From 75cefd5b166a55dfc9e81341c1debb1baf71b101 Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Mon, 21 Aug 2023 10:00:47 -0300
Subject: tests: fix error when /dev/kmsg is missing

This is breaking test-fs in CI since at least commit f37cd57cd ("disable all /bin/dpkg* programs in disable-common.inc", 2023-08-20)[1].

[1] https://github.com/netblue30/firejail/actions/runs/5918495917/job/16062400120
---
 test/fs/kmsg.exp | 1 +
 1 file changed, 1 insertion(+)

diff --git a/test/fs/kmsg.exp b/test/fs/kmsg.exp
index 3f952a4d4..1e647ab8d 100755
--- a/test/fs/kmsg.exp
+++ b/test/fs/kmsg.exp
@@ -17,6 +17,7 @@ sleep 1
 send -- "cat /dev/kmsg\r"
 expect {
 timeout {puts "TESTING ERROR 2\n";exit}
+ "No such file or directory" # FIXME: Needed in CI
 "Permission denied"
 }
 after 100
-- 
cgit v1.2.3-70-g09d2

From 5ba5ed07640eae8f94e8bcdaff1573a5161339e3 Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Mon, 21 Aug 2023 10:21:11 -0300
Subject: profiles: restore entries for ssh-related paths

This partially reverts commit d94f54736 ("disable all ssh utilities in disable-common.inc", 2023-08-20). Certain files in ~/.ssh are only used by sshd (not by ssh), so always blacklist them. Also, ssh itself does not need write access to the configuration files, so make them read-only by default. For details, see commit 2ec3f3a96 ("disable-common.inc: add missing openssh paths", 2021-01-09) / PR #3885.

Cc: @netblue30
---
 etc/inc/disable-common.inc | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index faed10008..010cb05b6 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
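Review bot: The added `"No such file or directory"` pattern makes the test pass whenever /dev/kmsg is absent, so it can no longer distinguish a sandbox that hides the device from a host that never had it; the FIXME admits this but leaves the weakened check in place. The host-side condition should be tested before the sandboxed `cat` rather than accepted as a passing outcome, e.g. `if {![file exists /dev/kmsg]} {puts "TESTING SKIP: /dev/kmsg missing on host\n"; exit}` ahead of the `send`, keeping `"Permission denied"` as the only success pattern inside the sandbox (the skip message is a constructed example; match whatever convention the other tests use). If the CI runners genuinely cannot provide /dev/kmsg, the comment should say so and what would let it be removed, e.g. `# FIXME: CI runners lack /dev/kmsg; drop this pattern once they provide it`. The spawn and the earlier expects of this script are outside the hunk.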
@@ -319,9 +319,13 @@ read-only ${HOME}/.zshenv
 read-only ${HOME}/.zshrc
 read-only ${HOME}/.zshrc.local
-# Remote access - ${HOME}/.ssh directory blacklisted in top secret section below
+# Remote access (used only by sshd; should always be blacklisted)
 blacklist ${HOME}/.rhosts
 blacklist ${HOME}/.shosts
+blacklist ${HOME}/.ssh/authorized_keys
+blacklist ${HOME}/.ssh/authorized_keys2
+blacklist ${HOME}/.ssh/environment
+blacklist ${HOME}/.ssh/rc
 blacklist /etc/hosts.equiv
 # Initialization files that allow arbitrary command execution
@@ -354,6 +358,8 @@ read-only ${HOME}/.nanorc
 read-only ${HOME}/.npmrc
 read-only ${HOME}/.pythonrc.py
 read-only ${HOME}/.reportbugrc
+read-only ${HOME}/.ssh/config
+read-only ${HOME}/.ssh/config.d
 read-only ${HOME}/.tmux.conf
 read-only ${HOME}/.vim
 read-only ${HOME}/.viminfo
-- 
cgit v1.2.3-70-g09d2
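Review bot: The new `+# Remote access (used only by sshd; should always be blacklisted)` comment drops the cross-reference the removed comment carried, so a reader of this block no longer learns how these per-file entries relate to the rest of ${HOME}/.ssh (private keys, known_hosts) handled elsewhere in the file. The commit message explains the split (sshd-only files always blacklisted, client files read-only); the comment should carry that rationale and the pointer, e.g. `# Remote access - files used only by sshd (never by the ssh client), so always blacklisted; the rest of ${HOME}/.ssh is handled in the top secret section below`. If the directory-wide ${HOME}/.ssh entry no longer exists after d94f54736, the pointer should instead name where the private keys are now covered; that cannot be seen from this hunk. The same missing cross-reference applies to the `read-only ${HOME}/.ssh/config` lines in the second hunk.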
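Review bot: `read-only ${HOME}/.ssh/config.d` covers only that directory, while an `Include` directive in `${HOME}/.ssh/config` may name any path, so files pulled in from elsewhere would remain writable from the sandbox and the read-only intent stated in the commit message is only partly met; whether any profile relies on other include locations is not visible here. The two new lines should say why they are read-only and where the protection stops, e.g. `# ssh client configuration: read-only so a sandboxed process cannot change how ssh behaves outside the sandbox (files Include'd from outside config.d are not covered)`. The commit message calls this read-only "by default", but nothing in the hunk tells a profile author how to opt out for a program that legitimately edits ssh config; a short pointer to the directive the project uses for that would help.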