From f5b452bc4276ff2abecae522d9598441899293f1 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Fri, 10 Jun 2016 11:22:24 -0400
Subject: private-bin conversion

---
 README.md | 2 +-
 etc/deluge.profile | 1 +
 etc/disable-devel.inc | 2 +-
 etc/evince.profile | 1 +
 etc/fbreader.profile | 3 +-
 etc/filezilla.profile | 1 +
 etc/gthumb.profile | 1 +
 etc/hexchat.profile | 2 ++
 etc/qbittorrent.profile | 1 +
 etc/rtorrent.profile | 1 +
 etc/transmission-gtk.profile | 1 +
 etc/transmission-qt.profile | 1 +
 etc/uget-gtk.profile | 4 +++
 etc/weechat.profile | 4 +++
 etc/xchat.profile | 2 ++
 test/apps/apps.sh | 9 +++++
 test/apps/uget-gtk.exp | 83 ++++++++++++++++++++++++++++++++++++++++++++
 17 files changed, 116 insertions(+), 3 deletions(-)
 create mode 100755 test/apps/uget-gtk.exp

diff --git a/README.md b/README.md
index db0625d43..69890ffaf 100644
--- a/README.md
+++ b/README.md
@@ -67,7 +67,7 @@ AppImage project home: https://github.com/probonopd/AppImageKit
 ## Converting profiles to private-bin - work in progress!
-BitTorrent profiles converted to private-bin: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt
+BitTorrent: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt, uget-gtk
 File transfer: filezilla
diff --git a/etc/deluge.profile b/etc/deluge.profile
index 87a17423b..96df13a73 100644
--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -15,3 +15,4 @@ seccomp
 shell none
 private-bin deluge,sh,python,uname
+whitelist /tmp/.X11-unix
diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc
index 071a82f76..4e401055a 100644
--- a/etc/disable-devel.inc
+++ b/etc/disable-devel.inc
@@ -37,7 +37,7 @@ blacklist /usr/lib/php*
 blacklist /usr/bin/ruby
 blacklist /usr/lib/ruby
-# Programs using python: deluge, firefox addons, filezilla, cherrytree
+# Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat
 # Python 2
 #blacklist /usr/bin/python2*
 #blacklist /usr/lib/python2*
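Review bot: The added `whitelist /tmp/.X11-unix` line carries no comment saying why it is needed, and the same unexplained line is added to evince, fbreader, filezilla, gthumb, qbittorrent, rtorrent, transmission-gtk, transmission-qt and uget-gtk in this commit. If I read firejail's whitelist semantics correctly, the first whitelist under a top-level directory mounts a temporary file system there with only the whitelisted entries bind-mounted inside, so this line both hides the rest of /tmp from the sandbox and keeps the host X server socket reachable; a comment such as `# /tmp becomes a whitelisted tmpfs; keep the X11 socket so the GUI can reach the display` would record that intent. The X11 socket is also the broadest channel these profiles leave open (other clients on the same display are not isolated from the sandboxed program), so it is worth checking whether rtorrent, an ncurses client, needs it at all and dropping the line there if it does not.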
diff --git a/etc/evince.profile b/etc/evince.profile
index 8671c1251..320d55fad 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -13,3 +13,4 @@ seccomp
 shell none
 private-bin evince,evince-previewer,evince-thumbnailer
+whitelist /tmp/.X11-unix
diff --git a/etc/fbreader.profile b/etc/fbreader.profile
index df359e50a..f155b02af 100644
--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -15,4 +15,5 @@ protocol unix,inet,inet6
 seccomp
 shell none
-private-bin fbreader,FBReader
\ No newline at end of file
+private-bin fbreader,FBReader
+whitelist /tmp/.X11-unix
diff --git a/etc/filezilla.profile b/etc/filezilla.profile
index 35663f2fa..c146dba13 100644
--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -16,3 +16,4 @@ seccomp
 shell none
 private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp
+whitelist /tmp/.X11-unix
diff --git a/etc/gthumb.profile b/etc/gthumb.profile
index 68d6a52d9..2d6cd160c 100644
--- a/etc/gthumb.profile
+++ b/etc/gthumb.profile
@@ -15,3 +15,4 @@ seccomp
 shell none
 private-bin gthumb
+whitelist /tmp/.X11-unix
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index a584d25c5..4e829c379 100644
--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -17,3 +17,5 @@ mkdir ~/.config
 mkdir ~/.config/hexchat
 whitelist ~/.config/hexchat
 include /etc/firejail/whitelist-common.inc
+
+# private-bin requires perl, python, etc.
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index bb97a880b..bc87ad5c8 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -14,3 +14,4 @@ seccomp
 shell none
 private-bin qbittorrent
+whitelist /tmp/.X11-unix
diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile
index c196370a2..97c2335a8 100644
--- a/etc/rtorrent.profile
+++ b/etc/rtorrent.profile
@@ -14,3 +14,4 @@ seccomp
 shell none
 private-bin rtorrent
+whitelist /tmp/.X11-unix
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index e8d0e25e7..80d71d615 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -18,3 +18,4 @@ tracelog
 shell none
 private-bin transmission-gtk
+whitelist /tmp/.X11-unix
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index fd3a98aad..dfb600871 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -18,3 +18,4 @@ tracelog
 shell none
 private-bin transmission-qt
+whitelist /tmp/.X11-unix
diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile
index 02c7f56bf..591a82af4 100644
--- a/etc/uget-gtk.profile
+++ b/etc/uget-gtk.profile
@@ -17,3 +17,7 @@ mkdir ~/.config
 mkdir ~/.config/uGet
 whitelist ~/.config/uGet
 include /etc/firejail/whitelist-common.inc
+
+shell none
+private-bin uget-gtk
+whitelist /tmp/.X11-unix
diff --git a/etc/weechat.profile b/etc/weechat.profile
index 6cfe58420..410061278 100644
--- a/etc/weechat.profile
+++ b/etc/weechat.profile
@@ -9,3 +9,7 @@ nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+
+# no private-bin support for various reasons:
+# Plugins loaded: alias, aspell, charset, exec, fifo, guile, irc,
+# logger, lua, perl, python, relay, ruby, script, tcl, trigger, xferloading plugins
\ No newline at end of file
diff --git a/etc/xchat.profile b/etc/xchat.profile
index 061c4f3da..1f2865cab 100644
--- a/etc/xchat.profile
+++ b/etc/xchat.profile
@@ -10,3 +10,5 @@ nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+
+# private-bin requires perl, python, etc.
diff --git a/test/apps/apps.sh b/test/apps/apps.sh
index bbfe2a606..c329c57e5 100755
--- a/test/apps/apps.sh
+++ b/test/apps/apps.sh
@@ -69,6 +69,15 @@ else
 echo "TESTING SKIP: qbittorrent not found"
 fi
+which uget-gtk
+if [ "$?" -eq 0 ];
+then
+ echo "TESTING: uget"
+ ./uget-gtk.exp
+else
+ echo "TESTING SKIP: uget-gtk not found"
+fi
+
 which filezilla
 if [ "$?" -eq 0 ];
 then
diff --git a/test/apps/uget-gtk.exp b/test/apps/uget-gtk.exp
new file mode 100755
index 000000000..47fa5849b
--- /dev/null
+++ b/test/apps/uget-gtk.exp
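Review bot: `private-bin uget-gtk` in etc/uget-gtk.profile lists only the main binary, so any helper program uGet launches is absent from the sandbox; if the host uses uGet's aria2 plugin, which as far as I know starts a separate aria2c process, downloads through that plugin will fail silently inside the jail. Either extend the list (`private-bin uget-gtk,aria2c`) or record the limitation next to the directive, e.g. `# private-bin: only the built-in curl plugin is supported; aria2c is not available`. The new expect test in this commit only checks that the sandbox starts and shows up in firejail --list, so it would not catch a missing helper.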
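Review bot: The last comment line added to etc/weechat.profile ends in `xferloading plugins`, which reads like the plugin name `xfer` with a fragment of the next terminal line pasted after it, and the hunk also leaves the file without a trailing newline (`\ No newline at end of file`). The heading "no private-bin support for various reasons" could state the reason the plugin list already implies: `# no private-bin: the scripting plugins (guile, lua, perl, python, ruby, tcl) need their interpreters`. Ending the list at `trigger, xfer` and adding the final newline would make the comment accurate.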
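Review bot: The progress message in the new test/apps/apps.sh block says `echo "TESTING: uget"` while the skip branch and the binary checked by `which` both say uget-gtk, so the log names the same test two ways; `echo "TESTING: uget-gtk"` keeps it consistent with the other blocks. The `which`/`$?` form copies the file's existing pattern, so I would leave it for consistency, though `if command -v uget-gtk >/dev/null 2>&1; then` is the portable form and would stop the path from being printed into the test output.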
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail uget-gtk\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Reading profile /etc/firejail/uget-gtk.profile"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.1\n";exit}
+ "uget-gtk"
+}
+sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+ timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+ "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+ "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ ":firejail uget-gtk"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+ "Seccomp: 2"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1\n";exit}
+ "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ ":firejail uget-gtk"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.1\n";exit}
+ "CapBnd:"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.2\n";exit}
+ "0000000000000000"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.3\n";exit}
+ "name=blablabla"
+}
+sleep 1
+
+puts "\nall done\n"
+
-- cgit v1.2.3-54-g00ecf
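Review bot: The label `TESTING ERROR 5.1` is used twice in the new test/apps/uget-gtk.exp, once for the `Seccomp: 2` expectation (with a "(seccomp)" suffix) and again for the following `name=blablabla` one, and label 2 is skipped, so a timeout report does not identify which step failed; renaming the second to `TESTING ERROR 5.2` makes the output unambiguous. The file also has no description after the license header; a line such as `# Checks that the uget-gtk profile is read, the sandbox appears in firejail --list, seccomp is active and the capability bounding set is empty` would tell a reader what is covered. The two sandboxes the test starts (`firejail uget-gtk` and `firejail --name=blablabla`) are never terminated before "all done", so unless the surrounding harness cleans them up they outlive the test.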