From e3abab47dcda4dba4a1412261e35cb1608ffd900 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Fri, 10 Jun 2016 10:41:57 -0400
Subject: private-bin conversion

---
 README.md | 4 +++
 etc/cherrytree.profile | 9 +++++
 etc/disable-devel.inc | 2 +-
 etc/evince.profile | 3 ++
 etc/fbreader.profile | 3 ++
 etc/gnome-mplayer.profile | 3 ++
 etc/gthumb.profile | 2 +-
 etc/vlc.profile | 2 +-
 src/firejail/main.c | 1 -
 test/apps/apps.sh | 10 ++++++
 test/apps/gthumb.exp | 83 +++++++++++++++++++++++++++++++++++++++++++++++
 11 files changed, 118 insertions(+), 4 deletions(-)
 create mode 100755 test/apps/gthumb.exp

diff --git a/README.md b/README.md
index 36fb99f3d..db0625d43 100644
--- a/README.md
+++ b/README.md
@@ -71,6 +71,10 @@ BitTorrent profiles converted to private-bin: deluge, qbittorrent, rtorrent, tra
 File transfer: filezilla
+Media: vlc, mpv, gnome-mplayer
+
+Office: evince, gthumb, fbreader
+
 ## New security profiles
 Gitter, gThumb, mpv, Franz messenger
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile
index bc6fe1d86..7b6238d98 100644
--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -24,3 +24,12 @@ protocol unix,inet,inet6,netlink
 tracelog
 include /etc/firejail/whitelist-common.inc
+
+# no private-bin support for various reasons:
+#10:25:34 exec 11249 (root) NEW SANDBOX: /usr/bin/firejail /usr/bin/cherrytree
+#10:25:34 exec 11252 (netblue) /bin/bash -c "/usr/bin/cherrytree"
+#10:25:34 exec 11252 (netblue) /usr/bin/python /usr/bin/cherrytree
+#10:25:34 exec 11253 (netblue) sh -c /sbin/ldconfig -p 2>/dev/null
+#10:25:34 exec 11255 (netblue) sh -c if type gcc >/dev/null 2>&1; then CC=gcc; elif type cc >/dev/null 2>&1; then CC=cc;else exit 10; fi;LANG=C LC_ALL=C $CC -Wl,-t -o /tmp/tmpiYr44S 2>&1 -llibc
+# it requires acces to browser to show the online help
+# it doesn't play nicely with expect
diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc
index 8c18ec2c3..071a82f76 100644
--- a/etc/disable-devel.inc
+++ b/etc/disable-devel.inc
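Review bot: The last added line of the cherrytree hunk has a typo, `acces` should be `access`, and the pasted trace above it carries timestamps and PIDs that a later reader cannot use; the reasons are better stated directly, e.g. `# no private-bin: cherrytree is a python script that execs bash, sh, ldconfig and gcc/cc at startup`, followed by the existing browser and expect remarks. The `ldconfig -p` and `$CC -Wl,-t` calls in the trace look like Python's ctypes library lookup (an inference, not something the hunk states), and they are also the reason the python entries in disable-devel.inc have to stay commented out, which is worth one sentence here so the two files are not changed independently.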
@@ -37,7 +37,7 @@ blacklist /usr/lib/php*
 blacklist /usr/bin/ruby
 blacklist /usr/lib/ruby
-# Programs using python: deluge, some firefox addons, filezilla
+# Programs using python: deluge, firefox addons, filezilla, cherrytree
 # Python 2
 #blacklist /usr/bin/python2*
 #blacklist /usr/lib/python2*
diff --git a/etc/evince.profile b/etc/evince.profile
index 8c84a1daa..8671c1251 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -10,3 +10,6 @@ noroot
 nosound
 protocol unix,inet,inet6
 seccomp
+
+shell none
+private-bin evince,evince-previewer,evince-thumbnailer
diff --git a/etc/fbreader.profile b/etc/fbreader.profile
index c4d84691c..df359e50a 100644
--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -13,3 +13,6 @@ noroot
 nosound
 protocol unix,inet,inet6
 seccomp
+
+shell none
+private-bin fbreader,FBReader
\ No newline at end of file
diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile
index f15778534..1caea177d 100644
--- a/etc/gnome-mplayer.profile
+++ b/etc/gnome-mplayer.profile
@@ -9,3 +9,6 @@ nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+
+shell none
+private-bin gnome-mplayer
diff --git a/etc/gthumb.profile b/etc/gthumb.profile
index 55041b5cc..68d6a52d9 100644
--- a/etc/gthumb.profile
+++ b/etc/gthumb.profile
@@ -13,5 +13,5 @@ noroot
 protocol unix,inet,inet6
 seccomp
-private-bin gthumb
 shell none
+private-bin gthumb
diff --git a/etc/vlc.profile b/etc/vlc.profile
index e225e80e9..1a6e5a151 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -16,4 +16,4 @@ seccomp
 # to test
 shell none
-private-bin vlc
+private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 1621d810f..d027eb697 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -135,7 +135,6 @@ static void myexit(int rv) {
 }
 static void my_handler(int s){
-printf("**************************\n");
 EUID_ROOT();
 if (!arg_quiet) {
 printf("\nParent received signal %d, shutting down the child process...\n", s);
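Review bot: In the fbreader hunk the new last line `+private-bin fbreader,FBReader` is written without a trailing newline (the hunk ends with `\ No newline at end of file`); every other profile touched by this commit ends with one, and the next append to this file will show up as a two-line diff. Terminate the file with a newline. Since the list names only the two player binaries, it is also worth checking once that fbreader does not launch any helper program (a browser for links, for instance) that would now be missing from the sandbox.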
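Review bot: In the gnome-mplayer hunk `+private-bin gnome-mplayer` lists only the front end; gnome-mplayer is, as far as I know, a GTK front end that runs a separate `mplayer` process for playback, and with private-bin in place that binary would not exist inside the sandbox, so the window opens but nothing plays. If that is the case the line should read `private-bin gnome-mplayer,mplayer` (plus whichever player binary the user has configured). A quick check is to open a media file under the new profile, since the sandbox itself starts fine without the player binary and a start-up test would not catch this.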
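Review bot: In the vlc hunk the added wrappers `cvlc,nvlc,rvlc,qvlc,svlc` are, on the distributions I know, one-line `/bin/sh` scripts that exec `vlc` with a different interface; under private-bin the interpreter named in their shebang is not present unless it is listed too (I do not see firejail copying shebang interpreters automatically at this version), so they would fail with "no such file" while plain `vlc` works. Either add the interpreter, `private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc,sh`, accepting that a shell inside the sandbox widens exactly what private-bin is meant to narrow, or drop the wrappers and tell users to run `vlc -I` with the interface they want. The `# to test` comment kept above `shell none` suggests this was not yet exercised; `firejail --profile=etc/vlc.profile cvlc --version` is a one-line check.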
diff --git a/test/apps/apps.sh b/test/apps/apps.sh
index fa56ce370..bbfe2a606 100755
--- a/test/apps/apps.sh
+++ b/test/apps/apps.sh
@@ -87,6 +87,16 @@ else
 echo "TESTING SKIP: evince not found"
 fi
+
+which gthumb
+if [ "$?" -eq 0 ];
+then
+ echo "TESTING: gthumb"
+ ./gthumb.exp
+else
+ echo "TESTING SKIP: gthumb not found"
+fi
+
 which icedove
 if [ "$?" -eq 0 ];
 then
diff --git a/test/apps/gthumb.exp b/test/apps/gthumb.exp
new file mode 100755
index 000000000..86bb975ba
--- /dev/null
+++ b/test/apps/gthumb.exp
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail gthumb\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Reading profile /etc/firejail/gthumb.profile"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.1\n";exit}
+ "gthumb"
+}
+sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+ timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+ "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+ "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ ":firejail gthumb"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+ "Seccomp: 2"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1\n";exit}
+ "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ ":firejail gthumb"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.1\n";exit}
+ "CapBnd:"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.2\n";exit}
+ "0000000000000000"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.3\n";exit}
+ "name=blablabla"
+}
+sleep 1
+
+puts "\nall done\n"
+
-- 
cgit v1.2.3-54-g00ecf
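Review bot: Two different checks in the new gthumb.exp share the label `TESTING ERROR 5.1`: the `"Seccomp: 2"` expect prints `TESTING ERROR 5.1 (seccomp)` and the `"name=blablabla"` expect right after it prints plain `TESTING ERROR 5.1`, while label 2 is never used, so a timeout in the log cannot be mapped to a step at a glance. Renumber the second one: `timeout {puts "TESTING ERROR 5.2\n";exit}`. The script also never shuts down the `firejail gthumb` and `--name=blablabla` sandboxes it spawns, so a run that stops mid-way leaves them for the next test; that matches the other app tests as far as I can tell, but ending with a shutdown of the named sandbox (firejail's `--shutdown=blablabla`) would keep runs independent.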