdef __NR_init_module + {"init_module", __NR_init_module}, +#endif +#endif +#ifdef SYS_inotify_add_watch +#ifdef __NR_inotify_add_watch + {"inotify_add_watch", __NR_inotify_add_watch}, +#endif +#endif +#ifdef SYS_inotify_init +#ifdef __NR_inotify_init + {"inotify_init", __NR_inotify_init}, +#endif +#endif +#ifdef SYS_inotify_init1 +#ifdef __NR_inotify_init1 + {"inotify_init1", __NR_inotify_init1}, +#endif +#endif +#ifdef SYS_inotify_rm_watch +#ifdef __NR_inotify_rm_watch + {"inotify_rm_watch", __NR_inotify_rm_watch}, +#endif +#endif +#ifdef SYS_io_cancel +#ifdef __NR_io_cancel + {"io_cancel", __NR_io_cancel}, +#endif +#endif +#ifdef SYS_io_destroy +#ifdef __NR_io_destroy + {"io_destroy", __NR_io_destroy}, +#endif +#endif +#ifdef SYS_io_getevents +#ifdef __NR_io_getevents + {"io_getevents", 
__NR_io_getevents}, +#endif +#endif +#ifdef SYS_io_setup +#ifdef __NR_io_setup + {"io_setup", __NR_io_setup}, +#endif +#endif +#ifdef SYS_io_submit +#ifdef __NR_io_submit + {"io_submit", __NR_io_submit}, +#endif +#endif +#ifdef SYS_ioctl +#ifdef __NR_ioctl + {"ioctl", __NR_ioctl}, +#endif +#endif +#ifdef SYS_ioperm +#ifdef __NR_ioperm + {"ioperm", __NR_ioperm}, +#endif +#endif +#ifdef SYS_iopl +#ifdef __NR_iopl + {"iopl", __NR_iopl}, +#endif +#endif +#ifdef SYS_ioprio_get +#ifdef __NR_ioprio_get + {"ioprio_get", __NR_ioprio_get}, +#endif +#endif +#ifdef SYS_ioprio_set +#ifdef __NR_ioprio_set + {"ioprio_set", __NR_ioprio_set}, +#endif +#endif +#ifdef SYS_kcmp +#ifdef __NR_kcmp + {"kcmp", __NR_kcmp}, +#endif +#endif +#ifdef SYS_kexec_file_load +#ifdef __NR_kexec_file_load + {"kexec_file_load", __NR_kexec_file_load}, +#endif +#endif +#ifdef SYS_kexec_load +#ifdef __NR_kexec_load + {"kexec_load", __NR_kexec_load}, +#endif +#endif +#ifdef SYS_keyctl +#ifdef __NR_keyctl + {"keyctl", __NR_keyctl}, +#endif +#endif +#ifdef SYS_kill +#ifdef __NR_kill + {"kill", __NR_kill}, +#endif +#endif +#ifdef SYS_lchown +#ifdef __NR_lchown + {"lchown", __NR_lchown}, +#endif +#endif +#ifdef SYS_lgetxattr +#ifdef __NR_lgetxattr + {"lgetxattr", __NR_lgetxattr}, +#endif +#endif +#ifdef SYS_link +#ifdef __NR_link + {"link", __NR_link}, +#endif +#endif +#ifdef SYS_linkat +#ifdef __NR_linkat + {"linkat", __NR_linkat}, +#endif +#endif +#ifdef SYS_listen +#ifdef __NR_listen + {"listen", __NR_listen}, +#endif +#endif +#ifdef SYS_listxattr +#ifdef __NR_listxattr + {"listxattr", __NR_listxattr}, +#endif +#endif +#ifdef SYS_llistxattr +#ifdef __NR_llistxattr + {"llistxattr", __NR_llistxattr}, +#endif +#endif +#ifdef SYS_lookup_dcookie +#ifdef __NR_lookup_dcookie + {"lookup_dcookie", __NR_lookup_dcookie}, +#endif +#endif +#ifdef SYS_lremovexattr +#ifdef __NR_lremovexattr + {"lremovexattr", __NR_lremovexattr}, +#endif +#endif +#ifdef SYS_lseek +#ifdef __NR_lseek + {"lseek", __NR_lseek}, +#endif +#endif 
+#ifdef SYS_lsetxattr +#ifdef __NR_lsetxattr + {"lsetxattr", __NR_lsetxattr}, +#endif +#endif +#ifdef SYS_lstat +#ifdef __NR_lstat + {"lstat", __NR_lstat}, +#endif +#endif +#ifdef SYS_madvise +#ifdef __NR_madvise + {"madvise", __NR_madvise}, +#endif +#endif +#ifdef SYS_mbind +#ifdef __NR_mbind + {"mbind", __NR_mbind}, +#endif +#endif +#ifdef SYS_membarrier +#ifdef __NR_membarrier + {"membarrier", __NR_membarrier}, +#endif +#endif +#ifdef SYS_memfd_create +#ifdef __NR_memfd_create + {"memfd_create", __NR_memfd_create}, +#endif +#endif +#ifdef SYS_migrate_pages +#ifdef __NR_migrate_pages + {"migrate_pages", __NR_migrate_pages}, +#endif +#endif +#ifdef SYS_mincore +#ifdef __NR_mincore + {"mincore", __NR_mincore}, +#endif +#endif +#ifdef SYS_mkdir +#ifdef __NR_mkdir + {"mkdir", __NR_mkdir}, +#endif +#endif +#ifdef SYS_mkdirat +#ifdef __NR_mkdirat + {"mkdirat", __NR_mkdirat}, +#endif +#endif +#ifdef SYS_mknod +#ifdef __NR_mknod + {"mknod", __NR_mknod}, +#endif +#endif +#ifdef SYS_mknodat +#ifdef __NR_mknodat + {"mknodat", __NR_mknodat}, +#endif +#endif +#ifdef SYS_mlock +#ifdef __NR_mlock + {"mlock", __NR_mlock}, +#endif +#endif +#ifdef SYS_mlock2 +#ifdef __NR_mlock2 + {"mlock2", __NR_mlock2}, +#endif +#endif +#ifdef SYS_mlockall +#ifdef __NR_mlockall + {"mlockall", __NR_mlockall}, +#endif +#endif +#ifdef SYS_mmap +#ifdef __NR_mmap + {"mmap", __NR_mmap}, +#endif +#endif +#ifdef SYS_modify_ldt +#ifdef __NR_modify_ldt + {"modify_ldt", __NR_modify_ldt}, +#endif +#endif +#ifdef SYS_mount +#ifdef __NR_mount + {"mount", __NR_mount}, +#endif +#endif +#ifdef SYS_move_pages +#ifdef __NR_move_pages + {"move_pages", __NR_move_pages}, +#endif +#endif +#ifdef SYS_mprotect +#ifdef __NR_mprotect + {"mprotect", __NR_mprotect}, +#endif +#endif +#ifdef SYS_mq_getsetattr +#ifdef __NR_mq_getsetattr + {"mq_getsetattr", __NR_mq_getsetattr}, +#endif +#endif +#ifdef SYS_mq_notify +#ifdef __NR_mq_notify + {"mq_notify", __NR_mq_notify}, +#endif +#endif +#ifdef SYS_mq_open +#ifdef __NR_mq_open + 
{"mq_open", __NR_mq_open}, +#endif +#endif +#ifdef SYS_mq_timedreceive +#ifdef __NR_mq_timedreceive + {"mq_timedreceive", __NR_mq_timedreceive}, +#endif +#endif +#ifdef SYS_mq_timedsend +#ifdef __NR_mq_timedsend + {"mq_timedsend", __NR_mq_timedsend}, +#endif +#endif +#ifdef SYS_mq_unlink +#ifdef __NR_mq_unlink + {"mq_unlink", __NR_mq_unlink}, +#endif +#endif +#ifdef SYS_mremap +#ifdef __NR_mremap + {"mremap", __NR_mremap}, +#endif +#endif +#ifdef SYS_msgctl +#ifdef __NR_msgctl + {"msgctl", __NR_msgctl}, +#endif +#endif +#ifdef SYS_msgget +#ifdef __NR_msgget + {"msgget", __NR_msgget}, +#endif +#endif +#ifdef SYS_msgrcv +#ifdef __NR_msgrcv + {"msgrcv", __NR_msgrcv}, +#endif +#endif +#ifdef SYS_msgsnd +#ifdef __NR_msgsnd + {"msgsnd", __NR_msgsnd}, +#endif +#endif +#ifdef SYS_msync +#ifdef __NR_msync + {"msync", __NR_msync}, +#endif +#endif +#ifdef SYS_munlock +#ifdef __NR_munlock + {"munlock", __NR_munlock}, +#endif +#endif +#ifdef SYS_munlockall +#ifdef __NR_munlockall + {"munlockall", __NR_munlockall}, +#endif +#endif +#ifdef SYS_munmap +#ifdef __NR_munmap + {"munmap", __NR_munmap}, +#endif +#endif +#ifdef SYS_name_to_handle_at +#ifdef __NR_name_to_handle_at + {"name_to_handle_at", __NR_name_to_handle_at}, +#endif +#endif +#ifdef SYS_nanosleep +#ifdef __NR_nanosleep + {"nanosleep", __NR_nanosleep}, +#endif +#endif +#ifdef SYS_newfstatat +#ifdef __NR_newfstatat + {"newfstatat", __NR_newfstatat}, +#endif +#endif +#ifdef SYS_open +#ifdef __NR_open + {"open", __NR_open}, +#endif +#endif +#ifdef SYS_open_by_handle_at +#ifdef __NR_open_by_handle_at + {"open_by_handle_at", __NR_open_by_handle_at}, +#endif +#endif +#ifdef SYS_openat +#ifdef __NR_openat + {"openat", __NR_openat}, +#endif +#endif +#ifdef SYS_pause +#ifdef __NR_pause + {"pause", __NR_pause}, +#endif +#endif +#ifdef SYS_perf_event_open +#ifdef __NR_perf_event_open + {"perf_event_open", __NR_perf_event_open}, +#endif +#endif +#ifdef SYS_personality +#ifdef __NR_personality + {"personality", __NR_personality}, 
+#endif +#endif +#ifdef SYS_pipe +#ifdef __NR_pipe + {"pipe", __NR_pipe}, +#endif +#endif +#ifdef SYS_pipe2 +#ifdef __NR_pipe2 + {"pipe2", __NR_pipe2}, +#endif +#endif +#ifdef SYS_pivot_root +#ifdef __NR_pivot_root + {"pivot_root", __NR_pivot_root}, +#endif +#endif +#ifdef SYS_poll +#ifdef __NR_poll + {"poll", __NR_poll}, +#endif +#endif +#ifdef SYS_ppoll +#ifdef __NR_ppoll + {"ppoll", __NR_ppoll}, +#endif +#endif +#ifdef SYS_prctl +#ifdef __NR_prctl + {"prctl", __NR_prctl}, +#endif +#endif +#ifdef SYS_pread64 +#ifdef __NR_pread64 + {"pread64", __NR_pread64}, +#endif +#endif +#ifdef SYS_preadv +#ifdef __NR_preadv + {"preadv", __NR_preadv}, +#endif +#endif +#ifdef SYS_prlimit64 +#ifdef __NR_prlimit64 + {"prlimit64", __NR_prlimit64}, +#endif +#endif +#ifdef SYS_process_vm_readv +#ifdef __NR_process_vm_readv + {"process_vm_readv", __NR_process_vm_readv}, +#endif +#endif +#ifdef SYS_process_vm_writev +#ifdef __NR_process_vm_writev + {"process_vm_writev", __NR_process_vm_writev}, +#endif +#endif +#ifdef SYS_pselect6 +#ifdef __NR_pselect6 + {"pselect6", __NR_pselect6}, +#endif +#endif +#ifdef SYS_ptrace +#ifdef __NR_ptrace + {"ptrace", __NR_ptrace}, +#endif +#endif +#ifdef SYS_putpmsg +#ifdef __NR_putpmsg + {"putpmsg", __NR_putpmsg}, +#endif +#endif +#ifdef SYS_pwrite64 +#ifdef __NR_pwrite64 + {"pwrite64", __NR_pwrite64}, +#endif +#endif +#ifdef SYS_pwritev +#ifdef __NR_pwritev + {"pwritev", __NR_pwritev}, +#endif +#endif +#ifdef SYS_quotactl +#ifdef __NR_quotactl + {"quotactl", __NR_quotactl}, +#endif +#endif +#ifdef SYS_read +#ifdef __NR_read + {"read", __NR_read}, +#endif +#endif +#ifdef SYS_readahead +#ifdef __NR_readahead + {"readahead", __NR_readahead}, +#endif +#endif +#ifdef SYS_readlink +#ifdef __NR_readlink + {"readlink", __NR_readlink}, +#endif +#endif +#ifdef SYS_readlinkat +#ifdef __NR_readlinkat + {"readlinkat", __NR_readlinkat}, +#endif +#endif +#ifdef SYS_readv +#ifdef __NR_readv + {"readv", __NR_readv}, +#endif +#endif +#ifdef SYS_reboot +#ifdef 
__NR_reboot + {"reboot", __NR_reboot}, +#endif +#endif +#ifdef SYS_recvfrom +#ifdef __NR_recvfrom + {"recvfrom", __NR_recvfrom}, +#endif +#endif +#ifdef SYS_recvmmsg +#ifdef __NR_recvmmsg + {"recvmmsg", __NR_recvmmsg}, +#endif +#endif +#ifdef SYS_recvmsg +#ifdef __NR_recvmsg + {"recvmsg", __NR_recvmsg}, +#endif +#endif +#ifdef SYS_remap_file_pages +#ifdef __NR_remap_file_pages + {"remap_file_pages", __NR_remap_file_pages}, +#endif +#endif +#ifdef SYS_removexattr +#ifdef __NR_removexattr + {"removexattr", __NR_removexattr}, +#endif +#endif +#ifdef SYS_rename +#ifdef __NR_rename + {"rename", __NR_rename}, +#endif +#endif +#ifdef SYS_renameat +#ifdef __NR_renameat + {"renameat", __NR_renameat}, +#endif +#endif +#ifdef SYS_renameat2 +#ifdef __NR_renameat2 + {"renameat2", __NR_renameat2}, +#endif +#endif +#ifdef SYS_request_key +#ifdef __NR_request_key + {"request_key", __NR_request_key}, +#endif +#endif +#ifdef SYS_restart_syscall +#ifdef __NR_restart_syscall + {"restart_syscall", __NR_restart_syscall}, +#endif +#endif +#ifdef SYS_rmdir +#ifdef __NR_rmdir + {"rmdir", __NR_rmdir}, +#endif +#endif +#ifdef SYS_rt_sigaction +#ifdef __NR_rt_sigaction + {"rt_sigaction", __NR_rt_sigaction}, +#endif +#endif +#ifdef SYS_rt_sigpending +#ifdef __NR_rt_sigpending + {"rt_sigpending", __NR_rt_sigpending}, +#endif +#endif +#ifdef SYS_rt_sigprocmask +#ifdef __NR_rt_sigprocmask + {"rt_sigprocmask", __NR_rt_sigprocmask}, +#endif +#endif +#ifdef SYS_rt_sigqueueinfo +#ifdef __NR_rt_sigqueueinfo + {"rt_sigqueueinfo", __NR_rt_sigqueueinfo}, +#endif +#endif +#ifdef SYS_rt_sigreturn +#ifdef __NR_rt_sigreturn + {"rt_sigreturn", __NR_rt_sigreturn}, +#endif +#endif +#ifdef SYS_rt_sigsuspend +#ifdef __NR_rt_sigsuspend + {"rt_sigsuspend", __NR_rt_sigsuspend}, +#endif +#endif +#ifdef SYS_rt_sigtimedwait +#ifdef __NR_rt_sigtimedwait + {"rt_sigtimedwait", __NR_rt_sigtimedwait}, +#endif +#endif +#ifdef SYS_rt_tgsigqueueinfo +#ifdef __NR_rt_tgsigqueueinfo + {"rt_tgsigqueueinfo", 
__NR_rt_tgsigqueueinfo}, +#endif +#endif +#ifdef SYS_sched_get_priority_max +#ifdef __NR_sched_get_priority_max + {"sched_get_priority_max", __NR_sched_get_priority_max}, +#endif +#endif +#ifdef SYS_sched_get_priority_min +#ifdef __NR_sched_get_priority_min + {"sched_get_priority_min", __NR_sched_get_priority_min}, +#endif +#endif +#ifdef SYS_sched_getaffinity +#ifdef __NR_sched_getaffinity + {"sched_getaffinity", __NR_sched_getaffinity}, +#endif +#endif +#ifdef SYS_sched_getattr +#ifdef __NR_sched_getattr + {"sched_getattr", __NR_sched_getattr}, +#endif +#endif +#ifdef SYS_sched_getparam +#ifdef __NR_sched_getparam + {"sched_getparam", __NR_sched_getparam}, +#endif +#endif +#ifdef SYS_sched_getscheduler +#ifdef __NR_sched_getscheduler + {"sched_getscheduler", __NR_sched_getscheduler}, +#endif +#endif +#ifdef SYS_sched_rr_get_interval +#ifdef __NR_sched_rr_get_interval + {"sched_rr_get_interval", __NR_sched_rr_get_interval}, +#endif +#endif +#ifdef SYS_sched_setaffinity +#ifdef __NR_sched_setaffinity + {"sched_setaffinity", __NR_sched_setaffinity}, +#endif +#endif +#ifdef SYS_sched_setattr +#ifdef __NR_sched_setattr + {"sched_setattr", __NR_sched_setattr}, +#endif +#endif +#ifdef SYS_sched_setparam +#ifdef __NR_sched_setparam + {"sched_setparam", __NR_sched_setparam}, +#endif +#endif +#ifdef SYS_sched_setscheduler +#ifdef __NR_sched_setscheduler + {"sched_setscheduler", __NR_sched_setscheduler}, +#endif +#endif +#ifdef SYS_sched_yield +#ifdef __NR_sched_yield + {"sched_yield", __NR_sched_yield}, +#endif +#endif +#ifdef SYS_seccomp +#ifdef __NR_seccomp + {"seccomp", __NR_seccomp}, +#endif +#endif +#ifdef SYS_security +#ifdef __NR_security + {"security", __NR_security}, +#endif +#endif +#ifdef SYS_select +#ifdef __NR_select + {"select", __NR_select}, +#endif +#endif +#ifdef SYS_semctl +#ifdef __NR_semctl + {"semctl", __NR_semctl}, +#endif +#endif +#ifdef SYS_semget +#ifdef __NR_semget + {"semget", __NR_semget}, +#endif +#endif +#ifdef SYS_semop +#ifdef __NR_semop + 
{"semop", __NR_semop}, +#endif +#endif +#ifdef SYS_semtimedop +#ifdef __NR_semtimedop + {"semtimedop", __NR_semtimedop}, +#endif +#endif +#ifdef SYS_sendfile +#ifdef __NR_sendfile + {"sendfile", __NR_sendfile}, +#endif +#endif +#ifdef SYS_sendmmsg +#ifdef __NR_sendmmsg + {"sendmmsg", __NR_sendmmsg}, +#endif +#endif +#ifdef SYS_sendmsg +#ifdef __NR_sendmsg + {"sendmsg", __NR_sendmsg}, +#endif +#endif +#ifdef SYS_sendto +#ifdef __NR_sendto + {"sendto", __NR_sendto}, +#endif +#endif +#ifdef SYS_set_mempolicy +#ifdef __NR_set_mempolicy + {"set_mempolicy", __NR_set_mempolicy}, +#endif +#endif +#ifdef SYS_set_robust_list +#ifdef __NR_set_robust_list + {"set_robust_list", __NR_set_robust_list}, +#endif +#endif +#ifdef SYS_set_tid_address +#ifdef __NR_set_tid_address + {"set_tid_address", __NR_set_tid_address}, +#endif +#endif +#ifdef SYS_setdomainname +#ifdef __NR_setdomainname + {"setdomainname", __NR_setdomainname}, +#endif +#endif +#ifdef SYS_setfsgid +#ifdef __NR_setfsgid + {"setfsgid", __NR_setfsgid}, +#endif +#endif +#ifdef SYS_setfsuid +#ifdef __NR_setfsuid + {"setfsuid", __NR_setfsuid}, +#endif +#endif +#ifdef SYS_setgid +#ifdef __NR_setgid + {"setgid", __NR_setgid}, +#endif +#endif +#ifdef SYS_setgroups +#ifdef __NR_setgroups + {"setgroups", __NR_setgroups}, +#endif +#endif +#ifdef SYS_sethostname +#ifdef __NR_sethostname + {"sethostname", __NR_sethostname}, +#endif +#endif +#ifdef SYS_setitimer +#ifdef __NR_setitimer + {"setitimer", __NR_setitimer}, +#endif +#endif +#ifdef SYS_setns +#ifdef __NR_setns + {"setns", __NR_setns}, +#endif +#endif +#ifdef SYS_setpgid +#ifdef __NR_setpgid + {"setpgid", __NR_setpgid}, +#endif +#endif +#ifdef SYS_setpriority +#ifdef __NR_setpriority + {"setpriority", __NR_setpriority}, +#endif +#endif +#ifdef SYS_setregid +#ifdef __NR_setregid + {"setregid", __NR_setregid}, +#endif +#endif +#ifdef SYS_setresgid +#ifdef __NR_setresgid + {"setresgid", __NR_setresgid}, +#endif +#endif +#ifdef SYS_setresuid +#ifdef __NR_setresuid + 
{"setresuid", __NR_setresuid}, +#endif +#endif +#ifdef SYS_setreuid +#ifdef __NR_setreuid + {"setreuid", __NR_setreuid}, +#endif +#endif +#ifdef SYS_setrlimit +#ifdef __NR_setrlimit + {"setrlimit", __NR_setrlimit}, +#endif +#endif +#ifdef SYS_setsid +#ifdef __NR_setsid + {"setsid", __NR_setsid}, +#endif +#endif +#ifdef SYS_setsockopt +#ifdef __NR_setsockopt + {"setsockopt", __NR_setsockopt}, +#endif +#endif +#ifdef SYS_settimeofday +#ifdef __NR_settimeofday + {"settimeofday", __NR_settimeofday}, +#endif +#endif +#ifdef SYS_setuid +#ifdef __NR_setuid + {"setuid", __NR_setuid}, +#endif +#endif +#ifdef SYS_setxattr +#ifdef __NR_setxattr + {"setxattr", __NR_setxattr}, +#endif +#endif +#ifdef SYS_shmat +#ifdef __NR_shmat + {"shmat", __NR_shmat}, +#endif +#endif +#ifdef SYS_shmctl +#ifdef __NR_shmctl + {"shmctl", __NR_shmctl}, +#endif +#endif +#ifdef SYS_shmdt +#ifdef __NR_shmdt + {"shmdt", __NR_shmdt}, +#endif +#endif +#ifdef SYS_shmget +#ifdef __NR_shmget + {"shmget", __NR_shmget}, +#endif +#endif +#ifdef SYS_shutdown +#ifdef __NR_shutdown + {"shutdown", __NR_shutdown}, +#endif +#endif +#ifdef SYS_sigaltstack +#ifdef __NR_sigaltstack + {"sigaltstack", __NR_sigaltstack}, +#endif +#endif +#ifdef SYS_signalfd +#ifdef __NR_signalfd + {"signalfd", __NR_signalfd}, +#endif +#endif +#ifdef SYS_signalfd4 +#ifdef __NR_signalfd4 + {"signalfd4", __NR_signalfd4}, +#endif +#endif +#ifdef SYS_socket +#ifdef __NR_socket + {"socket", __NR_socket}, +#endif +#endif +#ifdef SYS_socketpair +#ifdef __NR_socketpair + {"socketpair", __NR_socketpair}, +#endif +#endif +#ifdef SYS_splice +#ifdef __NR_splice + {"splice", __NR_splice}, +#endif +#endif +#ifdef SYS_stat +#ifdef __NR_stat + {"stat", __NR_stat}, +#endif +#endif +#ifdef SYS_statfs +#ifdef __NR_statfs + {"statfs", __NR_statfs}, +#endif +#endif +#ifdef SYS_swapoff +#ifdef __NR_swapoff + {"swapoff", __NR_swapoff}, +#endif +#endif +#ifdef SYS_swapon +#ifdef __NR_swapon + {"swapon", __NR_swapon}, +#endif +#endif +#ifdef SYS_symlink +#ifdef 
__NR_symlink + {"symlink", __NR_symlink}, +#endif +#endif +#ifdef SYS_symlinkat +#ifdef __NR_symlinkat + {"symlinkat", __NR_symlinkat}, +#endif +#endif +#ifdef SYS_sync +#ifdef __NR_sync + {"sync", __NR_sync}, +#endif +#endif +#ifdef SYS_sync_file_range +#ifdef __NR_sync_file_range + {"sync_file_range", __NR_sync_file_range}, +#endif +#endif +#ifdef SYS_syncfs +#ifdef __NR_syncfs + {"syncfs", __NR_syncfs}, +#endif +#endif +#ifdef SYS_sysfs +#ifdef __NR_sysfs + {"sysfs", __NR_sysfs}, +#endif +#endif +#ifdef SYS_sysinfo +#ifdef __NR_sysinfo + {"sysinfo", __NR_sysinfo}, +#endif +#endif +#ifdef SYS_syslog +#ifdef __NR_syslog + {"syslog", __NR_syslog}, +#endif +#endif +#ifdef SYS_tee +#ifdef __NR_tee + {"tee", __NR_tee}, +#endif +#endif +#ifdef SYS_tgkill +#ifdef __NR_tgkill + {"tgkill", __NR_tgkill}, +#endif +#endif +#ifdef SYS_time +#ifdef __NR_time + {"time", __NR_time}, +#endif +#endif +#ifdef SYS_timer_create +#ifdef __NR_timer_create + {"timer_create", __NR_timer_create}, +#endif +#endif +#ifdef SYS_timer_delete +#ifdef __NR_timer_delete + {"timer_delete", __NR_timer_delete}, +#endif +#endif +#ifdef SYS_timer_getoverrun +#ifdef __NR_timer_getoverrun + {"timer_getoverrun", __NR_timer_getoverrun}, +#endif +#endif +#ifdef SYS_timer_gettime +#ifdef __NR_timer_gettime + {"timer_gettime", __NR_timer_gettime}, +#endif +#endif +#ifdef SYS_timer_settime +#ifdef __NR_timer_settime + {"timer_settime", __NR_timer_settime}, +#endif +#endif +#ifdef SYS_timerfd_create +#ifdef __NR_timerfd_create + {"timerfd_create", __NR_timerfd_create}, +#endif +#endif +#ifdef SYS_timerfd_gettime +#ifdef __NR_timerfd_gettime + {"timerfd_gettime", __NR_timerfd_gettime}, +#endif +#endif +#ifdef SYS_timerfd_settime +#ifdef __NR_timerfd_settime + {"timerfd_settime", __NR_timerfd_settime}, +#endif +#endif +#ifdef SYS_times +#ifdef __NR_times + {"times", __NR_times}, +#endif +#endif +#ifdef SYS_tkill +#ifdef __NR_tkill + {"tkill", __NR_tkill}, +#endif +#endif +#ifdef SYS_truncate +#ifdef 
__NR_truncate + {"truncate", __NR_truncate}, +#endif +#endif +#ifdef SYS_tuxcall +#ifdef __NR_tuxcall + {"tuxcall", __NR_tuxcall}, +#endif +#endif +#ifdef SYS_umask +#ifdef __NR_umask + {"umask", __NR_umask}, +#endif +#endif +#ifdef SYS_umount2 +#ifdef __NR_umount2 + {"umount2", __NR_umount2}, +#endif +#endif +#ifdef SYS_uname +#ifdef __NR_uname + {"uname", __NR_uname}, +#endif +#endif +#ifdef SYS_unlink +#ifdef __NR_unlink + {"unlink", __NR_unlink}, +#endif +#endif +#ifdef SYS_unlinkat +#ifdef __NR_unlinkat + {"unlinkat", __NR_unlinkat}, +#endif +#endif +#ifdef SYS_unshare +#ifdef __NR_unshare + {"unshare", __NR_unshare}, +#endif +#endif +#ifdef SYS_userfaultfd +#ifdef __NR_userfaultfd + {"userfaultfd", __NR_userfaultfd}, +#endif +#endif +#ifdef SYS_ustat +#ifdef __NR_ustat + {"ustat", __NR_ustat}, +#endif +#endif +#ifdef SYS_utime +#ifdef __NR_utime + {"utime", __NR_utime}, +#endif +#endif +#ifdef SYS_utimensat +#ifdef __NR_utimensat + {"utimensat", __NR_utimensat}, +#endif +#endif +#ifdef SYS_utimes +#ifdef __NR_utimes + {"utimes", __NR_utimes}, +#endif +#endif +#ifdef SYS_vfork +#ifdef __NR_vfork + {"vfork", __NR_vfork}, +#endif +#endif +#ifdef SYS_vhangup +#ifdef __NR_vhangup + {"vhangup", __NR_vhangup}, +#endif +#endif +#ifdef SYS_vmsplice +#ifdef __NR_vmsplice + {"vmsplice", __NR_vmsplice}, +#endif +#endif +#ifdef SYS_wait4 +#ifdef __NR_wait4 + {"wait4", __NR_wait4}, +#endif +#endif +#ifdef SYS_waitid +#ifdef __NR_waitid + {"waitid", __NR_waitid}, +#endif +#endif +#ifdef SYS_write +#ifdef __NR_write + {"write", __NR_write}, +#endif +#endif +#ifdef SYS_writev +#ifdef __NR_writev + {"writev", __NR_writev}, +#endif +#endif +#endif -- cgit v1.2.3-70-g09d2 From 0e0df4153e83910f61643b705ecc1e65824b0c0c Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 28 Oct 2016 18:05:59 -0400 Subject: compile cleanup --- src/firejail/appimage_size.c | 5 ++--- src/firejail/sbox.c | 8 ++++++-- src/fnet/main.c | 6 +----- 3 files changed, 9 insertions(+), 10 deletions(-) 
diff --git a/src/firejail/appimage_size.c b/src/firejail/appimage_size.c index 64fff6901..3f5c3150c 100644 --- a/src/firejail/appimage_size.c +++ b/src/firejail/appimage_size.c @@ -41,7 +41,6 @@ e_shoff + ( e_shentsize * e_shnum ) = 126584 typedef Elf32_Nhdr Elf_Nhdr; static Elf64_Ehdr ehdr; -static Elf64_Phdr *phdr; #if __BYTE_ORDER == __LITTLE_ENDIAN #define ELFDATANATIVE ELFDATA2LSB @@ -75,7 +74,7 @@ static uint64_t file64_to_cpu(uint64_t val) { // return 0 if error static long unsigned int read_elf32(int fd) { Elf32_Ehdr ehdr32; - ssize_t ret, i; + ssize_t ret; ret = pread(fd, &ehdr32, sizeof(ehdr32), 0); if (ret < 0 || (size_t)ret != sizeof(ehdr)) @@ -92,7 +91,7 @@ static long unsigned int read_elf32(int fd) { // return 0 if error static long unsigned int read_elf64(int fd) { Elf64_Ehdr ehdr64; - ssize_t ret, i; + ssize_t ret; ret = pread(fd, &ehdr64, sizeof(ehdr64), 0); if (ret < 0 || (size_t)ret != sizeof(ehdr)) diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index d3ef2578c..d1225c3bc 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c @@ -23,6 +23,7 @@ #include #include #include + #include #include "../include/seccomp.h" static struct sock_filter filter[] = { @@ -112,7 +113,7 @@ typedef struct sbox_config { int sbox_run(unsigned filter, int num, ...) { EUID_ROOT(); - char *path = NULL; + int i; va_list valist; va_start(valist, num); @@ -159,7 +160,10 @@ printf("\n"); else if (filter & SBOX_USER) drop_privs(1); - execvp(arg[0], arg); + if (arg[0]) // get rid of scan-build warning + execvp(arg[0], arg); + else + assert(0); perror("execl"); _exit(1); } diff --git a/src/fnet/main.c b/src/fnet/main.c index 88f71c4b3..f17287cb9 100644 --- a/src/fnet/main.c +++ b/src/fnet/main.c 
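Review bot: In `read_elf32` (second hunk of src/firejail/appimage_size.c) the short-read check still compares the `pread` result with `sizeof(ehdr)`, and `ehdr` is the file-scope `static Elf64_Ehdr ehdr;` shown in the first hunk, not the `Elf32_Ehdr ehdr32` that was just read. A complete read of the 32-bit header never equals that size, so the 32-bit path appears to take the error branch every time; the check should be `if (ret < 0 || (size_t)ret != sizeof(ehdr32))`. `read_elf64` in the third hunk uses the same expression and only works because both objects have the same type; `sizeof(ehdr64)` there keeps the two parsers consistent. Both function bodies continue outside their hunks, so the error branch itself is not visible here.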
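Review bot: The new `else assert(0);` in `sbox_run` (third hunk of src/firejail/sbox.c) makes the empty-argv case depend on the build. With `NDEBUG` the assert disappears and control falls through to `perror("execl")` with whatever errno was last set; without it the child aborts instead of taking the `_exit(1)` path below. An explicit guard before the call reports the real cause in both builds: `if (!arg[0]) { fprintf(stderr, "Error: sbox_run called with no program\n"); _exit(1); }`, followed by the plain `execvp(arg[0], arg);`. The `perror` tag should also read `execvp`, since that is the call that failed. The function begins in the previous hunk and its argument setup is outside the visible lines.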
@@ -17,11 +17,7 @@ * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ -#include -#include -#include -#include -#include +#include "fnet.h" static void usage(void) { printf("Usage:\n"); -- cgit v1.2.3-70-g09d2 From a4da83cae8c7542d0fa1c2733bcf230754425bbb Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 29 Oct 2016 08:25:47 -0400 Subject: sbox/fseccomp --- src/fseccomp/Makefile.in | 43 ++++++++++ src/fseccomp/errno.c | 161 ++++++++++++++++++++++++++++++++++ src/fseccomp/fseccomp.h | 18 ++++ src/fseccomp/main.c | 42 +++++++++ src/fseccomp/protocol.c | 219 +++++++++++++++++++++++++++++++++++++++++++++++ src/fseccomp/syscall.c | 26 ++++++ 6 files changed, 509 insertions(+) create mode 100644 src/fseccomp/Makefile.in create mode 100644 src/fseccomp/errno.c create mode 100644 src/fseccomp/fseccomp.h create mode 100644 src/fseccomp/main.c create mode 100644 src/fseccomp/protocol.c create mode 100644 src/fseccomp/syscall.c diff --git a/src/fseccomp/Makefile.in b/src/fseccomp/Makefile.in new file mode 100644 index 000000000..e7edd1b8f --- /dev/null +++ b/src/fseccomp/Makefile.in 
@@ -0,0 +1,43 @@
+all: fseccomp
+
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+sysconfdir=@sysconfdir@
+
+VERSION=@PACKAGE_VERSION@
+NAME=@PACKAGE_NAME@
+HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
+HAVE_SECCOMP=@HAVE_SECCOMP@
+HAVE_CHROOT=@HAVE_CHROOT@
+HAVE_BIND=@HAVE_BIND@
+HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+HAVE_NETWORK=@HAVE_NETWORK@
+HAVE_USERNS=@HAVE_USERNS@
+HAVE_X11=@HAVE_X11@
+HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
+HAVE_WHITELIST=@HAVE_WHITELIST@
+HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
+HAVE_APPARMOR=@HAVE_APPARMOR@
+HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
+HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
+
+H_FILE_LIST = $(sort $(wildcard *.[h]))
+C_FILE_LIST = $(sort $(wildcard *.c))
+OBJS = $(C_FILE_LIST:.c=.o)
+BINOBJS = $(foreach file, $(OBJS), $file)
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
+
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h ../include/syscall.h
+ $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
+
+fseccomp: $(OBJS) ../lib/libnetlink.o ../lib/common.o
+ $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
+
+clean:; rm -f *.o fseccomp
+
+distclean: clean
+ rm -fr Makefile
+
diff --git a/src/fseccomp/errno.c b/src/fseccomp/errno.c
new file mode 100644
index 000000000..625f484bd
--- /dev/null
+++ b/src/fseccomp/errno.c
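Review bot: `BINOBJS = $(foreach file, $(OBJS), $file)` in src/fseccomp/Makefile.in does not expand the loop variable: make reads `$file` as `$f` followed by the literal text `ile`, so the list never holds the object names. Write it as `$(file)`, or drop the line, since no rule in this hunk references `BINOBJS`. The `%.o` rule also lists `../include/libnetlink.h` and `../include/pid.h` as prerequisites, and the link line pulls in `../lib/libnetlink.o` and `-lpthread`; if fseccomp does not use them, trimming these keeps the helper's dependencies to what it actually needs.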
@@ -0,0 +1,161 @@ +#include "fseccomp.h" + +#include +//#include + +typedef struct { + char *name; + int nr; +} ErrnoEntry; + +static ErrnoEntry errnolist[] = { +// +// code generated using tools/extract-errnos +// + {"EPERM", EPERM}, + {"ENOENT", ENOENT}, + {"ESRCH", ESRCH}, + {"EINTR", EINTR}, + {"EIO", EIO}, + {"ENXIO", ENXIO}, + {"E2BIG", E2BIG}, + {"ENOEXEC", ENOEXEC}, + {"EBADF", EBADF}, + {"ECHILD", ECHILD}, + {"EAGAIN", EAGAIN}, + {"ENOMEM", ENOMEM}, + {"EACCES", EACCES}, + {"EFAULT", EFAULT}, + {"ENOTBLK", ENOTBLK}, + {"EBUSY", EBUSY}, + {"EEXIST", EEXIST}, + {"EXDEV", EXDEV}, + {"ENODEV", ENODEV}, + {"ENOTDIR", ENOTDIR}, + {"EISDIR", EISDIR}, + {"EINVAL", EINVAL}, + {"ENFILE", ENFILE}, + {"EMFILE", EMFILE}, + {"ENOTTY", ENOTTY}, + {"ETXTBSY", ETXTBSY}, + {"EFBIG", EFBIG}, + {"ENOSPC", ENOSPC}, + {"ESPIPE", ESPIPE}, + {"EROFS", EROFS}, + {"EMLINK", EMLINK}, + {"EPIPE", EPIPE}, + {"EDOM", EDOM}, + {"ERANGE", ERANGE}, + {"EDEADLK", EDEADLK}, + {"ENAMETOOLONG", ENAMETOOLONG}, + {"ENOLCK", ENOLCK}, + {"ENOSYS", ENOSYS}, + {"ENOTEMPTY", ENOTEMPTY}, + {"ELOOP", ELOOP}, + {"EWOULDBLOCK", EWOULDBLOCK}, + {"ENOMSG", ENOMSG}, + {"EIDRM", EIDRM}, + {"ECHRNG", ECHRNG}, + {"EL2NSYNC", EL2NSYNC}, + {"EL3HLT", EL3HLT}, + {"EL3RST", EL3RST}, + {"ELNRNG", ELNRNG}, + {"EUNATCH", EUNATCH}, + {"ENOCSI", ENOCSI}, + {"EL2HLT", EL2HLT}, + {"EBADE", EBADE}, + {"EBADR", EBADR}, + {"EXFULL", EXFULL}, + {"ENOANO", ENOANO}, + {"EBADRQC", EBADRQC}, + {"EBADSLT", EBADSLT}, + {"EDEADLOCK", EDEADLOCK}, + {"EBFONT", EBFONT}, + {"ENOSTR", ENOSTR}, + {"ENODATA", ENODATA}, + {"ETIME", ETIME}, + {"ENOSR", ENOSR}, + {"ENONET", ENONET}, + {"ENOPKG", ENOPKG}, + {"EREMOTE", EREMOTE}, + {"ENOLINK", ENOLINK}, + {"EADV", EADV}, + {"ESRMNT", ESRMNT}, + {"ECOMM", ECOMM}, + {"EPROTO", EPROTO}, + {"EMULTIHOP", EMULTIHOP}, + {"EDOTDOT", EDOTDOT}, + {"EBADMSG", EBADMSG}, + {"EOVERFLOW", EOVERFLOW}, + {"ENOTUNIQ", ENOTUNIQ}, + {"EBADFD", EBADFD}, + {"EREMCHG", EREMCHG}, + {"ELIBACC", ELIBACC}, + 
{"ELIBBAD", ELIBBAD}, + {"ELIBSCN", ELIBSCN}, + {"ELIBMAX", ELIBMAX}, + {"ELIBEXEC", ELIBEXEC}, + {"EILSEQ", EILSEQ}, + {"ERESTART", ERESTART}, + {"ESTRPIPE", ESTRPIPE}, + {"EUSERS", EUSERS}, + {"ENOTSOCK", ENOTSOCK}, + {"EDESTADDRREQ", EDESTADDRREQ}, + {"EMSGSIZE", EMSGSIZE}, + {"EPROTOTYPE", EPROTOTYPE}, + {"ENOPROTOOPT", ENOPROTOOPT}, + {"EPROTONOSUPPORT", EPROTONOSUPPORT}, + {"ESOCKTNOSUPPORT", ESOCKTNOSUPPORT}, + {"EOPNOTSUPP", EOPNOTSUPP}, + {"EPFNOSUPPORT", EPFNOSUPPORT}, + {"EAFNOSUPPORT", EAFNOSUPPORT}, + {"EADDRINUSE", EADDRINUSE}, + {"EADDRNOTAVAIL", EADDRNOTAVAIL}, + {"ENETDOWN", ENETDOWN}, + {"ENETUNREACH", ENETUNREACH}, + {"ENETRESET", ENETRESET}, + {"ECONNABORTED", ECONNABORTED}, + {"ECONNRESET", ECONNRESET}, + {"ENOBUFS", ENOBUFS}, + {"EISCONN", EISCONN}, + {"ENOTCONN", ENOTCONN}, + {"ESHUTDOWN", ESHUTDOWN}, + {"ETOOMANYREFS", ETOOMANYREFS}, + {"ETIMEDOUT", ETIMEDOUT}, + {"ECONNREFUSED", ECONNREFUSED}, + {"EHOSTDOWN", EHOSTDOWN}, + {"EHOSTUNREACH", EHOSTUNREACH}, + {"EALREADY", EALREADY}, + {"EINPROGRESS", EINPROGRESS}, + {"ESTALE", ESTALE}, + {"EUCLEAN", EUCLEAN}, + {"ENOTNAM", ENOTNAM}, + {"ENAVAIL", ENAVAIL}, + {"EISNAM", EISNAM}, + {"EREMOTEIO", EREMOTEIO}, + {"EDQUOT", EDQUOT}, + {"ENOMEDIUM", ENOMEDIUM}, + {"EMEDIUMTYPE", EMEDIUMTYPE}, + {"ECANCELED", ECANCELED}, + {"ENOKEY", ENOKEY}, + {"EKEYEXPIRED", EKEYEXPIRED}, + {"EKEYREVOKED", EKEYREVOKED}, + {"EKEYREJECTED", EKEYREJECTED}, + {"EOWNERDEAD", EOWNERDEAD}, + {"ENOTRECOVERABLE", ENOTRECOVERABLE}, + {"ERFKILL", ERFKILL}, + {"EHWPOISON", EHWPOISON}, + {"ENOTSUP", ENOTSUP}, +#ifdef ENOATTR + {"ENOATTR", ENOATTR}, +#endif +}; + +void errno_print(void) { + int i; + int elems = sizeof(errnolist) / sizeof(errnolist[0]); + for (i = 0; i < elems; i++) { + printf("%d\t- %s\n", errnolist[i].nr, errnolist[i].name); + } + printf("\n"); +} diff --git a/src/fseccomp/fseccomp.h b/src/fseccomp/fseccomp.h new file mode 100644 index 000000000..57757ea6c --- /dev/null +++ b/src/fseccomp/fseccomp.h 
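Review bot: `ErrnoEntry.name` is declared `char *` but only ever points at string literals, and `errnolist` is only read by `errno_print` in this file. Declaring the field `const char *name;` and the table `static const ErrnoEntry errnolist[]` makes an accidental write a compile error and lets the table live in read-only storage. The same applies to `SyscallEntry` and `syslist` in src/fseccomp/syscall.c. Only `ENOATTR` is wrapped in `#ifdef`; the other Linux-specific constants (`ERFKILL`, `EHWPOISON` and similar) would break the build on a libc that lacks them, so tools/extract-errnos may want to emit the guard for every entry.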
@@ -0,0 +1,18 @@ +#ifndef FSECCOMP_H +#define FSECCOMP_H +#include +#include +#include +#include +#include "../include/common.h" + +// syscall.c +void syscall_print(void); + +// errno.c +void errno_print(void); + +// protocol.c +void protocol_print(void); +void protocol_build_filter(const char *prlist, const char *fname); +#endif diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c new file mode 100644 index 000000000..59d426a78 --- /dev/null +++ b/src/fseccomp/main.c @@ -0,0 +1,42 @@ +#include "fseccomp.h" + +static void usage(void) { + printf("Usage:\n"); + printf("\tfseccomp debug-syscalls\n"); + printf("\tfseccomp debug-errnos\n"); + printf("\tfseccomp debug-protocols\n"); + printf("\tfseccomp protocol build list file\n"); +} + +int main(int argc, char **argv) { +//#if 0 +{ +//system("cat /proc/self/status"); +int i; +for (i = 0; i < argc; i++) + printf("*%s* ", argv[i]); +printf("\n"); +} +//#endif + if (argc < 2) + return 1; + + if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) { + usage(); + return 0; + } + else if (argc == 2 && strcmp(argv[1], "debug-syscalls") == 0) + syscall_print(); + else if (argc == 2 && strcmp(argv[1], "debug-errnos") == 0) + errno_print(); + else if (argc == 2 && strcmp(argv[1], "debug-protocols") == 0) + protocol_print(); + else if (argc == 5 && strcmp(argv[1], "protocol") == 0 && strcmp(argv[2], "build") == 0) + protocol_build_filter(argv[3], argv[4]); + else { + fprintf(stderr, "Error fseccomp: invalid arguments\n"); + return 1; + } + + return 0; +} \ No newline at end of file diff --git a/src/fseccomp/protocol.c b/src/fseccomp/protocol.c new file mode 100644 index 000000000..38c5f9d88 --- /dev/null +++ b/src/fseccomp/protocol.c 
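Review bot: The argv dump at the top of `main` in src/fseccomp/main.c is live code, because the `#if 0` and `#endif` around it are commented out (`//#if 0`, `//#endif`). Every invocation therefore prints all its arguments to stdout first, which mixes into the `debug-syscalls`, `debug-errnos` and `debug-protocols` listings and echoes the output path given to `protocol build`. Restore the guards as `#if 0` … `#endif` or delete the block. Separately, `if (argc < 2) return 1;` exits without a message; calling `usage()` there, as the `-h` branch does, would tell the caller what went wrong.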
@@ -0,0 +1,219 @@ +/* + * Copyright (C) 2014-2016 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ + +/* + struct sock_filter filter[] = { + VALIDATE_ARCHITECTURE, + EXAMINE_SYSCALL, + ONLY(SYS_socket), + EXAMINE_ARGUMENT(0), // allow only AF_INET and AF_INET6, drop everything else + WHITELIST(AF_INET), + WHITELIST(AF_INET6), + WHITELIST(AF_PACKET), + RETURN_ERRNO(ENOTSUP) + }; + struct sock_fprog prog = { + .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])), + .filter = filter, + }; + + + if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { + perror("prctl(NO_NEW_PRIVS)"); + return 1; + } + if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) { + perror("prctl"); + return 1; + } +*/ + +#include "fseccomp.h" +#include "../include/seccomp.h" +#include +#include +#include + +static char *protocol[] = { + "unix", + "inet", + "inet6", + "netlink", + "packet", + NULL +}; + +static struct sock_filter protocol_filter_command[] = { + WHITELIST(AF_UNIX), + WHITELIST(AF_INET), + WHITELIST(AF_INET6), + WHITELIST(AF_NETLINK), + WHITELIST(AF_PACKET) +}; +// Note: protocol[] and protocol_filter_command are synchronized + +// command length +struct sock_filter whitelist[] = { + WHITELIST(AF_UNIX) +}; +unsigned whitelist_len = 
sizeof(whitelist) / sizeof(struct sock_filter); + +static struct sock_filter *find_protocol_domain(const char *p) { + int i = 0; + while (protocol[i] != NULL) { + if (strcmp(protocol[i], p) == 0) + return &protocol_filter_command[i * whitelist_len]; + i++; + } + + return NULL; +} + + +void protocol_print(void) { +#ifndef SYS_socket + fprintf(stderr, "Warning fseccomp: firejail --protocol not supported on this platform\n"); + return; +#endif + + int i = 0; + while (protocol[i] != NULL) { + printf("%s, ", protocol[i]); + i++; + } + printf("\n"); +} + +// install protocol filter +void protocol_build_filter(const char *prlist, const char *fname) { + assert(prlist); + assert(fname); + +#ifndef SYS_socket + fprintf(stderr, "Warning: --protocol not supported on this platform\n"); + return; +#else + // build the filter + struct sock_filter filter[32]; // big enough + memset(&filter[0], 0, sizeof(filter)); + uint8_t *ptr = (uint8_t *) &filter[0]; + + // header + struct sock_filter filter_start[] = { + VALIDATE_ARCHITECTURE, + EXAMINE_SYSCALL, + ONLY(SYS_socket), + EXAMINE_ARGUMENT(0) + }; + memcpy(ptr, &filter_start[0], sizeof(filter_start)); + ptr += sizeof(filter_start); + +#if 0 +printf("entries %u\n", (unsigned) (sizeof(filter_start) / sizeof(struct sock_filter))); +{ + unsigned j; + unsigned char *ptr2 = (unsigned char *) &filter[0]; + for (j = 0; j < sizeof(filter); j++, ptr2++) { + if ((j % (sizeof(struct sock_filter))) == 0) + printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter)))); + printf("%02x, ", (*ptr2) & 0xff); + } + printf("\n"); +} +printf("whitelist_len %u, struct sock_filter len %u\n", whitelist_len, (unsigned) sizeof(struct sock_filter)); +#endif + + + // parse list and add commands + char *tmplist = strdup(prlist); + if (!tmplist) + errExit("strdup"); + char *token = strtok(tmplist, ","); + if (!token) + errExit("strtok"); + + while (token) { + struct sock_filter *domain = find_protocol_domain(token); + if (domain == NULL) { + 
fprintf(stderr, "Error fseccomp: %s is not a valid protocol\n", token); + exit(1); + } + memcpy(ptr, domain, whitelist_len * sizeof(struct sock_filter)); + ptr += whitelist_len * sizeof(struct sock_filter); + token = strtok(NULL, ","); + +#if 0 +printf("entries %u\n", (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (unsigned) sizeof(struct sock_filter)); +{ + unsigned j; + unsigned char *ptr2 = (unsigned char *) &filter[0]; + for (j = 0; j < sizeof(filter); j++, ptr2++) { + if ((j % (sizeof(struct sock_filter))) == 0) + printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter)))); + printf("%02x, ", (*ptr2) & 0xff); + } + printf("\n"); +} +#endif + + + } + free(tmplist); + + // add end of filter + struct sock_filter filter_end[] = { + RETURN_ERRNO(ENOTSUP) + }; + memcpy(ptr, &filter_end[0], sizeof(filter_end)); + ptr += sizeof(filter_end); + +#if 0 +printf("entries %u\n", (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (unsigned) sizeof(struct sock_filter)); +{ + unsigned j; + unsigned char *ptr2 = (unsigned char *) &filter[0]; + for (j = 0; j < sizeof(filter); j++, ptr2++) { + if ((j % (sizeof(struct sock_filter))) == 0) + printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter)))); + printf("%02x, ", (*ptr2) & 0xff); + } + printf("\n"); +} +#endif + // save filter to file + int dst = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); + if (dst < 0) { + fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname); + exit(1); + } + + int size = (int) ((uintptr_t) ptr - (uintptr_t) (filter)); + int written = 0; + while (written < size) { + int rv = write(dst, (unsigned char *) filter + written, size - written); + if (rv == -1) { + fprintf(stderr, "Error fseccomp: cannot write %s file\n", fname); + exit(1); + } + written += rv; + } + close(dst); +#endif // SYS_socket +} diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c new file mode 100644 index 000000000..c67d45598 --- /dev/null 
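Review bot: In `protocol_build_filter` the token loop copies `whitelist_len` instructions into `filter[32]` for every comma-separated entry of `prlist` without checking how much room is left, and repeated names are not rejected, so a long enough list (it comes straight from `argv[3]` in main.c) writes past the end of the stack array. The final `memcpy` of `filter_end` has the same problem. Before each copy, compare the space used with the array size, for example `if ((size_t)(ptr - (uint8_t *) filter) + (whitelist_len + 1) * sizeof(struct sock_filter) > sizeof(filter))`, then print an error and `exit(1)` as the invalid-protocol branch does; the `+ 1` reserves the `RETURN_ERRNO` slot and assumes that macro is one instruction, which ../include/seccomp.h (not shown here) would confirm. The output file is opened with `O_CREAT|O_WRONLY|O_TRUNC` on a caller-supplied path, so if the caller can be privileged and the directory user-writable, adding `O_NOFOLLOW` is worth considering. The write loop also treats every `-1` from `write` as fatal, including `EINTR`.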
+++ b/src/fseccomp/syscall.c @@ -0,0 +1,26 @@ +#include "fseccomp.h" +#include + +typedef struct { + char *name; + int nr; +} SyscallEntry; + +static SyscallEntry syslist[] = { +// +// code generated using tools/extract-syscall +// +#include "../include/syscall.h" +// +// end of generated code +// +}; // end of syslist + +void syscall_print(void) { + int i; + int elems = sizeof(syslist) / sizeof(syslist[0]); + for (i = 0; i < elems; i++) { + printf("%d\t- %s\n", syslist[i].nr, syslist[i].name); + } + printf("\n"); +} -- cgit v1.2.3-70-g09d2 From 397b4e86f3e1581f8910efb0639c515d3420a21c Mon Sep 17 00:00:00 2001 From: valoq Date: Sat, 29 Oct 2016 17:22:51 +0200 Subject: added profile for display - imagemagick --- etc/display.profile | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 etc/display.profile diff --git a/etc/display.profile b/etc/display.profile new file mode 100644 index 000000000..ec041bff7 --- /dev/null +++ b/etc/display.profile @@ -0,0 +1,23 @@ +# display (ImageMagick tool) image viewer profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +seccomp +protocol unix +netfilter +net none +nonewprivs +noroot +nogroups +nosound +shell none +x11 xorg + +private-bin display +private-tmp +private-dev +private-etc none + -- cgit v1.2.3-70-g09d2 From 9fd22cec3ba42475c773b792105f70f4bf783d39 Mon Sep 17 00:00:00 2001 From: valoq Date: Sat, 29 Oct 2016 19:10:06 +0200 Subject: added profile for wire --- etc/Wire.profile | 22 ++++++++++++++++++++++ etc/disable-programs.inc | 1 + 2 files changed, 23 insertions(+) create mode 100644 etc/Wire.profile diff --git a/etc/Wire.profile b/etc/Wire.profile new file mode 100644 index 000000000..b488d75e4 --- /dev/null +++ b/etc/Wire.profile 
@@ -0,0 +1,22 @@ +# wire messenger profile + +noblacklist ~/.config/Wire + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +nogroups +noroot +protocol unix,inet,inet6,netlink +seccomp +shell none + +private-tmp +private-dev + +# please note: the wire binary is currently identified with a capital W. This might change in future versions diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 6e22fe04d..0d9bd1bb4 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -106,6 +106,7 @@ blacklist ${HOME}/.config/Slack blacklist ${HOME}/.cache/gajim blacklist ${HOME}/.local/share/gajim blacklist ${HOME}/.config/gajim +blacklist ${HOME}/.config/Wire # Games blacklist ${HOME}/.hedgewars -- cgit v1.2.3-70-g09d2 From f898290fd79e0e64d13ceef56fc5960da879d179 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Sun, 30 Oct 2016 15:54:05 -0400 Subject: major cleanup --- .gitignore | 1 + README | 2 + src/firejail/appimage.c | 5 - src/firejail/arp.c | 186 +------------------------- src/firejail/firejail.h | 31 +++-- src/firejail/fs.c | 198 ++++----------------------- src/firejail/fs_bin.c | 1 - src/firejail/fs_dev.c | 2 - src/firejail/fs_etc.c | 1 - src/firejail/fs_home.c | 6 - src/firejail/fs_hostname.c | 2 - src/firejail/fs_trace.c | 3 - src/firejail/fs_var.c | 3 - src/firejail/fs_whitelist.c | 4 - src/firejail/main.c | 50 ++----- src/firejail/network.c | 303 +++++------------------------------------- src/firejail/network_main.c | 27 ++-- src/firejail/preproc.c | 110 +++++++++++++++ src/firejail/protocol.c | 2 - src/firejail/pulseaudio.c | 1 - src/firejail/restrict_users.c | 3 - src/firejail/sandbox.c | 285 ++++++++++++++++++++------------------- src/firejail/sbox.c | 23 ++-- src/firejail/seccomp.c | 1 - src/firejail/util.c | 34 +++++ src/fnet/arp.c | 208 +++++++++++++++++++++++++++++ src/fnet/fnet.h | 9 ++ src/fnet/interface.c | 212 +++++++++++++++++++++++++++++ src/fnet/main.c | 39 +++++- src/fseccomp/main.c | 6 +- 30 files changed, 869 insertions(+), 889 deletions(-) create mode 100644 src/firejail/preproc.c create mode 100644 src/fnet/arp.c diff --git a/.gitignore b/.gitignore index 6acb6775c..db523da59 100644 --- a/.gitignore +++ b/.gitignore @@ -19,4 +19,5 @@ src/ftee/ftee src/tags src/faudit/faudit src/fnet/fnet +src/fseccomp/fseccomp uids.h diff --git a/README b/README index cbd15f02a..f0e2ea3e8 100644 --- a/README +++ b/README @@ -86,6 +86,8 @@ valoq (https://github.com/valoq) - added support for /srv in --whitelist feature - Eye of GNOME and Evolution profiles - blacklist suid binaries in disable-common.inc +Vadim A. Misbakh-Soloviov (https://github.com/msva) + - profile fixes Rafael Cavalcanti (https://github.com/rccavalcanti) - chromium profile fixes for Arch Linux Deelvesh Bunjun (https://github.com/DeelveshBunjun) 
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index 09b242964..322798ee5 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c @@ -60,11 +60,6 @@ void appimage_set(const char *appimage_path) { exit(1); } - // populate /run/firejail directory - EUID_ROOT(); - fs_build_firejail_dir(); - EUID_USER(); - // find or allocate a free loop device to use EUID_ROOT(); int cfd = open("/dev/loop-control", O_RDWR); diff --git a/src/firejail/arp.c b/src/firejail/arp.c index fb5e426b0..ddb75905f 100644 --- a/src/firejail/arp.c +++ b/src/firejail/arp.c @@ -40,6 +40,7 @@ typedef struct arp_hdr_t { uint8_t target_ip[4]; } ArpHdr; + // returns 0 if the address is not in use, -1 otherwise int arp_check(const char *dev, uint32_t destaddr, uint32_t srcaddr) { if (strlen(dev) > IFNAMSIZ) { 
@@ -286,189 +287,4 @@ uint32_t arp_assign(const char *dev, Bridge *br) { return ip; } -// scan interface (--scan option) -void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) { - assert(dev); - assert(ifip); - -// printf("Scanning interface %s (%d.%d.%d.%d/%d)\n", -// dev, PRINT_IP(ifip & ifmask), mask2bits(ifmask)); - - if (strlen(dev) > IFNAMSIZ) { - fprintf(stderr, "Error: invalid network device name %s\n", dev); - exit(1); - } - - // find interface mac address - int sock; - if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) - errExit("socket"); - struct ifreq ifr; - memset(&ifr, 0, sizeof (ifr)); - strncpy(ifr.ifr_name, dev, IFNAMSIZ); - if (ioctl(sock, SIOCGIFHWADDR, &ifr) < 0) - errExit("ioctl"); - close(sock); - uint8_t mac[6]; - memcpy (mac, ifr.ifr_hwaddr.sa_data, 6); - - // open layer2 socket - if ((sock = socket(PF_PACKET, SOCK_RAW, htons (ETH_P_ALL))) < 0) - errExit("socket"); - - // try all possible ip addresses in ascending order - uint32_t range = ~ifmask + 1; // the number of potential addresses - // this software is not supported for /31 networks - if (range < 4) { - fprintf(stderr, "Warning: this option is not supported for /31 networks\n"); - close(sock); - return; - } - - uint32_t dest = (ifip & ifmask) + 1; - uint32_t last = dest + range - 1; - uint32_t src = htonl(ifip); - - // wait not more than one second for an answer - int header_printed = 0; - uint32_t last_ip = 0; - struct timeval ts; - ts.tv_sec = 2; // 2 seconds receive timeout - ts.tv_usec = 0; - - while (1) { - fd_set rfds; - FD_ZERO(&rfds); - FD_SET(sock, &rfds); - fd_set wfds; - FD_ZERO(&wfds); - FD_SET(sock, &wfds); - int maxfd = sock; - - uint8_t frame[ETH_FRAME_LEN]; // includes eht header, vlan, and crc - memset(frame, 0, ETH_FRAME_LEN); - - int nready; - if (dest < last) - nready = select(maxfd + 1, &rfds, &wfds, (fd_set *) 0, NULL); - else - nready = select(maxfd + 1, &rfds, (fd_set *) 0, (fd_set *) 0, &ts); - - if (nready < 0) - errExit("select"); - - if 
(nready == 0) { // timeout - break; - } - - if (FD_ISSET(sock, &wfds) && dest < last) { - // configure layer2 socket address information - struct sockaddr_ll addr; - memset(&addr, 0, sizeof(addr)); - if ((addr.sll_ifindex = if_nametoindex(dev)) == 0) - errExit("if_nametoindex"); - addr.sll_family = AF_PACKET; - memcpy (addr.sll_addr, mac, 6); - addr.sll_halen = htons(6); - - // build the arp packet header - ArpHdr hdr; - memset(&hdr, 0, sizeof(hdr)); - hdr.htype = htons(1); - hdr.ptype = htons(ETH_P_IP); - hdr.hlen = 6; - hdr.plen = 4; - hdr.opcode = htons(1); //ARPOP_REQUEST - memcpy(hdr.sender_mac, mac, 6); - memcpy(hdr.sender_ip, (uint8_t *)&src, 4); - uint32_t dst = htonl(dest); - memcpy(hdr.target_ip, (uint8_t *)&dst, 4); - - // build ethernet frame - uint8_t frame[ETH_FRAME_LEN]; // includes eht header, vlan, and crc - memset(frame, 0, sizeof(frame)); - frame[0] = frame[1] = frame[2] = frame[3] = frame[4] = frame[5] = 0xff; - memcpy(frame + 6, mac, 6); - frame[12] = ETH_P_ARP / 256; - frame[13] = ETH_P_ARP % 256; - memcpy (frame + 14, &hdr, sizeof(hdr)); - - // send packet - int len; - if ((len = sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr))) <= 0) - errExit("send"); -//printf("send %d bytes to %d.%d.%d.%d\n", len, PRINT_IP(dest)); - fflush(0); - dest++; - } - - if (FD_ISSET(sock, &rfds)) { - // read the incoming packet - int len = recvfrom(sock, frame, ETH_FRAME_LEN, 0, NULL, NULL); - if (len < 0) { - perror("recvfrom"); - } - - // parse the incoming packet - if ((unsigned int) len < 14 + sizeof(ArpHdr)) - continue; - - // look only at ARP packets - if (frame[12] != (ETH_P_ARP / 256) || frame[13] != (ETH_P_ARP % 256)) - continue; - - ArpHdr hdr; - memcpy(&hdr, frame + 14, sizeof(ArpHdr)); - - if (hdr.opcode == htons(2)) { - // check my mac and my address - if (memcmp(mac, hdr.target_mac, 6) != 0) - continue; - uint32_t ip; - memcpy(&ip, hdr.target_ip, 4); - if (ip != src) - continue; - memcpy(&ip, hdr.sender_ip, 4); - 
ip = ntohl(ip); - - if (ip == last_ip) // filter duplicates - continue; - last_ip = ip; - - // printing - if (header_printed == 0) { - printf(" Network scan:\n"); - - // print parent interface - if (cfg.bridge0.configured && cfg.bridge0.ip && cfg.bridge0.macvlan && - (cfg.bridge0.ip & cfg.bridge0.mask) == (ifip & cfg.bridge0.mask)) - printf(" %02x:%02x:%02x:%02x:%02x:%02x\t%d.%d.%d.%d\n", - PRINT_MAC(cfg.bridge0.mac), PRINT_IP(cfg.bridge0.ip)); - - if (cfg.bridge1.configured && cfg.bridge1.ip && cfg.bridge1.macvlan && - (cfg.bridge1.ip & cfg.bridge1.mask) == (ifip & cfg.bridge1.mask)) - printf(" %02x:%02x:%02x:%02x:%02x:%02x\t%d.%d.%d.%d\n", - PRINT_MAC(cfg.bridge1.mac), PRINT_IP(cfg.bridge1.ip)); - - if (cfg.bridge2.configured && cfg.bridge2.ip && cfg.bridge2.macvlan && - (cfg.bridge2.ip & cfg.bridge2.mask) == (ifip & cfg.bridge2.mask)) - printf(" %02x:%02x:%02x:%02x:%02x:%02x\t%d.%d.%d.%d\n", - PRINT_MAC(cfg.bridge2.mac), PRINT_IP(cfg.bridge2.ip)); - - if (cfg.bridge3.configured && cfg.bridge3.ip && cfg.bridge3.macvlan && - (cfg.bridge3.ip & cfg.bridge3.mask) == (ifip & cfg.bridge3.mask)) - printf(" %02x:%02x:%02x:%02x:%02x:%02x\t%d.%d.%d.%d\n", - PRINT_MAC(cfg.bridge3.mac), PRINT_IP(cfg.bridge3.ip)); - - header_printed = 1; - } - printf(" %02x:%02x:%02x:%02x:%02x:%02x\t%d.%d.%d.%d\n", - PRINT_MAC(hdr.sender_mac), PRINT_IP(ip)); - } - } - } - - close(sock); -} - diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 749656f8b..dcec160fb 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h 
@@ -363,20 +363,19 @@ void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu); void net_if_ip6(const char *ifname, const char *addr6); int net_get_if_addr(const char *bridge, uint32_t *ip, uint32_t *mask, uint8_t mac[6], int *mtu); int net_add_route(uint32_t dest, uint32_t mask, uint32_t gw); -void net_ifprint(void); uint32_t network_get_defaultgw(void); int net_config_mac(const char *ifname, const unsigned char mac[6]); int net_get_mac(const char *ifname, unsigned char mac[6]); +void net_config_interface(const char *dev, uint32_t ip, uint32_t mask, int mtu); + +// preproc.c +void preproc_build_firejail_dir(void); +void preproc_mount_mnt_dir(void); +void preproc_build_cp_command(void); +void preproc_delete_cp_command(void) ; +void preproc_remount_mnt_dir(void); // fs.c -// build /run/firejail directory -void fs_build_firejail_dir(void); -// build /run/firejail/mnt directory -void fs_build_mnt_dir(void); -// grab a copy of cp command -void fs_build_cp_command(void); -// delete the temporary cp command -void fs_delete_cp_command(void) ; // blacklist files or directoies by mounting empty files on top of them void fs_blacklist(void); // remount a directory read-only @@ -393,7 +392,6 @@ void fs_overlayfs(void); // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf void fs_chroot(const char *rootdir); int fs_check_chroot_dir(const char *rootdir); -void fs_private_tmp(void); // profile.c // find and read the profile specified by name from dir directory @@ -430,8 +428,6 @@ int restricted_shell(const char *user); int arp_check(const char *dev, uint32_t destaddr, uint32_t srcaddr); // assign an IP address using arp scanning uint32_t arp_assign(const char *dev, Bridge *br); -// scan interface (--scan option) -void arp_scan(const char *dev, uint32_t srcaddr, uint32_t srcmask); // util.c void drop_privs(int nogroups); 
@@ -459,6 +455,8 @@ void invalid_filename(const char *fname); uid_t get_group_id(const char *group); int remove_directory(const char *path); void flush_stdin(void); +void create_empty_dir_as_root(const char *dir, mode_t mode); +void create_empty_file_as_root(const char *dir, mode_t mode); // fs_var.c void fs_var_log(void); // mounting /var/log @@ -687,10 +685,11 @@ void build_cmdline(char **command_line, char **window_title, int argc, char **ar #define PATH_FIREMON (PREFIX "/bin/firemon") #define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp") // bitmapped filters for sbox_run -#define SBOX_ROOT 1 -#define SBOX_USER 2 -#define SBOX_CAPS 4 -#define SBOX_SECCOMP 8 +#define SBOX_ROOT (1 << 0) +#define SBOX_USER (1 << 1) +#define SBOX_SECCOMP (1 << 2) +#define SBOX_CAPS_NONE (1 << 3) // drop all capabilities +#define SBOX_CAPS_NETWORK (1 << 4) // caps filter for programs running network programs // run sbox int sbox_run(unsigned filter, int num, ...); diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 572b08205..f7fc44c71 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c 
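Review bot: The `sbox_run` filter bits in the -687 hunk are renumbered and the single `SBOX_CAPS` flag is split into `SBOX_CAPS_NONE` and `SBOX_CAPS_NETWORK`, but nothing next to the defines says whether the two may be combined or what applies when neither is passed. These flags decide which capabilities a helper keeps, so the contract belongs beside them, for example `// SBOX_CAPS_NONE and SBOX_CAPS_NETWORK are mutually exclusive`, with `sbox_run` rejecting a mask that sets both. sbox.c is outside this hunk, so it may already enforce this. In the -459 hunk the new prototype `create_empty_file_as_root(const char *dir, mode_t mode)` names a file path `dir`; `file` or `path` would read better.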
@@ -29,155 +29,8 @@ static void fs_rdwr(const char *dir); -static void create_dir_as_root(const char *dir, mode_t mode) { - assert(dir); - if (arg_debug) - printf("Creating %s directory\n", dir); - - if (mkdir(dir, mode) == -1) - errExit("mkdir"); - if (chmod(dir, mode) == -1) - errExit("chmod"); - - ASSERT_PERMS(dir, 0, 0, mode); -} - -static void create_empty_dir(void) { - struct stat s; - - if (stat(RUN_RO_DIR, &s)) { - /* coverity[toctou] */ - if (mkdir(RUN_RO_DIR, S_IRUSR | S_IXUSR) == -1) - errExit("mkdir"); - if (chmod(RUN_RO_DIR, S_IRUSR | S_IXUSR) == -1) - errExit("chmod"); - ASSERT_PERMS(RUN_RO_DIR, 0, 0, S_IRUSR | S_IXUSR); - } -} - -static void create_empty_file(void) { - struct stat s; - - if (stat(RUN_RO_FILE, &s)) { - /* coverity[toctou] */ - FILE *fp = fopen(RUN_RO_FILE, "w"); - if (!fp) - errExit("fopen"); - - SET_PERMS_STREAM(fp, 0, 0, S_IRUSR); - fclose(fp); - } -} - -// build /run/firejail directory -void fs_build_firejail_dir(void) { - struct stat s; - - // CentOS 6 doesn't have /run directory - if (stat(RUN_FIREJAIL_BASEDIR, &s)) { - create_dir_as_root(RUN_FIREJAIL_BASEDIR, 0755); - } - - // check /run/firejail directory belongs to root end exit if doesn't! 
- if (stat(RUN_FIREJAIL_DIR, &s) == 0) { - if (s.st_uid != 0 || s.st_gid != 0) { - fprintf(stderr, "Error: non-root %s directory, exiting...\n", RUN_FIREJAIL_DIR); - exit(1); - } - } - else { - create_dir_as_root(RUN_FIREJAIL_DIR, 0755); - } - - if (stat(RUN_FIREJAIL_NETWORK_DIR, &s)) { - create_dir_as_root(RUN_FIREJAIL_NETWORK_DIR, 0755); - } - - if (stat(RUN_FIREJAIL_BANDWIDTH_DIR, &s)) { - create_dir_as_root(RUN_FIREJAIL_BANDWIDTH_DIR, 0755); - } - - if (stat(RUN_FIREJAIL_NAME_DIR, &s)) { - create_dir_as_root(RUN_FIREJAIL_NAME_DIR, 0755); - } - - if (stat(RUN_FIREJAIL_X11_DIR, &s)) { - create_dir_as_root(RUN_FIREJAIL_X11_DIR, 0755); - } - - if (stat(RUN_FIREJAIL_APPIMAGE_DIR, &s)) { - create_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755); - } - - create_empty_dir(); - create_empty_file(); -} -// build /run/firejail/mnt directory -static int tmpfs_mounted = 0; -#ifdef HAVE_CHROOT -static void fs_build_remount_mnt_dir(void) { - tmpfs_mounted = 0; - fs_build_mnt_dir(); -} -#endif - -void fs_build_mnt_dir(void) { - struct stat s; - fs_build_firejail_dir(); - - // create /run/firejail/mnt directory - if (stat(RUN_MNT_DIR, &s)) { - create_dir_as_root(RUN_MNT_DIR, 0755); - } - - // ... 
and mount tmpfs on top of it - if (!tmpfs_mounted) { - // mount tmpfs on top of /run/firejail/mnt - if (arg_debug) - printf("Mounting tmpfs on %s directory\n", RUN_MNT_DIR); - if (mount("tmpfs", RUN_MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) - errExit("mounting /run/firejail/mnt"); - tmpfs_mounted = 1; - fs_logger2("tmpfs", RUN_MNT_DIR); - } -} - -// grab a copy of cp command -void fs_build_cp_command(void) { - struct stat s; - fs_build_mnt_dir(); - if (stat(RUN_CP_COMMAND, &s)) { - char* fname = realpath("/bin/cp", NULL); - if (fname == NULL) { - fprintf(stderr, "Error: /bin/cp not found\n"); - exit(1); - } - if (stat(fname, &s)) { - fprintf(stderr, "Error: /bin/cp not found\n"); - exit(1); - } - if (is_link(fname)) { - fprintf(stderr, "Error: invalid /bin/cp file\n"); - exit(1); - } - int rv = copy_file(fname, RUN_CP_COMMAND, 0, 0, 0755); - if (rv) { - fprintf(stderr, "Error: cannot access /bin/cp\n"); - exit(1); - } - ASSERT_PERMS(RUN_CP_COMMAND, 0, 0, 0755); - - free(fname); - } -} - -// delete the temporary cp command -void fs_delete_cp_command(void) { - unlink(RUN_CP_COMMAND); -} - //*********************************************** // process profile file //*********************************************** @@ -202,9 +55,6 @@ static void disable_file(OPERATION op, const char *filename) { assert(op next; } - // create mount points - fs_build_mnt_dir(); - - // /home/user if (home_dir) { // keep a copy of real home dir in RUN_WHITELIST_HOME_USER_DIR diff --git a/src/firejail/main.c b/src/firejail/main.c index e210ceb31..fc86f9651 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c 
@@ -404,7 +404,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { #ifdef HAVE_SECCOMP else if (strcmp(argv[i], "--debug-syscalls") == 0) { if (checkcfg(CFG_SECCOMP)) { - int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-syscalls"); + int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-syscalls"); exit(rv); } else { @@ -414,7 +414,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { } else if (strcmp(argv[i], "--debug-errnos") == 0) { if (checkcfg(CFG_SECCOMP)) { - int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-errnos"); + int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-errnos"); exit(rv); } else { @@ -439,7 +439,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { exit(0); } else if (strcmp(argv[i], "--debug-protocols") == 0) { - int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-protocols"); + int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-protocols"); exit(rv); } else if (strncmp(argv[i], "--protocol.print=", 17) == 0) { @@ -499,15 +499,15 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { exit(0); } else if (strcmp(argv[i], "--list") == 0) { - int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--list"); + int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list"); exit(rv); } else if (strcmp(argv[i], "--tree") == 0) { - int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree"); + int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree"); exit(rv); } else if (strcmp(argv[i], "--top") == 0) { - int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--top"); + int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--top"); exit(rv); } #ifdef HAVE_NETWORK 
@@ -516,9 +516,9 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { struct stat s; int rv; if (stat("/proc/sys/kernel/grsecurity", &s) == 0) - rv = sbox_run(SBOX_ROOT | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--netstats"); + rv = sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--netstats"); else - rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--netstats"); + rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--netstats"); exit(rv); } else { @@ -855,6 +855,9 @@ int main(int argc, char **argv) { int highest_errno = errno_highest_nr(); #endif + // build /run/firejail directory structure + preproc_build_firejail_dir(); + detect_quiet(argc, argv); detect_allow_debuggers(argc, argv); @@ -957,10 +960,8 @@ int main(int argc, char **argv) { // initialize globals init_cfg(argc, argv); - // check firejail directories EUID_ROOT(); - fs_build_firejail_dir(); bandwidth_del_run_file(sandbox_pid); network_del_run_file(sandbox_pid); delete_name_file(sandbox_pid); 
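Review bot: The new `preproc_build_firejail_dir();` call near the top of `main` (hunk at -855) is not bracketed by `EUID_ROOT()` / `EUID_USER()`, while the calls it replaces were: the one removed at -957 ran right after `EUID_ROOT();`, and the one removed from appimage.c was wrapped in both. The hunk does not show the effective uid at the new call site, so either confirm it is still 0 there or keep the bracket, `EUID_ROOT(); preproc_build_firejail_dir(); EUID_USER();`. A comment on the call stating the privilege it expects, such as `// must run with euid 0: builds the root-owned /run/firejail tree`, would keep a later reorder from moving it below the privilege drop. `main` starts and ends outside these hunks.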
@@ -1462,35 +1463,6 @@ int main(int argc, char **argv) { } } -#if 0 // disabled for now, it could be used to overwrite system directories - else if (strncmp(argv[i], "--overlay-path=", 15) == 0) { - if (checkcfg(CFG_OVERLAYFS)) { - if (cfg.chrootdir) { - fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); - exit(1); - } - struct stat s; - if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { - fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); - exit(1); - } - arg_overlay = 1; - arg_overlay_keep = 1; - arg_overlay_reuse = 1; - - char *dirname = argv[i] + 15; - if (dirname == '\0') { - fprintf(stderr, "Error: invalid overlay option\n"); - exit(1); - } - cfg.overlay_dir = expand_home(dirname, cfg.homedir); - } - else { - fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n"); - exit(1); - } - } -#endif else if (strcmp(argv[i], "--overlay-tmpfs") == 0) { if (checkcfg(CFG_OVERLAYFS)) { if (cfg.chrootdir) { diff --git a/src/firejail/network.c b/src/firejail/network.c index ac0d86559..6d09d770f 100644 --- a/src/firejail/network.c +++ b/src/firejail/network.c 
@@ -28,70 +28,6 @@ #include #include -// scan interfaces in current namespace and print IP address/mask for each interface -void net_ifprint(void) { - uint32_t ip; - uint32_t mask; - struct ifaddrs *ifaddr, *ifa; - - if (getifaddrs(&ifaddr) == -1) - errExit("getifaddrs"); - - printf("%-17.17s%-19.19s%-17.17s%-17.17s%-6.6s\n", - "Interface", "MAC", "IP", "Mask", "Status"); - // walk through the linked list - for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) { - if (ifa->ifa_addr == NULL) - continue; - - if (ifa->ifa_addr->sa_family == AF_INET) { - struct sockaddr_in *si = (struct sockaddr_in *) ifa->ifa_netmask; - mask = ntohl(si->sin_addr.s_addr); - si = (struct sockaddr_in *) ifa->ifa_addr; - ip = ntohl(si->sin_addr.s_addr); - - // interface status - char *status; - if (ifa->ifa_flags & IFF_RUNNING && ifa->ifa_flags & IFF_UP) - status = "UP"; - else - status = "DOWN"; - - // ip address and mask - char ipstr[30]; - sprintf(ipstr, "%d.%d.%d.%d", PRINT_IP(ip)); - char maskstr[30]; - sprintf(maskstr, "%d.%d.%d.%d", PRINT_IP(mask)); - - // mac address - unsigned char mac[6]; - net_get_mac(ifa->ifa_name, mac); - char macstr[30]; - if (strcmp(ifa->ifa_name, "lo") == 0) - macstr[0] = '\0'; - else - sprintf(macstr, "%02x:%02x:%02x:%02x:%02x:%02x", PRINT_MAC(mac)); - - // print - printf("%-17.17s%-19.19s%-17.17s%-17.17s%-6.6s\n", - ifa->ifa_name, macstr, ipstr, maskstr, status); - - // network scanning - if (!arg_scan) // scanning disabled - continue; - if (strcmp(ifa->ifa_name, "lo") == 0) // no loopbabck scanning - continue; - if (mask2bits(mask) < 16) // not scanning large networks - continue; - if (!ip) // if not configured - continue; - // only if the interface is up and running - if (ifa->ifa_flags & IFF_RUNNING && ifa->ifa_flags & IFF_UP) - arp_scan(ifa->ifa_name, ip, mask); - } - } - freeifaddrs(ifaddr); -} int net_get_mtu(const char *ifname) { int mtu = 0; 
@@ -190,101 +126,11 @@ void net_if_up(const char *ifname) { fprintf(stderr, "Error: invalid network device name %s\n", ifname); exit(1); } - - int sock = socket(AF_INET,SOCK_DGRAM,0); - if (sock < 0) - errExit("socket"); + sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 3, + PATH_FNET, "ifup", ifname); +} - // get the existing interface flags - struct ifreq ifr; - memset(&ifr, 0, sizeof(ifr)); - strncpy(ifr.ifr_name, ifname, IFNAMSIZ); - ifr.ifr_addr.sa_family = AF_INET; - // read the existing flags - if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) { - close(sock); - printf("Error: cannot bring up interface %s\n", ifname); - errExit("ioctl"); - } - - ifr.ifr_flags |= IFF_UP; - - // set the new flags - if (ioctl( sock, SIOCSIFFLAGS, &ifr ) < 0) { - close(sock); - printf("Error: cannot bring up interface %s\n", ifname); - errExit("ioctl"); - } - - // checking - // read the existing flags - if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) { - close(sock); - printf("Error: cannot bring up interface %s\n", ifname); - errExit("ioctl"); - } - - // wait not more than 500ms for the interface to come up - int cnt = 0; - while (cnt < 50) { - usleep(10000); // sleep 10ms - - // read the existing flags - if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) { - close(sock); - printf("Error: cannot bring up interface %s\n", ifname); - errExit("ioctl"); - } - if (ifr.ifr_flags & IFF_RUNNING) - break; - cnt++; - } - - close(sock); -} - -// bring interface up -void net_if_down(const char *ifname) { - if (strlen(ifname) > IFNAMSIZ) { - fprintf(stderr, "Error: invalid network device name %s\n", ifname); - exit(1); - } - - int sock = socket(AF_INET,SOCK_DGRAM,0); - if (sock < 0) - errExit("socket"); - - // get the existing interface flags - struct ifreq ifr; - memset(&ifr, 0, sizeof(ifr)); - strncpy(ifr.ifr_name, ifname, IFNAMSIZ); - ifr.ifr_addr.sa_family = AF_INET; - - // read the existing flags - if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) { - close(sock); - printf("Error: cannot shut down interface 
%s\n", ifname); - errExit("ioctl"); - } - - ifr.ifr_flags &= ~IFF_UP; - - // set the new flags - if (ioctl( sock, SIOCSIFFLAGS, &ifr ) < 0) { - close(sock); - printf("Error: cannot shut down interface %s\n", ifname); - errExit("ioctl"); - } - - close(sock); -} - -struct ifreq6 { - struct in6_addr ifr6_addr; - uint32_t ifr6_prefixlen; - unsigned int ifr6_ifindex; -}; // configure interface ipv6 address // ex: firejail --net=eth0 --ip6=2001:0db8:0:f101::1/64 void net_if_ip6(const char *ifname, const char *addr6) { 
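Review bot: The result of `sbox_run()` is dropped in the new body of net_if_up(), so a failure inside the fnet helper no longer stops sandbox setup the way the removed `errExit("ioctl")` paths did. Other call sites in this commit treat the return value as a status (`int rv = sbox_run(...); if (rv) exit(rv);`), so unless sbox_run() already exits on a failed child, which is not visible here, the same check belongs here: `if (sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 3, PATH_FNET, "ifup", ifname)) exit(1);`. The same applies to the new bodies of net_if_ip6(), net_config_mac() and net_config_interface() in the following hunks; net_config_mac() in particular now returns 0 unconditionally.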
@@ -293,107 +139,11 @@ void net_if_ip6(const char *ifname, const char *addr6) { exit(1); } - // extract prefix - unsigned long prefix; - char *ptr; - if ((ptr = strchr(addr6, '/'))) { - prefix = atol(ptr + 1); - if (prefix > 128) { - fprintf(stderr, "Error: invalid prefix for IPv6 address %s\n", addr6); - exit(1); - } - *ptr = '\0'; // mark the end of the address - } - else - prefix = 128; - - // extract address - struct sockaddr_in6 sin6; - memset(&sin6, 0, sizeof(sin6)); - sin6.sin6_family = AF_INET6; - int rv = inet_pton(AF_INET6, addr6, sin6.sin6_addr.s6_addr); - if (rv <= 0) { - fprintf(stderr, "Error: invalid IPv6 address %s\n", addr6); - exit(1); - } - - // open socket - int sock = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP); - if (sock < 0) { - fprintf(stderr, "Error: IPv6 is not supported on this system\n"); - exit(1); - } - - // find interface index - struct ifreq ifr; - memset(&ifr, 0, sizeof(ifr)); - strncpy(ifr.ifr_name, ifname, IFNAMSIZ); - ifr.ifr_addr.sa_family = AF_INET; - if (ioctl(sock, SIOGIFINDEX, &ifr) < 0) { - perror("ioctl SIOGIFINDEX"); - exit(1); - } - - // configure address - struct ifreq6 ifr6; - memset(&ifr6, 0, sizeof(ifr6)); - ifr6.ifr6_prefixlen = prefix; - ifr6.ifr6_ifindex = ifr.ifr_ifindex; - memcpy((char *) &ifr6.ifr6_addr, (char *) &sin6.sin6_addr, sizeof(struct in6_addr)); - if (ioctl(sock, SIOCSIFADDR, &ifr6) < 0) { - perror("ioctl SIOCSIFADDR"); - exit(1); - } - - close(sock); -} - -// configure interface ipv4 address -void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu) { - if (strlen(ifname) > IFNAMSIZ) { - fprintf(stderr, "Error: invalid network device name %s\n", ifname); - exit(1); - } - if (arg_debug) - printf("configure interface %s\n", ifname); - - int sock = socket(AF_INET,SOCK_DGRAM,0); - if (sock < 0) - errExit("socket"); - - struct ifreq ifr; - memset(&ifr, 0, sizeof(ifr)); - strncpy(ifr.ifr_name, ifname, IFNAMSIZ); - ifr.ifr_addr.sa_family = AF_INET; - - ((struct sockaddr_in 
*)&ifr.ifr_addr)->sin_addr.s_addr = htonl(ip); - if (ioctl( sock, SIOCSIFADDR, &ifr ) < 0) { - close(sock); - errExit("ioctl"); - } - - if (ip != 0) { - ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr = htonl(mask); - if (ioctl( sock, SIOCSIFNETMASK, &ifr ) < 0) { - close(sock); - errExit("ioctl"); - } - } - - // configure mtu - if (mtu > 0) { - ifr.ifr_mtu = mtu; - if (ioctl( sock, SIOCSIFMTU, &ifr ) < 0) { - close(sock); - errExit("ioctl"); - } - } + sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 5, + PATH_FNET, "config", "ipv6", ifname, addr6); - close(sock); - usleep(10000); // sleep 10ms } - // add an IP route, return -1 if error, 0 if the route was added int net_add_route(uint32_t ip, uint32_t mask, uint32_t gw) { int sock; @@ -464,20 +214,15 @@ uint32_t network_get_defaultgw(void) { } int net_config_mac(const char *ifname, const unsigned char mac[6]) { - struct ifreq ifr; - int sock; + char *macstr; + if (asprintf(&macstr, "%02x:%02x:%02x:%02x:%02x:%02x", + mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]) == -1) + errExit("asprintf"); - if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) - errExit("socket"); - - memset(&ifr, 0, sizeof(ifr)); - strncpy(ifr.ifr_name, ifname, IFNAMSIZ); - ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER; - memcpy(ifr.ifr_hwaddr.sa_data, mac, 6); + sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 5, + PATH_FNET, "config", "mac", ifname, macstr); - if (ioctl(sock, SIOCSIFHWADDR, &ifr) == -1) - errExit("ioctl"); - close(sock); + free(macstr); return 0; } 
@@ -500,3 +245,27 @@ int net_get_mac(const char *ifname, unsigned char mac[6]) { close(sock); return 0; } + +void net_config_interface(const char *dev, uint32_t ip, uint32_t mask, int mtu) { + assert(dev); + + char *ipstr; + if (asprintf(&ipstr, "%llu", (long long unsigned) ip) == -1) + errExit("asprintf"); + + char *maskstr; + if (asprintf(&maskstr, "%llu", (long long unsigned) mask) == -1) + errExit("asprintf"); + + char *mtustr; + if (asprintf(&mtustr, "%d", mtu) == -1) + errExit("asprintf"); + + sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 7, + PATH_FNET, "config", "interface", dev, ipstr, maskstr, mtustr); + + free(ipstr); + free(maskstr); + free(mtustr); +} + diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c index 35d6dd214..8a9c47f0e 100644 --- a/src/firejail/network_main.c +++ b/src/firejail/network_main.c @@ -128,11 +128,10 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child) { else dev = br->veth_name; -// net_create_veth(dev, ifname, child); char *cstr; if (asprintf(&cstr, "%d", child) == -1) errExit("asprintf"); - sbox_run(SBOX_ROOT | SBOX_SECCOMP, 7, PATH_FNET, "create", "veth", dev, ifname, br->dev, cstr); + sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 7, PATH_FNET, "create", "veth", dev, ifname, br->dev, cstr); free(cstr); char *msg; 
@@ -300,50 +299,42 @@ void network_main(pid_t child) { net_configure_veth_pair(&cfg.bridge0, "eth0", child); } else -// net_create_macvlan(cfg.bridge0.devsandbox, cfg.bridge0.dev, child); - sbox_run(SBOX_ROOT | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge0.devsandbox, cfg.bridge0.dev, cstr); + sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge0.devsandbox, cfg.bridge0.dev, cstr); } if (cfg.bridge1.configured) { if (cfg.bridge1.macvlan == 0) net_configure_veth_pair(&cfg.bridge1, "eth1", child); else -// net_create_macvlan(cfg.bridge1.devsandbox, cfg.bridge1.dev, child); - sbox_run(SBOX_ROOT | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge1.devsandbox, cfg.bridge1.dev, cstr); + sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge1.devsandbox, cfg.bridge1.dev, cstr); } if (cfg.bridge2.configured) { if (cfg.bridge2.macvlan == 0) net_configure_veth_pair(&cfg.bridge2, "eth2", child); else -// net_create_macvlan(cfg.bridge2.devsandbox, cfg.bridge2.dev, child); - sbox_run(SBOX_ROOT | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge2.devsandbox, cfg.bridge2.dev, cstr); + sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge2.devsandbox, cfg.bridge2.dev, cstr); } if (cfg.bridge3.configured) { if (cfg.bridge3.macvlan == 0) net_configure_veth_pair(&cfg.bridge3, "eth3", child); else -// net_create_macvlan(cfg.bridge3.devsandbox, cfg.bridge3.dev, child); - sbox_run(SBOX_ROOT | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge3.devsandbox, cfg.bridge3.dev, cstr); + sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge3.devsandbox, cfg.bridge3.dev, cstr); } // move interfaces in sandbox if (cfg.interface0.configured) { -// net_move_interface(cfg.interface0.dev, child); - sbox_run(SBOX_ROOT | SBOX_SECCOMP, 4, PATH_FNET, "moveif", 
cfg.interface0.dev, cstr); + sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface0.dev, cstr); } if (cfg.interface1.configured) { -// net_move_interface(cfg.interface1.dev, child); - sbox_run(SBOX_ROOT | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface1.dev, cstr); + sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface1.dev, cstr); } if (cfg.interface2.configured) { -// net_move_interface(cfg.interface2.dev, child); - sbox_run(SBOX_ROOT | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface3.dev, cstr); + sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface3.dev, cstr); } if (cfg.interface3.configured) { -// net_move_interface(cfg.interface3.dev, child); - sbox_run(SBOX_ROOT | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface3.dev, cstr); + sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface3.dev, cstr); } free(cstr); diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c new file mode 100644 index 000000000..6784ff5ac --- /dev/null +++ b/src/firejail/preproc.c 
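Review bot: The `cfg.interface2.configured` branch still passes `cfg.interface3.dev` to `moveif`, so a configured interface2 is never moved into the sandbox and the helper is instead run on interface3's device name, which may be unset. The commit rewrites this line to add SBOX_CAPS_NETWORK but carries the copy-paste slip over from the old code; the call should read `sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface2.dev, cstr);`. network_main() begins and ends outside this hunk.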
@@ -0,0 +1,110 @@ +/* + * Copyright (C) 2014-2016 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "firejail.h" +#include +#include + +static int tmpfs_mounted = 0; + +// build /run/firejail directory +void preproc_build_firejail_dir(void) { + struct stat s; + + // CentOS 6 doesn't have /run directory + if (stat(RUN_FIREJAIL_BASEDIR, &s)) { + create_empty_dir_as_root(RUN_FIREJAIL_BASEDIR, 0755); + } + + if (stat(RUN_FIREJAIL_DIR, &s)) { + create_empty_dir_as_root(RUN_FIREJAIL_DIR, 0755); + } + + if (stat(RUN_FIREJAIL_NETWORK_DIR, &s)) { + create_empty_dir_as_root(RUN_FIREJAIL_NETWORK_DIR, 0755); + } + + if (stat(RUN_FIREJAIL_BANDWIDTH_DIR, &s)) { + create_empty_dir_as_root(RUN_FIREJAIL_BANDWIDTH_DIR, 0755); + } + + if (stat(RUN_FIREJAIL_NAME_DIR, &s)) { + create_empty_dir_as_root(RUN_FIREJAIL_NAME_DIR, 0755); + } + + if (stat(RUN_FIREJAIL_X11_DIR, &s)) { + create_empty_dir_as_root(RUN_FIREJAIL_X11_DIR, 0755); + } + + if (stat(RUN_FIREJAIL_APPIMAGE_DIR, &s)) { + create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755); + } + + create_empty_file_as_root(RUN_RO_FILE, S_IRUSR); + create_empty_dir_as_root(RUN_RO_DIR, S_IRUSR); +} + +// build /run/firejail/mnt directory +void preproc_mount_mnt_dir(void) { + struct stat s; + 
+ // mount tmpfs on top of /run/firejail/mnt + if (!tmpfs_mounted) { + if (arg_debug) + printf("Mounting tmpfs on %s directory\n", RUN_MNT_DIR); + if (mount("tmpfs", RUN_MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) + errExit("mounting /run/firejail/mnt"); + tmpfs_mounted = 1; + fs_logger2("tmpfs", RUN_MNT_DIR); + } +} + +// grab a copy of cp command +void preproc_build_cp_command(void) { + struct stat s; + preproc_mount_mnt_dir(); + if (stat(RUN_CP_COMMAND, &s)) { + char* fname = realpath("/bin/cp", NULL); + if (fname == NULL) { + fprintf(stderr, "Error: /bin/cp not found\n"); + exit(1); + } + if (stat(fname, &s)) { + fprintf(stderr, "Error: /bin/cp not found\n"); + exit(1); + } + if (is_link(fname)) { + fprintf(stderr, "Error: invalid /bin/cp file\n"); + exit(1); + } + int rv = copy_file(fname, RUN_CP_COMMAND, 0, 0, 0755); + if (rv) { + fprintf(stderr, "Error: cannot access /bin/cp\n"); + exit(1); + } + ASSERT_PERMS(RUN_CP_COMMAND, 0, 0, 0755); + + free(fname); + } +} + +// delete the temporary cp command +void preproc_delete_cp_command(void) { + unlink(RUN_CP_COMMAND); +} diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c index 43f30e30a..db6c6cad9 100644 --- a/src/firejail/protocol.c +++ b/src/firejail/protocol.c @@ -70,8 +70,6 @@ void protocol_filter(const char *fname) { void protocol_filter_save(void) { // save protocol filter configuration in PROTOCOL_CFG - fs_build_mnt_dir(); - FILE *fp = fopen(RUN_PROTOCOL_CFG, "w"); if (!fp) errExit("fopen"); diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index 90997f934..e1a58c1c8 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c @@ -104,7 +104,6 @@ void pulseaudio_init(void) { return; // create the new user pulseaudio directory - fs_build_mnt_dir(); int rv = mkdir(RUN_PULSE_DIR, 0700); (void) rv; // in --chroot mode the directory can already be there if (chown(RUN_PULSE_DIR, getuid(), getgid()) < 0) 
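Review bot: In preproc_build_cp_command() the `is_link(fname)` test runs on the string returned by `realpath()`, which has already resolved symbolic links, so the check most likely can never reject anything (is_link() itself is not shown here). Since this binary is copied root-owned with mode 0755 into the sandbox's run directory, a check on the resolved file is more useful, using the `s` that `stat(fname, &s)` just filled: `if (!S_ISREG(s.st_mode) || s.st_uid != 0) { fprintf(stderr, "Error: invalid /bin/cp file\n"); exit(1); }`. Separately, `struct stat s;` in preproc_mount_mnt_dir() is unused, and each `stat()` guard in preproc_build_firejail_dir() repeats the one inside create_empty_dir_as_root().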
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index 5ef9524d7..57e84e5cc 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c @@ -73,7 +73,6 @@ static void sanitize_home(void) { return; } - fs_build_mnt_dir(); if (mkdir(RUN_WHITELIST_HOME_DIR, 0755) == -1) errExit("mkdir"); @@ -127,7 +126,6 @@ static void sanitize_passwd(void) { FILE *fpin = NULL; FILE *fpout = NULL; - fs_build_mnt_dir(); // open files /* coverity[toctou] */ @@ -261,7 +259,6 @@ static void sanitize_group(void) { FILE *fpin = NULL; FILE *fpout = NULL; - fs_build_mnt_dir(); // open files /* coverity[toctou] */ diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 7a63461ef..a15003d03 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -122,7 +122,7 @@ static void sandbox_if_up(Bridge *br) { assert(br); if (!br->configured) return; - + char *dev = br->devsandbox; net_if_up(dev); @@ -137,8 +137,7 @@ static void sandbox_if_up(Bridge *br) { assert(br->ipsandbox); if (arg_debug) printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(br->ipsandbox), dev); - net_if_ip(dev, br->ipsandbox, br->mask, br->mtu); - net_if_up(dev); + net_config_interface(dev, br->ipsandbox, br->mask, br->mtu); } else if (br->arg_ip_none == 0 && br->macvlan == 1) { // reassign the macvlan address @@ -160,8 +159,7 @@ static void sandbox_if_up(Bridge *br) { if (arg_debug) printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(br->ipsandbox), dev); - net_if_ip(dev, br->ipsandbox, br->mask, br->mtu); - net_if_up(dev); + net_config_interface(dev, br->ipsandbox, br->mask, br->mtu); } if (br->ip6sandbox) 
@@ -256,32 +254,6 @@ static int monitor_application(pid_t app_pid) { // return the latest exit status. return status; - -#if 0 -// todo: find a way to shut down interfaces before closing the namespace -// the problem is we don't have enough privileges to shutdown interfaces in this moment - // shut down bridge/macvlan interfaces - if (any_bridge_configured()) { - - if (cfg.bridge0.configured) { - printf("Shutting down %s\n", cfg.bridge0.devsandbox); - net_if_down( cfg.bridge0.devsandbox); - } - if (cfg.bridge1.configured) { - printf("Shutting down %s\n", cfg.bridge1.devsandbox); - net_if_down( cfg.bridge1.devsandbox); - } - if (cfg.bridge2.configured) { - printf("Shutting down %s\n", cfg.bridge2.devsandbox); - net_if_down( cfg.bridge2.devsandbox); - } - if (cfg.bridge3.configured) { - printf("Shutting down %s\n", cfg.bridge3.devsandbox); - net_if_down( cfg.bridge3.devsandbox); - } - usleep(20000); // 20 ms sleep - } -#endif } void start_audit(void) { @@ -442,7 +414,8 @@ int sandbox(void* sandbox_arg) { if (mount(NULL, "/", NULL, MS_SLAVE | MS_REC, NULL) < 0) { chk_chroot(); } - + // ... and mount a tmpfs on top of /run/firejail/mnt directory + preproc_mount_mnt_dir(); //**************************** // log sandbox data @@ -459,7 +432,7 @@ int sandbox(void* sandbox_arg) { fs_logger("install mount namespace"); //**************************** - // netfilter etc. + // netfilter //**************************** if (arg_netfilter && any_bridge_configured()) { // assuming by default the client filter netfilter(arg_netfilter_file); 
@@ -468,6 +441,105 @@ int sandbox(void* sandbox_arg) { netfilter6(arg_netfilter6_file); } + //**************************** + // networking + //**************************** + int gw_cfg_failed = 0; // default gw configuration flag + if (arg_nonetwork) { + net_if_up("lo"); + if (arg_debug) + printf("Network namespace enabled, only loopback interface available\n"); + } + else if (any_bridge_configured() || any_interface_configured()) { + // configure lo and eth0...eth3 + net_if_up("lo"); + + if (mac_not_zero(cfg.bridge0.macsandbox)) + net_config_mac(cfg.bridge0.devsandbox, cfg.bridge0.macsandbox); + sandbox_if_up(&cfg.bridge0); + + if (mac_not_zero(cfg.bridge1.macsandbox)) + net_config_mac(cfg.bridge1.devsandbox, cfg.bridge1.macsandbox); + sandbox_if_up(&cfg.bridge1); + + if (mac_not_zero(cfg.bridge2.macsandbox)) + net_config_mac(cfg.bridge2.devsandbox, cfg.bridge2.macsandbox); + sandbox_if_up(&cfg.bridge2); + + if (mac_not_zero(cfg.bridge3.macsandbox)) + net_config_mac(cfg.bridge3.devsandbox, cfg.bridge3.macsandbox); + sandbox_if_up(&cfg.bridge3); + + +// todo: this code seems to be dead!!! 
+ // enable interfaces + if (cfg.interface0.configured && cfg.interface0.ip) { +assert(0); + if (arg_debug) + printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface0.ip), cfg.interface0.dev); + net_config_interface(cfg.interface0.dev, cfg.interface0.ip, cfg.interface0.mask, cfg.interface0.mtu); + } + if (cfg.interface1.configured && cfg.interface1.ip) { +assert(0); + if (arg_debug) + printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface1.ip), cfg.interface1.dev); + net_config_interface(cfg.interface1.dev, cfg.interface1.ip, cfg.interface1.mask, cfg.interface1.mtu); + } + if (cfg.interface2.configured && cfg.interface2.ip) { +assert(0); + if (arg_debug) + printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface2.ip), cfg.interface2.dev); + net_config_interface(cfg.interface2.dev, cfg.interface2.ip, cfg.interface2.mask, cfg.interface2.mtu); + } + if (cfg.interface3.configured && cfg.interface3.ip) { +assert(0); + if (arg_debug) + printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface3.ip), cfg.interface3.dev); + net_config_interface(cfg.interface3.dev, cfg.interface3.ip, cfg.interface3.mask, cfg.interface3.mtu); + } + + // add a default route + if (cfg.defaultgw) { + // set the default route + if (net_add_route(0, 0, cfg.defaultgw)) { + fprintf(stderr, "Warning: cannot configure default route\n"); + gw_cfg_failed = 1; + } + } + + if (arg_debug) + printf("Network namespace enabled\n"); + } + + + // print network configuration + if (!arg_quiet) { + if (any_bridge_configured() || any_interface_configured() || cfg.defaultgw || cfg.dns1) { + printf("\n"); + if (any_bridge_configured() || any_interface_configured()) { +// net_ifprint(); + if (arg_scan) + sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 3, PATH_FNET, "printif", "scan"); + else + sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, PATH_FNET, "printif", "scan"); + + } + if (cfg.defaultgw 
!= 0) { + if (gw_cfg_failed) + printf("Default gateway configuration failed\n"); + else + printf("Default gateway %d.%d.%d.%d\n", PRINT_IP(cfg.defaultgw)); + } + if (cfg.dns1 != 0) + printf("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns1)); + if (cfg.dns2 != 0) + printf("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns2)); + if (cfg.dns3 != 0) + printf("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns3)); + printf("\n"); + } + } + // load IBUS env variables if (arg_nonetwork || any_bridge_configured() || any_interface_configured()) { // do nothing - there are problems with ibus version 1.5.11 @@ -475,9 +547,34 @@ int sandbox(void* sandbox_arg) { else env_ibus_load(); - // grab a copy of cp command - fs_build_cp_command(); - + //**************************** + // fs pre-processing: + // - copy some commands under /run + // - build seccomp filters + // - create an empty /etc/ld.so.preload + //**************************** + preproc_build_cp_command(); + +#ifdef HAVE_SECCOMP + if (cfg.protocol) { + if (arg_debug) + printf("Build protocol filter: %s\n", cfg.protocol); + // as root, create RUN_SECCOMP_PROTOCOL file + // this is where fseccomp program will store the protocol filter + create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644); + if (chown(RUN_SECCOMP_PROTOCOL, getuid(), getgid()) == -1) + errExit("chown"); + if (chmod(RUN_SECCOMP_PROTOCOL, 0644) == -1) + errExit("chmod"); + + // build the seccomp filter as a regular user + int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5, + PATH_FSECCOMP, "protocol", "build", cfg.protocol, RUN_SECCOMP_PROTOCOL); + if (rv) + exit(rv); + } +#endif + // trace pre-install if (arg_trace || arg_tracelog || mask_x11_abstract_socket) fs_trace_preload(); @@ -494,7 +591,7 @@ int sandbox(void* sandbox_arg) { enforce_seccomp = 1; #endif } - + #ifdef HAVE_CHROOT if (cfg.chrootdir) { fs_chroot(cfg.chrootdir); 
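Review bot: In the new "print network configuration" block the `else` branch passes a count of 2 but still lists `"scan"`, so the extra argument is presumably never read by sbox_run() and the two branches look identical at a glance. It should read `sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, PATH_FNET, "printif");`, and the leftover `// net_ifprint();` can go. The `assert(0);` lines added to the four `cfg.interfaceN` branches also need a decision: if those branches are reachable they abort the sandbox, and in an NDEBUG build they vanish, so either remove the branches or replace the asserts with a comment stating why they cannot run. sandbox() begins and ends outside this hunk.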
@@ -617,7 +714,6 @@ int sandbox(void* sandbox_arg) { EUID_USER(); profile_add("whitelist /tmp/.X11-unix"); EUID_ROOT(); -// fs_private_tmp(); } } 
@@ -664,102 +760,17 @@ int sandbox(void* sandbox_arg) { fs_dev_disable_3d(); //**************************** - // networking + // set dns //**************************** - int gw_cfg_failed = 0; // default gw configuration flag - if (arg_nonetwork) { - net_if_up("lo"); - if (arg_debug) - printf("Network namespace enabled, only loopback interface available\n"); - } - else if (any_bridge_configured() || any_interface_configured()) { - // configure lo and eth0...eth3 - net_if_up("lo"); - - if (mac_not_zero(cfg.bridge0.macsandbox)) - net_config_mac(cfg.bridge0.devsandbox, cfg.bridge0.macsandbox); - sandbox_if_up(&cfg.bridge0); - - if (mac_not_zero(cfg.bridge1.macsandbox)) - net_config_mac(cfg.bridge1.devsandbox, cfg.bridge1.macsandbox); - sandbox_if_up(&cfg.bridge1); - - if (mac_not_zero(cfg.bridge2.macsandbox)) - net_config_mac(cfg.bridge2.devsandbox, cfg.bridge2.macsandbox); - sandbox_if_up(&cfg.bridge2); - - if (mac_not_zero(cfg.bridge3.macsandbox)) - net_config_mac(cfg.bridge3.devsandbox, cfg.bridge3.macsandbox); - sandbox_if_up(&cfg.bridge3); - - // enable interfaces - if (cfg.interface0.configured && cfg.interface0.ip) { - if (arg_debug) - printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface0.ip), cfg.interface0.dev); - net_if_ip(cfg.interface0.dev, cfg.interface0.ip, cfg.interface0.mask, cfg.interface0.mtu); - net_if_up(cfg.interface0.dev); - } - if (cfg.interface1.configured && cfg.interface1.ip) { - if (arg_debug) - printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface1.ip), cfg.interface1.dev); - net_if_ip(cfg.interface1.dev, cfg.interface1.ip, cfg.interface1.mask, cfg.interface1.mtu); - net_if_up(cfg.interface1.dev); - } - if (cfg.interface2.configured && cfg.interface2.ip) { - if (arg_debug) - printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface2.ip), cfg.interface2.dev); - net_if_ip(cfg.interface2.dev, cfg.interface2.ip, cfg.interface2.mask, cfg.interface2.mtu); - 
net_if_up(cfg.interface2.dev); - } - if (cfg.interface3.configured && cfg.interface3.ip) { - if (arg_debug) - printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface3.ip), cfg.interface3.dev); - net_if_ip(cfg.interface3.dev, cfg.interface3.ip, cfg.interface3.mask, cfg.interface3.mtu); - net_if_up(cfg.interface3.dev); - } - - // add a default route - if (cfg.defaultgw) { - // set the default route - if (net_add_route(0, 0, cfg.defaultgw)) { - fprintf(stderr, "Warning: cannot configure default route\n"); - gw_cfg_failed = 1; - } - } - - if (arg_debug) - printf("Network namespace enabled\n"); - } - - // if any dns server is configured, it is time to set it now fs_resolvconf(); + + //**************************** + // fs post-processing + //**************************** + preproc_delete_cp_command(); fs_logger_print(); fs_logger_change_owner(); - // print network configuration - if (!arg_quiet) { - if (any_bridge_configured() || any_interface_configured() || cfg.defaultgw || cfg.dns1) { - printf("\n"); - if (any_bridge_configured() || any_interface_configured()) - net_ifprint(); - if (cfg.defaultgw != 0) { - if (gw_cfg_failed) - printf("Default gateway configuration failed\n"); - else - printf("Default gateway %d.%d.%d.%d\n", PRINT_IP(cfg.defaultgw)); - } - if (cfg.dns1 != 0) - printf("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns1)); - if (cfg.dns2 != 0) - printf("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns2)); - if (cfg.dns3 != 0) - printf("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns3)); - printf("\n"); - } - } - - fs_delete_cp_command(); - //**************************** // set application environment //**************************** 
@@ -820,21 +831,7 @@ int sandbox(void* sandbox_arg) { // install protocol filter if (cfg.protocol) { if (arg_debug) - printf("Set protocol filter: %s\n", cfg.protocol); - // as root, create RUN_SECCOMP_PROTOCOL file - // this is where fseccomp program will store the protocol filter - int dst = open(RUN_SECCOMP_PROTOCOL, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); - if (dst == -1) - errExit("open"); - close(dst); - if (chown(RUN_SECCOMP_PROTOCOL, getuid(), getgid()) == -1) - errExit("chown"); - - // build the seccomp filter as a regular user - int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 5, - PATH_FSECCOMP, "protocol", "build", cfg.protocol, RUN_SECCOMP_PROTOCOL); - if (rv) - exit(rv); + printf("Install protocol filter: %s\n", cfg.protocol); protocol_filter(RUN_SECCOMP_PROTOCOL); // install filter protocol_filter_save(); // save filter in RUN_PROTOCOL_CFG } diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index d1225c3bc..6499b7005 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c @@ -125,21 +125,26 @@ int sbox_run(unsigned filter, int num, ...) { arg[i] = NULL; va_end(valist); -//#if 0 -{ -int i; -for (i = 0; i <= num; i++) - printf("#%s# ", arg[i]); -printf("\n"); -} -//#endif + if (arg_debug) { + printf("sbox run: "); + for (i = 0; i <= num; i++) + printf("%s ", arg[i]); + printf("\n"); + } + pid_t child = fork(); if (child < 0) errExit("fork"); if (child == 0) { // apply filters - if (filter & SBOX_CAPS) + if (filter & SBOX_CAPS_NONE) { caps_drop_all(); + } + else if (filter & SBOX_CAPS_NETWORK) { + uint64_t set = ((uint64_t) 1) << CAP_NET_ADMIN; + set |= ((uint64_t) 1) << CAP_NET_RAW; + caps_set(set); + } if (filter & SBOX_SECCOMP) { if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 09862ec20..69be04a03 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c 
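Review bot: With the new `if (filter & SBOX_CAPS_NONE) ... else if (filter & SBOX_CAPS_NETWORK)` chain in sbox_run(), a caller that passes neither flag runs the helper with every capability it inherited, so a forgotten flag fails open. Every call site visible in this part of the commit sets one of the two, but a final `else { caps_drop_all(); }` (or an `assert` that exactly one caps flag is set) keeps it that way by construction. The debug loop also prints `arg[num]`, which was just set to NULL, through `%s`; `i < num` avoids that. sbox_run() begins and ends outside this hunk.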
@@ -275,7 +275,6 @@ static void filter_end_whitelist(void) { // save seccomp filter in /run/firejail/mnt/seccomp static void write_seccomp_file(void) { - fs_build_mnt_dir(); assert(sfilter); int fd = open(RUN_SECCOMP_CFG, O_CREAT | O_WRONLY, S_IRUSR | S_IWUSR); diff --git a/src/firejail/util.c b/src/firejail/util.c index 4b2e09953..4384c2b0b 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c @@ -696,3 +696,37 @@ void flush_stdin(void) { } } +void create_empty_dir_as_root(const char *dir, mode_t mode) { + assert(dir); + + struct stat s; + if (stat(dir, &s)) { + if (arg_debug) + printf("Creating empty %s directory\n", dir); + if (mkdir(dir, mode) == -1) + errExit("mkdir"); + if (chmod(dir, mode) == -1) + errExit("chmod"); + ASSERT_PERMS(dir, 0, 0, mode); + } + +} + +void create_empty_file_as_root(const char *fname, mode_t mode) { + assert(fname); + struct stat s; + + if (stat(fname, &s)) { + if (arg_debug) + printf("Creating empty %s file\n", fname); + + /* coverity[toctou] */ + FILE *fp = fopen(fname, "w"); + if (!fp) + errExit("fopen"); + + SET_PERMS_STREAM(fp, 0, 0, S_IRUSR); + fclose(fp); + } +} + diff --git a/src/fnet/arp.c b/src/fnet/arp.c new file mode 100644 index 000000000..96684fdf9 --- /dev/null +++ b/src/fnet/arp.c 
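Review bot: create_empty_file_as_root() in the util.c hunk ignores its `mode` argument: the new file always gets `S_IRUSR` through `SET_PERMS_STREAM(fp, 0, 0, S_IRUSR);`. The sandbox.c caller in this commit passes 0644 for RUN_SECCOMP_PROTOCOL and then has to repair the permissions with a separate `chmod()`; using the parameter, `SET_PERMS_STREAM(fp, 0, 0, mode);`, makes the helper do what its signature says. Both helpers also return silently when the path already exists, without checking its type, owner or mode, which deserves a comment stating that the parent directories are assumed to be writable by root only.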
@@ -0,0 +1,208 @@ +/* + * Copyright (C) 2014-2016 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "fnet.h" +#include +#include +#include //TCP/IP Protocol Suite for Linux +#include +#include +#include +#include +#include +#include + +typedef struct arp_hdr_t { + uint16_t htype; + uint16_t ptype; + uint8_t hlen; + uint8_t plen; + uint16_t opcode; + uint8_t sender_mac[6]; + uint8_t sender_ip[4]; + uint8_t target_mac[6]; + uint8_t target_ip[4]; +} ArpHdr; + + +// scan interface (--scan option) +void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) { + assert(dev); + assert(ifip); + +// printf("Scanning interface %s (%d.%d.%d.%d/%d)\n", +// dev, PRINT_IP(ifip & ifmask), mask2bits(ifmask)); + + if (strlen(dev) > IFNAMSIZ) { + fprintf(stderr, "Error: invalid network device name %s\n", dev); + exit(1); + } + + // find interface mac address + int sock; + if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) + errExit("socket"); + struct ifreq ifr; + memset(&ifr, 0, sizeof (ifr)); + strncpy(ifr.ifr_name, dev, IFNAMSIZ); + if (ioctl(sock, SIOCGIFHWADDR, &ifr) < 0) + errExit("ioctl"); + close(sock); + uint8_t mac[6]; + memcpy (mac, ifr.ifr_hwaddr.sa_data, 6); + + // open layer2 socket + if ((sock = socket(PF_PACKET, 
SOCK_RAW, htons (ETH_P_ALL))) < 0) + errExit("socket"); + + // try all possible ip addresses in ascending order + uint32_t range = ~ifmask + 1; // the number of potential addresses + // this software is not supported for /31 networks + if (range < 4) { + fprintf(stderr, "Warning: this option is not supported for /31 networks\n"); + close(sock); + return; + } + + uint32_t dest = (ifip & ifmask) + 1; + uint32_t last = dest + range - 1; + uint32_t src = htonl(ifip); + + // wait not more than one second for an answer + int header_printed = 0; + uint32_t last_ip = 0; + struct timeval ts; + ts.tv_sec = 2; // 2 seconds receive timeout + ts.tv_usec = 0; + + while (1) { + fd_set rfds; + FD_ZERO(&rfds); + FD_SET(sock, &rfds); + fd_set wfds; + FD_ZERO(&wfds); + FD_SET(sock, &wfds); + int maxfd = sock; + + uint8_t frame[ETH_FRAME_LEN]; // includes eht header, vlan, and crc + memset(frame, 0, ETH_FRAME_LEN); + + int nready; + if (dest < last) + nready = select(maxfd + 1, &rfds, &wfds, (fd_set *) 0, NULL); + else + nready = select(maxfd + 1, &rfds, (fd_set *) 0, (fd_set *) 0, &ts); + + if (nready < 0) + errExit("select"); + + if (nready == 0) { // timeout + break; + } + + if (FD_ISSET(sock, &wfds) && dest < last) { + // configure layer2 socket address information + struct sockaddr_ll addr; + memset(&addr, 0, sizeof(addr)); + if ((addr.sll_ifindex = if_nametoindex(dev)) == 0) + errExit("if_nametoindex"); + addr.sll_family = AF_PACKET; + memcpy (addr.sll_addr, mac, 6); + addr.sll_halen = htons(6); + + // build the arp packet header + ArpHdr hdr; + memset(&hdr, 0, sizeof(hdr)); + hdr.htype = htons(1); + hdr.ptype = htons(ETH_P_IP); + hdr.hlen = 6; + hdr.plen = 4; + hdr.opcode = htons(1); //ARPOP_REQUEST + memcpy(hdr.sender_mac, mac, 6); + memcpy(hdr.sender_ip, (uint8_t *)&src, 4); + uint32_t dst = htonl(dest); + memcpy(hdr.target_ip, (uint8_t *)&dst, 4); + + // build ethernet frame + uint8_t frame[ETH_FRAME_LEN]; // includes eht header, vlan, and crc + memset(frame, 0, 
sizeof(frame)); + frame[0] = frame[1] = frame[2] = frame[3] = frame[4] = frame[5] = 0xff; + memcpy(frame + 6, mac, 6); + frame[12] = ETH_P_ARP / 256; + frame[13] = ETH_P_ARP % 256; + memcpy (frame + 14, &hdr, sizeof(hdr)); + + // send packet + int len; + if ((len = sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr))) <= 0) + errExit("send"); +//printf("send %d bytes to %d.%d.%d.%d\n", len, PRINT_IP(dest)); + fflush(0); + dest++; + } + + if (FD_ISSET(sock, &rfds)) { + // read the incoming packet + int len = recvfrom(sock, frame, ETH_FRAME_LEN, 0, NULL, NULL); + if (len < 0) { + perror("recvfrom"); + } + + // parse the incoming packet + if ((unsigned int) len < 14 + sizeof(ArpHdr)) + continue; + + // look only at ARP packets + if (frame[12] != (ETH_P_ARP / 256) || frame[13] != (ETH_P_ARP % 256)) + continue; + + ArpHdr hdr; + memcpy(&hdr, frame + 14, sizeof(ArpHdr)); + + if (hdr.opcode == htons(2)) { + // check my mac and my address + if (memcmp(mac, hdr.target_mac, 6) != 0) + continue; + uint32_t ip; + memcpy(&ip, hdr.target_ip, 4); + if (ip != src) + continue; + memcpy(&ip, hdr.sender_ip, 4); + ip = ntohl(ip); + + if (ip == last_ip) // filter duplicates + continue; + last_ip = ip; + + // printing + if (header_printed == 0) { + printf(" Network scan:\n"); + header_printed = 1; + } + printf(" %02x:%02x:%02x:%02x:%02x:%02x\t%d.%d.%d.%d\n", + PRINT_MAC(hdr.sender_mac), PRINT_IP(ip)); + } + } + } + + close(sock); +} + + + diff --git a/src/fnet/fnet.h b/src/fnet/fnet.h index 58efbbed5..0c5e5baef 100644 --- a/src/fnet/fnet.h +++ b/src/fnet/fnet.h 
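Review bot: The device-name check in arp_scan(), `if (strlen(dev) > IFNAMSIZ)`, lets through a name of exactly IFNAMSIZ characters, and the following `strncpy(ifr.ifr_name, dev, IFNAMSIZ)` then leaves `ifr_name` without a terminating NUL. The test should be `if (strlen(dev) >= IFNAMSIZ)`. net_if_ip() in src/fnet/interface.c repeats the same check, and net_get_mac(), net_if_mac() and net_if_ip6() there copy `ifname` with no length check at all. Separately, `addr.sll_halen = htons(6);` stores a byte-swapped 16-bit value in a one-byte field (`unsigned char` in struct sockaddr_ll), so plain `6` is likely what is intended. The comment "wait not more than one second" also disagrees with `ts.tv_sec = 2`.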
@@ -36,5 +36,14 @@ void net_bridge_add_interface(const char *bridge, const char *dev); void net_if_up(const char *ifname); int net_get_mtu(const char *ifname); void net_set_mtu(const char *ifname, int mtu); +void net_ifprint(int scan); +int net_get_mac(const char *ifname, unsigned char mac[6]); +void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu); +int net_if_mac(const char *ifname, const unsigned char mac[6]); +void net_if_ip6(const char *ifname, const char *addr6); + + +// arp.c +void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask); #endif diff --git a/src/fnet/interface.c b/src/fnet/interface.c index b1903dd46..67af062bf 100644 --- a/src/fnet/interface.c +++ b/src/fnet/interface.c 
@@ -180,4 +180,216 @@ void net_set_mtu(const char *ifname, int mtu) { close(s); } +// scan interfaces in current namespace and print IP address/mask for each interface +void net_ifprint(int scan) { + uint32_t ip; + uint32_t mask; + struct ifaddrs *ifaddr, *ifa; + if (getifaddrs(&ifaddr) == -1) + errExit("getifaddrs"); + + printf("%-17.17s%-19.19s%-17.17s%-17.17s%-6.6s\n", + "Interface", "MAC", "IP", "Mask", "Status"); + // walk through the linked list + for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) { + if (ifa->ifa_addr == NULL) + continue; + + if (ifa->ifa_addr->sa_family == AF_INET) { + struct sockaddr_in *si = (struct sockaddr_in *) ifa->ifa_netmask; + mask = ntohl(si->sin_addr.s_addr); + si = (struct sockaddr_in *) ifa->ifa_addr; + ip = ntohl(si->sin_addr.s_addr); + + // interface status + char *status; + if (ifa->ifa_flags & IFF_RUNNING && ifa->ifa_flags & IFF_UP) + status = "UP"; + else + status = "DOWN"; + + // ip address and mask + char ipstr[30]; + sprintf(ipstr, "%d.%d.%d.%d", PRINT_IP(ip)); + char maskstr[30]; + sprintf(maskstr, "%d.%d.%d.%d", PRINT_IP(mask)); + + // mac address + unsigned char mac[6]; + net_get_mac(ifa->ifa_name, mac); + char macstr[30]; + if (strcmp(ifa->ifa_name, "lo") == 0) + macstr[0] = '\0'; + else + sprintf(macstr, "%02x:%02x:%02x:%02x:%02x:%02x", PRINT_MAC(mac)); + + // print + printf("%-17.17s%-19.19s%-17.17s%-17.17s%-6.6s\n", + ifa->ifa_name, macstr, ipstr, maskstr, status); + + // network scanning + if (!scan) // scanning disabled + continue; + if (strcmp(ifa->ifa_name, "lo") == 0) // no loopbabck scanning + continue; + if (mask2bits(mask) < 16) // not scanning large networks + continue; + if (!ip) // if not configured + continue; + // only if the interface is up and running + if (ifa->ifa_flags & IFF_RUNNING && ifa->ifa_flags & IFF_UP) + arp_scan(ifa->ifa_name, ip, mask); + } + } + freeifaddrs(ifaddr); +} + +int net_get_mac(const char *ifname, unsigned char mac[6]) { + + struct ifreq ifr; + int sock; + + if ((sock = 
socket(AF_INET, SOCK_STREAM, 0)) < 0) + errExit("socket"); + + memset(&ifr, 0, sizeof(ifr)); + strncpy(ifr.ifr_name, ifname, IFNAMSIZ); + ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER; + + if (ioctl(sock, SIOCGIFHWADDR, &ifr) == -1) + errExit("ioctl"); + memcpy(mac, ifr.ifr_hwaddr.sa_data, 6); + + close(sock); + return 0; +} + +// configure interface ipv4 address +void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu) { + if (strlen(ifname) > IFNAMSIZ) { + fprintf(stderr, "Error: invalid network device name %s\n", ifname); + exit(1); + } + + int sock = socket(AF_INET,SOCK_DGRAM,0); + if (sock < 0) + errExit("socket"); + + struct ifreq ifr; + memset(&ifr, 0, sizeof(ifr)); + strncpy(ifr.ifr_name, ifname, IFNAMSIZ); + ifr.ifr_addr.sa_family = AF_INET; + + ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr = htonl(ip); + if (ioctl( sock, SIOCSIFADDR, &ifr ) < 0) { + close(sock); + errExit("ioctl"); + } + + if (ip != 0) { + ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr = htonl(mask); + if (ioctl( sock, SIOCSIFNETMASK, &ifr ) < 0) { + close(sock); + errExit("ioctl"); + } + } + + // configure mtu + if (mtu > 0) { + ifr.ifr_mtu = mtu; + if (ioctl( sock, SIOCSIFMTU, &ifr ) < 0) { + close(sock); + errExit("ioctl"); + } + } + + close(sock); + usleep(10000); // sleep 10ms +} + +int net_if_mac(const char *ifname, const unsigned char mac[6]) { + struct ifreq ifr; + int sock; + + if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) + errExit("socket"); + + memset(&ifr, 0, sizeof(ifr)); + strncpy(ifr.ifr_name, ifname, IFNAMSIZ); + ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER; + memcpy(ifr.ifr_hwaddr.sa_data, mac, 6); + + if (ioctl(sock, SIOCSIFHWADDR, &ifr) == -1) + errExit("ioctl"); + close(sock); + return 0; +} + +// configure interface ipv6 address +// ex: firejail --net=eth0 --ip6=2001:0db8:0:f101::1/64 +struct ifreq6 { + struct in6_addr ifr6_addr; + uint32_t ifr6_prefixlen; + unsigned int ifr6_ifindex; +}; +void net_if_ip6(const char *ifname, const char 
*addr6) { + if (strchr(addr6, ':') == NULL) { + fprintf(stderr, "Error fnet: invalid IPv6 address %s\n", addr6); + exit(1); + } + + // extract prefix + unsigned long prefix; + char *ptr; + if ((ptr = strchr(addr6, '/'))) { + prefix = atol(ptr + 1); + if (prefix > 128) { + fprintf(stderr, "Error fnet: invalid prefix for IPv6 address %s\n", addr6); + exit(1); + } + *ptr = '\0'; // mark the end of the address + } + else + prefix = 128; + + // extract address + struct sockaddr_in6 sin6; + memset(&sin6, 0, sizeof(sin6)); + sin6.sin6_family = AF_INET6; + int rv = inet_pton(AF_INET6, addr6, sin6.sin6_addr.s6_addr); + if (rv <= 0) { + fprintf(stderr, "Error fnet: invalid IPv6 address %s\n", addr6); + exit(1); + } + + // open socket + int sock = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP); + if (sock < 0) { + fprintf(stderr, "Error fnet: IPv6 is not supported on this system\n"); + exit(1); + } + + // find interface index + struct ifreq ifr; + memset(&ifr, 0, sizeof(ifr)); + strncpy(ifr.ifr_name, ifname, IFNAMSIZ); + ifr.ifr_addr.sa_family = AF_INET; + if (ioctl(sock, SIOGIFINDEX, &ifr) < 0) { + perror("ioctl SIOGIFINDEX"); + exit(1); + } + + // configure address + struct ifreq6 ifr6; + memset(&ifr6, 0, sizeof(ifr6)); + ifr6.ifr6_prefixlen = prefix; + ifr6.ifr6_ifindex = ifr.ifr_ifindex; + memcpy((char *) &ifr6.ifr6_addr, (char *) &sin6.sin6_addr, sizeof(struct in6_addr)); + if (ioctl(sock, SIOCSIFADDR, &ifr6) < 0) { + perror("ioctl SIOCSIFADDR"); + exit(1); + } + + close(sock); +} diff --git a/src/fnet/main.c b/src/fnet/main.c index f17287cb9..4ae9eb6e3 100644 --- a/src/fnet/main.c +++ b/src/fnet/main.c 
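Review bot: net_if_ip6() in src/fnet/interface.c parses the prefix with `atol(ptr + 1)`, which returns 0 for non-numeric text and ignores trailing characters, so an argument ending in `/abc` is accepted as a /0 prefix. The same block writes `*ptr = '\0'` through a pointer derived from the `const char *addr6` parameter, which modifies the caller's string behind a const-qualified interface. Parsing with `strtoul()` and an end-pointer check on a local copy of the address avoids both problems. The sketch below keeps the existing error messages.

```c
	// extract prefix; work on a private copy so the caller's string is not modified
	char addr[INET6_ADDRSTRLEN];
	unsigned long prefix = 128;
	const char *slash = strchr(addr6, '/');
	size_t alen = slash ? (size_t) (slash - addr6) : strlen(addr6);
	if (alen >= sizeof(addr)) {
		fprintf(stderr, "Error fnet: invalid IPv6 address %s\n", addr6);
		exit(1);
	}
	memcpy(addr, addr6, alen);
	addr[alen] = '\0';
	if (slash) {
		char *end;
		prefix = strtoul(slash + 1, &end, 10);
		// reject empty, non-numeric or out-of-range prefixes
		if (end == slash + 1 || *end != '\0' || prefix > 128) {
			fprintf(stderr, "Error fnet: invalid prefix for IPv6 address %s\n", addr6);
			exit(1);
		}
	}
	// … unchanged: sockaddr_in6 setup …
	int rv = inet_pton(AF_INET6, addr, sin6.sin6_addr.s6_addr);
```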
@@ -24,12 +24,18 @@ static void usage(void) { printf("\tfnet create veth dev1 dev2 bridge child\n"); printf("\tfnet create macvlan dev parent child\n"); printf("\tfnet moveif dev proc\n"); + printf("\tfnet printif\n"); + printf("\tfnet printif scan\n"); + printf("\tfnet config interface dev ip mask mtu\n"); + printf("\tfnet config mac addr\n"); + printf("\tfnet config ipv6 dev ipn"); + printf("\tfmet ifup dev\n"); } int main(int argc, char **argv) { #if 0 { -system("cat /proc/self/status"); +//system("cat /proc/self/status"); int i; for (i = 0; i < argc; i++) printf("*%s* ", argv[i]); 
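Review bot: Two of the usage strings added to usage() in src/fnet/main.c are malformed: `printf("\tfnet config ipv6 dev ipn");` has lost the backslash of its newline, and `"\tfmet ifup dev\n"` misspells the program name. They should read `printf("\tfnet config ipv6 dev ip\n");` and `printf("\tfnet ifup dev\n");`. The `config mac` line lists only `addr`, while the dispatch in the next hunk requires `argc == 5` with the device in `argv[3]`, so `fnet config mac dev addr` would match the code.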
@@ -45,22 +51,49 @@ printf("\n"); usage(); return 0; } + else if (argc == 3 && strcmp(argv[1], "ifup") == 0) { + net_if_up(argv[2]); + } + else if (argc == 2 && strcmp(argv[1], "printif") == 0) { + net_ifprint(0); + } + else if (argc == 3 && strcmp(argv[1], "printif") == 0 && strcmp(argv[2], "scan") == 0) { + net_ifprint(1); + } else if (argc == 7 && strcmp(argv[1], "create") == 0 && strcmp(argv[2], "veth") == 0) { // create veth pair and move one end in the the namespace net_create_veth(argv[3], argv[4], atoi(argv[6])); - // connect the ohter veth end to the bridge ... net_bridge_add_interface(argv[5], argv[3]); - // ... and bring it up net_if_up(argv[3]); } else if (argc == 6 && strcmp(argv[1], "create") == 0 && strcmp(argv[2], "macvlan") == 0) { net_create_macvlan(argv[3], argv[4], atoi(argv[5])); } + else if (argc == 7 && strcmp(argv[1], "config") == 0 && strcmp(argv[2], "interface") == 0) { + char *dev = argv[3]; + uint32_t ip = (uint32_t) atoll(argv[4]); + uint32_t mask = (uint32_t) atoll(argv[5]); + int mtu = atoi(argv[6]); + // configure interface + net_if_ip(dev, ip, mask, mtu); + // ... and bring it up + net_if_up(dev); + } + else if (argc == 5 && strcmp(argv[1], "config") == 0 && strcmp(argv[2], "mac") == 0) { + unsigned char mac[6]; + if (atomac(argv[4], mac)) { + fprintf(stderr, "Error fnet: invalid mac address %s\n", argv[4]); + } + net_if_mac(argv[3], mac); + } else if (argc == 4 && strcmp(argv[1], "moveif") == 0) { net_move_interface(argv[2], atoi(argv[3])); } + else if (argc == 5 && strcmp(argv[1], "config") == 0 && strcmp(argv[2], "ipv6") == 0) { + net_if_ip6(argv[3], argv[4]); + } else { fprintf(stderr, "Error fnet: invalid arguments\n"); return 1; diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c index 59d426a78..f53e2ef8b 100644 --- a/src/fseccomp/main.c +++ b/src/fseccomp/main.c 
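Review bot: The `config mac` branch of main() reports a bad address but does not stop. After `fprintf(stderr, "Error fnet: invalid mac address %s\n", argv[4]);` execution falls through to `net_if_mac(argv[3], mac)` with `mac` possibly uninitialised (atomac() is not visible here). Add `return 1;` inside that `if` block, as the final `else` branch already does. The `config interface` branch converts `ip`, `mask` and `mtu` with `atoll()`/`atoi()` and no validation, which deserves at least a comment stating that the caller is trusted to pass well-formed numbers. main() starts outside this hunk.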
@@ -9,15 +9,15 @@ static void usage(void) { } int main(int argc, char **argv) { -//#if 0 +#if 0 { -//system("cat /proc/self/status"); +system("cat /proc/self/status"); int i; for (i = 0; i < argc; i++) printf("*%s* ", argv[i]); printf("\n"); } -//#endif +#endif if (argc < 2) return 1; -- cgit v1.2.3-70-g09d2 From a066bc93ed0bb9f32b3a175f4c531fbc8334c9d2 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 30 Oct 2016 16:20:29 -0400 Subject: dispaly and Wire profiles --- README | 2 +- README.md | 2 +- RELNOTES | 2 +- platform/debian/conffiles | 2 ++ 4 files changed, 5 insertions(+), 3 deletions(-) diff --git a/README b/README index f0e2ea3e8..c0f5ea8d4 100644 --- a/README +++ b/README @@ -84,7 +84,7 @@ valoq (https://github.com/valoq) - LibreOffice profile fixes - cherrytree profile fixes - added support for /srv in --whitelist feature - - Eye of GNOME and Evolution profiles + - Eye of GNOME, Evolution, display (imagemagik) and Wire profiles - blacklist suid binaries in disable-common.inc Vadim A. Misbakh-Soloviov (https://github.com/msva) - profile fixes diff --git a/README.md b/README.md index ff1b2e8ba..69ab1be07 100644 --- a/README.md +++ b/README.md @@ -52,5 +52,5 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is ````` ## New Profiles -xiphos, Tor Browser Bundle +xiphos, Tor Browser Bundle, display (imagemagik), Wire diff --git a/RELNOTES b/RELNOTES index 16c03fc23..44d313999 100644 --- a/RELNOTES +++ b/RELNOTES @@ -3,7 +3,7 @@ firejail (0.9.45) baseline; urgency=low * security: overwrite /etc/resolv.conf found by Martin Carpenter * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm) * feature: split most of networking code in a separate executable - * new profiles: xiphos, Tor Browser Bundle + * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire * bugfixes -- netblue30 Sun, 23 Oct 2016 08:00:00 -0500 
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 0c2e85904..526143a0f 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -168,3 +168,5 @@
 /etc/firejail/evolution.profile
 /etc/firejail/start-tor-browser.profile
 /etc/firejail/xiphos.profile
+/etc/firejail/display.profile
+/etc/firejail/Wire.profile
-- cgit v1.2.3-70-g09d2 From 5d71a091b27cfab5a159842f9a660ee09c61ebde Mon Sep 17 00:00:00 2001 From: Impyy Date: Mon, 31 Oct 2016 23:12:53 +0100 Subject: Added a profile for mumble --- etc/mumble.profile | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 etc/mumble.profile
diff --git a/etc/mumble.profile b/etc/mumble.profile
new file mode 100644
index 000000000..ddd70822d
--- /dev/null
+++ b/etc/mumble.profile
@@ -0,0 +1,26 @@
+# mumble profile
+noblacklist ${HOME}/.config/Mumble
+noblacklist ${HOME}/.local/share/data/Mumble
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+mkdir ${HOME}/.config/Mumble
+mkdir ${HOME}/.local/share/data/Mumble
+whitelist ${HOME}/.config/Mumble
+whitelist ${HOME}/.local/share/data/Mumble
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin mumble
+private-tmp
-- cgit v1.2.3-70-g09d2 From ddc9f0fdd56488061022550821d849e66e5b4297 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 31 Oct 2016 21:17:29 -0400 Subject: fixed /run/firejail/mnt problem introduced recently --- src/firejail/preproc.c | 4 ++++ src/firejail/util.c | 5 +++-- 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index 6784ff5ac..27e06b556 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -56,6 +56,10 @@ void preproc_build_firejail_dir(void) { create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755); } + if (stat(RUN_MNT_DIR, &s)) { + create_empty_dir_as_root(RUN_MNT_DIR, 0755); + } + create_empty_file_as_root(RUN_RO_FILE, S_IRUSR); create_empty_dir_as_root(RUN_RO_DIR, S_IRUSR); } diff --git a/src/firejail/util.c b/src/firejail/util.c index 4384c2b0b..8d3b9d3cd 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c @@ -698,8 +698,8 @@ void flush_stdin(void) { void create_empty_dir_as_root(const char *dir, mode_t mode) { assert(dir); - struct stat s; + if (stat(dir, &s)) { if (arg_debug) printf("Creating empty %s directory\n", dir); @@ -707,9 +707,10 @@ void create_empty_dir_as_root(const char *dir, mode_t mode) { errExit("mkdir"); if (chmod(dir, mode) == -1) errExit("chmod"); + if (chown(dir, 0, 0) == -1) + errExit("chown"); ASSERT_PERMS(dir, 0, 0, mode); } - } void create_empty_file_as_root(const char *fname, mode_t mode) { -- cgit v1.2.3-70-g09d2 From 72b93c5761b5e42c5742e192f46bac1696c36f4c Mon Sep 17 00:00:00 2001 
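Review bot: create_empty_dir_as_root() in src/firejail/util.c still only verifies what it has just created. `ASSERT_PERMS(dir, 0, 0, mode);` sits inside the `if (stat(dir, &s))` block, so a path that already exists is accepted without any check of its type, owner or mode. Since these paths are created as root under /run/firejail, consider an `else` branch that at least rejects a non-directory, e.g. `else if (!S_ISDIR(s.st_mode)) { fprintf(stderr, "Error: %s is not a directory\n", dir); exit(1); }`. The new `stat(RUN_MNT_DIR, &s)` guard in preproc_build_firejail_dir() repeats the test the callee already performs and could be dropped.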
From: netblue30 Date: Wed, 2 Nov 2016 07:49:01 -0400 Subject: major cleanup --- src/firejail/errno.c | 2 - src/firejail/firejail.h | 24 +- src/firejail/join.c | 6 +- src/firejail/preproc.c | 31 +- src/firejail/protocol.c | 46 --- src/firejail/sandbox.c | 33 +- src/firejail/seccomp.c | 873 +++++++-------------------------------- src/firejail/syscall.c | 105 ----- src/firejail/util.c | 4 +- src/fnet/Makefile.in | 4 +- src/fseccomp/Makefile.in | 4 +- src/fseccomp/errno.c | 43 ++ src/fseccomp/fseccomp.h | 50 +++ src/fseccomp/main.c | 49 +++ src/fseccomp/seccomp.c | 292 +++++++++++++ src/fseccomp/seccomp_file.c | 108 +++++ src/fseccomp/seccomp_print.c | 116 ++++++ src/fseccomp/seccomp_secondary.c | 183 ++++++++ src/fseccomp/syscall.c | 84 ++++ test/filters/filters.sh | 15 +- test/filters/fseccomp.exp | 138 +++++++ 21 files changed, 1281 insertions(+), 929 deletions(-) delete mode 100644 src/firejail/syscall.c create mode 100644 src/fseccomp/seccomp.c create mode 100644 src/fseccomp/seccomp_file.c create mode 100644 src/fseccomp/seccomp_print.c create mode 100644 src/fseccomp/seccomp_secondary.c create mode 100755 test/filters/fseccomp.exp diff --git a/src/firejail/errno.c b/src/firejail/errno.c index 03f10bb14..8215c99a1 100644 --- a/src/firejail/errno.c +++ b/src/firejail/errno.c @@ -17,7 +17,6 @@ * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ - #ifdef HAVE_SECCOMP #include "firejail.h" #include @@ -205,5 +204,4 @@ char *errno_find_nr(int nr) { return "unknown"; } - #endif // HAVE_SECCOMP diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index dcec160fb..cf540ff91 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -25,7 +25,6 @@ // debug restricted shell //#define DEBUG_RESTRICTED_SHELL - // filesystem #define RUN_FIREJAIL_BASEDIR "/run" #define RUN_FIREJAIL_DIR "/run/firejail" 
@@ -38,8 +37,6 @@ #define RUN_RO_DIR "/run/firejail/firejail.ro.dir" #define RUN_RO_FILE "/run/firejail/firejail.ro.file" #define RUN_MNT_DIR "/run/firejail/mnt" // a tmpfs is mounted on this directory before any of the files below are created -#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" -#define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" #define RUN_CGROUP_CFG "/run/firejail/mnt/cgroup" #define RUN_CPU_CFG "/run/firejail/mnt/cpu" #define RUN_GROUPS_CFG "/run/firejail/mnt/groups" @@ -50,6 +47,12 @@ #define RUN_BIN_DIR "/run/firejail/mnt/bin" #define RUN_PULSE_DIR "/run/firejail/mnt/pulse" +#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter +#define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter +#define RUN_SECCOMP_AMD64 "/run/firejail/mnt/seccomp.amd64" // amd64 filter installed on i386 architectures +#define RUN_SECCOMP_I386 "/run/firejail/mnt/seccomp.i386" // i386 filter installed on amd64 architectures + + #define RUN_DEV_DIR "/run/firejail/mnt/dev" #define RUN_DEVLOG_FILE "/run/firejail/mnt/devlog" @@ -76,6 +79,8 @@ #define RUN_GROUP_FILE "/run/firejail/mnt/group" #define RUN_FSLOGGER_FILE "/run/firejail/mnt/fslogger" + + // profiles #define DEFAULT_USER_PROFILE "default" #define DEFAULT_ROOT_PROFILE "server" @@ -491,12 +496,14 @@ void fs_private_home_list(void); // seccomp.c +int seccomp_load(const char *fname); +void seccomp_filter_32(void); +void seccomp_filter_64(void); int seccomp_filter_drop(int enforce_seccomp); int seccomp_filter_keep(void); -void seccomp_set(void); +int seccomp_filter_errno(void); void seccomp_print_filter_name(const char *name); void seccomp_print_filter(pid_t pid); -int seccomp_filter_errno(void); // caps.c int caps_default_filter(void); 
@@ -591,13 +598,10 @@ void fs_check_bin_list(void); void fs_private_bin_list(void); // protocol.c -void protocol_list(); -void protocol_print_filter_name(const char *name); -void protocol_print_filter(pid_t pid); -void protocol_store(const char *prlist); -void protocol_filter(const char *fname); void protocol_filter_save(void); void protocol_filter_load(const char *fname); +void protocol_print_filter_name(const char *name); +void protocol_print_filter(pid_t pid); // restrict_users.c void restrict_users(void); diff --git a/src/firejail/join.c b/src/firejail/join.c index 9b5fba24d..6f1e9455c 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c @@ -292,16 +292,16 @@ void join(pid_t pid, int argc, char **argv, int index) { if (apply_caps == 1) // not available for uid 0 caps_set(caps); #ifdef HAVE_SECCOMP - // set protocol filter + // read cfg.protocol from file if (getuid() != 0) protocol_filter_load(RUN_PROTOCOL_CFG); if (cfg.protocol) { // not available for uid 0 - protocol_filter(RUN_SECCOMP_PROTOCOL); + seccomp_load(RUN_SECCOMP_PROTOCOL); // install filter } // set seccomp filter if (apply_seccomp == 1) // not available for uid 0 - seccomp_set(); + seccomp_load(RUN_SECCOMP_CFG); #endif // fix qt 4.8 diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index 27e06b556..2873571a9 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c @@ -66,8 +66,6 @@ void preproc_build_firejail_dir(void) { // build /run/firejail/mnt directory void preproc_mount_mnt_dir(void) { - struct stat s; - // mount tmpfs on top of /run/firejail/mnt if (!tmpfs_mounted) { if (arg_debug) 
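Review bot: Both new calls in join() (src/firejail/join.c), `seccomp_load(RUN_SECCOMP_PROTOCOL);` and `seccomp_load(RUN_SECCOMP_CFG);`, discard the result although firejail.h now declares `int seccomp_load(const char *fname);`. If the function reports a failed install through its return value (its body is not fully visible here), the joined process would continue without the filter. Assuming non-zero means failure, check it with `if (seccomp_load(RUN_SECCOMP_CFG)) exit(1);`, or document on the prototype that the function never returns on failure. The call added to sandbox() in src/firejail/sandbox.c follows the same pattern. join() starts and ends outside this hunk.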
@@ -76,6 +74,35 @@ void preproc_mount_mnt_dir(void) { errExit("mounting /run/firejail/mnt"); tmpfs_mounted = 1; fs_logger2("tmpfs", RUN_MNT_DIR); + + // create all seccomp files + // as root, create RUN_SECCOMP_I386 file + create_empty_file_as_root(RUN_SECCOMP_I386, 0644); + if (chown(RUN_SECCOMP_I386, getuid(), getgid()) == -1) + errExit("chown"); + if (chmod(RUN_SECCOMP_I386, 0644) == -1) + errExit("chmod"); + + // as root, create RUN_SECCOMP_AMD64 file + create_empty_file_as_root(RUN_SECCOMP_AMD64, 0644); + if (chown(RUN_SECCOMP_AMD64, getuid(), getgid()) == -1) + errExit("chown"); + if (chmod(RUN_SECCOMP_AMD64, 0644) == -1) + errExit("chmod"); + + // as root, create RUN_SECCOMP file + create_empty_file_as_root(RUN_SECCOMP_CFG, 0644); + if (chown(RUN_SECCOMP_CFG, getuid(), getgid()) == -1) + errExit("chown"); + if (chmod(RUN_SECCOMP_CFG, 0644) == -1) + errExit("chmod"); + + // as root, create RUN_SECCOMP_PROTOCOL file + create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644); + if (chown(RUN_SECCOMP_PROTOCOL, getuid(), getgid()) == -1) + errExit("chown"); + if (chmod(RUN_SECCOMP_PROTOCOL, 0644) == -1) + errExit("chmod"); } } diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c index db6c6cad9..e8e88aee9 100644 --- a/src/firejail/protocol.c +++ b/src/firejail/protocol.c 
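Review bot: The block added to preproc_mount_mnt_dir() repeats the same create/chown/chmod sequence four times, once per filter file, which makes it easy for one copy to drift to a different mode or lose an error check. A small static helper taking the file name would state the intent once, as sketched below. The `chmod(..., 0644)` after each `create_empty_file_as_root(..., 0644)` also suggests that function does not honour its mode argument, which is worth a comment here if the extra call stays.

```c
// create an empty seccomp filter file as root, then hand it to the calling user
static void create_user_filter_file(const char *fname) {
	create_empty_file_as_root(fname, 0644);
	if (chown(fname, getuid(), getgid()) == -1)
		errExit("chown");
	if (chmod(fname, 0644) == -1)
		errExit("chmod");
}

		// … unchanged: tmpfs mount, tmpfs_mounted flag, fs_logger2 call …
		create_user_filter_file(RUN_SECCOMP_I386);
		create_user_filter_file(RUN_SECCOMP_AMD64);
		create_user_filter_file(RUN_SECCOMP_CFG);
		create_user_filter_file(RUN_SECCOMP_PROTOCOL);
```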
@@ -22,52 +22,6 @@ #include "firejail.h" #include "../include/seccomp.h" -// install protocol filter -void protocol_filter(const char *fname) { -#ifndef SYS_socket - if (arg_debug) - printf("No support for --protocol on this platform\n"); - return; -#else - assert(fname); - - // check file - struct stat s; - if (stat(fname, &s) == -1) { - fprintf(stderr, "Error: cannot read protocol filter file\n"); - exit(1); - } - int size = s.st_size; - - // read filter - struct sock_filter filter[32]; // big enough - memset(&filter[0], 0, sizeof(filter)); - int src = open(fname, O_RDONLY); - int rd = 0; - while (rd < size) { - int rv = read(src, (unsigned char *) filter + rd, size - rd); - if (rv == -1) { - fprintf(stderr, "Error: cannot read %s file\n", fname); - exit(1); - } - rd += rv; - } - close(src); - - // install filter - unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter); - struct sock_fprog prog = { - .len = entries, - .filter = filter, - }; - - if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { - fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n"); - return; - } -#endif -} - void protocol_filter_save(void) { // save protocol filter configuration in PROTOCOL_CFG FILE *fp = fopen(RUN_PROTOCOL_CFG, "w"); diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index a15003d03..3942e4da6 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c 
@@ -559,13 +559,6 @@ assert(0); if (cfg.protocol) { if (arg_debug) printf("Build protocol filter: %s\n", cfg.protocol); - // as root, create RUN_SECCOMP_PROTOCOL file - // this is where fseccomp program will store the protocol filter - create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644); - if (chown(RUN_SECCOMP_PROTOCOL, getuid(), getgid()) == -1) - errExit("chown"); - if (chmod(RUN_SECCOMP_PROTOCOL, 0644) == -1) - errExit("chmod"); // build the seccomp filter as a regular user int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5, @@ -826,13 +819,23 @@ assert(0); // set rlimits set_rlimits(); - // set seccomp + // set cpu affinity + if (cfg.cpus) { + save_cpu(); // save cpu affinity mask to CPU_CFG file + set_cpu_affinity(); + } + + // save cgroup in CGROUP_CFG file + if (cfg.cgroup) + save_cgroup(); + + // set seccomp //todo: push it down after drop_privs and/or configuring noroot #ifdef HAVE_SECCOMP // install protocol filter if (cfg.protocol) { if (arg_debug) printf("Install protocol filter: %s\n", cfg.protocol); - protocol_filter(RUN_SECCOMP_PROTOCOL); // install filter + seccomp_load(RUN_SECCOMP_PROTOCOL); // install filter protocol_filter_save(); // save filter in RUN_PROTOCOL_CFG } @@ -847,16 +850,6 @@ assert(0); } #endif - // set cpu affinity - if (cfg.cpus) { - save_cpu(); // save cpu affinity mask to CPU_CFG file - set_cpu_affinity(); - } - - // save cgroup in CGROUP_CFG file - if (cfg.cgroup) - save_cgroup(); - //**************************************** // drop privileges or create a new user namespace //**************************************** @@ -929,8 +922,6 @@ assert(0); int status = monitor_application(app_pid); // monitor application flush_stdin(); - - if (WIFEXITED(status)) { // if we had a proper exit, return that exit status return WEXITSTATUS(status); diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 69be04a03..74d29fc9d 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c 
@@ -22,760 +22,203 @@ #include "firejail.h" #include "../include/seccomp.h" -#define SECSIZE 128 // initial filter size -static struct sock_filter *sfilter = NULL; -static int sfilter_alloc_size = 0; -static int sfilter_index = 0; - -// debug filter -void filter_debug(void) { - // start filter - struct sock_filter filter[] = { - VALIDATE_ARCHITECTURE, - EXAMINE_SYSCALL - }; +int seccomp_load(const char *fname) { + assert(fname); - // print sizes - printf("SECCOMP Filter:\n"); - if (sfilter == NULL) { - printf("SECCOMP filter not allocated\n"); - return; - } - if (sfilter_index < 4) - return; - - // test the start of the filter - if (memcmp(sfilter, filter, sizeof(filter)) == 0) { - printf(" VALIDATE_ARCHITECTURE\n"); - printf(" EXAMINE_SYSCAL\n"); + // check file + struct stat s; + if (stat(fname, &s) == -1) { + fprintf(stderr, "Error: cannot read protocol filter file\n"); + exit(1); } - - // loop trough blacklists - int i = 4; - while (i < sfilter_index) { - // minimal parsing! - unsigned char *ptr = (unsigned char *) &sfilter[i]; - int *nr = (int *) (ptr + 4); - if (*ptr == 0x15 && *(ptr +14) == 0xff && *(ptr + 15) == 0x7f ) { - printf(" WHITELIST %d %s\n", *nr, syscall_find_nr(*nr)); - i += 2; - } - else if (*ptr == 0x15 && *(ptr +14) == 0 && *(ptr + 15) == 0) { - printf(" BLACKLIST %d %s\n", *nr, syscall_find_nr(*nr)); - i += 2; - } - else if (*ptr == 0x15 && *(ptr +14) == 0x5 && *(ptr + 15) == 0) { - int err = *(ptr + 13) << 8 | *(ptr + 12); - printf(" ERRNO %d %s %d %s\n", *nr, syscall_find_nr(*nr), err, errno_find_nr(err)); - i += 2; - } - else if (*ptr == 0x06 && *(ptr +6) == 0 && *(ptr + 7) == 0 ) { - printf(" KILL_PROCESS\n"); - i++; - } - else if (*ptr == 0x06 && *(ptr +6) == 0xff && *(ptr + 7) == 0x7f ) { - printf(" RETURN_ALLOW\n"); - i++; - } - else { - printf(" UNKNOWN ENTRY!!!\n"); - i++; + int size = s.st_size; + unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter); +//printf("size %d, entries %d\n", 
s.st_size, entries); + + // read filter + struct sock_filter filter[entries]; + memset(&filter[0], 0, sizeof(filter)); + int src = open(fname, O_RDONLY); + int rd = 0; + while (rd < size) { + int rv = read(src, (unsigned char *) filter + rd, size - rd); + if (rv == -1) { + fprintf(stderr, "Error: cannot read %s file\n", fname); + exit(1); } + rd += rv; } -} - -// initialize filter -static void filter_init(void) { - if (sfilter) { - assert(0); - return; - } - -// if (arg_debug) -// printf("Initialize seccomp filter\n"); - // allocate a filter of SECSIZE - sfilter = malloc(sizeof(struct sock_filter) * SECSIZE); - if (!sfilter) - errExit("malloc"); - memset(sfilter, 0, sizeof(struct sock_filter) * SECSIZE); - sfilter_alloc_size = SECSIZE; - - // copy the start entries -#if defined(__x86_64__) -#define X32_SYSCALL_BIT 0x40000000 - struct sock_filter filter[] = { - VALIDATE_ARCHITECTURE, - EXAMINE_SYSCALL, - // handle X32 ABI - BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), - BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), - RETURN_ERRNO(EPERM) - }; -#else - struct sock_filter filter[] = { - VALIDATE_ARCHITECTURE, - EXAMINE_SYSCALL - }; -#endif - sfilter_index = sizeof(filter) / sizeof(struct sock_filter); - memcpy(sfilter, filter, sizeof(filter)); -} - -static void filter_realloc(void) { - assert(sfilter); - assert(sfilter_alloc_size); - assert(sfilter_index); - if (arg_debug) - printf("Allocating more seccomp filter entries\n"); - - // allocate the new memory - struct sock_filter *old = sfilter; - sfilter = malloc(sizeof(struct sock_filter) * (sfilter_alloc_size + SECSIZE)); - if (!sfilter) - errExit("malloc"); - memset(sfilter, 0, sizeof(struct sock_filter) * (sfilter_alloc_size + SECSIZE)); - - // copy old filter - memcpy(sfilter, old, sizeof(struct sock_filter) * sfilter_alloc_size); - sfilter_alloc_size += SECSIZE; -} - -static void filter_add_whitelist(int syscall, int arg) { - (void) arg; - assert(sfilter); - assert(sfilter_alloc_size); - 
assert(sfilter_index); -// if (arg_debug) -// printf("Whitelisting syscall %d %s\n", syscall, syscall_find_nr(syscall)); - - if ((sfilter_index + 2) > sfilter_alloc_size) - filter_realloc(); - - struct sock_filter filter[] = { - WHITELIST(syscall) - }; -#if 0 -{ - int i; - unsigned char *ptr = (unsigned char *) &filter[0]; - for (i = 0; i < sizeof(filter); i++, ptr++) - printf("%x, ", (*ptr) & 0xff); - printf("\n"); -} -#endif - memcpy(&sfilter[sfilter_index], filter, sizeof(filter)); - sfilter_index += sizeof(filter) / sizeof(struct sock_filter); -} + close(src); -static void filter_add_blacklist(int syscall, int arg) { - (void) arg; - assert(sfilter); - assert(sfilter_alloc_size); - assert(sfilter_index); -// if (arg_debug) -// printf("Blacklisting syscall %d %s\n", syscall, syscall_find_nr(syscall)); - - if ((sfilter_index + 2) > sfilter_alloc_size) - filter_realloc(); - - struct sock_filter filter[] = { - BLACKLIST(syscall) - }; -#if 0 -{ - int i; - unsigned char *ptr = (unsigned char *) &filter[0]; - for (i = 0; i < sizeof(filter); i++, ptr++) - printf("%x, ", (*ptr) & 0xff); - printf("\n"); -} -#endif - memcpy(&sfilter[sfilter_index], filter, sizeof(filter)); - sfilter_index += sizeof(filter) / sizeof(struct sock_filter); -} - -static void filter_add_errno(int syscall, int arg) { - assert(sfilter); - assert(sfilter_alloc_size); - assert(sfilter_index); -// if (arg_debug) -// printf("Errno syscall %d %d %s\n", syscall, arg, syscall_find_nr(syscall)); - - if ((sfilter_index + 2) > sfilter_alloc_size) - filter_realloc(); - - struct sock_filter filter[] = { - BLACKLIST_ERRNO(syscall, arg) - }; -#if 0 -{ - int i; - unsigned char *ptr = (unsigned char *) &filter[0]; - for (i = 0; i < sizeof(filter); i++, ptr++) - printf("%x, ", (*ptr) & 0xff); - printf("\n"); -} -#endif - memcpy(&sfilter[sfilter_index], filter, sizeof(filter)); - sfilter_index += sizeof(filter) / sizeof(struct sock_filter); -} - -static void filter_end_blacklist(void) { - assert(sfilter); - 
assert(sfilter_alloc_size); - assert(sfilter_index); -// if (arg_debug) -// printf("Ending syscall filter\n"); - - if ((sfilter_index + 2) > sfilter_alloc_size) - filter_realloc(); - - struct sock_filter filter[] = { - RETURN_ALLOW - }; -#if 0 -{ - int i; - unsigned char *ptr = (unsigned char *) &filter[0]; - for (i = 0; i < sizeof(filter); i++, ptr++) - printf("%x, ", (*ptr) & 0xff); - printf("\n"); -} -#endif - memcpy(&sfilter[sfilter_index], filter, sizeof(filter)); - sfilter_index += sizeof(filter) / sizeof(struct sock_filter); -} - -static void filter_end_whitelist(void) { - assert(sfilter); - assert(sfilter_alloc_size); - assert(sfilter_index); - if (arg_debug) - printf("Ending syscall filter\n"); - - if ((sfilter_index + 2) > sfilter_alloc_size) - filter_realloc(); - - struct sock_filter filter[] = { - KILL_PROCESS + // install filter + struct sock_fprog prog = { + .len = entries, + .filter = filter, }; -#if 0 -{ - int i; - unsigned char *ptr = (unsigned char *) &filter[0]; - for (i = 0; i < sizeof(filter); i++, ptr++) - printf("%x, ", (*ptr) & 0xff); - printf("\n"); -} -#endif - memcpy(&sfilter[sfilter_index], filter, sizeof(filter)); - sfilter_index += sizeof(filter) / sizeof(struct sock_filter); -} - - -// save seccomp filter in /run/firejail/mnt/seccomp -static void write_seccomp_file(void) { - assert(sfilter); - - int fd = open(RUN_SECCOMP_CFG, O_CREAT | O_WRONLY, S_IRUSR | S_IWUSR); - if (fd == -1) - errExit("open"); - if (arg_debug) - printf("Save seccomp filter, size %u bytes\n", (unsigned) (sfilter_index * sizeof(struct sock_filter))); - errno = 0; - ssize_t sz = write(fd, sfilter, sfilter_index * sizeof(struct sock_filter)); - if (sz != (ssize_t)(sfilter_index * sizeof(struct sock_filter))) { - fprintf(stderr, "Error: cannot save seccomp filter\n"); - exit(1); + if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { + fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or 
newer.\n"); + return 1; } - SET_PERMS_FD(fd, 0, 0, S_IRUSR | S_IWUSR); - close(fd); + + return 0; } -// read seccomp filter from /run/firejail/mnt/seccomp -static void read_seccomp_file(const char *fname) { - assert(sfilter == NULL && sfilter_index == 0); - // check file - struct stat s; - if (stat(fname, &s) == -1) { - fprintf(stderr, "Warning: seccomp file not found\n"); - return; - } - ssize_t sz = s.st_size; - if (sz == 0 || (sz % sizeof(struct sock_filter)) != 0) { - fprintf(stderr, "Error: invalid seccomp file\n"); - exit(1); - } - sfilter = malloc(sz); - if (!sfilter) - errExit("malloc"); - - // read file - /* coverity[toctou] */ - int fd = open(fname,O_RDONLY); - if (fd == -1) - errExit("open"); - errno = 0; - ssize_t size = read(fd, sfilter, sz); - if (size != sz) { - fprintf(stderr, "Error: invalid seccomp file\n"); - exit(1); - } - sfilter_index = sz / sizeof(struct sock_filter); - if (arg_debug) - printf("Read seccomp filter, size %u bytes\n", (unsigned) (sfilter_index * sizeof(struct sock_filter))); - - close(fd); - - if (arg_debug) - filter_debug(); -} // i386 filter installed on amd64 architectures void seccomp_filter_32(void) { - // hardcoded syscall values - struct sock_filter filter[] = { - VALIDATE_ARCHITECTURE_32, - EXAMINE_SYSCALL, - BLACKLIST(21), // mount - BLACKLIST(52), // umount2 -// todo: implement --allow-debuggers - BLACKLIST(26), // ptrace - BLACKLIST(283), // kexec_load - BLACKLIST(341), // name_to_handle_at - BLACKLIST(342), // open_by_handle_at - BLACKLIST(127), // create_module - BLACKLIST(128), // init_module - BLACKLIST(350), // finit_module - BLACKLIST(129), // delete_module - BLACKLIST(110), // iopl - BLACKLIST(101), // ioperm - BLACKLIST(289), // ioprio_set - BLACKLIST(87), // swapon - BLACKLIST(115), // swapoff - BLACKLIST(103), // syslog - BLACKLIST(347), // process_vm_readv - BLACKLIST(348), // process_vm_writev - BLACKLIST(135), // sysfs - BLACKLIST(149), // _sysctl - BLACKLIST(124), // adjtimex - BLACKLIST(343), // 
clock_adjtime - BLACKLIST(253), // lookup_dcookie - BLACKLIST(336), // perf_event_open - BLACKLIST(338), // fanotify_init - BLACKLIST(349), // kcmp - BLACKLIST(286), // add_key - BLACKLIST(287), // request_key - BLACKLIST(288), // keyctl - BLACKLIST(86), // uselib - BLACKLIST(51), // acct - BLACKLIST(123), // modify_ldt - BLACKLIST(217), // pivot_root - BLACKLIST(245), // io_setup - BLACKLIST(246), // io_destroy - BLACKLIST(247), // io_getevents - BLACKLIST(248), // io_submit - BLACKLIST(249), // io_cancel - BLACKLIST(257), // remap_file_pages - BLACKLIST(274), // mbind - BLACKLIST(275), // get_mempolicy - BLACKLIST(276), // set_mempolicy - BLACKLIST(294), // migrate_pages - BLACKLIST(317), // move_pages - BLACKLIST(316), // vmsplice - BLACKLIST(61), // chroot - BLACKLIST(88), // reboot - BLACKLIST(169), // nfsservctl - BLACKLIST(130), // get_kernel_syms - - RETURN_ALLOW - }; + if (arg_debug) + printf("Build secondary 32-bit filter\n"); - struct sock_fprog prog = { - .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])), - .filter = filter, - }; + // build the seccomp filter as a regular user + int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4, + PATH_FSECCOMP, "secondary", "32", RUN_SECCOMP_I386); + if (rv) + exit(rv); - if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { - ; - } - else if (arg_debug) { - printf("Dual i386/amd64 seccomp filter configured\n"); + if (seccomp_load(RUN_SECCOMP_I386) == 0) { + if (arg_debug) + printf("Dual i386/amd64 seccomp filter configured\n"); } } // amd64 filter installed on i386 architectures void seccomp_filter_64(void) { - // hardcoded syscall values - struct sock_filter filter[] = { - VALIDATE_ARCHITECTURE_64, - EXAMINE_SYSCALL, - BLACKLIST(165), // mount - BLACKLIST(166), // umount2 -// todo: implement --allow-debuggers - BLACKLIST(101), // ptrace - BLACKLIST(246), // kexec_load - BLACKLIST(304), // open_by_handle_at - BLACKLIST(303), // name_to_handle_at - 
BLACKLIST(174), // create_module - BLACKLIST(175), // init_module - BLACKLIST(313), // finit_module - BLACKLIST(176), // delete_module - BLACKLIST(172), // iopl - BLACKLIST(173), // ioperm - BLACKLIST(251), // ioprio_set - BLACKLIST(167), // swapon - BLACKLIST(168), // swapoff - BLACKLIST(103), // syslog - BLACKLIST(310), // process_vm_readv - BLACKLIST(311), // process_vm_writev - BLACKLIST(139), // sysfs - BLACKLIST(156), // _sysctl - BLACKLIST(159), // adjtimex - BLACKLIST(305), // clock_adjtime - BLACKLIST(212), // lookup_dcookie - BLACKLIST(298), // perf_event_open - BLACKLIST(300), // fanotify_init - BLACKLIST(312), // kcmp - BLACKLIST(248), // add_key - BLACKLIST(249), // request_key - BLACKLIST(250), // keyctl - BLACKLIST(134), // uselib - BLACKLIST(163), // acct - BLACKLIST(154), // modify_ldt - BLACKLIST(155), // pivot_root - BLACKLIST(206), // io_setup - BLACKLIST(207), // io_destroy - BLACKLIST(208), // io_getevents - BLACKLIST(209), // io_submit - BLACKLIST(210), // io_cancel - BLACKLIST(216), // remap_file_pages - BLACKLIST(237), // mbind - BLACKLIST(239), // get_mempolicy - BLACKLIST(238), // set_mempolicy - BLACKLIST(256), // migrate_pages - BLACKLIST(279), // move_pages - BLACKLIST(278), // vmsplice - BLACKLIST(161), // chroot - BLACKLIST(184), // tuxcall - BLACKLIST(169), // reboot - BLACKLIST(180), // nfsservctl - BLACKLIST(177), // get_kernel_syms - - RETURN_ALLOW - }; + if (arg_debug) + printf("Build secondary 64-bit filter\n"); - struct sock_fprog prog = { - .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])), - .filter = filter, - }; + // build the seccomp filter as a regular user + int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4, + PATH_FSECCOMP, "secondary", "64", RUN_SECCOMP_AMD64); + if (rv) + exit(rv); - if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { - ; - } - else if (arg_debug) { - printf("Dual i386/amd64 seccomp filter configured\n"); + if 
(seccomp_load(RUN_SECCOMP_AMD64) == 0) { + if (arg_debug) + printf("Dual i386/amd64 seccomp filter configured\n"); } } // drop filter for seccomp option int seccomp_filter_drop(int enforce_seccomp) { - filter_init(); - // default seccomp - if (cfg.seccomp_list_drop == NULL) { + if (cfg.seccomp_list_drop == NULL && cfg.seccomp_list == NULL) { #if defined(__x86_64__) seccomp_filter_32(); #endif #if defined(__i386__) seccomp_filter_64(); #endif - -#ifdef SYS_mount - filter_add_blacklist(SYS_mount, 0); -#endif -#ifdef SYS_umount2 - filter_add_blacklist(SYS_umount2, 0); -#endif - - if (!arg_allow_debuggers) { -#ifdef SYS_ptrace - filter_add_blacklist(SYS_ptrace, 0); -#endif - } - -#ifdef SYS_kexec_load - filter_add_blacklist(SYS_kexec_load, 0); -#endif -#ifdef SYS_kexec_file_load - filter_add_blacklist(SYS_kexec_file_load, 0); -#endif -#ifdef SYS_open_by_handle_at - filter_add_blacklist(SYS_open_by_handle_at, 0); -#endif -#ifdef SYS_name_to_handle_at - filter_add_blacklist(SYS_name_to_handle_at, 0); -#endif -#ifdef SYS_init_module - filter_add_blacklist(SYS_init_module, 0); -#endif -#ifdef SYS_finit_module // introduced in 2013 - filter_add_blacklist(SYS_finit_module, 0); -#endif -#ifdef SYS_create_module - filter_add_blacklist(SYS_create_module, 0); -#endif -#ifdef SYS_delete_module - filter_add_blacklist(SYS_delete_module, 0); -#endif -#ifdef SYS_iopl - filter_add_blacklist(SYS_iopl, 0); -#endif -#ifdef SYS_ioperm - filter_add_blacklist(SYS_ioperm, 0); -#endif -#ifdef SYS_ioprio_set - filter_add_blacklist(SYS_ioprio_set, 0); -#endif -#ifdef SYS_ni_syscall // new io permissions call on arm devices - filter_add_blacklist(SYS_ni_syscall, 0); -#endif -#ifdef SYS_swapon - filter_add_blacklist(SYS_swapon, 0); -#endif -#ifdef SYS_swapoff - filter_add_blacklist(SYS_swapoff, 0); -#endif -#ifdef SYS_syslog - filter_add_blacklist(SYS_syslog, 0); -#endif - if (!arg_allow_debuggers) { -#ifdef SYS_process_vm_readv - filter_add_blacklist(SYS_process_vm_readv, 0); -#endif - } - 
-#ifdef SYS_process_vm_writev - filter_add_blacklist(SYS_process_vm_writev, 0); -#endif - -// mknod removed in 0.9.29 - it brakes Zotero extension -//#ifdef SYS_mknod -// filter_add_blacklist(SYS_mknod, 0); -//#endif - - // new syscalls in 0.9,23 -#ifdef SYS_sysfs - filter_add_blacklist(SYS_sysfs, 0); -#endif -#ifdef SYS__sysctl - filter_add_blacklist(SYS__sysctl, 0); -#endif -#ifdef SYS_adjtimex - filter_add_blacklist(SYS_adjtimex, 0); -#endif -#ifdef SYS_clock_adjtime - filter_add_blacklist(SYS_clock_adjtime, 0); -#endif -#ifdef SYS_lookup_dcookie - filter_add_blacklist(SYS_lookup_dcookie, 0); -#endif -#ifdef SYS_perf_event_open - filter_add_blacklist(SYS_perf_event_open, 0); -#endif -#ifdef SYS_fanotify_init - filter_add_blacklist(SYS_fanotify_init, 0); -#endif -#ifdef SYS_kcmp - filter_add_blacklist(SYS_kcmp, 0); -#endif - -// 0.9.32 -#ifdef SYS_add_key - filter_add_blacklist(SYS_add_key, 0); -#endif -#ifdef SYS_request_key - filter_add_blacklist(SYS_request_key, 0); -#endif -#ifdef SYS_keyctl - filter_add_blacklist(SYS_keyctl, 0); -#endif -#ifdef SYS_uselib - filter_add_blacklist(SYS_uselib, 0); -#endif -#ifdef SYS_acct - filter_add_blacklist(SYS_acct, 0); -#endif -#ifdef SYS_modify_ldt - filter_add_blacklist(SYS_modify_ldt, 0); -#endif - //#ifdef SYS_unshare - // filter_add_blacklist(SYS_unshare, 0); - //#endif -#ifdef SYS_pivot_root - filter_add_blacklist(SYS_pivot_root, 0); -#endif - //#ifdef SYS_quotactl - // filter_add_blacklist(SYS_quotactl, 0); - //#endif -#ifdef SYS_io_setup - filter_add_blacklist(SYS_io_setup, 0); -#endif -#ifdef SYS_io_destroy - filter_add_blacklist(SYS_io_destroy, 0); -#endif -#ifdef SYS_io_getevents - filter_add_blacklist(SYS_io_getevents, 0); -#endif -#ifdef SYS_io_submit - filter_add_blacklist(SYS_io_submit, 0); -#endif -#ifdef SYS_io_cancel - filter_add_blacklist(SYS_io_cancel, 0); -#endif -#ifdef SYS_remap_file_pages - filter_add_blacklist(SYS_remap_file_pages, 0); -#endif -#ifdef SYS_mbind - filter_add_blacklist(SYS_mbind, 0); 
-#endif -#ifdef SYS_get_mempolicy - filter_add_blacklist(SYS_get_mempolicy, 0); -#endif -#ifdef SYS_set_mempolicy - filter_add_blacklist(SYS_set_mempolicy, 0); -#endif -#ifdef SYS_migrate_pages - filter_add_blacklist(SYS_migrate_pages, 0); -#endif -#ifdef SYS_move_pages - filter_add_blacklist(SYS_move_pages, 0); -#endif -#ifdef SYS_vmsplice - filter_add_blacklist(SYS_vmsplice, 0); -#endif -#ifdef SYS_chroot - filter_add_blacklist(SYS_chroot, 0); -#endif - //#ifdef SYS_set_robust_list - // filter_add_blacklist(SYS_set_robust_list, 0); - //#endif - //#ifdef SYS_get_robust_list - // filter_add_blacklist(SYS_get_robust_list, 0); - //#endif - - // CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(clone), 1, - // SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER))); - -// 0.9.39 -#ifdef SYS_tuxcall - filter_add_blacklist(SYS_tuxcall, 0); -#endif -#ifdef SYS_reboot - filter_add_blacklist(SYS_reboot, 0); -#endif -#ifdef SYS_nfsservctl - filter_add_blacklist(SYS_nfsservctl, 0); -#endif -#ifdef SYS_get_kernel_syms - filter_add_blacklist(SYS_get_kernel_syms, 0); -#endif - + if (arg_debug) + printf("Build default seccomp filter\n"); + // build the seccomp filter as a regular user + int rv; + if (arg_allow_debuggers) + rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4, + PATH_FSECCOMP, "default", RUN_SECCOMP_CFG, "allow-debuggers"); + else + rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3, + PATH_FSECCOMP, "default", RUN_SECCOMP_CFG); + if (rv) + exit(rv); } // default seccomp filter with additional drop list - if (cfg.seccomp_list && cfg.seccomp_list_drop == NULL) { - if (syscall_check_list(cfg.seccomp_list, filter_add_blacklist, 0)) { - fprintf(stderr, "Error: cannot load seccomp filter\n"); + else if (cfg.seccomp_list && cfg.seccomp_list_drop == NULL) { +#if defined(__x86_64__) + seccomp_filter_32(); +#endif +#if defined(__i386__) + seccomp_filter_64(); +#endif + if (arg_debug) + printf("Build default+drop seccomp filter\n"); + if 
(strlen(cfg.seccomp_list) == 0) { + fprintf(stderr, "Error: empty syscall lists are not allowed\n"); exit(1); } + + // build the seccomp filter as a regular user + int rv; + if (arg_allow_debuggers) + rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6, + PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, cfg.seccomp_list, "allow-debuggers"); + else + rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5, + PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, cfg.seccomp_list); + if (rv) + exit(rv); } - // drop list + + // drop list without defaults - secondary filters are not installed else if (cfg.seccomp_list == NULL && cfg.seccomp_list_drop) { - if (syscall_check_list(cfg.seccomp_list_drop, filter_add_blacklist, 0)) { - fprintf(stderr, "Error: cannot load seccomp filter\n"); + if (arg_debug) + printf("Build drop seccomp filter\n"); + if (strlen(cfg.seccomp_list_drop) == 0) { + fprintf(stderr, "Error: empty syscall lists are not allowed\n"); exit(1); } - } - - - filter_end_blacklist(); - if (arg_debug) - filter_debug(); - - // save seccomp filter in /run/firejail/mnt/seccomp - // in order to use it in --join operations - write_seccomp_file(); - - - struct sock_fprog prog = { - .len = sfilter_index, - .filter = sfilter, - }; - if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { - if (enforce_seccomp) { - fprintf(stderr, "Error: a seccomp-enabled Linux kernel is required, exiting...\n"); - exit(1); - } + // build the seccomp filter as a regular user + int rv; + if (arg_allow_debuggers) + rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5, + PATH_FSECCOMP, "drop", RUN_SECCOMP_CFG, cfg.seccomp_list_drop, "allow-debuggers"); else - fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n"); + rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4, + PATH_FSECCOMP, "drop", RUN_SECCOMP_CFG, cfg.seccomp_list_drop); - return 1; + if (rv) + exit(rv); + } + else { + 
assert(0); } - return 0; + // load the filter + if (seccomp_load(RUN_SECCOMP_CFG) == 0) { + if (arg_debug) + printf("seccomp filter configured\n"); + } + else if (enforce_seccomp) { + fprintf(stderr, "Error: a seccomp-enabled Linux kernel is required, exiting...\n"); + exit(1); + } + + if (arg_debug) + sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3, + PATH_FSECCOMP, "print", RUN_SECCOMP_CFG); + + return seccomp_load(RUN_SECCOMP_CFG); } // keep filter for seccomp option int seccomp_filter_keep(void) { - filter_init(); - - // these 4 syscalls are used by firejail after the seccomp filter is initialized - filter_add_whitelist(SYS_setuid, 0); - filter_add_whitelist(SYS_setgid, 0); - filter_add_whitelist(SYS_setgroups, 0); - filter_add_whitelist(SYS_dup, 0); - - // apply keep list - if (cfg.seccomp_list_keep) { - if (syscall_check_list(cfg.seccomp_list_keep, filter_add_whitelist, 0)) { - fprintf(stderr, "Error: cannot load seccomp filter\n"); - exit(1); - } + if (arg_debug) + printf("Build drop seccomp filter\n"); + if (strlen(cfg.seccomp_list_keep) == 0) { + fprintf(stderr, "Error: empty syscall lists are not allowed\n"); + exit(1); } - filter_end_whitelist(); + // build the seccomp filter as a regular user + int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4, + PATH_FSECCOMP, "keep", RUN_SECCOMP_CFG, cfg.seccomp_list_keep); + if (rv) + exit(rv); if (arg_debug) - filter_debug(); - - // save seccomp filter in /run/firejail/mnt/seccomp - // in order to use it in --join operations - write_seccomp_file(); - + printf("seccomp filter configured\n"); - struct sock_fprog prog = { - .len = sfilter_index, - .filter = sfilter, - }; - - if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { - fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n"); - return 1; - } - else if (arg_debug) { - printf("seccomp enabled\n"); - } - - return 0; + + return seccomp_load(RUN_SECCOMP_CFG); } 
// errno filter for seccomp option int seccomp_filter_errno(void) { +#if 0 //todo: disabled temporarely, bring it back int i; int higest_errno = errno_highest_nr(); filter_init(); @@ -798,42 +241,11 @@ int seccomp_filter_errno(void) { // save seccomp filter in /run/firejail/mnt/seccomp // in order to use it in --join operations write_seccomp_file(); - - struct sock_fprog prog = { - .len = sfilter_index, - .filter = sfilter, - }; - - if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { - fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n"); - return 1; - } - else if (arg_debug) { - printf("seccomp enabled\n"); - } - + return seccomp_load(RUN_SECCOMP_CFG); +#else +printf("*** --seccomp. is temporarily disabled, it will be brought back soon ***\n"); return 0; -} - - - -void seccomp_set(void) { - // read seccomp filter from /runp/firejail/mnt/seccomp - read_seccomp_file(RUN_SECCOMP_CFG); - - // apply filter - struct sock_fprog prog = { - .len = sfilter_index, - .filter = sfilter, - }; - - if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { - fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n"); - return; - } - else if (arg_debug) { - printf("seccomp enabled\n"); - } +#endif } void seccomp_print_filter_name(const char *name) { @@ -890,10 +302,11 @@ void seccomp_print_filter(pid_t pid) { exit(1); } - // read and print the filter - read_seccomp_file(fname); - drop_privs(1); - filter_debug(); + // read and print the filter - run this as root, the user doesn't have access + int rv = sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, + PATH_FSECCOMP, "print", fname); + if (rv) + exit(rv); free(fname); exit(0); diff --git a/src/firejail/syscall.c b/src/firejail/syscall.c deleted file mode 100644 index f405f23c8..000000000 --- a/src/firejail/syscall.c +++ /dev/null 
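Review bot: `seccomp_load()` sizes `filter[entries]` from a count computed after truncating `size` to `unsigned short`, yet reads all `size` bytes into it, so a file that is empty, not a multiple of `sizeof(struct sock_filter)`, or 64 KiB or larger gives a zero-length VLA or a stack overrun. The removed `read_seccomp_file()` rejected `sz == 0 || (sz % sizeof(struct sock_filter)) != 0`; the new loader has no such check, leaves `open()` unchecked, and its loop never ends if `read()` returns 0, so the test there should be `if (rv <= 0)`. The file is written by a helper started with SBOX_USER, so it should be validated as untrusted input; the fence sketches the checks, assuming BPF_MAXINSNS is reachable through the existing seccomp includes. In the same hunk `seccomp_filter_drop()` calls `seccomp_load(RUN_SECCOMP_CFG)` again in its `return`, which installs the filter a second time; store the first result in a local and return that.

```c
int seccomp_load(const char *fname) {
	assert(fname);

	// open first, then size the descriptor that is actually read
	int src = open(fname, O_RDONLY);
	if (src == -1) {
		fprintf(stderr, "Error: cannot read %s file\n", fname);
		exit(1);
	}
	struct stat s;
	if (fstat(src, &s) == -1)
		errExit("fstat");

	// reject empty, ragged or oversized filters before sizing the buffer
	if (s.st_size <= 0 || s.st_size % sizeof(struct sock_filter) != 0 ||
	    s.st_size / sizeof(struct sock_filter) > BPF_MAXINSNS) {
		fprintf(stderr, "Error: invalid seccomp file\n");
		exit(1);
	}
	int size = s.st_size;
	unsigned short entries = (unsigned short) (size / sizeof(struct sock_filter));

	// ... unchanged: filter[entries], memset, read loop (with rv <= 0), close, prctl ...
```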
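Review bot: `seccomp_filter_errno()` now fails open: its `#else` branch in the `@@ -798,42 +241,11 @@` hunk prints a notice to stdout and returns 0, so a sandbox started with the errno form of --seccomp gets no syscall filter while any caller that reads 0 as "filter installed" sees success. Until the feature is back it is safer to refuse the option, for example `fprintf(stderr, "Error: --seccomp.<errno> is temporarily disabled\n"); exit(1);`, or at least to return 1 and write the notice to stderr. The function's opening lines, including the `#if 0`, sit in the previous hunk.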
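Review bot: In the `@@ -890,10 +302,11 @@` hunk the filter file is now parsed by a helper started with `SBOX_ROOT`, where the old code called `drop_privs(1)` before `filter_debug()` did the decoding. The files this prints are built by fseccomp running under SBOX_USER elsewhere in this commit, so the print code should be treated as a root-side parser of data the user can influence. I would record that next to the call, e.g. `// fseccomp runs as root here: the print code must bound-check every entry it reads from fname`. How `fname` is built is outside the hunk, so the path itself could not be reviewed.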
@@ -1,105 +0,0 @@ -/* - * Copyright (C) 2014-2016 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ - -#ifdef HAVE_SECCOMP -#include "firejail.h" -#include - -typedef struct { - char *name; - int nr; -} SyscallEntry; - -static SyscallEntry syslist[] = { -// -// code generated using tools/extract-syscall -// -#include "../include/syscall.h" -// -// end of generated code -// -}; // end of syslist - -const char *syscall_find_nr(int nr) { - int i; - int elems = sizeof(syslist) / sizeof(syslist[0]); - for (i = 0; i < elems; i++) { - if (nr == syslist[i].nr) - return syslist[i].name; - } - - return "unknown"; -} - -// return -1 if error, or syscall number -static int syscall_find_name(const char *name) { - int i; - int elems = sizeof(syslist) / sizeof(syslist[0]); - for (i = 0; i < elems; i++) { - if (strcmp(name, syslist[i].name) == 0) - return syslist[i].nr; - } - - return -1; -} - -// return 1 if error, 0 if OK -int syscall_check_list(const char *slist, void (*callback)(int syscall, int arg), int arg) { - // don't allow empty lists - if (slist == NULL || *slist == '\0') { - fprintf(stderr, "Error: empty syscall lists are not allowed\n"); - return -1; - } - - // work on a copy of the string - char *str = strdup(slist); - if (!str) - 
errExit("strdup"); - - char *ptr = str; - char *start = str; - while (*ptr != '\0') { - if (islower(*ptr) || isdigit(*ptr) || *ptr == '_') - ; - else if (*ptr == ',') { - *ptr = '\0'; - int nr = syscall_find_name(start); - if (nr == -1) - fprintf(stderr, "Warning: syscall %s not found\n", start); - else if (callback != NULL) - callback(nr, arg); - - start = ptr + 1; - } - ptr++; - } - if (*start != '\0') { - int nr = syscall_find_name(start); - if (nr == -1) - fprintf(stderr, "Warning: syscall %s not found\n", start); - else if (callback != NULL) - callback(nr, arg); - } - - free(str); - return 0; -} - -#endif // HAVE_SECCOMP diff --git a/src/firejail/util.c b/src/firejail/util.c index 8d3b9d3cd..9752504e5 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c @@ -721,13 +721,13 @@ void create_empty_file_as_root(const char *fname, mode_t mode) { if (arg_debug) printf("Creating empty %s file\n", fname); - /* coverity[toctou] */ FILE *fp = fopen(fname, "w"); if (!fp) errExit("fopen"); - SET_PERMS_STREAM(fp, 0, 0, S_IRUSR); fclose(fp); + if (chmod(fname, mode) == -1) + errExit("chmod"); } } diff --git a/src/fnet/Makefile.in b/src/fnet/Makefile.in index 1bfb4c68d..b515d2333 100644 --- a/src/fnet/Makefile.in +++ b/src/fnet/Makefile.in 
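Review bot: In the util.c hunk the mode is now applied with `chmod(fname, mode)` after `fclose(fp)`, which resolves the path a second time instead of acting on the file that was just created, in a function that by its name runs as root. The hunk removes the `/* coverity[toctou] */` marker but not the race. Set the mode on the open stream instead: `if (fchmod(fileno(fp), mode) == -1) errExit("fchmod");` placed before `fclose(fp);`. The removed `SET_PERMS_STREAM(fp, 0, 0, S_IRUSR)` presumably also fixed owner and group to 0; if callers rely on that, a comment should say that ownership is no longer set here. The function body starts outside the hunk.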
@@ -30,11 +30,11 @@ BINOBJS = $(foreach file, $(OBJS), $file) CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread -%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h +%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/libnetlink.h $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ fnet: $(OBJS) ../lib/libnetlink.o ../lib/common.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) + $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS) clean:; rm -f *.o fnet diff --git a/src/fseccomp/Makefile.in b/src/fseccomp/Makefile.in index e7edd1b8f..110d2c95f 100644 --- a/src/fseccomp/Makefile.in +++ b/src/fseccomp/Makefile.in 
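Review bot: The `fnet` rule still lists `../lib/common.o` as a prerequisite although the new link line no longer passes it, so the object is built for nothing and the rule misstates what goes into the binary. The same holds in src/fseccomp/Makefile.in, where the `fseccomp` rule keeps both `../lib/libnetlink.o` and `../lib/common.o` while the new recipe links neither. Trim the targets to `fnet: $(OBJS) ../lib/libnetlink.o` and `fseccomp: $(OBJS)`.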
@@ -30,11 +30,11 @@ BINOBJS = $(foreach file, $(OBJS), $file) CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread -%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h ../include/syscall.h +%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ fseccomp: $(OBJS) ../lib/libnetlink.o ../lib/common.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) + $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) clean:; rm -f *.o fseccomp diff --git a/src/fseccomp/errno.c b/src/fseccomp/errno.c index 625f484bd..dbee916d4 100644 --- a/src/fseccomp/errno.c +++ b/src/fseccomp/errno.c 
@@ -1,3 +1,22 @@ +/* + * Copyright (C) 2014-2016 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ #include "fseccomp.h" #include @@ -151,6 +170,30 @@ static ErrnoEntry errnolist[] = { #endif }; +int errno_find_name(const char *name) { + int i; + int elems = sizeof(errnolist) / sizeof(errnolist[0]); + for (i = 0; i < elems; i++) { + if (strcasecmp(name, errnolist[i].name) == 0) + return errnolist[i].nr; + } + + return -1; +} + +char *errno_find_nr(int nr) { + int i; + int elems = sizeof(errnolist) / sizeof(errnolist[0]); + for (i = 0; i < elems; i++) { + if (nr == errnolist[i].nr) + return errnolist[i].name; + } + + return "unknown"; +} + + + void errno_print(void) { int i; int elems = sizeof(errnolist) / sizeof(errnolist[0]); diff --git a/src/fseccomp/fseccomp.h b/src/fseccomp/fseccomp.h index 57757ea6c..504f1c23f 100644 --- a/src/fseccomp/fseccomp.h +++ b/src/fseccomp/fseccomp.h 
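Review bot: `errno_find_nr()` hands back the string literal `"unknown"` through a plain `char *`, so a caller can write through the pointer without any compiler warning; declare it `const char *errno_find_nr(int nr)`, as the removed firejail `syscall_find_nr()` was. The prototypes added to fseccomp.h (`char *errno_find_nr(int nr);`, `char *syscall_find_nr(int nr);`) need the same change. `errno_find_name()` passes `name` straight to `strcasecmp()`, so an `assert(name);` at the top would document that NULL is not accepted.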
@@ -1,3 +1,22 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
 #ifndef FSECCOMP_H
 #define FSECCOMP_H
 #include
@@ -8,11 +27,42 @@ // syscall.c void syscall_print(void); +int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall, int arg), int fd, int arg); +int syscall_find_name(const char *name); +char *syscall_find_nr(int nr); // errno.c void errno_print(void); +int errno_find_name(const char *name); +char *errno_find_nr(int nr); // protocol.c void protocol_print(void); void protocol_build_filter(const char *prlist, const char *fname); + +// seccomp_secondary.c +void seccomp_secondary_64(const char *fname); +void seccomp_secondary_32(const char *fname); + +// seccomp_file.c +void filter_init(int fd); +void filter_add_whitelist(int fd, int syscall, int arg); +void filter_add_blacklist(int fd, int syscall, int arg); +void filter_add_errno(int fd, int syscall, int arg); +void filter_end_blacklist(int fd); +void filter_end_whitelist(int fd); + +// seccomp.c +// default list +void seccomp_default(const char *fname, int allow_debuggers); +// drop list +void seccomp_drop(const char *fname, char *list, int allow_debuggers); +// default+drop list +void seccomp_default_drop(const char *fname, char *list, int allow_debuggers); +// whitelisted filter +void seccomp_keep(const char *fname, char *list); + +// seccomp_print +void filter_print(const char *fname); + #endif diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c index f53e2ef8b..22b13bcd9 100644 --- a/src/fseccomp/main.c +++ b/src/fseccomp/main.c 
@@ -1,3 +1,22 @@ +/* + * Copyright (C) 2014-2016 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ #include "fseccomp.h" static void usage(void) { @@ -6,6 +25,16 @@ static void usage(void) { printf("\tfseccomp debug-errnos\n"); printf("\tfseccomp debug-protocols\n"); printf("\tfseccomp protocol build list file\n"); + printf("\tfseccomp secondary 64 file\n"); + printf("\tfseccomp secondary 32 file\n"); + printf("\tfseccomp default file\n"); + printf("\tfseccomp default file allow-debuggers\n"); + printf("\tfseccomp drop file list\n"); + printf("\tfseccomp drop file list allow-debuggers\n"); + printf("\tfseccomp default drop file list\n"); + printf("\tfseccomp default drop file list allow-debuggers\n"); + printf("\tfseccomp keep file list\n"); + printf("\tfseccomp print file\n"); } int main(int argc, char **argv) { 
@@ -33,6 +62,26 @@ printf("\n"); protocol_print(); else if (argc == 5 && strcmp(argv[1], "protocol") == 0 && strcmp(argv[2], "build") == 0) protocol_build_filter(argv[3], argv[4]); + else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "64") == 0) + seccomp_secondary_64(argv[3]); + else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "32") == 0) + seccomp_secondary_32(argv[3]); + else if (argc == 3 && strcmp(argv[1], "default") == 0) + seccomp_default(argv[2], 0); + else if (argc == 4 && strcmp(argv[1], "default") == 0 && strcmp(argv[3], "allow-debuggers") == 0) + seccomp_default(argv[2], 1); + else if (argc == 4 && strcmp(argv[1], "drop") == 0) + seccomp_drop(argv[2], argv[3], 0); + else if (argc == 5 && strcmp(argv[1], "drop") == 0 && strcmp(argv[4], "allow-debuggers") == 0) + seccomp_drop(argv[2], argv[3], 1); + else if (argc == 5 && strcmp(argv[1], "default") == 0 && strcmp(argv[2], "drop") == 0) + seccomp_default_drop(argv[3], argv[4], 0); + else if (argc == 6 && strcmp(argv[1], "default") == 0 && strcmp(argv[2], "drop") == 0 && strcmp(argv[5], "allow-debuggers") == 0) + seccomp_default_drop(argv[3], argv[4], 1); + else if (argc == 4 && strcmp(argv[1], "keep") == 0) + seccomp_keep(argv[2], argv[3]); + else if (argc == 3 && strcmp(argv[1], "print") == 0) + filter_print(argv[2]); else { fprintf(stderr, "Error fseccomp: invalid arguments\n"); return 1; diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c new file mode 100644 index 000000000..cc6edc8ca --- /dev/null +++ b/src/fseccomp/seccomp.c 
@@ -0,0 +1,292 @@ +/* + * Copyright (C) 2014-2016 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "fseccomp.h" +#include "../include/seccomp.h" +#include + +static void add_default_list(int fd, int allow_debuggers) { +#ifdef SYS_mount + filter_add_blacklist(fd, SYS_mount, 0); +#endif +#ifdef SYS_umount2 + filter_add_blacklist(fd, SYS_umount2, 0); +#endif + + if (!allow_debuggers) { +#ifdef SYS_ptrace + filter_add_blacklist(fd, SYS_ptrace, 0); +#endif + } + +#ifdef SYS_kexec_load + filter_add_blacklist(fd, SYS_kexec_load, 0); +#endif +#ifdef SYS_kexec_file_load + filter_add_blacklist(fd, SYS_kexec_file_load, 0); +#endif +#ifdef SYS_open_by_handle_at + filter_add_blacklist(fd, SYS_open_by_handle_at, 0); +#endif +#ifdef SYS_name_to_handle_at + filter_add_blacklist(fd, SYS_name_to_handle_at, 0); +#endif +#ifdef SYS_init_module + filter_add_blacklist(fd, SYS_init_module, 0); +#endif +#ifdef SYS_finit_module + filter_add_blacklist(fd, SYS_finit_module, 0); +#endif +#ifdef SYS_create_module + filter_add_blacklist(fd, SYS_create_module, 0); +#endif +#ifdef SYS_delete_module + filter_add_blacklist(fd, SYS_delete_module, 0); +#endif +#ifdef SYS_iopl + filter_add_blacklist(fd, SYS_iopl, 0); +#endif +#ifdef SYS_ioperm + 
filter_add_blacklist(fd, SYS_ioperm, 0); +#endif +#ifdef SYS_ioprio_set + filter_add_blacklist(fd, SYS_ioprio_set, 0); +#endif +#ifdef SYS_ni_syscall + filter_add_blacklist(fd, SYS_ni_syscall, 0); +#endif +#ifdef SYS_swapon + filter_add_blacklist(fd, SYS_swapon, 0); +#endif +#ifdef SYS_swapoff + filter_add_blacklist(fd, SYS_swapoff, 0); +#endif +#ifdef SYS_syslog + filter_add_blacklist(fd, SYS_syslog, 0); +#endif + + if (!allow_debuggers) { +#ifdef SYS_process_vm_readv + filter_add_blacklist(fd, SYS_process_vm_readv, 0); +#endif + } + +#ifdef SYS_process_vm_writev + filter_add_blacklist(fd, SYS_process_vm_writev, 0); +#endif + + // mknod removed in 0.9.29 - it brakes Zotero extension + //#ifdef SYS_mknod + // filter_add_blacklist(SYS_mknod, 0); + //#endif + +#ifdef SYS_sysfs + filter_add_blacklist(fd, SYS_sysfs, 0); +#endif +#ifdef SYS__sysctl + filter_add_blacklist(fd, SYS__sysctl, 0); +#endif +#ifdef SYS_adjtimex + filter_add_blacklist(fd, SYS_adjtimex, 0); +#endif +#ifdef SYS_clock_adjtime + filter_add_blacklist(fd, SYS_clock_adjtime, 0); +#endif +#ifdef SYS_lookup_dcookie + filter_add_blacklist(fd, SYS_lookup_dcookie, 0); +#endif +#ifdef SYS_perf_event_open + filter_add_blacklist(fd, SYS_perf_event_open, 0); +#endif +#ifdef SYS_fanotify_init + filter_add_blacklist(fd, SYS_fanotify_init, 0); +#endif +#ifdef SYS_kcmp + filter_add_blacklist(fd, SYS_kcmp, 0); +#endif +#ifdef SYS_add_key + filter_add_blacklist(fd, SYS_add_key, 0); +#endif +#ifdef SYS_request_key + filter_add_blacklist(fd, SYS_request_key, 0); +#endif +#ifdef SYS_keyctl + filter_add_blacklist(fd, SYS_keyctl, 0); +#endif +#ifdef SYS_uselib + filter_add_blacklist(fd, SYS_uselib, 0); +#endif +#ifdef SYS_acct + filter_add_blacklist(fd, SYS_acct, 0); +#endif +#ifdef SYS_modify_ldt + filter_add_blacklist(fd, SYS_modify_ldt, 0); +#endif +#ifdef SYS_pivot_root + filter_add_blacklist(fd, SYS_pivot_root, 0); +#endif +#ifdef SYS_io_setup + filter_add_blacklist(fd, SYS_io_setup, 0); +#endif +#ifdef 
SYS_io_destroy + filter_add_blacklist(fd, SYS_io_destroy, 0); +#endif +#ifdef SYS_io_getevents + filter_add_blacklist(fd, SYS_io_getevents, 0); +#endif +#ifdef SYS_io_submit + filter_add_blacklist(fd, SYS_io_submit, 0); +#endif +#ifdef SYS_io_cancel + filter_add_blacklist(fd, SYS_io_cancel, 0); +#endif +#ifdef SYS_remap_file_pages + filter_add_blacklist(fd, SYS_remap_file_pages, 0); +#endif +#ifdef SYS_mbind + filter_add_blacklist(fd, SYS_mbind, 0); +#endif +#ifdef SYS_get_mempolicy + filter_add_blacklist(fd, SYS_get_mempolicy, 0); +#endif +#ifdef SYS_set_mempolicy + filter_add_blacklist(fd, SYS_set_mempolicy, 0); +#endif +#ifdef SYS_migrate_pages + filter_add_blacklist(fd, SYS_migrate_pages, 0); +#endif +#ifdef SYS_move_pages + filter_add_blacklist(fd, SYS_move_pages, 0); +#endif +#ifdef SYS_vmsplice + filter_add_blacklist(fd, SYS_vmsplice, 0); +#endif +#ifdef SYS_chroot + filter_add_blacklist(fd, SYS_chroot, 0); +#endif +#ifdef SYS_tuxcall + filter_add_blacklist(fd, SYS_tuxcall, 0); +#endif +#ifdef SYS_reboot + filter_add_blacklist(fd, SYS_reboot, 0); +#endif +#ifdef SYS_nfsservctl + filter_add_blacklist(fd, SYS_nfsservctl, 0); +#endif +#ifdef SYS_get_kernel_syms + filter_add_blacklist(fd, SYS_get_kernel_syms, 0); +#endif +} + +// default list +void seccomp_default(const char *fname, int allow_debuggers) { + assert(fname); + + // open file + int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); + if (fd < 0) { + fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname); + exit(1); + } + + // build filter + filter_init(fd); + add_default_list(fd, allow_debuggers); + filter_end_blacklist(fd); + + // close file + close(fd); +} + +// drop list +void seccomp_drop(const char *fname, char *list, int allow_debuggers) { + assert(fname); + (void) allow_debuggers; // todo: to implemnet it + + // open file + int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); + if (fd < 0) { + fprintf(stderr, "Error 
fseccomp: cannot open %s file\n", fname); + exit(1); + } + + // build filter + filter_init(fd); + if (syscall_check_list(list, filter_add_blacklist, fd, 0)) { + fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n"); + exit(1); + } + filter_end_blacklist(fd); + + // close file + close(fd); +} + +// default+drop +void seccomp_default_drop(const char *fname, char *list, int allow_debuggers) { + assert(fname); + + // open file + int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); + if (fd < 0) { + fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname); + exit(1); + } + + // build filter + filter_init(fd); + add_default_list(fd, allow_debuggers); + if (syscall_check_list(list, filter_add_blacklist, fd, 0)) { + fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n"); + exit(1); + } + filter_end_blacklist(fd); + + // close file + close(fd); +} + +void seccomp_keep(const char *fname, char *list) { + // open file + int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); + if (fd < 0) { + fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname); + exit(1); + } + + // build filter + filter_init(fd); + // these 4 syscalls are used by firejail after the seccomp filter is initialized + filter_add_whitelist(fd, SYS_setuid, 0); + filter_add_whitelist(fd, SYS_setgid, 0); + filter_add_whitelist(fd, SYS_setgroups, 0); + filter_add_whitelist(fd, SYS_dup, 0); + filter_add_whitelist(fd, SYS_prctl, 0); + + if (syscall_check_list(list, filter_add_whitelist, fd, 0)) { + fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n"); + exit(1); + } + + filter_end_whitelist(fd); + + // close file + close(fd); +} + diff --git a/src/fseccomp/seccomp_file.c b/src/fseccomp/seccomp_file.c new file mode 100644 index 000000000..10ef9dd31 --- /dev/null +++ b/src/fseccomp/seccomp_file.c 
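Review bot: In `seccomp_drop`, `seccomp_default_drop` and `seccomp_keep`, the `exit(1)` taken when `syscall_check_list` fails runs after `filter_init(fd)` has already written to the truncated output, so a filter file without its closing `RETURN_ALLOW`/`KILL_PROCESS` entry is left under the final name. Validating the list before the `open()`, for example with a first `syscall_check_list(list, NULL, 0, 0)` pass (the function skips a NULL callback), or unlinking `fname` on the error path, avoids that. The comment in `seccomp_keep` says "these 4 syscalls" while five are whitelisted (setuid, setgid, setgroups, dup, prctl); it should read `// these 5 syscalls are used by firejail after the seccomp filter is initialized`. `seccomp_keep` is also the only builder without `assert(fname);`.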
@@ -0,0 +1,108 @@ +/* + * Copyright (C) 2014-2016 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "fseccomp.h" +#include "../include/seccomp.h" +#include + +static void write_to_file(int fd, void *data, int size) { + assert(data); + assert(size); + + int written = 0; + while (written < size) { + int rv = write(fd, (unsigned char *) data + written, size - written); + if (rv == -1) { + fprintf(stderr, "Error fseccomp: cannot write seccomp file\n"); + exit(1); + } + written += rv; + } +} + +void filter_init(int fd) { +#if defined(__x86_64__) +#define X32_SYSCALL_BIT 0x40000000 + struct sock_filter filter[] = { + VALIDATE_ARCHITECTURE, + EXAMINE_SYSCALL, + // handle X32 ABI + BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), + BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), + RETURN_ERRNO(EPERM) + }; +#else + struct sock_filter filter[] = { + VALIDATE_ARCHITECTURE, + EXAMINE_SYSCALL + }; +#endif + +#if 0 +{ + int i; + unsigned char *ptr = (unsigned char *) &filter[0]; + for (i = 0; i < sizeof(filter); i++, ptr++) + printf("%x, ", (*ptr) & 0xff); + printf("\n"); +} +#endif + + write_to_file(fd, filter, sizeof(filter)); +} + +void filter_add_whitelist(int fd, int syscall, int arg) { + (void) arg; + + struct sock_filter 
filter[] = { + WHITELIST(syscall) + }; + write_to_file(fd, filter, sizeof(filter)); +} + +void filter_add_blacklist(int fd, int syscall, int arg) { + (void) arg; + + struct sock_filter filter[] = { + BLACKLIST(syscall) + }; + write_to_file(fd, filter, sizeof(filter)); +} + +void filter_add_errno(int fd, int syscall, int arg) { + struct sock_filter filter[] = { + BLACKLIST_ERRNO(syscall, arg) + }; + write_to_file(fd, filter, sizeof(filter)); +} + +void filter_end_blacklist(int fd) { + struct sock_filter filter[] = { + RETURN_ALLOW + }; + write_to_file(fd, filter, sizeof(filter)); +} + +void filter_end_whitelist(int fd) { + struct sock_filter filter[] = { + KILL_PROCESS + }; + write_to_file(fd, filter, sizeof(filter)); +} + diff --git a/src/fseccomp/seccomp_print.c b/src/fseccomp/seccomp_print.c new file mode 100644 index 000000000..7dc983b12 --- /dev/null +++ b/src/fseccomp/seccomp_print.c 
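Review bot: `write_to_file` treats every `write()` result other than -1 as progress, so a return of 0 would leave the `while (written < size)` loop spinning; testing `if (rv <= 0) {` instead closes that gap. `filter_add_whitelist` and `filter_add_blacklist` discard `arg` with `(void) arg;` without saying why; a comment such as `// arg is unused; kept so the function matches the syscall_check_list callback type` would help. The same write loop appears twice more in seccomp_secondary.c, because this helper is `static`.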
@@ -0,0 +1,116 @@ +/* + * Copyright (C) 2014-2016 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "fseccomp.h" +#include "../include/seccomp.h" +#include + +static struct sock_filter *filter = NULL; +static int filter_cnt = 0; + +static void load_seccomp(const char *fname) { + assert(fname); + + // check file + struct stat s; + if (stat(fname, &s) == -1) { + fprintf(stderr, "Error fseccomp: cannot read protocol filter file\n"); + exit(1); + } + int size = s.st_size; + unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter); + filter_cnt = entries; +//printf("size %d, entries %d\n", s.st_size, entries); + + filter = malloc(sizeof(struct sock_filter) * entries); + if (!filter) + errExit("malloc"); + + // read filter + memset(filter, 0, sizeof(struct sock_filter) * entries); + int src = open(fname, O_RDONLY); + int rd = 0; + while (rd < size) { + int rv = read(src, (unsigned char *) filter + rd, size - rd); + if (rv == -1) { + fprintf(stderr, "Error fseccomp: cannot read %s file\n", fname); + exit(1); + } + rd += rv; + } + close(src); +} + +// debug filter +void filter_print(const char *fname) { + assert(fname); + load_seccomp(fname); + + // start filter + struct sock_filter start[] = 
{ + VALIDATE_ARCHITECTURE, + EXAMINE_SYSCALL + }; + + // print sizes + printf("SECCOMP Filter:\n"); + + // test the start of the filter + if (memcmp(&start[0], filter, sizeof(start)) == 0) { + printf(" VALIDATE_ARCHITECTURE\n"); + printf(" EXAMINE_SYSCAL\n"); + } + else { + printf("Invalid seccomp filter %s\n", fname); + return; + } + + // loop trough blacklists + int i = 4; + while (i < filter_cnt) { + // minimal parsing! + unsigned char *ptr = (unsigned char *) &filter[i]; + int *nr = (int *) (ptr + 4); + if (*ptr == 0x15 && *(ptr +14) == 0xff && *(ptr + 15) == 0x7f ) { + printf(" WHITELIST %d %s\n", *nr, syscall_find_nr(*nr)); + i += 2; + } + else if (*ptr == 0x15 && *(ptr +14) == 0 && *(ptr + 15) == 0) { + printf(" BLACKLIST %d %s\n", *nr, syscall_find_nr(*nr)); + i += 2; + } + else if (*ptr == 0x15 && *(ptr +14) == 0x5 && *(ptr + 15) == 0) { + int err = *(ptr + 13) << 8 | *(ptr + 12); + printf(" ERRNO %d %s %d %s\n", *nr, syscall_find_nr(*nr), err, errno_find_nr(err)); + i += 2; + } + else if (*ptr == 0x06 && *(ptr +6) == 0 && *(ptr + 7) == 0 ) { + printf(" KILL_PROCESS\n"); + i++; + } + else if (*ptr == 0x06 && *(ptr +6) == 0xff && *(ptr + 7) == 0x7f ) { + printf(" RETURN_ALLOW\n"); + i++; + } + else { + printf(" UNKNOWN ENTRY!!!\n"); + i++; + } + } +} diff --git a/src/fseccomp/seccomp_secondary.c b/src/fseccomp/seccomp_secondary.c new file mode 100644 index 000000000..a856e5aef --- /dev/null +++ b/src/fseccomp/seccomp_secondary.c 
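Review bot: `load_seccomp` sizes its buffer from `(unsigned short) size / (unsigned short) sizeof(struct sock_filter)` but then reads the full `size` bytes into it, so a file of 64 KiB or more, or one whose length is not a multiple of the entry size, is written past the end of the `malloc` block. The descriptor returned by `open()` is not checked, the size comes from a separate `stat()` on the path rather than from the opened file, and a `read()` that returns 0 never ends the loop. In `filter_print`, the `memcmp` against `start` and the `ptr + 14`/`ptr + 15` look-ahead also read beyond a short filter; the test should become `if (filter_cnt >= 4 && memcmp(&start[0], filter, sizeof(start)) == 0)` and the two-entry branches should require `i + 1 < filter_cnt`. A bounded version of the loader follows.

```c
static void load_seccomp(const char *fname) {
	assert(fname);

	// open first and fstat the descriptor, so the size belongs to the file that is read
	int src = open(fname, O_RDONLY);
	if (src == -1) {
		fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
		exit(1);
	}
	struct stat s;
	if (fstat(src, &s) == -1) {
		fprintf(stderr, "Error fseccomp: cannot read %s file\n", fname);
		exit(1);
	}

	// a filter is a whole number of sock_filter entries; reject anything else
	// instead of truncating the size to unsigned short
	size_t esize = sizeof(struct sock_filter);
	if (s.st_size <= 0 || (size_t) s.st_size % esize != 0) {
		fprintf(stderr, "Error fseccomp: invalid seccomp filter %s\n", fname);
		exit(1);
	}
	size_t size = (size_t) s.st_size;
	filter_cnt = (int) (size / esize);

	filter = malloc(size);
	if (!filter)
		errExit("malloc");

	// read filter; rv == 0 means the file shrank, so stop instead of looping
	size_t rd = 0;
	while (rd < size) {
		ssize_t rv = read(src, (unsigned char *) filter + rd, size - rd);
		if (rv <= 0) {
			fprintf(stderr, "Error fseccomp: cannot read %s file\n", fname);
			exit(1);
		}
		rd += (size_t) rv;
	}
	close(src);
}
```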
@@ -0,0 +1,183 @@ +/* + * Copyright (C) 2014-2016 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "fseccomp.h" +#include "../include/seccomp.h" +#include + +void seccomp_secondary_64(const char *fname) { + // hardcoded syscall values + struct sock_filter filter[] = { + VALIDATE_ARCHITECTURE_64, + EXAMINE_SYSCALL, + BLACKLIST(165), // mount + BLACKLIST(166), // umount2 +// todo: implement --allow-debuggers + BLACKLIST(101), // ptrace + BLACKLIST(246), // kexec_load + BLACKLIST(304), // open_by_handle_at + BLACKLIST(303), // name_to_handle_at + BLACKLIST(174), // create_module + BLACKLIST(175), // init_module + BLACKLIST(313), // finit_module + BLACKLIST(176), // delete_module + BLACKLIST(172), // iopl + BLACKLIST(173), // ioperm + BLACKLIST(251), // ioprio_set + BLACKLIST(167), // swapon + BLACKLIST(168), // swapoff + BLACKLIST(103), // syslog + BLACKLIST(310), // process_vm_readv + BLACKLIST(311), // process_vm_writev + BLACKLIST(139), // sysfs + BLACKLIST(156), // _sysctl + BLACKLIST(159), // adjtimex + BLACKLIST(305), // clock_adjtime + BLACKLIST(212), // lookup_dcookie + BLACKLIST(298), // perf_event_open + BLACKLIST(300), // fanotify_init + BLACKLIST(312), // kcmp + BLACKLIST(248), // add_key + BLACKLIST(249), // 
request_key + BLACKLIST(250), // keyctl + BLACKLIST(134), // uselib + BLACKLIST(163), // acct + BLACKLIST(154), // modify_ldt + BLACKLIST(155), // pivot_root + BLACKLIST(206), // io_setup + BLACKLIST(207), // io_destroy + BLACKLIST(208), // io_getevents + BLACKLIST(209), // io_submit + BLACKLIST(210), // io_cancel + BLACKLIST(216), // remap_file_pages + BLACKLIST(237), // mbind + BLACKLIST(239), // get_mempolicy + BLACKLIST(238), // set_mempolicy + BLACKLIST(256), // migrate_pages + BLACKLIST(279), // move_pages + BLACKLIST(278), // vmsplice + BLACKLIST(161), // chroot + BLACKLIST(184), // tuxcall + BLACKLIST(169), // reboot + BLACKLIST(180), // nfsservctl + BLACKLIST(177), // get_kernel_syms + + RETURN_ALLOW + }; + + // save filter to file + int dst = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); + if (dst < 0) { + fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname); + exit(1); + } + + int size = (int) sizeof(filter); + int written = 0; + while (written < size) { + int rv = write(dst, (unsigned char *) filter + written, size - written); + if (rv == -1) { + fprintf(stderr, "Error fseccomp: cannot write %s file\n", fname); + exit(1); + } + written += rv; + } + close(dst); +} + +// i386 filter installed on amd64 architectures +void seccomp_secondary_32(const char *fname) { + // hardcoded syscall values + struct sock_filter filter[] = { + VALIDATE_ARCHITECTURE_32, + EXAMINE_SYSCALL, + BLACKLIST(21), // mount + BLACKLIST(52), // umount2 +// todo: implement --allow-debuggers + BLACKLIST(26), // ptrace + BLACKLIST(283), // kexec_load + BLACKLIST(341), // name_to_handle_at + BLACKLIST(342), // open_by_handle_at + BLACKLIST(127), // create_module + BLACKLIST(128), // init_module + BLACKLIST(350), // finit_module + BLACKLIST(129), // delete_module + BLACKLIST(110), // iopl + BLACKLIST(101), // ioperm + BLACKLIST(289), // ioprio_set + BLACKLIST(87), // swapon + BLACKLIST(115), // swapoff + BLACKLIST(103), // syslog + 
BLACKLIST(347), // process_vm_readv + BLACKLIST(348), // process_vm_writev + BLACKLIST(135), // sysfs + BLACKLIST(149), // _sysctl + BLACKLIST(124), // adjtimex + BLACKLIST(343), // clock_adjtime + BLACKLIST(253), // lookup_dcookie + BLACKLIST(336), // perf_event_open + BLACKLIST(338), // fanotify_init + BLACKLIST(349), // kcmp + BLACKLIST(286), // add_key + BLACKLIST(287), // request_key + BLACKLIST(288), // keyctl + BLACKLIST(86), // uselib + BLACKLIST(51), // acct + BLACKLIST(123), // modify_ldt + BLACKLIST(217), // pivot_root + BLACKLIST(245), // io_setup + BLACKLIST(246), // io_destroy + BLACKLIST(247), // io_getevents + BLACKLIST(248), // io_submit + BLACKLIST(249), // io_cancel + BLACKLIST(257), // remap_file_pages + BLACKLIST(274), // mbind + BLACKLIST(275), // get_mempolicy + BLACKLIST(276), // set_mempolicy + BLACKLIST(294), // migrate_pages + BLACKLIST(317), // move_pages + BLACKLIST(316), // vmsplice + BLACKLIST(61), // chroot + BLACKLIST(88), // reboot + BLACKLIST(169), // nfsservctl + BLACKLIST(130), // get_kernel_syms + + RETURN_ALLOW + }; + + // save filter to file + int dst = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); + if (dst < 0) { + fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname); + exit(1); + } + + int size = (int) sizeof(filter); + int written = 0; + while (written < size) { + int rv = write(dst, (unsigned char *) filter + written, size - written); + if (rv == -1) { + fprintf(stderr, "Error fseccomp: cannot write %s file\n", fname); + exit(1); + } + written += rv; + } + close(dst); +} + diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c index c67d45598..e2052efde 100644 --- a/src/fseccomp/syscall.c +++ b/src/fseccomp/syscall.c 
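Review bot: The hard-coded list in `seccomp_secondary_64` has no entry for kexec_file_load, although `add_default_list` in seccomp.c blocks `SYS_kexec_file_load` when the header defines it, so the secondary 64-bit filter is weaker than the default one for that call. If these are x86_64 numbers, as the other entries suggest, the missing line is `BLACKLIST(320), // kexec_file_load`. Both functions block ptrace unconditionally (the `todo` for `--allow-debuggers`) and ignore the result of `close(dst)`. A comment at the top of each function naming the syscall table the numbers were taken from would make drift against `add_default_list` easier to spot.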
@@ -1,3 +1,22 @@ +/* + * Copyright (C) 2014-2016 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ #include "fseccomp.h" #include @@ -16,6 +35,29 @@ static SyscallEntry syslist[] = { // }; // end of syslist +// return -1 if error, or syscall number +int syscall_find_name(const char *name) { + int i; + int elems = sizeof(syslist) / sizeof(syslist[0]); + for (i = 0; i < elems; i++) { + if (strcmp(name, syslist[i].name) == 0) + return syslist[i].nr; + } + + return -1; +} + +char *syscall_find_nr(int nr) { + int i; + int elems = sizeof(syslist) / sizeof(syslist[0]); + for (i = 0; i < elems; i++) { + if (nr == syslist[i].nr) + return syslist[i].name; + } + + return "unknown"; +} + void syscall_print(void) { int i; int elems = sizeof(syslist) / sizeof(syslist[0]); 
@@ -24,3 +66,45 @@ void syscall_print(void) { } printf("\n"); } + +// return 1 if error, 0 if OK +int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall, int arg), int fd, int arg) { + // don't allow empty lists + if (slist == NULL || *slist == '\0') { + fprintf(stderr, "Error: empty syscall lists are not allowed\n"); + return -1; + } + + // work on a copy of the string + char *str = strdup(slist); + if (!str) + errExit("strdup"); + + char *ptr = str; + char *start = str; + while (*ptr != '\0') { + if (islower(*ptr) || isdigit(*ptr) || *ptr == '_') + ; + else if (*ptr == ',') { + *ptr = '\0'; + int nr = syscall_find_name(start); + if (nr == -1) + fprintf(stderr, "Warning: syscall %s not found\n", start); + else if (callback != NULL) + callback(fd, nr, arg); + + start = ptr + 1; + } + ptr++; + } + if (*start != '\0') { + int nr = syscall_find_name(start); + if (nr == -1) + fprintf(stderr, "Warning: syscall %s not found\n", start); + else if (callback != NULL) + callback(fd, nr, arg); + } + + free(str); + return 0; +} diff --git a/test/filters/filters.sh b/test/filters/filters.sh index 5093c8614..5c7c98b3e 100755 --- a/test/filters/filters.sh +++ b/test/filters/filters.sh @@ -12,11 +12,21 @@ echo "TESTING: noroot (test/filters/noroot.exp)" echo "TESTING: capabilities (test/filters/caps.exp)" ./caps.exp +rm -f seccomp-test-file +if [ "$(uname -m)" = "x86_64" ]; then + echo "TESTING: fseccomp (test/filters/fseccomp.exp)" + ./fseccomp.exp +else + echo "TESTING SKIP: fseccomp test implemented only for x86_64" +fi +rm -f seccomp-test-file + + if [ "$(uname -m)" = "x86_64" ]; then echo "TESTING: protocol (test/filters/protocol.exp)" ./protocol.exp else - echo "TESTING SKIP: protocol, not running on x86_64" + echo "TESTING SKIP: protocol, running only on x86_64" fi echo "TESTING: seccomp bad empty (test/filters/seccomp-bad-empty.exp)" 
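Review bot: `syscall_check_list` only prints a warning when a name is not in `syslist` and still returns 0, so a misspelled entry in a drop list yields a filter that blocks less than was asked for while the caller sees success. Characters other than lower-case letters, digits, `_` and `,` are likewise stepped over without an error. If that leniency is deliberate (names that do not exist on some architectures, say), the header comment should state it; it currently reads "return 1 if error" although the code returns -1, and could become `// return 0 if OK, -1 for an empty list; unknown names only produce a warning`. `islower(*ptr)` and `isdigit(*ptr)` receive a plain `char`; cast with `(unsigned char) *ptr` so bytes above 0x7f stay defined.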
@@ -50,9 +60,6 @@ echo "TESTING: seccomp chmod profile - seccomp lists (test/filters/seccomp-chmod echo "TESTING: seccomp empty (test/filters/seccomp-empty.exp)" ./seccomp-empty.exp -echo "TESTING: seccomp bad empty (test/filters/seccomp-bad-empty.exp)" -./seccomp-bad-empty.exp - if [ "$(uname -m)" = "x86_64" ]; then echo "TESTING: seccomp dual filter (test/filters/seccomp-dualfilter.exp)" ./seccomp-dualfilter.exp diff --git a/test/filters/fseccomp.exp b/test/filters/fseccomp.exp new file mode 100755 index 000000000..8a9a8f9dc --- /dev/null +++ b/test/filters/fseccomp.exp 
@@ -0,0 +1,138 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +after 100 +send -- "/usr/lib/firejail/fseccomp debug-syscalls\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "1 - write" +} + +after 100 +send -- "/usr/lib/firejail/fseccomp debug-errnos\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "1 - EPERM" +} + +after 100 +send -- "/usr/lib/firejail/fseccomp debug-protocols\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "unix, inet, inet6, netlink, packet," +} + +after 100 +send -- "/usr/lib/firejail/fseccomp protocol build unix,inet seccomp-test-file\r" +after 100 +send -- "/usr/lib/firejail/fseccomp print seccomp-test-file\r" +expect { + timeout {puts "TESTING ERROR 4.1\n";exit} + "WHITELIST 41 socket" +} + +after 100 +send -- "/usr/lib/firejail/fseccomp secondary 64 seccomp-test-file\r" +after 100 +send -- "/usr/lib/firejail/fseccomp print seccomp-test-file\r" +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "BLACKLIST 165 mount" +} +expect { + timeout {puts "TESTING ERROR 5.2\n";exit} + "BLACKLIST 166 umount2" +} +expect { + timeout {puts "TESTING ERROR 5.3\n";exit} + "RETURN_ALLOW" +} + +after 100 +send -- "/usr/lib/firejail/fseccomp default seccomp-test-file\r" +after 100 +send -- "/usr/lib/firejail/fseccomp print seccomp-test-file\r" +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "BLACKLIST 165 mount" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "BLACKLIST 166 umount2" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "RETURN_ALLOW" +} + +after 100 +send -- "/usr/lib/firejail/fseccomp drop seccomp-test-file chmod,chown\r" +after 100 +send -- "/usr/lib/firejail/fseccomp print seccomp-test-file\r" +expect { + timeout {puts "TESTING ERROR 7.1\n";exit} + "BLACKLIST 165 mount" {puts "TESTING ERROR 7.2\n";exit} + "BLACKLIST 166 umount2" {puts "TESTING ERROR 
7.3\n";exit} + "BLACKLIST 90 chmod" +} +expect { + timeout {puts "TESTING ERROR 7.4\n";exit} + "BLACKLIST 92 chown" +} +expect { + timeout {puts "TESTING ERROR 7.5\n";exit} + "RETURN_ALLOW" +} + +after 100 +send -- "/usr/lib/firejail/fseccomp default drop seccomp-test-file chmod,chown\r" +after 100 +send -- "/usr/lib/firejail/fseccomp print seccomp-test-file\r" +expect { + timeout {puts "TESTING ERROR 8.1\n";exit} + "BLACKLIST 165 mount" +} +expect { + timeout {puts "TESTING ERROR 8.2\n";exit} + "BLACKLIST 166 umount2" +} +expect { + timeout {puts "TESTING ERROR 8.3\n";exit} + "BLACKLIST 90 chmod" +} +expect { + timeout {puts "TESTING ERROR 8.4\n";exit} + "BLACKLIST 92 chown" +} +expect { + timeout {puts "TESTING ERROR 8.5\n";exit} + "RETURN_ALLOW" +} +after 100 +send -- "/usr/lib/firejail/fseccomp keep seccomp-test-file chmod,chown\r" +after 100 +send -- "/usr/lib/firejail/fseccomp print seccomp-test-file\r" +expect { + timeout {puts "TESTING ERROR 9.1\n";exit} + "WHITELIST 90 chmod" +} +expect { + timeout {puts "TESTING ERROR 9.2\n";exit} + "WHITELIST 92 chown" +} +expect { + timeout {puts "TESTING ERROR 9.3\n";exit} + "KILL_PROCESS" +} + + + +after 100 +puts "\nall done\n" + -- cgit v1.2.3-70-g09d2 From a5220fca9f6e6116afe684dd0cdcb614c250ca8d Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 2 Nov 2016 07:54:57 -0400 Subject: mumble profile --- README | 2 ++ README.md | 2 +- platform/debian/conffiles | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/README b/README index c0f5ea8d4..428f610f9 100644 --- a/README +++ b/README @@ -80,6 +80,8 @@ Fred-Barclay (https://github.com/Fred-Barclay) - evince profile enhancement - tightened Spotify profile - added xiphos and Tor Browser Bundle profiles +Impyy (https://github.com/Impyy) + - added mumble profile valoq (https://github.com/valoq) - LibreOffice profile fixes - cherrytree profile fixes diff --git a/README.md b/README.md index 69ab1be07..c6484d3b7 100644 --- a/README.md +++ b/README.md 
@@ -52,5 +52,5 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is ````` ## New Profiles -xiphos, Tor Browser Bundle, display (imagemagik), Wire +xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 526143a0f..df660ab4f 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -170,3 +170,4 @@ /etc/firejail/xiphos.profile /etc/firejail/display.profile /etc/firejail/Wire.profile +/etc/firejail/mumble.profile -- cgit v1.2.3-70-g09d2 From 81467143ee9c47d9c90e97fb55baf2d47702d372 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 2 Nov 2016 07:59:15 -0400 Subject: removed warning if --quiet is enabled --- src/firejail/fs.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/firejail/fs.c b/src/firejail/fs.c index f7fc44c71..dbd7eced7 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -106,9 +106,10 @@ static void disable_file(OPERATION op, const char *filename) { // some distros put all executables under /usr/bin and make /bin a symbolic link if ((strcmp(fname, "/bin") == 0 || strcmp(fname, "/usr/bin") == 0) && is_link(filename) && - S_ISDIR(s.st_mode)) - fprintf(stderr, "Warning: %s directory link was not blacklisted\n", filename); - + S_ISDIR(s.st_mode)) { + if (!arg_quiet) + fprintf(stderr, "Warning: %s directory link was not blacklisted\n", filename); + } else { if (arg_debug) printf("Disable %s\n", fname); -- cgit v1.2.3-70-g09d2 From e152e2d067e17be33c7e82ce438c8ae740af6a66 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 3 Nov 2016 09:30:30 -0400 Subject: fixed TOCTOU problem for --get and --put --- RELNOTES | 1 + src/firejail/ls.c | 192 ++++++++++++++++++++-------------------------------- src/firejail/util.c | 6 -- 3 files changed, 74 insertions(+), 125 deletions(-) diff --git a/RELNOTES b/RELNOTES index 44d313999..037f41a9b 100644 --- a/RELNOTES +++ b/RELNOTES 
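Review bot: With `--quiet`, nothing in this branch now reports that a requested blacklist of a `/bin` or `/usr/bin` directory link was skipped, because the new `if (!arg_quiet)` guards its only message and the `else` branch that does the disabling is not taken. Since the message says a filesystem restriction was not applied, it is worth keeping a record that does not depend on stderr. At minimum, a comment such as `// --quiet hides this; the link is still NOT blacklisted` would make the silent skip clearly deliberate. `disable_file` starts and ends outside the hunk, so whether another log path exists cannot be seen here.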
@@ -1,6 +1,7 @@ firejail (0.9.45) baseline; urgency=low * development version, work in progress * security: overwrite /etc/resolv.conf found by Martin Carpenter + * secuirty: TOCTOU exploit for --get and --put found by Daniel Hodson * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm) * feature: split most of networking code in a separate executable * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire diff --git a/src/firejail/ls.c b/src/firejail/ls.c index dba82be0b..7c5585324 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c @@ -324,22 +324,24 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { // get file from sandbox and store it in the current directory else if (op == SANDBOX_FS_GET) { - // check source file (sandbox) - char *src_fname; - if (asprintf(&src_fname, "%s%s", rootdir, fname1) == -1) - errExit("asprintf"); - EUID_ROOT(); - struct stat s; - if (stat(src_fname, &s) == -1) { - fprintf(stderr, "Error: Cannot access %s\n", fname1); - exit(1); - } - if (is_dir(src_fname)) { - fprintf(stderr, "Error: source file name is a directory\n"); + char *src_fname =fname1; + char *dest_fname = strrchr(fname1, '/'); + if (!dest_fname || *(++dest_fname) == '\0') { + fprintf(stderr, "Error: invalid file name %s\n", fname1); exit(1); } - - // try to open the source file - we need to chroot + + EUID_ROOT(); + if (arg_debug) + printf("copy %s to %s\n", src_fname, dest_fname); + + // create a user-owned temporary file in /run/firejail directory + char tmp_fname[] = "/run/firejail/tmpget-XXXXXX"; + int fd = mkstemp(tmp_fname); + SET_PERMS_FD(fd, getuid(), getgid(), 0600); + close(fd); + + // copy the source file into the temporary file - we need to chroot pid_t child = fork(); if (child < 0) errExit("fork"); 
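Review bot: The result of `mkstemp(tmp_fname)` is used unchecked, so on failure `fd` is -1 and is handed straight to `SET_PERMS_FD` and `close`; what the macro does with an invalid descriptor is not visible here. Add `if (fd == -1) errExit("mkstemp");` right after the call. The same applies to the identical `mkstemp` in the `SANDBOX_FS_PUT` branch of the `@@ -365,74 +365,54 @@` hunk. The descriptor is also closed at once and the file is reopened by name in the forked children, which gives up the guarantee `mkstemp` just provided; keeping `fd` open across `fork()` and copying through it would avoid a second lookup of the path. `sandboxfs` continues outside this hunk.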
@@ -353,11 +355,9 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { // drop privileges drop_privs(0); - // try to read the file - if (access(fname1, R_OK) == -1) { - fprintf(stderr, "Error: Cannot read %s\n", fname1); - exit(1); - } + // copy the file + if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) + _exit(1); _exit(0); } 
@@ -365,74 +365,54 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { int status = 0; waitpid(child, &status, 0); if (WIFEXITED(status) && WEXITSTATUS(status) == 0); - else - exit(1); - EUID_USER(); - - // check destination file (host) - char *dest_fname = strrchr(fname1, '/'); - if (!dest_fname || *(++dest_fname) == '\0') { - fprintf(stderr, "Error: invalid file name %s\n", fname1); + else { + unlink(tmp_fname); exit(1); } - if (access(dest_fname, F_OK) == -1) { - // try to create the file as a regular user - pid_t child = fork(); - if (child < 0) - errExit("fork"); - if (child == 0) { - // drop privileges - drop_privs(0); - - FILE *fp = fopen(dest_fname, "w"); - if (!fp) { - fprintf(stderr, "Error: cannot create %s\n", dest_fname); - exit(1); - } - fclose(fp); - _exit(0); - } - - // wait for the child to finish - int status = 0; - waitpid(child, &status, 0); - if (WIFEXITED(status) && WEXITSTATUS(status) == 0); - else - exit(1); + // copy the temporary file into the destionation file + child = fork(); + if (child < 0) + errExit("fork"); + if (child == 0) { + // drop privileges + drop_privs(0); + + // copy the file + if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) + _exit(1); + _exit(0); } + + // wait for the child to finish + status = 0; + waitpid(child, &status, 0); + if (WIFEXITED(status) && WEXITSTATUS(status) == 0); else { - if (access(dest_fname, W_OK) == -1) { - fprintf(stderr, "Error: cannot write %s\n", dest_fname); - exit(1); - } + unlink(tmp_fname); + exit(1); } - // copy file - if (arg_debug) - printf("copy %s to %s\n", src_fname, dest_fname); - EUID_ROOT(); - if (copy_file(src_fname, dest_fname, getuid(), getgid(), 0644)) - fprintf(stderr, "Error: transfer failed\n"); - else - printf("Transfer complete\n"); + // remove the temporary file + unlink(tmp_fname); EUID_USER(); } // get file from host and store it in the sandbox else if (op == SANDBOX_FS_PUT && path2) { - // verify the source file - const char 
*src_fname = path1; - struct stat s; - if (stat(src_fname, &s) == -1) { - fprintf(stderr, "Error: Cannot access %s\n", fname1); - exit(1); - } - if (is_dir(src_fname)) { - fprintf(stderr, "Error: source file name is a directory\n"); - exit(1); - } - - // try to open the source file + char *src_fname =fname1; + char *dest_fname = fname2; + + EUID_ROOT(); + if (arg_debug) + printf("copy %s to %s\n", src_fname, dest_fname); + + // create a user-owned temporary file in /run/firejail directory + char tmp_fname[] = "/run/firejail/tmpget-XXXXXX"; + int fd = mkstemp(tmp_fname); + SET_PERMS_FD(fd, getuid(), getgid(), 0600); + close(fd); + + // copy the source file into the temporary file - we need to chroot pid_t child = fork(); if (child < 0) errExit("fork"); @@ -440,11 +420,9 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { // drop privileges drop_privs(0); - // try to read the file - if (access(src_fname, R_OK) == -1) { - fprintf(stderr, "Error: Cannot read %s\n", src_fname); - exit(1); - } + // copy the file + if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) + _exit(1); _exit(0); } @@ -452,20 +430,12 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { int status = 0; waitpid(child, &status, 0); if (WIFEXITED(status) && WEXITSTATUS(status) == 0); - else - exit(1); - - // check destination file (sandbox) - char *dest_fname; - if (asprintf(&dest_fname, "%s%s", rootdir, fname2) == -1) - errExit("asprintf"); - EUID_ROOT(); - if (is_dir(dest_fname)) { - fprintf(stderr, "Error: destination file name is a directory inside the sandbox\n"); + else { + unlink(tmp_fname); exit(1); } - // check write access on destination + // copy the temporary file into the destionation file child = fork(); if (child < 0) errExit("fork"); 
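Review bot: The empty-bodied `if (WIFEXITED(status) && WEXITSTATUS(status) == 0); else { unlink(tmp_fname); exit(1); }` is easy to misread as a stray semicolon now that the `else` carries cleanup; `if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {` states the failure test directly. The return value of `waitpid` is also ignored, so if the call fails `status` keeps its initial 0, which decodes as a clean exit and lets a failed wait pass as a successful copy. The same pattern recurs in the `@@ -452,20 +430,12 @@` and `@@ -501,17 +459,13 @@` hunks. With the `Transfer complete` and `transfer failed` messages removed, the parent now exits 1 without saying why unless `copy_file` reports it.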
@@ -475,25 +445,13 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { errExit("chroot"); if (chdir("/") < 0) errExit("chdir"); - + // drop privileges drop_privs(0); - - if (access(path2, F_OK) == -1) { - FILE *fp = fopen(path2, "w"); - if (!fp) { - fprintf(stderr, "Error: cannot create %s\n", path2); - exit(1); - } - fclose(fp); - } - else { - if (access(path2, W_OK) == -1) { - fprintf(stderr, "Error: cannot write %s\n", path2); - exit(1); - } - } - + + // copy the file + if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) + _exit(1); _exit(0); } @@ -501,17 +459,13 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { status = 0; waitpid(child, &status, 0); if (WIFEXITED(status) && WEXITSTATUS(status) == 0); - else + else { + unlink(tmp_fname); exit(1); - - // copy file - if (arg_debug) - printf("copy %s to %s\n", src_fname, dest_fname); - EUID_ROOT(); - if (copy_file(src_fname, dest_fname, getuid(), getgid(), 0644)) - fprintf(stderr, "Error: transfer failed\n"); - else - printf("Transfer complete\n"); + } + + // remove the temporary file + unlink(tmp_fname); EUID_USER(); } diff --git a/src/firejail/util.c b/src/firejail/util.c index 9752504e5..a7712441e 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c @@ -176,12 +176,6 @@ int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, m assert(srcname); assert(destname); - struct stat s; - if (stat(destname, &s) == 0) { - fprintf(stderr, "Error: file %s already exists\n", destname); - return -1; - } - // open source int src = open(srcname, O_RDONLY); if (src < 0) { -- cgit v1.2.3-70-g09d2 From ccfe7a291eaa83b6d4d3f799a3d9b942a27b085a Mon Sep 17 00:00:00 2001 From: vismir2 Date: Thu, 3 Nov 2016 14:59:24 +0100 Subject: Improvements for Zathura profile --- etc/zathura.profile | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/etc/zathura.profile b/etc/zathura.profile index 7093c52b2..d29762889 100644 --- a/etc/zathura.profile 
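Review bot: `tmp_fname` is opened by name here after `chroot()` and `chdir("/")`, so `/run/firejail/tmpget-XXXXXX` resolves against the sandbox root, whereas the parent created the file with `mkstemp` before the fork, against the host root. Unless `/run/firejail` is the same directory in both views, which the hunk does not show, this child reads a path that processes inside the sandbox may be able to create or replace. The first child of the `SANDBOX_FS_GET` branch (`@@ -353,11 +355,9 @@`) appears to write to such a path in the same way. Passing the still-open descriptor from `mkstemp` to the child, instead of closing it and passing the name, would remove the dependency on path lookup after the root changes. The `chroot` call itself sits just above this hunk; only its error handling is visible as context.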
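Review bot: Dropping the `stat(destname)` pre-check removes a check-then-open race, but it also changes `copy_file` from refusing an existing destination to overwriting it, for every caller. If refusing was intended anywhere, the race-free way to keep it is `O_EXCL` together with `O_CREAT` on the destination `open()`, plus `O_NOFOLLOW` if a symlink at `destname` must not be followed. The destination open is below this hunk, so its current flags cannot be checked here. A one-line comment on the function such as `// destname is overwritten if it already exists` would document the new contract.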
+++ b/etc/zathura.profile @@ -18,3 +18,8 @@ shell none private-bin zathura private-dev +private-etc fonts +whitelist /tmp/.X11-unix + +read-only ~/ +read-write ~/.local/share/zathura/ -- cgit v1.2.3-70-g09d2 From cc1027af614bd804b8ee77947bc14e4018b06cf7 Mon Sep 17 00:00:00 2001 From: vismir2 Date: Thu, 3 Nov 2016 15:24:22 +0100 Subject: Fixed README --- README | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README b/README index 428f610f9..50bc00099 100644 --- a/README +++ b/README @@ -94,13 +94,12 @@ Rafael Cavalcanti (https://github.com/rccavalcanti) - chromium profile fixes for Arch Linux Deelvesh Bunjun (https://github.com/DeelveshBunjun) - added xpdf profile -vismir2 (https://github.com/vismir2) - - claws-mail, mutt, git, emacs, vim profiles Dara Adib (https://github.com/daradib) - ssh profile fix - evince profile fix vismir2 (https://github.com/vismir2) - feh, ranger, 7z, keepass, keepassx and zathura profiles + - claws-mail, mutt, git, emacs, vim profiles - lots of profile fixes graywolf (https://github.com/graywolf) - spelling fix -- cgit v1.2.3-70-g09d2 From 3b81e1f2c331644ced87d26a943b22eed6242b8f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 3 Nov 2016 10:53:51 -0400 Subject: security: env variables --- RELNOTES | 4 +++- src/firejail/bandwidth.c | 1 + src/firejail/fs_bin.c | 1 + src/firejail/fs_etc.c | 1 + src/firejail/netfilter.c | 3 +++ src/firejail/run_symlink.c | 1 + src/firejail/sandbox.c | 16 ++++++++++------ src/firejail/sbox.c | 1 + src/firejail/x11.c | 13 ++++++++++--- 9 files changed, 31 insertions(+), 10 deletions(-) diff --git a/RELNOTES b/RELNOTES index 037f41a9b..3a9ccaa4b 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -2,8 +2,10 @@ firejail (0.9.45) baseline; urgency=low * development version, work in progress * security: overwrite /etc/resolv.conf found by Martin Carpenter * secuirty: TOCTOU exploit for --get and --put found by Daniel Hodson + * security: invalid environment exploit found by Martin Carpener + * security: split most of networking code in a separate executable + * security: split seccomp filter code code in a separate executable * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm) - * feature: split most of networking code in a separate executable * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire * bugfixes -- netblue30 Sun, 23 Oct 2016 08:00:00 -0500 diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c index 4a1df9c67..ab9714afe 100644 --- a/src/firejail/bandwidth.c +++ b/src/firejail/bandwidth.c @@ -462,6 +462,7 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in arg[1] = "-c"; arg[2] = cmd; arg[3] = NULL; + assert(getenv("LD_PRELOAD") == NULL); execvp(arg[0], arg); // it will never get here diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index f59944735..d6fee0608 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c @@ -191,6 +191,7 @@ static void duplicate(char *fname) { char *f; if (asprintf(&f, "%s/%s", RUN_BIN_DIR, fname) == -1) errExit("asprintf"); + assert(getenv("LD_PRELOAD") == NULL); execlp(RUN_CP_COMMAND, RUN_CP_COMMAND, "-a", actual_path, f, NULL); perror("execlp"); _exit(1); diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index b86d5eb74..4f3417236 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c @@ -105,6 +105,7 @@ static void duplicate(char *fname) { char *f; if (asprintf(&f, "/etc/%s", fname) == -1) errExit("asprintf"); + assert(getenv("LD_PRELOAD") == NULL); execlp(RUN_CP_COMMAND, RUN_CP_COMMAND, "-a", "--parents", f, RUN_MNT_DIR, NULL); perror("execlp"); _exit(1); 
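Review bot: `assert(getenv("LD_PRELOAD") == NULL);` is the only guard added before `execvp`, and `assert` compiles to nothing when `NDEBUG` is defined, so the check vanishes in such a build; when it does fire it aborts instead of leaving through the normal error path. It also covers a single variable, while the rest of the caller's environment is still inherited by the command started with `arg[1] = "-c"`. An explicit test such as `if (getenv("LD_PRELOAD")) { fprintf(stderr, "Error: LD_PRELOAD is set\n"); exit(1); }` would hold in every build, as would clearing the environment the way `netfilter.c` does with `environ = NULL`. The same line is added before the `exec*` calls in `fs_bin.c`, `fs_etc.c`, `netfilter.c`, `run_symlink.c`, `sandbox.c`, `sbox.c` and `x11.c` in this commit. In `netfilter.c` it follows `environ = NULL` and can never fail.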
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c index c1f9a2c37..efef45d90 100644 --- a/src/firejail/netfilter.c +++ b/src/firejail/netfilter.c @@ -144,6 +144,7 @@ void netfilter(const char *fname) { // wipe out environment variables environ = NULL; + assert(getenv("LD_PRELOAD") == NULL); execl(iptables_restore, iptables_restore, NULL); perror("execl"); _exit(1); @@ -163,6 +164,7 @@ void netfilter(const char *fname) { if (setregid(0, 0)) errExit("setregid"); environ = NULL; + assert(getenv("LD_PRELOAD") == NULL); execl(iptables, iptables, "-vL", NULL); perror("execl"); _exit(1); @@ -257,6 +259,7 @@ void netfilter6(const char *fname) { // wipe out environment variables environ = NULL; + assert(getenv("LD_PRELOAD") == NULL); execl(ip6tables_restore, ip6tables_restore, NULL); perror("execl"); _exit(1); diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c index 020e70b80..8aa2fe53f 100644 --- a/src/firejail/run_symlink.c +++ b/src/firejail/run_symlink.c @@ -106,6 +106,7 @@ void run_symlink(int argc, char **argv) { a[i + 2] = argv[i + 1]; } a[i + 2] = NULL; + assert(getenv("LD_PRELOAD") == NULL); execvp(a[0], a); perror("execvp"); diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 3942e4da6..e3c95283d 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -260,6 +260,7 @@ void start_audit(void) { char *audit_prog; if (asprintf(&audit_prog, "%s/firejail/faudit", LIBDIR) == -1) errExit("asprintf"); + assert(getenv("LD_PRELOAD") == NULL); execl(audit_prog, audit_prog, NULL); perror("execl"); exit(1); @@ -268,6 +269,15 @@ void start_audit(void) { void start_application(void) { //if (setsid() == -1) //errExit("setsid"); + + // set environment + env_defaults(); + env_apply(); + if (arg_debug) { + printf("starting application\n"); + printf("LD_PRELOAD=%s\n", getenv("LD_PRELOAD")); + } + //**************************************** // audit //**************************************** 
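Review bot: `printf("LD_PRELOAD=%s\n", getenv("LD_PRELOAD"));` in `start_application` passes a null pointer to `%s` whenever the variable is unset, which is undefined behaviour in C even though glibc happens to print `(null)`. Fetch the value once and substitute a literal: `const char *p = getenv("LD_PRELOAD");` followed by `printf("LD_PRELOAD=%s\n", p ? p : "(not set)");`. A short comment saying why `env_defaults()` and `env_apply()` now run here rather than at the call site removed by the `@@ -787,12 +797,6 @@` hunk would help the next reader. The rest of `start_application` is outside the hunk.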
@@ -787,12 +797,6 @@ assert(0); } } - // set environment - env_defaults(); - - // set user-supplied environment variables - env_apply(); - // set nice if (arg_nice) { errno = 0; diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index 6499b7005..a5a067090 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c @@ -165,6 +165,7 @@ int sbox_run(unsigned filter, int num, ...) { else if (filter & SBOX_USER) drop_privs(1); + assert(getenv("LD_PRELOAD") == NULL); if (arg[0]) // get rid of scan-build warning execvp(arg[0], arg); else diff --git a/src/firejail/x11.c b/src/firejail/x11.c index c79f1a74e..6cba95501 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c @@ -311,7 +311,8 @@ void x11_start_xephyr(int argc, char **argv) { if (server == 0) { if (arg_debug) printf("Starting xephyr...\n"); - + + assert(getenv("LD_PRELOAD") == NULL); execvp(server_argv[0], server_argv); perror("execvp"); _exit(1); @@ -353,6 +354,7 @@ void x11_start_xephyr(int argc, char **argv) { if (!arg_quiet) printf("\n*** Attaching to Xephyr display %d ***\n\n", display); + assert(getenv("LD_PRELOAD") == NULL); execvp(jail_argv[0], jail_argv); perror("execvp"); _exit(1); @@ -432,6 +434,7 @@ void x11_start_xpra(int argc, char **argv) { dup2(fd_null,2); } + assert(getenv("LD_PRELOAD") == NULL); execvp(server_argv[0], server_argv); perror("execvp"); _exit(1); @@ -478,6 +481,7 @@ void x11_start_xpra(int argc, char **argv) { if (!arg_quiet) printf("\n*** Attaching to xpra display %d ***\n\n", display); + assert(getenv("LD_PRELOAD") == NULL); execvp(attach_argv[0], attach_argv); perror("execvp"); _exit(1); @@ -508,6 +512,7 @@ void x11_start_xpra(int argc, char **argv) { if (jail < 0) errExit("fork"); if (jail == 0) { + assert(getenv("LD_PRELOAD") == NULL); if (firejail_argv[0]) // shut up llvm scan-build execvp(firejail_argv[0], firejail_argv); perror("execvp"); 
@@ -534,6 +539,7 @@ void x11_start_xpra(int argc, char **argv) { dup2(fd_null,1); dup2(fd_null,2); } + assert(getenv("LD_PRELOAD") == NULL); execvp(stop_argv[0], stop_argv); perror("execvp"); _exit(1); @@ -664,11 +670,12 @@ void x11_xorg(void) { errExit("setreuid"); if (setregid(0, 0) < 0) errExit("setregid"); - + char *display = getenv("DISPLAY"); if (!display) display = ":0.0"; - + + assert(getenv("LD_PRELOAD") == NULL); execlp("/usr/bin/xauth", "/usr/bin/xauth", "-f", RUN_XAUTHORITY_SEC_FILE, "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL); -- cgit v1.2.3-70-g09d2 From ac64fc8fb04b85375675ac3f7c9ac637f040d02b Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 3 Nov 2016 10:59:13 -0400 Subject: small fix --- RELNOTES | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELNOTES b/RELNOTES index 3a9ccaa4b..3d629d320 100644 --- a/RELNOTES +++ b/RELNOTES @@ -4,7 +4,7 @@ firejail (0.9.45) baseline; urgency=low * secuirty: TOCTOU exploit for --get and --put found by Daniel Hodson * security: invalid environment exploit found by Martin Carpener * security: split most of networking code in a separate executable - * security: split seccomp filter code code in a separate executable + * security: split seccomp filter code configuration in a separate executable * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm) * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire * bugfixes -- cgit v1.2.3-70-g09d2 From a7ec081ca75b2291de71fea996e4c43b7e62e7cf Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 3 Nov 2016 11:10:10 -0400 Subject: spelling fix --- RELNOTES | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELNOTES b/RELNOTES index 3d629d320..922296fd7 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -2,7 +2,7 @@ firejail (0.9.45) baseline; urgency=low * development version, work in progress * security: overwrite /etc/resolv.conf found by Martin Carpenter * secuirty: TOCTOU exploit for --get and --put found by Daniel Hodson - * security: invalid environment exploit found by Martin Carpener + * security: invalid environment exploit found by Martin Carpenter * security: split most of networking code in a separate executable * security: split seccomp filter code configuration in a separate executable * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm) -- cgit v1.2.3-70-g09d2 From 69b38cfabeeaf7604d71bad6abb5b9d69d8f9318 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 3 Nov 2016 11:20:14 -0400 Subject: testing fix --- test/utils/ls.exp | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/test/utils/ls.exp b/test/utils/ls.exp index b83957a4f..cd2c2984c 100755 --- a/test/utils/ls.exp +++ b/test/utils/ls.exp @@ -24,11 +24,7 @@ expect { } sleep 1 send -- "firejail --get=test ~/lstesting\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "Transfer complete" -} -sleep 1 +sleep 2 send -- "cat lstesting\r" expect { timeout {puts "TESTING ERROR 3\n";exit} -- cgit v1.2.3-70-g09d2 From 7d1fbcb6ab703562455883b17e345cbf8a4fdd69 Mon Sep 17 00:00:00 2001 From: valoq Date: Thu, 3 Nov 2016 21:35:24 +0100 Subject: added nosound --- etc/eog.profile | 1 + etc/evolution.profile | 1 + 2 files changed, 2 insertions(+) diff --git a/etc/eog.profile b/etc/eog.profile index 7eb7fd127..68e950bd7 100644 --- a/etc/eog.profile +++ b/etc/eog.profile @@ -12,6 +12,7 @@ netfilter nogroups nonewprivs noroot +nosound protocol unix seccomp shell none diff --git a/etc/evolution.profile b/etc/evolution.profile index d097c0f34..d63eeed74 100644 --- a/etc/evolution.profile +++ b/etc/evolution.profile @@ -17,6 +17,7 @@ netfilter nogroups nonewprivs noroot +nosound protocol unix,inet,inet6 seccomp shell none -- cgit v1.2.3-70-g09d2 
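Review bot: Replacing the `expect` for `Transfer complete` with `sleep 2` leaves the following `cat lstesting` as the only evidence that `firejail --get` worked, and that check also passes on an `lstesting` left in the working directory by an earlier run. If the script does not already delete the file before this step (the lines above the hunk are not shown), add `send -- "rm -f lstesting\r"` ahead of the `--get`. A fixed sleep also makes the result depend on machine speed; waiting on output from a follow-up command would be steadier.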
From 08478335e5f49605c96beac6575715781b167724 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 3 Nov 2016 17:26:06 -0400 Subject: usage --- src/firejail/usage.c | 441 +++++++++++++++------------------------------------ 1 file changed, 125 insertions(+), 316 deletions(-) diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 7db91b5a9..c8bed06e3 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c 
@@ -23,381 +23,190 @@ void usage(void) { printf("firejail - version %s\n\n", VERSION); printf("Firejail is a SUID sandbox program that reduces the risk of security breaches by\n"); printf("restricting the running environment of untrusted applications using Linux\n"); - printf("namespaces. It includes a sandbox profile for Mozilla Firefox.\n\n"); + printf("namespaces.\n"); printf("\n"); - printf("Usage: firejail [options] [program and arguments]\n\n"); + printf("Usage: firejail [options] [program and arguments]\n"); printf("\n"); - printf("Without any options, the sandbox consists of a filesystem chroot build from the\n"); - printf("current system directories mounted read-only, and new PID and IPC\n"); - printf("namespaces. If no program is specified as an argument, /bin/bash is started by\n"); - printf("default in the sandbox.\n\n"); - printf("\n"); - printf("Options:\n\n"); - printf(" -- - signal the end of options and disables further option processing.\n\n"); - printf(" --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n\n"); - printf(" --allusers - all user home directories are visible inside the sandbox.\n\n"); - printf(" --apparmor - enable AppArmor confinement\n\n"); - printf(" --appimage - sandbox an AppImage application\n\n"); - printf(" --audit - audit the sandbox, see Audit section for more details\n\n"); - printf(" --audit=test-program - audit the sandbox, see Audit section for more details\n\n"); + printf("Options:\n"); + printf(" -- - signal the end of options and disables further option processing.\n"); + printf(" --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"); + printf(" --allusers - all user home directories are visible inside the sandbox.\n"); + printf(" --apparmor - enable AppArmor confinement.\n"); + printf(" --appimage - sandbox an AppImage application.\n"); + printf(" --audit[=test-program] - audit the sandbox.\n"); #ifdef HAVE_NETWORK - printf(" --bandwidth=name|pid - set bandwidth 
limits for the sandbox identified\n"); - printf("\tby name or PID, see Traffic Shaping section fo more details.\n\n"); + printf(" --bandwidth=name|pid - set bandwidth limits\n"); #endif #ifdef HAVE_BIND - printf(" --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n\n"); - printf(" --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n\n"); + printf(" --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n"); + printf(" --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n"); #endif - printf(" --blacklist=dirname_or_filename - blacklist directory or file.\n\n"); - printf(" -c - execute command and exit.\n\n"); - printf(" --caps - enable default Linux capabilities filter.\n\n"); - printf(" --caps.drop=all - drop all capabilities.\n\n"); - printf(" --caps.drop=capability,capability - blacklist capabilities filter.\n\n"); - printf(" --caps.keep=capability,capability - whitelist capabilities filter.\n\n"); - printf(" --caps.print=name|pid - print the caps filter for the sandbox identified\n"); - printf("\tby name or PID.\n\n"); + printf(" --blacklist=filename - blacklist directory or file.\n"); + printf(" -c - execute command and exit.\n"); + printf(" --caps - enable default Linux capabilities filter.\n"); + printf(" --caps.drop=all - drop all capabilities.\n"); + printf(" --caps.drop=capability,capability - blacklist capabilities filter.\n"); + printf(" --caps.keep=capability,capability - whitelist capabilities filter.\n"); + printf(" --caps.print=name|pid - print the caps filter.\n"); printf(" --cgroup=tasks-file - place the sandbox in the specified control group.\n"); - printf("\ttasks-file is the full path of cgroup tasks file.\n\n"); #ifdef HAVE_CHROOT - printf(" --chroot=dirname - chroot into directory.\n\n"); + printf(" --chroot=dirname - chroot into directory.\n"); #endif - printf(" --cpu=cpu-number,cpu-number - set cpu affinity.\n\n"); - printf(" --cpu.print=name|pid - print the cup in use by 
the sandbox identified\n"); - printf("\tby name or PID.\n\n"); - printf(" --csh - use /bin/csh as default shell.\n\n"); - - printf(" --debug - print sandbox debug messages.\n\n"); - printf(" --debug-blacklists - debug blacklisting.\n\n"); - printf(" --debug-caps - print all recognized capabilities in the current Firejail\n"); - printf("\tsoftware build.\n\n"); - printf(" --debug-check-filename - debug filename checking.\n\n"); - printf(" --debug-errnos - print all recognized error numbers in the current Firejail\n"); - printf("\tsoftware build.\n\n"); - printf(" --debug-protocols - print all recognized protocols in the current Firejail\n"); - printf("\tsoftware build.\n\n"); - printf(" --debug-syscalls - print all recognized system calls in the current Firejail\n"); - printf("\tsoftware build.\n\n"); + printf(" --cpu=cpu-number,cpu-number - set cpu affinity.\n"); + printf(" --cpu.print=name|pid - print the cpus in use.\n"); + printf(" --csh - use /bin/csh as default shell.\n"); + printf(" --debug - print sandbox debug messages.\n"); + printf(" --debug-blacklists - debug blacklisting.\n"); + printf(" --debug-caps - print all recognized capabilities.\n"); + printf(" --debug-check-filename - debug filename checking.\n"); + printf(" --debug-errnos - print all recognized error numbers.\n"); + printf(" --debug-protocols - print all recognized protocols.\n"); + printf(" --debug-syscalls - print all recognized system calls.\n"); #ifdef HAVE_WHITELIST - printf(" --debug-whitelists - debug whitelisting.\n\n"); + printf(" --debug-whitelists - debug whitelisting.\n"); #endif - - #ifdef HAVE_NETWORK - printf(" --defaultgw=address - use this address as default gateway in the new network\n"); - printf("\tnamespace.\n\n"); + printf(" --defaultgw=address - configure default gateway.\n"); #endif - printf(" --dns=address - set a DNS server for the sandbox. 
Up to three DNS servers\n"); - printf("\tcan be defined.\n\n"); - printf(" --dns.print=name|pid - print DNS configuration for the sandbox identified\n"); - printf("\tby name or PID.\n\n"); - - printf(" --env=name=value - set environment variable in the new sandbox.\n\n"); - printf(" --fs.print=name|pid - print the filesystem log for the sandbox identified\n"); - printf("\tby name or PID.\n\n"); - printf(" --get=name|pid filename - get a file from sandbox container.\n\n"); - printf(" --help, -? - this help screen.\n\n"); - printf(" --hostname=name - set sandbox hostname.\n\n"); - printf(" --ignore=command - ignore command in profile files.\n\n"); + printf(" --dns=address - set DNS server.\n"); + printf(" --dns.print=name|pid - print DNS configuration.\n"); + + printf(" --env=name=value - set environment variable.\n"); + printf(" --fs.print=name|pid - print the filesystem log.\n"); + printf(" --get=name|pid filename - get a file from sandbox container.\n"); + printf(" --help, -? - this help screen.\n"); + printf(" --hostname=name - set sandbox hostname.\n"); + printf(" --ignore=command - ignore command in profile files.\n"); #ifdef HAVE_NETWORK - printf(" --interface=name - move interface in a new network namespace. Up to four\n"); - printf("\t--interface options can be specified.\n\n"); - printf(" --ip=address - set interface IP address.\n\n"); - printf(" --ip=none - no IP address and no default gateway address are configured\n"); - printf("\tin the new network namespace. 
Use this option in case you intend to\n"); - printf("\tstart an external DHCP client in the sandbox.\n\n"); - printf(" --ip6=address - set interface IPv6 address.\n\n"); - printf(" --iprange=address,address - configure an IP address in this range.\n\n"); + printf(" --interface=name - move interface in sandbox.\n"); + printf(" --ip=address - set interface IP address.\n"); + printf(" --ip=none - no IP address and no default gateway are configured.\n"); + printf(" --ip6=address - set interface IPv6 address.\n"); + printf(" --iprange=address,address - configure an IP address in this range.\n"); #endif - printf(" --ipc-namespace - enable a new IPC namespace if the sandbox was started as\n"); - printf("\tregular user. IPC namespace is enabled by default only if the sandbox\n"); - printf("\tis started as root.\n\n"); - printf(" --join=name|pid - join the sandbox identified by name or PID.\n\n"); - printf(" --join-filesystem=name|pid - join the mount namespace of the sandbox\n"); - printf("\tidentified by name or PID.\n\n"); + printf(" --ipc-namespace - enable a new IPC namespace.\n"); + printf(" --join=name|pid - join the sandbox.\n"); + printf(" --join-filesystem=name|pid - join the mount namespace.\n"); #ifdef HAVE_NETWORK - printf(" --join-network=name|pid - join the network namespace of the sandbox\n"); - printf("\tidentified by name or PID.\n\n"); + printf(" --join-network=name|pid - join the network namespace.\n"); #endif - printf(" --list - list all sandboxes.\n\n"); - printf(" --ls=name|pid dir_or_filename - list files in sandbox container.\n\n"); + printf(" --list - list all sandboxes.\n"); + printf(" --ls=name|pid dir_or_filename - list files in sandbox container.\n"); #ifdef HAVE_NETWORK - printf(" --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n\n"); - printf(" --mtu=number - set interface MTU.\n\n"); + printf(" --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n"); + printf(" --mtu=number - set interface MTU.\n"); #endif - printf(" --name=name - set 
sandbox name.\n\n"); + printf(" --name=name - set sandbox name.\n"); #ifdef HAVE_NETWORK - printf(" --net=bridgename - enable network namespaces and connect to this bridge\n"); - printf("\tdevice. Up to four --net devices can be defined.\n\n"); - + printf(" --net=bridgename - enable network namespaces and connect to this bridge.\n"); printf(" --net=ethernet_interface - enable network namespaces and connect to this\n"); - printf("\tEthernet interface using the standard Linux macvlan driver. Up to four\n"); - printf("\t--net devices can be defined.\n\n"); - - printf(" --net=none - enable a new, unconnected network namespace.\n\n"); - - printf(" --netfilter - enable the default client network filter in the new\n"); - printf("\tnetwork namespace.\n\n"); - printf(" --netfilter=filename - enable the network filter specified by\n"); - printf("\tfilename in the new network namespace. The filter file format\n"); - printf("\tis the format of iptables-save and iptable-restore commands.\n\n"); - printf(" --netfilter6=filename - enable the IPv6 network filter specified by\n"); - printf("\tfilename in the new network namespace. 
The filter file format\n"); - printf("\tis the format of ip6tables-save and ip6table-restore commands.\n\n"); - - printf(" --netstats - monitor network statistics for sandboxes creating a new\n"); - printf("\tnetwork namespace.\n\n"); + printf("\tEthernet interface.\n"); + printf(" --net=none - enable a new, unconnected network namespace.\n"); + printf(" --netfilter[=filename] - enable the default client network filter.\n"); + printf(" --netfilter6=filename - enable the IPv6 network filter.\n"); + printf(" --netstats - monitor network statistics.\n"); #endif - printf(" --nice=value - set nice value.\n\n"); - printf(" --no3d - disable 3D hardware acceleration.\n\n"); - printf(" --noblacklist=dirname_or_filename - disable blacklist for directory or\n"); - printf("\tfile.\n\n"); - printf(" --noexec=dirname_of_filenam - remount the file or directory noexec\n"); - printf("\tnosuid and nodev\n\n"); - printf(" --nogroups - disable supplementary groups. Without this option,\n"); - printf("\tsupplementary groups are enabled for the user starting the sandbox.\n"); - printf("\tFor root, groups are always disabled.\n\n"); - - printf(" --noprofile - do not use a profile. 
Profile priority is use the one\n"); - printf("\tspecified on the command line, next try to find one that\n"); - printf("\tmatches the command name, and lastly use %s.profile\n", DEFAULT_USER_PROFILE); - printf("\tif running as regular user or %s.profile if running as\n", DEFAULT_ROOT_PROFILE); - printf("\troot.\n\n"); + printf(" --nice=value - set nice value.\n"); + printf(" --no3d - disable 3D hardware acceleration.\n"); + printf(" --noblacklist=filename - disable blacklist for file or directory .\n"); + printf(" --noexec=filename - remount the file or directory noexec nosuid and nodev.\n"); + printf(" --nogroups - disable supplementary groups.\n"); + printf(" --noprofile - do not use a security profile.\n"); #ifdef HAVE_USERNS - printf(" --noroot - install a user namespace with a single user - the current\n"); - printf("\tuser. root user does not exist in the new namespace. This option\n"); - printf("\tis not supported for --chroot and --overlay configurations.\n\n"); + printf(" --noroot - install a user namespace with only the current user.\n"); #endif - printf(" --nonewprivs - sets the NO_NEW_PRIVS prctl - the child processes\n"); - printf("\tcannot gain privileges using execve(2); in particular, this prevents\n"); - printf("\tgaining privileges by calling a suid binary\n\n"); - printf(" --nosound - disable sound system.\n\n"); - - printf(" --output=logfile - stdout logging and log rotation. Copy stdout and stderr\n"); - printf("\tto logfile, and keep the size of the file under 500KB using log\n"); - printf("\trotation. Five files with prefixes .1 to .5 are used in\n"); - printf("\trotation.\n\n"); - + printf(" --nonewprivs - sets the NO_NEW_PRIVS prctl.\n"); + printf(" --output=logfile - stdout logging and log rotation.\n"); printf(" --overlay - mount a filesystem overlay on top of the current filesystem.\n"); - printf("\tThe upper filesystem layer is persistent, and stored in\n"); - printf("\t$HOME/.firejail/ directory. 
(OverlayFS support is required in\n"); - printf("\tLinux kernel for this option to work). \n\n"); - printf(" --overlay-named=name - mount a filesystem overlay on top of the current\n"); - printf("\tfilesystem. The upper filesystem layer is persistent, and stored in\n"); - printf("\t$HOME/.firejail/ directory. (OverlayFS support is required in\n"); - printf("\tLinux kernel for this option to work). \n\n"); - - printf(" --overlay-tmpfs - mount a filesystem overlay on top of the current\n"); - printf("\tfilesystem. The upper layer is stored in a tmpfs filesystem,\n"); - printf("\tand it is discarded when the sandbox is closed. (OverlayFS\n"); - printf("\tsupport is required in Linux kernel for this option to work).\n\n"); - - printf(" --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n\n"); - - printf(" --private - mount new /root and /home/user directories in temporary\n"); - printf("\tfilesystems. All modifications are discarded when the sandbox is\n"); - printf("\tclosed.\n\n"); - printf(" --private=directory - use directory as user home.\n\n"); + printf("\tfilesystem, and store it in name directory.\n"); + printf(" --overlay-tmpfs - mount a temporary filesystem overlay on top of the current\n"); + printf("\tfilesystem.\n"); + printf(" --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n"); + printf(" --private - temporary home directory.\n"); + printf(" --private=directory - use directory as user home.\n"); printf(" --private-home=file,directory - build a new user home in a temporary\n"); - printf("\t\tfilesystem, and copy the files and directories in the list in\n"); - printf("\t\tthe new home. 
All modifications are discarded when the sandbox\n"); - printf("\t\tis closed.\n\n"); - + printf("\tfilesystem, and copy the files and directories in the list in\n"); + printf("\tthe new home.\n"); printf(" --private-bin=file,file - build a new /bin in a temporary filesystem,\n"); - printf("\tand copy the programs in the list.\n\n"); - + printf("\tand copy the programs in the list.\n"); printf(" --private-dev - create a new /dev directory. Only dri, null, full, zero,\n"); - printf("\ttty, pst, ptms, random, snd, urandom, log and shm devices are available.\n\n"); - + printf("\ttty, pst, ptms, random, snd, urandom, log and shm devices are available.\n"); printf(" --private-etc=file,directory - build a new /etc in a temporary\n"); printf("\tfilesystem, and copy the files and directories in the list.\n"); - printf("\tAll modifications are discarded when the sandbox is closed.\n\n"); - - printf(" --private-tmp - mount a tmpfs on top of /tmp directory\n\n"); - - printf(" --profile=filename - use a custom profile.\n\n"); - printf(" --profile-path=directory - use this directory to look for profile files.\n\n"); - + printf(" --private-tmp - mount a tmpfs on top of /tmp directory.\n"); + printf(" --profile=filename - use a custom profile.\n"); + printf(" --profile-path=directory - use this directory to look for profile files.\n"); printf(" --protocol=protocol,protocol,protocol - enable protocol filter.\n"); - printf("\tProtocol values: unix, inet, inet6, netlink, packet.\n\n"); - printf(" --protocol.print=name|pid - print the protocol filter for the sandbox\n"); - printf("\tidentified by name or PID.\n\n"); - - printf(" --put=name|pid src-filename dest-filename - put a file in sandbox container.\n\n"); - - printf(" --quiet - turn off Firejail's output.\n\n"); - printf(" --read-only=dirname_or_filename - set directory or file read-only..\n\n"); - printf(" --read-write=dirname_or_filename - set directory or file read-write..\n\n"); + printf(" --protocol.print=name|pid - print 
the protocol filter.\n"); + printf(" --put=name|pid src-filename dest-filename - put a file in sandbox container.\n"); + printf(" --quiet - turn off Firejail's output.\n"); + printf(" --read-only=filename - set directory or file read-only..\n"); + printf(" --read-write=filename - set directory or file read-write..\n"); printf(" --rlimit-fsize=number - set the maximum file size that can be created\n"); - printf("\tby a process.\n\n"); + printf("\tby a process.\n"); printf(" --rlimit-nofile=number - set the maximum number of files that can be\n"); - printf("\topened by a process.\n\n"); + printf("\topened by a process.\n"); printf(" --rlimit-nproc=number - set the maximum number of processes that can be\n"); - printf("\tcreated for the real user ID of the calling process.\n\n"); + printf("\tcreated for the real user ID of the calling process.\n"); printf(" --rlimit-sigpending=number - set the maximum number of pending signals\n"); - printf("\tfor a process.\n\n"); - printf(" --rmenv=name - remove environment variable in the new sandbox.\n\n"); + printf("\tfor a process.\n"); + printf(" --rmenv=name - remove environment variable in the new sandbox.\n"); #ifdef HAVE_NETWORK printf(" --scan - ARP-scan all the networks from inside a network namespace.\n"); - printf("\tThis makes it possible to detect macvlan kernel device drivers\n"); - printf("\trunning on the current host.\n\n"); #endif #ifdef HAVE_SECCOMP - printf(" --seccomp - enable seccomp filter and apply the default blacklist.\n\n"); - + printf(" --seccomp - enable seccomp filter and apply the default blacklist.\n"); printf(" --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"); - printf("\tdefault syscall list and the syscalls specified by the command.\n\n"); - + printf("\tdefault syscall list and the syscalls specified by the command.\n"); printf(" --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n"); - printf("\tblacklist the syscalls specified by the command.\n\n"); 
- + printf("\tblacklist the syscalls specified by the command.\n"); printf(" --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n"); - printf("\twhitelist the syscalls specified by the command.\n\n"); - + printf("\twhitelist the syscalls specified by the command.\n"); printf(" --seccomp.=syscall,syscall,syscall - enable seccomp filter, and\n"); - printf("\treturn errno for the syscalls specified by the command.\n\n"); - + printf("\treturn errno for the syscalls specified by the command.\n"); printf(" --seccomp.print=name|pid - print the seccomp filter for the sandbox\n"); - printf("\tidentified by name or PID.\n\n"); + printf("\tidentified by name or PID.\n"); #endif - - printf(" --shell=none - run the program directly without a user shell.\n\n"); - printf(" --shell=program - set default user shell.\n\n"); - printf(" --shutdown=name|pid - shutdown the sandbox identified by name or PID.\n\n"); + printf(" --shell=none - run the program directly without a user shell.\n"); + printf(" --shell=program - set default user shell.\n"); + printf(" --shutdown=name|pid - shutdown the sandbox identified by name or PID.\n"); printf(" --tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n"); - printf("\tThis option is available only when running the sandbox as root.\n\n"); - printf(" --top - monitor the most CPU-intensive sandboxes.\n\n"); - printf(" --trace - trace open, access and connect system calls.\n\n"); + printf(" --top - monitor the most CPU-intensive sandboxes.\n"); + printf(" --trace - trace open, access and connect system calls.\n"); printf(" --tracelog - add a syslog message for every access to files or\n"); - printf("\tdirectoires blacklisted by the security profile.\n\n"); - printf(" --tree - print a tree of all sandboxed processes.\n\n"); - printf(" --version - print program version and exit.\n\n"); + printf("\tdirectoires blacklisted by the security profile.\n"); + printf(" --tree - print a tree of all sandboxed processes.\n"); + 
printf(" --version - print program version and exit.\n"); #ifdef HAVE_NETWORK - printf(" --veth-name=name - use this name for the interface connected to the bridge\n"); - printf("\tfor --net=bridgename commands, instead of the default one.\n\n"); + printf(" --veth-name=name - use this name for the interface connected to the bridge.\n"); #endif #ifdef HAVE_WHITELIST - printf(" --whitelist=dirname_or_filename - whitelist directory or file.\n\n"); + printf(" --whitelist=filename - whitelist directory or file.\n"); #endif - printf(" --writable-etc - /etc directory is mounted read-write.\n\n"); - printf(" --writable-var - /var directory is mounted read-write.\n\n"); - + printf(" --writable-etc - /etc directory is mounted read-write.\n"); + printf(" --writable-var - /var directory is mounted read-write.\n"); printf(" --x11 - enable X11 sandboxing. The software checks first if Xpra is\n"); printf("\tinstalled, then it checks if Xephyr is installed. If all fails, it will\n"); - printf("\tattempt to use X11 security extension.\n\n"); - printf(" --x11=none - disable access to X11 sockets.\n\n"); - printf(" --x11=xephyr - enable Xephyr X11 server. The window size is 800x600.\n\n"); - printf(" --x11=xorg - enable X11 security extension.\n\n"); - printf(" --x11=xpra - enable Xpra X11 server.\n\n"); - printf(" --zsh - use /usr/bin/zsh as default shell.\n\n"); - printf("\n"); - printf("\n"); - - -#ifdef HAVE_NETWORK - printf("Traffic Shaping\n\n"); - - printf("Network bandwidth is an expensive resource shared among all sandboxes\n"); - printf("running on a system. Traffic shaping allows the user to increase network\n"); - printf("performance by controlling the amount of data that flows into and out of the\n"); - printf("sandboxes. Firejail implements a simple rate-limiting shaper based on Linux\n"); - printf("command tc. 
The shaper works at sandbox level, and can be used only for\n"); - printf("sandboxes configured with new network namespaces.\n\n"); - - printf("Set rate-limits:\n"); - printf(" firejail --bandwidth={name|pid} set network-name down-speed up-speed\n\n"); - printf("Clear rate-limits:\n"); - printf(" firejail --bandwidth={name|pid} clear network-name\n\n"); - printf("Status:\n"); - printf(" firejail --bandwidth={name|pid} status\n\n"); - printf("where:\n"); - printf(" name - sandbox name\n"); - printf(" pid - sandbox pid\n"); - printf(" network-name - network name as used by --net option\n"); - printf(" down-speed - download speed in KB/s (decimal kilobyte per second)\n"); - printf(" up-speed - upload speed in KB/s (decimal kilobyte per second)\n"); - printf("\n"); - printf("Example:\n"); - printf(" $ firejail --name=mybrowser --net=eth0 firefox &\n"); - printf(" $ firejail --bandwidth=mybrowser set eth0 80 20\n"); - printf(" $ firejail --bandwidth=mybrowser status\n"); - printf(" $ firejail --bandwidth=mybrowser clear eth0\n"); - printf("\n"); - printf("\n"); -#endif - - printf("Audit\n\n"); - printf("Audit feature allows the user to point out gaps in security profiles. The\n"); - printf("implementation replaces the program to be sandboxed with a test program. By\n"); - printf("default, we use faudit program distributed with Firejail. A custom test program\n"); - printf("can also be supplied by the user. Examples:\n\n"); - printf("Running the default audit program:\n"); - printf(" $ firejail --audit transmission-gtk\n\n"); - printf("Running a custom audit program:\n"); - printf(" $ firejail --audit=~/sandbox-test transmission-gtk\n\n"); - printf("In the examples above, the sandbox configures transmission-gtk profile and\n"); - printf("starts the test program. The real program, transmission-gtk, will not be\n"); - printf("started.\n\n\n"); - - printf("Monitoring\n\n"); - - printf("Option --list prints a list of all sandboxes. 
The format for each entry is as\n"); - printf("follows:\n\n"); - printf(" PID:USER:Command\n\n"); - - printf("Option --tree prints the tree of processes running in the sandbox. The format\n"); - printf("for each process entry is as follows:\n\n"); - printf(" PID:USER:Command\n\n"); - - printf("Option --top is similar to the UNIX top command, however it applies only to\n"); - printf("sandboxes. Listed below are the available fields (columns) in alphabetical\n"); - printf("order:\n\n"); - printf(" Command - command used to start the sandbox.\n"); - printf(" CPU%% - CPU usage, the sandbox share of the elapsed CPU time since the\n"); - printf("\tlast screen update\n"); - printf(" PID - Unique process ID for the task controlling the sandbox.\n"); - printf(" Prcs - number of processes running in sandbox, including the controlling\n"); - printf("\tprocess.\n"); - printf(" RES - Resident Memory Size (KiB), sandbox non-swapped physical memory.\n"); - printf("\tIt is a sum of the RES values for all processes running in the\n"); - printf("\tsandbox.\n"); - printf(" SHR - Shared Memory Size (KiB), it reflects memory shared with other\n"); - printf("\tprocesses. It is a sum of the SHR values for all processes running\n"); - printf("\tin the sandbox, including the controlling process.\n"); - printf(" Uptime - sandbox running time in hours:minutes:seconds format.\n"); - printf(" User - The owner of the sandbox.\n"); - printf("\n"); - printf("\n"); - printf("Profile files\n\n"); - printf("Several command line configuration options can be passed to the program using\n"); - printf("profile files. Default Firejail profile files are stored in /etc/firejail\n"); - printf("directory, user profile files are stored in ~/.config/firejail directory. 
See\n"); - printf("man 5 firejail-profile for more information.\n\n"); - printf("\n"); - printf("Restricted shell\n\n"); - printf("To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in\n"); - printf("/etc/passwd file for each user that needs to be restricted.\n"); - printf("Alternatively, you can specify /usr/bin/firejail in adduser command:\n\n"); - printf(" adduser --shell /usr/bin/firejail username\n\n"); - printf("Arguments to be passed to firejail executable upon login are declared in\n"); - printf("/etc/firejail/login.users file.\n\n"); + printf("\tattempt to use X11 security extension.\n"); + printf(" --x11=none - disable access to X11 sockets.\n"); + printf(" --x11=xephyr - enable Xephyr X11 server. The window size is 800x600.\n"); + printf(" --x11=xorg - enable X11 security extension.\n"); + printf(" --x11=xpra - enable Xpra X11 server.\n"); + printf(" --zsh - use /usr/bin/zsh as default shell.\n"); printf("\n"); - printf("Examples:\n\n"); - printf(" $ firejail\n"); - printf("\tstart a regular /bin/bash session in sandbox\n"); + printf("Examples:\n"); printf(" $ firejail firefox\n"); printf("\tstart Mozilla Firefox\n"); printf(" $ firejail --debug firefox\n"); printf("\tdebug Firefox sandbox\n"); - printf(" $ firejail --private firefox\n"); - printf("\tstart Firefox with a new, empty home directory\n"); - printf(" $ firejail --net=br0 ip=10.10.20.10\n"); - printf("\tstart a /bin/bash session in a new network namespace; the session is\n"); - printf("\tconnected to the main network using br0 bridge device, an IP address\n"); - printf("\tof 10.10.20.10 is assigned to the sandbox\n"); - printf(" $ firejail --net=br0 --net=br1 --net=br2\n"); - printf("\tstart a /bin/bash session in a new network namespace and connect it\n"); - printf("\tto br0, br1, and br2 host bridge devices\n"); + printf(" $ firejail --private --sna=8.8.8.8 firefox\n"); + printf("\tstart Firefox with a new, empty home directory, and a well-known DNS\n"); + 
printf("\tserver setting.\n"); + printf(" $ firejail --net=eth0 firefox\n"); + printf("\tstart Firefox in a new network namespace\n"); + printf(" $ firejail --x11=xorg firefox\n"); + printf("\tstart Firefox and sandbox X11\n"); printf(" $ firejail --list\n"); printf("\tlist all running sandboxes\n"); printf("\n"); -- cgit v1.2.3-70-g09d2 From 7165f68e3430ccce0bfa0618200310db19e69d30 Mon Sep 17 00:00:00 2001 From: valoq Date: Thu, 3 Nov 2016 23:51:36 +0100 Subject: private-tmp changes --- etc/deluge.profile | 3 +-- etc/evince.profile | 4 ++++ etc/fbreader.profile | 3 +-- etc/feh.profile | 2 +- etc/filezilla.profile | 3 +-- etc/firefox.profile | 6 +++++- etc/gthumb.profile | 2 +- etc/mupdf.profile | 4 ++++ etc/pix.profile | 2 +- etc/qbittorrent.profile | 3 +-- etc/rtorrent.profile | 2 +- etc/transmission-gtk.profile | 3 +-- etc/transmission-qt.profile | 3 +-- etc/uget-gtk.profile | 2 +- etc/wesnoth.profile | 3 +-- etc/zathura.profile | 3 ++- src/man/firejail-profile.txt | 2 +- src/man/firejail.txt | 2 +- 18 files changed, 29 insertions(+), 23 deletions(-) diff --git a/etc/deluge.profile b/etc/deluge.profile index 8fde9acf9..b82bd4936 100644 --- a/etc/deluge.profile +++ b/etc/deluge.profile @@ -15,7 +15,6 @@ seccomp shell none private-bin deluge,sh,python,uname -whitelist /tmp/.X11-unix private-dev -nosound +private-tmp diff --git a/etc/evince.profile b/etc/evince.profile index 894c7c70d..9a9113c70 100644 --- a/etc/evince.profile +++ b/etc/evince.profile @@ -5,6 +5,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +netfilter +net none nogroups nonewprivs noroot @@ -16,3 +18,5 @@ tracelog private-bin evince,evince-previewer,evince-thumbnailer private-dev +private-etc fonts +private-tmp \ No newline at end of file diff --git a/etc/fbreader.profile b/etc/fbreader.profile index de31ce8de..ec098d5fe 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile 
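Review bot: The `-nosound` line removes the sound restriction from deluge.profile, which the commit title (private-tmp changes) does not cover; the fbreader.profile hunk does the same. Unless `nosound` is already set earlier in these profiles, which the hunks do not show, a torrent client and an e-book reader regain access to the sound system for no stated reason. I would keep the line `nosound` directly above `private-tmp`, or move its removal into a separate commit that explains it.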
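Review bot: `netfilter` is added together with `net none` in the first evince.profile hunk, and `net none` is placed next to an existing `netfilter` in the mupdf.profile and zathura.profile hunks. The help text on this page describes `--net=none` as a new, unconnected network namespace, so the default client filter presumably has no traffic to act on, and the pair suggests the viewer still has a network. Keeping only `net none`, with a comment such as `# document viewer: no network access needed`, would state the intent. How firejail treats the two options together should be confirmed.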
@@ -16,6 +16,5 @@ seccomp shell none private-bin fbreader,FBReader -whitelist /tmp/.X11-unix private-dev -nosound +private-tmp diff --git a/etc/feh.profile b/etc/feh.profile index e3b1ec528..2812effc9 100644 --- a/etc/feh.profile +++ b/etc/feh.profile @@ -16,6 +16,6 @@ seccomp shell none private-bin feh -whitelist /tmp/.X11-unix private-dev private-etc feh +private-tmp \ No newline at end of file diff --git a/etc/filezilla.profile b/etc/filezilla.profile index fe1d9d20d..a40fceec1 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile @@ -17,5 +17,4 @@ shell none private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp private-dev - -whitelist /tmp/.X11-unix +private-tmp diff --git a/etc/firefox.profile b/etc/firefox.profile index 170d0fe10..7875ca6b9 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile @@ -47,4 +47,8 @@ whitelist ~/.config/pipelight-silverlight5.1 include /etc/firejail/whitelist-common.inc # experimental features -#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse + +private-bin firefox,which,sh,dbus-launch,dbus-send,env +private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse +private-dev +private-tmp diff --git a/etc/gthumb.profile b/etc/gthumb.profile index 3ffd10add..055d78935 100644 --- a/etc/gthumb.profile +++ b/etc/gthumb.profile @@ -17,5 +17,5 @@ shell none tracelog private-bin gthumb -whitelist /tmp/.X11-unix private-dev +private-tmp \ No newline at end of file diff --git a/etc/mupdf.profile b/etc/mupdf.profile index d1a157c3c..65e6a8978 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile 
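Review bot: The four new restrictions in firefox.profile are switched on under the existing `# experimental features` heading, so every Firefox user gets them by default while the profile still labels them experimental. The device list in the `--private-dev` help text on this page contains no video device, so `private-dev` presumably hides capture devices from the browser. The active `private-etc` list also drops `iceweasel` and `adobe`, which the previously commented list had. I would leave the lines commented out as before, or replace the heading with a comment per line, e.g. `# private-dev: only the basic device nodes are visible in the sandbox`.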
@@ -12,12 +12,16 @@ nosound protocol unix seccomp netfilter +net none shell none tracelog +seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev + private-bin mupdf private-tmp private-dev +private-etc fonts # mupdf will never write anything read-only ${HOME} diff --git a/etc/pix.profile b/etc/pix.profile index e21ddadc6..dc8192b01 100644 --- a/etc/pix.profile +++ b/etc/pix.profile @@ -18,5 +18,5 @@ shell none tracelog private-bin pix -whitelist /tmp/.X11-unix private-dev +private-tmp \ No newline at end of file diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index 67829c9ca..89e0e4c78 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile @@ -16,5 +16,4 @@ seccomp #shell none #private-bin qbittorrent private-dev - -whitelist /tmp/.X11-unix +private-tmp diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index 1226a51cd..55bfcd77f 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile @@ -14,5 +14,5 @@ seccomp shell none private-bin rtorrent -whitelist /tmp/.X11-unix private-dev +private-tmp \ No newline at end of file diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index 316cdfec6..fa54ea81b 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile @@ -19,5 +19,4 @@ tracelog private-bin transmission-gtk private-dev - -whitelist /tmp/.X11-unix +private-tmp diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index 51c58e224..100fadc27 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile 
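Review bot: The new `seccomp.keep` line sits in a profile that already has `seccomp` (the context line at the top of the hunk), so mupdf.profile asks for both the default blacklist and a whitelist, and nothing in the hunk says which one is meant to apply. The whitelist also looks broader than a PDF viewer under `net none` needs (`execve`, `clone`, `unshare`, `setresuid`, `setresgid`, `fchown`) and is tied to one platform through `arch_prctl`, so it may stop mupdf on another architecture or after a C library update. I would either drop the line and rely on `seccomp`, or keep it with a comment such as `# syscall whitelist is platform-specific (arch_prctl); re-check after libc updates`.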
@@ -19,5 +19,4 @@ tracelog private-bin transmission-qt private-dev - -whitelist /tmp/.X11-unix +private-tmp diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile index f42e6c69a..3ba28f772 100644 --- a/etc/uget-gtk.profile +++ b/etc/uget-gtk.profile @@ -16,8 +16,8 @@ shell none private-bin uget-gtk private-dev +private-tmp -whitelist /tmp/.X11-unix whitelist ${DOWNLOADS} mkdir ~/.config/uGet whitelist ~/.config/uGet diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile index 2ddb59d11..bb489ddeb 100644 --- a/etc/wesnoth.profile +++ b/etc/wesnoth.profile @@ -15,8 +15,7 @@ protocol unix,inet,inet6 seccomp private-dev - -whitelist /tmp/.X11-unix +private-tmp mkdir ${HOME}/.local/share/wesnoth mkdir ${HOME}/.config/wesnoth diff --git a/etc/zathura.profile b/etc/zathura.profile index 99a8ea90d..6c93a2480 100644 --- a/etc/zathura.profile +++ b/etc/zathura.profile @@ -8,6 +8,7 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter +net none nogroups nonewprivs noroot @@ -19,7 +20,7 @@ protocol unix private-bin zathura private-dev private-etc fonts -whitelist /tmp/.X11-unix +private-tmp read-only ~/ read-write ~/.local/share/zathura/ diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 09dc46bbc..d6113218c 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -200,7 +200,7 @@ filesystem, and copy the files and directories in the list. All modifications are discarded when the sandbox is closed. .TP \fBprivate-tmp -Mount an empty temporary filesystem on top of /tmp directory. +Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix. .TP \fBread-only file_or_directory Make directory or file read-only. diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 666a6a8ef..74e8ef4fe 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
@@ -1180,7 +1180,7 @@ nsswitch.conf,passwd,resolv.conf .TP \fB\-\-private-tmp -Mount an empty temporary filesystem on top of /tmp directory. +Mount an empty filesystem on top of /tmp directory whitelisting /tmp/.X11-unix. .br .br -- cgit v1.2.3-70-g09d2 From 5cf192650bd91e0afaee7a9f857159ba35bb37c8 Mon Sep 17 00:00:00 2001 From: valoq Date: Fri, 4 Nov 2016 00:10:33 +0100 Subject: fixed typo --- src/man/firejail.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 74e8ef4fe..bb9ae270c 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -1180,7 +1180,7 @@ nsswitch.conf,passwd,resolv.conf .TP \fB\-\-private-tmp -Mount an empty filesystem on top of /tmp directory whitelisting /tmp/.X11-unix. +Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix. .br .br -- cgit v1.2.3-70-g09d2 From 72bc0e145c67da24e555d868086953148c52b5fc Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 4 Nov 2016 09:12:52 -0400 Subject: execv fixes --- src/firejail/x11.c | 48 +++++++++++++++++++++++++++++++++++++----------- 1 file changed, 37 insertions(+), 11 deletions(-) diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 6cba95501..ecab8880a 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c @@ -312,6 +312,7 @@ void x11_start_xephyr(int argc, char **argv) { if (arg_debug) printf("Starting xephyr...\n"); + // running without privileges - see drop_privs call above assert(getenv("LD_PRELOAD") == NULL); execvp(server_argv[0], server_argv); perror("execvp"); @@ -354,6 +355,7 @@ void x11_start_xephyr(int argc, char **argv) { if (!arg_quiet) printf("\n*** Attaching to Xephyr display %d ***\n\n", display); + // running without privileges - see drop_privs call above assert(getenv("LD_PRELOAD") == NULL); execvp(jail_argv[0], jail_argv); perror("execvp"); 
@@ -434,6 +436,7 @@ void x11_start_xpra(int argc, char **argv) { dup2(fd_null,2); } + // running without privileges - see drop_privs call above assert(getenv("LD_PRELOAD") == NULL); execvp(server_argv[0], server_argv); perror("execvp"); @@ -481,6 +484,7 @@ void x11_start_xpra(int argc, char **argv) { if (!arg_quiet) printf("\n*** Attaching to xpra display %d ***\n\n", display); + // running without privileges - see drop_privs call above assert(getenv("LD_PRELOAD") == NULL); execvp(attach_argv[0], attach_argv); perror("execvp"); @@ -512,6 +516,7 @@ void x11_start_xpra(int argc, char **argv) { if (jail < 0) errExit("fork"); if (jail == 0) { + // running without privileges - see drop_privs call above assert(getenv("LD_PRELOAD") == NULL); if (firejail_argv[0]) // shut up llvm scan-build execvp(firejail_argv[0], firejail_argv); @@ -539,6 +544,7 @@ void x11_start_xpra(int argc, char **argv) { dup2(fd_null,1); dup2(fd_null,2); } + // running without privileges - see drop_privs call above assert(getenv("LD_PRELOAD") == NULL); execvp(stop_argv[0], stop_argv); perror("execvp"); @@ -638,7 +644,7 @@ void x11_block(void) { void x11_xorg(void) { #ifdef HAVE_X11 - // destination + // destination - create an empty ~/.Xauthotrity file if it doesn't exist already, and use it as a mount point char *dest; if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1) errExit("asprintf"); 
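Review bot: The rewritten comment in x11_xorg misspells the file name as `~/.Xauthotrity`; it should read `// destination - create an empty ~/.Xauthority file if it doesn't exist already, and use it as a mount point`. The comment is the only place in the hunk that explains why the file is created, so the spelling matters for anyone searching the source for `.Xauthority`. x11_xorg continues outside this hunk.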
@@ -652,47 +658,67 @@ void x11_xorg(void) { fclose(fp); } + // check xauth utility is present in the system if (stat("/usr/bin/xauth", &s) == -1) { fprintf(stderr, "Error: cannot find /usr/bin/xauth executable\n"); exit(1); } + // create a temporary .Xauthority file + char tmpfname[] = "/tmp/.tmpXauth-XXXXXX"; + int fd = mkstemp(tmpfname); + if (fd == -1) { + fprintf(stderr, "Error: cannot create .Xauthority file\n"); + exit(1); + } + close(fd); + if (chown(tmpfname, getuid(), getgid()) == -1) + errExit("chown"); + pid_t child = fork(); if (child < 0) errExit("fork"); if (child == 0) { - // generate a new .Xauthority file + // generate the new .Xauthority file using xauth utility if (arg_debug) printf("Generating a new .Xauthority file\n"); - - // elevate privileges - files in /run/firejail/mnt directory belong to root - if (setreuid(0, 0) < 0) - errExit("setreuid"); - if (setregid(0, 0) < 0) - errExit("setregid"); + drop_privs(1); char *display = getenv("DISPLAY"); if (!display) display = ":0.0"; - assert(getenv("LD_PRELOAD") == NULL); - execlp("/usr/bin/xauth", "/usr/bin/xauth", "-f", RUN_XAUTHORITY_SEC_FILE, + clearenv(); + execlp("/usr/bin/xauth", "/usr/bin/xauth", "-f", tmpfname, "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL); _exit(0); } + // wait for the child to finish waitpid(child, NULL, 0); // check the file was created and set mode and ownership - if (stat(RUN_XAUTHORITY_SEC_FILE, &s) == -1) { + if (stat(tmpfname, &s) == -1) { fprintf(stderr, "Error: cannot create the new .Xauthority file\n"); exit(1); } + if (chown(tmpfname, getuid(), getgid()) == -1) + errExit("chown"); + if (chmod(tmpfname, 0600) == -1) + errExit("chmod"); + + // move the temporary file in RUN_XAUTHORITY_SEC_FILE in order to have it deleted + // automatically when the sandbox is closed + if (copy_file(tmpfname, RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600)) { + fprintf(stderr, "asdfdsfError: cannot create the new .Xauthority file\n"); + exit(1); + } if 
(chown(RUN_XAUTHORITY_SEC_FILE, getuid(), getgid()) == -1) errExit("chown"); if (chmod(RUN_XAUTHORITY_SEC_FILE, 0600) == -1) errExit("chmod"); + unlink(tmpfname); // mount if (mount(RUN_XAUTHORITY_SEC_FILE, dest, "none", MS_BIND, "mode=0600") == -1) { -- cgit v1.2.3-70-g09d2 From 15298f20afeaff362c74e8ad7e66338f442cf441 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 4 Nov 2016 10:06:21 -0400 Subject: execv fixes --- src/firejail/bandwidth.c | 2 +- src/firejail/fs_bin.c | 2 +- src/firejail/fs_etc.c | 2 +- src/firejail/netfilter.c | 8 +++----- src/firejail/sbox.c | 2 +- 5 files changed, 7 insertions(+), 9 deletions(-) diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c index ab9714afe..512cc0b05 100644 --- a/src/firejail/bandwidth.c +++ b/src/firejail/bandwidth.c @@ -462,7 +462,7 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in arg[1] = "-c"; arg[2] = cmd; arg[3] = NULL; - assert(getenv("LD_PRELOAD") == NULL); + clearenv(); execvp(arg[0], arg); // it will never get here diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index d6fee0608..a3576e7c4 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c @@ -191,7 +191,7 @@ static void duplicate(char *fname) { char *f; if (asprintf(&f, "%s/%s", RUN_BIN_DIR, fname) == -1) errExit("asprintf"); - assert(getenv("LD_PRELOAD") == NULL); + clearenv(); execlp(RUN_CP_COMMAND, RUN_CP_COMMAND, "-a", actual_path, f, NULL); perror("execlp"); _exit(1); diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index 4f3417236..830de7c9f 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c @@ -105,7 +105,7 @@ static void duplicate(char *fname) { char *f; if (asprintf(&f, "/etc/%s", fname) == -1) errExit("asprintf"); - assert(getenv("LD_PRELOAD") == NULL); + clearenv(); execlp(RUN_CP_COMMAND, RUN_CP_COMMAND, "-a", "--parents", f, RUN_MNT_DIR, NULL); perror("execlp"); _exit(1); 
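Review bot: After the child has run xauth as the user, the parent goes back to `tmpfname` by name (`stat`, `chown`, `chmod`, `copy_file`), although the file lives in /tmp and belongs to the user, so the name is no longer guaranteed to refer to the file `mkstemp` created; if the parent still holds root privileges at this point, as the copy into RUN_XAUTHORITY_SEC_FILE suggests, these calls should act on a descriptor opened with `O_NOFOLLOW` and checked with `fstat`. The `stat` check is also vacuous now, because `mkstemp` has already created the file, and the child ends with `_exit(0)` even when `execlp` fails, so a failed xauth run yields an empty cookie file that is copied and mounted. The error string `asdfdsfError: cannot create the new .Xauthority file` carries leftover debugging text. `copy_file` takes a path in this hunk, so the copy itself would need to read from the checked descriptor or run with the user's privileges; x11_xorg starts and ends outside the hunk.

```c
		execlp("/usr/bin/xauth", "/usr/bin/xauth", "-f", tmpfname,
			"generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL);
		perror("execlp");
		_exit(1);	// report the failed exec instead of exiting with 0
	}

	// wait for the child and require a clean exit
	int status;
	if (waitpid(child, &status, 0) == -1 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) {
		fprintf(stderr, "Error: xauth could not generate the new .Xauthority file\n");
		unlink(tmpfname);
		exit(1);
	}

	// the name is in /tmp and belongs to the user: accept only a non-empty
	// regular file owned by the user, and check the descriptor, not the name
	int tfd = open(tmpfname, O_RDONLY | O_NOFOLLOW);
	if (tfd == -1 || fstat(tfd, &s) == -1 || !S_ISREG(s.st_mode) ||
	    s.st_uid != getuid() || s.st_size == 0) {
		fprintf(stderr, "Error: cannot create the new .Xauthority file\n");
		unlink(tmpfname);
		exit(1);
	}
	// … replaces: stat/chown/chmod on tmpfname by name; the copy reads from tfd …
	// … unchanged: chown/chmod of RUN_XAUTHORITY_SEC_FILE, unlink(tmpfname), mount …
```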
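Review bot: The return value of `clearenv()` is ignored in this bandwidth.c hunk and in the fs_bin.c, fs_etc.c, netfilter.c and sbox.c hunks, so if the call ever fails the exec proceeds with the caller's environment, and nothing checks `LD_PRELOAD` any more because the assert was removed in the same change. `if (clearenv() != 0) errExit("clearenv");` keeps the guarantee explicit. With `PATH` gone, `execvp` and `execlp` fall back to the C library's default search path, so `arg[0]` (set outside this hunk) and any command inside `cmd` are presumably best given as absolute paths.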
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c index efef45d90..1df4b7a0f 100644 --- a/src/firejail/netfilter.c +++ b/src/firejail/netfilter.c @@ -143,8 +143,7 @@ void netfilter(const char *fname) { dup2(fd,STDIN_FILENO); // wipe out environment variables - environ = NULL; - assert(getenv("LD_PRELOAD") == NULL); + clearenv(); execl(iptables_restore, iptables_restore, NULL); perror("execl"); _exit(1); @@ -258,8 +257,7 @@ void netfilter6(const char *fname) { dup2(fd,STDIN_FILENO); // wipe out environment variables - environ = NULL; - assert(getenv("LD_PRELOAD") == NULL); + clearenv(); execl(ip6tables_restore, ip6tables_restore, NULL); perror("execl"); _exit(1); @@ -273,7 +271,7 @@ void netfilter6(const char *fname) { if (child < 0) errExit("fork"); if (child == 0) { - environ = NULL; + clearenv(); execl(ip6tables, ip6tables, "-vL", NULL); perror("execl"); _exit(1); diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index a5a067090..65ca5c443 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c @@ -165,7 +165,7 @@ int sbox_run(unsigned filter, int num, ...) { else if (filter & SBOX_USER) drop_privs(1); - assert(getenv("LD_PRELOAD") == NULL); + clearenv(); if (arg[0]) // get rid of scan-build warning execvp(arg[0], arg); else -- cgit v1.2.3-70-g09d2 From 562c966460a554f16cded0294f41e42ad9226ff8 Mon Sep 17 00:00:00 2001 From: BogDan Vatra Date: Sat, 5 Nov 2016 08:04:19 +0200 Subject: Added profile for zoom.us messanger Check https://zoom.us for more info --- etc/zoom.profile | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 etc/zoom.profile diff --git a/etc/zoom.profile b/etc/zoom.profile new file mode 100644 index 000000000..f5831dd88 --- /dev/null +++ b/etc/zoom.profile 
@@ -0,0 +1,23 @@ +# Firejail profile for zoom.us + +noblacklist ~/.config/zoomus.conf + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc + + +# Whitelists + +mkdir ~/.zoom +whitelist ~/.zoom + + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp + +private-tmp -- cgit v1.2.3-70-g09d2 From d43eb028d90d3417a70e9a5eb5e44ea3e3faa5a0 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 5 Nov 2016 09:44:50 -0400 Subject: profile fixes --- README | 4 ++++ README.md | 2 +- etc/evince.profile | 2 +- etc/firefox.profile | 3 +-- etc/mupdf.profile | 2 +- platform/debian/conffiles | 1 + 6 files changed, 9 insertions(+), 5 deletions(-) diff --git a/README b/README index 50bc00099..7599f4cf1 100644 --- a/README +++ b/README @@ -80,6 +80,8 @@ Fred-Barclay (https://github.com/Fred-Barclay) - evince profile enhancement - tightened Spotify profile - added xiphos and Tor Browser Bundle profiles +BogDan Vatra (https://github.com/bog-dan-ro) + - zoom profile Impyy (https://github.com/Impyy) - added mumble profile valoq (https://github.com/valoq) @@ -88,6 +90,8 @@ valoq (https://github.com/valoq) - added support for /srv in --whitelist feature - Eye of GNOME, Evolution, display (imagemagik) and Wire profiles - blacklist suid binaries in disable-common.inc + - fix man pages + - various profile improvements Vadim A. Misbakh-Soloviov (https://github.com/msva) - profile fixes Rafael Cavalcanti (https://github.com/rccavalcanti) diff --git a/README.md b/README.md index c6484d3b7..931b27ef3 100644 --- a/README.md +++ b/README.md @@ -52,5 +52,5 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is ````` ## New Profiles -xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble +xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom diff --git a/etc/evince.profile b/etc/evince.profile index 9a9113c70..cbb2083f4 100644 --- a/etc/evince.profile 
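Review bot: `noblacklist ~/.config/zoomus.conf` lifts a blacklist rule, but the only path this new profile whitelists is `~/.zoom`, so, assuming home-directory whitelisting hides everything that is not listed, the configuration file would be neither visible nor persistent inside the sandbox. If zoom needs the file, add `whitelist ~/.config/zoomus.conf` under the `# Whitelists` heading; if it does not, the `noblacklist` line can be dropped. A one-line comment at the top saying which zoom version and install path the profile was tested with would also help the next maintainer.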
+++ b/etc/evince.profile @@ -6,7 +6,7 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter -net none +#net none - creates some problems on some distributions nogroups nonewprivs noroot diff --git a/etc/firefox.profile b/etc/firefox.profile index 7875ca6b9..3fb56fd0e 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile @@ -47,8 +47,7 @@ whitelist ~/.config/pipelight-silverlight5.1 include /etc/firejail/whitelist-common.inc # experimental features - -private-bin firefox,which,sh,dbus-launch,dbus-send,env +#private-bin firefox,which,sh,dbus-launch,dbus-send,env private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse private-dev private-tmp diff --git a/etc/mupdf.profile b/etc/mupdf.profile index 65e6a8978..e022866e8 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile @@ -16,7 +16,7 @@ net none shell none tracelog -seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev +#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev private-bin mupdf private-tmp diff --git a/platform/debian/conffiles b/platform/debian/conffiles index df660ab4f..ae8db5a67 100644 --- a/platform/debian/conffiles 
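Review bot: In mupdf.profile the `seccomp.keep` whitelist is commented out with no reason given and no replacement in the hunk, so unless a `seccomp` line exists above line 16 of the file the profile now starts mupdf with no syscall filter at all. I would add the default filter as a fallback, `seccomp`, together with a comment recording why the whitelist was disabled, in the way the evince hunk does for `#net none - creates some problems on some distributions`. The firefox.profile hunk has the same gap: `private-bin` is disabled under `# experimental features` without saying what broke.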
+++ b/platform/debian/conffiles @@ -171,3 +171,4 @@ /etc/firejail/display.profile /etc/firejail/Wire.profile /etc/firejail/mumble.profile +/etc/firejail/zoom.profile -- cgit v1.2.3-70-g09d2 From 646d046c4c42004f007ad1bce1a94e1633e7c57f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 6 Nov 2016 08:13:44 -0500 Subject: cleanup --- etc/firefox.profile | 2 +- src/firejail/sbox.c | 15 +++++++++++++++ src/fnet/Makefile.in | 4 ++-- src/fseccomp/Makefile.in | 4 ++-- 4 files changed, 20 insertions(+), 5 deletions(-) diff --git a/etc/firefox.profile b/etc/firefox.profile index 3fb56fd0e..7862bd010 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile @@ -48,6 +48,6 @@ include /etc/firejail/whitelist-common.inc # experimental features #private-bin firefox,which,sh,dbus-launch,dbus-send,env -private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse +#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse private-dev private-tmp diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index 65ca5c443..b16736dee 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c @@ -136,6 +136,21 @@ int sbox_run(unsigned filter, int num, ...) { if (child < 0) errExit("fork"); if (child == 0) { + // clean the new process + clearenv(); + int max = 20; // getdtablesize() is overkill for a firejail process + for (i = 3; i < max; i++) + close(i); // close open files + int fd = open("/dev/null",O_RDWR, 0); + if (fd != -1) { + dup2 (fd, STDIN_FILENO); + if (fd > 2) + close (fd); + } + else // the user could run the sandbox without /dev/null + close(STDIN_FILENO); + umask(027); + // apply filters if (filter & SBOX_CAPS_NONE) { caps_drop_all(); diff --git a/src/fnet/Makefile.in b/src/fnet/Makefile.in index b515d2333..bba4406d4 100644 --- a/src/fnet/Makefile.in +++ b/src/fnet/Makefile.in 
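Review bot: The descriptor cleanup added to the child branch of sbox_run() stops at a fixed `max = 20`, so any descriptor numbered 20 or higher that the parent holds at fork time is inherited by the helper that is executed afterwards. Whether firejail can hold that many descriptors at this point is not visible in the hunk; `int max = getdtablesize();`, or opening the descriptors close-on-exec in the first place, removes the assumption. In the `else` branch, `close(STDIN_FILENO)` leaves descriptor 0 unallocated, so the first file the helper opens becomes its standard input; if a missing /dev/null really has to be tolerated, the comment should say why that is acceptable for every helper. The result of `dup2` is ignored as well. sbox_run() begins and ends outside the hunk.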
@@ -33,8 +33,8 @@ LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/libnetlink.h $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ -fnet: $(OBJS) ../lib/libnetlink.o ../lib/common.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS) +fnet: $(OBJS) ../lib/libnetlink.o + $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o $(LIBS) clean:; rm -f *.o fnet diff --git a/src/fseccomp/Makefile.in b/src/fseccomp/Makefile.in index 110d2c95f..1878ad2f3 100644 --- a/src/fseccomp/Makefile.in +++ b/src/fseccomp/Makefile.in @@ -33,8 +33,8 @@ LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ -fseccomp: $(OBJS) ../lib/libnetlink.o ../lib/common.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) +fseccomp: $(OBJS) + $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) clean:; rm -f *.o fseccomp -- cgit v1.2.3-70-g09d2 From 322ce2cdc98cf3eec22ebd0f83296ddde8347d09 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 6 Nov 2016 13:14:53 -0500 Subject: seccomp rework --- src/firejail/errno.c | 207 ----------------------------------------- src/firejail/firejail.h | 3 +- src/firejail/main.c | 56 +---------- src/firejail/profile.c | 16 +--- src/firejail/sandbox.c | 2 - src/firejail/seccomp.c | 72 ++++++-------- src/fseccomp/main.c | 2 +- src/fseccomp/protocol.c | 2 +- src/fseccomp/syscall.c | 87 ++++++++++++----- test/filters/seccomp-errno.exp | 44 +-------- 10 files changed, 106 insertions(+), 385 deletions(-) delete mode 100644 src/firejail/errno.c diff --git a/src/firejail/errno.c b/src/firejail/errno.c deleted file mode 100644 index 8215c99a1..000000000 --- a/src/firejail/errno.c +++ /dev/null 
@@ -1,207 +0,0 @@ -/* - * Copyright (C) 2014-2016 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ -#ifdef HAVE_SECCOMP -#include "firejail.h" -#include -//#include - -typedef struct { - char *name; - int nr; -} ErrnoEntry; - -static ErrnoEntry errnolist[] = { -// -// code generated using tools/extract-errnos -// - {"EPERM", EPERM}, - {"ENOENT", ENOENT}, - {"ESRCH", ESRCH}, - {"EINTR", EINTR}, - {"EIO", EIO}, - {"ENXIO", ENXIO}, - {"E2BIG", E2BIG}, - {"ENOEXEC", ENOEXEC}, - {"EBADF", EBADF}, - {"ECHILD", ECHILD}, - {"EAGAIN", EAGAIN}, - {"ENOMEM", ENOMEM}, - {"EACCES", EACCES}, - {"EFAULT", EFAULT}, - {"ENOTBLK", ENOTBLK}, - {"EBUSY", EBUSY}, - {"EEXIST", EEXIST}, - {"EXDEV", EXDEV}, - {"ENODEV", ENODEV}, - {"ENOTDIR", ENOTDIR}, - {"EISDIR", EISDIR}, - {"EINVAL", EINVAL}, - {"ENFILE", ENFILE}, - {"EMFILE", EMFILE}, - {"ENOTTY", ENOTTY}, - {"ETXTBSY", ETXTBSY}, - {"EFBIG", EFBIG}, - {"ENOSPC", ENOSPC}, - {"ESPIPE", ESPIPE}, - {"EROFS", EROFS}, - {"EMLINK", EMLINK}, - {"EPIPE", EPIPE}, - {"EDOM", EDOM}, - {"ERANGE", ERANGE}, - {"EDEADLK", EDEADLK}, - {"ENAMETOOLONG", ENAMETOOLONG}, - {"ENOLCK", ENOLCK}, - {"ENOSYS", ENOSYS}, - {"ENOTEMPTY", ENOTEMPTY}, - {"ELOOP", ELOOP}, - {"EWOULDBLOCK", EWOULDBLOCK}, - {"ENOMSG", ENOMSG}, - 
{"EIDRM", EIDRM}, - {"ECHRNG", ECHRNG}, - {"EL2NSYNC", EL2NSYNC}, - {"EL3HLT", EL3HLT}, - {"EL3RST", EL3RST}, - {"ELNRNG", ELNRNG}, - {"EUNATCH", EUNATCH}, - {"ENOCSI", ENOCSI}, - {"EL2HLT", EL2HLT}, - {"EBADE", EBADE}, - {"EBADR", EBADR}, - {"EXFULL", EXFULL}, - {"ENOANO", ENOANO}, - {"EBADRQC", EBADRQC}, - {"EBADSLT", EBADSLT}, - {"EDEADLOCK", EDEADLOCK}, - {"EBFONT", EBFONT}, - {"ENOSTR", ENOSTR}, - {"ENODATA", ENODATA}, - {"ETIME", ETIME}, - {"ENOSR", ENOSR}, - {"ENONET", ENONET}, - {"ENOPKG", ENOPKG}, - {"EREMOTE", EREMOTE}, - {"ENOLINK", ENOLINK}, - {"EADV", EADV}, - {"ESRMNT", ESRMNT}, - {"ECOMM", ECOMM}, - {"EPROTO", EPROTO}, - {"EMULTIHOP", EMULTIHOP}, - {"EDOTDOT", EDOTDOT}, - {"EBADMSG", EBADMSG}, - {"EOVERFLOW", EOVERFLOW}, - {"ENOTUNIQ", ENOTUNIQ}, - {"EBADFD", EBADFD}, - {"EREMCHG", EREMCHG}, - {"ELIBACC", ELIBACC}, - {"ELIBBAD", ELIBBAD}, - {"ELIBSCN", ELIBSCN}, - {"ELIBMAX", ELIBMAX}, - {"ELIBEXEC", ELIBEXEC}, - {"EILSEQ", EILSEQ}, - {"ERESTART", ERESTART}, - {"ESTRPIPE", ESTRPIPE}, - {"EUSERS", EUSERS}, - {"ENOTSOCK", ENOTSOCK}, - {"EDESTADDRREQ", EDESTADDRREQ}, - {"EMSGSIZE", EMSGSIZE}, - {"EPROTOTYPE", EPROTOTYPE}, - {"ENOPROTOOPT", ENOPROTOOPT}, - {"EPROTONOSUPPORT", EPROTONOSUPPORT}, - {"ESOCKTNOSUPPORT", ESOCKTNOSUPPORT}, - {"EOPNOTSUPP", EOPNOTSUPP}, - {"EPFNOSUPPORT", EPFNOSUPPORT}, - {"EAFNOSUPPORT", EAFNOSUPPORT}, - {"EADDRINUSE", EADDRINUSE}, - {"EADDRNOTAVAIL", EADDRNOTAVAIL}, - {"ENETDOWN", ENETDOWN}, - {"ENETUNREACH", ENETUNREACH}, - {"ENETRESET", ENETRESET}, - {"ECONNABORTED", ECONNABORTED}, - {"ECONNRESET", ECONNRESET}, - {"ENOBUFS", ENOBUFS}, - {"EISCONN", EISCONN}, - {"ENOTCONN", ENOTCONN}, - {"ESHUTDOWN", ESHUTDOWN}, - {"ETOOMANYREFS", ETOOMANYREFS}, - {"ETIMEDOUT", ETIMEDOUT}, - {"ECONNREFUSED", ECONNREFUSED}, - {"EHOSTDOWN", EHOSTDOWN}, - {"EHOSTUNREACH", EHOSTUNREACH}, - {"EALREADY", EALREADY}, - {"EINPROGRESS", EINPROGRESS}, - {"ESTALE", ESTALE}, - {"EUCLEAN", EUCLEAN}, - {"ENOTNAM", ENOTNAM}, - {"ENAVAIL", ENAVAIL}, - 
{"EISNAM", EISNAM}, - {"EREMOTEIO", EREMOTEIO}, - {"EDQUOT", EDQUOT}, - {"ENOMEDIUM", ENOMEDIUM}, - {"EMEDIUMTYPE", EMEDIUMTYPE}, - {"ECANCELED", ECANCELED}, - {"ENOKEY", ENOKEY}, - {"EKEYEXPIRED", EKEYEXPIRED}, - {"EKEYREVOKED", EKEYREVOKED}, - {"EKEYREJECTED", EKEYREJECTED}, - {"EOWNERDEAD", EOWNERDEAD}, - {"ENOTRECOVERABLE", ENOTRECOVERABLE}, - {"ERFKILL", ERFKILL}, - {"EHWPOISON", EHWPOISON}, - {"ENOTSUP", ENOTSUP}, -#ifdef ENOATTR - {"ENOATTR", ENOATTR}, -#endif -}; - -int errno_highest_nr(void) { - int i, max = 0; - int elems = sizeof(errnolist) / sizeof(errnolist[0]); - for (i = 0; i < elems; i++) { - if (errnolist[i].nr > max) - max = errnolist[i].nr; - } - - return max; -} - -int errno_find_name(const char *name) { - EUID_ASSERT(); - - int i; - int elems = sizeof(errnolist) / sizeof(errnolist[0]); - for (i = 0; i < elems; i++) { - if (strcasecmp(name, errnolist[i].name) == 0) - return errnolist[i].nr; - } - - return -1; -} - -char *errno_find_nr(int nr) { - int i; - int elems = sizeof(errnolist) / sizeof(errnolist[0]); - for (i = 0; i < elems; i++) { - if (nr == errnolist[i].nr) - return errnolist[i].name; - } - - return "unknown"; -} -#endif // HAVE_SECCOMP diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index cf540ff91..56dbd6868 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -222,7 +222,6 @@ typedef struct config_t { char *seccomp_list;// optional seccomp list on top of default filter char *seccomp_list_drop; // seccomp drop list char *seccomp_list_keep; // seccomp keep list - char **seccomp_list_errno; // seccomp errno[nr] lists char *protocol; // protocol list // rlimits 
@@ -496,12 +495,12 @@ void fs_private_home_list(void); // seccomp.c +char *seccomp_check_list(const char *str); int seccomp_load(const char *fname); void seccomp_filter_32(void); void seccomp_filter_64(void); int seccomp_filter_drop(int enforce_seccomp); int seccomp_filter_keep(void); -int seccomp_filter_errno(void); void seccomp_print_filter_name(const char *name); void seccomp_print_filter(pid_t pid); diff --git a/src/firejail/main.c b/src/firejail/main.c index fc86f9651..b6f3a7f59 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -851,9 +851,6 @@ int main(int argc, char **argv) { int custom_profile = 0; // custom profile loaded char *custom_profile_dir = NULL; // custom profile directory int arg_noprofile = 0; // use default.profile if none other found/specified -#ifdef HAVE_SECCOMP - int highest_errno = errno_highest_nr(); -#endif // build /run/firejail directory structure preproc_build_firejail_dir(); @@ -1155,9 +1152,7 @@ int main(int argc, char **argv) { exit(1); } arg_seccomp = 1; - cfg.seccomp_list = strdup(argv[i] + 10); - if (!cfg.seccomp_list) - errExit("strdup"); + cfg.seccomp_list = seccomp_check_list(argv[i] + 10); } else { fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); @@ -1171,9 +1166,7 @@ int main(int argc, char **argv) { exit(1); } arg_seccomp = 1; - cfg.seccomp_list_drop = strdup(argv[i] + 15); - if (!cfg.seccomp_list_drop) - errExit("strdup"); + cfg.seccomp_list_drop = seccomp_check_list(argv[i] + 15); } else { fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); 
@@ -1187,43 +1180,7 @@ int main(int argc, char **argv) { exit(1); } arg_seccomp = 1; - cfg.seccomp_list_keep = strdup(argv[i] + 15); - if (!cfg.seccomp_list_keep) - errExit("strdup"); - } - else { - fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); - exit(1); - } - } - else if (strncmp(argv[i], "--seccomp.e", 11) == 0 && strchr(argv[i], '=')) { - if (checkcfg(CFG_SECCOMP)) { - if (arg_seccomp && !cfg.seccomp_list_errno) { - fprintf(stderr, "Error: seccomp already enabled\n"); - exit(1); - } - char *eq = strchr(argv[i], '='); - char *errnoname = strndup(argv[i] + 10, eq - (argv[i] + 10)); - int nr = errno_find_name(errnoname); - if (nr == -1) { - fprintf(stderr, "Error: unknown errno %s\n", errnoname); - free(errnoname); - exit(1); - } - - if (!cfg.seccomp_list_errno) - cfg.seccomp_list_errno = calloc(highest_errno+1, sizeof(cfg.seccomp_list_errno[0])); - - if (cfg.seccomp_list_errno[nr]) { - fprintf(stderr, "Error: errno %s already configured\n", errnoname); - free(errnoname); - exit(1); - } - arg_seccomp = 1; - cfg.seccomp_list_errno[nr] = strdup(eq+1); - if (!cfg.seccomp_list_errno[nr]) - errExit("strdup"); - free(errnoname); + cfg.seccomp_list_keep = seccomp_check_list(argv[i] + 15); } else { fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); @@ -2606,13 +2563,6 @@ int main(int argc, char **argv) { waitpid(child, &status, 0); // free globals -#ifdef HAVE_SECCOMP - if (cfg.seccomp_list_errno) { - for (i = 0; i < highest_errno; i++) - free(cfg.seccomp_list_errno[i]); - free(cfg.seccomp_list_errno); - } -#endif if (cfg.profile) { ProfileEntry *prf = cfg.profile; while (prf != NULL) { diff --git a/src/firejail/profile.c b/src/firejail/profile.c index f7d5e87e6..f3a7eb727 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c 
@@ -529,9 +529,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { #ifdef HAVE_SECCOMP if (checkcfg(CFG_SECCOMP)) { arg_seccomp = 1; - cfg.seccomp_list = strdup(ptr + 8); - if (!cfg.seccomp_list) - errExit("strdup"); + cfg.seccomp_list = seccomp_check_list(ptr + 8); } else fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n"); @@ -545,9 +543,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { #ifdef HAVE_SECCOMP if (checkcfg(CFG_SECCOMP)) { arg_seccomp = 1; - cfg.seccomp_list_drop = strdup(ptr + 13); - if (!cfg.seccomp_list_drop) - errExit("strdup"); + cfg.seccomp_list_drop = seccomp_check_list(ptr + 13); } else fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n"); @@ -560,9 +556,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { #ifdef HAVE_SECCOMP if (checkcfg(CFG_SECCOMP)) { arg_seccomp = 1; - cfg.seccomp_list_keep= strdup(ptr + 13); - if (!cfg.seccomp_list_keep) - errExit("strdup"); + cfg.seccomp_list_keep= seccomp_check_list(ptr + 13); } else fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n"); @@ -576,7 +570,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { arg_caps_list = strdup(ptr + 10); if (!arg_caps_list) errExit("strdup"); - // verify seccomp list and exit if problems + // verify caps list and exit if problems if (caps_check_list(arg_caps_list, NULL)) exit(1); return 0; @@ -588,7 +582,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { arg_caps_list = strdup(ptr + 10); if (!arg_caps_list) errExit("strdup"); - // verify seccomp list and exit if problems + // verify caps list and exit if problems if (caps_check_list(arg_caps_list, NULL)) exit(1); return 0; diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index e3c95283d..556cb1fca 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c 
@@ -847,8 +847,6 @@ assert(0); if (arg_seccomp == 1) { if (cfg.seccomp_list_keep) seccomp_filter_keep(); - else if (cfg.seccomp_list_errno) - seccomp_filter_errno(); else seccomp_filter_drop(enforce_seccomp); } diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 74d29fc9d..20807f5b1 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c @@ -22,6 +22,34 @@ #include "firejail.h" #include "../include/seccomp.h" +char *seccomp_check_list(const char *str) { + assert(str); + if (strlen(str) == 0) { + fprintf(stderr, "Error: empty syscall lists are not allowed\n"); + exit(1); + } + + int len = strlen(str) + 1; + char *rv = malloc(len); + if (!rv) + errExit("malloc"); + memset(rv, 0, len); + + const char *ptr1 = str; + char *ptr2 = rv; + while (*ptr1 != '\0') { + if (isalnum(*ptr1) || *ptr1 == '_' || *ptr1 == ',' || *ptr1 == ':') + *ptr2++ = *ptr1++; + else { + fprintf(stderr, "Error: invalid syscall list\n"); + exit(1); + } + } + + return rv; +} + + int seccomp_load(const char *fname) { assert(fname); @@ -136,10 +164,6 @@ int seccomp_filter_drop(int enforce_seccomp) { #endif if (arg_debug) printf("Build default+drop seccomp filter\n"); - if (strlen(cfg.seccomp_list) == 0) { - fprintf(stderr, "Error: empty syscall lists are not allowed\n"); - exit(1); - } // build the seccomp filter as a regular user int rv; @@ -157,10 +181,6 @@ int seccomp_filter_drop(int enforce_seccomp) { else if (cfg.seccomp_list == NULL && cfg.seccomp_list_drop) { if (arg_debug) printf("Build drop seccomp filter\n"); - if (strlen(cfg.seccomp_list_drop) == 0) { - fprintf(stderr, "Error: empty syscall lists are not allowed\n"); - exit(1); - } // build the seccomp filter as a regular user int rv; 
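Review bot: In the new seccomp_check_list() in seccomp.c, `isalnum(*ptr1)` receives a plain `char` taken from a command-line or profile string; where `char` is signed, a byte above 0x7f becomes a negative argument, which is undefined behaviour for the <ctype.h> functions. Cast before the call: `if (isalnum((unsigned char)*ptr1) || *ptr1 == '_' || *ptr1 == ',' || *ptr1 == ':')`. The hunk shows no `#include <ctype.h>`, so it is worth confirming that firejail.h brings it into scope. The function also has no header comment; I would add `// validate a syscall list (alphanumerics, '_', ',' and ':' only); exits on error, returns a malloc'ed copy owned by the caller`.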
@@ -199,10 +219,6 @@ int seccomp_filter_drop(int enforce_seccomp) { int seccomp_filter_keep(void) { if (arg_debug) printf("Build drop seccomp filter\n"); - if (strlen(cfg.seccomp_list_keep) == 0) { - fprintf(stderr, "Error: empty syscall lists are not allowed\n"); - exit(1); - } // build the seccomp filter as a regular user int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4, @@ -216,38 +232,6 @@ int seccomp_filter_keep(void) { return seccomp_load(RUN_SECCOMP_CFG); } -// errno filter for seccomp option -int seccomp_filter_errno(void) { -#if 0 //todo: disabled temporarely, bring it back - int i; - int higest_errno = errno_highest_nr(); - filter_init(); - - // apply errno list - - for (i = 0; i < higest_errno; i++) { - if (cfg.seccomp_list_errno[i]) { - if (syscall_check_list(cfg.seccomp_list_errno[i], filter_add_errno, i)) { - fprintf(stderr, "Error: cannot load seccomp filter\n"); - exit(1); - } - } - } - - filter_end_blacklist(); - if (arg_debug) - filter_debug(); - - // save seccomp filter in /run/firejail/mnt/seccomp - // in order to use it in --join operations - write_seccomp_file(); - return seccomp_load(RUN_SECCOMP_CFG); -#else -printf("*** --seccomp. is temporarily disabled, it will be brought back soon ***\n"); - return 0; -#endif -} - void seccomp_print_filter_name(const char *name) { EUID_ASSERT(); if (!name || strlen(name) == 0) { diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c index 22b13bcd9..39e72fdf9 100644 --- a/src/fseccomp/main.c +++ b/src/fseccomp/main.c @@ -40,7 +40,7 @@ static void usage(void) { int main(int argc, char **argv) { #if 0 { -system("cat /proc/self/status"); +//system("cat /proc/self/status"); int i; for (i = 0; i < argc; i++) printf("*%s* ", argv[i]); diff --git a/src/fseccomp/protocol.c b/src/fseccomp/protocol.c index 38c5f9d88..7bf560fe1 100644 --- a/src/fseccomp/protocol.c +++ b/src/fseccomp/protocol.c 
@@ -107,7 +107,7 @@ void protocol_build_filter(const char *prlist, const char *fname) { assert(fname); #ifndef SYS_socket - fprintf(stderr, "Warning: --protocol not supported on this platform\n"); + fprintf(stderr, "Warning fseccomp: --protocol not supported on this platform\n"); return; #else // build the filter diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c index e2052efde..6696f2b11 100644 --- a/src/fseccomp/syscall.c +++ b/src/fseccomp/syscall.c @@ -67,12 +67,52 @@ void syscall_print(void) { printf("\n"); } +// allowed input: +// - syscall +// - syscall(error) +static void syscall_process_name(const char *name, int *syscall_nr, int *error_nr) { + assert(name); + if (strlen(name) == 0) + goto error; + *error_nr = -1; + + // syntax check + char *str = strdup(name); + if (!str) + errExit("strdup"); + + char *syscall_name = str; + char *error_name = strchr(str, ':'); + if (error_name) { + *error_name = '\0'; + error_name++; + } + if (strlen(syscall_name) == 0) { + free(str); + goto error; + } + + *syscall_nr = syscall_find_name(syscall_name); + if (error_name) { + *error_nr = errno_find_name(error_name); + if (*error_nr == -1) + *syscall_nr = -1; + } + + free(str); + return; + +error: + fprintf(stderr, "Error fseccomp: invalid syscall list entry %s\n", name); + exit(1); +} + // return 1 if error, 0 if OK int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall, int arg), int fd, int arg) { // don't allow empty lists if (slist == NULL || *slist == '\0') { - fprintf(stderr, "Error: empty syscall lists are not allowed\n"); - return -1; + fprintf(stderr, "Error fseccomp: empty syscall lists are not allowed\n"); + exit(1); } // work on a copy of the string 
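Review bot: In syscall_process_name(), an unrecognised errno name is reported by setting `*syscall_nr = -1`, which the caller can only read as an unknown syscall, so a misspelled errno after the `:` would leave that rule out of the filter rather than stop the build. For a security filter I would fail closed at that point: `if (*error_nr == -1) { free(str); goto error; }`. The comment above the function documents the form `syscall(error)` while the code splits on `':'`, so it should read `// - syscall:error`. In syscall_check_list() the empty-list case now calls `exit(1)`, which means the existing `// return 1 if error, 0 if OK` comment no longer describes that path.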
@@ -80,29 +120,28 @@ int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall, if (!str) errExit("strdup"); - char *ptr = str; - char *start = str; - while (*ptr != '\0') { - if (islower(*ptr) || isdigit(*ptr) || *ptr == '_') - ; - else if (*ptr == ',') { - *ptr = '\0'; - int nr = syscall_find_name(start); - if (nr == -1) - fprintf(stderr, "Warning: syscall %s not found\n", start); - else if (callback != NULL) - callback(fd, nr, arg); - - start = ptr + 1; - } - ptr++; + char *ptr =strtok(str, ","); + if (ptr == NULL) { + fprintf(stderr, "Error fseccomp: empty syscall lists are not allowed\n"); + exit(1); } - if (*start != '\0') { - int nr = syscall_find_name(start); - if (nr == -1) - fprintf(stderr, "Warning: syscall %s not found\n", start); - else if (callback != NULL) - callback(fd, nr, arg); + + while (ptr) { +printf("ptr %s\n", ptr); + + int syscall_nr; + int error_nr; + syscall_process_name(ptr, &syscall_nr, &error_nr); +printf("%d, %d\n", syscall_nr, error_nr); + if (syscall_nr == -1) + fprintf(stderr, "Warning fseccomp: syscall %s not found\n", ptr); + else if (callback != NULL) { + if (error_nr != -1) + filter_add_errno(fd, syscall_nr, error_nr); + else + callback(fd, syscall_nr, arg); + } + ptr = strtok(NULL, ","); } free(str); diff --git a/test/filters/seccomp-errno.exp b/test/filters/seccomp-errno.exp index 4df1948be..c3af2fbe9 100755 --- a/test/filters/seccomp-errno.exp +++ b/test/filters/seccomp-errno.exp 
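Review bot: Two debugging statements are left in the loop of syscall_check_list(), `printf("ptr %s\n", ptr);` and `printf("%d, %d\n", syscall_nr, error_nr);`, and they write to stdout every time a filter is built; they should be removed or put behind a debug flag. When an entry carries an errno, `filter_add_errno` is called in place of `callback` whichever callback was passed in; whether that is intended when the list is a keep (whitelist) filter is not visible here and deserves a comment on that branch. `strtok` keeps static state, and `strtok_r` would avoid surprises if a callback ever tokenises a string itself. The function continues outside the hunk.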
@@ -8,23 +8,23 @@ spawn $env(SHELL) match_max 100000 send -- "touch seccomp-test-file\r" -sleep 1 +after 100 -send -- "firejail --seccomp.enoent=unlinkat rm seccomp-test-file\r" +send -- "firejail --seccomp=unlinkat:ENOENT rm seccomp-test-file\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "No such file or directory" } sleep 1 -send -- "firejail --seccomp.enoent=unlinkat --debug rm seccomp-test-file\r" +send -- "firejail --seccomp=unlinkat:ENOENT --debug rm seccomp-test-file\r" expect { timeout {puts "TESTING ERROR 1\n";exit} "unlinkat 2 ENOENT" } sleep 1 -send -- "firejail --seccomp.enoent=unlinkat,mkdir\r" +send -- "firejail --seccomp=unlinkat:ENOENT,mkdir:ENOENT\r" expect { timeout {puts "TESTING ERROR 2\n";exit} "Child process initialized" @@ -49,42 +49,6 @@ puts "\n" send -- "exit\r" sleep 1 - -send -- "firejail --seccomp.enoent=unlinkat --seccomp.enoent=mkdir\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "errno enoent already configured" -} -sleep 1 - -send -- "firejail --seccomp.enoent=unlinkat --seccomp.eperm=mkdir\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "Child process initialized" -} -sleep 1 -send -- "rm seccomp-test-file\r" -expect { - timeout {puts "TESTING ERROR 7\n";exit} - "No such file or directory" -} -after 100 -puts "\n" - -send -- "mkdir seccomp-test-dir\r" -expect { - timeout {puts "TESTING ERROR 8\n";exit} - "Operation not permitted" -} -after 100 -puts "\n" - -send -- "exit\r" -sleep 1 - - - - send -- "rm seccomp-test-file\r" after 100 puts "all done\n" -- cgit v1.2.3-70-g09d2 From 9cccd6594cdee4e7230b1e18af4ae9db54fd8432 Mon Sep 17 00:00:00 2001 From: valoq Date: Sun, 6 Nov 2016 19:50:29 +0100 Subject: adopted wire profile to recent changes --- etc/Wire.profile | 21 +-------------------- etc/wire.profile | 23 +++++++++++++++++++++++ 2 files changed, 24 insertions(+), 20 deletions(-) create mode 100644 etc/wire.profile diff --git a/etc/Wire.profile b/etc/Wire.profile index b488d75e4..bd9645c7f 100644 
--- a/etc/Wire.profile +++ b/etc/Wire.profile @@ -1,22 +1,3 @@ # wire messenger profile -noblacklist ~/.config/Wire - -include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc -include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-passwdmgr.inc - -caps.drop all -netfilter -nonewprivs -nogroups -noroot -protocol unix,inet,inet6,netlink -seccomp -shell none - -private-tmp -private-dev - -# please note: the wire binary is currently identified with a capital W. This might change in future versions +include /etc/firejail/wire.profile diff --git a/etc/wire.profile b/etc/wire.profile new file mode 100644 index 000000000..d3fd46b68 --- /dev/null +++ b/etc/wire.profile @@ -0,0 +1,23 @@ +# wire messenger profile + +noblacklist ~/.config/Wire + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +nogroups +noroot +protocol unix,inet,inet6,netlink +seccomp +shell none + +private-tmp +private-dev + +# Note: the current beta version of wire is located in /opt/Wire/wire and therefore not in PATH. +# To use wire with firejail run "firejail /opt/Wire/wire" -- cgit v1.2.3-70-g09d2 From 569c938cadbb7d9970794515f8b000f1d522fc03 Mon Sep 17 00:00:00 2001 From: valoq Date: Sun, 6 Nov 2016 20:52:17 +0100 Subject: minor fix --- etc/wire.profile | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/wire.profile b/etc/wire.profile index d3fd46b68..c84b4cc28 100644 --- a/etc/wire.profile +++ b/etc/wire.profile @@ -1,6 +1,7 @@ # wire messenger profile noblacklist ~/.config/Wire +noblacklist ~/.config/wire include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc -- cgit v1.2.3-70-g09d2 From 971218bd209081d7093fd0ed0f59a356239ebdd0 Mon Sep 17 00:00:00 2001 
From: Fred-Barclay Date: Sun, 6 Nov 2016 19:08:09 -0600 Subject: Blacklist ecryptfs files --- etc/disable-common.inc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 38a8b86d6..e77f2d369 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -106,6 +106,8 @@ read-only ${HOME}/.xscreensaver read-only ${HOME}/bin # top secret +blacklist ${HOME}/.ecryptfs +blacklist ${HOME}/.Private blacklist ${HOME}/.ssh blacklist ${HOME}/.cert blacklist ${HOME}/.gnome2/keyrings -- cgit v1.2.3-70-g09d2 From de5b53608af7b120608ce89e63e46f5d689bc6d0 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 7 Nov 2016 08:25:02 -0500 Subject: profiles --- etc/disable-common.inc | 9 ++++++++- etc/virtualbox.profile | 1 + platform/debian/conffiles | 1 + 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index e77f2d369..071d217bb 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -42,6 +42,7 @@ blacklist ${HOME}/.VeraCrypt # var blacklist /var/spool/cron blacklist /var/spool/anacron +blacklist /var/mail blacklist /var/run/acpid.socket blacklist /var/run/minissdpd.sock blacklist /var/run/rpcbind.sock @@ -52,7 +53,7 @@ blacklist /var/lib/mysql/mysql.sock blacklist /var/run/docker.sock # etc -blacklist /etc/cron.* +blacklist /etc/cron* blacklist /etc/profile.d blacklist /etc/rc.local blacklist /etc/anacrontab @@ -147,6 +148,8 @@ blacklist /usr/local/sbin blacklist ${PATH}/umount blacklist ${PATH}/mount blacklist ${PATH}/fusermount +blacklist ${PATH}/ntfs-3g +blacklist ${PATH}/at blacklist ${PATH}/su blacklist ${PATH}/sudo blacklist ${PATH}/xinput @@ -171,6 +174,10 @@ blacklist ${PATH}/chfn blacklist ${PATH}/chage blacklist ${PATH}/expiry blacklist ${PATH}/unix_chkpwd +blacklist ${PATH}/procmail + +# other SUID binaries +blacklist /usr/lib/virtualbox # prevent lxterminal connecting to an existing lxterminal session blacklist /tmp/.lxterminal-socket* 
diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile index 148b7efc8..49f8f8b24 100644 --- a/etc/virtualbox.profile +++ b/etc/virtualbox.profile @@ -3,6 +3,7 @@ noblacklist ${HOME}/.VirtualBox noblacklist ${HOME}/VirtualBox VMs noblacklist ${HOME}/.config/VirtualBox +noblacklist /usr/bin/virtualbox include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc diff --git a/platform/debian/conffiles b/platform/debian/conffiles index ae8db5a67..ff3909c17 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -170,5 +170,6 @@ /etc/firejail/xiphos.profile /etc/firejail/display.profile /etc/firejail/Wire.profile +/etc/firejail/wire.profile /etc/firejail/mumble.profile /etc/firejail/zoom.profile -- cgit v1.2.3-70-g09d2 From b5c5d48e88bf24544ad65336df6cf713c65384ba Mon Sep 17 00:00:00 2001 From: vis Date: Mon, 7 Nov 2016 18:27:23 +0100 Subject: completed ecryptfs blacklist --- etc/disable-common.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 071d217bb..0dad8b385 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -138,6 +138,7 @@ blacklist /etc/shadow+ blacklist /etc/gshadow+ blacklist /etc/ssh blacklist /var/backup +blacklist /home/.ecryptfs # system directories blacklist /sbin -- cgit v1.2.3-70-g09d2 From 66a476419d301ca7eb879d205e394a0a8c21e598 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 7 Nov 2016 12:44:08 -0500 Subject: gcov support --- Makefile.in | 8 ++++++++ configure | 23 +++++++++++++++++++++-- configure.ac | 15 +++++++++++++-- src/firejail/Makefile.in | 5 +++-- src/firemon/Makefile.in | 11 ++++++++--- src/fnet/Makefile.in | 8 +++++--- src/fseccomp/Makefile.in | 8 +++++--- src/ftee/Makefile.in | 8 +++++--- 8 files changed, 68 insertions(+), 18 deletions(-) diff --git a/Makefile.in b/Makefile.in index 86acc206c..bc9f20bd0 100644 --- a/Makefile.in +++ b/Makefile.in 
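Review bot: The added `noblacklist /usr/bin/virtualbox` does not match the path this commit blacklists in disable-common.inc, which is `blacklist /usr/lib/virtualbox` under `# other SUID binaries`. If a noblacklist entry has to name the blacklisted path, as the other entries at the top of this profile suggest, the VirtualBox profile would still have `/usr/lib/virtualbox` blacklisted after the include. The line should probably read `noblacklist /usr/lib/virtualbox`.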
@@ -39,6 +39,7 @@ clean: for dir in $(APPS) $(MYLIBS); do \ $(MAKE) -C $$dir clean; \ done + rm -fr gcov-file gcov-dir rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm rm -f test/utils/index.html* rm -f test/utils/wget-log @@ -222,3 +223,10 @@ test-fs: test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters echo "TEST COMPLETE" + +gcov:; + lcov --capture -d src/firejail -d src/firemon -d src/fseccomp -d src/fnet -d src/ftee --output-file gcov-file + rm -fr gcov-dir + genhtml gcov-file --output-directory gcov-dir + + \ No newline at end of file diff --git a/configure b/configure index a89fddbef..47413e5b8 100755 --- a/configure +++ b/configure @@ -625,6 +625,7 @@ ac_includes_default="\ ac_subst_vars='LTLIBOBJS LIBOBJS HAVE_SECCOMP_H +HAVE_GCOV BUSYBOX_WORKAROUND HAVE_FATAL_WARNINGS HAVE_WHITELIST @@ -709,6 +710,7 @@ enable_file_transfer enable_whitelist enable_fatal_warnings enable_busybox_workaround +enable_gcov ' ac_precious_vars='build_alias host_alias @@ -1346,6 +1348,7 @@ Optional Features: --enable-fatal-warnings -W -Wall -Werror --enable-busybox-workaround enable busybox workaround + --enable-gcov Gcov instrumentation Some influential environment variables: CC C compiler command @@ -3508,7 +3511,7 @@ fi fi if test "x$enable_apparmor" = "xyes"; then : - EXTRA_LDFLAGS="-lapparmor" + EXTRA_LDFLAGS+="-lapparmor " fi @@ -3693,6 +3696,21 @@ if test "x$enable_busybox_workaround" = "xyes"; then : fi +HAVE_GCOV="" +# Check whether --enable-gcov was given. +if test "${enable_gcov+set}" = set; then : + enableval=$enable_gcov; +fi + +if test "x$enable_gcov" = "xyes"; then : + + HAVE_GCOV="--coverage " + EXTRA_LDFLAGS+="-lgcov --coverage " + + +fi + + # checking pthread library { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5 
@@ -4954,7 +4972,8 @@ echo " file transfer support: $HAVE_FILE_TRANSFER" echo " overlayfs support: $HAVE_OVERLAYFS" echo " fatal warnings: $HAVE_FATAL_WARNINGS" echo " busybox workaround: $BUSYBOX_WORKAROUND" -printf " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" +echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" +echo " Gcov instrumentation: $HAVE_GCOV" echo diff --git a/configure.ac b/configure.ac index 9e7680d7d..e05c023f7 100644 --- a/configure.ac +++ b/configure.ac @@ -22,7 +22,7 @@ AS_IF([test "x$enable_apparmor" = "xyes"], [ [Couldn't find sys/apparmor.h... please install apparmor user space library and development files] )]) ]) AS_IF([test "x$enable_apparmor" = "xyes"], [ - EXTRA_LDFLAGS="-lapparmor" + EXTRA_LDFLAGS+="-lapparmor " ]) AC_SUBST([EXTRA_LDFLAGS]) @@ -136,6 +136,16 @@ AS_IF([test "x$enable_busybox_workaround" = "xyes"], [ ]) +HAVE_GCOV="" +AC_ARG_ENABLE([gcov], + AS_HELP_STRING([--enable-gcov], [Gcov instrumentation])) +AS_IF([test "x$enable_gcov" = "xyes"], [ + HAVE_GCOV="--coverage " + EXTRA_LDFLAGS+="-lgcov --coverage " + AC_SUBST(HAVE_GCOV) +]) + + # checking pthread library AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***])) @@ -170,7 +180,8 @@ echo " file transfer support: $HAVE_FILE_TRANSFER" echo " overlayfs support: $HAVE_OVERLAYFS" echo " fatal warnings: $HAVE_FATAL_WARNINGS" echo " busybox workaround: $BUSYBOX_WORKAROUND" -printf " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" +echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" +echo " Gcov instrumentation: $HAVE_GCOV" echo diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in index c99b6c30c..6e5071925 100644 --- a/src/firejail/Makefile.in +++ b/src/firejail/Makefile.in 
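Review bot: `EXTRA_LDFLAGS+="-lapparmor "` in the AS_IF body of configure.ac is a bash-style append, while the generated configure is normally run by /bin/sh. A shell without `+=` (dash, for example) treats the line as a command name and fails, leaving EXTRA_LDFLAGS without -lapparmor, so an --enable-apparmor build can fail at link time. The gcov block in the @@ -136 hunk of this file uses the same form. A portable spelling is `EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lapparmor"` and `EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lgcov --coverage"`.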
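Review bot: The help text `[Gcov instrumentation]` for --enable-gcov in the @@ -136 hunk does not say that the result is a test-only build. Instrumented programs write .gcda coverage files when they exit, and firejail is normally installed setuid root (not visible in this hunk), so an instrumented binary should never be installed. I would make that explicit: `AS_HELP_STRING([--enable-gcov], [Gcov instrumentation (test builds only, do not install)])`.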
@@ -21,13 +21,14 @@ HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ HAVE_APPARMOR=@HAVE_APPARMOR@ HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ +HAVE_GCOV=@HAVE_GCOV@ EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ H_FILE_LIST = $(sort $(wildcard *.[h])) C_FILE_LIST = $(sort $(wildcard *.c)) OBJS = $(C_FILE_LIST:.c=.o) BINOBJS = $(foreach file, $(OBJS), $file) -CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security +CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h @@ -36,7 +37,7 @@ LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) -clean:; rm -f *.o firejail firejail.1 firejail.1.gz +clean:; rm -f *.o firejail firejail.1 firejail.1.gz *.gcov *.gcda *.gcno distclean: clean rm -fr Makefile diff --git a/src/firemon/Makefile.in b/src/firemon/Makefile.in index 21888d354..efc48b212 100644 --- a/src/firemon/Makefile.in +++ b/src/firemon/Makefile.in 
@@ -4,21 +4,26 @@ PREFIX=@prefix@ VERSION=@PACKAGE_VERSION@ NAME=@PACKAGE_NAME@ HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ +HAVE_GCOV=@HAVE_GCOV@ +EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ H_FILE_LIST = $(sort $(wildcard *.[h])) C_FILE_LIST = $(sort $(wildcard *.c)) OBJS = $(C_FILE_LIST:.c=.o) BINOBJS = $(foreach file, $(OBJS), $file) -CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security +CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now +HAVE_GCOV=@HAVE_GCOV@ +EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ + %.o : %.c $(H_FILE_LIST) $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ firemon: $(OBJS) ../lib/common.o ../lib/pid.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/pid.o $(LIBS) + $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/pid.o $(LIBS) $(EXTRA_LDFLAGS) -clean:; rm -f *.o firemon +clean:; rm -f *.o firemon *.gcov *.gcda *.gcno distclean: clean rm -fr Makefile diff --git a/src/fnet/Makefile.in b/src/fnet/Makefile.in index bba4406d4..32f08882a 100644 --- a/src/fnet/Makefile.in +++ b/src/fnet/Makefile.in 
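Review bot: `HAVE_GCOV=@HAVE_GCOV@` and `EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@` are added twice in this src/firemon/Makefile.in hunk, once after HAVE_FATAL_WARNINGS and again after the LDFLAGS line, so the `+=` appends the substituted flags to the link line twice. The src/fnet and src/fseccomp hunks do the same by adding a second `EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@` below the one already present in the context. Dropping the second pair keeps one definition per file. Separately, EXTRA_LDFLAGS also carries `-lapparmor` when AppArmor is enabled (configure.ac in this commit), so firemon and the other helpers now link that library as well; a dedicated variable for the coverage link flags would avoid that.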
@@ -22,21 +22,23 @@ HAVE_APPARMOR=@HAVE_APPARMOR@ HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ +HAVE_GCOV=@HAVE_GCOV@ +EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ H_FILE_LIST = $(sort $(wildcard *.[h])) C_FILE_LIST = $(sort $(wildcard *.c)) OBJS = $(C_FILE_LIST:.c=.o) BINOBJS = $(foreach file, $(OBJS), $file) -CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security +CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/libnetlink.h $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ fnet: $(OBJS) ../lib/libnetlink.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o $(LIBS) + $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS) -clean:; rm -f *.o fnet +clean:; rm -f *.o fnet *.gcov *.gcda *.gcno distclean: clean rm -fr Makefile diff --git a/src/fseccomp/Makefile.in b/src/fseccomp/Makefile.in index 1878ad2f3..04c46f128 100644 --- a/src/fseccomp/Makefile.in +++ b/src/fseccomp/Makefile.in 
@@ -22,21 +22,23 @@ HAVE_APPARMOR=@HAVE_APPARMOR@ HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ +HAVE_GCOV=@HAVE_GCOV@ +EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ H_FILE_LIST = $(sort $(wildcard *.[h])) C_FILE_LIST = $(sort $(wildcard *.c)) OBJS = $(C_FILE_LIST:.c=.o) BINOBJS = $(foreach file, $(OBJS), $file) -CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security +CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ fseccomp: $(OBJS) - $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) + $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) -clean:; rm -f *.o fseccomp +clean:; rm -f *.o fseccomp *.gcov *.gcda *.gcno distclean: clean rm -fr Makefile diff --git a/src/ftee/Makefile.in b/src/ftee/Makefile.in index be159225f..ad508cadd 100644 --- a/src/ftee/Makefile.in +++ b/src/ftee/Makefile.in 
@@ -4,21 +4,23 @@ PREFIX=@prefix@ VERSION=@PACKAGE_VERSION@ NAME=@PACKAGE_NAME@ HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ +HAVE_GCOV=@HAVE_GCOV@ +EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ H_FILE_LIST = $(sort $(wildcard *.[h])) C_FILE_LIST = $(sort $(wildcard *.c)) OBJS = $(C_FILE_LIST:.c=.o) BINOBJS = $(foreach file, $(OBJS), $file) -CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(PREFIX)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security +CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(PREFIX)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread %.o : %.c $(H_FILE_LIST) $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ ftee: $(OBJS) - $(CC) $(LDFLAGS) -o $@ $(OBJS) + $(CC) $(LDFLAGS) -o $@ $(OBJS) $(EXTRA_LDFLAGS) -clean:; rm -f *.o ftee +clean:; rm -f *.o ftee *.gcov *.gcda *.gcno distclean: clean rm -fr Makefile -- cgit v1.2.3-70-g09d2 From 6f1816ab52fc57579a4ac30dbfb885118f4ab56f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 7 Nov 2016 12:52:38 -0500 Subject: gcov support --- Makefile.in | 2 +- src/firecfg/Makefile.in | 8 +++++--- src/lib/Makefile.in | 6 ++++-- 3 files changed, 10 insertions(+), 6 deletions(-) diff --git a/Makefile.in b/Makefile.in index bc9f20bd0..1861fb7ca 100644 --- a/Makefile.in +++ b/Makefile.in @@ -225,7 +225,7 @@ test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 echo "TEST COMPLETE" gcov:; - lcov --capture -d src/firejail -d src/firemon -d src/fseccomp -d src/fnet -d src/ftee --output-file gcov-file + lcov --capture -d src/firejail -d src/firemon -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg --output-file gcov-file rm -fr gcov-dir genhtml gcov-file --output-directory gcov-dir diff --git a/src/firecfg/Makefile.in b/src/firecfg/Makefile.in index 11f8b1e8d..f9fe08768 100644 --- a/src/firecfg/Makefile.in 
+++ b/src/firecfg/Makefile.in @@ -16,22 +16,24 @@ HAVE_NETWORK=@HAVE_NETWORK@ HAVE_USERNS=@HAVE_USERNS@ HAVE_X11=@HAVE_X11@ HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ +HAVE_GCOV=@HAVE_GCOV@ +EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ H_FILE_LIST = $(sort $(wildcard *.[h])) C_FILE_LIST = $(sort $(wildcard *.c)) OBJS = $(C_FILE_LIST:.c=.o) BINOBJS = $(foreach file, $(OBJS), $file) -CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security +CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ firecfg: $(OBJS) ../lib/common.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) + $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) -clean:; rm -f *.o firecfg firecfg.1 firecfg.1.gz +clean:; rm -f *.o firecfg firecfg.1 firecfg.1.gz *.gcov *.gcda *.gcno distclean: clean rm -fr Makefile diff --git a/src/lib/Makefile.in b/src/lib/Makefile.in index 71f96bab1..5549aca11 100644 --- a/src/lib/Makefile.in +++ b/src/lib/Makefile.in 
@@ -2,12 +2,14 @@ PREFIX=@prefix@ VERSION=@PACKAGE_VERSION@ NAME=@PACKAGE_NAME@ HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ +HAVE_GCOV=@HAVE_GCOV@ +EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ H_FILE_LIST = $(sort $(wildcard *.[h])) C_FILE_LIST = $(sort $(wildcard *.c)) OBJS = $(C_FILE_LIST:.c=.o) BINOBJS = $(foreach file, $(OBJS), $file) -CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security +CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security LDFLAGS:=-pic -Wl,-z,relro -Wl,-z,now all: $(OBJS) @@ -15,7 +17,7 @@ all: $(OBJS) %.o : %.c $(H_FILE_LIST) $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ -clean:; rm -f $(OBJS) +clean:; rm -f $(OBJS) *.gcov *.gcda *.gcno distclean: clean rm -fr Makefile -- cgit v1.2.3-70-g09d2 From c0b5b9acf0324db45a8a60f490e1a29c4ccd0cb1 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 7 Nov 2016 14:52:37 -0500 Subject: testing --- Makefile.in | 5 ++++- src/faudit/main.c | 13 +++++++++++++ test/arguments/Makefile | 13 ------------- test/arguments/arguments.sh | 4 ++++ test/arguments/bashrun.sh | 12 ++++++------ test/arguments/joinrun.sh | 12 ++++++------ test/arguments/main.c | 31 ------------------------------- test/arguments/outrun.sh | 12 ++++++------ test/arguments/readme | 9 --------- 9 files changed, 39 insertions(+), 72 deletions(-) delete mode 100644 test/arguments/Makefile delete mode 100644 test/arguments/main.c delete mode 100644 test/arguments/readme diff --git a/Makefile.in b/Makefile.in index 1861fb7ca..d93eee502 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -215,13 +215,16 @@ test-environment: test-filters: cd test/filters; ./filters.sh | grep TESTING +test-arguments: + cd test/arguments; ./arguments.sh | grep TESTING + test-network: echo "Please read test/network/README file and run the test manually" test-fs: cd test/fs; ./fs.sh | grep TESTING -test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters +test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments echo "TEST COMPLETE" gcov:; diff --git a/src/faudit/main.c b/src/faudit/main.c index 61005945d..7f47ccaf0 100644 --- a/src/faudit/main.c +++ b/src/faudit/main.c @@ -21,6 +21,19 @@ char *prog; int main(int argc, char **argv) { + // make test-arguments helper + if (getenv("FIREJAIL_TEST_ARGUMENTS")) { + printf("Arguments:\n"); + + int i; + for (i = 0; i < argc; i++) { + printf("#%s#\n", argv[i]); + } + + return 0; + } + + if (argc != 1) { int i; diff --git a/test/arguments/Makefile b/test/arguments/Makefile deleted file mode 100644 index 3ccab3702..000000000 --- a/test/arguments/Makefile +++ /dev/null @@ -1,13 +0,0 @@ -all: argtest - -argtest: main.c - gcc -o argtest main.c - -clean:; rm -f argtest; rm -fr symtest; rm -f out out.* - -install:;install -c -m 0755 argtest /usr/local/bin/argtest - -uninstall:; rm -f /usr/local/bin/argtest - - -test:; ./arguments.sh | grep TESTING diff --git a/test/arguments/arguments.sh b/test/arguments/arguments.sh index 2f53eb3fa..db4c9b472 100755 --- a/test/arguments/arguments.sh +++ b/test/arguments/arguments.sh @@ -4,12 +4,16 @@ echo "TESTING: 1. regular bash session" ./bashrun.exp +sleep 1 echo "TESTING: 2. symbolic link to firejail" ./symrun.exp +rm -fr symtest +sleep 1 echo "TESTING: 3. --join option" ./joinrun.exp +sleep 1 echo "TESTING: 4. --output option" ./outrun.exp diff --git a/test/arguments/bashrun.sh b/test/arguments/bashrun.sh index c2f209548..0797c92c2 100755 --- a/test/arguments/bashrun.sh 
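Review bot: The `FIREJAIL_TEST_ARGUMENTS` branch added at the top of main() in src/faudit/main.c is test scaffolding compiled into the installed faudit binary, and it is selected purely by the caller's environment. With the variable set, faudit prints its argv and returns 0 without running any audit, so anything that relies on faudit's exit status would see success. Consider compiling the branch only into test builds behind a build flag, or at least state the effect in the comment: `// test-only: when FIREJAIL_TEST_ARGUMENTS is set, print argv and skip the audit`. main() continues outside the hunk.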
+++ b/test/arguments/bashrun.sh @@ -1,22 +1,22 @@ #!/bin/bash echo "TESTING: 1.1 - simple args" -firejail --quiet ./argtest arg1 arg2 +firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet /usr/lib/firejail/faudit arg1 arg2 # simple quotes, testing spaces in file names echo "TESTING: 1.2 - args with space and \"" -firejail --quiet ./argtest "arg1 tail" "arg2 tail" +firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet /usr/lib/firejail/faudit "arg1 tail" "arg2 tail" echo "TESTING: 1.3 - args with space and '" -firejail --quiet ./argtest 'arg1 tail' 'arg2 tail' +firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet /usr/lib/firejail/faudit 'arg1 tail' 'arg2 tail' # escaped space in file names echo "TESTING: 1.4 - args with space and \\" -firejail --quiet ./argtest arg1\ tail arg2\ tail +firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet /usr/lib/firejail/faudit arg1\ tail arg2\ tail # & char appears in URLs - URLs should be quoted echo "TESTING: 1.5 - args with & and \"" -firejail --quiet ./argtest "arg1&tail" "arg2&tail" +firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet /usr/lib/firejail/faudit "arg1&tail" "arg2&tail" echo "TESTING: 1.6 - args with & and '" -firejail --quiet ./argtest 'arg1&tail' 'arg2&tail' +firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet /usr/lib/firejail/faudit 'arg1&tail' 'arg2&tail' diff --git a/test/arguments/joinrun.sh b/test/arguments/joinrun.sh index f6c2b2e22..2743d823e 100755 --- a/test/arguments/joinrun.sh +++ b/test/arguments/joinrun.sh 
@@ -1,22 +1,22 @@ #!/bin/bash echo "TESTING: 3.1 - simple args" -firejail --join=joinrun ./argtest arg1 arg2 +firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun /usr/lib/firejail/faudit arg1 arg2 # simple quotes, testing spaces in file names echo "TESTING: 3.2 - args with space and \"" -firejail --quiet ./argtest "arg1 tail" "arg2 tail" +firejail--env=FIREJAIL_TEST_ARGUMENTS=yes --quiet /usr/lib/firejail/faudit "arg1 tail" "arg2 tail" echo "TESTING: 3.3 - args with space and '" -firejail --quiet ./argtest 'arg1 tail' 'arg2 tail' +firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet /usr/lib/firejail/faudit 'arg1 tail' 'arg2 tail' # escaped space in file names echo "TESTING: 3.4 - args with space and \\" -firejail --quiet ./argtest arg1\ tail arg2\ tail +firejail--env=FIREJAIL_TEST_ARGUMENTS=yes --quiet /usr/lib/firejail/faudit arg1\ tail arg2\ tail # & char appears in URLs - URLs should be quoted echo "TESTING: 3.5 - args with & and \"" -firejail --quiet ./argtest "arg1&tail" "arg2&tail" +firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet /usr/lib/firejail/faudit "arg1&tail" "arg2&tail" echo "TESTING: 3.6 - args with & and '" -firejail --quiet ./argtest 'arg1&tail' 'arg2&tail' +firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet /usr/lib/firejail/faudit 'arg1&tail' 'arg2&tail' diff --git a/test/arguments/main.c b/test/arguments/main.c deleted file mode 100644 index 75bdca715..000000000 --- a/test/arguments/main.c +++ /dev/null 
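Review bot: Tests 3.2 and 3.4 in test/arguments/joinrun.sh invoke `firejail--env=FIREJAIL_TEST_ARGUMENTS=yes`, with no space after `firejail`, so the shell looks for a command of that name and the sandbox is never started. The same slip is in test/arguments/outrun.sh at 4.3, 4.4 and 4.6. Each of these lines should begin `firejail --env=FIREJAIL_TEST_ARGUMENTS=yes`.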
@@ -1,31 +0,0 @@ -/* - * Copyright (C) 2014-2016 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ -#include - -int main(int argc, char **argv) { - printf("Arguments:\n"); - - int i; - for (i = 0; i < argc; i++) { - printf("#%s#\n", argv[i]); - } - - return 0; -} diff --git a/test/arguments/outrun.sh b/test/arguments/outrun.sh index cfd8e684c..a21243873 100755 --- a/test/arguments/outrun.sh +++ b/test/arguments/outrun.sh 
@@ -1,22 +1,22 @@ #!/bin/bash echo "TESTING: 4.1 - simple args" -firejail --output=out ./argtest arg1 arg2 +firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out /usr/lib/firejail/faudit arg1 arg2 # simple quotes, testing spaces in file names echo "TESTING: 4.2 - args with space and \"" -firejail --output=out ./argtest "arg1 tail" "arg2 tail" +firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out /usr/lib/firejail/faudit "arg1 tail" "arg2 tail" echo "TESTING: 4.3 - args with space and '" -firejail --output=out ./argtest 'arg1 tail' 'arg2 tail' +firejail--env=FIREJAIL_TEST_ARGUMENTS=yes --output=out /usr/lib/firejail/faudit 'arg1 tail' 'arg2 tail' # escaped space in file names echo "TESTING: 4.4 - args with space and \\" -firejail --output=out ./argtest arg1\ tail arg2\ tail +firejail--env=FIREJAIL_TEST_ARGUMENTS=yes --output=out /usr/lib/firejail/faudit arg1\ tail arg2\ tail # & char appears in URLs - URLs should be quoted echo "TESTING: 4.5 - args with & and \"" -firejail --output=out ./argtest "arg1&tail" "arg2&tail" +firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out /usr/lib/firejail/faudit "arg1&tail" "arg2&tail" echo "TESTING: 4.6 - args with & and '" -firejail --output=out ./argtest 'arg1&tail' 'arg2&tail' +firejail--env=FIREJAIL_TEST_ARGUMENTS=yes --output=out /usr/lib/firejail/faudit 'arg1&tail' 'arg2&tail' diff --git a/test/arguments/readme b/test/arguments/readme deleted file mode 100644 index c28461478..000000000 --- a/test/arguments/readme +++ /dev/null @@ -1,9 +0,0 @@ -Argument testing fremework for Firejail. - -A small test program, argtest, is compiled and installed in /usr/local/bin directory. -Run "make && sudo make install" to install it. - -Run "make test" to run the tests. - -Run "sudo make uninstall" to remove the test program. - -- cgit v1.2.3-70-g09d2 From a3ff32d628b3409ae30f189c2401b66859763cf8 Mon Sep 17 00:00:00 2001 
From: Pig Monkey Date: Mon, 7 Nov 2016 17:27:25 -0800 Subject: do not blacklist msmtprc in mutt I need to be able to send mail too! --- etc/mutt.profile | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/mutt.profile b/etc/mutt.profile index b532ded67..54cf828b1 100644 --- a/etc/mutt.profile +++ b/etc/mutt.profile @@ -21,6 +21,7 @@ noblacklist ~/.emacs noblacklist ~/.emacs.d noblacklist ~/.signature noblacklist ~/.bogofilter +noblacklist ~/.msmtprc include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc -- cgit v1.2.3-70-g09d2 From 62a19b0cac1646b0187e860f9edfb0843f572d1e Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 8 Nov 2016 11:55:57 -0500 Subject: testing --- test/fs/fs.sh | 8 ++++- test/fs/private-home-dir.exp | 70 ++++++++++++++++++++++++++++++++++++++++++++ test/fs/private-home.exp | 45 ++++++++++++++++++++++++++++ test/fs/private.exp | 51 ++++++++++++++++---------------- 4 files changed, 147 insertions(+), 27 deletions(-) create mode 100755 test/fs/private-home-dir.exp create mode 100755 test/fs/private-home.exp diff --git a/test/fs/fs.sh b/test/fs/fs.sh index 3139b8eae..812da02b0 100755 --- a/test/fs/fs.sh +++ b/test/fs/fs.sh @@ -22,7 +22,13 @@ echo "TESTING: read/write /dev/shm (test/fs/fs_dev_shm.exp)" ./fs_dev_shm.exp echo "TESTING: private (test/fs/private.exp)" -./private.exp `whoami` +./private.exp + +echo "TESTING: private home (test/fs/private-home.exp)" +./private-home.exp + +echo "TESTING: private home dir (test/fs/private-home-dir.exp)" +./private-home-dir.exp echo "TESTING: private-etc (test/fs/private-etc.exp)" ./private-etc.exp diff --git a/test/fs/private-home-dir.exp b/test/fs/private-home-dir.exp new file mode 100755 index 000000000..5491be834 --- /dev/null +++ b/test/fs/private-home-dir.exp 
@@ -0,0 +1,70 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + + +if {[file exists ~/.asoundrc]} { + puts "found .asoundrc file\n" +} else { + send -- "touch ~/.asoundrc\r" +} +after 100 + +if {[file exists ~/.Xauthority]} { + puts "found .Xauthority file\n" +} else { + send -- "touch ~/.Xauthority\r" +} +after 100 +send -- "mkdir ~/_firejail_test_dir_\r" +sleep 1 + +# testing profile and private +send -- "firejail --private=~/_firejail_test_dir_\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "ls -l ~\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "total 0" +} +after 100 + +send -- "ls -al ~\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + ".asoundrc" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ".bashrc" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + ".Xauthority" +} +after 100 + +send -- "exit\r" +sleep 1 + + +# testing profile and private +send -- "firejail --private=/etc\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "private directory should be owned by the current user" +} +sleep 1 + + +puts "all done\n" diff --git a/test/fs/private-home.exp b/test/fs/private-home.exp new file mode 100755 index 000000000..de5a88dea --- /dev/null +++ b/test/fs/private-home.exp 
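Review bot: test/fs/private-home-dir.exp creates `~/_firejail_test_dir_` (and `~/.asoundrc` / `~/.Xauthority` when they are absent) in the real home directory and never removes the directory, so a second run starts from leftover state. A cleanup step after the last check, for example `send -- "rm -fr ~/_firejail_test_dir_\r"`, would match what private-home.exp attempts. Every timeout branch also calls `exit` without a status, so a failing run still exits 0; `exit 1` there would let callers detect failure without parsing the output.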
@@ -0,0 +1,45 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +# create some test files in user home directory +send -- "touch ~/_firejail_test_file1\r" +send -- "touch ~/_firejail_test_file2\r" +send -- "mkdir ~/_firejail_test_dir1\r" +send -- "mkdir ~/_firejail_test_dir1/_firejail_test_dir2\r" +send -- "touch ~/_firejail_test_dir1/_firejail_test_dir2/_firejail_test_file3\r" +after 100 + +send -- "firejail --private-home=_firejail_test_file1,_firejail_test_file2,_firejail_test_dir1\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +after 100 + +send -- "find ~\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "_firejail_test_file3" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "_firejail_test_file2" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "_firejail_test_file1" +} +after 100 + +send -- "rm -f ~/_firejail_test_file*\r" +send -- "rm -fr ~/_firejail_test_dir*\r" +after 100 + +puts "\nall done\n" + diff --git a/test/fs/private.exp b/test/fs/private.exp index 67435b888..8114ee45d 100755 --- a/test/fs/private.exp +++ b/test/fs/private.exp 
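Review bot: The cleanup at the end of test/fs/private-home.exp (`rm -f ~/_firejail_test_file*`, `rm -fr ~/_firejail_test_dir*`) is sent while the spawned shell is still inside the `--private-home` sandbox, because no `exit` is sent after the `find ~` checks. If the sandbox home holds copies of the listed files, as the option name suggests, the commands remove only those copies and the originals stay in the user's real home directory. Sending `send -- "exit\r"` and a `sleep 1` before the two `rm` lines would run the cleanup outside the sandbox.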
@@ -7,53 +7,52 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -if { $argc != 1 } { - puts "TESTING ERROR: argument missing" - puts "Usage: private.exp username" - puts "where username is the name of the current user" - exit + +if {[file exists ~/.asoundrc]} { + puts "found .asoundrc file\n" +} else { + send -- "touch ~/.asoundrc\r" } +after 100 + +if {[file exists ~/.Xauthority]} { + puts "found .Xauthority file\n" +} else { + send -- "touch ~/.Xauthority\r" +} +after 100 # testing profile and private -send -- "firejail --private --profile=/etc/firejail/default.profile\r" +send -- "firejail --private\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "Child process initialized" } sleep 1 -send -- "exit\r" -sleep 1 -send -- "firejail --private --noprofile\r" +send -- "ls -l ~\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" + "total 0" } +after 100 -sleep 1 -send -- "cd ~; ls -al; echo done\r" +send -- "ls -al ~\r" expect { timeout {puts "TESTING ERROR 2\n";exit} - ".bashrc" + ".asoundrc" } expect { timeout {puts "TESTING ERROR 3\n";exit} - done -} - -# owner /tmp -send -- "stat -c %U%a /tmp;echo done\r" -expect { - timeout {puts "TESTING ERROR 10\n";exit} - "root777" {puts "version 1\n";} - "root1777" {puts "version 2\n";} - "nobody777" {puts "version 3\n";} - "nobody1777" {puts "version 4\n";} + ".bashrc" } expect { - timeout {puts "TESTING ERROR 11\n";exit} - "done" + timeout {puts "TESTING ERROR 4\n";exit} + ".Xauthority" } after 100 +send -- "exit\r" +sleep 1 + puts "all done\n" -- cgit v1.2.3-70-g09d2 From e44f60a25011e388ae9f33ce8d16b9d8cb143502 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Wed, 9 Nov 2016 09:43:31 -0500 Subject: testing --- configure | 4 +-- configure.ac | 4 +-- src/firejail/sandbox.c | 8 ++--- src/firejail/sbox.c | 2 ++ src/fnet/interface.c | 1 + test/network/interface.exp | 66 ++++++++++++++++++++++++++++++++++++++++ test/network/net_scan.exp | 75 ++++++++++++++++++++++++++++++++++++++++++++++ test/network/network.sh | 6 ++++ 8 files changed, 156 insertions(+), 10 deletions(-) create mode 100755 test/network/interface.exp create mode 100755 test/network/net_scan.exp diff --git a/configure b/configure index 47413e5b8..0aefb5c62 100755 --- a/configure +++ b/configure @@ -3704,7 +3704,7 @@ fi if test "x$enable_gcov" = "xyes"; then : - HAVE_GCOV="--coverage " + HAVE_GCOV="--coverage -DHAVE_GCOV " EXTRA_LDFLAGS+="-lgcov --coverage " @@ -4970,9 +4970,9 @@ echo " whitelisting: $HAVE_WHITELIST" echo " private home support: $HAVE_PRIVATE_HOME" echo " file transfer support: $HAVE_FILE_TRANSFER" echo " overlayfs support: $HAVE_OVERLAYFS" -echo " fatal warnings: $HAVE_FATAL_WARNINGS" echo " busybox workaround: $BUSYBOX_WORKAROUND" echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" +echo " fatal warnings: $HAVE_FATAL_WARNINGS" echo " Gcov instrumentation: $HAVE_GCOV" echo diff --git a/configure.ac b/configure.ac index e05c023f7..74ba09f43 100644 --- a/configure.ac +++ b/configure.ac @@ -140,7 +140,7 @@ HAVE_GCOV="" AC_ARG_ENABLE([gcov], AS_HELP_STRING([--enable-gcov], [Gcov instrumentation])) AS_IF([test "x$enable_gcov" = "xyes"], [ - HAVE_GCOV="--coverage " + HAVE_GCOV="--coverage -DHAVE_GCOV " EXTRA_LDFLAGS+="-lgcov --coverage " AC_SUBST(HAVE_GCOV) ]) 
@@ -178,9 +178,9 @@ echo " whitelisting: $HAVE_WHITELIST" echo " private home support: $HAVE_PRIVATE_HOME" echo " file transfer support: $HAVE_FILE_TRANSFER" echo " overlayfs support: $HAVE_OVERLAYFS" -echo " fatal warnings: $HAVE_FATAL_WARNINGS" echo " busybox workaround: $BUSYBOX_WORKAROUND" echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" +echo " fatal warnings: $HAVE_FATAL_WARNINGS" echo " Gcov instrumentation: $HAVE_GCOV" echo diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 556cb1fca..6b7f7f003 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c 
@@ -481,28 +481,24 @@ int sandbox(void* sandbox_arg) { sandbox_if_up(&cfg.bridge3); -// todo: this code seems to be dead!!! - // enable interfaces + // moving an interface in a namespace using --interface will reset the interface configuration; + // we need to put the configuration back if (cfg.interface0.configured && cfg.interface0.ip) { -assert(0); if (arg_debug) printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface0.ip), cfg.interface0.dev); net_config_interface(cfg.interface0.dev, cfg.interface0.ip, cfg.interface0.mask, cfg.interface0.mtu); } if (cfg.interface1.configured && cfg.interface1.ip) { -assert(0); if (arg_debug) printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface1.ip), cfg.interface1.dev); net_config_interface(cfg.interface1.dev, cfg.interface1.ip, cfg.interface1.mask, cfg.interface1.mtu); } if (cfg.interface2.configured && cfg.interface2.ip) { -assert(0); if (arg_debug) printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface2.ip), cfg.interface2.dev); net_config_interface(cfg.interface2.dev, cfg.interface2.ip, cfg.interface2.mask, cfg.interface2.mtu); } if (cfg.interface3.configured && cfg.interface3.ip) { -assert(0); if (arg_debug) printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface3.ip), cfg.interface3.dev); net_config_interface(cfg.interface3.dev, cfg.interface3.ip, cfg.interface3.mask, cfg.interface3.mtu); diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index b16736dee..3d4eef3aa 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c @@ -156,9 +156,11 @@ int sbox_run(unsigned filter, int num, ...) { caps_drop_all(); } else if (filter & SBOX_CAPS_NETWORK) { +#ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files uint64_t set = ((uint64_t) 1) << CAP_NET_ADMIN; set |= ((uint64_t) 1) << CAP_NET_RAW; caps_set(set); +#endif } if (filter & SBOX_SECCOMP) { 
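Review bot: In the sbox.c hunk, a build configured with --enable-gcov compiles the body of the `SBOX_CAPS_NETWORK` branch away, so helpers started with that filter no longer get their capability set reduced to CAP_NET_ADMIN and CAP_NET_RAW. Nothing at build time or run time says the filter is gone, which makes it easy for an instrumented binary to end up installed. I would add an `#else` arm with `#warning "HAVE_GCOV: SBOX_CAPS_NETWORK capability filter disabled, test builds only"` and say the same in the comment next to `#ifndef HAVE_GCOV`. sbox_run starts and ends outside the hunk, so whether another capability drop follows is not visible here.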
diff --git a/src/fnet/interface.c b/src/fnet/interface.c index 67af062bf..046b2c972 100644 --- a/src/fnet/interface.c +++ b/src/fnet/interface.c @@ -284,6 +284,7 @@ void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu) { ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr = htonl(ip); if (ioctl( sock, SIOCSIFADDR, &ifr ) < 0) { close(sock); + fprintf(stderr, "Error fnet: cannot find interface %s\n", ifname); errExit("ioctl"); } diff --git a/test/network/interface.exp b/test/network/interface.exp new file mode 100755 index 000000000..b15563eec --- /dev/null +++ b/test/network/interface.exp @@ -0,0 +1,66 @@ +#!/usr/bin/expect -f +# +# interface +# + +set timeout 10 +spawn $env(SHELL) +match_max 100000 +set overlay [lindex $argv 0] +set chroot [lindex $argv 1] + +# +# N +# +# todo: seems to be unable to find interface eth0.7 +#send -- "firejail --noprofile --interface=eth0.5 --interface=eth0.6 --interface=eth0.7\r" +send -- "firejail --noprofile --interface=eth0.7 --interface=eth0.6\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "/sbin/ifconfig\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "eth0.5" +} +expect { + timeout {puts "TESTING ERROR 2n";exit} + "Link" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "10.10.205.10" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1" +} +after 100 + +send -- "/sbin/ifconfig\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "eth0.6" +} +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "Link" +} +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "10.10.206.10" +} +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1" +} +after 100 + +send -- "exit\r" +sleep 1 + + +puts "\nall done\n" diff --git a/test/network/net_scan.exp b/test/network/net_scan.exp new file mode 100755 index 000000000..5afbbeea6 --- /dev/null 
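Review bot: In the interface.c hunk the added `fprintf` sits after `close(sock)` and before `errExit("ioctl")`, and both calls may overwrite errno, so if errExit reports errno (as its use here suggests) the printed reason can be the wrong one. The message also states that the interface was not found, while the SIOCSIFADDR ioctl can fail for other reasons, such as missing privileges. Saving the value first keeps the diagnostic accurate: `int err = errno;` before `close(sock)`, then `fprintf(stderr, "Error fnet: cannot configure interface %s: %s\n", ifname, strerror(err)); errno = err;`. net_if_ip begins and ends outside the hunk.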
+++ b/test/network/net_scan.exp @@ -0,0 +1,75 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +# +send -- "firejail --net=br1 --ip=10.10.30.50\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "eth0" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "10.10.30.50" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "255.255.255.0" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --net=br1 --ip=10.10.30.51\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "eth0" +} +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "10.10.30.51" +} +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "255.255.255.0" +} +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --net=br1 --scan\r" +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "eth0" +} +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "10.10.30.50" +} +expect { + timeout {puts "TESTING ERROR 10\n";exit} + "10.10.30.51" +} +expect { + timeout {puts "TESTING ERROR 11\n";exit} + "Child process initialized" +} +sleep 1 + + + +after 100 + +puts "\nall done\n" + diff --git a/test/network/network.sh b/test/network/network.sh index 7b6d66e34..e0087411d 100755 --- a/test/network/network.sh +++ b/test/network/network.sh @@ -52,6 +52,12 @@ echo "TESTING: network default gateway test 2 (net_defaultgw2.exp)" echo "TESTING: network default gateway test 3 (net_defaultgw3.exp)" ./net_defaultgw3.exp +echo "TESTING: scan (net_scan.exp)" +./net_scan.exp + +echo "TESTING: interface (interface.exp)" +./interface.exp + echo "TESTING: netfilter (net_netfilter.exp)" ./net_netfilter.exp -- cgit v1.2.3-70-g09d2 From 1609377f8fd912b8534d302b1fbe33390b79f77b Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Wed, 9 Nov 2016 10:03:59 -0500 Subject: whitelist kde icons --- README | 1 + etc/whitelist-common.inc | 5 ++++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/README b/README index 7599f4cf1..2051f2901 100644 --- a/README +++ b/README @@ -136,6 +136,7 @@ Peter Hogg (https://github.com/pigmonkey) - WeeChat profile - rtorrent profile - bitlbee profile fixes + - mutt profile fixes Thomas Jarosch (https://github.com/thomasjfox) - disable keepassx in disable-passwdmgr.inc - added uudeview profile diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc index e533fe596..d4e69948e 100644 --- a/etc/whitelist-common.inc +++ b/etc/whitelist-common.inc @@ -31,5 +31,8 @@ whitelist ~/.kde/share/config/gtkrc-2.0 mkdir ~/.config/dconf whitelist ~/.config/dconf -# qt +# qt/kde whitelist ~/.config/kdeglobals +whitelist ~/.kde/share/config/oxygenrc +whitelist ~/.kde/share/config/kdeglobals +whitelist ~/.kde/share/icons -- cgit v1.2.3-70-g09d2 From 18eecb825caf94d2d1b69146821591027c67263d Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 9 Nov 2016 10:11:50 -0500 Subject: bugfix: crashing vlc when pressing Ctrl-O --- etc/vlc.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/vlc.profile b/etc/vlc.profile index 446e47864..2fd763f25 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile @@ -11,7 +11,7 @@ netfilter nogroups nonewprivs noroot -protocol unix,inet,inet6 +protocol unix,inet,inet6,netlink seccomp shell none -- cgit v1.2.3-70-g09d2 From 35004af7d8f6ff19908fb89e25e532113afa26f4 Mon Sep 17 00:00:00 2001 
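Review bot: In etc/vlc.profile, adding `netlink` to the `protocol` line widens the socket families the sandboxed vlc may open, and the profile itself gives no reason for it; the only explanation is the commit subject. A comment above the line would keep a later hardening pass from dropping it, or from copying it into other profiles unexamined, for example `# netlink: vlc crashes on Ctrl-O (open file) without it`. The profile continues outside the hunk.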
From: netblue30 Date: Wed, 9 Nov 2016 19:17:06 -0500 Subject: testing --- .gitignore | 2 + Makefile.in | 11 ++-- gcov-test-init.sh | 11 ++++ src/ftee/main.c | 4 ++ test/firemon-arp.exp | 34 ----------- test/firemon-route.exp | 33 ----------- test/network/4bridges_arp.exp | 16 ++--- test/network/4bridges_ip.exp | 16 ++--- test/network/README | 1 - test/network/bandwidth.exp | 2 +- test/network/firemon-arp.exp | 50 ++++++++++++++++ test/network/firemon-route.exp | 49 ++++++++++++++++ test/network/interface.exp | 2 +- test/network/net_ip.exp | 4 +- test/network/net_local.exp | 4 +- test/network/net_netfilter.exp | 6 +- test/network/net_profile.exp | 2 +- test/network/net_veth.exp | 130 +++++++++++++++++++++++++++++++++++++++++ test/network/network.sh | 11 ++++ 19 files changed, 290 insertions(+), 98 deletions(-) create mode 100755 gcov-test-init.sh delete mode 100755 test/firemon-arp.exp delete mode 100755 test/firemon-route.exp create mode 100755 test/network/firemon-arp.exp create mode 100755 test/network/firemon-route.exp create mode 100755 test/network/net_veth.exp diff --git a/.gitignore b/.gitignore index db523da59..459119b14 100644 --- a/.gitignore +++ b/.gitignore @@ -3,6 +3,8 @@ *~ *.swp *.rpm +*.gcda +*.gcno Makefile config.log config.status diff --git a/Makefile.in b/Makefile.in index d93eee502..41885ddcf 100644 --- a/Makefile.in +++ b/Makefile.in @@ -39,7 +39,7 @@ clean: for dir in $(APPS) $(MYLIBS); do \ $(MAKE) -C $$dir clean; \ done - rm -fr gcov-file gcov-dir + rm -fr gcov-file gcov-dir gcov-test-initialized rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm rm -f test/utils/index.html* rm -f test/utils/wget-log 
@@ -146,7 +146,7 @@ uninstall: rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg DISTFILES = "src etc platform configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES" -DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils" +DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils" dist: mv config.status config.status.old @@ -219,7 +219,7 @@ test-arguments: cd test/arguments; ./arguments.sh | grep TESTING test-network: - echo "Please read test/network/README file and run the test manually" + cd test/network; ./network.sh | grep TESTING test-fs: cd test/fs; ./fs.sh | grep TESTING @@ -227,7 +227,10 @@ test-fs: test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments echo "TEST COMPLETE" -gcov:; +gcov-test-initialized: + ./gcov-test-init.sh + +gcov: gcov-test-initialized lcov --capture -d src/firejail -d src/firemon -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg --output-file gcov-file rm -fr gcov-dir genhtml gcov-file --output-directory gcov-dir diff --git a/gcov-test-init.sh b/gcov-test-init.sh new file mode 100755 index 000000000..e98d9fa79 --- /dev/null +++ b/gcov-test-init.sh @@ -0,0 +1,11 @@ +#!/bin/bash + +USER=`whoami` +firejail --help +firemon --help +/usr/lib/firejail/fnet --help +/usr/lib/firejail/fseccomp --help +/usr/lib/firejail/ftee --help +firecfg --help +sudo chown $USER:$USER `find .` +touch gcov-test-initialized diff --git a/src/ftee/main.c b/src/ftee/main.c index 8daea8487..e6aa5f567 100644 --- a/src/ftee/main.c +++ b/src/ftee/main.c 
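Review bot: The `sudo chown $USER:$USER` line in gcov-test-init.sh takes its operands from an unquoted `find .` substitution, so any path containing whitespace is split into separate arguments, and chown given explicit operands follows symbolic links, which lets a link inside the tree redirect a chown run under sudo to a file outside it. On a large tree the expanded argument list can also exceed the command-line limit. `sudo chown -R -h "$USER:$USER" .` does the same job without these problems. Assigning `USER` also overwrites the login variable of the same name; a private name such as `owner=$(whoami)` avoids surprising anything the script calls later.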
@@ -193,6 +193,10 @@ int main(int argc, char **argv) { usage(); exit(1); } + if (strcmp(argv[1], "--help") == 0) { + usage(); + return 0; + } char *fname = argv[1]; diff --git a/test/firemon-arp.exp b/test/firemon-arp.exp deleted file mode 100755 index 3fc8c2aee..000000000 --- a/test/firemon-arp.exp +++ /dev/null @@ -1,34 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "ping -c 3 192.168.1.1\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "3 packets transmitted" -} -sleep 1 - -send -- "firejail\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -sleep 1 - -spawn $env(SHELL) -send -- "firemon --arp\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "192.168.1.1 dev eth0 lladdr" {puts "Debian testing\n";} - "192.168.1.1 dev enp0s3 lladdr" {puts "Centos 7 testing\n";} -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "REACHABLE" -} -sleep 1 - -puts "\n" diff --git a/test/firemon-route.exp b/test/firemon-route.exp deleted file mode 100755 index a48116675..000000000 --- a/test/firemon-route.exp +++ /dev/null 
@@ -1,33 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -spawn $env(SHELL) -send -- "firemon --route\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "0.0.0.0/0 via 192.168.1.1, dev eth0, metric 0" {puts "Debian testing\n";} - "0.0.0.0/0 via 192.168.1.1, dev enp0s3, metric 1024" {puts "Centos 7 testing\n";} - "0.0.0.0/0 via 192.168.1.1, dev enp0s3, metric 0" {puts "OpenSUSE testing\n";} - "0.0.0.0/0 via 192.168.1.1, dev enp0s3, metric 100" {puts "Arch testing\n";} -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "10.10.30.0/24, dev br1, scope link src 10.10.30.1" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "10.10.50.0/24, dev br3, scope link src 10.10.50.1" -} -sleep 1 - -puts "\n" diff --git a/test/network/4bridges_arp.exp b/test/network/4bridges_arp.exp index 4ffa715cc..6383aad5e 100755 --- a/test/network/4bridges_arp.exp +++ b/test/network/4bridges_arp.exp @@ -29,9 +29,9 @@ expect { timeout {puts "TESTING ERROR 0.4\n";exit} "Child process initialized" } -sleep 2 +sleep 1 send -- "exit\r" -sleep 2 +sleep 1 # check eth1 send -- "firejail --net=br0 --net=br1 --net=br2 --net=br3\r" @@ -55,9 +55,9 @@ expect { timeout {puts "TESTING ERROR 1.4\n";exit} "Child process initialized" } -sleep 2 +sleep 1 send -- "exit\r" -sleep 2 +sleep 1 # check eth2 @@ -82,9 +82,9 @@ expect { timeout {puts "TESTING ERROR 2.4\n";exit} "Child process initialized" } -sleep 2 +sleep 1 send -- "exit\r" -sleep 2 +sleep 1 @@ -110,9 +110,9 @@ expect { timeout {puts "TESTING ERROR 4\n";exit} "Child process initialized" } -sleep 2 +sleep 1 send -- "exit\r" -sleep 2 +sleep 1 diff --git a/test/network/4bridges_ip.exp b/test/network/4bridges_ip.exp index 3cfd71be0..e762ac285 100755 --- a/test/network/4bridges_ip.exp +++ b/test/network/4bridges_ip.exp 
@@ -29,9 +29,9 @@ expect { timeout {puts "TESTING ERROR 0.4\n";exit} "Child process initialized" } -sleep 2 +sleep 1 send -- "exit\r" -sleep 2 +sleep 1 # check eth1 send -- "firejail --net=br0 --net=br1 --ip=10.10.30.50 --net=br2 --ip=10.10.40.100 --net=br3\r" @@ -55,9 +55,9 @@ expect { timeout {puts "TESTING ERROR 1.4\n";exit} "Child process initialized" } -sleep 2 +sleep 1 send -- "exit\r" -sleep 2 +sleep 1 # check eth2 @@ -82,9 +82,9 @@ expect { timeout {puts "TESTING ERROR 2.4\n";exit} "Child process initialized" } -sleep 2 +sleep 1 send -- "exit\r" -sleep 2 +sleep 1 @@ -110,9 +110,9 @@ expect { timeout {puts "TESTING ERROR 4\n";exit} "Child process initialized" } -sleep 2 +sleep 1 send -- "exit\r" -sleep 2 +sleep 1 diff --git a/test/network/README b/test/network/README index a715d8edf..4404c53b0 100644 --- a/test/network/README +++ b/test/network/README @@ -11,5 +11,4 @@ Limitations - to be investigated and fixed: - macvlan interfaces don't seem to work correctly under VirtualBox Run the test: - $ sudo ./configure $ ./network.sh | grep TESTING diff --git a/test/network/bandwidth.exp b/test/network/bandwidth.exp index 8f3a706a8..8a2e46e04 100755 --- a/test/network/bandwidth.exp +++ b/test/network/bandwidth.exp @@ -12,7 +12,7 @@ expect { timeout {puts "TESTING ERROR 0\n";exit} "Child process initialized" } -sleep 2 +sleep 1 spawn $env(SHELL) send -- "firejail --bandwidth=test status\r" diff --git a/test/network/firemon-arp.exp b/test/network/firemon-arp.exp new file mode 100755 index 000000000..0a543c3b4 --- /dev/null +++ b/test/network/firemon-arp.exp 
@@ -0,0 +1,50 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "ping -c 3 192.168.1.1\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "3 packets transmitted" +} +sleep 1 + +send -- "firejail --name=test1\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --name=test2\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firemon --arp\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "name=test1" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "192.168.1.1 dev eth0 lladdr" {puts "Debian testing\n";} + "192.168.1.1 dev enp0s3 lladdr" {puts "Centos 7 testing\n";} +} +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "REACHABLE" +} +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "name=test2" +} +after 100 + +puts "\nall done\n"" diff --git a/test/network/firemon-route.exp b/test/network/firemon-route.exp new file mode 100755 index 000000000..19a705778 --- /dev/null +++ b/test/network/firemon-route.exp 
@@ -0,0 +1,49 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --name=test1\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --name=test2\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firemon --route\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "name=test1" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "0.0.0.0/0 via 192.168.1.1, dev eth0, metric 0" {puts "Debian testing\n";} + "0.0.0.0/0 via 192.168.1.1, dev enp0s3, metric 1024" {puts "Centos 7 testing\n";} + "0.0.0.0/0 via 192.168.1.1, dev enp0s3, metric 0" {puts "OpenSUSE testing\n";} + "0.0.0.0/0 via 192.168.1.1, dev enp0s3, metric 100" {puts "Arch testing\n";} +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "10.10.30.0/24, dev br1, scope link src 10.10.30.1" +} +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "10.10.50.0/24, dev br3, scope link src 10.10.50.1" +} +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "name=test2" +} +after 100 + +puts "\nalldone\n" diff --git a/test/network/interface.exp b/test/network/interface.exp index b15563eec..bd8777c33 100755 --- a/test/network/interface.exp +++ b/test/network/interface.exp @@ -14,7 +14,7 @@ set chroot [lindex $argv 1] # # todo: seems to be unable to find interface eth0.7 #send -- "firejail --noprofile --interface=eth0.5 --interface=eth0.6 --interface=eth0.7\r" -send -- "firejail --noprofile --interface=eth0.7 --interface=eth0.6\r" +send -- "firejail --noprofile --interface=eth0.5 --interface=eth0.6\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "Child process initialized" diff --git a/test/network/net_ip.exp b/test/network/net_ip.exp index 32103050d..0fa84243a 100755 --- a/test/network/net_ip.exp +++ b/test/network/net_ip.exp 
@@ -29,9 +29,9 @@ expect { timeout {puts "TESTING ERROR 4\n";exit} "Child process initialized" } -sleep 2 +sleep 1 send -- "exit\r" -sleep 2 +sleep 1 # check loopback send -- "firejail --net=br0 --ip=10.10.20.5 --protocol=unix,inet,netlink\r" diff --git a/test/network/net_local.exp b/test/network/net_local.exp index b72b9adaf..d58135785 100755 --- a/test/network/net_local.exp +++ b/test/network/net_local.exp @@ -17,9 +17,9 @@ expect { timeout {puts "TESTING ERROR 4\n";exit} "Child process initialized" } -sleep 2 +sleep 1 send -- "exit\r" -sleep 2 +sleep 1 # check loopback send -- "firejail --noprofile\r" diff --git a/test/network/net_netfilter.exp b/test/network/net_netfilter.exp index f011f3746..737485d07 100755 --- a/test/network/net_netfilter.exp +++ b/test/network/net_netfilter.exp @@ -29,7 +29,7 @@ expect { timeout {puts "TESTING ERROR 4\n";exit} "Child process initialized" } -sleep 2 +sleep 1 send -- "exit\r" sleep 1 @@ -43,7 +43,7 @@ expect { "ACCEPT icmp -- any any anywhere" {puts "TESTING ERROR 5.1\n";exit} "Child process initialized" } -sleep 2 +sleep 1 send -- "exit\r" sleep 1 @@ -57,7 +57,7 @@ expect { timeout {puts "TESTING ERROR 6.1\n";exit} "Child process initialized" } -sleep 2 +sleep 1 send -- "ping -c 1 -w 3 10.10.20.1\r" expect { timeout {puts "TESTING ERROR 6.2\n";exit} diff --git a/test/network/net_profile.exp b/test/network/net_profile.exp index dee0b2793..29008d811 100755 --- a/test/network/net_profile.exp +++ b/test/network/net_profile.exp @@ -33,7 +33,7 @@ expect { timeout {puts "TESTING ERROR 0.4\n";exit} "Child process initialized" } -sleep 2 +sleep 1 send -- "ip route show\r" expect { diff --git a/test/network/net_veth.exp b/test/network/net_veth.exp new file mode 100755 index 000000000..89dedcb24 --- /dev/null +++ b/test/network/net_veth.exp 
@@ -0,0 +1,130 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --net=eth0\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "lo" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "127.0.0.1" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "255.0.0.0" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "UP" +} +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "eth0-" +} +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "255.255.255.0" +} +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "UP" +} +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "Default gateway" +} +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "Child process initialized" +} +sleep 1 +send -- "exit\r" +sleep 1 + +send -- "firejail --net=eth0 --net=eth0 --net=eth0 --net=eth0\r" +expect { + timeout {puts "TESTING ERROR 11\n";exit} + "lo" +} +expect { + timeout {puts "TESTING ERROR 12\n";exit} + "127.0.0.1" +} +expect { + timeout {puts "TESTING ERROR 13\n";exit} + "255.0.0.0" +} +expect { + timeout {puts "TESTING ERROR 14\n";exit} + "UP" +} +expect { + timeout {puts "TESTING ERROR 15\n";exit} + "eth0-" +} +expect { + timeout {puts "TESTING ERROR 16\n";exit} + "255.255.255.0" +} +expect { + timeout {puts "TESTING ERROR 17\n";exit} + "UP" +} +expect { + timeout {puts "TESTING ERROR 18\n";exit} + "eth1-" +} +expect { + timeout {puts "TESTING ERROR 19\n";exit} + "255.255.255.0" +} +expect { + timeout {puts "TESTING ERROR 20\n";exit} + "UP" +} +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "eth2-" +} +expect { + timeout {puts "TESTING ERROR 21\n";exit} + "255.255.255.0" +} +expect { + timeout {puts "TESTING ERROR 22\n";exit} + "UP" +} +expect { + timeout {puts "TESTING ERROR 23\n";exit} + "eth3-" +} +expect { + timeout {puts "TESTING ERROR 24\n";exit} + "255.255.255.0" +} +expect { + timeout {puts 
"TESTING ERROR 25\n";exit} + "UP" +} +expect { + timeout {puts "TESTING ERROR 26\n";exit} + "Default gateway" +} +expect { + timeout {puts "TESTING ERROR 27\n";exit} + "Child process initialized" +} +sleep 1 +send -- "exit\r" + +after 100 + +puts "\n" + diff --git a/test/network/network.sh b/test/network/network.sh index e0087411d..28f707952 100755 --- a/test/network/network.sh +++ b/test/network/network.sh @@ -6,6 +6,14 @@ export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) +sudo ./configure + +echo "TESTING: firemon arp (firemon-arp.exp)" +./firemon-arp.exp + +echo "TESTING: firemon route (firemon-route.exp)" +./firemon-route.exp + echo "TESTING: network profile (net_profile.exp)" ./net_profile.exp @@ -58,6 +66,9 @@ echo "TESTING: scan (net_scan.exp)" echo "TESTING: interface (interface.exp)" ./interface.exp +echo "TESTING: veth (net_veth.exp)" +./net_veth.exp + echo "TESTING: netfilter (net_netfilter.exp)" ./net_netfilter.exp -- cgit v1.2.3-70-g09d2 From 0939f26a4f2f5d090baadb7f2a47269e9e456fb5 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 9 Nov 2016 22:46:32 -0500 Subject: fixed --top --- src/firejail/firejail.h | 8 +++++--- src/firejail/main.c | 3 ++- src/firejail/sbox.c | 14 ++++++++------ 3 files changed, 15 insertions(+), 10 deletions(-) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 56dbd6868..b8126cfe7 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h 
@@ -688,11 +688,13 @@ void build_cmdline(char **command_line, char **window_title, int argc, char **ar #define PATH_FIREMON (PREFIX "/bin/firemon") #define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp") // bitmapped filters for sbox_run -#define SBOX_ROOT (1 << 0) -#define SBOX_USER (1 << 1) -#define SBOX_SECCOMP (1 << 2) +#define SBOX_ROOT (1 << 0) // run the sandbox as root +#define SBOX_USER (1 << 1) // run the sandbox as a regular user +#define SBOX_SECCOMP (1 << 2) // install seccomp #define SBOX_CAPS_NONE (1 << 3) // drop all capabilities #define SBOX_CAPS_NETWORK (1 << 4) // caps filter for programs running network programs +#define SBOX_ALLOW_STDIN (1 << 5) // don't close stdin + // run sbox int sbox_run(unsigned filter, int num, ...); diff --git a/src/firejail/main.c b/src/firejail/main.c index b6f3a7f59..f01094af9 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -507,7 +507,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { exit(rv); } else if (strcmp(argv[i], "--top") == 0) { - int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--top"); + int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN, + 2, PATH_FIREMON, "--top"); exit(rv); } #ifdef HAVE_NETWORK diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index 3d4eef3aa..bca72c14a 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c 
@@ -141,14 +141,16 @@ int sbox_run(unsigned filter, int num, ...) { int max = 20; // getdtablesize() is overkill for a firejail process for (i = 3; i < max; i++) close(i); // close open files + if ((filter & SBOX_ALLOW_STDIN) == 0) { int fd = open("/dev/null",O_RDWR, 0); - if (fd != -1) { - dup2 (fd, STDIN_FILENO); - if (fd > 2) - close (fd); + if (fd != -1) { + dup2 (fd, STDIN_FILENO); + if (fd > 2) + close (fd); + } + else // the user could run the sandbox without /dev/null + close(STDIN_FILENO); } - else // the user could run the sandbox without /dev/null - close(STDIN_FILENO); umask(027); // apply filters -- cgit v1.2.3-70-g09d2 From 334c79edd83377a09c138800c0a2fefaf9c7981f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 10 Nov 2016 07:18:24 -0500 Subject: testing --- src/firejail/main.c | 6 ++-- src/fnet/veth.c | 6 ++++ test/network/firemon-arp.exp | 2 +- test/network/firemon-interfaces.exp | 67 +++++++++++++++++++++++++++++++++++++ test/network/netstats.exp | 39 +++++++++++++++++++++ test/network/network.sh | 6 ++++ test/utils/firemon-cpu.exp | 44 ++++++++++++++++++++++++ test/utils/top.exp | 40 ++++++++++++++++++++++ test/utils/utils.sh | 9 +++++ 9 files changed, 216 insertions(+), 3 deletions(-) create mode 100755 test/network/firemon-interfaces.exp create mode 100755 test/network/netstats.exp create mode 100755 test/utils/firemon-cpu.exp create mode 100755 test/utils/top.exp diff --git a/src/firejail/main.c b/src/firejail/main.c index f01094af9..4759e6a5f 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c 
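Review bot: In the branch that detaches stdin, the result of `dup2 (fd, STDIN_FILENO)` is ignored, so if it fails the helper keeps the caller's stdin even though `SBOX_ALLOW_STDIN` was not requested. Checking it keeps the new flag the only way to inherit stdin: `if (dup2(fd, STDIN_FILENO) == -1) errExit("dup2");`. The `int fd = open(...)` line is also indented differently from the block it now belongs to. sbox_run starts and ends outside the hunk.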
@@ -517,9 +517,11 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { struct stat s; int rv; if (stat("/proc/sys/kernel/grsecurity", &s) == 0) - rv = sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--netstats"); + rv = sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN, + 2, PATH_FIREMON, "--netstats"); else - rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--netstats"); + rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN, + 2, PATH_FIREMON, "--netstats"); exit(rv); } else { diff --git a/src/fnet/veth.c b/src/fnet/veth.c index d06bc9256..546fafcec 100644 --- a/src/fnet/veth.c +++ b/src/fnet/veth.c @@ -111,6 +111,8 @@ int net_create_veth(const char *dev, const char *nsdev, unsigned pid) { if (rtnl_talk(&rth, &req.n, 0, 0, NULL) < 0) exit(2); + rtnl_close(&rth); + return 0; } @@ -173,6 +175,8 @@ int net_create_macvlan(const char *dev, const char *parent, unsigned pid) { if (rtnl_talk(&rth, &req.n, 0, 0, NULL) < 0) exit(2); + rtnl_close(&rth); + return 0; } @@ -209,6 +213,8 @@ int net_move_interface(const char *dev, unsigned pid) { if (rtnl_talk(&rth, &req.n, 0, 0, NULL) < 0) exit(2); + rtnl_close(&rth); + return 0; } diff --git a/test/network/firemon-arp.exp b/test/network/firemon-arp.exp index 0a543c3b4..e40ffb609 100755 --- a/test/network/firemon-arp.exp +++ b/test/network/firemon-arp.exp @@ -47,4 +47,4 @@ expect { } after 100 -puts "\nall done\n"" +puts "\nall done\n" diff --git a/test/network/firemon-interfaces.exp b/test/network/firemon-interfaces.exp new file mode 100755 index 000000000..deb8594af --- /dev/null +++ b/test/network/firemon-interfaces.exp 
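Review bot: On the grsecurity path in main.c, `SBOX_ROOT` is now combined with `SBOX_ALLOW_STDIN`, so a firemon process started as root reads from a descriptor that the invoking user controls. The same call drops capabilities and installs seccomp, but the reason stdin stays open and the expectation that firemon treats it as untrusted input are not written anywhere. A comment above the call would record it, e.g. `// stdin stays open for firemon (SBOX_ALLOW_STDIN); it is user-controlled, including on the SBOX_ROOT path`. run_cmd_and_exit continues outside the hunk.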
@@ -0,0 +1,67 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --net=eth0 --name=test1\r" +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --net=eth0 --name=test2\r" +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firemon --interface\r" +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "Link status" +} +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "lo UP" +} +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "eth0-" +} +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "IPv4 status" +} +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "lo UP" +} +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "eth0-" +} +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "IPv6 status" +} +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "lo UP" +} +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "eth0-" +} + +after 100 + +puts "\n" + diff --git a/test/network/netstats.exp b/test/network/netstats.exp new file mode 100755 index 000000000..41232061d --- /dev/null +++ b/test/network/netstats.exp 
@@ -0,0 +1,39 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --net=eth0 --name=test1\r" +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --net=eth0 --name=test2\r" +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --netstats\r" +sleep 4 +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "name=test1" +} +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "name=test2" +} +after 100 + +puts "\n" + diff --git a/test/network/network.sh b/test/network/network.sh index 28f707952..e1646d64a 100755 --- a/test/network/network.sh +++ b/test/network/network.sh @@ -8,9 +8,15 @@ export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) sudo ./configure +echo "TESTING: firemon interface (firemon-interfaces.exp)" +sudo ./firemon-interfaces.exp + echo "TESTING: firemon arp (firemon-arp.exp)" ./firemon-arp.exp +echo "TESTING: firemon netstats (netstats.exp)" +./netstats.exp + echo "TESTING: firemon route (firemon-route.exp)" ./firemon-route.exp diff --git a/test/utils/firemon-cpu.exp b/test/utils/firemon-cpu.exp new file mode 100755 index 000000000..22e44512c --- /dev/null +++ b/test/utils/firemon-cpu.exp 
@@ -0,0 +1,44 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --name=test1\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --name=test2\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firemon --cpu\r" +sleep 4 +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "name=test1" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "Cpus_allowed_list" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "name=test2" +} + +after 100 + +puts "\nall done\n" + diff --git a/test/utils/top.exp b/test/utils/top.exp new file mode 100755 index 000000000..d530e5a85 --- /dev/null +++ b/test/utils/top.exp @@ -0,0 +1,40 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --name=test1\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --name=test2\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --top\r" +sleep 4 +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "name=test1" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "name=test2" +} + +after 100 + +puts "\nall done\n" + diff --git a/test/utils/utils.sh b/test/utils/utils.sh index ff4e5e086..557f2c961 100755 --- a/test/utils/utils.sh +++ b/test/utils/utils.sh 
@@ -88,6 +88,15 @@ echo "TESTING: firemon --seccomp (test/utils/seccomp.exp)" echo "TESTING: firemon --caps (test/utils/caps.exp)" ./caps.exp +echo "TESTING: top (test/utils/top.exp)" +./top.exp + echo "TESTING: file transfer (test/utils/ls.exp)" ./ls.exp +echo "TESTING: firemon cpu (test/utils/firemon-cpu.exp)" +./firemon-cpu.exp + +echo "TESTING: firemon cgroup (test/utils/firemon-cgroup.exp)" +./firemon-cgroup.exp + -- cgit v1.2.3-70-g09d2 From 9c9506f40b6e73e7ba9acbf676b1867c2b3e407f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 10 Nov 2016 08:12:32 -0500 Subject: bug: mkdir and mkfile are not applied to private directories --- src/firejail/fs.c | 14 ++++++++++++++ src/firejail/profile.c | 4 ++-- src/firejail/sandbox.c | 2 +- src/firejail/sbox.c | 2 +- 4 files changed, 18 insertions(+), 4 deletions(-) diff --git a/src/firejail/fs.c b/src/firejail/fs.c index dbd7eced7..4556f0a82 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -348,6 +348,20 @@ void fs_blacklist(void) { ptr = entry->data + 6; op = MOUNT_TMPFS; } + else if (strncmp(entry->data, "mkdir ", 6) == 0) { + EUID_USER(); + fs_mkdir(entry->data + 6); + EUID_ROOT(); + entry = entry->next; + continue; + } + else if (strncmp(entry->data, "mkfile ", 7) == 0) { + EUID_USER(); + fs_mkfile(entry->data + 7); + EUID_ROOT(); + entry = entry->next; + continue; + } else { fprintf(stderr, "Error: invalid profile line %s\n", entry->data); entry = entry->next; diff --git a/src/firejail/profile.c b/src/firejail/profile.c index f3a7eb727..0fd45d1ef 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c 
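Review bot: The new `mkdir ` and `mkfile ` branches in fs_blacklist have no comment saying why file creation is replayed in the mount pass, or why the effective uid is switched around each call. The `EUID_USER()` / `EUID_ROOT()` pair is what keeps a profile-supplied path from being created with root's privileges, so a later edit must not reorder or drop it. I would add above the first branch: `// replay mkdir/mkfile so they also apply to private directories; create as the user, never as root`. Whether fs_mkdir and fs_mkfile validate the path themselves is not visible here, and fs_blacklist's body starts and ends outside the hunk.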
@@ -105,12 +105,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { // mkdir if (strncmp(ptr, "mkdir ", 6) == 0) { fs_mkdir(ptr + 6); - return 0; + return 1; // process mkdir again while applying blacklists } // mkfile if (strncmp(ptr, "mkfile ", 7) == 0) { fs_mkfile(ptr + 7); - return 0; + return 1; // process mkfile again while applying blacklists } // sandbox name else if (strncmp(ptr, "name ", 5) == 0) { diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 6b7f7f003..109daf552 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -734,7 +734,7 @@ int sandbox(void* sandbox_arg) { fs_whitelist(); // ... followed by blacklist commands - fs_blacklist(); + fs_blacklist(); // mkdir and mkfile are processed all over again //**************************** // install trace diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index bca72c14a..430ffb86e 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c @@ -142,7 +142,7 @@ int sbox_run(unsigned filter, int num, ...) { for (i = 3; i < max; i++) close(i); // close open files if ((filter & SBOX_ALLOW_STDIN) == 0) { - int fd = open("/dev/null",O_RDWR, 0); + int fd = open("/dev/null",O_RDWR, 0); if (fd != -1) { dup2 (fd, STDIN_FILENO); if (fd > 2) -- cgit v1.2.3-70-g09d2 From d8984ed12a0cb7cef4376f544ac19b6e71bb213c Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 10 Nov 2016 08:23:58 -0500 Subject: testing --- test/fs/fs.sh | 7 +++++++ test/fs/mkdir_mkfile.exp | 46 ++++++++++++++++++++++++++++++++++++++++++++ test/fs/mkdir_mkfile.profile | 4 ++++ 3 files changed, 57 insertions(+) create mode 100755 test/fs/mkdir_mkfile.exp create mode 100644 test/fs/mkdir_mkfile.profile diff --git a/test/fs/fs.sh b/test/fs/fs.sh index 812da02b0..8ad67141a 100755 --- a/test/fs/fs.sh +++ b/test/fs/fs.sh 
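Review bot: In profile_check_line the parse-time calls `fs_mkdir(ptr + 6);` and `fs_mkfile(ptr + 7);` still run before the new `return 1;`, so every profile `mkdir`/`mkfile` now executes twice: once here and once more from fs_blacklist. If profile parsing happens before the private home is mounted, which the commit subject suggests, a sandbox started with a private home still gets the directory or file created in the user's real home. Consider skipping the parse-time call when a private directory was requested, or dropping it and relying on the fs_blacklist pass alone. At minimum the comment should say that the first call touches the host filesystem, e.g. `// created on the host now; replayed inside the sandbox by fs_blacklist()`.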
@@ -6,6 +6,10 @@ export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) +rm -fr ~/_firejail_test_* +echo "TESTING: mkdir/mkfile (test/fs/mkdir_mkfile.exp)" +rm -fr ~/_firejail_test_* + echo "TESTING: /sys/fs access (test/fs/sys_fs.exp)" ./sys_fs.exp @@ -69,12 +73,15 @@ echo "TESTING: double whitelist (test/fs/whitelist-double.exp)" echo "TESTING: whitelist (test/fs/whitelist.exp)" ./whitelist.exp + +#cleanup rm -fr ~/fjtest-dir rm -fr ~/fjtest-dir-lnk rm -f ~/fjtest-file rm -f ~/fjtest-file-lnk rm -f /tmp/fjtest-file rm -fr /tmp/fjtest-dir +rm -fr ~/_firejail_test_* diff --git a/test/fs/mkdir_mkfile.exp b/test/fs/mkdir_mkfile.exp new file mode 100755 index 000000000..98163bf77 --- /dev/null +++ b/test/fs/mkdir_mkfile.exp @@ -0,0 +1,46 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + + +# testing profile and private +send -- "firejail --private --profile=mkdir_mkfile.profile\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "find ~\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "_firejail_test_file" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "_firejail_test_dir" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "_firejail_test_dir/dir1" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "_firejail_test_dir/dir1/dir2" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "_firejail_test_dir/dir1/dir2/dir3" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "_firejail_test_dir/dir1/dir2/dir3/file1" +} +after 100 + +puts "all done\n" diff --git a/test/fs/mkdir_mkfile.profile b/test/fs/mkdir_mkfile.profile new file mode 100644 index 000000000..d179c62ac --- /dev/null +++ b/test/fs/mkdir_mkfile.profile 
@@ -0,0 +1,4 @@ +mkdir ~/_firejail_test_dir +mkfile ~/_firejail_test_file +mkdir ~/_firejail_test_dir/dir1/dir2/dir3 +mkfile ~/_firejail_test_dir/dir1/dir2/dir3/file1 -- cgit v1.2.3-70-g09d2 From fffce11c3da087172c069ec0ff4c788f5bcc522b Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 10 Nov 2016 20:15:22 -0500 Subject: testing --- Makefile.in | 2 +- src/firejail/fs_bin.c | 3 ++ src/firejail/fs_etc.c | 3 ++ src/firejail/fs_mkdir.c | 6 +++ src/firejail/ls.c | 12 ++++++ src/firejail/main.c | 3 ++ src/firejail/x11.c | 3 ++ src/firemon/interface.c | 3 ++ src/firemon/procevent.c | 4 ++ test/fs/fs.sh | 9 ++++ test/fs/read-write.exp | 49 ++++++++++++++++++++++ test/root/configure | 27 ------------ test/root/firemon-events.exp | 72 +++++++++++++++++++++++++++++++ test/root/firemon-interface.exp | 34 --------------- test/root/net_interface.exp | 93 ----------------------------------------- test/root/option_tmpfs.exp | 8 +--- test/root/profile_tmpfs.exp | 37 ++++++++-------- test/root/root.sh | 31 ++------------ test/root/start.sh | 4 -- test/root/tmpfs-bad.profile | 1 + test/root/tmpfs.profile | 2 +- test/utils/firemon-cgroup.exp | 40 ++++++++++++++++++ 22 files changed, 235 insertions(+), 211 deletions(-) create mode 100755 test/fs/read-write.exp delete mode 100755 test/root/configure create mode 100755 test/root/firemon-events.exp delete mode 100755 test/root/firemon-interface.exp delete mode 100755 test/root/net_interface.exp delete mode 100755 test/root/start.sh create mode 100644 test/root/tmpfs-bad.profile create mode 100755 test/utils/firemon-cgroup.exp diff --git a/Makefile.in b/Makefile.in index 41885ddcf..64970d4a5 100644 --- a/Makefile.in +++ b/Makefile.in @@ -174,7 +174,7 @@ test-compile: dist cd test/compile; ./compile.sh $(NAME)-$(VERSION) test-root: - cd test/root; su -c ./start.sh + cd test/root; su -c ./root.sh | grep TESTING .PHONY: rpms rpms: diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index a3576e7c4..c906e32c0 100644 
--- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c @@ -247,6 +247,9 @@ void fs_private_bin_list(void) { duplicate(ptr); free(dlist); fs_logger_print(); +#ifdef HAVE_GCOV + __gcov_flush(); +#endif _exit(0); } // wait for the child to finish diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index 830de7c9f..ebcde29a3 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c @@ -171,6 +171,9 @@ void fs_private_etc_list(void) { duplicate(ptr); free(dlist); fs_logger_print(); +#ifdef HAVE_GCOV + __gcov_flush(); +#endif _exit(0); } // wait for the child to finish diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c index cffe32a7a..6bcb3f33e 100644 --- a/src/firejail/fs_mkdir.c +++ b/src/firejail/fs_mkdir.c @@ -81,6 +81,9 @@ void fs_mkdir(const char *name) { // create directory mkdir_recursive(expanded); +#ifdef HAVE_GCOV + __gcov_flush(); +#endif _exit(0); } // wait for the child to finish @@ -126,6 +129,9 @@ void fs_mkfile(const char *name) { (void) rv; fclose(fp); } +#ifdef HAVE_GCOV + __gcov_flush(); +#endif _exit(0); } // wait for the child to finish diff --git a/src/firejail/ls.c b/src/firejail/ls.c index 7c5585324..1b759d7a1 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c @@ -358,6 +358,9 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { // copy the file if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) _exit(1); +#ifdef HAVE_GCOV + __gcov_flush(); +#endif _exit(0); } @@ -381,6 +384,9 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { // copy the file if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) _exit(1); +#ifdef HAVE_GCOV + __gcov_flush(); +#endif _exit(0); } @@ -423,6 +429,9 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { // copy the file if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) _exit(1); +#ifdef HAVE_GCOV + __gcov_flush(); +#endif _exit(0); } 
@@ -452,6 +461,9 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { // copy the file if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) _exit(1); +#ifdef HAVE_GCOV + __gcov_flush(); +#endif _exit(0); } diff --git a/src/firejail/main.c b/src/firejail/main.c index 4759e6a5f..3f005b547 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -2461,6 +2461,9 @@ int main(int argc, char **argv) { network_main(child); if (arg_debug) printf("Host network configured\n"); +#ifdef HAVE_GCOV + __gcov_flush(); +#endif _exit(0); } diff --git a/src/firejail/x11.c b/src/firejail/x11.c index ecab8880a..54f947c45 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c @@ -692,6 +692,9 @@ void x11_xorg(void) { execlp("/usr/bin/xauth", "/usr/bin/xauth", "-f", tmpfname, "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL); +#ifdef HAVE_GCOV + __gcov_flush(); +#endif _exit(0); } diff --git a/src/firemon/interface.c b/src/firemon/interface.c index bceed93d3..58990e6e5 100644 --- a/src/firemon/interface.c +++ b/src/firemon/interface.c @@ -146,6 +146,9 @@ static void print_sandbox(pid_t pid) { return; net_ifprint(); printf("\n"); +#ifdef HAVE_GCOV + __gcov_flush(); +#endif _exit(0); } diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c index 78a3a4fb2..1940f4a34 100644 --- a/src/firemon/procevent.c +++ b/src/firemon/procevent.c @@ -192,6 +192,10 @@ static int procevent_monitor(const int sock, pid_t mypid) { tv.tv_usec = 0; while (1) { +#ifdef HAVE_GCOV + __gcov_flush(); +#endif + #define BUFFSIZE 4096 char __attribute__ ((aligned(NLMSG_ALIGNTO)))buf[BUFFSIZE]; diff --git a/test/fs/fs.sh b/test/fs/fs.sh index 8ad67141a..0b9cf977e 100755 --- a/test/fs/fs.sh +++ b/test/fs/fs.sh 
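Review bot: In the x11.c hunk the `__gcov_flush()` block sits after `execlp("/usr/bin/xauth", ...)`, so it runs only when the exec fails. On success the process image is replaced and the counters the child gathered before the exec are never written. Move the `#ifdef HAVE_GCOV` / `__gcov_flush();` / `#endif` lines above the `execlp` call. The fall-through path then ends in `_exit(0)`, so a failed xauth launch is reported as success; `perror("execlp"); _exit(1);` would let the parent notice, assuming it checks the child's status, which is outside this hunk. In the ls.c hunks the `_exit(1)` taken when copy_file fails also skips the flush.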
@@ -8,6 +8,15 @@ export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) rm -fr ~/_firejail_test_* echo "TESTING: mkdir/mkfile (test/fs/mkdir_mkfile.exp)" +./mkdir_mkfile.exp +rm -fr ~/_firejail_test_* + +mkdir ~/_firejail_test_dir +touch ~/_firejail_test_dir/a +mkdir ~/_firejail_test_dir/test1 +touch ~/_firejail_test_dir/test1/b +echo "TESTING: read/write (test/fs/read-write.exp)" +./read-write.exp rm -fr ~/_firejail_test_* echo "TESTING: /sys/fs access (test/fs/sys_fs.exp)" diff --git a/test/fs/read-write.exp b/test/fs/read-write.exp new file mode 100755 index 000000000..cfca15605 --- /dev/null +++ b/test/fs/read-write.exp @@ -0,0 +1,49 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + + +send -- "firejail --read-only=~/_firejail_test_dir --read-write=~/_firejail_test_dir/test1\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "echo mytest >~/_firejail_test_dir/a;echo done\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "done" +} + +send -- "echo mytest >~/_firejail_test_dir/test1/b;echo done\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "done" +} + +send -- "cat ~/_firejail_test_dir/a;echo done\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "mytest" {puts "TESTING ERROR 4\n";exit} + "done" +} + + +send -- "cat ~/_firejail_test_dir/test1/b;echo done\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "mytest" +} +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "done" +} + +after 100 +puts "\nall done\n" diff --git a/test/root/configure b/test/root/configure deleted file mode 100755 index 35d938340..000000000 --- a/test/root/configure +++ /dev/null 
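Review bot: In read-write.exp the read-only check after `cat ~/_firejail_test_dir/a;echo done` can be satisfied by the terminal echo of the command instead of its output. The sent string itself contains `done`, and the earlier `echo mytest >...` lines contain `mytest`. If the spawned shell echoes its input, which pattern fires depends on what is left in the expect buffer, so the test does not reliably show that the write under `--read-only` was refused. Assert the refusal directly by expecting the shell's error after the first write, for example `"Read-only file system"` in place of `"done"`. Also use an end marker that does not appear literally in the command, such as `echo d-o-n-e | tr -d -`.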
@@ -1,27 +0,0 @@ -#!/bin/bash -# This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors -# License GPL v2 - -brctl addbr br0 -ifconfig br0 10.10.20.1/29 up -# NAT masquerade -iptables -t nat -A POSTROUTING -o eth0 -s 10.10.20.0/29 -j MASQUERADE -# port forwarding -# iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.10.20.2:80 - -brctl addbr br1 -ifconfig br1 10.10.30.1/24 up -brctl addbr br2 -ifconfig br2 10.10.40.1/24 up -brctl addbr br3 -ifconfig br3 10.10.50.1/24 up -brctl addbr br4 -ifconfig br4 10.10.60.1/24 up -ip link add link eth0 name eth0.5 type vlan id 5 -/sbin/ifconfig eth0.5 10.10.205.10/24 up -ip link add link eth0 name eth0.6 type vlan id 6 -/sbin/ifconfig eth0.6 10.10.206.10/24 up -ip link add link eth0 name eth0.7 type vlan id 7 -/sbin/ifconfig eth0.7 10.10.207.10/24 up - diff --git a/test/root/firemon-events.exp b/test/root/firemon-events.exp new file mode 100755 index 000000000..4f305e51d --- /dev/null +++ b/test/root/firemon-events.exp 
@@ -0,0 +1,72 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +# start firemon +set firemon_id $spawn_id +send -- "firemon\r" +sleep 1 + +# start firejail +spawn $env(SHELL) +set firejail_id $spawn_id +send -- "firejail\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} + +# get messages on firemon +set spawn_id $firemon_id +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "exec" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "/bin/bash -c /bin/bash" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "exec" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "/bin/bash" +} +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "fork" +} +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "child" +} +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "/bin/bash" +} +after 100 + +# exit firejail +set spawn_id $firejail_id +send -- "exit\r" +sleep 1 + +# get messages on firemon +set spawn_id $firemon_id +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "exit" +} + +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "EXIT SANDBOX" +} + + +puts "\nall done\n" + diff --git a/test/root/firemon-interface.exp b/test/root/firemon-interface.exp deleted file mode 100755 index 6a82ae41e..000000000 --- a/test/root/firemon-interface.exp +++ /dev/null @@ -1,34 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -spawn $env(SHELL) -send -- "firemon --interface\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "lo UP" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "10.10.20.1/29" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "10.10.50.1/24" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "br3" -} -sleep 1 - -puts "\n" 
diff --git a/test/root/net_interface.exp b/test/root/net_interface.exp deleted file mode 100755 index 2f87024d8..000000000 --- a/test/root/net_interface.exp +++ /dev/null 
@@ -1,93 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors -# License GPL v2 - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "ip link add link eth0 name eth0.100 type vlan id 100\r" -sleep 1 -send -- "ip link add link eth0 name eth0.101 type vlan id 101\r" -sleep 1 -send -- "ip link add link eth0 name eth0.102 type vlan id 102\r" -sleep 1 -send -- "ip link add link eth0 name eth0.103 type vlan id 103\r" -sleep 1 -send -- "ip link add link eth0 name eth0.104 type vlan id 104\r" -sleep 1 -puts "\n" - -send -- "/sbin/ifconfig eth0.100 10.200.0.1/24\r" -sleep 1 -send -- "/sbin/ifconfig eth0.101 10.200.1.1/24\r" -sleep 1 -send -- "/sbin/ifconfig eth0.102 10.200.2.1/24\r" -sleep 1 -send -- "/sbin/ifconfig eth0.103 10.200.3.1/24\r" -sleep 1 -send -- "/sbin/ifconfig eth0.104 10.200.4.1/24\r" -sleep 1 -puts "\n" - - - -send -- "firejail --noprofile --interface=eth0.100 --interface=eth0.101 --interface=eth0.102 --interface=eth0.103 --interface=eth0.104\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "maximum 4 interfaces are allowed" -} -sleep 1 - -send -- "firejail --noprofile --interface=eth0.100 --interface=eth0.101 --interface=eth0.102 --interface=eth0.103\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "eth0.100" -} -expect { - timeout {puts "TESTING ERROR 1.1\n";exit} - "UP" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "eth0.101" -} -expect { - timeout {puts "TESTING ERROR 2.2\n";exit} - "UP" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "eth0.102" -} -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "UP" -} -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "eth0.103" -} -expect { - timeout {puts "TESTING ERROR 4.1\n";exit} - "UP" -} -sleep 1 -send -- "exit\r" -sleep 1 - -send -- "firejail --noprofile --interface=eth0.104\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "eth0.104" -} -expect { - timeout {puts "TESTING ERROR 
5.1\n";exit} - "UP" -} -send -- "exit\r" -after 100 - -puts "all done\n" - diff --git a/test/root/option_tmpfs.exp b/test/root/option_tmpfs.exp index 20e42a858..3d492dfdb 100755 --- a/test/root/option_tmpfs.exp +++ b/test/root/option_tmpfs.exp @@ -16,13 +16,9 @@ expect { timeout {puts "TESTING ERROR 1\n";exit} "total 0" } -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "/root" -} -sleep 1 +after 100 send -- "exit\r" -sleep 2 +sleep 1 send -- "firejail --debug-check-filename --tmpfs=\"bla&&bla\"\r" expect { diff --git a/test/root/profile_tmpfs.exp b/test/root/profile_tmpfs.exp index da7c084a2..25f73b50b 100755 --- a/test/root/profile_tmpfs.exp +++ b/test/root/profile_tmpfs.exp @@ -4,34 +4,37 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "mkdir /tmp/firejailtestdir\r" -sleep 1 -send -- "ls > /tmp/firejailtestdir/tmpfile\r" -sleep 1 - send -- "firejail --profile=tmpfs.profile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "Child process initialized" } - -# testing private only -send -- "bash\r" sleep 1 -send -- "ls -l /tmp/firejailtestdir;pwd\r" +send -- "ls -l /var;pwd\r" expect { - timeout {puts "TESTING ERROR 1.1\n";exit} - "tmpfile" {puts "TESTING ERROR 1\n";exit} - "home" + timeout {puts "TESTING ERROR 1\n";exit} + "total 0" } -sleep 1 -send -- "exit\r" -sleep 1 +after 100 send -- "exit\r" sleep 1 -send -- "rm -fr /tmp/firejailtestdir\r" -sleep 1 +send -- "firejail --debug-check-filename --profile=tmpfs-bad.profile\r" +expect { + timeout {puts "TESTING ERROR 13.1\n";exit} + "Checking filename bla&&bla" +} +expect { + timeout {puts "TESTING ERROR 13.2\n";exit} + "Error:" +} +expect { + timeout {puts "TESTING ERROR 13.3\n";exit} + "is an invalid filename" +} +after 100 + puts "\nall done\n" + diff --git a/test/root/root.sh b/test/root/root.sh index 960071d45..5576faad6 100755 --- a/test/root/root.sh +++ b/test/root/root.sh 
@@ -1,7 +1,5 @@ #!/bin/bash -./configure 2 > /dev/null - #******************************** # servers #******************************** @@ -76,30 +74,7 @@ echo hello > tmpfile rm -f tmpfile #******************************** -# networking +# firemon #******************************** -echo "TESTING: network interfaces (test/root/net_interface.exp)" -./net_interface.exp - -echo "TESTING: firemon --interface (test/root/firemon-interface.exp)" -./firemon-interface.exp - -#if [ -f /sys/fs/cgroup/g1/tasks ] -#then -# echo "TESTING: firemon --cgroup (firemon-cgroup.exp)" -# ./firemon-cgroup.exp -#fi -# -#echo "TESTING: chroot resolv.conf (chroot-resolvconf.exp)" -#rm -f tmpfile -#touch tmpfile -#rm -f /tmp/chroot/etc/resolv.conf -#ln -s tmp /tmp/chroot/etc/resolv.conf -#./chroot-resolvconf.exp -#rm -f tmpfile -#rm /tmp/chroot/etc/resolv.conf - -#echo "TESTING: chroot (fs_chroot_asroot.exp)" -#./fs_chroot_asroot.exp - - +echo "TESTING: firemon events (test/root/firemon-events.exp)" +./firemon-events.exp diff --git a/test/root/start.sh b/test/root/start.sh deleted file mode 100755 index 8e7a869cd..000000000 --- a/test/root/start.sh +++ /dev/null @@ -1,4 +0,0 @@ -#/bin/bash - -./configure -./root.sh | grep TESTING \ No newline at end of file diff --git a/test/root/tmpfs-bad.profile b/test/root/tmpfs-bad.profile new file mode 100644 index 000000000..7264e18ff --- /dev/null +++ b/test/root/tmpfs-bad.profile @@ -0,0 +1 @@ +tmpfs bla&&bla diff --git a/test/root/tmpfs.profile b/test/root/tmpfs.profile index 0680f4d69..55a6f7ebc 100644 --- a/test/root/tmpfs.profile +++ b/test/root/tmpfs.profile @@ -1 +1 @@ -tmpfs /tmp/firejailtestdir \ No newline at end of file +tmpfs /var diff --git a/test/utils/firemon-cgroup.exp b/test/utils/firemon-cgroup.exp new file mode 100755 index 000000000..3cd4f5a03 --- /dev/null +++ b/test/utils/firemon-cgroup.exp 
@@ -0,0 +1,40 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --name=test1\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --name=test2\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firemon --cgroup\r" +sleep 4 +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "name=test1" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "name=test2" +} + +after 100 + +puts "\nall done\n" + -- cgit v1.2.3-70-g09d2 From a8b23c83998c7964f8898c39784ac186a0216c3f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 11 Nov 2016 07:47:46 -0500 Subject: testing --- Makefile.in | 45 ++++++++++++------ src/firejail/fs.c | 6 +++ src/fnet/interface.c | 76 ++++++++++-------------------- test/fs_overlay.exp | 66 -------------------------- test/overlay/firefox-x11-xorg.exp | 90 +++++++++++++++++++++++++++++++++++ test/overlay/firefox-x11.exp | 90 +++++++++++++++++++++++++++++++++++ test/overlay/firefox.exp | 99 +++++++++++++++++++++++++++++++++++++++ test/overlay/fs.exp | 46 ++++++++++++++++++ test/overlay/overlay.sh | 57 ++++++++++++++++++++++ 9 files changed, 443 insertions(+), 132 deletions(-) delete mode 100755 test/fs_overlay.exp create mode 100755 test/overlay/firefox-x11-xorg.exp create mode 100755 test/overlay/firefox-x11.exp create mode 100755 test/overlay/firefox.exp create mode 100755 test/overlay/fs.exp create mode 100755 test/overlay/overlay.sh diff --git a/Makefile.in b/Makefile.in index 64970d4a5..03b6befbe 100644 --- a/Makefile.in +++ b/Makefile.in @@ -161,6 +161,8 @@ dist: tar -cJvf $(NAME)-$(VERSION).tar.xz $(NAME)-$(VERSION) rm -fr $(NAME)-$(VERSION) +asc:; ./mkasc.sh $(VERSION) + deb: dist ./mkdeb.sh $(NAME) $(VERSION) 
@@ -173,9 +175,6 @@ install-snap: snap test-compile: dist cd test/compile; ./compile.sh $(NAME)-$(VERSION) -test-root: - cd test/root; su -c ./root.sh | grep TESTING - .PHONY: rpms rpms: ./platform/rpm/mkrpm.sh $(NAME) $(VERSION) @@ -189,7 +188,19 @@ cppcheck: clean scan-build: clean scan-build make -asc:; ./mkasc.sh $(VERSION) +gcov-test-initialized: + ./gcov-test-init.sh + +gcov: gcov-test-initialized + lcov --capture -d src/firejail -d src/firemon -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg --output-file gcov-file + rm -fr gcov-dir + genhtml gcov-file --output-directory gcov-dir + + +# +# make test +# + test-profiles: cd test/profiles; ./profiles.sh | grep TESTING @@ -218,21 +229,25 @@ test-filters: test-arguments: cd test/arguments; ./arguments.sh | grep TESTING -test-network: - cd test/network; ./network.sh | grep TESTING - test-fs: cd test/fs; ./fs.sh | grep TESTING test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments echo "TEST COMPLETE" -gcov-test-initialized: - ./gcov-test-init.sh - -gcov: gcov-test-initialized - lcov --capture -d src/firejail -d src/firemon -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg --output-file gcov-file - rm -fr gcov-dir - genhtml gcov-file --output-directory gcov-dir +# +# individual tests, some of them requiring root access +# + +# root access, network devices are created before the test +test-network: + cd test/network; ./network.sh | grep TESTING + +# all the tests are run as root +test-root: + cd test/root; su -c ./root.sh | grep TESTING - \ No newline at end of file +# runs as regular user +test-overlay: + cd test/overlay; ./overlay.sh | grep TESTING + diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 4556f0a82..65b0773ca 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c 
@@ -919,6 +919,9 @@ void fs_overlayfs(void) { } // chroot in the new filesystem +#ifdef HAVE_GCOV + __gcov_flush(); +#endif if (chroot(oroot) == -1) errExit("chroot"); @@ -1102,6 +1105,9 @@ void fs_chroot(const char *rootdir) { } // chroot into the new directory +#ifdef HAVE_GCOV + __gcov_flush(); +#endif if (arg_debug) printf("Chrooting into %s\n", rootdir); if (chroot(rootdir) < 0) diff --git a/src/fnet/interface.c b/src/fnet/interface.c index 046b2c972..3958efddd 100644 --- a/src/fnet/interface.c +++ b/src/fnet/interface.c @@ -29,13 +29,18 @@ #include #include -// add a veth device to a bridge -void net_bridge_add_interface(const char *bridge, const char *dev) { - if (strlen(bridge) > IFNAMSIZ) { - fprintf(stderr, "Error fnet: invalid network device name %s\n", bridge); +static void check_if_name(const char *ifname) { + if (strlen(ifname) > IFNAMSIZ) { + fprintf(stderr, "Error fnet: invalid network device name %s\n", ifname); exit(1); } +} +// add a veth device to a bridge +void net_bridge_add_interface(const char *bridge, const char *dev) { + check_if_name(bridge); + check_if_name(dev); + // somehow adding the interface to the bridge resets MTU on bridge device!!! // workaround: restore MTU on the bridge device // todo: put a real fix in @@ -69,18 +74,14 @@ void net_bridge_add_interface(const char *bridge, const char *dev) { close(sock); int mtu2 = net_get_mtu(bridge); - if (mtu1 != mtu2) { + if (mtu1 != mtu2) net_set_mtu(bridge, mtu1); - } } // bring interface up void net_if_up(const char *ifname) { - if (strlen(ifname) > IFNAMSIZ) { - fprintf(stderr, "Error fnet: invalid network device name %s\n", ifname); - exit(1); - } + check_if_name(ifname); int sock = socket(AF_INET,SOCK_DGRAM,0); if (sock < 0) 
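Review bot: The new `check_if_name` helper in src/fnet/interface.c accepts a name of exactly IFNAMSIZ characters, because the test is `strlen(ifname) > IFNAMSIZ`. IFNAMSIZ includes the terminating NUL, so the longest name that fits in `ifr_name` is IFNAMSIZ - 1 characters; the guard should read `if (strlen(ifname) >= IFNAMSIZ) {`. How each caller copies the name into the `struct ifreq` is outside these hunks, so it should be checked whether a 16-character name ends up unterminated or silently truncated to a different interface. This commit also routes net_get_mac, net_if_mac and net_if_ip6 through the helper, so the one-line fix covers all of them.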
@@ -93,28 +94,19 @@ void net_if_up(const char *ifname) { ifr.ifr_addr.sa_family = AF_INET; // read the existing flags - if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) { - close(sock); - printf("Error fnet: cannot bring up interface %s\n", ifname); + if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) errExit("ioctl"); - } ifr.ifr_flags |= IFF_UP; // set the new flags - if (ioctl( sock, SIOCSIFFLAGS, &ifr ) < 0) { - close(sock); - printf("Error fnet: cannot bring up interface %s\n", ifname); + if (ioctl( sock, SIOCSIFFLAGS, &ifr ) < 0) errExit("ioctl"); - } // checking // read the existing flags - if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) { - close(sock); - printf("Error fnet: cannot bring up interface %s\n", ifname); + if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) errExit("ioctl"); - } // wait not more than 500ms for the interface to come up int cnt = 0; @@ -122,11 +114,8 @@ void net_if_up(const char *ifname) { usleep(10000); // sleep 10ms // read the existing flags - if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) { - close(sock); - printf("Error fnet: cannot bring up interface %s\n", ifname); + if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) errExit("ioctl"); - } if (ifr.ifr_flags & IFF_RUNNING) break; cnt++; @@ -136,12 +125,8 @@ void net_if_up(const char *ifname) { } int net_get_mtu(const char *ifname) { + check_if_name(ifname); int mtu = 0; - if (strlen(ifname) > IFNAMSIZ) { - fprintf(stderr, "Error fnet: invalid network device name %s\n", ifname); - exit(1); - } - int s; struct ifreq ifr; @@ -160,11 +145,7 @@ int net_get_mtu(const char *ifname) { } void net_set_mtu(const char *ifname, int mtu) { - if (strlen(ifname) > IFNAMSIZ) { - fprintf(stderr, "Error fnet: invalid network device name %s\n", ifname); - exit(1); - } - + check_if_name(ifname); int s; struct ifreq ifr; @@ -246,6 +227,7 @@ void net_ifprint(int scan) { } int net_get_mac(const char *ifname, unsigned char mac[6]) { + check_if_name(ifname); struct ifreq ifr; int sock; 
@@ -267,11 +249,7 @@ int net_get_mac(const char *ifname, unsigned char mac[6]) { // configure interface ipv4 address void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu) { - if (strlen(ifname) > IFNAMSIZ) { - fprintf(stderr, "Error: invalid network device name %s\n", ifname); - exit(1); - } - + check_if_name(ifname); int sock = socket(AF_INET,SOCK_DGRAM,0); if (sock < 0) errExit("socket"); @@ -282,34 +260,29 @@ void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu) { ifr.ifr_addr.sa_family = AF_INET; ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr = htonl(ip); - if (ioctl( sock, SIOCSIFADDR, &ifr ) < 0) { - close(sock); - fprintf(stderr, "Error fnet: cannot find interface %s\n", ifname); + if (ioctl( sock, SIOCSIFADDR, &ifr ) < 0) errExit("ioctl"); - } if (ip != 0) { ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr = htonl(mask); - if (ioctl( sock, SIOCSIFNETMASK, &ifr ) < 0) { - close(sock); + if (ioctl( sock, SIOCSIFNETMASK, &ifr ) < 0) errExit("ioctl"); - } } // configure mtu if (mtu > 0) { ifr.ifr_mtu = mtu; - if (ioctl( sock, SIOCSIFMTU, &ifr ) < 0) { - close(sock); + if (ioctl( sock, SIOCSIFMTU, &ifr ) < 0) errExit("ioctl"); - } } close(sock); usleep(10000); // sleep 10ms + return; } int net_if_mac(const char *ifname, const unsigned char mac[6]) { + check_if_name(ifname); struct ifreq ifr; int sock; @@ -335,6 +308,7 @@ struct ifreq6 { unsigned int ifr6_ifindex; }; void net_if_ip6(const char *ifname, const char *addr6) { + check_if_name(ifname); if (strchr(addr6, ':') == NULL) { fprintf(stderr, "Error fnet: invalid IPv6 address %s\n", addr6); exit(1); diff --git a/test/fs_overlay.exp b/test/fs_overlay.exp deleted file mode 100755 index b7eeba80f..000000000 --- a/test/fs_overlay.exp +++ /dev/null 
@@ -1,66 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "rm -f /tmp/firejail-overlay-test;pwd\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "home" -} - -send -- "ls > /tmp/firejail-overlay-test;pwd\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "home" -} - -send -- "firejail --noprofile --overlay\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit} - "Error: --overlay option is not available on Grsecurity systems" {puts "\nTESTING: overlayfs not available\n"; exit} - "Child process initialized" {puts "found\n"} -} -sleep 1 - -send -- "echo xyzxyzxyz > /tmp/firejail-overlay-test;pwd\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "home" -} -sleep 1 - -send -- "cat /tmp/firejail-overlay-test;pwd\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "xyzxyzxyz" -} -expect { - timeout {puts "TESTING ERROR 4.1\n";exit} - "home" -} -sleep 1 - -send -- "exit\r" -sleep 2 - -send -- "cat /tmp/firejail-overlay-test;pwd\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "xyzxyzxyz" {puts "TESTING ERROR 5.1\n";exit} - "home" -} - -sleep 1 -send -- "rm -f /tmp/firejail-overlay-test;pwd\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "home" -} - - -sleep 1 -puts "all done \n" - diff --git a/test/overlay/firefox-x11-xorg.exp b/test/overlay/firefox-x11-xorg.exp new file mode 100755 index 000000000..76c0e55fc --- /dev/null +++ b/test/overlay/firefox-x11-xorg.exp 
@@ -0,0 +1,90 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --overlay --name=test --x11=xorg firefox -no-remote www.gentoo.org\r" +sleep 10 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "firefox" {puts "firefox detected\n";} + "iceweasel" {puts "iceweasel detected\n";} +} +expect { + timeout {puts "TESTING ERROR 3.2\n";exit} + "no-remote" +} +sleep 1 +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} +send -- "firejail --overlay --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + " firefox" {puts "firefox detected\n";} + " iceweasel" {puts "iceweasel detected\n";} +} +expect { + timeout {puts "TESTING ERROR 5.0\n";exit} + "no-remote" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + " firefox" {puts "firefox detected\n";} + " iceweasel" {puts "iceweasel detected\n";} +} +expect { + timeout {puts "TESTING ERROR 6.0\n";exit} + "no-remote" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firejail --shutdown=test\r" +sleep 
3 + +puts "\nall done\n" + diff --git a/test/overlay/firefox-x11.exp b/test/overlay/firefox-x11.exp new file mode 100755 index 000000000..aa248f328 --- /dev/null +++ b/test/overlay/firefox-x11.exp 
@@ -0,0 +1,90 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --overlay --name=test --x11 firefox -no-remote www.gentoo.org\r" +sleep 10 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "firefox" {puts "firefox detected\n";} + "iceweasel" {puts "iceweasel detected\n";} +} +expect { + timeout {puts "TESTING ERROR 3.2\n";exit} + "no-remote" +} +sleep 1 +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} +send -- "firejail --name=blablabla --overlay\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + " firefox" {puts "firefox detected\n";} + " iceweasel" {puts "iceweasel detected\n";} +} +expect { + timeout {puts "TESTING ERROR 5.0\n";exit} + "no-remote" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + " firefox" {puts "firefox detected\n";} + " iceweasel" {puts "iceweasel detected\n";} +} +expect { + timeout {puts "TESTING ERROR 6.0\n";exit} + "no-remote" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firejail --shutdown=test\r" +sleep 3 + 
+puts "\nall done\n" + diff --git a/test/overlay/firefox.exp b/test/overlay/firefox.exp new file mode 100755 index 000000000..6ef23558d --- /dev/null +++ b/test/overlay/firefox.exp 
@@ -0,0 +1,99 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --overlay firefox -no-remote www.gentoo.org\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile /etc/firejail/firefox.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 10 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "firefox" {puts "firefox detected\n";} + "iceweasel" {puts "iceweasel detected\n";} +} +expect { + timeout {puts "TESTING ERROR 3.2\n";exit} + "no-remote" +} +after 100 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + + +send -- "firejail --name=blablabla --overlay\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + " firefox" {puts "firefox detected\n";} + " iceweasel" {puts "iceweasel detected\n";} +} +expect { + timeout {puts "TESTING ERROR 5.0\n";exit} + "no-remote" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +after 100 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + " firefox" {puts "firefox detected\n";} + " iceweasel" {puts "iceweasel detected\n";} +} +expect { + timeout {puts "TESTING ERROR 6.0\n";exit} + "no-remote" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts 
"TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +after 100 + +puts "\nall done\n" + diff --git a/test/overlay/fs.exp b/test/overlay/fs.exp new file mode 100755 index 000000000..15ada9203 --- /dev/null +++ b/test/overlay/fs.exp @@ -0,0 +1,46 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --overlay\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit} + "Error: --overlay option is not available on Grsecurity systems" {puts "\nTESTING: overlayfs not available\n"; exit} + "Child process initialized" {puts "found\n"} +} +sleep 1 + +send -- "echo xyzxyzxyz > ~/_firejail_test_file; echo done\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "done" +} +after 100 + +send -- "cat ~/_firejail_test_file; echo done\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "xyzxyzxyz" +} +expect { + timeout {puts "TESTING ERROR 4.1\n";exit} + "done" +} +after 100 + +send -- "exit\r" +sleep 2 + +send -- "cat ~/_firejail_test_file; echo done\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "xyzxyzxyz" {puts "TESTING ERROR 5.1\n";exit} + "done" +} + +after 100 +puts "\nall done\n" + diff --git a/test/overlay/overlay.sh b/test/overlay/overlay.sh new file mode 100755 index 000000000..971adddfe --- /dev/null +++ b/test/overlay/overlay.sh 
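Review bot: The final check in test/overlay/fs.exp can pass without ever seeing the file contents. The sent line `cat ~/_firejail_test_file; echo done` itself contains `done`, and the spawned shell normally echoes what is typed, so the `"done"` pattern may match the echo before `cat` prints anything and the `"xyzxyzxyz"` failure branch is never reached. A write that persisted outside the overlay would then go unreported by this test. Use a marker that the command text does not contain, for instance the `;pwd` / `"home"` pair from the deleted test/fs_overlay.exp. The checks at steps 3 and 4 use the same `echo done` marker.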
@@ -0,0 +1,57 @@ +#!/bin/bash +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +export MALLOC_CHECK_=3 +export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) + +echo "TESTING: overlay fs (test/overlay/fs.exp)" +rm -fr ~/_firejail_test_* +./fs.exp +rm -fr ~/_firejail_test_* + +which firefox +if [ "$?" -eq 0 ]; +then + echo "TESTING: overlay firefox" + ./firefox.exp +else + echo "TESTING SKIP: firefox not found" +fi + +which firefox +if [ "$?" -eq 0 ]; +then + echo "TESTING: overlay firefox x11 xorg" + ./firefox.exp +else + echo "TESTING SKIP: firefox not found" +fi + + +# check xpra/xephyr +which xpra +if [ "$?" -eq 0 ]; +then + echo "xpra found" +else + echo "xpra not found" + which Xephyr + if [ "$?" -eq 0 ]; + then + echo "Xephyr found" + else + echo "TESTING SKIP: xpra and/or Xephyr not found" + exit + fi +fi + +which firefox +if [ "$?" -eq 0 ]; +then + echo "TESTING: overlay firefox x11" + ./firefox.exp +else + echo "TESTING SKIP: firefox not found" +fi -- cgit v1.2.3-70-g09d2 From 672fa03d65e8ffe0cca6e79d374caf0bf9988d20 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 11 Nov 2016 08:57:44 -0500 Subject: hidepid part 1 --- src/firejail/main.c | 13 ++++--------- src/firemon/arp.c | 3 --- src/firemon/caps.c | 3 --- src/firemon/cgroup.c | 3 --- src/firemon/cpu.c | 3 --- src/firemon/firemon.c | 11 ----------- src/firemon/firemon.h | 1 - src/firemon/list.c | 3 --- src/firemon/netstats.c | 3 --- src/firemon/route.c | 3 --- src/firemon/seccomp.c | 3 --- src/firemon/top.c | 3 --- src/firemon/tree.c | 3 --- src/firemon/x11.c | 3 --- 14 files changed, 4 insertions(+), 54 deletions(-) diff --git a/src/firejail/main.c b/src/firejail/main.c index 3f005b547..e100e1f2c 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c 
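Review bot: All three firefox blocks run `./firefox.exp`, so the blocks announced as "overlay firefox x11 xorg" and "overlay firefox x11" never execute the `firefox-x11-xorg.exp` and `firefox-x11.exp` scripts that this commit adds in the same directory. Change the second call to `./firefox-x11-xorg.exp` and the third to `./firefox-x11.exp`, otherwise the X11 overlay paths stay untested while the log claims they ran.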
@@ -499,15 +499,15 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { exit(0); } else if (strcmp(argv[i], "--list") == 0) { - int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list"); + int rv = sbox_run(SBOX_ROOT| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list"); exit(rv); } else if (strcmp(argv[i], "--tree") == 0) { - int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree"); + int rv = sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree"); exit(rv); } else if (strcmp(argv[i], "--top") == 0) { - int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN, + int rv = sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN, 2, PATH_FIREMON, "--top"); exit(rv); } @@ -515,12 +515,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { else if (strcmp(argv[i], "--netstats") == 0) { if (checkcfg(CFG_NETWORK)) { struct stat s; - int rv; - if (stat("/proc/sys/kernel/grsecurity", &s) == 0) - rv = sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN, - 2, PATH_FIREMON, "--netstats"); - else - rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN, + int rv = sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN, 2, PATH_FIREMON, "--netstats"); exit(rv); } diff --git a/src/firemon/arp.c b/src/firemon/arp.c index 7cb8ff4c3..d204a0c3a 100644 --- a/src/firemon/arp.c +++ b/src/firemon/arp.c @@ -73,9 +73,6 @@ static void print_arp(const char *fname) { } void arp(pid_t pid) { - if (getuid() == 0) - firemon_drop_privs(); - pid_read(pid); // print processes diff --git a/src/firemon/caps.c b/src/firemon/caps.c index 5cd9b5d0d..49c7b204b 100644 --- a/src/firemon/caps.c +++ b/src/firemon/caps.c @@ -49,9 +49,6 @@ static void print_caps(int pid) { } void caps(pid_t pid) { - if (getuid() == 0) - firemon_drop_privs(); - pid_read(pid); // include all processes // print processes 
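Review bot: The `--netstats` branch keeps `struct stat s;` although this hunk removes the only `stat()` call that used it, so the declaration is now dead and should be dropped. Separately, the four firemon invocations switch from `SBOX_USER` to `SBOX_ROOT` with no explanation, while the firemon hunks of the same commit delete firemon_drop_privs() and every call to it. The monitor therefore presumably keeps uid 0 for its whole run, limited only by what `SBOX_CAPS_NONE | SBOX_SECCOMP` enforce. A comment at the first call would record that trade-off, for example `// root is needed to read other users' /proc entries when /proc is mounted with hidepid`; this is inferred from the commit subject and should be confirmed. run_cmd_and_exit() starts and ends outside the hunk.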
diff --git a/src/firemon/cgroup.c b/src/firemon/cgroup.c index 0b93390ae..ec2d350af 100644 --- a/src/firemon/cgroup.c +++ b/src/firemon/cgroup.c @@ -45,9 +45,6 @@ static void print_cgroup(int pid) { } void cgroup(pid_t pid) { - if (getuid() == 0) - firemon_drop_privs(); - pid_read(pid); // print processes diff --git a/src/firemon/cpu.c b/src/firemon/cpu.c index 06658f58c..20fba33d6 100644 --- a/src/firemon/cpu.c +++ b/src/firemon/cpu.c @@ -49,9 +49,6 @@ static void print_cpu(int pid) { } void cpu(pid_t pid) { - if (getuid() == 0) - firemon_drop_privs(); - pid_read(pid); // print processes diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c index 3140c5f70..950311c00 100644 --- a/src/firemon/firemon.c +++ b/src/firemon/firemon.c @@ -62,17 +62,6 @@ int find_child(int id) { return -1; } -// drop privileges -void firemon_drop_privs(void) { - // drop privileges - if (setgroups(0, NULL) < 0) - errExit("setgroups"); - if (setgid(getgid()) < 0) - errExit("setgid/getgid"); - if (setuid(getuid()) < 0) - errExit("setuid/getuid"); -} - // sleep and wait for a key to be pressed void firemon_sleep(int st) { if (terminal_set == 0) { diff --git a/src/firemon/firemon.h b/src/firemon/firemon.h index 522ece077..a873430a3 100644 --- a/src/firemon/firemon.h +++ b/src/firemon/firemon.h @@ -38,7 +38,6 @@ static inline void firemon_clrscr(void) { // firemon.c extern int arg_nowrap; int find_child(int id); -void firemon_drop_privs(void); void firemon_sleep(int st); diff --git a/src/firemon/list.c b/src/firemon/list.c index 901627c2a..acff13a28 100644 --- a/src/firemon/list.c +++ b/src/firemon/list.c @@ -20,9 +20,6 @@ #include "firemon.h" void list(void) { - if (getuid() == 0) - firemon_drop_privs(); - pid_read(0); // include all processes // print processes diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c index 0ff0dd33d..3c020d630 100644 --- a/src/firemon/netstats.c +++ b/src/firemon/netstats.c 
@@ -170,9 +170,6 @@ static void print_proc(int index, int itv, int col) { } void netstats(void) { - if (getuid() == 0) - firemon_drop_privs(); - pid_read(0); // include all processes printf("Displaying network statistics only for sandboxes using a new network namespace.\n"); diff --git a/src/firemon/route.c b/src/firemon/route.c index 398965671..ac8000b6a 100644 --- a/src/firemon/route.c +++ b/src/firemon/route.c @@ -182,9 +182,6 @@ static void print_route(const char *fname) { } void route(pid_t pid) { - if (getuid() == 0) - firemon_drop_privs(); - pid_read(pid); // print processes diff --git a/src/firemon/seccomp.c b/src/firemon/seccomp.c index 71771c72d..d4c248f8b 100644 --- a/src/firemon/seccomp.c +++ b/src/firemon/seccomp.c @@ -49,9 +49,6 @@ static void print_seccomp(int pid) { } void seccomp(pid_t pid) { - if (getuid() == 0) - firemon_drop_privs(); - pid_read(pid); // include all processes // print processes diff --git a/src/firemon/top.c b/src/firemon/top.c index a6da6f64e..b804761dd 100644 --- a/src/firemon/top.c +++ b/src/firemon/top.c @@ -232,9 +232,6 @@ void head_print(int col, int row) { } void top(void) { - if (getuid() == 0) - firemon_drop_privs(); - while (1) { // clear linked list head_clear(); diff --git a/src/firemon/tree.c b/src/firemon/tree.c index b05eb92f9..a4b92a11f 100644 --- a/src/firemon/tree.c +++ b/src/firemon/tree.c @@ -20,9 +20,6 @@ #include "firemon.h" void tree(pid_t pid) { - if (getuid() == 0) - firemon_drop_privs(); - pid_read(pid); // include all processes // print processes diff --git a/src/firemon/x11.c b/src/firemon/x11.c index e30c2d78b..c7fe4c616 100644 --- a/src/firemon/x11.c +++ b/src/firemon/x11.c @@ -23,9 +23,6 @@ #include void x11(pid_t pid) { - if (getuid() == 0) - firemon_drop_privs(); - pid_read(pid); // print processes -- cgit v1.2.3-70-g09d2 From 3374e24eb39123170fe463c93d38e2f49918e655 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Fri, 11 Nov 2016 09:22:07 -0500 Subject: hidepid part 2 --- src/firejail/main.c | 128 ++++++++++++++++++++------------------------------ test/apps/apps.sh | 9 ---- test/apps/weechat.exp | 83 -------------------------------- 3 files changed, 52 insertions(+), 168 deletions(-) delete mode 100755 test/apps/weechat.exp diff --git a/src/firejail/main.c b/src/firejail/main.c index e100e1f2c..3c061e607 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -158,21 +158,37 @@ static void my_handler(int s){ myexit(1); } -// return 1 if error, 0 if a valid pid was found -static inline int read_pid(char *str, pid_t *pid) { +static pid_t extract_pid(const char *name) { + EUID_ASSERT(); + if (!name || strlen(name) == 0) { + fprintf(stderr, "Error: invalid sandbox name\n"); + exit(1); + } + + pid_t pid; + EUID_ROOT(); + if (name2pid(name, &pid)) { + fprintf(stderr, "Error: cannot find sandbox %s\n", name); + exit(1); + } + EUID_USER(); + return pid; +} + + +static pid_t read_pid(const char *str) { char *endptr; errno = 0; long int pidtmp = strtol(str, &endptr, 10); if ((errno == ERANGE && (pidtmp == LONG_MAX || pidtmp == LONG_MIN)) || (errno != 0 && pidtmp == 0)) { - return 1; + return extract_pid(str); } // endptr points to '\0' char in str if the entire string is valid if (endptr == NULL || endptr[0]!='\0') { - return 1; + return extract_pid(str); } - *pid = (pid_t)pidtmp; - return 0; + return (pid_t)pidtmp; } // init configuration @@ -385,11 +401,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { } // extract pid or sandbox name - pid_t pid; - if (read_pid(argv[i] + 12, &pid) == 0) - bandwidth_pid(pid, cmd, dev, down, up); - else - bandwidth_name(argv[i] + 12, cmd, dev, down, up); + pid_t pid = read_pid(argv[i] + 12); + bandwidth_pid(pid, cmd, dev, down, up); } else { fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); 
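Review bot: read_pid() returns `(pid_t)pidtmp` for any string that strtol() consumes completely, so an empty argument (parsed as 0), a negative number, or a value that does not fit pid_t reaches the callers as a process id instead of being rejected. Adding `if (endptr == str) return extract_pid(str);` before the trailing-character test sends the empty string to extract_pid(), which already rejects it. Adding `if (pidtmp <= 0 || pidtmp > INT_MAX) { fprintf(stderr, "Error: invalid pid\n"); exit(1); }` before the final return covers the range. The later hunks of this commit route bandwidth, the print options, get/put/ls, join and shutdown through this one function, so the check belongs here. The `endptr == NULL` test can never be true after strtol() and could be removed at the same time.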
@@ -426,11 +439,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { else if (strncmp(argv[i], "--seccomp.print=", 16) == 0) { if (checkcfg(CFG_SECCOMP)) { // print seccomp filter for a sandbox specified by pid or by name - pid_t pid; - if (read_pid(argv[i] + 16, &pid) == 0) - seccomp_print_filter(pid); - else - seccomp_print_filter_name(argv[i] + 16); + pid_t pid = read_pid(argv[i] + 16); + seccomp_print_filter(pid); } else { fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); @@ -445,11 +455,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { else if (strncmp(argv[i], "--protocol.print=", 17) == 0) { if (checkcfg(CFG_SECCOMP)) { // print seccomp filter for a sandbox specified by pid or by name - pid_t pid; - if (read_pid(argv[i] + 17, &pid) == 0) - protocol_print_filter(pid); - else - protocol_print_filter_name(argv[i] + 17); + pid_t pid = read_pid(argv[i] + 17); + protocol_print_filter(pid); } else { fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); 
@@ -460,38 +467,26 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { #endif else if (strncmp(argv[i], "--cpu.print=", 12) == 0) { // join sandbox by pid or by name - pid_t pid; - if (read_pid(argv[i] + 12, &pid) == 0) - cpu_print_filter(pid); - else - cpu_print_filter_name(argv[i] + 12); + pid_t pid = read_pid(argv[i] + 12); + cpu_print_filter(pid); exit(0); } else if (strncmp(argv[i], "--caps.print=", 13) == 0) { // join sandbox by pid or by name - pid_t pid; - if (read_pid(argv[i] + 13, &pid) == 0) - caps_print_filter(pid); - else - caps_print_filter_name(argv[i] + 13); + pid_t pid = read_pid(argv[i] + 13); + caps_print_filter(pid); exit(0); } else if (strncmp(argv[i], "--fs.print=", 11) == 0) { // join sandbox by pid or by name - pid_t pid; - if (read_pid(argv[i] + 11, &pid) == 0) - fs_logger_print_log(pid); - else - fs_logger_print_log_name(argv[i] + 11); + pid_t pid = read_pid(argv[i] + 11); + fs_logger_print_log(pid); exit(0); } else if (strncmp(argv[i], "--dns.print=", 12) == 0) { // join sandbox by pid or by name - pid_t pid; - if (read_pid(argv[i] + 12, &pid) == 0) - net_dns_print(pid); - else - net_dns_print_name(argv[i] + 12); + pid_t pid = read_pid(argv[i] + 12); + net_dns_print(pid); exit(0); } else if (strcmp(argv[i], "--debug-caps") == 0) { @@ -543,11 +538,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { } // get file - pid_t pid; - if (read_pid(argv[i] + 6, &pid) == 0) - sandboxfs(SANDBOX_FS_GET, pid, path, NULL); - else - sandboxfs_name(SANDBOX_FS_GET, argv[i] + 6, path, NULL); + pid_t pid = read_pid(argv[i] + 6); + sandboxfs(SANDBOX_FS_GET, pid, path, NULL); exit(0); } else { 
@@ -578,11 +570,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { } // get file - pid_t pid; - if (read_pid(argv[i] + 6, &pid) == 0) - sandboxfs(SANDBOX_FS_PUT, pid, path1, path2); - else - sandboxfs_name(SANDBOX_FS_PUT, argv[i] + 6, path1, path2); + pid_t pid = read_pid(argv[i] + 6); + sandboxfs(SANDBOX_FS_PUT, pid, path1, path2); exit(0); } else { @@ -607,11 +596,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { } // list directory contents - pid_t pid; - if (read_pid(argv[i] + 5, &pid) == 0) - sandboxfs(SANDBOX_FS_LS, pid, path, NULL); - else - sandboxfs_name(SANDBOX_FS_LS, argv[i] + 5, path, NULL); + pid_t pid = read_pid(argv[i] + 5); + sandboxfs(SANDBOX_FS_LS, pid, path, NULL); exit(0); } else { @@ -635,11 +621,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { cfg.shell = guess_shell(); // join sandbox by pid or by name - pid_t pid; - if (read_pid(argv[i] + 7, &pid) == 0) - join(pid, argc, argv, i + 1); - else - join_name(argv[i] + 7, argc, argv, i + 1); + pid_t pid = read_pid(argv[i] + 7); + join(pid, argc, argv, i + 1); exit(0); } @@ -656,6 +639,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { cfg.original_program_index = i + 1; } +#if 0 // todo: redo it // try to join by name only pid_t pid; if (!name2pid(argv[i] + 16, &pid)) { @@ -665,6 +649,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { join(pid, argc, argv, i + 1); exit(0); } +#endif // if there no such sandbox continue argument processing } #ifdef HAVE_NETWORK @@ -681,11 +666,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { cfg.shell = guess_shell(); // join sandbox by pid or by name - pid_t pid; - if (read_pid(argv[i] + 15, &pid) == 0) - join(pid, argc, argv, i + 1); - else - join_name(argv[i] + 15, argc, argv, i + 1); + pid_t pid = read_pid(argv[i] + 15); + join(pid, argc, argv, i + 1); } else { fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); 
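Review bot: Wrapping the join-by-name path in `#if 0 // todo: redo it` silently changes what this option does. The `name2pid()` lookup never runs, and the trailing comment `// if there no such sandbox continue argument processing` now describes the only path. If the lookup has to stay disabled for now, state the reason in the comment and tell the user, e.g. `fprintf(stderr, "Warning: joining an existing sandbox is temporarily disabled\n");`, rather than leaving dead code behind a bare todo. The enclosing branch starts outside the hunk, so the option name cannot be read from here.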
@@ -707,22 +689,16 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { cfg.shell = guess_shell(); // join sandbox by pid or by name - pid_t pid; - if (read_pid(argv[i] + 18, &pid) == 0) - join(pid, argc, argv, i + 1); - else - join_name(argv[i] + 18, argc, argv, i + 1); + pid_t pid = read_pid(argv[i] + 18); + join(pid, argc, argv, i + 1); exit(0); } else if (strncmp(argv[i], "--shutdown=", 11) == 0) { logargs(argc, argv); // shutdown sandbox by pid or by name - pid_t pid; - if (read_pid(argv[i] + 11, &pid) == 0) - shut(pid); - else - shut_name(argv[i] + 11); + pid_t pid = read_pid(argv[i] + 11); + shut(pid); exit(0); } diff --git a/test/apps/apps.sh b/test/apps/apps.sh index c329c57e5..38307b284 100755 --- a/test/apps/apps.sh +++ b/test/apps/apps.sh @@ -169,15 +169,6 @@ else echo "TESTING SKIP: hexchat not found" fi -which weechat-curses -if [ "$?" -eq 0 ]; -then - echo "TESTING: weechat" - ./weechat.exp -else - echo "TESTING SKIP: weechat not found" -fi - which wine if [ "$?" -eq 0 ]; then diff --git a/test/apps/weechat.exp b/test/apps/weechat.exp deleted file mode 100755 index b3e04da84..000000000 --- a/test/apps/weechat.exp +++ /dev/null 
@@ -1,83 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors -# License GPL v2 - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail weechat-curses\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Reading profile /etc/firejail/weechat.profile" -} -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -sleep 3 - -spawn $env(SHELL) -send -- "firejail --list\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "weechat-curses" -} -after 100 - -# grsecurity exit -send -- "file /proc/sys/kernel/grsecurity\r" -expect { - timeout {puts "TESTING ERROR - grsecurity detection\n";exit} - "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} - "cannot open" {puts "grsecurity not present\n"} -} - -send -- "firejail --name=blablabla\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "firemon --seccomp\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "weechat-curses" -} -expect { - timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} - "Seccomp: 2" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "name=blablabla" -} -after 100 -send -- "firemon --caps\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "weechat-curses" -} -expect { - timeout {puts "TESTING ERROR 6.1\n";exit} - "CapBnd:" -} -expect { - timeout {puts "TESTING ERROR 6.2\n";exit} - "0000000000000000" -} -expect { - timeout {puts "TESTING ERROR 6.3\n";exit} - "name=blablabla" -} -after 100 - -puts "\n" - -- cgit v1.2.3-70-g09d2 From c8f8341c277acc6a424be0777681455e0d07fd72 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Fri, 11 Nov 2016 09:44:45 -0500 Subject: hidepid part 3 --- src/firejail/bandwidth.c | 15 --------------- src/firejail/caps.c | 16 ---------------- src/firejail/cpu.c | 15 --------------- src/firejail/firejail.h | 12 ++---------- src/firejail/fs_logger.c | 16 ---------------- src/firejail/join.c | 15 --------------- src/firejail/ls.c | 16 ---------------- src/firejail/network_main.c | 17 ----------------- src/firejail/protocol.c | 23 ----------------------- src/firejail/seccomp.c | 15 --------------- src/firejail/shutdown.c | 16 ---------------- 11 files changed, 2 insertions(+), 174 deletions(-) diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c index 512cc0b05..5e9002f22 100644 --- a/src/firejail/bandwidth.c +++ b/src/firejail/bandwidth.c @@ -311,21 +311,6 @@ void bandwidth_set(pid_t pid, const char *dev, int down, int up) { //*********************************** // command execution //*********************************** -void bandwidth_name(const char *name, const char *command, const char *dev, int down, int up) { - EUID_ASSERT(); - if (!name || strlen(name) == 0) { - fprintf(stderr, "Error: invalid sandbox name\n"); - exit(1); - } - pid_t pid; - if (name2pid(name, &pid)) { - fprintf(stderr, "Error: cannot find sandbox %s\n", name); - exit(1); - } - - bandwidth_pid(pid, command, dev, down, up); -} - void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, int up) { EUID_ASSERT(); //************************ diff --git a/src/firejail/caps.c b/src/firejail/caps.c index 2d42c7d8a..3fd8b576e 100644 --- a/src/firejail/caps.c +++ b/src/firejail/caps.c 
@@ -401,22 +401,6 @@ static uint64_t extract_caps(int pid) { exit(1); } - -void caps_print_filter_name(const char *name) { - EUID_ASSERT(); - if (!name || strlen(name) == 0) { - fprintf(stderr, "Error: invalid sandbox name\n"); - exit(1); - } - pid_t pid; - if (name2pid(name, &pid)) { - fprintf(stderr, "Error: cannot find sandbox %s\n", name); - exit(1); - } - - caps_print_filter(pid); -} - void caps_print_filter(pid_t pid) { EUID_ASSERT(); diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c index cfb03e5fc..7f53fed0f 100644 --- a/src/firejail/cpu.c +++ b/src/firejail/cpu.c @@ -168,21 +168,6 @@ static void print_cpu(int pid) { free(file); } -void cpu_print_filter_name(const char *name) { - EUID_ASSERT(); - if (!name || strlen(name) == 0) { - fprintf(stderr, "Error: invalid sandbox name\n"); - exit(1); - } - pid_t pid; - if (name2pid(name, &pid)) { - fprintf(stderr, "Error: cannot find sandbox %s\n", name); - exit(1); - } - - cpu_print_filter(pid); -} - void cpu_print_filter(pid_t pid) { EUID_ASSERT(); diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index b8126cfe7..435405fd9 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -356,7 +356,6 @@ void net_configure_bridge(Bridge *br, char *dev_name); void net_configure_sandbox_ip(Bridge *br); void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child); void net_check_cfg(void); -void net_dns_print_name(const char *name); void net_dns_print(pid_t pid); void network_main(pid_t child); @@ -420,9 +419,9 @@ void usage(void); // join.c void join(pid_t pid, int argc, char **argv, int index); -void join_name(const char *name, int argc, char **argv, int index); + +// shutdown.c void shut(pid_t pid); -void shut_name(const char *name); // restricted_shell.c int restricted_shell(const char *user); 
@@ -501,7 +500,6 @@ void seccomp_filter_32(void); void seccomp_filter_64(void); int seccomp_filter_drop(int enforce_seccomp); int seccomp_filter_keep(void); -void seccomp_print_filter_name(const char *name); void seccomp_print_filter(pid_t pid); // caps.c @@ -513,7 +511,6 @@ int caps_check_list(const char *clist, void (*callback)(int)); void caps_drop_list(const char *clist); void caps_keep_list(const char *clist); void caps_print_filter(pid_t pid); -void caps_print_filter_name(const char *name); // syscall.c const char *syscall_find_nr(int nr); @@ -536,7 +533,6 @@ void read_cpu_list(const char *str); void set_cpu_affinity(void); void load_cpu(const char *fname); void save_cpu(void); -void cpu_print_filter_name(const char *name); void cpu_print_filter(pid_t pid); // cgroup.c @@ -554,7 +550,6 @@ void netfilter6(const char *fname); // bandwidth.c void bandwidth_del_run_file(pid_t pid); -void bandwidth_name(const char *name, const char *command, const char *dev, int down, int up); void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, int up); void network_del_run_file(pid_t pid); void network_set_run_file(pid_t pid); @@ -599,7 +594,6 @@ void fs_private_bin_list(void); // protocol.c void protocol_filter_save(void); void protocol_filter_load(const char *fname); -void protocol_print_filter_name(const char *name); void protocol_print_filter(pid_t pid); // restrict_users.c @@ -612,7 +606,6 @@ void fs_logger2int(const char *msg1, int d); void fs_logger3(const char *msg1, const char *msg2, const char *msg3); void fs_logger_print(void); void fs_logger_change_owner(void); -void fs_logger_print_log_name(const char *name); void fs_logger_print_log(pid_t pid); // run_symlink.c @@ -641,7 +634,6 @@ enum { SANDBOX_FS_PUT, SANDBOX_FS_MAX // this should always be the last entry }; -void sandboxfs_name(int op, const char *name, const char *path1, const char *path2); void sandboxfs(int op, pid_t pid, const char *path1, const char *path2); // checkcfg.c 
diff --git a/src/firejail/fs_logger.c b/src/firejail/fs_logger.c index 9f33b36d9..052a41457 100644 --- a/src/firejail/fs_logger.c +++ b/src/firejail/fs_logger.c @@ -117,22 +117,6 @@ void fs_logger_change_owner(void) { errExit("chown"); } -void fs_logger_print_log_name(const char *name) { - EUID_ASSERT(); - - if (!name || strlen(name) == 0) { - fprintf(stderr, "Error: invalid sandbox name\n"); - exit(1); - } - pid_t pid; - if (name2pid(name, &pid)) { - fprintf(stderr, "Error: cannot find sandbox %s\n", name); - exit(1); - } - - fs_logger_print_log(pid); -} - void fs_logger_print_log(pid_t pid) { EUID_ASSERT(); diff --git a/src/firejail/join.c b/src/firejail/join.c index 6f1e9455c..899166447 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c @@ -173,21 +173,6 @@ static void extract_user_namespace(pid_t pid) { free(uidmap); } -void join_name(const char *name, int argc, char **argv, int index) { - EUID_ASSERT(); - if (!name || strlen(name) == 0) { - fprintf(stderr, "Error: invalid sandbox name\n"); - exit(1); - } - - pid_t pid; - if (name2pid(name, &pid)) { - fprintf(stderr, "Error: cannot find sandbox %s\n", name); - exit(1); - } - join(pid, argc, argv, index); -} - void join(pid_t pid, int argc, char **argv, int index) { EUID_ASSERT(); char *homedir = cfg.homedir; diff --git a/src/firejail/ls.c b/src/firejail/ls.c index 1b759d7a1..86c3a6079 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c @@ -185,22 +185,6 @@ static void print_directory(const char *path) { free(namelist); } -void sandboxfs_name(int op, const char *name, const char *path1, const char *path2) { - EUID_ASSERT(); - - if (!name || strlen(name) == 0) { - fprintf(stderr, "Error: invalid sandbox name\n"); - exit(1); - } - pid_t pid; - if (name2pid(name, &pid)) { - fprintf(stderr, "Error: cannot find sandbox %s\n", name); - exit(1); - } - - sandboxfs(op, pid, path1, path2); -} - char *expand_path(const char *path) { char *fname = NULL; if (*path == '/') { 
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c index 8a9c47f0e..9fbc09d2b 100644 --- a/src/firejail/network_main.c +++ b/src/firejail/network_main.c @@ -231,23 +231,6 @@ void net_check_cfg(void) { } } - - -void net_dns_print_name(const char *name) { - EUID_ASSERT(); - if (!name || strlen(name) == 0) { - fprintf(stderr, "Error: invalid sandbox name\n"); - exit(1); - } - pid_t pid; - if (name2pid(name, &pid)) { - fprintf(stderr, "Error: cannot find sandbox %s\n", name); - exit(1); - } - - net_dns_print(pid); -} - #define MAXBUF 4096 void net_dns_print(pid_t pid) { EUID_ASSERT(); diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c index e8e88aee9..2a09ed010 100644 --- a/src/firejail/protocol.c +++ b/src/firejail/protocol.c @@ -58,29 +58,6 @@ void protocol_filter_load(const char *fname) { } -// --protocol.print -void protocol_print_filter_name(const char *name) { - EUID_ASSERT(); - - (void) name; -#ifdef SYS_socket - if (!name || strlen(name) == 0) { - fprintf(stderr, "Error: invalid sandbox name\n"); - exit(1); - } - pid_t pid; - if (name2pid(name, &pid)) { - fprintf(stderr, "Error: cannot find sandbox %s\n", name); - exit(1); - } - - protocol_print_filter(pid); -#else - fprintf(stderr, "Warning: --protocol not supported on this platform\n"); - return; -#endif -} - // --protocol.print void protocol_print_filter(pid_t pid) { EUID_ASSERT(); diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 20807f5b1..4a2221e98 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c 
@@ -232,21 +232,6 @@ int seccomp_filter_keep(void) { return seccomp_load(RUN_SECCOMP_CFG); } -void seccomp_print_filter_name(const char *name) { - EUID_ASSERT(); - if (!name || strlen(name) == 0) { - fprintf(stderr, "Error: invalid sandbox name\n"); - exit(1); - } - pid_t pid; - if (name2pid(name, &pid)) { - fprintf(stderr, "Error: cannot find sandbox %s\n", name); - exit(1); - } - - seccomp_print_filter(pid); -} - void seccomp_print_filter(pid_t pid) { EUID_ASSERT(); diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c index 8d8035bfb..c23e87321 100644 --- a/src/firejail/shutdown.c +++ b/src/firejail/shutdown.c @@ -23,22 +23,6 @@ #include #include -void shut_name(const char *name) { - EUID_ASSERT(); - if (!name || strlen(name) == 0) { - fprintf(stderr, "Error: invalid sandbox name\n"); - exit(1); - } - - pid_t pid; - if (name2pid(name, &pid)) { - fprintf(stderr, "Error: cannot find sandbox %s\n", name); - exit(1); - } - - shut(pid); -} - void shut(pid_t pid) { EUID_ASSERT(); -- cgit v1.2.3-70-g09d2 From cffa48d80ca5f93bb1e97fbfc96364e45166a399 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 11 Nov 2016 12:00:57 -0500 Subject: hidepid part 4 --- src/firejail/main.c | 32 +++++++++++++++------- src/firemon/firemon.c | 73 +++++++++++++++++++++++++++++---------------------- src/firemon/firemon.h | 2 +- src/firemon/tree.c | 4 +-- src/include/common.h | 1 + src/lib/common.c | 21 +++++++++++++++ src/lib/pid.c | 1 - 7 files changed, 89 insertions(+), 45 deletions(-) diff --git a/src/firejail/main.c b/src/firejail/main.c index 3c061e607..65569ae5f 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c 
@@ -494,25 +494,39 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { exit(0); } else if (strcmp(argv[i], "--list") == 0) { - int rv = sbox_run(SBOX_ROOT| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list"); - exit(rv); + if (pid_hidepid()) + sbox_run(SBOX_ROOT| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list"); + else + sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list"); + exit(0); } else if (strcmp(argv[i], "--tree") == 0) { - int rv = sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree"); - exit(rv); + if (pid_hidepid()) + sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree"); + else + sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree"); + exit(0); } else if (strcmp(argv[i], "--top") == 0) { - int rv = sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN, - 2, PATH_FIREMON, "--top"); - exit(rv); + if (pid_hidepid()) + sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN, + 2, PATH_FIREMON, "--top"); + else + sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN, + 2, PATH_FIREMON, "--top"); + exit(0); } #ifdef HAVE_NETWORK else if (strcmp(argv[i], "--netstats") == 0) { if (checkcfg(CFG_NETWORK)) { struct stat s; - int rv = sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN, + if (stat("/proc/sys/kernel/grsecurity", &s) == 0 || pid_hidepid()) + sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN, 2, PATH_FIREMON, "--netstats"); - exit(rv); + else + sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN, + 2, PATH_FIREMON, "--netstats"); + exit(0); } else { fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c index 950311c00..1ec64bea8 100644 --- a/src/firemon/firemon.c +++ b/src/firemon/firemon.c 
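Review bot: The exit status of firemon is now discarded in every branch of this hunk (`--list`, `--tree`, `--top`, `--netstats`): each calls `sbox_run(...)` and then `exit(0)`, where the old code did `exit(rv)`, so a failing firemon is reported to the caller as success. Unless dropping the status is deliberate, keep it and fold each duplicated pair of calls into one, e.g. `int rv = sbox_run((pid_hidepid() ? SBOX_ROOT : SBOX_USER) | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list"); exit(rv);`. This is also the place where the helper's answer selects the root sandbox, so a short comment such as `// hidepid hides other users' processes; firemon needs root to see them` would record why the more privileged path exists. run_cmd_and_exit starts and ends outside the hunk.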
@@ -35,6 +35,9 @@ static int arg_caps = 0; static int arg_cpu = 0; static int arg_cgroup = 0; static int arg_x11 = 0; +static int arg_top = 0; +static int arg_list = 0; +static int arg_netstats = 0; int arg_nowrap = 0; static struct termios tlocal; // startup terminal setting 
@@ -118,53 +121,39 @@ int main(int argc, char **argv) { } // options without a pid argument - else if (strcmp(argv[i], "--top") == 0) { - top(); // never to return - } - else if (strcmp(argv[i], "--list") == 0) { - list(); - return 0; - } + else if (strcmp(argv[i], "--top") == 0) + arg_top = 1; + else if (strcmp(argv[i], "--list") == 0) + arg_list = 1; + else if (strcmp(argv[i], "--tree") == 0) + arg_tree = 1; else if (strcmp(argv[i], "--netstats") == 0) { struct stat s; if (getuid() != 0 && stat("/proc/sys/kernel/grsecurity", &s) == 0) { fprintf(stderr, "Error: this feature is not available on Grsecurity systems\n"); exit(1); } - - netstats(); - return 0; + arg_netstats = 1; } // cumulative options with or without a pid argument - else if (strcmp(argv[i], "--x11") == 0) { + else if (strcmp(argv[i], "--x11") == 0) arg_x11 = 1; - } - else if (strcmp(argv[i], "--cgroup") == 0) { + else if (strcmp(argv[i], "--cgroup") == 0) arg_cgroup = 1; - } - else if (strcmp(argv[i], "--cpu") == 0) { + else if (strcmp(argv[i], "--cpu") == 0) arg_cpu = 1; - } - else if (strcmp(argv[i], "--seccomp") == 0) { + else if (strcmp(argv[i], "--seccomp") == 0) arg_seccomp = 1; - } - else if (strcmp(argv[i], "--caps") == 0) { + else if (strcmp(argv[i], "--caps") == 0) arg_caps = 1; - } - else if (strcmp(argv[i], "--tree") == 0) { - arg_tree = 1; - } - else if (strcmp(argv[i], "--interface") == 0) { + else if (strcmp(argv[i], "--interface") == 0) arg_interface = 1; - } - else if (strcmp(argv[i], "--route") == 0) { + else if (strcmp(argv[i], "--route") == 0) arg_route = 1; - } - else if (strcmp(argv[i], "--arp") == 0) { + else if (strcmp(argv[i], "--arp") == 0) arg_arp = 1; - } else if (strncmp(argv[i], "--name=", 7) == 0) { char *name = argv[i] + 7; 
@@ -201,8 +190,28 @@ int main(int argc, char **argv) { } } - if (arg_tree) - tree((pid_t) pid); + // allow only root user if /proc is mounted hidepid + if (pid_hidepid() && getuid() != 0) { + fprintf(stderr, "Error: /proc is mounted hidepid, you would need to be root to run this command\n"); + exit(1); + } + + if (arg_top) + top(); // never to return + if (arg_tree) { + tree(); + return 0; + } + if (arg_list) { + list(); + return 0; + } + if (arg_netstats) { + netstats(); + return 0; + } + + // cumulative options if (arg_interface) interface((pid_t) pid); if (arg_route) @@ -220,7 +229,7 @@ int main(int argc, char **argv) { if (arg_x11) x11((pid_t) pid); - if (!arg_route && !arg_arp && !arg_interface && !arg_tree && !arg_caps && !arg_seccomp && !arg_x11) + if (!arg_interface && !arg_route && !arg_arp && !arg_seccomp && !arg_caps && !arg_cgroup && !arg_x11) procevent((pid_t) pid); // never to return return 0; diff --git a/src/firemon/firemon.h b/src/firemon/firemon.h index a873430a3..c5607a792 100644 --- a/src/firemon/firemon.h +++ b/src/firemon/firemon.h @@ -75,7 +75,7 @@ void cpu(pid_t pid); void cgroup(pid_t pid); // tree.c -void tree(pid_t pid); +void tree(void); // netstats.c void netstats(void); diff --git a/src/firemon/tree.c b/src/firemon/tree.c index a4b92a11f..f6d22b517 100644 --- a/src/firemon/tree.c +++ b/src/firemon/tree.c @@ -19,8 +19,8 @@ */ #include "firemon.h" -void tree(pid_t pid) { - pid_read(pid); // include all processes +void tree(void) { + pid_read(0); // include all processes // print processes int i; diff --git a/src/include/common.h b/src/include/common.h index f7c8ea725..108820290 100644 --- a/src/include/common.h +++ b/src/include/common.h @@ -114,4 +114,5 @@ int name2pid(const char *name, pid_t *pid); char *pid_proc_comm(const pid_t pid); char *pid_proc_cmdline(const pid_t pid); int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid); +int pid_hidepid(void); #endif 
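Review bot: In the last firemon.c hunk (`@@ -220,7 +229,7 @@`) the rewritten guard before `procevent()` now lists `arg_cgroup` but still leaves out `arg_cpu`, which the option parsing sets for `--cpu`. If `--cpu` is dispatched in the lines between the hunks, as the `cpu(pid_t pid)` prototype in firemon.h suggests, `firemon --cpu` would print its report and then fall into `procevent()`, which never returns. Suggested guard: `if (!arg_interface && !arg_route && !arg_arp && !arg_seccomp && !arg_caps && !arg_cgroup && !arg_cpu && !arg_x11)`. main() starts and ends outside the hunk.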
diff --git a/src/lib/common.c b/src/lib/common.c index fc4c167ba..ea0ab781a 100644 --- a/src/lib/common.c +++ b/src/lib/common.c @@ -260,5 +260,26 @@ int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid) { return 0; } +// return 1 if /proc is mounted hidepid, or if /proc/mouns access is denied +#define BUFLEN 4096 +int pid_hidepid(void) { + FILE *fp = fopen("/proc/mounts", "r"); + if (!fp) + return 1; + + char buf[BUFLEN]; + while (fgets(buf, BUFLEN, fp)) { + if (strstr(buf, "proc /proc proc")) { + fclose(fp); + // check hidepid + if (strstr(buf, "hidepid=2") || strstr(buf, "hidepid=1")) + return 1; + return 0; + } + } + + return 0; +} + diff --git a/src/lib/pid.c b/src/lib/pid.c index ef1a428fb..ed583c51d 100644 --- a/src/lib/pid.c +++ b/src/lib/pid.c @@ -29,7 +29,6 @@ //Process pids[max_pids]; Process *pids = NULL; int max_pids=32769; -#define PIDS_BUFLEN 4096 // get the memory associated with this pid void pid_getmem(unsigned pid, unsigned *rss, unsigned *shared) { -- cgit v1.2.3-70-g09d2 From bb5b4077e6f3549b35e8b420d882717141c069b9 Mon Sep 17 00:00:00 2001 
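Review bot: pid_hidepid() leaks the stream when no line matches, because `fp` is closed only inside the `strstr(buf, "proc /proc proc")` branch; the final `return 0;` needs a `fclose(fp);` before it. The function also returns 1 when `/proc/mounts` cannot be opened, and in main.c that answer selects `SBOX_ROOT` for firemon, so an unreadable mounts file leads to the more privileged path and to firemon's "mounted hidepid" error; a distinct return value or a log line for the open failure would make that choice explicit. The match is narrow as well: it requires the mount source to be literally `proc` and the option to be spelled `hidepid=1` or `hidepid=2`, so any other spelling of the same mount is read as not hidden, which deserves a comment stating the assumption. The comment above the function has a typo (`/proc/mouns`).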
From: netblue30 Date: Fri, 11 Nov 2016 12:52:05 -0500 Subject: hidepid part 5 --- Makefile.in | 1 + test/apps-x11-xorg/firefox.exp | 1 + test/apps-x11-xorg/icedove.exp | 1 + test/apps-x11-xorg/transmission-gtk.exp | 1 + test/apps-x11/chromium.exp | 1 + test/apps-x11/firefox.exp | 1 + test/apps-x11/icedove.exp | 1 + test/apps-x11/transmission-gtk.exp | 1 + test/apps-x11/xterm.exp | 1 + test/apps/chromium.exp | 1 + test/apps/deluge.exp | 1 + test/apps/evince.exp | 1 + test/apps/fbreader.exp | 1 + test/apps/filezilla.exp | 1 + test/apps/firefox.exp | 1 + test/apps/gnome-mplayer.exp | 1 + test/apps/gthumb.exp | 1 + test/apps/hexchat.exp | 1 + test/apps/icedove.exp | 1 + test/apps/midori.exp | 1 + test/apps/opera.exp | 1 + test/apps/qbittorrent.exp | 1 + test/apps/transmission-gtk.exp | 1 + test/apps/transmission-qt.exp | 1 + test/apps/uget-gtk.exp | 1 + test/apps/vlc.exp | 1 + test/apps/xchat.exp | 1 + test/utils/caps.exp | 129 ------------------------------- test/utils/firemon-caps.exp | 130 ++++++++++++++++++++++++++++++++ test/utils/firemon-cgroup.exp | 1 + test/utils/firemon-cpu.exp | 1 + test/utils/firemon-seccomp.exp | 49 ++++++++++++ test/utils/seccomp.exp | 48 ------------ test/utils/utils.sh | 12 +-- todo | 1 + 35 files changed, 215 insertions(+), 183 deletions(-) delete mode 100755 test/utils/caps.exp create mode 100755 test/utils/firemon-caps.exp create mode 100755 test/utils/firemon-seccomp.exp delete mode 100755 test/utils/seccomp.exp diff --git a/Makefile.in b/Makefile.in index 03b6befbe..6ea9e897f 100644 --- a/Makefile.in +++ b/Makefile.in @@ -251,3 +251,4 @@ test-root: test-overlay: cd test/overlay; ./overlay.sh | grep TESTING +# mount -o remount,rw,hidepid=2 /proc diff --git a/test/apps-x11-xorg/firefox.exp b/test/apps-x11-xorg/firefox.exp index 5231bf8ed..66b82fe92 100755 --- a/test/apps-x11-xorg/firefox.exp +++ b/test/apps-x11-xorg/firefox.exp 
@@ -44,6 +44,7 @@ spawn $env(SHELL) send -- "firemon --seccomp\r" expect { timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} " firefox" {puts "firefox detected\n";} " iceweasel" {puts "iceweasel detected\n";} } diff --git a/test/apps-x11-xorg/icedove.exp b/test/apps-x11-xorg/icedove.exp index f676264ed..667c2259f 100755 --- a/test/apps-x11-xorg/icedove.exp +++ b/test/apps-x11-xorg/icedove.exp @@ -41,6 +41,7 @@ spawn $env(SHELL) send -- "firemon --seccomp\r" expect { timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} ":firejail" } expect { diff --git a/test/apps-x11-xorg/transmission-gtk.exp b/test/apps-x11-xorg/transmission-gtk.exp index a91a1be08..c52cb5b3a 100755 --- a/test/apps-x11-xorg/transmission-gtk.exp +++ b/test/apps-x11-xorg/transmission-gtk.exp @@ -41,6 +41,7 @@ spawn $env(SHELL) send -- "firemon --seccomp\r" expect { timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} ":firejail" } expect { diff --git a/test/apps-x11/chromium.exp b/test/apps-x11/chromium.exp index 38c932aca..2505c0c37 100755 --- a/test/apps-x11/chromium.exp +++ b/test/apps-x11/chromium.exp @@ -40,6 +40,7 @@ spawn $env(SHELL) send -- "firemon --seccomp\r" expect { timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} ":firejail" } expect { diff --git a/test/apps-x11/firefox.exp b/test/apps-x11/firefox.exp index e82fc6e72..6a50c8884 100755 --- a/test/apps-x11/firefox.exp +++ b/test/apps-x11/firefox.exp @@ -44,6 +44,7 @@ spawn $env(SHELL) send -- "firemon --seccomp\r" expect { timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} " firefox" {puts "firefox detected\n";} " iceweasel" {puts "iceweasel detected\n";} } 
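Review bot: The new hidepid branch prints `/proc mounted as hidepid, exiting...` without the `TESTING` prefix, while the test/utils scripts in this same commit print `TESTING SKIP: /proc mounted as hidepid`. The Makefile targets visible on this page pipe test output through `grep TESTING`, so if the apps targets do the same, the skip disappears from the report. Suggested line: `"need to be root" {puts "TESTING SKIP: /proc mounted as hidepid\n"; exit}`; the same applies to every test/apps, test/apps-x11 and test/apps-x11-xorg hunk in this commit. The early `exit` also bypasses whatever cleanup the script does at its end (not visible in the hunk), so the sandbox started earlier may need an explicit shutdown first.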
diff --git a/test/apps-x11/icedove.exp b/test/apps-x11/icedove.exp index a07344f36..e306e33ce 100755 --- a/test/apps-x11/icedove.exp +++ b/test/apps-x11/icedove.exp @@ -41,6 +41,7 @@ spawn $env(SHELL) send -- "firemon --seccomp\r" expect { timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} ":firejail" } expect { diff --git a/test/apps-x11/transmission-gtk.exp b/test/apps-x11/transmission-gtk.exp index 6391a3717..4083a121f 100755 --- a/test/apps-x11/transmission-gtk.exp +++ b/test/apps-x11/transmission-gtk.exp @@ -41,6 +41,7 @@ spawn $env(SHELL) send -- "firemon --seccomp\r" expect { timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} ":firejail" } expect { diff --git a/test/apps-x11/xterm.exp b/test/apps-x11/xterm.exp index 7d61da542..4fa5ddf0c 100755 --- a/test/apps-x11/xterm.exp +++ b/test/apps-x11/xterm.exp @@ -41,6 +41,7 @@ spawn $env(SHELL) send -- "firemon --seccomp\r" expect { timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} ":firejail" } expect { diff --git a/test/apps/chromium.exp b/test/apps/chromium.exp index c01f9a54d..d43f70f8e 100755 --- a/test/apps/chromium.exp +++ b/test/apps/chromium.exp @@ -49,6 +49,7 @@ spawn $env(SHELL) send -- "firemon --seccomp\r" expect { timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} ":firejail chromium" } expect { diff --git a/test/apps/deluge.exp b/test/apps/deluge.exp index df7899b51..0bf1baae2 100755 --- a/test/apps/deluge.exp +++ b/test/apps/deluge.exp @@ -49,6 +49,7 @@ spawn $env(SHELL) send -- "firemon --seccomp\r" expect { timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} ":firejail deluge" } expect { diff --git a/test/apps/evince.exp b/test/apps/evince.exp index 0c1efcf59..71f760a9c 100755 
--- a/test/apps/evince.exp +++ b/test/apps/evince.exp @@ -49,6 +49,7 @@ spawn $env(SHELL) send -- "firemon --seccomp\r" expect { timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} ":firejail evince" } expect { diff --git a/test/apps/fbreader.exp b/test/apps/fbreader.exp index 30fbb1a77..99c48d87c 100755 --- a/test/apps/fbreader.exp +++ b/test/apps/fbreader.exp @@ -49,6 +49,7 @@ spawn $env(SHELL) send -- "firemon --seccomp\r" expect { timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} ":firejail fbreader" } expect { diff --git a/test/apps/filezilla.exp b/test/apps/filezilla.exp index 1533eae69..2f7038184 100755 --- a/test/apps/filezilla.exp +++ b/test/apps/filezilla.exp @@ -49,6 +49,7 @@ spawn $env(SHELL) send -- "firemon --seccomp\r" expect { timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} ":firejail filezilla" } expect { diff --git a/test/apps/firefox.exp b/test/apps/firefox.exp index 64a733f98..5745d9270 100755 --- a/test/apps/firefox.exp +++ b/test/apps/firefox.exp @@ -55,6 +55,7 @@ spawn $env(SHELL) send -- "firemon --seccomp\r" expect { timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} " firefox" {puts "firefox detected\n";} " iceweasel" {puts "iceweasel detected\n";} } diff --git a/test/apps/gnome-mplayer.exp b/test/apps/gnome-mplayer.exp index aa0ef44fb..6f0e5a312 100755 --- a/test/apps/gnome-mplayer.exp +++ b/test/apps/gnome-mplayer.exp @@ -49,6 +49,7 @@ spawn $env(SHELL) send -- "firemon --seccomp\r" expect { timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} ":firejail gnome-mplayer" } expect { diff --git a/test/apps/gthumb.exp b/test/apps/gthumb.exp index 8dcd2fcd0..13132cef6 100755 --- a/test/apps/gthumb.exp +++ b/test/apps/gthumb.exp 
@@ -49,6 +49,7 @@ spawn $env(SHELL) send -- "firemon --seccomp\r" expect { timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} ":firejail gthumb" } expect { diff --git a/test/apps/hexchat.exp b/test/apps/hexchat.exp index a66cc52cc..5d0bc1093 100755 --- a/test/apps/hexchat.exp +++ b/test/apps/hexchat.exp @@ -49,6 +49,7 @@ spawn $env(SHELL) send -- "firemon --seccomp\r" expect { timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} "hexchat" } expect { diff --git a/test/apps/icedove.exp b/test/apps/icedove.exp index 667f6745d..c0fbd9fc8 100755 --- a/test/apps/icedove.exp +++ b/test/apps/icedove.exp @@ -49,6 +49,7 @@ spawn $env(SHELL) send -- "firemon --seccomp\r" expect { timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} ":firejail icedove" } expect { diff --git a/test/apps/midori.exp b/test/apps/midori.exp index fdd47954c..45d70eda1 100755 --- a/test/apps/midori.exp +++ b/test/apps/midori.exp @@ -49,6 +49,7 @@ spawn $env(SHELL) send -- "firemon --seccomp\r" expect { timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} ":firejail midori" } expect { diff --git a/test/apps/opera.exp b/test/apps/opera.exp index b94c9dbbd..036fc2e21 100755 --- a/test/apps/opera.exp +++ b/test/apps/opera.exp @@ -49,6 +49,7 @@ spawn $env(SHELL) send -- "firemon --seccomp\r" expect { timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} ":firejail opera" } expect { diff --git a/test/apps/qbittorrent.exp b/test/apps/qbittorrent.exp index ee4044a84..8bc6d8564 100755 --- a/test/apps/qbittorrent.exp +++ b/test/apps/qbittorrent.exp 
@@ -49,6 +49,7 @@ spawn $env(SHELL) send -- "firemon --seccomp\r" expect { timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} ":firejail qbittorrent" } expect { diff --git a/test/apps/transmission-gtk.exp b/test/apps/transmission-gtk.exp index 33f4ef963..70700d523 100755 --- a/test/apps/transmission-gtk.exp +++ b/test/apps/transmission-gtk.exp @@ -44,6 +44,7 @@ spawn $env(SHELL) send -- "firemon --seccomp\r" expect { timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} ":firejail transmission-gtk" } expect { diff --git a/test/apps/transmission-qt.exp b/test/apps/transmission-qt.exp index 991742106..3773b1dc2 100755 --- a/test/apps/transmission-qt.exp +++ b/test/apps/transmission-qt.exp @@ -49,6 +49,7 @@ spawn $env(SHELL) send -- "firemon --seccomp\r" expect { timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} ":firejail transmission-qt" } expect { diff --git a/test/apps/uget-gtk.exp b/test/apps/uget-gtk.exp index 1511a07af..22c2a0831 100755 --- a/test/apps/uget-gtk.exp +++ b/test/apps/uget-gtk.exp @@ -49,6 +49,7 @@ spawn $env(SHELL) send -- "firemon --seccomp\r" expect { timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} ":firejail uget-gtk" } expect { diff --git a/test/apps/vlc.exp b/test/apps/vlc.exp index f0903c170..b94ef8e12 100755 --- a/test/apps/vlc.exp +++ b/test/apps/vlc.exp @@ -49,6 +49,7 @@ spawn $env(SHELL) send -- "firemon --seccomp\r" expect { timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} ":firejail vlc" } expect { diff --git a/test/apps/xchat.exp b/test/apps/xchat.exp index 206397f3e..f3284caf7 100755 --- a/test/apps/xchat.exp +++ b/test/apps/xchat.exp 
@@ -49,6 +49,7 @@ spawn $env(SHELL) send -- "firemon --seccomp\r" expect { timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} " xchat" } expect { diff --git a/test/utils/caps.exp b/test/utils/caps.exp deleted file mode 100755 index ab1067921..000000000 --- a/test/utils/caps.exp +++ /dev/null 
@@ -1,129 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors -# License GPL v2 - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --name=bingo1 --noprofile --caps\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -spawn $env(SHELL) -send -- "firejail --name=bingo2 --noprofile\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -sleep 1 - -spawn $env(SHELL) -send -- "firejail --name=bingo3 --noprofile --caps.drop=all\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "Child process initialized" -} -sleep 1 - -spawn $env(SHELL) -send -- "firejail --noprofile --name=bingo4 --caps.drop=chown,kill\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "Child process initialized" -} -sleep 1 - -spawn $env(SHELL) -send -- "firejail --noprofile --name=bingo5 --caps.keep=chown,kill\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -sleep 1 - -spawn $env(SHELL) -send -- "firejail --name=bingo6 --profile=caps1.profile\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "Child process initialized" -} -sleep 1 - -spawn $env(SHELL) -send -- "firejail --name=bingo7 --profile=caps2.profile\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -spawn $env(SHELL) -send -- "firemon --caps\r" -expect { - timeout {puts "TESTING ERROR 8.1\n";exit} - "bingo1" -} -expect { - timeout {puts "TESTING ERROR 8.2\n";exit} - "31cffff" -} -expect { - timeout {puts "TESTING ERROR 8.3\n";exit} - "bingo2" -} -expect { - timeout {puts "TESTING ERROR 8.4\n";exit} - "fffffff" -} -expect { - timeout {puts "TESTING ERROR 8.5\n";exit} - "bingo3" -} -expect { - timeout {puts "TESTING ERROR 8.6\n";exit} - "000000000000" -} - -expect { - timeout {puts "TESTING ERROR 8.7\n";exit} - "bingo4" -} -expect { - timeout {puts "TESTING ERROR 
8.8\n";exit} - "ffffffde" -} -expect { - timeout {puts "TESTING ERROR 8.9\n";exit} - "bingo5" -} -expect { - timeout {puts "TESTING ERROR 8.10\n";exit} - "0000000000000021" -} - -expect { - timeout {puts "TESTING ERROR 8.11\n";exit} - "bingo6" -} -expect { - timeout {puts "TESTING ERROR 8.12\n";exit} - "ffffffde" -} -expect { - timeout {puts "TESTING ERROR 8.13\n";exit} - "bingo7" -} -expect { - timeout {puts "TESTING ERROR 8.14\n";exit} - "0000000000000021" -} - -after 100 - -puts "all done\n" - diff --git a/test/utils/firemon-caps.exp b/test/utils/firemon-caps.exp new file mode 100755 index 000000000..76aa13725 --- /dev/null +++ b/test/utils/firemon-caps.exp 
@@ -0,0 +1,130 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --name=bingo1 --noprofile --caps\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --name=bingo2 --noprofile\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --name=bingo3 --noprofile --caps.drop=all\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --noprofile --name=bingo4 --caps.drop=chown,kill\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --noprofile --name=bingo5 --caps.keep=chown,kill\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --name=bingo6 --profile=caps1.profile\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --name=bingo7 --profile=caps2.profile\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 8.1\n";exit} + "need to be root" {puts "TESTING SKIP: /proc mounted as hidepid\n"; exit} + "bingo1" +} +expect { + timeout {puts "TESTING ERROR 8.2\n";exit} + "31cffff" +} +expect { + timeout {puts "TESTING ERROR 8.3\n";exit} + "bingo2" +} +expect { + timeout {puts "TESTING ERROR 8.4\n";exit} + "fffffff" +} +expect { + timeout {puts "TESTING ERROR 8.5\n";exit} + "bingo3" +} +expect { + timeout {puts "TESTING ERROR 8.6\n";exit} + "000000000000" +} + +expect { + timeout {puts "TESTING ERROR 
8.7\n";exit} + "bingo4" +} +expect { + timeout {puts "TESTING ERROR 8.8\n";exit} + "ffffffde" +} +expect { + timeout {puts "TESTING ERROR 8.9\n";exit} + "bingo5" +} +expect { + timeout {puts "TESTING ERROR 8.10\n";exit} + "0000000000000021" +} + +expect { + timeout {puts "TESTING ERROR 8.11\n";exit} + "bingo6" +} +expect { + timeout {puts "TESTING ERROR 8.12\n";exit} + "ffffffde" +} +expect { + timeout {puts "TESTING ERROR 8.13\n";exit} + "bingo7" +} +expect { + timeout {puts "TESTING ERROR 8.14\n";exit} + "0000000000000021" +} + +after 100 + +puts "all done\n" + diff --git a/test/utils/firemon-cgroup.exp b/test/utils/firemon-cgroup.exp index 3cd4f5a03..b1ab083ae 100755 --- a/test/utils/firemon-cgroup.exp +++ b/test/utils/firemon-cgroup.exp @@ -27,6 +27,7 @@ send -- "firemon --cgroup\r" sleep 4 expect { timeout {puts "TESTING ERROR 2\n";exit} + "need to be root" {puts "TESTING SKIP: /proc mounted as hidepid\n"; exit} "name=test1" } expect { diff --git a/test/utils/firemon-cpu.exp b/test/utils/firemon-cpu.exp index 22e44512c..f2ecd4a5c 100755 --- a/test/utils/firemon-cpu.exp +++ b/test/utils/firemon-cpu.exp @@ -27,6 +27,7 @@ send -- "firemon --cpu\r" sleep 4 expect { timeout {puts "TESTING ERROR 2\n";exit} + "need to be root" {puts "TESTING SKIP: /proc mounted as hidepid\n"; exit} "name=test1" } expect { diff --git a/test/utils/firemon-seccomp.exp b/test/utils/firemon-seccomp.exp new file mode 100755 index 000000000..26c478344 --- /dev/null +++ b/test/utils/firemon-seccomp.exp 
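Review bot: The timeout label `TESTING ERROR 0` is used twice in the new firemon-caps.exp, once for the `bingo1` start and again for the `bingo7` start, so a failure report cannot tell the two apart; the labels also jump from 5 to 8.1. Suggested for the bingo7 block: `timeout {puts "TESTING ERROR 6\n";exit}`. A one-line header comment saying the script compares `firemon --caps` output for seven sandboxes started with different capability options would help the next reader.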
@@ -0,0 +1,49 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --noprofile --name=bingo1 --seccomp\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --noprofile --name=bingo2\r" +expect { + timeout {puts "TESTING ERROR 0.1\n";exit} + "Child process initialized" +} +sleep 1 + + + + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "need to be root" {puts "TESTING SKIP: /proc mounted as hidepid\n"; exit} + "bingo1" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "bingo2" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Seccomp: 0" +} +after 100 + +puts "all done\n" diff --git a/test/utils/seccomp.exp b/test/utils/seccomp.exp deleted file mode 100755 index c9726ff21..000000000 --- a/test/utils/seccomp.exp +++ /dev/null @@ -1,48 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors -# License GPL v2 - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --noprofile --name=bingo1 --seccomp\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -spawn $env(SHELL) -send -- "firejail --noprofile --name=bingo2\r" -expect { - timeout {puts "TESTING ERROR 0.1\n";exit} - "Child process initialized" -} -sleep 1 - - - - -spawn $env(SHELL) -send -- "firemon --seccomp\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "bingo1" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "Seccomp: 2" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "bingo2" -} -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Seccomp: 0" -} -after 100 - -puts "all done\n" 
diff --git a/test/utils/utils.sh b/test/utils/utils.sh index 557f2c961..7b0ab1096 100755 --- a/test/utils/utils.sh +++ b/test/utils/utils.sh @@ -82,18 +82,18 @@ rm -f index.html* ./trace.exp rm -f index.html* -echo "TESTING: firemon --seccomp (test/utils/seccomp.exp)" -./seccomp.exp - -echo "TESTING: firemon --caps (test/utils/caps.exp)" -./caps.exp - echo "TESTING: top (test/utils/top.exp)" ./top.exp echo "TESTING: file transfer (test/utils/ls.exp)" ./ls.exp +echo "TESTING: firemon --seccomp (test/utils/firemon-seccomp.exp)" +./firemon-seccomp.exp + +echo "TESTING: firemon --caps (test/utils/firemon-caps.exp)" +./firemon-caps.exp + echo "TESTING: firemon cpu (test/utils/firemon-cpu.exp)" ./firemon-cpu.exp diff --git a/todo b/todo index ddf886fcd..253704fcf 100644 --- a/todo +++ b/todo @@ -284,5 +284,6 @@ removable media, partitions, software RAID volumes, logical volumes, and files. free(dbus_path); } +29. grsecurity - move test after "firejail --name=blablabla" in /test/apps* -- cgit v1.2.3-70-g09d2 From c40736899fc621946246297e5b1a3964f6172fdb Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 11 Nov 2016 13:14:13 -0500 Subject: appimage testing --- Makefile.in | 7 +- README | 6 +- test/appimage/Leafpad-0.8.17-x86_64.AppImage | Bin 0 -> 786432 bytes .../Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage | Bin 0 -> 231417 bytes test/appimage/appimage-v1.exp | 81 +++++++++++++++++++++ test/appimage/appimage-v2.exp | 81 +++++++++++++++++++++ test/appimage/appimage.sh | 14 ++++ 7 files changed, 185 insertions(+), 4 deletions(-) create mode 100644 test/appimage/Leafpad-0.8.17-x86_64.AppImage create mode 100644 test/appimage/Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage create mode 100755 test/appimage/appimage-v1.exp create mode 100755 test/appimage/appimage-v2.exp create mode 100755 test/appimage/appimage.sh diff --git a/Makefile.in b/Makefile.in index 6ea9e897f..83d44fb1c 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -146,7 +146,7 @@ uninstall: rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg DISTFILES = "src etc platform configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES" -DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils" +DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/appimage test/root test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils" dist: mv config.status config.status.old @@ -232,7 +232,10 @@ test-arguments: test-fs: cd test/fs; ./fs.sh | grep TESTING -test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments +test-appimage: + cd test/appimage; ./appimage.sh | grep TESTING + +test: test-profiles test-fs test-utils test-environment test-appimage test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments echo "TEST COMPLETE" # diff --git a/README b/README index 2051f2901..69e5e6337 100644 --- a/README +++ b/README @@ -80,6 +80,10 @@ Fred-Barclay (https://github.com/Fred-Barclay) - evince profile enhancement - tightened Spotify profile - added xiphos and Tor Browser Bundle profiles +Simon Peter (https://github.com/probonopd) + - set $APPIMAGE and $APPDIR environment variables + - AppImage version detection + - Leafppad type v1 and v2 appimage packages in test/appimage BogDan Vatra (https://github.com/bog-dan-ro) - zoom profile Impyy (https://github.com/Impyy) @@ -158,8 +162,6 @@ Rahul Golam (https://github.com/technoLord) - strings profile geg2048 (https://github.com/geg2048) - kwallet profile fixes -Simon Peter (https://github.com/probonopd) - - set $APPIMAGE and $APPDIR environment variables maces (https://github.com/maces) - Franz messenger profile KellerFuchs (https://github.com/KellerFuchs) 
diff --git a/test/appimage/Leafpad-0.8.17-x86_64.AppImage b/test/appimage/Leafpad-0.8.17-x86_64.AppImage new file mode 100644 index 000000000..865f6b44c Binary files /dev/null and b/test/appimage/Leafpad-0.8.17-x86_64.AppImage differ diff --git a/test/appimage/Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage b/test/appimage/Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage new file mode 100644 index 000000000..d167431f3 Binary files /dev/null and b/test/appimage/Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage differ diff --git a/test/appimage/appimage-v1.exp b/test/appimage/appimage-v1.exp new file mode 100755 index 000000000..88687ae2a --- /dev/null +++ b/test/appimage/appimage-v1.exp 
@@ -0,0 +1,81 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --appimage Leafpad-0.8.17-x86_64.AppImage\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "appimage Leafpad" +} +after 100 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} + "appimage Leafpad" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +after 100 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "appimage Leafpad" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +after 100 + +puts "\nall done\n" + diff --git a/test/appimage/appimage-v2.exp b/test/appimage/appimage-v2.exp new file mode 100755 index 000000000..7b3bf4cbd --- /dev/null +++ b/test/appimage/appimage-v2.exp 
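Review bot: The failure label `TESTING ERROR 5.1` is used for two different checks in the `firemon --seccomp` block of appimage-v1.exp, once for the `Seccomp: 2` match and once for the `name=blablabla` match. A timeout on the second check is therefore reported under the first check's number, with only the `(seccomp)` suffix to tell them apart. Renumber the second one, e.g. `timeout {puts "TESTING ERROR 5.2\n";exit}`. The same duplicate appears in appimage-v2.exp.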
@@ -0,0 +1,81 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --appimage Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "appimage Leafpad" +} +after 100 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} + "appimage Leafpad" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +after 100 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "appimage Leafpad" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +after 100 + +puts "\nall done\n" + diff --git a/test/appimage/appimage.sh b/test/appimage/appimage.sh new file mode 100755 index 000000000..6a73d0a7e --- /dev/null +++ b/test/appimage/appimage.sh 
@@ -0,0 +1,14 @@ +#!/bin/bash +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +export MALLOC_CHECK_=3 +export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) + +echo "TESTING: AppImage v1 (test/appimage/appimage-v1.exp)" +./appimage-v1.exp + +echo "TESTING: AppImage v2 (test/appimage/appimage-v2.exp)" +./appimage-v1.exp + -- cgit v1.2.3-70-g09d2 From 19020c9b34d98e01b37bb25047951fde6f22c9d6 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 11 Nov 2016 14:41:06 -0500 Subject: testing --- src/firejail/appimage.c | 3 +++ test/root/root.sh | 13 +++++++++++++ 2 files changed, 16 insertions(+) diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index 322798ee5..176326a2b 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c @@ -135,6 +135,9 @@ void appimage_set(const char *appimage_path) { errExit("asprintf"); free(mode); +#ifdef HAVE_GCOV + __gcov_flush(); +#endif #else fprintf(stderr, "Error: /dev/loop-control interface is not supported by your kernel\n"); exit(1); diff --git a/test/root/root.sh b/test/root/root.sh index 5576faad6..8c7437e49 100755 --- a/test/root/root.sh +++ b/test/root/root.sh @@ -78,3 +78,16 @@ rm -f tmpfile #******************************** echo "TESTING: firemon events (test/root/firemon-events.exp)" ./firemon-events.exp + +#******************************** +# firecfg +#******************************** +which firefox +if [ "$?" -eq 0 ]; +then + echo "TESTING: firecfg (test/root/firecfg.exp)" + ./firecfg.exp +else + echo "TESTING SKIP: firecfg, firefox not found" +fi + -- cgit v1.2.3-70-g09d2 From ca79ff961cc303670f1ccb8841495ddd7f17a76b Mon Sep 17 00:00:00 2001 
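Review bot: The second step of appimage.sh announces `AppImage v2 (test/appimage/appimage-v2.exp)` but runs `./appimage-v1.exp` again, so the type 2 image is never exercised while the log claims it was. The last command should be `./appimage-v2.exp`. Because the `test-appimage` target pipes the output through `grep TESTING`, nothing in the filtered log would reveal the mix-up.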
From: netblue30 Date: Sat, 12 Nov 2016 07:36:41 -0500 Subject: testing --- src/firemon/arp.c | 7 +++-- src/firemon/caps.c | 5 ++-- src/firemon/cgroup.c | 6 ++-- src/firemon/cpu.c | 6 ++-- src/firemon/firemon.c | 71 +++++++++++++++++++++++++++++++---------------- src/firemon/firemon.h | 18 ++++++------ src/firemon/interface.c | 12 +++----- src/firemon/route.c | 7 +++-- src/firemon/seccomp.c | 5 ++-- src/firemon/tree.c | 4 +-- src/firemon/x11.c | 8 ++++-- src/fseccomp/syscall.c | 3 -- test/overlay/fs-named.exp | 66 +++++++++++++++++++++++++++++++++++++++++++ test/overlay/fs-tmpfs.exp | 62 +++++++++++++++++++++++++++++++++++++++++ test/overlay/overlay.sh | 12 +++++++- test/root/firecfg.exp | 46 ++++++++++++++++++++++++++++++ 16 files changed, 274 insertions(+), 64 deletions(-) create mode 100755 test/overlay/fs-named.exp create mode 100755 test/overlay/fs-tmpfs.exp create mode 100755 test/root/firecfg.exp diff --git a/src/firemon/arp.c b/src/firemon/arp.c index d204a0c3a..014f6a904 100644 --- a/src/firemon/arp.c +++ b/src/firemon/arp.c @@ -72,14 +72,15 @@ static void print_arp(const char *fname) { } -void arp(pid_t pid) { +void arp(pid_t pid, int print_procs) { pid_read(pid); // print processes int i; for (i = 0; i < max_pids; i++) { if (pids[i].level == 1) { - pid_print_list(i, 0); + if (print_procs || pid == 0) + pid_print_list(i, 0); int child = find_child(i); if (child != -1) { char *fname; @@ -87,10 +88,10 @@ void arp(pid_t pid) { errExit("asprintf"); print_arp(fname); free(fname); - printf("\n"); } } } + printf("\n"); } diff --git a/src/firemon/caps.c b/src/firemon/caps.c index 49c7b204b..81877ab87 100644 --- a/src/firemon/caps.c +++ b/src/firemon/caps.c 
@@ -48,14 +48,15 @@ static void print_caps(int pid) { free(file); } -void caps(pid_t pid) { +void caps(pid_t pid, int print_procs) { pid_read(pid); // include all processes // print processes int i; for (i = 0; i < max_pids; i++) { if (pids[i].level == 1) { - pid_print_list(i, 0); + if (print_procs || pid == 0) + pid_print_list(i, 0); int child = find_child(i); if (child != -1) print_caps(child); diff --git a/src/firemon/cgroup.c b/src/firemon/cgroup.c index ec2d350af..e20e1d449 100644 --- a/src/firemon/cgroup.c +++ b/src/firemon/cgroup.c @@ -44,18 +44,20 @@ static void print_cgroup(int pid) { free(file); } -void cgroup(pid_t pid) { +void cgroup(pid_t pid, int print_procs) { pid_read(pid); // print processes int i; for (i = 0; i < max_pids; i++) { if (pids[i].level == 1) { - pid_print_list(i, 0); + if (print_procs || pid == 0) + pid_print_list(i, 0); int child = find_child(i); if (child != -1) print_cgroup(child); } } + printf("\n"); } diff --git a/src/firemon/cpu.c b/src/firemon/cpu.c index 20fba33d6..47c935686 100644 --- a/src/firemon/cpu.c +++ b/src/firemon/cpu.c @@ -48,18 +48,20 @@ static void print_cpu(int pid) { free(file); } -void cpu(pid_t pid) { +void cpu(pid_t pid, int print_procs) { pid_read(pid); // print processes int i; for (i = 0; i < max_pids; i++) { if (pids[i].level == 1) { - pid_print_list(i, 0); + if (print_procs || pid == 0) + pid_print_list(i, 0); int child = find_child(i); if (child != -1) print_cpu(child); } } + printf("\n"); } diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c index 1ec64bea8..b63e37444 100644 --- a/src/firemon/firemon.c +++ b/src/firemon/firemon.c @@ -25,7 +25,6 @@ #include #include - static int arg_route = 0; static int arg_arp = 0; static int arg_tree = 0; 
@@ -148,8 +147,13 @@ int main(int argc, char **argv) { arg_seccomp = 1; else if (strcmp(argv[i], "--caps") == 0) arg_caps = 1; - else if (strcmp(argv[i], "--interface") == 0) + else if (strcmp(argv[i], "--interface") == 0) { + if (getuid() != 0) { + fprintf(stderr, "Error: you need to be root to run this command\n"); + exit(1); + } arg_interface = 1; + } else if (strcmp(argv[i], "--route") == 0) arg_route = 1; else if (strcmp(argv[i], "--arp") == 0) @@ -196,10 +200,8 @@ int main(int argc, char **argv) { exit(1); } - if (arg_top) - top(); // never to return - if (arg_tree) { - tree(); + if (arg_top) { + top(); return 0; } if (arg_list) { @@ -212,25 +214,46 @@ int main(int argc, char **argv) { } // cumulative options - if (arg_interface) - interface((pid_t) pid); - if (arg_route) - route((pid_t) pid); - if (arg_arp) - arp((pid_t) pid); - if (arg_seccomp) - seccomp((pid_t) pid); - if (arg_caps) - caps((pid_t) pid); - if (arg_cpu) - cpu((pid_t) pid); - if (arg_cgroup) - cgroup((pid_t) pid); - if (arg_x11) - x11((pid_t) pid); + int print_procs = 1; + if (arg_tree) { + tree((pid_t) pid); + print_procs = 0; + } + if (arg_cpu) { + cpu((pid_t) pid, print_procs); + print_procs = 0; + } + if (arg_seccomp) { + seccomp((pid_t) pid, print_procs); + print_procs = 0; + } + if (arg_caps) { + caps((pid_t) pid, print_procs); + print_procs = 0; + } + if (arg_cgroup) { + cgroup((pid_t) pid, print_procs); + print_procs = 0; + } + if (arg_x11) { + x11((pid_t) pid, print_procs); + print_procs = 0; + } + if (arg_interface) { + interface((pid_t) pid, print_procs); + print_procs = 0; + } + if (arg_route) { + route((pid_t) pid, print_procs); + print_procs = 0; + } + if (arg_arp) { + arp((pid_t) pid, print_procs); + print_procs = 0; + } - if (!arg_interface && !arg_route && !arg_arp && !arg_seccomp && !arg_caps && !arg_cgroup && !arg_x11) - procevent((pid_t) pid); // never to return + if (print_procs) + procevent((pid_t) pid); return 0; } 
diff --git a/src/firemon/firemon.h b/src/firemon/firemon.h index c5607a792..c78023888 100644 --- a/src/firemon/firemon.h +++ b/src/firemon/firemon.h @@ -54,33 +54,33 @@ void top(void); void list(void); // interface.c -void interface(pid_t pid); +void interface(pid_t pid, int print_procs); // arp.c -void arp(pid_t pid); +void arp(pid_t pid, int print_procs); // route.c -void route(pid_t pid); +void route(pid_t pid, int print_procs); // caps.c -void caps(pid_t pid); +void caps(pid_t pid, int print_procs); // seccomp.c -void seccomp(pid_t pid); +void seccomp(pid_t pid, int print_procs); // cpu.c -void cpu(pid_t pid); +void cpu(pid_t pid, int print_procs); // cgroup.c -void cgroup(pid_t pid); +void cgroup(pid_t pid, int print_procs); // tree.c -void tree(void); +void tree(pid_t pid); // netstats.c void netstats(void); // x11.c -void x11(pid_t pid); +void x11(pid_t pid, int print_procs); #endif diff --git a/src/firemon/interface.c b/src/firemon/interface.c index 58990e6e5..def9cd5ac 100644 --- a/src/firemon/interface.c +++ b/src/firemon/interface.c @@ -145,7 +145,6 @@ static void print_sandbox(pid_t pid) { if (rv) return; net_ifprint(); - printf("\n"); #ifdef HAVE_GCOV __gcov_flush(); #endif @@ -156,24 +155,21 @@ static void print_sandbox(pid_t pid) { waitpid(child, NULL, 0); } -void interface(pid_t pid) { - if (getuid() != 0) { - fprintf(stderr, "Error: you need to be root to run this command\n"); - exit(1); - } - +void interface(pid_t pid, int print_procs) { pid_read(pid); // a pid of 0 will include all processes // print processes int i; for (i = 0; i < max_pids; i++) { if (pids[i].level == 1) { - pid_print_list(i, 0); + if (print_procs || pid == 0) + pid_print_list(i, 0); int child = find_child(i); if (child != -1) { print_sandbox(child); } } } + printf("\n"); } diff --git a/src/firemon/route.c b/src/firemon/route.c index ac8000b6a..fb58b169d 100644 --- a/src/firemon/route.c +++ b/src/firemon/route.c 
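Review bot: The prototypes in firemon.h gain a `print_procs` parameter with no description, and its meaning is not obvious from the name. In the .c files the header line is printed when `print_procs || pid == 0`, and main() passes 1 only to the first selected option. A short comment above the group of prototypes would record that, for example `// print_procs: non-zero prints the sandbox header line; it is always printed when pid is 0`.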
@@ -181,14 +181,15 @@ static void print_route(const char *fname) { } -void route(pid_t pid) { +void route(pid_t pid, int print_procs) { pid_read(pid); // print processes int i; for (i = 0; i < max_pids; i++) { if (pids[i].level == 1) { - pid_print_list(i, 0); + if (print_procs || pid == 0) + pid_print_list(i, 0); int child = find_child(i); if (child != -1) { char *fname; @@ -201,10 +202,10 @@ void route(pid_t pid) { errExit("asprintf"); print_route(fname); free(fname); - printf("\n"); } } } + printf("\n"); } diff --git a/src/firemon/seccomp.c b/src/firemon/seccomp.c index d4c248f8b..abc698bb8 100644 --- a/src/firemon/seccomp.c +++ b/src/firemon/seccomp.c @@ -48,14 +48,15 @@ static void print_seccomp(int pid) { free(file); } -void seccomp(pid_t pid) { +void seccomp(pid_t pid, int print_procs) { pid_read(pid); // include all processes // print processes int i; for (i = 0; i < max_pids; i++) { if (pids[i].level == 1) { - pid_print_list(i, 0); + if (print_procs || pid == 0) + pid_print_list(i, 0); int child = find_child(i); if (child != -1) print_seccomp(child); diff --git a/src/firemon/tree.c b/src/firemon/tree.c index f6d22b517..6d8b37ecb 100644 --- a/src/firemon/tree.c +++ b/src/firemon/tree.c @@ -19,8 +19,8 @@ */ #include "firemon.h" -void tree(void) { - pid_read(0); // include all processes +void tree(pid_t pid) { + pid_read(pid); // print processes int i; diff --git a/src/firemon/x11.c b/src/firemon/x11.c index c7fe4c616..b0efb090a 100644 --- a/src/firemon/x11.c +++ b/src/firemon/x11.c @@ -22,14 +22,15 @@ #include #include -void x11(pid_t pid) { +void x11(pid_t pid, int print_procs) { pid_read(pid); // print processes int i; for (i = 0; i < max_pids; i++) { if (pids[i].level == 1) { - pid_print_list(i, 0); + if (print_procs || pid == 0) + pid_print_list(i, 0); char *x11file; // todo: use macro from src/firejail/firejail.h for /run/firejail/x11 directory 
@@ -46,12 +47,13 @@ void x11(pid_t pid) { int display; int rv = fscanf(fp, "%d", &display); if (rv == 1) - printf(" DISPLAY :%d\n", display); + printf(" DISPLAY :%d\n", display); fclose(fp); } free(x11file); } } + printf("\n"); } diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c index 6696f2b11..7c2c4cbb2 100644 --- a/src/fseccomp/syscall.c +++ b/src/fseccomp/syscall.c @@ -127,12 +127,9 @@ int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall, } while (ptr) { -printf("ptr %s\n", ptr); - int syscall_nr; int error_nr; syscall_process_name(ptr, &syscall_nr, &error_nr); -printf("%d, %d\n", syscall_nr, error_nr); if (syscall_nr == -1) fprintf(stderr, "Warning fseccomp: syscall %s not found\n", ptr); else if (callback != NULL) { diff --git a/test/overlay/fs-named.exp b/test/overlay/fs-named.exp new file mode 100755 index 000000000..2ccb22bb1 --- /dev/null +++ b/test/overlay/fs-named.exp 
@@ -0,0 +1,66 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --overlay-named=firejail-test\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit} + "Error: --overlay option is not available on Grsecurity systems" {puts "\nTESTING: overlayfs not available\n"; exit} + "Child process initialized" {puts "found\n"} +} +sleep 1 + +send -- "echo xyzxyzxyz > ~/_firejail_test_file; echo done\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "done" +} +after 100 + +send -- "cat ~/_firejail_test_file; echo done\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "xyzxyzxyz" +} +expect { + timeout {puts "TESTING ERROR 4.1\n";exit} + "done" +} +after 100 + +send -- "exit\r" +sleep 2 + +send -- "cat ~/_firejail_test_file; echo done\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "xyzxyzxyz" {puts "TESTING ERROR 5.1\n";exit} + "done" +} +after 100 + +send -- "firejail --overlay-named=firejail-test\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit} + "Error: --overlay option is not available on Grsecurity systems" {puts "\nTESTING: overlayfs not available\n"; exit} + "Child process initialized" {puts "found\n"} +} +sleep 1 + +send -- "cat ~/_firejail_test_file; echo done\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "xyzxyzxyz" +} +expect { + timeout {puts "TESTING ERROR 4.1\n";exit} + "done" +} +after 100 + +puts "\nall done\n" + diff --git a/test/overlay/fs-tmpfs.exp b/test/overlay/fs-tmpfs.exp new file mode 100755 index 000000000..658d16779 --- /dev/null +++ b/test/overlay/fs-tmpfs.exp 
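Review bot: The second half of fs-named.exp reuses the labels `TESTING ERROR 2`, `TESTING ERROR 4` and `TESTING ERROR 4.1` from the first half, so a failure when re-entering the named overlay cannot be told apart from a failure on first entry. That second pass is the one that checks persistence of the named overlay, so it deserves its own numbers, e.g. `timeout {puts "TESTING ERROR 6\n";exit}`, `7` and `7.1`. The script also omits the project and license header comment that the other new test files in this series carry.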
@@ -0,0 +1,62 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --overlay-clean\r" +after 100 +send -- "file ~/.firejail\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "cannot open" +} +after 100 + +send -- "firejail --overlay-tmpfs\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit} + "Error: --overlay option is not available on Grsecurity systems" {puts "\nTESTING: overlayfs not available\n"; exit} + "Child process initialized" {puts "found\n"} +} +sleep 1 + +send -- "echo xyzxyzxyz > ~/_firejail_test_file; echo done\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "done" +} +after 100 + +send -- "cat ~/_firejail_test_file; echo done\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "xyzxyzxyz" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "done" +} +after 100 + +send -- "exit\r" +sleep 1 + +send -- "cat ~/_firejail_test_file; echo done\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "xyzxyzxyz" {puts "TESTING ERROR 6\n";exit} + "done" +} +after 100 + +send -- "file ~/.firejail\r" +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "cannot open" +} +after 100 + +puts "\nall done\n" + diff --git a/test/overlay/overlay.sh b/test/overlay/overlay.sh index 971adddfe..4c9ebe5b0 100755 --- a/test/overlay/overlay.sh +++ b/test/overlay/overlay.sh @@ -11,6 +11,16 @@ rm -fr ~/_firejail_test_* ./fs.exp rm -fr ~/_firejail_test_* +echo "TESTING: overlay named fs (test/overlay/fs-named.exp)" +rm -fr ~/_firejail_test_* +./fs-named.exp +rm -fr ~/_firejail_test_* + +echo "TESTING: overlay tmpfs fs (test/overlay/fs-tmpfs.exp)" +rm -fr ~/_firejail_test_* +./fs-tmpfs.exp +rm -fr ~/_firejail_test_* + which firefox if [ "$?" -eq 0 ]; then 
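Review bot: The opening `firejail --overlay-clean` in fs-tmpfs.exp runs against the real home directory, and the next check expects `file ~/.firejail` to report `cannot open`, so any overlay the developer keeps there is removed just by running the test suite. It also makes this test the implicit cleanup for the `firejail-test` overlay created by fs-named.exp, which overlay.sh runs immediately before it. State that at the top of the script, e.g. `# WARNING: removes every overlay stored under ~/.firejail`, or run the overlay tests with a throwaway HOME. As in fs-named.exp, the project and license header comment is missing.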
@@ -51,7 +61,7 @@ which firefox if [ "$?" -eq 0 ]; then echo "TESTING: overlay firefox x11" - ./firefox.exp + ./firefox-x11.exp else echo "TESTING SKIP: firefox not found" fi diff --git a/test/root/firecfg.exp b/test/root/firecfg.exp new file mode 100755 index 000000000..b4864988d --- /dev/null +++ b/test/root/firecfg.exp @@ -0,0 +1,46 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firecfg\r" +sleep 1 + +send -- "firecfg --clean\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "/usr/local/bin/firefox removed" +} +after 100 +send -- "file /usr/local/bin/firefox; echo done\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "symbolic link to /usr/bin/firejail" {puts "TESTING ERROR 2\n";exit} + "done" +} +after 100 + +send -- "firecfg\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "/usr/local/bin/firefox created" +} +after 100 +send -- "file /usr/local/bin/firefox\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "symbolic link to /usr/bin/firejail" +} +after 100 + +send -- "firecfg --list\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "/usr/local/bin/firefox" +} +after 100 +puts "\nall done\n" -- cgit v1.2.3-70-g09d2 From 9a066fa40143f587db7c67ea027e98883d1179fa Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 12 Nov 2016 08:06:49 -0500 Subject: fixes --- src/firejail/x11.c | 2 +- src/lib/common.c | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 54f947c45..2b1121958 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c 
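Review bot: firecfg.exp changes the host it runs on and does not restore it: the script ends after a plain `firecfg`, so the `/usr/local/bin` symlinks stay installed even if the machine had none before the test. Finishing with `send -- "firecfg --clean\r"` when the links were absent beforehand would leave the system as found. The expected text `symbolic link to /usr/bin/firejail` also assumes firejail is installed under /usr; presumably a build installed under another prefix fails check 4, which is worth confirming. The first `firecfg` call is followed only by `sleep 1`, so a failure there surfaces later as `TESTING ERROR 0`.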
@@ -714,7 +714,7 @@ void x11_xorg(void) { // move the temporary file in RUN_XAUTHORITY_SEC_FILE in order to have it deleted // automatically when the sandbox is closed if (copy_file(tmpfname, RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600)) { - fprintf(stderr, "asdfdsfError: cannot create the new .Xauthority file\n"); + fprintf(stderr, "Error: cannot create the new .Xauthority file\n"); exit(1); } if (chown(RUN_XAUTHORITY_SEC_FILE, getuid(), getgid()) == -1) diff --git a/src/lib/common.c b/src/lib/common.c index ea0ab781a..2f2340963 100644 --- a/src/lib/common.c +++ b/src/lib/common.c @@ -278,6 +278,7 @@ int pid_hidepid(void) { } } + fclose(fp); return 0; } -- cgit v1.2.3-70-g09d2 From bce524f98f380ab7f47a75ebebf651bd8f1df515 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 12 Nov 2016 08:13:25 -0500 Subject: support pdf viewers in firefox profile --- etc/firefox.profile | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/etc/firefox.profile b/etc/firefox.profile index 7862bd010..6bb581f4f 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile @@ -2,6 +2,9 @@ noblacklist ~/.mozilla noblacklist ~/.cache/mozilla +noblacklist ~/.config/qpdfview +noblacklist ~/.local/share/qpdfview +noblacklist ~/.kde/share/apps/okular include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc @@ -29,6 +32,9 @@ whitelist ~/.keysnail.js whitelist ~/.config/gnome-mplayer whitelist ~/.cache/gnome-mplayer/plugin whitelist ~/.pki +whitelist ~/.config/qpdfview +whitelist ~/.local/share/qpdfview +whitelist ~/.kde/share/apps/okular # lastpass, keepassx whitelist ~/.keepassx -- cgit v1.2.3-70-g09d2 From f2b984eadf02909fe80c9a345c384dcc3cf2bb31 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 12 Nov 2016 08:16:04 -0500 Subject: deluge profile fix --- etc/deluge.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/deluge.profile b/etc/deluge.profile index b82bd4936..c6ddec3ec 100644 
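Review bot: The added `fclose(fp);` in pid_hidepid() covers only the fall-through `return 0` at the end of the function. The loop above it starts outside this hunk, so it is not visible whether it returns early once a hidepid entry is found. If it does, that path still leaks the stream and needs its own `fclose(fp);` before the return, or a single exit label shared by both paths.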
--- a/etc/deluge.profile +++ b/etc/deluge.profile @@ -14,7 +14,7 @@ protocol unix,inet,inet6 seccomp shell none -private-bin deluge,sh,python,uname +#private-bin deluge,sh,python,uname private-dev private-tmp -- cgit v1.2.3-70-g09d2 From e75dfa59eb8e74b0f1bae2be6e4d981205edcda2 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 12 Nov 2016 08:43:09 -0500 Subject: bugfix: --private=dir where dir is the user home directory --- src/firejail/main.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/firejail/main.c b/src/firejail/main.c index 65569ae5f..ec0c31285 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1583,6 +1583,12 @@ int main(int argc, char **argv) { exit(1); } fs_check_private_dir(); + + // downgrade to --private if the directory is the user home directory + if (strcmp(cfg.home_private, cfg.homedir) == 0) { + free(cfg.home_private); + cfg.home_private = NULL; + } arg_private = 1; } #ifdef HAVE_PRIVATE_HOME -- cgit v1.2.3-70-g09d2 From 5c495665ae5c8a258579111ea24229f1bde52b49 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 12 Nov 2016 08:53:08 -0500 Subject: testing --- test/fs/fs.sh | 3 +++ test/fs/private-homedir.exp | 25 +++++++++++++++++++++++++ 2 files changed, 28 insertions(+) create mode 100755 test/fs/private-homedir.exp diff --git a/test/fs/fs.sh b/test/fs/fs.sh index 0b9cf977e..efbf505ee 100755 --- a/test/fs/fs.sh +++ b/test/fs/fs.sh @@ -43,6 +43,9 @@ echo "TESTING: private home (test/fs/private-home.exp)" echo "TESTING: private home dir (test/fs/private-home-dir.exp)" ./private-home-dir.exp +echo "TESTING: private home dir same as user home (test/fs/private-homedir.exp)" +./private-homedir.exp + echo "TESTING: private-etc (test/fs/private-etc.exp)" ./private-etc.exp diff --git a/test/fs/private-homedir.exp b/test/fs/private-homedir.exp new file mode 100755 index 000000000..35085948a --- /dev/null +++ b/test/fs/private-homedir.exp 
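Review bot: Commenting out `private-bin deluge,sh,python,uname` removes the restriction on which executables the sandboxed torrent client can see, and the profile gives no reason for it. If the line was disabled because Deluge needs a binary missing from the list, adding that binary would keep the restriction in place. Otherwise record why it is off, for example `# private-bin disabled: <reason>` (placeholder text), so the line is not mistaken for leftover debugging.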
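Review bot: The new downgrade check `strcmp(cfg.home_private, cfg.homedir) == 0` is a literal string comparison, so it recognises the home directory only when both strings are spelled identically. Whether `fs_check_private_dir()` canonicalises `cfg.home_private` is not visible here, and `cfg.homedir` is set elsewhere; a trailing slash or a symlinked home would presumably slip past and take the `--private=dir` path this commit is trying to avoid. Comparing `st_dev` and `st_ino` from `stat()` on both paths would cover those spellings. The enclosing main() starts and ends outside the hunk.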
@@ -0,0 +1,25 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --private=~\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +after 100 + +send -- "ls -l ~\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "total 0" +} +after 100 + +puts "\nall done\n" + -- cgit v1.2.3-70-g09d2 From 3ed5918832344db694d094eefbe2189fd847345d Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 12 Nov 2016 09:52:53 -0500 Subject: set_perms cleanup --- src/firejail/appimage.c | 6 ++--- src/firejail/firejail.h | 1 + src/firejail/fs.c | 29 +++++++---------------- src/firejail/fs_home.c | 17 ++++--------- src/firejail/fs_whitelist.c | 55 ++++++++++++++----------------------------- src/firejail/preproc.c | 24 +++++++------------ src/firejail/pulseaudio.c | 18 +++++--------- src/firejail/restrict_users.c | 6 ++--- src/firejail/util.c | 23 +++++++++++------- src/firejail/x11.c | 24 +++++++------------ 10 files changed, 73 insertions(+), 130 deletions(-) diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index 176326a2b..96c054048 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c @@ -98,10 +98,8 @@ void appimage_set(const char *appimage_path) { fprintf(stderr, "Error: cannot create appimage mount point\n"); exit(1); } - if (chmod(mntdir, 0700) == -1) - errExit("chmod"); - if (chown(mntdir, getuid(), getgid()) == -1) - errExit("chown"); + if (set_perms(mntdir, getuid(), getgid(), 0700)) + errExit("set_perms"); EUID_USER(); ASSERT_PERMS(mntdir, getuid(), getgid(), 0700); diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 435405fd9..282271a64 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h 
@@ -460,6 +460,7 @@ int remove_directory(const char *path); void flush_stdin(void); void create_empty_dir_as_root(const char *dir, mode_t mode); void create_empty_file_as_root(const char *dir, mode_t mode); +int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode); // fs_var.c void fs_var_log(void); // mounting /var/log diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 65b0773ca..3a2fd8c38 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -273,11 +273,8 @@ void fs_blacklist(void) { if (mount(dname1, dname2, NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind"); /* coverity[toctou] */ - if (chown(dname2, s.st_uid, s.st_gid) == -1) - errExit("mount-bind chown"); - /* coverity[toctou] */ - if (chmod(dname2, s.st_mode) == -1) - errExit("mount-bind chmod"); + if (set_perms(dname2, s.st_uid, s.st_gid,s.st_mode)) + errExit("set_perms"); entry = entry->next; continue; @@ -773,10 +770,8 @@ void fs_overlayfs(void) { errExit("mkdir"); } - if (chown(odiff, 0, 0) < 0) - errExit("chown"); - if (chmod(odiff, 0755) < 0) - errExit("chmod"); + if (set_perms(odiff, 0, 0, 0755)) + errExit("set_perms"); char *owork; if(asprintf(&owork, "%s/owork", basedir) == -1) @@ -788,10 +783,8 @@ void fs_overlayfs(void) { errExit("mkdir"); } - if (chown(owork, 0, 0) < 0) + if (set_perms(owork, 0, 0, 0755)) errExit("chown"); - if (chmod(owork, 0755) < 0) - errExit("chmod"); // mount overlayfs if (arg_debug) @@ -850,10 +843,8 @@ void fs_overlayfs(void) { errExit("mkdir"); } - if (chown(hdiff, 0, 0) < 0) - errExit("chown"); - if (chmod(hdiff, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0) - errExit("chmod"); + if (set_perms(hdiff, 0, 0, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH)) + errExit("set_perms"); if(asprintf(&hwork, "%s/hwork", basedir) == -1) errExit("asprintf"); 
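Review bot: The fs_blacklist() hunk replaces a chown-then-chmod pair with `set_perms()`, while the appimage.c site converted in the same commit ran chmod before chown, so the helper cannot keep the old order for both. Order matters at this site because the mode is `s.st_mode` copied from the source: chown() can clear set-user-ID and set-group-ID bits, and the removed code applied chmod last. `set_perms()` is defined in util.c outside this view; confirm it calls chown first. The call also lost the space after the comma in `s.st_gid,s.st_mode`.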
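Review bot: In the `owork` hunk of fs_overlayfs() the failure branch still reads `errExit("chown")` although the check is now `set_perms(owork, 0, 0, 0755)`. Every other converted site in this commit reports `errExit("set_perms")`, so a failure here would name a call that no longer appears in the code. Change the line to `errExit("set_perms");`. fs_overlayfs() continues outside the hunk.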
@@ -864,10 +855,8 @@ void fs_overlayfs(void) { errExit("mkdir"); } - if (chown(hwork, 0, 0) < 0) - errExit("chown"); - if (chmod(hwork, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0) - errExit("chmod"); + if (set_perms(hwork, 0, 0, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH)) + errExit("set_perms"); // no homedir in overlay so now mount another overlay for /home if (asprintf(&option, "lowerdir=/home,upperdir=%s,workdir=%s", hdiff, hwork) == -1) diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index a2532c367..91fbe592a 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c @@ -398,15 +398,8 @@ int fs_copydir(const char *path, const struct stat *st, int ftype, struct FTW *s else if (ftype == FTW_D) { if (mkdir(dest, s.st_mode) == -1) errExit("mkdir"); - if (chmod(dest, s.st_mode) < 0) { - fprintf(stderr, "Error: cannot change mode for %s\n", path); - exit(1); - } - if (chown(dest, firejail_uid, firejail_gid) < 0) { - fprintf(stderr, "Error: cannot change ownership for %s\n", path); - exit(1); - } - + if (set_perms(dest, firejail_uid, firejail_gid, s.st_mode)) + errExit("set_perms"); #if 0 struct stat s2; if (stat(dest, &s2) == 0) { @@ -590,10 +583,8 @@ void fs_private_home_list(void) { int rv = mkdir(RUN_HOME_DIR, 0755); if (rv == -1) errExit("mkdir"); - if (chown(RUN_HOME_DIR, u, g) < 0) - errExit("chown"); - if (chmod(RUN_HOME_DIR, 0755) < 0) - errExit("chmod"); + if (set_perms(RUN_HOME_DIR, u, g, 0755)) + errExit("set_perms"); ASSERT_PERMS(RUN_HOME_DIR, u, g, 0755); fs_logger_print(); // save the current log diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 9cd8f7681..9d8021219 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c 
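Review bot: The conversion in fs_copydir() drops the file name from the failure report: the removed lines printed `Error: cannot change mode for %s` and `Error: cannot change ownership for %s`, whereas the new `errExit("set_perms")` names no file. This callback runs once per directory during a tree walk, so the path is the useful part of the message. Keeping an explicit report such as `fprintf(stderr, "Error: cannot set permissions for %s\n", dest); exit(1);` would preserve it. The removed messages printed `path` although the operation was on `dest`, so `dest` is the better argument.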
@@ -157,10 +157,8 @@ static int mkpath(const char* path, mode_t mode) { } } else { - if (chmod(file_path, mode) == -1) - errExit("chmod"); - if (chown(file_path, uid, gid) == -1) - errExit("chown"); + if (set_perms(file_path, uid, gid, mode)) + errExit("set_perms"); done = 1; } @@ -535,11 +533,8 @@ void fs_whitelist(void) { int rv = mkdir(RUN_WHITELIST_HOME_USER_DIR, 0755); if (rv == -1) errExit("mkdir"); - if (chown(RUN_WHITELIST_HOME_USER_DIR, getuid(), getgid()) < 0) - errExit("chown"); - if (chmod(RUN_WHITELIST_HOME_USER_DIR, 0755) < 0) - errExit("chmod"); - + if (set_perms(RUN_WHITELIST_HOME_USER_DIR, getuid(), getgid(), 0755)) + errExit("set_perms"); if (mount(cfg.homedir, RUN_WHITELIST_HOME_USER_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind"); @@ -553,10 +548,8 @@ void fs_whitelist(void) { int rv = mkdir(RUN_WHITELIST_TMP_DIR, 1777); if (rv == -1) errExit("mkdir"); - if (chown(RUN_WHITELIST_TMP_DIR, 0, 0) < 0) - errExit("chown"); - if (chmod(RUN_WHITELIST_TMP_DIR, 1777) < 0) - errExit("chmod"); + if (set_perms(RUN_WHITELIST_TMP_DIR, 0, 0, 1777)) + errExit("set_perms"); if (mount("/tmp", RUN_WHITELIST_TMP_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind"); @@ -578,10 +571,8 @@ void fs_whitelist(void) { int rv = mkdir(RUN_WHITELIST_MEDIA_DIR, 0755); if (rv == -1) errExit("mkdir"); - if (chown(RUN_WHITELIST_MEDIA_DIR, 0, 0) < 0) - errExit("chown"); - if (chmod(RUN_WHITELIST_MEDIA_DIR, 0755) < 0) - errExit("chmod"); + if (set_perms(RUN_WHITELIST_MEDIA_DIR, 0, 0, 0755)) + errExit("set_perms"); if (mount("/media", RUN_WHITELIST_MEDIA_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind"); 
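Review bot: The mode passed for RUN_WHITELIST_TMP_DIR in fs_whitelist() is the decimal literal `1777`, not octal, and the conversion to set_perms() carries it over unchanged. Decimal 1777 is octal 03361 (setgid plus sticky, owner `-wx`, group `rw-`, other `--x`), which is presumably not the intended sticky world-writable mode. Both calls should read `mkdir(RUN_WHITELIST_TMP_DIR, 01777)` and `set_perms(RUN_WHITELIST_TMP_DIR, 0, 0, 01777)`. The same literal appears for RUN_WHITELIST_X11_DIR in the fs_x11() hunk of x11.c. The effect may be masked once the bind mount covers the directory, but the window before the mount still has the wrong mode.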
@@ -606,10 +597,8 @@ void fs_whitelist(void) { int rv = mkdir(RUN_WHITELIST_MNT_DIR, 0755); if (rv == -1) errExit("mkdir"); - if (chown(RUN_WHITELIST_MNT_DIR, 0, 0) < 0) - errExit("chown"); - if (chmod(RUN_WHITELIST_MNT_DIR, 0755) < 0) - errExit("chmod"); + if (set_perms(RUN_WHITELIST_MNT_DIR, 0, 0, 0755)) + errExit("set_perms"); if (mount("/mnt", RUN_WHITELIST_MNT_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind"); @@ -632,10 +621,8 @@ void fs_whitelist(void) { int rv = mkdir(RUN_WHITELIST_VAR_DIR, 0755); if (rv == -1) errExit("mkdir"); - if (chown(RUN_WHITELIST_VAR_DIR, 0, 0) < 0) - errExit("chown"); - if (chmod(RUN_WHITELIST_VAR_DIR, 0755) < 0) - errExit("chmod"); + if (set_perms(RUN_WHITELIST_VAR_DIR, 0, 0, 0755)) + errExit("set_perms"); if (mount("/var", RUN_WHITELIST_VAR_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind"); @@ -654,10 +641,8 @@ void fs_whitelist(void) { int rv = mkdir(RUN_WHITELIST_DEV_DIR, 0755); if (rv == -1) errExit("mkdir"); - if (chown(RUN_WHITELIST_DEV_DIR, 0, 0) < 0) - errExit("chown"); - if (chmod(RUN_WHITELIST_DEV_DIR, 0755) < 0) - errExit("chmod"); + if (set_perms(RUN_WHITELIST_DEV_DIR, 0, 0, 0755)) + errExit("set_perms"); if (mount("/dev", RUN_WHITELIST_DEV_DIR, NULL, MS_BIND|MS_REC, "mode=755,gid=0") < 0) errExit("mount bind"); @@ -676,10 +661,8 @@ void fs_whitelist(void) { int rv = mkdir(RUN_WHITELIST_OPT_DIR, 0755); if (rv == -1) errExit("mkdir"); - if (chown(RUN_WHITELIST_OPT_DIR, 0, 0) < 0) - errExit("chown"); - if (chmod(RUN_WHITELIST_OPT_DIR, 0755) < 0) - errExit("chmod"); + if (set_perms(RUN_WHITELIST_OPT_DIR, 0, 0, 0755)) + errExit("set_perms"); if (mount("/opt", RUN_WHITELIST_OPT_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind"); 
@@ -701,10 +684,8 @@ void fs_whitelist(void) { int rv = mkdir(RUN_WHITELIST_SRV_DIR, 0755); if (rv == -1) errExit("mkdir"); - if (chown(RUN_WHITELIST_SRV_DIR, 0, 0) < 0) - errExit("chown"); - if (chmod(RUN_WHITELIST_SRV_DIR, 0755) < 0) - errExit("chmod"); + if (set_perms(RUN_WHITELIST_SRV_DIR, 0, 0, 0755)) + errExit("set_perms"); if (mount("/srv", RUN_WHITELIST_SRV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind"); diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index 2873571a9..fe5f2eb44 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c @@ -78,31 +78,23 @@ void preproc_mount_mnt_dir(void) { // create all seccomp files // as root, create RUN_SECCOMP_I386 file create_empty_file_as_root(RUN_SECCOMP_I386, 0644); - if (chown(RUN_SECCOMP_I386, getuid(), getgid()) == -1) - errExit("chown"); - if (chmod(RUN_SECCOMP_I386, 0644) == -1) - errExit("chmod"); + if (set_perms(RUN_SECCOMP_I386, getuid(), getgid(), 0644)) + errExit("set_perms"); // as root, create RUN_SECCOMP_AMD64 file create_empty_file_as_root(RUN_SECCOMP_AMD64, 0644); - if (chown(RUN_SECCOMP_AMD64, getuid(), getgid()) == -1) - errExit("chown"); - if (chmod(RUN_SECCOMP_AMD64, 0644) == -1) - errExit("chmod"); + if (set_perms(RUN_SECCOMP_AMD64, getuid(), getgid(), 0644)) + errExit("set_perms"); // as root, create RUN_SECCOMP file create_empty_file_as_root(RUN_SECCOMP_CFG, 0644); - if (chown(RUN_SECCOMP_CFG, getuid(), getgid()) == -1) - errExit("chown"); - if (chmod(RUN_SECCOMP_CFG, 0644) == -1) - errExit("chmod"); + if (set_perms(RUN_SECCOMP_CFG, getuid(), getgid(), 0644)) + errExit("set_perms"); // as root, create RUN_SECCOMP_PROTOCOL file create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644); - if (chown(RUN_SECCOMP_PROTOCOL, getuid(), getgid()) == -1) - errExit("chown"); - if (chmod(RUN_SECCOMP_PROTOCOL, 0644) == -1) - errExit("chmod"); + if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644)) + errExit("set_perms"); } } 
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index e1a58c1c8..c76505591 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c @@ -106,10 +106,8 @@ void pulseaudio_init(void) { // create the new user pulseaudio directory int rv = mkdir(RUN_PULSE_DIR, 0700); (void) rv; // in --chroot mode the directory can already be there - if (chown(RUN_PULSE_DIR, getuid(), getgid()) < 0) - errExit("chown"); - if (chmod(RUN_PULSE_DIR, 0700) < 0) - errExit("chmod"); + if (set_perms(RUN_PULSE_DIR, getuid(), getgid(), 0700)) + errExit("set_perms"); // create the new client.conf file char *pulsecfg = NULL; @@ -131,10 +129,8 @@ void pulseaudio_init(void) { if (stat(dir1, &s) == -1) { int rv = mkdir(dir1, 0755); if (rv == 0) { - rv = chown(dir1, getuid(), getgid()); - (void) rv; - rv = chmod(dir1, 0755); - (void) rv; + if (set_perms(dir1, getuid(), getgid(), 0755)) + ; // do nothing } } free(dir1); @@ -143,10 +139,8 @@ void pulseaudio_init(void) { if (stat(dir1, &s) == -1) { int rv = mkdir(dir1, 0700); if (rv == 0) { - rv = chown(dir1, getuid(), getgid()); - (void) rv; - rv = chmod(dir1, 0700); - (void) rv; + if (set_perms(dir1, getuid(), getgid(), 0700)) + ; // do nothing } } free(dir1); diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index 57e84e5cc..393851148 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c @@ -95,10 +95,8 @@ static void sanitize_home(void) { fs_logger2("mkdir", cfg.homedir); // set mode and ownership - if (chown(cfg.homedir, s.st_uid, s.st_gid) == -1) - errExit("chown"); - if (chmod(cfg.homedir, s.st_mode) == -1) - errExit("chmod"); + if (set_perms(cfg.homedir, s.st_uid, s.st_gid, s.st_mode)) + errExit("set_perms"); // mount user home directory if (mount(RUN_WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0) diff --git a/src/firejail/util.c b/src/firejail/util.c index a7712441e..3424d8ab6 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c 
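Review bot: The two best-effort sites in pulseaudio_init() are written as an `if` with an empty body, `if (set_perms(dir1, getuid(), getgid(), 0755)) ; // do nothing`. This is easy to misread and triggers empty-body warnings. If the result is deliberately ignored, write `(void) set_perms(dir1, getuid(), getgid(), 0755);` with a short comment explaining why a failure is acceptable here. The same applies to the 0700 call in the next hunk. Printing a warning when `arg_debug` is set would make a silently mis-owned directory easier to diagnose.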
@@ -100,10 +100,8 @@ int mkpath_as_root(const char* path) { } } else { - if (chmod(file_path, 0755) == -1) - errExit("chmod"); - if (chown(file_path, 0, 0) == -1) - errExit("chown"); + if (set_perms(file_path, 0, 0, 0755)) + errExit("set_perms"); done = 1; } @@ -699,10 +697,8 @@ void create_empty_dir_as_root(const char *dir, mode_t mode) { printf("Creating empty %s directory\n", dir); if (mkdir(dir, mode) == -1) errExit("mkdir"); - if (chmod(dir, mode) == -1) - errExit("chmod"); - if (chown(dir, 0, 0) == -1) - errExit("chown"); + if (set_perms(dir, 0, 0, mode)) + errExit("set_perms"); ASSERT_PERMS(dir, 0, 0, mode); } } @@ -725,3 +721,14 @@ void create_empty_file_as_root(const char *fname, mode_t mode) { } } +// return 1 if error +int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode) { + assert(fname); + if (chmod(fname, mode) == -1) + return 1; + if (chown(fname, uid, gid) == -1) + return 1; + return 0; +} + + diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 2b1121958..9da6d3e30 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c @@ -137,10 +137,8 @@ void fs_x11(void) { int rv = mkdir(RUN_WHITELIST_X11_DIR, 1777); if (rv == -1) errExit("mkdir"); - if (chown(RUN_WHITELIST_X11_DIR, 0, 0) < 0) - errExit("chown"); - if (chmod(RUN_WHITELIST_X11_DIR, 1777) < 0) - errExit("chmod"); + if (set_perms(RUN_WHITELIST_X11_DIR, 0, 0, 1777)) + errExit("set_perms"); if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind"); @@ -706,10 +704,8 @@ void x11_xorg(void) { fprintf(stderr, "Error: cannot create the new .Xauthority file\n"); exit(1); } - if (chown(tmpfname, getuid(), getgid()) == -1) - errExit("chown"); - if (chmod(tmpfname, 0600) == -1) - errExit("chmod"); + if (set_perms(tmpfname, getuid(), getgid(), 0600)) + errExit("set_perms"); // move the temporary file in RUN_XAUTHORITY_SEC_FILE in order to have it deleted // automatically when the sandbox is closed 
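Review bot: The new set_perms() helper in util.c changes mode and owner by path, so chmod() and chown() would follow a symlink swapped in at the final component between creation and the call. The fs_blacklist hunk already carries a `coverity[toctou]` annotation for this pattern, and several converted sites appear to pass paths that are not root-only (hedged: the path definitions are not in this diff). The helper also runs chmod() before chown(), reversing the order most replaced call sites used. On Linux a chown() of a regular file can clear set-id bits, so the owner should be set first and the mode last. A descriptor-based sketch follows; it assumes <fcntl.h> is already included in util.c, and callers that pass special files would need checking before adopting it.

```c
// return 1 if error
int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode) {
	assert(fname);
	// O_NOFOLLOW: fail instead of following a symlink at the final component
	int fd = open(fname, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
	if (fd == -1)
		return 1;
	// owner first, mode last: both calls act on the object that was opened
	int rv = (fchown(fd, uid, gid) == -1 || fchmod(fd, mode) == -1);
	close(fd);
	return rv;
}
```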
@@ -717,10 +713,8 @@ void x11_xorg(void) { fprintf(stderr, "Error: cannot create the new .Xauthority file\n"); exit(1); } - if (chown(RUN_XAUTHORITY_SEC_FILE, getuid(), getgid()) == -1) - errExit("chown"); - if (chmod(RUN_XAUTHORITY_SEC_FILE, 0600) == -1) - errExit("chmod"); + if (set_perms(RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600)) + errExit("set_perms"); unlink(tmpfname); // mount @@ -728,10 +722,8 @@ void x11_xorg(void) { fprintf(stderr, "Error: cannot mount the new .Xauthority file\n"); exit(1); } - if (chown(dest, getuid(), getgid()) == -1) - errExit("chown"); - if (chmod(dest, 0600) == -1) - errExit("chmod"); + if (set_perms(dest, getuid(), getgid(), 0600)) + errExit("set_perms"); free(dest); #endif } -- cgit v1.2.3-70-g09d2 From 63e16bfcd9f79c63f3801f51df4840f74fa6f41b Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Sun, 13 Nov 2016 10:47:20 -0500 Subject: major cleanup and testing --- Makefile.in | 32 ++++++++----- src/firejail/appimage.c | 8 +--- src/firejail/firejail.h | 1 + src/firejail/fs.c | 101 +++++++++++------------------------------ src/firejail/fs_bin.c | 6 +-- src/firejail/fs_dev.c | 32 ++----------- src/firejail/fs_etc.c | 6 +-- src/firejail/fs_var.c | 23 ++-------- src/firejail/join.c | 14 ++---- src/firejail/util.c | 36 +++++++++++++++ test/appimage/appimage-v1.exp | 6 ++- test/appimage/appimage-v2.exp | 4 ++ test/apps-x11/apps-x11.sh | 36 +++++++++++---- test/apps-x11/x11-none.exp | 48 ++++++++++++++++++++ test/apps-x11/x11-xephyr.exp | 59 ++++++++++++++++++++++++ test/apps-x11/xterm-xephyr.exp | 86 +++++++++++++++++++++++++++++++++++ test/apps-x11/xterm-xorg.exp | 86 +++++++++++++++++++++++++++++++++++ test/apps-x11/xterm-xpra.exp | 86 +++++++++++++++++++++++++++++++++++ test/apps-x11/xterm.exp | 86 ----------------------------------- test/fs/read-write.exp | 4 +- test/network/firemon-arp.exp | 12 ++--- test/root/firejail.config | 20 ++++++++ test/root/root.sh | 6 +++ test/root/seccomp-umount.exp | 2 +- test/utils/join.exp | 2 +- test/utils/ls.exp | 42 +++++++++++++++-- test/utils/utils.sh | 4 +- todo | 1 + 28 files changed, 578 insertions(+), 271 deletions(-) create mode 100755 test/apps-x11/x11-none.exp create mode 100755 test/apps-x11/x11-xephyr.exp create mode 100755 test/apps-x11/xterm-xephyr.exp create mode 100755 test/apps-x11/xterm-xorg.exp create mode 100755 test/apps-x11/xterm-xpra.exp delete mode 100755 test/apps-x11/xterm.exp create mode 100644 test/root/firejail.config diff --git a/Makefile.in b/Makefile.in index 83d44fb1c..8649475dd 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -146,7 +146,7 @@ uninstall: rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg DISTFILES = "src etc platform configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES" -DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/appimage test/root test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils" +DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils" dist: mv config.status config.status.old 
@@ -232,26 +232,34 @@ test-arguments: test-fs: cd test/fs; ./fs.sh | grep TESTING -test-appimage: - cd test/appimage; ./appimage.sh | grep TESTING - -test: test-profiles test-fs test-utils test-environment test-appimage test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments +test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments echo "TEST COMPLETE" -# -# individual tests, some of them requiring root access -# +########################################## +# Individual tests, some of them require root access +# The tests are very intrussive, by the time you are done +# with them you will need to restart your computer. +########################################## -# root access, network devices are created before the test +# Huge appimage files, not included in "make dist" archive +test-appimage: + cd test/appimage; ./appimage.sh | grep TESTING + +# Root access, network devices are created before the test +# restart your computer to get rid of these devices test-network: cd test/network; ./network.sh | grep TESTING -# all the tests are run as root +# Tesets running a root user test-root: cd test/root; su -c ./root.sh | grep TESTING -# runs as regular user +# OverlayFS is not available on all platforms test-overlay: cd test/overlay; ./overlay.sh | grep TESTING -# mount -o remount,rw,hidepid=2 /proc +# For testing hidepid system, the command to set it up is "mount -o remount,rw,hidepid=2 /proc" + +test-all: test-root test-network test-appimage test-overlay test + echo "TEST COMPLETE" + \ No newline at end of file diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index 96c054048..a658173eb 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c 
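Review bot: The new comment block in the test section has typos that make the warning harder to read: `intrussive` should be `intrusive`, and `# Tesets running a root user` presumably means `# Tests running as root user`. The file also now ends without a trailing newline after the `test-all` recipe, which some make and diff tooling flags. Since `test-all` chains targets that, per these comments, create network devices and run as root, a one-line comment directly above `test-all` repeating that warning would help anyone who runs it without reading the section header.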
@@ -94,14 +94,8 @@ void appimage_set(const char *appimage_path) { if (asprintf(&mntdir, "%s/.appimage-%u", RUN_FIREJAIL_APPIMAGE_DIR, getpid()) == -1) errExit("asprintf"); EUID_ROOT(); - if (mkdir(mntdir, 0700) == -1) { - fprintf(stderr, "Error: cannot create appimage mount point\n"); - exit(1); - } - if (set_perms(mntdir, getuid(), getgid(), 0700)) - errExit("set_perms"); + mkdir_attr(mntdir, 0700, getuid(), getgid()); EUID_USER(); - ASSERT_PERMS(mntdir, getuid(), getgid(), 0700); // mount char *mode; diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 282271a64..d7ba539e6 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -461,6 +461,7 @@ void flush_stdin(void); void create_empty_dir_as_root(const char *dir, mode_t mode); void create_empty_file_as_root(const char *dir, mode_t mode); int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode); +void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid); // fs_var.c void fs_var_log(void); // mounting /var/log diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 3a2fd8c38..7ff7e3c59 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -247,21 +247,13 @@ void fs_blacklist(void) { // process bind command if (strncmp(entry->data, "bind ", 5) == 0) { + struct stat s; char *dname1 = entry->data + 5; char *dname2 = split_comma(dname1); - if (dname2 == NULL) { - fprintf(stderr, "Error: second directory missing in bind command\n"); - entry = entry->next; - continue; - } - struct stat s; - if (stat(dname1, &s) == -1) { - fprintf(stderr, "Error: cannot find %s for bind command\n", dname1); - entry = entry->next; - continue; - } - if (stat(dname2, &s) == -1) { - fprintf(stderr, "Error: cannot find %s for bind command\n", dname2); + if (dname2 == NULL || + stat(dname1, &s) == -1 || + stat(dname2, &s) == -1) { + fprintf(stderr, "Error: invalid bind command, directory missing\n"); entry = entry->next; continue; } 
@@ -410,10 +402,9 @@ void fs_rdonly(const char *dir) { int rv = stat(dir, &s); if (rv == 0) { // mount --bind /bin /bin - if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount read-only"); // mount --bind -o remount,ro /bin - if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_REC, NULL) < 0) + if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || + mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_REC, NULL) < 0) errExit("mount read-only"); fs_logger2("read-only", dir); } @@ -428,15 +419,15 @@ static void fs_rdwr(const char *dir) { // if the file is outside /home directory, allow only root user uid_t u = getuid(); if (u != 0 && s.st_uid != u) { - fprintf(stderr, "Warning: you are not allowed to change %s to read-write\n", dir); + if (!arg_quiet) + fprintf(stderr, "Warning: you are not allowed to change %s to read-write\n", dir); return; } // mount --bind /bin /bin - if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount read-write"); // mount --bind -o remount,rw /bin - if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0) + if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || + mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0) errExit("mount read-write"); fs_logger2("read-write", dir); } 
@@ -449,37 +440,16 @@ void fs_noexec(const char *dir) { int rv = stat(dir, &s); if (rv == 0) { // mount --bind /bin /bin - if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount noexec"); // mount --bind -o remount,ro /bin - if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_NOEXEC|MS_NODEV|MS_NOSUID|MS_REC, NULL) < 0) - errExit("mount read-only"); + if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || + mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_NOEXEC|MS_NODEV|MS_NOSUID|MS_REC, NULL) < 0) + errExit("mount noexec"); fs_logger2("noexec", dir); } } -void fs_rdonly_noexit(const char *dir) { - assert(dir); - // check directory exists - struct stat s; - int rv = stat(dir, &s); - if (rv == 0) { - int merr = 0; - // mount --bind /bin /bin - if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0) - merr = 1; - // mount --bind -o remount,ro /bin - if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_REC, NULL) < 0) - merr = 1; - if (merr) - fprintf(stderr, "Warning: cannot mount %s read-only\n", dir); - else - fs_logger2("read-only", dir); - } -} - // mount /proc and /sys directories void fs_proc_sys_dev_boot(void) { if (arg_debug) @@ -489,10 +459,8 @@ void fs_proc_sys_dev_boot(void) { fs_logger("remount /proc"); // remount /proc/sys readonly - if (mount("/proc/sys", "/proc/sys", NULL, MS_BIND | MS_REC, NULL) < 0) - errExit("mounting /proc/sys"); - - if (mount(NULL, "/proc/sys", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_REC, NULL) < 0) + if (mount("/proc/sys", "/proc/sys", NULL, MS_BIND | MS_REC, NULL) < 0 || + mount(NULL, "/proc/sys", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_REC, NULL) < 0) errExit("mounting /proc/sys"); fs_logger("read-only /proc/sys"); 
@@ -646,12 +614,7 @@ char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) { if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1) errExit("asprintf"); if (stat(dirname, &s) == -1) { - /* coverity[toctou] */ - if (mkdir(dirname, 0700)) - errExit("mkdir"); - if (chmod(dirname, 0700) == -1) - errExit("chmod"); - ASSERT_PERMS(dirname, getuid(), getgid(), 0700); + mkdir_attr(dirname, 0700, 0, 0); } else if (is_link(dirname)) { fprintf(stderr, "Error: invalid ~/.firejail directory\n"); @@ -733,11 +696,7 @@ void fs_overlayfs(void) { char *oroot; if(asprintf(&oroot, "%s/oroot", RUN_MNT_DIR) == -1) errExit("asprintf"); - if (mkdir(oroot, 0755)) - errExit("mkdir"); - if (chmod(oroot, 0755) == -1) - errExit("chmod"); - ASSERT_PERMS(oroot, 0, 0, 0755); + mkdir_attr(oroot, 0755, 0, 0); struct stat s; char *basedir = RUN_MNT_DIR; @@ -766,11 +725,9 @@ void fs_overlayfs(void) { // no need to check arg_overlay_reuse if (stat(odiff, &s) != 0) { - if (mkdir(odiff, 0755)) - errExit("mkdir"); + mkdir_attr(odiff, 0755, 0, 0); } - - if (set_perms(odiff, 0, 0, 0755)) + else if (set_perms(odiff, 0, 0, 0755)) errExit("set_perms"); char *owork; @@ -779,11 +736,9 @@ void fs_overlayfs(void) { // no need to check arg_overlay_reuse if (stat(owork, &s) != 0) { - if (mkdir(owork, 0755)) - errExit("mkdir"); + mkdir_attr(owork, 0755, 0, 0); } - - if (set_perms(owork, 0, 0, 0755)) + else if (set_perms(owork, 0, 0, 0755)) errExit("chown"); // mount overlayfs @@ -839,11 +794,9 @@ void fs_overlayfs(void) { // no need to check arg_overlay_reuse if (stat(hdiff, &s) != 0) { - if (mkdir(hdiff, S_IRWXU | S_IRWXG | S_IRWXO)) - errExit("mkdir"); + mkdir_attr(hdiff, S_IRWXU | S_IRWXG | S_IRWXO, 0, 0); } - - if (set_perms(hdiff, 0, 0, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH)) + else if (set_perms(hdiff, 0, 0, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH)) errExit("set_perms"); if(asprintf(&hwork, "%s/hwork", basedir) == -1) 
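Review bot: In fs_check_overlay_dir() the replacement `mkdir_attr(dirname, 0700, 0, 0)` changes who owns `~/.firejail`. The removed code asserted `ASSERT_PERMS(dirname, getuid(), getgid(), 0700)`, whereas mkdir_attr() chowns the directory to the uid/gid it is given and asserts those, here root. If the directory is meant to stay owned by the invoking user, as the old assertion expected, the call should be `mkdir_attr(dirname, 0700, getuid(), getgid());`. The function body continues outside the hunk, so the effective uid at this point cannot be confirmed from here.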
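Review bot: A freshly created `hdiff` in fs_overlayfs() now ends up world-writable, and the same applies to `hwork` in the following hunk. Previously `mkdir(hdiff, S_IRWXU | S_IRWXG | S_IRWXO)` was filtered by the umask and always followed by set_perms() to 0755. Now `mkdir_attr(hdiff, S_IRWXU | S_IRWXG | S_IRWXO, 0, 0)` explicitly chmods to 0777, and the tightening set_perms() call has moved into the `else` branch, so it only runs for a pre-existing directory. Pass the intended final mode to the create call instead: `mkdir_attr(hdiff, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH, 0, 0);`, and likewise for `hwork`. These are the upper and work directories of the /home overlay, so the looser mode matters.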
@@ -851,11 +804,9 @@ void fs_overlayfs(void) { // no need to check arg_overlay_reuse if (stat(hwork, &s) != 0) { - if (mkdir(hwork, S_IRWXU | S_IRWXG | S_IRWXO)) - errExit("mkdir"); + mkdir_attr(hwork, S_IRWXU | S_IRWXG | S_IRWXO, 0, 0); } - - if (set_perms(hwork, 0, 0, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH)) + else if (set_perms(hwork, 0, 0, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH)) errExit("set_perms"); // no homedir in overlay so now mount another overlay for /home diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index c906e32c0..6cc1bf3ab 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c @@ -212,11 +212,7 @@ void fs_private_bin_list(void) { assert(private_list); // create /run/firejail/mnt/bin directory - if (mkdir(RUN_BIN_DIR, 0755) == -1) - errExit("mkdir"); - if (chmod(RUN_BIN_DIR, 0755) == -1) - errExit("chmod"); - ASSERT_PERMS(RUN_BIN_DIR, 0, 0, 0755); + mkdir_attr(RUN_BIN_DIR, 0755, 0, 0); // copy the list of files in the new etc directory // using a new child process without root privileges diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index ef5d67b55..d710e98f2 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c @@ -65,11 +65,7 @@ static void deventry_mount(void) { if (arg_debug) printf("mounting %s %s\n", dev[i].run_fname, (dir)? "directory": "file"); if (dir) { - if (mkdir(dev[i].dev_fname, 0755) == -1) - errExit("mkdir"); - if (chmod(dev[i].dev_fname, 0755) == -1) - errExit("chmod"); - ASSERT_PERMS(dev[i].dev_fname, 0, 0, 0755); + mkdir_attr(dev[i].dev_fname, 0755, 0, 0); } else { struct stat s; @@ -130,11 +126,7 @@ void fs_private_dev(void){ // create DRI_DIR // keep a copy of dev directory - if (mkdir(RUN_DEV_DIR, 0755) == -1) - errExit("mkdir"); - if (chmod(RUN_DEV_DIR, 0755) == -1) - errExit("chmod"); - ASSERT_PERMS(RUN_DEV_DIR, 0, 0, 0755); + mkdir_attr(RUN_DEV_DIR, 0755, 0, 0); if (mount("/dev", RUN_DEV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mounting /dev/dri"); 
@@ -179,12 +171,7 @@ void fs_private_dev(void){ // create /dev/shm if (arg_debug) printf("Create /dev/shm directory\n"); - if (mkdir("/dev/shm", 01777) == -1) - errExit("mkdir"); - // mkdir sets only the file permission bits - if (chmod("/dev/shm", 01777) < 0) - errExit("chmod"); - ASSERT_PERMS("/dev/shm", 0, 0, 01777); + mkdir_attr("/dev/shm", 01777, 0, 0); fs_logger("mkdir /dev/shm"); // create devices @@ -206,11 +193,7 @@ void fs_private_dev(void){ #endif // pseudo-terminal - if (mkdir("/dev/pts", 0755) == -1) - errExit("mkdir"); - if (chmod("/dev/pts", 0755) == -1) - errExit("chmod"); - ASSERT_PERMS("/dev/pts", 0, 0, 0755); + mkdir_attr("/dev/pts", 0755, 0, 0); fs_logger("mkdir /dev/pts"); create_char_dev("/dev/pts/ptmx", 0666, 5, 2); //"mknod -m 666 /dev/pts/ptmx c 5 2"); fs_logger("mknod /dev/pts/ptmx"); @@ -260,12 +243,7 @@ void fs_dev_shm(void) { if (lnk) { if (!is_dir(lnk)) { // create directory - if (mkdir(lnk, 01777)) - errExit("mkdir"); - // mkdir sets only the file permission bits - if (chmod(lnk, 01777)) - errExit("chmod"); - ASSERT_PERMS(lnk, 0, 0, 01777); + mkdir_attr(lnk, 01777, 0, 0); } if (arg_debug) printf("Mounting tmpfs on %s on behalf of /dev/shm\n", lnk); diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index ebcde29a3..7e18840fd 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c @@ -132,11 +132,7 @@ void fs_private_etc_list(void) { } // create /run/firejail/mnt/etc directory - if (mkdir(RUN_ETC_DIR, 0755) == -1) - errExit("mkdir"); - if (chmod(RUN_ETC_DIR, 0755) == -1) - errExit("chmod"); - ASSERT_PERMS(RUN_ETC_DIR, 0, 0, 0755); + mkdir_attr(RUN_ETC_DIR, 0755, 0, 0); fs_logger("tmpfs /etc"); fs_logger_print(); // save the current log diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index 4ff00f3ba..ca50685ad 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c 
@@ -98,10 +98,7 @@ static void build_dirs(void) { // create directories under /var/log DirData *ptr = dirlist; while (ptr) { - if (mkdir(ptr->name, ptr->st_mode)) - errExit("mkdir"); - if (chown(ptr->name, ptr->st_uid, ptr->st_gid)) - errExit("chown"); + mkdir_attr(ptr->name, ptr->st_mode, ptr->st_uid, ptr->st_gid); fs_logger2("mkdir", ptr->name); ptr = ptr->next; } @@ -223,18 +220,10 @@ void fs_var_cache(void) { gid = p->pw_gid; } - int rv = mkdir("/var/cache/lighttpd/compress", 0755); - if (rv == -1) - errExit("mkdir"); - if (chown("/var/cache/lighttpd/compress", uid, gid) < 0) - errExit("chown"); + mkdir_attr("/var/cache/lighttpd/compress", 0755, uid, gid); fs_logger("mkdir /var/cache/lighttpd/compress"); - rv = mkdir("/var/cache/lighttpd/uploads", 0755); - if (rv == -1) - errExit("mkdir"); - if (chown("/var/cache/lighttpd/uploads", uid, gid) < 0) - errExit("chown"); + mkdir_attr("/var/cache/lighttpd/uploads", 0755, uid, gid); fs_logger("/var/cache/lighttpd/uploads"); } } @@ -268,11 +257,7 @@ void fs_var_lock(void) { if (lnk) { if (!is_dir(lnk)) { // create directory - if (mkdir(lnk, S_IRWXU|S_IRWXG|S_IRWXO)) - errExit("mkdir"); - if (chmod(lnk, S_IRWXU|S_IRWXG|S_IRWXO)) - errExit("chmod"); - ASSERT_PERMS(lnk, 0, 0, S_IRWXU|S_IRWXG|S_IRWXO); + mkdir_attr(lnk, S_IRWXU|S_IRWXG|S_IRWXO, 0, 0); } if (arg_debug) printf("Mounting tmpfs on %s on behalf of /var/lock\n", lnk); diff --git a/src/firejail/join.c b/src/firejail/join.c index 899166447..628002d35 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c 
@@ -229,15 +229,11 @@ void join(pid_t pid, int argc, char **argv, int index) { exit(1); } else { - if (join_namespace(pid, "ipc")) - exit(1); - if (join_namespace(pid, "net")) - exit(1); - if (join_namespace(pid, "pid")) - exit(1); - if (join_namespace(pid, "uts")) - exit(1); - if (join_namespace(pid, "mnt")) + if (join_namespace(pid, "ipc") || + join_namespace(pid, "net") || + join_namespace(pid, "pid") || + join_namespace(pid, "uts") || + join_namespace(pid, "mnt")) exit(1); } diff --git a/src/firejail/util.c b/src/firejail/util.c index 3424d8ab6..d928c6b42 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c @@ -731,4 +731,40 @@ int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode) { return 0; } +void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) { + assert(fname); + mode &= 07777; +#if 0 + printf("fname %s, uid %d, gid %d, mode %x - ", fname, uid, gid, (unsigned) mode); + if (S_ISLNK(mode)) + printf("l"); + else if (S_ISDIR(mode)) + printf("d"); + else if (S_ISCHR(mode)) + printf("c"); + else if (S_ISBLK(mode)) + printf("b"); + else if (S_ISSOCK(mode)) + printf("s"); + else + printf("-"); + printf( (mode & S_IRUSR) ? "r" : "-"); + printf( (mode & S_IWUSR) ? "w" : "-"); + printf( (mode & S_IXUSR) ? "x" : "-"); + printf( (mode & S_IRGRP) ? "r" : "-"); + printf( (mode & S_IWGRP) ? "w" : "-"); + printf( (mode & S_IXGRP) ? "x" : "-"); + printf( (mode & S_IROTH) ? "r" : "-"); + printf( (mode & S_IWOTH) ? "w" : "-"); + printf( (mode & S_IXOTH) ? "x" : "-"); + printf("\n"); +#endif + if (mkdir(fname, mode) == -1 || + chmod(fname, mode) == -1 || + chown(fname, uid, gid)) { + fprintf(stderr, "Error: failed to create %s directory\n", fname); + errExit("mkdir/chmod"); + } + ASSERT_PERMS(fname, uid, gid, mode); +} diff --git a/test/appimage/appimage-v1.exp b/test/appimage/appimage-v1.exp index 88687ae2a..503da2b9b 100755 --- a/test/appimage/appimage-v1.exp +++ b/test/appimage/appimage-v1.exp 
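Review bot: The failure path of the new mkdir_attr() in util.c calls `fprintf(stderr, ...)` before `errExit("mkdir/chmod")`. If errExit() reports errno (its definition is not in this diff), the fprintf may have overwritten it by then, and the label omits chown() even though it is the third call in the condition. Something like `errExit("mkdir/chmod/chown");` with errno saved and restored across the fprintf would fix both. The third operand `chown(fname, uid, gid)` also lacks the `== -1` used by the other two. In the `#if 0` block, the `S_ISLNK(mode)`/`S_ISDIR(mode)` tests come after `mode &= 07777`, so the type bits are already stripped and the block would always print `-`.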
@@ -7,7 +7,7 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail --appimage Leafpad-0.8.17-x86_64.AppImage\r" +send -- "firejail --name=appimage-test --appimage Leafpad-0.8.17-x86_64.AppImage\r" expect { timeout {puts "TESTING ERROR 1\n";exit} "Child process initialized" @@ -77,5 +77,9 @@ expect { } after 100 +spawn $env(SHELL) +send -- "firejail --shutdown=appimage-test\r" +sleep 3 + puts "\nall done\n" diff --git a/test/appimage/appimage-v2.exp b/test/appimage/appimage-v2.exp index 7b3bf4cbd..5cb9d0849 100755 --- a/test/appimage/appimage-v2.exp +++ b/test/appimage/appimage-v2.exp @@ -77,5 +77,9 @@ expect { } after 100 +spawn $env(SHELL) +send -- "firejail --shutdown=appimage-test\r" +sleep 3 + puts "\nall done\n" diff --git a/test/apps-x11/apps-x11.sh b/test/apps-x11/apps-x11.sh index 1b3494290..4a8671dbd 100755 --- a/test/apps-x11/apps-x11.sh +++ b/test/apps-x11/apps-x11.sh @@ -6,6 +6,33 @@ export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) +echo "TESTING: no x11 (test/apps-x11/x11-none.exp)" +./x11-none.exp + + +which xterm +if [ "$?" -eq 0 ]; +then + echo "TESTING: xterm x11 xorg" + ./xterm-xorg.exp + + which xpra + if [ "$?" -eq 0 ]; + then + echo "TESTING: xterm x11 xpra" + ./xterm-xpra.exp + fi + + which Xephyr + if [ "$?" -eq 0 ]; + then + echo "TESTING: xterm x11 xephyr" + ./xterm-xephyr.exp + fi +else + echo "TESTING SKIP: xterm not found" +fi + # check xpra/xephyr which xpra if [ "$?" -eq 0 ]; @@ -23,15 +50,6 @@ else fi fi -which xterm -if [ "$?" -eq 0 ]; -then - echo "TESTING: xterm x11" - ./xterm.exp -else - echo "TESTING SKIP: xterm not found" -fi - which firefox if [ "$?" -eq 0 ]; then diff --git a/test/apps-x11/x11-none.exp b/test/apps-x11/x11-none.exp new file mode 100755 index 000000000..e9908839b --- /dev/null +++ b/test/apps-x11/x11-none.exp 
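Review bot: The cleanup added to appimage-v2.exp sends `firejail --shutdown=appimage-test`, but this diff does not add `--name=appimage-test` to that script's launch line as it does for appimage-v1.exp. Unless the v2 launch command, which is outside the hunk, already names the sandbox, the shutdown matches nothing and the AppImage sandbox keeps running after the test. Name the sandbox on the v2 `send -- "firejail ... --appimage ..."` line, and follow the shutdown with an `expect` or a `firejail --list` check rather than only `sleep 3`.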
@@ -0,0 +1,48 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --name=test --x11=none\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "use network namespace in firejail" +} +sleep 1 + +send -- "firejail --name=test --net=none --x11=none\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "ls -al /tmp/.X11-unix\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "cannot open directory" +} +after 100 + +send -- "xterm\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "DISPLAY is not set" +} +after 100 + +send -- "export DISPLAY=:0.0\r" +after 100 +send -- "xterm\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Xt error" +} +after 100 + +puts "\nall done\n" + diff --git a/test/apps-x11/x11-xephyr.exp b/test/apps-x11/x11-xephyr.exp new file mode 100755 index 000000000..41a413890 --- /dev/null +++ b/test/apps-x11/x11-xephyr.exp 
@@ -0,0 +1,59 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --name=test --x11=xephyr xterm\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} + +exit + + +sleep 5 + + +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "use network namespace in firejail" +} +sleep 1 + +send -- "firejail --name=test --net=none --x11=none\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "ls -al /tmp/.X11-unix\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "cannot open directory" +} +after 100 + +send -- "xterm\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "DISPLAY is not set" +} +after 100 + +send -- "export DISPLAY=:0.0\r" +after 100 +send -- "xterm\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Xt error" +} +after 100 + +puts "\nall done\n" + diff --git a/test/apps-x11/xterm-xephyr.exp b/test/apps-x11/xterm-xephyr.exp new file mode 100755 index 000000000..5b4299478 --- /dev/null +++ b/test/apps-x11/xterm-xephyr.exp 
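Review bot: The new x11-xephyr.exp calls a bare `exit` right after the first `expect`, so everything below it never runs and the script never prints `all done`. The unreachable part is a copy of the `--x11=none` checks from x11-none.exp, which do not describe Xephyr behaviour anyway. The sandbox started with `--name=test` is also never shut down, and it shares that name with the other scripts in this directory. Remove the dead block and finish with `send -- "firejail --shutdown=test\r"` from a second spawned shell, as the xterm-xephyr.exp test does, or add a comment marking the script as an intentional stub.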
@@ -0,0 +1,86 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --x11=xephyr xterm\r"
+sleep 10
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.1\n";exit}
+ "xterm"
+}
+sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+ timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+ "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+ "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.0\n";exit}
+ "xterm"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+ "Seccomp: 2"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1\n";exit}
+ "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.0\n";exit}
+ "xterm"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.1\n";exit}
+ "CapBnd"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.2\n";exit}
+ "0000000000000000"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.3\n";exit}
+ "name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+
+puts "\nall done\n"
+
diff --git a/test/apps-x11/xterm-xorg.exp b/test/apps-x11/xterm-xorg.exp
new file mode 100755
index 000000000..fbc88f196
--- /dev/null
+++ b/test/apps-x11/xterm-xorg.exp
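Review bot: Every early `exit` in this script (the timeouts, the `"grsecurity: directory"` branch and the `"need to be root"` branch) leaves without sending `firejail --shutdown=test`, although the sandbox was started from a different spawn than the one that exits. xterm-xorg.exp and xterm-xpra.exp reuse the same `--name=test` and look for `xterm` in `firejail --list`, so a sandbox that survives an aborted run could, if it is still alive, satisfy checks 3 and 3.1 of the next script. I would shut the sandbox down on those paths, e.g. `"grsecurity: directory" {puts "grsecurity present, exiting...\n"; send -- "firejail --shutdown=test\r"; sleep 3; exit}`. Separately, `TESTING ERROR 5.1` is printed by two different `expect` blocks, so a failure there does not identify the check; both points apply to the xorg and xpra copies as well.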
@@ -0,0 +1,86 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --x11=xorg xterm\r"
+sleep 10
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.1\n";exit}
+ "xterm"
+}
+sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+ timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+ "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+ "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.0\n";exit}
+ "xterm"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+ "Seccomp: 2"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1\n";exit}
+ "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.0\n";exit}
+ "xterm"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.1\n";exit}
+ "CapBnd"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.2\n";exit}
+ "0000000000000000"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.3\n";exit}
+ "name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+
+puts "\nall done\n"
+
diff --git a/test/apps-x11/xterm-xpra.exp b/test/apps-x11/xterm-xpra.exp
new file mode 100755
index 000000000..379de131a
--- /dev/null
+++ b/test/apps-x11/xterm-xpra.exp
@@ -0,0 +1,86 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --x11=xpra xterm\r"
+sleep 10
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.1\n";exit}
+ "xterm"
+}
+sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+ timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+ "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+ "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.0\n";exit}
+ "xterm"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+ "Seccomp: 2"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1\n";exit}
+ "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.0\n";exit}
+ "xterm"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.1\n";exit}
+ "CapBnd"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.2\n";exit}
+ "0000000000000000"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.3\n";exit}
+ "name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+
+puts "\nall done\n"
+
diff --git a/test/apps-x11/xterm.exp b/test/apps-x11/xterm.exp
deleted file mode 100755
index 4fa5ddf0c..000000000
--- a/test/apps-x11/xterm.exp
+++ /dev/null
@@ -1,86 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2016 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --name=test --x11 xterm\r"
-sleep 10
-
-spawn $env(SHELL)
-send -- "firejail --list\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- ":firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 3.1\n";exit}
- "xterm"
-}
-sleep 1
-
-# grsecurity exit
-send -- "file /proc/sys/kernel/grsecurity\r"
-expect {
- timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
- "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
- "cannot open" {puts "grsecurity not present\n"}
-}
-
-send -- "firejail --name=blablabla\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "firemon --seccomp\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
- ":firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 5.0\n";exit}
- "xterm"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
- "Seccomp: 2"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1\n";exit}
- "name=blablabla"
-}
-sleep 1
-send -- "firemon --caps\r"
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- ":firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 6.0\n";exit}
- "xterm"
-}
-expect {
- timeout {puts "TESTING ERROR 6.1\n";exit}
- "CapBnd"
-}
-expect {
- timeout {puts "TESTING ERROR 6.2\n";exit}
- "0000000000000000"
-}
-expect {
- timeout {puts "TESTING ERROR 6.3\n";exit}
- "name=blablabla"
-}
-sleep 1
-send -- "firejail --shutdown=test\r"
-sleep 3
-
-puts "\nall done\n"
-
diff --git a/test/fs/read-write.exp b/test/fs/read-write.exp
index cfca15605..57986488e 100755
--- a/test/fs/read-write.exp
+++ b/test/fs/read-write.exp
@@ -20,12 +20,14 @@ expect { timeout {puts "TESTING ERROR 1\n";exit} "done" } +after 100 send -- "echo mytest >~/_firejail_test_dir/test1/b;echo done\r" expect { timeout {puts "TESTING ERROR 2\n";exit} "done" } +after 100 send -- "cat ~/_firejail_test_dir/a;echo done\r" expect { @@ -33,7 +35,7 @@ expect { "mytest" {puts "TESTING ERROR 4\n";exit} "done" } - +after 100 send -- "cat ~/_firejail_test_dir/test1/b;echo done\r" expect { diff --git a/test/network/firemon-arp.exp b/test/network/firemon-arp.exp index e40ffb609..71fa1660f 100755 --- a/test/network/firemon-arp.exp +++ b/test/network/firemon-arp.exp @@ -4,12 +4,12 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "ping -c 3 192.168.1.1\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "3 packets transmitted" -} -sleep 1 +#send -- "ping -c 3 192.168.1.1\r" +#expect { +# timeout {puts "TESTING ERROR 0\n";exit} +# "3 packets transmitted" +#} +#sleep 1 send -- "firejail --name=test1\r" expect { diff --git a/test/root/firejail.config b/test/root/firejail.config new file mode 100644 index 000000000..71ff2f4e9 --- /dev/null +++ b/test/root/firejail.config @@ -0,0 +1,20 @@ +bind yes +chroot yes +chroot-desktop yes +file-transfer yes +force-nonewprivs no +network yes +overlayfs yes +private-bin-no-local no +private-home yes +quiet-by-default no +remount-proc-sys yes +restricted-network no +# netfilter-default /etc/iptables.iptables.rules +seccomp yes +userns yes +whitelist yes +x11 yes +xephyr-screen 800x600 +xephyr-window-title yes +xephyr-extra-params -grayscale diff --git a/test/root/root.sh b/test/root/root.sh index 8c7437e49..471b7d535 100755 --- a/test/root/root.sh +++ b/test/root/root.sh @@ -1,5 +1,8 @@ #!/bin/bash +# set a new firejail config file +cp firejail.config /etc/firejail/firejail.config + #******************************** # servers #******************************** 
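Review bot: The `cp firejail.config /etc/firejail/firejail.config` added at the top of root.sh overwrites the system-wide configuration without saving it, and the matching hunk at the end of the script restores `../../etc/firejail.config` from the source tree rather than whatever was installed before. A locally customised configuration is therefore lost after one run, and if the script is interrupted the test configuration added in this commit (every feature enabled, `force-nonewprivs no`, `restricted-network no`) stays active for all users of the machine. I would save the original and restore it from a trap: `cp -a /etc/firejail/firejail.config /etc/firejail/firejail.config.orig` followed by `trap 'mv /etc/firejail/firejail.config.orig /etc/firejail/firejail.config' EXIT`. The body of root.sh between the two hunks is not visible here.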
@@ -91,3 +94,6 @@ else echo "TESTING SKIP: firecfg, firefox not found" fi +# restore the default config file +cp ../../etc/firejail.config /etc/firejail/firejail.config + diff --git a/test/root/seccomp-umount.exp b/test/root/seccomp-umount.exp index 04a9b7a3d..c441c5fc4 100755 --- a/test/root/seccomp-umount.exp +++ b/test/root/seccomp-umount.exp @@ -7,7 +7,7 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail --net=br0 --ip=10.10.20.5 --seccomp --noprofile\r" +send -- "firejail --seccomp --noprofile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "Child process initialized" diff --git a/test/utils/join.exp b/test/utils/join.exp index 7f582e2e5..fc30bc6a4 100755 --- a/test/utils/join.exp +++ b/test/utils/join.exp @@ -8,7 +8,7 @@ cd /home spawn $env(SHELL) match_max 100000 -send -- "firejail --name=jointesting\r" +send -- "firejail --name=jointesting --cpu=0 --nice=2\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "Child process initialized" diff --git a/test/utils/ls.exp b/test/utils/ls.exp index cd2c2984c..ff6867c51 100755 --- a/test/utils/ls.exp +++ b/test/utils/ls.exp @@ -3,6 +3,8 @@ set timeout 10 spawn $env(SHELL) match_max 100000 +set firstspawn $spawn_id + send -- "rm -f lstesting\r" sleep 1 @@ -11,11 +13,11 @@ expect { timeout {puts "TESTING ERROR 0\n";exit} "Child process initialized" } -sleep 2 +sleep 1 send -- "echo my_testing > ~/lstesting\r" -sleep 2 - +after 100 +# ls spawn $env(SHELL) send -- "firejail --ls=test ~/.\r" expect { 
@@ -23,14 +25,44 @@ expect { "lstesting" } sleep 1 + +# get send -- "firejail --get=test ~/lstesting\r" -sleep 2 +sleep 1 send -- "cat lstesting\r" expect { - timeout {puts "TESTING ERROR 3\n";exit} + timeout {puts "TESTING ERROR 2n";exit} "my_testing" } +after 100 + +# put +send -- "echo put_test > ~/lstesting\r" +after 100 +send -- "firejail --put=test ~/lstesting ~/lstesting_2\r" sleep 1 + +set spawn_id $firstspawn +send -- "ls -al ~\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "lstesting_2" +} + +after 100 +send -- "cat ~/lstesting_2\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "put_test" +} +after 100 +send -- "exit\r" +sleep 1 + + + + + send -- "rm -f lstesting\r" after 100 diff --git a/test/utils/utils.sh b/test/utils/utils.sh index 7b0ab1096..bd91110f7 100755 --- a/test/utils/utils.sh +++ b/test/utils/utils.sh @@ -88,10 +88,10 @@ echo "TESTING: top (test/utils/top.exp)" echo "TESTING: file transfer (test/utils/ls.exp)" ./ls.exp -echo "TESTING: firemon --seccomp (test/utils/firemon-seccomp.exp)" +echo "TESTING: firemon seccomp (test/utils/firemon-seccomp.exp)" ./firemon-seccomp.exp -echo "TESTING: firemon --caps (test/utils/firemon-caps.exp)" +echo "TESTING: firemon caps (test/utils/firemon-caps.exp)" ./firemon-caps.exp echo "TESTING: firemon cpu (test/utils/firemon-cpu.exp)" diff --git a/todo b/todo index 253704fcf..6bc73313f 100644 --- a/todo +++ b/todo @@ -286,4 +286,5 @@ removable media, partitions, software RAID volumes, logical volumes, and files. 29. grsecurity - move test after "firejail --name=blablabla" in /test/apps* +30. /* coverity[toctou] */ -- cgit v1.2.3-70-g09d2 From 2f8688a17eb9f20d15b1ac53cb58c2759987ed71 Mon Sep 17 00:00:00 2001 
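Review bot: In the `# get` block of ls.exp the timeout message became `"TESTING ERROR 2n"`, which has lost its backslash; it should read `timeout {puts "TESTING ERROR 2\n";exit}`. The new `# put` test also creates `~/lstesting_2`, but the clean-up at the end still removes only `lstesting`. As far as the hunk shows, a file left over from an earlier run would then satisfy checks 3 and 4 even if `--put` copied nothing. Sending `rm -f ~/lstesting_2` before the put step and again in the clean-up would make those two checks meaningful.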
From: netblue30 Date: Sun, 13 Nov 2016 20:35:12 -0500 Subject: testing --- Makefile.in | 16 +++++----------- gcov-test-init.sh | 11 ----------- src/firejail/fs_home.c | 3 +++ src/firejail/preproc.c | 12 ++---------- src/firejail/pulseaudio.c | 4 ++-- test/apps-x11/xterm-xpra.exp | 12 ++++++++++++ test/environment/environment.sh | 6 ------ test/environment/rlimit-profile.exp | 33 --------------------------------- test/environment/rlimit.exp | 37 ------------------------------------- test/environment/rlimit.profile | 4 ---- test/rlimit/rlimit-profile.exp | 33 +++++++++++++++++++++++++++++++++ test/rlimit/rlimit.exp | 37 +++++++++++++++++++++++++++++++++++++ test/rlimit/rlimit.profile | 4 ++++ test/root/apache2.exp | 4 ---- test/root/isc-dhcp.exp | 9 --------- test/root/nginx.exp | 4 ---- test/root/root.sh | 6 ++++++ test/root/snmpd.exp | 10 ---------- test/root/unbound.exp | 9 --------- 19 files changed, 104 insertions(+), 150 deletions(-) delete mode 100755 gcov-test-init.sh delete mode 100755 test/environment/rlimit-profile.exp delete mode 100755 test/environment/rlimit.exp delete mode 100644 test/environment/rlimit.profile create mode 100755 test/rlimit/rlimit-profile.exp create mode 100755 test/rlimit/rlimit.exp create mode 100644 test/rlimit/rlimit.profile diff --git a/Makefile.in b/Makefile.in index 8649475dd..86fd4f4b7 100644 --- a/Makefile.in +++ b/Makefile.in @@ -39,7 +39,6 @@ clean: for dir in $(APPS) $(MYLIBS); do \ $(MAKE) -C $$dir clean; \ done - rm -fr gcov-file gcov-dir gcov-test-initialized rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm rm -f test/utils/index.html* rm -f test/utils/wget-log 
@@ -146,7 +145,7 @@ uninstall: rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg DISTFILES = "src etc platform configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES" -DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils" +DISTFILES_TEST = "test/rlimit test/apps test/apps-x11 test/apps-x11-xorg test/root test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils" dist: mv config.status config.status.old @@ -188,14 +187,6 @@ cppcheck: clean scan-build: clean scan-build make -gcov-test-initialized: - ./gcov-test-init.sh - -gcov: gcov-test-initialized - lcov --capture -d src/firejail -d src/firemon -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg --output-file gcov-file - rm -fr gcov-dir - genhtml gcov-file --output-directory gcov-dir - # # make test @@ -232,7 +223,10 @@ test-arguments: test-fs: cd test/fs; ./fs.sh | grep TESTING -test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments +test-rlimit: + cd test/rlimit; ./rlimit.sh | grep TESTING + +test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments test-rlimit echo "TEST COMPLETE" ########################################## diff --git a/gcov-test-init.sh b/gcov-test-init.sh deleted file mode 100755 index e98d9fa79..000000000 --- a/gcov-test-init.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/bash - -USER=`whoami` -firejail --help -firemon --help -/usr/lib/firejail/fnet --help -/usr/lib/firejail/fseccomp --help -/usr/lib/firejail/ftee --help -firecfg --help -sudo chown $USER:$USER `find .` -touch gcov-test-initialized 
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 91fbe592a..242482d26 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c @@ -626,6 +626,9 @@ void fs_private_home_list(void) { fs_logger_print(); // save the current log free(dlist); +#ifdef HAVE_GCOV + __gcov_flush(); +#endif _exit(0); } // wait for the child to finish diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index fe5f2eb44..ea4e6743f 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c @@ -104,16 +104,8 @@ void preproc_build_cp_command(void) { preproc_mount_mnt_dir(); if (stat(RUN_CP_COMMAND, &s)) { char* fname = realpath("/bin/cp", NULL); - if (fname == NULL) { - fprintf(stderr, "Error: /bin/cp not found\n"); - exit(1); - } - if (stat(fname, &s)) { - fprintf(stderr, "Error: /bin/cp not found\n"); - exit(1); - } - if (is_link(fname)) { - fprintf(stderr, "Error: invalid /bin/cp file\n"); + if (fname == NULL || stat(fname, &s) || is_link(fname)) { + fprintf(stderr, "Error: invalid /bin/cp\n"); exit(1); } int rv = copy_file(fname, RUN_CP_COMMAND, 0, 0, 0755); diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index c76505591..6ec590eaa 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c @@ -130,7 +130,7 @@ void pulseaudio_init(void) { int rv = mkdir(dir1, 0755); if (rv == 0) { if (set_perms(dir1, getuid(), getgid(), 0755)) - ; // do nothing + {;} // do nothing } } free(dir1); @@ -140,7 +140,7 @@ void pulseaudio_init(void) { int rv = mkdir(dir1, 0700); if (rv == 0) { if (set_perms(dir1, getuid(), getgid(), 0700)) - ; // do nothing + {;} // do nothing } } free(dir1); diff --git a/test/apps-x11/xterm-xpra.exp b/test/apps-x11/xterm-xpra.exp index 379de131a..1fb5df486 100755 --- a/test/apps-x11/xterm-xpra.exp +++ b/test/apps-x11/xterm-xpra.exp 
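Review bot: The merged condition in preproc_build_cp_command() calls `stat(fname, &s)` but the hunk never inspects `s`, so anything that exists at the resolved path and is not a symlink is copied to RUN_CP_COMMAND with mode 0755. Since that copy is presumably what the sandbox set-up runs later, I would also require a regular file: `if (fname == NULL || stat(fname, &s) || !S_ISREG(s.st_mode) || is_link(fname)) {`. The single message `Error: invalid /bin/cp` no longer tells a missing binary from a rejected one, which deserves a short comment above the test. The function continues past the end of the hunk, so whether `fname` is freed cannot be checked here.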
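Review bot: Both hunks in pulseaudio_init() only turn `;` into `{;}` and still discard the result of `set_perms(dir1, getuid(), getgid(), ...)` on a directory that was just created. If the ownership change fails, the directory keeps whatever owner `mkdir` gave it and nothing is reported. If best effort is intended, the comment should say why, and a warning would cost one line in place of `{;}`: `fprintf(stderr, "Warning: cannot set permissions on %s\n", dir1);`.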
@@ -79,6 +79,18 @@ expect { "name=blablabla" } sleep 1 + +send -- "firemon --x11\r" +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "name=test xterm" +} +expect { + timeout {puts "TESTING ERROR 7.1\n";exit} + "DISPLAY" +} +sleep 1 + send -- "firejail --shutdown=test\r" sleep 3 diff --git a/test/environment/environment.sh b/test/environment/environment.sh index 04a1daaf6..5c4d49331 100755 --- a/test/environment/environment.sh +++ b/test/environment/environment.sh @@ -55,12 +55,6 @@ else echo "TESTING SKIP: zsh not found" fi -echo "TESTING: rlimit (test/environment/rlimit.exp)" -./rlimit.exp - -echo "TESTING: rlimit profile (test/environment/rlimit-profile.exp)" -./rlimit-profile.exp - echo "TESTING: firejail in firejail - single sandbox (test/environment/firejail-in-firejail.exp)" ./firejail-in-firejail.exp diff --git a/test/environment/rlimit-profile.exp b/test/environment/rlimit-profile.exp deleted file mode 100755 index a9e54a405..000000000 --- a/test/environment/rlimit-profile.exp +++ /dev/null @@ -1,33 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -#cd /home -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --profile=rlimit.profile\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "cat /proc/self/limits\r" -expect { - timeout {puts "TESTING ERROR 1.1\n";exit} - "Max file size 1024 1024" -} -expect { - timeout {puts "TESTING ERROR 1.2\n";exit} - "Max processes 1000 1000" -} -expect { - timeout {puts "TESTING ERROR 1.3\n";exit} - "Max open files 500 500" -} -expect { - timeout {puts "TESTING ERROR 1.4\n";exit} - "Max pending signals 200 200" -} -after 100 -puts "\nall done\n" diff --git a/test/environment/rlimit.exp b/test/environment/rlimit.exp deleted file mode 100755 index 611f69821..000000000 --- a/test/environment/rlimit.exp +++ /dev/null 
@@ -1,37 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -cd /home -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --rlimit-fsize=1024 --rlimit-nproc=1000 --rlimit-nofile=500 --rlimit-sigpending=200\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "cat /proc/self/limits; pwd\r" -expect { - timeout {puts "TESTING ERROR 1.1\n";exit} - "Max file size 1024 1024" -} -expect { - timeout {puts "TESTING ERROR 1.2\n";exit} - "Max processes 1000 1000" -} -expect { - timeout {puts "TESTING ERROR 1.3\n";exit} - "Max open files 500 500" -} -expect { - timeout {puts "TESTING ERROR 1.4\n";exit} - "Max pending signals 200 200" -} -expect { - timeout {puts "TESTING ERROR 1.5\n";exit} - "home" -} -after 100 -puts "\n" diff --git a/test/environment/rlimit.profile b/test/environment/rlimit.profile deleted file mode 100644 index 271891c03..000000000 --- a/test/environment/rlimit.profile +++ /dev/null @@ -1,4 +0,0 @@ - rlimit-fsize 1024 -rlimit-nproc 1000 - rlimit-nofile 500 -rlimit-sigpending 200 \ No newline at end of file diff --git a/test/rlimit/rlimit-profile.exp b/test/rlimit/rlimit-profile.exp new file mode 100755 index 000000000..a9e54a405 --- /dev/null +++ b/test/rlimit/rlimit-profile.exp @@ -0,0 +1,33 @@ +#!/usr/bin/expect -f + +set timeout 10 +#cd /home +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --profile=rlimit.profile\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "cat /proc/self/limits\r" +expect { + timeout {puts "TESTING ERROR 1.1\n";exit} + "Max file size 1024 1024" +} +expect { + timeout {puts "TESTING ERROR 1.2\n";exit} + "Max processes 1000 1000" +} +expect { + timeout {puts "TESTING ERROR 1.3\n";exit} + "Max open files 500 500" +} +expect { + timeout {puts "TESTING ERROR 1.4\n";exit} + "Max pending signals 200 200" +} +after 100 +puts "\nall done\n" 
diff --git a/test/rlimit/rlimit.exp b/test/rlimit/rlimit.exp new file mode 100755 index 000000000..611f69821 --- /dev/null +++ b/test/rlimit/rlimit.exp @@ -0,0 +1,37 @@ +#!/usr/bin/expect -f + +set timeout 10 +cd /home +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --rlimit-fsize=1024 --rlimit-nproc=1000 --rlimit-nofile=500 --rlimit-sigpending=200\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "cat /proc/self/limits; pwd\r" +expect { + timeout {puts "TESTING ERROR 1.1\n";exit} + "Max file size 1024 1024" +} +expect { + timeout {puts "TESTING ERROR 1.2\n";exit} + "Max processes 1000 1000" +} +expect { + timeout {puts "TESTING ERROR 1.3\n";exit} + "Max open files 500 500" +} +expect { + timeout {puts "TESTING ERROR 1.4\n";exit} + "Max pending signals 200 200" +} +expect { + timeout {puts "TESTING ERROR 1.5\n";exit} + "home" +} +after 100 +puts "\n" diff --git a/test/rlimit/rlimit.profile b/test/rlimit/rlimit.profile new file mode 100644 index 000000000..271891c03 --- /dev/null +++ b/test/rlimit/rlimit.profile @@ -0,0 +1,4 @@ + rlimit-fsize 1024 +rlimit-nproc 1000 + rlimit-nofile 500 +rlimit-sigpending 200 \ No newline at end of file diff --git a/test/root/apache2.exp b/test/root/apache2.exp index 7f67f4706..0b102bad5 100755 --- a/test/root/apache2.exp +++ b/test/root/apache2.exp @@ -4,10 +4,6 @@ set timeout 5 spawn $env(SHELL) match_max 100000 -send -- "pkill apache\r" -sleep 2 - - send -- "firejail --name=apache /etc/init.d/apache2 start\r" expect { timeout {puts "TESTING ERROR 0\n";exit} diff --git a/test/root/isc-dhcp.exp b/test/root/isc-dhcp.exp index 86500707a..5d9597e7c 100755 --- a/test/root/isc-dhcp.exp +++ b/test/root/isc-dhcp.exp 
@@ -4,15 +4,6 @@ set timeout 5 spawn $env(SHELL) match_max 100000 -send -- "sudo ls; sudo whoami; sudo pwd\r" -expect { - timeout {puts "TESTING ERROR: you need to root run this test as root\n";exit} - "root" -} - -send -- "pkill dhcpd\r" -sleep 2 - send -- "firejail --name=dhcpd /etc/init.d/isc-dhcp-server start\r" expect { timeout {puts "TESTING ERROR 0\n";exit} diff --git a/test/root/nginx.exp b/test/root/nginx.exp index 0b62fada9..82ebe0ee7 100755 --- a/test/root/nginx.exp +++ b/test/root/nginx.exp @@ -4,10 +4,6 @@ set timeout 5 spawn $env(SHELL) match_max 100000 -send -- "pkill nginx\r" -sleep 2 - - send -- "firejail --name=nginx /etc/init.d/nginx start\r" expect { timeout {puts "TESTING ERROR 0\n";exit} diff --git a/test/root/root.sh b/test/root/root.sh index 471b7d535..494bd4fe7 100755 --- a/test/root/root.sh +++ b/test/root/root.sh @@ -47,6 +47,12 @@ else echo "TESTING SKIP: nginx not found" fi +#******************************** +# filesystem +#******************************** +echo "TESTING: fs private (test/root/private.exp)" +./private.exp + #******************************** # seccomp #******************************** diff --git a/test/root/snmpd.exp b/test/root/snmpd.exp index 90e34470f..610fdb13a 100755 --- a/test/root/snmpd.exp +++ b/test/root/snmpd.exp @@ -4,16 +4,6 @@ set timeout 5 spawn $env(SHELL) match_max 100000 -send -- "sudo ls; sudo whoami; sudo pwd\r" -expect { - timeout {puts "TESTING ERROR: you need to root run this test as root\n";exit} - "root" -} - -send -- "pkill snmpd\r" -sleep 2 - - send -- "firejail --name=snmpd /etc/init.d/snmpd start\r" expect { timeout {puts "TESTING ERROR 0\n";exit} diff --git a/test/root/unbound.exp b/test/root/unbound.exp index 193e662ff..9c496306a 100755 --- a/test/root/unbound.exp +++ b/test/root/unbound.exp 
@@ -4,15 +4,6 @@ set timeout 5 spawn $env(SHELL) match_max 100000 -send -- "sudo ls; sudo whoami; sudo pwd\r" -expect { - timeout {puts "TESTING ERROR: you need to root run this test as root\n";exit} - "root" -} - -send -- "pkill unbound\r" -sleep 2 - send -- "firejail --name=unbound unbound\r" expect { timeout {puts "TESTING ERROR 0\n";exit} -- cgit v1.2.3-70-g09d2 From 745742f17378cde52591c1aa8e112445022abb2d Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 14 Nov 2016 07:53:22 -0500 Subject: cleanup --- gcov.sh | 71 +++++++++++++++++++++++++++++++++++++++++++++ src/firejail/caps.c | 13 +-------- src/firejail/fs_whitelist.c | 55 +++++------------------------------ test/rlimit/rlimit.sh | 14 +++++++++ test/root/private.exp | 33 +++++++++++++++++++++ 5 files changed, 127 insertions(+), 59 deletions(-) create mode 100755 gcov.sh create mode 100755 test/rlimit/rlimit.sh create mode 100755 test/root/private.exp diff --git a/gcov.sh b/gcov.sh new file mode 100755 index 000000000..ffacce6b5 --- /dev/null +++ b/gcov.sh 
@@ -0,0 +1,71 @@ +#!/bin/bash + +generate() { + lcov --capture -d src/firejail -d src/firemon -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg --output-file gcov-file + rm -fr gcov-dir + genhtml gcov-file --output-directory gcov-dir +} + +# init +USER=`whoami` +firejail --help +firemon --help +/usr/lib/firejail/fnet --help +/usr/lib/firejail/fseccomp --help +/usr/lib/firejail/ftee --help +firecfg --help +sudo chown $USER:$USER `find .` +generate + +# running tests +make test-root +generate +sleep 2 + +make test-network +generate +sleep 2 + +make test-appimage +generate +sleep 2 + +make test-overlay +generate +sleep 2 + +make test-profiles +generate +sleep 2 + +make test-fs +generate +sleep 2 + +make test-utils +generate +sleep 2 + +make test-environment +generate +sleep 2 + +make test-apps +generate +sleep 2 + +make test-apps-x11 +generate +sleep 2 + +make test-apps-x11-xorg +generate +sleep 2 + +make test-filters +generate +sleep 2 + +make test-arguments +generate +sleep 2 diff --git a/src/firejail/caps.c b/src/firejail/caps.c index 3fd8b576e..ba811cada 100644 --- a/src/firejail/caps.c +++ b/src/firejail/caps.c @@ -168,17 +168,6 @@ static CapsEntry capslist[] = { // }; // end of capslist -const char *caps_find_nr(int nr) { - int i; - int elems = sizeof(capslist) / sizeof(capslist[0]); - for (i = 0; i < elems; i++) { - if (nr == capslist[i].nr) - return capslist[i].name; - } - - return "unknown"; -} - // return -1 if error, or syscall number static int caps_find_name(const char *name) { int i; @@ -397,7 +386,7 @@ static uint64_t extract_caps(int pid) { } fclose(fp); free(file); - printf("Error: cannot read caps configuration\n"); + fprintf(stderr, "Error: cannot read caps configuration\n"); exit(1); } diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 9d8021219..564dc8290 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c 
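Review bot: In gcov.sh the line ``sudo chown $USER:$USER `find .` `` runs chown as root on an unquoted, word-split file list. Names containing whitespace are split into separate arguments, and without `-h` chown follows a symlink given as an argument and changes the owner of its target, which may lie outside the checkout. `sudo chown -R -h "$(id -un):$(id -gn)" .` does the same job without either problem, and without overwriting `USER` or assuming a group named after the user. The repeated `make …`, `generate`, `sleep 2` stanzas could also be one `for` loop over the target names.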
@@ -530,11 +530,7 @@ void fs_whitelist(void) { // /home/user if (home_dir) { // keep a copy of real home dir in RUN_WHITELIST_HOME_USER_DIR - int rv = mkdir(RUN_WHITELIST_HOME_USER_DIR, 0755); - if (rv == -1) - errExit("mkdir"); - if (set_perms(RUN_WHITELIST_HOME_USER_DIR, getuid(), getgid(), 0755)) - errExit("set_perms"); + mkdir_attr(RUN_WHITELIST_HOME_USER_DIR, 0755, getuid(), getgid()); if (mount(cfg.homedir, RUN_WHITELIST_HOME_USER_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind"); @@ -545,12 +541,7 @@ void fs_whitelist(void) { // /tmp mountpoint if (tmp_dir) { // keep a copy of real /tmp directory in - int rv = mkdir(RUN_WHITELIST_TMP_DIR, 1777); - if (rv == -1) - errExit("mkdir"); - if (set_perms(RUN_WHITELIST_TMP_DIR, 0, 0, 1777)) - errExit("set_perms"); - + mkdir_attr(RUN_WHITELIST_TMP_DIR, 1777, 0, 0); if (mount("/tmp", RUN_WHITELIST_TMP_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind"); @@ -568,12 +559,7 @@ void fs_whitelist(void) { struct stat s; if (stat("/media", &s) == 0) { // keep a copy of real /media directory in RUN_WHITELIST_MEDIA_DIR - int rv = mkdir(RUN_WHITELIST_MEDIA_DIR, 0755); - if (rv == -1) - errExit("mkdir"); - if (set_perms(RUN_WHITELIST_MEDIA_DIR, 0, 0, 0755)) - errExit("set_perms"); - + mkdir_attr(RUN_WHITELIST_MEDIA_DIR, 0755, 0, 0); if (mount("/media", RUN_WHITELIST_MEDIA_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind"); @@ -594,12 +580,7 @@ void fs_whitelist(void) { struct stat s; if (stat("/mnt", &s) == 0) { // keep a copy of real /mnt directory in RUN_WHITELIST_MNT_DIR - int rv = mkdir(RUN_WHITELIST_MNT_DIR, 0755); - if (rv == -1) - errExit("mkdir"); - if (set_perms(RUN_WHITELIST_MNT_DIR, 0, 0, 0755)) - errExit("set_perms"); - + mkdir_attr(RUN_WHITELIST_MNT_DIR, 0755, 0, 0); if (mount("/mnt", RUN_WHITELIST_MNT_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind"); 
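Review bot: `mkdir_attr(RUN_WHITELIST_TMP_DIR, 1777, 0, 0)` passes the mode as decimal 1777, which is octal 03361 rather than the sticky, world-writable 01777 that /tmp uses; the value was carried over unchanged from the removed `mkdir`/`set_perms` pair. Every other call in these hunks uses an octal literal such as `0755`, so this looks like a missing leading zero: `mkdir_attr(RUN_WHITELIST_TMP_DIR, 01777, 0, 0);`. How much the mode matters depends on what ends up mounted over the directory (the bind mount of /tmp follows immediately), but the literal should state the intended permissions. fs_whitelist() extends beyond these hunks.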
@@ -618,12 +599,7 @@ void fs_whitelist(void) { // /var mountpoint if (var_dir) { // keep a copy of real /var directory in RUN_WHITELIST_VAR_DIR - int rv = mkdir(RUN_WHITELIST_VAR_DIR, 0755); - if (rv == -1) - errExit("mkdir"); - if (set_perms(RUN_WHITELIST_VAR_DIR, 0, 0, 0755)) - errExit("set_perms"); - + mkdir_attr(RUN_WHITELIST_VAR_DIR, 0755, 0, 0); if (mount("/var", RUN_WHITELIST_VAR_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind"); @@ -638,12 +614,7 @@ void fs_whitelist(void) { // /dev mountpoint if (dev_dir) { // keep a copy of real /dev directory in RUN_WHITELIST_DEV_DIR - int rv = mkdir(RUN_WHITELIST_DEV_DIR, 0755); - if (rv == -1) - errExit("mkdir"); - if (set_perms(RUN_WHITELIST_DEV_DIR, 0, 0, 0755)) - errExit("set_perms"); - + mkdir_attr(RUN_WHITELIST_DEV_DIR, 0755, 0, 0); if (mount("/dev", RUN_WHITELIST_DEV_DIR, NULL, MS_BIND|MS_REC, "mode=755,gid=0") < 0) errExit("mount bind"); @@ -658,12 +629,7 @@ void fs_whitelist(void) { // /opt mountpoint if (opt_dir) { // keep a copy of real /opt directory in RUN_WHITELIST_OPT_DIR - int rv = mkdir(RUN_WHITELIST_OPT_DIR, 0755); - if (rv == -1) - errExit("mkdir"); - if (set_perms(RUN_WHITELIST_OPT_DIR, 0, 0, 0755)) - errExit("set_perms"); - + mkdir_attr(RUN_WHITELIST_OPT_DIR, 0755, 0, 0); if (mount("/opt", RUN_WHITELIST_OPT_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind"); @@ -681,12 +647,7 @@ void fs_whitelist(void) { struct stat s; if (stat("/srv", &s) == 0) { // keep a copy of real /srv directory in RUN_WHITELIST_SRV_DIR - int rv = mkdir(RUN_WHITELIST_SRV_DIR, 0755); - if (rv == -1) - errExit("mkdir"); - if (set_perms(RUN_WHITELIST_SRV_DIR, 0, 0, 0755)) - errExit("set_perms"); - + mkdir_attr(RUN_WHITELIST_SRV_DIR, 0755, 0, 0); if (mount("/srv", RUN_WHITELIST_SRV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind"); diff --git a/test/rlimit/rlimit.sh b/test/rlimit/rlimit.sh new file mode 100755 index 000000000..d85497176 --- /dev/null +++ b/test/rlimit/rlimit.sh 
@@ -0,0 +1,14 @@ +#!/bin/bash +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +export MALLOC_CHECK_=3 +export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) + +echo "TESTING: rlimit (test/rlimit/rlimit.exp)" +./rlimit.exp + +echo "TESTING: rlimit profile (test/rlimit/rlimit-profile.exp)" +./rlimit-profile.exp + diff --git a/test/root/private.exp b/test/root/private.exp new file mode 100755 index 000000000..4040081ee --- /dev/null +++ b/test/root/private.exp @@ -0,0 +1,33 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --private\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 2 + +send -- "ls -l /home\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "total 0" +} +after 100 + +send -- "ls -l /root\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "total 0" +} +after 100 + +send -- "exit\r" +after 100 +puts "\nall done\n" -- cgit v1.2.3-70-g09d2 From a27f943aa7098d95c3b810278bfd607b7165d9e1 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 14 Nov 2016 08:18:39 -0500 Subject: fix thunderbird profile --- etc/icedove.profile | 3 +++ etc/thunderbird.profile | 3 +++ 2 files changed, 6 insertions(+) diff --git a/etc/icedove.profile b/etc/icedove.profile index 23254751b..310684bdb 100644 --- a/etc/icedove.profile +++ b/etc/icedove.profile @@ -14,5 +14,8 @@ noblacklist ~/.cache/icedove mkdir ~/.cache/icedove whitelist ~/.cache/icedove +# allow browsers +ignore private-tmp include /etc/firejail/firefox.profile +#include /etc/firejail/chromium.profile - chromium runs as suid! diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile index 5db50da4d..54d9a3d4d 100644 --- a/etc/thunderbird.profile +++ b/etc/thunderbird.profile 
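Review bot: The added `ignore private-tmp` in etc/icedove.profile has only `# allow browsers` above it, which does not say what isolation is given up. As written, a `private-tmp` line coming from the included firefox.profile would presumably be skipped, leaving the mail client on the real /tmp instead of a private one. I would state that trade-off in the comment, for example `# ignore private-tmp: keep the real /tmp (no private tmpfs) so the browser profile included below can be shared`, if that is indeed the reason. The same applies to the matching hunk in etc/thunderbird.profile.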
@@ -14,5 +14,8 @@ noblacklist ~/.cache/thunderbird mkdir ~/.cache/thunderbird whitelist ~/.cache/thunderbird +# allow browsers +ignore private-tmp include /etc/firejail/firefox.profile +include /etc/firejail/chromium.profile -- cgit v1.2.3-70-g09d2 From 547df291ba581825ac46b842aa5b05456d71c3d3 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 14 Nov 2016 08:19:16 -0500 Subject: fix thunderbird profile --- etc/thunderbird.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile index 54d9a3d4d..568343ba6 100644 --- a/etc/thunderbird.profile +++ b/etc/thunderbird.profile @@ -17,5 +17,5 @@ whitelist ~/.cache/thunderbird # allow browsers ignore private-tmp include /etc/firejail/firefox.profile -include /etc/firejail/chromium.profile +#include /etc/firejail/chromium.profile - chromium runs as suid! -- cgit v1.2.3-70-g09d2 From 2509b0f8d740b9384d30aa95d3eaf64fbe27bf27 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 15 Nov 2016 10:01:54 -0500 Subject: added Guayadeque profile --- README | 13 +++++++------ README.md | 2 +- RELNOTES | 3 ++- etc/disable-programs.inc | 1 + etc/guayadeque.profile | 19 +++++++++++++++++++ platform/debian/conffiles | 1 + 6 files changed, 31 insertions(+), 8 deletions(-) create mode 100644 etc/guayadeque.profile diff --git a/README b/README index 69e5e6337..e21e96bc7 100644 --- a/README +++ b/README @@ -80,6 +80,13 @@ Fred-Barclay (https://github.com/Fred-Barclay) - evince profile enhancement - tightened Spotify profile - added xiphos and Tor Browser Bundle profiles +curiosity-seeker (https://github.com/curiosity-seeker) + - tightening unbound and dnscrypt-proxy profiles + - dnsmasq profile + - okular and gwenview profiles + - cherrytree profile fixes + - added quiterss profile + - added guayadeque profile Simon Peter (https://github.com/probonopd) - set $APPIMAGE and $APPDIR environment variables - AppImage version detection 
@@ -194,12 +201,6 @@ Vasya Novikov (https://github.com/vn971) - manpage fixes - fixed firecfg clean/clear issue - found the ugliest bug so far -curiosity-seeker (https://github.com/curiosity-seeker) - - tightening unbound and dnscrypt-proxy profiles - - dnsmasq profile - - okular and gwenview profiles - - cherrytree profile fixes - - added quiterss profile Matthew Gyurgyik (https://github.com/pyther) - rpm spec and several fixes Joan Figueras (https://github.com/figue) diff --git a/README.md b/README.md index 931b27ef3..ad90639e2 100644 --- a/README.md +++ b/README.md @@ -52,5 +52,5 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is ````` ## New Profiles -xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom +xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom,Guayadeque diff --git a/RELNOTES b/RELNOTES index 922296fd7..e726674ec 100644 --- a/RELNOTES +++ b/RELNOTES @@ -6,7 +6,8 @@ firejail (0.9.45) baseline; urgency=low * security: split most of networking code in a separate executable * security: split seccomp filter code configuration in a separate executable * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm) - * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire + * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, + * new profiles: mumble, zoom, Guayadeque * bugfixes -- netblue30 Sun, 23 Oct 2016 08:00:00 -0500 diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 0d9bd1bb4..f4e66dc66 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -53,6 +53,7 @@ blacklist ${HOME}/.config/mpv blacklist ${HOME}/.config/totem blacklist ${HOME}/.config/xplayer blacklist ${HOME}/.audacity-data +blacklist ${HOME}/.guayadeque # HTTP / FTP / Mail blacklist ${HOME}/.icedove diff --git a/etc/guayadeque.profile b/etc/guayadeque.profile new file mode 100644 index 000000000..0c6ad00be --- /dev/null +++ b/etc/guayadeque.profile 
@@ -0,0 +1,19 @@ +noblacklist ${HOME}/.guayadeque + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-devel.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +protocol unix,inet,inet6,netlink +seccomp +shell none + +private-bin guayadeque +private-dev +private-tmp diff --git a/platform/debian/conffiles b/platform/debian/conffiles index ff3909c17..321a96f80 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -173,3 +173,4 @@ /etc/firejail/wire.profile /etc/firejail/mumble.profile /etc/firejail/zoom.profile +/etc/firejail/guayadeque.profile -- cgit v1.2.3-70-g09d2 From edcd62d7523365165e23695d7daabc94f1e9f48d Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 16 Nov 2016 11:10:32 -0500 Subject: fcopy part 1 --- Makefile.in | 13 +- configure | 3 +- configure.ac | 5 +- gcov.sh | 5 + src/fcopy/Makefile.in | 45 ++++++ src/fcopy/main.c | 345 +++++++++++++++++++++++++++++++++++++++++++++ src/firejail/util.c | 1 + src/fnet/main.c | 6 +- src/fseccomp/main.c | 4 +- test/fcopy/cmdline.exp | 56 ++++++++ test/fcopy/dircopy.exp | 86 +++++++++++ test/fcopy/fcopy.sh | 23 +++ test/fcopy/filecopy.exp | 54 +++++++ test/fcopy/linkcopy.exp | 86 +++++++++++ test/fcopy/src/a/b/file4 | 11 ++ test/fcopy/src/a/file3 | 0 test/fcopy/src/dircopy.exp | 1 + test/fcopy/src/file1 | 0 test/fcopy/src/file2 | 0 19 files changed, 733 insertions(+), 11 deletions(-) create mode 100644 src/fcopy/Makefile.in create mode 100644 src/fcopy/main.c create mode 100755 test/fcopy/cmdline.exp create mode 100755 test/fcopy/dircopy.exp create mode 100755 test/fcopy/fcopy.sh create mode 100755 test/fcopy/filecopy.exp create mode 100755 test/fcopy/linkcopy.exp create mode 100644 test/fcopy/src/a/b/file4 create mode 100644 test/fcopy/src/a/file3 create mode 120000 test/fcopy/src/dircopy.exp create mode 100755 test/fcopy/src/file1 create mode 100644 test/fcopy/src/file2 
diff --git a/Makefile.in b/Makefile.in index 86fd4f4b7..6501989a9 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,6 +1,6 @@ all: apps man MYLIBS = src/lib -APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/libconnect src/fnet src/fseccomp +APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/libconnect src/fnet src/fseccomp src/fcopy MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 prefix=@prefix@ @@ -78,6 +78,7 @@ realinstall: install -c -m 0755 src/faudit/faudit $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/. + install -c -m 0755 src/fcopy/fcopy $(DESTDIR)/$(libdir)/firejail/. # documents install -m 0755 -d $(DESTDIR)/$(DOCDIR) install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/. @@ -128,6 +129,7 @@ install-strip: all strip src/faudit/faudit strip src/fnet/fnet strip src/fseccomp/fseccomp + strip src/fcopy/fcopy $(MAKE) realinstall uninstall: @@ -145,7 +147,7 @@ uninstall: rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg DISTFILES = "src etc platform configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES" -DISTFILES_TEST = "test/rlimit test/apps test/apps-x11 test/apps-x11-xorg test/root test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils" +DISTFILES_TEST = "test/rlimit test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils" dist: mv config.status config.status.old 
@@ -226,7 +228,10 @@ test-fs: test-rlimit: cd test/rlimit; ./rlimit.sh | grep TESTING -test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments test-rlimit +test-fcopy: + cd test/fcopy; ./fcopy.sh | grep TESTING + +test: test-profiles test-fcopy test-fs test-utils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments test-rlimit echo "TEST COMPLETE" ########################################## @@ -254,6 +259,6 @@ test-overlay: # For testing hidepid system, the command to set it up is "mount -o remount,rw,hidepid=2 /proc" -test-all: test-root test-network test-appimage test-overlay test +test-all: test-root test-network test-appimage test-overlay test-fcopy test echo "TEST COMPLETE" \ No newline at end of file diff --git a/configure b/configure index 0aefb5c62..9efba1b1d 100755 --- a/configure +++ b/configure @@ -3777,7 +3777,7 @@ if test "$prefix" = /usr; then sysconfdir="/etc" fi -ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile src/fseccomp/Makefile" +ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile src/fseccomp/Makefile" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure 
@@ -4488,6 +4488,7 @@ do case $ac_config_target in "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; "src/lib/Makefile") CONFIG_FILES="$CONFIG_FILES src/lib/Makefile" ;; + "src/fcopy/Makefile") CONFIG_FILES="$CONFIG_FILES src/fcopy/Makefile" ;; "src/fnet/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnet/Makefile" ;; "src/firejail/Makefile") CONFIG_FILES="$CONFIG_FILES src/firejail/Makefile" ;; "src/firemon/Makefile") CONFIG_FILES="$CONFIG_FILES src/firemon/Makefile" ;; diff --git a/configure.ac b/configure.ac index 74ba09f43..f3076f2f8 100644 --- a/configure.ac +++ b/configure.ac @@ -158,8 +158,9 @@ if test "$prefix" = /usr; then sysconfdir="/etc" fi -AC_OUTPUT(Makefile src/lib/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile \ -src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile src/fseccomp/Makefile) +AC_OUTPUT(Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile \ +src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile \ +src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile src/fseccomp/Makefile) echo echo "Configuration options:" diff --git a/gcov.sh b/gcov.sh index ffacce6b5..6f668d65f 100755 --- a/gcov.sh +++ b/gcov.sh @@ -13,6 +13,7 @@ firemon --help /usr/lib/firejail/fnet --help /usr/lib/firejail/fseccomp --help /usr/lib/firejail/ftee --help +/usr/lib/firejail/fcopy --help firecfg --help sudo chown $USER:$USER `find .` generate @@ -34,6 +35,10 @@ make test-overlay generate sleep 2 +make test-fcopy +generate +sleep 2 + make test-profiles generate sleep 2 diff --git a/src/fcopy/Makefile.in b/src/fcopy/Makefile.in new file mode 100644 index 000000000..278957a4f --- /dev/null +++ b/src/fcopy/Makefile.in 
@@ -0,0 +1,45 @@ +all: fcopy + +prefix=@prefix@ +exec_prefix=@exec_prefix@ +libdir=@libdir@ +sysconfdir=@sysconfdir@ + +VERSION=@PACKAGE_VERSION@ +NAME=@PACKAGE_NAME@ +HAVE_SECCOMP_H=@HAVE_SECCOMP_H@ +HAVE_SECCOMP=@HAVE_SECCOMP@ +HAVE_CHROOT=@HAVE_CHROOT@ +HAVE_BIND=@HAVE_BIND@ +HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ +HAVE_NETWORK=@HAVE_NETWORK@ +HAVE_USERNS=@HAVE_USERNS@ +HAVE_X11=@HAVE_X11@ +HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ +HAVE_WHITELIST=@HAVE_WHITELIST@ +HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ +HAVE_APPARMOR=@HAVE_APPARMOR@ +HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ +HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ +EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ +HAVE_GCOV=@HAVE_GCOV@ +EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ + +H_FILE_LIST = $(sort $(wildcard *.[h])) +C_FILE_LIST = $(sort $(wildcard *.c)) +OBJS = $(C_FILE_LIST:.c=.o) +BINOBJS = $(foreach file, $(OBJS), $file) +CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security +LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread + +%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h + $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ + +fcopy: $(OBJS) + $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) + +clean:; rm -f *.o fcopy *.gcov *.gcda *.gcno + +distclean: clean + rm -fr Makefile + diff --git a/src/fcopy/main.c b/src/fcopy/main.c new file mode 100644 index 000000000..4437b90e5 --- /dev/null +++ b/src/fcopy/main.c 
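Review bot: `EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@` appears twice, once before and once after `HAVE_GCOV`, so the configured flags are appended to the link line twice; the second occurrence can be dropped. `BINOBJS = $(foreach file, $(OBJS), $file)` expands `$f` followed by the literal text `ile` rather than the loop variable, so it should be `$(file)`, or the variable can be removed since no rule here uses it. Most of the `HAVE_*` defines look copied from the main firejail Makefile and do not appear to be needed by main.c.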
@@ -0,0 +1,345 @@ +/* + * Copyright (C) 2014-2016 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ + +#include "../include/common.h" +#include +#include + + +#define COPY_LIMIT (500 * 1024 *1024) +static int size_limit_reached = 0; +static unsigned file_cnt = 0; +static unsigned size_cnt = 0; + +static char *outpath = NULL; +static char *inpath = NULL; + + +// modified version of the function from util.c +static void copy_file(const char *srcname, const char *destname, mode_t mode, uid_t uid, gid_t gid) { + assert(srcname); + assert(destname); + mode &= 07777; + + // open source + int src = open(srcname, O_RDONLY); + if (src < 0) { + fprintf(stderr, "Warning: cannot open %s, file not copied\n", srcname); + return; + } + + // open destination + int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, 0755); + if (dst < 0) { + fprintf(stderr, "Warning fcopy: cannot open %s, file not copied\n", destname); + close(src); + return; + } + + // copy + ssize_t len; + static const int BUFLEN = 1024; + unsigned char buf[BUFLEN]; + while ((len = read(src, buf, BUFLEN)) > 0) { + int done = 0; + while (done != len) { + int rv = write(dst, buf + done, len - done); + if (rv == -1) + goto errexit; + done += rv; + } + } + fflush(0); + + if (fchown(dst, 
uid, gid) == -1) + goto errexit; + if (fchmod(dst, mode) == -1) + goto errexit; + + close(src); + close(dst); + + return; + +errexit: + close(src); + close(dst); + unlink(destname); + fprintf(stderr, "Warning fcopy: cannot copy %s\n", destname); +} + + + +// modified version of the function in firejail/util.c +static void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) { + assert(fname); + mode &= 07777; + + if (mkdir(fname, mode) == -1 || + chmod(fname, mode) == -1) { + fprintf(stderr, "Error fcopy: failed to create %s directory\n", fname); + errExit("mkdir/chmod"); + } + if (chown(fname, uid, gid)) + fprintf(stderr, "Warning fcopy: failed to change ownership of %s\n", fname); +} + +void copy_link(const char *target, const char *linkpath, mode_t mode, uid_t uid, gid_t gid) { + char *rp = realpath(target, NULL); + if (rp) { + if (symlink(rp, linkpath) == -1) + goto errout; + free(rp); + } + else + goto errout; + + return; +errout: + fprintf(stderr, "Warning fcopy: cannot create symbolic link %s\n", target); +} + +static int first = 1; +static int fs_copydir(const char *infname, const struct stat *st, int ftype, struct FTW *sftw) { + (void) st; + (void) sftw; + assert(infname); + assert(*infname != '\0'); + assert(outpath); + assert(*outpath != '\0'); + assert(inpath); + + // check size limit + if (size_limit_reached) + return 0; + + char *outfname; + if (asprintf(&outfname, "%s%s", outpath, infname + strlen(inpath)) == -1) + errExit("asprintf"); + + // don't copy it if we already have the file + struct stat s; + if (stat(outfname, &s) == 0) { + if (first) + first = 0; + else + fprintf(stderr, "Warning fcopy: skipping %s, file already present\n", infname); + free(outfname); + return 0; + } + + // extract mode and ownership + if (stat(infname, &s) != 0) { + fprintf(stderr, "Warning fcopy: skipping %s, cannot find inode\n", infname); + free(outfname); + return 0; + } + uid_t uid = s.st_uid; + gid_t gid = s.st_gid; + mode_t mode = s.st_mode; + + // 
recalculate size + if ((s.st_size + size_cnt) > COPY_LIMIT) { + fprintf(stderr, "Error fcopy: size limit of %dMB reached\n", (COPY_LIMIT / 1024) / 1024); + size_limit_reached = 1; + free(outfname); + return 0; + } + + file_cnt++; + size_cnt += s.st_size; + + if(ftype == FTW_F) { + copy_file(infname, outfname, mode, uid, gid); + } + else if (ftype == FTW_D) { + mkdir_attr(outfname, mode, uid, gid); + } + else if (ftype == FTW_SL) { + copy_link(infname, outfname, mode, uid, gid); + } + + return(0); +} + +static char *check(const char *src) { + struct stat s; + char *rsrc = realpath(src, NULL); + if (!rsrc || stat(rsrc, &s) == -1) { + fprintf(stderr, "Error fcopy: cannot find %s directory\n", src); + exit(1); + } + + // check uid + if (s.st_uid != getuid() || s.st_gid != getgid()) { + fprintf(stderr, "Error fcopy: uid/gid mismatch for %s\n", rsrc); + exit(1); + } + + // dir, link, regular file + if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode) || S_ISLNK(s.st_mode)) { + return rsrc; // normal exit from the function + } + fprintf(stderr, "Error fcopy: invalid directory %s\n", rsrc); + exit(1); +} + +static void duplicate_dir(const char *src, const char *dest, struct stat *s) { + (void) s; + char *rsrc = check(src); + char *rdest = check(dest); + inpath = rsrc; + outpath = rdest; + + // walk + if(nftw(rsrc, fs_copydir, 1, FTW_PHYS) != 0) { + fprintf(stderr, "Error: unable to copy file\n"); + exit(1); + } + + free(rsrc); + free(rdest); +} + +static void duplicate_file(const char *src, const char *dest, struct stat *s) { + char *rsrc = check(src); + char *rdest = check(dest); + uid_t uid = s->st_uid; + gid_t gid = s->st_gid; + mode_t mode = s->st_mode; + + // build destination file name + char *name; + char *ptr = strrchr(rsrc, '/'); + ptr++; + if (asprintf(&name, "%s/%s", rdest, ptr) == -1) + errExit("asprintf"); + + // copy + copy_file(rsrc, name, mode, uid, gid); + + free(name); + free(rsrc); + free(rdest); +} + +static void duplicate_link(const char *src, const char 
*dest, struct stat *s) { + char *rsrc = check(src); + char *rdest = check(dest); + uid_t uid = s->st_uid; + gid_t gid = s->st_gid; + mode_t mode = s->st_mode; + + // build destination file name + char *name; + char *ptr = strrchr(rsrc, '/'); + ptr++; + if (asprintf(&name, "%s/%s", rdest, ptr) == -1) + errExit("asprintf"); + + // copy + copy_link(rsrc, name, mode, uid, gid); + + free(name); + free(rsrc); + free(rdest); +} + +static void usage(void) { + printf("Usage: fcopy src dest\n"); + printf("Copy src file in dest directory. If src is a directory, copy all the files in\n"); + printf("src recoursively\n"); +} + +int main(int argc, char **argv) { +#if 0 +{ +//system("cat /proc/self/status"); +int i; +for (i = 0; i < argc; i++) + printf("*%s* ", argv[i]); +printf("\n"); +} +#endif + if (argc != 3) { + fprintf(stderr, "Error fcopy: files missing\n"); + usage(); + exit(1); + } + + int i; + int index = 1; + for (i = 1; i < (argc - 2); i++) { + if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) { + usage(); + return 0; + } + } + + // check the two files; remove ending / + char *src = argv[index]; + int len = strlen(src); + if (src[len - 1] == '/') + src[len - 1] = '\0'; + if (strcspn(src, "\\*&!?\"'<>%^(){}[];,") != (size_t)len) { + fprintf(stderr, "Error fcopy: invalid file name %s\n", src); + exit(1); + } + + char *dest = argv[index + 1]; + len = strlen(dest); + if (dest[len - 1] == '/') + dest[len - 1] = '\0'; + if (strcspn(dest, "\\*&!?\"'<>%^(){}[];,~") != (size_t)len) { + fprintf(stderr, "Error fcopy: invalid file name %s\n", dest); + exit(1); + } + + + // the destination should be a directory; remove ending / + struct stat s; + if (stat(dest, &s) == -1) { + fprintf(stderr, "Error fcopy: cannot find destination directory\n"); + exit(1); + } + if (S_ISDIR(s.st_mode) == -1) { + fprintf(stderr, "Error fcopy: the destination should be a directory\n"); + exit(1); + } + + // copy files + if (lstat(src, &s) == -1) { + 
fprintf(stderr, "Error fcopy: cannot find source file\n"); + exit(1); + } + + if (S_ISDIR(s.st_mode)) + duplicate_dir(src, dest, &s); + else if (S_ISREG(s.st_mode)) + duplicate_file(src, dest, &s); + else if (S_ISLNK(s.st_mode)) + duplicate_link(src, dest, &s); + else { + fprintf(stderr, "Error fcopy: source file unsupported\n"); + exit(1); + } + + return 0; +} diff --git a/src/firejail/util.c b/src/firejail/util.c index d928c6b42..027f1cd47 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c @@ -206,6 +206,7 @@ int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, m done += rv; } } + fflush(0); if (fchown(dst, uid, gid) == -1) errExit("fchown"); diff --git a/src/fnet/main.c b/src/fnet/main.c index 4ae9eb6e3..4e7807d07 100644 --- a/src/fnet/main.c +++ b/src/fnet/main.c @@ -42,10 +42,10 @@ for (i = 0; i < argc; i++) printf("\n"); } #endif - if (argc < 2) + if (argc < 2) { + usage(); return 1; - - + } if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) { usage(); diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c index 39e72fdf9..2f85a786b 100644 --- a/src/fseccomp/main.c +++ b/src/fseccomp/main.c @@ -47,8 +47,10 @@ for (i = 0; i < argc; i++) printf("\n"); } #endif - if (argc < 2) + if (argc < 2) { + usage(); return 1; + } if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) { usage(); diff --git a/test/fcopy/cmdline.exp b/test/fcopy/cmdline.exp new file mode 100755 index 000000000..95e221321 --- /dev/null +++ b/test/fcopy/cmdline.exp 
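Review bot: In `main`, the destination test `if (S_ISDIR(s.st_mode) == -1)` can never be true, since `S_ISDIR` evaluates to zero or non-zero, so a destination that is not a directory is not rejected at this point; it should be `if (!S_ISDIR(s.st_mode))`. Just above it, `src[len - 1]` and `dest[len - 1]` are read without checking `len > 0`, so an empty argument indexes before the start of the string. In `copy_file`, `open(destname, O_CREAT|O_WRONLY|O_TRUNC, 0755)` follows symbolic links, and the `stat(outfname, &s)` existence test in `fs_copydir` is a separate step from that open, so a link appearing in the destination tree in between would be written through; adding `O_NOFOLLOW` to the open would make the call itself refuse a link as the final path component. `fs_copydir` also returns without `free(outfname)` on the success path.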
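Review bot: The added `fflush(0);` in src/firejail/util.c flushes stdio output streams, but the copy loop above it writes through `write()` on a raw descriptor, so the call has no effect on the copied data. If the goal is to have the bytes on disk before `fchown`/`fchmod`, that would be `fsync(dst)`; if it is to flush pending `printf` output, a short comment saying so would help. `copy_file` starts and ends outside this hunk, and the new `copy_file` in src/fcopy/main.c carries the same call.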
@@ -0,0 +1,56 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "/usr/lib/firejail/fcopy\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "files missing" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Usage:" +} +after 100 + +send -- "/usr/lib/firejail/fcopy foo\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "files missing" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "Usage:" +} +after 100 + +send -- "/usr/lib/firejail/fcopy f%oo1 foo2\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "invalid file name" +} +after 100 + +send -- "/usr/lib/firejail/fcopy foo1 f,oo2\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "invalid file name" +} +after 100 + +send -- "/usr/lib/firejail/fcopy foo1 foo2\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "cannot find destination directory" +} +after 100 + + + + +puts "\nall done\n" diff --git a/test/fcopy/dircopy.exp b/test/fcopy/dircopy.exp new file mode 100755 index 000000000..b87f24a59 --- /dev/null +++ b/test/fcopy/dircopy.exp 
@@ -0,0 +1,86 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +# +# copy directory src to dest +# +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "rm -fr dest/*\r" +after 100 + +send -- "/usr/lib/firejail/fcopy src dest\r" +after 100 + +send -- "find dest\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "dest/" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "dest/a" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "dest/a/b" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "dest/a/b/file4" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "dest/a/file3" +} +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "dest/dircopy.exp" +} +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "dest/file2" +} +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "dest/file1" +} +after 100 + + +send -- "ls -al dest\r" +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "drwx--x--x" +} +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "rwxrwxrwx" +} +expect { + timeout {puts "TESTING ERROR 10\n";exit} + "rw-r--r--" +} +after 100 + +send -- "diff -q src/a/b/file4 dest/a/b/file4; echo done\r" +expect { + timeout {puts "TESTING ERROR 11\n";exit} + "differ" {puts "TESTING ERROR 12\n";exit} + "done" +} + +send -- "file dest/dircopy.exp\r" +expect { + timeout {puts "TESTING ERROR 13\n";exit} + "symbolic link" +} + +send -- "rm -fr dest/*\r" +after 100 + +puts "\nall done\n" diff --git a/test/fcopy/fcopy.sh b/test/fcopy/fcopy.sh new file mode 100755 index 000000000..9961d6317 --- /dev/null +++ b/test/fcopy/fcopy.sh 
@@ -0,0 +1,23 @@ +#!/bin/bash +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +export MALLOC_CHECK_=3 +export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) + +rm -fr dest/* + +echo "TESTING: fcopy cmdline (test/fcopy/cmdline.exp)" +./cmdline.exp + +echo "TESTING: fcopy directory (test/fcopy/dircopy.exp)" +./dircopy.exp + +echo "TESTING: fcopy file (test/fcopy/filecopy.exp)" +./filecopy.exp + +echo "TESTING: fcopy link (test/fcopy/linkcopy.exp)" +./linkcopy.exp + +rm -fr dest/* diff --git a/test/fcopy/filecopy.exp b/test/fcopy/filecopy.exp new file mode 100755 index 000000000..9927e18fe --- /dev/null +++ b/test/fcopy/filecopy.exp @@ -0,0 +1,54 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +# +# copy directory src to dest +# +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "rm -fr dest/*\r" +after 100 + +send -- "/usr/lib/firejail/fcopy src/dircopy.exp dest\r" +after 100 + +send -- "find dest\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "dest/" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "dest/dircopy.exp" +} +after 100 + + +send -- "ls -al dest\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "lrwxrwxrwx" +} +after 100 + +send -- "diff -q dircopy.exp dest/dircopy.exp; echo done\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "differ" {puts "TESTING ERROR 4\n";exit} + "done" +} + +send -- "file dest/dircopy.exp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "symbolic link" +} + +send -- "rm -fr dest/*\r" +after 100 + +puts "\nall done\n" diff --git a/test/fcopy/linkcopy.exp b/test/fcopy/linkcopy.exp new file mode 100755 index 000000000..b87f24a59 --- /dev/null +++ b/test/fcopy/linkcopy.exp 
@@ -0,0 +1,86 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +# +# copy directory src to dest +# +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "rm -fr dest/*\r" +after 100 + +send -- "/usr/lib/firejail/fcopy src dest\r" +after 100 + +send -- "find dest\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "dest/" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "dest/a" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "dest/a/b" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "dest/a/b/file4" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "dest/a/file3" +} +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "dest/dircopy.exp" +} +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "dest/file2" +} +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "dest/file1" +} +after 100 + + +send -- "ls -al dest\r" +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "drwx--x--x" +} +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "rwxrwxrwx" +} +expect { + timeout {puts "TESTING ERROR 10\n";exit} + "rw-r--r--" +} +after 100 + +send -- "diff -q src/a/b/file4 dest/a/b/file4; echo done\r" +expect { + timeout {puts "TESTING ERROR 11\n";exit} + "differ" {puts "TESTING ERROR 12\n";exit} + "done" +} + +send -- "file dest/dircopy.exp\r" +expect { + timeout {puts "TESTING ERROR 13\n";exit} + "symbolic link" +} + +send -- "rm -fr dest/*\r" +after 100 + +puts "\nall done\n" diff --git a/test/fcopy/src/a/b/file4 b/test/fcopy/src/a/b/file4 new file mode 100644 index 000000000..ac318d7ab --- /dev/null +++ b/test/fcopy/src/a/b/file4 
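Review bot: test/fcopy/linkcopy.exp is the same file as test/fcopy/dircopy.exp (both index lines show blob b87f24a59 and both run `fcopy src dest`), so the "link" test only repeats the directory test. The symlink case is instead exercised by filecopy.exp, which copies `src/dircopy.exp` (added with mode 120000) and expects `lrwxrwxrwx`, leaving no test that passes a regular file as the source. I would rewrite these so that each script covers one of the directory, file and link branches in `main`, and correct the `# copy directory src to dest` header comment that all three scripts carry.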
@@ -0,0 +1,11 @@ + + +Lorem ipsum dolor sit amet, consectetur adipiscing elit. Etiam interdum at massa non aliquam. Maecenas molestie id orci volutpat porta. Praesent aliquam nunc quis mi tristique, ac feugiat enim rutrum. Nulla vitae metus sodales, pellentesque risus sit amet, volutpat nisl. Curabitur accumsan arcu congue lacus porta laoreet. Nulla facilisi. Integer nec augue id magna gravida tincidunt id vitae lorem. Curabitur facilisis, tellus vel pellentesque pretium, odio dolor efficitur lorem, et tincidunt dui enim cursus lacus. Cras a orci ac magna semper dapibus nec et velit. Nullam aliquam sollicitudin auctor. + +Mauris ac quam vel purus volutpat semper eget a ante. Curabitur arcu nisl, dapibus ac lectus ac, porttitor fermentum metus. Aliquam et sem aliquam magna interdum ultricies at eu orci. Aenean tortor augue, volutpat nec magna nec, rutrum bibendum justo. Vivamus ex quam, auctor ut pellentesque mattis, aliquet a eros. Etiam ac lacus ac ante ullamcorper sollicitudin a quis orci. Suspendisse quis justo ac mauris cursus finibus quis at elit. Vestibulum elementum finibus diam, eget convallis purus aliquet et. Fusce fermentum ornare urna, non ornare nisl tincidunt consectetur. Donec et lacus vitae ex eleifend porttitor id ut odio. Quisque luctus eget lorem et sollicitudin. + +Aliquam libero elit, finibus a nisl a, commodo viverra turpis. Nam pulvinar in est sit amet fermentum. Praesent scelerisque tempus lectus, ac porta elit sodales rutrum. Duis faucibus faucibus urna eget accumsan. Vivamus in turpis ut massa rhoncus pretium nec et lorem. Aenean at tellus eget metus porta ornare. Aliquam erat volutpat. Donec hendrerit a massa vel malesuada. Integer varius sapien et orci viverra pretium. In at velit aliquet, vulputate nisi lobortis, aliquam augue. + +Ut aliquam turpis ut lorem aliquam, in faucibus elit pulvinar. Vivamus viverra tortor ornare, lacinia leo sit amet, auctor arcu. Sed erat leo, pellentesque vel nibh a, malesuada vehicula purus. 
Vivamus est dolor, aliquet quis facilisis fermentum, varius in dolor. Nunc quis libero feugiat, imperdiet est vitae, mollis risus. Vestibulum elementum mattis lorem vitae gravida. Nullam id tellus interdum, aliquam erat eu, laoreet nunc. Aliquam ut felis vel mauris maximus pellentesque. + +Vestibulum tempus mauris eget ex interdum, vitae vehicula tortor sollicitudin. Pellentesque et dolor cursus dui vulputate laoreet. Morbi eu bibendum quam, at ultrices elit. Vestibulum dictum enim sit amet ultricies imperdiet. Praesent congue magna ac mauris mattis, a iaculis ante aliquet. Vivamus at egestas ex. Suspendisse orci dolor, pharetra at aliquam a, faucibus facilisis leo. Quisque semper lorem eget elit commodo pretium. Aenean posuere augue quis arcu finibus, sit amet fringilla risus congue. Pellentesque rutrum nunc leo, aliquam lobortis lacus molestie nec. Donec convallis congue diam, ullamcorper vestibulum dui varius nec. Praesent pellentesque nisi risus. In aliquam molestie malesuada. Nulla facilisis a risus eu tristique. Morbi molestie et arcu quis efficitur. Curabitur cursus vestibulum luctus. diff --git a/test/fcopy/src/a/file3 b/test/fcopy/src/a/file3 new file mode 100644 index 000000000..e69de29bb diff --git a/test/fcopy/src/dircopy.exp b/test/fcopy/src/dircopy.exp new file mode 120000 index 000000000..2acf88f7b --- /dev/null +++ b/test/fcopy/src/dircopy.exp @@ -0,0 +1 @@ +../dircopy.exp \ No newline at end of file diff --git a/test/fcopy/src/file1 b/test/fcopy/src/file1 new file mode 100755 index 000000000..e69de29bb diff --git a/test/fcopy/src/file2 b/test/fcopy/src/file2 new file mode 100644 index 000000000..e69de29bb -- cgit v1.2.3-70-g09d2 From 5e41e11d454d6a4523fb3f6ff56e553f177e8b85 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 16 Nov 2016 20:55:56 +0100 Subject: added missing profiles --- src/firecfg/firecfg.config | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index e3e333497..f18bf8c86 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -21,6 +21,7 @@ abrowser brave chromium chromium-browser +claws-mail conkeror cyberfox firefox @@ -37,6 +38,7 @@ icecat icedove kmail midori +mutt netsurf opera-beta opera @@ -67,6 +69,7 @@ skype telegram weechat weechat-curses +wire xchat # dns @@ -94,6 +97,7 @@ audacity clementine cmus deadbeef +display feh gnome-mplayer google-play-music-desktop-player -- cgit v1.2.3-70-g09d2 From 5421ef54d076ef0f844c211d06804fd2945549e5 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 16 Nov 2016 21:04:28 +0100 Subject: fixed order and missing profiles --- platform/debian/conffiles | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 321a96f80..c6187628c 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -1,7 +1,9 @@ /etc/firejail/0ad.profile +/etc/firejail/7z.profile /etc/firejail/Cyberfox.profile /etc/firejail/Mathematica.profile /etc/firejail/Telegram.profile +/etc/firejail/Wire.profile /etc/firejail/abrowser.profile /etc/firejail/atom-beta.profile /etc/firejail/atom.profile @@ -14,6 +16,7 @@ /etc/firejail/cherrytree.profile /etc/firejail/chromium-browser.profile /etc/firejail/chromium.profile +/etc/firejail/claws-mail.profile /etc/firejail/clementine.profile /etc/firejail/cmus.profile /etc/firejail/conkeror.profile 
@@ -28,14 +31,18 @@
 /etc/firejail/disable-devel.inc
 /etc/firejail/disable-passwdmgr.inc
 /etc/firejail/disable-programs.inc
+/etc/firejail/display.profile
 /etc/firejail/dnscrypt-proxy.profile
 /etc/firejail/dnsmasq.profile
 /etc/firejail/dosbox.profile
 /etc/firejail/dropbox.profile
+/etc/firejail/emacs.profile
 /etc/firejail/empathy.profile
+/etc/firejail/eog.profile
 /etc/firejail/eom.profile
 /etc/firejail/epiphany.profile
 /etc/firejail/evince.profile
+/etc/firejail/evolution.profile
 /etc/firejail/fbreader.profile
 /etc/firejail/feh.profile
 /etc/firejail/file.profile
@@ -44,9 +51,11 @@
 /etc/firejail/firefox.profile
 /etc/firejail/firejail.config
 /etc/firejail/flashpeak-slimjet.profile
+/etc/firejail/flowblade.profile
 /etc/firejail/franz.profile
 /etc/firejail/gajim.profile
 /etc/firejail/gimp.profile
+/etc/firejail/git.profile
 /etc/firejail/gitter.profile
 /etc/firejail/gnome-chess.profile
 /etc/firejail/gnome-mplayer.profile
@@ -58,6 +67,7 @@
 /etc/firejail/gpredict.profile
 /etc/firejail/gtar.profile
 /etc/firejail/gthumb.profile
+/etc/firejail/guayadeque.profile
 /etc/firejail/gwenview.profile
 /etc/firejail/gzip.profile
 /etc/firejail/hedgewars.profile
@@ -68,6 +78,8 @@
 /etc/firejail/inkscape.profile
 /etc/firejail/inox.profile
 /etc/firejail/jitsi.profile
+/etc/firejail/keepass.profile
+/etc/firejail/keepassx.profile
 /etc/firejail/kmail.profile
 /etc/firejail/konversation.profile
 /etc/firejail/less.profile
@@ -87,12 +99,15 @@
 /etc/firejail/mcabber.profile
 /etc/firejail/midori.profile
 /etc/firejail/mpv.profile
+/etc/firejail/mumble.profile
 /etc/firejail/mupdf.profile
 /etc/firejail/mupen64plus.profile
+/etc/firejail/mutt.profile
 /etc/firejail/netsurf.profile
 /etc/firejail/nolocal.net
 /etc/firejail/okular.profile
 /etc/firejail/openbox.profile
+/etc/firejail/openshot.profile
 /etc/firejail/opera-beta.profile
 /etc/firejail/opera.profile
 /etc/firejail/palemoon.profile
@@ -120,6 +135,7 @@
 /etc/firejail/soffice.profile
 /etc/firejail/spotify.profile
 /etc/firejail/ssh.profile
+/etc/firejail/start-tor-browser.profile
 /etc/firejail/steam.profile
 /etc/firejail/stellarium.profile
 /etc/firejail/strings.profile
@@ -135,6 +151,8 @@
 /etc/firejail/unrar.profile
 /etc/firejail/unzip.profile
 /etc/firejail/uudeview.profile
+/etc/firejail/vim.profile
+/etc/firejail/virtualbox.profile
 /etc/firejail/vivaldi-beta.profile
 /etc/firejail/vivaldi.profile
 /etc/firejail/vlc.profile
@@ -145,32 +163,14 @@
 /etc/firejail/wesnoth.profile
 /etc/firejail/whitelist-common.inc
 /etc/firejail/wine.profile
+/etc/firejail/wire.profile
 /etc/firejail/xchat.profile
+/etc/firejail/xiphos.profile
+/etc/firejail/xpdf.profile
 /etc/firejail/xplayer.profile
 /etc/firejail/xreader.profile
 /etc/firejail/xviewer.profile
 /etc/firejail/xz.profile
 /etc/firejail/xzdec.profile
 /etc/firejail/zathura.profile
-/etc/firejail/7z.profile
-/etc/firejail/keepass.profile
-/etc/firejail/keepassx.profile
-/etc/firejail/claws-mail.profile
-/etc/firejail/mutt.profile
-/etc/firejail/git.profile
-/etc/firejail/emacs.profile
-/etc/firejail/vim.profile
-/etc/firejail/xpdf.profile
-/etc/firejail/virtualbox.profile
-/etc/firejail/openshot.profile
-/etc/firejail/flowblade.profile
-/etc/firejail/eog.profile
-/etc/firejail/evolution.profile
-/etc/firejail/start-tor-browser.profile
-/etc/firejail/xiphos.profile
-/etc/firejail/display.profile
-/etc/firejail/Wire.profile
-/etc/firejail/wire.profile
-/etc/firejail/mumble.profile
 /etc/firejail/zoom.profile
-/etc/firejail/guayadeque.profile
-- cgit v1.2.3-70-g09d2 From 98159c098b6afedfed20eecdc80719dae1f914ff Mon Sep 17 00:00:00 2001
From: netblue30 Date: Wed, 16 Nov 2016 16:40:12 -0500 Subject: fcopy part 2 --- gcov.sh | 28 +++-- src/fcopy/main.c | 36 +++---- src/firejail/firejail.h | 4 +- src/firejail/fs_etc.c | 31 ------ src/firejail/fs_home.c | 269 ++++++++++-------------------------------------- src/firejail/main.c | 2 - src/firejail/profile.c | 2 - src/firejail/util.c | 7 +- test/fcopy/cmdline.exp | 10 -- test/fcopy/filecopy.exp | 6 +- test/fcopy/linkcopy.exp | 46 ++------- 11 files changed, 101 insertions(+), 340 deletions(-) diff --git a/gcov.sh b/gcov.sh index 6f668d65f..900b7ca41 100755 --- a/gcov.sh +++ b/gcov.sh @@ -1,22 +1,28 @@ #!/bin/bash +gcov_init() { + USER=`whoami` + firejail --help + firemon --help + /usr/lib/firejail/fnet --help + /usr/lib/firejail/fseccomp --help + /usr/lib/firejail/ftee --help + /usr/lib/firejail/fcopy --help + firecfg --help + sudo chown $USER:$USER `find .` +} + generate() { - lcov --capture -d src/firejail -d src/firemon -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg --output-file gcov-file + lcov --capture -d src/firejail -d src/firemon -d src/fcopy -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg --output-file gcov-file rm -fr gcov-dir genhtml gcov-file --output-directory gcov-dir } -# init -USER=`whoami` -firejail --help -firemon --help -/usr/lib/firejail/fnet --help -/usr/lib/firejail/fseccomp --help -/usr/lib/firejail/ftee --help -/usr/lib/firejail/fcopy --help -firecfg --help -sudo chown $USER:$USER `find .` +gcov_init generate +echo "press any key to continue, or Ctrl-C to exit" +read text + # running tests make test-root diff --git a/src/fcopy/main.c b/src/fcopy/main.c index 4437b90e5..82d829bba 100644 --- a/src/fcopy/main.c +++ b/src/fcopy/main.c 
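Review bot: The root `chown` in `gcov_init` receives the unquoted, word-split output of `find .`, and `chown` without `-h` acts on the target of any symlink it is handed. The tree now contains at least one symlink (`test/fcopy/src/dircopy.exp`, added earlier in this series), so a link that pointed outside the checkout would have its target re-owned under sudo. `sudo chown -hR "$USER:$USER" .` avoids both the splitting and the dereference. Assigning to `USER` also overwrites the inherited environment variable; a local name such as `owner=$(id -un)` would be cleaner.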
@@ -130,10 +130,16 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str if (size_limit_reached) return 0; + char *outfname; if (asprintf(&outfname, "%s%s", outpath, infname + strlen(inpath)) == -1) errExit("asprintf"); +//printf("outpaht %s\n", outpath); +//printf("inpath %s\n", inpath); +//printf("infname %s\n", infname); +//printf("outfname %s\n\n", outfname); + // don't copy it if we already have the file struct stat s; if (stat(outfname, &s) == 0) { @@ -265,7 +271,7 @@ static void duplicate_link(const char *src, const char *dest, struct stat *s) { static void usage(void) { printf("Usage: fcopy src dest\n"); printf("Copy src file in dest directory. If src is a directory, copy all the files in\n"); - printf("src recoursively\n"); + printf("src recoursively. If the destination directory does not exist, it will be created.\n"); } int main(int argc, char **argv) { @@ -276,25 +282,16 @@ int i; for (i = 0; i < argc; i++) printf("*%s* ", argv[i]); printf("\n"); -} -#endif +} +#endif if (argc != 3) { fprintf(stderr, "Error fcopy: files missing\n"); usage(); exit(1); } - int i; - int index = 1; - for (i = 1; i < (argc - 2); i++) { - if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) { - usage(); - return 0; - } - } - // check the two files; remove ending / - char *src = argv[index]; + char *src = argv[1]; int len = strlen(src); if (src[len - 1] == '/') src[len - 1] = '\0'; @@ -303,7 +300,7 @@ printf("\n"); exit(1); } - char *dest = argv[index + 1]; + char *dest = argv[2]; len = strlen(dest); if (dest[len - 1] == '/') dest[len - 1] = '\0'; 
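Review bot: The sentence added to `usage()` says a missing destination directory will be created, but the destination check in `main()` (the `@@ -313,14 +310,11 @@` hunk) still exits with "invalid destination directory" when `stat(dest, &s)` fails. As written, the help output documents behaviour the program does not have; either drop the new sentence or create the directory before that check. While the string is being edited, `recoursively` should read `recursively`.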
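Review bot: `src[len - 1]` in `main()` is evaluated without checking that `argv[1]` is non-empty, so an empty argument makes `len` zero and the test reads, and may then write, one byte before the string; the same pattern is applied to `dest` in the following hunk. Guard both with `if (len > 0 && src[len - 1] == '/')` and hold the `strlen` result in a `size_t`. `main()` starts and ends outside these hunks, so any earlier validation is not visible here.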
@@ -313,14 +310,11 @@ printf("\n"); } - // the destination should be a directory; remove ending / + // the destination should be a directory; struct stat s; - if (stat(dest, &s) == -1) { - fprintf(stderr, "Error fcopy: cannot find destination directory\n"); - exit(1); - } - if (S_ISDIR(s.st_mode) == -1) { - fprintf(stderr, "Error fcopy: the destination should be a directory\n"); + if (stat(dest, &s) == -1 || + !S_ISDIR(s.st_mode)) { + fprintf(stderr, "Error fcopy: invalid destination directory\n"); exit(1); } diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index d7ba539e6..80627fda8 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -490,8 +490,6 @@ void fs_private_template(void); void fs_check_private_dir(void); // check new private template home directory (--private-template= option) exit if it fails void fs_check_private_template(void); -// check directory list specified by user (--private-home option) - exit if it fails -void fs_check_home_list(void); void fs_private_home_list(void); @@ -557,7 +555,6 @@ void network_del_run_file(pid_t pid); void network_set_run_file(pid_t pid); // fs_etc.c -void fs_check_etc_list(void); void fs_private_etc_list(void); // no_sandbox.c @@ -681,6 +678,7 @@ void build_cmdline(char **command_line, char **window_title, int argc, char **ar #define PATH_FNET (LIBDIR "/firejail/fnet") #define PATH_FIREMON (PREFIX "/bin/firemon") #define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp") +#define PATH_FCOPY (LIBDIR "/firejail/fcopy") // bitmapped filters for sbox_run #define SBOX_ROOT (1 << 0) // run the sandbox as root #define SBOX_USER (1 << 1) // run the sandbox as a regular user diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index 7e18840fd..6a70d482c 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c 
@@ -62,37 +62,6 @@ errexit: exit(1); } -void fs_check_etc_list(void) { - EUID_ASSERT(); - if (strstr(cfg.etc_private_keep, "..")) { - fprintf(stderr, "Error: invalid private etc list\n"); - exit(1); - } - - char *dlist = strdup(cfg.etc_private_keep); - if (!dlist) - errExit("strdup"); - - // build a new list only with the files found - char *newlist = malloc(strlen(cfg.etc_private_keep) + 1); - if (!newlist) - errExit("malloc"); - *newlist = '\0'; - - char *ptr = strtok(dlist, ","); - if (check_dir_or_file(ptr)) - strcat(newlist, ptr); - while ((ptr = strtok(NULL, ",")) != NULL) { - if (check_dir_or_file(ptr)) { - strcat(newlist, ","); - strcat(newlist, ptr); - } - } - cfg.etc_private_keep = newlist; - - free(dlist); -} - static void duplicate(char *fname) { // copy the file if (arg_debug) diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 242482d26..d8cd9ce4d 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c @@ -28,7 +28,7 @@ #include #include #include -#include +//#include static void skel(const char *homedir, uid_t u, gid_t g) { char *fname; 
@@ -349,106 +349,6 @@ void fs_check_private_dir(void) { //*********************************************************************************** // --private-home //*********************************************************************************** -#define PRIVATE_COPY_LIMIT (500 * 1024 *1024) -static int size_limit_reached = 0; -static unsigned file_cnt = 0; -static unsigned size_cnt = 0; -static char *check_dir_or_file(const char *name); - -int fs_copydir(const char *path, const struct stat *st, int ftype, struct FTW *sftw) { - (void) st; - (void) sftw; - if (size_limit_reached) - return 0; - - struct stat s; - char *dest; - if (asprintf(&dest, "%s%s", RUN_HOME_DIR, path + strlen(cfg.homedir)) == -1) - errExit("asprintf"); - - // don't copy it if we already have the file - if (stat(dest, &s) == 0) { - free(dest); - return 0; - } - - // extract mode and ownership - if (stat(path, &s) != 0) { - free(dest); - return 0; - } - - // check uid - if (s.st_uid != firejail_uid || s.st_gid != firejail_gid) { - free(dest); - return 0; - } - - if ((s.st_size + size_cnt) > PRIVATE_COPY_LIMIT) { - size_limit_reached = 1; - free(dest); - return 0; - } - - file_cnt++; - size_cnt += s.st_size; - - if(ftype == FTW_F) - copy_file(path, dest, firejail_uid, firejail_gid, s.st_mode); - else if (ftype == FTW_D) { - if (mkdir(dest, s.st_mode) == -1) - errExit("mkdir"); - if (set_perms(dest, firejail_uid, firejail_gid, s.st_mode)) - errExit("set_perms"); -#if 0 -struct stat s2; -if (stat(dest, &s2) == 0) { - printf("%s\t", dest); - printf((S_ISDIR(s.st_mode)) ? "d" : "-"); - printf((s.st_mode & S_IRUSR) ? "r" : "-"); - printf((s.st_mode & S_IWUSR) ? "w" : "-"); - printf((s.st_mode & S_IXUSR) ? "x" : "-"); - printf((s.st_mode & S_IRGRP) ? "r" : "-"); - printf((s.st_mode & S_IWGRP) ? "w" : "-"); - printf((s.st_mode & S_IXGRP) ? "x" : "-"); - printf((s.st_mode & S_IROTH) ? "r" : "-"); - printf((s.st_mode & S_IWOTH) ? "w" : "-"); - printf((s.st_mode & S_IXOTH) ? 
"x" : "-"); - printf("\n"); -} -#endif - - fs_logger2("clone", path); - } - - free(dest); - return(0); -} - -static void duplicate(char *name) { - char *fname = check_dir_or_file(name); - - if (arg_debug) - printf("Private home: duplicating %s\n", fname); - assert(strncmp(fname, cfg.homedir, strlen(cfg.homedir)) == 0); - - struct stat s; - if (stat(fname, &s) == -1) { - free(fname); - return; - } - - if(nftw(fname, fs_copydir, 1, FTW_PHYS) != 0) { - fprintf(stderr, "Error: unable to copy template dir\n"); - exit(1); - } - fs_logger_print(); // save the current log - - free(fname); -} - - - static char *check_dir_or_file(const char *name) { assert(name); struct stat s; @@ -461,10 +361,7 @@ static char *check_dir_or_file(const char *name) { // expand home directory char *fname = expand_home(name, cfg.homedir); - if (!fname) { - fprintf(stderr, "Error: file %s not found.\n", name); - exit(1); - } + assert(fname); // If it doesn't start with '/', it must be relative to homedir if (fname[0] != '/') { 
@@ -475,31 +372,19 @@ static char *check_dir_or_file(const char *name) { fname = tmp; } - // check the file is in user home directory + // check the file is in user home directory, a full home directory is not allowed char *rname = realpath(fname, NULL); - if (!rname) { + if (!rname || + strncmp(rname, cfg.homedir, strlen(cfg.homedir)) != 0 || + strcmp(rname, cfg.homedir) == 0) { fprintf(stderr, "Error: invalid file %s\n", name); exit(1); } - if (strncmp(rname, cfg.homedir, strlen(cfg.homedir)) != 0) { - fprintf(stderr, "Error: file %s is not in user home directory\n", name); - exit(1); - } - - // a full home directory is not allowed - if (strcmp(rname, cfg.homedir) == 0) { - fprintf(stderr, "Error: invalid directory %s\n", rname); - exit(1); - } // only top files and directories in user home are allowed char *ptr = rname + strlen(cfg.homedir); - if (*ptr == '\0') { - fprintf(stderr, "Error: invalid file %s\n", name); - exit(1); - } - ptr++; - ptr = strchr(ptr, '/'); + assert(*ptr != '\0'); + ptr = strchr(++ptr, '/'); if (ptr) { if (*ptr != '\0') { fprintf(stderr, "Error: only top files and directories in user home are allowed\n"); 
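Review bot: The merged condition in `check_dir_or_file` accepts any resolved path that merely begins with the characters of `cfg.homedir`, because `strncmp(rname, cfg.homedir, strlen(cfg.homedir))` does not require a path separator at the boundary. With a home of `/home/user`, a sibling such as `/home/user2` passes this test and also passes the top-level test that follows, since no further `/` is found. Adding `|| rname[strlen(cfg.homedir)] != '/'` to the rejection condition closes the gap and also covers the exact-match case. The function begins and ends outside this hunk.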
@@ -507,55 +392,42 @@ static char *check_dir_or_file(const char *name) { } } - if (stat(fname, &s) == -1) { - fprintf(stderr, "Error: file %s not found.\n", fname); - exit(1); - } - - // check uid - uid_t uid = getuid(); - gid_t gid = getgid(); - if (s.st_uid != uid || s.st_gid != gid) { - fprintf(stderr, "Error: only files or directories created by the current user are allowed.\n"); - exit(1); - } - - // dir or regular file - if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode)) { - free(fname); - return rname; // regular exit from the function - } - - fprintf(stderr, "Error: invalid file type, %s.\n", fname); - exit(1); + free(fname); + return rname; } +static void duplicate(char *name) { + char *fname = check_dir_or_file(name); + char *dest = RUN_HOME_DIR; -// check directory list specified by user (--private-home option) - exit if it fails -void fs_check_home_list(void) { - if (strstr(cfg.home_private_keep, "..")) { - fprintf(stderr, "Error: invalid private-home list\n"); - exit(1); - } - - char *dlist = strdup(cfg.home_private_keep); - if (!dlist) - errExit("strdup"); - - char *ptr = strtok(dlist, ","); - char *tmp = check_dir_or_file(ptr); - free(tmp); + if (arg_debug) + printf("Private home: duplicating %s\n", fname); + assert(strncmp(fname, cfg.homedir, strlen(cfg.homedir)) == 0); - while ((ptr = strtok(NULL, ",")) != NULL) { - tmp = check_dir_or_file(ptr); - free(tmp); + struct stat s; + if (stat(fname, &s) == -1) { + free(fname); + return; + } + else if (S_ISDIR(s.st_mode)) { + // create the directory in RUN_HOME_DIR + char *name; + char *ptr = strrchr(fname, '/'); + ptr++; + if (asprintf(&name, "%s/%s", RUN_HOME_DIR, ptr) == -1) + errExit("asprintf"); + mkdir_attr(name, 0755, getuid(), getgid()); + sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FCOPY, fname, name); + free(name); } + else + sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FCOPY, fname, RUN_HOME_DIR); + fs_logger2("clone", fname); + fs_logger_print(); // save the current log 
- free(dlist); + free(fname); } - - // private mode (--private-home=list): // mount homedir on top of /home/user, // tmpfs on top of /root in nonroot mode, @@ -571,8 +443,8 @@ void fs_private_home_list(void) { int xflag = store_xauthority(); int aflag = store_asoundrc(); - uid_t u = firejail_uid; - gid_t g = firejail_gid; + uid_t uid = getuid(); + gid_t gid = getgid(); struct stat s; if (stat(homedir, &s) == -1) { fprintf(stderr, "Error: cannot find user home directory\n"); 
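Review bot: In the new `duplicate()`, the top-level directory is pre-created with `mkdir_attr(name, 0755, getuid(), getgid())`, so a source directory with a tighter mode (0700, for instance) is recreated readable by group and others in the private home; the removed `fs_copydir` used `s.st_mode` here. Since `s` is already filled by the `stat(fname, &s)` above, `mkdir_attr(name, s.st_mode & 07777, getuid(), getgid());` would keep the original permissions, assuming the second argument is the mode as the call suggests. The inner `char *name` also shadows the function parameter and deserves a different name. This hunk additionally drops the ownership and file-type checks from `check_dir_or_file`, presumably relying on fcopy running unprivileged through `sbox_run`; a comment stating that would help the next reader.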
@@ -580,59 +452,24 @@ void fs_private_home_list(void) { } // create /run/firejail/mnt/home directory - int rv = mkdir(RUN_HOME_DIR, 0755); - if (rv == -1) - errExit("mkdir"); - if (set_perms(RUN_HOME_DIR, u, g, 0755)) - errExit("set_perms"); - ASSERT_PERMS(RUN_HOME_DIR, u, g, 0755); - + mkdir_attr(RUN_HOME_DIR, 0755, uid, gid); fs_logger_print(); // save the current log + if (arg_debug) + printf("Copying files in the new home:\n"); + // copy the list of files in the new home directory - // using a new child process without root privileges - pid_t child = fork(); - if (child < 0) - errExit("fork"); - if (child == 0) { - if (arg_debug) - printf("Copying files in the new home:\n"); - - // drop privileges - if (setgroups(0, NULL) < 0) - errExit("setgroups"); - if (setgid(getgid()) < 0) - errExit("setgid/getgid"); - if (setuid(getuid()) < 0) - errExit("setuid/getuid"); - - // copy the list of files in the new home directory - char *dlist = strdup(cfg.home_private_keep); - if (!dlist) - errExit("strdup"); - - char *ptr = strtok(dlist, ","); + char *dlist = strdup(cfg.home_private_keep); + if (!dlist) + errExit("strdup"); + + char *ptr = strtok(dlist, ","); + duplicate(ptr); + while ((ptr = strtok(NULL, ",")) != NULL) duplicate(ptr); - while ((ptr = strtok(NULL, ",")) != NULL) - duplicate(ptr); - - if (!arg_quiet) { - if (size_limit_reached) - fprintf(stderr, "Warning: private-home copy limit of %u MB reached, not all the files were copied\n", - PRIVATE_COPY_LIMIT / (1024 *1024)); - else - printf("Private home: %u files, total size %u bytes\n", file_cnt, size_cnt); - } - fs_logger_print(); // save the current log - free(dlist); -#ifdef HAVE_GCOV - __gcov_flush(); -#endif - _exit(0); - } - // wait for the child to finish - waitpid(child, NULL, 0); + fs_logger_print(); // save the current log + free(dlist); if (arg_debug) printf("Mount-bind %s on top of %s\n", RUN_HOME_DIR, homedir); 
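Review bot: `duplicate(ptr)` is called on the first `strtok(dlist, ",")` result without a NULL check, so an empty `cfg.home_private_keep`, or one made only of commas, reaches `check_dir_or_file` with a null pointer, where only an `assert` stands in the way. With the `fs_check_home_list()` calls removed from the option parsers in this commit, nothing visible validates the list earlier. A single loop handles it: `for (ptr = strtok(dlist, ","); ptr; ptr = strtok(NULL, ",")) duplicate(ptr);` with `char *ptr;` declared before it. `fs_private_home_list` begins and ends outside this hunk.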
@@ -640,7 +477,7 @@ void fs_private_home_list(void) { if (mount(RUN_HOME_DIR, homedir, NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind"); - if (u != 0) { + if (uid != 0) { // mask /root if (arg_debug) printf("Mounting a new /root directory\n"); @@ -655,7 +492,7 @@ void fs_private_home_list(void) { errExit("mounting home directory"); } - skel(homedir, u, g); + skel(homedir, uid, gid); if (xflag) copy_xauthority(); if (aflag) diff --git a/src/firejail/main.c b/src/firejail/main.c index ec0c31285..5bfa04cc9 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1601,7 +1601,6 @@ int main(int argc, char **argv) { // extract private home dirname cfg.home_private_keep = argv[i] + 15; - fs_check_home_list(); arg_private = 1; } else { @@ -1625,7 +1624,6 @@ int main(int argc, char **argv) { fprintf(stderr, "Error: invalid private-etc option\n"); exit(1); } - fs_check_etc_list(); arg_private_etc = 1; } else if (strncmp(argv[i], "--private-bin=", 14) == 0) { diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 0fd45d1ef..693b1dc30 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -173,7 +173,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { #ifdef HAVE_PRIVATE_HOME if (checkcfg(CFG_PRIVATE_HOME)) { cfg.home_private_keep = ptr + 13; - fs_check_home_list(); arg_private = 1; } else @@ -737,7 +736,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { exit(1); } cfg.etc_private_keep = ptr + 12; - fs_check_etc_list(); arg_private_etc = 1; return 0; diff --git a/src/firejail/util.c b/src/firejail/util.c index 027f1cd47..c56380ca1 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c @@ -562,7 +562,10 @@ char *expand_home(const char *path, const char* homedir) { return new_name; } - return strdup(path); + char *rv = strdup(path); + if (!rv) + errExit("strdup"); + return rv; } 
@@ -625,7 +628,7 @@ uid_t pid_get_uid(pid_t pid) { void invalid_filename(const char *fname) { - EUID_ASSERT(); +// EUID_ASSERT(); assert(fname); const char *ptr = fname; diff --git a/test/fcopy/cmdline.exp b/test/fcopy/cmdline.exp index 95e221321..24bb19351 100755 --- a/test/fcopy/cmdline.exp +++ b/test/fcopy/cmdline.exp @@ -43,14 +43,4 @@ expect { } after 100 -send -- "/usr/lib/firejail/fcopy foo1 foo2\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "cannot find destination directory" -} -after 100 - - - - puts "\nall done\n" diff --git a/test/fcopy/filecopy.exp b/test/fcopy/filecopy.exp index 9927e18fe..d1f0a4424 100755 --- a/test/fcopy/filecopy.exp +++ b/test/fcopy/filecopy.exp @@ -13,7 +13,7 @@ match_max 100000 send -- "rm -fr dest/*\r" after 100 -send -- "/usr/lib/firejail/fcopy src/dircopy.exp dest\r" +send -- "/usr/lib/firejail/fcopy dircopy.exp dest\r" after 100 send -- "find dest\r" @@ -31,7 +31,7 @@ after 100 send -- "ls -al dest\r" expect { timeout {puts "TESTING ERROR 2\n";exit} - "lrwxrwxrwx" + "rwxr-xr-x" } after 100 @@ -45,7 +45,7 @@ expect { send -- "file dest/dircopy.exp\r" expect { timeout {puts "TESTING ERROR 5\n";exit} - "symbolic link" + "ASCII text" } send -- "rm -fr dest/*\r" diff --git a/test/fcopy/linkcopy.exp b/test/fcopy/linkcopy.exp index b87f24a59..9927e18fe 100755 --- a/test/fcopy/linkcopy.exp +++ b/test/fcopy/linkcopy.exp @@ -13,7 +13,7 @@ match_max 100000 send -- "rm -fr dest/*\r" after 100 -send -- "/usr/lib/firejail/fcopy src dest\r" +send -- "/usr/lib/firejail/fcopy src/dircopy.exp dest\r" after 100 send -- "find dest\r" 
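Review bot: `EUID_ASSERT()` in `invalid_filename` is commented out rather than removed, with no explanation of why the function may now run without that check; the macro presumably asserts that privileges are dropped. If a caller introduced by this series legitimately needs to call it with elevated effective UID, say so with a comment such as `// called with euid 0 from <caller>: <reason>`; otherwise restore the assertion and fix the caller. A silently disabled privilege check makes it easy to miss that the invariant no longer holds.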
@@ -23,60 +23,28 @@ expect { } expect { timeout {puts "TESTING ERROR 1\n";exit} - "dest/a" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "dest/a/b" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "dest/a/b/file4" -} -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "dest/a/file3" -} -expect { - timeout {puts "TESTING ERROR 5\n";exit} "dest/dircopy.exp" } -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "dest/file2" -} -expect { - timeout {puts "TESTING ERROR 7\n";exit} - "dest/file1" -} after 100 send -- "ls -al dest\r" expect { - timeout {puts "TESTING ERROR 8\n";exit} - "drwx--x--x" -} -expect { - timeout {puts "TESTING ERROR 9\n";exit} - "rwxrwxrwx" -} -expect { - timeout {puts "TESTING ERROR 10\n";exit} - "rw-r--r--" + timeout {puts "TESTING ERROR 2\n";exit} + "lrwxrwxrwx" } after 100 -send -- "diff -q src/a/b/file4 dest/a/b/file4; echo done\r" +send -- "diff -q dircopy.exp dest/dircopy.exp; echo done\r" expect { - timeout {puts "TESTING ERROR 11\n";exit} - "differ" {puts "TESTING ERROR 12\n";exit} + timeout {puts "TESTING ERROR 3\n";exit} + "differ" {puts "TESTING ERROR 4\n";exit} "done" } send -- "file dest/dircopy.exp\r" expect { - timeout {puts "TESTING ERROR 13\n";exit} + timeout {puts "TESTING ERROR 5\n";exit} "symbolic link" } -- cgit v1.2.3-70-g09d2 From f233eee37465218ff2b8a7b8806f1d85ea757c70 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Wed, 16 Nov 2016 20:11:29 -0500 Subject: testing --- .gitignore | 1 + test/fs/fs.sh | 13 +++++++- test/fs/fscheck-bindnoroot.exp | 17 ++++++++++ test/fs/fscheck-private.exp | 50 ++++++++++++++++++++++++++++++ test/fs/fscheck-readonly.exp | 15 +++++++++ test/fs/fscheck-tmpfs.exp | 14 +++++++++ test/fs/read-write.exp | 28 ++++------------- test/fs/testfile1 | 0 test/fscheck-bindnoroot.exp | 14 --------- test/fscheck-private.exp | 70 ------------------------------------------ test/fscheck-readonly.exp | 14 --------- test/fscheck-tmpfs.exp | 14 --------- 12 files changed, 115 insertions(+), 135 deletions(-) create mode 100755 test/fs/fscheck-bindnoroot.exp create mode 100755 test/fs/fscheck-private.exp create mode 100755 test/fs/fscheck-readonly.exp create mode 100755 test/fs/fscheck-tmpfs.exp create mode 100644 test/fs/testfile1 delete mode 100755 test/fscheck-bindnoroot.exp delete mode 100755 test/fscheck-private.exp delete mode 100755 test/fscheck-readonly.exp delete mode 100755 test/fscheck-tmpfs.exp diff --git a/.gitignore b/.gitignore index 459119b14..9b9935b93 100644 --- a/.gitignore +++ b/.gitignore @@ -22,4 +22,5 @@ src/tags src/faudit/faudit src/fnet/fnet src/fseccomp/fseccomp +src/fcopy/fcopy uids.h diff --git a/test/fs/fs.sh b/test/fs/fs.sh index efbf505ee..1c5473f79 100755 --- a/test/fs/fs.sh +++ b/test/fs/fs.sh 
@@ -82,10 +82,21 @@ echo "TESTING: recursive mkdir (test/fs/mkdir.exp)" echo "TESTING: double whitelist (test/fs/whitelist-double.exp)" ./whitelist-double.exp - echo "TESTING: whitelist (test/fs/whitelist.exp)" ./whitelist.exp +echo "TESTING: fscheck --bind non root (test/fs/fscheck-bindnoroot.exp)" +./fscheck-bindnoroot.exp + +echo "TESTING: fscheck --tmpfs non root (test/fs/fscheck-tmpfs.exp)" +./fscheck-tmpfs.exp + +echo "TESTING: fscheck --private= (test/fs/fscheck-private.exp)" +./fscheck-private.exp + +echo "TESTING: fscheck --read-only= (test/fs/fscheck-readonly.exp)" +./fscheck-readonly.exp + #cleanup rm -fr ~/fjtest-dir rm -fr ~/fjtest-dir-lnk diff --git a/test/fs/fscheck-bindnoroot.exp b/test/fs/fscheck-bindnoroot.exp new file mode 100755 index 000000000..8cbe2b8af --- /dev/null +++ b/test/fs/fscheck-bindnoroot.exp @@ -0,0 +1,17 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +# dir +send -- "firejail --net=br0 --bind=testdir1,/etc\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Error" +} +after 100 + +puts "\nall done\n" + + diff --git a/test/fs/fscheck-private.exp b/test/fs/fscheck-private.exp new file mode 100755 index 000000000..28c921538 --- /dev/null +++ b/test/fs/fscheck-private.exp 
@@ -0,0 +1,50 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + + + +# file link +#send -- "firejail --private=fscheck-file-link\r" +#expect { +# timeout {puts "TESTING ERROR 2\n";exit} +# "Error" +#} +#after 100 + +# file +send -- "firejail --private=testfile1\r" +expect { + timeout {puts "TESTING ERROR 2.1\n";exit} + "Error" +} +after 100 + +# .. +send -- "firejail --private=../fs/testfile1\r" +expect { + timeout {puts "TESTING ERROR 2.2\n";exit} + "Error" +} +after 100 + +# no file +send -- "firejail --private=../test/nodir\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "Error" +} +after 100 + +# same owner +send -- "firejail --private=/etc\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Error" +} +after 100 + +puts "\nall done\n" + diff --git a/test/fs/fscheck-readonly.exp b/test/fs/fscheck-readonly.exp new file mode 100755 index 000000000..4d7528e50 --- /dev/null +++ b/test/fs/fscheck-readonly.exp @@ -0,0 +1,15 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +# dir +send -- "firejail --read-only=../test/testdir1\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Error" +} +after 100 + +puts "\nall done\n" diff --git a/test/fs/fscheck-tmpfs.exp b/test/fs/fscheck-tmpfs.exp new file mode 100755 index 000000000..deac5a631 --- /dev/null +++ b/test/fs/fscheck-tmpfs.exp @@ -0,0 +1,14 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +# .. +send -- "firejail --tmpfs=fscheck-dir\r" +expect { + timeout {puts "TESTING ERROR 0.1\n";exit} + "Error" +} +after 100 + diff --git a/test/fs/read-write.exp b/test/fs/read-write.exp index 57986488e..19a915f66 100755 --- a/test/fs/read-write.exp +++ b/test/fs/read-write.exp 
@@ -15,37 +15,21 @@ expect { } sleep 1 -send -- "echo mytest >~/_firejail_test_dir/a;echo done\r" +send -- "echo mytest > ~/_firejail_test_dir/a\r" expect { - timeout {puts "TESTING ERROR 1\n";exit} - "done" -} -after 100 - -send -- "echo mytest >~/_firejail_test_dir/test1/b;echo done\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "done" + timeout {puts "TESTING ERROR 5\n";exit} + "Read-only file system" } after 100 -send -- "cat ~/_firejail_test_dir/a;echo done\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "mytest" {puts "TESTING ERROR 4\n";exit} - "done" -} -after 100 +send -- "echo mytest > ~/_firejail_test_dir/test1/b\r" +sleep 1 -send -- "cat ~/_firejail_test_dir/test1/b;echo done\r" +send -- "cat ~/_firejail_test_dir/test1/b\r" expect { timeout {puts "TESTING ERROR 5\n";exit} "mytest" } -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "done" -} after 100 puts "\nall done\n" diff --git a/test/fs/testfile1 b/test/fs/testfile1 new file mode 100644 index 000000000..e69de29bb diff --git a/test/fscheck-bindnoroot.exp b/test/fscheck-bindnoroot.exp deleted file mode 100755 index 796a7d975..000000000 --- a/test/fscheck-bindnoroot.exp +++ /dev/null @@ -1,14 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -# dir -send -- "firejail --net=br0 --bind=fscheck-dir,/etc\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Error" -} -after 100 - diff --git a/test/fscheck-private.exp b/test/fscheck-private.exp deleted file mode 100755 index 8e485cc03..000000000 --- a/test/fscheck-private.exp +++ /dev/null 
@@ -1,70 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - - -# .. -#send -- "firejail --net=br0 --private=../test/fscheck-dir\r" -#expect { -# timeout {puts "TESTING ERROR 0.1\n";exit} -# "Error" -#} -#after 100 - -# dir link -#send -- "firejail --net=br0 --private=fscheck-dir-link\r" -#expect { -# timeout {puts "TESTING ERROR 1\n";exit} -# "Error" -#} -#after 100 - -# .. -#send -- "firejail --net=br0 --private=../test/fscheck-dir-link\r" -#expect { -# timeout {puts "TESTING ERROR 1.1\n";exit} -# "Error" -#} -#after 100 - -# file link -send -- "firejail --net=br0 --private=fscheck-file-link\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "Error" -} -after 100 - -# file -send -- "firejail --net=br0 --private=fscheck-file\r" -expect { - timeout {puts "TESTING ERROR 2.1\n";exit} - "Error" -} -after 100 - -# .. -send -- "firejail --net=br0 --private=../test/fscheck-file\r" -expect { - timeout {puts "TESTING ERROR 2.2\n";exit} - "Error" -} -after 100 - -# no file -send -- "firejail --net=br0 --private=../test/nodir\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "Error" -} -after 100 - -# same owner -send -- "firejail --net=br0 --private=/etc\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Error" -} -after 100 diff --git a/test/fscheck-readonly.exp b/test/fscheck-readonly.exp deleted file mode 100755 index e0f0a8a1d..000000000 --- a/test/fscheck-readonly.exp +++ /dev/null @@ -1,14 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -# dir -send -- "firejail --net=br0 --read-only=../test/fscheck-dir\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Error" -} -after 100 - diff --git a/test/fscheck-tmpfs.exp b/test/fscheck-tmpfs.exp deleted file mode 100755 index d5bbccd96..000000000 --- a/test/fscheck-tmpfs.exp +++ /dev/null 
@@ -1,14 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -# .. -send -- "firejail --net=br0 --tmpfs=../test/fscheck-dir\r" -expect { - timeout {puts "TESTING ERROR 0.1\n";exit} - "Error" -} -after 100 - -- cgit v1.2.3-70-g09d2 From cee0a4d375092f5c9e1097ce056dd10435b33e49 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 17 Nov 2016 08:04:52 -0500 Subject: testing --- src/fcopy/main.c | 19 ++++++++----------- src/firemon/caps.c | 1 - src/firemon/procevent.c | 6 ++---- src/firemon/seccomp.c | 4 +--- src/ftee/main.c | 32 ++++++++++++-------------------- test/utils/firemon-cpu.exp | 1 - test/utils/firemon-interface.exp | 18 ++++++++++++++++++ test/utils/firemon-name.exp | 28 ++++++++++++++++++++++++++++ test/utils/firemon-version.exp | 18 ++++++++++++++++++ test/utils/utils.sh | 9 +++++++++ 10 files changed, 96 insertions(+), 40 deletions(-) create mode 100755 test/utils/firemon-interface.exp create mode 100755 test/utils/firemon-name.exp create mode 100755 test/utils/firemon-version.exp diff --git a/src/fcopy/main.c b/src/fcopy/main.c index 82d829bba..ca2643e7d 100644 --- a/src/fcopy/main.c +++ b/src/fcopy/main.c 
@@ -188,22 +188,19 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str static char *check(const char *src) { struct stat s; char *rsrc = realpath(src, NULL); - if (!rsrc || stat(rsrc, &s) == -1) { - fprintf(stderr, "Error fcopy: cannot find %s directory\n", src); - exit(1); - } + if (!rsrc || stat(rsrc, &s) == -1) + goto errexit; // check uid - if (s.st_uid != getuid() || s.st_gid != getgid()) { - fprintf(stderr, "Error fcopy: uid/gid mismatch for %s\n", rsrc); - exit(1); - } + if (s.st_uid != getuid() || s.st_gid != getgid()) + goto errexit; // dir, link, regular file - if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode) || S_ISLNK(s.st_mode)) { + if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode) || S_ISLNK(s.st_mode)) return rsrc; // normal exit from the function - } - fprintf(stderr, "Error fcopy: invalid directory %s\n", rsrc); + +errexit: + fprintf(stderr, "Error fcopy: invalid file %s\n", src); exit(1); } diff --git a/src/firemon/caps.c b/src/firemon/caps.c index 81877ab87..3f8a139ae 100644 --- a/src/firemon/caps.c +++ b/src/firemon/caps.c @@ -24,7 +24,6 @@ static void print_caps(int pid) { char *file; if (asprintf(&file, "/proc/%d/status", pid) == -1) { errExit("asprintf"); - exit(1); } FILE *fp = fopen(file, "r"); diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c index 1940f4a34..edae21951 100644 --- a/src/firemon/procevent.c +++ b/src/firemon/procevent.c @@ -43,10 +43,8 @@ static int pid_is_firejail(pid_t pid) { // open /proc/self/comm char *file; - if (asprintf(&file, "/proc/%u/comm", pid) == -1) { - perror("asprintf"); - exit(1); - } + if (asprintf(&file, "/proc/%u/comm", pid) == -1) + errExit("asprintf"); FILE *fp = fopen(file, "r"); if (!fp) { diff --git a/src/firemon/seccomp.c b/src/firemon/seccomp.c index abc698bb8..f11c624ea 100644 --- a/src/firemon/seccomp.c +++ b/src/firemon/seccomp.c 
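Review bot: In `check()`, the `S_ISLNK(s.st_mode)` test can never be true, because `s` is filled by `stat()` on the `realpath()` result and both follow symbolic links. The condition is effectively `S_ISDIR || S_ISREG`, so either drop the test or say so in the comment. Folding the three failures into one `invalid file` message also hides whether the path was missing or failed the uid/gid ownership check. A comment on the label such as `// errexit: not found, wrong owner, or unsupported file type` would keep that information in the source.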
@@ -22,10 +22,8 @@ #define MAXBUF 4098 static void print_seccomp(int pid) { char *file; - if (asprintf(&file, "/proc/%d/status", pid) == -1) { + if (asprintf(&file, "/proc/%d/status", pid) == -1) errExit("asprintf"); - exit(1); - } FILE *fp = fopen(file, "r"); if (!fp) { diff --git a/src/ftee/main.c b/src/ftee/main.c index e6aa5f567..2b27baa5a 100644 --- a/src/ftee/main.c +++ b/src/ftee/main.c @@ -179,10 +179,6 @@ static int is_link(const char *fname) { return 0; } - - - - static void usage(void) { printf("Usage: ftee filename\n"); } @@ -201,33 +197,25 @@ int main(int argc, char **argv) { // do not accept directories, links, and files with ".." - if (strstr(fname, "..") || is_link(fname) || is_dir(fname)) { - fprintf(stderr, "Error: invalid output file. Links, directories and files with \"..\" are not allowed.\n"); - exit(1); - } + if (strstr(fname, "..") || is_link(fname) || is_dir(fname)) + goto errexit; struct stat s; if (stat(fname, &s) == 0) { // check permissions - if (s.st_uid != getuid() || s.st_gid != getgid()) { - fprintf(stderr, "Error: the output file needs to be owned by the current user.\n"); - exit(1); - } + if (s.st_uid != getuid() || s.st_gid != getgid()) + goto errexit; // check hard links - if (s.st_nlink != 1) { - fprintf(stderr, "Error: no hard links allowed.\n"); - exit(1); - } + if (s.st_nlink != 1) + goto errexit; } // check if we can append to this file /* coverity[toctou] */ FILE *fp = fopen(fname, "a"); - if (!fp) { - fprintf(stderr, "Error: cannot open output file %s\n", fname); - exit(1); - } + if (!fp) + goto errexit; fclose(fp); @@ -248,4 +236,8 @@ int main(int argc, char **argv) { log_close(); return 0; + +errexit: + fprintf(stderr, "Error ftee: invalid output file.\n"); + return 1; } diff --git a/test/utils/firemon-cpu.exp b/test/utils/firemon-cpu.exp index f2ecd4a5c..00156c909 100755 --- a/test/utils/firemon-cpu.exp +++ b/test/utils/firemon-cpu.exp 
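Review bot: In ftee's `main()`, the ownership and `st_nlink` checks run on `stat(fname, &s)` and the file is then opened again by name with `fopen(fname, "a")`, so the object checked and the object opened can differ if the path is replaced in between. The `coverity[toctou]` annotation silences the finding rather than removing it. Opening the file once with `O_NOFOLLOW` and running the owner and hard-link checks with `fstat()` on that descriptor would tie the checks to the file that is written. The single `invalid output file` message also no longer says which check failed. `main()` continues outside these hunks, so later opens of `fname` need the same treatment.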
@@ -24,7 +24,6 @@ sleep 1 spawn $env(SHELL) send -- "firemon --cpu\r" -sleep 4 expect { timeout {puts "TESTING ERROR 2\n";exit} "need to be root" {puts "TESTING SKIP: /proc mounted as hidepid\n"; exit} diff --git a/test/utils/firemon-interface.exp b/test/utils/firemon-interface.exp new file mode 100755 index 000000000..edafd1639 --- /dev/null +++ b/test/utils/firemon-interface.exp @@ -0,0 +1,18 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firemon --interface\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "you need to be root" +} +after 100 + +puts "\nall done\n" + diff --git a/test/utils/firemon-name.exp b/test/utils/firemon-name.exp new file mode 100755 index 000000000..c5dbfabab --- /dev/null +++ b/test/utils/firemon-name.exp @@ -0,0 +1,28 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --name=test\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firemon --cpu --name=test\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "need to be root" {puts "TESTING SKIP: /proc mounted as hidepid\n"; exit} + "Cpus_allowed_list" +} + +after 100 + +puts "\nall done\n" + diff --git a/test/utils/firemon-version.exp b/test/utils/firemon-version.exp new file mode 100755 index 000000000..639c15c29 --- /dev/null +++ b/test/utils/firemon-version.exp @@ -0,0 +1,18 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firemon --version\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "firemon version" +} +after 100 + +puts "\nall done\n" + 
diff --git a/test/utils/utils.sh b/test/utils/utils.sh index bd91110f7..804e5ae0f 100755 --- a/test/utils/utils.sh +++ b/test/utils/utils.sh @@ -100,3 +100,12 @@ echo "TESTING: firemon cpu (test/utils/firemon-cpu.exp)" echo "TESTING: firemon cgroup (test/utils/firemon-cgroup.exp)" ./firemon-cgroup.exp +echo "TESTING: firemon version (test/utils/firemon-version.exp)" +./firemon-version.exp + +echo "TESTING: firemon interface (test/utils/firemon-interface.exp)" +./firemon-interface.exp + +echo "TESTING: firemon name (test/utils/firemon-name.exp)" +./firemon-name.exp + -- cgit v1.2.3-70-g09d2 From 478a290aefdbf64596a1dafe0ad4420afac28200 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 17 Nov 2016 08:21:09 -0500 Subject: cleanup --- src/firejail/appimage.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index a658173eb..01a78c324 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c @@ -31,10 +31,6 @@ static char *devloop = NULL; // device file static char *mntdir = NULL; // mount point in /tmp directory -const char *appimage_getdir(void) { - return mntdir; -} - void appimage_set(const char *appimage_path) { assert(appimage_path); assert(devloop == NULL); // don't call this twice! -- cgit v1.2.3-70-g09d2 From 4c2ed4eeafcacb380cba143d216811501ad57f33 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 17 Nov 2016 09:59:15 -0500 Subject: fcopy part 3 --- src/fcopy/main.c | 4 +- src/firejail/fs_etc.c | 109 +++++++++++++++++++------------------------------- src/firejail/util.c | 2 + 3 files changed, 45 insertions(+), 70 deletions(-) diff --git a/src/fcopy/main.c b/src/fcopy/main.c index ca2643e7d..56d297c9a 100644 --- a/src/fcopy/main.c +++ b/src/fcopy/main.c @@ -272,7 +272,7 @@ static void usage(void) { } int main(int argc, char **argv) { -#if 0 +//#if 0 { //system("cat /proc/self/status"); int i; 
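Review bot: Commenting out `#if 0` here, together with the matching `//#endif` in the next hunk, leaves the argv dump compiled into fcopy's `main()`, so every run prints its arguments on stdout. If this is temporary debugging, restore `#if 0`/`#endif` or guard the block with a debug switch before committing. The same commit starts calling fcopy through `sbox_run()` in fs_etc.c, so the helper should stay quiet there. `main()` continues outside the hunk.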
@@ -280,7 +280,7 @@ for (i = 0; i < argc; i++) printf("*%s* ", argv[i]); printf("\n"); } -#endif +//#endif if (argc != 3) { fprintf(stderr, "Error fcopy: files missing\n"); usage(); diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index 6a70d482c..7d4ffa938 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c @@ -21,18 +21,14 @@ #include #include #include -#include #include // return 0 if file not found, 1 if found -static int check_dir_or_file(const char *name) { - assert(name); - invalid_filename(name); +static int check_dir_or_file(const char *fname) { + assert(fname); + invalid_filename(fname); struct stat s; - char *fname; - if (asprintf(&fname, "/etc/%s", name) == -1) - errExit("asprintf"); if (arg_debug) printf("Checking %s\n", fname); if (stat(fname, &s) == -1) { @@ -46,16 +42,8 @@ static int check_dir_or_file(const char *name) { goto errexit; // dir or regular file - if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode)) { - free(fname); - return 1; - } - - if (!is_link(fname)) { - free(fname); - return 1; - } - + if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode) || !is_link(fname)) + return 1; // normal exit errexit: fprintf(stderr, "Error: invalid file type, %s.\n", fname); 
@@ -63,30 +51,32 @@ errexit: } static void duplicate(char *fname) { - // copy the file - if (arg_debug) - printf("running: %s -a --parents /etc/%s %s\n", RUN_CP_COMMAND, fname, RUN_MNT_DIR); - - pid_t child = fork(); - if (child < 0) - errExit("fork"); - if (child == 0) { - char *f; - if (asprintf(&f, "/etc/%s", fname) == -1) + char *src; + if (asprintf(&src, "/etc/%s", fname) == -1) + errExit("asprintf"); + if (check_dir_or_file(src) == 0) { + if (!arg_quiet) + fprintf(stderr, "Warning: skipping %s for private bin\n", fname); + free(src); + return; + } + + + struct stat s; + if (stat(src, &s) == 0 && S_ISDIR(s.st_mode)) { + // create the directory in RUN_ETC_DIR + char *dirname; + if (asprintf(&dirname, "%s/%s", RUN_ETC_DIR, fname) == -1) errExit("asprintf"); - clearenv(); - execlp(RUN_CP_COMMAND, RUN_CP_COMMAND, "-a", "--parents", f, RUN_MNT_DIR, NULL); - perror("execlp"); - _exit(1); + create_empty_dir_as_root(dirname, s.st_mode); + sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, dirname); + free(dirname); } - // wait for the child to finish - waitpid(child, NULL, 0); + else + sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, RUN_ETC_DIR); - char *name; - if (asprintf(&name, "/etc/%s", fname) == -1) - errExit("asprintf"); - fs_logger2("clone", name); - free(name); + fs_logger2("clone", src); + free(src); } 
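Review bot: `duplicate()` builds `src` as `/etc/%s` from a list entry and hands it to fcopy under `SBOX_ROOT`, but nothing in this hunk rejects an entry containing `..`. Unless `invalid_filename()` (called from `check_dir_or_file()`, body not shown) does so, such an entry resolves outside `/etc`. An explicit guard at the top of the function, `if (strstr(fname, "..")) { fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname); exit(1); }`, keeps the confinement local and obvious. The skip warning also reads `for private bin` although this file handles the private etc list.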
@@ -110,39 +100,22 @@ void fs_private_etc_list(void) { // copy the list of files in the new etc directory // using a new child process with root privileges if (*private_list != '\0') { - pid_t child = fork(); - if (child < 0) - errExit("fork"); - if (child == 0) { - if (arg_debug) - printf("Copying files in the new etc directory:\n"); + if (arg_debug) + printf("Copying files in the new etc directory:\n"); + + // copy the list of files in the new home directory + char *dlist = strdup(private_list); + if (!dlist) + errExit("strdup"); - // elevate privileges - files in the new /etc directory belong to root - if (setreuid(0, 0) < 0) - errExit("setreuid"); - if (setregid(0, 0) < 0) - errExit("setregid"); - - // copy the list of files in the new home directory - char *dlist = strdup(private_list); - if (!dlist) - errExit("strdup"); - + + char *ptr = strtok(dlist, ","); + duplicate(ptr); - char *ptr = strtok(dlist, ","); + while ((ptr = strtok(NULL, ",")) != NULL) duplicate(ptr); - - while ((ptr = strtok(NULL, ",")) != NULL) - duplicate(ptr); - free(dlist); - fs_logger_print(); -#ifdef HAVE_GCOV - __gcov_flush(); -#endif - _exit(0); - } - // wait for the child to finish - waitpid(child, NULL, 0); + free(dlist); + fs_logger_print(); } if (arg_debug) diff --git a/src/firejail/util.c b/src/firejail/util.c index c56380ca1..03f52fabb 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c @@ -694,6 +694,7 @@ void flush_stdin(void) { void create_empty_dir_as_root(const char *dir, mode_t mode) { assert(dir); + mode &= 07777; struct stat s; if (stat(dir, &s)) { @@ -709,6 +710,7 @@ void create_empty_dir_as_root(const char *dir, mode_t mode) { void create_empty_file_as_root(const char *fname, mode_t mode) { assert(fname); + mode &= 07777; struct stat s; if (stat(fname, &s)) { -- cgit v1.2.3-70-g09d2 From 94ad4edd5e41a26161fdf0c44f8a0dea77e3d120 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Thu, 17 Nov 2016 13:12:15 -0500 Subject: testing appimage --- src/firejail/appimage.c | 23 ++++++++++++++--------- test/appimage/appimage-v1.exp | 2 +- test/appimage/appimage.sh | 4 +++- test/appimage/filename.exp | 35 +++++++++++++++++++++++++++++++++++ 4 files changed, 53 insertions(+), 11 deletions(-) create mode 100755 test/appimage/filename.exp diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index 01a78c324..6a9ca1679 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c 
@@ -31,34 +31,39 @@ static char *devloop = NULL; // device file static char *mntdir = NULL; // mount point in /tmp directory -void appimage_set(const char *appimage_path) { - assert(appimage_path); +void appimage_set(const char *appimage) { + assert(appimage); assert(devloop == NULL); // don't call this twice! EUID_ASSERT(); #ifdef LOOP_CTL_GET_FREE // test for older kernels; this definition is found in /usr/include/linux/loop.h - // check appimage_path - if (access(appimage_path, R_OK) == -1) { + // check appimage file + invalid_filename(appimage); + if (access(appimage, R_OK) == -1) { fprintf(stderr, "Error: cannot access AppImage file\n"); exit(1); } // get appimage type and ELF size // a value of 0 means we are dealing with a type1 appimage - long unsigned int size = appimage2_size(appimage_path); + long unsigned int size = appimage2_size(appimage); if (arg_debug) printf("AppImage ELF size %lu\n", size); - // open as user to prevent race condition - int ffd = open(appimage_path, O_RDONLY|O_CLOEXEC); + // open appimage file + int ffd = open(appimage, O_RDONLY|O_CLOEXEC); if (ffd == -1) { - fprintf(stderr, "Error: /dev/loop-control interface is not supported by your kernel\n"); + fprintf(stderr, "Error: cannot open AppImage file\n"); exit(1); } // find or allocate a free loop device to use EUID_ROOT(); int cfd = open("/dev/loop-control", O_RDWR); + if (cfd == -1) { + fprintf(stderr, "Error: /dev/loop-control interface is not supported by your kernel\n"); + exit(1); + } int devnr = ioctl(cfd, LOOP_CTL_GET_FREE); if (devnr == -1) { fprintf(stderr, "Error: cannot allocate a new loopback device\n"); @@ -113,7 +118,7 @@ void appimage_set(const char *appimage_path) { EUID_USER(); // set environment - if (appimage_path && setenv("APPIMAGE", appimage_path, 1) < 0) + if (appimage && setenv("APPIMAGE", appimage, 1) < 0) errExit("setenv"); if (mntdir && setenv("APPDIR", mntdir, 1) < 0) errExit("setenv"); 
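Review bot: The comment `open as user to prevent race condition` was replaced by `open appimage file`, but the ordering it described still matters: `open(appimage, ...)` has to stay before `EUID_ROOT()` so the caller's permissions are enforced on the descriptor that is used afterwards. I would keep it as `// open as the calling user, before EUID_ROOT(), so file permissions apply to the descriptor we use`. The path is also resolved by name three times (`access()`, `appimage2_size()`, `open()`), so the `access()` result says nothing about `ffd`. Opening first and working from the descriptor would avoid that, although `appimage2_size()` is not shown here. `appimage_set()` continues between the two hunks.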
diff --git a/test/appimage/appimage-v1.exp b/test/appimage/appimage-v1.exp index 503da2b9b..f1c1c10f5 100755 --- a/test/appimage/appimage-v1.exp +++ b/test/appimage/appimage-v1.exp @@ -7,7 +7,7 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail --name=appimage-test --appimage Leafpad-0.8.17-x86_64.AppImage\r" +send -- "firejail --name=appimage-test --debug --appimage Leafpad-0.8.17-x86_64.AppImage\r" expect { timeout {puts "TESTING ERROR 1\n";exit} "Child process initialized" diff --git a/test/appimage/appimage.sh b/test/appimage/appimage.sh index 6a73d0a7e..db221ec8a 100755 --- a/test/appimage/appimage.sh +++ b/test/appimage/appimage.sh @@ -10,5 +10,7 @@ echo "TESTING: AppImage v1 (test/appimage/appimage-v1.exp)" ./appimage-v1.exp echo "TESTING: AppImage v2 (test/appimage/appimage-v2.exp)" -./appimage-v1.exp +./appimage-v2.exp +echo "TESTING: AppImage file name (test/appimage/filename.exp)"; +./filename.exp \ No newline at end of file diff --git a/test/appimage/filename.exp b/test/appimage/filename.exp new file mode 100755 index 000000000..ce8d70464 --- /dev/null +++ b/test/appimage/filename.exp @@ -0,0 +1,35 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --appimage \"bla;bla\"\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "is an invalid filename" +} +after 100 + +send -- "firejail --appimage /etc/shadow\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "cannot access" +} +after 100 + +send -- "firejail --appimage appimage.sh\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Error mounting appimage" +} +after 100 + + + + +puts "\nall done\n" + -- cgit v1.2.3-70-g09d2 From 8c2b460d143d8dda4a86b826c0920918aa15f1f7 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Fri, 18 Nov 2016 09:11:30 -0500 Subject: fcopy part 4 --- src/fcopy/main.c | 9 ++- src/firejail/firejail.h | 1 - src/firejail/fs_bin.c | 171 +++++-------------------------------------- src/firejail/fs_etc.c | 16 ++-- src/firejail/fs_home.c | 67 +++++++++-------- src/firejail/fs_hostname.c | 28 +++---- src/firejail/main.c | 1 - src/firejail/profile.c | 1 - src/firejail/sandbox.c | 1 - src/firemon/netstats.c | 3 + src/firemon/top.c | 3 + test/environment/dns.exp | 26 ++++++- test/fs/invalid_filename.exp | 15 ++++ test/fs/private-etc.exp | 34 ++++++++- test/fs/private-home.exp | 62 +++++++++++++++- 15 files changed, 211 insertions(+), 227 deletions(-) diff --git a/src/fcopy/main.c b/src/fcopy/main.c index 56d297c9a..e3a04a515 100644 --- a/src/fcopy/main.c +++ b/src/fcopy/main.c @@ -244,7 +244,7 @@ static void duplicate_file(const char *src, const char *dest, struct stat *s) { } static void duplicate_link(const char *src, const char *dest, struct stat *s) { - char *rsrc = check(src); + char *rsrc = check(src); // we drop the result and use the original name char *rdest = check(dest); uid_t uid = s->st_uid; gid_t gid = s->st_gid; @@ -252,7 +252,8 @@ static void duplicate_link(const char *src, const char *dest, struct stat *s) { // build destination file name char *name; - char *ptr = strrchr(rsrc, '/'); +// char *ptr = strrchr(rsrc, '/'); + char *ptr = strrchr(src, '/'); ptr++; if (asprintf(&name, "%s/%s", rdest, ptr) == -1) errExit("asprintf"); @@ -272,7 +273,7 @@ static void usage(void) { } int main(int argc, char **argv) { -//#if 0 +#if 0 { //system("cat /proc/self/status"); int i; @@ -280,7 +281,7 @@ for (i = 0; i < argc; i++) printf("*%s* ", argv[i]); printf("\n"); } -//#endif +#endif if (argc != 3) { fprintf(stderr, "Error fcopy: files missing\n"); usage(); diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 80627fda8..2562094d3 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h 
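Review bot: In `duplicate_link()`, `strrchr(src, '/')` now runs on the caller-supplied name instead of the `realpath()` result, so it returns NULL when `src` contains no slash and the following `ptr++` is undefined behaviour. `const char *ptr = strrchr(src, '/'); ptr = ptr ? ptr + 1 : src;` handles both forms. `rsrc` is now kept only for the side effect of `check()` and, as far as these hunks show, is never freed. The commented-out old line is better deleted than kept. The function continues past the hunk.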
@@ -587,7 +587,6 @@ void pulseaudio_init(void); void pulseaudio_disable(void); // fs_bin.c -void fs_check_bin_list(void); void fs_private_bin_list(void); // protocol.c diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index 6cc1bf3ab..421df717d 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c @@ -39,7 +39,6 @@ static char *paths[] = { // return 1 if found, 0 if not found static char *check_dir_or_file(const char *name) { assert(name); - invalid_filename(name); struct stat s; char *fname = NULL; 
@@ -94,68 +93,13 @@ static char *check_dir_or_file(const char *name) { return paths[i]; } -void fs_check_bin_list(void) { - EUID_ASSERT(); - if (strstr(cfg.bin_private_keep, "..")) { - fprintf(stderr, "Error: invalid private bin list\n"); +static void duplicate(char *fname) { + if (*fname == '~' || *fname == '/' || strstr(fname, "..")) { + fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname); exit(1); } - - char *dlist = strdup(cfg.bin_private_keep); - if (!dlist) - errExit("strdup"); - - // create a new list removing files not found - char *newlist = malloc(strlen(dlist) + 1 + 1); // +',' + '\0' - if (!newlist) - errExit("malloc"); - *newlist = '\0'; - char *newlistptr = newlist; - - // check the first file - char *ptr = strtok(dlist, ","); - int notfound = 0; - if (check_dir_or_file(ptr)) { - // file found, copy the name in the new list - strcpy(newlistptr, ptr); - strcat(newlistptr, ","); - newlistptr += strlen(newlistptr); - } - else - notfound = 1; - - // check the rest of the list - while ((ptr = strtok(NULL, ",")) != NULL) { - if (check_dir_or_file(ptr)) { - // file found, copy the name in the new list - strcpy(newlistptr, ptr); - strcat(newlistptr, ","); - newlistptr += strlen(newlistptr); - } - else - notfound = 1; - } - - if (*newlist == '\0') { -// fprintf(stderr, "Warning: no --private-bin list executable found, option disabled\n"); -// cfg.bin_private_keep = NULL; -// arg_private_bin = 0; - free(newlist); - } - else { - ptr = strrchr(newlist, ','); - assert(ptr); - *ptr = '\0'; - if (notfound && !arg_quiet) - fprintf(stderr, "Warning: not all executables from --private-bin list were found. The current list is %s\n", newlist); - - cfg.bin_private_keep = newlist; - } - - free(dlist); -} + invalid_filename(fname); -static void duplicate(char *fname) { char *path = check_dir_or_file(fname); if (!path) return; 
@@ -165,44 +109,9 @@ static void duplicate(char *fname) { if (asprintf(&full_path, "%s/%s", path, fname) == -1) errExit("asprintf"); - char *actual_path = realpath(full_path, NULL); - if (actual_path) { - // if the file is a symbolic link not under path, make a symbolic link - if (is_link(full_path) && strncmp(actual_path, path, strlen(path))) { - char *lnkname; - if (asprintf(&lnkname, "%s/%s", RUN_BIN_DIR, fname) == -1) - errExit("asprintf"); - int rv = symlink(actual_path, lnkname); - if (rv) - fprintf(stderr, "Warning cannot create symbolic link %s\n", lnkname); - else if (arg_debug) - printf("Created symbolic link %s -> %s\n", lnkname, actual_path); - free(lnkname); - } - else { - // copy the file - if (arg_debug) - printf("running: %s -a %s %s/%s", RUN_CP_COMMAND, actual_path, RUN_BIN_DIR, fname); - - pid_t child = fork(); - if (child < 0) - errExit("fork"); - if (child == 0) { - char *f; - if (asprintf(&f, "%s/%s", RUN_BIN_DIR, fname) == -1) - errExit("asprintf"); - clearenv(); - execlp(RUN_CP_COMMAND, RUN_CP_COMMAND, "-a", actual_path, f, NULL); - perror("execlp"); - _exit(1); - } - // wait for the child to finish - waitpid(child, NULL, 0); - - } - free(actual_path); - } - + // copy the file + sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, full_path, RUN_BIN_DIR); + fs_logger2("clone", fname); free(full_path); } 
@@ -214,42 +123,20 @@ void fs_private_bin_list(void) { // create /run/firejail/mnt/bin directory mkdir_attr(RUN_BIN_DIR, 0755, 0, 0); - // copy the list of files in the new etc directory - // using a new child process without root privileges - fs_logger_print(); // save the current log - pid_t child = fork(); - if (child < 0) - errExit("fork"); - if (child == 0) { - if (arg_debug) - printf("Copying files in the new home:\n"); + if (arg_debug) + printf("Copying files in the new bin directory\n"); - // elevate privileges - files in the new /bin directory belong to root - if (setreuid(0, 0) < 0) - errExit("setreuid"); - if (setregid(0, 0) < 0) - errExit("setregid"); - - // copy the list of files in the new home directory - char *dlist = strdup(private_list); - if (!dlist) - errExit("strdup"); - + // copy the list of files in the new home directory + char *dlist = strdup(private_list); + if (!dlist) + errExit("strdup"); - char *ptr = strtok(dlist, ","); + char *ptr = strtok(dlist, ","); + duplicate(ptr); + while ((ptr = strtok(NULL, ",")) != NULL) duplicate(ptr); - - while ((ptr = strtok(NULL, ",")) != NULL) - duplicate(ptr); - free(dlist); + free(dlist); fs_logger_print(); -#ifdef HAVE_GCOV - __gcov_flush(); -#endif - _exit(0); - } - // wait for the child to finish - waitpid(child, NULL, 0); // mount-bind int i = 0; @@ -265,29 +152,5 @@ void fs_private_bin_list(void) { } i++; } - - // log cloned files - char *dlist = strdup(private_list); - if (!dlist) - errExit("strdup"); - - - char *ptr = strtok(dlist, ","); - while (ptr) { - i = 0; - while (paths[i]) { - struct stat s; - if (stat(paths[i], &s) == 0) { - char *fname; - if (asprintf(&fname, "%s/%s", paths[i], ptr) == -1) - errExit("asprintf"); - fs_logger2("clone", fname); - free(fname); - } - i++; - } - ptr = strtok(NULL, ","); - } - free(dlist); } diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index 7d4ffa938..80329d5ba 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c 
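Review bot: `strtok(dlist, ",")` returns NULL when the list holds only separators, and the result goes straight into `duplicate(ptr)`, whose new first statement dereferences `*fname`. Writing the loop as `char *ptr = strtok(dlist, ","); while (ptr) { duplicate(ptr); ptr = strtok(NULL, ","); }` removes the unchecked first call. The list loop in `fs_private_etc_list()` in fs_etc.c has the same shape, and its `duplicate()` gains the same dereference in this commit. Whether an empty or comma-only list can reach this function is not visible in the hunk.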
@@ -26,11 +26,8 @@ // return 0 if file not found, 1 if found static int check_dir_or_file(const char *fname) { assert(fname); - invalid_filename(fname); struct stat s; - if (arg_debug) - printf("Checking %s\n", fname); if (stat(fname, &s) == -1) { if (arg_debug) printf("Warning: file %s not found.\n", fname); @@ -51,6 +48,12 @@ errexit: } static void duplicate(char *fname) { + if (*fname == '~' || *fname == '/' || strstr(fname, "..")) { + fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname); + exit(1); + } + invalid_filename(fname); + char *src; if (asprintf(&src, "/etc/%s", fname) == -1) errExit("asprintf"); @@ -61,7 +64,6 @@ static void duplicate(char *fname) { return; } - struct stat s; if (stat(src, &s) == 0 && S_ISDIR(s.st_mode)) { // create the directory in RUN_ETC_DIR @@ -84,12 +86,6 @@ void fs_private_etc_list(void) { char *private_list = cfg.etc_private_keep; assert(private_list); - struct stat s; - if (stat("/etc", &s) == -1) { - fprintf(stderr, "Error: cannot find user /etc directory\n"); - exit(1); - } - // create /run/firejail/mnt/etc directory mkdir_attr(RUN_ETC_DIR, 0755, 0, 0); fs_logger("tmpfs /etc"); diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index d8cd9ce4d..1612da5d3 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c @@ -212,12 +212,6 @@ void fs_private_homedir(void) { uid_t u = getuid(); gid_t g = getgid(); - struct stat s; - if (stat(homedir, &s) == -1) { - fprintf(stderr, "Error: cannot find user home directory\n"); - exit(1); - } - // mount bind private_homedir on top of homedir if (arg_debug) @@ -351,11 +345,9 @@ void fs_check_private_dir(void) { //*********************************************************************************** static char *check_dir_or_file(const char *name) { assert(name); - struct stat s; // basic checks invalid_filename(name); - if (arg_debug) printf("Private home: checking %s\n", name); 
@@ -372,28 +364,44 @@ static char *check_dir_or_file(const char *name) { fname = tmp; } - // check the file is in user home directory, a full home directory is not allowed - char *rname = realpath(fname, NULL); - if (!rname || - strncmp(rname, cfg.homedir, strlen(cfg.homedir)) != 0 || - strcmp(rname, cfg.homedir) == 0) { - fprintf(stderr, "Error: invalid file %s\n", name); - exit(1); + // we allow only files in user home directory or symbolic links to files or directories owned by the user + struct stat s; + if (lstat(fname, &s) == 0 && S_ISLNK(s.st_mode)) { + if (stat(fname, &s) == 0) { + if (s.st_uid != getuid()) { + fprintf(stderr, "Error: symbolic link %s to file or directory not owned by the user\n", fname); + exit(1); + } + return fname; + } + else { + fprintf(stderr, "Error: invalid file %s\n", name); + exit(1); + } } - - // only top files and directories in user home are allowed - char *ptr = rname + strlen(cfg.homedir); - assert(*ptr != '\0'); - ptr = strchr(++ptr, '/'); - if (ptr) { - if (*ptr != '\0') { - fprintf(stderr, "Error: only top files and directories in user home are allowed\n"); + else { + // check the file is in user home directory, a full home directory is not allowed + char *rname = realpath(fname, NULL); + if (!rname || + strncmp(rname, cfg.homedir, strlen(cfg.homedir)) != 0 || + strcmp(rname, cfg.homedir) == 0) { + fprintf(stderr, "Error: invalid file %s\n", name); exit(1); } + + // only top files and directories in user home are allowed + char *ptr = rname + strlen(cfg.homedir); + assert(*ptr != '\0'); + ptr = strchr(++ptr, '/'); + if (ptr) { + if (*ptr != '\0') { + fprintf(stderr, "Error: only top files and directories in user home are allowed\n"); + exit(1); + } + } + free(fname); + return rname; } - - free(fname); - return rname; } static void duplicate(char *name) { 
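Review bot: In the new symlink branch of `check_dir_or_file()`, the only test on the link target is `s.st_uid != getuid()` from a `stat()` by name, and the function then returns `fname`. Whatever copies the entry later resolves the link again and may see a different target than the one checked, and the home-directory confinement from the `else` branch is skipped for links. If that policy is intended, a comment such as `// links may point outside the home directory; only target ownership is enforced` would make it explicit, and the copy step should re-verify ownership on the object it opens. Separately, in the `else` branch `strncmp(rname, cfg.homedir, strlen(cfg.homedir))` also matches a sibling path that merely shares the prefix; requiring `rname[strlen(cfg.homedir)] == '/'` closes that. The function begins before this hunk.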
@@ -405,7 +413,7 @@ static void duplicate(char *name) { assert(strncmp(fname, cfg.homedir, strlen(cfg.homedir)) == 0); struct stat s; - if (stat(fname, &s) == -1) { + if (lstat(fname, &s) == -1) { free(fname); return; } @@ -445,11 +453,6 @@ void fs_private_home_list(void) { uid_t uid = getuid(); gid_t gid = getgid(); - struct stat s; - if (stat(homedir, &s) == -1) { - fprintf(stderr, "Error: cannot find user home directory\n"); - exit(1); - } // create /run/firejail/mnt/home directory mkdir_attr(RUN_HOME_DIR, 0755, uid, gid); diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c index 04197eb8f..dcf06fc6f 100644 --- a/src/firejail/fs_hostname.c +++ b/src/firejail/fs_hostname.c @@ -33,15 +33,7 @@ void fs_hostname(const char *hostname) { if (arg_debug) printf("Creating a new /etc/hostname file\n"); - FILE *fp = fopen(RUN_HOSTNAME_FILE, "w"); - if (!fp) { - fprintf(stderr, "Error: cannot create %s\n", RUN_HOSTNAME_FILE); - exit(1); - } - fprintf(fp, "%s\n", hostname); - // mode and owner - SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); - fclose(fp); + create_empty_file_as_root(RUN_HOSTNAME_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); // bind-mount the file on top of /etc/hostname if (mount(RUN_HOSTNAME_FILE, "/etc/hostname", NULL, MS_BIND|MS_REC, NULL) < 0) @@ -56,15 +48,12 @@ void fs_hostname(const char *hostname) { // copy /etc/host into our new file, and modify it on the fly /* coverity[toctou] */ FILE *fp1 = fopen("/etc/hosts", "r"); - if (!fp1) { - fprintf(stderr, "Error: cannot open /etc/hosts\n"); - exit(1); - } + if (!fp1) + goto errexit; + FILE *fp2 = fopen(RUN_HOSTS_FILE, "w"); - if (!fp2) { - fprintf(stderr, "Error: cannot create %s\n", RUN_HOSTS_FILE); - exit(1); - } + if (!fp2) + goto errexit; char buf[4096]; int done = 0; 
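Review bot: In the first `fs_hostname()` hunk of fs_hostname.c the removed block wrote the name into `RUN_HOSTNAME_FILE` with `fprintf(fp, "%s\n", hostname);`, while the replacement only calls `create_empty_file_as_root()`, so the file that is then bind-mounted over `/etc/hostname` appears to stay empty. The helper is defined outside this diff; if it does what its name says, the sandbox no longer sees the requested name in `/etc/hostname`. Keeping the write after the helper call (open `RUN_HOSTNAME_FILE` for writing, `fprintf(fp, "%s\n", hostname);`, `fclose(fp);`) would restore the previous behaviour. The second hunk of the same function routes both `fopen()` failures to the `errexit` label added in the file's last hunk, whose message `cannot create hostname file` no longer says whether `/etc/hosts` or `RUN_HOSTS_FILE` was the problem.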
@@ -92,6 +81,11 @@ void fs_hostname(const char *hostname) { errExit("mount bind /etc/hosts"); fs_logger("create /etc/hosts"); } + return; + +errexit: + fprintf(stderr, "Error: cannot create hostname file\n"); + exit(1); } void fs_resolvconf(void) { diff --git a/src/firejail/main.c b/src/firejail/main.c index 5bfa04cc9..ff7b762cd 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1634,7 +1634,6 @@ int main(int argc, char **argv) { exit(1); } arg_private_bin = 1; - fs_check_bin_list(); } else if (strcmp(argv[i], "--private-tmp") == 0) { arg_private_tmp = 1; diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 693b1dc30..688fa9609 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -745,7 +745,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { if (strncmp(ptr, "private-bin ", 12) == 0) { cfg.bin_private_keep = ptr + 12; arg_private_bin = 1; - fs_check_bin_list(); return 0; } diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 109daf552..c2e053b0c 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -696,7 +696,6 @@ int sandbox(void* sandbox_arg) { if (asprintf(&tmp, "%s,xauth", cfg.bin_private_keep) == -1) errExit("asprintf"); cfg.bin_private_keep = tmp; - fs_check_bin_list(); EUID_ROOT(); } fs_private_bin_list(); diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c index 3c020d630..534d783cb 100644 --- a/src/firemon/netstats.c +++ b/src/firemon/netstats.c @@ -216,6 +216,9 @@ void netstats(void) { print_proc(i, itv, col); } } +#ifdef HAVE_GCOV + __gcov_flush(); +#endif } } diff --git a/src/firemon/top.c b/src/firemon/top.c index b804761dd..94271523c 100644 --- a/src/firemon/top.c +++ b/src/firemon/top.c @@ -292,6 +292,9 @@ void top(void) { } } head_print(col, row); +#ifdef HAVE_GCOV + __gcov_flush(); +#endif } } diff --git a/test/environment/dns.exp b/test/environment/dns.exp index 6ffb124cf..a6a7171eb 100755 --- a/test/environment/dns.exp 
+++ b/test/environment/dns.exp @@ -22,9 +22,33 @@ expect { timeout {puts "TESTING ERROR 1.2\n";exit} "53" } - after 100 send -- "rm index.html\r" after 100 +send -- "exit\r" +sleep 1 + +send -- "firejail --dns=8.8.4.4 --dns=8.8.8.8 --dns=4.2.2.1\r" +expect { + timeout {puts "TESTING ERROR 2.1\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "cat /etc/resolv.conf\r" +expect { + timeout {puts "TESTING ERROR 2.2\n";exit} + "nameserver 8.8.4.4" +} +expect { + timeout {puts "TESTING ERROR 2.3\n";exit} + "nameserver 8.8.8.8" +} +expect { + timeout {puts "TESTING ERROR 2.4\n";exit} + "nameserver 4.2.2.1" +} +after 100 + puts "\nall done\n" diff --git a/test/fs/invalid_filename.exp b/test/fs/invalid_filename.exp index 1acc85491..a6efc24b6 100755 --- a/test/fs/invalid_filename.exp +++ b/test/fs/invalid_filename.exp @@ -109,6 +109,21 @@ expect { } after 100 +send -- "firejail --debug-check-filename --noprofile --private-home=\"bla&&bla\"\r" +expect { + timeout {puts "TESTING ERROR 8.1\n";exit} + "Checking filename bla&&bla" +} +expect { + timeout {puts "TESTING ERROR 8.2\n";exit} + "Error:" +} +expect { + timeout {puts "TESTING ERROR 8.3\n";exit} + "is an invalid filename" +} +after 100 + send -- "firejail --debug-check-filename --noprofile --private-etc=\"bla&&bla\"\r" expect { timeout {puts "TESTING ERROR 9.1\n";exit} diff --git a/test/fs/private-etc.exp b/test/fs/private-etc.exp index e692f7382..36b5d247c 100755 --- a/test/fs/private-etc.exp +++ b/test/fs/private-etc.exp 
@@ -33,12 +33,40 @@ expect { "resolv.conf" } -send -- "ls -al /etc; echo done\r" + +send -- "file /etc/shadow\r" expect { timeout {puts "TESTING ERROR 7\n";exit} - "shadow" {puts "TESTING ERROR 8\n";exit} - "done" + "No such file or directory" +} +after 100 +send -- "exit\r" +sleep 1 + +send -- "firejail --private-etc=shadow\r" +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "invalid file type" +} +after 100 + +send -- "firejail --private-etc=\"bla;bla\"\r" +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "is an invalid filename" } +after 100 + +send -- "firejail --private-etc=../bin/ls\r" +expect { + timeout {puts "TESTING ERROR 10\n";exit} + "is an invalid filename" +} +after 100 + + + + after 100 puts "\nall done\n" diff --git a/test/fs/private-home.exp b/test/fs/private-home.exp index de5a88dea..3840d1cb8 100755 --- a/test/fs/private-home.exp +++ b/test/fs/private-home.exp @@ -9,11 +9,19 @@ match_max 100000 # create some test files in user home directory send -- "touch ~/_firejail_test_file1\r" +after 100 send -- "touch ~/_firejail_test_file2\r" +after 100 send -- "mkdir ~/_firejail_test_dir1\r" +after 100 send -- "mkdir ~/_firejail_test_dir1/_firejail_test_dir2\r" +after 100 send -- "touch ~/_firejail_test_dir1/_firejail_test_dir2/_firejail_test_file3\r" after 100 +send -- "ln -s /etc ~/_firejail_test_link1\r" +after 100 +send -- "ln -s ~/_firejail_test_dir1 ~/_firejail_test_link2\r" +after 100 send -- "firejail --private-home=_firejail_test_file1,_firejail_test_file2,_firejail_test_dir1\r" expect { 
@@ -37,8 +45,58 @@ expect { } after 100 -send -- "rm -f ~/_firejail_test_file*\r" -send -- "rm -fr ~/_firejail_test_dir*\r" +send -- "exit\r" +sleep 1 + +send -- "firejail --private-home=\"bla;bla\"\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "is an invalid filename" +} +after 100 + +send -- "firejail --private-home=/etc/shadow\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "invalid file" +} +after 100 + +send -- "firejail --private-home=/etc/passwd\r" +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "invalid file" +} +after 100 + +send -- "firejail --private-home=../../etc/passwd\r" +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "invalid file" +} +after 100 + +send -- "firejail --private-home=_firejail_test_link1\r" +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "to file or directory not owned by the user" +} +after 100 + +send -- "firejail --private-home=_firejail_test_link2\r" +expect { + timeout {puts "TESTING ERROR 10\n";exit} + "Child process initialized" +} +after 100 +send -- "file file ~/_firejail_test_link2\r" +expect { + timeout {puts "TESTING ERROR 11\n";exit} + "broken symbolic link" +} +send -- "exit\r" + +send -- "rm -f ~/_firejail_test*\r" after 100 puts "\nall done\n" -- cgit v1.2.3-70-g09d2 From 4840712323d034e7452f63d6f747cc6a78d364c0 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 18 Nov 2016 10:09:26 -0500 Subject: cleanup --- README.md | 4 ++++ RELNOTES | 3 +++ src/fcopy/main.c | 3 +++ src/firejail/fs_home.c | 1 - 4 files changed, 10 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index ad90639e2..b29ad476e 100644 --- a/README.md +++ b/README.md @@ -50,6 +50,10 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is # Current development version: 0.9.45 ````` +````` +## AppImage type 2 support +````` + ````` ## New Profiles xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom,Guayadeque 
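Review bot: The cleanup at the end of private-home.exp now sends only `rm -f ~/_firejail_test*`, and without `-r` that leaves `~/_firejail_test_dir1` and its contents in the user's home after every run; the removed lines used `rm -fr` for the directories. `send -- "rm -fr ~/_firejail_test*\r"` removes files, links and directories in one go. Case 11 also sends `file file ~/_firejail_test_link2`, where the doubled `file` makes the command inspect a path named `file` as well; it still matches the expected text but is presumably a typo.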
diff --git a/RELNOTES b/RELNOTES index e726674ec..38da86b6e 100644 --- a/RELNOTES +++ b/RELNOTES @@ -5,7 +5,10 @@ firejail (0.9.45) baseline; urgency=low * security: invalid environment exploit found by Martin Carpenter * security: split most of networking code in a separate executable * security: split seccomp filter code configuration in a separate executable + * security: split file copying in private option in a separate executable * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm) + * feature: AppImage type 2 support + * feature: test coverage (gcov) support * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, * new profiles: mumble, zoom, Guayadeque * bugfixes diff --git a/src/fcopy/main.c b/src/fcopy/main.c index e3a04a515..b1e2813db 100644 --- a/src/fcopy/main.c +++ b/src/fcopy/main.c @@ -102,6 +102,9 @@ static void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) { } void copy_link(const char *target, const char *linkpath, mode_t mode, uid_t uid, gid_t gid) { + (void) mode; + (void) uid; + (void) gid; char *rp = realpath(target, NULL); if (rp) { if (symlink(rp, linkpath) == -1) diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 1612da5d3..1f8da398e 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c @@ -406,7 +406,6 @@ static char *check_dir_or_file(const char *name) { static void duplicate(char *name) { char *fname = check_dir_or_file(name); - char *dest = RUN_HOME_DIR; if (arg_debug) printf("Private home: duplicating %s\n", fname); -- cgit v1.2.3-70-g09d2 From 4d2059df3b50b8eb8897ef66f702f55f0d54eabc Mon Sep 17 00:00:00 2001 
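Review bot: The three `(void)` casts added to `copy_link()` in src/fcopy/main.c silence the unused-parameter warnings without recording why a link copy ignores the requested attributes. A one-line comment above them, e.g. `// symlink: mode, uid and gid are intentionally not applied`, would keep a later reader from assuming ownership is propagated. If the new link is expected to belong to the caller, `lchown(linkpath, uid, gid)` after a successful `symlink()` is the call that does it; whether that is wanted depends on callers outside this hunk. The function body continues past the hunk.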
From: valoq Date: Fri, 18 Nov 2016 21:23:04 +0100 Subject: various fixes --- etc/empathy.profile | 2 ++ etc/keepass2.profile | 6 ++++++ etc/kmail.profile | 2 +- etc/mupdf.profile | 2 +- etc/qemu-launcher.profile | 20 ++++++++++++++++++++ etc/qemu-system-x86_64.profile | 18 ++++++++++++++++++ platform/debian/conffiles | 3 +++ src/firecfg/firecfg.config | 3 +++ 8 files changed, 54 insertions(+), 2 deletions(-) create mode 100644 etc/keepass2.profile create mode 100644 etc/qemu-launcher.profile create mode 100644 etc/qemu-system-x86_64.profile diff --git a/etc/empathy.profile b/etc/empathy.profile index 371100814..2a0a6389c 100644 --- a/etc/empathy.profile +++ b/etc/empathy.profile @@ -6,5 +6,7 @@ include /etc/firejail/disable-devel.inc caps.drop all netfilter nonewprivs +nogroups +noroot protocol unix,inet,inet6 seccomp diff --git a/etc/keepass2.profile b/etc/keepass2.profile new file mode 100644 index 000000000..fd390f7ed --- /dev/null +++ b/etc/keepass2.profile @@ -0,0 +1,6 @@ +# keepass password manager profile + +#noblacklist ${HOME}/.config/KeePass +#noblacklist ${HOME}/.keepass + +include /etc/firejail/keepass.profile diff --git a/etc/kmail.profile b/etc/kmail.profile index bc21ba604..410ff36c6 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile @@ -16,4 +16,4 @@ seccomp tracelog private-dev -private-tmp +# private-tmp diff --git a/etc/mupdf.profile b/etc/mupdf.profile index e022866e8..dc23d5840 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile 
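Review bot: The kmail.profile hunk turns `private-tmp` into `# private-tmp`, which hands the sandboxed program the shared `/tmp` again, and neither the profile nor the commit message says why. A short reason next to the line, e.g. `# private-tmp - disabled: <reason or issue reference>` with the real reason filled in, lets a later maintainer re-enable it once the cause is gone. The commented-out `noblacklist` lines in the new keepass2.profile have the same problem: they read as leftovers unless explained.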
@@ -16,7 +16,7 @@ net none shell none tracelog -#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev +#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev private-bin mupdf private-tmp diff --git a/etc/qemu-launcher.profile b/etc/qemu-launcher.profile new file mode 100644 index 000000000..9fa8a91d4 --- /dev/null +++ b/etc/qemu-launcher.profile @@ -0,0 +1,20 @@ +# qemu-launcher profile + +noblacklist ~/.qemu-launcher + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +private-tmp + diff --git a/etc/qemu-system-x86_64.profile b/etc/qemu-system-x86_64.profile new file mode 100644 index 000000000..3d4587fb1 --- /dev/null +++ b/etc/qemu-system-x86_64.profile @@ -0,0 +1,18 @@ +# qemu profile + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +private-tmp + 
diff --git a/platform/debian/conffiles b/platform/debian/conffiles index c6187628c..6377c7426 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -79,6 +79,7 @@ /etc/firejail/inox.profile /etc/firejail/jitsi.profile /etc/firejail/keepass.profile +/etc/firejail/keepass2.profile /etc/firejail/keepassx.profile /etc/firejail/kmail.profile /etc/firejail/konversation.profile @@ -117,6 +118,8 @@ /etc/firejail/polari.profile /etc/firejail/psi-plus.profile /etc/firejail/qbittorrent.profile +/etc/firejail/qemu-launcher.profile +/etc/firejail/qemu-system-x86_64.profile /etc/firejail/qpdfview.profile /etc/firejail/qtox.profile /etc/firejail/quassel.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index f18bf8c86..d10d59657 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -82,6 +82,8 @@ mupen64plus wine dosbox virtualbox +qemu-launcher +qemu-system-x86_64 # games 0ad @@ -154,6 +156,7 @@ atom-beta atom ranger keepass +keepass2 keepassx xiphos -- cgit v1.2.3-70-g09d2 From 1c539a83dd277a7627af995f90565dadc73872a2 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 19 Nov 2016 07:10:51 -0500 Subject: testing --- test/environment/environment.sh | 11 +++++++++++ test/environment/ibus.exp | 28 ++++++++++++++++++++++++++++ test/fs/private-bin.exp | 22 ++++++++++++++++++++++ 3 files changed, 61 insertions(+) create mode 100755 test/environment/ibus.exp diff --git a/test/environment/environment.sh b/test/environment/environment.sh index 5c4d49331..c2a6c435a 100755 --- a/test/environment/environment.sh +++ b/test/environment/environment.sh @@ -6,6 +6,7 @@ export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) + echo "TESTING: DNS (test/environment/dns.exp)" ./dns.exp 
@@ -85,3 +86,13 @@ else echo "TESTING SKIP: strace not found" fi +# to install ibus: +# $ sudo apt-get install ibus-table-array30 +# $ ibus-setup + +find ~/.config/ibus/bus | grep unix-0 +if [ "$?" -eq 0 ]; +then + echo "TESTING: ibus (test/environment/ibus.exp)" + ./ibus.exp +fi diff --git a/test/environment/ibus.exp b/test/environment/ibus.exp new file mode 100755 index 000000000..4344011a6 --- /dev/null +++ b/test/environment/ibus.exp @@ -0,0 +1,28 @@ +#!/usr/bin/expect -f + +set timeout 10 +cd /home +spawn $env(SHELL) +match_max 100000 + +send -- "firejail\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +after 100 + +send -- "env | grep IBUS\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "IBUS_ADDRESS" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "IBUS_DAEMON_PID" +} +after 100 + + +puts "\nall done\n" + diff --git a/test/fs/private-bin.exp b/test/fs/private-bin.exp index fe9468be9..f7181d218 100755 --- a/test/fs/private-bin.exp +++ b/test/fs/private-bin.exp @@ -65,6 +65,28 @@ expect { "sh" } send -- "exit\r" +after 100 + + +send -- "firejail --private-bin=/etc/shadow\r" +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "invalid filename" +} +after 100 + +send -- "firejail --private-bin=\"bla;bla\"\r" +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "is an invalid filename" +} +after 100 + +send -- "firejail --private-etc=../bin/ls\r" +expect { + timeout {puts "TESTING ERROR 10\n";exit} + "is an invalid filename" +} after 100 puts "\nall done\n" -- cgit v1.2.3-70-g09d2 From d30ae468d925199359aa7c6d4cdec7e9e15587dd Mon Sep 17 00:00:00 2001 
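Review bot: The last case added to test/fs/private-bin.exp sends `firejail --private-etc=../bin/ls`, the same command the private-etc test already covers, so the `..` rejection for `--private-bin` is not exercised by this file. It looks like a copy-and-paste slip. `send -- "firejail --private-bin=../bin/ls\r"` would test the option this script is about, with the expected text adjusted to whatever private-bin prints (case 8 in the same hunk expects `invalid filename`).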
From: netblue30 Date: Sat, 19 Nov 2016 09:49:09 -0500 Subject: testing --- Makefile.in | 7 +--- test/chroot-resolvconf.exp | 14 ------- test/chroot/chroot-resolvconf.exp | 14 +++++++ test/chroot/fs_chroot.exp | 68 +++++++++++++++++++++++++++++++++ test/environment/environment.sh | 15 ++++++++ test/environment/rlimit-bad-profile.exp | 35 +++++++++++++++++ test/environment/rlimit-bad.exp | 34 +++++++++++++++++ test/environment/rlimit-bad1.profile | 1 + test/environment/rlimit-bad2.profile | 1 + test/environment/rlimit-bad3.profile | 1 + test/environment/rlimit-bad4.profile | 1 + test/environment/rlimit-profile.exp | 33 ++++++++++++++++ test/environment/rlimit.exp | 37 ++++++++++++++++++ test/environment/rlimit.profile | 4 ++ test/fs_chroot.exp | 68 --------------------------------- test/rlimit/rlimit-profile.exp | 33 ---------------- test/rlimit/rlimit.exp | 37 ------------------ test/rlimit/rlimit.profile | 4 -- test/rlimit/rlimit.sh | 14 ------- 19 files changed, 246 insertions(+), 175 deletions(-) delete mode 100755 test/chroot-resolvconf.exp create mode 100755 test/chroot/chroot-resolvconf.exp create mode 100755 test/chroot/fs_chroot.exp create mode 100755 test/environment/rlimit-bad-profile.exp create mode 100755 test/environment/rlimit-bad.exp create mode 100644 test/environment/rlimit-bad1.profile create mode 100644 test/environment/rlimit-bad2.profile create mode 100644 test/environment/rlimit-bad3.profile create mode 100644 test/environment/rlimit-bad4.profile create mode 100755 test/environment/rlimit-profile.exp create mode 100755 test/environment/rlimit.exp create mode 100644 test/environment/rlimit.profile delete mode 100755 test/fs_chroot.exp delete mode 100755 test/rlimit/rlimit-profile.exp delete mode 100755 test/rlimit/rlimit.exp delete mode 100644 test/rlimit/rlimit.profile delete mode 100755 test/rlimit/rlimit.sh diff --git a/Makefile.in b/Makefile.in index 6501989a9..772dc8c06 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -147,7 +147,7 @@ uninstall: rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg DISTFILES = "src etc platform configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES" -DISTFILES_TEST = "test/rlimit test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils" +DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils" dist: mv config.status config.status.old @@ -225,13 +225,10 @@ test-arguments: test-fs: cd test/fs; ./fs.sh | grep TESTING -test-rlimit: - cd test/rlimit; ./rlimit.sh | grep TESTING - test-fcopy: cd test/fcopy; ./fcopy.sh | grep TESTING -test: test-profiles test-fcopy test-fs test-utils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments test-rlimit +test: test-profiles test-fcopy test-fs test-utils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments echo "TEST COMPLETE" ########################################## diff --git a/test/chroot-resolvconf.exp b/test/chroot-resolvconf.exp deleted file mode 100755 index 2d0da2fb0..000000000 --- a/test/chroot-resolvconf.exp +++ /dev/null @@ -1,14 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --chroot=/tmp/chroot /bin/bash\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "invalid /tmp/chroot/etc/resolv.conf file" -} - -puts "\nall done\n" - diff --git a/test/chroot/chroot-resolvconf.exp b/test/chroot/chroot-resolvconf.exp new file mode 100755 index 000000000..2d0da2fb0 --- /dev/null +++ b/test/chroot/chroot-resolvconf.exp 
@@ -0,0 +1,14 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --chroot=/tmp/chroot /bin/bash\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "invalid /tmp/chroot/etc/resolv.conf file" +} + +puts "\nall done\n" + diff --git a/test/chroot/fs_chroot.exp b/test/chroot/fs_chroot.exp new file mode 100755 index 000000000..aeb5669e1 --- /dev/null +++ b/test/chroot/fs_chroot.exp @@ -0,0 +1,68 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --chroot=/tmp/chroot\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Error: --chroot option is not available on Grsecurity systems" {puts "\nall done\n"; exit} + "Child process initialized" {puts "chroot available\n"}; +} +sleep 1 + +send -- "cd /home;pwd\r" +expect { + timeout {puts "TESTING ERROR 0.1\n";exit} + "home" +} +sleep 1 +send -- "bash\r" +sleep 1 +send -- "ls /; pwd\r" +expect { + timeout {puts "TESTING ERROR 0.2\n";exit} + "this-is-my-chroot" +} +expect { + timeout {puts "TESTING ERROR 0.3\n";exit} + "home" +} + + + +send -- "ps aux; pwd\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "/bin/bash" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "bash" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "ps aux" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "home" +} +sleep 1 + + +send -- "ps aux |wc -l; pwd\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "6" +} +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "home" +} +sleep 1 + + +puts "all done\n" + diff --git a/test/environment/environment.sh b/test/environment/environment.sh index c2a6c435a..2bb5a249e 100755 --- a/test/environment/environment.sh +++ b/test/environment/environment.sh 
@@ -95,4 +95,19 @@ if [ "$?" -eq 0 ]; then echo "TESTING: ibus (test/environment/ibus.exp)" ./ibus.exp +else + echo "TESTING SKIP: ibus not configured" fi + +echo "TESTING: rlimit (test/rlimit/rlimit.exp)" +./rlimit.exp + +echo "TESTING: rlimit profile (test/rlimit/rlimit-profile.exp)" +./rlimit-profile.exp + +echo "TESTING: rlimit errors (test/rlimit/rlimit-bad.exp)" +./rlimit-bad.exp + +echo "TESTING: rlimit errors profile (test/rlimit/rlimit-bad-profile.exp)" +./rlimit-bad-profile.exp + diff --git a/test/environment/rlimit-bad-profile.exp b/test/environment/rlimit-bad-profile.exp new file mode 100755 index 000000000..80693a4a0 --- /dev/null +++ b/test/environment/rlimit-bad-profile.exp @@ -0,0 +1,35 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + + +send -- "firejail --profile=rlimit-bad1.profile\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Invalid rlimit option" +} +after 100 + +send -- "firejail --profile=rlimit-bad2.profile\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "Invalid rlimit option" +} +after 100 + +send -- "firejail --profile=rlimit-bad3.profile\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "Invalid rlimit option" +} +after 100 +send -- "firejail --profile=rlimit-bad4.profile\r" +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "Invalid rlimit option" +} +after 100 + +puts "\nall done\n" diff --git a/test/environment/rlimit-bad.exp b/test/environment/rlimit-bad.exp new file mode 100755 index 000000000..574e7e174 --- /dev/null +++ b/test/environment/rlimit-bad.exp 
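Review bot: The four `echo "TESTING: rlimit ..."` lines added to environment.sh still name `test/rlimit/...` although this commit moves the scripts to test/environment, so a failure report points at a directory that no longer exists. Updating the labels, e.g. `echo "TESTING: rlimit (test/environment/rlimit.exp)"`, keeps them in line with the DNS and ibus entries in the same script.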
@@ -0,0 +1,34 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --rlimit-fsize=-1024\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "invalid rlimt fsize" +} +after 100 + +send -- "firejail --rlimit-nofile=asdf\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "invalid rlimt nofile" +} +after 100 + +send -- "firejail --rlimit-nproc=100.23\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "invalid rlimt nproc" +} +after 100 +send -- "firejail --rlimit-sigpending=2345-78\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "invalid rlimt sigpending" +} +after 100 + +puts "\nall done\n" diff --git a/test/environment/rlimit-bad1.profile b/test/environment/rlimit-bad1.profile new file mode 100644 index 000000000..b6d3340d8 --- /dev/null +++ b/test/environment/rlimit-bad1.profile @@ -0,0 +1 @@ +rlimit-fsize -1024 diff --git a/test/environment/rlimit-bad2.profile b/test/environment/rlimit-bad2.profile new file mode 100644 index 000000000..ef3f243c6 --- /dev/null +++ b/test/environment/rlimit-bad2.profile @@ -0,0 +1 @@ +rlimit-nofile asdf diff --git a/test/environment/rlimit-bad3.profile b/test/environment/rlimit-bad3.profile new file mode 100644 index 000000000..af016a29f --- /dev/null +++ b/test/environment/rlimit-bad3.profile @@ -0,0 +1 @@ +rlimit-nproc 100.23 diff --git a/test/environment/rlimit-bad4.profile b/test/environment/rlimit-bad4.profile new file mode 100644 index 000000000..aabe3d008 --- /dev/null +++ b/test/environment/rlimit-bad4.profile @@ -0,0 +1 @@ +rlimit-sigpending 67asd56 \ No newline at end of file diff --git a/test/environment/rlimit-profile.exp b/test/environment/rlimit-profile.exp new file mode 100755 index 000000000..a9e54a405 --- /dev/null +++ b/test/environment/rlimit-profile.exp 
@@ -0,0 +1,33 @@ +#!/usr/bin/expect -f + +set timeout 10 +#cd /home +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --profile=rlimit.profile\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "cat /proc/self/limits\r" +expect { + timeout {puts "TESTING ERROR 1.1\n";exit} + "Max file size 1024 1024" +} +expect { + timeout {puts "TESTING ERROR 1.2\n";exit} + "Max processes 1000 1000" +} +expect { + timeout {puts "TESTING ERROR 1.3\n";exit} + "Max open files 500 500" +} +expect { + timeout {puts "TESTING ERROR 1.4\n";exit} + "Max pending signals 200 200" +} +after 100 +puts "\nall done\n" diff --git a/test/environment/rlimit.exp b/test/environment/rlimit.exp new file mode 100755 index 000000000..611f69821 --- /dev/null +++ b/test/environment/rlimit.exp @@ -0,0 +1,37 @@ +#!/usr/bin/expect -f + +set timeout 10 +cd /home +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --rlimit-fsize=1024 --rlimit-nproc=1000 --rlimit-nofile=500 --rlimit-sigpending=200\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "cat /proc/self/limits; pwd\r" +expect { + timeout {puts "TESTING ERROR 1.1\n";exit} + "Max file size 1024 1024" +} +expect { + timeout {puts "TESTING ERROR 1.2\n";exit} + "Max processes 1000 1000" +} +expect { + timeout {puts "TESTING ERROR 1.3\n";exit} + "Max open files 500 500" +} +expect { + timeout {puts "TESTING ERROR 1.4\n";exit} + "Max pending signals 200 200" +} +expect { + timeout {puts "TESTING ERROR 1.5\n";exit} + "home" +} +after 100 +puts "\n" diff --git a/test/environment/rlimit.profile b/test/environment/rlimit.profile new file mode 100644 index 000000000..271891c03 --- /dev/null +++ b/test/environment/rlimit.profile @@ -0,0 +1,4 @@ + rlimit-fsize 1024 +rlimit-nproc 1000 + rlimit-nofile 500 +rlimit-sigpending 200 \ No newline at end of file 
diff --git a/test/fs_chroot.exp b/test/fs_chroot.exp deleted file mode 100755 index aeb5669e1..000000000 --- a/test/fs_chroot.exp +++ /dev/null @@ -1,68 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --chroot=/tmp/chroot\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Error: --chroot option is not available on Grsecurity systems" {puts "\nall done\n"; exit} - "Child process initialized" {puts "chroot available\n"}; -} -sleep 1 - -send -- "cd /home;pwd\r" -expect { - timeout {puts "TESTING ERROR 0.1\n";exit} - "home" -} -sleep 1 -send -- "bash\r" -sleep 1 -send -- "ls /; pwd\r" -expect { - timeout {puts "TESTING ERROR 0.2\n";exit} - "this-is-my-chroot" -} -expect { - timeout {puts "TESTING ERROR 0.3\n";exit} - "home" -} - - - -send -- "ps aux; pwd\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "/bin/bash" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "bash" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "ps aux" -} -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "home" -} -sleep 1 - - -send -- "ps aux |wc -l; pwd\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "6" -} -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "home" -} -sleep 1 - - -puts "all done\n" - diff --git a/test/rlimit/rlimit-profile.exp b/test/rlimit/rlimit-profile.exp deleted file mode 100755 index a9e54a405..000000000 --- a/test/rlimit/rlimit-profile.exp +++ /dev/null 
@@ -1,33 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -#cd /home -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --profile=rlimit.profile\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "cat /proc/self/limits\r" -expect { - timeout {puts "TESTING ERROR 1.1\n";exit} - "Max file size 1024 1024" -} -expect { - timeout {puts "TESTING ERROR 1.2\n";exit} - "Max processes 1000 1000" -} -expect { - timeout {puts "TESTING ERROR 1.3\n";exit} - "Max open files 500 500" -} -expect { - timeout {puts "TESTING ERROR 1.4\n";exit} - "Max pending signals 200 200" -} -after 100 -puts "\nall done\n" diff --git a/test/rlimit/rlimit.exp b/test/rlimit/rlimit.exp deleted file mode 100755 index 611f69821..000000000 --- a/test/rlimit/rlimit.exp +++ /dev/null @@ -1,37 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -cd /home -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --rlimit-fsize=1024 --rlimit-nproc=1000 --rlimit-nofile=500 --rlimit-sigpending=200\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "cat /proc/self/limits; pwd\r" -expect { - timeout {puts "TESTING ERROR 1.1\n";exit} - "Max file size 1024 1024" -} -expect { - timeout {puts "TESTING ERROR 1.2\n";exit} - "Max processes 1000 1000" -} -expect { - timeout {puts "TESTING ERROR 1.3\n";exit} - "Max open files 500 500" -} -expect { - timeout {puts "TESTING ERROR 1.4\n";exit} - "Max pending signals 200 200" -} -expect { - timeout {puts "TESTING ERROR 1.5\n";exit} - "home" -} -after 100 -puts "\n" diff --git a/test/rlimit/rlimit.profile b/test/rlimit/rlimit.profile deleted file mode 100644 index 271891c03..000000000 --- a/test/rlimit/rlimit.profile +++ /dev/null @@ -1,4 +0,0 @@ - rlimit-fsize 1024 -rlimit-nproc 1000 - rlimit-nofile 500 -rlimit-sigpending 200 \ No newline at end of file diff --git a/test/rlimit/rlimit.sh b/test/rlimit/rlimit.sh deleted file mode 100755 index d85497176..000000000 
--- a/test/rlimit/rlimit.sh +++ /dev/null @@ -1,14 +0,0 @@ -#!/bin/bash -# This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors -# License GPL v2 - -export MALLOC_CHECK_=3 -export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) - -echo "TESTING: rlimit (test/rlimit/rlimit.exp)" -./rlimit.exp - -echo "TESTING: rlimit profile (test/rlimit/rlimit-profile.exp)" -./rlimit-profile.exp - -- cgit v1.2.3-70-g09d2 From fe8ed9b3abb32ec8b6dff8a0ae36038504ebc0e8 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 19 Nov 2016 11:12:38 -0500 Subject: fix vivaldi profile, more testing --- etc/vivaldi.profile | 1 - test/fcopy/dircopy.exp | 30 +++++++++++++++++++++++++----- test/fcopy/fcopy.sh | 2 +- 3 files changed, 26 insertions(+), 7 deletions(-) diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile index 3c608dccb..08b046847 100644 --- a/etc/vivaldi.profile +++ b/etc/vivaldi.profile @@ -6,7 +6,6 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc netfilter -nonewprivs whitelist ${DOWNLOADS} mkdir ~/.config/vivaldi diff --git a/test/fcopy/dircopy.exp b/test/fcopy/dircopy.exp index b87f24a59..00b0204ae 100755 --- a/test/fcopy/dircopy.exp +++ b/test/fcopy/dircopy.exp 
@@ -55,28 +55,48 @@ after 100 send -- "ls -al dest\r" expect { timeout {puts "TESTING ERROR 8\n";exit} - "drwx--x--x" + "drwxr-xr-x" } expect { timeout {puts "TESTING ERROR 9\n";exit} - "rwxrwxrwx" + "a" } expect { timeout {puts "TESTING ERROR 10\n";exit} + "lrwxrwxrwx" +} +expect { + timeout {puts "TESTING ERROR 11\n";exit} + "dircopy.exp" +} +expect { + timeout {puts "TESTING ERROR 12\n";exit} + "rwxr-xr-x" +} +expect { + timeout {puts "TESTING ERROR 13\n";exit} + "file1" +} +expect { + timeout {puts "TESTING ERROR 14\n";exit} "rw-r--r--" } +expect { + timeout {puts "TESTING ERROR 15\n";exit} + "file2" +} after 100 send -- "diff -q src/a/b/file4 dest/a/b/file4; echo done\r" expect { - timeout {puts "TESTING ERROR 11\n";exit} - "differ" {puts "TESTING ERROR 12\n";exit} + timeout {puts "TESTING ERROR 16\n";exit} + "differ" {puts "TESTING ERROR 17\n";exit} "done" } send -- "file dest/dircopy.exp\r" expect { - timeout {puts "TESTING ERROR 13\n";exit} + timeout {puts "TESTING ERROR 18\n";exit} "symbolic link" } diff --git a/test/fcopy/fcopy.sh b/test/fcopy/fcopy.sh index 9961d6317..dcda5ca31 100755 --- a/test/fcopy/fcopy.sh +++ b/test/fcopy/fcopy.sh @@ -6,7 +6,7 @@ export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) -rm -fr dest/* +mkdir dest echo "TESTING: fcopy cmdline (test/fcopy/cmdline.exp)" ./cmdline.exp -- cgit v1.2.3-70-g09d2 From be09b34e3bfd9b111aef5da8c5bec52744c51bdd Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 19 Nov 2016 11:35:52 -0500 Subject: qemu profile --- README | 1 + README.md | 2 +- RELNOTES | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/README b/README index e21e96bc7..bd32034a3 100644 --- a/README +++ b/README 
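Review bot: The new pattern `"a"` after TESTING ERROR 9 in test/fcopy/dircopy.exp matches any letter a left in the shell's output, so the check passes whether or not `dest/a` was copied. Anchoring the name to the end of the ls line, for example `" a\r"`, would make the assertion mean what it says; `"file1"` and `"file2"` would benefit from the same treatment. The expected mode strings (`drwxr-xr-x`, `rw-r--r--`) presumably depend on the modes of the files under src as checked out, which deserves a one-line comment above the block. The script starts and ends outside this hunk.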
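Review bot: In test/fcopy/fcopy.sh `mkdir dest` replaces `rm -fr dest/*`, so a `dest` directory left behind by an interrupted run makes mkdir fail and the tests then run against stale contents. `rm -fr dest && mkdir dest` keeps the script re-runnable. Whether the end of the script removes `dest` is outside the hunk.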
@@ -103,6 +103,7 @@ valoq (https://github.com/valoq) - blacklist suid binaries in disable-common.inc - fix man pages - various profile improvements + - added keypass2, qemu profiles Vadim A. Misbakh-Soloviov (https://github.com/msva) - profile fixes Rafael Cavalcanti (https://github.com/rccavalcanti) diff --git a/README.md b/README.md index b29ad476e..56c0c68ec 100644 --- a/README.md +++ b/README.md @@ -56,5 +56,5 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is ````` ## New Profiles -xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom,Guayadeque +xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom,Guayadeque, qemu, keypass2 diff --git a/RELNOTES b/RELNOTES index 38da86b6e..3a7c398c2 100644 --- a/RELNOTES +++ b/RELNOTES @@ -10,7 +10,7 @@ firejail (0.9.45) baseline; urgency=low * feature: AppImage type 2 support * feature: test coverage (gcov) support * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, - * new profiles: mumble, zoom, Guayadeque + * new profiles: mumble, zoom, Guayadeque, qemu, keypass2 * bugfixes -- netblue30 Sun, 23 Oct 2016 08:00:00 -0500 -- cgit v1.2.3-70-g09d2 From 836bbf586f3134d41f6bb97f5eb00ba35f53962e Mon Sep 17 00:00:00 2001 From: Vasya Novikov Date: Sat, 19 Nov 2016 21:12:13 +0300 Subject: explain audit for seccomp logging --- src/man/firejail.txt | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/man/firejail.txt b/src/man/firejail.txt index bb9ae270c..8441f25d5 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -1340,6 +1340,10 @@ at run time only if the correct architecture was detected. For the case of I386 both 32-bit and 64-bit filters are installed. .br +.br +Firejail will print seccomp violations to the audit log if the kernel was compiled with audit support (CONFIG_AUDIT flag). +.br + .br Example: .br -- cgit v1.2.3-70-g09d2 From fa10ab0e093a4224b16491273b0162b0e0a77a3a Mon Sep 17 00:00:00 2001 
From: valoq Date: Sat, 19 Nov 2016 21:57:42 +0100 Subject: many new profiles --- README.md | 4 +++ etc/amarok.profile | 19 ++++++++++++++ etc/ark.profile | 23 +++++++++++++++++ etc/atool.profile | 24 +++++++++++++++++ etc/bleachbit.profile | 21 +++++++++++++++ etc/brasero.profile | 23 +++++++++++++++++ etc/dolphin.profile | 23 +++++++++++++++++ etc/dragon.profile | 22 ++++++++++++++++ etc/elinks.profile | 24 +++++++++++++++++ etc/enchant.profile | 23 +++++++++++++++++ etc/exiftool.profile | 28 ++++++++++++++++++++ etc/file-roller.profile | 21 +++++++++++++++ etc/gedit.profile | 26 +++++++++++++++++++ etc/gjs.profile | 28 ++++++++++++++++++++ etc/gnome-books.profile | 26 +++++++++++++++++++ etc/gnome-clocks.profile | 22 ++++++++++++++++ etc/gnome-documents.profile | 24 +++++++++++++++++ etc/gnome-maps.profile | 24 +++++++++++++++++ etc/gnome-music.profile | 22 ++++++++++++++++ etc/gnome-photos.profile | 26 +++++++++++++++++++ etc/gnome-weather.profile | 26 +++++++++++++++++++ etc/goobox.profile | 20 +++++++++++++++ etc/gpa.profile | 23 +++++++++++++++++ etc/gpg-agent.profile | 24 +++++++++++++++++ etc/gpg.profile | 24 +++++++++++++++++ etc/highlight.profile | 24 +++++++++++++++++ etc/img2txt.profile | 24 +++++++++++++++++ etc/k3b.profile | 21 +++++++++++++++ etc/kate.profile | 28 ++++++++++++++++++++ etc/lynx.profile | 22 ++++++++++++++++ etc/mediainfo.profile | 26 +++++++++++++++++++ etc/nautilus.profile | 26 +++++++++++++++++++ etc/odt2txt.profile | 24 +++++++++++++++++ etc/okular.profile | 16 ++++++------ etc/pdftotext.profile | 22 ++++++++++++++++ etc/simple-scan.profile | 23 +++++++++++++++++ etc/skanlite.profile | 21 +++++++++++++++ etc/ssh-agent.profile | 15 +++++++++++ etc/tracker.profile | 24 +++++++++++++++++ etc/transmission-cli.profile | 24 +++++++++++++++++ etc/transmission-show.profile | 24 +++++++++++++++++ etc/w3m.profile | 23 +++++++++++++++++ etc/xfburn.profile | 23 +++++++++++++++++ etc/xpra.profile | 21 +++++++++++++++ platform/debian/conffiles | 
42 ++++++++++++++++++++++++++++++ src/firecfg/firecfg.config | 60 +++++++++++++++++++++++++++++++++++++++++-- 46 files changed, 1093 insertions(+), 10 deletions(-) create mode 100644 etc/amarok.profile create mode 100644 etc/ark.profile create mode 100644 etc/atool.profile create mode 100644 etc/bleachbit.profile create mode 100644 etc/brasero.profile create mode 100644 etc/dolphin.profile create mode 100644 etc/dragon.profile create mode 100644 etc/elinks.profile create mode 100644 etc/enchant.profile create mode 100644 etc/exiftool.profile create mode 100644 etc/file-roller.profile create mode 100644 etc/gedit.profile create mode 100644 etc/gjs.profile create mode 100644 etc/gnome-books.profile create mode 100644 etc/gnome-clocks.profile create mode 100644 etc/gnome-documents.profile create mode 100644 etc/gnome-maps.profile create mode 100644 etc/gnome-music.profile create mode 100644 etc/gnome-photos.profile create mode 100644 etc/gnome-weather.profile create mode 100644 etc/goobox.profile create mode 100644 etc/gpa.profile create mode 100644 etc/gpg-agent.profile create mode 100644 etc/gpg.profile create mode 100644 etc/highlight.profile create mode 100644 etc/img2txt.profile create mode 100644 etc/k3b.profile create mode 100644 etc/kate.profile create mode 100644 etc/lynx.profile create mode 100644 etc/mediainfo.profile create mode 100644 etc/nautilus.profile create mode 100644 etc/odt2txt.profile create mode 100644 etc/pdftotext.profile create mode 100644 etc/simple-scan.profile create mode 100644 etc/skanlite.profile create mode 100644 etc/ssh-agent.profile create mode 100644 etc/tracker.profile create mode 100644 etc/transmission-cli.profile create mode 100644 etc/transmission-show.profile create mode 100644 etc/w3m.profile create mode 100644 etc/xfburn.profile create mode 100644 etc/xpra.profile diff --git a/README.md b/README.md index ad90639e2..87a5b3f63 100644 --- a/README.md +++ b/README.md 
@@ -53,4 +53,8 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is ````` ## New Profiles xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom,Guayadeque +amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, exiftool, file-roller, gedit +gnome-books, gnome-clocks, gnome-documents, gnome-maps, gnome-music, gnome-photos, gnome-weather +goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext +simple-scan, skanlite, ssh-agent, transmission-cli, transmission-show, w3m, xfburn, xpra diff --git a/etc/amarok.profile b/etc/amarok.profile new file mode 100644 index 000000000..962865790 --- /dev/null +++ b/etc/amarok.profile @@ -0,0 +1,19 @@ +# amorak profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +shell none +#seccomp +protocol unix,inet,inet6 + +#private-bin amorak +private-dev +private-tmp +#private-etc none diff --git a/etc/ark.profile b/etc/ark.profile new file mode 100644 index 000000000..61b4c6f60 --- /dev/null +++ b/etc/ark.profile @@ -0,0 +1,23 @@ +# ark profile +noblacklist ~/.config/arkrc + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +nosound +shell none +seccomp +protocol unix + +# private-bin +private-dev +private-tmp +# private-etc + diff --git a/etc/atool.profile b/etc/atool.profile new file mode 100644 index 000000000..3fbfb9fc7 --- /dev/null +++ b/etc/atool.profile 
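Review bot: In etc/amarok.profile `#seccomp` is commented out while the profile allows `protocol unix,inet,inet6`, and nothing says why; etc/simple-scan.profile and etc/skanlite.profile in this commit do the same. A profile without the syscall filter gives up one of the sandbox's main layers, so each of these should carry the reason next to the line, e.g. `# seccomp disabled: <failing syscall or bug reference>`. The header comment and the commented `#private-bin amorak` also misspell the program name; the line would have to read `private-bin amarok` if it is ever enabled.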
@@ -0,0 +1,24 @@
+# atool profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+# include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+# private-bin atool
+private-tmp
+private-dev
+private-etc none
+
+
diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile
new file mode 100644
index 000000000..0a71db9f0
--- /dev/null
+++ b/etc/bleachbit.profile
@@ -0,0 +1,21 @@
+# bleachbit profile
+include /etc/firejail/disable-common.inc
+# include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+seccomp
+protocol unix
+
+# private-bin
+# private-dev
+# private-tmp
+# private-etc
+
diff --git a/etc/brasero.profile b/etc/brasero.profile
new file mode 100644
index 000000000..66de6fa50
--- /dev/null
+++ b/etc/brasero.profile
@@ -0,0 +1,23 @@
+# brasero profile
+noblacklist ~/.config/brasero
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin brasero
+# private-tmp
+# private-dev
+# private-etc fonts
diff --git a/etc/dolphin.profile b/etc/dolphin.profile
new file mode 100644
index 000000000..1a6abb71d
--- /dev/null
+++ b/etc/dolphin.profile
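Review bot: etc/atool.profile comments out `include /etc/firejail/disable-devel.inc` without giving a reason, and etc/bleachbit.profile (disable-programs.inc), etc/gedit.profile and etc/kate.profile (disable-devel.inc) do likewise. etc/nautilus.profile in the same commit shows the better form, a one-line comment explaining why the include is left out. If atool needs it dropped because it is a Perl script (an assumption), the narrower approach of etc/exiftool.profile, keeping the include and adding `noblacklist /usr/bin/perl`, would preserve the rest of the blacklist. `netfilter` next to `net none` in this profile also looks redundant, since no interface beyond loopback remains to filter.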
@@ -0,0 +1,23 @@
+# dolphin profile
+noblacklist ~/.config/dolphinrc
+noblacklist ~/.local/share/dolphin
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+shell none
+seccomp
+protocol unix
+
+# private-bin
+# private-dev
+# private-tmp
+# private-etc
+
diff --git a/etc/dragon.profile b/etc/dragon.profile
new file mode 100644
index 000000000..09cb73802
--- /dev/null
+++ b/etc/dragon.profile
@@ -0,0 +1,22 @@
+# dragon player profile
+noblacklist ~/.config/dragonplayerrc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+shell none
+seccomp
+protocol unix,inet,inet6
+
+private-bin dragon
+private-dev
+private-tmp
+# private-etc
+
diff --git a/etc/elinks.profile b/etc/elinks.profile
new file mode 100644
index 000000000..df817ea56
--- /dev/null
+++ b/etc/elinks.profile
@@ -0,0 +1,24 @@
+# elinks profile
+noblacklist ~/.elinks
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin elinks
+private-tmp
+private-dev
+# private-etc none
+
diff --git a/etc/enchant.profile b/etc/enchant.profile
new file mode 100644
index 000000000..cf8288919
--- /dev/null
+++ b/etc/enchant.profile
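Review bot: etc/dolphin.profile includes `disable-programs.inc`, whereas etc/nautilus.profile in this commit leaves it out with the comment that a file manager must be able to start arbitrary applications. Programs launched from dolphin inherit this sandbox, so they would presumably find their own configuration directories blacklisted. Either drop the include here with the same explanatory comment, or add a line to the profile saying why dolphin is treated differently.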
@@ -0,0 +1,23 @@ +# enchant profile +noblacklist ~/.config/enchant + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +shell none +tracelog + +# private-bin enchant +# private-tmp +# private-dev +# private-etc fonts diff --git a/etc/exiftool.profile b/etc/exiftool.profile new file mode 100644 index 000000000..384695473 --- /dev/null +++ b/etc/exiftool.profile @@ -0,0 +1,28 @@ +# exiftool profile +noblacklist /usr/bin/perl +noblacklist /usr/share/perl* +noblacklist /usr/lib/perl* + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +net none +shell none +tracelog + +# private-bin exiftool,perl +private-tmp +private-dev +private-etc none + + diff --git a/etc/file-roller.profile b/etc/file-roller.profile new file mode 100644 index 000000000..6116389db --- /dev/null +++ b/etc/file-roller.profile @@ -0,0 +1,21 @@ +# file-roller profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +shell none +tracelog + +# private-bin file-roller +# private-tmp +private-dev +# private-etc fonts diff --git a/etc/gedit.profile b/etc/gedit.profile new file mode 100644 index 000000000..a25286bfa --- /dev/null +++ b/etc/gedit.profile 
@@ -0,0 +1,26 @@ +# gedit profile + +# when gedit is started via gnome-shell, firejail is not applied because systemd will start it + +noblacklist ~/.config/gedit + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +#include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +shell none +tracelog + +# private-bin gedit +private-tmp +private-dev +# private-etc fonts diff --git a/etc/gjs.profile b/etc/gjs.profile new file mode 100644 index 000000000..8d71728a2 --- /dev/null +++ b/etc/gjs.profile @@ -0,0 +1,28 @@ +# gjs (gnome javascript bindings) profile + +# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them + +noblacklist ~/.cache/org.gnome.Books +noblacklist ~/.config/libreoffice +noblacklist ~/.local/share/gnome-photos +noblacklist ~/.cache/libgweather + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp +netfilter +shell none +tracelog + +# private-bin gjs,gnome-books,gnome-documents,gnome-photos,gnome-maps,gnome-weather +private-tmp +private-dev +# private-etc fonts diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile new file mode 100644 index 000000000..10b06e173 --- /dev/null +++ b/etc/gnome-books.profile 
@@ -0,0 +1,26 @@
+# gnome-books profile
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+noblacklist ~/.cache/org.gnome.Books
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gjs gnome-books
+private-tmp
+private-dev
+private-etc fonts
diff --git a/etc/gnome-clocks.profile b/etc/gnome-clocks.profile
new file mode 100644
index 000000000..30adadda1
--- /dev/null
+++ b/etc/gnome-clocks.profile
@@ -0,0 +1,22 @@
+# gnome-clocks profile
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gnome-clocks
+private-tmp
+private-dev
+# private-etc fonts
diff --git a/etc/gnome-documents.profile b/etc/gnome-documents.profile
new file mode 100644
index 000000000..c5def7aff
--- /dev/null
+++ b/etc/gnome-documents.profile
@@ -0,0 +1,24 @@
+# gnome-documents profile
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+noblacklist ~/.config/libreoffice
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+private-tmp
+private-dev
diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile
new file mode 100644
index 000000000..f1451506e
--- /dev/null
+++ b/etc/gnome-maps.profile
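Review bot: The commented template `# private-bin gjs gnome-books` in etc/gnome-books.profile separates the program names with a space, while etc/gjs.profile in this commit uses the comma-separated form `gjs,gnome-books,...`; the same spacing appears in the gnome-maps, gnome-photos and gnome-weather profiles. Anyone uncommenting the line as written would not get the intended two-program list. Writing it as `# private-bin gjs,gnome-books` keeps the template usable.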
@@ -0,0 +1,24 @@ +# gnome-maps profile + +# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix,inet,inet6 +seccomp +netfilter +shell none +tracelog + +# private-bin gjs gnome-maps +private-tmp +private-dev +# private-etc fonts diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile new file mode 100644 index 000000000..4a8adeb22 --- /dev/null +++ b/etc/gnome-music.profile @@ -0,0 +1,22 @@ +# gnome-music profile +noblacklist ~/.local/share/gnome-music + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +protocol unix +seccomp +netfilter +shell none +tracelog + +# private-bin gnome-music,python3 +private-tmp +private-dev +# private-etc fonts diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile new file mode 100644 index 000000000..8f9d60cb5 --- /dev/null +++ b/etc/gnome-photos.profile @@ -0,0 +1,26 @@ +# gnome-photos profile + +# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them + +noblacklist ~/.local/share/gnome-photos + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +shell none +tracelog + +# private-bin gjs gnome-photos +private-tmp +private-dev +# private-etc fonts diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile new file mode 100644 index 000000000..9f93b8f15 --- /dev/null +++ b/etc/gnome-weather.profile 
@@ -0,0 +1,26 @@ +# gnome-weather profile + +# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them + +noblacklist ~/.cache/libgweather + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix,inet,inet6 +seccomp +netfilter +shell none +tracelog + +# private-bin gjs gnome-weather +private-tmp +private-dev +# private-etc fonts diff --git a/etc/goobox.profile b/etc/goobox.profile new file mode 100644 index 000000000..8990943fc --- /dev/null +++ b/etc/goobox.profile @@ -0,0 +1,20 @@ +# goobox profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +protocol unix +seccomp +netfilter +shell none +tracelog + +# private-bin goobox +# private-tmp +# private-dev +# private-etc fonts diff --git a/etc/gpa.profile b/etc/gpa.profile new file mode 100644 index 000000000..7d7277190 --- /dev/null +++ b/etc/gpa.profile @@ -0,0 +1,23 @@ +# gpa profile +noblacklist ~/.gnupg + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix,inet,inet6 +seccomp +netfilter +shell none +tracelog + +# private-bin gpa,gpg +private-tmp +private-dev +# private-etc none diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile new file mode 100644 index 000000000..31ed8812e --- /dev/null +++ b/etc/gpg-agent.profile 
@@ -0,0 +1,24 @@ +# gpg-agent profile + +noblacklist ~/.gnupg + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +shell none +tracelog + +# private-bin gpg-agent,gpg +private-tmp +private-dev +# private-etc none diff --git a/etc/gpg.profile b/etc/gpg.profile new file mode 100644 index 000000000..31372eb90 --- /dev/null +++ b/etc/gpg.profile @@ -0,0 +1,24 @@ +# gpg profile +noblacklist ~/.gnupg + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +net none +shell none +tracelog + +# private-bin gpg,gpg-agent +private-tmp +private-dev +# private-etc none diff --git a/etc/highlight.profile b/etc/highlight.profile new file mode 100644 index 000000000..f95f3924a --- /dev/null +++ b/etc/highlight.profile @@ -0,0 +1,24 @@ +# highlight profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +net none +shell none +tracelog + +private-bin highlight +private-tmp +private-dev + + + diff --git a/etc/img2txt.profile b/etc/img2txt.profile new file mode 100644 index 000000000..d55a31cd0 --- /dev/null +++ b/etc/img2txt.profile 
@@ -0,0 +1,24 @@ +# img2txt profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +net none +shell none +tracelog + +#private-bin img2txt +private-tmp +private-dev +#private-etc none + + diff --git a/etc/k3b.profile b/etc/k3b.profile new file mode 100644 index 000000000..6e16d233c --- /dev/null +++ b/etc/k3b.profile @@ -0,0 +1,21 @@ +# k3b profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +nosound +shell none +seccomp +protocol unix + +# private-bin +private-dev +private-tmp +# private-etc + diff --git a/etc/kate.profile b/etc/kate.profile new file mode 100644 index 000000000..4b07ea6cb --- /dev/null +++ b/etc/kate.profile @@ -0,0 +1,28 @@ +# kate profile +noblacklist ~/.local/share/kate +noblacklist ~/.config/katerc +noblacklist ~/.config/katepartrc +noblacklist ~/.config/kateschemarc +noblacklist ~/.config/katesyntaxhighlightingrc +noblacklist ~/.config/katevirc + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +#include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +shell none +tracelog + +# private-bin kate +private-tmp +private-dev +# private-etc fonts diff --git a/etc/lynx.profile b/etc/lynx.profile new file mode 100644 index 000000000..6e150f62e --- /dev/null +++ b/etc/lynx.profile 
@@ -0,0 +1,22 @@ +# lynx profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix,inet,inet6 +seccomp +netfilter +shell none +tracelog + +# private-bin lynx +private-tmp +private-dev +# private-etc none + diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile new file mode 100644 index 000000000..c07a9a9e8 --- /dev/null +++ b/etc/mediainfo.profile @@ -0,0 +1,26 @@ +# mediainfo profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +net none +shell none +tracelog + +private-bin mediainfo +private-tmp +private-dev +private-etc none + + + + diff --git a/etc/nautilus.profile b/etc/nautilus.profile new file mode 100644 index 000000000..264ee0b9d --- /dev/null +++ b/etc/nautilus.profile @@ -0,0 +1,26 @@ +# nautilus profile + +# Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there is already a nautilus process running on gnome desktops firejail will have no effect. + +noblacklist ~/.config/nautilus + +include /etc/firejail/disable-common.inc +# nautilus needs to be able to start arbitrary applications so we cannot blacklist their files +#include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +protocol unix +seccomp +netfilter +shell none +tracelog + +# private-bin nautilus +# private-tmp +# private-dev +# private-etc fonts diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile new file mode 100644 index 000000000..329275022 --- /dev/null +++ b/etc/odt2txt.profile 
@@ -0,0 +1,24 @@ +# odt2txt profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +net none +shell none +tracelog + +private-bin odt2txt +private-tmp +private-dev +private-etc none + +read-only ${HOME} diff --git a/etc/okular.profile b/etc/okular.profile index b43a5fbea..22e223cea 100644 --- a/etc/okular.profile +++ b/etc/okular.profile @@ -9,17 +9,17 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -nogroups +netfilter nonewprivs +nogroups noroot +nosound protocol unix seccomp -nosound +shell none +tracelog +# private-bin okular,kbuildsycoca4,kbuildsycoca5 +# private-etc X11 private-dev - -#Experimental: -#net none -#shell none -#private-bin okular,kbuildsycoca4,kbuildsycoca5 -#private-etc X11 +private-tmp diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile new file mode 100644 index 000000000..632c9d15e --- /dev/null +++ b/etc/pdftotext.profile @@ -0,0 +1,22 @@ +# pdftotext profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +net none +shell none +tracelog + +private-bin pdftotext +private-tmp +private-dev +private-etc none diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile new file mode 100644 index 000000000..03089482b --- /dev/null +++ b/etc/simple-scan.profile 
@@ -0,0 +1,23 @@
+# simple-scan profile
+noblacklist ~/.cache/simple-scan
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+#seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin simple-scan
+# private-tmp
+# private-dev
+# private-etc fonts
diff --git a/etc/skanlite.profile b/etc/skanlite.profile
new file mode 100644
index 000000000..6e8face75
--- /dev/null
+++ b/etc/skanlite.profile
@@ -0,0 +1,21 @@
+# skanlite profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+#seccomp
+protocol unix
+
+private-bin skanlite
+# private-dev
+# private-tmp
+# private-etc
+
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile
new file mode 100644
index 000000000..485bd8f3b
--- /dev/null
+++ b/etc/ssh-agent.profile
@@ -0,0 +1,15 @@
+# ssh-agent
+quiet
+noblacklist ~/.ssh
+noblacklist /tmp/ssh-*
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/tracker.profile b/etc/tracker.profile
new file mode 100644
index 000000000..217631216
--- /dev/null
+++ b/etc/tracker.profile
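Review bot: etc/ssh-agent.profile allows `protocol unix,inet,inet6`, although the agent is reached through a local socket (the profile itself un-blacklists `/tmp/ssh-*`), so `protocol unix` as in etc/gpg-agent.profile should be enough. The profile also omits `nogroups` and `shell none`, which nearly every other profile in this commit sets; if that is deliberate, a comment should say so. For a process that holds private keys, the narrower settings are worth confirming with a test.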
@@ -0,0 +1,24 @@
+# tracker profile
+
+# Tracker is started by systemd on most systems. Therefore it is not firejailed by default
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin tracker
+# private-tmp
+# private-dev
+# private-etc fonts
diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile
new file mode 100644
index 000000000..88ded649c
--- /dev/null
+++ b/etc/transmission-cli.profile
@@ -0,0 +1,24 @@
+# transmission-cli bittorrent profile
+noblacklist ${HOME}/.config/transmission
+noblacklist ${HOME}/.cache/transmission
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+net none
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+#private-bin transmission-cli
+private-tmp
+private-dev
+private-etc none
diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile
new file mode 100644
index 000000000..5e5284b34
--- /dev/null
+++ b/etc/transmission-show.profile
@@ -0,0 +1,24 @@
+# transmission-show profile
+noblacklist ${HOME}/.config/transmission
+noblacklist ${HOME}/.cache/transmission
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+net none
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+# private-bin
+private-tmp
+private-dev
+private-etc none
diff --git a/etc/w3m.profile b/etc/w3m.profile
new file mode 100644
index 000000000..d765217cf
--- /dev/null
+++ b/etc/w3m.profile
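Review bot: etc/transmission-cli.profile is headed "bittorrent profile" but sets `net none` and `protocol unix`, which leaves the client with no network at all; the block looks copied from etc/transmission-show.profile, where offline operation makes sense. For the client, drop `net none` and use `protocol unix,inet,inet6`, keeping `netfilter`. `private-etc none` should be rechecked at the same time, since name resolution presumably needs files from /etc.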
@@ -0,0 +1,23 @@
+# w3m profile
+noblacklist ~/.w3m
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin w3m
+private-tmp
+private-dev
+private-etc none
diff --git a/etc/xfburn.profile b/etc/xfburn.profile
new file mode 100644
index 000000000..1dd24aa61
--- /dev/null
+++ b/etc/xfburn.profile
@@ -0,0 +1,23 @@
+# xfburn profile
+noblacklist ~/.config/xfburn
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin xfburn
+# private-tmp
+# private-dev
+# private-etc fonts
diff --git a/etc/xpra.profile b/etc/xpra.profile
new file mode 100644
index 000000000..8584e4e5b
--- /dev/null
+++ b/etc/xpra.profile
@@ -0,0 +1,21 @@
+# xpra profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+seccomp
+protocol unix,inet,inet6
+
+# private-bin
+private-dev
+private-tmp
+# private-etc
+
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 6377c7426..60b4e0508 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
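Review bot: `private-etc none` in w3m.profile is combined with `protocol unix,inet,inet6`, so the browser has network access but presumably an /etc without `resolv.conf` or the CA certificate store. That would break name resolution and HTTPS certificate verification. A list such as `private-etc resolv.conf,ssl,ca-certificates` would keep the restriction while leaving those readable; the exact entries need checking on the target distribution.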
@@ -5,13 +5,18 @@ /etc/firejail/Telegram.profile /etc/firejail/Wire.profile /etc/firejail/abrowser.profile +/etc/firejail/amarok.profile +/etc/firejail/ark.profile /etc/firejail/atom-beta.profile /etc/firejail/atom.profile +/etc/firejail/atool.profile /etc/firejail/atril.profile /etc/firejail/audacious.profile /etc/firejail/audacity.profile /etc/firejail/aweather.profile /etc/firejail/bitlbee.profile +/etc/firejail/bleachbit.profile +/etc/firejail/brasero.profile /etc/firejail/brave.profile /etc/firejail/cherrytree.profile /etc/firejail/chromium-browser.profile @@ -34,17 +39,23 @@ /etc/firejail/display.profile /etc/firejail/dnscrypt-proxy.profile /etc/firejail/dnsmasq.profile +/etc/firejail/dolphin.profile /etc/firejail/dosbox.profile +/etc/firejail/dragon.profile /etc/firejail/dropbox.profile +/etc/firejail/elinks.profile /etc/firejail/emacs.profile /etc/firejail/empathy.profile +/etc/firejail/enchant.profile /etc/firejail/eog.profile /etc/firejail/eom.profile /etc/firejail/epiphany.profile /etc/firejail/evince.profile /etc/firejail/evolution.profile +/etc/firejail/exiftool.profile /etc/firejail/fbreader.profile /etc/firejail/feh.profile +/etc/firejail/file-roller.profile /etc/firejail/file.profile /etc/firejail/filezilla.profile /etc/firejail/firefox-esr.profile 
@@ -54,16 +65,29 @@ /etc/firejail/flowblade.profile /etc/firejail/franz.profile /etc/firejail/gajim.profile +/etc/firejail/gedit.profile /etc/firejail/gimp.profile /etc/firejail/git.profile /etc/firejail/gitter.profile +/etc/firejail/gjs.profile +/etc/firejail/gnome-books.profile /etc/firejail/gnome-chess.profile +/etc/firejail/gnome-clocks.profile +/etc/firejail/gnome-documents.profile +/etc/firejail/gnome-maps.profile /etc/firejail/gnome-mplayer.profile +/etc/firejail/gnome-music.profile +/etc/firejail/gnome-photos.profile +/etc/firejail/gnome-weather.profile +/etc/firejail/goobox.profile /etc/firejail/google-chrome-beta.profile /etc/firejail/google-chrome-stable.profile /etc/firejail/google-chrome-unstable.profile /etc/firejail/google-chrome.profile /etc/firejail/google-play-music-desktop-player.profile +/etc/firejail/gpa.profile +/etc/firejail/gpg-agent.profile +/etc/firejail/gpg.profile /etc/firejail/gpredict.profile /etc/firejail/gtar.profile /etc/firejail/gthumb.profile @@ -72,12 +96,16 @@ /etc/firejail/gzip.profile /etc/firejail/hedgewars.profile /etc/firejail/hexchat.profile +/etc/firejail/highlight.profile /etc/firejail/icecat.profile /etc/firejail/icedove.profile /etc/firejail/iceweasel.profile +/etc/firejail/img2txt.profile /etc/firejail/inkscape.profile /etc/firejail/inox.profile /etc/firejail/jitsi.profile +/etc/firejail/k3b.profile +/etc/firejail/kate.profile /etc/firejail/keepass.profile /etc/firejail/keepass2.profile /etc/firejail/keepassx.profile 
@@ -96,16 +124,20 @@ /etc/firejail/lowriter.profile /etc/firejail/luminance-hdr.profile /etc/firejail/lxterminal.profile +/etc/firejail/lynx.profile /etc/firejail/mathematica.profile /etc/firejail/mcabber.profile +/etc/firejail/mediainfo.profile /etc/firejail/midori.profile /etc/firejail/mpv.profile /etc/firejail/mumble.profile /etc/firejail/mupdf.profile /etc/firejail/mupen64plus.profile /etc/firejail/mutt.profile +/etc/firejail/nautilus.profile /etc/firejail/netsurf.profile /etc/firejail/nolocal.net +/etc/firejail/odt2txt.profile /etc/firejail/okular.profile /etc/firejail/openbox.profile /etc/firejail/openshot.profile @@ -113,6 +145,7 @@ /etc/firejail/opera.profile /etc/firejail/palemoon.profile /etc/firejail/parole.profile +/etc/firejail/pdftotext.profile /etc/firejail/pidgin.profile /etc/firejail/pix.profile /etc/firejail/polari.profile @@ -131,12 +164,15 @@ /etc/firejail/seamonkey-bin.profile /etc/firejail/seamonkey.profile /etc/firejail/server.profile +/etc/firejail/simple-scan.profile +/etc/firejail/skanlite.profile /etc/firejail/skype.profile /etc/firejail/skypeforlinux.profile /etc/firejail/slack.profile /etc/firejail/snap.profile /etc/firejail/soffice.profile /etc/firejail/spotify.profile +/etc/firejail/ssh-agent.profile /etc/firejail/ssh.profile /etc/firejail/start-tor-browser.profile /etc/firejail/steam.profile @@ -147,8 +183,11 @@ /etc/firejail/telegram.profile /etc/firejail/thunderbird.profile /etc/firejail/totem.profile +/etc/firejail/tracker.profile +/etc/firejail/transmission-cli.profile /etc/firejail/transmission-gtk.profile /etc/firejail/transmission-qt.profile +/etc/firejail/transmission-show.profile /etc/firejail/uget-gtk.profile /etc/firejail/unbound.profile /etc/firejail/unrar.profile @@ -159,6 +198,7 @@ /etc/firejail/vivaldi-beta.profile /etc/firejail/vivaldi.profile /etc/firejail/vlc.profile +/etc/firejail/w3m.profile /etc/firejail/warzone2100.profile /etc/firejail/webserver.net /etc/firejail/weechat-curses.profile 
@@ -168,9 +208,11 @@ /etc/firejail/wine.profile /etc/firejail/wire.profile /etc/firejail/xchat.profile +/etc/firejail/xfburn.profile /etc/firejail/xiphos.profile /etc/firejail/xpdf.profile /etc/firejail/xplayer.profile +/etc/firejail/xpra.profile /etc/firejail/xreader.profile /etc/firejail/xviewer.profile /etc/firejail/xz.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index d10d59657..7d7fad0a6 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -14,6 +14,8 @@ qbittorrent rtorrent transmission-gtk transmission-qt +transmission-cli +transmission-show uget-gtk # browsers/email @@ -51,6 +53,9 @@ thunderbird vivaldi-beta vivaldi evolution +elinks +lynx +w3m # chat/messaging bitlbee @@ -94,21 +99,41 @@ wesnot warzone2100 # Media +amarok audacious audacity +bleachbit +brasero clementine cmus deadbeef display +dolphin +dragon +exiftool feh +gjs +gnome-books +gnome-clocks +gnome-documents +gnome-maps gnome-mplayer +gnome-music +goobox google-play-music-desktop-player +img2txt +k3b +mediainfo mpv +nautilus parole rhythmbox +simple-scan +skanlite spotify totem vlc +xfburn xplayer xviewer eom @@ -121,10 +146,13 @@ atril cherrytree evince fbreader +gedit gimp gthumb gwenview +highlight inkscape +kate libreoffice localc lodraw @@ -141,7 +169,9 @@ soffice synfigstudio Mathematica mathematica +odt2txt okular +pdftotext pix xpdf xreader @@ -151,14 +181,40 @@ flowblade eog # other -ssh -atom-beta atom +atom-beta +gpa +gpg +# don't run ssh-agent and gpg-agent with firejail by default +# this will break many processes using them in the background +# ssh-agent +# gpg-agent +git ranger keepass keepass2 keepassx +ssh +tracker xiphos +xpra # weather/climate aweather +gnome-weather + +# compressing tools +ark +atool +file-roller + +# when used by other processes in the background, it will break stuff +#7z +#cpio +#gtar +#gzip +#tar +#unrar +#unzip +#xz +#xzdec -- cgit v1.2.3-70-g09d2 
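Review bot: gnome-photos and enchant are missing from the entries added to firecfg.config, although this same commit adds `/etc/firejail/gnome-photos.profile` and `/etc/firejail/enchant.profile` to platform/debian/conffiles. If firecfg builds its symlinks from this file, those two programs would keep starting unsandboxed even though profiles ship for them. If the omission is intentional, as it is for ssh-agent and gpg-agent, a commented-out entry with the reason (for example `# gnome-photos`) would make that visible.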
From 96417ad9f2003e9916f5a2c3766a77be139b96e7 Mon Sep 17 00:00:00 2001 From: valoq Date: Sat, 19 Nov 2016 22:00:48 +0100 Subject: readme updated --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 87a5b3f63..af6573600 100644 --- a/README.md +++ b/README.md @@ -53,8 +53,8 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is ````` ## New Profiles xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom,Guayadeque -amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, exiftool, file-roller, gedit -gnome-books, gnome-clocks, gnome-documents, gnome-maps, gnome-music, gnome-photos, gnome-weather +amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, enchant, exiftool, file-roller, gedit +gjs, gnome-books, gnome-clocks, gnome-documents, gnome-maps, gnome-music, gnome-photos, gnome-weather goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext -simple-scan, skanlite, ssh-agent, transmission-cli, transmission-show, w3m, xfburn, xpra +simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, w3m, xfburn, xpra -- cgit v1.2.3-70-g09d2 From ecd3b2191b573081c41cec0c497f8043790d50be Mon Sep 17 00:00:00 2001 
From: valoq Date: Sat, 19 Nov 2016 22:22:19 +0100 Subject: fixed spacing in profiles --- etc/abrowser.profile | 1 - etc/brave.profile | 1 - etc/claws-mail.profile | 1 - etc/corebird.profile | 1 - etc/cyberfox.profile | 1 - etc/dillo.profile | 1 - etc/emacs.profile | 1 - etc/eog.profile | 1 - etc/evolution.profile | 1 - etc/firefox.profile | 1 - etc/gajim.profile | 1 - etc/git.profile | 1 - etc/gnome-clocks.profile | 1 - etc/gpg-agent.profile | 1 - etc/icecat.profile | 1 - etc/keepass.profile | 1 - etc/keepass2.profile | 1 - etc/keepassx.profile | 1 - etc/konversation.profile | 1 - etc/lxterminal.profile | 1 - etc/mutt.profile | 1 - etc/netsurf.profile | 1 - etc/psi-plus.profile | 1 - etc/qemu-launcher.profile | 1 - etc/qemu-system-x86_64.profile | 1 - etc/qutebrowser.profile | 1 - etc/virtualbox.profile | 1 - etc/wire.profile | 1 - etc/xviewer.profile | 1 + etc/zoom.profile | 1 - 30 files changed, 1 insertion(+), 29 deletions(-) diff --git a/etc/abrowser.profile b/etc/abrowser.profile index 4aa18aa90..481301420 100644 --- a/etc/abrowser.profile +++ b/etc/abrowser.profile @@ -1,5 +1,4 @@ # Firejail profile for Abrowser - noblacklist ~/.mozilla noblacklist ~/.cache/mozilla include /etc/firejail/disable-common.inc diff --git a/etc/brave.profile b/etc/brave.profile index 4fc3a5bb0..21ea7f908 100644 --- a/etc/brave.profile +++ b/etc/brave.profile @@ -1,5 +1,4 @@ # Profile for Brave browser - noblacklist ~/.config/brave include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile index 1b6d2f645..8921bb25e 100644 --- a/etc/claws-mail.profile +++ b/etc/claws-mail.profile @@ -1,5 +1,4 @@ # claws-mail profile - noblacklist ~/.claws-mail noblacklist ~/.signature noblacklist ~/.gnupg diff --git a/etc/corebird.profile b/etc/corebird.profile index 077ae30d0..6fb8219e8 100644 --- a/etc/corebird.profile +++ b/etc/corebird.profile 
@@ -1,5 +1,4 @@ # Firejail corebird profile - include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile index ae487fa3c..84021dab3 100644 --- a/etc/cyberfox.profile +++ b/etc/cyberfox.profile @@ -1,5 +1,4 @@ # Firejail profile for Cyberfox (based on Mozilla Firefox) - noblacklist ~/.8pecxstudios noblacklist ~/.cache/8pecxstudios include /etc/firejail/disable-common.inc diff --git a/etc/dillo.profile b/etc/dillo.profile index 2ddd363cb..108787920 100644 --- a/etc/dillo.profile +++ b/etc/dillo.profile @@ -1,5 +1,4 @@ # Firejail profile for Dillo web browser - noblacklist ~/.dillo include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/emacs.profile b/etc/emacs.profile index cbdba7712..2b9c5805c 100644 --- a/etc/emacs.profile +++ b/etc/emacs.profile @@ -1,5 +1,4 @@ # emacs profile - noblacklist ~/.emacs noblacklist ~/.emacs.d diff --git a/etc/eog.profile b/etc/eog.profile index 68e950bd7..d463f3a97 100644 --- a/etc/eog.profile +++ b/etc/eog.profile @@ -1,5 +1,4 @@ # eog (gnome image viewer) profile - noblacklist ~/.config/eog include /etc/firejail/disable-common.inc diff --git a/etc/evolution.profile b/etc/evolution.profile index d63eeed74..ab6dd7a4a 100644 --- a/etc/evolution.profile +++ b/etc/evolution.profile @@ -1,5 +1,4 @@ # evolution profile - noblacklist ~/.config/evolution noblacklist ~/.local/share/evolution noblacklist ~/.cache/evolution diff --git a/etc/firefox.profile b/etc/firefox.profile index 6bb581f4f..4f971f330 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile @@ -1,5 +1,4 @@ # Firejail profile for Mozilla Firefox (Iceweasel in Debian) - noblacklist ~/.mozilla noblacklist ~/.cache/mozilla noblacklist ~/.config/qpdfview diff --git a/etc/gajim.profile b/etc/gajim.profile index 809378ef9..b030a68b4 100644 --- a/etc/gajim.profile +++ b/etc/gajim.profile 
@@ -1,5 +1,4 @@ # Firejail profile for Gajim - mkdir ${HOME}/.cache/gajim mkdir ${HOME}/.local/share/gajim mkdir ${HOME}/.config/gajim diff --git a/etc/git.profile b/etc/git.profile index 73122d347..edb59ce13 100644 --- a/etc/git.profile +++ b/etc/git.profile @@ -1,5 +1,4 @@ # git profile - noblacklist ~/.gitconfig noblacklist ~/.ssh noblacklist ~/.gnupg diff --git a/etc/gnome-clocks.profile b/etc/gnome-clocks.profile index 30adadda1..6cccf9d32 100644 --- a/etc/gnome-clocks.profile +++ b/etc/gnome-clocks.profile @@ -1,5 +1,4 @@ # gnome-clocks profile - include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile index 31ed8812e..b0ebdf43c 100644 --- a/etc/gpg-agent.profile +++ b/etc/gpg-agent.profile @@ -1,5 +1,4 @@ # gpg-agent profile - noblacklist ~/.gnupg include /etc/firejail/disable-common.inc diff --git a/etc/icecat.profile b/etc/icecat.profile index 2f8e2df7f..0348076da 100644 --- a/etc/icecat.profile +++ b/etc/icecat.profile @@ -1,5 +1,4 @@ # Firejail profile for GNU Icecat - noblacklist ~/.mozilla noblacklist ~/.cache/mozilla include /etc/firejail/disable-common.inc diff --git a/etc/keepass.profile b/etc/keepass.profile index 23f9a7b40..18a5f4ebd 100644 --- a/etc/keepass.profile +++ b/etc/keepass.profile @@ -1,5 +1,4 @@ # keepass password manager profile - noblacklist ${HOME}/.config/keepass noblacklist ${HOME}/.keepass diff --git a/etc/keepass2.profile b/etc/keepass2.profile index fd390f7ed..9daa014e3 100644 --- a/etc/keepass2.profile +++ b/etc/keepass2.profile @@ -1,5 +1,4 @@ # keepass password manager profile - #noblacklist ${HOME}/.config/KeePass #noblacklist ${HOME}/.keepass diff --git a/etc/keepassx.profile b/etc/keepassx.profile index 415160df3..d8621773f 100644 --- a/etc/keepassx.profile +++ b/etc/keepassx.profile 
@@ -1,5 +1,4 @@ # keepassx password manager profile - noblacklist ${HOME}/.config/keepassx noblacklist ${HOME}/.keepassx noblacklist ${HOME}/keepassx.kdbx diff --git a/etc/konversation.profile b/etc/konversation.profile index e9546fd1b..c00b91c18 100644 --- a/etc/konversation.profile +++ b/etc/konversation.profile @@ -1,5 +1,4 @@ # Firejail konversation profile - include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc diff --git a/etc/lxterminal.profile b/etc/lxterminal.profile index d1d0b8a0d..12765c299 100644 --- a/etc/lxterminal.profile +++ b/etc/lxterminal.profile @@ -1,5 +1,4 @@ # lxterminal (LXDE) profile - include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc diff --git a/etc/mutt.profile b/etc/mutt.profile index 54cf828b1..2718421c5 100644 --- a/etc/mutt.profile +++ b/etc/mutt.profile @@ -1,5 +1,4 @@ # mutt email client profile - noblacklist ~/.muttrc noblacklist ~/.mutt noblacklist ~/.mutt/muttrc diff --git a/etc/netsurf.profile b/etc/netsurf.profile index 1ed2163c2..2071e5519 100644 --- a/etc/netsurf.profile +++ b/etc/netsurf.profile @@ -1,5 +1,4 @@ # Firejail profile for Mozilla Firefox (Iceweasel in Debian) - noblacklist ~/.config/netsurf noblacklist ~/.cache/netsurf include /etc/firejail/disable-common.inc diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile index a9323448b..e4e69b9f6 100644 --- a/etc/psi-plus.profile +++ b/etc/psi-plus.profile @@ -1,5 +1,4 @@ # Firejail profile for Psi+ - noblacklist ${HOME}/.config/psi+ noblacklist ${HOME}/.local/share/psi+ include /etc/firejail/disable-common.inc diff --git a/etc/qemu-launcher.profile b/etc/qemu-launcher.profile index 9fa8a91d4..f9c8e6345 100644 --- a/etc/qemu-launcher.profile +++ b/etc/qemu-launcher.profile @@ -1,5 +1,4 @@ # qemu-launcher profile - noblacklist ~/.qemu-launcher include /etc/firejail/disable-common.inc 
diff --git a/etc/qemu-system-x86_64.profile b/etc/qemu-system-x86_64.profile index 3d4587fb1..65e1e44ea 100644 --- a/etc/qemu-system-x86_64.profile +++ b/etc/qemu-system-x86_64.profile @@ -1,5 +1,4 @@ # qemu profile - include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile index 0efb7b629..eabbe0f3e 100644 --- a/etc/qutebrowser.profile +++ b/etc/qutebrowser.profile @@ -1,5 +1,4 @@ # Firejail profile for Qutebrowser (Qt5-Webkit+Python) browser - noblacklist ~/.config/qutebrowser noblacklist ~/.cache/qutebrowser include /etc/firejail/disable-common.inc diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile index 49f8f8b24..36a1e0704 100644 --- a/etc/virtualbox.profile +++ b/etc/virtualbox.profile @@ -1,5 +1,4 @@ # VirtualBox profile - noblacklist ${HOME}/.VirtualBox noblacklist ${HOME}/VirtualBox VMs noblacklist ${HOME}/.config/VirtualBox diff --git a/etc/wire.profile b/etc/wire.profile index c84b4cc28..ec8ed8771 100644 --- a/etc/wire.profile +++ b/etc/wire.profile @@ -1,5 +1,4 @@ # wire messenger profile - noblacklist ~/.config/Wire noblacklist ~/.config/wire diff --git a/etc/xviewer.profile b/etc/xviewer.profile index cbb59d16e..ca380b4c7 100644 --- a/etc/xviewer.profile +++ b/etc/xviewer.profile @@ -1,3 +1,4 @@ +# xviewer profile noblacklist ~/.config/xviewer include /etc/firejail/disable-common.inc diff --git a/etc/zoom.profile b/etc/zoom.profile index f5831dd88..4c08868cf 100644 --- a/etc/zoom.profile +++ b/etc/zoom.profile @@ -1,5 +1,4 @@ # Firejail profile for zoom.us - noblacklist ~/.config/zoomus.conf include /etc/firejail/disable-common.inc -- cgit v1.2.3-70-g09d2 From b93b223507d3cb1a8b8f1c96657134d4c23da9a1 Mon Sep 17 00:00:00 2001 From: valoq Date: Sat, 19 Nov 2016 23:06:57 +0100 Subject: fixed typo --- etc/amarok.profile | 4 ++-- etc/k3b.profile | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/etc/amarok.profile b/etc/amarok.profile index 962865790..8d5b35d47 100644 --- a/etc/amarok.profile +++ b/etc/amarok.profile @@ -1,4 +1,4 @@ -# amorak profile +# amarok profile include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc @@ -13,7 +13,7 @@ shell none #seccomp protocol unix,inet,inet6 -#private-bin amorak +#private-bin amarok private-dev private-tmp #private-etc none diff --git a/etc/k3b.profile b/etc/k3b.profile index 6e16d233c..8a5fff0c6 100644 --- a/etc/k3b.profile +++ b/etc/k3b.profile @@ -15,7 +15,7 @@ seccomp protocol unix # private-bin -private-dev -private-tmp +# private-dev +# private-tmp # private-etc -- cgit v1.2.3-70-g09d2 From 35cf892b0bcb9b5a88e70c211c5dab3b65b86c2b Mon Sep 17 00:00:00 2001 From: valoq Date: Sat, 19 Nov 2016 23:10:01 +0100 Subject: minor fix --- etc/skanlite.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/skanlite.profile b/etc/skanlite.profile index 6e8face75..4dcfa64d9 100644 --- a/etc/skanlite.profile +++ b/etc/skanlite.profile @@ -12,7 +12,7 @@ noroot nosound shell none #seccomp -protocol unix +protocol unix,inet,inet6 private-bin skanlite # private-dev -- cgit v1.2.3-70-g09d2 From 84230c5ed4a507f4262ab764475eab962624e032 Mon Sep 17 00:00:00 2001 From: valoq Date: Sat, 19 Nov 2016 23:19:45 +0100 Subject: reversed incorrect changes --- etc/evince.profile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/etc/evince.profile b/etc/evince.profile index cbb2083f4..12ea358be 100644 --- a/etc/evince.profile +++ b/etc/evince.profile @@ -19,4 +19,5 @@ tracelog private-bin evince,evince-previewer,evince-thumbnailer private-dev private-etc fonts -private-tmp \ No newline at end of file +# evince needs access to /tmp/mozilla* to work in firefox +# private-tmp -- cgit v1.2.3-70-g09d2 From bedf08d73c59ac95e2de56ccf279108a038cb313 Mon Sep 17 00:00:00 2001 
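Review bot: The k3b.profile hunk turns `private-dev` and `private-tmp` into comments under a commit titled "fixed typo", which loosens the sandbox without saying why. Presumably k3b needs the optical-drive nodes that `private-dev` hides; if so, a comment such as `# k3b needs the optical drive device nodes, which private-dev hides` above the disabled line would record that. `private-tmp` should stay enabled unless it is known to break something, and that reason deserves a comment too.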
From: valoq Date: Sun, 20 Nov 2016 12:38:38 +0100 Subject: updated default.profile --- etc/default.profile | 10 ++++++++-- etc/file.profile | 19 ++++++++++++++----- 2 files changed, 22 insertions(+), 7 deletions(-) diff --git a/etc/default.profile b/etc/default.profile index a2de72695..487e80c64 100644 --- a/etc/default.profile +++ b/etc/default.profile @@ -5,11 +5,17 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc -#blacklist ${HOME}/.wine - caps.drop all netfilter +nogroups nonewprivs noroot protocol unix,inet,inet6 seccomp +shell none + +# private-bin program +# private-etc none +# private-dev +# private-tmp + diff --git a/etc/file.profile b/etc/file.profile index 199a97fad..f709e7f0c 100644 --- a/etc/file.profile +++ b/etc/file.profile @@ -1,16 +1,25 @@ # file profile -ignore noroot -include /etc/firejail/default.profile - -blacklist /tmp/.X11-unix +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc +caps.drop all hostname file +netfilter net none no3d +nogroups +nonewprivs +#noroot nosound -quiet +protocol unix +seccomp shell none tracelog +quiet +x11 none + +blacklist /tmp/.X11-unix private-dev private-bin file -- cgit v1.2.3-70-g09d2 From a9e69fe9e65f44f1f9fa4088842ff2af3cd8d6ca Mon Sep 17 00:00:00 2001 From: valoq Date: Sun, 20 Nov 2016 12:40:52 +0100 Subject: fixed mudpf profile for debian --- etc/mupdf.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/mupdf.profile b/etc/mupdf.profile index dc23d5840..7116fa1a6 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile 
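Review bot: `shell none` added to default.profile applies to every program that falls back to this profile and to any profile that still includes it. It may also make a bare `firejail` invocation with no program fail, since there is then nothing to run without a shell; that case is worth re-testing. `nogroups` has the same blanket effect on programs that rely on supplementary groups. If the stricter default is intended, a comment in the profile such as `# shell none: a program must be given on the command line` would document the behaviour change.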
@@ -18,7 +18,7 @@ tracelog #seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev -private-bin mupdf +private-bin mupdf,sh,tempfile,rm private-tmp private-dev private-etc fonts -- cgit v1.2.3-70-g09d2 From 64431c712ffb5d4805b61ea740bc9be98cf1b48f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 20 Nov 2016 07:45:50 -0500 Subject: seccomp work 1 --- .gitignore | 5 +++++ Makefile.in | 14 +++++++++++- src/firejail/firejail.h | 9 ++++---- src/firejail/preproc.c | 58 ++++++++++--------------------------------------- src/firejail/sandbox.c | 4 ---- src/firejail/seccomp.c | 13 ++++++----- src/fseccomp/main.c | 4 ++-- 7 files changed, 44 insertions(+), 63 deletions(-) diff --git a/.gitignore b/.gitignore index 9b9935b93..89bf3c4fa 100644 --- a/.gitignore +++ b/.gitignore @@ -24,3 +24,8 @@ src/fnet/fnet src/fseccomp/fseccomp src/fcopy/fcopy uids.h +seccomp +seccomp.debug +seccomp.i386 +seccomp.amd64 + diff --git a/Makefile.in b/Makefile.in index 772dc8c06..d1f03c788 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,7 +1,8 @@ -all: apps man +all: apps man filters MYLIBS = src/lib APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/libconnect src/fnet src/fseccomp src/fcopy MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 +SECCOMP_FILTERS = seccomp seccomp.i386 seccomp.amd64 prefix=@prefix@ exec_prefix=@exec_prefix@ 
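Review bot: `private-bin mupdf,sh,tempfile,rm` puts a shell and `rm` inside the sandbox of a PDF viewer, which widens what is reachable if a malformed document compromises mupdf. The commit title suggests this is for Debian's packaging, presumably because mupdf is started through a wrapper script there. A comment above the line, for example `# Debian starts mupdf from a shell wrapper that needs sh, tempfile and rm`, would stop a later cleanup from removing it and stop the wider list from being copied into other profiles.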
@@ -35,11 +36,18 @@ $(MANPAGES): $(wildcard src/man/*.txt) man: $(MANPAGES) +filters: src/fseccomp + src/fseccomp/fseccomp default seccomp + src/fseccomp/fseccomp default seccomp.debug allow-debuggers + src/fseccomp/fseccomp secondary 32 seccomp.i386 + src/fseccomp/fseccomp secondary 64 seccomp.amd64 + clean: for dir in $(APPS) $(MYLIBS); do \ $(MAKE) -C $$dir clean; \ done rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm + rm -f seccomp seccomp.debug seccomp.i386 seccomp.amd64 rm -f test/utils/index.html* rm -f test/utils/wget-log rm -f test/utils/lstesting @@ -79,6 +87,10 @@ realinstall: install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/fcopy/fcopy $(DESTDIR)/$(libdir)/firejail/. + install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/. + install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/. + install -c -m 0644 seccomp.i386 $(DESTDIR)/$(libdir)/firejail/. + install -c -m 0644 seccomp.amd64 $(DESTDIR)/$(libdir)/firejail/. # documents install -m 0755 -d $(DESTDIR)/$(DOCDIR) install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/. diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 2562094d3..2e031ce04 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h 
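Review bot: The new `filters` target runs `src/fseccomp/fseccomp` on the build machine, so a cross-compiled build cannot generate the filter files and `realinstall` would then fail on the missing `seccomp*` files. The prerequisite is the directory `src/fseccomp`; whether that is a target that builds the binary is outside this hunk, and if it is not, `filters: apps` would make the ordering explicit under `make -j`. `SECCOMP_FILTERS`, defined in the first hunk, omits `seccomp.debug` and is not used by the `clean` or `realinstall` lines shown here. Adding `seccomp.debug` to it and using `rm -f $(SECCOMP_FILTERS)` would keep the three lists from drifting apart.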
@@ -47,10 +47,14 @@ #define RUN_BIN_DIR "/run/firejail/mnt/bin" #define RUN_PULSE_DIR "/run/firejail/mnt/pulse" -#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter #define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter +#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter #define RUN_SECCOMP_AMD64 "/run/firejail/mnt/seccomp.amd64" // amd64 filter installed on i386 architectures #define RUN_SECCOMP_I386 "/run/firejail/mnt/seccomp.i386" // i386 filter installed on amd64 architectures +#define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp") // default filter built during make +#define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug") // default filter built during make +#define PATH_SECCOMP_AMD64 (LIBDIR "/firejail/seccomp.amd64") // amd64 filter built during make +#define PATH_SECCOMP_I386 (LIBDIR "/firejail/seccomp.i386") // i386 filter built during make #define RUN_DEV_DIR "/run/firejail/mnt/dev" @@ -374,9 +378,6 @@ void net_config_interface(const char *dev, uint32_t ip, uint32_t mask, int mtu); // preproc.c void preproc_build_firejail_dir(void); void preproc_mount_mnt_dir(void); -void preproc_build_cp_command(void); -void preproc_delete_cp_command(void) ; -void preproc_remount_mnt_dir(void); // fs.c // blacklist files or directoies by mounting empty files on top of them diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index ea4e6743f..d2db7d3dd 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c @@ -56,9 +56,9 @@ void preproc_build_firejail_dir(void) { create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755); } - if (stat(RUN_MNT_DIR, &s)) { - create_empty_dir_as_root(RUN_MNT_DIR, 0755); - } + if (stat(RUN_MNT_DIR, &s)) { + create_empty_dir_as_root(RUN_MNT_DIR, 0755); + } create_empty_file_as_root(RUN_RO_FILE, S_IRUSR); create_empty_dir_as_root(RUN_RO_DIR, S_IRUSR); 
@@ -75,51 +75,17 @@ void preproc_mount_mnt_dir(void) { tmpfs_mounted = 1; fs_logger2("tmpfs", RUN_MNT_DIR); - // create all seccomp files - // as root, create RUN_SECCOMP_I386 file - create_empty_file_as_root(RUN_SECCOMP_I386, 0644); - if (set_perms(RUN_SECCOMP_I386, getuid(), getgid(), 0644)) - errExit("set_perms"); - - // as root, create RUN_SECCOMP_AMD64 file - create_empty_file_as_root(RUN_SECCOMP_AMD64, 0644); - if (set_perms(RUN_SECCOMP_AMD64, getuid(), getgid(), 0644)) - errExit("set_perms"); - - // as root, create RUN_SECCOMP file - create_empty_file_as_root(RUN_SECCOMP_CFG, 0644); - if (set_perms(RUN_SECCOMP_CFG, getuid(), getgid(), 0644)) - errExit("set_perms"); - - // as root, create RUN_SECCOMP_PROTOCOL file + //copy defaultl seccomp files + copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644); + copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644); + if (arg_allow_debuggers) + copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); + else + copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); + + // as root, create an empty RUN_SECCOMP_PROTOCOL file create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644); if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644)) errExit("set_perms"); } } - -// grab a copy of cp command -void preproc_build_cp_command(void) { - struct stat s; - preproc_mount_mnt_dir(); - if (stat(RUN_CP_COMMAND, &s)) { - char* fname = realpath("/bin/cp", NULL); - if (fname == NULL || stat(fname, &s) || is_link(fname)) { - fprintf(stderr, "Error: invalid /bin/cp\n"); - exit(1); - } - int rv = copy_file(fname, RUN_CP_COMMAND, 0, 0, 0755); - if (rv) { - fprintf(stderr, "Error: cannot access /bin/cp\n"); - exit(1); - } - ASSERT_PERMS(RUN_CP_COMMAND, 0, 0, 0755); - - free(fname); - } -} - -// delete the temporary cp command -void preproc_delete_cp_command(void) { - unlink(RUN_CP_COMMAND); -} 
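Review bot: The four new `copy_file()` calls that place the prebuilt filters in /run/firejail/mnt ignore the return value, so a missing or unreadable file under LIBDIR goes unreported at this point. The code removed by this same commit treated a non-zero result from `copy_file()` as fatal, and the same check fits each call here, e.g. `if (copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644)) errExit("copy_file");`. The copies are also owned by the calling user; for the two secondary-architecture files, which this commit stops regenerating at run time, root ownership would keep sandboxed code from altering a filter that is loaded later. preproc_mount_mnt_dir starts before the hunk, and whether the later load fails closed on a missing file is not visible here.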
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index c2e053b0c..ad77caeb2 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -555,12 +555,9 @@ int sandbox(void* sandbox_arg) { //**************************** // fs pre-processing: - // - copy some commands under /run // - build seccomp filters // - create an empty /etc/ld.so.preload //**************************** - preproc_build_cp_command(); - #ifdef HAVE_SECCOMP if (cfg.protocol) { if (arg_debug) @@ -765,7 +762,6 @@ int sandbox(void* sandbox_arg) { //**************************** // fs post-processing //**************************** - preproc_delete_cp_command(); fs_logger_print(); fs_logger_change_owner(); diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 4a2221e98..30c63d734 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c @@ -92,11 +92,9 @@ int seccomp_load(const char *fname) { return 0; } - - - // i386 filter installed on amd64 architectures void seccomp_filter_32(void) { +#if 0 if (arg_debug) printf("Build secondary 32-bit filter\n"); @@ -105,7 +103,7 @@ void seccomp_filter_32(void) { PATH_FSECCOMP, "secondary", "32", RUN_SECCOMP_I386); if (rv) exit(rv); - +#endif if (seccomp_load(RUN_SECCOMP_I386) == 0) { if (arg_debug) printf("Dual i386/amd64 seccomp filter configured\n"); @@ -114,6 +112,7 @@ void seccomp_filter_32(void) { // amd64 filter installed on i386 architectures void seccomp_filter_64(void) { +#if 0 if (arg_debug) printf("Build secondary 64-bit filter\n"); @@ -122,6 +121,7 @@ void seccomp_filter_64(void) { PATH_FSECCOMP, "secondary", "64", RUN_SECCOMP_AMD64); if (rv) exit(rv); +#endif if (seccomp_load(RUN_SECCOMP_AMD64) == 0) { if (arg_debug) @@ -129,7 +129,6 @@ void seccomp_filter_64(void) { } } - // drop filter for seccomp option int seccomp_filter_drop(int enforce_seccomp) { // default seccomp 
@@ -140,6 +139,8 @@ int seccomp_filter_drop(int enforce_seccomp) { #if defined(__i386__) seccomp_filter_64(); #endif + +#if 0 if (arg_debug) printf("Build default seccomp filter\n"); // build the seccomp filter as a regular user @@ -152,8 +153,8 @@ int seccomp_filter_drop(int enforce_seccomp) { PATH_FSECCOMP, "default", RUN_SECCOMP_CFG); if (rv) exit(rv); +#endif } - // default seccomp filter with additional drop list else if (cfg.seccomp_list && cfg.seccomp_list_drop == NULL) { #if defined(__x86_64__) diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c index 2f85a786b..471e0b193 100644 --- a/src/fseccomp/main.c +++ b/src/fseccomp/main.c @@ -38,7 +38,7 @@ static void usage(void) { } int main(int argc, char **argv) { -#if 0 +//#if 0 { //system("cat /proc/self/status"); int i; @@ -46,7 +46,7 @@ for (i = 0; i < argc; i++) printf("*%s* ", argv[i]); printf("\n"); } -#endif +//#endif if (argc < 2) { usage(); return 1; -- cgit v1.2.3-70-g09d2 From c67467fed6392a2888c8e044f7dfa6815bc92901 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 20 Nov 2016 08:20:09 -0500 Subject: seccomp work 2 --- src/firejail/fs.c | 22 ++++------------------ src/firejail/seccomp.c | 38 +------------------------------------- 2 files changed, 5 insertions(+), 55 deletions(-) diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 7ff7e3c59..5774ebf6a 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c 
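Review bot: Replacing `#if 0`/`#endif` with `//#if 0`/`//#endif` in the src/fseccomp/main.c hunk enables the argv dump unconditionally. Every fseccomp run, including the new build-time `filters` step, now prints its arguments to stdout. This looks like leftover debugging; restoring `#if 0` and `#endif`, or deleting the block, keeps the tool quiet. main() continues past the end of the hunk.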
@@ -1010,24 +1010,13 @@ void fs_chroot(const char *rootdir) { create_empty_dir_as_root(rundir, 0755); free(rundir); - // create /run/firejail/mnt directory in chroot and mount a tmpfs - if (asprintf(&rundir, "%s/run/firejail/mnt", rootdir) == -1) + // create /run/firejail/mnt directory in chroot and mount the current one + if (asprintf(&rundir, "%s%s", rootdir, RUN_MNT_DIR) == -1) errExit("asprintf"); create_empty_dir_as_root(rundir, 0755); - if (mount("tmpfs", rundir, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) - errExit("mounting /run/firejail/mnt"); - fs_logger2("tmpfs", RUN_MNT_DIR); - free(rundir); + if (mount(RUN_MNT_DIR, rundir, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mount bind"); - // retrieve seccomp.protocol - struct stat s; - if (stat(RUN_SECCOMP_PROTOCOL, &s) == 0) { - if (asprintf(&rundir, "%s%s", rootdir, RUN_SECCOMP_PROTOCOL) == -1) - errExit("asprintf"); - copy_file(RUN_SECCOMP_PROTOCOL, rundir, getuid(), getgid(), 0644); - free(rundir); - } - // copy /etc/resolv.conf in chroot directory // if resolv.conf in chroot is a symbolic link, this will fail // no exit on error, let the user deal with the problem @@ -1053,9 +1042,6 @@ void fs_chroot(const char *rootdir) { if (chroot(rootdir) < 0) errExit("chroot"); - // create all other /run/firejail files and directories - preproc_build_firejail_dir(); - if (checkcfg(CFG_CHROOT_DESKTOP)) { // update /var directory in order to support multiple sandboxes running on the same root directory // if (!arg_private_dev) diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 30c63d734..4678f366b 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c 
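Review bot: In the first fs_chroot hunk, the `free(rundir);` that followed the mount was removed together with the tmpfs lines, so the string asprintf allocates for the bind-mount target is never released; add `free(rundir);` after the `mount(RUN_MNT_DIR, rundir, NULL, MS_BIND|MS_REC, NULL)` check. The removed code also recorded the mount with `fs_logger2(...)` and passed `MS_NOSUID`, and the new bind mount does neither. Whether the source mount at RUN_MNT_DIR already carries nosuid is not visible here and is worth confirming, since its contents are now shared into the chroot instead of starting from an empty tmpfs. fs_chroot starts and ends outside the hunk.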
@@ -94,16 +94,6 @@ int seccomp_load(const char *fname) { // i386 filter installed on amd64 architectures void seccomp_filter_32(void) { -#if 0 - if (arg_debug) - printf("Build secondary 32-bit filter\n"); - - // build the seccomp filter as a regular user - int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4, - PATH_FSECCOMP, "secondary", "32", RUN_SECCOMP_I386); - if (rv) - exit(rv); -#endif if (seccomp_load(RUN_SECCOMP_I386) == 0) { if (arg_debug) printf("Dual i386/amd64 seccomp filter configured\n"); @@ -112,17 +102,6 @@ void seccomp_filter_32(void) { // amd64 filter installed on i386 architectures void seccomp_filter_64(void) { -#if 0 - if (arg_debug) - printf("Build secondary 64-bit filter\n"); - - // build the seccomp filter as a regular user - int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4, - PATH_FSECCOMP, "secondary", "64", RUN_SECCOMP_AMD64); - if (rv) - exit(rv); -#endif - if (seccomp_load(RUN_SECCOMP_AMD64) == 0) { if (arg_debug) printf("Dual i386/amd64 seccomp filter configured\n"); @@ -139,21 +118,6 @@ int seccomp_filter_drop(int enforce_seccomp) { #if defined(__i386__) seccomp_filter_64(); #endif - -#if 0 - if (arg_debug) - printf("Build default seccomp filter\n"); - // build the seccomp filter as a regular user - int rv; - if (arg_allow_debuggers) - rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4, - PATH_FSECCOMP, "default", RUN_SECCOMP_CFG, "allow-debuggers"); - else - rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3, - PATH_FSECCOMP, "default", RUN_SECCOMP_CFG); - if (rv) - exit(rv); -#endif } // default seccomp filter with additional drop list else if (cfg.seccomp_list && cfg.seccomp_list_drop == NULL) { @@ -209,7 +173,7 @@ int seccomp_filter_drop(int enforce_seccomp) { exit(1); } - if (arg_debug) + if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0) sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FSECCOMP, "print", RUN_SECCOMP_CFG); -- cgit v1.2.3-70-g09d2 
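Review bot: In the last seccomp_filter_drop hunk, the new `access(PATH_FSECCOMP, X_OK) == 0` guard makes the `--debug` filter listing disappear silently when the helper is not reachable, so a user cannot tell a missing helper from an empty listing. The return value of sbox_run() is also still ignored there. A short diagnostic keeps the debug output honest: `else if (arg_debug) fprintf(stderr, "Warning: %s not found, seccomp filter not printed\n", PATH_FSECCOMP);`. seccomp_filter_drop starts and ends outside the hunk.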
From aaa9bcb02fae1eb9ffb765080d6b466f52918285 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 20 Nov 2016 11:19:25 -0500 Subject: profiles --- README | 34 +++++++++++++++++++--------------- etc/default.profile | 7 +++++-- etc/mupdf.profile | 8 +++++--- src/fseccomp/main.c | 4 ++-- 4 files changed, 31 insertions(+), 22 deletions(-) diff --git a/README b/README index bd32034a3..45d021008 100644 --- a/README +++ b/README @@ -80,6 +80,25 @@ Fred-Barclay (https://github.com/Fred-Barclay) - evince profile enhancement - tightened Spotify profile - added xiphos and Tor Browser Bundle profiles +valoq (https://github.com/valoq) + - lots of profile fixes + - added support for /srv in --whitelist feature + - Eye of GNOME, Evolution, display (imagemagik) and Wire profiles + - blacklist suid binaries in disable-common.inc + - fix man pages + - added keypass2, qemu profiles + - added amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, enchant, exiftool profiles + - added file-roller, gedit, gjs,gnome-books, gnome-documents, gnome-maps, gnome-music profiles + - added gnome-photos, gnome-weather, goobox, gpa, gpg, gpg-agent, highlight profiles + - added img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, simple-scan profiles + - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles +Vasya Novikov (https://github.com/vn971) + - Wesnoth profile + - Hedegewars profile + - manpage fixes + - fixed firecfg clean/clear issue + - found the ugliest bug so far + - seccomp debug description in man page curiosity-seeker (https://github.com/curiosity-seeker) - tightening unbound and dnscrypt-proxy profiles - dnsmasq profile 
@@ -95,15 +114,6 @@ BogDan Vatra (https://github.com/bog-dan-ro) - zoom profile Impyy (https://github.com/Impyy) - added mumble profile -valoq (https://github.com/valoq) - - LibreOffice profile fixes - - cherrytree profile fixes - - added support for /srv in --whitelist feature - - Eye of GNOME, Evolution, display (imagemagik) and Wire profiles - - blacklist suid binaries in disable-common.inc - - fix man pages - - various profile improvements - - added keypass2, qemu profiles Vadim A. Misbakh-Soloviov (https://github.com/msva) - profile fixes Rafael Cavalcanti (https://github.com/rccavalcanti) @@ -196,12 +206,6 @@ avoidr (https://github.com/avoidr) - various other fixes Ruan (https://github.com/ruany) - fixed hexchat profile -Vasya Novikov (https://github.com/vn971) - - Wesnoth profile - - Hedegewars profile - - manpage fixes - - fixed firecfg clean/clear issue - - found the ugliest bug so far Matthew Gyurgyik (https://github.com/pyther) - rpm spec and several fixes Joan Figueras (https://github.com/figue) diff --git a/etc/default.profile b/etc/default.profile index 487e80c64..603321316 100644 --- a/etc/default.profile +++ b/etc/default.profile @@ -7,13 +7,16 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter -nogroups nonewprivs noroot protocol unix,inet,inet6 seccomp -shell none +# +# depending on you usage, you can enable some of the commands below: +# +# nogroups +# shell none # private-bin program # private-etc none # private-dev diff --git a/etc/mupdf.profile b/etc/mupdf.profile index 7116fa1a6..7f9261d8b 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile 
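Review bot: In etc/default.profile, `nogroups` and `shell none` go from active settings to commented-out suggestions with no stated reason, which loosens what looks like the fallback profile (inferred from its name). The mupdf.profile hunks that follow do the same with `private-bin mupdf,sh,tempfile,rm`, parking it under "Experimental". Each file should say why the restriction was dropped, e.g. `# nogroups and shell none are off by default because <reason>`, so users know what they give up and when to turn it back on. The added comment also has a typo: `depending on you usage` should read `depending on your usage`.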
@@ -16,9 +16,6 @@ net none shell none tracelog -#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev - -private-bin mupdf,sh,tempfile,rm private-tmp private-dev private-etc fonts @@ -26,3 +23,8 @@ private-etc fonts # mupdf will never write anything read-only ${HOME} +# +# Experimental: +# +#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev +# private-bin mupdf,sh,tempfile,rm diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c index 471e0b193..2f85a786b 100644 --- a/src/fseccomp/main.c +++ b/src/fseccomp/main.c @@ -38,7 +38,7 @@ static void usage(void) { } int main(int argc, char **argv) { -//#if 0 +#if 0 { //system("cat /proc/self/status"); int i; @@ -46,7 +46,7 @@ for (i = 0; i < argc; i++) printf("*%s* ", argv[i]); printf("\n"); } -//#endif +#endif if (argc < 2) { usage(); return 1; -- cgit v1.2.3-70-g09d2 From 80cc5fa809ebb3f213852312dea15cded00cc069 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Sun, 20 Nov 2016 16:05:45 -0500 Subject: chroot testing --- Makefile.in | 6 +- gcov.sh | 4 ++ src/firejail/fs.c | 3 + src/tools/unchroot | Bin 9720 -> 0 bytes src/tools/unchroot.c | 125 -------------------------------------- test/chroot/chroot-resolvconf.exp | 14 ----- test/chroot/chroot.sh | 21 +++++++ test/chroot/configure | 46 ++++++++++++++ test/chroot/fs_chroot.exp | 26 ++------ test/chroot/unchroot-as-root.exp | 27 ++++++++ test/chroot/unchroot.c | 40 ++++++++++++ 11 files changed, 152 insertions(+), 160 deletions(-) delete mode 100755 src/tools/unchroot delete mode 100644 src/tools/unchroot.c delete mode 100755 test/chroot/chroot-resolvconf.exp create mode 100755 test/chroot/chroot.sh create mode 100755 test/chroot/configure create mode 100755 test/chroot/unchroot-as-root.exp create mode 100644 test/chroot/unchroot.c diff --git a/Makefile.in b/Makefile.in index d1f03c788..8251f9882 100644 --- a/Makefile.in +++ b/Makefile.in @@ -249,6 +249,10 @@ test: test-profiles test-fcopy test-fs test-utils test-environment test-apps te # with them you will need to restart your computer. ########################################## +# requires root access +test-chroot: + cd test/chroot; ./chroot.sh | grep testing + # Huge appimage files, not included in "make dist" archive test-appimage: cd test/appimage; ./appimage.sh | grep TESTING @@ -268,6 +272,6 @@ test-overlay: # For testing hidepid system, the command to set it up is "mount -o remount,rw,hidepid=2 /proc" -test-all: test-root test-network test-appimage test-overlay test-fcopy test +test-all: test-root test-chroot test-network test-appimage test-overlay echo "TEST COMPLETE" \ No newline at end of file diff --git a/gcov.sh b/gcov.sh index 900b7ca41..660aad7a1 100755 --- a/gcov.sh +++ b/gcov.sh @@ -29,6 +29,10 @@ make test-root generate sleep 2 +make test-chroot +generate +sleep 2 + make test-network generate sleep 2 
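Review bot: The new test-chroot recipe filters with `grep testing`, but chroot.sh echoes `TESTING: ...` and the expect scripts print `TESTING ERROR ...`, all in upper case. The case-sensitive filter therefore matches none of them, and the target hides both progress and failures. The neighbouring test-appimage target uses `grep TESTING`, so the recipe line should be `cd test/chroot; ./chroot.sh | grep TESTING`.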
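Review bot: In the second Makefile.in hunk, the test-all prerequisite list gains `test-chroot` but loses `test-fcopy` and `test`, so `make test-all` no longer runs the regular test suite. Nothing in the commit message explains the removal. If it is an accident, keep them: `test-all: test-root test-chroot test-network test-appimage test-overlay test-fcopy test`. If it is intended, a comment above the target saying that `make test` must be run separately would prevent a false "TEST COMPLETE".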
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 5774ebf6a..8c776bad5 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -1042,6 +1042,9 @@ void fs_chroot(const char *rootdir) { if (chroot(rootdir) < 0) errExit("chroot"); + // create all other /run/firejail files and directories + preproc_build_firejail_dir(); + if (checkcfg(CFG_CHROOT_DESKTOP)) { // update /var directory in order to support multiple sandboxes running on the same root directory // if (!arg_private_dev) diff --git a/src/tools/unchroot b/src/tools/unchroot deleted file mode 100755 index d32ce2682..000000000 Binary files a/src/tools/unchroot and /dev/null differ diff --git a/src/tools/unchroot.c b/src/tools/unchroot.c deleted file mode 100644 index 21731296e..000000000 --- a/src/tools/unchroot.c +++ /dev/null 
@@ -1,125 +0,0 @@ -#include -#include -#include -#include -#include -#include -#include -#include - -/* - ** You should set NEED_FCHDIR to 1 if the chroot() on your - ** system changes the working directory of the calling - ** process to the same directory as the process was chroot()ed - ** to. - ** - ** It is known that you do not need to set this value if you - ** running on Solaris 2.7 and below. - ** - */ -#define NEED_FCHDIR 0 - -#define TEMP_DIR "waterbuffalo" - -/* Break out of a chroot() environment in C */ - -int main() { - int x; /* Used to move up a directory tree */ - int done=0; /* Are we done yet ? */ -#ifdef NEED_FCHDIR - int dir_fd; /* File descriptor to directory */ -#endif - struct stat sbuf; /* The stat() buffer */ - - /* - ** First we create the temporary directory if it doesn't exist - */ - if (stat(TEMP_DIR,&sbuf)<0) { - if (errno==ENOENT) { - if (mkdir(TEMP_DIR,0755)<0) { - fprintf(stderr,"Failed to create %s - %s\n", TEMP_DIR, - strerror(errno)); - exit(1); - } - } - else { - fprintf(stderr,"Failed to stat %s - %s\n", TEMP_DIR, - strerror(errno)); - exit(1); - } - } - else if (!S_ISDIR(sbuf.st_mode)) { - fprintf(stderr,"Error - %s is not a directory!\n",TEMP_DIR); - exit(1); - } - -#ifdef NEED_FCHDIR - /* - ** Now we open the current working directory - ** - ** Note: Only required if chroot() changes the calling program's - ** working directory to the directory given to chroot(). 
- ** - */ - if ((dir_fd=open(".",O_RDONLY))<0) { - fprintf(stderr,"Failed to open \".\" for reading - %s\n", - strerror(errno)); - exit(1); - } -#endif - - /* - ** Next we chroot() to the temporary directory - */ - if (chroot(TEMP_DIR)<0) { - fprintf(stderr,"Failed to chroot to %s - %s\n",TEMP_DIR, - strerror(errno)); - exit(1); - } - -#ifdef NEED_FCHDIR - /* - ** Partially break out of the chroot by doing an fchdir() - ** - ** This only partially breaks out of the chroot() since whilst - ** our current working directory is outside of the chroot() jail, - ** our root directory is still within it. Thus anything which refers - ** to "/" will refer to files under the chroot() point. - ** - ** Note: Only required if chroot() changes the calling program's - ** working directory to the directory given to chroot(). - ** - */ - if (fchdir(dir_fd)<0) { - fprintf(stderr,"Failed to fchdir - %s\n", - strerror(errno)); - exit(1); - } - close(dir_fd); -#endif - - /* - ** Completely break out of the chroot by recursing up the directory - ** tree and doing a chroot to the current working directory (which will - ** be the real "/" at that point). We just do a chdir("..") lots of - ** times (1024 times for luck :). If we hit the real root directory before - ** we have finished the loop below it doesn't matter as .. in the root - ** directory is the same as . in the root. - ** - ** We do the final break out by doing a chroot(".") which sets the root - ** directory to the current working directory - at this point the real - ** root directory. - */ - for(x=0;x<1024;x++) { - chdir(".."); - } - chroot("."); - - /* - ** We're finally out - so exec a shell in interactive mode - */ - if (execl("/bin/sh","-i",NULL)<0) { - fprintf(stderr,"Failed to exec - %s\n",strerror(errno)); - exit(1); - } -} diff --git a/test/chroot/chroot-resolvconf.exp b/test/chroot/chroot-resolvconf.exp deleted file mode 100755 index 2d0da2fb0..000000000 --- a/test/chroot/chroot-resolvconf.exp +++ /dev/null 
@@ -1,14 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --chroot=/tmp/chroot /bin/bash\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "invalid /tmp/chroot/etc/resolv.conf file" -} - -puts "\nall done\n" - diff --git a/test/chroot/chroot.sh b/test/chroot/chroot.sh new file mode 100755 index 000000000..34bff2a67 --- /dev/null +++ b/test/chroot/chroot.sh @@ -0,0 +1,21 @@ +#!/bin/bash +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +export MALLOC_CHECK_=3 +export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) + +rm -f unchroot +gcc -o unchroot unchroot.c +sudo ./configure + +echo "TESTING: chroot (test/chroot/fs_chroot.exp)" +./fs_chroot.exp + +echo "TESTING: unchroot as root (test/chroot/unchroot-as-root.exp)" +sudo ./unchroot-as-root.exp + + + +rm -f unchroot diff --git a/test/chroot/configure b/test/chroot/configure new file mode 100755 index 000000000..ba8238803 --- /dev/null +++ b/test/chroot/configure 
@@ -0,0 +1,46 @@ +#!/bin/bash + +# build a very small chroot +ROOTDIR="/tmp/chroot" # default chroot directory +DEFAULT_FILES="/bin/bash /bin/sh " # basic chroot files +DEFAULT_FILES+="/etc/passwd /etc/nsswitch.conf /etc/group " +DEFAULT_FILES+=`find /lib -name libnss*` # files required by glibc +DEFAULT_FILES+=" /bin/cp /bin/ls /bin/cat /bin/ps /bin/netstat /bin/ping /sbin/ifconfig /usr/bin/touch /bin/ip /bin/hostname /bin/grep /usr/bin/dig /usr/bin/openssl /usr/bin/id /usr/bin/getent /usr/bin/whoami /usr/bin/wc /usr/bin/wget /bin/umount" + +rm -fr $ROOTDIR +mkdir -p $ROOTDIR/{root,bin,lib,lib64,usr,home,etc,dev/shm,tmp,var/run,var/tmp,var/lock,var/log,proc} +chmod 777 $ROOTDIR/tmp +mkdir -p $ROOTDIR/etc/firejail +mkdir -p $ROOTDIR/home/netblue/.config/firejail +chown netblue:netblue $ROOTDIR/home/netblue +chown netblue:netblue $ROOTDIR/home/netblue/.config +cp /home/netblue/.Xauthority $ROOTDIR/home/netblue/. +cp -a /etc/skel $ROOTDIR/etc/. +mkdir $ROOTDIR/home/someotheruser +mkdir $ROOTDIR/boot +mkdir $ROOTDIR/selinux +cp /etc/passwd $ROOTDIR/etc/. +cp /etc/group $ROOTDIR/etc/. +cp /etc/hosts $ROOTDIR/etc/. +cp /etc/hostname $ROOTDIR/etc/. +mkdir -p $ROOTDIR/usr/lib/x86_64-linux-gnu +cp -a /usr/lib/x86_64-linux-gnu/openssl-1.0.0 $ROOTDIR/usr/lib/x86_64-linux-gnu/. +cp -a /usr/lib/ssl $ROOTDIR/usr/lib/. +touch $ROOTDIR/var/log/syslog +touch $ROOTDIR/var/tmp/somefile +SORTED=`for FILE in $* $DEFAULT_FILES; do echo " $FILE "; ldd $FILE | grep -v dynamic | cut -d " " -f 3; done | sort -u` +for FILE in $SORTED +do + cp --parents $FILE $ROOTDIR +done +cp --parents /lib64/ld-linux-x86-64.so.2 $ROOTDIR +cp --parents /lib/ld-linux.so.2 $ROOTDIR +cp unchroot $ROOTDIR/. +touch $ROOTDIR/this-is-my-chroot + +cd $ROOTDIR; find . +mkdir -p usr/lib/firejail/ +cp /usr/lib/firejail/libtrace.so usr/lib/firejail/. + + +echo "To enter the chroot directory run: firejail --chroot=$ROOTDIR" 
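Review bot: test/chroot/configure is run through `sudo` by chroot.sh, yet it hardcodes the account `netblue` (`chown netblue:netblue ...`, `cp /home/netblue/.Xauthority ...`) and builds the tree at the fixed path `/tmp/chroot`. On any other machine the chown and cp lines fail. Doing `rm -fr` and then `mkdir -p` as root on a predictable name in a world-writable directory lets another local user pre-create that path between the two commands. The X authority file is also copied into a tree under /tmp. Derive the user from the environment, e.g. `TESTUSER=${SUDO_USER:-$(id -un)}`, quote `"$ROOTDIR"` throughout, and create the directory in a root-owned location or with `mktemp -d`. The expect scripts that name /tmp/chroot would then need the same path.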
diff --git a/test/chroot/fs_chroot.exp b/test/chroot/fs_chroot.exp index aeb5669e1..295ff8ff9 100755 --- a/test/chroot/fs_chroot.exp +++ b/test/chroot/fs_chroot.exp @@ -20,19 +20,14 @@ expect { sleep 1 send -- "bash\r" sleep 1 -send -- "ls /; pwd\r" +send -- "ls /\r" expect { timeout {puts "TESTING ERROR 0.2\n";exit} "this-is-my-chroot" } -expect { - timeout {puts "TESTING ERROR 0.3\n";exit} - "home" -} - +after 100 - -send -- "ps aux; pwd\r" +send -- "ps aux\r" expect { timeout {puts "TESTING ERROR 1\n";exit} "/bin/bash" @@ -45,23 +40,14 @@ expect { timeout {puts "TESTING ERROR 3\n";exit} "ps aux" } -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "home" -} -sleep 1 +after 100 - -send -- "ps aux |wc -l; pwd\r" +send -- "ps aux | wc -l; pwd\r" expect { timeout {puts "TESTING ERROR 5\n";exit} "6" } -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "home" -} -sleep 1 +after 100 puts "all done\n" diff --git a/test/chroot/unchroot-as-root.exp b/test/chroot/unchroot-as-root.exp new file mode 100755 index 000000000..9f8a1d784 --- /dev/null +++ b/test/chroot/unchroot-as-root.exp @@ -0,0 +1,27 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --chroot=/tmp/chroot\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Error: --chroot option is not available on Grsecurity systems" {puts "\nall done\n"; exit} + "Child process initialized" {puts "chroot available\n"}; +} +sleep 1 + +send -- "cd /\r" +after 100 + + +send -- "./unchroot\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Bad system call" +} +after 100 + +puts "all done\n" + diff --git a/test/chroot/unchroot.c b/test/chroot/unchroot.c new file mode 100644 index 000000000..1982e07f3 --- /dev/null +++ b/test/chroot/unchroot.c 
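Review bot: In unchroot-as-root.exp the final `expect` only lists the success pattern `"Bad system call"`, so a breakout that is not blocked is reported only after the 10 second timeout, as the generic `TESTING ERROR 1`. The helper prints a fixed line when it gets through, so the test can fail immediately and say why: add `"Exploit seems to work" {puts "TESTING ERROR 1.1 (chroot escape not blocked)\n";exit}` as a second branch. That also keeps the script from continuing with an interactive shell still attached to the spawned session.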
@@ -0,0 +1,40 @@ +// simple unchroot example from http://linux-vserver.org/Secure_chroot_Barrier +#include +#include +#include +#include +#include + +void die(char *msg) { + perror(msg); + exit(1); +} + +int main(int argc, char *argv[]) +{ + int i; + + if (chdir("/") != 0) + die("chdir(/)"); + + if (mkdir("baz", 0777) != 0) + ; //die("mkdir(baz)"); + + if (chroot("baz") != 0) + die("chroot(baz)"); + + for (i=0; i<50; i++) { + if (chdir("..") != 0) + die("chdir(..)"); + } + + if (chroot(".") != 0) + die("chroot(.)"); + + printf("Exploit seems to work. =)\n"); + + execl("/bin/bash", "bash", "-i", (char *)0); + die("exec bash"); + + exit(0); +} -- cgit v1.2.3-70-g09d2 From 62b9173095929c7ef21b9fb2385f54ceba956aa7 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 20 Nov 2016 17:52:30 -0500 Subject: caps testing --- src/firejail/caps.c | 77 ++++++++++++++++----------------- src/firejail/firejail.h | 2 +- src/firejail/main.c | 6 +-- src/firejail/profile.c | 6 +-- test/filters/caps-print.exp | 103 ++++++++++++++++++++++++++++++++++++++++++++ test/filters/caps.exp | 73 +++++++++++++++++++++++++++++-- test/filters/caps1.profile | 1 + test/filters/caps2.profile | 1 + test/filters/caps3.profile | 1 + test/filters/filters.sh | 3 ++ 10 files changed, 221 insertions(+), 52 deletions(-) create mode 100755 test/filters/caps-print.exp create mode 100644 test/filters/caps1.profile create mode 100644 test/filters/caps2.profile create mode 100644 test/filters/caps3.profile diff --git a/src/firejail/caps.c b/src/firejail/caps.c index ba811cada..6cfa36629 100644 --- a/src/firejail/caps.c +++ b/src/firejail/caps.c 
@@ -181,12 +181,10 @@ static int caps_find_name(const char *name) { } // return 1 if error, 0 if OK -int caps_check_list(const char *clist, void (*callback)(int)) { +void caps_check_list(const char *clist, void (*callback)(int)) { // don't allow empty lists - if (clist == NULL || *clist == '\0') { - fprintf(stderr, "Error: empty capabilities lists are not allowed\n"); - return -1; - } + if (clist == NULL || *clist == '\0') + goto errexit; // work on a copy of the string char *str = strdup(clist); @@ -201,11 +199,8 @@ int caps_check_list(const char *clist, void (*callback)(int)) { else if (*ptr == ',') { *ptr = '\0'; int nr = caps_find_name(start); - if (nr == -1) { - fprintf(stderr, "Error: capability %s not found\n", start); - free(str); - return -1; - } + if (nr == -1) + goto errexit; else if (callback != NULL) callback(nr); @@ -215,17 +210,18 @@ int caps_check_list(const char *clist, void (*callback)(int)) { } if (*start != '\0') { int nr = caps_find_name(start); - if (nr == -1) { - fprintf(stderr, "Error: capability %s not found\n", start); - free(str); - return -1; - } + if (nr == -1) + goto errexit; else if (callback != NULL) callback(nr); } free(str); - return 0; + return; + +errexit: + fprintf(stderr, "Error: capability \"%s\" not found\n", start); + exit(1); } void caps_print(void) { 
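Review bot: In caps_check_list the empty-list check now does `goto errexit`, but `errexit` prints `start` with `%s`, and at that point `start` has not been assigned. The hunk shows nothing between the function's opening brace and this check, so the declaration of `start` must come after the jump. Passing that indeterminate pointer to fprintf is undefined behaviour, and the message would be wrong for an empty list anyway. Keep the dedicated exit for this case: `if (clist == NULL || *clist == '\0') { fprintf(stderr, "Error: empty capabilities lists are not allowed\n"); exit(1); }`. The comment `// return 1 if error, 0 if OK` above the function is stale now that it returns `void`, and should say that the function exits on error.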
@@ -256,49 +252,53 @@ void caps_print(void) { // enabled by default int caps_default_filter(void) { // drop capabilities - if (prctl(PR_CAPBSET_DROP, CAP_SYS_MODULE, 0, 0, 0) && arg_debug) - fprintf(stderr, "Warning: cannot drop CAP_SYS_MODULE"); + if (prctl(PR_CAPBSET_DROP, CAP_SYS_MODULE, 0, 0, 0)) + goto errexit; else if (arg_debug) printf("Drop CAP_SYS_MODULE\n"); - if (prctl(PR_CAPBSET_DROP, CAP_SYS_RAWIO, 0, 0, 0) && arg_debug) - fprintf(stderr, "Warning: cannot drop CAP_SYS_RAWIO"); + if (prctl(PR_CAPBSET_DROP, CAP_SYS_RAWIO, 0, 0, 0)) + goto errexit; else if (arg_debug) printf("Drop CAP_SYS_RAWIO\n"); - if (prctl(PR_CAPBSET_DROP, CAP_SYS_BOOT, 0, 0, 0) && arg_debug) - fprintf(stderr, "Warning: cannot drop CAP_SYS_BOOT"); + if (prctl(PR_CAPBSET_DROP, CAP_SYS_BOOT, 0, 0, 0)) + goto errexit; else if (arg_debug) printf("Drop CAP_SYS_BOOT\n"); - if (prctl(PR_CAPBSET_DROP, CAP_SYS_NICE, 0, 0, 0) && arg_debug) - fprintf(stderr, "Warning: cannot drop CAP_SYS_NICE"); + if (prctl(PR_CAPBSET_DROP, CAP_SYS_NICE, 0, 0, 0)) + goto errexit; else if (arg_debug) printf("Drop CAP_SYS_NICE\n"); - if (prctl(PR_CAPBSET_DROP, CAP_SYS_TTY_CONFIG, 0, 0, 0) && arg_debug) - fprintf(stderr, "Warning: cannot drop CAP_SYS_TTY_CONFIG"); + if (prctl(PR_CAPBSET_DROP, CAP_SYS_TTY_CONFIG, 0, 0, 0)) + goto errexit; else if (arg_debug) printf("Drop CAP_SYS_TTY_CONFIG\n"); #ifdef CAP_SYSLOG - if (prctl(PR_CAPBSET_DROP, CAP_SYSLOG, 0, 0, 0) && arg_debug) - fprintf(stderr, "Warning: cannot drop CAP_SYSLOG"); + if (prctl(PR_CAPBSET_DROP, CAP_SYSLOG, 0, 0, 0)) + goto errexit; else if (arg_debug) printf("Drop CAP_SYSLOG\n"); #endif - if (prctl(PR_CAPBSET_DROP, CAP_MKNOD, 0, 0, 0) && arg_debug) - fprintf(stderr, "Warning: cannot drop CAP_MKNOD"); + if (prctl(PR_CAPBSET_DROP, CAP_MKNOD, 0, 0, 0)) + goto errexit; else if (arg_debug) printf("Drop CAP_MKNOD\n"); - if (prctl(PR_CAPBSET_DROP, CAP_SYS_ADMIN, 0, 0, 0) && arg_debug) - fprintf(stderr, "Warning: cannot drop CAP_SYS_ADMIN"); + if 
(prctl(PR_CAPBSET_DROP, CAP_SYS_ADMIN, 0, 0, 0)) + goto errexit; else if (arg_debug) printf("Drop CAP_SYS_ADMIN\n"); return 0; + +errexit: + fprintf(stderr, "Error: cannot drop capabilities\n"); + exit(1); } void caps_drop_all(void) { @@ -359,19 +359,14 @@ static uint64_t extract_caps(int pid) { EUID_ASSERT(); char *file; - if (asprintf(&file, "/proc/%d/status", pid) == -1) { + if (asprintf(&file, "/proc/%d/status", pid) == -1) errExit("asprintf"); - exit(1); - } EUID_ROOT(); // grsecurity FILE *fp = fopen(file, "r"); EUID_USER(); // grsecurity - if (!fp) { - printf("Error: cannot open %s\n", file); - free(file); - exit(1); - } + if (!fp) + goto errexit; char buf[MAXBUF]; while (fgets(buf, MAXBUF, fp)) { @@ -385,6 +380,8 @@ static uint64_t extract_caps(int pid) { } } fclose(fp); + +errexit: free(file); fprintf(stderr, "Error: cannot read caps configuration\n"); exit(1); diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 2e031ce04..4ae3cfd9f 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -508,7 +508,7 @@ int caps_default_filter(void); void caps_print(void); void caps_drop_all(void); void caps_set(uint64_t caps); -int caps_check_list(const char *clist, void (*callback)(int)); +void caps_check_list(const char *clist, void (*callback)(int)); void caps_drop_list(const char *clist); void caps_keep_list(const char *clist); void caps_print_filter(pid_t pid); diff --git a/src/firejail/main.c b/src/firejail/main.c index ff7b762cd..111a1d751 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1186,8 +1186,7 @@ int main(int argc, char **argv) { if (!arg_caps_list) errExit("strdup"); // verify caps list and exit if problems - if (caps_check_list(arg_caps_list, NULL)) - return 1; + caps_check_list(arg_caps_list, NULL); } else if (strncmp(argv[i], "--caps.keep=", 12) == 0) { arg_caps_keep = 1; 
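Review bot: In caps_default_filter all eight `prctl(PR_CAPBSET_DROP, ...)` failures now jump to one `errexit` that prints `Error: cannot drop capabilities`, with neither the capability name nor errno. Failing closed is the right direction, but a failure on a kernel that does not know one of the capabilities becomes hard to diagnose. Report the cause at the jump target, e.g. `fprintf(stderr, "Error: cannot drop capabilities: %s\n", strerror(errno));`, or use the file's existing `errExit("prctl")` helper. The eight near-identical blocks would also read better as a loop over a small table of capability and name pairs.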
@@ -1195,8 +1194,7 @@ int main(int argc, char **argv) { if (!arg_caps_list) errExit("strdup"); // verify caps list and exit if problems - if (caps_check_list(arg_caps_list, NULL)) - return 1; + caps_check_list(arg_caps_list, NULL); } diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 688fa9609..abb8bd9b6 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -570,8 +570,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { if (!arg_caps_list) errExit("strdup"); // verify caps list and exit if problems - if (caps_check_list(arg_caps_list, NULL)) - exit(1); + caps_check_list(arg_caps_list, NULL); return 0; } @@ -582,8 +581,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { if (!arg_caps_list) errExit("strdup"); // verify caps list and exit if problems - if (caps_check_list(arg_caps_list, NULL)) - exit(1); + caps_check_list(arg_caps_list, NULL); return 0; } diff --git a/test/filters/caps-print.exp b/test/filters/caps-print.exp new file mode 100755 index 000000000..d9d662239 --- /dev/null +++ b/test/filters/caps-print.exp 
@@ -0,0 +1,103 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --name=test --noprofile --caps --debug\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Drop CAP_SYS_MODULE" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Drop CAP_SYS_RAWIO" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Drop CAP_SYS_BOOT" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "Drop CAP_SYS_NICE" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Drop CAP_SYS_TTY_CONFIG" +} +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "Drop CAP_SYSLOG" +} +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "Drop CAP_MKNOD" +} +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "Drop CAP_SYS_ADMIN" +} +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --caps.print=test\r" +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "chown - enabled" +} +expect { + timeout {puts "TESTING ERROR 10\n";exit} + "setgid - enabled" +} +expect { + timeout {puts "TESTING ERROR 11\n";exit} + "setuid - enabled" +} +expect { + timeout {puts "TESTING ERROR 12\n";exit} + "mknod - disabled" +} +expect { + timeout {puts "TESTING ERROR 13\n";exit} + "syslog - disabled" +} +after 100 + +send -- "firejail --debug-caps\r" +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "21 - sys_admin" +} +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "22 - sys_boot" +} +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "23 - sys_nice" +} +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "24 - sys_resource" +} +after 100 + +send -- "firejail --caps.keep=\"bla bla bla\"\r" +expect { + timeout {puts "TESTING ERROR 10\n";exit} + "capability" +} +expect { + timeout {puts "TESTING ERROR 11\n";exit} + "not found" +} + +after 100 +puts "\nall 
done\n" diff --git a/test/filters/caps.exp b/test/filters/caps.exp index 7f7cf7dd1..2954f2e58 100755 --- a/test/filters/caps.exp +++ b/test/filters/caps.exp @@ -12,7 +12,7 @@ expect { timeout {puts "TESTING ERROR 1\n";exit} "Child process initialized" } -sleep 2 +after 100 send -- "cat /proc/self/status\r" expect { @@ -31,7 +31,7 @@ expect { timeout {puts "TESTING ERROR 4\n";exit} "Child process initialized" } -sleep 2 +after 100 send -- "cat /proc/self/status\r" expect { @@ -50,7 +50,7 @@ expect { timeout {puts "TESTING ERROR 7\n";exit} "Child process initialized" } -sleep 2 +after 100 send -- "cat /proc/self/status\r" expect { 
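Review bot: In caps-print.exp the failure labels are not unique: `TESTING ERROR 9` is used for the `chown - enabled` check and again for all four `--debug-caps` checks, and `10` and `11` are reused for the `--caps.keep="bla bla bla"` checks. A failing run then cannot be traced to one expectation. Number them consecutively after 13, e.g. `TESTING ERROR 14` through `TESTING ERROR 19`.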
@@ -66,7 +66,74 @@ expect { "Seccomp:" } send -- "exit\r" +sleep 1 + + +send -- "firejail --profile=caps1.profile --debug\r" +expect { + timeout {puts "TESTING ERROR 11\n";exit} + "Drop CAP_SYS_MODULE" +} +expect { + timeout {puts "TESTING ERROR 12\n";exit} + "Drop CAP_SYS_ADMIN" +} +expect { + timeout {puts "TESTING ERROR 13\n";exit} + "Drop CAP_" {puts "TESTING ERROR 14\n";exit} + "Child process initialized" +} after 100 +send -- "exit\r" +sleep 1 +## tofix: possible problem with caps.keep in profile files +##send -- "firejail --caps.keep=chown,fowner --noprofile\r" +#send -- "firejail --profile=caps2.profile\r" +#expect { +# timeout {puts "TESTING ERROR 15\n";exit} +# "Child process initialized" +#} +#after 100 +# +#send -- "cat /proc/self/status\r" +#expect { +# timeout {puts "TESTING ERROR 16\n";exit} +# "CapBnd: 0000000000000009" +#} +#expect { +# timeout {puts "TESTING ERROR 17\n";exit} +# "Seccomp:" +#} +#send -- "exit\r" +#sleep 1 + +#send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r" +send -- "firejail --profile=caps3.profile\r" +expect { + timeout {puts "TESTING ERROR 18\n";exit} + "Child process initialized" +} +after 100 + +send -- "cat /proc/self/status\r" +expect { + timeout {puts "TESTING ERROR 19\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 20\n";exit} + "fffffff0" +} +expect { + timeout {puts "TESTING ERROR 21\n";exit} + "Seccomp:" +} +send -- "exit\r" +sleep 1 + + + +after 100 puts "\nall done\n" diff --git a/test/filters/caps1.profile b/test/filters/caps1.profile new file mode 100644 index 000000000..8b0c3b340 --- /dev/null +++ b/test/filters/caps1.profile @@ -0,0 +1 @@ +caps diff --git a/test/filters/caps2.profile b/test/filters/caps2.profile new file mode 100644 index 000000000..4f0016fad --- /dev/null +++ b/test/filters/caps2.profile @@ -0,0 +1 @@ +caps.drop chown,dac_override,dac_read_search,fowner \ No newline at end of file 
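Review bot: test/filters/caps2.profile is added with the same single line as caps3.profile (`caps.drop chown,dac_override,dac_read_search,fowner`), while the commented-out caps2 block in caps.exp expects `CapBnd: 0000000000000009` and its own comment refers to `--caps.keep=chown,fowner`. A bounding set of 0x9 keeps only capability bits 0 and 3, which is what `caps.keep chown,fowner` would produce and not what this drop list produces. The profile was probably meant to contain `caps.keep chown,fowner`. If so, the "possible problem with caps.keep in profile files" noted in the test may be this file rather than the parser, and is worth re-checking before the test stays disabled.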
diff --git a/test/filters/caps3.profile b/test/filters/caps3.profile new file mode 100644 index 000000000..4f0016fad --- /dev/null +++ b/test/filters/caps3.profile @@ -0,0 +1 @@ +caps.drop chown,dac_override,dac_read_search,fowner \ No newline at end of file diff --git a/test/filters/filters.sh b/test/filters/filters.sh index 5c7c98b3e..fea4a0296 100755 --- a/test/filters/filters.sh +++ b/test/filters/filters.sh @@ -12,6 +12,9 @@ echo "TESTING: noroot (test/filters/noroot.exp)" echo "TESTING: capabilities (test/filters/caps.exp)" ./caps.exp +echo "TESTING: capabilities print (test/filters/caps-print.exp)" +./caps-print.exp + rm -f seccomp-test-file if [ "$(uname -m)" = "x86_64" ]; then echo "TESTING: fseccomp (test/filters/fseccomp.exp)" -- cgit v1.2.3-70-g09d2 From 13ef7fba2bdf48319f68a7362779c41edae19651 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 20 Nov 2016 21:23:10 -0500 Subject: testing --- test/environment/dns.exp | 47 ++++++++++++------------ test/fs/fs.sh | 3 ++ test/fs/user-dirs.dirs | 15 ++++++++ test/fs/whitelist-downloads.exp | 49 +++++++++++++++++++++++++ test/utils/audit.exp | 79 +++++++++++++++++++++++++++++++++++++++++ test/utils/utils.sh | 3 ++ 6 files changed, 174 insertions(+), 22 deletions(-) create mode 100644 test/fs/user-dirs.dirs create mode 100755 test/fs/whitelist-downloads.exp create mode 100755 test/utils/audit.exp diff --git a/test/environment/dns.exp b/test/environment/dns.exp index a6a7171eb..40403aade 100755 --- a/test/environment/dns.exp +++ b/test/environment/dns.exp 
@@ -4,6 +4,31 @@ set timeout 30 spawn $env(SHELL) match_max 100000 +send -- "firejail --dns=8.8.4.4 --dns=8.8.8.8 --dns=4.2.2.1\r" +expect { + timeout {puts "TESTING ERROR 2.1\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "cat /etc/resolv.conf\r" +expect { + timeout {puts "TESTING ERROR 2.2\n";exit} + "nameserver 8.8.4.4" +} +expect { + timeout {puts "TESTING ERROR 2.3\n";exit} + "nameserver 8.8.8.8" +} +expect { + timeout {puts "TESTING ERROR 2.4\n";exit} + "nameserver 4.2.2.1" +} +after 100 +send -- "exit\r" +after 100 + + # no chroot send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r" expect { @@ -27,28 +52,6 @@ after 100 send -- "rm index.html\r" after 100 send -- "exit\r" -sleep 1 - -send -- "firejail --dns=8.8.4.4 --dns=8.8.8.8 --dns=4.2.2.1\r" -expect { - timeout {puts "TESTING ERROR 2.1\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "cat /etc/resolv.conf\r" -expect { - timeout {puts "TESTING ERROR 2.2\n";exit} - "nameserver 8.8.4.4" -} -expect { - timeout {puts "TESTING ERROR 2.3\n";exit} - "nameserver 8.8.8.8" -} -expect { - timeout {puts "TESTING ERROR 2.4\n";exit} - "nameserver 4.2.2.1" -} after 100 puts "\nall done\n" diff --git a/test/fs/fs.sh b/test/fs/fs.sh index 1c5473f79..d9a425661 100755 --- a/test/fs/fs.sh +++ b/test/fs/fs.sh @@ -61,6 +61,9 @@ echo "TESTING: whitelist empty (test/fs/whitelist-empty.exp)" echo "TESTING: private whitelist (test/fs/private-whitelist.exp)" ./private-whitelist.exp +echo "TESTING: whitelist ~/Downloads (test/fs/whitelist-downloads.exp)" +./whitelist-downloads.exp + echo "TESTING: invalid filename (test/fs/invalid_filename.exp)" ./invalid_filename.exp diff --git a/test/fs/user-dirs.dirs b/test/fs/user-dirs.dirs new file mode 100644 index 000000000..0d19da4e4 --- /dev/null +++ b/test/fs/user-dirs.dirs 
@@ -0,0 +1,15 @@ +# This file is written by xdg-user-dirs-update +# If you want to change or add directories, just edit the line you're +# interested in. All local changes will be retained on the next run +# Format is XDG_xxx_DIR="$HOME/yyy", where yyy is a shell-escaped +# homedir-relative path, or XDG_xxx_DIR="/yyy", where /yyy is an +# absolute path. No other format is supported. +# +XDG_DESKTOP_DIR="$HOME/Desktop" +XDG_DOWNLOAD_DIR="$HOME/Downloads" +XDG_TEMPLATES_DIR="$HOME/Templates" +XDG_PUBLICSHARE_DIR="$HOME/Public" +XDG_DOCUMENTS_DIR="$HOME/Documents" +XDG_MUSIC_DIR="$HOME/Music" +XDG_PICTURES_DIR="$HOME/Pictures" +XDG_VIDEOS_DIR="$HOME/Videos" diff --git a/test/fs/whitelist-downloads.exp b/test/fs/whitelist-downloads.exp new file mode 100755 index 000000000..6af318d2b --- /dev/null +++ b/test/fs/whitelist-downloads.exp @@ -0,0 +1,49 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "cp user-dirs.dirs /tmp/.\r" +after 100 + +send -- "firejail --private --noprofile\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +after 100 + +send -- "firejail --force --profile=/etc/firejail/firefox.profile\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "cannot whitelist Downloads directory" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Child process initialized" +} +after 100 + +send -- "exit\r" +after 100 + +send -- "cp /tmp/user-dirs.dirs ~/.config/.\r" +after 100 + +send -- "firejail --force --profile=/etc/firejail/firefox.profile\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "cannot whitelist Downloads directory" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +after 100 + +puts "\nall done\n" + diff --git a/test/utils/audit.exp b/test/utils/audit.exp new file mode 100755 index 000000000..931b46981 --- /dev/null 
+++ b/test/utils/audit.exp @@ -0,0 +1,79 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --audit\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Firejail Audit" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "is running in a PID namespace" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "container/sandbox firejail" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "seccomp BPF enabled" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "all capabilities are disabled" +} +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "dev directory seems to be fully populated" +} +after 100 + + +send -- "firejail --audit=/usr/lib/firejail/faudit\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "Firejail Audit" +} +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "is running in a PID namespace" +} +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "container/sandbox firejail" +} +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "seccomp BPF enabled" +} +expect { + timeout {puts "TESTING ERROR 10\n";exit} + "all capabilities are disabled" +} +expect { + timeout {puts "TESTING ERROR 11\n";exit} + "dev directory seems to be fully populated" +} +after 100 + +send -- "firejail --audit=blablabla\r" +expect { + timeout {puts "TESTING ERROR 12\n";exit} + "cannot find the audit program" +} +after 100 + +send -- "firejail --audit=\r" +expect { + timeout {puts "TESTING ERROR 12\n";exit} + "invalid audit program" +} +after 100 + +puts "\nall done\n" diff --git a/test/utils/utils.sh b/test/utils/utils.sh index 804e5ae0f..04702597f 100755 --- a/test/utils/utils.sh +++ b/test/utils/utils.sh 
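Review bot: The last two checks in audit.exp both report `TESTING ERROR 12`, once for `--audit=blablabla` and once for the empty `--audit=` case, so a timeout in the log does not say which rejection path failed. Give the final block its own label, `timeout {puts "TESTING ERROR 13\n";exit}`. These two cases are the only negative tests for the audit-program argument, so they are worth telling apart.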
@@ -6,6 +6,9 @@ export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) +echo "TESTING: audit (test/utils/audit.exp)" +./audit.exp + echo "TESTING: version (test/utils/version.exp)" ./version.exp -- cgit v1.2.3-70-g09d2 From 10990a9da34bd360e48818608f46d9e9f544d0d9 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 21 Nov 2016 08:47:33 -0500 Subject: testing --- gcov.sh | 4 ++-- src/lib/common.c | 19 +++++++++---------- src/lib/libnetlink.c | 46 ++++++---------------------------------------- src/lib/pid.c | 34 ++++++++++++++-------------------- 4 files changed, 31 insertions(+), 72 deletions(-) diff --git a/gcov.sh b/gcov.sh index 660aad7a1..c5c385dd3 100755 --- a/gcov.sh +++ b/gcov.sh @@ -13,9 +13,9 @@ gcov_init() { } generate() { - lcov --capture -d src/firejail -d src/firemon -d src/fcopy -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg --output-file gcov-file + lcov -q --capture -d src/firejail -d src/firemon -d src/fcopy -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg --output-file gcov-file rm -fr gcov-dir - genhtml gcov-file --output-directory gcov-dir + genhtml -q gcov-file --output-directory gcov-dir } gcov_init diff --git a/src/lib/common.c b/src/lib/common.c index 2f2340963..add4ff087 100644 --- a/src/lib/common.c +++ b/src/lib/common.c @@ -39,22 +39,23 @@ int join_namespace(pid_t pid, char *type) { errExit("asprintf"); int fd = open(path, O_RDONLY); - if (fd < 0) { - free(path); - fprintf(stderr, "Error: cannot open /proc/%u/ns/%s.\n", pid, type); - return -1; - } + if (fd < 0) + goto errout; if (syscall(__NR_setns, fd, 0) < 0) { - free(path); - fprintf(stderr, "Error: cannot join namespace %s.\n", type); close(fd); - return -1; + goto errout; } close(fd); free(path); return 0; + +errout: + free(path); + fprintf(stderr, "Error: cannot join namespace %s\\n", type); + return -1; + } // return 1 if error 
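Review bot: In the src/lib/common.c hunk, the new `errout:` message in join_namespace ends in `%s\\n`, so it prints a literal backslash and `n` with no newline; it should be `fprintf(stderr, "Error: cannot join namespace %s\n", type);`. Folding both failures into one label also means a failed `open()` is now reported as a failed join and no longer names the `/proc/<pid>/ns/<type>` path, which makes a missing or inaccessible target process harder to diagnose. Consider printing `path` before it is freed, or appending `strerror(errno)`. There is also a stray blank line before the closing brace.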
@@ -187,8 +188,6 @@ char *pid_proc_cmdline(const pid_t pid) { for (i = 0; i < len; i++) { if (buffer[i] == '\0') buffer[i] = ' '; -// if (buffer[i] >= 0x80) // execv in progress!!! -// return NULL; } // return a malloc copy of the command line diff --git a/src/lib/libnetlink.c b/src/lib/libnetlink.c index 836cf417d..417ef2c5f 100644 --- a/src/lib/libnetlink.c +++ b/src/lib/libnetlink.c @@ -105,6 +105,7 @@ int rtnl_open(struct rtnl_handle *rth, unsigned subscriptions) return rtnl_open_byproto(rth, subscriptions, NETLINK_ROUTE); } +#if 0 int rtnl_wilddump_request(struct rtnl_handle *rth, int family, int type) { return rtnl_wilddump_req_filter(rth, family, type, RTEXT_FILTER_VF); @@ -303,6 +304,7 @@ int rtnl_dump_filter(struct rtnl_handle *rth, return rtnl_dump_filter_l(rth, a); } +#endif int rtnl_talk(struct rtnl_handle *rtnl, struct nlmsghdr *n, pid_t peer, unsigned groups, struct nlmsghdr *answer) @@ -422,6 +424,7 @@ int rtnl_talk(struct rtnl_handle *rtnl, struct nlmsghdr *n, pid_t peer, } } +#if 0 int rtnl_listen(struct rtnl_handle *rtnl, rtnl_filter_t handler, void *jarg) @@ -580,7 +583,7 @@ int addattrstrz(struct nlmsghdr *n, int maxlen, int type, const char *str) { return addattr_l(n, maxlen, type, str, strlen(str)+1); } - +#endif int addattr_l(struct nlmsghdr *n, int maxlen, int type, const void *data, 
@@ -632,46 +635,8 @@ printf("\tdata length: %d\n", alen); return 0; } -#if 0 -int addattr_l(struct nlmsghdr *n, int maxlen, int type, const void *data, - int alen) -{ -printf("%s: adding type %d, length %d ", __FUNCTION__, type, alen); -if (type == IFLA_INFO_KIND) { -if (alen) - printf("(IFLA_INFO_KIND %s)\n", (char *)data); -else -printf("(VETH_INFO_PEER)\n"); -} -else if (type == IFLA_IFNAME) { -printf("(IFLA_IFNAME %s)\n", (char *) data); -} -else if (type == IFLA_NET_NS_PID) { -printf("(IFLA_NET_NS_PID %u)\n", *((unsigned *) data)); -} -else if (type == IFLA_LINKINFO) -printf("(IFLA_LINKINFO)\n"); -else if (type == IFLA_INFO_DATA) -printf("(IFLA_INFO_DATA)\n"); -else - printf("\n"); - - int len = RTA_LENGTH(alen); - struct rtattr *rta; - - if (NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len) > maxlen) { - fprintf(stderr, "addattr_l ERROR: message exceeded bound of %d\n",maxlen); - return -1; - } - rta = NLMSG_TAIL(n); - rta->rta_type = type; - rta->rta_len = len; - memcpy(RTA_DATA(rta), data, alen); - n->nlmsg_len = NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len); - return 0; -} -#endif +#if 0 int addraw_l(struct nlmsghdr *n, int maxlen, const void *data, int len) { if ((int)(NLMSG_ALIGN(n->nlmsg_len) + NLMSG_ALIGN(len)) > maxlen) { @@ -802,3 +767,4 @@ int __parse_rtattr_nested_compat(struct rtattr *tb[], int max, struct rtattr *rt memset(tb, 0, sizeof(struct rtattr *) * (max + 1)); return 0; } +#endif diff --git a/src/lib/pid.c b/src/lib/pid.c index ed583c51d..42687274e 100644 --- a/src/lib/pid.c +++ b/src/lib/pid.c @@ -34,10 +34,9 @@ int max_pids=32769; void pid_getmem(unsigned pid, unsigned *rss, unsigned *shared) { // open stat file char *file; - if (asprintf(&file, "/proc/%u/statm", pid) == -1) { - perror("asprintf"); - exit(1); - } + if (asprintf(&file, "/proc/%u/statm", pid) == -1) + errExit("asprintf"); + FILE *fp = fopen(file, "r"); if (!fp) { free(file); 
@@ -59,10 +58,9 @@ void pid_getmem(unsigned pid, unsigned *rss, unsigned *shared) { void pid_get_cpu_time(unsigned pid, unsigned *utime, unsigned *stime) { // open stat file char *file; - if (asprintf(&file, "/proc/%u/stat", pid) == -1) { - perror("asprintf"); - exit(1); - } + if (asprintf(&file, "/proc/%u/stat", pid) == -1) + errExit("asprintf"); + FILE *fp = fopen(file, "r"); if (!fp) { free(file); @@ -93,10 +91,9 @@ myexit: unsigned long long pid_get_start_time(unsigned pid) { // open stat file char *file; - if (asprintf(&file, "/proc/%u/stat", pid) == -1) { - perror("asprintf"); - exit(1); - } + if (asprintf(&file, "/proc/%u/stat", pid) == -1) + errExit("asprintf"); + FILE *fp = fopen(file, "r"); if (!fp) { free(file); @@ -138,10 +135,8 @@ uid_t pid_get_uid(pid_t pid) { // open status file char *file; - if (asprintf(&file, "/proc/%u/status", pid) == -1) { - perror("asprintf"); - exit(1); - } + if (asprintf(&file, "/proc/%u/status", pid) == -1) + errExit("asprintf"); FILE *fp = fopen(file, "r"); if (!fp) { @@ -316,10 +311,9 @@ void pid_read(pid_t mon_pid) { // open stat file char *file; - if (asprintf(&file, "/proc/%u/status", pid) == -1) { - perror("asprintf"); - exit(1); - } + if (asprintf(&file, "/proc/%u/status", pid) == -1) + errExit("asprintf"); + FILE *fp = fopen(file, "r"); if (!fp) { free(file); -- cgit v1.2.3-70-g09d2 From bc6818c27f2f0310e71f69014c0e0bca30f330a6 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 21 Nov 2016 09:32:33 -0500 Subject: --quiet fix --- src/firejail/profile.c | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/src/firejail/profile.c b/src/firejail/profile.c index abb8bd9b6..694509511 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c 
@@ -130,7 +130,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { #if HAVE_USERNS if (checkcfg(CFG_USERNS)) check_user_namespace(); - else + else if (!arg_quiet) fprintf(stderr, "Warning: user namespace feature is disabled in Firejail configuration file\n"); #endif @@ -144,7 +144,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { #ifdef HAVE_SECCOMP if (checkcfg(CFG_SECCOMP)) arg_seccomp = 1; - else + else if (!arg_quiet) fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n"); #endif return 0; @@ -175,7 +175,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { cfg.home_private_keep = ptr + 13; arg_private = 1; } - else + else if (!arg_quiet) fprintf(stderr, "Warning: private-home is disabled in Firejail configuration file\n"); #endif return 0; @@ -208,7 +208,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { #ifdef HAVE_NETWORK if (checkcfg(CFG_NETWORK)) arg_netfilter = 1; - else + else if (!arg_quiet) fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); #endif return 0; @@ -222,7 +222,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { errExit("strdup"); check_netfilter_file(arg_netfilter_file); } - else + else if (!arg_quiet) fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); #endif return 0; @@ -236,7 +236,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { errExit("strdup"); check_netfilter_file(arg_netfilter6_file); } - else + else if (!arg_quiet) fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); #endif return 0; 
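Review bot: In the seccomp hunk (`@@ -144,7`), and in the later protocol, seccomp.drop, seccomp.keep and netfilter hunks, `else if (!arg_quiet)` now hides the only message that a hardening feature requested by the profile was not applied. Profiles that begin with `quiet` (ssh.profile on this page does) would then run without the filter and give no indication at all. I would keep these downgrade warnings out of the quiet gate or send them to syslog instead. At minimum, document the behaviour at each site with `// --quiet: continues without seccomp, no message`. profile_check_line starts and ends outside these hunks.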
@@ -254,7 +254,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { cfg.interface2.configured = 0; cfg.interface3.configured = 0; } - else + else if (!arg_quiet) fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); #endif return 0; @@ -295,7 +295,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { } net_configure_bridge(br, ptr + 4); } - else + else if (!arg_quiet) fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); #endif return 0; @@ -318,7 +318,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { exit(1); } } - else + else if (!arg_quiet) fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); #endif return 0; @@ -363,7 +363,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { exit(1); } } - else + else if (!arg_quiet) fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); #endif return 0; @@ -390,7 +390,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { exit(1); } } - else + else if (!arg_quiet) fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); #endif return 0; @@ -410,7 +410,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { exit(1); } } - else + else if (!arg_quiet) fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); #endif return 0; @@ -439,7 +439,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { } } } - else + else if (!arg_quiet) fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); #endif return 0; @@ -467,7 +467,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { // } } - else + else if (!arg_quiet) fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); #endif return 0; 
@@ -481,7 +481,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { exit(1); } } - else + else if (!arg_quiet) fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); #endif return 0; @@ -508,7 +508,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { if (!cfg.protocol) errExit("strdup"); } - else + else if (!arg_quiet) fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n"); #endif return 0; @@ -530,7 +530,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { arg_seccomp = 1; cfg.seccomp_list = seccomp_check_list(ptr + 8); } - else + else if (!arg_quiet) fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n"); #endif @@ -544,7 +544,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { arg_seccomp = 1; cfg.seccomp_list_drop = seccomp_check_list(ptr + 13); } - else + else if (!arg_quiet) fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n"); #endif return 0; @@ -557,7 +557,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { arg_seccomp = 1; cfg.seccomp_list_keep= seccomp_check_list(ptr + 13); } - else + else if (!arg_quiet) fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n"); #endif return 0; @@ -779,7 +779,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { *(dname2 - 1) = ','; return 1; } - else { + else if (!arg_quiet) { fprintf(stderr, "Warning: bind feature is disabled in Firejail configuration file\n"); return 0; } -- cgit v1.2.3-70-g09d2 From d6b2ab7e97f9d07be86076beb7e00ada2d587dca Mon Sep 17 00:00:00 2001 From: valoq Date: Tue, 22 Nov 2016 12:53:02 +0100 Subject: added wget profile --- etc/transmission-cli.profile | 3 +-- etc/wget.profile | 21 +++++++++++++++++++++ 2 files changed, 22 insertions(+), 2 deletions(-) create mode 100644 etc/wget.profile 
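Review bot: In the last profile.c hunk (`@@ -779,7`), changing `else {` to `else if (!arg_quiet) {` also gates the `return 0;` inside the block, unlike the earlier hunks where only a single `fprintf` is gated. With `--quiet` set and bind disabled in the configuration, neither branch returns and control falls through to whatever follows in profile_check_line, which is outside the hunk. Keep the unconditional return: `else { if (!arg_quiet) fprintf(stderr, "Warning: bind feature is disabled in Firejail configuration file\n"); return 0; }`.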
diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile index 88ded649c..6cbc3415c 100644 --- a/etc/transmission-cli.profile +++ b/etc/transmission-cli.profile @@ -9,11 +9,10 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter -net none nonewprivs noroot nosound -protocol unix +protocol unix,inet,inet6 seccomp shell none tracelog diff --git a/etc/wget.profile b/etc/wget.profile new file mode 100644 index 000000000..ad2b03b33 --- /dev/null +++ b/etc/wget.profile @@ -0,0 +1,21 @@ +# wget profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +nogroups +nosound +protocol unix,inet,inet6 +seccomp +shell none + + +# private-bin wget +# private-etc resolv.conf +private-dev +private-tmp + -- cgit v1.2.3-70-g09d2 From ab0f1d0b9b6237dc8543e218d6020bd261972113 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 22 Nov 2016 10:44:03 -0500 Subject: wget --- README | 1 + README.md | 2 +- platform/debian/conffiles | 1 + src/firecfg/firecfg.config | 1 + 4 files changed, 4 insertions(+), 1 deletion(-) diff --git a/README b/README index 45d021008..1fdd267a5 100644 --- a/README +++ b/README @@ -92,6 +92,7 @@ valoq (https://github.com/valoq) - added gnome-photos, gnome-weather, goobox, gpa, gpg, gpg-agent, highlight profiles - added img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, simple-scan profiles - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles + - added wget profile Vasya Novikov (https://github.com/vn971) - Wesnoth profile - Hedegewars profile diff --git a/README.md b/README.md index d653a235c..642bac678 100644 --- a/README.md +++ b/README.md 
@@ -60,6 +60,6 @@ xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom,Guayadeque, amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, enchant, exiftool, file-roller, gedit gjs, gnome-books, gnome-clocks, gnome-documents, gnome-maps, gnome-music, gnome-photos, gnome-weather goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext -simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, w3m, xfburn, xpra +simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, w3m, xfburn, xpra, wget diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 60b4e0508..2c1164a43 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -219,3 +219,4 @@ /etc/firejail/xzdec.profile /etc/firejail/zathura.profile /etc/firejail/zoom.profile +/etc/firejail/wget.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 7d7fad0a6..c6a2bad83 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -17,6 +17,7 @@ transmission-qt transmission-cli transmission-show uget-gtk +wget # browsers/email abrowser -- cgit v1.2.3-70-g09d2 From eb01b2602cc57f4bc4587ca1fc4fa69ebd8761bd Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 24 Nov 2016 08:36:30 -0500 Subject: ssh fix --- etc/disable-common.inc | 3 --- etc/ssh-agent.profile | 1 + etc/ssh.profile | 1 + src/firejail/fs.c | 9 +++++++-- 4 files changed, 9 insertions(+), 5 deletions(-) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 0dad8b385..f18b0d396 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -165,9 +165,6 @@ blacklist ${PATH}/newgrp blacklist ${PATH}/newuidmap blacklist ${PATH}/pkexec blacklist ${PATH}/sg -blacklist ${PATH}/rsh -blacklist ${PATH}/rlogin -blacklist ${PATH}/rcp blacklist ${PATH}/crontab blacklist ${PATH}/ksu blacklist ${PATH}/chsh 
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile index 485bd8f3b..548ede37d 100644 --- a/etc/ssh-agent.profile +++ b/etc/ssh-agent.profile @@ -2,6 +2,7 @@ quiet noblacklist ~/.ssh noblacklist /tmp/ssh-* +noblacklist /etc/ssh include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/ssh.profile b/etc/ssh.profile index d3558ead3..b7a8ed2b9 100644 --- a/etc/ssh.profile +++ b/etc/ssh.profile @@ -2,6 +2,7 @@ quiet noblacklist ~/.ssh noblacklist /tmp/ssh-* +noblacklist /etc/ssh include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 8c776bad5..6f9b5a60c 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -111,8 +111,12 @@ static void disable_file(OPERATION op, const char *filename) { fprintf(stderr, "Warning: %s directory link was not blacklisted\n", filename); } else { - if (arg_debug) - printf("Disable %s\n", fname); + if (arg_debug) { + if (strcmp(filename, fname)) + printf("Disable %s (requesterd %s)\n", fname, filename); + else + printf("Disable %s\n", fname); + } else if (arg_debug_blacklists) { printf("Disable %s", fname); if (op == BLACKLIST_FILE) @@ -120,6 +124,7 @@ static void disable_file(OPERATION op, const char *filename) { else printf(" - no logging\n"); } + if (S_ISDIR(s.st_mode)) { if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0) errExit("disable file"); -- cgit v1.2.3-70-g09d2 From fa79162b5eada1d0b9daa11ca327d65b42ed1b71 Mon Sep 17 00:00:00 2001 
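Review bot: The new debug line in disable_file (src/firejail/fs.c) misspells the word in `"Disable %s (requesterd %s)\n"`; it should be `"Disable %s (requested %s)\n"`. Showing both the resolved and the requested path is useful when checking that a blacklist entry landed on the intended target, so the text should be greppable. Note also that `arg_debug` takes precedence over `arg_debug_blacklists` here, so the "- no logging" detail is not printed when both flags are set; a short comment saying that is intended would help.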
From: netblue30 Date: Sat, 26 Nov 2016 10:25:06 -0500 Subject: fixes --- src/firejail/checkcfg.c | 4 ++++ src/firejail/ls.c | 31 ++++++++++++------------------- src/firejail/main.c | 9 +++++++-- src/firejail/sandbox.c | 10 ++++------ src/firejail/seccomp.c | 43 ++++++++++++++++++++++++++----------------- src/firemon/x11.c | 21 +++++++++------------ src/libtracelog/libtracelog.c | 10 ++++++---- todo | 1 + 8 files changed, 69 insertions(+), 60 deletions(-) diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 78c0e5c60..963d95bed 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -185,6 +185,8 @@ int checkcfg(int val) { exit(1); } + if (netfilter_default) + goto errout; netfilter_default = strdup(fname); if (!netfilter_default) errExit("strdup"); @@ -216,6 +218,8 @@ int checkcfg(int val) { // Xephyr command extra parameters else if (strncmp(ptr, "xephyr-extra-params ", 19) == 0) { + if (*xephyr_extra_params != '\0') + goto errout; xephyr_extra_params = strdup(ptr + 19); if (!xephyr_extra_params) errExit("strdup"); diff --git a/src/firejail/ls.c b/src/firejail/ls.c index 86c3a6079..5444ad9c2 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c 
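Review bot: The two duplicate-entry guards added to checkcfg test different things: `if (netfilter_default)` checks the pointer, while `if (*xephyr_extra_params != '\0')` dereferences it. The second is only safe if `xephyr_extra_params` is initialised to a non-NULL empty string, and that declaration is not in the hunk. `if (xephyr_extra_params && *xephyr_extra_params != '\0')` is robust either way, or add a comment at the declaration stating the invariant. The `errout` label is also outside the hunk, so I cannot confirm that a duplicate key produces a message naming the offending line.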
@@ -258,42 +258,35 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { // drop privileges drop_privs(0); + // check access if (access(fname1, R_OK) == -1) { fprintf(stderr, "Error: Cannot access %s\n", fname1); exit(1); } + char *rp = realpath(fname1, NULL); + if (!rp) { + fprintf(stderr, "Error: Cannot access %s\n", fname1); + exit(1); + } + if (arg_debug) + printf("realpath %s\n", rp); + // list directory contents struct stat s; - if (stat(fname1, &s) == -1) { - fprintf(stderr, "Error: Cannot access %s\n", fname1); + if (stat(rp, &s) == -1) { + fprintf(stderr, "Error: Cannot access %s\n", rp); exit(1); } if (S_ISDIR(s.st_mode)) { - char *rp = realpath(fname1, NULL); - if (!rp) { - fprintf(stderr, "Error: Cannot access %s\n", fname1); - exit(1); - } - if (arg_debug) - printf("realpath %s\n", rp); - char *dir; if (asprintf(&dir, "%s/", rp) == -1) errExit("asprintf"); print_directory(dir); - free(rp); free(dir); } else { - char *rp = realpath(fname1, NULL); - if (!rp) { - fprintf(stderr, "Error: Cannot access %s\n", fname1); - exit(1); - } - if (arg_debug) - printf("realpath %s\n", rp); char *split = strrchr(rp, '/'); if (split) { *split = '\0'; @@ -302,8 +295,8 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { printf("path %s, file %s\n", rp, rp2); print_file_or_dir(rp, rp2, 1); } - free(rp); } + free(rp); } // get file from sandbox and store it in the current directory diff --git a/src/firejail/main.c b/src/firejail/main.c index 111a1d751..0929347b7 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -2064,8 +2064,7 @@ int main(int argc, char **argv) { // command //************************************* else if (strcmp(argv[i], "--audit") == 0) { - if (asprintf(&arg_audit_prog, "%s/firejail/faudit", LIBDIR) == -1) - errExit("asprintf"); + arg_audit_prog = LIBDIR "/firejail/faudit"; arg_audit = 1; } else if (strncmp(argv[i], "--audit=", 8) == 0) { 
@@ -2076,6 +2075,12 @@ int main(int argc, char **argv) { arg_audit_prog = strdup(argv[i] + 8); if (!arg_audit_prog) errExit("strdup"); + + struct stat s; + if (stat(arg_audit_prog, &s) != 0) { + fprintf(stderr, "Error: cannot find the audit program %s\n", arg_audit_prog); + exit(1); + } arg_audit = 1; } else if (strcmp(argv[i], "--appimage") == 0) diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index ad77caeb2..0a6777fef 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -236,12 +236,15 @@ static int monitor_application(pid_t app_pid) { // todo: make this generic // Dillo browser leaves a dpid process running, we need to shut it down + int found = 0; if (strcmp(cfg.command_name, "dillo") == 0) { char *pidname = pid_proc_comm(pid); if (pidname && strcmp(pidname, "dpid") == 0) - break; + found = 1; free(pidname); } + if (found) + break; monitored_pid = pid; break; @@ -283,11 +286,6 @@ void start_application(void) { //**************************************** if (arg_audit) { assert(arg_audit_prog); - struct stat s; - if (stat(arg_audit_prog, &s) != 0) { - fprintf(stderr, "Error: cannot find the audit program\n"); - exit(1); - } execl(arg_audit_prog, arg_audit_prog, NULL); } //**************************************** diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 4678f366b..dd133b2ba 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c 
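Review bot: In the start_application hunk (src/firejail/sandbox.c), removing the `stat()` check leaves the plain `--audit` path, now the literal `LIBDIR "/firejail/faudit"` from main.c, with no existence check at all, and nothing visible after `execl(arg_audit_prog, arg_audit_prog, NULL);` handles a failed exec. The `stat()` added in main.c for `--audit=` only proves that something exists at that path when the option is parsed; it does not prove it is a regular executable or that it is still there at exec time. Checking the exec result covers both cases: add `perror("execl"); exit(1);` directly after the call. `arg_audit_prog` now points at either a string literal or a `strdup` buffer, so it must never be freed; a comment at its declaration would make that clear. start_application continues outside the hunk.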
@@ -52,44 +52,53 @@ char *seccomp_check_list(const char *str) { int seccomp_load(const char *fname) { assert(fname); + + // open filter file + int fd = open(fname, O_RDONLY); + if (fd == -1) + goto errexit; - // check file - struct stat s; - if (stat(fname, &s) == -1) { - fprintf(stderr, "Error: cannot read protocol filter file\n"); - exit(1); - } - int size = s.st_size; + // calculate the number of entries + int size = lseek(fd, 0, SEEK_END); + if (size == -1) + goto errexit; + if (lseek(fd, 0 , SEEK_SET) == -1) + goto errexit; unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter); -//printf("size %d, entries %d\n", s.st_size, entries); + if (arg_debug) + printf("reading %d seccomp entries from %s\n", entries, fname); // read filter - struct sock_filter filter[entries]; + struct sock_filter *filter = malloc(size); + if (filter == NULL) + goto errexit; memset(&filter[0], 0, sizeof(filter)); - int src = open(fname, O_RDONLY); int rd = 0; while (rd < size) { - int rv = read(src, (unsigned char *) filter + rd, size - rd); - if (rv == -1) { - fprintf(stderr, "Error: cannot read %s file\n", fname); - exit(1); - } + int rv = read(fd, (unsigned char *) filter + rd, size - rd); + if (rv == -1) + goto errexit; rd += rv; } - close(src); + + // close file + close(fd); // install filter struct sock_fprog prog = { .len = entries, .filter = filter, }; - if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n"); return 1; } return 0; + +errexit: + fprintf(stderr, "Error: cannot read %s\n", fname); + exit(1); } // i386 filter installed on amd64 architectures diff --git a/src/firemon/x11.c b/src/firemon/x11.c index b0efb090a..73dc310d3 100644 --- a/src/firemon/x11.c +++ b/src/firemon/x11.c 
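Review bot: In seccomp_load, `filter` is now a heap pointer, so `memset(&filter[0], 0, sizeof(filter));` clears only pointer-size bytes rather than the whole buffer; use `memset(filter, 0, size);` or `calloc`. The read loop treats only `rv == -1` as an error, so if the file is shorter than the `lseek` result (truncated between the two calls), `read` returns 0 and the loop never ends; `if (rv <= 0) goto errexit;` closes that. A zero-length file also reaches `prctl` with `entries == 0`, so rejecting `size <= 0`, or a size that is not a multiple of `sizeof(struct sock_filter)`, would give a clear error instead of the misleading kernel-version warning. The buffer is never freed on the return paths; a `free(filter)` after the `prctl` calls would tidy that up.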
@@ -37,20 +37,17 @@ void x11(pid_t pid, int print_procs) { if (asprintf(&x11file, "/run/firejail/x11/%d", i) == -1) errExit("asprintf"); - struct stat s; - if (stat(x11file, &s) == 0) { - FILE *fp = fopen(x11file, "r"); - if (!fp) { - free(x11file); - continue; - } - int display; - int rv = fscanf(fp, "%d", &display); - if (rv == 1) - printf(" DISPLAY :%d\n", display); - fclose(fp); + FILE *fp = fopen(x11file, "r"); + if (!fp) { + free(x11file); + continue; } + int display; + int rv = fscanf(fp, "%d", &display); + if (rv == 1) + printf(" DISPLAY :%d\n", display); + fclose(fp); free(x11file); } } diff --git a/src/libtracelog/libtracelog.c b/src/libtracelog/libtracelog.c index ff884c7d7..ca496d41c 100644 --- a/src/libtracelog/libtracelog.c +++ b/src/libtracelog/libtracelog.c @@ -163,9 +163,9 @@ static char *storage_find(const char *str) { #define RUN_FSLOGGER_FILE "/run/firejail/mnt/fslogger" #define MAXBUF 4096 static int blacklist_loaded = 0; -static char *sandbox_pid_str = 0; +static char *sandbox_pid_str = NULL; static char *sandbox_name_str = NULL; -void load_blacklist(void) { +static void load_blacklist(void) { if (blacklist_loaded) return; @@ -184,13 +184,15 @@ void load_blacklist(void) { char *ptr = strchr(buf, '\n'); if (ptr) *ptr = '\0'; - sandbox_pid_str = strdup(buf + 13); + if (sandbox_pid_str == NULL) + sandbox_pid_str = strdup(buf + 13); } else if (strncmp(buf, "sandbox name: ", 14) == 0) { char *ptr = strchr(buf, '\n'); if (ptr) *ptr = '\0'; - sandbox_name_str = strdup(buf + 14); + if (sandbox_name_str == NULL); + sandbox_name_str = strdup(buf + 14); } else if (strncmp(buf, "blacklist ", 10) == 0) { char *ptr = strchr(buf, '\n'); diff --git a/todo b/todo index 6bc73313f..e18ef3e34 100644 --- a/todo +++ b/todo @@ -288,3 +288,4 @@ removable media, partitions, software RAID volumes, logical volumes, and files. 30. /* coverity[toctou] */ +31. test dillo, sandbox.c:240 -- cgit v1.2.3-70-g09d2 
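Review bot: In the libtracelog.c hunk, `if (sandbox_name_str == NULL);` ends in a stray semicolon, so the `if` has an empty body and the `strdup` on the next line always runs. That defeats the guard the commit is adding and leaks the previous string when a second "sandbox name:" line appears; the `sandbox_pid_str` guard just above is written correctly. Drop the semicolon: `if (sandbox_name_str == NULL)` followed by `sandbox_name_str = strdup(buf + 14);`. Neither `strdup` result is checked in the visible lines, so any later use has to tolerate NULL.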
From e0bc50dc4138450dd7dca2e96289372d51592f41 Mon Sep 17 00:00:00 2001 From: Fred Barclay Date: Sat, 26 Nov 2016 11:04:40 -0600 Subject: added pluma and xed profiles --- etc/pluma.profile | 21 +++++++++++++++++++++ etc/xed.profile | 21 +++++++++++++++++++++ 2 files changed, 42 insertions(+) create mode 100644 etc/pluma.profile create mode 100644 etc/xed.profile diff --git a/etc/pluma.profile b/etc/pluma.profile new file mode 100644 index 000000000..895cc2369 --- /dev/null +++ b/etc/pluma.profile @@ -0,0 +1,21 @@ +# Firejail profile for Xed +noblacklist ${HOME}/.config/pluma + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +net none +nogroups +nonewprivs +noroot +nosound +seccomp +shell none +tracelog + +private-bin pluma +private-dev +private-tmp diff --git a/etc/xed.profile b/etc/xed.profile new file mode 100644 index 000000000..051710a70 --- /dev/null +++ b/etc/xed.profile @@ -0,0 +1,21 @@ +# Firejail profile for Xed +noblacklist ${HOME}/.config/xed + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +net none +nogroups +nonewprivs +noroot +nosound +seccomp +shell none +tracelog + +private-bin xed +private-dev +private-tmp -- cgit v1.2.3-70-g09d2 From f88e0fcf806d17b7ef6822b3f1a7d4b672877be1 Mon Sep 17 00:00:00 2001 From: Fred Barclay Date: Sat, 26 Nov 2016 11:12:07 -0600 Subject: additional files for pluma and xed --- README | 1 + README.md | 13 ++++++------- RELNOTES | 2 +- etc/disable-programs.inc | 2 ++ platform/debian/conffiles | 2 ++ src/firecfg/firecfg.config | 2 ++ 6 files changed, 14 insertions(+), 8 deletions(-) diff --git a/README b/README index 1fdd267a5..4d09a0a2c 100644 --- a/README +++ b/README 
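Review bot: The header comment of the new etc/pluma.profile reads `# Firejail profile for Xed`, copied from xed.profile; it should be `# Firejail profile for Pluma`. The two profiles are otherwise identical apart from the `noblacklist` path and the `private-bin` name, so a correct header is the quickest way to tell them apart when auditing /etc/firejail.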
@@ -80,6 +80,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - evince profile enhancement - tightened Spotify profile - added xiphos and Tor Browser Bundle profiles + - added xed and pluma profiles valoq (https://github.com/valoq) - lots of profile fixes - added support for /srv in --whitelist feature diff --git a/README.md b/README.md index 642bac678..7fc552f1e 100644 --- a/README.md +++ b/README.md @@ -56,10 +56,9 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is ````` ## New Profiles -xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom,Guayadeque, qemu, keypass2 -amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, enchant, exiftool, file-roller, gedit -gjs, gnome-books, gnome-clocks, gnome-documents, gnome-maps, gnome-music, gnome-photos, gnome-weather -goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext -simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, w3m, xfburn, xpra, wget - - +xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom, Guayadeque, qemu, keypass2, +amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, enchant, exiftool, file-roller, gedit, +gjs, gnome-books, gnome-clocks, gnome-documents, gnome-maps, gnome-music, gnome-photos, gnome-weather, +goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, +simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, w3m, xfburn, xpra, wget, +xed, pluma diff --git a/RELNOTES b/RELNOTES index 3a7c398c2..c5872f676 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -10,7 +10,7 @@ firejail (0.9.45) baseline; urgency=low * feature: AppImage type 2 support * feature: test coverage (gcov) support * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, - * new profiles: mumble, zoom, Guayadeque, qemu, keypass2 + * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma * bugfixes -- netblue30 Sun, 23 Oct 2016 08:00:00 -0500 diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index f4e66dc66..e2b7a4929 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -23,6 +23,8 @@ blacklist ${HOME}/.config/xviewer blacklist ${HOME}/.config/libreoffice blacklist ${HOME}/.config/pix blacklist ${HOME}/.config/mate/eom +blacklist ${HOME}/.config/xed +blacklist %{HOME}/.config/pluma blacklist ${HOME}/.kde/share/apps/okular blacklist ${HOME}/.kde/share/config/okularrc blacklist ${HOME}/.kde/share/config/okularpartrc diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 2c1164a43..5776f3889 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -148,6 +148,7 @@ /etc/firejail/pdftotext.profile /etc/firejail/pidgin.profile /etc/firejail/pix.profile +/etc/firejail/pluma.profile /etc/firejail/polari.profile /etc/firejail/psi-plus.profile /etc/firejail/qbittorrent.profile @@ -208,6 +209,7 @@ /etc/firejail/wine.profile /etc/firejail/wire.profile /etc/firejail/xchat.profile +/etc/firejail/xed.profile /etc/firejail/xfburn.profile /etc/firejail/xiphos.profile /etc/firejail/xpdf.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index c6a2bad83..764e9e501 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -195,9 +195,11 @@ ranger keepass keepass2 keepassx +pluma ssh tracker xiphos +xed xpra # weather/climate -- cgit v1.2.3-70-g09d2 From a4fd0e433ace4bbdafe808a56550d55431b882d2 Mon Sep 17 00:00:00 2001 
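Review bot: The added pluma entry in etc/disable-programs.inc is written `blacklist %{HOME}/.config/pluma`, with `%` where every neighbouring line uses `${HOME}`. As written the macro is presumably not expanded, so the pluma configuration directory would stay visible to the other sandboxed programs that include this file. The line should read `blacklist ${HOME}/.config/pluma`.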
From: netblue30 Date: Sun, 27 Nov 2016 10:36:49 -0500 Subject: fixes --- etc/disable-programs.inc | 2 +- src/faudit/dbus.c | 2 +- src/faudit/pid.c | 2 - src/firecfg/main.c | 1 + src/firejail/appimage.c | 15 ++++-- src/firejail/checkcfg.c | 5 +- src/firejail/fs.c | 1 + src/firejail/fs_bin.c | 1 + src/firejail/fs_home.c | 1 + src/firejail/fs_hostname.c | 4 +- src/firejail/fs_mkdir.c | 2 + src/firejail/fs_var.c | 10 ++-- src/firejail/fs_whitelist.c | 2 + src/firejail/ls.c | 5 ++ src/firejail/netfilter.c | 111 +++++++++++++++++++++++------------------- src/firejail/no_sandbox.c | 2 +- src/firejail/profile.c | 1 + src/firejail/pulseaudio.c | 1 + src/firejail/run_symlink.c | 1 + src/firejail/sbox.c | 1 + src/firejail/util.c | 9 ++-- src/firejail/x11.c | 1 + src/fseccomp/seccomp_print.c | 48 ++++++++++-------- src/lib/common.c | 2 + src/libtracelog/libtracelog.c | 2 +- todo | 2 - 26 files changed, 143 insertions(+), 91 deletions(-) diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index e2b7a4929..1ac926e3f 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -24,7 +24,7 @@ blacklist ${HOME}/.config/libreoffice blacklist ${HOME}/.config/pix blacklist ${HOME}/.config/mate/eom blacklist ${HOME}/.config/xed -blacklist %{HOME}/.config/pluma +blacklist ${HOME}/.config/pluma blacklist ${HOME}/.kde/share/apps/okular blacklist ${HOME}/.kde/share/config/okularrc blacklist ${HOME}/.kde/share/config/okularpartrc diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c index 4debf2ff6..d92660536 100644 --- a/src/faudit/dbus.c +++ b/src/faudit/dbus.c @@ -35,7 +35,7 @@ int check_unix(const char *sockfile) { struct sockaddr_un remote; memset(&remote, 0, sizeof(struct sockaddr_un)); remote.sun_family = AF_UNIX; - strcpy(remote.sun_path, sockfile); + strncpy(remote.sun_path, sockfile, sizeof(remote.sun_path)); int len = strlen(remote.sun_path) + sizeof(remote.sun_family); if (*sockfile == '@') remote.sun_path[0] = '\0'; 
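Review bot: In check_unix the replacement `strncpy(remote.sun_path, sockfile, sizeof(remote.sun_path));` leaves `sun_path` without a terminating NUL when `sockfile` is as long as the field or longer, and the next line calls `strlen(remote.sun_path)` on it. Because the struct was just zeroed with memset, copying one byte less keeps the terminator: `strncpy(remote.sun_path, sockfile, sizeof(remote.sun_path) - 1);`. A path that does not fit would then be silently truncated, so rejecting an over-long `sockfile` with an explicit length check before the copy may be the better behaviour. The function body continues outside the hunk.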
diff --git a/src/faudit/pid.c b/src/faudit/pid.c index a0fb1d921..84b23fe0a 100644 --- a/src/faudit/pid.c +++ b/src/faudit/pid.c @@ -46,7 +46,6 @@ void pid_test(void) { /* coverity[toctou] */ FILE *fp = fopen(fname, "r"); if (!fp) { -// fprintf(stderr, "Warning: cannot open %s\n", fname); free(fname); continue; } @@ -54,7 +53,6 @@ void pid_test(void) { // read file char buf[100]; if (fgets(buf, 10, fp) == NULL) { -// fprintf(stderr, "Warning: cannot read %s\n", fname); fclose(fp); free(fname); continue; diff --git a/src/firecfg/main.c b/src/firecfg/main.c index d2566ce22..15ee78384 100644 --- a/src/firecfg/main.c +++ b/src/firecfg/main.c @@ -342,6 +342,7 @@ static void fix_desktop_files(void) { if (stat(filename, &sb) == -1) errExit("stat"); + /* coverity[toctou] */ int fd = open(filename, O_RDONLY); if (fd == -1) errExit("open"); diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index 6a9ca1679..0d1f8cb4d 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c @@ -51,6 +51,7 @@ void appimage_set(const char *appimage) { printf("AppImage ELF size %lu\n", size); // open appimage file + /* coverity[toctou] */ int ffd = open(appimage, O_RDONLY|O_CLOEXEC); if (ffd == -1) { fprintf(stderr, "Error: cannot open AppImage file\n"); @@ -74,6 +75,10 @@ void appimage_set(const char *appimage) { errExit("asprintf"); int lfd = open(devloop, O_RDONLY); + if (lfd == -1) { + fprintf(stderr, "Error: cannot open %s\n", devloop); + exit(1); + } if (ioctl(lfd, LOOP_SET_FD, ffd) == -1) { fprintf(stderr, "Error: cannot configure the loopback device\n"); exit(1); @@ -118,7 +123,7 @@ void appimage_set(const char *appimage) { EUID_USER(); // set environment - if (appimage && setenv("APPIMAGE", appimage, 1) < 0) + if (setenv("APPIMAGE", appimage, 1) < 0) errExit("setenv"); if (mntdir && setenv("APPDIR", mntdir, 1) < 0) errExit("setenv"); 
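Review bot: The `/* coverity[toctou] */` marker added before `open(filename, O_RDONLY)` in fix_desktop_files silences the finding without closing the window between `stat(filename, &sb)` and the open, so `sb` may describe a different file than the one that is read. Opening first and querying the descriptor removes the race: keep the existing `fd == -1` check and replace the stat with `if (fstat(fd, &sb) == -1) errExit("fstat");`. The same suppression is added in this commit in appimage.c, fs.c, fs_bin.c, fs_home.c, fs_mkdir.c, ls.c, pulseaudio.c, run_symlink.c, util.c and x11.c; each of those check-then-use pairs deserves the same look, particularly where the path is user-supplied and the process still holds privileges. The rest of the function is outside the hunk, so how `sb` is used afterwards is not visible here.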
@@ -170,8 +175,10 @@ void appimage_clear(void) { if (devloop) { int lfd = open(devloop, O_RDONLY); - rv = ioctl(lfd, LOOP_CLR_FD, 0); - (void) rv; - close(lfd); + if (lfd != -1) { + rv = ioctl(lfd, LOOP_CLR_FD, 0); + (void) rv; + close(lfd); + } } } diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 963d95bed..974fbb8a3 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -32,6 +32,7 @@ char *netfilter_default = NULL; int checkcfg(int val) { assert(val < CFG_MAX); int line = 0; + FILE *fp = NULL; if (!initialized) { // initialize defaults @@ -47,7 +48,7 @@ int checkcfg(int val) { if (asprintf(&fname, "%s/firejail.config", SYSCONFDIR) == -1) errExit("asprintf"); - FILE *fp = fopen(fname, "r"); + fp = fopen(fname, "r"); if (!fp) { #ifdef HAVE_GLOBALCFG fprintf(stderr, "Error: Firejail configuration file %s not found\n", fname); @@ -285,6 +286,8 @@ int checkcfg(int val) { return cfg_val[val]; errout: + if (fp) + fclose(fp); fprintf(stderr, "Error: invalid line %d in firejail configuration file\n", line ); exit(1); } diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 6f9b5a60c..9a2f4facc 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -717,6 +717,7 @@ void fs_overlayfs(void) { } } else { + /* coverity[toctou] */ if (mkdir(basedir, 0755) != 0) { fprintf(stderr, "Error: cannot create overlay directory\n"); exit(1); diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index 421df717d..7c56d524e 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c @@ -59,6 +59,7 @@ static char *check_dir_or_file(const char *name) { if (stat(fname, &s) == 0 && !S_ISDIR(s.st_mode)) { // do not allow directories // check symlink to firejail executable in /usr/local/bin if (strcmp(paths[i], "/usr/local/bin") == 0 && is_link(fname)) { + /* coverity[toctou] */ char *actual_path = realpath(fname, NULL); if (actual_path) { char *ptr = strstr(actual_path, "/firejail"); 
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 1f8da398e..0872bf0d0 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c @@ -137,6 +137,7 @@ static int store_asoundrc(void) { if (stat(src, &s) == 0) { if (is_link(src)) { // make sure the real path of the file is inside the home directory + /* coverity[toctou] */ char* rp = realpath(src, NULL); if (!rp) { fprintf(stderr, "Error: Cannot access %s\n", src); diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c index dcf06fc6f..b2e1b4a99 100644 --- a/src/firejail/fs_hostname.c +++ b/src/firejail/fs_hostname.c @@ -52,8 +52,10 @@ void fs_hostname(const char *hostname) { goto errexit; FILE *fp2 = fopen(RUN_HOSTS_FILE, "w"); - if (!fp2) + if (!fp2) { + fclose(fp1); goto errexit; + } char buf[4096]; int done = 0; diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c index 6bcb3f33e..5b6ceae90 100644 --- a/src/firejail/fs_mkdir.c +++ b/src/firejail/fs_mkdir.c @@ -37,6 +37,7 @@ static void mkdir_recursive(char *path) { subdir = strtok(path, "/"); while(subdir) { if (stat(subdir, &s) == -1) { + /* coverity[toctou] */ if (mkdir(subdir, 0700) == -1) { fprintf(stderr, "Warning: cannot create %s directory\n", subdir); return; @@ -118,6 +119,7 @@ void fs_mkfile(const char *name) { // drop privileges drop_privs(0); + /* coverity[toctou] */ FILE *fp = fopen(expanded, "w"); if (!fp) fprintf(stderr, "Warning: cannot create %s file\n", expanded); diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index ca50685ad..2aa4a1b54 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c 
@@ -128,16 +128,18 @@ void fs_var_log(void) { // create an empty /var/log/wtmp file /* coverity[toctou] */ FILE *fp = fopen("/var/log/wtmp", "w"); - SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH); - if (fp) + if (fp) { + SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH); fclose(fp); + } fs_logger("touch /var/log/wtmp"); // create an empty /var/log/btmp file fp = fopen("/var/log/btmp", "w"); - SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP); - if (fp) + if (fp) { + SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP); fclose(fp); + } fs_logger("touch /var/log/btmp"); } else diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 564dc8290..7b32021be 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c @@ -350,6 +350,8 @@ void fs_whitelist(void) { } // replace ~/ or ${HOME} into /home/username +// if (new_name) +// free(new_name); new_name = expand_home(entry->data + 10, cfg.homedir); assert(new_name); if (arg_debug) diff --git a/src/firejail/ls.c b/src/firejail/ls.c index 5444ad9c2..4b4ae1de2 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c @@ -259,6 +259,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { drop_privs(0); // check access + /* coverity[toctou] */ if (access(fname1, R_OK) == -1) { fprintf(stderr, "Error: Cannot access %s\n", fname1); exit(1); @@ -392,6 +393,10 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { // create a user-owned temporary file in /run/firejail directory char tmp_fname[] = "/run/firejail/tmpget-XXXXXX"; int fd = mkstemp(tmp_fname); + if (fd == -1) { + fprintf(stderr, "Error: cannot create temporary file %s\n", tmp_fname); + exit(1); + } SET_PERMS_FD(fd, getuid(), getgid(), 0600); close(fd); diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c index 1df4b7a0f..0136ab1f8 100644 
--- a/src/firejail/netfilter.c +++ b/src/firejail/netfilter.c @@ -69,31 +69,33 @@ void netfilter(const char *fname) { if (netfilter_default) fname = netfilter_default; if (fname) { - // buffer the filter - struct stat s; - if (stat(fname, &s) == -1) { - fprintf(stderr, "Error: cannot find network filter file %s\n", fname); - exit(1); - } - - filter = malloc(s.st_size + 1); // + '\0' - if (!filter) - errExit("malloc"); - memset(filter, 0, s.st_size + 1); - - /* coverity[toctou] */ - FILE *fp = fopen(fname, "r"); - if (!fp) { - fprintf(stderr, "Error: cannot open network filter file %s\n", fname); - exit(1); - } - - size_t sz = fread(filter, 1, s.st_size, fp); - if ((off_t)sz != s.st_size) { - fprintf(stderr, "Error: cannot read network filter file %s\n", fname); - exit(1); + assert(fname); + + // open filter file + int fd = open(fname, O_RDONLY); + if (fd == -1) + goto errexit; + int size = lseek(fd, 0, SEEK_END); + if (size == -1) + goto errexit; + if (lseek(fd, 0 , SEEK_SET) == -1) + goto errexit; + + // read filter + filter = malloc(size + 1); // + '\0' + if (filter == NULL) + goto errexit; + memset(&filter[0], 0, sizeof(filter)); + int rd = 0; + while (rd < size) { + int rv = read(fd, (unsigned char *) filter + rd, size - rd); + if (rv == -1) + goto errexit; + rd += rv; } - fclose(fp); + + // close file + close(fd); allocated = 1; } @@ -178,6 +180,11 @@ doexit: if (allocated) free(filter); + return; + +errexit: + fprintf(stderr, "Error: cannot read network filter %s\n", fname); + exit(1); } void netfilter6(const char *fname) { 
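Review bot: In the new read path of netfilter(), `memset(&filter[0], 0, sizeof(filter));` clears only `sizeof(char *)` bytes because `filter` is a pointer. The byte at `filter[size]` that the `// + '\0'` comment relies on is never set, although the buffer is later printed as a string. Use the allocation size instead: `memset(filter, 0, size + 1);`. The loop also treats only `rv == -1` as failure, so a `read()` that returns 0 (file shorter than the size lseek reported) never advances `rd` and the loop does not terminate; `if (rv <= 0) goto errexit;` covers both cases. The same two problems are repeated in netfilter6() and in load_seccomp() in src/fseccomp/seccomp_print.c in this commit.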
@@ -186,38 +193,38 @@ void netfilter6(const char *fname) { char *filter; - // buffer the filter - struct stat s; - if (stat(fname, &s) == -1) { - fprintf(stderr, "Error: cannot find network filter file %s\n", fname); - exit(1); - } - - filter = malloc(s.st_size + 1); // + '\0' - if (!filter) - errExit("malloc"); - memset(filter, 0, s.st_size + 1); - - /* coverity[toctou] */ - FILE *fp = fopen(fname, "r"); - if (!fp) { - fprintf(stderr, "Error: cannot open network filter file %s\n", fname); - exit(1); - } - - size_t sz = fread(filter, 1, s.st_size, fp); - if ((off_t)sz != s.st_size) { - fprintf(stderr, "Error: cannot read network filter file %s\n", fname); - exit(1); + // open filter file + int fd = open(fname, O_RDONLY); + if (fd == -1) + goto errexit; + int size = lseek(fd, 0, SEEK_END); + if (size == -1) + goto errexit; + if (lseek(fd, 0 , SEEK_SET) == -1) + goto errexit; + + // read filter + filter = malloc(size + 1); // + '\0' + if (filter == NULL) + goto errexit; + memset(&filter[0], 0, sizeof(filter)); + int rd = 0; + while (rd < size) { + int rv = read(fd, (unsigned char *) filter + rd, size - rd); + if (rv == -1) + goto errexit; + rd += rv; } - fclose(fp); + + // close file + close(fd); // temporarily mount a tempfs on top of /tmp directory if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mounting /tmp"); // create the filter file - fp = fopen("/tmp/netfilter6", "w"); + FILE *fp = fopen("/tmp/netfilter6", "w"); if (!fp) { fprintf(stderr, "Error: cannot open /tmp/netfilter6 file\n"); exit(1); @@ -228,6 +235,7 @@ void netfilter6(const char *fname) { // find iptables command char *ip6tables = NULL; char *ip6tables_restore = NULL; + struct stat s; if (stat("/sbin/ip6tables", &s) == 0) { ip6tables = "/sbin/ip6tables"; ip6tables_restore = "/sbin/ip6tables-restore"; 
@@ -284,4 +292,9 @@ doexit: // unmount /tmp umount("/tmp"); free(filter); + return; + +errexit: + fprintf(stderr, "Error: cannot read network filter %s\n", fname); + exit(1); } diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index aae490c34..8af555ea2 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c @@ -232,7 +232,7 @@ void run_no_sandbox(int argc, char **argv) { // use $SHELL to get shell used in sandbox if (!arg_shell_none && !cfg.shell) { char *shell = getenv("SHELL"); - if (access(shell, R_OK) == 0) + if (shell && access(shell, R_OK) == 0) cfg.shell = shell; } // guess shell otherwise diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 694509511..9acb1b813 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -990,6 +990,7 @@ void profile_read(const char *fname) { // process quiet if (strcmp(ptr, "quiet") == 0) { arg_quiet = 1; + free(ptr); continue; } if (!msg_printed) { diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index 6ec590eaa..f890dd534 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c @@ -137,6 +137,7 @@ void pulseaudio_init(void) { if (asprintf(&dir1, "%s/.config/pulse", cfg.homedir) == -1) errExit("asprintf"); if (stat(dir1, &s) == -1) { + /* coverity[toctou] */ int rv = mkdir(dir1, 0700); if (rv == 0) { if (set_perms(dir1, getuid(), getgid(), 0700)) diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c index 8aa2fe53f..a4dce405d 100644 --- a/src/firejail/run_symlink.c +++ b/src/firejail/run_symlink.c @@ -59,6 +59,7 @@ void run_symlink(int argc, char **argv) { struct stat s; if (stat(name, &s) == 0) { + /* coverity[toctou] */ char* rp = realpath(name, NULL); if (!rp) errExit("realpath"); diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index 430ffb86e..dbfdd445a 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c 
@@ -150,6 +150,7 @@ int sbox_run(unsigned filter, int num, ...) { } else // the user could run the sandbox without /dev/null close(STDIN_FILENO); + close(fd); } umask(027); diff --git a/src/firejail/util.c b/src/firejail/util.c index 03f52fabb..c3e00a110 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c @@ -683,11 +683,12 @@ int remove_directory(const char *path) { void flush_stdin(void) { if (isatty(STDIN_FILENO)) { int cnt = 0; - ioctl(STDIN_FILENO, FIONREAD, &cnt); - if (cnt) { + int rv = ioctl(STDIN_FILENO, FIONREAD, &cnt); + if (rv == 0 && cnt) { if (!arg_quiet) printf("Warning: removing %d bytes from stdin\n", cnt); - ioctl(STDIN_FILENO, TCFLSH, TCIFLUSH); + rv = ioctl(STDIN_FILENO, TCFLSH, TCIFLUSH); + (void) rv; } } } @@ -700,6 +701,7 @@ void create_empty_dir_as_root(const char *dir, mode_t mode) { if (stat(dir, &s)) { if (arg_debug) printf("Creating empty %s directory\n", dir); + /* coverity[toctou] */ if (mkdir(dir, mode) == -1) errExit("mkdir"); if (set_perms(dir, 0, 0, mode)) @@ -717,6 +719,7 @@ void create_empty_file_as_root(const char *fname, mode_t mode) { if (arg_debug) printf("Creating empty %s file\n", fname); + /* coverity[toctou] */ FILE *fp = fopen(fname, "w"); if (!fp) errExit("fopen"); diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 9da6d3e30..807f2d5f0 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c @@ -151,6 +151,7 @@ void fs_x11(void) { fs_logger("tmpfs /tmp/.X11-unix"); // create an empty file + /* coverity[toctou] */ FILE *fp = fopen(x11file, "w"); if (!fp) { fprintf(stderr, "Error: cannot create empty file in x11 directory\n"); diff --git a/src/fseccomp/seccomp_print.c b/src/fseccomp/seccomp_print.c index 7dc983b12..af240307c 100644 --- a/src/fseccomp/seccomp_print.c +++ b/src/fseccomp/seccomp_print.c 
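Review bot: The added `close(fd);` in sbox_run sits after the if/else, so it also runs on the `else` path, where the comment says /dev/null could not be opened and `fd` is therefore presumably -1. On the success path the descriptor appears to be closed already inside the `if` (those lines are above the hunk), which would make this a second close of the same descriptor number. Closing exactly once, inside the success branch next to the `dup2`, avoids both cases; this added line should be dropped.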
@@ -26,35 +26,41 @@ static int filter_cnt = 0; static void load_seccomp(const char *fname) { assert(fname); + + // open filter file + int fd = open(fname, O_RDONLY); + if (fd == -1) + goto errexit; - // check file - struct stat s; - if (stat(fname, &s) == -1) { - fprintf(stderr, "Error fseccomp: cannot read protocol filter file\n"); - exit(1); - } - int size = s.st_size; + // calculate the number of entries + int size = lseek(fd, 0, SEEK_END); + if (size == -1) + goto errexit; + if (lseek(fd, 0 , SEEK_SET) == -1) + goto errexit; unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter); filter_cnt = entries; -//printf("size %d, entries %d\n", s.st_size, entries); - - filter = malloc(sizeof(struct sock_filter) * entries); - if (!filter) - errExit("malloc"); - + // read filter - memset(filter, 0, sizeof(struct sock_filter) * entries); - int src = open(fname, O_RDONLY); + filter = malloc(size); + if (filter == NULL) + goto errexit; + memset(&filter[0], 0, sizeof(filter)); int rd = 0; while (rd < size) { - int rv = read(src, (unsigned char *) filter + rd, size - rd); - if (rv == -1) { - fprintf(stderr, "Error fseccomp: cannot read %s file\n", fname); - exit(1); - } + int rv = read(fd, (unsigned char *) filter + rd, size - rd); + if (rv == -1) + goto errexit; rd += rv; } - close(src); + + // close file + close(fd); + return; + +errexit: + fprintf(stderr, "Error fseccomp: cannot read %s\n", fname); + exit(1); } // debug filter diff --git a/src/lib/common.c b/src/lib/common.c index add4ff087..3f66fa72a 100644 --- a/src/lib/common.c +++ b/src/lib/common.c @@ -203,6 +203,8 @@ char *pid_proc_cmdline(const pid_t pid) { int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid) { // if comm is not firejail return 0 char *comm = pid_proc_comm(pid); + if (comm == NULL) + return 0; if (strcmp(comm, "firejail") != 0) { free(comm); return 0; diff --git a/src/libtracelog/libtracelog.c b/src/libtracelog/libtracelog.c index ca496d41c..90fe726de 100644 
--- a/src/libtracelog/libtracelog.c +++ b/src/libtracelog/libtracelog.c @@ -191,7 +191,7 @@ static void load_blacklist(void) { char *ptr = strchr(buf, '\n'); if (ptr) *ptr = '\0'; - if (sandbox_name_str == NULL); + if (sandbox_name_str == NULL) sandbox_name_str = strdup(buf + 14); } else if (strncmp(buf, "blacklist ", 10) == 0) { diff --git a/todo b/todo index e18ef3e34..253704fcf 100644 --- a/todo +++ b/todo @@ -286,6 +286,4 @@ removable media, partitions, software RAID volumes, logical volumes, and files. 29. grsecurity - move test after "firejail --name=blablabla" in /test/apps* -30. /* coverity[toctou] */ -31. test dillo, sandbox.c:240 -- cgit v1.2.3-70-g09d2 From ae52d274c79ef5e9719940e4d76d8bd9c9b0a2d4 Mon Sep 17 00:00:00 2001 From: Fred Barclay Date: Sun, 27 Nov 2016 15:12:37 -0600 Subject: Cryptocat profile --- etc/Cryptocat.profile | 20 ++++++++++++++++++++ etc/cryptocat.profile | 1 + 2 files changed, 21 insertions(+) create mode 100644 etc/Cryptocat.profile create mode 100644 etc/cryptocat.profile diff --git a/etc/Cryptocat.profile b/etc/Cryptocat.profile new file mode 100644 index 000000000..3db34c03c --- /dev/null +++ b/etc/Cryptocat.profile @@ -0,0 +1,20 @@ +# Firejail profile for +noblacklist ${HOME}/.config/Cryptocat + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +nosound +protocol unix,inet,inet6,netlink +seccomp +shell none + +private-dev +private-tmp diff --git a/etc/cryptocat.profile b/etc/cryptocat.profile new file mode 100644 index 000000000..0d392b272 --- /dev/null +++ b/etc/cryptocat.profile @@ -0,0 +1 @@ +include /etc/Cryptocat.profile -- cgit v1.2.3-70-g09d2 From cdc413f256f692a877623f059e67e3a2bbacfad6 Mon Sep 17 00:00:00 2001 
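Review bot: The new etc/cryptocat.profile contains `include /etc/Cryptocat.profile`, while every other include in these profiles points under /etc/firejail/ (for example `include /etc/firejail/disable-common.inc`). If the profiles are installed there, as those paths suggest, the lowercase alias will not find its target and a program started under that name may not receive the intended restrictions. The line should be `include /etc/firejail/Cryptocat.profile`. The header comment of etc/Cryptocat.profile is also left unfinished (`# Firejail profile for`) and should name Cryptocat.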
From: Fred Barclay Date: Sun, 27 Nov 2016 15:22:02 -0600 Subject: extra Cryptocat files --- README | 1 + README.md | 2 +- RELNOTES | 3 ++- etc/disable-programs.inc | 1 + platform/debian/conffiles | 1 + src/firecfg/firecfg.config | 1 + 6 files changed, 7 insertions(+), 2 deletions(-) diff --git a/README b/README index 4d09a0a2c..5308ab022 100644 --- a/README +++ b/README @@ -81,6 +81,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - tightened Spotify profile - added xiphos and Tor Browser Bundle profiles - added xed and pluma profiles + - added Cryptocat profile valoq (https://github.com/valoq) - lots of profile fixes - added support for /srv in --whitelist feature diff --git a/README.md b/README.md index 7fc552f1e..981582ebf 100644 --- a/README.md +++ b/README.md @@ -61,4 +61,4 @@ amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, enchant, exifto gjs, gnome-books, gnome-clocks, gnome-documents, gnome-maps, gnome-music, gnome-photos, gnome-weather, goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, w3m, xfburn, xpra, wget, -xed, pluma +xed, pluma, Cryptocat diff --git a/RELNOTES b/RELNOTES index c5872f676..d20326121 100644 --- a/RELNOTES +++ b/RELNOTES @@ -10,7 +10,8 @@ firejail (0.9.45) baseline; urgency=low * feature: AppImage type 2 support * feature: test coverage (gcov) support * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, - * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma + * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, + * new profiles: Cryptocat * bugfixes -- netblue30 Sun, 23 Oct 2016 08:00:00 -0500 diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 1ac926e3f..76a4c4607 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc 
@@ -110,6 +110,7 @@ blacklist ${HOME}/.cache/gajim blacklist ${HOME}/.local/share/gajim blacklist ${HOME}/.config/gajim blacklist ${HOME}/.config/Wire +blacklist ${HOME}/.config/Cryptocat # Games blacklist ${HOME}/.hedgewars diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 5776f3889..4dcbc28f6 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -27,6 +27,7 @@ /etc/firejail/conkeror.profile /etc/firejail/corebird.profile /etc/firejail/cpio.profile +/etc/firejail/Cryptocat.profile /etc/firejail/cyberfox.profile /etc/firejail/deadbeef.profile /etc/firejail/default.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 764e9e501..40dda07ff 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -61,6 +61,7 @@ w3m # chat/messaging bitlbee corebird +# Cryptocat is added but commented since isn't installed to a */bin... keep an eye on this empathy gitter hexchat -- cgit v1.2.3-70-g09d2 From 4ea68a4e03592d1c685f760f66eebe3018536416 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 27 Nov 2016 18:10:50 -0500 Subject: cleanup --- src/faudit/syscall.c | 3 ++- src/firejail/checkcfg.c | 9 ++++++--- src/firejail/ls.c | 10 ++++++---- src/firejail/netfilter.c | 8 +++++--- src/firejail/sbox.c | 4 +--- src/firejail/seccomp.c | 2 +- src/firejail/x11.c | 4 +++- src/fseccomp/seccomp_print.c | 2 +- 8 files changed, 25 insertions(+), 17 deletions(-) diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c index 3c87305df..4cd2526ba 100644 --- a/src/faudit/syscall.c +++ b/src/faudit/syscall.c @@ -35,7 +35,8 @@ void syscall_helper(int argc, char **argv) { (void) argc; if (strcmp(argv[2], "mount") == 0) { - mount(NULL, NULL, NULL, 0, NULL); + int rv = mount(NULL, NULL, NULL, 0, NULL); + (void) rv; printf("\nUGLY: mount syscall permitted.\n"); } else if (strcmp(argv[2], "umount2") == 0) { diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 974fbb8a3..6565f488a 100644 
--- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -33,6 +33,7 @@ int checkcfg(int val) { assert(val < CFG_MAX); int line = 0; FILE *fp = NULL; + char *ptr; if (!initialized) { // initialize defaults @@ -76,7 +77,7 @@ int checkcfg(int val) { continue; // parse line - char *ptr = line_remove_spaces(buf); + ptr = line_remove_spaces(buf); if (!ptr) continue; @@ -286,8 +287,10 @@ int checkcfg(int val) { return cfg_val[val]; errout: - if (fp) - fclose(fp); + assert(ptr); + free(ptr); + assert(fp); + fclose(fp); fprintf(stderr, "Error: invalid line %d in firejail configuration file\n", line ); exit(1); } diff --git a/src/firejail/ls.c b/src/firejail/ls.c index 4b4ae1de2..77eb35f97 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c @@ -259,11 +259,11 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { drop_privs(0); // check access - /* coverity[toctou] */ if (access(fname1, R_OK) == -1) { fprintf(stderr, "Error: Cannot access %s\n", fname1); exit(1); } + /* coverity[toctou] */ char *rp = realpath(fname1, NULL); if (!rp) { fprintf(stderr, "Error: Cannot access %s\n", fname1); @@ -316,9 +316,11 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { // create a user-owned temporary file in /run/firejail directory char tmp_fname[] = "/run/firejail/tmpget-XXXXXX"; int fd = mkstemp(tmp_fname); - SET_PERMS_FD(fd, getuid(), getgid(), 0600); - close(fd); - + if (fd != -1) { + SET_PERMS_FD(fd, getuid(), getgid(), 0600); + close(fd); + } + // copy the source file into the temporary file - we need to chroot pid_t child = fork(); if (child < 0) diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c index 0136ab1f8..43f08e45b 100644 --- a/src/firejail/netfilter.c +++ b/src/firejail/netfilter.c 
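Review bot: `char *ptr;` is now declared at function scope without an initializer, and the `errout` path does `assert(ptr); free(ptr);`. If any `goto errout` can be reached before `ptr = line_remove_spaces(buf)` has run, that reads an indeterminate pointer, and in a build with NDEBUG the asserts vanish. Declaring `char *ptr = NULL;` and keeping the previous `if (fp) fclose(fp);` form makes the error path safe regardless, since `free(NULL)` is a no-op. Most of checkcfg lies outside these hunks, so which jumps reach `errout` cannot be confirmed from here.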
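Review bot: At the first `mkstemp(tmp_fname)` site in sandboxfs the new `if (fd != -1)` only skips `SET_PERMS_FD` and `close`; execution then continues to the fork and copy step with a temporary file that was never created. The second mkstemp site in the same function prints `Error: cannot create temporary file %s` and exits on failure. This site should fail the same way instead of continuing with the unreplaced template name. sandboxfs continues outside the hunk.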
@@ -85,12 +85,14 @@ void netfilter(const char *fname) { filter = malloc(size + 1); // + '\0' if (filter == NULL) goto errexit; - memset(&filter[0], 0, sizeof(filter)); + memset(filter, 0, size + 1); int rd = 0; while (rd < size) { int rv = read(fd, (unsigned char *) filter + rd, size - rd); - if (rv == -1) + if (rv == -1) { + close(fd); goto errexit; + } rd += rv; } @@ -207,7 +209,7 @@ void netfilter6(const char *fname) { filter = malloc(size + 1); // + '\0' if (filter == NULL) goto errexit; - memset(&filter[0], 0, sizeof(filter)); + memset(filter, 0, size + 1); int rd = 0; while (rd < size) { int rv = read(fd, (unsigned char *) filter + rd, size - rd); diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index dbfdd445a..65c4e35e9 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c @@ -145,12 +145,10 @@ int sbox_run(unsigned filter, int num, ...) { int fd = open("/dev/null",O_RDWR, 0); if (fd != -1) { dup2 (fd, STDIN_FILENO); - if (fd > 2) - close (fd); + close(fd); } else // the user could run the sandbox without /dev/null close(STDIN_FILENO); - close(fd); } umask(027); diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index dd133b2ba..cdbbe4fdd 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c @@ -72,7 +72,7 @@ int seccomp_load(const char *fname) { struct sock_filter *filter = malloc(size); if (filter == NULL) goto errexit; - memset(&filter[0], 0, sizeof(filter)); + memset(filter, 0, size); int rd = 0; while (rd < size) { int rv = read(fd, (unsigned char *) filter + rd, size - rd); diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 807f2d5f0..d9b3b23d1 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c 
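Review bot: Dropping the `if (fd > 2)` guard in sbox_run means `close(fd)` now runs even when `open("/dev/null", ...)` returned descriptor 0, which can happen if stdin was already closed at that point. In that case `dup2(fd, STDIN_FILENO)` is a no-op and the unconditional close leaves the child without the stdin it had just been given. `if (fd != STDIN_FILENO) close(fd);` keeps the single close while preserving that case. The rest of the function is outside the hunk.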
@@ -252,7 +252,8 @@ void x11_start_xephyr(int argc, char **argv) { } for (i = 0; i < (int) strlen(xephyr_extra_params)-1; i++) { - if (pos >= (sizeof(server_argv)/sizeof(*server_argv))) { +//todo: if working , add a -2 also in 0.9.44-bugfix + if (pos >= (sizeof(server_argv)/sizeof(*server_argv)) - 2) { fprintf(stderr, "Error: arg count limit exceeded while parsing xephyr_extra_params\n"); exit(1); } @@ -716,6 +717,7 @@ void x11_xorg(void) { } if (set_perms(RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600)) errExit("set_perms"); + /* coverity[toctou] */ unlink(tmpfname); // mount diff --git a/src/fseccomp/seccomp_print.c b/src/fseccomp/seccomp_print.c index af240307c..e22c682dc 100644 --- a/src/fseccomp/seccomp_print.c +++ b/src/fseccomp/seccomp_print.c @@ -45,7 +45,7 @@ static void load_seccomp(const char *fname) { filter = malloc(size); if (filter == NULL) goto errexit; - memset(&filter[0], 0, sizeof(filter)); + memset(filter, 0, size); int rd = 0; while (rd < size) { int rv = read(fd, (unsigned char *) filter + rd, size - rd); -- cgit v1.2.3-70-g09d2 From d0c1fcfa273d323a26aa8477130e176dc2435bf5 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 28 Nov 2016 10:36:04 -0500 Subject: netfilter rework --- src/firejail/firejail.h | 5 +- src/firejail/netfilter.c | 233 +++++++++-------------------------------------- src/firejail/sbox.c | 32 +++++-- src/firejail/util.c | 42 +++++++++ src/firejail/x11.c | 1 - 5 files changed, 115 insertions(+), 198 deletions(-) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 4ae3cfd9f..61de17bf8 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -41,7 +41,6 @@ #define RUN_CPU_CFG "/run/firejail/mnt/cpu" #define RUN_GROUPS_CFG "/run/firejail/mnt/groups" #define RUN_PROTOCOL_CFG "/run/firejail/mnt/protocol" -#define RUN_CP_COMMAND "/run/firejail/mnt/cp" #define RUN_HOME_DIR "/run/firejail/mnt/home" #define RUN_ETC_DIR "/run/firejail/mnt/etc" #define RUN_BIN_DIR "/run/firejail/mnt/bin" 
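Review bot: The comment added above the bound check in x11_start_xephyr, `//todo: if working , add a -2 also in 0.9.44-bugfix`, is a release reminder and does not say why two slots of `server_argv` are held back by the new `- 2`. Since this check is what keeps `pos` inside the array while parsing `xephyr_extra_params`, the comment should state what the two reserved entries are for. Presumably these are arguments appended after the loop and the terminating NULL, but this needs confirming against the code below the hunk. A named constant would also be clearer than the bare `2`. The function continues outside the hunk.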
@@ -463,6 +462,7 @@ void create_empty_dir_as_root(const char *dir, mode_t mode); void create_empty_file_as_root(const char *dir, mode_t mode); int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode); void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid); +char *read_text_file_or_exit(const char *fname); // fs_var.c void fs_var_log(void); // mounting /var/log @@ -679,6 +679,8 @@ void build_cmdline(char **command_line, char **window_title, int argc, char **ar #define PATH_FIREMON (PREFIX "/bin/firemon") #define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp") #define PATH_FCOPY (LIBDIR "/firejail/fcopy") +#define SBOX_STDIN_FILE "/run/firejail/mnt/sbox_stdin" + // bitmapped filters for sbox_run #define SBOX_ROOT (1 << 0) // run the sandbox as root #define SBOX_USER (1 << 1) // run the sandbox as a regular user @@ -686,6 +688,7 @@ void build_cmdline(char **command_line, char **window_title, int argc, char **ar #define SBOX_CAPS_NONE (1 << 3) // drop all capabilities #define SBOX_CAPS_NETWORK (1 << 4) // caps filter for programs running network programs #define SBOX_ALLOW_STDIN (1 << 5) // don't close stdin +#define SBOX_STDIN_FROM_FILE (1 << 6) // open file and redirect it to stdin // run sbox int sbox_run(unsigned filter, int num, ...); diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c index 43f08e45b..ef4915f15 100644 --- a/src/firejail/netfilter.c +++ b/src/firejail/netfilter.c 
@@ -61,59 +61,6 @@ void check_netfilter_file(const char *fname) { void netfilter(const char *fname) { - // default filter - char *filter = client_filter; - - // custom filter - int allocated = 0; - if (netfilter_default) - fname = netfilter_default; - if (fname) { - assert(fname); - - // open filter file - int fd = open(fname, O_RDONLY); - if (fd == -1) - goto errexit; - int size = lseek(fd, 0, SEEK_END); - if (size == -1) - goto errexit; - if (lseek(fd, 0 , SEEK_SET) == -1) - goto errexit; - - // read filter - filter = malloc(size + 1); // + '\0' - if (filter == NULL) - goto errexit; - memset(filter, 0, size + 1); - int rd = 0; - while (rd < size) { - int rv = read(fd, (unsigned char *) filter + rd, size - rd); - if (rv == -1) { - close(fd); - goto errexit; - } - rd += rv; - } - - // close file - close(fd); - allocated = 1; - } - - // temporarily mount a tempfs on top of /tmp directory - if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) - errExit("mounting /tmp"); - - // create the filter file - FILE *fp = fopen("/tmp/netfilter", "w"); - if (!fp) { - fprintf(stderr, "Error: cannot open /tmp/netfilter file\n"); - exit(1); - } - fprintf(fp, "%s\n", filter); - fclose(fp); - // find iptables command struct stat s; char *iptables = NULL; 
@@ -127,113 +74,49 @@ void netfilter(const char *fname) { iptables_restore = "/usr/sbin/iptables-restore"; } if (iptables == NULL || iptables_restore == NULL) { - fprintf(stderr, "Error: iptables command not found\n"); - goto doexit; + fprintf(stderr, "Error: iptables command not found, netfilter not configured\n"); + return; } - // push filter - pid_t child = fork(); - if (child < 0) - errExit("fork"); - if (child == 0) { - if (arg_debug) - printf("Installing network filter:\n%s\n", filter); - - int fd; - if((fd = open("/tmp/netfilter", O_RDONLY)) == -1) { - fprintf(stderr,"Error: cannot open /tmp/netfilter\n"); - exit(1); - } - dup2(fd,STDIN_FILENO); - - // wipe out environment variables - clearenv(); - execl(iptables_restore, iptables_restore, NULL); - perror("execl"); - _exit(1); + // read filter + char *filter = client_filter; + int allocated = 0; + if (netfilter_default) + fname = netfilter_default; + if (fname) { + filter = read_text_file_or_exit(fname); + allocated = 1; } - // wait for the child to finish - waitpid(child, NULL, 0); - // debug - if (arg_debug) { - child = fork(); - if (child < 0) - errExit("fork"); - if (child == 0) { - // elevate privileges in order to get grsecurity working - if (setreuid(0, 0)) - errExit("setreuid"); - if (setregid(0, 0)) - errExit("setregid"); - environ = NULL; - assert(getenv("LD_PRELOAD") == NULL); - execl(iptables, iptables, "-vL", NULL); - perror("execl"); - _exit(1); - } - // wait for the child to finish - waitpid(child, NULL, 0); + // create the filter file + FILE *fp = fopen(SBOX_STDIN_FILE, "w"); + if (!fp) { + fprintf(stderr, "Error: cannot open %s\n", SBOX_STDIN_FILE); + exit(1); } + fprintf(fp, "%s\n", filter); + fclose(fp); + -doexit: - // unmount /tmp - umount("/tmp"); + // push filter + if (arg_debug) + printf("Installing network filter:\n%s\n", filter); + sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP | SBOX_STDIN_FROM_FILE, 1, iptables_restore); + unlink(SBOX_STDIN_FILE); + + // debug + if 
(arg_debug) + sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, iptables, "-vL"); if (allocated) free(filter); return; - -errexit: - fprintf(stderr, "Error: cannot read network filter %s\n", fname); - exit(1); } void netfilter6(const char *fname) { if (fname == NULL) return; - char *filter; - - // open filter file - int fd = open(fname, O_RDONLY); - if (fd == -1) - goto errexit; - int size = lseek(fd, 0, SEEK_END); - if (size == -1) - goto errexit; - if (lseek(fd, 0 , SEEK_SET) == -1) - goto errexit; - - // read filter - filter = malloc(size + 1); // + '\0' - if (filter == NULL) - goto errexit; - memset(filter, 0, size + 1); - int rd = 0; - while (rd < size) { - int rv = read(fd, (unsigned char *) filter + rd, size - rd); - if (rv == -1) - goto errexit; - rd += rv; - } - - // close file - close(fd); - - // temporarily mount a tempfs on top of /tmp directory - if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) - errExit("mounting /tmp"); - - // create the filter file - FILE *fp = fopen("/tmp/netfilter6", "w"); - if (!fp) { - fprintf(stderr, "Error: cannot open /tmp/netfilter6 file\n"); - exit(1); - } - fprintf(fp, "%s\n", filter); - fclose(fp); - // find iptables command char *ip6tables = NULL; char *ip6tables_restore = NULL; 
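Review bot: The result of the `sbox_run(..., 1, iptables_restore)` call in netfilter() is discarded, so a rule set that the restore command rejects leaves the sandbox running without the requested filter. sbox_run is declared `int`; if it returns the child's status (its body is not in this hunk), check it and stop, e.g. `if (sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP | SBOX_STDIN_FROM_FILE, 1, iptables_restore)) { fprintf(stderr, "Error: cannot install network filter\n"); exit(1); }`. The same applies to the ip6tables_restore call in the netfilter6 hunk that follows, and to the plain `return` taken when the iptables binaries are missing, which also continues unfiltered. `fprintf` and `fclose` on SBOX_STDIN_FILE are unchecked as well, so a short write would hand a truncated rule set to the restore command.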
@@ -247,56 +130,30 @@ void netfilter6(const char *fname) { ip6tables_restore = "/usr/sbin/ip6tables-restore"; } if (ip6tables == NULL || ip6tables_restore == NULL) { - fprintf(stderr, "Error: ip6tables command not found\n"); - goto doexit; + fprintf(stderr, "Error: ip6tables command not found, netfilter6 not configured\n"); + return; } - // push filter - pid_t child = fork(); - if (child < 0) - errExit("fork"); - if (child == 0) { - if (arg_debug) - printf("Installing network filter:\n%s\n", filter); - - int fd; - if((fd = open("/tmp/netfilter6", O_RDONLY)) == -1) { - fprintf(stderr,"Error: cannot open /tmp/netfilter6\n"); - exit(1); - } - dup2(fd,STDIN_FILENO); - - // wipe out environment variables - clearenv(); - execl(ip6tables_restore, ip6tables_restore, NULL); - perror("execl"); - _exit(1); + // create the filter file + char *filter = read_text_file_or_exit(fname); + FILE *fp = fopen(SBOX_STDIN_FILE, "w"); + if (!fp) { + fprintf(stderr, "Error: cannot open /tmp/netfilter6 file\n"); + exit(1); } - // wait for the child to finish - waitpid(child, NULL, 0); + fprintf(fp, "%s\n", filter); + fclose(fp); + // push filter + if (arg_debug) + printf("Installing network filter:\n%s\n", filter); + sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP | SBOX_STDIN_FROM_FILE, 1, ip6tables_restore); + unlink(SBOX_STDIN_FILE); + // debug - if (arg_debug) { - child = fork(); - if (child < 0) - errExit("fork"); - if (child == 0) { - clearenv(); - execl(ip6tables, ip6tables, "-vL", NULL); - perror("execl"); - _exit(1); - } - // wait for the child to finish - waitpid(child, NULL, 0); - } + if (arg_debug) + sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, ip6tables, "-vL"); -doexit: - // unmount /tmp - umount("/tmp"); free(filter); return; - -errexit: - fprintf(stderr, "Error: cannot read network filter %s\n", fname); - exit(1); } diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index 65c4e35e9..f28bbaf1a 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c 
@@ -138,18 +138,34 @@ int sbox_run(unsigned filter, int num, ...) { if (child == 0) { // clean the new process clearenv(); - int max = 20; // getdtablesize() is overkill for a firejail process - for (i = 3; i < max; i++) - close(i); // close open files - if ((filter & SBOX_ALLOW_STDIN) == 0) { - int fd = open("/dev/null",O_RDWR, 0); - if (fd != -1) { - dup2 (fd, STDIN_FILENO); - close(fd); + + if (filter & SBOX_STDIN_FROM_FILE) { + int fd; + if((fd = open(SBOX_STDIN_FILE, O_RDONLY)) == -1) { + fprintf(stderr,"Error: cannot open /tmp/netfilter\n"); + exit(1); } + dup2(fd,STDIN_FILENO); + } + else if ((filter & SBOX_ALLOW_STDIN) == 0) { + int fd = open("/dev/null",O_RDWR, 0); + if (fd != -1) + dup2(fd, STDIN_FILENO); else // the user could run the sandbox without /dev/null close(STDIN_FILENO); } + + // close all other file descriptors + int max = 20; // getdtablesize() is overkill for a firejail process + for (i = 3; i < max; i++) + close(i); // close open files + + if (arg_debug) { + printf("sbox file descriptors:\n"); + int rv = system("ls -l /proc/self/fd"); + (void) rv; + } + umask(027); // apply filters diff --git a/src/firejail/util.c b/src/firejail/util.c index c3e00a110..75f2acdb9 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c 
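Review bot: The debug branch calls `system("ls -l /proc/self/fd")`, which starts a shell from the child before the "apply filters" step that follows it. For SBOX_ROOT callers that shell runs with whatever privileges the child still holds at that point. Listing the descriptors with opendir/readlink gives the same information without spawning anything; the fence shows one way, and it needs `<dirent.h>` and `<limits.h>` among the file's includes. In the SBOX_STDIN_FROM_FILE branch the message still names the old path and should read `fprintf(stderr, "Error: cannot open %s\n", SBOX_STDIN_FILE);`. sbox_run's body starts and ends outside the hunk.

```c
		// ... unchanged: stdin setup and the close loop for descriptors 3..19 ...
		if (arg_debug) {
			printf("sbox file descriptors:\n");
			DIR *dir = opendir("/proc/self/fd");
			if (dir) {
				struct dirent *entry;
				while ((entry = readdir(dir)) != NULL) {
					char lnk[64];
					char target[PATH_MAX];
					if (entry->d_name[0] == '.')
						continue;
					snprintf(lnk, sizeof(lnk), "/proc/self/fd/%s", entry->d_name);
					ssize_t len = readlink(lnk, target, sizeof(target) - 1);
					if (len == -1)
						continue;
					target[len] = '\0';
					printf("  %s -> %s\n", entry->d_name, target);
				}
				closedir(dir);
			}
		}
		// ... unchanged: umask(027) and filter setup ...
```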
@@ -777,3 +777,45 @@ void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) { ASSERT_PERMS(fname, uid, gid, mode); } + +char *read_text_file_or_exit(const char *fname) { + assert(fname); + + // open file + int fd = open(fname, O_RDONLY); + if (fd == -1) { + fprintf(stderr, "Error: cannot read %s\n", fname); + exit(1); + } + + int size = lseek(fd, 0, SEEK_END); + if (size == -1) + goto errexit; + if (lseek(fd, 0 , SEEK_SET) == -1) + goto errexit; + + // allocate memory + char *data = malloc(size + 1); // + '\0' + if (data == NULL) + goto errexit; + memset(data, 0, size + 1); + + // read file + int rd = 0; + while (rd < size) { + int rv = read(fd, (unsigned char *) data + rd, size - rd); + if (rv == -1) { + goto errexit; + } + rd += rv; + } + + // close file + close(fd); + return data; + +errexit: + close(fd); + fprintf(stderr, "Error: cannot read %s\n", fname); + exit(1); +} \ No newline at end of file diff --git a/src/firejail/x11.c b/src/firejail/x11.c index d9b3b23d1..e67260490 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c @@ -252,7 +252,6 @@ void x11_start_xephyr(int argc, char **argv) { } for (i = 0; i < (int) strlen(xephyr_extra_params)-1; i++) { -//todo: if working , add a -2 also in 0.9.44-bugfix if (pos >= (sizeof(server_argv)/sizeof(*server_argv)) - 2) { fprintf(stderr, "Error: arg count limit exceeded while parsing xephyr_extra_params\n"); exit(1); -- cgit v1.2.3-70-g09d2 From 69009709796704a6d67827758be8b382672cf8f2 Mon Sep 17 00:00:00 2001 
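Review bot: In read_text_file_or_exit, `int size = lseek(fd, 0, SEEK_END)` narrows an `off_t` into an `int`, and nothing bounds the value before `malloc(size + 1)`. A very large file named by the user therefore drives the allocation, and a size of INT_MAX overflows `size + 1`. Keep the type and cap it, e.g. `off_t size = lseek(fd, 0, SEEK_END);` followed by `if (size == -1 || size > MAX_TEXT_FILE_SIZE) goto errexit;`, where MAX_TEXT_FILE_SIZE is a new constant for the project to choose. A short comment above the function stating that the caller owns the returned buffer and must `free()` it would also help. The file now ends without a trailing newline.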
From: Tad Date: Tue, 29 Nov 2016 06:47:23 -0500 Subject: Add 10 new profiles Added profiles for Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos, and Xonotic --- etc/bless.profile | 20 ++++++++++++++++++++ etc/disable-programs.inc | 7 +++++++ etc/gnome-2048.profile | 25 +++++++++++++++++++++++++ etc/gnome-calculator.profile | 19 +++++++++++++++++++ etc/gnome-contacts.profile | 19 +++++++++++++++++++ etc/jd-gui.profile | 19 +++++++++++++++++++ etc/lollypop.profile | 20 ++++++++++++++++++++ etc/multimc5.profile | 27 +++++++++++++++++++++++++++ etc/pdfsam.profile | 17 +++++++++++++++++ etc/pithos.profile | 19 +++++++++++++++++++ etc/xonotic-glx.profile | 5 +++++ etc/xonotic-sdl.profile | 5 +++++ etc/xonotic.profile | 25 +++++++++++++++++++++++++ 13 files changed, 227 insertions(+) create mode 100644 etc/bless.profile create mode 100644 etc/gnome-2048.profile create mode 100644 etc/gnome-calculator.profile create mode 100644 etc/gnome-contacts.profile create mode 100644 etc/jd-gui.profile create mode 100644 etc/lollypop.profile create mode 100644 etc/multimc5.profile create mode 100644 etc/pdfsam.profile create mode 100644 etc/pithos.profile create mode 100644 etc/xonotic-glx.profile create mode 100644 etc/xonotic-sdl.profile create mode 100644 etc/xonotic.profile diff --git a/etc/bless.profile b/etc/bless.profile new file mode 100644 index 000000000..752edadf7 --- /dev/null +++ b/etc/bless.profile @@ -0,0 +1,20 @@ +# +#Profile for bless +# + +#No Blacklist Paths +noblacklist ${HOME}/.config/bless + +#Blacklist Paths +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-devel.inc + +#Options +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 76a4c4607..f46274545 100644 --- a/etc/disable-programs.inc 
+++ b/etc/disable-programs.inc @@ -10,6 +10,7 @@ blacklist ${HOME}/.stellarium blacklist ${HOME}/.sword blacklist ${HOME}/.xiphos blacklist ${HOME}/.config/Atom +blacklist ${HOME}/.config/bless blacklist ${HOME}/.config/gthumb blacklist ${HOME}/.config/mupen64plus blacklist ${HOME}/.config/transmission @@ -44,6 +45,7 @@ blacklist ${HOME}/.openshot_qt blacklist ${HOME}/.flowblade blacklist ${HOME}/.config/flowblade blacklist ${HOME}/.config/eog +blacklist ${HOME}/.config/jd-gui.cfg # Media players @@ -56,6 +58,7 @@ blacklist ${HOME}/.config/totem blacklist ${HOME}/.config/xplayer blacklist ${HOME}/.audacity-data blacklist ${HOME}/.guayadeque +blacklist ${HOME}/.local/share/lollypop # HTTP / FTP / Mail blacklist ${HOME}/.icedove @@ -119,6 +122,10 @@ blacklist ${HOME}/.config/wesnoth blacklist ${HOME}/.config/0ad blacklist ${HOME}/.warzone2100-3.1 blacklist ${HOME}/.dosbox +blacklist ${HOME}/.local/share/gnome-2048 +blacklist ${HOME}/.local/share/multimc5 +blacklist ${HOME}/.multimc5 +blacklist ${HOME}/.xonotic # Cryptocoins blacklist ${HOME}/.*coin diff --git a/etc/gnome-2048.profile b/etc/gnome-2048.profile new file mode 100644 index 000000000..f9982da61 --- /dev/null +++ b/etc/gnome-2048.profile @@ -0,0 +1,25 @@ +# +#Profile for gnome-2048 +# + +#No Blacklist Paths +noblacklist ${HOME}/.local/share/gnome-2048 + +#Blacklist Paths +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-devel.inc + +#Whitelist Paths +mkdir ${HOME}/.local/share/gnome-2048 +whitelist ${HOME}/.local/share/gnome-2048 +include /etc/firejail/whitelist-common.inc + +#Options +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile new file mode 100644 index 000000000..49e068171 --- /dev/null +++ b/etc/gnome-calculator.profile 
@@ -0,0 +1,19 @@
+#
+#Profile for gnome-calculator
+#
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+include /etc/firejail/whitelist-common.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/gnome-contacts.profile b/etc/gnome-contacts.profile
new file mode 100644
index 000000000..9dc25b26c
--- /dev/null
+++ b/etc/gnome-contacts.profile
@@ -0,0 +1,19 @@
+#
+#Profile for gnome-contacts
+#
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+include /etc/firejail/whitelist-common.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
new file mode 100644
index 000000000..1d6eb41f8
--- /dev/null
+++ b/etc/jd-gui.profile
@@ -0,0 +1,19 @@
+#
+#Profile for jd-gui
+#
+
+noblacklist ${HOME}/.config/jd-gui.cfg
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/lollypop.profile b/etc/lollypop.profile
new file mode 100644
index 000000000..41a662bca
--- /dev/null
+++ b/etc/lollypop.profile
@@ -0,0 +1,20 @@
+#
+#Profile for lollypop
+#
+
+#No Blacklist Paths
+noblacklist ${HOME}/.local/share/lollypop
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/multimc5.profile b/etc/multimc5.profile
new file mode 100644
index 000000000..cc310f294
--- /dev/null
+++ b/etc/multimc5.profile
@@ -0,0 +1,27 @@
+#
+#Profile for multimc5
+#
+
+#No Blacklist Paths
+noblacklist ${HOME}/.local/share/multimc5
+noblacklist ${HOME}/.multimc5
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+#Whitelist Paths
+mkdir ${HOME}/.local/share/multimc5
+whitelist ${HOME}/.local/share/multimc5
+mkdir ${HOME}/.multimc5
+whitelist ${HOME}/.multimc5
+include /etc/firejail/whitelist-common.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile
new file mode 100644
index 000000000..6e50f37cf
--- /dev/null
+++ b/etc/pdfsam.profile
@@ -0,0 +1,17 @@
+#
+#Profile for pdfsam
+#
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/pithos.profile b/etc/pithos.profile
new file mode 100644
index 000000000..8270b8bee
--- /dev/null
+++ b/etc/pithos.profile
@@ -0,0 +1,19 @@
+#
+#Profile for pithos
+#
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+include /etc/firejail/whitelist-common.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/xonotic-glx.profile b/etc/xonotic-glx.profile
new file mode 100644
index 000000000..b255ffdbb
--- /dev/null
+++ b/etc/xonotic-glx.profile
@@ -0,0 +1,5 @@
+#
+#Profile for xonotic:xonotic-glx
+#
+
+include /etc/firejail/xonotic.profile
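Review bot: etc/multimc5.profile is the only profile added in this commit whose Options block has no `seccomp` line; it ends at `protocol unix,inet,inet6`. If the omission is deliberate, record it in the file with a comment such as `#seccomp is left out because <reason>` (placeholder, to be filled in by the author). Otherwise add `seccomp` after the protocol line so the profile matches the other nine.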
diff --git a/etc/xonotic-sdl.profile b/etc/xonotic-sdl.profile
new file mode 100644
index 000000000..783667304
--- /dev/null
+++ b/etc/xonotic-sdl.profile
@@ -0,0 +1,5 @@
+#
+#Profile for xonotic:xonotic-sdl
+#
+
+include /etc/firejail/xonotic.profile
diff --git a/etc/xonotic.profile b/etc/xonotic.profile
new file mode 100644
index 000000000..75d649619
--- /dev/null
+++ b/etc/xonotic.profile
@@ -0,0 +1,25 @@
+#
+#Profile for xonotic
+#
+
+#No Blacklist Paths
+noblacklist ${HOME}/.xonotic
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+#Whitelist Paths
+mkdir ${HOME}/.xonotic
+whitelist ${HOME}/.xonotic
+include /etc/firejail/whitelist-common.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
-- cgit v1.2.3-70-g09d2 From d3b6581db7fcd0fb0897ada9910140f0e43f4ed1 Mon Sep 17 00:00:00 2001
From: netblue30 Date: Tue, 29 Nov 2016 10:04:43 -0500 Subject: testing and cleanup --- src/firejail/fs_var.c | 9 ++-- src/firejail/fs_whitelist.c | 98 +++++++++++++-------------------------- src/firejail/netfilter.c | 12 ++--- test/environment/dns.exp | 27 ++++++++++- test/environment/dns.profile | 3 ++ test/fs/fs.sh | 3 ++ test/fs/whitelist-dev.exp | 47 +++++++++++++++++++ test/fs/whitelist.exp | 26 +++++------ test/network/ip6.exp | 40 ++++++++++++++++ test/network/ip6.profile | 3 ++ test/network/iprange.exp | 103 +++++++++++++++++++++++++++++++++++++++++ test/network/iprange.profile | 2 + test/network/network.sh | 6 +++ test/network/veth-name.exp | 77 ++++++++++++++++++++++++++++++ test/network/veth-name.profile | 3 ++ test/root/root.sh | 3 ++ test/root/whitelist-mnt.exp | 86 ++++++++++++++++++++++++++++++++++ 17 files changed, 454 insertions(+), 94 deletions(-) create mode 100644 test/environment/dns.profile create mode 100755 test/fs/whitelist-dev.exp create mode 100644 test/network/ip6.profile create mode 100755 test/network/iprange.exp create mode 100644 test/network/iprange.profile create mode 100755 test/network/veth-name.exp create mode 100644 test/network/veth-name.profile create mode 100755 test/root/whitelist-mnt.exp diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index 2aa4a1b54..bdc5ecaf3 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c @@ -65,10 +65,9 @@ static void build_list(const char *srcdir) { struct stat s; char *name; if (asprintf(&name, "%s/%s", srcdir, dir->d_name) == -1) - continue; - if (stat(name, &s) == -1) - continue; - if (S_ISLNK(s.st_mode)) { + errExit("asprintf"); + if (stat(name, &s) == -1 || + S_ISLNK(s.st_mode)) { free(name); continue; } @@ -143,7 +142,7 @@ void fs_var_log(void) { fs_logger("touch /var/log/btmp"); } else - fprintf(stderr, "Warning: cannot mount tmpfs on top of /var/log\n"); + fprintf(stderr, "Warning: cannot hide /var/log directory\n"); } void fs_var_lib(void) { 
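Review bot: In build_list the merged condition still tests `S_ISLNK(s.st_mode)` on the result of `stat()`, which follows symbolic links, so the link test can never be true. Only dangling links are skipped, because `stat` fails on them; links to existing targets pass through. If skipping links is the intent, use `lstat`: `if (lstat(name, &s) == -1 || S_ISLNK(s.st_mode)) {`. build_list's body starts and ends outside the hunk.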
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 7b32021be..b10858411 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c @@ -95,34 +95,29 @@ static char *resolve_downloads(void) { if (asprintf(&fname, "%s/%s", cfg.homedir, ptr1) == -1) errExit("asprintf"); - if (stat(fname, &s) == -1) { - fprintf(stderr, "***\n"); - fprintf(stderr, "*** Error: directory %s not found.\n", fname); - fprintf(stderr, "*** \tThis directory is configured in ~/.config/user-dirs.dirs.\n"); - fprintf(stderr, "*** \tPlease create a Downloads directory.\n"); - fprintf(stderr, "***\n"); + if (stat(fname, &s) == -1) free(fname); - return NULL; - } + goto errout; char *rv; if (asprintf(&rv, "whitelist ~/%s", ptr + 24) == -1) errExit("asprintf"); return rv; } - else { - fprintf(stderr, "***\n"); - fprintf(stderr, "*** Error: invalid XDG_DOWNLOAD_DIR entry in ~/.config/user-dirs.dirs.\n"); - fprintf(stderr, "*** \tPlease specify a valid Downloads directory, example:\n"); - fprintf(stderr, "***\n"); - fprintf(stderr, "***\t\tXDG_DOWNLOAD_DIR=\"$HOME/Downloads\"\n"); - fprintf(stderr, "***\n"); - return NULL; - } + else + goto errout; } } } + fclose(fp); + return NULL; + +errout: + fprintf(stderr, "***\n"); + fprintf(stderr, "*** Error: Downloads directory was not found in user home.\n"); + fprintf(stderr, "*** \tAny files saved by the program, will be lost when the sandbox is closed.\n"); + fprintf(stderr, "***\n"); return NULL; } @@ -181,10 +176,8 @@ static void whitelist_path(ProfileEntry *entry) { if (entry->home_dir) { if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) { fname = path + strlen(cfg.homedir); - if (*fname == '\0') { - fprintf(stderr, "Error: file %s is not in user home directory, exiting...\n", path); - exit(1); - } + if (*fname == '\0') + goto errexit; } else fname = path; 
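Review bot: In resolve_downloads the braces were removed from `if (stat(fname, &s) == -1)`, so only `free(fname);` is conditional and the added `goto errout;` runs every time. The `whitelist ~/...` string below it is never built, and the function always prints the error and returns NULL. Restore the block: `if (stat(fname, &s) == -1) { free(fname); goto errout; }`. The errout path also returns without `fclose(fp)`, unlike the normal exit added just above it. resolve_downloads starts outside the hunk.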
@@ -194,70 +187,56 @@ static void whitelist_path(ProfileEntry *entry) { } else if (entry->tmp_dir) { fname = path + 4; // strlen("/tmp") - if (*fname == '\0') { - fprintf(stderr, "Error: file %s is not in /tmp directory, exiting...\n", path); - exit(1); - } + if (*fname == '\0') + goto errexit; if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_TMP_DIR, fname) == -1) errExit("asprintf"); } else if (entry->media_dir) { fname = path + 6; // strlen("/media") - if (*fname == '\0') { - fprintf(stderr, "Error: file %s is not in /media directory, exiting...\n", path); - exit(1); - } + if (*fname == '\0') + goto errexit; if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MEDIA_DIR, fname) == -1) errExit("asprintf"); } else if (entry->mnt_dir) { fname = path + 4; // strlen("/mnt") - if (*fname == '\0') { - fprintf(stderr, "Error: file %s is not in /mnt directory, exiting...\n", path); - exit(1); - } + if (*fname == '\0') + goto errexit; if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MNT_DIR, fname) == -1) errExit("asprintf"); } else if (entry->var_dir) { fname = path + 4; // strlen("/var") - if (*fname == '\0') { - fprintf(stderr, "Error: file %s is not in /var directory, exiting...\n", path); - exit(1); - } + if (*fname == '\0') + goto errexit; if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_VAR_DIR, fname) == -1) errExit("asprintf"); } else if (entry->dev_dir) { fname = path + 4; // strlen("/dev") - if (*fname == '\0') { - fprintf(stderr, "Error: file %s is not in /dev directory, exiting...\n", path); - exit(1); - } + if (*fname == '\0') + goto errexit; if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_DEV_DIR, fname) == -1) errExit("asprintf"); } else if (entry->opt_dir) { fname = path + 4; // strlen("/opt") - if (*fname == '\0') { - fprintf(stderr, "Error: file %s is not in /opt directory, exiting...\n", path); - exit(1); - } + if (*fname == '\0') + goto errexit; if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_OPT_DIR, fname) == -1) errExit("asprintf"); } else if (entry->srv_dir) { fname = path + 4; 
// strlen("/srv") - if (*fname == '\0') { - fprintf(stderr, "Error: file %s is not in /srv directory, exiting...\n", path); - exit(1); - } + if (*fname == '\0') + goto errexit; if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SRV_DIR, fname) == -1) errExit("asprintf"); @@ -305,6 +284,11 @@ static void whitelist_path(ProfileEntry *entry) { errExit("mount bind"); free(wfile); + return; + +errexit: + fprintf(stderr, "Error: file %s is not in the whitelisted directory\n", path); + exit(1); } @@ -432,8 +416,6 @@ void fs_whitelist(void) { tmp_dir = 1; // both path and absolute path are under /tmp if (strncmp(fname, "/tmp/", 5) != 0) { - if (arg_debug) - fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); goto errexit; } } @@ -442,8 +424,6 @@ void fs_whitelist(void) { media_dir = 1; // both path and absolute path are under /media if (strncmp(fname, "/media/", 7) != 0) { - if (arg_debug) - fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); goto errexit; } } @@ -452,8 +432,6 @@ void fs_whitelist(void) { mnt_dir = 1; // both path and absolute path are under /mnt if (strncmp(fname, "/mnt/", 5) != 0) { - if (arg_debug) - fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); goto errexit; } } @@ -467,8 +445,6 @@ void fs_whitelist(void) { else if (strcmp(new_name, "/var/lock")== 0) ; else if (strncmp(fname, "/var/", 5) != 0) { - if (arg_debug) - fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); goto errexit; } } @@ -477,8 +453,6 @@ void fs_whitelist(void) { dev_dir = 1; // both path and absolute path are under /dev if (strncmp(fname, "/dev/", 5) != 0) { - if (arg_debug) - fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); goto errexit; } } @@ -487,8 +461,6 @@ void fs_whitelist(void) { opt_dir = 1; // both path and absolute path are under /dev if (strncmp(fname, "/opt/", 5) != 0) { - if (arg_debug) - fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); goto errexit; } } 
@@ -497,14 +469,10 @@ void fs_whitelist(void) { srv_dir = 1; // both path and absolute path are under /srv if (strncmp(fname, "/srv/", 5) != 0) { - if (arg_debug) - fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); goto errexit; } } else { - if (arg_debug) - fprintf(stderr, "Debug %d: \n", __LINE__); goto errexit; } diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c index ef4915f15..ed411313a 100644 --- a/src/firejail/netfilter.c +++ b/src/firejail/netfilter.c @@ -47,14 +47,8 @@ void check_netfilter_file(const char *fname) { EUID_ASSERT(); invalid_filename(fname); - if (is_dir(fname) || is_link(fname) || strstr(fname, "..")) { - fprintf(stderr, "Error: invalid network filter file\n"); - exit(1); - } - - // access call checks as real UID/GID, not as effective UID/GID - if (access(fname, R_OK)) { - fprintf(stderr, "Error: cannot access network filter file\n"); + if (is_dir(fname) || is_link(fname) || strstr(fname, "..") || access(fname, R_OK )) { + fprintf(stderr, "Error: invalid network filter file %s\n", fname); exit(1); } } @@ -138,7 +132,7 @@ void netfilter6(const char *fname) { char *filter = read_text_file_or_exit(fname); FILE *fp = fopen(SBOX_STDIN_FILE, "w"); if (!fp) { - fprintf(stderr, "Error: cannot open /tmp/netfilter6 file\n"); + fprintf(stderr, "Error: cannot open %s\n", SBOX_STDIN_FILE); exit(1); } fprintf(fp, "%s\n", filter); diff --git a/test/environment/dns.exp b/test/environment/dns.exp index 40403aade..d00e9fb94 100755 --- a/test/environment/dns.exp +++ b/test/environment/dns.exp 
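Review bot: check_netfilter_file validates the name with `is_link()` and `access()`, but the file is presumably opened later by path (read_text_file_or_exit in the previous commit), so the object that was checked can be replaced before it is read. Opening once and validating the descriptor would close that window; whether privileges are already dropped at the later open is not visible in this hunk. The merged condition also drops the note that explained the `access()` call, which is worth keeping next to it: `// access() checks with the real UID/GID, not the effective one`.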
@@ -26,10 +26,33 @@ expect { } after 100 send -- "exit\r" -after 100 +sleep 1 + +send -- "firejail --profile=dns.profile\r" +expect { + timeout {puts "TESTING ERROR 12.1\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "cat /etc/resolv.conf\r" +expect { + timeout {puts "TESTING ERROR 12.2\n";exit} + "nameserver 8.8.4.4" +} +expect { + timeout {puts "TESTING ERROR 12.3\n";exit} + "nameserver 8.8.8.8" +} +expect { + timeout {puts "TESTING ERROR 12.4\n";exit} + "nameserver 4.2.2.1" +} +after 100 +send -- "exit\r" +sleep 1 -# no chroot send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r" expect { timeout {puts "TESTING ERROR 1.1\n";exit} diff --git a/test/environment/dns.profile b/test/environment/dns.profile new file mode 100644 index 000000000..d1b842c86 --- /dev/null +++ b/test/environment/dns.profile @@ -0,0 +1,3 @@ +dns 8.8.4.4 +dns 8.8.8.8 +dns 4.2.2.1 diff --git a/test/fs/fs.sh b/test/fs/fs.sh index d9a425661..611b62b09 100755 --- a/test/fs/fs.sh +++ b/test/fs/fs.sh @@ -88,6 +88,9 @@ echo "TESTING: double whitelist (test/fs/whitelist-double.exp)" echo "TESTING: whitelist (test/fs/whitelist.exp)" ./whitelist.exp +echo "TESTING: whitelist dev, var(test/fs/whitelist-dev.exp)" +./whitelist-dev.exp + echo "TESTING: fscheck --bind non root (test/fs/fscheck-bindnoroot.exp)" ./fscheck-bindnoroot.exp diff --git a/test/fs/whitelist-dev.exp b/test/fs/whitelist-dev.exp new file mode 100755 index 000000000..a19d5cedf --- /dev/null +++ b/test/fs/whitelist-dev.exp 
@@ -0,0 +1,47 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --whitelist=/dev/null --debug\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "ls -l /dev | find /dev | wc -l\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "2" +} +after 100 +send -- "exit\r" +sleep 1 + +send -- "firejail --whitelist=/var/tmp --debug\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "ls -l /dev | find /dev | wc -l\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "2" +} +after 100 +send -- "exit\r" +sleep 1 + + + + +after 100 +puts "\nall done\n" + diff --git a/test/fs/whitelist.exp b/test/fs/whitelist.exp index 9a9a0f353..9b631b884 100755 --- a/test/fs/whitelist.exp +++ b/test/fs/whitelist.exp @@ -36,7 +36,7 @@ after 200 send -- "ln -s ~/fjtest-dir ~/fjtest-dir-lnk\r" after 200 -send -- "firejail --whitelist=~/fjtest-file --whitelist=~/fjtest-dir\r" +send -- "firejail --whitelist=~/fjtest-file --whitelist=~/fjtest-dir --debug\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "Child process initialized" @@ -49,19 +49,19 @@ expect { "2" } -send -- "cat fjtest-file\r" +send -- "cat ~/fjtest-file\r" expect { timeout {puts "TESTING ERROR 2\n";exit} "123" } -send -- "cat fjtest-dir/fjtest-file\r" +send -- "cat ~/fjtest-dir/fjtest-file\r" expect { timeout {puts "TESTING ERROR 3\n";exit} "123" } -send -- "cat fjtest-dir/fjtest-dir/fjtest-file\r" +send -- "cat ~/fjtest-dir/fjtest-dir/fjtest-file\r" expect { timeout {puts "TESTING ERROR 4\n";exit} "123" @@ -86,7 +86,7 @@ expect { "1" } -send -- "cat fjtest-dir/fjtest-dir/fjtest-file\r" +send -- "cat ~/fjtest-dir/fjtest-dir/fjtest-file\r" expect { timeout {puts "TESTING ERROR 12\n";exit} "123" 
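Review bot: The second block of test/fs/whitelist-dev.exp starts `firejail --whitelist=/var/tmp` but then repeats the /dev check (`ls -l /dev | find /dev | wc -l`), so the /var whitelist is never exercised. Count under /var there instead, e.g. `send -- "find /var | wc -l\r"` with the matching expected value. Both blocks also reuse the labels TESTING ERROR 0 and TESTING ERROR 1, and the bare pattern `"2"` matches any output containing that digit. Distinct labels and a stricter pattern would make a failure attributable.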
@@ -111,37 +111,37 @@ expect { "4" } -send -- "cat fjtest-file\r" +send -- "cat ~/fjtest-file\r" expect { timeout {puts "TESTING ERROR 22\n";exit} "123" } -send -- "cat fjtest-dir/fjtest-file\r" +send -- "cat ~/fjtest-dir/fjtest-file\r" expect { timeout {puts "TESTING ERROR 23\n";exit} "123" } -send -- "cat fjtest-dir/fjtest-dir/fjtest-file\r" +send -- "cat ~/fjtest-dir/fjtest-dir/fjtest-file\r" expect { timeout {puts "TESTING ERROR 24\n";exit} "123" } -send -- "cat fjtest-file-lnk\r" +send -- "cat ~/fjtest-file-lnk\r" expect { timeout {puts "TESTING ERROR 25\n";exit} "123" } -send -- "cat fjtest-dir-lnk/fjtest-file\r" +send -- "cat ~/fjtest-dir-lnk/fjtest-file\r" expect { timeout {puts "TESTING ERROR 26\n";exit} "123" } -send -- "cat fjtest-dir-lnk/fjtest-dir/fjtest-file\r" +send -- "cat ~/fjtest-dir-lnk/fjtest-dir/fjtest-file\r" expect { timeout {puts "TESTING ERROR 27\n";exit} "123" @@ -193,13 +193,13 @@ expect { "2" } -send -- "cat fjtest-file-lnk\r" +send -- "cat ~/fjtest-file-lnk\r" expect { timeout {puts "TESTING ERROR 42\n";exit} "123" } -send -- "cat fjtest-dir-lnk/fjtest-file\r" +send -- "cat ~/fjtest-dir-lnk/fjtest-file\r" expect { timeout {puts "TESTING ERROR 43\n";exit} "123" diff --git a/test/network/ip6.exp b/test/network/ip6.exp index f0fcebcf8..1db16c28a 100755 --- a/test/network/ip6.exp +++ b/test/network/ip6.exp 
@@ -43,6 +43,46 @@ expect { } send -- "exit\r" +sleep 2 + + +send -- "firejail --debug --profile=ip6.profile\r" +expect { + timeout {puts "TESTING ERROR 10\n";exit} + "Installing network filter" +} +expect { + timeout {puts "TESTING ERROR 11\n";exit} + "DROP" +} +expect { + timeout {puts "TESTING ERROR 12\n";exit} + "unable to initialize table 'filter'" {puts "\nTESTING SKIP 2: no IPv6 support\n"; exit} + "2001:db8:1f0a:3ec::2" +} +expect { + timeout {puts "TESTING ERROR 13\n";exit} + "Child process initialized" +} +sleep 2 + +send -- "/sbin/ifconfig\r" +expect { + timeout {puts "TESTING ERROR 14\n";exit} + "inet6" +} +expect { + timeout {puts "TESTING ERROR 15\n";exit} + "2001:db8:0:f101::1" +} +expect { + timeout {puts "TESTING ERROR 16\n";exit} + "Scope:Global" { puts "Debian\n"} + "scopeid 0x0" { puts "Arch\n"} +} + +send -- "exit\r" + after 100 puts "\nall done\n" diff --git a/test/network/ip6.profile b/test/network/ip6.profile new file mode 100644 index 000000000..87afa3941 --- /dev/null +++ b/test/network/ip6.profile @@ -0,0 +1,3 @@ +net br0 +ip6 2001:0db8:0:f101::1/64 +netfilter6 ipv6.net diff --git a/test/network/iprange.exp b/test/network/iprange.exp new file mode 100755 index 000000000..a1b2ccab4 --- /dev/null +++ b/test/network/iprange.exp 
@@ -0,0 +1,103 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --net=br1 --iprange=10.10.30.50,10.10.30.55\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "eth0" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "10.10.30.50" {puts "10.10.30.50\n"} + "10.10.30.51" {puts "10.10.30.51\n"} + "10.10.30.52" {puts "10.10.30.52\n"} + "10.10.30.53" {puts "10.10.30.53\n"} + "10.10.30.54" {puts "10.10.30.54\n"} + "10.10.30.55" {puts "10.10.30.55\n"} +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "255.255.255.0" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "Child process initialized" +} +sleep 1 +send -- "exit\r" +sleep 2 + +send -- "firejail --profile=iprange.profile\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "eth0" +} +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "10.10.30.50" {puts "10.10.30.50\n"} + "10.10.30.51" {puts "10.10.30.51\n"} + "10.10.30.52" {puts "10.10.30.52\n"} + "10.10.30.53" {puts "10.10.30.53\n"} + "10.10.30.54" {puts "10.10.30.54\n"} + "10.10.30.55" {puts "10.10.30.55\n"} +} +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "255.255.255.0" +} +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "Child process initialized" +} +sleep 1 +send -- "exit\r" +sleep 2 + + + +send -- "firejail --iprange=10.10.30.50,10.10.30.55\r" +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "no network device configured" +} +after 100 + +send -- "firejail --net=br1 --iprange=10.10.30.50,10.10.30.55 --iprange=10.10.30.50,10.10.30.55\r" +expect { + timeout {puts "TESTING ERROR 10\n";exit} + "cannot configure the IP range twice for the same interface" +} +after 100 + +send -- "firejail --net=br1 --iprange=10.10.30.50\r" +expect { + timeout {puts "TESTING ERROR 11\n";exit} + "invalid IP range" +} +after 100 + +send -- "firejail --net=br0 
--iprange=10.10.30.50,10.10.30.55\r" +expect { + timeout {puts "TESTING ERROR 12\n";exit} + "IP range addresses not in network range" +} +after 100 + +send -- "firejail --net=br1 --iprange=10.10.30.55,10.10.30.50\r" +expect { + timeout {puts "TESTING ERROR 12\n";exit} + "invalid IP range" +} +after 100 + + +after 100 + +puts "\nall done\n" + diff --git a/test/network/iprange.profile b/test/network/iprange.profile new file mode 100644 index 000000000..ecc01cd93 --- /dev/null +++ b/test/network/iprange.profile @@ -0,0 +1,2 @@ +net br1 +iprange 10.10.30.50,10.10.30.55 diff --git a/test/network/network.sh b/test/network/network.sh index e1646d64a..bea5dfb26 100755 --- a/test/network/network.sh +++ b/test/network/network.sh @@ -78,6 +78,12 @@ echo "TESTING: veth (net_veth.exp)" echo "TESTING: netfilter (net_netfilter.exp)" ./net_netfilter.exp +echo "TESTING: iprange (iprange.exp)" +./iprange.exp + +echo "TESTING: veth-name (veth-name.exp)" +./veth-name.exp + echo "TESTING: 4 bridges ARP (4bridges_arp.exp)" ./4bridges_arp.exp diff --git a/test/network/veth-name.exp b/test/network/veth-name.exp new file mode 100755 index 000000000..36ed41d92 --- /dev/null +++ b/test/network/veth-name.exp 
@@ -0,0 +1,77 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +# +send -- "firejail --net=br1 --ip=10.10.30.50 --veth-name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "eth0" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "10.10.30.50" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "255.255.255.0" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "ip link show\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "blablabla" +} +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "master br1 state UP" +} +sleep 1 + + +send -- "firejail --profile=veth-name.profile\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "eth0" +} +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "10.10.60.51" +} +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "255.255.255.0" +} +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "ip link show\r" +expect { + timeout {puts "TESTING ERROR 10\n";exit} + "bingo" +} +expect { + timeout {puts "TESTING ERROR 11\n";exit} + "master br4 state UP" +} +sleep 1 + + +after 100 +puts "\nall done\n" + diff --git a/test/network/veth-name.profile b/test/network/veth-name.profile new file mode 100644 index 000000000..f00a74d63 --- /dev/null +++ b/test/network/veth-name.profile @@ -0,0 +1,3 @@ +net br4 +ip 10.10.60.51 +veth-name bingo diff --git a/test/root/root.sh b/test/root/root.sh index 494bd4fe7..01c372f68 100755 --- a/test/root/root.sh +++ b/test/root/root.sh 
@@ -53,6 +53,9 @@ fi echo "TESTING: fs private (test/root/private.exp)" ./private.exp +echo "TESTING: fs whitelist mnt, opt, media(test/root/whitelist-mnt.exp)" +./whitelist-mnt.exp + #******************************** # seccomp #******************************** diff --git a/test/root/whitelist-mnt.exp b/test/root/whitelist-mnt.exp new file mode 100755 index 000000000..58ae4fffc --- /dev/null +++ b/test/root/whitelist-mnt.exp 
@@ -0,0 +1,86 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "touch /mnt/firejail-test-file\r" +after 100 +send -- "firejail --whitelist=/mnt/firejail-test-file --debug\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "find /mnt | wc -l\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "2" +} +after 100 +send -- "exit\r" +sleep 1 + + +send -- "touch /opt/firejail-test-file\r" +after 100 +send -- "firejail --whitelist=/opt/firejail-test-file --debug\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "find /opt | wc -l\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "2" +} +after 100 +send -- "exit\r" +sleep 1 + +send -- "touch /media/firejail-test-file\r" +after 100 +send -- "firejail --whitelist=/media/firejail-test-file --debug\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "find /media | wc -l\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "2" +} +after 100 +send -- "exit\r" +sleep 1 + + +send -- "firejail --whitelist=/var/run --whitelist=/var/lock --debug\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "find /var | wc -l\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "" +} +after 100 +send -- "exit\r" +sleep 1 + + + +after 100 +puts "\nall done\n" + -- cgit v1.2.3-70-g09d2 From 422ab86d878bbc285d538703f6a7cc1a03ee4eae Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 29 Nov 2016 11:17:34 -0500 Subject: xpra fix --- etc/disable-common.inc | 2 +- src/firecfg/firecfg.config | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index f18b0d396..bc2f6869d 100644 --- a/etc/disable-common.inc 
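Review bot: The last case's `expect` after `find /var | wc -l` uses the empty pattern `""`, which should match immediately whatever the shell prints, so the `--whitelist=/var/run --whitelist=/var/lock` case asserts nothing about what is visible under /var. Replace it with the count the sandbox is expected to show, anchored so it cannot match inside a larger number. Every case in the file also reuses `TESTING ERROR 0` and `TESTING ERROR 1`; unique numbers would tell the reader which whitelist failed. The script creates files under /mnt, /opt and /media as root and never removes them, so a cleanup step at the end would keep the test run from leaving residue on the host.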
+++ b/etc/disable-common.inc @@ -24,7 +24,7 @@ blacklist ${HOME}/.config/openbox/autostart blacklist ${HOME}/.config/openbox/environment blacklist ${HOME}/.gnomerc blacklist /etc/X11/Xsession.d/ -blacklist ${HOME}/.xpra +# blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs # VirtualBox blacklist ${HOME}/.VirtualBox diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 40dda07ff..47ba677fd 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -201,7 +201,6 @@ ssh tracker xiphos xed -xpra # weather/climate aweather -- cgit v1.2.3-70-g09d2 From 5dd8b1f19e71534643ec560113f8c005a8ac2db2 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 29 Nov 2016 11:23:33 -0500 Subject: quiet fix --- etc/file.profile | 2 +- etc/git.profile | 2 +- etc/gzip.profile | 2 +- etc/strings.profile | 2 +- etc/tar.profile | 2 +- etc/unrar.profile | 2 +- etc/unzip.profile | 2 +- etc/uudeview.profile | 2 +- etc/xzdec.profile | 2 +- src/firejail/run_symlink.c | 2 -- 10 files changed, 9 insertions(+), 11 deletions(-) diff --git a/etc/file.profile b/etc/file.profile index f709e7f0c..d145fe12a 100644 --- a/etc/file.profile +++ b/etc/file.profile @@ -1,4 +1,5 @@ # file profile +quiet include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc @@ -16,7 +17,6 @@ protocol unix seccomp shell none tracelog -quiet x11 none blacklist /tmp/.X11-unix diff --git a/etc/git.profile b/etc/git.profile index edb59ce13..d60e58c03 100644 --- a/etc/git.profile +++ b/etc/git.profile @@ -1,4 +1,5 @@ # git profile +quiet noblacklist ~/.gitconfig noblacklist ~/.ssh noblacklist ~/.gnupg @@ -19,7 +20,6 @@ nonewprivs noroot nosound protocol unix,inet,inet6 -quiet seccomp shell none diff --git a/etc/gzip.profile b/etc/gzip.profile index d51b9a951..feb27c150 100644 --- a/etc/gzip.profile +++ b/etc/gzip.profile 
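Review bot: Commenting out `blacklist ${HOME}/.xpra` makes ~/.xpra visible to every profile that includes disable-common.inc, not only to sandboxes started with `--x11=xpra`. That directory presumably holds xpra's per-user sockets and logs, so programs that never use xpra would also be able to reach them. A narrower fix would keep the blacklist as the default and lift it only on the xpra path, for example with a `noblacklist ${HOME}/.xpra` applied when `--x11=xpra` is in effect; whether the x11 code can inject that is not visible in this hunk.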
@@ -1,4 +1,5 @@ # gzip profile +quiet ignore noroot include /etc/firejail/default.profile @@ -7,7 +8,6 @@ blacklist /tmp/.X11-unix net none no3d nosound -quiet shell none tracelog diff --git a/etc/strings.profile b/etc/strings.profile index 7c464bf88..2b7724b11 100644 --- a/etc/strings.profile +++ b/etc/strings.profile @@ -1,10 +1,10 @@ # strings profile +quiet ignore noroot include /etc/firejail/default.profile net none nosound -quiet shell none tracelog diff --git a/etc/tar.profile b/etc/tar.profile index 91fdaf48d..3addb02fb 100644 --- a/etc/tar.profile +++ b/etc/tar.profile @@ -1,4 +1,5 @@ # tar profile +quiet ignore noroot include /etc/firejail/default.profile @@ -8,7 +9,6 @@ hostname tar net none no3d nosound -quiet shell none tracelog diff --git a/etc/unrar.profile b/etc/unrar.profile index 0700cafe9..bde6f4e22 100644 --- a/etc/unrar.profile +++ b/etc/unrar.profile @@ -1,4 +1,5 @@ # unrar profile +quiet ignore noroot include /etc/firejail/default.profile @@ -8,7 +9,6 @@ hostname unrar net none no3d nosound -quiet shell none tracelog diff --git a/etc/unzip.profile b/etc/unzip.profile index a43785795..8c10d11a0 100644 --- a/etc/unzip.profile +++ b/etc/unzip.profile @@ -1,4 +1,5 @@ # unzip profile +quiet ignore noroot include /etc/firejail/default.profile blacklist /tmp/.X11-unix @@ -7,7 +8,6 @@ hostname unzip net none no3d nosound -quiet shell none tracelog diff --git a/etc/uudeview.profile b/etc/uudeview.profile index 5ba0896ab..d5b750a13 100644 --- a/etc/uudeview.profile +++ b/etc/uudeview.profile @@ -1,4 +1,5 @@ # uudeview profile +quiet ignore noroot include /etc/firejail/default.profile @@ -7,7 +8,6 @@ blacklist /etc hostname uudeview net none nosound -quiet shell none tracelog diff --git a/etc/xzdec.profile b/etc/xzdec.profile index 04f98cef6..6164e3200 100644 --- a/etc/xzdec.profile +++ b/etc/xzdec.profile @@ -1,4 +1,5 @@ # xzdec profile +quiet ignore noroot include /etc/firejail/default.profile 
@@ -7,7 +8,6 @@ blacklist /tmp/.X11-unix net none no3d nosound -quiet shell none tracelog diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c index a4dce405d..753c50208 100644 --- a/src/firejail/run_symlink.c +++ b/src/firejail/run_symlink.c @@ -90,8 +90,6 @@ void run_symlink(int argc, char **argv) { if (asprintf(&firejail, "%s/bin/firejail", PREFIX) == -1) errExit("asprintf"); - printf("Redirecting symlink to %s\n", program); - // drop privileges if (setgid(getgid()) < 0) errExit("setgid/getgid"); -- cgit v1.2.3-70-g09d2 From a439e16ac082c9fcaef9bce4fa20db1393963fdf Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 29 Nov 2016 13:22:18 -0500 Subject: netfilter fixes --- src/firejail/netfilter.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c index ed411313a..9e759ec70 100644 --- a/src/firejail/netfilter.c +++ b/src/firejail/netfilter.c @@ -95,7 +95,10 @@ void netfilter(const char *fname) { // push filter if (arg_debug) printf("Installing network filter:\n%s\n", filter); - sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP | SBOX_STDIN_FROM_FILE, 1, iptables_restore); + + // first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter + // we run this command with caps and seccomp disabled in order to allow the loading of these modules + sbox_run(SBOX_ROOT /* | SBOX_CAPS_NETWORK | SBOX_SECCOMP*/ | SBOX_STDIN_FROM_FILE, 1, iptables_restore); unlink(SBOX_STDIN_FILE); // debug 
@@ -141,7 +144,10 @@ void netfilter6(const char *fname) { // push filter if (arg_debug) printf("Installing network filter:\n%s\n", filter); - sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP | SBOX_STDIN_FROM_FILE, 1, ip6tables_restore); + + // first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter + // we run this command with caps and seccomp disabled in order to allow the loading of these modules + sbox_run(SBOX_ROOT | /* SBOX_CAPS_NETWORK | SBOX_SECCOMP | */ SBOX_STDIN_FROM_FILE, 1, ip6tables_restore); unlink(SBOX_STDIN_FILE); // debug -- cgit v1.2.3-70-g09d2 From 1a944eae59bf61c6f59be0f10e1865749842d38e Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 29 Nov 2016 14:29:20 -0500 Subject: fixes --- etc/wget.profile | 1 + src/firecfg/firecfg.config | 17 ----------------- 2 files changed, 1 insertion(+), 17 deletions(-) diff --git a/etc/wget.profile b/etc/wget.profile index ad2b03b33..d9bca2acc 100644 --- a/etc/wget.profile +++ b/etc/wget.profile @@ -1,4 +1,5 @@ # wget profile +quiet include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 47ba677fd..369abdc20 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -17,7 +17,6 @@ transmission-qt transmission-cli transmission-show uget-gtk -wget # browsers/email abrowser @@ -187,17 +186,11 @@ atom atom-beta gpa gpg -# don't run ssh-agent and gpg-agent with firejail by default -# this will break many processes using them in the background -# ssh-agent -# gpg-agent -git ranger keepass keepass2 keepassx pluma -ssh tracker xiphos xed @@ -211,13 +204,3 @@ ark atool file-roller -# when used by other processes in the background, it will break stuff -#7z -#cpio -#gtar -#gzip -#tar -#unrar -#unzip -#xz -#xzdec -- cgit v1.2.3-70-g09d2 
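Review bot: Commenting out `SBOX_CAPS_NETWORK | SBOX_SECCOMP` in the `sbox_run()` call in `netfilter()` means `iptables_restore` presumably runs as root with no capability restriction and no syscall filter on every invocation, not only on the first run that has to load kernel modules; the `ip6tables_restore` call in `netfilter6()` gets the same change. The filter text fed to it appears to come from the file named by `fname`, so the helper's input is not fixed. If module loading is the only step that needs the wider privilege, consider doing it separately and keeping the restricted flags for the restore itself, or re-enabling whichever of the two flags does not block module loading. The disabled flags are also left inside the expression as `/* ... */` fragments, written differently in the two calls; remove them and state the trade-off in the comment above, e.g. `// runs with full root capabilities and no seccomp filter so that the first run can load ip_tables/x_tables`. Both function bodies continue outside the hunks.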
From 09bd0623dd8b07083f58df97ba1a035465968001 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 29 Nov 2016 18:01:29 -0500 Subject: testing --- test/environment/dns.exp | 4 ---- test/root/whitelist-mnt.exp | 19 +++++++++++++++++++ 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/test/environment/dns.exp b/test/environment/dns.exp index d00e9fb94..3e2a0ffd4 100755 --- a/test/environment/dns.exp +++ b/test/environment/dns.exp @@ -54,10 +54,6 @@ send -- "exit\r" sleep 1 send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r" -expect { - timeout {puts "TESTING ERROR 1.1\n";exit} - "Child process initialized" -} expect { timeout {puts "TESTING ERROR 1.2\n";exit} "connect" diff --git a/test/root/whitelist-mnt.exp b/test/root/whitelist-mnt.exp index 58ae4fffc..a21446afe 100755 --- a/test/root/whitelist-mnt.exp +++ b/test/root/whitelist-mnt.exp @@ -79,6 +79,25 @@ after 100 send -- "exit\r" sleep 1 +send -- "touch /srv/firejail-test-file\r" +after 100 +send -- "firejail --whitelist=/srv/firejail-test-file --debug\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "find /srv | wc -l\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "2" +} +after 100 +send -- "exit\r" +sleep 1 + + after 100 -- cgit v1.2.3-70-g09d2 From 84fa03cd77b0afcdee5cc6816596ab5c8a633185 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Tue, 29 Nov 2016 21:38:09 -0500 Subject: private-opt and private-srv --- src/firejail/firejail.h | 8 ++- src/firejail/fs_etc.c | 34 +++++++------ src/firejail/main.c | 20 ++++++++ src/firejail/profile.c | 16 ++++++ src/firejail/sandbox.c | 22 ++++++++- test/root/private.exp | 57 +++++++++++++++++++++ test/root/root.sh | 4 +- test/root/whitelist-mnt.exp | 105 --------------------------------------- test/root/whitelist.exp | 118 ++++++++++++++++++++++++++++++++++++++++++++ 9 files changed, 260 insertions(+), 124 deletions(-) delete mode 100755 test/root/whitelist-mnt.exp create mode 100755 test/root/whitelist.exp diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 61de17bf8..d172efce1 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -43,6 +43,8 @@ #define RUN_PROTOCOL_CFG "/run/firejail/mnt/protocol" #define RUN_HOME_DIR "/run/firejail/mnt/home" #define RUN_ETC_DIR "/run/firejail/mnt/etc" +#define RUN_OPT_DIR "/run/firejail/mnt/opt" +#define RUN_SRV_DIR "/run/firejail/mnt/srv" #define RUN_BIN_DIR "/run/firejail/mnt/bin" #define RUN_PULSE_DIR "/run/firejail/mnt/pulse" @@ -200,6 +202,8 @@ typedef struct config_t { char *home_private; // private home directory char *home_private_keep; // keep list for private home directory char *etc_private_keep; // keep list for private etc directory + char *opt_private_keep; // keep list for private opt directory + char *srv_private_keep; // keep list for private srv directory char *bin_private_keep; // keep list for private bin directory char *cwd; // current working directory char *overlay_dir; 
@@ -315,6 +319,8 @@ extern int arg_doubledash; // double dash extern int arg_shell_none; // run the program directly without a shell extern int arg_private_dev; // private dev directory extern int arg_private_etc; // private etc directory +extern int arg_private_opt; // private opt directory +extern int arg_private_srv; // private srv directory extern int arg_private_bin; // private bin directory extern int arg_private_tmp; // private tmp directory extern int arg_scan; // arp-scan all interfaces @@ -556,7 +562,7 @@ void network_del_run_file(pid_t pid); void network_set_run_file(pid_t pid); // fs_etc.c -void fs_private_etc_list(void); +void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list); // no_sandbox.c int check_namespace_virt(void); diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index 80329d5ba..9a28ac601 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c @@ -47,7 +47,7 @@ errexit: exit(1); } -static void duplicate(char *fname) { +static void duplicate(const char *fname, const char *private_dir, const char *private_run_dir) { if (*fname == '~' || *fname == '/' || strstr(fname, "..")) { fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname); exit(1); 
@@ -55,40 +55,44 @@ static void duplicate(char *fname) { invalid_filename(fname); char *src; - if (asprintf(&src, "/etc/%s", fname) == -1) + if (asprintf(&src, "%s/%s", private_dir, fname) == -1) errExit("asprintf"); if (check_dir_or_file(src) == 0) { if (!arg_quiet) - fprintf(stderr, "Warning: skipping %s for private bin\n", fname); + fprintf(stderr, "Warning: skipping %s for private %s\n", fname, private_dir); free(src); return; } + if (arg_debug) + printf("copying %s to private %s\n", src, private_dir); + struct stat s; if (stat(src, &s) == 0 && S_ISDIR(s.st_mode)) { // create the directory in RUN_ETC_DIR char *dirname; - if (asprintf(&dirname, "%s/%s", RUN_ETC_DIR, fname) == -1) + if (asprintf(&dirname, "%s/%s", private_run_dir, fname) == -1) errExit("asprintf"); create_empty_dir_as_root(dirname, s.st_mode); sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, dirname); free(dirname); } else - sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, RUN_ETC_DIR); + sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, private_run_dir); fs_logger2("clone", src); free(src); } -void fs_private_etc_list(void) { - char *private_list = cfg.etc_private_keep; +void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list) { + assert(private_dir); + assert(private_run_dir); assert(private_list); // create /run/firejail/mnt/etc directory - mkdir_attr(RUN_ETC_DIR, 0755, 0, 0); - fs_logger("tmpfs /etc"); + mkdir_attr(private_run_dir, 0755, 0, 0); + fs_logger2("tmpfs", private_dir); fs_logger_print(); // save the current log @@ -97,7 +101,7 @@ void fs_private_etc_list(void) { // using a new child process with root privileges if (*private_list != '\0') { if (arg_debug) - printf("Copying files in the new etc directory:\n"); + printf("Copying files in the new %s directory:\n", private_dir); // copy the list of files in the new home directory char *dlist = strdup(private_list); 
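Review bot: The generalised `duplicate()` and `fs_private_dir_list()` still carry /etc-specific comments: `// create the directory in RUN_ETC_DIR` should read `// create the directory in private_run_dir`, and `// create /run/firejail/mnt/etc directory` should become `// create the private run directory, e.g. /run/firejail/mnt/etc`. Separately, `check_dir_or_file(src)` and `stat(src, &s)` resolve `src` before the root-run `PATH_FCOPY` copies it, and with `private_dir` now able to be /opt or /srv the source tree is not necessarily root-owned the way /etc normally is. It is worth confirming that the copy helper, which is not visible here, does not follow a symlink that changes between the check and the copy. Both functions extend beyond this hunk.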
@@ -106,18 +110,18 @@ void fs_private_etc_list(void) { char *ptr = strtok(dlist, ","); - duplicate(ptr); + duplicate(ptr, private_dir, private_run_dir); while ((ptr = strtok(NULL, ",")) != NULL) - duplicate(ptr); + duplicate(ptr, private_dir, private_run_dir); free(dlist); fs_logger_print(); } if (arg_debug) - printf("Mount-bind %s on top of /etc\n", RUN_ETC_DIR); - if (mount(RUN_ETC_DIR, "/etc", NULL, MS_BIND|MS_REC, NULL) < 0) + printf("Mount-bind %s on top of %s\n", private_run_dir, private_dir); + if (mount(private_run_dir, private_dir, NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind"); - fs_logger("mount /etc"); + fs_logger2("mount", private_dir); } diff --git a/src/firejail/main.c b/src/firejail/main.c index 0929347b7..4ccbb6a86 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -88,6 +88,8 @@ int arg_doubledash = 0; // double dash int arg_shell_none = 0; // run the program directly without a shell int arg_private_dev = 0; // private dev directory int arg_private_etc = 0; // private etc directory +int arg_private_opt = 0; // private opt directory +int arg_private_srv = 0; // private srv directory int arg_private_bin = 0; // private bin directory int arg_private_tmp = 0; // private tmp directory int arg_scan = 0; // arp-scan all interfaces 
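Review bot: `duplicate(ptr, private_dir, private_run_dir);` is called with the first `strtok()` result unchecked, so a keep list consisting only of commas, which passes the `*private_list != '\0'` test, hands `duplicate()` a NULL `fname` that it dereferences at `*fname == '~'`. The pattern predates this commit for private-etc, but the hunk now extends it to /opt and /srv. Folding both calls into one loop avoids it: `char *ptr = strtok(dlist, ",");` followed by `while (ptr) { duplicate(ptr, private_dir, private_run_dir); ptr = strtok(NULL, ","); }`. `fs_private_dir_list()` starts before this hunk.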
@@ -1624,6 +1626,24 @@ int main(int argc, char **argv) { } arg_private_etc = 1; } + else if (strncmp(argv[i], "--private-opt=", 14) == 0) { + // extract private opt list + cfg.opt_private_keep = argv[i] + 14; + if (*cfg.opt_private_keep == '\0') { + fprintf(stderr, "Error: invalid private-opt option\n"); + exit(1); + } + arg_private_opt = 1; + } + else if (strncmp(argv[i], "--private-srv=", 14) == 0) { + // extract private srv list + cfg.srv_private_keep = argv[i] + 14; + if (*cfg.srv_private_keep == '\0') { + fprintf(stderr, "Error: invalid private-etc option\n"); + exit(1); + } + arg_private_srv = 1; + } else if (strncmp(argv[i], "--private-bin=", 14) == 0) { // extract private bin list cfg.bin_private_keep = argv[i] + 14; diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 9acb1b813..2be6948f0 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -739,6 +739,22 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { return 0; } + // private /opt list of files and directories + if (strncmp(ptr, "private-opt ", 12) == 0) { + cfg.opt_private_keep = ptr + 12; + arg_private_opt = 1; + + return 0; + } + + // private /srv list of files and directories + if (strncmp(ptr, "private-srv ", 12) == 0) { + cfg.srv_private_keep = ptr + 12; + arg_private_srv = 1; + + return 0; + } + // private /bin list of files if (strncmp(ptr, "private-bin ", 12) == 0) { cfg.bin_private_keep = ptr + 12; diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 0a6777fef..68b8f554d 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c 
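Review bot: The `--private-srv=` branch reports an empty list as `Error: invalid private-etc option`, copied from the branch above it; the line should read `fprintf(stderr, "Error: invalid private-srv option\n");`. The `private-opt ` and `private-srv ` handlers added to `profile_check_line()` in profile.c on this same line accept an empty list without the equivalent check, so the command-line and profile entry points behave differently for the same input. `main()` and `profile_check_line()` both continue outside their hunks.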
@@ -671,13 +671,33 @@ int sandbox(void* sandbox_arg) { else if (arg_overlay) fprintf(stderr, "Warning: private-etc feature is disabled in overlay\n"); else { - fs_private_etc_list(); + fs_private_dir_list("/etc", RUN_ETC_DIR, cfg.etc_private_keep); // create /etc/ld.so.preload file again if (arg_trace || arg_tracelog || mask_x11_abstract_socket) fs_trace_preload(); } } + if (arg_private_opt) { + if (cfg.chrootdir) + fprintf(stderr, "Warning: private-opt feature is disabled in chroot\n"); + else if (arg_overlay) + fprintf(stderr, "Warning: private-opt feature is disabled in overlay\n"); + else { + fs_private_dir_list("/opt", RUN_OPT_DIR, cfg.opt_private_keep); + } + } + + if (arg_private_srv) { + if (cfg.chrootdir) + fprintf(stderr, "Warning: private-srv feature is disabled in chroot\n"); + else if (arg_overlay) + fprintf(stderr, "Warning: private-srv feature is disabled in overlay\n"); + else { + fs_private_dir_list("/srv", RUN_SRV_DIR, cfg.srv_private_keep); + } + } + if (arg_private_bin) { if (cfg.chrootdir) fprintf(stderr, "Warning: private-bin feature is disabled in chroot\n"); diff --git a/test/root/private.exp b/test/root/private.exp index 4040081ee..9ce9716f9 100755 --- a/test/root/private.exp +++ b/test/root/private.exp 
@@ -29,5 +29,62 @@ expect { after 100 send -- "exit\r" +sleep 1 + + + +send -- "touch /opt/firejail-test-file\r" +after 100 +send -- "mkdir /opt/firejail-test-dir\r" +after 100 +send -- "touch /opt/firejail-test-dir/firejail-test-file\r" +after 100 +send -- "firejail --private-opt=firejail-test-file,firejail-test-dir --debug\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "find /opt | wc -l\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "4" +} +after 100 +send -- "exit\r" +sleep 1 + + +send -- "touch /srv/firejail-test-file\r" +after 100 +send -- "mkdir /srv/firejail-test-dir\r" +after 100 +send -- "touch /srv/firejail-test-dir/firejail-test-file\r" after 100 +send -- "firejail --private-srv=firejail-test-file,firejail-test-dir --debug\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "find /srv | wc -l\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "4" +} +after 100 +send -- "exit\r" +sleep 1 + + + + + + + + + + puts "\nall done\n" diff --git a/test/root/root.sh b/test/root/root.sh index 01c372f68..371bccdff 100755 --- a/test/root/root.sh +++ b/test/root/root.sh @@ -53,8 +53,8 @@ fi echo "TESTING: fs private (test/root/private.exp)" ./private.exp -echo "TESTING: fs whitelist mnt, opt, media(test/root/whitelist-mnt.exp)" -./whitelist-mnt.exp +echo "TESTING: fs whitelist mnt, opt, media (test/root/whitelist-mnt.exp)" +./whitelist.exp #******************************** # seccomp diff --git a/test/root/whitelist-mnt.exp b/test/root/whitelist-mnt.exp deleted file mode 100755 index a21446afe..000000000 --- a/test/root/whitelist-mnt.exp +++ /dev/null 
@@ -1,105 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors -# License GPL v2 - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "touch /mnt/firejail-test-file\r" -after 100 -send -- "firejail --whitelist=/mnt/firejail-test-file --debug\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "find /mnt | wc -l\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "2" -} -after 100 -send -- "exit\r" -sleep 1 - - -send -- "touch /opt/firejail-test-file\r" -after 100 -send -- "firejail --whitelist=/opt/firejail-test-file --debug\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "find /opt | wc -l\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "2" -} -after 100 -send -- "exit\r" -sleep 1 - -send -- "touch /media/firejail-test-file\r" -after 100 -send -- "firejail --whitelist=/media/firejail-test-file --debug\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "find /media | wc -l\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "2" -} -after 100 -send -- "exit\r" -sleep 1 - - -send -- "firejail --whitelist=/var/run --whitelist=/var/lock --debug\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "find /var | wc -l\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "" -} -after 100 -send -- "exit\r" -sleep 1 - -send -- "touch /srv/firejail-test-file\r" -after 100 -send -- "firejail --whitelist=/srv/firejail-test-file --debug\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "find /srv | wc -l\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "2" -} -after 100 -send -- "exit\r" -sleep 1 - - - - -after 100 -puts "\nall done\n" - 
diff --git a/test/root/whitelist.exp b/test/root/whitelist.exp
new file mode 100755
index 000000000..f6936c048
--- /dev/null
+++ b/test/root/whitelist.exp
@@ -0,0 +1,118 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "touch /mnt/firejail-test-file\r"
+after 100
+send -- "mkdir /mnt/firejail-test-dir\r"
+after 100
+send -- "touch /mnt/firejail-test-dir/firejail-test-file\r"
+after 100
+send -- "firejail --whitelist=/mnt/firejail-test-file --whitelist=/mnt/firejail-test-dir --debug\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "find /mnt | wc -l\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "4"
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+
+send -- "touch /opt/firejail-test-file\r"
+after 100
+send -- "mkdir /opt/firejail-test-dir\r"
+after 100
+send -- "touch /opt/firejail-test-dir/firejail-test-file\r"
+after 100
+send -- "firejail --whitelist=/opt/firejail-test-file --whitelist=/opt/firejail-test-dir --debug\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "find /opt | wc -l\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "4"
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+send -- "touch /media/firejail-test-file\r"
+after 100
+send -- "mkdir /media/firejail-test-dir\r"
+after 100
+send -- "touch /media/firejail-test-dir/firejail-test-file\r"
+after 100
+send -- "firejail --whitelist=/media/firejail-test-file --whitelist=/media/firejail-test-dir --debug\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "find /media | wc -l\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "4"
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+
+send -- "firejail --whitelist=/var/run --whitelist=/var/lock --debug\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "find /var | wc -l\r"
+expect {
+ timeout {puts "TESTING ERROR 7\n";exit}
+ ""
+}
+after 100 +send -- "exit\r" +sleep 1 + +send -- "touch /srv/firejail-test-file\r" +after 100 +send -- "mkdir /srv/firejail-test-dir\r" +after 100 +send -- "touch /srv/firejail-test-dir/firejail-test-file\r" +after 100 +send -- "firejail --whitelist=/srv/firejail-test-file --whitelist=/srv/firejail-test-dir --debug\r" +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "find /srv | wc -l\r" +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "4" +} +after 100 +send -- "exit\r" + + +after 100 +puts "\nall done\n" + -- cgit v1.2.3-70-g09d2 From 11857ffe069ea49a02a8c3091cc4ad3f2d2b35e1 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 30 Nov 2016 12:28:57 +0100 Subject: gajim fix --- etc/gajim.profile | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/etc/gajim.profile b/etc/gajim.profile index b030a68b4..eb60f858b 100644 --- a/etc/gajim.profile +++ b/etc/gajim.profile @@ -1,4 +1,8 @@ # Firejail profile for Gajim +noblacklist ${HOME}/.cache/gajim +noblacklist ${HOME}/.local/share/gajim +noblacklist ${HOME}/.config/gajim + mkdir ${HOME}/.cache/gajim mkdir ${HOME}/.local/share/gajim mkdir ${HOME}/.config/gajim @@ -29,4 +33,6 @@ seccomp shell none #private-bin python2.7 gajim +#private-etc fonts private-dev +#private-tmp -- cgit v1.2.3-70-g09d2 From 4e623773c55f799526031df470c5f15bf13a454e Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 30 Nov 2016 11:15:26 -0500 Subject: testing --- test/network/net_veth.exp | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/test/network/net_veth.exp b/test/network/net_veth.exp index 89dedcb24..04091047b 100755 --- a/test/network/net_veth.exp +++ b/test/network/net_veth.exp @@ -123,6 +123,18 @@ expect { } sleep 1 send -- "exit\r" +sleep 1 + +send -- "firejail --net=eth0 --ip=10.10.20.1\r" +expect { + timeout {puts "TESTING ERROR 27\n";exit} + "the IP address is not in the interface range" +} + + + + + after 100 -- cgit v1.2.3-70-g09d2 
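Review bot: The `/var` case in the new test/root/whitelist.exp cannot fail: after `find /var | wc -l` the expected pattern is the empty string `""`, which appears to match immediately whatever the sandbox prints, so `TESTING ERROR 7` is effectively unreachable and a regression in `--whitelist=/var/run --whitelist=/var/lock` would pass unnoticed. The other four cases match a bare `"4"`, which also accepts counts such as 14 or 40; a line-bounded pattern along the lines of `-re {\n4\r}` would pin the count, and the `/var` case needs a concrete expected value in the same form. The script also creates `firejail-test-file` and `firejail-test-dir` as root under /mnt, /opt, /media and /srv and never removes them, so a closing cleanup step would keep the test host unchanged between runs.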
From 301196ee268054c07918fe4bf8edbd2a32542da7 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 30 Nov 2016 12:07:14 -0500 Subject: profiles --- README | 3 +++ README.md | 3 ++- RELNOTES | 6 +++++- platform/debian/conffiles | 12 ++++++++++++ todo | 12 +++++++++++- 5 files changed, 33 insertions(+), 3 deletions(-) diff --git a/README b/README index 5308ab022..a03b1cc9f 100644 --- a/README +++ b/README @@ -95,6 +95,9 @@ valoq (https://github.com/valoq) - added img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, simple-scan profiles - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles - added wget profile +SpotComms (https://github.com/SpotComms) + - added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5 profiles + - added PDFSam, Pithos, and Xonotic profiles Vasya Novikov (https://github.com/vn971) - Wesnoth profile - Hedegewars profile diff --git a/README.md b/README.md index 981582ebf..bb6d3c698 100644 --- a/README.md +++ b/README.md @@ -61,4 +61,5 @@ amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, enchant, exifto gjs, gnome-books, gnome-clocks, gnome-documents, gnome-maps, gnome-music, gnome-photos, gnome-weather, goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, w3m, xfburn, xpra, wget, -xed, pluma, Cryptocat +xed, pluma, Cryptocat Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5, +PDFSam, Pithos, Xonotic diff --git a/RELNOTES b/RELNOTES index d20326121..3ccd51ce7 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -9,9 +9,13 @@ firejail (0.9.45) baseline; urgency=low * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm) * feature: AppImage type 2 support * feature: test coverage (gcov) support + * feature: private /opt directory (--private-opt, profile support) + * feature: private /srv directory (--private-srv, profile support) * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, - * new profiles: Cryptocat + * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, + * new profiles: Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos, + * new profies: Xonotic * bugfixes -- netblue30 Sun, 23 Oct 2016 08:00:00 -0500 diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 4dcbc28f6..551e7ad36 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -223,3 +223,15 @@ /etc/firejail/zathura.profile /etc/firejail/zoom.profile /etc/firejail/wget.profile +/etc/firejail/bless.profile +/etc/firejail/gnome-2048.profile +/etc/firejail/gnome-calculator.profile +/etc/firejail/gnome-contacts.profile +/etc/firejail/jd-gui.profile +/etc/firejail/lollypop.profile +/etc/firejail/multimc5.profile +/etc/firejail/pdfsam.profile +/etc/firejail/pithos.profile +/etc/firejail/xonotic-glx.profile +/etc/firejail/xonotic-sdl.profile +/etc/firejail/xonotic.profile diff --git a/todo b/todo index 253704fcf..070fb068d 100644 --- a/todo +++ b/todo @@ -286,4 +286,14 @@ removable media, partitions, software RAID volumes, logical volumes, and files. 29. grsecurity - move test after "firejail --name=blablabla" in /test/apps* - +30. +$ sudo firejail --fs.print=test +[sudo] password for netblue: +tmpfs /run/firejail/mnt << ???????????????? +sandbox name: test +sandbox pid: 5790 +sandbox filesystem: local +install mount namespace +read-only /etc +read-only /var +read-only /bin -- cgit v1.2.3-70-g09d2 
From 7c1ed2fb0525cb1f1dcb5e08bf52756b7ac863ed Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 30 Nov 2016 12:59:48 -0500 Subject: private-opt, private-srv --- src/firejail/join.c | 33 ++------------------------------- src/man/firejail-profile.txt | 12 +++++++++++- src/man/firejail.txt | 26 ++++++++++++++++++++++++++ 3 files changed, 39 insertions(+), 32 deletions(-) diff --git a/src/firejail/join.c b/src/firejail/join.c index 628002d35..bcf951f33 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c @@ -285,12 +285,6 @@ void join(pid_t pid, int argc, char **argv, int index) { seccomp_load(RUN_SECCOMP_CFG); #endif - // fix qt 4.8 - if (setenv("QT_X11_NO_MITSHM", "1", 1) < 0) - errExit("setenv"); - if (setenv("container", "firejail", 1) < 0) // LXC sets container=lxc, - errExit("setenv"); - // mount user namespace or drop privileges if (arg_noroot) { // not available for uid 0 if (arg_debug) @@ -307,14 +301,6 @@ void join(pid_t pid, int argc, char **argv, int index) { drop_privs(arg_nogroups); // nogroups not available for uid 0 - // set prompt color to green - char *prompt = getenv("FIREJAIL_PROMPT"); - if (prompt && strcmp(prompt, "yes") == 0) { - //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] ' - if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0) - errExit("setenv"); - } - // set nice if (arg_nice) { errno = 0; 
@@ -326,24 +312,9 @@ void join(pid_t pid, int argc, char **argv, int index) { } } - // run cmdline trough shell + env_defaults(); if (cfg.command_line == NULL) { - // if the sandbox was started with --shell=none, it is possible we don't have a shell - // inside the sandbox - if (cfg.shell == NULL) { - cfg.shell = guess_shell(); - if (!cfg.shell) { - fprintf(stderr, "Error: no POSIX shell found, please use --shell command line option\n"); - exit(1); - } - } - - struct stat s; - if (stat(cfg.shell, &s) == -1) { - fprintf(stderr, "Error: %s shell not found inside the sandbox\n", cfg.shell); - exit(1); - } - + assert(cfg.shell); cfg.command_line = cfg.shell; cfg.window_title = cfg.shell; } diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index d6113218c..007374c75 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -181,7 +181,7 @@ closed. \fBprivate directory Use directory as user home. .TP -\f\private-home file,directory +\fBprivate-home file,directory Build a new user home in a temporary filesystem, and copy the files and directories in the list in the new home. All modifications are discarded when the sandbox is @@ -199,6 +199,16 @@ Build a new /etc in a temporary filesystem, and copy the files and directories in the list. All modifications are discarded when the sandbox is closed. .TP +\fBprivate-opt file,directory +Build a new /optin a temporary +filesystem, and copy the files and directories in the list. +All modifications are discarded when the sandbox is closed. +.TP +\fBprivate-srv file,directory +Build a new /srv in a temporary +filesystem, and copy the files and directories in the list. +All modifications are discarded when the sandbox is closed. +.TP \fBprivate-tmp Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix. .TP diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 8441f25d5..450f30c68 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
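Review bot: `assert(cfg.shell);` in the `cfg.command_line == NULL` branch is weaker than the runtime checks it replaces: a build with `NDEBUG` drops the assert and lets a NULL `cfg.shell` flow into `cfg.command_line` and `cfg.window_title`, and a normal build aborts instead of printing the earlier error. The hunk does not show where `cfg.shell` is now populated on the join path, so this presumably relies on an earlier caller; even so an explicit guard is safer in a setuid program, e.g. `if (!cfg.shell) { fprintf(stderr, "Error: no POSIX shell found, please use --shell command line option\n"); exit(1); }`. The removed `stat(cfg.shell, &s)` check that the shell exists inside the joined sandbox has no visible replacement here either. join()'s body starts and ends outside the hunk.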
@@ -1178,6 +1178,32 @@ $ firejail --private-etc=group,hostname,localtime, \\ .br nsswitch.conf,passwd,resolv.conf +.TP +\fB\-\-private-opt=file,directory +Build a new /opt in a temporary +filesystem, and copy the files and directories in the list. +If no listed file is found, /opt directory will be empty. +All modifications are discarded when the sandbox is closed. +.br + +.br +Example: +.br +$ firejail --private-opt=firefox /opt/firefox/firefox + +.TP +\fB\-\-private-srv=file,directory +Build a new /srv in a temporary +filesystem, and copy the files and directories in the list. +If no listed file is found, /srv directory will be empty. +All modifications are discarded when the sandbox is closed. +.br + +.br +Example: +.br +# firejail --private-srv=www /etc/init.d/apache2 start + .TP \fB\-\-private-tmp Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix. -- cgit v1.2.3-70-g09d2 From fd1ecf1a4155627a20316d462b12dcef8d39e9ae Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 30 Nov 2016 17:23:07 -0500 Subject: private-opt, private-srv --- README.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/README.md b/README.md index bb6d3c698..bafcf6120 100644 --- a/README.md +++ b/README.md 
@@ -54,6 +54,26 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is ## AppImage type 2 support ````` +````` +## New command line options +````` + --private-opt=file,directory + Build a new /opt in a temporary filesystem, and copy the files + and directories in the list. If no listed file is found, /opt + directory will be empty. All modifications are discarded when + the sandbox is closed. + + Example: + $ firejail --private-opt=firefox /opt/firefox/firefox + + --private-srv=file,directory + Build a new /srv in a temporary filesystem, and copy the files + and directories in the list. If no listed file is found, /srv + directory will be empty. All modifications are discarded when + the sandbox is closed. + + Example: + # firejail --private-srv=www /etc/init.d/apache2 start ````` ## New Profiles xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom, Guayadeque, qemu, keypass2, -- cgit v1.2.3-70-g09d2 From abc77414d8e1f864db6af55d46629f1e9f301f61 Mon Sep 17 00:00:00 2001 From: valoq Date: Thu, 1 Dec 2016 12:09:19 +0100 Subject: blacklisted various program files --- etc/disable-common.inc | 1 + etc/disable-passwdmgr.inc | 3 +++ etc/disable-programs.inc | 34 +++++++++++++++++++++++++++++++++- etc/evince.profile | 2 ++ etc/gnome-chess.profile | 2 +- 5 files changed, 40 insertions(+), 2 deletions(-) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index bc2f6869d..8886a0bc3 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -194,6 +194,7 @@ blacklist ${PATH}/roxterm-config blacklist ${PATH}/terminix blacklist ${PATH}/urxvtc blacklist ${PATH}/urxvtcd +blacklist ${PATH}/konsole # kernel files blacklist /vmlinuz* diff --git a/etc/disable-passwdmgr.inc b/etc/disable-passwdmgr.inc index 6db9073ab..045b4d92b 100644 --- a/etc/disable-passwdmgr.inc +++ b/etc/disable-passwdmgr.inc 
@@ -1,7 +1,10 @@ blacklist ${HOME}/.pki/nssdb blacklist ${HOME}/.lastpass blacklist ${HOME}/.keepassx +blacklist ${HOME}/.keepass blacklist ${HOME}/.password-store blacklist ${HOME}/keepassx.kdbx blacklist ${HOME}/.config/keepassx +blacklist ${HOME}/.config/keepass +blacklist ${HOME}/.config/KeePass diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 76a4c4607..f87053b7c 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -44,7 +44,27 @@ blacklist ${HOME}/.openshot_qt blacklist ${HOME}/.flowblade blacklist ${HOME}/.config/flowblade blacklist ${HOME}/.config/eog - +blacklist ${HOME}/.config/arkrc +blacklist ${HOME}/.config/atril +blacklist ${HOME}/.config/aweather +blacklist ${HOME}/.config/brasero +blacklist ${HOME}/.config/enchant +blacklist ${HOME}/.config/gedit +blacklist ${HOME}/.config/Cryptocat +blacklist ${HOME}/.config/dolphinrc +blacklist ${HOME}/.config/katerc +blacklist ${HOME}/.config/katepartrc +blacklist ${HOME}/.config/kateschemarc +blacklist ${HOME}/.config/katesyntaxhighlightingrc +blacklist ${HOME}/.config/katevirc +blacklist ${HOME}/.config/nautilus +blacklist ${HOME}/.config/xfburn +blacklist ${HOME}/.config/evince +blacklist ${HOME}/.emacs +blacklist ${HOME}/.emacs.d +blacklist ${HOME}/.claws-mail +blacklist ${HOME}/.config/ranger +blacklist ${HOME}/.qemu-launcher # Media players blacklist ${HOME}/.config/cmus @@ -56,6 +76,7 @@ blacklist ${HOME}/.config/totem blacklist ${HOME}/.config/xplayer blacklist ${HOME}/.audacity-data blacklist ${HOME}/.guayadeque +blacklist ${HOME}/.config/dragonplayerrc # HTTP / FTP / Mail blacklist ${HOME}/.icedove @@ -88,6 +109,8 @@ blacklist ${HOME}/.msmtprc blacklist ${HOME}/.config/evolution blacklist ${HOME}/.local/share/evolution blacklist ${HOME}/.cache/evolution +blacklist ${HOME}/.elinks +blacklist ${HOME}/.w3m # Instant Messaging blacklist ${HOME}/.config/hexchat 
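Review bot: Two entries added to etc/disable-programs.inc duplicate lines the file already has: `blacklist ${HOME}/.config/Cryptocat` (added in the `@@ -44,7 +44,27 @@` hunk) is already in the Instant Messaging section shown as context in the `@@ -110,6 +133,7 @@` hunk, and `blacklist ${HOME}/.local/share/gnome-chess` added under `# Games` is already in the `# share` section shown as context in the last hunk of this file. More important, every path newly blacklisted here needs a matching `noblacklist` in the owning program's profile, and this commit adds one only for evince (and corrects the gnome-chess one); the profiles for the other programs named here (ranger, emacs, claws-mail, w3m, elinks and so on) are not part of the diff and should be checked so they do not lose access to their own configuration. A short comment at the top of the file, such as `# every entry here needs a matching noblacklist in the profile of the program that owns the path`, would make that rule visible to the next contributor.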
@@ -110,6 +133,7 @@ blacklist ${HOME}/.cache/gajim blacklist ${HOME}/.local/share/gajim blacklist ${HOME}/.config/gajim blacklist ${HOME}/.config/Wire +blacklist ${HOME}/.config/wire blacklist ${HOME}/.config/Cryptocat # Games @@ -119,6 +143,7 @@ blacklist ${HOME}/.config/wesnoth blacklist ${HOME}/.config/0ad blacklist ${HOME}/.warzone2100-3.1 blacklist ${HOME}/.dosbox +blacklist ${HOME}/.local/share/gnome-chess # Cryptocoins blacklist ${HOME}/.*coin @@ -151,6 +176,9 @@ blacklist ${HOME}/.cache/0ad blacklist ${HOME}/.cache/8pecxstudios blacklist ${HOME}/.cache/xreader blacklist ${HOME}/.cache/Franz +blacklist ${HOME}/.cache/simple-scan +blacklist ${HOME}/.cache/libgweather +blacklist ${HOME}/.cache/org.gnome.Books # share blacklist ${HOME}/.local/share/epiphany @@ -166,6 +194,10 @@ blacklist ${HOME}/.local/share/pix blacklist ${HOME}/.local/share/gnome-chess blacklist ${HOME}/.local/share/qpdfview blacklist ${HOME}/.local/share/zathura +blacklist ${HOME}/.local/share/gnome-music +blacklist ${HOME}/.local/share/gnome-photos +blacklist ${HOME}/.local/share/kate +blacklist ${HOME}/.local/share/dolphin # ssh blacklist /tmp/ssh-* diff --git a/etc/evince.profile b/etc/evince.profile index 12ea358be..1ec384947 100644 --- a/etc/evince.profile +++ b/etc/evince.profile @@ -1,4 +1,6 @@ # evince pdf reader profile +noblacklist ~/.config/evince + include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc diff --git a/etc/gnome-chess.profile b/etc/gnome-chess.profile index 297f7e6a9..4db485ea7 100644 --- a/etc/gnome-chess.profile +++ b/etc/gnome-chess.profile @@ -1,5 +1,5 @@ # Firejail profile for gnome-chess -noblacklist /.local/share/gnome-chess +noblacklist ~/.local/share/gnome-chess include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc -- cgit v1.2.3-70-g09d2 From 5a066e991cb22635b6f7e51bfae009570bac7f72 Mon Sep 17 00:00:00 2001 
From: valoq Date: Thu, 1 Dec 2016 14:36:45 +0100 Subject: added warning for dolphin --- etc/dolphin.profile | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/etc/dolphin.profile b/etc/dolphin.profile index 1a6abb71d..09a86f811 100644 --- a/etc/dolphin.profile +++ b/etc/dolphin.profile @@ -1,9 +1,13 @@ # dolphin profile + +# warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5 + noblacklist ~/.config/dolphinrc noblacklist ~/.local/share/dolphin include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc +# dolphin needs to be able to start arbitrary applications so we cannot blacklist their files +#include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc -- cgit v1.2.3-70-g09d2 From 5c0f1b10f9324d5ab50dcdea99283ce8bdff3fe0 Mon Sep 17 00:00:00 2001 From: valoq Date: Thu, 1 Dec 2016 14:45:10 +0100 Subject: fixed ranger --- etc/ranger.profile | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/ranger.profile b/etc/ranger.profile index 323e64dee..3538f3eb2 100644 --- a/etc/ranger.profile +++ b/etc/ranger.profile @@ -3,6 +3,7 @@ noblacklist /usr/bin/perl #noblacklist /usr/bin/cpan* noblacklist /usr/share/perl* noblacklist /usr/lib/perl* +noblacklist ~/.config/ranger include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc -- cgit v1.2.3-70-g09d2 From fbcf885bcdcf71c6a9f88bed8ae38e686f5f7f21 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 1 Dec 2016 12:30:11 -0500 Subject: cleanup --- src/firejail/main.c | 291 ++++++++++++++++++------------------------------- src/firejail/profile.c | 102 +++++++++-------- test/root/join.exp | 52 +++++++++ test/root/root.sh | 6 + test/utils/join.exp | 15 ++- 5 files changed, 233 insertions(+), 233 deletions(-) create mode 100755 test/root/join.exp diff --git a/src/firejail/main.c b/src/firejail/main.c index 4ccbb6a86..aa855b7eb 100644 
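Review bot: With `include /etc/firejail/disable-programs.inc` commented out in etc/dolphin.profile, the profile no longer hides the data directories of other applications (the browser, mail and messaging entries listed in that include) from dolphin, and the two `noblacklist` lines kept above it for `~/.config/dolphinrc` and `~/.local/share/dolphin` appear to have nothing left to override, since those paths are blacklisted in disable-programs.inc. The added warning mentions kdeinit5 but not this second consequence. I would extend the comment on the disabled include, e.g. `# disable-programs.inc is not included: dolphin can read the config and data directories of every other application`, so that users of the profile know what it no longer protects.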
--- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -250,10 +250,8 @@ static void check_network(Bridge *br) { #ifdef HAVE_USERNS void check_user_namespace(void) { EUID_ASSERT(); - if (getuid() == 0) { - fprintf(stderr, "Error: --noroot option cannot be used when starting the sandbox as root.\n"); - exit(1); - } + if (getuid() == 0) + goto errout; // test user namespaces available in the kernel struct stat s1; @@ -263,16 +261,27 @@ void check_user_namespace(void) { stat("/proc/self/uid_map", &s2) == 0 && stat("/proc/self/gid_map", &s3) == 0) arg_noroot = 1; - else { - if (!arg_quiet || arg_debug) - fprintf(stderr, "Warning: user namespaces not available in the current kernel.\n"); - arg_noroot = 0; - } + else + goto errout; + + return; + +errout: + if (!arg_quiet || arg_debug) + fprintf(stderr, "Warning: noroot option is not available\n"); + arg_noroot = 0; + } #endif -// exit commands +static void exit_err_feature(const char *feature) { + fprintf(stderr, "Error: %s feature is disabled in Firejail configuration file\n", feature); + exit(1); +} + +// run independent commands and exit program +// this function handles command line options such as --version and --help static void run_cmd_and_exit(int i, int argc, char **argv) { EUID_ASSERT(); 
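Review bot: In check_user_namespace(), `--noroot` requested by uid 0 used to be a fatal error and now jumps to `errout` (defined in the following hunk), which prints a warning and continues with `arg_noroot = 0`; with `--quiet` and no `--debug` even the warning is suppressed. That is a behaviour change inside a commit titled "cleanup": a requested hardening option is dropped and the sandbox still starts. If the downgrade is intended, the root path should keep a message that says why, e.g. `fprintf(stderr, "Warning: noroot option is not available when running as root\n");`, printed regardless of `arg_quiet`. The shared label also replaces the more specific "user namespaces not available in the current kernel" text, which made the two causes distinguishable.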
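Review bot: `exit_err_feature()` never returns, but its definition does not say so, and the rest of this commit depends on that in many brace-less `else exit_err_feature("...");` branches (the x11, seccomp, networking, overlayfs and file-transfer cases in the following hunks). Declaring it as `static void exit_err_feature(const char *feature) __attribute__((noreturn));` states the contract and lets the compiler complain if a returning path is ever added, instead of control silently falling through to the code after the `else`. A one-line comment above the definition, such as `// print a "feature disabled" error and terminate; does not return`, would help as well.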
@@ -298,21 +307,15 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1) errExit("asprintf"); EUID_ROOT(); - if (setreuid(0, 0) < 0) - errExit("setreuid"); - if (setregid(0, 0) < 0) - errExit("setregid"); + if (setreuid(0, 0) < 0 || + setregid(0, 0) < 0) + errExit("setreuid/setregid"); errno = 0; - int rv = remove_directory(path); - if (rv) { - fprintf(stderr, "Error: cannot removed overlays stored in ~/.firejail directory, errno %d\n", errno); - exit(1); - } - } - else { - fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n"); - exit(1); + if (remove_directory(path)) + errExit("remove_directory"); } + else + exit_err_feature("overlayfs"); exit(0); } #endif @@ -322,30 +325,24 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { x11_start(argc, argv); exit(0); } - else { - fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("x11"); } else if (strcmp(argv[i], "--x11=xpra") == 0) { if (checkcfg(CFG_X11)) { x11_start_xpra(argc, argv); exit(0); } - else { - fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("x11"); } else if (strcmp(argv[i], "--x11=xephyr") == 0) { if (checkcfg(CFG_X11)) { x11_start_xephyr(argc, argv); exit(0); } - else { - fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("x11"); } #endif #ifdef HAVE_NETWORK @@ -406,10 +403,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { pid_t pid = read_pid(argv[i] + 12); bandwidth_pid(pid, cmd, dev, down, up); } - else { - fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("networking"); exit(0); } #endif 
@@ -422,20 +417,16 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-syscalls"); exit(rv); } - else { - fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("seccomp"); } else if (strcmp(argv[i], "--debug-errnos") == 0) { if (checkcfg(CFG_SECCOMP)) { int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-errnos"); exit(rv); } - else { - fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("seccomp"); exit(0); } else if (strncmp(argv[i], "--seccomp.print=", 16) == 0) { @@ -444,10 +435,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { pid_t pid = read_pid(argv[i] + 16); seccomp_print_filter(pid); } - else { - fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("seccomp"); exit(0); } else if (strcmp(argv[i], "--debug-protocols") == 0) { @@ -460,10 +449,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { pid_t pid = read_pid(argv[i] + 17); protocol_print_filter(pid); } - else { - fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("seccomp"); exit(0); } #endif @@ -530,10 +517,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { 2, PATH_FIREMON, "--netstats"); exit(0); } - else { - fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("networking"); } #endif #ifdef HAVE_FILE_TRANSFER 
@@ -558,10 +543,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { sandboxfs(SANDBOX_FS_GET, pid, path, NULL); exit(0); } - else { - fprintf(stderr, "Error: --get feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("file transfer"); } else if (strncmp(argv[i], "--put=", 6) == 0) { if (checkcfg(CFG_FILE_TRANSFER)) { @@ -590,10 +573,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { sandboxfs(SANDBOX_FS_PUT, pid, path1, path2); exit(0); } - else { - fprintf(stderr, "Error: --get feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("file transfer"); } else if (strncmp(argv[i], "--ls=", 5) == 0) { if (checkcfg(CFG_FILE_TRANSFER)) { @@ -616,10 +597,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { sandboxfs(SANDBOX_FS_LS, pid, path, NULL); exit(0); } - else { - fprintf(stderr, "Error: --ls feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("file transfer"); } #endif else if (strncmp(argv[i], "--join=", 7) == 0) { @@ -685,11 +664,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { pid_t pid = read_pid(argv[i] + 15); join(pid, argc, argv, i + 1); } - else { - fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); - exit(1); - } - + else + exit_err_feature("networking"); exit(0); } #endif @@ -1117,10 +1093,8 @@ int main(int argc, char **argv) { errExit("strdup"); } } - else { - fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("seccomp"); } else if (strcmp(argv[i], "--seccomp") == 0) { if (checkcfg(CFG_SECCOMP)) { 
@@ -1130,10 +1104,8 @@ int main(int argc, char **argv) { } arg_seccomp = 1; } - else { - fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("seccomp"); } else if (strncmp(argv[i], "--seccomp=", 10) == 0) { if (checkcfg(CFG_SECCOMP)) { @@ -1144,10 +1116,8 @@ int main(int argc, char **argv) { arg_seccomp = 1; cfg.seccomp_list = seccomp_check_list(argv[i] + 10); } - else { - fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("seccomp"); } else if (strncmp(argv[i], "--seccomp.drop=", 15) == 0) { if (checkcfg(CFG_SECCOMP)) { @@ -1158,10 +1128,8 @@ int main(int argc, char **argv) { arg_seccomp = 1; cfg.seccomp_list_drop = seccomp_check_list(argv[i] + 15); } - else { - fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("seccomp"); } else if (strncmp(argv[i], "--seccomp.keep=", 15) == 0) { if (checkcfg(CFG_SECCOMP)) { @@ -1172,10 +1140,8 @@ int main(int argc, char **argv) { arg_seccomp = 1; cfg.seccomp_list_keep = seccomp_check_list(argv[i] + 15); } - else { - fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("seccomp"); } #endif else if (strcmp(argv[i], "--caps") == 0) @@ -1274,10 +1240,8 @@ int main(int argc, char **argv) { profile_check_line(line, 0, NULL); // will exit if something wrong profile_add(line); } - else { - fprintf(stderr, "Error: --bind feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("bind"); } #endif else if (strncmp(argv[i], "--tmpfs=", 8) == 0) { 
@@ -1315,10 +1279,8 @@ int main(int argc, char **argv) { profile_check_line(line, 0, NULL); // will exit if something wrong profile_add(line); } - else { - fprintf(stderr, "Error: whitelist feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("whitelist"); } #endif @@ -1368,10 +1330,8 @@ int main(int argc, char **argv) { free(subdirname); } - else { - fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("overlayfs"); } else if (strncmp(argv[i], "--overlay-named=", 16) == 0) { if (checkcfg(CFG_OVERLAYFS)) { @@ -1402,11 +1362,8 @@ int main(int argc, char **argv) { } cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse); } - else { - fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n"); - exit(1); - } - + else + exit_err_feature("overlayfs"); } else if (strcmp(argv[i], "--overlay-tmpfs") == 0) { if (checkcfg(CFG_OVERLAYFS)) { @@ -1421,10 +1378,8 @@ int main(int argc, char **argv) { } arg_overlay = 1; } - else { - fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("overlayfs"); } #endif else if (strncmp(argv[i], "--profile=", 10) == 0) { @@ -1551,10 +1506,8 @@ int main(int argc, char **argv) { exit(1); } } - else { - fprintf(stderr, "Error: --chroot feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("chroot"); } #endif else if (strcmp(argv[i], "--writable-etc") == 0) { @@ -1603,10 +1556,8 @@ int main(int argc, char **argv) { cfg.home_private_keep = argv[i] + 15; arg_private = 1; } - else { - fprintf(stderr, "Error: --private-home feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("private-home"); } #endif else if (strcmp(argv[i], "--private-dev") == 0) { 
@@ -1680,10 +1631,8 @@ int main(int argc, char **argv) { else if (strcmp(argv[i], "--noroot") == 0) { if (checkcfg(CFG_USERNS)) check_user_namespace(); - else { - fprintf(stderr, "Error: --noroot feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("noroot"); } #endif else if (strcmp(argv[i], "--nonewprivs") == 0) { @@ -1758,10 +1707,8 @@ int main(int argc, char **argv) { } intf->configured = 1; } - else { - fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("networking"); } else if (strncmp(argv[i], "--net=", 6) == 0) { @@ -1811,10 +1758,8 @@ int main(int argc, char **argv) { } net_configure_bridge(br, argv[i] + 6); } - else { - fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("networking"); } else if (strncmp(argv[i], "--veth-name=", 12) == 0) { @@ -1832,20 +1777,16 @@ int main(int argc, char **argv) { exit(1); } } - else { - fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("networking"); } else if (strcmp(argv[i], "--scan") == 0) { if (checkcfg(CFG_NETWORK)) { arg_scan = 1; } - else { - fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("networking"); } else if (strncmp(argv[i], "--iprange=", 10) == 0) { if (checkcfg(CFG_NETWORK)) { @@ -1885,10 +1826,8 @@ int main(int argc, char **argv) { return 1; } } - else { - fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("networking"); } else if (strncmp(argv[i], "--mac=", 6) == 0) { 
@@ -1909,10 +1848,8 @@ int main(int argc, char **argv) { exit(1); } } - else { - fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("networking"); } else if (strncmp(argv[i], "--mtu=", 6) == 0) { @@ -1928,10 +1865,8 @@ int main(int argc, char **argv) { exit(1); } } - else { - fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("networking"); } else if (strncmp(argv[i], "--ip=", 5) == 0) { @@ -1956,10 +1891,8 @@ int main(int argc, char **argv) { } } } - else { - fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("networking"); } else if (strncmp(argv[i], "--ip6=", 6) == 0) { @@ -1982,10 +1915,8 @@ int main(int argc, char **argv) { // exit(1); // } } - else { - fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("networking"); } @@ -1996,10 +1927,8 @@ int main(int argc, char **argv) { exit(1); } } - else { - fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("networking"); } #endif else if (strncmp(argv[i], "--dns=", 6) == 0) { @@ -2038,10 +1967,8 @@ int main(int argc, char **argv) { if (checkcfg(CFG_NETWORK)) { arg_netfilter = 1; } - else { - fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("networking"); } else if (strncmp(argv[i], "--netfilter=", 12) == 0) { 
@@ -2062,10 +1989,8 @@ int main(int argc, char **argv) { arg_netfilter_file = argv[i] + 12; check_netfilter_file(arg_netfilter_file); } - else { - fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("networking"); } else if (strncmp(argv[i], "--netfilter6=", 13) == 0) { @@ -2074,10 +1999,8 @@ int main(int argc, char **argv) { arg_netfilter6_file = argv[i] + 13; check_netfilter_file(arg_netfilter6_file); } - else { - fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("networking"); } #endif //************************************* @@ -2184,10 +2107,8 @@ int main(int argc, char **argv) { else if (strcmp(argv[i], "--x11=xorg") == 0) { if (checkcfg(CFG_X11)) arg_x11_xorg = 1; - else { - fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("x11"); } #endif else if (strncmp(argv[i], "--join-or-start=", 16) == 0) { diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 2be6948f0..3697b54b9 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -63,6 +63,13 @@ int profile_find(const char *name, const char *dir) { // run-time profiles //*************************************************** +static void warning_feature_disabled(const char *feature) { + if (!arg_quiet) + fprintf(stderr, "Warning: %s feature is disabled in Firejail configuration file\n", feature); +} + + + // check profile line; if line == 0, this was generated from a command line option // return 1 if the command is to be added to the linked list of profile commands // return 0 if the command was already executed inside the function 
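Review bot: `warning_feature_disabled()` prints nothing when `arg_quiet` is set, and later profile.c hunks call it for `seccomp` and `noroot` before returning 0. A profile that requests one of these on a host where it is disabled in the Firejail configuration file therefore starts the sandbox without that restriction and without any message. The removed lines behaved the same way, but the new helper is the single place to change it. Either print the warning for these hardening features regardless of `arg_quiet`, or state the behaviour above the helper, e.g. `// the profile line is skipped and the sandbox continues; nothing is printed when arg_quiet is set`.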
@@ -130,8 +137,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { #if HAVE_USERNS if (checkcfg(CFG_USERNS)) check_user_namespace(); - else if (!arg_quiet) - fprintf(stderr, "Warning: user namespace feature is disabled in Firejail configuration file\n"); + else + warning_feature_disabled("noroot"); #endif return 0; @@ -144,8 +151,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { #ifdef HAVE_SECCOMP if (checkcfg(CFG_SECCOMP)) arg_seccomp = 1; - else if (!arg_quiet) - fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n"); + else + warning_feature_disabled("seccomp"); #endif return 0; } @@ -175,8 +182,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { cfg.home_private_keep = ptr + 13; arg_private = 1; } - else if (!arg_quiet) - fprintf(stderr, "Warning: private-home is disabled in Firejail configuration file\n"); + else + warning_feature_disabled("private-home"); #endif return 0; } @@ -208,8 +215,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { #ifdef HAVE_NETWORK if (checkcfg(CFG_NETWORK)) arg_netfilter = 1; - else if (!arg_quiet) - fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); + else + warning_feature_disabled("networking"); #endif return 0; } @@ -222,8 +229,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { errExit("strdup"); check_netfilter_file(arg_netfilter_file); } - else if (!arg_quiet) - fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); + else + warning_feature_disabled("networking"); #endif return 0; } 
@@ -236,8 +243,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { errExit("strdup"); check_netfilter_file(arg_netfilter6_file); } - else if (!arg_quiet) - fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); + else + warning_feature_disabled("networking"); #endif return 0; } @@ -254,8 +261,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { cfg.interface2.configured = 0; cfg.interface3.configured = 0; } - else if (!arg_quiet) - fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); + else + warning_feature_disabled("networking"); #endif return 0; } @@ -295,8 +302,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { } net_configure_bridge(br, ptr + 4); } - else if (!arg_quiet) - fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); + else + warning_feature_disabled("networking"); #endif return 0; } @@ -318,8 +325,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { exit(1); } } - else if (!arg_quiet) - fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); + else + warning_feature_disabled("networking"); #endif return 0; } @@ -363,8 +370,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { exit(1); } } - else if (!arg_quiet) - fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); + else + warning_feature_disabled("networking"); #endif return 0; } @@ -390,8 +397,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { exit(1); } } - else if (!arg_quiet) - fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); + else + warning_feature_disabled("networking"); #endif return 0; } 
@@ -410,8 +417,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { exit(1); } } - else if (!arg_quiet) - fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); + else + warning_feature_disabled("networking"); #endif return 0; } @@ -439,8 +446,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { } } } - else if (!arg_quiet) - fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); + else + warning_feature_disabled("networking"); #endif return 0; } @@ -467,8 +474,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { // } } - else if (!arg_quiet) - fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); + else + warning_feature_disabled("networking"); #endif return 0; } @@ -481,8 +488,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { exit(1); } } - else if (!arg_quiet) - fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); + else + warning_feature_disabled("networking"); #endif return 0; } @@ -508,8 +515,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { if (!cfg.protocol) errExit("strdup"); } - else if (!arg_quiet) - fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n"); + else + warning_feature_disabled("seccomp"); #endif return 0; } @@ -531,7 +538,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { cfg.seccomp_list = seccomp_check_list(ptr + 8); } else if (!arg_quiet) - fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n"); + warning_feature_disabled("seccomp"); #endif return 0; 
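Review bot: In the `@@ -531,7 +538,7 @@` hunk the branch is still `else if (!arg_quiet)`, although `warning_feature_disabled()` already tests `arg_quiet` itself. The check is therefore done twice, and this call site differs from every other one converted in this commit. Change the line to a plain `else` followed by `warning_feature_disabled("seccomp");`, matching the neighbouring seccomp hunks. profile_check_line() starts and ends outside this hunk.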
@@ -544,8 +551,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { arg_seccomp = 1; cfg.seccomp_list_drop = seccomp_check_list(ptr + 13); } - else if (!arg_quiet) - fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n"); + else + warning_feature_disabled("seccomp"); #endif return 0; } @@ -557,8 +564,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { arg_seccomp = 1; cfg.seccomp_list_keep= seccomp_check_list(ptr + 13); } - else if (!arg_quiet) - fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n"); + else + warning_feature_disabled("seccomp"); #endif return 0; } @@ -676,6 +683,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { exit(0); } } + else + warning_feature_disabled("x11"); #endif return 0; } @@ -684,10 +693,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { #ifdef HAVE_X11 if (checkcfg(CFG_X11)) arg_x11_xorg = 1; - else { - fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n"); - return 0; - } + else + warning_feature_disabled("x11"); #endif return 0; } @@ -705,6 +712,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { exit(0); } } + else + warning_feature_disabled("x11"); #endif return 0; } @@ -723,6 +732,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { exit(0); } } + else + warning_feature_disabled("x11"); #endif return 0; } @@ -795,13 +806,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { *(dname2 - 1) = ','; return 1; } - else if (!arg_quiet) { - fprintf(stderr, "Warning: bind feature is disabled in Firejail configuration file\n"); - return 0; - } -#else - return 0; + else + warning_feature_disabled("bind"); #endif + return 0; } // rlimit diff --git a/test/root/join.exp b/test/root/join.exp new file mode 100755 index 000000000..e4a4e87af --- /dev/null +++ b/test/root/join.exp 
@@ -0,0 +1,52 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +cd /home +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --name=jointesting --cpu=0 --nice=2\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firejail --join=jointesting\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Switching to pid" +} +sleep 1 +send -- "ps aux\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "/bin/bash" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "/bin/bash" +} + +send -- "exit\r" +sleep 1 +send -- "firejail --join-network=jointesting\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +send -- "exit\r" +sleep 1 +send -- "firejail --join-filesystem=jointesting\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "Child process initialized" +} + +after 100 + +puts "\nall done\n" diff --git a/test/root/root.sh b/test/root/root.sh index 371bccdff..9764b3804 100755 --- a/test/root/root.sh +++ b/test/root/root.sh @@ -56,6 +56,12 @@ echo "TESTING: fs private (test/root/private.exp)" echo "TESTING: fs whitelist mnt, opt, media (test/root/whitelist-mnt.exp)" ./whitelist.exp +#******************************** +# utils +#******************************** +echo "TESTING: join (test/root/join.exp)" +./join.exp + #******************************** # seccomp #******************************** diff --git a/test/utils/join.exp b/test/utils/join.exp index fc30bc6a4..79fe99f2d 100755 --- a/test/utils/join.exp +++ b/test/utils/join.exp 
@@ -32,7 +32,20 @@ expect { "/bin/bash" } -send -- "exit" +send -- "exit\r" +sleep 1 +send -- "firejail --join-network=jointesting\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "is only available to root user" +} +after 100 +send -- "firejail --join-filesystem=jointesting\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "is only available to root user" +} + after 100 puts "\nall done\n" -- cgit v1.2.3-70-g09d2 From 89a0adc3cd1677f7b8cb129649fda8165c47f6d9 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 1 Dec 2016 20:55:01 -0500 Subject: testing --- gcov.sh | 11 ++++++----- src/firejail/seccomp.c | 9 ++------- test/environment/dns.exp | 2 +- test/utils/shutdown.exp | 14 ++++++++++++++ todo | 2 ++ 5 files changed, 25 insertions(+), 13 deletions(-) diff --git a/gcov.sh b/gcov.sh index c5c385dd3..a3cd8c5ee 100755 --- a/gcov.sh +++ b/gcov.sh @@ -13,16 +13,17 @@ gcov_init() { } generate() { - lcov -q --capture -d src/firejail -d src/firemon -d src/fcopy -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg --output-file gcov-file + lcov -q --capture -d src/firejail -d src/firemon -d src/fcopy -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg --output-file gcov-file-new + lcov --add-tracefile gcov-file-old --add-tracefile gcov-file-new --output-file gcov-file rm -fr gcov-dir genhtml -q gcov-file --output-directory gcov-dir + sudo rm `find . -name *.gcda` + cp gcov-file gcov-file-old + gcov_init } -gcov_init -generate -echo "press any key to continue, or Ctrl-C to exit" -read text +gcov_init # running tests make test-root diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index cdbbe4fdd..96dfdaff2 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c 
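Review bot: The added `sudo rm` line in generate() of gcov.sh feeds it the backtick output of `find . -name *.gcda` with the pattern unquoted. The shell can expand `*.gcda` against the current directory before find sees it, and the result is word-split before reaching an `rm` running as root. When nothing matches, `rm` is called without operands and fails. `sudo find . -name '*.gcda' -delete` avoids these problems. Separately, `lcov --add-tracefile gcov-file-old` appears to need `gcov-file-old` to exist already, which the visible lines do not guarantee on a first run.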
@@ -195,10 +195,8 @@ int seccomp_filter_keep(void) { printf("Build drop seccomp filter\n"); // build the seccomp filter as a regular user - int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4, + sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4, PATH_FSECCOMP, "keep", RUN_SECCOMP_CFG, cfg.seccomp_list_keep); - if (rv) - exit(rv); if (arg_debug) printf("seccomp filter configured\n"); @@ -246,10 +244,7 @@ void seccomp_print_filter(pid_t pid) { } // read and print the filter - run this as root, the user doesn't have access - int rv = sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, - PATH_FSECCOMP, "print", fname); - if (rv) - exit(rv); + sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FSECCOMP, "print", fname); free(fname); exit(0); diff --git a/test/environment/dns.exp b/test/environment/dns.exp index 3e2a0ffd4..0d12a82f2 100755 --- a/test/environment/dns.exp +++ b/test/environment/dns.exp @@ -71,6 +71,6 @@ after 100 send -- "rm index.html\r" after 100 send -- "exit\r" -after 100 +sleep 1 puts "\nall done\n" diff --git a/test/utils/shutdown.exp b/test/utils/shutdown.exp index 15a9a62c8..1ab231bf4 100755 --- a/test/utils/shutdown.exp +++ b/test/utils/shutdown.exp @@ -32,4 +32,18 @@ expect { } sleep 1 +send -- "firejail --shutdown=sutdowntesting\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "cannot find sandbox sutdowntesting" +} +after 100 + +send -- "firejail --shutdown=10\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "this is not a firejail sandbox" +} +after 100 + puts "\nall done\n" diff --git a/todo b/todo index 070fb068d..954fd786a 100644 --- a/todo +++ b/todo @@ -297,3 +297,5 @@ install mount namespace read-only /etc read-only /var read-only /bin + +31. --private and --allusers are coliding -- cgit v1.2.3-70-g09d2 From 4bfd6b8d93c957b676de6b3710da5b44190ec779 Mon Sep 17 00:00:00 2001 From: valoq Date: Fri, 2 Dec 2016 12:16:14 +0100 Subject: removed duplicates --- etc/disable-programs.inc | 4 ---- 1 file changed, 4 deletions(-) 
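Review bot: seccomp_filter_keep() now discards the result of `sbox_run()`, so a failure of the fseccomp helper to build the keep filter is no longer caught at this call and the function carries on as if the filter had been written. The second seccomp.c hunk drops the same check in seccomp_print_filter(). sbox_run() is not visible on this page. If it already exits on a non-zero child status, say so at the call with a comment such as `// sbox_run() exits on failure, no return check needed`; otherwise keep `if (rv) exit(rv);`. Both functions continue outside their hunks.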
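Review bot: Both expect blocks added to test/utils/shutdown.exp print `TESTING ERROR 5` on timeout, so a failing run does not show which of the two `--shutdown` checks timed out. Give the second block its own label, e.g. `timeout {puts "TESTING ERROR 6\n";exit}`.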
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 8d0d75d63..777e122a0 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -47,12 +47,9 @@ blacklist ${HOME}/.config/flowblade blacklist ${HOME}/.config/eog blacklist ${HOME}/.config/jd-gui.cfg blacklist ${HOME}/.config/arkrc -blacklist ${HOME}/.config/atril -blacklist ${HOME}/.config/aweather blacklist ${HOME}/.config/brasero blacklist ${HOME}/.config/enchant blacklist ${HOME}/.config/gedit -blacklist ${HOME}/.config/Cryptocat blacklist ${HOME}/.config/dolphinrc blacklist ${HOME}/.config/katerc blacklist ${HOME}/.config/katepartrc @@ -198,7 +195,6 @@ blacklist ${HOME}/.local/share/xplayer blacklist ${HOME}/.local/share/totem blacklist ${HOME}/.local/share/psi+ blacklist ${HOME}/.local/share/pix -blacklist ${HOME}/.local/share/gnome-chess blacklist ${HOME}/.local/share/qpdfview blacklist ${HOME}/.local/share/zathura blacklist ${HOME}/.local/share/gnome-music -- cgit v1.2.3-70-g09d2 From 6bf6d5ed51fa6f4247f10e83e85ca0b69650e389 Mon Sep 17 00:00:00 2001 From: valoq Date: Fri, 2 Dec 2016 12:58:48 +0100 Subject: updated program files --- etc/disable-programs.inc | 408 +++++++++++++++++++++++++++-------------------- 1 file changed, 235 insertions(+), 173 deletions(-) diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 777e122a0..48701b520 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc 
@@ -1,206 +1,268 @@ -# various programs +blacklist ${HOME}/.*coin +blacklist ${HOME}/.8pecxstudios blacklist ${HOME}/.Atom -blacklist ${HOME}/.remmina -blacklist ${HOME}/.tconn blacklist ${HOME}/.FBReader -blacklist ${HOME}/.wine +blacklist ${HOME}/.LuminanceHDR blacklist ${HOME}/.Mathematica +blacklist ${HOME}/.Natron +blacklist ${HOME}/.Skype +blacklist ${HOME}/.TelegramDesktop +blacklist ${HOME}/.VirtualBox blacklist ${HOME}/.Wolfram Research -blacklist ${HOME}/.stellarium -blacklist ${HOME}/.sword -blacklist ${HOME}/.xiphos +blacklist ${HOME}/.arduino15 +blacklist ${HOME}/.atom +blacklist ${HOME}/.audacity-data +blacklist ${HOME}/.bcast5 +blacklist ${HOME}/.cache/0ad +blacklist ${HOME}/.cache/8pecxstudios +blacklist ${HOME}/.cache/Franz +blacklist ${HOME}/.cache/INRIA +blacklist ${HOME}/.cache/QuiteRss +blacklist ${HOME}/.cache/champlain +blacklist ${HOME}/.cache/chromium +blacklist ${HOME}/.cache/chromium-dev +blacklist ${HOME}/.cache/darktable +blacklist ${HOME}/.cache/epiphany +blacklist ${HOME}/.cache/evolution +blacklist ${HOME}/.cache/gajim +blacklist ${HOME}/.cache/google-chrome +blacklist ${HOME}/.cache/google-chrome-beta +blacklist ${HOME}/.cache/google-chrome-unstable +blacklist ${HOME}/.cache/icedove +blacklist ${HOME}/.cache/inox +blacklist ${HOME}/.cache/libgweather +blacklist ${HOME}/.cache/midori +blacklist ${HOME}/.cache/mozilla +blacklist ${HOME}/.cache/mutt +blacklist ${HOME}/.cache/netsurf +blacklist ${HOME}/.cache/opera +blacklist ${HOME}/.cache/opera-beta +blacklist ${HOME}/.cache/org.gnome.Books +blacklist ${HOME}/.cache/qutebrowser +blacklist ${HOME}/.cache/simple-scan +blacklist ${HOME}/.cache/slimjet +blacklist ${HOME}/.cache/spotify +blacklist ${HOME}/.cache/telepathy +blacklist ${HOME}/.cache/thunderbird +blacklist ${HOME}/.cache/torbrowser +blacklist ${HOME}/.cache/transmission +blacklist ${HOME}/.cache/vivaldi +blacklist ${HOME}/.cache/wesnoth +blacklist ${HOME}/.cache/xreader +blacklist ${HOME}/.claws-mail +blacklist 
${HOME}/.config/0ad blacklist ${HOME}/.config/Atom -blacklist ${HOME}/.config/bless -blacklist ${HOME}/.config/gthumb -blacklist ${HOME}/.config/mupen64plus -blacklist ${HOME}/.config/transmission -blacklist ${HOME}/.config/uGet +blacklist ${HOME}/.config/Brackets +blacklist ${HOME}/.config/Cryptocat +blacklist ${HOME}/.config/Franz +blacklist ${HOME}/.config/Gitter +blacklist ${HOME}/.config/Google blacklist ${HOME}/.config/Gpredict -blacklist ${HOME}/.config/aweather -blacklist ${HOME}/.config/stellarium -blacklist ${HOME}/.config/atril -blacklist ${HOME}/.config/xreader -blacklist ${HOME}/.config/xviewer -blacklist ${HOME}/.config/libreoffice -blacklist ${HOME}/.config/pix -blacklist ${HOME}/.config/mate/eom -blacklist ${HOME}/.config/xed -blacklist ${HOME}/.config/pluma -blacklist ${HOME}/.kde/share/apps/okular -blacklist ${HOME}/.kde/share/config/okularrc -blacklist ${HOME}/.kde/share/config/okularpartrc -blacklist ${HOME}/.kde/share/apps/gwenview -blacklist ${HOME}/.kde/share/config/gwenviewrc -blacklist ${HOME}/.config/qpdfview +blacklist ${HOME}/.config/INRIA blacklist ${HOME}/.config/Luminance -blacklist ${HOME}/.config/synfig -blacklist ${HOME}/.synfig -blacklist ${HOME}/.inkscape -blacklist ${HOME}/.gimp* -blacklist ${HOME}/.config/zathura -blacklist ${HOME}/.config/cherrytree -blacklist ${HOME}/.xpdfrc -blacklist ${HOME}/.openshot -blacklist ${HOME}/.openshot_qt -blacklist ${HOME}/.flowblade -blacklist ${HOME}/.config/flowblade -blacklist ${HOME}/.config/eog -blacklist ${HOME}/.config/jd-gui.cfg +blacklist ${HOME}/.config/Meltytech +blacklist ${HOME}/.config/Mumble +blacklist ${HOME}/.config/QuiteRss +blacklist ${HOME}/.config/QuiteRssrc +blacklist ${HOME}/.config/Slack +blacklist ${HOME}/.config/VirtualBox +blacklist ${HOME}/.config/Wire +blacklist ${HOME}/.config/ardour4 +blacklist ${HOME}/.config/ardour5 blacklist ${HOME}/.config/arkrc +blacklist ${HOME}/.config/atril +blacklist ${HOME}/.config/autostart +blacklist 
${HOME}/.config/autostart/dropbox.desktop +blacklist ${HOME}/.config/aweather +blacklist ${HOME}/.config/blender +blacklist ${HOME}/.config/bless blacklist ${HOME}/.config/brasero +blacklist ${HOME}/.config/brave +blacklist ${HOME}/.config/cherrytree +blacklist ${HOME}/.config/chromium +blacklist ${HOME}/.config/chromium-dev +blacklist ${HOME}/.config/chromium-flags.conf +blacklist ${HOME}/.config/cmus +blacklist ${HOME}/.config/darktable +blacklist ${HOME}/.config/deadbeef +blacklist ${HOME}/.config/dolphinrc +blacklist ${HOME}/.config/dragonplayerrc blacklist ${HOME}/.config/enchant +blacklist ${HOME}/.config/eog +blacklist ${HOME}/.config/epiphany +blacklist ${HOME}/.config/evince +blacklist ${HOME}/.config/evolution +blacklist ${HOME}/.config/filezilla +blacklist ${HOME}/.config/flowblade +blacklist ${HOME}/.config/gajim blacklist ${HOME}/.config/gedit -blacklist ${HOME}/.config/dolphinrc -blacklist ${HOME}/.config/katerc +blacklist ${HOME}/.config/google-chrome +blacklist ${HOME}/.config/google-chrome-beta +blacklist ${HOME}/.config/google-chrome-unstable +blacklist ${HOME}/.config/gthumb +blacklist ${HOME}/.config/hexchat +blacklist ${HOME}/.config/inox +blacklist ${HOME}/.config/jd-gui.cfg blacklist ${HOME}/.config/katepartrc +blacklist ${HOME}/.config/katerc blacklist ${HOME}/.config/kateschemarc blacklist ${HOME}/.config/katesyntaxhighlightingrc blacklist ${HOME}/.config/katevirc -blacklist ${HOME}/.config/nautilus -blacklist ${HOME}/.config/xfburn -blacklist ${HOME}/.config/evince -blacklist ${HOME}/.emacs -blacklist ${HOME}/.emacs.d -blacklist ${HOME}/.claws-mail -blacklist ${HOME}/.config/ranger -blacklist ${HOME}/.qemu-launcher - -# Media players -blacklist ${HOME}/.config/cmus -blacklist ${HOME}/.config/deadbeef -blacklist ${HOME}/.config/spotify -blacklist ${HOME}/.config/vlc -blacklist ${HOME}/.config/mpv -blacklist ${HOME}/.config/totem -blacklist ${HOME}/.config/xplayer -blacklist ${HOME}/.audacity-data -blacklist ${HOME}/.guayadeque -blacklist 
${HOME}/.config/dragonplayerrc -blacklist ${HOME}/.local/share/lollypop - -# HTTP / FTP / Mail -blacklist ${HOME}/.icedove -blacklist ${HOME}/.thunderbird -blacklist ${HOME}/.sylpheed-2.0 +blacklist ${HOME}/.config/libreoffice +blacklist ${HOME}/.config/mate/eom blacklist ${HOME}/.config/midori -blacklist ${HOME}/.mozilla -blacklist ${HOME}/.config/chromium -blacklist ${HOME}/.config/google-chrome -blacklist ${HOME}/.config/google-chrome-beta -blacklist ${HOME}/.config/google-chrome-unstable +blacklist ${HOME}/.config/mpv +blacklist ${HOME}/.config/mupen64plus +blacklist ${HOME}/.config/nautilus +blacklist ${HOME}/.config/netsurf blacklist ${HOME}/.config/opera blacklist ${HOME}/.config/opera-beta -blacklist ${HOME}/.opera -blacklist ${HOME}/.config/vivaldi -blacklist ${HOME}/.filezilla -blacklist ${HOME}/.config/filezilla -blacklist ${HOME}/.dillo -blacklist ${HOME}/.conkeror.mozdev.org -blacklist ${HOME}/.config/epiphany -blacklist ${HOME}/.config/slimjet -blacklist ${HOME}/.config/qutebrowser -blacklist ${HOME}/.8pecxstudios -blacklist ${HOME}/.config/brave -blacklist ${HOME}/.config/inox -blacklist ${HOME}/.muttrc -blacklist ${HOME}/.mutt -blacklist ${HOME}/.mutt/muttrc -blacklist ${HOME}/.msmtprc -blacklist ${HOME}/.config/evolution -blacklist ${HOME}/.local/share/evolution -blacklist ${HOME}/.cache/evolution -blacklist ${HOME}/.elinks -blacklist ${HOME}/.w3m - -# Instant Messaging -blacklist ${HOME}/.config/hexchat -blacklist ${HOME}/.mcabber -blacklist ${HOME}/.mcabberrc -blacklist ${HOME}/.purple +blacklist ${HOME}/.config/pix +blacklist ${HOME}/.config/pluma blacklist ${HOME}/.config/psi+ -blacklist ${HOME}/.retroshare -blacklist ${HOME}/.weechat -blacklist ${HOME}/.config/xchat -blacklist ${HOME}/.Skype +blacklist ${HOME}/.config/qpdfview +blacklist ${HOME}/.config/qutebrowser +blacklist ${HOME}/.config/ranger +blacklist ${HOME}/.config/redshift.conf blacklist ${HOME}/.config/skypeforlinux +blacklist ${HOME}/.config/slimjet +blacklist 
${HOME}/.config/spotify +blacklist ${HOME}/.config/stellarium +blacklist ${HOME}/.config/synfig +blacklist ${HOME}/.config/telepathy-account-widgets +blacklist ${HOME}/.config/torbrowser +blacklist ${HOME}/.config/totem blacklist ${HOME}/.config/tox -blacklist ${HOME}/.TelegramDesktop -blacklist ${HOME}/.config/Gitter -blacklist ${HOME}/.config/Franz -blacklist ${HOME}/.jitsi -blacklist ${HOME}/.config/Slack -blacklist ${HOME}/.cache/gajim -blacklist ${HOME}/.local/share/gajim -blacklist ${HOME}/.config/gajim -blacklist ${HOME}/.config/Wire -blacklist ${HOME}/.config/wire -blacklist ${HOME}/.config/Cryptocat - -# Games -blacklist ${HOME}/.hedgewars -blacklist ${HOME}/.steam +blacklist ${HOME}/.config/transmission +blacklist ${HOME}/.config/uGet +blacklist ${HOME}/.config/vivaldi +blacklist ${HOME}/.config/vlc blacklist ${HOME}/.config/wesnoth -blacklist ${HOME}/.config/0ad -blacklist ${HOME}/.warzone2100-3.1 +blacklist ${HOME}/.config/wire +blacklist ${HOME}/.config/xchat +blacklist ${HOME}/.config/xed +blacklist ${HOME}/.config/xfburn +blacklist ${HOME}/.config/xplayer +blacklist ${HOME}/.config/xreader +blacklist ${HOME}/.config/xviewer +blacklist ${HOME}/.config/zathura +blacklist ${HOME}/.config/zoomus.conf +blacklist ${HOME}/.conkeror.mozdev.org +blacklist ${HOME}/.dillo blacklist ${HOME}/.dosbox -blacklist ${HOME}/.local/share/gnome-chess -blacklist ${HOME}/.local/share/gnome-2048 -blacklist ${HOME}/.local/share/multimc5 -blacklist ${HOME}/.multimc5 -blacklist ${HOME}/.xonotic - -# Cryptocoins -blacklist ${HOME}/.*coin +blacklist ${HOME}/.dropbox-dist blacklist ${HOME}/.electrum* -blacklist ${HOME}/wallet.dat - -# git, subversion -blacklist ${HOME}/.subversion -blacklist ${HOME}/.gitconfig +blacklist ${HOME}/.elinks +blacklist ${HOME}/.emacs +blacklist ${HOME}/.emacs.d +blacklist ${HOME}/.filezilla +blacklist ${HOME}/.flowblade +blacklist ${HOME}/.fltk +blacklist ${HOME}/.gimp* blacklist ${HOME}/.git-credential-cache - -# cache -blacklist 
${HOME}/.cache/mozilla -blacklist ${HOME}/.cache/chromium -blacklist ${HOME}/.cache/google-chrome -blacklist ${HOME}/.cache/google-chrome-beta -blacklist ${HOME}/.cache/google-chrome-unstable -blacklist ${HOME}/.cache/opera -blacklist ${HOME}/.cache/opera-beta -blacklist ${HOME}/.cache/vivaldi -blacklist ${HOME}/.cache/epiphany -blacklist ${HOME}/.cache/slimjet -blacklist ${HOME}/.cache/qutebrowser -blacklist ${HOME}/.cache/spotify -blacklist ${HOME}/.cache/thunderbird -blacklist ${HOME}/.cache/icedove -blacklist ${HOME}/.cache/transmission -blacklist ${HOME}/.cache/wesnoth -blacklist ${HOME}/.cache/0ad -blacklist ${HOME}/.cache/8pecxstudios -blacklist ${HOME}/.cache/xreader -blacklist ${HOME}/.cache/Franz -blacklist ${HOME}/.cache/simple-scan -blacklist ${HOME}/.cache/libgweather -blacklist ${HOME}/.cache/org.gnome.Books - -# share +blacklist ${HOME}/.gitconfig +blacklist ${HOME}/.googleearth/Cache/ +blacklist ${HOME}/.googleearth/Temp/ +blacklist ${HOME}/.googleearth/myplaces.backup.kml +blacklist ${HOME}/.googleearth/myplaces.kml +blacklist ${HOME}/.guayadeque +blacklist ${HOME}/.hedgewars +blacklist ${HOME}/.icedove +blacklist ${HOME}/.inkscape +blacklist ${HOME}/.jitsi +blacklist ${HOME}/.kde/share/apps/gwenview +blacklist ${HOME}/.kde/share/apps/okular +blacklist ${HOME}/.kde/share/config/gwenviewrc +blacklist ${HOME}/.kde/share/config/okularpartrc +blacklist ${HOME}/.kde/share/config/okularrc +blacklist ${HOME}/.killingfloor +blacklist ${HOME}/.linphone-history.db +blacklist ${HOME}/.linphonerc +blacklist ${HOME}/.lmmsrc.xml +blacklist ${HOME}/.local/.share/maps-places.json +blacklist ${HOME}/.local/lib/python2.7/site-packages +blacklist ${HOME}/.local/share/0ad +blacklist ${HOME}/.local/share/3909/PapersPlease +blacklist ${HOME}/.local/share/Empathy +blacklist ${HOME}/.local/share/Mumble +blacklist ${HOME}/.local/share/QuiteRss +blacklist ${HOME}/.local/share/Ricochet +blacklist ${HOME}/.local/share/Steam +blacklist ${HOME}/.local/share/SuperHexagon 
+blacklist ${HOME}/.local/share/Terraria +blacklist ${HOME}/.local/share/TpLogger +blacklist ${HOME}/.local/share/aspyr-media +blacklist ${HOME}/.local/share/cdprojektred +blacklist ${HOME}/.local/share/data/Mumble +blacklist ${HOME}/.local/share/dolphin blacklist ${HOME}/.local/share/epiphany +blacklist ${HOME}/.local/share/evolution +blacklist ${HOME}/.local/share/feral-interactive +blacklist ${HOME}/.local/share/gajim +blacklist ${HOME}/.local/share/gnome-2048 +blacklist ${HOME}/.local/share/gnome-chess +blacklist ${HOME}/.local/share/gnome-music +blacklist ${HOME}/.local/share/gnome-photos +blacklist ${HOME}/.local/share/kate +blacklist ${HOME}/.local/share/lollypop +blacklist ${HOME}/.local/share/multimc5 blacklist ${HOME}/.local/share/mupen64plus +blacklist ${HOME}/.local/share/pix +blacklist ${HOME}/.local/share/psi+ +blacklist ${HOME}/.local/share/qpdfview blacklist ${HOME}/.local/share/spotify blacklist ${HOME}/.local/share/steam +blacklist ${HOME}/.local/share/telepathy +blacklist ${HOME}/.local/share/torbrowser +blacklist ${HOME}/.local/share/totem +blacklist ${HOME}/.local/share/vpltd +blacklist ${HOME}/.local/share/vulkan blacklist ${HOME}/.local/share/wesnoth -blacklist ${HOME}/.local/share/0ad blacklist ${HOME}/.local/share/xplayer -blacklist ${HOME}/.local/share/totem -blacklist ${HOME}/.local/share/psi+ -blacklist ${HOME}/.local/share/pix -blacklist ${HOME}/.local/share/qpdfview +blacklist ${HOME}/.local/share/xreader blacklist ${HOME}/.local/share/zathura -blacklist ${HOME}/.local/share/gnome-music -blacklist ${HOME}/.local/share/gnome-photos -blacklist ${HOME}/.local/share/kate -blacklist ${HOME}/.local/share/dolphin - -# ssh +blacklist ${HOME}/.lv2 +blacklist ${HOME}/.mcabber +blacklist ${HOME}/.mcabberrc +blacklist ${HOME}/.mozilla +blacklist ${HOME}/.mozilla/seamonkey +blacklist ${HOME}/.mpdconf +blacklist ${HOME}/.msmtprc +blacklist ${HOME}/.multimc5 +blacklist ${HOME}/.mutt +blacklist ${HOME}/.mutt/muttrc +blacklist ${HOME}/.muttrc 
+blacklist ${HOME}/.nv +blacklist ${HOME}/.openshot +blacklist ${HOME}/.openshot_qt +blacklist ${HOME}/.opera +blacklist ${HOME}/.opera-beta +blacklist ${HOME}/.pki +blacklist ${HOME}/.purple +blacklist ${HOME}/.qemu-launcher +blacklist ${HOME}/.remmina +blacklist ${HOME}/.retroshare +blacklist ${HOME}/.scribus +blacklist ${HOME}/.steam +blacklist ${HOME}/.steampath +blacklist ${HOME}/.steampid +blacklist ${HOME}/.stellarium +blacklist ${HOME}/.subversion +blacklist ${HOME}/.sword +blacklist ${HOME}/.sylpheed-2.0 +blacklist ${HOME}/.synfig +blacklist ${HOME}/.tconn +blacklist ${HOME}/.thunderbird +blacklist ${HOME}/.ts3client +blacklist ${HOME}/.vst +blacklist ${HOME}/.w3m +blacklist ${HOME}/.warzone2100-3.1 +blacklist ${HOME}/.weechat +blacklist ${HOME}/.wine +blacklist ${HOME}/.wine64 +blacklist ${HOME}/.xiphos +blacklist ${HOME}/.xonotic +blacklist ${HOME}/.xpdfrc +blacklist ${HOME}/.zoom +blacklist ${HOME}/wallet.dat blacklist /tmp/ssh-* -- cgit v1.2.3-70-g09d2 From d4f83991b0b76a30ee452279e7858acd439c18a6 Mon Sep 17 00:00:00 2001 From: vismir2 Date: Sat, 3 Dec 2016 14:37:32 +0100 Subject: Added profile Added truecrypt and zuluCrypt --- etc/disable-common.inc | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 8886a0bc3..aad75bb4a 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc 
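Review bot: The added entry `blacklist ${HOME}/.local/.share/maps-places.json` has a dot before `share`, unlike every other `${HOME}/.local/share/...` entry in this list. It most likely names a path that does not exist, which would leave the intended file readable inside sandboxes. If the file meant is the one under `.local/share`, the line should read `blacklist ${HOME}/.local/share/maps-places.json`. The rewrite also drops the section comments (`# HTTP / FTP / Mail`, `# Cryptocoins`, `# ssh` and the others) and the new list appears to be in sorted order, so a header comment such as `# keep this list sorted alphabetically` would tell contributors where new entries go.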
@@ -39,6 +39,21 @@ blacklist /usr/share/applications/veracrypt.* blacklist /usr/share/pixmaps/veracrypt.* blacklist ${HOME}/.VeraCrypt +# TrueCrypt +blacklist ${PATH}/truecrypt +blacklist ${PATH}/truecrypt-uninstall.sh +blacklist /usr/share/truecrypt +blacklist /usr/share/applications/truecrypt.* +blacklist /usr/share/pixmaps/truecrypt.* +blacklist ${HOME}/.TrueCrypt + +# zuluCrypt +blacklist ${HOME}/.zuluCrypt +blacklist ${HOME}/.zuluCrypt-socket +blacklist ${PATH}/zuluCrypt-cli +blacklist ${PATH}/zuluMount-cli +blacklist ${PATH}/mount.ecryptfs_private + # var blacklist /var/spool/cron blacklist /var/spool/anacron -- cgit v1.2.3-70-g09d2 From 210b0c09dce90d9c68c15b80309e8cd93c988f54 Mon Sep 17 00:00:00 2001 From: vismir2 Date: Sat, 3 Dec 2016 18:07:04 +0100 Subject: Update disable-common.inc --- etc/disable-common.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index aad75bb4a..95af0aa34 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -51,8 +51,7 @@ blacklist ${HOME}/.TrueCrypt blacklist ${HOME}/.zuluCrypt blacklist ${HOME}/.zuluCrypt-socket blacklist ${PATH}/zuluCrypt-cli -blacklist ${PATH}/zuluMount-cli -blacklist ${PATH}/mount.ecryptfs_private +blacklist ${PATH}/zuluMount-cli # var blacklist /var/spool/cron @@ -188,6 +187,7 @@ blacklist ${PATH}/chage blacklist ${PATH}/expiry blacklist ${PATH}/unix_chkpwd blacklist ${PATH}/procmail +blacklist ${PATH}/mount.ecryptfs_private # other SUID binaries blacklist /usr/lib/virtualbox -- cgit v1.2.3-70-g09d2 From 3a88d1d2f6d187f3fe1deb73c09c48bf8e6fa2bc Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 4 Dec 2016 09:44:47 -0500 Subject: truecrypt and zuluCrypt support --- README | 1 + 1 file changed, 1 insertion(+) diff --git a/README b/README index a03b1cc9f..8df3e8ad3 100644 --- a/README +++ b/README 
@@ -133,6 +133,7 @@ vismir2 (https://github.com/vismir2) - feh, ranger, 7z, keepass, keepassx and zathura profiles - claws-mail, mutt, git, emacs, vim profiles - lots of profile fixes + - support for truecrypt and zuluCrypt graywolf (https://github.com/graywolf) - spelling fix Tomasz Jan Góralczyk (https://github.com/tjg) -- cgit v1.2.3-70-g09d2 From 523a1471c071cb783674369ac03377b44d1b3c79 Mon Sep 17 00:00:00 2001 From: Lari Rauno Date: Mon, 5 Dec 2016 11:56:34 +0200 Subject: Whitelist required folders when running qutebrowser with webengine backend --- etc/qutebrowser.profile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile index eabbe0f3e..dcacd4f29 100644 --- a/etc/qutebrowser.profile +++ b/etc/qutebrowser.profile @@ -18,4 +18,6 @@ mkdir ~/.config/qutebrowser whitelist ~/.config/qutebrowser mkdir ~/.cache/qutebrowser whitelist ~/.cache/qutebrowser +mkdir ~/.local/share/qutebrowser +whitelist ~/.local/share/qutebrowser include /etc/firejail/whitelist-common.inc -- cgit v1.2.3-70-g09d2 From d0cc960c9cd3bdab63dde02367bb9646134a7e28 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 5 Dec 2016 08:21:32 -0500 Subject: spoof machine-id --- README.md | 7 ++++++ RELNOTES | 1 + src/firejail/firejail.h | 2 ++ src/firejail/fs.c | 5 ++++- src/firejail/fs_etc.c | 51 ++++++++++++++++++++++++++++++++++++++++++++ src/firejail/main.c | 4 ++++ src/firejail/profile.c | 4 ++++ src/firejail/usage.c | 3 +++ src/man/firejail-profile.txt | 4 ++++ src/man/firejail.txt | 10 +++++++++ todo | 2 ++ 11 files changed, 92 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index bafcf6120..16f84493b 100644 --- a/README.md +++ b/README.md 
@@ -74,6 +74,13 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is Example: # firejail --private-srv=www /etc/init.d/apache2 start + + --machine-id + Preserve id number in /etc/machine-id file. By default a new + random id is generated inside the sandbox. + + Example: + $ firejail --machine-id ````` ## New Profiles xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom, Guayadeque, qemu, keypass2, diff --git a/RELNOTES b/RELNOTES index 3ccd51ce7..c3a077c5e 100644 --- a/RELNOTES +++ b/RELNOTES @@ -11,6 +11,7 @@ firejail (0.9.45) baseline; urgency=low * feature: test coverage (gcov) support * feature: private /opt directory (--private-opt, profile support) * feature: private /srv directory (--private-srv, profile support) + * feature: spoof machine-id * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index d172efce1..368e0d88d 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -78,6 +78,7 @@ #define RUN_HOSTNAME_FILE "/run/firejail/mnt/hostname" #define RUN_HOSTS_FILE "/run/firejail/mnt/hosts" #define RUN_RESOLVCONF_FILE "/run/firejail/mnt/resolv.conf" +#define RUN_MACHINEID "/run/firejail/mnt/machine-id" #define RUN_LDPRELOAD_FILE "/run/firejail/mnt/ld.so.preload" #define RUN_UTMP_FILE "/run/firejail/mnt/utmp" #define RUN_PASSWD_FILE "/run/firejail/mnt/passwd" @@ -342,6 +343,7 @@ extern int arg_allow_debuggers; // allow debuggers extern int arg_x11_block; // block X11 extern int arg_x11_xorg; // use X11 security extention extern int arg_allusers; // all user home directories visible +extern int arg_machineid; // preserve /etc/machine-id extern int login_shell; extern int parent_to_child_fds[2]; diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 9a2f4facc..53d63a108 100644 
--- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -597,7 +597,8 @@ void fs_basic_fs(void) { fs_var_lib(); fs_var_cache(); fs_var_utmp(); - + fs_machineid(); + // don't leak user information restrict_users(); @@ -880,6 +881,7 @@ void fs_overlayfs(void) { fs_var_lib(); fs_var_cache(); fs_var_utmp(); + fs_machineid(); // don't leak user information restrict_users(); @@ -1061,6 +1063,7 @@ void fs_chroot(const char *rootdir) { fs_var_lib(); fs_var_cache(); fs_var_utmp(); + fs_machineid(); // don't leak user information restrict_users(); diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index 9a28ac601..a04bf6725 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c 
@@ -23,6 +23,57 @@ #include #include +// spoof /etc/machine_id +void fs_machineid(void) { + union machineid_t { + uint8_t u8[16]; + uint32_t u32[4]; + } mid; + + // if --machine-id flag is active, do nothing + if (arg_machineid) + return; + + // init random number generator + srand(time(NULL)); + + // generate random id + mid.u32[0] = rand(); + mid.u32[1] = rand(); + mid.u32[2] = rand(); + mid.u32[3] = rand(); + + // UUID version 4 and DCE variant + mid.u8[6] = (mid.u8[6] & 0x0F) | 0x40; + mid.u8[8] = (mid.u8[8] & 0x3F) | 0x80; + + // write it in a file + FILE *fp = fopen(RUN_MACHINEID, "w"); + if (!fp) + errExit("fopen"); + fprintf(fp, "%08x%08x%08x%08x\n", mid.u32[0], mid.u32[1], mid.u32[2], mid.u32[3]); + fclose(fp); + if (set_perms(RUN_MACHINEID, 0, 0, 0444)) + errExit("set_perms"); + + + struct stat s; + // mount-bind + if (stat("/etc/machine-id", &s) == 0) { + if (arg_debug) + printf("installing a new /etc/machine-id\n"); + + if (mount(RUN_MACHINEID, "/etc/machine-id", "none", MS_BIND, "mode=444,gid=0")) + errExit("mount"); + } +//#if 0 // todo: investigate + if (stat("/var/lib/dbus/machine-id", &s) == 0) { + if (mount(RUN_MACHINEID, "/etc/machine-id", "none", MS_BIND, "mode=444,gid=0")) + errExit("mount"); + } +//#endif +} + // return 0 if file not found, 1 if found static int check_dir_or_file(const char *fname) { assert(fname); diff --git a/src/firejail/main.c b/src/firejail/main.c index aa855b7eb..32769845d 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -111,6 +111,7 @@ int arg_allow_debuggers = 0; // allow debuggers int arg_x11_block = 0; // block X11 int arg_x11_xorg = 0; // use X11 security extention int arg_allusers = 0; // all user home directories visible +int arg_machineid = 0; // preserve /etc/machine-id int login_shell = 0; 
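Review bot: The second bind mount in fs_machineid() checks `/var/lib/dbus/machine-id` but mounts over `/etc/machine-id` again, so where the D-Bus file is a regular file rather than a symlink the host's real id stays readable inside the sandbox. The id is also built from `srand(time(NULL))` and four `rand()` calls, which makes it a function of the start second: sandboxes started together share an id, and the value can be recomputed from the start time. I would take the 16 bytes from `/dev/urandom` instead (assuming it is reachable where fs_basic_fs, fs_overlayfs and fs_chroot call this) and point the second mount at the D-Bus path, as sketched below. The `fprintf`/`fclose` results on RUN_MACHINEID are unchecked, and the header comment says `/etc/machine_id` where the code uses `/etc/machine-id`.

```c
	// generate random id from the kernel RNG instead of time-seeded rand()
	FILE *rnd = fopen("/dev/urandom", "r");
	if (!rnd)
		errExit("fopen");
	if (fread(mid.u8, 1, sizeof(mid.u8), rnd) != sizeof(mid.u8))
		errExit("fread");
	fclose(rnd);

	// … unchanged: version/variant bits, write RUN_MACHINEID, bind mount over /etc/machine-id …

	if (stat("/var/lib/dbus/machine-id", &s) == 0) {
		// cover the D-Bus copy as well, not /etc/machine-id a second time
		if (mount(RUN_MACHINEID, "/var/lib/dbus/machine-id", "none", MS_BIND, "mode=444,gid=0"))
			errExit("mount");
	}
```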
@@ -1520,6 +1521,9 @@ int main(int argc, char **argv) { else if (strcmp(argv[i], "--writable-var") == 0) { arg_writable_var = 1; } + else if (strcmp(argv[i], "--machine-id") == 0) { + arg_machineid = 1; + } else if (strcmp(argv[i], "--private") == 0) { arg_private = 1; } diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 3697b54b9..63678514f 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -650,6 +650,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { return 0; } + if (strcmp(ptr, "machine-id") == 0) { + arg_machineid = 1; + return 0; + } // writable-var if (strcmp(ptr, "writable-var") == 0) { arg_writable_var = 1; diff --git a/src/firejail/usage.c b/src/firejail/usage.c index c8bed06e3..db3c25a5a 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -94,6 +94,9 @@ void usage(void) { printf(" --ls=name|pid dir_or_filename - list files in sandbox container.\n"); #ifdef HAVE_NETWORK printf(" --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n"); +#endif + printf(" --machine-id - preserve /etc/machine-id\n"); +#ifdef HAVE_NETWORK printf(" --mtu=number - set interface MTU.\n"); #endif printf(" --name=name - set sandbox name.\n"); diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 007374c75..fa522c154 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -446,6 +446,10 @@ iprange 192.168.1.150,192.168.1.160 \fBmac address Assign MAC addresses to the last network interface defined by a net command. +.TP +\fBmachine-id +Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox. + .TP \fBmtu number Assign a MTU value to the last network interface defined by a net command. diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 450f30c68..fdeb9ea3f 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
@@ -665,6 +665,16 @@ Example: .br $ firejail \-\-net=eth0 \-\-mac=00:11:22:33:44:55 firefox +.TP +\fB\-\-machine-id +Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox. +.br + +.br +Example: +.br +$ firejail \-\-machine-id + .TP \fB\-\-mtu=number Assign a MTU value to the last network interface defined by a \-\-net option. diff --git a/todo b/todo index 954fd786a..86917e6cd 100644 --- a/todo +++ b/todo @@ -299,3 +299,5 @@ read-only /var read-only /bin 31. --private and --allusers are coliding + +32. machine-id defined in rfc4122 -- cgit v1.2.3-70-g09d2 From d093c926d0f8638f6aa9c048107c4435955fdca4 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 5 Dec 2016 08:38:21 -0500 Subject: qutebrowser --- README | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README b/README index 8df3e8ad3..7570cc3f6 100644 --- a/README +++ b/README @@ -80,8 +80,8 @@ Fred-Barclay (https://github.com/Fred-Barclay) - evince profile enhancement - tightened Spotify profile - added xiphos and Tor Browser Bundle profiles - - added xed and pluma profiles - - added Cryptocat profile + - added xed and pluma profiles + - added Cryptocat profile valoq (https://github.com/valoq) - lots of profile fixes - added support for /srv in --whitelist feature @@ -95,6 +95,8 @@ valoq (https://github.com/valoq) - added img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, simple-scan profiles - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles - added wget profile +Lari Rauno (https://github.com/tuutti) + - qutebrowser profile fixes SpotComms (https://github.com/SpotComms) - added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5 profiles - added PDFSam, Pithos, and Xonotic profiles -- cgit v1.2.3-70-g09d2 From 4d0797b12c8163e9e94ae0f0c7f4178bff9bdd4a Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Mon, 5 Dec 2016 21:16:10 -0500 Subject: testing --- gcov.sh | 21 ++++++++++++++------- src/firejail/profile.c | 3 +++ src/firejail/rlimit.c | 12 ++++++++++++ src/firejail/sandbox.c | 9 +++++++++ 4 files changed, 38 insertions(+), 7 deletions(-) diff --git a/gcov.sh b/gcov.sh index a3cd8c5ee..57190cad2 100755 --- a/gcov.sh +++ b/gcov.sh @@ -2,13 +2,13 @@ gcov_init() { USER=`whoami` - firejail --help - firemon --help - /usr/lib/firejail/fnet --help - /usr/lib/firejail/fseccomp --help - /usr/lib/firejail/ftee --help - /usr/lib/firejail/fcopy --help - firecfg --help + firejail --help > /dev/null + firemon --help > /dev/null + /usr/lib/firejail/fnet --help > /dev/null + /usr/lib/firejail/fseccomp --help > /dev/null + /usr/lib/firejail/ftee --help > /dev/null + /usr/lib/firejail/fcopy --help > /dev/null + firecfg --help > /dev/null sudo chown $USER:$USER `find .` } @@ -24,6 +24,13 @@ generate() { gcov_init +lcov -q --capture -d src/firejail -d src/firemon -d src/fcopy -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg --output-file gcov-file-old + +#make test-environment +#generate +#sleep 2 +#exit + # running tests make test-root diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 63678514f..da3daf95a 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -1053,6 +1053,9 @@ void profile_read(const char *fname) { // else { // free(ptr); // } +#ifdef HAVE_GCOV + __gcov_flush(); +#endif } fclose(fp); } diff --git a/src/firejail/rlimit.c b/src/firejail/rlimit.c index a774fd6f5..47dd846d2 100644 --- a/src/firejail/rlimit.c +++ b/src/firejail/rlimit.c @@ -27,6 +27,9 @@ void set_rlimits(void) { if (arg_rlimit_nofile) { rl.rlim_cur = (rlim_t) cfg.rlimit_nofile; rl.rlim_max = (rlim_t) cfg.rlimit_nofile; +#ifdef HAVE_GCOV // gcov-instrumented programs might crash at this point + __gcov_dump(); +#endif if (setrlimit(RLIMIT_NOFILE, &rl) == -1) errExit("setrlimit"); if (arg_debug) 
@@ -36,6 +39,9 @@ void set_rlimits(void) { if (arg_rlimit_nproc) { rl.rlim_cur = (rlim_t) cfg.rlimit_nproc; rl.rlim_max = (rlim_t) cfg.rlimit_nproc; +#ifdef HAVE_GCOV + __gcov_dump(); +#endif if (setrlimit(RLIMIT_NPROC, &rl) == -1) errExit("setrlimit"); if (arg_debug) @@ -45,6 +51,9 @@ void set_rlimits(void) { if (arg_rlimit_fsize) { rl.rlim_cur = (rlim_t) cfg.rlimit_fsize; rl.rlim_max = (rlim_t) cfg.rlimit_fsize; +#ifdef HAVE_GCOV + __gcov_dump(); +#endif if (setrlimit(RLIMIT_FSIZE, &rl) == -1) errExit("setrlimit"); if (arg_debug) @@ -54,6 +63,9 @@ void set_rlimits(void) { if (arg_rlimit_sigpending) { rl.rlim_cur = (rlim_t) cfg.rlimit_sigpending; rl.rlim_max = (rlim_t) cfg.rlimit_sigpending; +#ifdef HAVE_GCOV + __gcov_dump(); +#endif if (setrlimit(RLIMIT_SIGPENDING, &rl) == -1) errExit("setrlimit"); if (arg_debug) diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 68b8f554d..50fcd6ed0 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -286,6 +286,9 @@ void start_application(void) { //**************************************** if (arg_audit) { assert(arg_audit_prog); +#ifdef HAVE_GCOV + __gcov_dump(); +#endif execl(arg_audit_prog, arg_audit_prog, NULL); } //**************************************** @@ -309,6 +312,9 @@ void start_application(void) { if (!arg_command && !arg_quiet) printf("Child process initialized\n"); +#ifdef HAVE_GCOV + __gcov_dump(); +#endif execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]); exit(1); } @@ -356,6 +362,9 @@ void start_application(void) { if (!arg_command && !arg_quiet) printf("Child process initialized\n"); +#ifdef HAVE_GCOV + __gcov_dump(); +#endif execvp(arg[0], arg); } -- cgit v1.2.3-70-g09d2 From 94abb4298e20bd1f9f89faf781defeb706462ac4 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Tue, 6 Dec 2016 08:49:47 -0500 Subject: testing --- src/firejail/main.c | 130 ++++++++++++---------------------------------- src/firejail/no_sandbox.c | 96 +++++++--------------------------- 2 files changed, 51 insertions(+), 175 deletions(-) diff --git a/src/firejail/main.c b/src/firejail/main.c index 32769845d..545c38018 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -751,42 +751,6 @@ static void delete_x11_file(pid_t pid) { free(fname); } -static void detect_quiet(int argc, char **argv) { - int i; - - // detect --quiet - for (i = 1; i < argc; i++) { - if (strcmp(argv[i], "--quiet") == 0) { - arg_quiet = 1; - break; - } - - // detect end of firejail params - if (strcmp(argv[i], "--") == 0) - break; - if (strncmp(argv[i], "--", 2) != 0) - break; - } -} - -static void detect_allow_debuggers(int argc, char **argv) { - int i; - - // detect --allow-debuggers - for (i = 1; i < argc; i++) { - if (strcmp(argv[i], "--allow-debuggers") == 0) { - arg_allow_debuggers = 1; - break; - } - - // detect end of firejail params - if (strcmp(argv[i], "--") == 0) - break; - if (strncmp(argv[i], "--", 2) != 0) - break; - } -} - char *guess_shell(void) { char *shell = NULL; // shells in order of preference @@ -806,6 +770,25 @@ char *guess_shell(void) { return shell; } +static int check_arg(int argc, char **argv, const char *argument) { + int i; + int found = 0; + for (i = 1; i < argc; i++) { + if (strcmp(argv[i], "--force") == 0) { + found = 1; + break; + } + + // detect end of firejail params + if (strcmp(argv[i], "--") == 0) + break; + if (strncmp(argv[i], "--", 2) != 0) + break; + } + + return found; +} + //******************************************* // Main program //******************************************* 
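Review bot: check_arg() never uses its `argument` parameter: the comparison is `strcmp(argv[i], "--force")`, so every caller gets the answer for `--force` regardless of what it asked about. In the next hunk that means `firejail --force` sets both `arg_quiet` and `arg_allow_debuggers`, while `--quiet` and `--allow-debuggers` are not seen by this early pass at all; enabling debugger access as a side effect of an unrelated flag is the part worth fixing first. The line should read `if (strcmp(argv[i], argument) == 0) {`. The no-SUID branch in the `@@ -845,78 +830,27 @@` hunk has the matching slip: its comment says only `--version` is supported, but it calls `check_arg(argc, argv, "--force")`. A later commit on this page (96b67ed4) makes both corrections; building with `-Wunused-parameter` would have caught the first one.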
@@ -822,8 +805,10 @@ int main(int argc, char **argv) { // build /run/firejail directory structure preproc_build_firejail_dir(); - detect_quiet(argc, argv); - detect_allow_debuggers(argc, argv); + if (check_arg(argc, argv, "--quiet")) + arg_quiet = 1; + if (check_arg(argc, argv, "--allow-debuggers")) + arg_allow_debuggers = 1; // drop permissions by default and rise them when required EUID_INIT(); 
@@ -845,78 +830,27 @@ int main(int argc, char **argv) { EUID_USER(); if (rv == 0) { // if --force option is passed to the program, disregard the existing sandbox - int found = 0; - for (i = 1; i < argc; i++) { - if (strcmp(argv[i], "--force") == 0 || - strcmp(argv[i], "--list") == 0 || - strcmp(argv[i], "--netstats") == 0 || - strcmp(argv[i], "--tree") == 0 || - strcmp(argv[i], "--top") == 0 || - strncmp(argv[i], "--ls=", 5) == 0 || - strncmp(argv[i], "--get=", 6) == 0 || - strcmp(argv[i], "--debug-caps") == 0 || - strcmp(argv[i], "--debug-errnos") == 0 || - strcmp(argv[i], "--debug-syscalls") == 0 || - strcmp(argv[i], "--debug-protocols") == 0 || - strcmp(argv[i], "--help") == 0 || - strcmp(argv[i], "--version") == 0 || - strcmp(argv[i], "--overlay-clean") == 0 || - strncmp(argv[i], "--dns.print=", 12) == 0 || - strncmp(argv[i], "--bandwidth=", 12) == 0 || - strncmp(argv[i], "--caps.print=", 13) == 0 || - strncmp(argv[i], "--cpu.print=", 12) == 0 || - //******************************************************************************** - // todo: fix the following problems - strncmp(argv[i], "--join=", 7) == 0 || - //[netblue@debian Downloads]$ firejail --join=896 - //Switching to pid 897, the first child process inside the sandbox - //Error: seccomp file not found - //******************************************************************************** - - strncmp(argv[i], "--join-filesystem=", 18) == 0 || - strncmp(argv[i], "--join-network=", 15) == 0 || - strncmp(argv[i], "--fs.print=", 11) == 0 || - strncmp(argv[i], "--protocol.print=", 17) == 0 || - strncmp(argv[i], "--seccomp.print", 15) == 0 || - strncmp(argv[i], "--shutdown=", 11) == 0) { - found = 1; - break; - } - - // detect end of firejail params - if (strcmp(argv[i], "--") == 0) - break; - if (strncmp(argv[i], "--", 2) != 0) - break; - } - - if (found == 0) { + if (check_arg(argc, argv, "--force")) + option_force = 1; + else { // start the program directly without sandboxing run_no_sandbox(argc, argv); // it 
will never get here! assert(0); } - else - option_force = 1; } } // check root/suid EUID_ROOT(); if (geteuid()) { - // detect --version - for (i = 1; i < argc; i++) { - if (strcmp(argv[i], "--version") == 0) { - printf("firejail version %s\n", VERSION); - exit(0); - } - - // detect end of firejail params - if (strcmp(argv[i], "--") == 0) - break; - if (strncmp(argv[i], "--", 2) != 0) - break; + // only --version is supported without SUID support + if (check_arg(argc, argv, "--force")) { + printf("firejail version %s\n", VERSION); + exit(0); } + + fprintf(stderr, "Error: cannot rise privileges\n"); exit(1); } EUID_USER(); diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index 8af555ea2..07ac25dca 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c 
@@ -165,84 +165,28 @@ void run_no_sandbox(int argc, char **argv) { // process limited subset of options int i; for (i = 0; i < argc; i++) { - if (strcmp(argv[i], "--csh") == 0) { - if (arg_shell_none) { - fprintf(stderr, "Error: --shell=none was already specified.\n"); - exit(1); - } - if (cfg.shell) { - fprintf(stderr, "Error: only one default user shell can be specified\n"); - exit(1); - } - cfg.shell = "/bin/csh"; - } - else if (strcmp(argv[i], "--zsh") == 0) { - if (arg_shell_none) { - fprintf(stderr, "Error: --shell=none was already specified.\n"); - exit(1); - } - if (cfg.shell) { - fprintf(stderr, "Error: only one default user shell can be specified\n"); - exit(1); - } - cfg.shell = "/bin/zsh"; - } - else if (strcmp(argv[i], "--shell=none") == 0) { - arg_shell_none = 1; - if (cfg.shell) { - fprintf(stderr, "Error: a shell was already specified\n"); - exit(1); - } - } - else if (strncmp(argv[i], "--shell=", 8) == 0) { - if (arg_shell_none) { - fprintf(stderr, "Error: --shell=none was already specified.\n"); - exit(1); - } - invalid_filename(argv[i] + 8); - - if (cfg.shell) { - fprintf(stderr, "Error: only one user shell can be specified\n"); - exit(1); - } - cfg.shell = argv[i] + 8; - - if (is_dir(cfg.shell) || strstr(cfg.shell, "..")) { - fprintf(stderr, "Error: invalid shell\n"); - exit(1); - } - - // access call checks as real UID/GID, not as effective UID/GID - if(cfg.chrootdir) { - char *shellpath; - if (asprintf(&shellpath, "%s%s", cfg.chrootdir, cfg.shell) == -1) - errExit("asprintf"); - if (access(shellpath, R_OK)) { - fprintf(stderr, "Error: cannot access shell file in chroot\n"); - exit(1); - } - free(shellpath); - } else if (access(cfg.shell, R_OK)) { - fprintf(stderr, "Error: cannot access shell file\n"); - exit(1); - } - } + if (strcmp(argv[i], "--debug") == 0) + arg_debug = 1; + else if (strcmp(argv[i], "--csh") == 0 || + strcmp(argv[i], "--zsh") == 0 || + strcmp(argv[i], "--shell=none") == 0 || + strncmp(argv[i], "--shell=", 8) == 0) + 
fprintf(stderr, "Warning: shell-related command line options are disregarded - using SHELL environment variable"); } // use $SHELL to get shell used in sandbox - if (!arg_shell_none && !cfg.shell) { - char *shell = getenv("SHELL"); - if (shell && access(shell, R_OK) == 0) - cfg.shell = shell; - } + char *shell = getenv("SHELL"); + if (shell && access(shell, R_OK) == 0) + cfg.shell = shell; + // guess shell otherwise - if (!arg_shell_none && !cfg.shell) { + if (!cfg.shell) { cfg.shell = guess_shell(); if (arg_debug) printf("Autoselecting %s as shell\n", cfg.shell); } - if (!arg_shell_none && !cfg.shell) { - fprintf(stderr, "Error: unable to guess your shell, please set explicitly by using --shell option.\n"); + if (!cfg.shell) { + fprintf(stderr, "Error: unable to guess your shell, please set SHELL environment variable\n"); exit(1); } @@ -266,13 +210,11 @@ void run_no_sandbox(int argc, char **argv) { } } - if (!arg_shell_none) { - if (prog_index == 0) { - cfg.command_line = cfg.shell; - cfg.window_title = cfg.shell; - } else { - build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index); - } + if (prog_index == 0) { + cfg.command_line = cfg.shell; + cfg.window_title = cfg.shell; + } else { + build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index); } cfg.original_argv = argv; -- cgit v1.2.3-70-g09d2 From 6c262c3e8746b4460a6a42a6686b89e44018ed99 Mon Sep 17 00:00:00 2001 From: valoq Date: Tue, 6 Dec 2016 15:51:56 +0100 Subject: block dbus ipc --- src/firejail/fs.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 64 insertions(+), 1 deletion(-) diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 9a2f4facc..d71478fc0 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c 
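Review bot: The new option scan in run_no_sandbox() walks every element of argv from index 0 and never stops at `--` or at the first non-option, so a `--debug` or `--zsh` that belongs to the program being launched is treated as a firejail option; the stop conditions check_arg() uses in main.c (`if (strcmp(argv[i], "--") == 0) break;` and `if (strncmp(argv[i], "--", 2) != 0) break;`, with the loop starting at `i = 1`) would fit here. The warning string has no trailing `\n` and is printed once per matching option. The hunk also drops the `invalid_filename()`, `is_dir()` and `..` checks along with `--shell=`, leaving the value from `$SHELL` tested only with `access(shell, R_OK)`, which a directory passes as well; keeping `!is_dir(shell)` in that condition would be a cheap guard. run_no_sandbox() starts and ends outside the hunk.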
@@ -225,7 +225,7 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[ } -// blacklist files or directoies by mounting empty files on top of them +// blacklist files or directories by mounting empty files on top of them void fs_blacklist(void) { char *homedir = cfg.homedir; assert(homedir); 
@@ -530,6 +530,69 @@ void fs_proc_sys_dev_boot(void) { // disable /dev/port disable_file(BLACKLIST_FILE, "/dev/port"); + + + // WARNING: this is not reliable. When services like gpg-agent are started after the jail, the sockets are not blacklisted + + // disable various ipc sockets + struct stat s; + + // disable /run/user/{uid}/bus + char *fnamebus; + if (asprintf(&fnamebus, "/run/user/%d/bus", getuid()) == -1) + errExit("asprintf"); + if (stat(fnamebus, &s) == 0) + disable_file(BLACKLIST_FILE, fnamebus); + free(fnamebus); + + // disable /run/user/{uid}/gnupg + char *fnamegpg; + if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1) + errExit("asprintf"); + if (stat(fnamegpg, &s) == 0) + disable_file(BLACKLIST_FILE, fnamegpg); + free(fnamegpg); + + // disable /run/user/{uid}/systemd + char *fnamesysd; + if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1) + errExit("asprintf"); + if (stat(fnamesysd, &s) == 0) + disable_file(BLACKLIST_FILE, fnamesysd); + free(fnamesysd); + + + // WARNING: not working + // disable /run/user/{uid}/kdeinit* + //char *fnamekde; + //if (asprintf(&fnamekde, "/run/user/%d/kdeinit*", getuid()) == -1) + // errExit("asprintf"); + //if (stat(fnamekde, &s) == 0) + // disable_file(BLACKLIST_FILE, fnamekde); + //free(fnamekde); + + + // disable /run/user/{uid}/pulse + /* char *fnamepulse; */ + /* if (asprintf(&fnamepulse, "/run/user/%d/pulse", getuid()) == -1) */ + /* errExit("asprintf"); */ + /* if (stat(fnamepulse, &s) == 0) */ + /* disable_file(BLACKLIST_FILE, fnamepulse); */ + /* free(fnamepulse); */ + + // disable /run/user/{uid}/dconf + /* char *fnamedconf; */ + /* if (asprintf(&fnamedconf, "/run/user/%d/dconf", getuid()) == -1) */ + /* errExit("asprintf"); */ + /* if (stat(fnamedconf, &s) == 0) */ + /* disable_file(BLACKLIST_FILE, fnamedconf); */ + /* free(fnamedconf); */ + + + //more files with sockets to be blacklisted + // /run/dbus /run/systemd /run/udev /run/lvm + + if (getuid() != 0) { // disable /dev/kmsg and 
/proc/kmsg -- cgit v1.2.3-70-g09d2 From 96b67ed4ed768e0d37c6e22334031cd302982509 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 6 Dec 2016 11:07:25 -0500 Subject: fixes --- src/firejail/main.c | 11 ++++++++--- src/firejail/no_sandbox.c | 1 + test/environment/firejail-in-firejail.exp | 27 ++++++++++++++++++++++++++- test/environment/firejail-in-firejail2.exp | 29 ++++++++++++++++++++++++++++- 4 files changed, 63 insertions(+), 5 deletions(-) diff --git a/src/firejail/main.c b/src/firejail/main.c index 545c38018..b25bad9f2 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -774,7 +774,7 @@ static int check_arg(int argc, char **argv, const char *argument) { int i; int found = 0; for (i = 1; i < argc; i++) { - if (strcmp(argv[i], "--force") == 0) { + if (strcmp(argv[i], argument) == 0) { found = 1; break; } @@ -833,6 +833,11 @@ int main(int argc, char **argv) { if (check_arg(argc, argv, "--force")) option_force = 1; else { + if (check_arg(argc, argv, "--version")) { + printf("firejail version %s\n", VERSION); + exit(0); + } + // start the program directly without sandboxing run_no_sandbox(argc, argv); // it will never get here! @@ -840,12 +845,12 @@ int main(int argc, char **argv) { } } } - + // check root/suid EUID_ROOT(); if (geteuid()) { // only --version is supported without SUID support - if (check_arg(argc, argv, "--force")) { + if (check_arg(argc, argv, "--version")) { printf("firejail version %s\n", VERSION); exit(0); } diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index 07ac25dca..c56d90994 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c @@ -229,5 +229,6 @@ void run_no_sandbox(int argc, char **argv) { fprintf(stderr, "Warning: an existing sandbox was detected. " "%s will run without any additional sandboxing features\n", command); + arg_quiet = 1; start_application(); } diff --git a/test/environment/firejail-in-firejail.exp b/test/environment/firejail-in-firejail.exp index 1122b712f..2b851ee72 100755 
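Review bot: The three blocks added to fs_proc_sys_dev_boot() for `/run/user/<uid>/bus`, `gnupg` and `systemd` are the same asprintf/stat/disable_file/free sequence copied with a different suffix, and `getuid()` is formatted with `%d` although uid_t is unsigned. A small static helper that takes the suffix and formats with `%u` and a cast removes the duplication; the commented-out kdeinit, pulse and dconf blocks would read better as a short TODO than as dead code. As the WARNING comment in the hunk already says, only paths that exist when the sandbox starts are covered, and that limitation belongs in the helper's comment so callers do not treat it as complete IPC isolation. fs_proc_sys_dev_boot() starts and ends outside the hunk.

```c
// Blacklist /run/user/<uid>/<name> if it exists when the sandbox starts.
// Sockets created later (e.g. by an agent started after the jail) are not covered.
static void disable_run_user(const char *name) {
	struct stat s;
	char *fname;
	if (asprintf(&fname, "/run/user/%u/%s", (unsigned) getuid(), name) == -1)
		errExit("asprintf");
	if (stat(fname, &s) == 0)
		disable_file(BLACKLIST_FILE, fname);
	free(fname);
}

// … unchanged: /dev/port blacklist in fs_proc_sys_dev_boot() …
	disable_run_user("bus");
	disable_run_user("gnupg");
	disable_run_user("systemd");
```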
--- a/test/environment/firejail-in-firejail.exp +++ b/test/environment/firejail-in-firejail.exp @@ -16,9 +16,34 @@ sleep 1 send -- "firejail\r" expect { - timeout {puts "TESTING ERROR 1\n";exit} + timeout {puts "TESTING ERROR 2\n";exit} "Warning: an existing sandbox was detected" } after 100 +send -- "exit\r" +after 100 + +send -- "firejail --force\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "cannot rise privileges" +} +after 100 + +send -- "firejail --version\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "firejail version" +} +after 100 + +send -- "firejail --version --force\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "firejail version" +} +after 100 + + puts "\nall done\n" diff --git a/test/environment/firejail-in-firejail2.exp b/test/environment/firejail-in-firejail2.exp index 37d1c2870..330e5e372 100755 --- a/test/environment/firejail-in-firejail2.exp +++ b/test/environment/firejail-in-firejail2.exp @@ -14,11 +14,38 @@ expect { } sleep 1 +send -- "firejail\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Warning: an existing sandbox was detected" +} +after 100 + +send -- "exit\r" +after 100 + send -- "firejail --force\r" expect { - timeout {puts "TESTING ERROR 1\n";exit} + timeout {puts "TESTING ERROR 3\n";exit} "Child process initialized" } after 100 +send -- "exit\r" +after 100 + +send -- "firejail --version\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "firejail version" +} +after 100 + +send -- "firejail --version --force\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "firejail version" +} +after 100 + puts "\nall done\n" -- cgit v1.2.3-70-g09d2 From 8d929a786fec68549d0dbe00ceb4f9c7d3e94217 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 7 Dec 2016 15:06:39 +0100 Subject: removed dbus blacklist --- src/firejail/fs.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/src/firejail/fs.c b/src/firejail/fs.c index d71478fc0..ffad961c3 100644 
--- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -536,14 +536,16 @@ void fs_proc_sys_dev_boot(void) { // disable various ipc sockets struct stat s; - - // disable /run/user/{uid}/bus - char *fnamebus; - if (asprintf(&fnamebus, "/run/user/%d/bus", getuid()) == -1) - errExit("asprintf"); - if (stat(fnamebus, &s) == 0) - disable_file(BLACKLIST_FILE, fnamebus); - free(fnamebus); + + + // breaks too many applications, option needed + /* // disable /run/user/{uid}/bus */ + /* char *fnamebus; */ + /* if (asprintf(&fnamebus, "/run/user/%d/bus", getuid()) == -1) */ + /* errExit("asprintf"); */ + /* if (stat(fnamebus, &s) == 0) */ + /* disable_file(BLACKLIST_FILE, fnamebus); */ + /* free(fnamebus); */ // disable /run/user/{uid}/gnupg char *fnamegpg; -- cgit v1.2.3-70-g09d2 From 7b8843fa8720e23351c2f0f3f29976cfc3fd964d Mon Sep 17 00:00:00 2001 From: Fred Barclay Date: Wed, 7 Dec 2016 11:32:03 -0600 Subject: Wireshark profile --- etc/wireshark.profile | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 etc/wireshark.profile diff --git a/etc/wireshark.profile b/etc/wireshark.profile new file mode 100644 index 000000000..898fc787e --- /dev/null +++ b/etc/wireshark.profile @@ -0,0 +1,22 @@ +# Firejail profile for +noblacklist ${HOME}/.config/wireshark + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +nosound +protocol unix,inet,inet6,netlink +seccomp +shell none +tracelog + +private-bin wireshark +private-dev +private-tmp -- cgit v1.2.3-70-g09d2 From 135ed96ca18fba8662591171e8cd944b8398d29e Mon Sep 17 00:00:00 2001 
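Review bot: In the new wireshark.profile, `private-bin wireshark` keeps only the wireshark binary in the sandbox's bin directories, and together with `caps.drop all`, `nonewprivs` and `noroot` this presumably rules out live capture, which Wireshark normally hands to its dumpcap helper. If the profile is meant only for reading existing capture files, a comment saying so would prevent confusion; otherwise dumpcap needs to be listed in `private-bin` and the capability settings revisited. The first line reads `# Firejail profile for` with the program name missing; `# Firejail profile for wireshark` is probably what was intended.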
From: Fred Barclay Date: Wed, 7 Dec 2016 11:37:18 -0600 Subject: Extra wireshark files --- README | 1 + README.md | 4 ++-- RELNOTES | 2 +- etc/disable-programs.inc | 1 + platform/debian/conffiles | 2 ++ src/firecfg/firecfg.config | 1 + 6 files changed, 8 insertions(+), 3 deletions(-) diff --git a/README b/README index 7570cc3f6..10136207d 100644 --- a/README +++ b/README @@ -82,6 +82,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added xiphos and Tor Browser Bundle profiles - added xed and pluma profiles - added Cryptocat profile + - added wireshark profile valoq (https://github.com/valoq) - lots of profile fixes - added support for /srv in --whitelist feature diff --git a/README.md b/README.md index 16f84493b..609533a91 100644 --- a/README.md +++ b/README.md @@ -88,5 +88,5 @@ amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, enchant, exifto gjs, gnome-books, gnome-clocks, gnome-documents, gnome-maps, gnome-music, gnome-photos, gnome-weather, goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, w3m, xfburn, xpra, wget, -xed, pluma, Cryptocat Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5, -PDFSam, Pithos, Xonotic +xed, pluma, Cryptocat, Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5, +PDFSam, Pithos, Xonotic, wireshark diff --git a/RELNOTES b/RELNOTES index c3a077c5e..28aa1f4e1 100644 --- a/RELNOTES +++ b/RELNOTES @@ -16,7 +16,7 @@ firejail (0.9.45) baseline; urgency=low * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, * new profiles: Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos, - * new profies: Xonotic + * new profies: Xonotic, wireshark * bugfixes -- netblue30 Sun, 23 Oct 2016 08:00:00 -0500 
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 48701b520..a9ca487c5 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -139,6 +139,7 @@ blacklist ${HOME}/.config/vivaldi blacklist ${HOME}/.config/vlc blacklist ${HOME}/.config/wesnoth blacklist ${HOME}/.config/wire +blacklist ${HOME}/.config/wireshark blacklist ${HOME}/.config/xchat blacklist ${HOME}/.config/xed blacklist ${HOME}/.config/xfburn diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 551e7ad36..97e7cf884 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -27,6 +27,7 @@ /etc/firejail/conkeror.profile /etc/firejail/corebird.profile /etc/firejail/cpio.profile +/etc/firejail/cryptocat.profile /etc/firejail/Cryptocat.profile /etc/firejail/cyberfox.profile /etc/firejail/deadbeef.profile @@ -209,6 +210,7 @@ /etc/firejail/whitelist-common.inc /etc/firejail/wine.profile /etc/firejail/wire.profile +/etc/firejail/wireshark.profile /etc/firejail/xchat.profile /etc/firejail/xed.profile /etc/firejail/xfburn.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 369abdc20..c4f52e256 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -192,6 +192,7 @@ keepass2 keepassx pluma tracker +wireshark xiphos xed -- cgit v1.2.3-70-g09d2 From c6ea2db9110feb68fe181188384c31254cdec945 Mon Sep 17 00:00:00 2001 
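Review bot: The first conffiles hunk adds `/etc/firejail/cryptocat.profile` directly above the existing `/etc/firejail/Cryptocat.profile`, which is unrelated to the wireshark change this commit describes. No lowercase cryptocat profile is added anywhere in this diff, so if that file is not installed the conffiles list would name a file the package does not ship. Either drop the line or add the profile in the same commit.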
From: netblue30 Date: Wed, 7 Dec 2016 21:14:23 -0500 Subject: testing --- test/network/dns-print.exp | 31 +++++++++++++++ test/network/net_macvlan.exp | 93 ------------------------------------------- test/network/net_macvlan2.exp | 43 ++++++++++++++++++++ test/network/network.sh | 9 +++++ test/stress/net_macvlan.exp | 93 +++++++++++++++++++++++++++++++++++++++++++ test/stress/stress.sh | 11 +++++ 6 files changed, 187 insertions(+), 93 deletions(-) create mode 100755 test/network/dns-print.exp delete mode 100755 test/network/net_macvlan.exp create mode 100755 test/network/net_macvlan2.exp create mode 100755 test/stress/net_macvlan.exp create mode 100755 test/stress/stress.sh diff --git a/test/network/dns-print.exp b/test/network/dns-print.exp new file mode 100755 index 000000000..9cdc14a6d --- /dev/null +++ b/test/network/dns-print.exp @@ -0,0 +1,31 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --name=test-dns --net=eth0 --dns=1.2.3.4 --dns=2.3.4.5 --dns=3.4.5.6\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --dns.print=test-dns\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "nameserver 1.2.3.4" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "nameserver 2.3.4.5" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "nameserver 3.4.5.6" +} + +after 100 + +puts "\nall done\n" diff --git a/test/network/net_macvlan.exp b/test/network/net_macvlan.exp deleted file mode 100755 index f457ea98f..000000000 --- a/test/network/net_macvlan.exp +++ /dev/null 
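Review bot: The three `expect` blocks that check the `nameserver` lines in dns-print.exp all report `TESTING ERROR 2`, so a failure does not show which of the three resolvers was missing from the `--dns.print` output. Distinct labels, for example `TESTING ERROR 2.1`, `TESTING ERROR 2.2` and `TESTING ERROR 2.3`, would match the numbering the other test scripts in this series use.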
@@ -1,93 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2016 Firejail Authors -# License GPL v2 - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -# check the existing address -spawn $env(SHELL) -send -- "firejail --net=eth0 --ip=192.168.1.60\r" -expect { - timeout {puts "TESTING ERROR 1.1\n";puts "Please open a sandbox on 192.168.1.60\n";exit} - "the address 192.168.1.60 is already in use" -} - - - -# grab 30 ip addresses -set MAXi 229 -set i 200 -while { $i <= $MAXi } { - spawn $env(SHELL) - send -- "firejail --net=eth0 --ip=192.168.1.$i\r" - expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" - } - incr i - after 100 -} - - -# check an existing address -spawn $env(SHELL) -send -- "firejail --net=eth0 --ip=192.168.1.200\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "the address 192.168.1.200 is already in use" -} - - -set MAXi 254 -set i 2 -while { $i <= $MAXi } { - spawn $env(SHELL) - send -- "firejail --net=eth0\r" - expect { - timeout {puts "TESTING ERROR 2.1\n";exit} - "192.168.1.60" {puts "TESTING ERROR 2.2\n";exit} - "192.168.1.200" {puts "TESTING ERROR 3\n";exit} - "192.168.1.201" {puts "TESTING ERROR 3\n";exit} - "192.168.1.202" {puts "TESTING ERROR 3\n";exit} - "192.168.1.203" {puts "TESTING ERROR 3\n";exit} - "192.168.1.204" {puts "TESTING ERROR 3\n";exit} - "192.168.1.205" {puts "TESTING ERROR 3\n";exit} - "192.168.1.206" {puts "TESTING ERROR 3\n";exit} - "192.168.1.207" {puts "TESTING ERROR 3\n";exit} - "192.168.1.208" {puts "TESTING ERROR 3\n";exit} - "192.168.1.209" {puts "TESTING ERROR 3\n";exit} - "192.168.1.210" {puts "TESTING ERROR 3\n";exit} - "192.168.1.211" {puts "TESTING ERROR 3\n";exit} - "192.168.1.212" {puts "TESTING ERROR 3\n";exit} - "192.168.1.213" {puts "TESTING ERROR 3\n";exit} - "192.168.1.214" {puts "TESTING ERROR 3\n";exit} - "192.168.1.215" {puts "TESTING ERROR 3\n";exit} - "192.168.1.216" {puts "TESTING ERROR 3\n";exit} - "192.168.1.217" 
{puts "TESTING ERROR 3\n";exit} - "192.168.1.218" {puts "TESTING ERROR 3\n";exit} - "192.168.1.219" {puts "TESTING ERROR 3\n";exit} - "192.168.1.220" {puts "TESTING ERROR 3\n";exit} - "192.168.1.221" {puts "TESTING ERROR 3\n";exit} - "192.168.1.222" {puts "TESTING ERROR 3\n";exit} - "192.168.1.223" {puts "TESTING ERROR 3\n";exit} - "192.168.1.224" {puts "TESTING ERROR 3\n";exit} - "192.168.1.225" {puts "TESTING ERROR 3\n";exit} - "192.168.1.226" {puts "TESTING ERROR 3\n";exit} - "192.168.1.227" {puts "TESTING ERROR 3\n";exit} - "192.168.1.228" {puts "TESTING ERROR 3\n";exit} - "192.168.1.229" {puts "TESTING ERROR 3\n";exit} - "Child process initialized" - } - puts "************ $i ******************\n" - incr i - after 100 -# sleep 1 -} -send -- "exit\r" -after 100 - -puts "\n" - diff --git a/test/network/net_macvlan2.exp b/test/network/net_macvlan2.exp new file mode 100755 index 000000000..7f21fc083 --- /dev/null +++ b/test/network/net_macvlan2.exp @@ -0,0 +1,43 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --net=eth0 --net=eth0 --net=eth0 --net=eth0\r" +expect { + timeout {puts "TESTING ERROR 0.1\n";exit} + "eth0-" +} +expect { + timeout {puts "TESTING ERROR 0.2\n";exit} + "eth1-" +} +expect { + timeout {puts "TESTING ERROR 0.3\n";exit} + "eth2-" +} +expect { + timeout {puts "TESTING ERROR 0.4\n";exit} + "eth3-" +} +expect { + timeout {puts "TESTING ERROR 0.5\n";exit} + "Default gateway 192.168.1.1" +} +expect { + timeout {puts "TESTING ERROR 0.6\n";exit} + "Child process initialized" +} +after 100 +send -- "exit\r" +sleep 1 + + +after 100 + +puts "\nall done\n" + diff --git a/test/network/network.sh b/test/network/network.sh index bea5dfb26..94df9935e 100755 --- a/test/network/network.sh +++ b/test/network/network.sh 
@@ -11,6 +11,9 @@ sudo ./configure echo "TESTING: firemon interface (firemon-interfaces.exp)" sudo ./firemon-interfaces.exp +echo "TESTING: print dns (dns-print.exp)" +./dns-print.exp + echo "TESTING: firemon arp (firemon-arp.exp)" ./firemon-arp.exp @@ -69,6 +72,9 @@ echo "TESTING: network default gateway test 3 (net_defaultgw3.exp)" echo "TESTING: scan (net_scan.exp)" ./net_scan.exp +echo "TESTING: mtu (mtu.exp)" +./mtu.exp + echo "TESTING: interface (interface.exp)" ./interface.exp @@ -84,6 +90,9 @@ echo "TESTING: iprange (iprange.exp)" echo "TESTING: veth-name (veth-name.exp)" ./veth-name.exp +echo "TESTING: macvlan2 (net_macvlan2.exp)" +./net_macvlan2.exp + echo "TESTING: 4 bridges ARP (4bridges_arp.exp)" ./4bridges_arp.exp diff --git a/test/stress/net_macvlan.exp b/test/stress/net_macvlan.exp new file mode 100755 index 000000000..6ea4a6adf --- /dev/null +++ b/test/stress/net_macvlan.exp 
@@ -0,0 +1,93 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +# check the existing address +spawn $env(SHELL) +send -- "firejail --net=eth0 --ip=192.168.1.60\r" +expect { + timeout {puts "TESTING ERROR 1.1\n";puts "Please open a sandbox on 192.168.1.60\n";exit} + "192.168.1.60 is interface eth0 address" +} + + + +# grab 30 ip addresses +set MAXi 229 +set i 200 +while { $i <= $MAXi } { + spawn $env(SHELL) + send -- "firejail --net=eth0 --ip=192.168.1.$i\r" + expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" + } + incr i + after 100 +} + + +# check an existing address +spawn $env(SHELL) +send -- "firejail --net=eth0 --ip=192.168.1.200\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "the address 192.168.1.200 is already in use" +} + + +set MAXi 254 +set i 2 +while { $i <= $MAXi } { + spawn $env(SHELL) + send -- "firejail --net=eth0\r" + expect { + timeout {puts "TESTING ERROR 2.1\n";exit} + "192.168.1.60" {puts "TESTING ERROR 2.2\n";exit} + "192.168.1.200" {puts "TESTING ERROR 3\n";exit} + "192.168.1.201" {puts "TESTING ERROR 3\n";exit} + "192.168.1.202" {puts "TESTING ERROR 3\n";exit} + "192.168.1.203" {puts "TESTING ERROR 3\n";exit} + "192.168.1.204" {puts "TESTING ERROR 3\n";exit} + "192.168.1.205" {puts "TESTING ERROR 3\n";exit} + "192.168.1.206" {puts "TESTING ERROR 3\n";exit} + "192.168.1.207" {puts "TESTING ERROR 3\n";exit} + "192.168.1.208" {puts "TESTING ERROR 3\n";exit} + "192.168.1.209" {puts "TESTING ERROR 3\n";exit} + "192.168.1.210" {puts "TESTING ERROR 3\n";exit} + "192.168.1.211" {puts "TESTING ERROR 3\n";exit} + "192.168.1.212" {puts "TESTING ERROR 3\n";exit} + "192.168.1.213" {puts "TESTING ERROR 3\n";exit} + "192.168.1.214" {puts "TESTING ERROR 3\n";exit} + "192.168.1.215" {puts "TESTING ERROR 3\n";exit} + "192.168.1.216" {puts "TESTING ERROR 3\n";exit} + "192.168.1.217" 
{puts "TESTING ERROR 3\n";exit} + "192.168.1.218" {puts "TESTING ERROR 3\n";exit} + "192.168.1.219" {puts "TESTING ERROR 3\n";exit} + "192.168.1.220" {puts "TESTING ERROR 3\n";exit} + "192.168.1.221" {puts "TESTING ERROR 3\n";exit} + "192.168.1.222" {puts "TESTING ERROR 3\n";exit} + "192.168.1.223" {puts "TESTING ERROR 3\n";exit} + "192.168.1.224" {puts "TESTING ERROR 3\n";exit} + "192.168.1.225" {puts "TESTING ERROR 3\n";exit} + "192.168.1.226" {puts "TESTING ERROR 3\n";exit} + "192.168.1.227" {puts "TESTING ERROR 3\n";exit} + "192.168.1.228" {puts "TESTING ERROR 3\n";exit} + "192.168.1.229" {puts "TESTING ERROR 3\n";exit} + "Child process initialized" + } + puts "************ $i ******************\n" + incr i + after 100 +# sleep 1 +} +send -- "exit\r" +after 100 + +puts "\n" + diff --git a/test/stress/stress.sh b/test/stress/stress.sh new file mode 100755 index 000000000..35c846071 --- /dev/null +++ b/test/stress/stress.sh @@ -0,0 +1,11 @@ +#!/bin/bash +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +export MALLOC_CHECK_=3 +export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) + +echo "TESTING: macvlan (net_macvlan.exp)" +./net_macvlan.exp + -- cgit v1.2.3-70-g09d2 From 74980fb9d796d76f87e75561f6a08ad55960a3dd Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 8 Dec 2016 15:20:21 -0500 Subject: remove konsole from the list of restricted terminals in disable-common.inc --- etc/disable-common.inc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 95af0aa34..b86c6f998 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -209,7 +209,8 @@ blacklist ${PATH}/roxterm-config blacklist ${PATH}/terminix blacklist ${PATH}/urxvtc blacklist ${PATH}/urxvtcd -blacklist ${PATH}/konsole +#konsole doesn't seem to have this problem - last tested on Ubuntu 16.04 +#blacklist ${PATH}/konsole # kernel files blacklist /vmlinuz* -- cgit v1.2.3-70-g09d2 
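Review bot: The comment that replaces the konsole entry says konsole "doesn't seem to have this problem", but the hunk never names the problem. The explanation for this terminal list sits above the hunk, so a later reader cannot re-test the claim from here. Recording what was tested and against which version, for example `# konsole: not blacklisted, <behaviour tested> not observed with konsole <VERSION> on Ubuntu 16.04`, would let the decision be revisited when konsole changes. Removing a blacklist entry widens what a sandboxed program can start, so keeping the commented-out line next to that rationale, as done here, is worthwhile.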
From 0c5aa59b932c22798980899e1cd4df72badc8bbd Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 9 Dec 2016 09:21:30 -0500 Subject: disable gnupg and systemd directories under /run/user --- README | 1 + RELNOTES | 1 + src/firejail/fs.c | 29 +++++++++++++++-------------- 3 files changed, 17 insertions(+), 14 deletions(-) diff --git a/README b/README index 10136207d..476ec40c6 100644 --- a/README +++ b/README @@ -96,6 +96,7 @@ valoq (https://github.com/valoq) - added img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, simple-scan profiles - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles - added wget profile + - disable gnupg and systemd directories under /run/user Lari Rauno (https://github.com/tuutti) - qutebrowser profile fixes SpotComms (https://github.com/SpotComms) diff --git a/RELNOTES b/RELNOTES index 28aa1f4e1..7755ae3a6 100644 --- a/RELNOTES +++ b/RELNOTES @@ -6,6 +6,7 @@ firejail (0.9.45) baseline; urgency=low * security: split most of networking code in a separate executable * security: split seccomp filter code configuration in a separate executable * security: split file copying in private option in a separate executable + * feature: disable gnupg and systemd directories under /run/user * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm) * feature: AppImage type 2 support * feature: test coverage (gcov) support diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 905d2903d..84dc9046c 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c 
@@ -538,31 +538,32 @@ void fs_proc_sys_dev_boot(void) { struct stat s; - // breaks too many applications, option needed - /* // disable /run/user/{uid}/bus */ - /* char *fnamebus; */ - /* if (asprintf(&fnamebus, "/run/user/%d/bus", getuid()) == -1) */ - /* errExit("asprintf"); */ - /* if (stat(fnamebus, &s) == 0) */ - /* disable_file(BLACKLIST_FILE, fnamebus); */ - /* free(fnamebus); */ - // disable /run/user/{uid}/gnupg char *fnamegpg; if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1) - errExit("asprintf"); + errExit("asprintf"); if (stat(fnamegpg, &s) == 0) - disable_file(BLACKLIST_FILE, fnamegpg); + disable_file(BLACKLIST_FILE, fnamegpg); free(fnamegpg); // disable /run/user/{uid}/systemd char *fnamesysd; if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1) - errExit("asprintf"); + errExit("asprintf"); if (stat(fnamesysd, &s) == 0) - disable_file(BLACKLIST_FILE, fnamesysd); + disable_file(BLACKLIST_FILE, fnamesysd); free(fnamesysd); +// todo: investigate +#if 0 + // breaks too many applications, option needed + /* // disable /run/user/{uid}/bus */ + /* char *fnamebus; */ + /* if (asprintf(&fnamebus, "/run/user/%d/bus", getuid()) == -1) */ + /* errExit("asprintf"); */ + /* if (stat(fnamebus, &s) == 0) */ + /* disable_file(BLACKLIST_FILE, fnamebus); */ + /* free(fnamebus); */ // WARNING: not working // disable /run/user/{uid}/kdeinit* @@ -593,7 +594,7 @@ void fs_proc_sys_dev_boot(void) { //more files with sockets to be blacklisted // /run/dbus /run/systemd /run/udev /run/lvm - +#endif if (getuid() != 0) { -- cgit v1.2.3-70-g09d2 From 8355c8aef298f877eb3ad86b50e9f90fe8765a9e Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 10 Dec 2016 11:41:40 -0500 Subject: quiterss fixes --- README | 1 + etc/quiterss.profile | 10 ++++++++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/README b/README index 476ec40c6..d20503974 100644 --- a/README +++ b/README 
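Review bot: The `asprintf` calls that build `/run/user/%d/gnupg` and `/run/user/%d/systemd` format `getuid()` with `%d`, although `uid_t` is unsigned on Linux. For a UID above INT_MAX the path would get a negative component, `stat()` would fail, and the directory would stay un-blacklisted without any message. `"/run/user/%u/gnupg", (unsigned) getuid()` and the same for the systemd path avoid that. The block this commit parks under `#if 0` uses the same format string, and fs_proc_sys_dev_boot starts and ends outside the hunk.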
@@ -111,6 +111,7 @@ Vasya Novikov (https://github.com/vn971) - seccomp debug description in man page curiosity-seeker (https://github.com/curiosity-seeker) - tightening unbound and dnscrypt-proxy profiles + - correct and tighten QuiteRss profile - dnsmasq profile - okular and gwenview profiles - cherrytree profile fixes diff --git a/etc/quiterss.profile b/etc/quiterss.profile index 2b28fce73..47ab77675 100644 --- a/etc/quiterss.profile +++ b/etc/quiterss.profile @@ -1,3 +1,8 @@ +noblacklist ${HOME}/.cache/QuiteRss +noblacklist ${HOME}/.config/QuiteRss +noblacklist ${HOME}/.config/QuiteRssrc +noblacklist ${HOME}/.local/share/QuiteRss + include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc @@ -7,8 +12,9 @@ whitelist ${HOME}/quiterssfeeds.opml mkdir ~/.config/QuiteRss whitelist ${HOME}/.config/QuiteRss/ whitelist ${HOME}/.config/QuiteRssrc -mkdir ~/.local/share -whitelist ${HOME}/.local/share/ +mkdir ~/.local/share/data +mkdir ~/.local/share/data/QuiteRss +whitelist ${HOME}/.local/share/data/QuiteRss mkdir ~/.cache/QuiteRss whitelist ${HOME}/.cache/QuiteRss -- cgit v1.2.3-70-g09d2 From 9a7acfd771e17bd7d2ca935fc17fa50ef579cce3 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 11 Dec 2016 08:10:04 -0500 Subject: config support for firejail prompt in terminals --- RELNOTES | 1 + etc/firejail.config | 3 +++ src/firejail/checkcfg.c | 10 ++++++++++ src/firejail/env.c | 14 +++++++++++--- src/firejail/firejail.h | 1 + 5 files changed, 26 insertions(+), 3 deletions(-) diff --git a/RELNOTES b/RELNOTES index 7755ae3a6..064553f98 100644 --- a/RELNOTES +++ b/RELNOTES 
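Review bot: The new `noblacklist ${HOME}/.local/share/QuiteRss` does not name the directory the profile now creates and whitelists, `${HOME}/.local/share/data/QuiteRss`. If disable-programs.inc (not part of this diff) blacklists the `data/QuiteRss` path, the whitelisted directory would still be blocked. If the application really stores its data in `.local/share/QuiteRss`, that directory is no longer whitelisted after this change. Both lines should name the same path, for example `noblacklist ${HOME}/.local/share/data/QuiteRss`.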
@@ -13,6 +13,7 @@ firejail (0.9.45) baseline; urgency=low * feature: private /opt directory (--private-opt, profile support) * feature: private /srv directory (--private-srv, profile support) * feature: spoof machine-id + * feature: config support for firejail prompt in terminal * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, diff --git a/etc/firejail.config b/etc/firejail.config index 2ea767f37..824e3f503 100644 --- a/etc/firejail.config +++ b/etc/firejail.config @@ -17,6 +17,9 @@ # Enable or disable file transfer support, default enabled. # file-transfer yes +# Enable Firejail green prompt in terminal, default disabled +# firejail-prompt no + # Force use of nonewprivs. This mitigates the possibility of # a user abusing firejail's features to trick a privileged (suid # or file capabilities) process into loading code or configuration diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 6565f488a..098e8e967 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -43,6 +43,7 @@ int checkcfg(int val) { cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default cfg_val[CFG_FORCE_NONEWPRIVS] = 0; // disabled by default cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0; // disabled by default + cfg_val[CFG_FIREJAIL_PROMPT] = 0; // disabled by default // open configuration file char *fname; @@ -126,6 +127,15 @@ int checkcfg(int val) { else goto errout; } + // prompt + else if (strncmp(ptr, "firejail-prompt ", 16) == 0) { + if (strcmp(ptr + 16, "yes") == 0) + cfg_val[CFG_FIREJAIL_PROMPT] = 1; + else if (strcmp(ptr + 16, "no") == 0) + cfg_val[CFG_FIREJAIL_PROMPT] = 0; + else + goto errout; + } // nonewprivs else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) { if (strcmp(ptr + 17, "yes") == 0) diff --git a/src/firejail/env.c b/src/firejail/env.c index a02c67ae1..783f019a6 100644 
--- a/src/firejail/env.c +++ b/src/firejail/env.c @@ -129,13 +129,21 @@ void env_defaults(void) { errExit("setenv"); // set prompt color to green - char *prompt = getenv("FIREJAIL_PROMPT"); - if (prompt && strcmp(prompt, "yes") == 0) { + int set_prompt = 0; + if (checkcfg(CFG_FIREJAIL_PROMPT)) + set_prompt = 1; + else { // check FIREJAIL_PROMPT="yes" environment variable + char *prompt = getenv("FIREJAIL_PROMPT"); + if (prompt && strcmp(prompt, "yes") == 0) + set_prompt = 1; + } + + if (set_prompt) { //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] ' if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0) errExit("setenv"); } - + // set the window title if (!arg_quiet) printf("\033]0;firejail %s\007", cfg.window_title); diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 368e0d88d..8fede5a69 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -661,6 +661,7 @@ enum { CFG_CHROOT_DESKTOP, CFG_PRIVATE_HOME, CFG_PRIVATE_BIN_NO_LOCAL, + CFG_FIREJAIL_PROMPT, CFG_MAX // this should always be the last entry }; extern char *xephyr_screen; -- cgit v1.2.3-70-g09d2 From f541d8b41e01f01370effd38a106a1284762ad0d Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 11 Dec 2016 08:54:47 -0500 Subject: allusers manpage fix --- src/man/firejail.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/man/firejail.txt b/src/man/firejail.txt index fdeb9ea3f..5b43b1ca5 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -85,7 +85,7 @@ Example: $ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox .TP \fB\-\-allusers -All user home directories are visible inside the sandbox. By default, only current user home directory is visible. +All directories under /home are visible inside the sandbox. By default, only current user home directory is visible. .br .br -- cgit v1.2.3-70-g09d2 From bbb098e082e4d7493733b49c610859ac93ede8a5 Mon Sep 17 00:00:00 2001 
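Review bot: In env_defaults a `firejail-prompt no` in firejail.config does not switch the prompt off, because the `else` branch still honours `FIREJAIL_PROMPT=yes` from the caller's environment. The firejail.config text added in this commit reads as if the file decides. If the environment override is intended, say so next to the option, for example `# The FIREJAIL_PROMPT=yes environment variable enables the prompt even when this is set to no`, and reword the code comment to `// config file enables the prompt for everyone; otherwise FIREJAIL_PROMPT=yes opts in per user`. The function starts and ends outside the hunk.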
From: valoq Date: Sun, 11 Dec 2016 19:06:18 +0100 Subject: fixed ipc blacklist --- src/firejail/fs.c | 27 +++++++++++++++++++-------- src/firejail/fs_var.c | 2 ++ 2 files changed, 21 insertions(+), 8 deletions(-) diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 84dc9046c..f469cba0a 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -531,17 +531,16 @@ void fs_proc_sys_dev_boot(void) { // disable /dev/port disable_file(BLACKLIST_FILE, "/dev/port"); - - // WARNING: this is not reliable. When services like gpg-agent are started after the jail, the sockets are not blacklisted - // disable various ipc sockets - struct stat s; - + /* // disable various ipc sockets */ + struct stat s; // disable /run/user/{uid}/gnupg char *fnamegpg; if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1) errExit("asprintf"); + if (stat(fnamegpg, &s) == -1) + mkdir_attr(fnamegpg, 0700, getuid(), getgid()); if (stat(fnamegpg, &s) == 0) disable_file(BLACKLIST_FILE, fnamegpg); free(fnamegpg); @@ -550,10 +549,13 @@ void fs_proc_sys_dev_boot(void) { char *fnamesysd; if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1) errExit("asprintf"); + if (stat(fnamesysd, &s) == -1) + mkdir_attr(fnamesysd, 0755, getuid(), getgid()); if (stat(fnamesysd, &s) == 0) disable_file(BLACKLIST_FILE, fnamesysd); free(fnamesysd); + // todo: investigate #if 0 // breaks too many applications, option needed 
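Review bot: The two added `if (stat(..., &s) == -1) mkdir_attr(...)` lines create the gnupg and systemd directories on any stat failure, not only when the path is absent. They also assume `/run/user/{uid}` exists, which the comment added further down in this same commit says is not true on every system. The body of mkdir_attr is not in this diff, so it should be confirmed whether a failed mkdir is fatal there; if it is, the sandbox would stop starting on hosts without a per-user runtime directory. I would narrow the condition to `if (stat(fnamegpg, &s) == -1 && errno == ENOENT)` (same for `fnamesysd`) and skip both blocks when the parent directory is missing. Since the parent directory belongs to the user, it is also worth checking `S_ISDIR(s.st_mode)` before the path is handed to `disable_file`.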
@@ -591,12 +593,21 @@ void fs_proc_sys_dev_boot(void) { /* disable_file(BLACKLIST_FILE, fnamedconf); */ /* free(fnamedconf); */ - + + // dirs in /run/user/{uid}/ + // using gnome: + // bus, dconf, gdm, gnome-shell, gnupg, gvfs, keyring, pulse, systemd + + // using kde: + // kdeinit__0, ... + //more files with sockets to be blacklisted // /run/dbus /run/systemd /run/udev /run/lvm -#endif - + + // /run/user/{uid} does not exist on some systems, usually used and created by desktop applications +#endif + if (getuid() != 0) { // disable /dev/kmsg and /proc/kmsg disable_file(BLACKLIST_FILE, "/dev/kmsg"); diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index bdc5ecaf3..86122e1c0 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c @@ -106,6 +106,8 @@ static void build_dirs(void) { void fs_var_log(void) { build_list("/var/log"); + // note: /var/log is not created here, if it does not exist, this section fails. Intended? + // create /var/log if it doesn't exit if (is_dir("/var/log")) { // extract group id for /var/log/wtmp -- cgit v1.2.3-70-g09d2 From 9a415a34dd3ce2b69b780fb9884dc15b61dcfd96 Mon Sep 17 00:00:00 2001 From: valoq Date: Sun, 11 Dec 2016 19:18:09 +0100 Subject: fix comment --- src/firejail/fs.c | 6 +++--- src/man/firejail.txt | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/firejail/fs.c b/src/firejail/fs.c index f469cba0a..adddf626b 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -532,7 +532,7 @@ void fs_proc_sys_dev_boot(void) { disable_file(BLACKLIST_FILE, "/dev/port"); - /* // disable various ipc sockets */ + // disable various ipc sockets struct stat s; // disable /run/user/{uid}/gnupg 
@@ -601,8 +601,8 @@ void fs_proc_sys_dev_boot(void) { // using kde: // kdeinit__0, ... - //more files with sockets to be blacklisted - // /run/dbus /run/systemd /run/udev /run/lvm + // more files with sockets to be blacklisted + // /run/dbus /run/systemd /run/udev /run/lvm // /run/user/{uid} does not exist on some systems, usually used and created by desktop applications diff --git a/src/man/firejail.txt b/src/man/firejail.txt index fdeb9ea3f..5b43b1ca5 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -85,7 +85,7 @@ Example: $ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox .TP \fB\-\-allusers -All user home directories are visible inside the sandbox. By default, only current user home directory is visible. +All directories under /home are visible inside the sandbox. By default, only current user home directory is visible. .br .br -- cgit v1.2.3-70-g09d2 From ca979697ae0c806f9af521696daa6e43e450e036 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 13 Dec 2016 19:35:12 -0500 Subject: borken - configuration file should be owned by root --- src/firejail/checkcfg.c | 19 +------------------ 1 file changed, 1 insertion(+), 18 deletions(-) diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 098e8e967..c3eedc510 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -46,10 +46,7 @@ int checkcfg(int val) { cfg_val[CFG_FIREJAIL_PROMPT] = 0; // disabled by default // open configuration file - char *fname; - if (asprintf(&fname, "%s/firejail.config", SYSCONFDIR) == -1) - errExit("asprintf"); - + const char *fname = SYSCONFDIR "/firejail.config"; fp = fopen(fname, "r"); if (!fp) { #ifdef HAVE_GLOBALCFG 
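Review bot: With the `st_uid != 0` test deleted in the second checkcfg.c hunk, nothing visible in checkcfg() verifies who owns the file opened here via `fopen(fname, "r")`, although it decides settings such as `force-nonewprivs`. The commit subject says only that the check was broken. The removed code called `stat()` on the path after the file was already open, so re-adding it as an `fstat()` on the open stream is both safer and independent of later path changes. Also rejecting a group- or world-writable file would be a reasonable addition, but that is a policy decision beyond what the old check did. checkcfg() starts and ends outside the hunk.

```c
fp = fopen(fname, "r");
// … unchanged: handling of a missing configuration file …

// validate the file that was opened rather than the path
struct stat s;
if (fstat(fileno(fp), &s) == -1)
	errExit("fstat");
if (s.st_uid != 0) {
	fprintf(stderr, "Error: configuration file should be owned by root\n");
	exit(1);
}
```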
@@ -61,15 +58,6 @@ int checkcfg(int val) { #endif } - // if the file exists, it should be owned by root - struct stat s; - if (stat(fname, &s) == -1) - errExit("stat"); - if (s.st_uid != 0) { - fprintf(stderr, "Error: configuration file should be owned by root\n"); - exit(1); - } - // read configuration file char buf[MAX_READ]; while (fgets(buf,MAX_READ, fp)) { @@ -290,7 +278,6 @@ int checkcfg(int val) { } fclose(fp); - free(fname); initialized = 1; } @@ -324,10 +311,6 @@ void print_compiletime_support(void) { #endif ); - - - - printf("\t- bind support is %s\n", #ifdef HAVE_BIND "enabled" -- cgit v1.2.3-70-g09d2 From 71fa2e283c4721230569e8611ac0470916fc75d0 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 14 Dec 2016 09:09:29 -0500 Subject: snap profile fix --- etc/snap.profile | 2 -- src/firejail/fs_var.c | 3 +-- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/etc/snap.profile b/etc/snap.profile index 270fdf1a5..e2ada3a99 100644 --- a/etc/snap.profile +++ b/etc/snap.profile @@ -9,6 +9,4 @@ whitelist ~/snap whitelist ${DOWNLOADS} include /etc/firejail/whitelist-common.inc -caps.keep chown,sys_admin - diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index 86122e1c0..f742e7e22 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c @@ -106,8 +106,7 @@ static void build_dirs(void) { void fs_var_log(void) { build_list("/var/log"); - // note: /var/log is not created here, if it does not exist, this section fails. Intended? - + // note: /var/log is not created here, if it does not exist, this section fails. // create /var/log if it doesn't exit if (is_dir("/var/log")) { // extract group id for /var/log/wtmp -- cgit v1.2.3-70-g09d2 From e92d5d54195bae30ca78f33371460b98f94cc2ef Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 14 Dec 2016 09:20:52 -0500 Subject: machine-id fix --- src/firejail/fs_etc.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) 
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index a04bf6725..a27c0e41b 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c @@ -58,7 +58,6 @@ void fs_machineid(void) { struct stat s; - // mount-bind if (stat("/etc/machine-id", &s) == 0) { if (arg_debug) printf("installing a new /etc/machine-id\n"); @@ -66,12 +65,10 @@ void fs_machineid(void) { if (mount(RUN_MACHINEID, "/etc/machine-id", "none", MS_BIND, "mode=444,gid=0")) errExit("mount"); } -//#if 0 // todo: investigate if (stat("/var/lib/dbus/machine-id", &s) == 0) { - if (mount(RUN_MACHINEID, "/etc/machine-id", "none", MS_BIND, "mode=444,gid=0")) + if (mount(RUN_MACHINEID, "/var/lib/dbus/machine-id", "none", MS_BIND, "mode=444,gid=0")) errExit("mount"); } -//#endif } // return 0 if file not found, 1 if found -- cgit v1.2.3-70-g09d2 From 9d677b2b5acc6d5f905180e0abcf8e353bc09332 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 14 Dec 2016 10:17:20 -0500 Subject: added a 1 second delay after xpra server is started --- src/firejail/x11.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/firejail/x11.c b/src/firejail/x11.c index e67260490..91017237d 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c @@ -442,6 +442,9 @@ void x11_start_xpra(int argc, char **argv) { _exit(1); } + // add a small delay, on some systems it takes some time for the server to start + sleep(1); + // check X11 socket char *fname; if (asprintf(&fname, "/tmp/.X11-unix/X%d", display) == -1) -- cgit v1.2.3-70-g09d2
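Review bot: Both bind mounts in fs_machineid pass `"mode=444,gid=0"` as the data argument, but mount(2) ignores the data string for `MS_BIND`, so those options have no effect. That includes the corrected `/var/lib/dbus/machine-id` mount in this hunk. The mounted file keeps the permissions of RUN_MACHINEID; if a read-only view is the intent, that needs a follow-up remount with `MS_BIND | MS_REMOUNT | MS_RDONLY`. Passing `NULL` for the data argument would stop the call suggesting otherwise. The second mount also has no `arg_debug` message, unlike the first.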
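Review bot: The added `sleep(1)` in x11_start_xpra is a fixed guess. A slower host can still reach the `/tmp/.X11-unix/X%d` check before the server has created its socket, and a fast one waits a second for nothing. A bounded retry gives the same result without depending on timing: test for the socket every 100 ms or so and give up after a few seconds. The socket check itself continues below the hunk, so the loop belongs around that code rather than in front of it. The comment could then read `// wait up to N seconds for the xpra server to create its X11 socket`.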