From 926f21a51c2c9f1cd97b815323a8c2c8f5e9b927 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sat, 16 Apr 2016 10:06:26 -0400
Subject: added netsurf profile
---
etc/netsurf.profile | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
create mode 100644 etc/netsurf.profile
(limited to 'etc')
diff --git a/etc/netsurf.profile b/etc/netsurf.profile
new file mode 100644
index 000000000..26b621126
--- /dev/null
+++ b/etc/netsurf.profile
@@ -0,0 +1,34 @@
+# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
+
+noblacklist ~/.config/netsurf
+noblacklist ~/.cache/netsurf
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+seccomp
+protocol unix,inet,inet6,netlink
+netfilter
+tracelog
+noroot
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config
+mkdir ~/.config/netsurf
+whitelist ~/.config/netsurf
+mkdir ~/.cache
+mkdir ~/.cache/netsurf
+whitelist ~/.cache/netsurf
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+include /etc/firejail/whitelist-common.inc
+
+
+
-- cgit v1.2.3-70-g09d2
From 2cc65305e470638cd00bfc4aa90821851b35b53c Mon Sep 17 00:00:00 2001
From: Fred-Barclay
Date: Sun, 17 Apr 2016 23:53:27 +1000
Subject: added warzone2100 profile
---
etc/warzone2100.profile | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
create mode 100644 etc/warzone2100.profile
(limited to 'etc')
diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile
new file mode 100644
index 000000000..73408ffb1
--- /dev/null
+++ b/etc/warzone2100.profile
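Review bot: The header comment `+# Firejail profile for Mozilla Firefox (Iceweasel in Debian)` was carried over from the firefox profile and names the wrong program; it should read `# Firejail profile for netsurf`. The `# lastpass, keepassx` block looks copied from the same source: it whitelists the user's password-manager stores (`~/keepassx.kdbx`, `~/.lastpass`, ...) inside the sandbox, which is only justified if netsurf actually integrates with those managers — if it does not, dropping those five lines keeps the whitelist to what the browser needs. The profile also omits `include /etc/firejail/disable-passwdmgr.inc`, which the other new profiles on this page pull in; that is consistent with deliberately exposing the password stores, so a one-line comment should say which of the two is intended.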
@@ -0,0 +1,19 @@
+# Firejail profile for warzone2100
+# Currently supports warzone2100-3.1
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Call these options
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+# Whitelist
+noblacklist ~/.warzone2100-3.1
+mkdir ~/.warzone2100-3.1
+whitelist ~/.warzone2100-3.1
-- cgit v1.2.3-70-g09d2
From eb5c4692f16f9329975ddc2919442aa1fb2c0a44 Mon Sep 17 00:00:00 2001
From: Fred-Barclay
Date: Mon, 18 Apr 2016 00:02:21 +1000
Subject: warzone2100 extra files
---
Makefile.in | 1 +
etc/disable-programs.inc | 1 +
platform/debian/conffiles | 1 +
src/firecfg/firecfg.config | 1 +
4 files changed, 4 insertions(+)
(limited to 'etc')
diff --git a/Makefile.in b/Makefile.in
index 64a6fbd76..590f2cd5f 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -165,6 +165,7 @@ realinstall:
 install -c -m 0644 .etc/abrowser.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/0ad.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/netsurf.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+ install -c -m 0644 .etc/warzone2100.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 rm -fr .etc
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 7f18aa16f..43b9cff38 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -54,6 +54,7 @@ blacklist ${HOME}/.hedgewars
 blacklist ${HOME}/.steam
 blacklist ${HOME}/.config/wesnoth
 blacklist ${HOME}/.config/0ad
+blacklist ${HOME}/.warzone2100-3.1
 # Cryptocoins
 blacklist ${HOME}/.*coin
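Review bot: `+noblacklist ~/.warzone2100-3.1` is the second-to-last line of the profile, after the `include` lines that pull in disable-programs.inc; the follow-up commit on this page (20b1a0d1) moves it above the includes, which suggests the directive only takes effect when it precedes the blacklist it overrides — if so, this version of the profile blocks the game's own data directory as soon as the next commit adds it to disable-programs.inc. Placing the `noblacklist` line first, as netsurf.profile in the previous commit does, avoids depending on a later fix.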
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 5f1546a4f..2413965ba 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -84,3 +84,4 @@
 /etc/firejail/abrowser.profile
 /etc/firejail/0ad.profile
 /etc/firejail/netsurf.profile
+/etc/firejail/warzone2100.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index fed477f44..80433f1e5 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -75,3 +75,4 @@ xchat
 # games
 hedgewars
 wesnot
+warzone2100
-- cgit v1.2.3-70-g09d2
From 20b1a0d188129568efccfb21478cc035a1b0f048 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sun, 17 Apr 2016 12:13:17 -0400
Subject: warzone2100 and firecfg fixes
---
README | 1 +
README.md | 3 ++-
RELNOTES | 2 +-
etc/warzone2100.profile | 2 +-
src/firecfg/main.c | 5 +++--
5 files changed, 8 insertions(+), 5 deletions(-)
(limited to 'etc')
diff --git a/README b/README
index ade4b4258..e42c187e2 100644
--- a/README
+++ b/README
@@ -28,6 +28,7 @@ Fred-Barclay (https://github.com/Fred-Barclay)
 - split Icedove and Thunderbird profiles
 - added 0ad profile
 - fixed version for deb packages
+ - added Warzone2100 profile
 avoidr (https://github.com/avoidr)
 - whitelist fix
 - recently-used.xbel fix
diff --git a/README.md b/README.md
index d6a9a6c7a..ed564e58a 100644
--- a/README.md
+++ b/README.md
@@ -281,5 +281,6 @@ $ man firejail-profile
 ## New security profiles
 lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox,
-OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf
+OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf,
+Warzone2100
diff --git a/RELNOTES b/RELNOTES
index fc7df6f19..4bff6d092 100644
--- a/RELNOTES
+++ b/RELNOTES
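Review bot: The context line directly above the added `+warzone2100` reads `wesnot`, which looks like a typo for `wesnoth` (the profile list elsewhere on this page calls it Battle for Wesnoth); if firecfg matches program names literally, no symlink is ever created for that game. The same context line reappears untouched in the later firecfg.config hunk that adds `0ad`, so correcting it to `wesnoth` once covers both.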
@@ -18,7 +18,7 @@ firejail (0.9.40-rc1) baseline; urgency=low
 * new profiles: lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril
 * new profiles: qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars
 * new profiles: qTox, OpenSSH client, OpenBox, Dillo, cmus, dnsmasq
- * new profiles: PaleMoon, Icedove, abrowser, 0ad, netsurf
+ * new profiles: PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100
 * build rpm packages using "make rpms"
 * bugfixes
 -- netblue30 Sun, 3 Apr 2016 08:00:00 -0500
diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile
index 73408ffb1..7588da657 100644
--- a/etc/warzone2100.profile
+++ b/etc/warzone2100.profile
@@ -1,5 +1,6 @@
 # Firejail profile for warzone2100
 # Currently supports warzone2100-3.1
+noblacklist ~/.warzone2100-3.1
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -14,6 +15,5 @@ seccomp
 tracelog
 # Whitelist
-noblacklist ~/.warzone2100-3.1
 mkdir ~/.warzone2100-3.1
 whitelist ~/.warzone2100-3.1
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index 70d29a3ed..5fcace6cb 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -79,7 +79,8 @@ static int find(const char *program, const char *directory) {
 static int which(const char *program) {
 // check some well-known paths
 if (find(program, "/bin") || find(program, "/usr/bin") ||
- find(program, "/sbin") || find(program, "/usr/sbin"))
+ find(program, "/sbin") || find(program, "/usr/sbin") ||
+ find(program, "/usr/games"))
 return 1;
 // check environment
@@ -268,7 +269,7 @@ static void set(void) {
 // empty line
 if (*start == '\0')
 continue;
-
+
 // set link
 set_file(start, firejail_exec);
 }
-- cgit v1.2.3-70-g09d2
From 908d2a1d616a00462dbda4776aa51ee67727b2ad Mon Sep 17 00:00:00 2001
From: Fred-Barclay
Date: Mon, 18 Apr 2016 02:33:11 +1000
Subject: disabled VeraCrypt access
---
etc/disable-common.inc | 8 ++++++++
1 file changed, 8 insertions(+)
(limited to 'etc')
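Review bot: The well-known-path check in `which()` is now a five-term `||` chain spread across three lines, and each new directory means editing the condition and its continuation; a small table iterated in a loop keeps one path per line and makes the search order explicit. The rest of `which()` (the PATH scan under `// check environment`) lies outside the hunk and is unchanged.
```c
static int which(const char *program) {
	// check some well-known paths
	static const char *const dirs[] = {
		"/bin", "/usr/bin", "/sbin", "/usr/sbin", "/usr/games",
	};
	for (size_t i = 0; i < sizeof dirs / sizeof dirs[0]; i++) {
		if (find(program, dirs[i]))
			return 1;
	}
	// … unchanged: environment PATH scan …
```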
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index b1133f28f..2c8773b00 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -26,6 +26,14 @@ blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/VirtualBox VMs
 blacklist ${HOME}/.config/VirtualBox
+# VeraCrypt
+blacklist /usr/bin/veracrypt
+blacklist /usr/bin/veracrypt-uninstall.sh
+blacklist /usr/share/veracrypt
+blacklist /usr/share/applications/veracrypt.*
+blacklist /usr/share/pixmaps/veracrypt.*
+blacklist ${HOME}/.VeraCrypt
+
 # var
 blacklist /var/spool/cron
 blacklist /var/spool/anacron
-- cgit v1.2.3-70-g09d2
From 9bb31411516cb6df99f3ebbf31a4fb17b8b56f77 Mon Sep 17 00:00:00 2001
From: Fred-Barclay
Date: Mon, 18 Apr 2016 05:21:41 +1000
Subject: Fixed path
---
etc/disable-common.inc | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'etc')
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 2c8773b00..4d05ba783 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -27,8 +27,8 @@ blacklist ${HOME}/VirtualBox VMs
 blacklist ${HOME}/.config/VirtualBox
 # VeraCrypt
-blacklist /usr/bin/veracrypt
-blacklist /usr/bin/veracrypt-uninstall.sh
+blacklist ${PATH}/veracrypt
+blacklist ${PATH}/veracrypt-uninstall.sh
 blacklist /usr/share/veracrypt
 blacklist /usr/share/applications/veracrypt.*
 blacklist /usr/share/pixmaps/veracrypt.*
-- cgit v1.2.3-70-g09d2
From 96e801fd8a8f4a743e2286b9367177ce8f7b3c65 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Mon, 18 Apr 2016 09:38:54 -0400
Subject: added okular and gwenview profiles
---
Makefile.in | 2 ++
README | 7 ++++---
README.md | 2 +-
RELNOTES | 1 +
etc/disable-programs.inc | 5 +++++
etc/gwenview.profile | 19 +++++++++++++++++++
etc/okular.profile | 21 +++++++++++++++++++++
platform/debian/conffiles | 3 +++
src/firecfg/firecfg.config | 2 ++
9 files changed, 58 insertions(+), 4 deletions(-)
create mode 100644 etc/gwenview.profile
create mode 100644 etc/okular.profile
(limited to 'etc')
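Review bot: The new `# VeraCrypt` block blacklists the binary, its data files and `${HOME}/.VeraCrypt`, which keeps a sandboxed program from launching VeraCrypt or reading its settings, but not from reading an already-mounted volume — the mount point is wherever the user chose (commonly under /media or /mnt, which this block does not touch). A comment such as `# VeraCrypt (binary and config only; mounted volumes are not covered)` would make that scope clear to the next person extending the list. The follow-up hunk in the next commit, which rewrites the two binary entries as `blacklist ${PATH}/veracrypt`, inherits the same scope.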
diff --git a/Makefile.in b/Makefile.in
index 590f2cd5f..bc8061985 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -166,6 +166,8 @@ realinstall:
 install -c -m 0644 .etc/0ad.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/netsurf.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/warzone2100.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+ install -c -m 0644 .etc/okular.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+ install -c -m 0644 .etc/gwenview.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 rm -fr .etc
diff --git a/README b/README
index 55f9109da..e4ad5a49f 100644
--- a/README
+++ b/README
@@ -18,6 +18,10 @@ License: GPL v2
 Firejail Authors:
 netblue30 (netblue30@yahoo.com)
+curiosity-seeker (https://github.com/curiosity-seeker)
+ - tightening unbound and dnscrypt-proxy profiles
+ - dnsmasq profile
+ - okular and gwenview profiles
 Matthew Gyurgyik (https://github.com/pyther)
 - rpm spec and several fixes
 Joan Figueras (https://github.com/figue)
@@ -86,9 +90,6 @@ Rahiel Kasim (https://github.com/rahiel)
 - Mathematica profile
 creideiki (https://github.com/creideiki)
 - make the sandbox process reap all children
-curiosity-seeker (https://github.com/curiosity-seeker)
- - tightening unbound and dnscrypt-proxy profiles
- - dnsmasq profile
 sinkuu (https://github.com/sinkuu)
 - blacklisting kwalletd
 - fix symlink invocation for programs placing symlinks in $PATH
diff --git a/README.md b/README.md
index ed564e58a..afa1fa35c 100644
--- a/README.md
+++ b/README.md
@@ -282,5 +282,5 @@ $ man firejail-profile
 ## New security profiles
 lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox,
 OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf,
-Warzone2100
+Warzone2100, okular, gwenview
diff --git a/RELNOTES b/RELNOTES
index 37b4faf47..188f9d513 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -20,6 +20,7 @@ firejail (0.9.40-rc1) baseline; urgency=low
 * new profiles: qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars
 * new profiles: qTox, OpenSSH client, OpenBox, Dillo, cmus, dnsmasq
 * new profiles: PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100
+ * new profiles: okular, gwenview
 * build rpm packages using "make rpms"
 * bugfixes
 -- netblue30 Sun, 3 Apr 2016 08:00:00 -0500
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 43b9cff38..23dd8e025 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -8,6 +8,11 @@ blacklist ${HOME}/.Wolfram Research
 blacklist ${HOME}/.config/mupen64plus
 blacklist ${HOME}/.config/transmission
 blacklist ${HOME}/.config/uGet
+blacklist ~/.kde/share/apps/okular
+blacklist ~/.kde/share/config/okularrc
+blacklist ~/.kde/share/config/okularpartrc
+blacklist ~/.kde/share/apps/gwenview
+blacklist ~/.kde/share/config/gwenviewrc
 # Media players
 blacklist ${HOME}/.config/cmus
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
new file mode 100644
index 000000000..d61c57adc
--- /dev/null
+++ b/etc/gwenview.profile
@@ -0,0 +1,19 @@
+# KDE gwenview profile
+noblacklist ~/.kde/share/apps/gwenview
+noblacklist ~/.kde/share/config/gwenviewrc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+seccomp
+protocol unix
+noroot
+nogroups
+private-dev
+
+#Experimental:
+#shell none
+#private-bin gwenview
+#private-etc X11
+
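Review bot: The five added `blacklist ~/.kde/...` lines use `~` where every other entry in this file (including `blacklist ${HOME}/.config/uGet` directly above) uses `${HOME}`; assuming firejail expands both the same way this is only a consistency issue, but the mixed style makes it easy to miss entries when grepping for `${HOME}`. Writing them as `blacklist ${HOME}/.kde/share/apps/okular` and so on matches the file, and the later hunks on this page that add the Gpredict, aweather and stellarium entries already use `${HOME}`.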
diff --git a/etc/okular.profile b/etc/okular.profile
new file mode 100644
index 000000000..7929a8796
--- /dev/null
+++ b/etc/okular.profile
@@ -0,0 +1,21 @@
+# KDE okular profile
+noblacklist ~/.kde/share/apps/okular
+noblacklist ~/.kde/share/config/okularrc
+noblacklist ~/.kde/share/config/okularpartrc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+seccomp
+protocol unix
+noroot
+nogroups
+private-dev
+
+#Experimental:
+#net none
+#shell none
+#private-bin okular,kbuildsycoca4,kbuildsycoca5
+#private-etc X11
+
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 2413965ba..1ea112301 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -85,3 +85,6 @@
 /etc/firejail/0ad.profile
 /etc/firejail/netsurf.profile
 /etc/firejail/warzone2100.profile
+/etc/firejail/okular.profile
+/etc/firejail/gwenview.profile
+
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 80433f1e5..d732796e9 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -51,6 +51,8 @@ loweb
 lowriter
 Mathematica
 mathematica
+gwenview
+okular
 # Media
 vlc
-- cgit v1.2.3-70-g09d2
From bc5a06e9970fe03325f28e0cdef96ea5c596113f Mon Sep 17 00:00:00 2001
From: Fred-Barclay
Date: Tue, 19 Apr 2016 00:06:13 +1000
Subject: added gpredict profile
---
Makefile.in | 1 +
README | 3 ++-
README.md | 2 +-
etc/disable-programs.inc | 1 +
etc/gpredict.profile | 23 +++++++++++++++++++++++
platform/debian/conffiles | 2 +-
src/firecfg/firecfg.config | 3 +++
7 files changed, 32 insertions(+), 3 deletions(-)
create mode 100644 etc/gpredict.profile
(limited to 'etc')
diff --git a/Makefile.in b/Makefile.in
index bc8061985..cb897c23d 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -168,6 +168,7 @@ realinstall:
 install -c -m 0644 .etc/warzone2100.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/okular.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/gwenview.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+ install -c -m 0644 .etc/gpredict.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 rm -fr .etc
diff --git a/README b/README
index e4ad5a49f..d0a7aaf8d 100644
--- a/README
+++ b/README
@@ -31,9 +31,10 @@ Fred-Barclay (https://github.com/Fred-Barclay)
 - added PaleMoon profile
 - split Icedove and Thunderbird profiles
 - added 0ad profile
- - fixed version for deb packages
+ - fixed version for .deb packages
 - added Warzone2100 profile
 - blacklisted VeraCrypt
+ - added Gpredict profile
 avoidr (https://github.com/avoidr)
 - whitelist fix
 - recently-used.xbel fix
diff --git a/README.md b/README.md
index afa1fa35c..ca7927fff 100644
--- a/README.md
+++ b/README.md
@@ -282,5 +282,5 @@ $ man firejail-profile
 ## New security profiles
 lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox,
 OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf,
-Warzone2100, okular, gwenview
+Warzone2100, okular, gwenview, Gpredict
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 23dd8e025..6c5515894 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -8,6 +8,7 @@ blacklist ${HOME}/.Wolfram Research
 blacklist ${HOME}/.config/mupen64plus
 blacklist ${HOME}/.config/transmission
 blacklist ${HOME}/.config/uGet
+blacklist ${HOME}/.config/Gpredict
 blacklist ~/.kde/share/apps/okular
 blacklist ~/.kde/share/config/okularrc
 blacklist ~/.kde/share/config/okularpartrc
diff --git a/etc/gpredict.profile b/etc/gpredict.profile
new file mode 100644
index 000000000..f53cb1b4f
--- /dev/null
+++ b/etc/gpredict.profile
@@ -0,0 +1,23 @@
+# Firejail profile for gpredict.
+
+# Noblacklist
+noblacklist ~/.config/Gpredict
+
+# Include
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Call these options
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+# Whitelist
+mkdir ~/.config
+mkdir ~/.config/Gpredict
+whitelist ~/.config/Gpredict
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 1ea112301..6f5b564a0 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -87,4 +87,4 @@
 /etc/firejail/warzone2100.profile
 /etc/firejail/okular.profile
 /etc/firejail/gwenview.profile
-
+/etc/firejail/gpredict.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index d732796e9..8bebf76af 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -2,6 +2,9 @@
 # This is the list of programs handled by firecfg utility
 #
+# astronomy
+gpredict
+
 # browsers/email
 firefox
 iceweasel
-- cgit v1.2.3-70-g09d2
From 63958869fef0e01adb64b83ffa8cdbaf892a93b9 Mon Sep 17 00:00:00 2001
From: Joan Figueras
Date: Mon, 18 Apr 2016 23:00:55 +0200
Subject: added google-play-music-desktop-player profile
---
etc/google-play-music-desktop-player.profile | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
create mode 100644 etc/google-play-music-desktop-player.profile
(limited to 'etc')
diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile
new file mode 100644
index 000000000..56d09d5b2
--- /dev/null
+++ b/etc/google-play-music-desktop-player.profile
@@ -0,0 +1,16 @@
+# Google Play Music desktop player profile
+noblacklist ~/.config/Google Play Music Desktop Player
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+seccomp
+protocol unix,inet,inet6,netlink
+noroot
+
+#whitelist ~/.pulse
+#whitelist ~/.config/pulse
+whitelist ~/.config/Google Play Music Desktop Player
-- cgit v1.2.3-70-g09d2
From aff18630c4fbe49859135c76dbb7ee83233c8f64 Mon Sep 17 00:00:00 2001
From: Fred-Barclay
Date: Tue, 19 Apr 2016 10:43:38 +1000
Subject: added aweather profile
---
etc/aweather.profile | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
create mode 100644 etc/aweather.profile
(limited to 'etc')
diff --git a/etc/aweather.profile b/etc/aweather.profile
new file mode 100644
index 000000000..d7f510a7e
--- /dev/null
+++ b/etc/aweather.profile
@@ -0,0 +1,23 @@
+# Firejail profile for aweather.
+
+# Noblacklist
+noblacklist ~/.config/aweather
+
+# Include
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Call these options
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+# Whitelist
+mkdir ~/.config
+mkdir ~/.config/aweather
+whitelist ~/.config/aweather
-- cgit v1.2.3-70-g09d2
From e42a45614a31eb06a9741490666ffc11a64d9931 Mon Sep 17 00:00:00 2001
From: Fred-Barclay
Date: Tue, 19 Apr 2016 11:04:24 +1000
Subject: extra aweather files
---
Makefile.in | 1 +
README | 1 +
README.md | 2 +-
etc/disable-programs.inc | 1 +
platform/debian/conffiles | 1 +
src/firecfg/firecfg.config | 4 ++++
6 files changed, 9 insertions(+), 1 deletion(-)
(limited to 'etc')
diff --git a/Makefile.in b/Makefile.in
index cb897c23d..0ba490454 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -169,6 +169,7 @@ realinstall:
 install -c -m 0644 .etc/okular.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/gwenview.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/gpredict.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+ install -c -m 0644 .etc/aweather.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 rm -fr .etc
diff --git a/README b/README
index d0a7aaf8d..db7410a73 100644
--- a/README
+++ b/README
@@ -35,6 +35,7 @@ Fred-Barclay (https://github.com/Fred-Barclay)
 - added Warzone2100 profile
 - blacklisted VeraCrypt
 - added Gpredict profile
+ - added Aweather profile
 avoidr (https://github.com/avoidr)
 - whitelist fix
 - recently-used.xbel fix
diff --git a/README.md b/README.md
index ca7927fff..99ded275e 100644
--- a/README.md
+++ b/README.md
@@ -282,5 +282,5 @@ $ man firejail-profile
 ## New security profiles
 lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox,
 OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf,
-Warzone2100, okular, gwenview, Gpredict
+Warzone2100, okular, gwenview, Gpredict, Aweather
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 6c5515894..2b3a933a5 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -9,6 +9,7 @@ blacklist ${HOME}/.config/mupen64plus
 blacklist ${HOME}/.config/transmission
 blacklist ${HOME}/.config/uGet
 blacklist ${HOME}/.config/Gpredict
+blacklist ${HOME}/.config/aweather
 blacklist ~/.kde/share/apps/okular
 blacklist ~/.kde/share/config/okularrc
 blacklist ~/.kde/share/config/okularpartrc
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 6f5b564a0..1cdf3d0f4 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -88,3 +88,4 @@
 /etc/firejail/okular.profile
 /etc/firejail/gwenview.profile
 /etc/firejail/gpredict.profile
+/etc/firejail/aweather.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 8bebf76af..da31a7c7e 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -5,6 +5,9 @@
 # astronomy
 gpredict
+# weather/climate
+aweather
+
 # browsers/email
 firefox
 iceweasel
@@ -78,6 +81,7 @@ quassel
 xchat
 # games
+0ad
 hedgewars
 wesnot
 warzone2100
-- cgit v1.2.3-70-g09d2
From 14bc13ca49895676e36e4ffa2f56657dc5336d10 Mon Sep 17 00:00:00 2001
From: Fred-Barclay
Date: Tue, 19 Apr 2016 11:44:05 +1000
Subject: added stellarium profile
---
etc/stellarium.profile | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 etc/stellarium.profile
(limited to 'etc')
diff --git a/etc/stellarium.profile b/etc/stellarium.profile
new file mode 100644
index 000000000..7cb74eeaa
--- /dev/null
+++ b/etc/stellarium.profile
@@ -0,0 +1,27 @@
+# Firejail profile for Stellarium.
+
+# Noblacklist
+noblacklist ~/.stellarium
+noblacklist ~/.config/stellarium
+
+# Include
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Call these options
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+# Whitelist
+mkdir ~/.stellarium
+whitelist ~/.stellarium
+
+mkdir ~/.config
+mkdir ~/.config/stellarium
+whitelist ~/.config/stellarium
-- cgit v1.2.3-70-g09d2
From 7c0d9f974660f10ffc096a379d6dd4cb46761023 Mon Sep 17 00:00:00 2001
From: Fred-Barclay
Date: Tue, 19 Apr 2016 11:49:44 +1000
Subject: extra stellarium files
---
Makefile.in | 1 +
README | 8 ++++----
README.md | 2 +-
etc/disable-programs.inc | 2 ++
platform/debian/conffiles | 1 +
src/firecfg/firecfg.config | 1 +
6 files changed, 10 insertions(+), 5 deletions(-)
(limited to 'etc')
diff --git a/Makefile.in b/Makefile.in
index 0ba490454..c15ecd7dd 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -170,6 +170,7 @@ realinstall:
 install -c -m 0644 .etc/gwenview.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/gpredict.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/aweather.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+ install -c -m 0644 .etc/stellarium.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 rm -fr .etc
diff --git a/README b/README
index db7410a73..7919bdaad 100644
--- a/README
+++ b/README
@@ -19,9 +19,9 @@ Firejail Authors:
 netblue30 (netblue30@yahoo.com)
 curiosity-seeker (https://github.com/curiosity-seeker)
- - tightening unbound and dnscrypt-proxy profiles
- - dnsmasq profile
- - okular and gwenview profiles
+ - tightening unbound and dnscrypt-proxy profiles
+ - dnsmasq profile
+ - okular and gwenview profiles
 Matthew Gyurgyik (https://github.com/pyther)
 - rpm spec and several fixes
 Joan Figueras (https://github.com/figue)
@@ -35,7 +35,7 @@ Fred-Barclay (https://github.com/Fred-Barclay)
 - added Warzone2100 profile
 - blacklisted VeraCrypt
 - added Gpredict profile
- - added Aweather profile
+ - added Aweather, Stellarium profiles
 avoidr (https://github.com/avoidr)
 - whitelist fix
 - recently-used.xbel fix
diff --git a/README.md b/README.md
index 99ded275e..5b2626288 100644
--- a/README.md
+++ b/README.md
@@ -282,5 +282,5 @@ $ man firejail-profile
 ## New security profiles
 lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox,
 OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf,
-Warzone2100, okular, gwenview, Gpredict, Aweather
+Warzone2100, okular, gwenview, Gpredict, Aweather, Stellarium
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 2b3a933a5..317ac082f 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -5,11 +5,13 @@ blacklist ${HOME}/.FBReader
 blacklist ${HOME}/.wine
 blacklist ${HOME}/.Mathematica
 blacklist ${HOME}/.Wolfram Research
+blacklist ${HOME}/.stellarium
 blacklist ${HOME}/.config/mupen64plus
 blacklist ${HOME}/.config/transmission
 blacklist ${HOME}/.config/uGet
 blacklist ${HOME}/.config/Gpredict
 blacklist ${HOME}/.config/aweather
+blacklist ${HOME}/.config/stellarium
 blacklist ~/.kde/share/apps/okular
 blacklist ~/.kde/share/config/okularrc
 blacklist ~/.kde/share/config/okularpartrc
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 1cdf3d0f4..7ce729d6e 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -89,3 +89,4 @@
 /etc/firejail/gwenview.profile
 /etc/firejail/gpredict.profile
 /etc/firejail/aweather.profile
+/etc/firejail/stellarium.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index da31a7c7e..3812ee7d8 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -4,6 +4,7 @@
 # astronomy
 gpredict
+stellarium
 # weather/climate
 aweather
-- cgit v1.2.3-70-g09d2
From 7cc1fa0d7e572b7e9417f011509c4cf6d719dd9b Mon Sep 17 00:00:00 2001
From: netblue30
Date: Tue, 19 Apr 2016 08:54:04 -0400
Subject: google-play-music-desktop-player.profile
---
Makefile.in | 1 +
README | 1 +
README.md | 2 +-
RELNOTES | 3 ++-
etc/google-play-music-desktop-player.profile | 1 +
platform/debian/conffiles | 1 +
6 files changed, 7 insertions(+), 2 deletions(-)
(limited to 'etc')
diff --git a/Makefile.in b/Makefile.in
index c15ecd7dd..dfeea565b 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -171,6 +171,7 @@ realinstall:
 install -c -m 0644 .etc/gpredict.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/aweather.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/stellarium.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+ install -c -m 0644 .etc/google-play-music-desktop-player.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 rm -fr .etc
diff --git a/README b/README
index 7919bdaad..b1e1bd546 100644
--- a/README
+++ b/README
@@ -26,6 +26,7 @@ Matthew Gyurgyik (https://github.com/pyther) - rpm spec and several fixes Joan Figueras (https://github.com/figue) - added abrowser profile + - added Google-Play-Music-Desktop-Player Fred-Barclay (https://github.com/Fred-Barclay) - added Vivaldi, Atril profiles - added PaleMoon profile diff --git a/README.md b/README.md index 5b2626288..1cfbd0aa9 100644 --- a/README.md +++ b/README.md @@ -282,5 +282,5 @@ $ man firejail-profile ## New security profiles lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox, OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf, -Warzone2100, okular, gwenview, Gpredict, Aweather, Stellarium +Warzone2100, okular, gwenview, Gpredict, Aweather, Stellarium, Google-Play-Music-Desktop-Player diff --git a/RELNOTES b/RELNOTES index 188f9d513..1502f5bba 100644 --- a/RELNOTES +++ b/RELNOTES @@ -20,7 +20,8 @@ firejail (0.9.40-rc1) baseline; urgency=low * new profiles: qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars * new profiles: qTox, OpenSSH client, OpenBox, Dillo, cmus, dnsmasq * new profiles: PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100 - * new profiles: okular, gwenview + * new profiles: okular, gwenview, Google-Play-Music-Desktop-Player + * new profiles: Aweather, Stellarium, gpredict * build rpm packages using "make rpms" * bugfixes -- netblue30 Sun, 3 Apr 2016 08:00:00 -0500 diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile index 56d09d5b2..7fe43f1f6 100644 --- a/etc/google-play-music-desktop-player.profile +++ b/etc/google-play-music-desktop-player.profile @@ -10,6 +10,7 @@ caps.drop all seccomp protocol unix,inet,inet6,netlink noroot +netfilter #whitelist ~/.pulse #whitelist ~/.config/pulse diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 7ce729d6e..a5ca6d072 100644 --- a/platform/debian/conffiles 
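Review bot: `netfilter` is added to google-play-music-desktop-player.profile, but nothing in the hunk creates a network namespace (no `net` line is visible, and the rest of the profile is outside the hunk); as far as I recall firejail only installs its netfilter rules inside a new network namespace, so the line is likely a no-op here rather than a firewall. Either pair it with the `net` option it depends on, or mark the intent so nobody counts on it: `# netfilter: only effective together with a net option that creates a network namespace`. The same applies to the `netfilter` lines added to hexchat.profile, cyberfox.profile, default.profile, xplayer.profile, xreader.profile and xviewer.profile further down this page.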
+++ b/platform/debian/conffiles @@ -90,3 +90,4 @@ /etc/firejail/gpredict.profile /etc/firejail/aweather.profile /etc/firejail/stellarium.profile +/etc/firejail/google-play-music-desktop-player.profile -- cgit v1.2.3-70-g09d2 From 7dc1965e85e5f85cb0cdaf085db9949e4cdc1073 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Fri, 22 Apr 2016 01:03:36 +1000 Subject: fixed python libs --- etc/hexchat.profile | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'etc') diff --git a/etc/hexchat.profile b/etc/hexchat.profile index 8f6fd6217..7978960c8 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile @@ -1,5 +1,6 @@ # HexChat instant messaging profile noblacklist ${HOME}/.config/hexchat +noblacklist /usr/lib/python2* include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc @@ -8,3 +9,8 @@ caps.drop all seccomp protocol unix,inet,inet6 noroot +netfilter + +mkdir ~/.config +mkdir ~/.config/hexchat +whitelist ~/.config/hexchat -- cgit v1.2.3-70-g09d2 From f586c532955b81a2955aadfbfaddffe279744b54 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Fri, 22 Apr 2016 01:04:22 +1000 Subject: added print config dir --- etc/atril.profile | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/atril.profile b/etc/atril.profile index e078c1d20..c5b2abc48 100644 --- a/etc/atril.profile +++ b/etc/atril.profile @@ -1,4 +1,5 @@ # Atril profile +noblacklist ~/.config/atril include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc @@ -7,6 +8,10 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp protocol unix,inet,inet6 -netfilter +net none noroot tracelog + +mkdir ~/.config +mkdir ~/.config/atril +whitelist ~/.config/atril -- cgit v1.2.3-70-g09d2 From bec09e54d0f78277f5ab1c2cbb9afadbc53ae444 Mon Sep 17 00:00:00 2001 
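Review bot: `noblacklist /usr/lib/python2*` in hexchat.profile depends on glob matching in the noblacklist command, which the disable-devel.inc change later on this page describes as still pending ("pending globbing implementation in noblacklist command"); until that lands the line presumably matches nothing and disable-devel.inc keeps /usr/lib/python2* blocked. Name the concrete directory instead, `noblacklist /usr/lib/python2.7` (substitute the version the distro ships), and record why: `# no globbing in noblacklist yet`. The python2/python3 noblacklist lines added to cherrytree.profile and hexchat.profile in the following commits have the same problem. The atril hunk's switch from `netfilter` to `net none` is the right call for a document viewer.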
From: netblue30 Date: Fri, 22 Apr 2016 08:30:35 -0400 Subject: cherrytree profile fixes --- README | 1 + etc/cherrytree.profile | 2 ++ 2 files changed, 3 insertions(+) (limited to 'etc') diff --git a/README b/README index bf02d03ed..9ea2730ad 100644 --- a/README +++ b/README @@ -27,6 +27,7 @@ curiosity-seeker (https://github.com/curiosity-seeker) - tightening unbound and dnscrypt-proxy profiles - dnsmasq profile - okular and gwenview profiles + - cherrytree profile fixes Matthew Gyurgyik (https://github.com/pyther) - rpm spec and several fixes Joan Figueras (https://github.com/figue) diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index 7bcc61e98..77fa79e11 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile @@ -1,4 +1,6 @@ # cherrytree note taking application +noblacklist /usr/bin/python2* +noblacklist /usr/lib/python2* include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc -- cgit v1.2.3-70-g09d2 From 3373ab1bd7f1abd83246bfd1ddfe76aa77e0726c Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 22 Apr 2016 12:01:08 -0400 Subject: fix mate-terminal --- etc/disable-common.inc | 2 ++ 1 file changed, 2 insertions(+) (limited to 'etc') diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 4d05ba783..9faa2aa6a 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -141,3 +141,5 @@ blacklist ${PATH}/gnome-terminal blacklist ${PATH}/gnome-terminal.wrapper blacklist ${PATH}/xfce4-terminal blacklist ${PATH}/xfce4-terminal.wrapper +blacklist ${PATH}/mate-terminal +blacklist ${PATH}/mate-terminal.wrapper -- cgit v1.2.3-70-g09d2 From ca8f44000f4a6a459aa99b883b047b8e5f0efa90 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sat, 23 Apr 2016 04:51:04 +1000 Subject: blacklisted additional terminals --- README | 1 + etc/disable-common.inc | 5 +++++ 2 files changed, 6 insertions(+) (limited to 'etc') diff --git a/README b/README index 650b5236b..f2a9cef35 100644 
--- a/README +++ b/README @@ -46,6 +46,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added Aweather, Stellarium profiles - fixed HexChat and Atril profiles - fixed disable-common.inc for mate-terminal + - blacklisted escape-happy terminals in disable-common.inc avoidr (https://github.com/avoidr) - whitelist fix - recently-used.xbel fix diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 9faa2aa6a..3613fbce3 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -143,3 +143,8 @@ blacklist ${PATH}/xfce4-terminal blacklist ${PATH}/xfce4-terminal.wrapper blacklist ${PATH}/mate-terminal blacklist ${PATH}/mate-terminal.wrapper +blacklist ${PATH}/lilyterm +blacklist ${PATH}/pantheon-terminal +blacklist ${PATH}/roxterm +blacklist ${PATH}/roxterm-config +blacklist ${PATH}/terminix -- cgit v1.2.3-70-g09d2 From ef25891cfb6f77f462bd47b9295adddda46ebb81 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sat, 23 Apr 2016 05:41:26 +1000 Subject: added urxvtc --- etc/disable-common.inc | 2 ++ 1 file changed, 2 insertions(+) (limited to 'etc') diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 3613fbce3..479f32cb1 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -148,3 +148,5 @@ blacklist ${PATH}/pantheon-terminal blacklist ${PATH}/roxterm blacklist ${PATH}/roxterm-config blacklist ${PATH}/terminix +blacklist ${PATH}/urxvtc +blacklist ${PATH}/urxvtcd -- cgit v1.2.3-70-g09d2 From 23f24befa8ebc88e0ba198d889ee5e78e93c3a2f Mon Sep 17 00:00:00 2001 From: Ruan Date: Sat, 23 Apr 2016 10:46:49 +0200 Subject: Allow python3 for hexchat.profile HexChat uses python3 under Arch Linux, so this is required for it to launch. --- etc/hexchat.profile | 1 + 1 file changed, 1 insertion(+) (limited to 'etc') diff --git a/etc/hexchat.profile b/etc/hexchat.profile index 7978960c8..bace1c9e6 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile 
@@ -1,6 +1,7 @@ # HexChat instant messaging profile noblacklist ${HOME}/.config/hexchat noblacklist /usr/lib/python2* +noblacklist /usr/lib/python3* include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc -- cgit v1.2.3-70-g09d2 From 53a4601321db31b590019c729ab47e1ceb3679ea Mon Sep 17 00:00:00 2001 From: Ruan Date: Sat, 23 Apr 2016 14:44:55 +0200 Subject: Include common whitelist for hexchat.profile --- etc/hexchat.profile | 1 + 1 file changed, 1 insertion(+) (limited to 'etc') diff --git a/etc/hexchat.profile b/etc/hexchat.profile index bace1c9e6..b77555e55 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile @@ -15,3 +15,4 @@ netfilter mkdir ~/.config mkdir ~/.config/hexchat whitelist ~/.config/hexchat +include /etc/firejail/whitelist-common.inc -- cgit v1.2.3-70-g09d2 From 67f5e3ca811fcb7fc6d9fbf47a4ae84c12c5a616 Mon Sep 17 00:00:00 2001 From: Joan Figueras Date: Sun, 24 Apr 2016 15:18:23 +0200 Subject: cyberfox profile --- etc/cyberfox.profile | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 etc/cyberfox.profile (limited to 'etc') diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile new file mode 100644 index 000000000..cef9ad464 --- /dev/null +++ b/etc/cyberfox.profile 
@@ -0,0 +1,52 @@
+# Firejail profile for Cyberfox (based on Mozilla Firefox)
+
+noblacklist ~/.8pecxstudios/cyberfox
+noblacklist ~/.cache/8pecxstudios
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+seccomp
+protocol unix,inet,inet6,netlink
+netfilter
+tracelog
+noroot
+
+whitelist ${DOWNLOADS}
+mkdir ~/.8pecxstudios
+whitelist ~/.8pecxstudios
+mkdir ~/.cache
+mkdir ~/.cache/8pecxstudios
+mkdir ~/.cache/8pecxstudios/cyberfox
+whitelist ~/.cache/8pecxstudios/cyberfox
+whitelist ~/dwhelper
+whitelist ~/.zotero
+whitelist ~/.vimperatorrc
+whitelist ~/.vimperator
+whitelist ~/.pentadactylrc
+whitelist ~/.pentadactyl
+whitelist ~/.keysnail.js
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+
+#silverlight
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/pipelight-silverlight5.1
+
+include /etc/firejail/whitelist-common.inc
+
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+
-- cgit v1.2.3-70-g09d2 From b72b5caa9c641f0230103977c9fcdbbdc5b2ea0c Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 24 Apr 2016 11:30:33 -0400 Subject: cyberfox profile --- Makefile.in | 1 + README | 2 ++ RELNOTES | 2 +- etc/disable-programs.inc | 2 ++ platform/debian/conffiles | 1 + 5 files changed, 7 insertions(+), 1 deletion(-) (limited to 'etc')
diff --git a/Makefile.in b/Makefile.in
index 5ae9a3a54..b80dbe15b 100644
--- a/Makefile.in
+++ b/Makefile.in
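Review bot: `noblacklist ~/.8pecxstudios/cyberfox` exempts only the cyberfox subdirectory, while the whitelist further down exposes the whole of `~/.8pecxstudios` and the follow-up commit on this page blacklists `${HOME}/.8pecxstudios` in disable-programs.inc; whether a noblacklist on a child path overrides a blacklist on its parent depends on how firejail matches the two lists, so the profile may end up with an empty or inaccessible profile directory. Make the three paths agree — either `noblacklist ~/.8pecxstudios` next to `whitelist ~/.8pecxstudios`, or narrow both the whitelist and the blacklist to the cyberfox subdirectory — and launch the browser once to confirm the profile is actually visible. The copied `#private-etc` line still lists `iceweasel,firefox` rather than a Cyberfox configuration directory, which will surprise whoever enables it.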
@@ -177,6 +177,7 @@ realinstall: install -c -m 0644 .etc/stellarium.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/google-play-music-desktop-player.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/quiterss.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/cyberfox.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" rm -fr .etc diff --git a/README b/README index 069a6e664..99cd08a5e 100644 --- a/README +++ b/README @@ -18,6 +18,7 @@ License: GPL v2 Firejail Authors: netblue30 (netblue30@yahoo.com) + Ruan (https://github.com/ruany) - fixed hexchat profile Vasya Novikov (https://github.com/vn971) @@ -36,6 +37,7 @@ Matthew Gyurgyik (https://github.com/pyther) Joan Figueras (https://github.com/figue) - added abrowser profile - added Google-Play-Music-Desktop-Player + - added cyberfox profile Fred-Barclay (https://github.com/Fred-Barclay) - added Vivaldi, Atril profiles - added PaleMoon profile diff --git a/RELNOTES b/RELNOTES index 91b41abcf..0a5cc926d 100644 --- a/RELNOTES +++ b/RELNOTES @@ -22,7 +22,7 @@ firejail (0.9.40-rc1) baseline; urgency=low * new profiles: qTox, OpenSSH client, OpenBox, Dillo, cmus, dnsmasq * new profiles: PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100 * new profiles: okular, gwenview, Google-Play-Music-Desktop-Player - * new profiles: Aweather, Stellarium, gpredict, quiterss + * new profiles: Aweather, Stellarium, gpredict, quiterss, cyberfox * build rpm packages using "make rpms" * bugfixes -- netblue30 Sun, 3 Apr 2016 08:00:00 -0500 diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 317ac082f..297d25bf2 100644 --- a/etc/disable-programs.inc 
+++ b/etc/disable-programs.inc @@ -45,6 +45,7 @@ blacklist ${HOME}/.conkeror.mozdev.org blacklist ${HOME}/.config/epiphany blacklist ${HOME}/.config/slimjet blacklist ${HOME}/.config/qutebrowser +blacklist ${HOME}/.8pecxstudios # Instant Messaging blacklist ${HOME}/.config/hexchat @@ -93,6 +94,7 @@ blacklist ${HOME}/.cache/icedove blacklist ${HOME}/.cache/transmission blacklist ${HOME}/.cache/wesnoth blacklist ${HOME}/.cache/0ad +blacklist ${HOME}/.cache/8pecxstudios # share blacklist ${HOME}/.local/share/epiphany diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 8297f96eb..2456d8a90 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -92,3 +92,4 @@ /etc/firejail/stellarium.profile /etc/firejail/google-play-music-desktop-player.profile /etc/firejail/quiterss.profile +/etc/firejail/cyberfox.profile -- cgit v1.2.3-70-g09d2 From 61b09428c5e92121d4192f480701f7a92a02634b Mon Sep 17 00:00:00 2001 From: avoidr Date: Sun, 1 May 2016 13:18:47 +0200 Subject: noblacklist python3 --- etc/cherrytree.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index 77fa79e11..1f69f61c6 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile @@ -1,6 +1,6 @@ # cherrytree note taking application noblacklist /usr/bin/python2* -noblacklist /usr/lib/python2* +noblacklist /usr/lib/python3* include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc -- cgit v1.2.3-70-g09d2 From f374c79aa7d8248cc8a44d773f140966030f30a8 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 1 May 2016 17:59:16 -0400 Subject: cleanup --- README | 37 +++++++++++++++++++------------------ etc/disable-devel.inc | 24 +++++++++++++----------- src/firejail/fs.c | 2 ++ 3 files changed, 34 insertions(+), 29 deletions(-) (limited to 'etc') diff --git a/README b/README index 7779ebf4e..0ae06b5ed 100644 --- a/README 
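Review bot: After this change cherrytree.profile re-enables `/usr/bin/python2*` but `/usr/lib/python3*`, so the interpreter binary and the library tree belong to different major versions; one of the two lines is presumably wrong for whichever python cherrytree actually runs on. Pick one version for both lines (e.g. `noblacklist /usr/bin/python3*` alongside the new library line), or keep both versions explicitly with a comment naming which distribution needs which. Both lines also rely on glob matching in noblacklist, which the disable-devel.inc hunk below describes as not implemented yet.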
+++ b/README @@ -18,6 +18,25 @@ License: GPL v2 Firejail Authors: netblue30 (netblue30@yahoo.com) +Reiner Herrmann + - a number of build patches + - man page fixes + - Debian and Ubuntu integration + - clang-analyzer fixes + - Debian reproducible build + - unit testing framework +avoidr (https://github.com/avoidr) + - whitelist fix + - recently-used.xbel fix + - added parole profile + - blacklist ncat, manpage fixes, + - hostname support in profile file + - Google Chrome profile rework + - added cmus profile + - man page fixes + - add net iface support in profile files + - paths fix + - lots of profile fixes Ruan (https://github.com/ruany) - fixed hexchat profile Vasya Novikov (https://github.com/vn971) @@ -50,18 +69,6 @@ Fred-Barclay (https://github.com/Fred-Barclay) - fixed HexChat and Atril profiles - fixed disable-common.inc for mate-terminal - blacklisted escape-happy terminals in disable-common.inc -avoidr (https://github.com/avoidr) - - whitelist fix - - recently-used.xbel fix - - added parole profile - - blacklist ncat, manpage fixes, - - hostname support in profile file - - Google Chrome profile rework - - added cmus profile - - man page fixes - - add net iface support in profile files - - paths fix - - lots of profile fixes Petter Reinholdtsen (pere@hungry.com) - Opera profile patch n1trux (https://github.com/n1trux) @@ -166,12 +173,6 @@ sarneaud (https://github.com/sarneaud) - various enhancements and bug fixes Patrick Toomey (http://sourceforge.net/u/ptoomey/profile/) - user namespace implementation -Reiner Herrmann - - a number of build patches - - man page fixes - - Debian and Ubuntu integration - - clang-analyzer fixes - - Debian reproducible build sshirokov (http://sourceforge.net/u/yshirokov/profile/) - Patch to output "Reading profile" to stderr instead of stdout G4JC (http://sourceforge.net/u/gaming4jc/profile/) diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc index fa77ed8d1..2805938d7 100644 --- a/etc/disable-devel.inc 
+++ b/etc/disable-devel.inc @@ -35,17 +35,19 @@ blacklist /usr/lib/php* blacklist /usr/bin/ruby blacklist /usr/lib/ruby +# disabled temporarily pending globbing implementation +# in noblacklist command and firefox profile fix # Python 2 -blacklist /usr/bin/python2* -blacklist /usr/lib/python2* -blacklist /usr/local/lib/python2* -blacklist /usr/include/python2* -blacklist /usr/share/python2* - +#blacklist /usr/bin/python2* +#blacklist /usr/lib/python2* +#blacklist /usr/local/lib/python2* +#blacklist /usr/include/python2* +#blacklist /usr/share/python2* +# # Python 3 -blacklist /usr/bin/python3* -blacklist /usr/lib/python3* -blacklist /usr/local/lib/python3* -blacklist /usr/share/python3* -blacklist /usr/include/python3* +#blacklist /usr/bin/python3* +#blacklist /usr/lib/python3* +#blacklist /usr/local/lib/python3* +#blacklist /usr/share/python3* +#blacklist /usr/include/python3* diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 171b4848c..4dff6fce8 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -729,9 +729,11 @@ void fs_basic_fs(void) { printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr"); if (!arg_writable_etc) { fs_rdonly("/etc"); + if (arg_debug) printf(", /etc"); } if (!arg_writable_var) { fs_rdonly("/var"); + if (arg_debug) printf(", /var"); } if (arg_debug) printf("\n"); fs_rdonly("/bin"); -- cgit v1.2.3-70-g09d2 From 7a00b97bf0073dd7fefc7f8ffebe25bdf431e153 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Tue, 3 May 2016 06:14:49 +1000 Subject: blacklisted g++ --- README | 1 + etc/disable-devel.inc | 2 ++ 2 files changed, 3 insertions(+) (limited to 'etc') diff --git a/README b/README index 0ae06b5ed..c40f99210 100644 --- a/README +++ b/README 
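Review bot: Commenting out every python2/python3 blacklist in disable-devel.inc widens all profiles that include it, not only the firefox profile the comment mentions: a full interpreter and its library tree become reachable inside every sandbox that relied on disable-devel.inc to remove scripting toolchains. If the only blocker is that noblacklist cannot glob, the narrower fix is to keep these blacklists and give the affected profiles non-glob noblacklist lines for the concrete directories (e.g. `noblacklist /usr/lib/python2.7`, substituting the shipped version). At minimum the comment should name the condition for restoring the lines and the profiles that must be fixed first, e.g. `# TODO: restore once noblacklist supports globs and firefox/hexchat/cherrytree profiles use it`.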
@@ -69,6 +69,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - fixed HexChat and Atril profiles - fixed disable-common.inc for mate-terminal - blacklisted escape-happy terminals in disable-common.inc + - blacklisted g++ Petter Reinholdtsen (pere@hungry.com) - Opera profile patch n1trux (https://github.com/n1trux) diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc index 2805938d7..0c9d21d39 100644 --- a/etc/disable-devel.inc +++ b/etc/disable-devel.inc @@ -9,6 +9,8 @@ blacklist /usr/bin/c8* blacklist /usr/bin/c++* blacklist /usr/bin/ld blacklist /usr/bin/gdb +blacklist /usr/bin/g++* +blacklist /usr/bin/x86_64-linux-gnu-g++* # clang/llvm blacklist /usr/bin/clang* -- cgit v1.2.3-70-g09d2 From 87ae8e4cd596040c75009efeea1ed726d6a53c8c Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 2 May 2016 17:25:24 -0400 Subject: add Ubuntu snap application profile --- Makefile.in | 1 + README.md | 2 +- RELNOTES | 1 + etc/snap.profile | 13 +++++++++++++ platform/debian/conffiles | 1 + 5 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 etc/snap.profile (limited to 'etc') diff --git a/Makefile.in b/Makefile.in index 6c70e5360..8a6e8fa01 100644 --- a/Makefile.in +++ b/Makefile.in @@ -178,6 +178,7 @@ realinstall: install -c -m 0644 .etc/google-play-music-desktop-player.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/quiterss.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/cyberfox.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/snap.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" rm -fr .etc diff --git a/README.md b/README.md index 8172a1798..c148608d9 100644 --- a/README.md +++ b/README.md 
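Review bot: `blacklist /usr/bin/x86_64-linux-gnu-g++*` only covers the Debian multiarch name on amd64; the same compiler installed as `i386-linux-gnu-g++*`, `aarch64-linux-gnu-g++*` or any other triplet stays reachable, and the `c++*`, `ld` and `gdb` entries in the context lines have no triplet-prefixed counterparts either. If the blacklist command's glob support allows a leading wildcard, a single `blacklist /usr/bin/*-linux-gnu-g++*` covers every triplet; otherwise list the triplets the project builds packages for and say so in a comment.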
@@ -283,6 +283,6 @@ $ man firejail-profile lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox, OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100, okular, gwenview, Gpredict, Aweather, Stellarium, Google-Play-Music-Desktop-Player, quiterss, -cyberfox +cyberfox, generic Ubuntu snap application profile diff --git a/RELNOTES b/RELNOTES index 0a5cc926d..b6304249f 100644 --- a/RELNOTES +++ b/RELNOTES @@ -23,6 +23,7 @@ firejail (0.9.40-rc1) baseline; urgency=low * new profiles: PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100 * new profiles: okular, gwenview, Google-Play-Music-Desktop-Player * new profiles: Aweather, Stellarium, gpredict, quiterss, cyberfox + * new profiles: generic Ubuntu snap application profile * build rpm packages using "make rpms" * bugfixes -- netblue30 Sun, 3 Apr 2016 08:00:00 -0500 diff --git a/etc/snap.profile b/etc/snap.profile new file mode 100644 index 000000000..b7e6d9b19 --- /dev/null +++ b/etc/snap.profile @@ -0,0 +1,13 @@ +################################ +# Generic Ubuntu snap application profile +################################ +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +whitelist ~/snap +include /etc/firejail/whitelist-common.inc + +caps.keep chown,sys_admin + + diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 2456d8a90..11d583ec3 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -93,3 +93,4 @@ /etc/firejail/google-play-music-desktop-player.profile /etc/firejail/quiterss.profile /etc/firejail/cyberfox.profile +/etc/firejail/snap.profile -- cgit v1.2.3-70-g09d2 From c3354382c92b386da5ed76f5b12643412a2d32ea Mon Sep 17 00:00:00 2001 
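Review bot: snap.profile keeps `chown` and `sys_admin` via `caps.keep` and carries no `seccomp`, `noroot` or `protocol` line, so it is much weaker than default.profile on this page — CAP_SYS_ADMIN spans mount and namespace operations, leaving the filesystem whitelist as most of the remaining boundary. If snap's own confinement helper needs these capabilities to start (presumably the reason they are kept), state that in the profile header, e.g. `# caps.keep chown,sys_admin: needed by the snap confinement helper; seccomp/noroot left out for the same reason — verify before tightening`, so a later reader does not mistake it for an oversight. Also check whether `seccomp` can be added anyway: it is independent of the capability set and is the main syscall-level protection the other profiles rely on.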
From: netblue30 Date: Wed, 4 May 2016 12:18:50 -0400 Subject: rename generic.profile as default.profile --- Makefile.in | 2 +- RELNOTES | 1 + etc/default.profile | 15 +++++++++++++++ etc/generic.profile | 15 --------------- platform/debian/conffiles | 2 +- src/firejail/firejail.h | 2 +- src/firejail/main.c | 4 ++-- src/man/firejail-profile.txt | 2 +- src/man/firejail.txt | 4 ++-- test/extract_command.exp | 2 +- test/private.exp | 2 +- 11 files changed, 26 insertions(+), 25 deletions(-) create mode 100644 etc/default.profile delete mode 100644 etc/generic.profile (limited to 'etc') diff --git a/Makefile.in b/Makefile.in index 39766a8b0..92254fbc0 100644 --- a/Makefile.in +++ b/Makefile.in @@ -113,7 +113,7 @@ realinstall: install -c -m 0644 .etc/vlc.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/deluge.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/qbittorrent.profile $(DESTDIR)/$(sysconfdir)/firejail/. - install -c -m 0644 .etc/generic.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/default.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/pidgin.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/xchat.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/empathy.profile $(DESTDIR)/$(sysconfdir)/firejail/. diff --git a/RELNOTES b/RELNOTES index b6304249f..8ccbeed0d 100644 --- a/RELNOTES +++ b/RELNOTES @@ -24,6 +24,7 @@ firejail (0.9.40-rc1) baseline; urgency=low * new profiles: okular, gwenview, Google-Play-Music-Desktop-Player * new profiles: Aweather, Stellarium, gpredict, quiterss, cyberfox * new profiles: generic Ubuntu snap application profile + * generic.profile renamed default.profile * build rpm packages using "make rpms" * bugfixes -- netblue30 Sun, 3 Apr 2016 08:00:00 -0500 diff --git a/etc/default.profile b/etc/default.profile new file mode 100644 index 000000000..f2c7d4114 --- /dev/null +++ b/etc/default.profile 
@@ -0,0 +1,15 @@
+################################
+# Generic GUI application profile
+################################
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+#blacklist ${HOME}/.wine
+
+caps.drop all
+seccomp
+protocol unix,inet,inet6
+netfilter
+noroot
+
diff --git a/etc/generic.profile b/etc/generic.profile
deleted file mode 100644
index f2c7d4114..000000000
--- a/etc/generic.profile
+++ /dev/null
@@ -1,15 +0,0 @@
-################################
-# Generic GUI application profile
-################################
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-#blacklist ${HOME}/.wine
-
-caps.drop all
-seccomp
-protocol unix,inet,inet6
-netfilter
-noroot
-
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 11d583ec3..109af24d7 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -27,7 +27,7 @@
 /etc/firejail/totem.profile
 /etc/firejail/deluge.profile
 /etc/firejail/qbittorrent.profile
-/etc/firejail/generic.profile
+/etc/firejail/default.profile
 /etc/firejail/xchat.profile
 /etc/firejail/server.profile
 /etc/firejail/quassel.profile
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 302883310..f4a176caf 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -68,7 +68,7 @@
 #define RUN_FSLOGGER_FILE "/run/firejail/mnt/fslogger" // profiles
-#define DEFAULT_USER_PROFILE "generic"
+#define DEFAULT_USER_PROFILE "default"
 #define DEFAULT_ROOT_PROFILE "server" #define MAX_INCLUDE_LEVEL 6 // include levels in profile files
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 3ba3dd531..7aa81a9c5 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
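Review bot: generic.profile is deleted outright while DEFAULT_USER_PROFILE switches to "default", so anything that still names the old file explicitly — `--profile=/etc/firejail/generic.profile` in user scripts, or a Debian upgrade that leaves the obsolete conffile behind — silently diverges from the built-in default from now on. A one-line compatibility file would keep those users on the maintained profile: `# generic.profile was renamed default.profile` followed by `include /etc/firejail/default.profile`. The RELNOTES entry should also say that the old name is no longer installed.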
@@ -696,7 +696,7 @@ int main(int argc, char **argv) { int option_force = 0; int custom_profile = 0; // custom profile loaded char *custom_profile_dir = NULL; // custom profile directory - int arg_noprofile = 0; // use generic.profile if none other found/specified + int arg_noprofile = 0; // use default.profile if none other found/specified #ifdef HAVE_SECCOMP int highest_errno = errno_highest_nr(); #endif @@ -1920,7 +1920,7 @@ int main(int argc, char **argv) { } } - // use generic.profile as the default + // use default.profile as the default if (!custom_profile && !arg_noprofile) { if (cfg.chrootdir) fprintf(stderr, "Warning: default profile disabled by --chroot option\n"); diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 19063f5ef..0e9614ab6 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -44,7 +44,7 @@ To disable default profile loading, use --noprofile command option. Example: .RS $ firejail .br -Reading profile /etc/firejail/generic.profile +Reading profile /etc/firejail/default.profile .br Parent pid 8553, child pid 8554 .br diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 6be278063..995aee809 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -868,7 +868,7 @@ Example: .br $ firejail .br -Reading profile /etc/firejail/generic.profile +Reading profile /etc/firejail/default.profile .br Parent pid 8553, child pid 8554 .br @@ -1786,7 +1786,7 @@ To disable default profile loading, use --noprofile command option. Example: .RS $ firejail .br -Reading profile /etc/firejail/generic.profile +Reading profile /etc/firejail/default.profile .br Parent pid 8553, child pid 8554 .br diff --git a/test/extract_command.exp b/test/extract_command.exp index 99c1cc134..851b793c9 100755 --- a/test/extract_command.exp +++ b/test/extract_command.exp 
@@ -7,7 +7,7 @@ match_max 100000 send -- "firejail --debug ls -al\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Reading profile /etc/firejail/generic.profile" + "Reading profile /etc/firejail/default.profile" } expect { timeout {puts "TESTING ERROR 2\n";exit} diff --git a/test/private.exp b/test/private.exp index a5920c37b..80a921529 100755 --- a/test/private.exp +++ b/test/private.exp @@ -12,7 +12,7 @@ if { $argc != 1 } { } # testing profile and private -send -- "firejail --private --profile=/etc/firejail/generic.profile\r" +send -- "firejail --private --profile=/etc/firejail/default.profile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "Child process initialized" -- cgit v1.2.3-70-g09d2 From 78fbedbe1199ce7914c021c376bb5752439f8c62 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sat, 7 May 2016 14:20:03 +1000 Subject: added xapps && cleanup --- Makefile.in | 3 +++ README | 1 + README.md | 2 +- etc/disable-programs.inc | 17 ++++++++++++----- etc/xplayer.profile | 15 +++++++++++++++ etc/xreader.profile | 16 ++++++++++++++++ etc/xviewer.profile | 13 +++++++++++++ platform/debian/conffiles | 3 +++ src/firecfg/firecfg.config | 4 ++++ 9 files changed, 68 insertions(+), 6 deletions(-) create mode 100644 etc/xplayer.profile create mode 100644 etc/xreader.profile create mode 100644 etc/xviewer.profile (limited to 'etc') diff --git a/Makefile.in b/Makefile.in index fdf247255..2d49f88e1 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -180,6 +180,9 @@ realinstall: install -c -m 0644 .etc/quiterss.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/cyberfox.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/snap.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/xplayer.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/xreader.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/xviewer.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" rm -fr .etc diff --git a/README b/README index c40f99210..fcd1c54cd 100644 --- a/README +++ b/README @@ -70,6 +70,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - fixed disable-common.inc for mate-terminal - blacklisted escape-happy terminals in disable-common.inc - blacklisted g++ + - added xplayer, xreader, and xviewer profiles Petter Reinholdtsen (pere@hungry.com) - Opera profile patch n1trux (https://github.com/n1trux) diff --git a/README.md b/README.md index c148608d9..eb4b1af81 100644 --- a/README.md +++ b/README.md @@ -283,6 +283,6 @@ $ man firejail-profile lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox, OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100, okular, gwenview, Gpredict, Aweather, Stellarium, Google-Play-Music-Desktop-Player, quiterss, -cyberfox, generic Ubuntu snap application profile +cyberfox, generic Ubuntu snap application profile, xplayer, xreader, xviewer diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 297d25bf2..1f3768693 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc 
@@ -12,17 +12,22 @@ blacklist ${HOME}/.config/uGet blacklist ${HOME}/.config/Gpredict blacklist ${HOME}/.config/aweather blacklist ${HOME}/.config/stellarium -blacklist ~/.kde/share/apps/okular -blacklist ~/.kde/share/config/okularrc -blacklist ~/.kde/share/config/okularpartrc -blacklist ~/.kde/share/apps/gwenview -blacklist ~/.kde/share/config/gwenviewrc +blacklist ${HOME}/.config/atril +blacklist ${HOME}/.config/xreader +blacklist ${HOME}/.config/xviewer +blacklist ${HOME}/.kde/share/apps/okular +blacklist ${HOME}/.kde/share/config/okularrc +blacklist ${HOME}/.kde/share/config/okularpartrc +blacklist ${HOME}/.kde/share/apps/gwenview +blacklist ${HOME}/.kde/share/config/gwenviewrc # Media players blacklist ${HOME}/.config/cmus blacklist ${HOME}/.config/deadbeef blacklist ${HOME}/.config/spotify blacklist ${HOME}/.config/vlc +blacklist ${HOME}/.config/totem +blacklist ${HOME}/.config/xplayer # HTTP / FTP / Mail blacklist ${HOME}/.icedove @@ -95,6 +100,7 @@ blacklist ${HOME}/.cache/transmission blacklist ${HOME}/.cache/wesnoth blacklist ${HOME}/.cache/0ad blacklist ${HOME}/.cache/8pecxstudios +blacklist ${HOME}/.cache/xreader # share blacklist ${HOME}/.local/share/epiphany @@ -103,3 +109,4 @@ blacklist ${HOME}/.local/share/spotify blacklist ${HOME}/.local/share/steam blacklist ${HOME}/.local/share/wesnoth blacklist ${HOME}/.local/share/0ad +blacklist ${HOME}/.local/share/xplayer diff --git a/etc/xplayer.profile b/etc/xplayer.profile new file mode 100644 index 000000000..67a46a7da --- /dev/null +++ b/etc/xplayer.profile @@ -0,0 +1,15 @@ +# Xplayer profile +noblacklist ~/.config/xplayer +noblacklist ~/.local/share/xplayer + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +seccomp +protocol unix,inet,inet6 +noroot +tracelog +netfilter 
diff --git a/etc/xreader.profile b/etc/xreader.profile new file mode 100644 index 000000000..7b72d41a6 --- /dev/null +++ b/etc/xreader.profile @@ -0,0 +1,16 @@ +# Xreader profile +noblacklist ~/.config/xreader +noblacklist ~/.cache/xreader +noblacklist ~/.local/share + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +seccomp +protocol unix,inet,inet6 +noroot +tracelog +netfilter diff --git a/etc/xviewer.profile b/etc/xviewer.profile new file mode 100644 index 000000000..33e1e3c68 --- /dev/null +++ b/etc/xviewer.profile @@ -0,0 +1,13 @@ +noblacklist ~/.config/xviewer + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +seccomp +protocol unix,inet,inet6 +noroot +tracelog +netfilter diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 109af24d7..4f118d571 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -94,3 +94,6 @@ /etc/firejail/quiterss.profile /etc/firejail/cyberfox.profile /etc/firejail/snap.profile +/etc/firejail/xplayer.profile +/etc/firejail/xreader.profile +/etc/firejail/xviewer.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 3812ee7d8..d019c3a5c 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -60,6 +60,8 @@ Mathematica mathematica gwenview okular +atril +xreader # Media vlc @@ -70,6 +72,8 @@ parole rhythmbox totem cmus +xplayer +xviewer # chat/messaging bitlbee -- cgit v1.2.3-70-g09d2 From 43fc27396606a66de7948aeeaade550c0843b2f3 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sat, 7 May 2016 14:48:38 +1000 Subject: forgot atril profile --- etc/atril.profile | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) (limited to 'etc') 
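Review bot: `noblacklist ~/.local/share` in xreader.profile lifts the blacklist on the whole directory rather than on an xreader-specific subdirectory, unlike the sibling `noblacklist ~/.local/share/xplayer` that xplayer.profile in the same commit uses. If noblacklist matches paths exactly the line does nothing; if it matches by prefix it re-exposes every `~/.local/share/*` entry in disable-programs.inc (steam, spotify, wesnoth, ...) to the document reader — either way it should name the real path, e.g. `noblacklist ~/.local/share/xreader`, once the directory xreader actually writes to is confirmed.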
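Review bot: xviewer.profile is the only one of the three new profiles without a header comment naming the application, which makes it harder to spot in a directory of near-identical files. A first line `# Xviewer profile`, matching `# Xplayer profile` and `# Xreader profile` in the same commit, would keep them consistent.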
diff --git a/etc/atril.profile b/etc/atril.profile index c5b2abc48..d1a7b25f8 100644 --- a/etc/atril.profile +++ b/etc/atril.profile @@ -1,5 +1,6 @@ # Atril profile noblacklist ~/.config/atril +noblacklist ~/.local/share include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc @@ -8,10 +9,6 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp protocol unix,inet,inet6 -net none noroot tracelog - -mkdir ~/.config -mkdir ~/.config/atril -whitelist ~/.config/atril +netfilter -- cgit v1.2.3-70-g09d2 From e1170a668adc5c504e544c21ae06e6dd31d5d9f8 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sun, 8 May 2016 13:33:26 +1000 Subject: minor fixes --- RELNOTES | 2 +- etc/disable-programs.inc | 1 + etc/totem.profile | 12 ++++++++++++ etc/xplayer.profile | 8 ++++++++ etc/xviewer.profile | 4 ++++ 5 files changed, 26 insertions(+), 1 deletion(-) (limited to 'etc') diff --git a/RELNOTES b/RELNOTES index 339e2ee2d..9c6aeac24 100644 --- a/RELNOTES +++ b/RELNOTES @@ -24,7 +24,7 @@ firejail (0.9.40-rc1) baseline; urgency=low * new profiles: okular, gwenview, Google-Play-Music-Desktop-Player * new profiles: Aweather, Stellarium, gpredict, quiterss, cyberfox * new profiles: generic Ubuntu snap application profile, xplayer - * new profiles: xreader, xplayer + * new profiles: xreader, xviewer * generic.profile renamed default.profile * build rpm packages using "make rpms" * bugfixes diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 1f3768693..1e3f092fb 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -110,3 +110,4 @@ blacklist ${HOME}/.local/share/steam blacklist ${HOME}/.local/share/wesnoth blacklist ${HOME}/.local/share/0ad blacklist ${HOME}/.local/share/xplayer +blacklsit ${HOME}/.local/share/totem diff --git a/etc/totem.profile b/etc/totem.profile index 4d87cbb85..416b0ef43 100644 --- a/etc/totem.profile +++ b/etc/totem.profile 
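Review bot: Replacing `net none` with `netfilter` gives a PDF viewer that previously had no network access a working network stack, and dropping the `whitelist ~/.config/atril` block at the same time widens what the sandbox can see under $HOME; the commit message ("forgot atril profile") does not say why either restriction was relaxed. If network access is genuinely needed, say so in a comment next to `netfilter`; otherwise `net none` remains the safer default for a document viewer. `noblacklist ~/.local/share` also names the parent directory rather than an atril-specific path — depending on whether noblacklist matches exact paths or prefixes, that is either a no-op or lifts every `~/.local/share/*` entry in disable-programs.inc; prefer the specific subdirectory the application writes to.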
@@ -1,4 +1,7 @@ # Totem media player profile +noblacklist ~/.config/totem +noblacklist ~/.local/share/totem + include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc @@ -9,3 +12,12 @@ seccomp protocol unix,inet,inet6 noroot netfilter + +mkdir ~/.config +mkdir ~/.config/totem +whitelist ~/.config/totme + +mkdir ~/.local +mkdir ~/.local/share +mkdir ~/.local/share/totem +whitelist ~/.local/share/totem diff --git a/etc/xplayer.profile b/etc/xplayer.profile index 67a46a7da..e364a2a5d 100644 --- a/etc/xplayer.profile +++ b/etc/xplayer.profile @@ -13,3 +13,11 @@ protocol unix,inet,inet6 noroot tracelog netfilter + +mkdir ~/.config +mkdir ~/.config/xplayer +whitelist ~/.config/xplayer + +mkdir ~/.local +mkdir ~/.local/share +mkdir ~/.local/share/xplayer diff --git a/etc/xviewer.profile b/etc/xviewer.profile index 33e1e3c68..5785ecabf 100644 --- a/etc/xviewer.profile +++ b/etc/xviewer.profile @@ -11,3 +11,7 @@ protocol unix,inet,inet6 noroot tracelog netfilter + +mkdir ~/.config +mkdir ~/.config/xviewer +whitelist ~/.config/xviewer -- cgit v1.2.3-70-g09d2 From 0e79ca99bb5fac8904de5136c33fb0c60d074808 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sun, 8 May 2016 13:38:16 +1000 Subject: minor fixes --- etc/xplayer.profile | 8 -------- etc/xviewer.profile | 4 ---- 2 files changed, 12 deletions(-) (limited to 'etc') diff --git a/etc/xplayer.profile b/etc/xplayer.profile index e364a2a5d..67a46a7da 100644 --- a/etc/xplayer.profile +++ b/etc/xplayer.profile @@ -13,11 +13,3 @@ protocol unix,inet,inet6 noroot tracelog netfilter - -mkdir ~/.config -mkdir ~/.config/xplayer -whitelist ~/.config/xplayer - -mkdir ~/.local -mkdir ~/.local/share -mkdir ~/.local/share/xplayer diff --git a/etc/xviewer.profile b/etc/xviewer.profile index 5785ecabf..33e1e3c68 100644 --- a/etc/xviewer.profile +++ b/etc/xviewer.profile 
@@ -11,7 +11,3 @@ protocol unix,inet,inet6 noroot tracelog netfilter - -mkdir ~/.config -mkdir ~/.config/xviewer -whitelist ~/.config/xviewer -- cgit v1.2.3-70-g09d2 From d4d72e218e50548c4a36ee35fef3fdf5f1c41bcf Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sun, 8 May 2016 13:41:58 +1000 Subject: undo change --- etc/totem.profile | 9 --------- 1 file changed, 9 deletions(-) (limited to 'etc') diff --git a/etc/totem.profile b/etc/totem.profile index 416b0ef43..d23167b03 100644 --- a/etc/totem.profile +++ b/etc/totem.profile @@ -12,12 +12,3 @@ seccomp protocol unix,inet,inet6 noroot netfilter - -mkdir ~/.config -mkdir ~/.config/totem -whitelist ~/.config/totme - -mkdir ~/.local -mkdir ~/.local/share -mkdir ~/.local/share/totem -whitelist ~/.local/share/totem -- cgit v1.2.3-70-g09d2 From 95b4bd30d29d9e7f2b07c3f51ef311aaa62fbcd5 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 8 May 2016 10:20:29 -0400 Subject: fixes --- etc/disable-programs.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 1e3f092fb..a3fd0fe73 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -110,4 +110,4 @@ blacklist ${HOME}/.local/share/steam blacklist ${HOME}/.local/share/wesnoth blacklist ${HOME}/.local/share/0ad blacklist ${HOME}/.local/share/xplayer -blacklsit ${HOME}/.local/share/totem +blacklist ${HOME}/.local/share/totem -- cgit v1.2.3-70-g09d2 From bf3ba3e577a6d7e58b55f88d3ab363aa75337ba8 Mon Sep 17 00:00:00 2001 From: avoidr Date: Sat, 14 May 2016 17:28:25 +0200 Subject: add mcabber.profile --- etc/mcabber.profile | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 etc/mcabber.profile (limited to 'etc') diff --git a/etc/mcabber.profile b/etc/mcabber.profile new file mode 100644 index 000000000..553672406 --- /dev/null +++ b/etc/mcabber.profile 
@@ -0,0 +1,19 @@ +# mcabber profile +noblacklist ${HOME}/.mcabber +noblacklist ${HOME}/.mcabberrc + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +seccomp +protocol inet,inet6 +netfilter +noroot + +private-bin mcabber +private-etc group +private-dev +shell none -- cgit v1.2.3-70-g09d2 From d32b616e41b8216e2573d80813d719ed6b714467 Mon Sep 17 00:00:00 2001 From: avoidr Date: Sat, 14 May 2016 17:29:35 +0200 Subject: noblacklist mcabber --- etc/disable-programs.inc | 1 + 1 file changed, 1 insertion(+) (limited to 'etc') diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index a3fd0fe73..307ccaf6c 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -55,6 +55,7 @@ blacklist ${HOME}/.8pecxstudios # Instant Messaging blacklist ${HOME}/.config/hexchat blacklist ${HOME}/.mcabber +blacklist ${HOME}/.mcabberrc blacklist ${HOME}/.purple blacklist ${HOME}/.config/psi+ blacklist ${HOME}/.retroshare -- cgit v1.2.3-70-g09d2 From 9c9055d1bd49080f97a456e35a886a0ab624bb45 Mon Sep 17 00:00:00 2001 From: avoidr Date: Sun, 15 May 2016 12:13:45 +0200 Subject: mcabber.profile: use empty /etc --- etc/mcabber.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/mcabber.profile b/etc/mcabber.profile index 553672406..1d753d7c3 100644 --- a/etc/mcabber.profile +++ b/etc/mcabber.profile @@ -14,6 +14,6 @@ netfilter noroot private-bin mcabber -private-etc group +private-etc null private-dev shell none -- cgit v1.2.3-70-g09d2 From 471bba3242b01d91e6b1f52b9b12d2e88b5cf533 Mon Sep 17 00:00:00 2001 From: avoidr Date: Sun, 15 May 2016 12:28:43 +0200 Subject: cmus.profile: use empty /etc --- etc/cmus.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/cmus.profile b/etc/cmus.profile index 72b43a70f..bb57ac149 100644 --- a/etc/cmus.profile 
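Review bot: `private-etc group` leaves only /etc/group inside the sandbox, so /etc/resolv.conf, /etc/hosts and the TLS trust store (e.g. /etc/ssl) are absent unless firejail supplies them by other means; for an XMPP client that has to resolve its server and verify its certificate this is likely to break DNS and certificate validation, and the path of least resistance for a user is then to switch verification off. If that is the observed behaviour, list what the client needs explicitly, e.g. `private-etc group,resolv.conf,hosts,ssl`, with a comment naming why each entry is present. The follow-up `private-etc null` commit further down removes even /etc/group, so the same check applies there.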
+++ b/etc/cmus.profile @@ -13,5 +13,5 @@ netfilter noroot private-bin cmus -private-etc group +private-etc null shell none -- cgit v1.2.3-70-g09d2 From 3fde5ba7f094b92c01075426b3f54b1b44c31dd9 Mon Sep 17 00:00:00 2001 From: avoidr Date: Sun, 15 May 2016 22:43:59 +0200 Subject: Revert "cmus.profile: use empty /etc" This reverts commit 471bba3242b01d91e6b1f52b9b12d2e88b5cf533. --- etc/cmus.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/cmus.profile b/etc/cmus.profile index bb57ac149..72b43a70f 100644 --- a/etc/cmus.profile +++ b/etc/cmus.profile @@ -13,5 +13,5 @@ netfilter noroot private-bin cmus -private-etc null +private-etc group shell none -- cgit v1.2.3-70-g09d2 From e21f5c16606e1613f56a297b7d09e1cb90c5b61d Mon Sep 17 00:00:00 2001 From: ValdikSS Date: Mon, 23 May 2016 23:17:56 +0300 Subject: Blacklist psi+ share directory. History and OTR keys are in there. --- etc/disable-programs.inc | 1 + 1 file changed, 1 insertion(+) (limited to 'etc') diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 307ccaf6c..3474a6592 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -112,3 +112,4 @@ blacklist ${HOME}/.local/share/wesnoth blacklist ${HOME}/.local/share/0ad blacklist ${HOME}/.local/share/xplayer blacklist ${HOME}/.local/share/totem +blacklist ${HOME}/.local/share/psi+ -- cgit v1.2.3-70-g09d2 From e5de12f12c06c35b68bcaedc225bca8765f162f1 Mon Sep 17 00:00:00 2001 From: ValdikSS Date: Mon, 23 May 2016 23:20:31 +0300 Subject: Whitelist ~/.XCompose to prevent breaking custom compose keys --- etc/whitelist-common.inc | 1 + 1 file changed, 1 insertion(+) (limited to 'etc') diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc index 9d5ef3d96..b3a1a1d30 100644 --- a/etc/whitelist-common.inc +++ b/etc/whitelist-common.inc 
@@ -1,5 +1,6 @@ # common whitelist for all profiles +whitelist ~/.XCompose whitelist ~/.config/mimeapps.list whitelist ~/.icons whitelist ~/.config/user-dirs.dirs -- cgit v1.2.3-70-g09d2 From 2cdbcfc830c23574a71b2caed39ffb72580e3de7 Mon Sep 17 00:00:00 2001 From: ValdikSS Date: Mon, 23 May 2016 23:31:53 +0300 Subject: Blacklist ~/.cert where Fedora (and probably other distros with SELinux) encourage users to store certificates --- etc/disable-common.inc | 1 + 1 file changed, 1 insertion(+) (limited to 'etc') diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 479f32cb1..a61f1b210 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -93,6 +93,7 @@ read-only ${HOME}/bin # top secret blacklist ${HOME}/.ssh +blacklist ${HOME}/.cert blacklist ${HOME}/.gnome2/keyrings blacklist ${HOME}/kde4/share/apps/kwallet blacklist ${HOME}/kde/share/apps/kwallet -- cgit v1.2.3-70-g09d2 From e87f299a89faa57128d289bedaa644a65bd830a2 Mon Sep 17 00:00:00 2001 From: ValdikSS Date: Mon, 23 May 2016 23:23:21 +0300 Subject: Add Psi+ profile --- etc/psi-plus.profile | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 etc/psi-plus.profile (limited to 'etc') diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile new file mode 100644 index 000000000..8194da74f --- /dev/null +++ b/etc/psi-plus.profile @@ -0,0 +1,27 @@ +# Firejail profile for Psi+ + +noblacklist ${HOME}/.config/psi+ +noblacklist ${HOME}/.local/share/psi+ +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +whitelist ${DOWNLOADS} +mkdir ~/.config +mkdir ~/.config/psi+ +whitelist ~/.config/psi+ +mkdir ~/.local +mkdir ~/.local/share +mkdir ~/.local/share/psi+ +whitelist ~/.local/share/psi+ +mkdir ~/.cache +mkdir ~/.cache/psi+ +whitelist ~/.cache/psi+ + +include /etc/firejail/whitelist-common.inc + +caps.drop all +seccomp +protocol unix,inet,inet6 +netfilter +noroot -- cgit v1.2.3-70-g09d2 
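Review bot: psi-plus.profile does not include `/etc/firejail/disable-devel.inc`, which the corebird and konversation profiles added later in this series both carry, so compilers and interpreters remain reachable from the chat client's sandbox; add `include /etc/firejail/disable-devel.inc` after the disable-programs.inc include unless Psi+ is known to need something those rules hide. The file also mixes `${HOME}` in the noblacklist lines with `~` in the mkdir/whitelist lines; picking one form makes the profile easier to audit.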
From ae1f7b596acf4449369e87e755edc8a9073ad69e Mon Sep 17 00:00:00 2001 From: ValdikSS Date: Mon, 23 May 2016 23:29:43 +0300 Subject: Add generic Corebird profile --- etc/corebird.profile | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 etc/corebird.profile (limited to 'etc') diff --git a/etc/corebird.profile b/etc/corebird.profile new file mode 100644 index 000000000..f3f73a44f --- /dev/null +++ b/etc/corebird.profile @@ -0,0 +1,12 @@ +# Firejail corebird profile + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +seccomp +protocol unix,inet,inet6 +netfilter +noroot -- cgit v1.2.3-70-g09d2 From 0d80553ab42d5451647ff0fcf2082b87a0b6aca6 Mon Sep 17 00:00:00 2001 From: ValdikSS Date: Mon, 23 May 2016 23:30:10 +0300 Subject: Add generic Konversation profile --- etc/konversation.profile | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 etc/konversation.profile (limited to 'etc') diff --git a/etc/konversation.profile b/etc/konversation.profile new file mode 100644 index 000000000..d10decb8f --- /dev/null +++ b/etc/konversation.profile @@ -0,0 +1,12 @@ +# Firejail konversation profile + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +seccomp +protocol unix,inet,inet6 +netfilter +noroot -- cgit v1.2.3-70-g09d2 From 4125505f2e632bc3f1358470c78e2f9bb88c368e Mon Sep 17 00:00:00 2001 From: The Fox in the Shell Date: Wed, 25 May 2016 02:45:20 +0200 Subject: midori.profile: Use nonewprivs and noroot --- etc/midori.profile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/midori.profile b/etc/midori.profile index 7fc27e07c..568687058 100644 --- a/etc/midori.profile +++ b/etc/midori.profile 
@@ -8,4 +8,5 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter - +nonewprivs +noroot -- cgit v1.2.3-70-g09d2 From 1c0428dba28299b66380c8c05770d6619383d758 Mon Sep 17 00:00:00 2001 From: The Fox in the Shell Date: Wed, 25 May 2016 14:59:30 +0200 Subject: Add force-nonewprivs setting --- README.md | 7 +++++++ etc/firejail.config | 6 ++++++ src/firejail/checkcfg.c | 11 +++++++++++ src/firejail/firejail.h | 3 ++- src/firejail/sandbox.c | 2 +- src/man/firejail-config.txt | 8 ++++++++ 6 files changed, 35 insertions(+), 2 deletions(-) (limited to 'etc') diff --git a/README.md b/README.md index 4fa79d9f2..6f05a010f 100644 --- a/README.md +++ b/README.md @@ -207,6 +207,13 @@ The following features can be enabled or disabled: x11 Enable or disable X11 sandboxing support, default enabled. + force-nonewprivs + Force use of theh NO_NEW_PRIVS prctl(2) flag. + This mitigates the possibility of a user abusing firejail's + features to trick a privileged (suid or file capabilities) + process into loading code or configuration that is partially + under their control. Default disabled + xephyr-screen Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for a full list of resolutions available on your diff --git a/etc/firejail.config b/etc/firejail.config index 41cd08e68..caaeb6792 100644 --- a/etc/firejail.config +++ b/etc/firejail.config @@ -30,6 +30,12 @@ # Enable or disable X11 sandboxing support, default enabled. # x11 yes +# Force use of nonewprivs. This mitigates the possibility of +# a user abusing firejail's features to trick a privileged (suid +# or file capabilities) process into loading code or configuration +# that is partially under their control. Default disabled +# force-nonewprivs no + # Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for # a full list of resolutions available on your specific setup. # xephyr-screen 640x480 diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 430b0c5a6..4fdbe1897 100644 
--- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -36,7 +36,9 @@ int checkcfg(int val) { int i; for (i = 0; i < CFG_MAX; i++) cfg_val[i] = 1; // most of them are enabled by default + cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default + cfg_val[CFG_FORCE_NONEWPRIVS ] = 0; // disabled by default // open configuration file char *fname; @@ -106,6 +108,15 @@ int checkcfg(int val) { else goto errout; } + // nonewprivs + else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) { + if (strcmp(ptr + 17, "yes") == 0) + cfg_val[CFG_SECCOMP] = 1; + else if (strcmp(ptr + 17, "no") == 0) + cfg_val[CFG_SECCOMP] = 0; + else + goto errout; + } // seccomp else if (strncmp(ptr, "seccomp ", 8) == 0) { if (strcmp(ptr + 8, "yes") == 0) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index c9c090a97..661073730 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -566,7 +566,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh); #define CFG_SECCOMP 5 #define CFG_NETWORK 6 #define CFG_RESTRICTED_NETWORK 7 -#define CFG_MAX 8 // this should always be the last entry +#define CFG_FORCE_NONEWPRIVS 8 +#define CFG_MAX 9 // this should always be the last entry int checkcfg(int val); // fs_rdwr.c diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 843c1efe5..6133a610d 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -750,7 +750,7 @@ int sandbox(void* sandbox_arg) { //**************************************** // Set NO_NEW_PRIVS if desired //**************************************** - if (arg_nonewprivs) { + if (arg_nonewprivs || checkcfg(CFG_FORCE_NONEWPRIVS)) { int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); if(no_new_privs != 0) diff --git a/src/man/firejail-config.txt b/src/man/firejail-config.txt index fcf4109ee..dcede2ec6 100644 --- a/src/man/firejail-config.txt +++ b/src/man/firejail-config.txt 
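Review bot: The `force-nonewprivs` parser in the second checkcfg.c hunk writes to `cfg_val[CFG_SECCOMP]` instead of `cfg_val[CFG_FORCE_NONEWPRIVS]`, so the new option never takes effect and `force-nonewprivs no` — the documented default — actually switches seccomp off for every sandbox, while `force-nonewprivs yes` merely re-asserts the seccomp default. Because the flag stays at the 0 assigned in the first hunk, the `checkcfg(CFG_FORCE_NONEWPRIVS)` test added to sandbox.c can never fire from the config file. The two assignments should read `cfg_val[CFG_FORCE_NONEWPRIVS] = 1;` and `cfg_val[CFG_FORCE_NONEWPRIVS] = 0;`; the stray space in `cfg_val[CFG_FORCE_NONEWPRIVS ] = 0;` in the first hunk is harmless but worth tidying. checkcfg's body extends beyond both hunks.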
@@ -48,6 +48,14 @@ Enable or disable user namespace support, default enabled. \fBx11 Enable or disable X11 sandboxing support, default enabled. +.TP +\fBforce-nonewprivs +Force use of nonewprivs. This mitigates the possibility of +a user abusing firejail's features to trick a privileged (suid +or file capabilities) process into loading code or configuration +that is partially under their control. Default disabled. + + .TP \fBxephyr-screen Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for -- cgit v1.2.3-70-g09d2 From 845bd06665539af002b1bf74d2b7cb9e6cf11e0e Mon Sep 17 00:00:00 2001 
From: The Fox in the Shell Date: Wed, 25 May 2016 02:46:09 +0200 Subject: profiles: Add nonewprivs where sensible --- etc/0ad.profile | 1 + etc/Mathematica.profile | 1 + etc/abrowser.profile | 1 + etc/atril.profile | 1 + etc/audacious.profile | 1 + etc/aweather.profile | 1 + etc/bitlbee.profile | 1 + etc/cherrytree.profile | 1 + etc/clementine.profile | 1 + etc/cmus.profile | 1 + etc/conkeror.profile | 1 + etc/cyberfox.profile | 1 + etc/deadbeef.profile | 1 + etc/default.profile | 1 + etc/deluge.profile | 1 + etc/dillo.profile | 1 + etc/dnsmasq.profile | 1 + etc/dropbox.profile | 1 + etc/empathy.profile | 1 + etc/epiphany.profile | 2 +- etc/evince.profile | 1 + etc/fbreader.profile | 1 + etc/filezilla.profile | 1 + etc/firefox.profile | 1 + etc/flashpeak-slimjet.profile | 1 + etc/gnome-mplayer.profile | 1 + etc/google-play-music-desktop-player.profile | 1 + etc/gpredict.profile | 1 + etc/gwenview.profile | 1 + etc/hedgewars.profile | 1 + etc/hexchat.profile | 1 + etc/kmail.profile | 1 + etc/mcabber.profile | 1 + etc/mupen64plus.profile | 1 + etc/netsurf.profile | 1 + etc/okular.profile | 1 + etc/palemoon.profile | 1 + etc/parole.profile | 1 + etc/pidgin.profile | 1 + etc/polari.profile | 1 + etc/qbittorrent.profile | 1 + etc/qtox.profile | 1 + etc/quassel.profile | 1 + etc/quiterss.profile | 1 + etc/qutebrowser.profile | 1 + etc/rhythmbox.profile | 1 + etc/rtorrent.profile | 1 + etc/seamonkey.profile | 1 + etc/skype.profile | 1 + etc/spotify.profile | 1 + etc/ssh.profile | 1 + etc/steam.profile | 1 + etc/stellarium.profile | 1 + etc/telegram.profile | 1 + etc/totem.profile | 1 + etc/transmission-gtk.profile | 1 + etc/transmission-qt.profile | 1 + etc/uget-gtk.profile | 1 + etc/vivaldi.profile | 1 + etc/vlc.profile | 1 + etc/warzone2100.profile | 1 + etc/weechat.profile | 1 + etc/wesnoth.profile | 1 + etc/wine.profile | 1 + etc/xchat.profile | 1 + etc/xplayer.profile | 1 + etc/xreader.profile | 1 + etc/xviewer.profile | 1 + 68 files changed, 68 insertions(+), 1 
deletion(-) (limited to 'etc') diff --git a/etc/0ad.profile b/etc/0ad.profile index f8a3ce23d..e6540fb5d 100644 --- a/etc/0ad.profile +++ b/etc/0ad.profile @@ -12,6 +12,7 @@ protocol unix,inet,inet6,netlink netfilter tracelog noroot +nonewprivs # Whitelists noblacklist ~/.cache/0ad diff --git a/etc/Mathematica.profile b/etc/Mathematica.profile index 05131df43..75dbebcf0 100644 --- a/etc/Mathematica.profile +++ b/etc/Mathematica.profile @@ -16,4 +16,5 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp +nonewprivs noroot diff --git a/etc/abrowser.profile b/etc/abrowser.profile index 949635258..6a06ce76b 100644 --- a/etc/abrowser.profile +++ b/etc/abrowser.profile @@ -11,6 +11,7 @@ seccomp protocol unix,inet,inet6,netlink netfilter tracelog +nonewprivs noroot whitelist ${DOWNLOADS} diff --git a/etc/atril.profile b/etc/atril.profile index d1a7b25f8..c20a8c7b3 100644 --- a/etc/atril.profile +++ b/etc/atril.profile @@ -9,6 +9,7 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot tracelog netfilter diff --git a/etc/audacious.profile b/etc/audacious.profile index 290faa260..0a1598dee 100644 --- a/etc/audacious.profile +++ b/etc/audacious.profile @@ -7,4 +7,5 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot diff --git a/etc/aweather.profile b/etc/aweather.profile index d7f510a7e..dd508e736 100644 --- a/etc/aweather.profile +++ b/etc/aweather.profile @@ -12,6 +12,7 @@ include /etc/firejail/disable-programs.inc # Call these options caps.drop all netfilter +nonewprivs noroot protocol unix,inet,inet6,netlink seccomp diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile index fb84c260a..b7ccd132e 100644 --- a/etc/bitlbee.profile +++ b/etc/bitlbee.profile @@ -9,3 +9,4 @@ private private-dev seccomp netfilter +nonewprivs diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index 1f69f61c6..b3a34fc9a 100644 
--- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile @@ -19,6 +19,7 @@ seccomp protocol unix,inet,inet6,netlink netfilter tracelog +nonewprivs noroot include /etc/firejail/whitelist-common.inc nosound diff --git a/etc/clementine.profile b/etc/clementine.profile index c6271e6e3..fb9dca2a9 100644 --- a/etc/clementine.profile +++ b/etc/clementine.profile @@ -7,4 +7,5 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot diff --git a/etc/cmus.profile b/etc/cmus.profile index 72b43a70f..16b9c112d 100644 --- a/etc/cmus.profile +++ b/etc/cmus.profile @@ -10,6 +10,7 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter +nonewprivs noroot private-bin cmus diff --git a/etc/conkeror.profile b/etc/conkeror.profile index 007eef663..0a7966e4b 100644 --- a/etc/conkeror.profile +++ b/etc/conkeror.profile @@ -7,6 +7,7 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter +nonewprivs noroot whitelist ~/.conkeror.mozdev.org diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile index cef9ad464..c5fb25e9a 100644 --- a/etc/cyberfox.profile +++ b/etc/cyberfox.profile @@ -11,6 +11,7 @@ seccomp protocol unix,inet,inet6,netlink netfilter tracelog +nonewprivs noroot whitelist ${DOWNLOADS} diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile index 2810e5323..9225ca16e 100644 --- a/etc/deadbeef.profile +++ b/etc/deadbeef.profile @@ -9,4 +9,5 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot diff --git a/etc/default.profile b/etc/default.profile index f2c7d4114..d836a9f5d 100644 --- a/etc/default.profile +++ b/etc/default.profile @@ -11,5 +11,6 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter +nonewprivs noroot diff --git a/etc/deluge.profile b/etc/deluge.profile index 4043f58f5..f7a2b98e4 100644 --- a/etc/deluge.profile +++ b/etc/deluge.profile 
@@ -9,5 +9,6 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter +nonewprivs noroot nosound diff --git a/etc/dillo.profile b/etc/dillo.profile index 49c33fb7a..392000ade 100644 --- a/etc/dillo.profile +++ b/etc/dillo.profile @@ -11,6 +11,7 @@ seccomp protocol unix,inet,inet6 netfilter tracelog +nonewprivs noroot whitelist ${DOWNLOADS} diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile index 474bc5aca..4459c40dd 100644 --- a/etc/dnsmasq.profile +++ b/etc/dnsmasq.profile @@ -11,3 +11,4 @@ protocol unix,inet,inet6,netlink netfilter private private-dev +nonewprivs diff --git a/etc/dropbox.profile b/etc/dropbox.profile index a0a944dce..568ab230a 100644 --- a/etc/dropbox.profile +++ b/etc/dropbox.profile @@ -6,4 +6,5 @@ include /etc/firejail/disable-passwdmgr.inc caps seccomp protocol unix,inet,inet6 +nonewprivs noroot diff --git a/etc/empathy.profile b/etc/empathy.profile index 789bdda08..c08398e84 100644 --- a/etc/empathy.profile +++ b/etc/empathy.profile @@ -7,3 +7,4 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter +nonewprivs diff --git a/etc/epiphany.profile b/etc/epiphany.profile index 95a673bf9..7783a05fd 100644 --- a/etc/epiphany.profile +++ b/etc/epiphany.profile @@ -23,4 +23,4 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter - +nonewprivs diff --git a/etc/evince.profile b/etc/evince.profile index c390dcaf3..3c883d43c 100644 --- a/etc/evince.profile +++ b/etc/evince.profile @@ -7,5 +7,6 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot nosound diff --git a/etc/fbreader.profile b/etc/fbreader.profile index cfbae1c74..7764a48c9 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile @@ -10,5 +10,6 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter +nonewprivs noroot nosound diff --git a/etc/filezilla.profile b/etc/filezilla.profile index 8542de284..1ab08b568 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile 
@@ -9,6 +9,7 @@ include /etc/firejail/disable-devel.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot netfilter nosound diff --git a/etc/firefox.profile b/etc/firefox.profile index 1ea94a2c7..6796ef7c4 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile @@ -11,6 +11,7 @@ seccomp protocol unix,inet,inet6,netlink netfilter tracelog +nonewprivs noroot whitelist ${DOWNLOADS} diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile index 94c672acf..77a95aa17 100644 --- a/etc/flashpeak-slimjet.profile +++ b/etc/flashpeak-slimjet.profile @@ -18,6 +18,7 @@ caps.drop all seccomp protocol unix,inet,inet6,netlink netfilter +nonewprivs noroot whitelist ${DOWNLOADS} diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile index ec3698ac8..010b19613 100644 --- a/etc/gnome-mplayer.profile +++ b/etc/gnome-mplayer.profile @@ -7,4 +7,5 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile index 7fe43f1f6..fe2f79901 100644 --- a/etc/google-play-music-desktop-player.profile +++ b/etc/google-play-music-desktop-player.profile @@ -9,6 +9,7 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp protocol unix,inet,inet6,netlink +nonewprivs noroot netfilter diff --git a/etc/gpredict.profile b/etc/gpredict.profile index f53cb1b4f..ba9fce37b 100644 --- a/etc/gpredict.profile +++ b/etc/gpredict.profile @@ -12,6 +12,7 @@ include /etc/firejail/disable-programs.inc # Call these options caps.drop all netfilter +nonewprivs noroot protocol unix,inet,inet6,netlink seccomp diff --git a/etc/gwenview.profile b/etc/gwenview.profile index d61c57adc..87523d825 100644 --- a/etc/gwenview.profile +++ b/etc/gwenview.profile @@ -8,6 +8,7 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp protocol unix +nonewprivs noroot nogroups private-dev 
diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile index 5ab7cfe72..c5d863bd5 100644 --- a/etc/hedgewars.profile +++ b/etc/hedgewars.profile @@ -7,6 +7,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +nonewprivs noroot private-dev seccomp diff --git a/etc/hexchat.profile b/etc/hexchat.profile index b77555e55..3eb350660 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile @@ -9,6 +9,7 @@ include /etc/firejail/disable-devel.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot netfilter diff --git a/etc/kmail.profile b/etc/kmail.profile index a7079661b..a47945bc6 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile @@ -10,5 +10,6 @@ caps.drop all seccomp protocol unix,inet,inet6,netlink netfilter +nonewprivs noroot tracelog diff --git a/etc/mcabber.profile b/etc/mcabber.profile index 1d753d7c3..1536194b2 100644 --- a/etc/mcabber.profile +++ b/etc/mcabber.profile @@ -11,6 +11,7 @@ caps.drop all seccomp protocol inet,inet6 netfilter +nonewprivs noroot private-bin mcabber diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile index 7b38b411a..c9a99bede 100644 --- a/etc/mupen64plus.profile +++ b/etc/mupen64plus.profile @@ -16,6 +16,7 @@ mkdir ${HOME}/.config mkdir ${HOME}/.config/mupen64plus whitelist ${HOME}/.config/mupen64plus/ +nonewprivs noroot caps.drop all seccomp diff --git a/etc/netsurf.profile b/etc/netsurf.profile index 26b621126..e01cace7f 100644 --- a/etc/netsurf.profile +++ b/etc/netsurf.profile @@ -11,6 +11,7 @@ seccomp protocol unix,inet,inet6,netlink netfilter tracelog +nonewprivs noroot whitelist ${DOWNLOADS} diff --git a/etc/okular.profile b/etc/okular.profile index 7929a8796..5179da787 100644 --- a/etc/okular.profile +++ b/etc/okular.profile @@ -9,6 +9,7 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp protocol unix +nonewprivs noroot nogroups private-dev 
diff --git a/etc/palemoon.profile b/etc/palemoon.profile index fc4ea453b..4db9b7adc 100644 --- a/etc/palemoon.profile +++ b/etc/palemoon.profile @@ -16,6 +16,7 @@ seccomp protocol unix,inet,inet6,netlink netfilter tracelog +nonewprivs noroot whitelist ${DOWNLOADS} diff --git a/etc/parole.profile b/etc/parole.profile index 0c9a72143..c0be0453b 100644 --- a/etc/parole.profile +++ b/etc/parole.profile @@ -11,5 +11,6 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter +nonewprivs noroot shell none diff --git a/etc/pidgin.profile b/etc/pidgin.profile index fd497f082..767da5f55 100644 --- a/etc/pidgin.profile +++ b/etc/pidgin.profile @@ -8,4 +8,5 @@ include /etc/firejail/disable-devel.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot diff --git a/etc/polari.profile b/etc/polari.profile index 0bc46f3f7..7910f4e9b 100644 --- a/etc/polari.profile +++ b/etc/polari.profile @@ -24,6 +24,7 @@ include /etc/firejail/whitelist-common.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot netfilter diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index 8bdc745fb..858fdda4d 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile @@ -8,5 +8,6 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter +nonewprivs noroot nosound diff --git a/etc/qtox.profile b/etc/qtox.profile index 80acc3873..ca34e932a 100644 --- a/etc/qtox.profile +++ b/etc/qtox.profile @@ -12,4 +12,5 @@ include /etc/firejail/whitelist-common.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot diff --git a/etc/quassel.profile b/etc/quassel.profile index 72004da7f..e68315c1c 100644 --- a/etc/quassel.profile +++ b/etc/quassel.profile @@ -6,5 +6,6 @@ include /etc/firejail/disable-devel.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot netfilter diff --git a/etc/quiterss.profile b/etc/quiterss.profile index 411d37dbd..5ad7ead1a 100644 --- a/etc/quiterss.profile +++ b/etc/quiterss.profile 
@@ -20,6 +20,7 @@ seccomp protocol unix,inet,inet6 netfilter tracelog +nonewprivs noroot nogroups shell none diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile index 934a374de..09d10b0bb 100644 --- a/etc/qutebrowser.profile +++ b/etc/qutebrowser.profile @@ -11,6 +11,7 @@ seccomp protocol unix,inet,inet6,netlink netfilter tracelog +nonewprivs noroot whitelist ${DOWNLOADS} diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index 782cd3832..ee0832863 100644 --- a/etc/rhythmbox.profile +++ b/etc/rhythmbox.profile @@ -7,5 +7,6 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot netfilter diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index ae0430830..9ae2206c1 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile @@ -8,5 +8,6 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter +nonewprivs noroot nosound diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile index a10d5b0ec..886af0f67 100644 --- a/etc/seamonkey.profile +++ b/etc/seamonkey.profile @@ -10,6 +10,7 @@ seccomp protocol unix,inet,inet6,netlink netfilter tracelog +nonewprivs noroot whitelist ${DOWNLOADS} diff --git a/etc/skype.profile b/etc/skype.profile index 26feac1a4..4c4a34980 100644 --- a/etc/skype.profile +++ b/etc/skype.profile @@ -6,6 +6,7 @@ include /etc/firejail/disable-devel.inc caps.drop all netfilter +nonewprivs noroot seccomp protocol unix,inet,inet6 diff --git a/etc/spotify.profile b/etc/spotify.profile index fd4586dd5..1ee379dea 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile @@ -26,5 +26,6 @@ caps.drop all seccomp protocol unix,inet,inet6,netlink netfilter +nonewprivs noroot diff --git a/etc/ssh.profile b/etc/ssh.profile index 7b282bde6..0c4621f66 100644 --- a/etc/ssh.profile +++ b/etc/ssh.profile @@ -9,4 +9,5 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter +nonewprivs noroot diff --git a/etc/steam.profile b/etc/steam.profile index 4c96e8258..ae5e93829 100644 
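Review bot: The `nonewprivs` added to ssh.profile (between `netfilter` and `noroot`) disables OpenSSH's `ssh-keysign` helper, which distributions install setuid root for HostbasedAuthentication: under PR_SET_NO_NEW_PRIVS the kernel ignores the setuid bit on exec, so host-based logins from inside the sandbox fail silently while password and public-key authentication keep working. The hardening is still worth keeping, but the profile should record the trade-off so nobody chases the failure later, e.g. `# nonewprivs disables setuid ssh-keysign (HostbasedAuthentication only)`. The `noroot` line that follows already puts the client in a user namespace, so the helper may have been non-functional before as well — worth one test with a host-based setup.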
--- a/etc/steam.profile +++ b/etc/steam.profile @@ -8,6 +8,7 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter +nonewprivs noroot seccomp protocol unix,inet,inet6 diff --git a/etc/stellarium.profile b/etc/stellarium.profile index 7cb74eeaa..148ec949d 100644 --- a/etc/stellarium.profile +++ b/etc/stellarium.profile @@ -13,6 +13,7 @@ include /etc/firejail/disable-programs.inc # Call these options caps.drop all netfilter +nonewprivs noroot protocol unix,inet,inet6,netlink seccomp diff --git a/etc/telegram.profile b/etc/telegram.profile index df6b6a270..62a0fa404 100644 --- a/etc/telegram.profile +++ b/etc/telegram.profile @@ -7,6 +7,7 @@ include /etc/firejail/disable-devel.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot netfilter diff --git a/etc/totem.profile b/etc/totem.profile index d23167b03..f2bce5dee 100644 --- a/etc/totem.profile +++ b/etc/totem.profile @@ -10,5 +10,6 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot netfilter diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index d61d36a8c..e27873f88 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile @@ -11,6 +11,7 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter +nonewprivs noroot tracelog nosound diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index 3db7a5452..2caa923d8 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile @@ -11,6 +11,7 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter +nonewprivs noroot tracelog nosound diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile index ef5aa7d4a..86e7be6fd 100644 --- a/etc/uget-gtk.profile +++ b/etc/uget-gtk.profile @@ -9,6 +9,7 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter +nonewprivs noroot whitelist ${DOWNLOADS} diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile index 449d9a168..2049d2bd9 100644 --- a/etc/vivaldi.profile 
+++ b/etc/vivaldi.profile @@ -6,6 +6,7 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc netfilter +nonewprivs whitelist ${DOWNLOADS} mkdir ~/.config diff --git a/etc/vlc.profile b/etc/vlc.profile index 061ae6f78..d26034748 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile @@ -9,5 +9,6 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot netfilter diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile index 7588da657..ceeaca012 100644 --- a/etc/warzone2100.profile +++ b/etc/warzone2100.profile @@ -9,6 +9,7 @@ include /etc/firejail/disable-programs.inc # Call these options caps.drop all netfilter +nonewprivs noroot protocol unix,inet,inet6,netlink seccomp diff --git a/etc/weechat.profile b/etc/weechat.profile index 280a5f9d8..11b5bd10f 100644 --- a/etc/weechat.profile +++ b/etc/weechat.profile @@ -7,5 +7,6 @@ caps.drop all seccomp protocol unix,inet,inet6 netfilter +nonewprivs noroot netfilter diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile index 340ba0db5..61a87d994 100644 --- a/etc/wesnoth.profile +++ b/etc/wesnoth.profile @@ -11,6 +11,7 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot private-dev diff --git a/etc/wine.profile b/etc/wine.profile index ea6db8511..18e5346af 100644 --- a/etc/wine.profile +++ b/etc/wine.profile @@ -9,5 +9,6 @@ include /etc/firejail/disable-devel.inc caps.drop all netfilter +nonewprivs noroot seccomp diff --git a/etc/xchat.profile b/etc/xchat.profile index fcea4245e..f4b273693 100644 --- a/etc/xchat.profile +++ b/etc/xchat.profile @@ -8,4 +8,5 @@ include /etc/firejail/disable-devel.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot diff --git a/etc/xplayer.profile b/etc/xplayer.profile index 67a46a7da..fb0e3c910 100644 --- a/etc/xplayer.profile +++ b/etc/xplayer.profile 
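Review bot: In the vivaldi.profile hunk, `netfilter` is the only sandbox directive visible around the new `nonewprivs` line, whereas every other browser profile touched by this commit (netsurf, palemoon, qutebrowser, seamonkey) places `nonewprivs` next to `caps.drop all`, `seccomp`, `protocol unix,inet,inet6,netlink` and `noroot`. The hunk spans lines 6–12 only, so those directives may well exist elsewhere in the file; if they do not, `nonewprivs` on its own leaves the browser with its full capability set and an unfiltered syscall surface. Suggest confirming and, if they are absent, adding `caps.drop all`, `seccomp` and `noroot` alongside it.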
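Review bot: weechat.profile ends up with `netfilter` twice — once before the inserted `nonewprivs` and again after `noroot`, both visible as context in this hunk. Firejail tolerates a repeated option, so nothing breaks, but a duplicated directive looks like a paste error and makes the profile harder to audit. Drop the trailing `netfilter` so each option appears once, as hexchat.profile does in this same commit.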
@@ -10,6 +10,7 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot tracelog netfilter diff --git a/etc/xreader.profile b/etc/xreader.profile index 7b72d41a6..4b7ed41be 100644 --- a/etc/xreader.profile +++ b/etc/xreader.profile @@ -11,6 +11,7 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp protocol unix,inet,inet6 +nonewprivs noroot tracelog netfilter diff --git a/etc/xviewer.profile b/etc/xviewer.profile index 33e1e3c68..a0c91f0f3 100644 --- a/etc/xviewer.profile +++ b/etc/xviewer.profile @@ -9,5 +9,6 @@ caps.drop all seccomp protocol unix,inet,inet6 noroot +nonewprivs tracelog netfilter -- cgit v1.2.3-70-g09d2 From 10bf7d9418fb2d5aabaa5de6ffa8638e75bcbbdd Mon Sep 17 00:00:00 2001 From: The Fox in the Shell Date: Wed, 25 May 2016 15:59:46 +0200 Subject: Document the restricted-network change --- README.md | 6 +++--- etc/firejail.config | 4 ++-- src/man/firejail-config.txt | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) (limited to 'etc') diff --git a/README.md b/README.md index 4fa79d9f2..ce4aa4073 100644 --- a/README.md +++ b/README.md @@ -197,9 +197,9 @@ The following features can be enabled or disabled: restricted-network Enable or disable restricted network support, default disabled. If enabled, networking features should also be enabled (network - yes). Restricted networking grants access to --interface and - --net=ethXXX only to root user. Regular users are only allowed - --net=none. + yes). Restricted networking grants access to --interface, + --net=ethXXX and --netfilter only to root user. Regular users + are only allowed --net=none. Default disabled secomp Enable or disable seccomp support, default enabled. diff --git a/etc/firejail.config b/etc/firejail.config index 41cd08e68..fc09f1a0a 100644 --- a/etc/firejail.config +++ b/etc/firejail.config 
@@ -17,8 +17,8 @@ # Enable or disable restricted network support, default disabled. If enabled, # networking features should also be enabled (network yes). -# Restricted networking grants access to --interface and --net=ethXXX -# only to root user. Regular users are only allowed --net=none. +# Restricted networking grants access to --interface, --net=ethXXX and +# --netfilter only to root user. Regular users are only allowed --net=none. # restricted-network no # Enable or disable seccomp support, default enabled. diff --git a/src/man/firejail-config.txt b/src/man/firejail-config.txt index fcf4109ee..de89ff3eb 100644 --- a/src/man/firejail-config.txt +++ b/src/man/firejail-config.txt @@ -33,8 +33,8 @@ Enable or disable networking features, default enabled. \fBrestricted-network Enable or disable restricted network support, default disabled. If enabled, networking features should also be enabled (network yes). -Restricted networking grants access to --interface and --net=ethXXX -only to root user. Regular users are only allowed --net=none. +Restricted networking grants access to --interface, --net=ethXXX and +\-\-netfilter only to root user. Regular users are only allowed --net=none. .TP \fBsecomp -- cgit v1.2.3-70-g09d2 From 51cf1544128a69183f918661244e9104bae8cc16 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Thu, 26 May 2016 08:14:46 +1000 Subject: extra Brave files --- Makefile.in | 1 + README | 2 ++ README.md | 4 +--- RELNOTES | 1 + etc/disable-programs.inc | 1 + platform/debian/conffiles | 1 + src/firecfg/firecfg.config | 1 + 7 files changed, 8 insertions(+), 3 deletions(-) (limited to 'etc') diff --git a/Makefile.in b/Makefile.in index edcf09225..6699ab732 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -187,6 +187,7 @@ realinstall: install -c -m 0644 .etc/corebird.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/konversation.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/psi-plus.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/brave.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" rm -fr .etc diff --git a/README b/README index 390fbb84f..07f49c7d1 100644 --- a/README +++ b/README @@ -77,6 +77,8 @@ Fred-Barclay (https://github.com/Fred-Barclay) - blacklisted escape-happy terminals in disable-common.inc - blacklisted g++ - added xplayer, xreader, and xviewer profiles + - added Brave profile + - added "shutdown" filter for x86_64 arch to seccomp Petter Reinholdtsen (pere@hungry.com) - Opera profile patch n1trux (https://github.com/n1trux) diff --git a/README.md b/README.md index 4f90b6f27..8440d00a6 100644 --- a/README.md +++ b/README.md @@ -290,6 +290,4 @@ $ man firejail-profile lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox, OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100, okular, gwenview, Gpredict, Aweather, Stellarium, Google-Play-Music-Desktop-Player, quiterss, -cyberfox, generic Ubuntu snap application profile, xplayer, xreader, xviewer, mcabber, Psi+, Corebird, Konversation - - +cyberfox, generic Ubuntu snap application profile, xplayer, xreader, xviewer, mcabber, Psi+, Corebird, Konversation, Brave diff --git a/RELNOTES b/RELNOTES index b791048e7..c9201cf38 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -25,6 +25,7 @@ firejail (0.9.40) baseline; urgency=low * new profiles: Aweather, Stellarium, gpredict, quiterss, cyberfox * new profiles: generic Ubuntu snap application profile, xplayer * new profiles: xreader, xviewer, mcabber, Psi+, Corebird, Konversation + * new profiles: Brave * generic.profile renamed default.profile * build rpm packages using "make rpms" * bugfixes diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 3474a6592..633f9c548 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -51,6 +51,7 @@ blacklist ${HOME}/.config/epiphany blacklist ${HOME}/.config/slimjet blacklist ${HOME}/.config/qutebrowser blacklist ${HOME}/.8pecxstudios +blacklist ${HOME}/.config/brave # Instant Messaging blacklist ${HOME}/.config/hexchat diff --git a/platform/debian/conffiles b/platform/debian/conffiles index eff859cc5..7da95eb68 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -101,3 +101,4 @@ /etc/firejail/corebird.profile /etc/firejail/konversation.profile /etc/firejail/psi-plus.profile +/etc/firejail/brave.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index d019c3a5c..567f97c69 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -35,6 +35,7 @@ vivaldi-beta vivaldi dillo netsurf +brave # bittorrent/ftp deluge -- cgit v1.2.3-70-g09d2 From 0a502c19891d0ade26f6a7229f0d9c966d40cbf8 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Thu, 26 May 2016 08:15:17 +1000 Subject: added Brave profile --- etc/brave.profile | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 etc/brave.profile (limited to 'etc') diff --git a/etc/brave.profile b/etc/brave.profile new file mode 100644 index 000000000..24a0a31c9 --- /dev/null +++ b/etc/brave.profile 
@@ -0,0 +1,18 @@ +# Profile for Brave browser + +noblacklist ~/.config/brave +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc + +caps.drop all +seccomp +protocol unix,inet,inet6,netlink +netfilter +noroot + +whitelist ${DOWNLOADS} + +mkdir ~/.config +mkdir ~/.config/brave +whitelist ~/.config/brave -- cgit v1.2.3-70-g09d2 From c59274d82fa8e16ad6842a15d9a1280660c481da Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Thu, 26 May 2016 08:16:32 +1000 Subject: nosound xreader and atril --- etc/atril.profile | 1 + etc/xreader.profile | 1 + 2 files changed, 2 insertions(+) (limited to 'etc') diff --git a/etc/atril.profile b/etc/atril.profile index d1a7b25f8..91a97e826 100644 --- a/etc/atril.profile +++ b/etc/atril.profile @@ -12,3 +12,4 @@ protocol unix,inet,inet6 noroot tracelog netfilter +nosound diff --git a/etc/xreader.profile b/etc/xreader.profile index 7b72d41a6..a3871a7d3 100644 --- a/etc/xreader.profile +++ b/etc/xreader.profile @@ -14,3 +14,4 @@ protocol unix,inet,inet6 noroot tracelog netfilter +nosound -- cgit v1.2.3-70-g09d2 From 3597df9bc04fe4ab6eb891d267b0a08121416018 Mon Sep 17 00:00:00 2001 
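Review bot: The new brave.profile omits `nonewprivs` and `tracelog`, both of which the other browser profiles on this page (netsurf, palemoon, qutebrowser, seamonkey) carry next to `caps.drop all`/`seccomp`/`noroot`. `tracelog` is safe to add and logs blacklist violations to syslog, which is exactly what a first-cut profile needs. `nonewprivs` deserves a test rather than a blind add: Chromium-derived browsers ship a setuid `chrome-sandbox` helper that no_new_privs disables, so Brave must fall back to its user-namespace sandbox — check that its renderer sandbox is still reported as active. Separately, `~/.cache/brave` is neither noblacklisted nor whitelisted; if Brave writes a cache there it will be hidden by the whitelist, which may be fine but is worth confirming.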
From: netblue30 Date: Tue, 31 May 2016 21:40:55 -0400 Subject: merged Various #542 pull request from Fred-Barclay --- Makefile.in | 1 + README | 3 +- README.md | 4 + RELNOTES | 7 +- etc/0ad.profile | 6 +- etc/Mathematica.profile | 2 +- etc/abrowser.profile | 13 ++- etc/atril.profile | 8 +- etc/audacious.profile | 4 +- etc/bitlbee.profile | 6 +- etc/brave.profile | 5 +- etc/cherrytree.profile | 9 +- etc/clementine.profile | 4 +- etc/cmus.profile | 4 +- etc/conkeror.profile | 4 +- etc/corebird.profile | 4 +- etc/cyberfox.profile | 13 ++- etc/deadbeef.profile | 4 +- etc/default.profile | 5 +- etc/deluge.profile | 4 +- etc/dillo.profile | 9 +- etc/disable-programs.inc | 1 + etc/dnsmasq.profile | 7 +- etc/dropbox.profile | 4 +- etc/empathy.profile | 4 +- etc/epiphany.profile | 5 +- etc/evince.profile | 4 +- etc/fbreader.profile | 4 +- etc/filezilla.profile | 6 +- etc/firefox.profile | 14 ++- etc/flashpeak-slimjet.profile | 4 +- etc/gitter.profile | 13 +++ etc/gnome-mplayer.profile | 4 +- etc/google-play-music-desktop-player.profile | 4 +- etc/gwenview.profile | 6 +- etc/hexchat.profile | 4 +- etc/kmail.profile | 4 +- etc/konversation.profile | 4 +- etc/lxterminal.profile | 4 +- etc/mcabber.profile | 4 +- etc/midori.profile | 4 +- etc/mupen64plus.profile | 4 +- etc/netsurf.profile | 9 +- etc/okular.profile | 8 +- etc/openbox.profile | 5 +- etc/palemoon.profile | 12 +-- etc/parole.profile | 4 +- etc/pidgin.profile | 4 +- etc/polari.profile | 7 +- etc/psi-plus.profile | 4 +- etc/qbittorrent.profile | 4 +- etc/qtox.profile | 4 +- etc/quassel.profile | 4 +- etc/quiterss.profile | 13 +-- etc/qutebrowser.profile | 6 +- etc/rhythmbox.profile | 6 +- etc/rtorrent.profile | 4 +- etc/seamonkey.profile | 13 ++- etc/skype.profile | 2 +- etc/spotify.profile | 9 +- etc/ssh.profile | 4 +- etc/steam.profile | 2 +- etc/telegram.profile | 6 +- etc/totem.profile | 4 +- etc/transmission-gtk.profile | 6 +- etc/transmission-qt.profile | 6 +- etc/uget-gtk.profile | 4 +- etc/vlc.profile | 6 +- 
etc/weechat.profile | 5 +- etc/wesnoth.profile | 4 +- etc/xchat.profile | 4 +- etc/xplayer.profile | 6 +- etc/xreader.profile | 8 +- etc/xviewer.profile | 6 +- platform/debian/conffiles | 1 + src/firecfg/firecfg.config | 128 ++++++++++++++++----------- 76 files changed, 293 insertions(+), 252 deletions(-) create mode 100644 etc/gitter.profile (limited to 'etc') diff --git a/Makefile.in b/Makefile.in index 6699ab732..ea6299b3e 100644 --- a/Makefile.in +++ b/Makefile.in @@ -188,6 +188,7 @@ realinstall: install -c -m 0644 .etc/konversation.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/psi-plus.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/brave.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/gitter.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" rm -fr .etc diff --git a/README b/README index d926c8abe..437703b9b 100644 --- a/README +++ b/README @@ -79,7 +79,8 @@ Fred-Barclay (https://github.com/Fred-Barclay) - blacklisted g++ - added xplayer, xreader, and xviewer profiles - added Brave profile - - added "shutdown" filter for x86_64 arch to seccomp + - added Gitter profile + - various organising Petter Reinholdtsen (pere@hungry.com) - Opera profile patch n1trux (https://github.com/n1trux) diff --git a/README.md b/README.md index c61543452..543565fe4 100644 --- a/README.md +++ b/README.md @@ -35,3 +35,7 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ ````` # Current development version: 0.9.41 + +## New security profiles + +Gitter diff --git a/RELNOTES b/RELNOTES index 6c6bdb526..db3828354 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -1,3 +1,8 @@ +firejail (0.9.41) baseline; urgency=low + * work in progress... + * new profiles: Gitter + -- netblue30 Tue, 31 May 2016 08:00:00 -0500 + firejail (0.9.40) baseline; urgency=low * added --nice option * added --x11 option @@ -25,7 +30,7 @@ firejail (0.9.40) baseline; urgency=low * new profiles: Aweather, Stellarium, gpredict, quiterss, cyberfox * new profiles: generic Ubuntu snap application profile, xplayer * new profiles: xreader, xviewer, mcabber, Psi+, Corebird, Konversation - * new profiles: Brave + * new profiles: Brave, Gitter * generic.profile renamed default.profile * build rpm packages using "make rpms" * bugfixes diff --git a/etc/0ad.profile b/etc/0ad.profile index e6540fb5d..3797ae5cd 100644 --- a/etc/0ad.profile +++ b/etc/0ad.profile @@ -7,12 +7,12 @@ include /etc/firejail/disable-programs.inc # Call these options caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter -tracelog noroot nonewprivs +protocol unix,inet,inet6,netlink +seccomp +tracelog # Whitelists noblacklist ~/.cache/0ad diff --git a/etc/Mathematica.profile b/etc/Mathematica.profile index 75dbebcf0..e719f070f 100644 --- a/etc/Mathematica.profile +++ b/etc/Mathematica.profile @@ -15,6 +15,6 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp nonewprivs noroot +seccomp diff --git a/etc/abrowser.profile b/etc/abrowser.profile index 6a06ce76b..65247e7d3 100644 --- a/etc/abrowser.profile +++ b/etc/abrowser.profile @@ -7,12 +7,12 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter -tracelog nonewprivs noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog whitelist ${DOWNLOADS} mkdir ~/.mozilla 
@@ -41,13 +41,12 @@ whitelist ~/.config/lastpass #silverlight -whitelist ~/.wine-pipelight -whitelist ~/.wine-pipelight64 -whitelist ~/.config/pipelight-widevine +whitelist ~/.wine-pipelight +whitelist ~/.wine-pipelight64 +whitelist ~/.config/pipelight-widevine whitelist ~/.config/pipelight-silverlight5.1 include /etc/firejail/whitelist-common.inc # experimental features #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse - diff --git a/etc/atril.profile b/etc/atril.profile index b55f99cdd..8ee7da173 100644 --- a/etc/atril.profile +++ b/etc/atril.profile @@ -7,10 +7,10 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 +netfilter nonewprivs noroot -tracelog -netfilter nosound +protocol unix,inet,inet6 +seccomp +tracelog diff --git a/etc/audacious.profile b/etc/audacious.profile index 0a1598dee..e5275213c 100644 --- a/etc/audacious.profile +++ b/etc/audacious.profile @@ -5,7 +5,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 nonewprivs noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile index b7ccd132e..e63802c8a 100644 --- a/etc/bitlbee.profile +++ b/etc/bitlbee.profile @@ -4,9 +4,9 @@ noblacklist /usr/sbin include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc -protocol unix,inet,inet6 +netfilter +nonewprivs private private-dev +protocol unix,inet,inet6 seccomp -netfilter -nonewprivs diff --git a/etc/brave.profile b/etc/brave.profile index 24a0a31c9..4c42e9faa 100644 --- a/etc/brave.profile +++ b/etc/brave.profile 
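Review bot: No `caps.drop`/`caps.keep` directive is visible in the bitlbee.profile hunk, whose new side is `netfilter`, `nonewprivs`, `private`, `private-dev`, `protocol unix,inet,inet6`, `seccomp`; the hunk starts at line 4, so a capability line in the first three lines of the file would not show here. If none exists, a bitlbee launched as root keeps the full capability set until the daemon drops privileges itself. It listens on 6667 and needs no privileged port, so `caps.drop all` should be workable — or `caps.keep setuid,setgid` if the service is started as root and switches to its own user — but confirm against how bitlbee is actually launched before tightening.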
@@ -6,10 +6,11 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter +nonewprivs noroot +protocol unix,inet,inet6,netlink +seccomp whitelist ${DOWNLOADS} diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index b3a34fc9a..bc6fe1d86 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile @@ -15,11 +15,12 @@ mkdir ~/.local/share whitelist ${HOME}/.local/share/ caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter -tracelog nonewprivs noroot -include /etc/firejail/whitelist-common.inc nosound +seccomp +protocol unix,inet,inet6,netlink +tracelog + +include /etc/firejail/whitelist-common.inc diff --git a/etc/clementine.profile b/etc/clementine.profile index fb9dca2a9..5ce085358 100644 --- a/etc/clementine.profile +++ b/etc/clementine.profile @@ -5,7 +5,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 nonewprivs noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/cmus.profile b/etc/cmus.profile index 16b9c112d..2e2a6940c 100644 --- a/etc/cmus.profile +++ b/etc/cmus.profile @@ -7,11 +7,11 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot +protocol unix,inet,inet6 +seccomp private-bin cmus private-etc group diff --git a/etc/conkeror.profile b/etc/conkeror.profile index 0a7966e4b..e82eeec4c 100644 --- a/etc/conkeror.profile +++ b/etc/conkeror.profile @@ -4,11 +4,11 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot +protocol unix,inet,inet6 +seccomp whitelist ~/.conkeror.mozdev.org whitelist ~/Downloads diff --git a/etc/corebird.profile b/etc/corebird.profile index f3f73a44f..077ae30d0 100644 --- a/etc/corebird.profile 
+++ b/etc/corebird.profile @@ -6,7 +6,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile index c5fb25e9a..0035b6be6 100644 --- a/etc/cyberfox.profile +++ b/etc/cyberfox.profile @@ -7,12 +7,12 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter -tracelog nonewprivs noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog whitelist ${DOWNLOADS} mkdir ~/.8pecxstudios @@ -41,13 +41,12 @@ whitelist ~/.config/lastpass #silverlight -whitelist ~/.wine-pipelight -whitelist ~/.wine-pipelight64 -whitelist ~/.config/pipelight-widevine +whitelist ~/.wine-pipelight +whitelist ~/.wine-pipelight64 +whitelist ~/.config/pipelight-widevine whitelist ~/.config/pipelight-silverlight5.1 include /etc/firejail/whitelist-common.inc # experimental features #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse - diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile index 9225ca16e..04abd0a92 100644 --- a/etc/deadbeef.profile +++ b/etc/deadbeef.profile @@ -7,7 +7,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 nonewprivs noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/default.profile b/etc/default.profile index d836a9f5d..a2de72695 100644 --- a/etc/default.profile +++ b/etc/default.profile @@ -8,9 +8,8 @@ include /etc/firejail/disable-passwdmgr.inc #blacklist ${HOME}/.wine caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot - +protocol unix,inet,inet6 +seccomp diff --git a/etc/deluge.profile b/etc/deluge.profile index f7a2b98e4..277ecc15e 100644 --- a/etc/deluge.profile 
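Review bot: corebird.profile is one of the few profiles in this merge left without `nonewprivs`; its new side is `caps.drop all`, `netfilter`, `noroot`, `protocol unix,inet,inet6`, `seccomp`, while the neighbouring profiles (cmus, conkeror, cyberfox) all carry it. If the omission is deliberate — say a helper that must regain privileges — a one-line comment such as `# nonewprivs omitted: <reason>` would stop the next contributor from adding it blindly. Otherwise insert `nonewprivs` between `netfilter` and `noroot`, which also keeps the alphabetical order this merge establishes.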
+++ b/etc/deluge.profile @@ -6,9 +6,9 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot nosound +protocol unix,inet,inet6 +seccomp diff --git a/etc/dillo.profile b/etc/dillo.profile index 392000ade..2ddd363cb 100644 --- a/etc/dillo.profile +++ b/etc/dillo.profile @@ -7,12 +7,12 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter -tracelog nonewprivs noroot +protocol unix,inet,inet6 +seccomp +tracelog whitelist ${DOWNLOADS} mkdir ~/.dillo @@ -21,6 +21,3 @@ mkdir ~/.fltk whitelist ~/.fltk include /etc/firejail/whitelist-common.inc - - - diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 633f9c548..1f86a0ebe 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -65,6 +65,7 @@ blacklist ${HOME}/.config/xchat blacklist ${HOME}/.Skype blacklist ${HOME}/.config/tox blacklist ${HOME}/.TelegramDesktop +blacklist ${HOME}/.config/Gitter # Games blacklist ${HOME}/.hedgewars diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile index 4459c40dd..6b199c34b 100644 --- a/etc/dnsmasq.profile +++ b/etc/dnsmasq.profile @@ -5,10 +5,11 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-devel.inc + caps -seccomp -protocol unix,inet,inet6,netlink netfilter +nonewprivs private private-dev -nonewprivs +protocol unix,inet,inet6,netlink +seccomp diff --git a/etc/dropbox.profile b/etc/dropbox.profile index 568ab230a..2427c6af8 100644 --- a/etc/dropbox.profile +++ b/etc/dropbox.profile @@ -4,7 +4,7 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc caps -seccomp -protocol unix,inet,inet6 nonewprivs noroot +protocol unix,inet,inet6 +seccomp 
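Review bot: dnsmasq.profile keeps the bare `caps` directive, i.e. firejail's default capability filter, which after the reorder is still far broader than a DNS/DHCP forwarder needs. dnsmasq binds 53/67, uses raw sockets for DHCP and then changes to its own user, so `caps.keep net_bind_service,net_admin,net_raw,setgid,setuid` is the usual minimum; verify it against the local configuration before tightening, since a pid or lease file written as root may need more. The absence of `noroot` is expected here because the daemon must start as root to bind privileged ports, but a short comment saying so would make the asymmetry with the other profiles obvious.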
diff --git a/etc/empathy.profile b/etc/empathy.profile index c08398e84..371100814 100644 --- a/etc/empathy.profile +++ b/etc/empathy.profile @@ -4,7 +4,7 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs +protocol unix,inet,inet6 +seccomp diff --git a/etc/epiphany.profile b/etc/epiphany.profile index 7783a05fd..57191429a 100644 --- a/etc/epiphany.profile +++ b/etc/epiphany.profile @@ -19,8 +19,9 @@ mkdir ${HOME}/.cache mkdir ${HOME}/.cache/epiphany whitelist ${HOME}/.cache/epiphany include /etc/firejail/whitelist-common.inc + caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs +protocol unix,inet,inet6 +seccomp diff --git a/etc/evince.profile b/etc/evince.profile index 3c883d43c..8c84a1daa 100644 --- a/etc/evince.profile +++ b/etc/evince.profile @@ -5,8 +5,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 nonewprivs noroot nosound +protocol unix,inet,inet6 +seccomp diff --git a/etc/fbreader.profile b/etc/fbreader.profile index 7764a48c9..c4d84691c 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile @@ -7,9 +7,9 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot nosound +protocol unix,inet,inet6 +seccomp diff --git a/etc/filezilla.profile b/etc/filezilla.profile index 1ab08b568..3cb4890e2 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile @@ -7,9 +7,9 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6 +netfilter nonewprivs noroot -netfilter nosound +protocol unix,inet,inet6 +seccomp diff --git a/etc/firefox.profile b/etc/firefox.profile index 6796ef7c4..2cc4d3cd8 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile 
@@ -7,12 +7,12 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter -tracelog nonewprivs noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog whitelist ${DOWNLOADS} mkdir ~/.mozilla @@ -41,14 +41,12 @@ whitelist ~/.config/lastpass #silverlight -whitelist ~/.wine-pipelight -whitelist ~/.wine-pipelight64 -whitelist ~/.config/pipelight-widevine +whitelist ~/.wine-pipelight +whitelist ~/.wine-pipelight64 +whitelist ~/.config/pipelight-widevine whitelist ~/.config/pipelight-silverlight5.1 include /etc/firejail/whitelist-common.inc # experimental features #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse - - diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile index 77a95aa17..f248c385a 100644 --- a/etc/flashpeak-slimjet.profile +++ b/etc/flashpeak-slimjet.profile @@ -15,11 +15,11 @@ include /etc/firejail/disable-programs.inc # caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter nonewprivs noroot +protocol unix,inet,inet6,netlink +seccomp whitelist ${DOWNLOADS} mkdir ~/.config diff --git a/etc/gitter.profile b/etc/gitter.profile new file mode 100644 index 000000000..0c2bd1353 --- /dev/null +++ b/etc/gitter.profile @@ -0,0 +1,13 @@ +# Firejail profile for Gitter +noblacklist ~/.config/Gitter + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc + +caps.drop all +netfilter +noroot +protocol unix,inet,inet6,netlink +seccomp diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile index 010b19613..f15778534 100644 --- a/etc/gnome-mplayer.profile +++ b/etc/gnome-mplayer.profile 
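Review bot: The new gitter.profile carries no `nonewprivs`, although the same merge adds or preserves it in nearly every other profile; its sandbox set is `caps.drop all`, `netfilter`, `noroot`, `protocol unix,inet,inet6,netlink`, `seccomp`. The Gitter desktop client is an Electron application, so it bundles the Chromium setuid sandbox helper that no_new_privs disables; the app normally falls back to the user-namespace sandbox, but that should be tested before the line is added. The profile also relies on blacklists only — no `whitelist`/`mkdir` for `~/.config/Gitter` as netsurf and brave do — which is acceptable for a first profile but leaves the rest of the home directory readable to the app.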
@@ -5,7 +5,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 nonewprivs noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile index fe2f79901..b4cf8d9ac 100644 --- a/etc/google-play-music-desktop-player.profile +++ b/etc/google-play-music-desktop-player.profile @@ -7,11 +7,11 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6,netlink nonewprivs noroot netfilter +protocol unix,inet,inet6,netlink +seccomp #whitelist ~/.pulse #whitelist ~/.config/pulse diff --git a/etc/gwenview.profile b/etc/gwenview.profile index 87523d825..65cc084e6 100644 --- a/etc/gwenview.profile +++ b/etc/gwenview.profile @@ -5,16 +5,16 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc + caps.drop all -seccomp -protocol unix nonewprivs noroot nogroups private-dev +protocol unix +seccomp #Experimental: #shell none #private-bin gwenview #private-etc X11 - diff --git a/etc/hexchat.profile b/etc/hexchat.profile index 3eb350660..a584d25c5 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile @@ -7,11 +7,11 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6 nonewprivs noroot netfilter +protocol unix,inet,inet6 +seccomp mkdir ~/.config mkdir ~/.config/hexchat diff --git a/etc/kmail.profile b/etc/kmail.profile index a47945bc6..44a53e258 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile @@ -7,9 +7,9 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter nonewprivs noroot +protocol unix,inet,inet6,netlink +seccomp tracelog 
diff --git a/etc/konversation.profile b/etc/konversation.profile index d10decb8f..190061618 100644 --- a/etc/konversation.profile +++ b/etc/konversation.profile @@ -6,7 +6,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter noroot +seccomp +protocol unix,inet,inet6 diff --git a/etc/lxterminal.profile b/etc/lxterminal.profile index b6acf2587..d1d0b8a0d 100644 --- a/etc/lxterminal.profile +++ b/etc/lxterminal.profile @@ -5,7 +5,7 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter +protocol unix,inet,inet6 +seccomp #noroot - somehow this breaks on Debian Jessie! diff --git a/etc/mcabber.profile b/etc/mcabber.profile index 1536194b2..6b236a9a7 100644 --- a/etc/mcabber.profile +++ b/etc/mcabber.profile @@ -8,11 +8,11 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol inet,inet6 netfilter nonewprivs noroot +protocol inet,inet6 +seccomp private-bin mcabber private-etc null diff --git a/etc/midori.profile b/etc/midori.profile index 568687058..c4055fa83 100644 --- a/etc/midori.profile +++ b/etc/midori.profile @@ -5,8 +5,8 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile index c9a99bede..d4b442df8 100644 --- a/etc/mupen64plus.profile +++ b/etc/mupen64plus.profile @@ -16,8 +16,8 @@ mkdir ${HOME}/.config mkdir ${HOME}/.config/mupen64plus whitelist ${HOME}/.config/mupen64plus/ +caps.drop all +net none nonewprivs noroot -caps.drop all seccomp -net none diff --git a/etc/netsurf.profile b/etc/netsurf.profile index e01cace7f..3de6be238 100644 --- a/etc/netsurf.profile +++ b/etc/netsurf.profile 
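Review bot: konversation.profile re-adds `seccomp` ahead of `protocol unix,inet,inet6`, the only profile in this commit where the two are not in the alphabetical order (`protocol` first, then `seccomp`) the rest of the change establishes. Swapping the two added lines, `+protocol unix,inet,inet6` followed by `+seccomp`, keeps the file consistent with the others; as far as I can tell the order of these two options does not change behaviour.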
@@ -7,12 +7,12 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter -tracelog nonewprivs noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog whitelist ${DOWNLOADS} mkdir ~/.config @@ -30,6 +30,3 @@ whitelist ~/.lastpass whitelist ~/.config/lastpass include /etc/firejail/whitelist-common.inc - - - diff --git a/etc/okular.profile b/etc/okular.profile index 5179da787..b1efc4753 100644 --- a/etc/okular.profile +++ b/etc/okular.profile @@ -6,17 +6,17 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc + caps.drop all -seccomp -protocol unix nonewprivs -noroot nogroups +noroot private-dev +protocol unix +seccomp #Experimental: #net none #shell none #private-bin okular,kbuildsycoca4,kbuildsycoca5 #private-etc X11 - diff --git a/etc/openbox.profile b/etc/openbox.profile index 6e2e5d6fd..f812768a1 100644 --- a/etc/openbox.profile +++ b/etc/openbox.profile @@ -5,8 +5,7 @@ include /etc/firejail/disable-common.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter noroot - +protocol unix,inet,inet6 +seccomp diff --git a/etc/palemoon.profile b/etc/palemoon.profile index 4db9b7adc..a74954ddb 100644 --- a/etc/palemoon.profile +++ b/etc/palemoon.profile @@ -12,12 +12,12 @@ include /etc/firejail/whitelist-common.inc # Options caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter -tracelog nonewprivs noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog whitelist ${DOWNLOADS} mkdir ~/.moonchild productions 
@@ -41,9 +41,9 @@ whitelist ~/.cache/moonchild productions/pale moon #whitelist ~/.pki # For silverlight -#whitelist ~/.wine-pipelight -#whitelist ~/.wine-pipelight64 -#whitelist ~/.config/pipelight-widevine +#whitelist ~/.wine-pipelight +#whitelist ~/.wine-pipelight64 +#whitelist ~/.config/pipelight-widevine #whitelist ~/.config/pipelight-silverlight5.1 diff --git a/etc/parole.profile b/etc/parole.profile index c0be0453b..1440a9ef7 100644 --- a/etc/parole.profile +++ b/etc/parole.profile @@ -8,9 +8,9 @@ private-etc passwd,group,fonts private-bin parole,dbus-launch caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot +protocol unix,inet,inet6 +seccomp shell none diff --git a/etc/pidgin.profile b/etc/pidgin.profile index 767da5f55..091456d76 100644 --- a/etc/pidgin.profile +++ b/etc/pidgin.profile @@ -6,7 +6,7 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6 nonewprivs noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/polari.profile b/etc/polari.profile index 7910f4e9b..366883c83 100644 --- a/etc/polari.profile +++ b/etc/polari.profile @@ -22,9 +22,8 @@ whitelist ${HOME}/.purple include /etc/firejail/whitelist-common.inc caps.drop all -seccomp -protocol unix,inet,inet6 +netfilter nonewprivs noroot -netfilter - +protocol unix,inet,inet6 +seccomp diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile index 8194da74f..9380237be 100644 --- a/etc/psi-plus.profile +++ b/etc/psi-plus.profile @@ -21,7 +21,7 @@ whitelist ~/.cache/psi+ include /etc/firejail/whitelist-common.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index 858fdda4d..cbf898502 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile 
@@ -5,9 +5,9 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot nosound +protocol unix,inet,inet6 +seccomp diff --git a/etc/qtox.profile b/etc/qtox.profile index ca34e932a..3a19efa3a 100644 --- a/etc/qtox.profile +++ b/etc/qtox.profile @@ -10,7 +10,7 @@ whitelist ${DOWNLOADS} include /etc/firejail/whitelist-common.inc caps.drop all -seccomp -protocol unix,inet,inet6 nonewprivs noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/quassel.profile b/etc/quassel.profile index e68315c1c..f92dfeb9f 100644 --- a/etc/quassel.profile +++ b/etc/quassel.profile @@ -4,8 +4,8 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6 nonewprivs noroot netfilter +protocol unix,inet,inet6 +seccomp diff --git a/etc/quiterss.profile b/etc/quiterss.profile index 5ad7ead1a..3e5dde36e 100644 --- a/etc/quiterss.profile +++ b/etc/quiterss.profile @@ -16,15 +16,16 @@ mkdir ~/.cache/QuiteRss whitelist ${HOME}/.cache/QuiteRss caps.drop all -seccomp -protocol unix,inet,inet6 netfilter -tracelog nonewprivs -noroot nogroups -shell none -private-dev +noroot private-bin quiterss +private-dev #private-etc X11,ssl +protocol unix,inet,inet6 +seccomp +shell none +tracelog + include /etc/firejail/whitelist-common.inc diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile index 09d10b0bb..b590f0ef1 100644 --- a/etc/qutebrowser.profile +++ b/etc/qutebrowser.profile @@ -7,12 +7,12 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter -tracelog nonewprivs noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog whitelist ${DOWNLOADS} mkdir ~/.config/qutebrowser diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index ee0832863..0782a653d 100644 --- a/etc/rhythmbox.profile 
+++ b/etc/rhythmbox.profile @@ -5,8 +5,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 +netfilter nonewprivs noroot -netfilter +protocol unix,inet,inet6 +seccomp diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index 9ae2206c1..0be5e15d1 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile @@ -5,9 +5,9 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot nosound +protocol unix,inet,inet6 +seccomp diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile index 886af0f67..9ce4164c1 100644 --- a/etc/seamonkey.profile +++ b/etc/seamonkey.profile @@ -6,12 +6,12 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter -tracelog nonewprivs noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog whitelist ${DOWNLOADS} mkdir ~/.mozilla @@ -42,11 +42,10 @@ whitelist ~/.lastpass whitelist ~/.config/lastpass #silverlight -whitelist ~/.wine-pipelight -whitelist ~/.wine-pipelight64 -whitelist ~/.config/pipelight-widevine +whitelist ~/.wine-pipelight +whitelist ~/.wine-pipelight64 +whitelist ~/.config/pipelight-widevine whitelist ~/.config/pipelight-silverlight5.1 # experimental features #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse - diff --git a/etc/skype.profile b/etc/skype.profile index 4c4a34980..9cbcd5117 100644 --- a/etc/skype.profile +++ b/etc/skype.profile @@ -8,5 +8,5 @@ caps.drop all netfilter nonewprivs noroot -seccomp protocol unix,inet,inet6 +seccomp diff --git a/etc/spotify.profile b/etc/spotify.profile index 1ee379dea..9ba25b818 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile 
@@ -7,8 +7,8 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc -# Whitelist the folders needed by Spotify - This is more restrictive -# than a blacklist though, but this is all spotify requires for +# Whitelist the folders needed by Spotify - This is more restrictive +# than a blacklist though, but this is all spotify requires for # streaming audio mkdir ${HOME}/.config mkdir ${HOME}/.config/spotify @@ -23,9 +23,8 @@ whitelist ${HOME}/.cache/spotify include /etc/firejail/whitelist-common.inc caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter nonewprivs noroot - +protocol unix,inet,inet6,netlink +seccomp diff --git a/etc/ssh.profile b/etc/ssh.profile index 0c4621f66..a6d52c5a5 100644 --- a/etc/ssh.profile +++ b/etc/ssh.profile @@ -6,8 +6,8 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/steam.profile b/etc/steam.profile index ae5e93829..b15a54be9 100644 --- a/etc/steam.profile +++ b/etc/steam.profile @@ -10,5 +10,5 @@ caps.drop all netfilter nonewprivs noroot -seccomp protocol unix,inet,inet6 +seccomp diff --git a/etc/telegram.profile b/etc/telegram.profile index 62a0fa404..819cd8f3a 100644 --- a/etc/telegram.profile +++ b/etc/telegram.profile @@ -5,11 +5,11 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6 +netfilter nonewprivs noroot -netfilter +protocol unix,inet,inet6 +seccomp whitelist ~/Downloads/Telegram Desktop mkdir ${HOME}/.TelegramDesktop diff --git a/etc/totem.profile b/etc/totem.profile index f2bce5dee..252b46979 100644 --- a/etc/totem.profile +++ b/etc/totem.profile 
@@ -8,8 +8,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 nonewprivs noroot netfilter +protocol unix,inet,inet6 +seccomp diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index e27873f88..5aef32d45 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile @@ -8,10 +8,10 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot -tracelog nosound +protocol unix,inet,inet6 +seccomp +tracelog diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index 2caa923d8..d8ab1c60d 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile @@ -8,10 +8,10 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot -tracelog nosound +protocol unix,inet,inet6 +seccomp +tracelog diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile index 86e7be6fd..02c7f56bf 100644 --- a/etc/uget-gtk.profile +++ b/etc/uget-gtk.profile @@ -6,11 +6,11 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot +protocol unix,inet,inet6 +seccomp whitelist ${DOWNLOADS} mkdir ~/.config diff --git a/etc/vlc.profile b/etc/vlc.profile index d26034748..f8eebd376 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile @@ -7,8 +7,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 +netfilter nonewprivs noroot -netfilter +protocol unix,inet,inet6 +seccomp diff --git a/etc/weechat.profile b/etc/weechat.profile index 11b5bd10f..6cfe58420 100644 --- a/etc/weechat.profile +++ b/etc/weechat.profile 
@@ -4,9 +4,8 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot -netfilter +protocol unix,inet,inet6 +seccomp diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile index 61a87d994..cd0c6406f 100644 --- a/etc/wesnoth.profile +++ b/etc/wesnoth.profile @@ -9,10 +9,10 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 nonewprivs noroot +protocol unix,inet,inet6 +seccomp private-dev diff --git a/etc/xchat.profile b/etc/xchat.profile index f4b273693..061c4f3da 100644 --- a/etc/xchat.profile +++ b/etc/xchat.profile @@ -6,7 +6,7 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6 nonewprivs noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/xplayer.profile b/etc/xplayer.profile index fb0e3c910..cd9cbed45 100644 --- a/etc/xplayer.profile +++ b/etc/xplayer.profile @@ -8,9 +8,9 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 +netfilter nonewprivs noroot +protocol unix,inet,inet6 +seccomp tracelog -netfilter diff --git a/etc/xreader.profile b/etc/xreader.profile index 267330c1f..2cf109f09 100644 --- a/etc/xreader.profile +++ b/etc/xreader.profile @@ -9,10 +9,10 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 +netfilter nonewprivs noroot -tracelog -netfilter nosound +protocol unix,inet,inet6 +seccomp +tracelog diff --git a/etc/xviewer.profile b/etc/xviewer.profile index a0c91f0f3..51949526d 100644 --- a/etc/xviewer.profile +++ b/etc/xviewer.profile 
@@ -6,9 +6,9 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 +netfilter noroot nonewprivs +protocol unix,inet,inet6 +seccomp tracelog -netfilter diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 7da95eb68..7ae5ca1b9 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -102,3 +102,4 @@ /etc/firejail/konversation.profile /etc/firejail/psi-plus.profile /etc/firejail/brave.profile +/etc/firejail/gitter.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 567f97c69..566fb156f 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config 
@@ -6,88 +6,114 @@ gpredict stellarium -# weather/climate -aweather +# bittorrent/ftp +deluge +dropbox +filezilla +qbittorrent +rtorrent +transmission-gtk +transmission-qt +uget-gtk # browsers/email -firefox -iceweasel -chromium-browser +abrowser +brave chromium +chromium-browser conkeror -thunderbird -epiphany +cyberfox +firefox flashpeak-slimjet +epiphany +dillo +google-chrome google-chrome-beta google-chrome-stable google-chrome-unstable -google-chrome +iceweasel icecat icedove kmail midori +netsurf opera-beta opera qutebrowser seamonkey seamonkey-bin +thunderbird vivaldi-beta vivaldi -dillo -netsurf -brave - -# bittorrent/ftp -deluge -filezilla -qbittorrent -rtorrent -transmission-gtk -transmission-qt - -# office -cherrytree -evince -fbreader -localc -lodraw -loffice -lofromtemplate -loimpress -lomath -loweb -lowriter -Mathematica -mathematica -gwenview -okular -atril -xreader - -# Media -vlc -audacious -clementine -deadbeef -parole -rhythmbox -totem -cmus -xplayer -xviewer # chat/messaging bitlbee +corebird empathy -gnome-mplayer +gitter hexchat +konversation pidgin +polari +psi-plus qtox quassel +skype +telegram +weechat +weechat-curses xchat +# dns +dnscrypt-proxy +dnsmaq +unbound + +# emulators/compatibility layers +mupen64plus +wine + # games 0ad hedgewars +steam wesnot warzone2100 + +# Media +audacious +clementine +cmus +deadbeef +gnome-mplayer +google-play-music-desktop-player +parole +rhythmbox +spotify +totem +vlc +xplayer +xviewer + +# news readers +quiterss + +# office +atril +cherrytree +evince +fbreader +gwenview +Mathematica +mathematica +okular +xreader + +# other +lxterminal +openbox +snap +ssh + +# weather/climate +aweather -- cgit v1.2.3-70-g09d2 From 9e3469e1cffffa9d0e50f284c9b46a773138a1a6 Mon Sep 17 00:00:00 2001 
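Review bot: The new `# dns` group adds `dnsmaq`, which reads like a misspelling of `dnsmasq`; since firecfg uses this list to decide which program names get sandbox symlinks, a misspelled entry yields a symlink for a program that does not exist while the real binary stays unsandboxed. Change the line to `dnsmasq`, assuming a matching profile exists (none is added on this page). The pre-existing context line `wesnot` under `# games` has the same problem; it is not part of this change but is worth a follow-up.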
From: netblue30 Date: Mon, 6 Jun 2016 11:54:53 -0400 Subject: added gThumb and mpv profiles --- Makefile.in | 2 ++ README.md | 2 +- RELNOTES | 2 +- etc/disable-programs.inc | 2 ++ etc/gthumb.profile | 17 +++++++++++++++++ etc/mpv.profile | 14 ++++++++++++++ platform/debian/conffiles | 2 ++ src/firecfg/firecfg.config | 2 ++ 8 files changed, 41 insertions(+), 2 deletions(-) create mode 100644 etc/gthumb.profile create mode 100644 etc/mpv.profile (limited to 'etc') diff --git a/Makefile.in b/Makefile.in index ea6299b3e..c7897145a 100644 --- a/Makefile.in +++ b/Makefile.in @@ -189,6 +189,8 @@ realinstall: install -c -m 0644 .etc/psi-plus.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/brave.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/gitter.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/gthumb.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/mpv.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" rm -fr .etc diff --git a/README.md b/README.md index 723218fe0..efbb97f36 100644 --- a/README.md +++ b/README.md @@ -67,4 +67,4 @@ AppImage project home: https://github.com/probonopd/AppImageKit ## New security profiles -Gitter +Gitter, gThumb, mpv diff --git a/RELNOTES b/RELNOTES index db3828354..7731c88f2 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,6 +1,6 @@ firejail (0.9.41) baseline; urgency=low * work in progress... - * new profiles: Gitter + * new profiles: Gitter, gThumb, mpv -- netblue30 Tue, 31 May 2016 08:00:00 -0500 firejail (0.9.40) baseline; urgency=low diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 1f86a0ebe..04cc1ac7a 100644 --- a/etc/disable-programs.inc 
+++ b/etc/disable-programs.inc @@ -6,6 +6,7 @@ blacklist ${HOME}/.wine blacklist ${HOME}/.Mathematica blacklist ${HOME}/.Wolfram Research blacklist ${HOME}/.stellarium +blacklist ${HOME}/.config/gthumb blacklist ${HOME}/.config/mupen64plus blacklist ${HOME}/.config/transmission blacklist ${HOME}/.config/uGet @@ -26,6 +27,7 @@ blacklist ${HOME}/.config/cmus blacklist ${HOME}/.config/deadbeef blacklist ${HOME}/.config/spotify blacklist ${HOME}/.config/vlc +blacklist ${HOME}/.config/mpv blacklist ${HOME}/.config/totem blacklist ${HOME}/.config/xplayer diff --git a/etc/gthumb.profile b/etc/gthumb.profile new file mode 100644 index 000000000..55041b5cc --- /dev/null +++ b/etc/gthumb.profile @@ -0,0 +1,17 @@ +# gthumb profile +noblacklist ${HOME}/.config/gthumb + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp + +private-bin gthumb +shell none diff --git a/etc/mpv.profile b/etc/mpv.profile new file mode 100644 index 000000000..0a8a6103f --- /dev/null +++ b/etc/mpv.profile @@ -0,0 +1,14 @@ +# mpv media player profile +noblacklist ${HOME}/.config/mpv + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 7ae5ca1b9..b4bbdb36a 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -103,3 +103,5 @@ /etc/firejail/psi-plus.profile /etc/firejail/brave.profile /etc/firejail/gitter.profile +/etc/firejail/gthumb.profile +/etc/firejail/mpv.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 566fb156f..8bb90bf4a 100644 --- a/src/firecfg/firecfg.config 
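Review bot: gthumb.profile grants network access (`netfilter` plus `protocol unix,inet,inet6`) to an image viewer; unless gThumb's web-album export is a supported use, `net none` would be the tighter default, and if the access is intentional a one-line comment such as `# network kept for web export` would stop the next reviewer from tightening it. mpv.profile in the same commit omits the `private-bin`/`shell none` pair that gthumb.profile carries; a comment stating whether that is deliberate (for example because mpv may call external helpers) would make the difference reviewable.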
+++ b/src/firecfg/firecfg.config @@ -87,6 +87,7 @@ cmus deadbeef gnome-mplayer google-play-music-desktop-player +mpv parole rhythmbox spotify @@ -104,6 +105,7 @@ cherrytree evince fbreader gwenview +gthumb Mathematica mathematica okular -- cgit v1.2.3-70-g09d2 From 609b9287190df1cb39bbce895ea15402ea864905 Mon Sep 17 00:00:00 2001 From: root Date: Tue, 7 Jun 2016 08:02:20 -0400 Subject: remove noroot from midori profile --- etc/midori.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/midori.profile b/etc/midori.profile index c4055fa83..01ab58bc1 100644 --- a/etc/midori.profile +++ b/etc/midori.profile @@ -7,6 +7,6 @@ include /etc/firejail/disable-devel.inc caps.drop all netfilter nonewprivs -noroot +# noroot - noroot break midori on Ubuntu 14.04 protocol unix,inet,inet6 seccomp -- cgit v1.2.3-70-g09d2 From 86df483afa5088a64c99214c7c2cc6726cccc352 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 7 Jun 2016 08:04:42 -0400 Subject: removed noroot from midori profile --- etc/midori.profile | 1 + 1 file changed, 1 insertion(+) (limited to 'etc') diff --git a/etc/midori.profile b/etc/midori.profile index 01ab58bc1..046c45d94 100644 --- a/etc/midori.profile +++ b/etc/midori.profile @@ -10,3 +10,4 @@ nonewprivs # noroot - noroot break midori on Ubuntu 14.04 protocol unix,inet,inet6 seccomp + -- cgit v1.2.3-70-g09d2 From f1c611a1280cd977dc7c5643e5c3fd13315514e1 Mon Sep 17 00:00:00 2001 From: maces Date: Wed, 8 Jun 2016 21:54:04 +0200 Subject: added profile for franz messenger added profile for franz messenger app based n electron --- etc/franz.profile | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 etc/franz.profile (limited to 'etc') diff --git a/etc/franz.profile b/etc/franz.profile new file mode 100644 index 000000000..fc4a665de --- /dev/null +++ b/etc/franz.profile 
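Review bot: The midori hunk replaces `noroot` with a comment, which disables the user namespace for midori on every distribution because of an Ubuntu 14.04 breakage; the comment should record that trade-off and read `# noroot - noroot breaks midori on Ubuntu 14.04`. If the breakage is specific to that release, a note that users on other distributions can re-enable `noroot` in a user-local copy of the profile would help. The follow-up commit on the same line only appends a blank line to the file.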
@@ -0,0 +1,26 @@ +# Franz profile +noblacklist ~/.config/Franz +noblacklist ~/.cache/Franz +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc + +caps.drop all +seccomp +protocol unix,inet,inet6,netlink +netfilter +#tracelog +nonewprivs +noroot + +whitelist ${DOWNLOADS} +mkdir ~/.config +mkdir ~/.config/Franz +whitelist ~/.config/Franz +mkdir ~/.cache +mkdir ~/.cache/Franz +whitelist ~/.cache/Franz +mkdir ~/.pki +whitelist ~/.pki + +include /etc/firejail/whitelist-common.inc -- cgit v1.2.3-70-g09d2 From d073a425b3e3ed3829a0e042e8c41963f0f40f0e Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 9 Jun 2016 08:42:59 -0400 Subject: whitelist support in /etc/firejail/firejail.config --- configure | 17 +++++++++++++++++ configure.ac | 9 +++++++++ etc/firejail.config | 15 +++++++++------ src/firejail/Makefile.in | 3 ++- src/firejail/checkcfg.c | 11 ++++++++++- src/firejail/firejail.h | 3 ++- src/firejail/main.c | 25 +++++++++++++++++++------ src/firejail/profile.c | 12 ++++++++++-- src/firejail/usage.c | 6 ++++-- src/man/firejail-config.txt | 19 +++++++++++-------- 10 files changed, 93 insertions(+), 27 deletions(-) (limited to 'etc') diff --git a/configure b/configure index 66b1663f9..da7d370d3 100755 --- a/configure +++ b/configure @@ -629,6 +629,7 @@ EGREP GREP CPP HAVE_FATAL_WARNINGS +HAVE_WHITELIST HAVE_FILE_TRANSFER HAVE_X11 HAVE_USERNS @@ -695,6 +696,7 @@ enable_network enable_userns enable_x11 enable_file_transfer +enable_whitelist enable_fatal_warnings ' ac_precious_vars='build_alias @@ -1324,6 +1326,7 @@ Optional Features: --disable-userns disable user namespace --disable-x11 disable X11 sandboxing support --disable-file-transfer disable file transfer + --disable-whitelist disable whitelist --enable-fatal-warnings -W -Wall -Werror Some influential environment variables: 
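Review bot: franz.profile comments out `tracelog` with no reason given, so the next maintainer cannot tell whether it breaks Franz or was simply left off; a short note such as `#tracelog - disabled: <reason>` would settle that. The option block also keeps the pre-reorder ordering (`seccomp` before `protocol`, `netfilter`, `nonewprivs`, `noroot`) that the earlier commit on this page moved every other profile away from; listing them alphabetically matches the rest of the tree.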
@@ -3161,6 +3164,19 @@ if test "x$enable_file_transfer" != "xno"; then : HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER" +fi + +HAVE_WHITELIST="" +# Check whether --enable-whitelist was given. +if test "${enable_whitelist+set}" = set; then : + enableval=$enable_whitelist; +fi + +if test "x$enable_whitelist" != "xno"; then : + + HAVE_WHITELIST="-DHAVE_WHITELIST" + + fi HAVE_FATAL_WARNINGS="" @@ -4823,6 +4839,7 @@ echo " bind: $HAVE_BIND" echo " network: $HAVE_NETWORK" echo " user namespace: $HAVE_USERNS" echo " X11 sandboxing support: $HAVE_X11" +echo " whitelisting: $HAVE_WHITELIST" echo " file transfer support: $HAVE_FILE_TRANSFER" echo " fatal warnings: $HAVE_FATAL_WARNINGS" echo diff --git a/configure.ac b/configure.ac index ef6a11af5..c9061f219 100644 --- a/configure.ac +++ b/configure.ac @@ -70,6 +70,14 @@ AS_IF([test "x$enable_file_transfer" != "xno"], [ AC_SUBST(HAVE_FILE_TRANSFER) ]) +HAVE_WHITELIST="" +AC_ARG_ENABLE([whitelist], + AS_HELP_STRING([--disable-whitelist], [disable whitelist])) +AS_IF([test "x$enable_whitelist" != "xno"], [ + HAVE_WHITELIST="-DHAVE_WHITELIST" + AC_SUBST(HAVE_WHITELIST) +]) + HAVE_FATAL_WARNINGS="" AC_ARG_ENABLE([fatal_warnings], AS_HELP_STRING([--enable-fatal-warnings], [-W -Wall -Werror])) @@ -103,6 +111,7 @@ echo " bind: $HAVE_BIND" echo " network: $HAVE_NETWORK" echo " user namespace: $HAVE_USERNS" echo " X11 sandboxing support: $HAVE_X11" +echo " whitelisting: $HAVE_WHITELIST" echo " file transfer support: $HAVE_FILE_TRANSFER" echo " fatal warnings: $HAVE_FATAL_WARNINGS" echo diff --git a/etc/firejail.config b/etc/firejail.config index 55d2faa9f..4fcaee213 100644 --- a/etc/firejail.config +++ b/etc/firejail.config 
@@ -12,6 +12,12 @@ # Enable or disable file transfer support, default enabled. # file-transfer yes +# Force use of nonewprivs. This mitigates the possibility of +# a user abusing firejail's features to trick a privileged (suid +# or file capabilities) process into loading code or configuration +# that is partially under their control. Default disabled +# force-nonewprivs no + # Enable or disable networking features, default enabled. # network yes @@ -27,15 +33,12 @@ # Enable or disable user namespace support, default enabled. # userns yes +# Enable or disable whitelisting support, default enabled +# whitelist yes + # Enable or disable X11 sandboxing support, default enabled. # x11 yes -# Force use of nonewprivs. This mitigates the possibility of -# a user abusing firejail's features to trick a privileged (suid -# or file capabilities) process into loading code or configuration -# that is partially under their control. Default disabled -# force-nonewprivs no - # Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for # a full list of resolutions available on your specific setup. # xephyr-screen 640x480 diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in index 3ad4ba75e..a8af1a4e0 100644 --- a/src/firejail/Makefile.in +++ b/src/firejail/Makefile.in 
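Review bot: The new comment `# Enable or disable whitelisting support, default enabled` lacks the trailing period every neighbouring entry in firejail.config carries; `# Enable or disable whitelisting support, default enabled.` keeps the block uniform. The same hunk relocates the force-nonewprivs block to restore alphabetical order, which is fine but worth a mention in the commit description so the move is not mistaken for a behavioural change.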
@@ -16,13 +16,14 @@ HAVE_NETWORK=@HAVE_NETWORK@ HAVE_USERNS=@HAVE_USERNS@ HAVE_X11=@HAVE_X11@ HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ +HAVE_WHITELIST=@HAVE_WHITELIST@ H_FILE_LIST = $(sort $(wildcard *.[h])) C_FILE_LIST = $(sort $(wildcard *.c)) OBJS = $(C_FILE_LIST:.c=.o) BINOBJS = $(foreach file, $(OBJS), $file) -CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security +CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 3ea8caf5b..bf85436c3 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -38,7 +38,7 @@ int checkcfg(int val) { cfg_val[i] = 1; // most of them are enabled by default cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default - cfg_val[CFG_FORCE_NONEWPRIVS ] = 0; // disabled by default + cfg_val[CFG_FORCE_NONEWPRIVS] = 0; // disabled by default // open configuration file char *fname; 
@@ -126,6 +126,15 @@ int checkcfg(int val) { else goto errout; } + // whitelist + else if (strncmp(ptr, "whitelist ", 10) == 0) { + if (strcmp(ptr + 10, "yes") == 0) + cfg_val[CFG_WHITELIST] = 1; + else if (strcmp(ptr + 10, "no") == 0) + cfg_val[CFG_WHITELIST] = 0; + else + goto errout; + } // network else if (strncmp(ptr, "network ", 8) == 0) { if (strcmp(ptr + 8, "yes") == 0) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 2d5e05f79..026273aa3 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -568,7 +568,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh); #define CFG_NETWORK 6 #define CFG_RESTRICTED_NETWORK 7 #define CFG_FORCE_NONEWPRIVS 8 -#define CFG_MAX 9 // this should always be the last entry +#define CFG_WHITELIST 9 +#define CFG_MAX 10 // this should always be the last entry int checkcfg(int val); // fs_rdwr.c diff --git a/src/firejail/main.c b/src/firejail/main.c index 1c2f021bb..1621d810f 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -276,6 +276,9 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { #endif #ifndef HAVE_FILE_TRANSFER printf("File transfer support is disabled.\n"); +#endif +#ifndef HAVE_WHITELIST + printf("whitelisting support is disabled.\n"); #endif exit(0); } 
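Review bot: In the main.c hunk the new message `printf("whitelisting support is disabled.\n");` starts lowercase while the neighbouring `File transfer support is disabled.` is capitalised; `printf("Whitelisting support is disabled.\n");` matches the existing output. The checkcfg.c and firejail.h hunks on the same line follow the existing yes/no parsing and CFG_* numbering and need no change.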
@@ -1114,14 +1117,24 @@ int main(int argc, char **argv) { profile_check_line(line, 0, NULL); // will exit if something wrong profile_add(line); } + +#ifdef HAVE_WHITELIST else if (strncmp(argv[i], "--whitelist=", 12) == 0) { - char *line; - if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1) - errExit("asprintf"); - - profile_check_line(line, 0, NULL); // will exit if something wrong - profile_add(line); + if (checkcfg(CFG_WHITELIST)) { + char *line; + if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1) + errExit("asprintf"); + + profile_check_line(line, 0, NULL); // will exit if something wrong + profile_add(line); + } + else { + fprintf(stderr, "Error: whitelist feature is disabled in Firejail configuration file\n"); + exit(1); + } } +#endif + else if (strncmp(argv[i], "--read-only=", 12) == 0) { char *line; if (asprintf(&line, "read-only %s", argv[i] + 12) == -1) diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 192f36974..a64f28c9a 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -726,8 +726,16 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { else if (strncmp(ptr, "noblacklist ", 12) == 0) ptr += 12; else if (strncmp(ptr, "whitelist ", 10) == 0) { - arg_whitelist = 1; - ptr += 10; +#ifdef HAVE_WHITELIST + if (checkcfg(CFG_WHITELIST)) { + arg_whitelist = 1; + ptr += 10; + } + else + return 0; +#else + return 0; +#endif } else if (strncmp(ptr, "read-only ", 10) == 0) ptr += 10; diff --git a/src/firejail/usage.c b/src/firejail/usage.c index d2f7d9460..af1a30ac3 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -72,8 +72,9 @@ void usage(void) { printf("\tsoftware build.\n\n"); printf(" --debug-syscalls - print all recognized system calls in the current Firejail\n"); printf("\tsoftware build.\n\n"); +#ifdef HAVE_WHITELIST printf(" --debug-whitelists - debug whitelisting.\n\n"); - +#endif #ifdef HAVE_NETWORK 
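Review bot: In profile_check_line a `whitelist` line is now dropped silently (`return 0`) whenever whitelisting is disabled in the configuration or compiled out, while the `--whitelist=` path in the main.c hunk above reports an error and exits; a profile whose confinement relies on whitelist lines then runs with only the blacklists and nothing tells the user. The two paths should agree, and at minimum the profile path should warn before returning, e.g. `fprintf(stderr, "Warning: whitelist support is disabled, ignoring line %d of %s\n", lineno, fname ? fname : "command line");` placed before each `return 0;` (fname is NULL when called from main.c, as the hunk above shows). Both profile_check_line and main continue outside their hunks.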
@@ -250,8 +251,9 @@ void usage(void) { printf(" --tree - print a tree of all sandboxed processes.\n\n"); printf(" --user=new_user - switch the user before starting the sandbox.\n\n"); printf(" --version - print program version and exit.\n\n"); +#ifdef HAVE_WHITELIST printf(" --whitelist=dirname_or_filename - whitelist directory or file.\n\n"); - +#endif printf(" --writable-etc - /etc directory is mounted read-write.\n\n"); printf(" --writable-var - /var directory is mounted read-write.\n\n"); diff --git a/src/man/firejail-config.txt b/src/man/firejail-config.txt index 026765f1a..6a66c7f75 100644 --- a/src/man/firejail-config.txt +++ b/src/man/firejail-config.txt @@ -25,6 +25,13 @@ Enable or disable chroot support, default enabled. \fBfile-transfer Enable or disable file transfer support, default enabled. +.TP +\fBforce-nonewprivs +Force use of nonewprivs. This mitigates the possibility of +a user abusing firejail's features to trick a privileged (suid +or file capabilities) process into loading code or configuration +that is partially under their control. Default disabled. + .TP \fBnetwork Enable or disable networking features, default enabled. @@ -45,16 +52,12 @@ Enable or disable seccomp support, default enabled. Enable or disable user namespace support, default enabled. .TP -\fBx11 -Enable or disable X11 sandboxing support, default enabled. +\fBwhitelist +Enable or disable whitelisting support, default enabled. .TP -\fBforce-nonewprivs -Force use of nonewprivs. This mitigates the possibility of -a user abusing firejail's features to trick a privileged (suid -or file capabilities) process into loading code or configuration -that is partially under their control. Default disabled. - +\fBx11 +Enable or disable X11 sandboxing support, default enabled. .TP \fBxephyr-screen -- cgit v1.2.3-70-g09d2 From 1cceda11ad83b8e46ebe4293911046a35e2a748f Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Thu, 9 Jun 2016 08:58:20 -0400 Subject: Franz messenger profile --- Makefile.in | 1 + README | 2 ++ README.md | 2 +- RELNOTES | 2 +- etc/disable-programs.inc | 2 ++ platform/debian/conffiles | 1 + 6 files changed, 8 insertions(+), 2 deletions(-) (limited to 'etc') diff --git a/Makefile.in b/Makefile.in index c7897145a..7a4590bcf 100644 --- a/Makefile.in +++ b/Makefile.in @@ -191,6 +191,7 @@ realinstall: install -c -m 0644 .etc/gitter.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/gthumb.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/mpv.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/franz.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" rm -fr .etc diff --git a/README b/README index 437703b9b..d08a11680 100644 --- a/README +++ b/README @@ -25,6 +25,8 @@ Reiner Herrmann (https://github.com/reinerh) - clang-analyzer fixes - Debian reproducible build - unit testing framework +maces (https://github.com/maces) + - Franz messenger profile KellerFuchs (https://github.com/KellerFuchs) - nonewpriv support, extended profiles for this feature - make `restricted-network` prevent use of netfilter diff --git a/README.md b/README.md index efbb97f36..bc5717fb7 100644 --- a/README.md +++ b/README.md @@ -67,4 +67,4 @@ AppImage project home: https://github.com/probonopd/AppImageKit ## New security profiles -Gitter, gThumb, mpv +Gitter, gThumb, mpv, Franz messenger diff --git a/RELNOTES b/RELNOTES index 7731c88f2..c2552c533 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -1,6 +1,6 @@ firejail (0.9.41) baseline; urgency=low * work in progress... - * new profiles: Gitter, gThumb, mpv + * new profiles: Gitter, gThumb, mpv, Franz messenger -- netblue30 Tue, 31 May 2016 08:00:00 -0500 firejail (0.9.40) baseline; urgency=low diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 04cc1ac7a..6e79b3be0 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -68,6 +68,7 @@ blacklist ${HOME}/.Skype blacklist ${HOME}/.config/tox blacklist ${HOME}/.TelegramDesktop blacklist ${HOME}/.config/Gitter +blacklist ${HOME}/.config/Franz # Games blacklist ${HOME}/.hedgewars @@ -106,6 +107,7 @@ blacklist ${HOME}/.cache/wesnoth blacklist ${HOME}/.cache/0ad blacklist ${HOME}/.cache/8pecxstudios blacklist ${HOME}/.cache/xreader +blacklist ${HOME}/.cache/Franz # share blacklist ${HOME}/.local/share/epiphany diff --git a/platform/debian/conffiles b/platform/debian/conffiles index b4bbdb36a..3ada0256a 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -105,3 +105,4 @@ /etc/firejail/gitter.profile /etc/firejail/gthumb.profile /etc/firejail/mpv.profile +/etc/firejail/franz.profile -- cgit v1.2.3-70-g09d2 From c80e838a5a6d36ad0a331c43df3a576fa48fd967 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 9 Jun 2016 10:53:17 -0400 Subject: fixes --- Makefile.in | 2 +- etc/firejail.config | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'etc') diff --git a/Makefile.in b/Makefile.in index 7a4590bcf..c89f9167b 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -193,7 +193,7 @@ realinstall: install -c -m 0644 .etc/mpv.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/franz.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" - sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/firejail.config ]; then install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" + install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/. rm -fr .etc # man pages rm -f firejail.1.gz diff --git a/etc/firejail.config b/etc/firejail.config index 4fcaee213..8795b0aae 100644 --- a/etc/firejail.config +++ b/etc/firejail.config @@ -33,7 +33,7 @@ # Enable or disable user namespace support, default enabled. # userns yes -# Enable or disable whitelisting support, default enabled +# Enable or disable whitelisting support, default enabled. # whitelist yes # Enable or disable X11 sandboxing support, default enabled. -- cgit v1.2.3-70-g09d2 From ecaf0cb4edcc9f216af7c0bfd238db6b2516c799 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 9 Jun 2016 12:39:21 -0400 Subject: x11 work --- etc/firejail.config | 7 +++++++ src/firejail/checkcfg.c | 21 ++++++++++++++++++++- src/firejail/firejail.h | 6 ++++-- src/firejail/x11.c | 12 +++++++++--- 4 files changed, 40 insertions(+), 6 deletions(-) (limited to 'etc') diff --git a/etc/firejail.config b/etc/firejail.config index 8795b0aae..eaff4de8f 100644 --- a/etc/firejail.config +++ b/etc/firejail.config @@ -45,3 +45,10 @@ # xephyr-screen 800x600 # xephyr-screen 1024x768 # xephyr-screen 1280x1024 + +# Firejail window title in Xephry, default enabled. +# xephyr-window-title yes + +# Xephyr command extra parameters. None by default, and the declaration is commented out. +# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev +# xephyr-extra-params -grayscale 
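Review bot: The realinstall rule now copies etc/firejail.config unconditionally, so every `make install` overwrites a locally edited /etc/firejail/firejail.config — including hardening choices such as `force-nonewprivs yes` or `whitelist no` that an administrator set — whereas the login.users line just above still keeps an existing file. If the intent is to ship the new defaults, keep the guarded install and add a reference copy instead, e.g. `install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/firejail.config.example`, or at least state the overwrite in the commit message, which currently says only "fixes". The realinstall rule starts outside the hunk.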
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index bf85436c3..a69c2831e 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -25,6 +25,7 @@ static int initialized = 0; static int cfg_val[CFG_MAX]; char *xephyr_screen = "800x600"; +char *xephyr_extra_params = ""; int checkcfg(int val) { EUID_ASSERT(); @@ -165,9 +166,27 @@ int checkcfg(int val) { if (asprintf(&xephyr_screen, "%dx%d", n1, n2) == -1) errExit("asprintf"); } + + // xephyr window title + else if (strncmp(ptr, "xephyr-window-title ", 20) == 0) { + if (strcmp(ptr + 20, "yes") == 0) + cfg_val[CFG_XEPHYR_WINDOW_TITLE] = 1; + else if (strcmp(ptr + 20, "no") == 0) + cfg_val[CFG_XEPHYR_WINDOW_TITLE] = 0; + else + goto errout; + } + + // Xephyr command extra parameters + else if (strncmp(ptr, "xephyr-extra-params ", 19) == 0) { + xephyr_extra_params = strdup(ptr + 19); + if (!xephyr_extra_params) + errExit("strdup"); + } + else goto errout; - + free(ptr); } diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 026273aa3..6d64ce4cd 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -550,7 +550,6 @@ int x11_display(void); void x11_start(int argc, char **argv); void x11_start_xpra(int argc, char **argv); void x11_start_xephyr(int argc, char **argv); -extern char *xephyr_screen; // ls.c #define SANDBOX_FS_LS 0 @@ -569,7 +568,10 @@ void sandboxfs(int op, pid_t pid, const char *patqh); #define CFG_RESTRICTED_NETWORK 7 #define CFG_FORCE_NONEWPRIVS 8 #define CFG_WHITELIST 9 -#define CFG_MAX 10 // this should always be the last entry +#define CFG_XEPHYR_WINDOW_TITLE 10 +#define CFG_MAX 11 // this should always be the last entry +extern char *xephyr_screen; +extern char *xephyr_extra_params; int checkcfg(int val); // fs_rdwr.c diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 300078872..c742ff567 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c 
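Review bot: The xephyr-extra-params branch compares only 19 characters of the 20-character key `"xephyr-extra-params "` and then skips 19, so the stored value keeps a leading space and a key such as `xephyr-extra-paramsX` would also match; the sibling xephyr-window-title branch uses the full key length. Change to `else if (strncmp(ptr, "xephyr-extra-params ", 20) == 0) {` and `xephyr_extra_params = strdup(ptr + 20);`. The value is later spliced verbatim into the Xephyr command line (x11.c hunk below); it presumably comes from the system-wide configuration file installed 0644 by the Makefile, so that is acceptable, but a comment such as `// trusted input: read from the system firejail.config, not from the user` above the strdup would make the assumption explicit. checkcfg's body starts outside the hunk.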
@@ -187,9 +187,15 @@ void x11_start_xephyr(int argc, char **argv) { // start xephyr char *cmd1; - if (asprintf(&cmd1, "Xephyr -ac -br -title \"firejail x11 sandbox\" -noreset -screen %s :%d", xephyr_screen, display) == -1) - errExit("asprintf"); - + if (checkcfg(CFG_XEPHYR_WINDOW_TITLE)) { + if (asprintf(&cmd1, "Xephyr -ac -br -title \"firejail x11 sandbox\" %s -noreset -screen %s :%d", xephyr_extra_params, xephyr_screen, display) == -1) + errExit("asprintf"); + } + else { + if (asprintf(&cmd1, "Xephyr -ac -br %s -noreset -screen %s :%d", xephyr_extra_params, xephyr_screen, display) == -1) + errExit("asprintf"); + } + int len = 50; // DISPLAY... for (i = 0; i < argc; i++) { len += strlen(argv[i]) + 1; // + ' ' -- cgit v1.2.3-70-g09d2 From 783251e0749e27e28b3ac54b5047f10cf1c44016 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 10 Jun 2016 08:40:24 -0400 Subject: private-bin conversion --- README.md | 4 +++ etc/deluge.profile | 5 ++- etc/disable-devel.inc | 3 +- etc/mpv.profile | 4 +++ etc/qbittorrent.profile | 3 ++ etc/rtorrent.profile | 3 ++ etc/transmission-gtk.profile | 5 ++- etc/transmission-qt.profile | 5 ++- etc/vlc.profile | 5 +++ src/man/firejail.txt | 2 +- test/apps/apps.sh | 9 +++++ test/apps/qbittorrent.exp | 83 ++++++++++++++++++++++++++++++++++++++++++++ 12 files changed, 125 insertions(+), 6 deletions(-) create mode 100755 test/apps/qbittorrent.exp (limited to 'etc') diff --git a/README.md b/README.md index bc5717fb7..029a7c904 100644 --- a/README.md +++ b/README.md @@ -65,6 +65,10 @@ More packages build by AppImage developer Simon Peter: https://bintray.com/probo AppImage project home: https://github.com/probonopd/AppImageKit +## Converting profiles to private-bin - work in progress + +BitTorrent profiles converted to private-bin: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt + ## New security profiles Gitter, gThumb, mpv, Franz messenger diff --git a/etc/deluge.profile b/etc/deluge.profile index 277ecc15e..87a17423b 100644 
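Review bot: The two asprintf branches in x11_start_xephyr differ only in the `-title "firejail x11 sandbox"` argument, which duplicates the whole command template and its error handling; a single format with a conditional title string keeps one copy: `const char *title = checkcfg(CFG_XEPHYR_WINDOW_TITLE) ? "-title \"firejail x11 sandbox\" " : "";` followed by `if (asprintf(&cmd1, "Xephyr -ac -br %s%s -noreset -screen %s :%d", title, xephyr_extra_params, xephyr_screen, display) == -1) errExit("asprintf");`. With the default empty xephyr_extra_params the command line also gains a double space, which is harmless only if cmd1 is later split on whitespace — that code is outside the hunk. x11_start_xephyr continues outside the hunk.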
--- a/etc/deluge.profile +++ b/etc/deluge.profile @@ -1,4 +1,4 @@ -# deluge bittorernt client profile +# deluge bittorrernt client profile include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc # deluge is using python on Debian @@ -12,3 +12,6 @@ noroot nosound protocol unix,inet,inet6 seccomp + +shell none +private-bin deluge,sh,python,uname diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc index 0c9d21d39..99f059c44 100644 --- a/etc/disable-devel.inc +++ b/etc/disable-devel.inc @@ -37,8 +37,7 @@ blacklist /usr/lib/php* blacklist /usr/bin/ruby blacklist /usr/lib/ruby -# disabled temporarily pending globbing implementation -# in noblacklist command and firefox profile fix +# Programs using python: deluge, some firefox addons # Python 2 #blacklist /usr/bin/python2* #blacklist /usr/lib/python2* diff --git a/etc/mpv.profile b/etc/mpv.profile index 0a8a6103f..cbed7e8c6 100644 --- a/etc/mpv.profile +++ b/etc/mpv.profile @@ -12,3 +12,7 @@ nonewprivs noroot protocol unix,inet,inet6 seccomp + +# to test +shell none +private-bin mpv diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index cbf898502..bb97a880b 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile @@ -11,3 +11,6 @@ noroot nosound protocol unix,inet,inet6 seccomp + +shell none +private-bin qbittorrent diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index 0be5e15d1..c196370a2 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile @@ -11,3 +11,6 @@ noroot nosound protocol unix,inet,inet6 seccomp + +shell none +private-bin rtorrent diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index 5aef32d45..e8d0e25e7 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile @@ -1,4 +1,4 @@ -# transmission-gtk profile +# transmission-gtk bittorrent profile noblacklist ${HOME}/.config/transmission noblacklist ${HOME}/.cache/transmission 
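Review bot: `private-bin deluge,sh,python,uname` carries a shell and a Python interpreter into the private /bin, so the directive only trims the visible binaries rather than constraining what can be executed inside the sandbox; the filezilla hunk later on this page has the same shape. That is probably unavoidable for a Python application, but a one-line comment above the directive saying why `sh` and `python` must stay — the file already notes `# deluge is using python on Debian` — would stop a later cleanup from either dropping them and breaking the profile or assuming the profile confines execution. The mpv and vlc hunks in the same line mark their private-bin as `# to test`, which should be resolved or explained before release.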
@@ -15,3 +15,6 @@ nosound protocol unix,inet,inet6 seccomp tracelog + +shell none +private-bin transmission-gtk diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index d8ab1c60d..fd3a98aad 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile @@ -1,4 +1,4 @@ -# transmission-qt profile +# transmission-qt bittorrent profile noblacklist ${HOME}/.config/transmission noblacklist ${HOME}/.cache/transmission @@ -15,3 +15,6 @@ nosound protocol unix,inet,inet6 seccomp tracelog + +shell none +private-bin transmission-qt diff --git a/etc/vlc.profile b/etc/vlc.profile index f8eebd376..e225e80e9 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile @@ -12,3 +12,8 @@ nonewprivs noroot protocol unix,inet,inet6 seccomp + + +# to test +shell none +private-bin vlc diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 71a73a02d..d72deab2f 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -1206,7 +1206,7 @@ sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotif add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup, io_destroy, io_getevents, io_submit, io_cancel, remap_file_pages, mbind, get_mempolicy, set_mempolicy, -migrate_pages, move_pages, vmsplice, perf_event_open, chroot, +migrate_pages, move_pages, vmsplice, chroot, tuxcall, reboot, mfsservctl and get_kernel_syms. .br diff --git a/test/apps/apps.sh b/test/apps/apps.sh index 37d66d609..3ecc161a1 100755 --- a/test/apps/apps.sh +++ b/test/apps/apps.sh @@ -60,6 +60,15 @@ else echo "TESTING SKIP: transmission-qt not found" fi +which qbittorrent +if [ "$?" -eq 0 ]; +then + echo "TESTING: qbittorrent" + ./qbittorrent.exp +else + echo "TESTING SKIP: qbittorrent not found" +fi + which evince if [ "$?" -eq 0 ]; then diff --git a/test/apps/qbittorrent.exp b/test/apps/qbittorrent.exp new file mode 100755 index 000000000..4f3f7c362 --- /dev/null +++ b/test/apps/qbittorrent.exp 
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail qbittorrent\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Reading profile /etc/firejail/qbittorrent.profile"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 5
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.1\n";exit}
+ "qbittorrent"
+}
+sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+ timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+ "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+ "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ ":firejail qbittorrent"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+ "Seccomp: 2"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1\n";exit}
+ "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ ":firejail qbittorrent"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.1\n";exit}
+ "CapBnd:"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.2\n";exit}
+ "0000000000000000"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.3\n";exit}
+ "name=blablabla"
+}
+sleep 1
+
+puts "\n"
+
-- cgit v1.2.3-70-g09d2
From ca592b90f11fff9737731c69d1e1e2439b6e3c44 Mon Sep 17 00:00:00 2001
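Review bot: The label `TESTING ERROR 5.1` is used twice in the new expect script — the seccomp check already prints `5.1 (seccomp)` and the following `name=blablabla` check repeats `5.1` — so a timeout on either produces the same message; renumber the second to `timeout {puts "TESTING ERROR 5.2\n";exit}`. The same duplicate appears in filezilla.exp, gthumb.exp and uget-gtk.exp later on this page. This script also ends with `puts "\n"` where the other three print `all done`, so the harness cannot distinguish a completed run from one that bailed out early; use `puts "\nall done\n"` here as well.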
From: netblue30 Date: Fri, 10 Jun 2016 08:56:55 -0400 Subject: private-bin conversion --- README.md | 1 + etc/disable-devel.inc | 2 +- etc/filezilla.profile | 3 ++ test/apps/apps.sh | 9 ++++++ test/apps/filezilla.exp | 83 +++++++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 97 insertions(+), 1 deletion(-) create mode 100755 test/apps/filezilla.exp (limited to 'etc') diff --git a/README.md b/README.md index 029a7c904..8c2e9d9b6 100644 --- a/README.md +++ b/README.md @@ -68,6 +68,7 @@ AppImage project home: https://github.com/probonopd/AppImageKit ## Converting profiles to private-bin - work in progress BitTorrent profiles converted to private-bin: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt +File transfer: filezilla ## New security profiles diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc index 99f059c44..8c18ec2c3 100644 --- a/etc/disable-devel.inc +++ b/etc/disable-devel.inc @@ -37,7 +37,7 @@ blacklist /usr/lib/php* blacklist /usr/bin/ruby blacklist /usr/lib/ruby -# Programs using python: deluge, some firefox addons +# Programs using python: deluge, some firefox addons, filezilla # Python 2 #blacklist /usr/bin/python2* #blacklist /usr/lib/python2* diff --git a/etc/filezilla.profile b/etc/filezilla.profile index 3cb4890e2..35663f2fa 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile @@ -13,3 +13,6 @@ noroot nosound protocol unix,inet,inet6 seccomp + +shell none +private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp diff --git a/test/apps/apps.sh b/test/apps/apps.sh index 3ecc161a1..fa56ce370 100755 --- a/test/apps/apps.sh +++ b/test/apps/apps.sh @@ -69,6 +69,15 @@ else echo "TESTING SKIP: qbittorrent not found" fi +which filezilla +if [ "$?" -eq 0 ]; +then + echo "TESTING: filezilla" + ./filezilla.exp +else + echo "TESTING SKIP: filezilla not found" +fi + which evince if [ "$?" -eq 0 ]; then 
diff --git a/test/apps/filezilla.exp b/test/apps/filezilla.exp
new file mode 100755
index 000000000..7f232f311
--- /dev/null
+++ b/test/apps/filezilla.exp
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail filezilla\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Reading profile /etc/firejail/filezilla.profile"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.1\n";exit}
+ "filezilla"
+}
+sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+ timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+ "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+ "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ ":firejail filezilla"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+ "Seccomp: 2"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1\n";exit}
+ "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ ":firejail filezilla"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.1\n";exit}
+ "CapBnd:"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.2\n";exit}
+ "0000000000000000"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.3\n";exit}
+ "name=blablabla"
+}
+sleep 1
+
+puts "\nall done\n"
+
-- cgit v1.2.3-70-g09d2
From e3abab47dcda4dba4a1412261e35cb1608ffd900 Mon Sep 17 00:00:00 2001
From: netblue30 Date: Fri, 10 Jun 2016 10:41:57 -0400 Subject: private-bin conversion --- README.md | 4 +++ etc/cherrytree.profile | 9 +++++ etc/disable-devel.inc | 2 +- etc/evince.profile | 3 ++ etc/fbreader.profile | 3 ++ etc/gnome-mplayer.profile | 3 ++ etc/gthumb.profile | 2 +- etc/vlc.profile | 2 +- src/firejail/main.c | 1 - test/apps/apps.sh | 10 ++++++ test/apps/gthumb.exp | 83 +++++++++++++++++++++++++++++++++++++++++++++++ 11 files changed, 118 insertions(+), 4 deletions(-) create mode 100755 test/apps/gthumb.exp (limited to 'etc') diff --git a/README.md b/README.md index 36fb99f3d..db0625d43 100644 --- a/README.md +++ b/README.md @@ -71,6 +71,10 @@ BitTorrent profiles converted to private-bin: deluge, qbittorrent, rtorrent, tra File transfer: filezilla +Media: vlc, mpv, gnome-mplayer + +Office: evince, gthumb, fbreader + ## New security profiles Gitter, gThumb, mpv, Franz messenger diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index bc6fe1d86..7b6238d98 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile @@ -24,3 +24,12 @@ protocol unix,inet,inet6,netlink tracelog include /etc/firejail/whitelist-common.inc + +# no private-bin support for various reasons: +#10:25:34 exec 11249 (root) NEW SANDBOX: /usr/bin/firejail /usr/bin/cherrytree +#10:25:34 exec 11252 (netblue) /bin/bash -c "/usr/bin/cherrytree" +#10:25:34 exec 11252 (netblue) /usr/bin/python /usr/bin/cherrytree +#10:25:34 exec 11253 (netblue) sh -c /sbin/ldconfig -p 2>/dev/null +#10:25:34 exec 11255 (netblue) sh -c if type gcc >/dev/null 2>&1; then CC=gcc; elif type cc >/dev/null 2>&1; then CC=cc;else exit 10; fi;LANG=C LC_ALL=C $CC -Wl,-t -o /tmp/tmpiYr44S 2>&1 -llibc +# it requires acces to browser to show the online help +# it doesn't play nicely with expect diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc index 8c18ec2c3..071a82f76 100644 --- a/etc/disable-devel.inc +++ b/etc/disable-devel.inc 
@@ -37,7 +37,7 @@ blacklist /usr/lib/php* blacklist /usr/bin/ruby blacklist /usr/lib/ruby -# Programs using python: deluge, some firefox addons, filezilla +# Programs using python: deluge, firefox addons, filezilla, cherrytree # Python 2 #blacklist /usr/bin/python2* #blacklist /usr/lib/python2* diff --git a/etc/evince.profile b/etc/evince.profile index 8c84a1daa..8671c1251 100644 --- a/etc/evince.profile +++ b/etc/evince.profile @@ -10,3 +10,6 @@ noroot nosound protocol unix,inet,inet6 seccomp + +shell none +private-bin evince,evince-previewer,evince-thumbnailer diff --git a/etc/fbreader.profile b/etc/fbreader.profile index c4d84691c..df359e50a 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile @@ -13,3 +13,6 @@ noroot nosound protocol unix,inet,inet6 seccomp + +shell none +private-bin fbreader,FBReader \ No newline at end of file diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile index f15778534..1caea177d 100644 --- a/etc/gnome-mplayer.profile +++ b/etc/gnome-mplayer.profile @@ -9,3 +9,6 @@ nonewprivs noroot protocol unix,inet,inet6 seccomp + +shell none +private-bin gnome-mplayer diff --git a/etc/gthumb.profile b/etc/gthumb.profile index 55041b5cc..68d6a52d9 100644 --- a/etc/gthumb.profile +++ b/etc/gthumb.profile @@ -13,5 +13,5 @@ noroot protocol unix,inet,inet6 seccomp -private-bin gthumb shell none +private-bin gthumb diff --git a/etc/vlc.profile b/etc/vlc.profile index e225e80e9..1a6e5a151 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile @@ -16,4 +16,4 @@ seccomp # to test shell none -private-bin vlc +private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc diff --git a/src/firejail/main.c b/src/firejail/main.c index 1621d810f..d027eb697 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -135,7 +135,6 @@ static void myexit(int rv) { } static void my_handler(int s){ -printf("**************************\n"); EUID_ROOT(); if (!arg_quiet) { printf("\nParent received signal %d, shutting down the child process...\n", s); 
diff --git a/test/apps/apps.sh b/test/apps/apps.sh index fa56ce370..bbfe2a606 100755 --- a/test/apps/apps.sh +++ b/test/apps/apps.sh @@ -87,6 +87,16 @@ else echo "TESTING SKIP: evince not found" fi + +which gthumb +if [ "$?" -eq 0 ]; +then + echo "TESTING: gthumb" + ./gthumb.exp +else + echo "TESTING SKIP: gthumb not found" +fi + which icedove if [ "$?" -eq 0 ]; then diff --git a/test/apps/gthumb.exp b/test/apps/gthumb.exp new file mode 100755 index 000000000..86bb975ba --- /dev/null +++ b/test/apps/gthumb.exp 
@@ -0,0 +1,83 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail gthumb\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Reading profile /etc/firejail/gthumb.profile"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 3
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.1\n";exit}
+ "gthumb"
+}
+sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+ timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+ "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+ "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ ":firejail gthumb"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+ "Seccomp: 2"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1\n";exit}
+ "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ ":firejail gthumb"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.1\n";exit}
+ "CapBnd:"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.2\n";exit}
+ "0000000000000000"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.3\n";exit}
+ "name=blablabla"
+}
+sleep 1
+
+puts "\nall done\n"
+
-- cgit v1.2.3-70-g09d2
From f5b452bc4276ff2abecae522d9598441899293f1 Mon Sep 17 00:00:00 2001
From: netblue30 Date: Fri, 10 Jun 2016 11:22:24 -0400 Subject: private-bin conversion --- README.md | 2 +- etc/deluge.profile | 1 + etc/disable-devel.inc | 2 +- etc/evince.profile | 1 + etc/fbreader.profile | 3 +- etc/filezilla.profile | 1 + etc/gthumb.profile | 1 + etc/hexchat.profile | 2 ++ etc/qbittorrent.profile | 1 + etc/rtorrent.profile | 1 + etc/transmission-gtk.profile | 1 + etc/transmission-qt.profile | 1 + etc/uget-gtk.profile | 4 +++ etc/weechat.profile | 4 +++ etc/xchat.profile | 2 ++ test/apps/apps.sh | 9 +++++ test/apps/uget-gtk.exp | 83 ++++++++++++++++++++++++++++++++++++++++++++ 17 files changed, 116 insertions(+), 3 deletions(-) create mode 100755 test/apps/uget-gtk.exp (limited to 'etc') diff --git a/README.md b/README.md index db0625d43..69890ffaf 100644 --- a/README.md +++ b/README.md @@ -67,7 +67,7 @@ AppImage project home: https://github.com/probonopd/AppImageKit ## Converting profiles to private-bin - work in progress! -BitTorrent profiles converted to private-bin: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt +BitTorrent: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt, uget-gtk File transfer: filezilla diff --git a/etc/deluge.profile b/etc/deluge.profile index 87a17423b..96df13a73 100644 --- a/etc/deluge.profile +++ b/etc/deluge.profile @@ -15,3 +15,4 @@ seccomp shell none private-bin deluge,sh,python,uname +whitelist /tmp/.X11-unix diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc index 071a82f76..4e401055a 100644 --- a/etc/disable-devel.inc +++ b/etc/disable-devel.inc @@ -37,7 +37,7 @@ blacklist /usr/lib/php* blacklist /usr/bin/ruby blacklist /usr/lib/ruby -# Programs using python: deluge, firefox addons, filezilla, cherrytree +# Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat # Python 2 #blacklist /usr/bin/python2* #blacklist /usr/lib/python2* diff --git a/etc/evince.profile b/etc/evince.profile index 8671c1251..320d55fad 100644 --- a/etc/evince.profile 
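Review bot: Adding `whitelist /tmp/.X11-unix` as the only whitelist directive of the deluge profile turns on whitelisting for that profile (profile_check_line sets arg_whitelist on the first whitelist line, per the profile.c hunk earlier on this page), which presumably hides the rest of /tmp from the sandbox; that is a sensible tightening, but neither the commit message nor the profile says so. Note also that with `whitelist no` in firejail.config the same profile.c code drops the line silently, so the X socket stays reachable only because /tmp is then left unrestricted; a comment such as `# whitelisting /tmp: only the X11 socket stays visible` above the directive would record the intent. The same directive is added in the evince, fbreader, filezilla, gthumb, qbittorrent, rtorrent, transmission-gtk, transmission-qt and uget-gtk hunks that follow.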
+++ b/etc/evince.profile @@ -13,3 +13,4 @@ seccomp shell none private-bin evince,evince-previewer,evince-thumbnailer +whitelist /tmp/.X11-unix diff --git a/etc/fbreader.profile b/etc/fbreader.profile index df359e50a..f155b02af 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile @@ -15,4 +15,5 @@ protocol unix,inet,inet6 seccomp shell none -private-bin fbreader,FBReader \ No newline at end of file +private-bin fbreader,FBReader +whitelist /tmp/.X11-unix diff --git a/etc/filezilla.profile b/etc/filezilla.profile index 35663f2fa..c146dba13 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile @@ -16,3 +16,4 @@ seccomp shell none private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp +whitelist /tmp/.X11-unix diff --git a/etc/gthumb.profile b/etc/gthumb.profile index 68d6a52d9..2d6cd160c 100644 --- a/etc/gthumb.profile +++ b/etc/gthumb.profile @@ -15,3 +15,4 @@ seccomp shell none private-bin gthumb +whitelist /tmp/.X11-unix diff --git a/etc/hexchat.profile b/etc/hexchat.profile index a584d25c5..4e829c379 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile @@ -17,3 +17,5 @@ mkdir ~/.config mkdir ~/.config/hexchat whitelist ~/.config/hexchat include /etc/firejail/whitelist-common.inc + +# private-bin requires perl, python, etc. diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index bb97a880b..bc87ad5c8 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile @@ -14,3 +14,4 @@ seccomp shell none private-bin qbittorrent +whitelist /tmp/.X11-unix diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index c196370a2..97c2335a8 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile @@ -14,3 +14,4 @@ seccomp shell none private-bin rtorrent +whitelist /tmp/.X11-unix diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index e8d0e25e7..80d71d615 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile 
@@ -18,3 +18,4 @@ tracelog shell none private-bin transmission-gtk +whitelist /tmp/.X11-unix diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index fd3a98aad..dfb600871 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile @@ -18,3 +18,4 @@ tracelog shell none private-bin transmission-qt +whitelist /tmp/.X11-unix diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile index 02c7f56bf..591a82af4 100644 --- a/etc/uget-gtk.profile +++ b/etc/uget-gtk.profile @@ -17,3 +17,7 @@ mkdir ~/.config mkdir ~/.config/uGet whitelist ~/.config/uGet include /etc/firejail/whitelist-common.inc + +shell none +private-bin uget-gtk +whitelist /tmp/.X11-unix diff --git a/etc/weechat.profile b/etc/weechat.profile index 6cfe58420..410061278 100644 --- a/etc/weechat.profile +++ b/etc/weechat.profile @@ -9,3 +9,7 @@ nonewprivs noroot protocol unix,inet,inet6 seccomp + +# no private-bin support for various reasons: +# Plugins loaded: alias, aspell, charset, exec, fifo, guile, irc, +# logger, lua, perl, python, relay, ruby, script, tcl, trigger, xferloading plugins \ No newline at end of file diff --git a/etc/xchat.profile b/etc/xchat.profile index 061c4f3da..1f2865cab 100644 --- a/etc/xchat.profile +++ b/etc/xchat.profile @@ -10,3 +10,5 @@ nonewprivs noroot protocol unix,inet,inet6 seccomp + +# private-bin requires perl, python, etc. diff --git a/test/apps/apps.sh b/test/apps/apps.sh index bbfe2a606..c329c57e5 100755 --- a/test/apps/apps.sh +++ b/test/apps/apps.sh @@ -69,6 +69,15 @@ else echo "TESTING SKIP: qbittorrent not found" fi +which uget-gtk +if [ "$?" -eq 0 ]; +then + echo "TESTING: uget" + ./uget-gtk.exp +else + echo "TESTING SKIP: uget-gtk not found" +fi + which filezilla if [ "$?" -eq 0 ]; then diff --git a/test/apps/uget-gtk.exp b/test/apps/uget-gtk.exp new file mode 100755 index 000000000..47fa5849b --- /dev/null +++ b/test/apps/uget-gtk.exp 
@@ -0,0 +1,83 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail uget-gtk\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile /etc/firejail/uget-gtk.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 3 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "uget-gtk" +} +sleep 1 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + ":firejail uget-gtk" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail uget-gtk" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +sleep 1 + +puts "\nall done\n" + -- cgit v1.2.3-70-g09d2 From faf5badb5c5abe6f3487535e2fdb3b713788c021 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 11 Jun 2016 09:11:03 -0400 Subject: removed private-bin from qbittorrent --- etc/qbittorrent.profile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'etc') 
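Review bot: The new test never exercises the restriction this commit adds: it asserts `Seccomp: 2` and an all-zero `CapBnd:`, both of which the profile enforced before `shell none`/`private-bin uget-gtk` existed, so a regression in the private-bin mount would still pass. If `firejail --join` is available in this tree, a step that joins the `uget-gtk` sandbox and checks that `/bin` lists only `uget-gtk` would pin the new behaviour. The bare `"0000000000000000"` expect is also anchored to nothing, so any sixteen zeros in the firemon output satisfy it; if firemon prints the value on the same line as the label, matching `CapBnd:` and the zeros in one pattern would be tighter.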
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index bc87ad5c8..b2bfe49ca 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile @@ -12,6 +12,7 @@ nosound protocol unix,inet,inet6 seccomp -shell none -private-bin qbittorrent +# there are some problems with "Open destination folder", see bug #536 +#shell none +#private-bin qbittorrent whitelist /tmp/.X11-unix -- cgit v1.2.3-70-g09d2 From cd4205802c405bfe1a8f45a159309d598765d48e Mon Sep 17 00:00:00 2001 From: geg2048 Date: Sat, 11 Jun 2016 20:47:17 +0200 Subject: kwallet typo kde and kde4 are hidden. At least on my pc --- etc/disable-common.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'etc') diff --git a/etc/disable-common.inc b/etc/disable-common.inc index a61f1b210..cff2289fd 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -95,8 +95,8 @@ read-only ${HOME}/bin blacklist ${HOME}/.ssh blacklist ${HOME}/.cert blacklist ${HOME}/.gnome2/keyrings -blacklist ${HOME}/kde4/share/apps/kwallet -blacklist ${HOME}/kde/share/apps/kwallet +blacklist ${HOME}/.kde4/share/apps/kwallet +blacklist ${HOME}/.kde/share/apps/kwallet blacklist ${HOME}/.local/share/kwalletd blacklist ${HOME}/.netrc blacklist ${HOME}/.gnupg -- cgit v1.2.3-70-g09d2 From 04fd67d0cc3b525d2fc46778df8d0e3a1babb7e6 Mon Sep 17 00:00:00 2001 From: The Fox in the Shell Date: Sat, 18 Jun 2016 17:35:25 +0200 Subject: disable-common: Add ZSH-related init files Antigen is a popular plugin manager for ZSH --- etc/disable-common.inc | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'etc') diff --git a/etc/disable-common.inc b/etc/disable-common.inc index cff2289fd..4a8a379e5 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc 
@@ -58,11 +58,15 @@ read-only ${HOME}/.xserverrc read-only ${HOME}/.profile # Shell startup files +read-only ${HOME}/.antigen read-only ${HOME}/.bash_login read-only ${HOME}/.bashrc read-only ${HOME}/.bash_profile read-only ${HOME}/.bash_logout +read-only ${HOME}/.zsh.d +read-only ${HOME}/.zshenv read-only ${HOME}/.zshrc +read-only ${HOME}/.zshrc.local read-only ${HOME}/.zlogin read-only ${HOME}/.zprofile read-only ${HOME}/.zlogout -- cgit v1.2.3-70-g09d2 From 91bca369232cb075d7a46a7218e1f7a9736d6360 Mon Sep 17 00:00:00 2001 From: The Fox in the Shell Date: Sat, 18 Jun 2016 17:36:53 +0200 Subject: disable-common: Make ~/.profile read-only Several shells, including Bash, fallback to ~/.profile if their specific profile file does not exist. --- etc/disable-common.inc | 1 + 1 file changed, 1 insertion(+) (limited to 'etc') diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 4a8a379e5..aebf099af 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -74,6 +74,7 @@ read-only ${HOME}/.zsh_files read-only ${HOME}/.tcshrc read-only ${HOME}/.cshrc read-only ${HOME}/.csh_files +read-only ${HOME}/.profile # Initialization files that allow arbitrary command execution read-only ${HOME}/.mailcap -- cgit v1.2.3-70-g09d2 From 0065456d6d6043206367ad56440943071ed25b69 Mon Sep 17 00:00:00 2001 From: The Fox in the Shell Date: Sat, 18 Jun 2016 17:38:01 +0200 Subject: disable-common: Protect caff's files Caff (CA fire & forget) is a popular GnuPG helper for keysigning safely. --- etc/disable-common.inc | 2 ++ 1 file changed, 2 insertions(+) (limited to 'etc') diff --git a/etc/disable-common.inc b/etc/disable-common.inc index aebf099af..c857ff439 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -77,6 +77,7 @@ read-only ${HOME}/.csh_files read-only ${HOME}/.profile # Initialization files that allow arbitrary command execution +read-only ${HOME}/.caffrc read-only ${HOME}/.mailcap read-only ${HOME}/.exrc read-only ${HOME}/_exrc 
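Review bot: The set of protected ZSH startup paths looks incomplete for the rationale in the commit message: Antigen is one plugin manager, but `~/.oh-my-zsh` (and `~/.zprezto`) are sourced from `~/.zshrc` in exactly the same way and are more widespread, so a sandboxed program that can write there gets the same persistence. If those fit the threat model this file targets, `read-only ${HOME}/.oh-my-zsh` next to `.antigen` would close the gap. Otherwise a short comment explaining why only Antigen is covered would save the next reader the question.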
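Review bot: `read-only ${HOME}/.profile` is already present in this file: the context of the preceding hunk shows it at line 58, immediately before the `# Shell startup files` heading, so this commit adds a second identical directive at line 77. Duplicate read-only mounts are harmless but make the file harder to audit; drop the new line, or move the existing one down into this section if the intent is to group it with the other shell startup files.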
@@ -105,6 +106,7 @@ blacklist ${HOME}/.kde/share/apps/kwallet blacklist ${HOME}/.local/share/kwalletd blacklist ${HOME}/.netrc blacklist ${HOME}/.gnupg +blacklist ${HOME}/.caff blacklist ${HOME}/*.kdbx blacklist ${HOME}/*.kdb blacklist ${HOME}/*.key -- cgit v1.2.3-70-g09d2 From afb8b355971cf3c31e26e0384b93068aabea4ba1 Mon Sep 17 00:00:00 2001 From: The Fox in the Shell Date: Sat, 18 Jun 2016 17:45:08 +0200 Subject: disable-common: Blacklist ~/.smbcredentials --- etc/disable-common.inc | 1 + 1 file changed, 1 insertion(+) (limited to 'etc') diff --git a/etc/disable-common.inc b/etc/disable-common.inc index c857ff439..689aecfd4 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -107,6 +107,7 @@ blacklist ${HOME}/.local/share/kwalletd blacklist ${HOME}/.netrc blacklist ${HOME}/.gnupg blacklist ${HOME}/.caff +blacklist ${HOME}/.smbcredentials blacklist ${HOME}/*.kdbx blacklist ${HOME}/*.kdb blacklist ${HOME}/*.key -- cgit v1.2.3-70-g09d2 From 9c8fb3a24944e5618afe5ce118a1e45898a464b4 Mon Sep 17 00:00:00 2001 From: The Fox in the Shell Date: Sat, 18 Jun 2016 17:45:54 +0200 Subject: disable-common: Make ~/.emacs.d and ~/.nano read-only --- etc/disable-common.inc | 2 ++ 1 file changed, 2 insertions(+) (limited to 'etc') diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 689aecfd4..a4c940bdb 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -87,6 +87,8 @@ read-only ${HOME}/.gvimrc read-only ${HOME}/_gvimrc read-only ${HOME}/.vim read-only ${HOME}/.emacs +read-only ${HOME}/.emacs.d +read-only ${HOME}/.nano read-only ${HOME}/.tmux.conf read-only ${HOME}/.iscreenrc read-only ${HOME}/.muttrc -- cgit v1.2.3-70-g09d2 From 4ff6a94aa9cf45de40c7dffc2b7d8ad83794c98c Mon Sep 17 00:00:00 2001 
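Review bot: `read-only ${HOME}/.emacs.d` covers far more than init code: Emacs keeps its package tree, auto-save list and other mutable state under that directory, so any profile that sandboxes Emacs itself (or a program that spawns it) will fail on first write, and as far as I know a `read-only` mount, unlike `blacklist`, cannot be lifted with `noblacklist`. If the intent is to protect the init file only, `read-only ${HOME}/.emacs.d/init.el` is the narrower target; if the whole tree is deliberate, a comment saying so would help.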
From: The Fox in the Shell Date: Sat, 18 Jun 2016 17:47:01 +0200 Subject: disable-common: Make ~/.msmtprc read-only msmtp is a MTA that aims for simplicity and security. ~/.msmtprc may specify commands that are run when sending email. --- etc/disable-common.inc | 1 + 1 file changed, 1 insertion(+) (limited to 'etc') diff --git a/etc/disable-common.inc b/etc/disable-common.inc index a4c940bdb..b5b0f5f2f 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -93,6 +93,7 @@ read-only ${HOME}/.tmux.conf read-only ${HOME}/.iscreenrc read-only ${HOME}/.muttrc read-only ${HOME}/.mutt/muttrc +read-only ${HOME}/.msmtprc read-only ${HOME}/.xmonad read-only ${HOME}/.xscreensaver -- cgit v1.2.3-70-g09d2 From 32bdfff6ada62f10e2b5221c772c8bf8efc36dff Mon Sep 17 00:00:00 2001 From: The Fox in the Shell Date: Sat, 18 Jun 2016 17:48:47 +0200 Subject: disable-common: Make ~/.reportbugrc read-only reportbug is a standard Debian tool. Its config file may specify a specific command to use as MTA. --- etc/disable-common.inc | 1 + 1 file changed, 1 insertion(+) (limited to 'etc') diff --git a/etc/disable-common.inc b/etc/disable-common.inc index b5b0f5f2f..0139e984e 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -94,6 +94,7 @@ read-only ${HOME}/.iscreenrc read-only ${HOME}/.muttrc read-only ${HOME}/.mutt/muttrc read-only ${HOME}/.msmtprc +read-only ${HOME}/.reportbugrc read-only ${HOME}/.xmonad read-only ${HOME}/.xscreensaver -- cgit v1.2.3-70-g09d2 From 9a6e6692b1709f3d5f06d5f1bd4d1544f026aa0b Mon Sep 17 00:00:00 2001 From: The Fox in the Shell Date: Sat, 18 Jun 2016 17:58:39 +0200 Subject: disable-common: Make ~/.dotfiles and ~/dotfiles RO Having dotfiles in such a directory, under version control, and symlinking the actual dotfiles to there, is a common-enough practice that I believe should be supported. --- etc/disable-common.inc | 2 ++ 1 file changed, 2 insertions(+) (limited to 'etc') 
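Review bot: `read-only` protects the integrity of `~/.msmtprc` but not its confidentiality, and that file commonly carries a plaintext `password` entry alongside the `passwordeval` command the commit message alludes to, so a sandboxed program can still read the SMTP credentials. The rest of this file treats credential stores (`.netrc`, `.gnupg`, `.smbcredentials`) with `blacklist`, so `blacklist ${HOME}/.msmtprc` in that section would be the consistent choice, unless the sandboxed mail clients themselves need to read it, in which case the trade-off deserves a comment.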
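Review bot: The same confidentiality concern applies to `~/.reportbugrc`: besides the MTA command the commit message mentions, reportbug's config can hold an `smtppasswd` entry, which `read-only` leaves readable. If that is acceptable because a sandboxed reportbug must read its own config, a comment noting that `read-only` is deliberate here (and why `blacklist` was not chosen) would make the decision auditable.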
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 0139e984e..197e5fbf0 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -78,6 +78,8 @@ read-only ${HOME}/.profile # Initialization files that allow arbitrary command execution read-only ${HOME}/.caffrc +read-only ${HOME}/.dotfiles +read-only ${HOME}/dotfiles read-only ${HOME}/.mailcap read-only ${HOME}/.exrc read-only ${HOME}/_exrc -- cgit v1.2.3-70-g09d2 From 90f527234a62021466991c3f349e45cefbf79acd Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sun, 19 Jun 2016 09:29:50 +1000 Subject: added libreoffice profile --- Makefile.in | 1 + README | 1 + README.md | 2 +- RELNOTES | 2 +- etc/disable-programs.inc | 1 + etc/libreoffice.profile | 14 ++++++++++++++ platform/debian/conffiles | 1 + src/firecfg/firecfg.config | 1 + 8 files changed, 21 insertions(+), 2 deletions(-) create mode 100644 etc/libreoffice.profile (limited to 'etc') diff --git a/Makefile.in b/Makefile.in index 8726e4211..7f21811f5 100644 --- a/Makefile.in +++ b/Makefile.in @@ -196,6 +196,7 @@ realinstall: install -c -m 0644 .etc/gthumb.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/mpv.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/franz.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/libreoffice.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/. rm -fr .etc diff --git a/README b/README index 0f825fd8e..8c15b17a2 100644 --- a/README +++ b/README @@ -87,6 +87,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added Brave profile - added Gitter profile - various organising + - added Libreoffice profile Petter Reinholdtsen (pere@hungry.com) - Opera profile patch n1trux (https://github.com/n1trux) 
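Review bot: The two new directories sit under the `# Initialization files that allow arbitrary command execution` heading, but `~/.dotfiles` and `~/dotfiles` are not init files themselves; the commit message explains that they are version-controlled repositories the real dotfiles symlink into, and that reasoning should live in the file rather than only in git history. Suggest a comment above the pair: `# Repositories that ~/.* symlinks point into; writable here means writable init files`.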
diff --git a/README.md b/README.md index 69890ffaf..c53823304 100644 --- a/README.md +++ b/README.md @@ -77,4 +77,4 @@ Office: evince, gthumb, fbreader ## New security profiles -Gitter, gThumb, mpv, Franz messenger +Gitter, gThumb, mpv, Franz messenger, LibreOffice diff --git a/RELNOTES b/RELNOTES index 04a9d7cbb..4a698620b 100644 --- a/RELNOTES +++ b/RELNOTES @@ -3,7 +3,7 @@ firejail (0.9.41) baseline; urgency=low * compile time and run time support to disable whitelists * compile time support to disable global configuration file * some profiles have been converted to private-bin - * new profiles: Gitter, gThumb, mpv, Franz messenger + * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice -- netblue30 Tue, 31 May 2016 08:00:00 -0500 firejail (0.9.40) baseline; urgency=low diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 6e79b3be0..6c166c186 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -16,6 +16,7 @@ blacklist ${HOME}/.config/stellarium blacklist ${HOME}/.config/atril blacklist ${HOME}/.config/xreader blacklist ${HOME}/.config/xviewer +blacklist $(HOME)/.config/libreoffice blacklist ${HOME}/.kde/share/apps/okular blacklist ${HOME}/.kde/share/config/okularrc blacklist ${HOME}/.kde/share/config/okularpartrc diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile new file mode 100644 index 000000000..9056b1df2 --- /dev/null +++ b/etc/libreoffice.profile @@ -0,0 +1,14 @@ +# Firejail profile for LibreOffice +noblacklist ~/.config/libreoffice +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 3ada0256a..6635a594b 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles 
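Review bot: The new profile grants full network access (`netfilter` plus `protocol unix,inet,inet6,netlink`) to an office suite that, for ordinary document editing, needs no socket, so a malicious document that exploits LibreOffice gets an unrestricted egress path. If networking is required (online help, update check, WebDAV), a comment stating that would justify the choice; if not, `net none` is the stronger default. Either way the decision should be recorded, e.g. `# network kept for online help/remote files; use net none if unneeded`.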
@@ -106,3 +106,4 @@ /etc/firejail/gthumb.profile /etc/firejail/mpv.profile /etc/firejail/franz.profile +/etc/firejail/libreoffice.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index e31a7c12a..eeac7a088 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -106,6 +106,7 @@ evince fbreader gwenview gthumb +LibreOffice Mathematica mathematica okular -- cgit v1.2.3-70-g09d2 From 03187188f55a78411f069c3e13f73dbe86c014dc Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 19 Jun 2016 06:21:27 -0400 Subject: fixes --- README | 1 + etc/disable-programs.inc | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) (limited to 'etc') diff --git a/README b/README index 8c15b17a2..d87430f89 100644 --- a/README +++ b/README @@ -34,6 +34,7 @@ maces (https://github.com/maces) KellerFuchs (https://github.com/KellerFuchs) - nonewpriv support, extended profiles for this feature - make `restricted-network` prevent use of netfilter + - disable-common.inc additions ValdikSS (https://github.com/ValdikSS) - Psi+, Corebird, Konversation profiles - various profile fixes diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 6c166c186..a5b33c860 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -16,7 +16,7 @@ blacklist ${HOME}/.config/stellarium blacklist ${HOME}/.config/atril blacklist ${HOME}/.config/xreader blacklist ${HOME}/.config/xviewer -blacklist $(HOME)/.config/libreoffice +blacklist ${HOME}/.config/libreoffice blacklist ${HOME}/.kde/share/apps/okular blacklist ${HOME}/.kde/share/config/okularrc blacklist ${HOME}/.kde/share/config/okularpartrc -- cgit v1.2.3-70-g09d2 From 08c8c86233337ff00ccb7112f659776e5ac1efe1 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Sun, 19 Jun 2016 07:15:16 -0400 Subject: libreoffice support --- Makefile.in | 8 ++++++++ etc/disable-devel.inc | 2 +- etc/libreoffice.profile | 4 ++++ etc/localc.profile | 5 +++++ etc/lodraw.profile | 5 +++++ etc/loffice.profile | 5 +++++ etc/lofromtemplate.profile | 5 +++++ etc/loimpress.profile | 5 +++++ etc/lomath.profile | 5 +++++ etc/loweb.profile | 5 +++++ etc/lowriter.profile | 5 +++++ platform/debian/conffiles | 10 ++++++++++ src/firecfg/firecfg.config | 9 ++++++++- 13 files changed, 71 insertions(+), 2 deletions(-) create mode 100644 etc/localc.profile create mode 100644 etc/lodraw.profile create mode 100644 etc/loffice.profile create mode 100644 etc/lofromtemplate.profile create mode 100644 etc/loimpress.profile create mode 100644 etc/lomath.profile create mode 100644 etc/loweb.profile create mode 100644 etc/lowriter.profile (limited to 'etc') diff --git a/Makefile.in b/Makefile.in index 7f21811f5..c7ecab5ac 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -197,6 +197,14 @@ realinstall: install -c -m 0644 .etc/mpv.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/franz.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/libreoffice.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/localc.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/lodraw.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/loffice.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/lofromtemplate.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/loimpress.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/lomath.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/loweb.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/lowriter.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/. rm -fr .etc diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc index 4e401055a..821aa1ea4 100644 --- a/etc/disable-devel.inc +++ b/etc/disable-devel.inc @@ -37,7 +37,7 @@ blacklist /usr/lib/php* blacklist /usr/bin/ruby blacklist /usr/lib/ruby -# Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat +# Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice # Python 2 #blacklist /usr/bin/python2* #blacklist /usr/lib/python2* diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index 9056b1df2..6cbdbfd66 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile @@ -12,3 +12,7 @@ noroot protocol unix,inet,inet6,netlink seccomp tracelog + +private-dev +whitelist /tmp/.X11-unix/ + diff --git a/etc/localc.profile b/etc/localc.profile new file mode 100644 index 000000000..fecd08822 
--- /dev/null +++ b/etc/localc.profile @@ -0,0 +1,5 @@ +################################ +# LibreOffice profile +################################ +include /etc/firejail/libreoffice.profile + diff --git a/etc/lodraw.profile b/etc/lodraw.profile new file mode 100644 index 000000000..9a53d9fb0 --- /dev/null +++ b/etc/lodraw.profile @@ -0,0 +1,5 @@ +################################ +# LibreOffice profile +################################ +include /etc/firejail/liberoffice.profile + diff --git a/etc/loffice.profile b/etc/loffice.profile new file mode 100644 index 000000000..fecd08822 --- /dev/null +++ b/etc/loffice.profile @@ -0,0 +1,5 @@ +################################ +# LibreOffice profile +################################ +include /etc/firejail/libreoffice.profile + diff --git a/etc/lofromtemplate.profile b/etc/lofromtemplate.profile new file mode 100644 index 000000000..fecd08822 --- /dev/null +++ b/etc/lofromtemplate.profile @@ -0,0 +1,5 @@ +################################ +# LibreOffice profile +################################ +include /etc/firejail/libreoffice.profile + diff --git a/etc/loimpress.profile b/etc/loimpress.profile new file mode 100644 index 000000000..fecd08822 --- /dev/null +++ b/etc/loimpress.profile @@ -0,0 +1,5 @@ +################################ +# LibreOffice profile +################################ +include /etc/firejail/libreoffice.profile + diff --git a/etc/lomath.profile b/etc/lomath.profile new file mode 100644 index 000000000..fecd08822 --- /dev/null +++ b/etc/lomath.profile @@ -0,0 +1,5 @@ +################################ +# LibreOffice profile +################################ +include /etc/firejail/libreoffice.profile + diff --git a/etc/loweb.profile b/etc/loweb.profile new file mode 100644 index 000000000..fecd08822 --- /dev/null +++ b/etc/loweb.profile @@ -0,0 +1,5 @@ +################################ +# LibreOffice profile +################################ +include /etc/firejail/libreoffice.profile + 
diff --git a/etc/lowriter.profile b/etc/lowriter.profile new file mode 100644 index 000000000..fecd08822 --- /dev/null +++ b/etc/lowriter.profile @@ -0,0 +1,5 @@ +################################ +# LibreOffice profile +################################ +include /etc/firejail/libreoffice.profile + diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 6635a594b..b3aa62217 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -107,3 +107,13 @@ /etc/firejail/mpv.profile /etc/firejail/franz.profile /etc/firejail/libreoffice.profile +/etc/firejail/localc.profile +/etc/firejail/lodraw.profile +/etc/firejail/loffice.profile +/etc/firejail/lofromtemplate.profile +/etc/firejail/loimpress.profile +/etc/firejail/lomath.profile +/etc/firejail/loweb.profile +/etc/firejail/lowriter.profile + + diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index eeac7a088..fa2dee81d 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -106,7 +106,14 @@ evince fbreader gwenview gthumb -LibreOffice +libreoffice +lodraw +loffice +lofromtemplate +loimpres +lomath +loweb +lowriter Mathematica mathematica okular -- cgit v1.2.3-70-g09d2 From ff7fd50f5df649cfc517d7c636b518b32b633830 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 19 Jun 2016 07:52:15 -0400 Subject: libreoffice support --- etc/lodraw.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/lodraw.profile b/etc/lodraw.profile index 9a53d9fb0..fecd08822 100644 --- a/etc/lodraw.profile +++ b/etc/lodraw.profile @@ -1,5 +1,5 @@ ################################ # LibreOffice profile ################################ -include /etc/firejail/liberoffice.profile +include /etc/firejail/libreoffice.profile -- cgit v1.2.3-70-g09d2 From 26c4c477177ad3801f2f6f99bfd8f44fe920af9c Mon Sep 17 00:00:00 2001 
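Review bot: `loimpres` in the new firecfg.config entries matches nothing this commit installs: the profile is `loimpress.profile`, `Makefile.in` installs `loimpress.profile`, and the LibreOffice launcher is `loimpress`, so `firecfg` will never create a symlink for it and Impress stays unsandboxed for users who rely on firecfg. Change the line to `loimpress`. A quick check that every name in this list has a matching `etc/<name>.profile` would catch this class of typo.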
From: Reiner Herrmann Date: Sun, 19 Jun 2016 16:29:00 +0200 Subject: Add profile for Firefox ESR --- Makefile.in | 1 + etc/firefox-esr.profile | 2 ++ platform/debian/conffiles | 1 + src/firecfg/firecfg.config | 1 + 4 files changed, 5 insertions(+) create mode 100644 etc/firefox-esr.profile (limited to 'etc') diff --git a/Makefile.in b/Makefile.in index c7ecab5ac..196c5892f 100644 --- a/Makefile.in +++ b/Makefile.in @@ -98,6 +98,7 @@ realinstall: install -c -m 0644 .etc/rhythmbox.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/totem.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/firefox.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/firefox-esr.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/icedove.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/iceweasel.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/midori.profile $(DESTDIR)/$(sysconfdir)/firejail/. diff --git a/etc/firefox-esr.profile b/etc/firefox-esr.profile new file mode 100644 index 000000000..d2fde9a3f --- /dev/null +++ b/etc/firefox-esr.profile @@ -0,0 +1,2 @@ +# Firejail profile for Mozilla Firefox ESR +include /etc/firejail/firefox.profile diff --git a/platform/debian/conffiles b/platform/debian/conffiles index b3aa62217..2730a497c 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -11,6 +11,7 @@ /etc/firejail/dropbox.profile /etc/firejail/login.users /etc/firejail/firefox.profile +/etc/firejail/firefox-esr.profile /etc/firejail/opera.profile /etc/firejail/opera-beta.profile /etc/firejail/thunderbird.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index fa2dee81d..b54ca221c 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -24,6 +24,7 @@ chromium-browser conkeror cyberfox firefox +firefox-esr flashpeak-slimjet epiphany dillo -- cgit v1.2.3-70-g09d2 
From 8dc1d21e5a1196696fd617ecf4d025b274d57260 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Mon, 20 Jun 2016 10:09:02 +1000 Subject: Pix profile --- etc/pix.profile | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 etc/pix.profile (limited to 'etc') diff --git a/etc/pix.profile b/etc/pix.profile new file mode 100644 index 000000000..ccf0c0381 --- /dev/null +++ b/etc/pix.profile @@ -0,0 +1,19 @@ +# gthumb profile +noblacklist ${HOME}/.config/pix +noblacklist ${HOME}/.local/share/pix + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp + +shell none +private-bin pix +whitelist /tmp/.X11-unix -- cgit v1.2.3-70-g09d2 From bc5c520e8dbfdb8d070948b2bc9c3a7f1fdb3eab Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Mon, 20 Jun 2016 10:09:30 +1000 Subject: extra Pix files --- Makefile.in | 1 + README | 1 + README.md | 4 ++-- RELNOTES | 1 + etc/disable-programs.inc | 2 ++ platform/debian/conffiles | 3 +-- src/firecfg/firecfg.config | 1 + 7 files changed, 9 insertions(+), 4 deletions(-) (limited to 'etc') diff --git a/Makefile.in b/Makefile.in index 196c5892f..1a5a9160d 100644 --- a/Makefile.in +++ b/Makefile.in @@ -206,6 +206,7 @@ realinstall: install -c -m 0644 .etc/lomath.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/loweb.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/lowriter.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/pix.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/. rm -fr .etc diff --git a/README b/README index d87430f89..9dfbbec14 100644 --- a/README 
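Review bot: The header reads `# gthumb profile` although this file is `etc/pix.profile`; the body was evidently copied from gthumb and the comment not updated, which will mislead anyone grepping profiles by purpose. Change it to `# Firejail profile for Pix`. The body itself (`noblacklist` on the pix directories, `private-bin pix`, `whitelist /tmp/.X11-unix`) is consistent with the other private-bin profiles in this series.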
+++ b/README @@ -89,6 +89,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added Gitter profile - various organising - added Libreoffice profile + - added pix profile Petter Reinholdtsen (pere@hungry.com) - Opera profile patch n1trux (https://github.com/n1trux) diff --git a/README.md b/README.md index c53823304..fa1e38b52 100644 --- a/README.md +++ b/README.md @@ -73,8 +73,8 @@ File transfer: filezilla Media: vlc, mpv, gnome-mplayer -Office: evince, gthumb, fbreader +Office: evince, gthumb, fbreader, pix ## New security profiles -Gitter, gThumb, mpv, Franz messenger, LibreOffice +Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix diff --git a/RELNOTES b/RELNOTES index 4a698620b..767ef8f34 100644 --- a/RELNOTES +++ b/RELNOTES @@ -4,6 +4,7 @@ firejail (0.9.41) baseline; urgency=low * compile time support to disable global configuration file * some profiles have been converted to private-bin * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice + * new profiles: pix -- netblue30 Tue, 31 May 2016 08:00:00 -0500 firejail (0.9.40) baseline; urgency=low diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index a5b33c860..70deb2b0c 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -17,6 +17,7 @@ blacklist ${HOME}/.config/atril blacklist ${HOME}/.config/xreader blacklist ${HOME}/.config/xviewer blacklist ${HOME}/.config/libreoffice +blacklist ${HOME}/.config/pix blacklist ${HOME}/.kde/share/apps/okular blacklist ${HOME}/.kde/share/config/okularrc blacklist ${HOME}/.kde/share/config/okularpartrc @@ -120,3 +121,4 @@ blacklist ${HOME}/.local/share/0ad blacklist ${HOME}/.local/share/xplayer blacklist ${HOME}/.local/share/totem blacklist ${HOME}/.local/share/psi+ +blacklist ${HOME}/.local/share/pix diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 2730a497c..d312d4bd9 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles 
@@ -116,5 +116,4 @@ /etc/firejail/lomath.profile /etc/firejail/loweb.profile /etc/firejail/lowriter.profile - - +/etc/firejail/pix.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index b54ca221c..ee90a6d89 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -118,6 +118,7 @@ lowriter Mathematica mathematica okular +pix xreader # other -- cgit v1.2.3-70-g09d2 From c34aceb3df382f5649582854c05fc50dc5f5bc29 Mon Sep 17 00:00:00 2001 From: avoidr Date: Mon, 20 Jun 2016 04:03:07 +0200 Subject: mpv.profile: make youtube-dl work --- etc/mpv.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/mpv.profile b/etc/mpv.profile index cbed7e8c6..80f8de54a 100644 --- a/etc/mpv.profile +++ b/etc/mpv.profile @@ -15,4 +15,4 @@ seccomp # to test shell none -private-bin mpv +private-bin mpv,youtube-dl,python2.7 -- cgit v1.2.3-70-g09d2 From 42b48c6e44235e323db8dd77428a4d7923ab6de2 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 21 Jun 2016 12:08:53 -0400 Subject: libreoffice fix --- Makefile.in | 1 + README | 1 + etc/soffice.profile | 5 +++++ src/firecfg/firecfg.config | 1 + 4 files changed, 8 insertions(+) create mode 100644 etc/soffice.profile (limited to 'etc') diff --git a/Makefile.in b/Makefile.in index 1a5a9160d..b21200180 100644 --- a/Makefile.in +++ b/Makefile.in @@ -207,6 +207,7 @@ realinstall: install -c -m 0644 .etc/loweb.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/lowriter.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/pix.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/soffice.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/. rm -fr .etc 
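Review bot: `private-bin mpv,youtube-dl,python2.7` pulls a complete Python interpreter into the sandbox, a far larger attack surface than mpv alone, and the profile should say that it exists only for youtube-dl. It may also not be sufficient as written: youtube-dl is a script, and if its shebang is `#!/usr/bin/env python` (the common packaging), both `env` and a `python` name must be in `private-bin`, not only `python2.7`; please confirm on the target distribution. A comment such as `# youtube-dl is a Python script; its interpreter and shebang target must be present` would record the constraint.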
diff --git a/README b/README index 9dfbbec14..087e4f07d 100644 --- a/README +++ b/README @@ -51,6 +51,7 @@ avoidr (https://github.com/avoidr) - paths fix - lots of profile fixes - added mcabber profile + - fixed mpv profile Ruan (https://github.com/ruany) - fixed hexchat profile Vasya Novikov (https://github.com/vn971) diff --git a/etc/soffice.profile b/etc/soffice.profile new file mode 100644 index 000000000..fecd08822 --- /dev/null +++ b/etc/soffice.profile @@ -0,0 +1,5 @@ +################################ +# LibreOffice profile +################################ +include /etc/firejail/libreoffice.profile + diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index ee90a6d89..7340e430e 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -115,6 +115,7 @@ loimpres lomath loweb lowriter +soffice Mathematica mathematica okular -- cgit v1.2.3-70-g09d2 From 66e7bdf16731a225fdd260f4b1bfb8d73fe9ce22 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 23 Jun 2016 10:52:43 -0400 Subject: profile update --- etc/deluge.profile | 2 ++ etc/evince.profile | 1 + etc/fbreader.profile | 1 + etc/filezilla.profile | 1 + etc/gthumb.profile | 1 + etc/pix.profile | 2 ++ etc/qbittorrent.profile | 1 + etc/rtorrent.profile | 1 + etc/transmission-gtk.profile | 2 ++ etc/transmission-qt.profile | 1 + etc/uget-gtk.profile | 2 ++ 11 files changed, 15 insertions(+) (limited to 'etc') diff --git a/etc/deluge.profile b/etc/deluge.profile index 96df13a73..61bc80bd5 100644 --- a/etc/deluge.profile +++ b/etc/deluge.profile @@ -16,3 +16,5 @@ seccomp shell none private-bin deluge,sh,python,uname whitelist /tmp/.X11-unix +private-dev + diff --git a/etc/evince.profile b/etc/evince.profile index 320d55fad..9899da84d 100644 --- a/etc/evince.profile +++ b/etc/evince.profile @@ -14,3 +14,4 @@ seccomp shell none private-bin evince,evince-previewer,evince-thumbnailer whitelist /tmp/.X11-unix +private-dev 
diff --git a/etc/fbreader.profile b/etc/fbreader.profile index f155b02af..24b35df9a 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile @@ -17,3 +17,4 @@ seccomp shell none private-bin fbreader,FBReader whitelist /tmp/.X11-unix +private-dev diff --git a/etc/filezilla.profile b/etc/filezilla.profile index c146dba13..390769382 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile @@ -17,3 +17,4 @@ seccomp shell none private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp whitelist /tmp/.X11-unix +private-dev diff --git a/etc/gthumb.profile b/etc/gthumb.profile index 2d6cd160c..44e7051a5 100644 --- a/etc/gthumb.profile +++ b/etc/gthumb.profile @@ -16,3 +16,4 @@ seccomp shell none private-bin gthumb whitelist /tmp/.X11-unix +private-dev diff --git a/etc/pix.profile b/etc/pix.profile index ccf0c0381..4e53de00b 100644 --- a/etc/pix.profile +++ b/etc/pix.profile @@ -17,3 +17,5 @@ seccomp shell none private-bin pix whitelist /tmp/.X11-unix +private-dev + diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index b2bfe49ca..c5b9a72e6 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile @@ -16,3 +16,4 @@ seccomp #shell none #private-bin qbittorrent whitelist /tmp/.X11-unix +private-dev diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index 97c2335a8..1226a51cd 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile @@ -15,3 +15,4 @@ seccomp shell none private-bin rtorrent whitelist /tmp/.X11-unix +private-dev diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index 80d71d615..fa5c3b22b 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile @@ -19,3 +19,5 @@ tracelog shell none private-bin transmission-gtk whitelist /tmp/.X11-unix +private-dev + diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index dfb600871..754211a63 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile 
@@ -19,3 +19,4 @@ tracelog shell none private-bin transmission-qt whitelist /tmp/.X11-unix +private-dev diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile index 591a82af4..2c3c62c5f 100644 --- a/etc/uget-gtk.profile +++ b/etc/uget-gtk.profile @@ -21,3 +21,5 @@ include /etc/firejail/whitelist-common.inc shell none private-bin uget-gtk whitelist /tmp/.X11-unix +private-dev + -- cgit v1.2.3-70-g09d2 From cb8f31dd884ed312443e2080f4e283a81ea914df Mon Sep 17 00:00:00 2001 From: kouul Date: Sat, 25 Jun 2016 15:25:12 +0400 Subject: xz decompressor --- etc/xzdec.profile | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 etc/xzdec.profile (limited to 'etc') diff --git a/etc/xzdec.profile b/etc/xzdec.profile new file mode 100644 index 000000000..f29f7360c --- /dev/null +++ b/etc/xzdec.profile @@ -0,0 +1,13 @@ +# Firejail profile for XZ decompressor +# xzdec.profile + +include /etc/firejail/disable-mgmt.inc +include /etc/firejail/disable-secret.inc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc + +caps.drop all +seccomp +tracelog +noroot +shell none -- cgit v1.2.3-70-g09d2 From 82ebb6b943cb8b9ad1de1109ae93629e95d17492 Mon Sep 17 00:00:00 2001 From: jaykishan mutkawoa Date: Sat, 25 Jun 2016 15:52:58 +0400 Subject: cpio sandbox profile for decompression --- etc/cpio.profile | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 etc/cpio.profile (limited to 'etc') diff --git a/etc/cpio.profile b/etc/cpio.profile new file mode 100644 index 000000000..0efe2e20c --- /dev/null +++ b/etc/cpio.profile @@ -0,0 +1,7 @@ +include /usr/local/etc/firejail/server.profile +include /usr/local/etc/firejail/disable-common.inc +include /usr/local/etc/firejail/disable-programs.inc +include /usr/local/etc/firejail/disable-passwdmgr.inc +caps.drop all +shell none +seccomp -- cgit v1.2.3-70-g09d2 From b92cae3a9222decc4aebb447a44ffa127cedd3be Mon Sep 17 00:00:00 2001 
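Review bot: The new cpio.profile resolves its includes under `/usr/local/etc/firejail/`, whereas every other profile on this page and the Makefile install rule (`$(DESTDIR)/$(sysconfdir)/firejail/`) use `/etc/firejail/`, so on a default-prefix install the disable-common, disable-programs and disable-passwdmgr restrictions are not applied (whether firejail aborts or silently continues on a missing include is not visible here, but neither outcome is the intended sandbox). Pulling in `server.profile` for a command-line decompressor also looks unintended. The include lines should read `include /etc/firejail/disable-common.inc` and likewise for the other fragments. The same hard-coded `/usr/local/etc/firejail/` prefix recurs in the new etc/strings.profile further down this page.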
From: root Date: Sat, 25 Jun 2016 15:57:38 +0400 Subject: Committer: Paupiah Yashvi Desctiption: Gzip sandbox profile for decompression Changes to be committed: new file: gzip.profile --- etc/gzip.profile | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 etc/gzip.profile (limited to 'etc') diff --git a/etc/gzip.profile b/etc/gzip.profile new file mode 100644 index 000000000..f231c3780 --- /dev/null +++ b/etc/gzip.profile @@ -0,0 +1,19 @@ +################################ +# Gzip profile +################################ +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +blacklist ${HOME}/.wine +blacklist ${HOME}/.ssh + +tracelog +caps.drop all +seccomp +net none +noroot +nosound +nogroups +nonewprivs + -- cgit v1.2.3-70-g09d2 From 135b32363fe676f05684b3a152da3c6110f65770 Mon Sep 17 00:00:00 2001 From: jaykishan mutkawoa Date: Sun, 26 Jun 2016 12:45:03 +0400 Subject: sandbox profile for CPIO --- etc/cpio.profile | 1 + 1 file changed, 1 insertion(+) (limited to 'etc') diff --git a/etc/cpio.profile b/etc/cpio.profile index 0efe2e20c..811d657f2 100644 --- a/etc/cpio.profile +++ b/etc/cpio.profile @@ -3,5 +3,6 @@ include /usr/local/etc/firejail/disable-common.inc include /usr/local/etc/firejail/disable-programs.inc include /usr/local/etc/firejail/disable-passwdmgr.inc caps.drop all +net none shell none seccomp -- cgit v1.2.3-70-g09d2 From ce8789af098b9fded984b9ea65fb09ad75a58936 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Mon, 27 Jun 2016 05:33:05 +1000 Subject: added audacity profile --- etc/audacity.profile | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 etc/audacity.profile (limited to 'etc') diff --git a/etc/audacity.profile b/etc/audacity.profile new file mode 100644 index 000000000..8971ce1a2 --- /dev/null +++ b/etc/audacity.profile 
@@ -0,0 +1,16 @@ +# Audacity profile +noblacklist ~/.audacity-data + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +caps.drop all +netfilter +nonewprivs +noroot +nogroups +#private-bin audacity +protocol unix,inet,inet6 +seccomp -- cgit v1.2.3-70-g09d2 From a9108bb31f7ed62ef06dc15854697e5e3161108c Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Mon, 27 Jun 2016 05:37:45 +1000 Subject: extra audacity files --- Makefile.in | 1 + README | 3 ++- README.md | 2 +- RELNOTES | 2 +- etc/disable-programs.inc | 1 + platform/debian/conffiles | 1 + src/firecfg/firecfg.config | 1 + 7 files changed, 8 insertions(+), 3 deletions(-) (limited to 'etc') diff --git a/Makefile.in b/Makefile.in index b21200180..38279beca 100644 --- a/Makefile.in +++ b/Makefile.in @@ -208,6 +208,7 @@ realinstall: install -c -m 0644 .etc/lowriter.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/pix.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/soffice.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/audacity.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/. rm -fr .etc diff --git a/README b/README index 087e4f07d..ab7115bec 100644 --- a/README +++ b/README @@ -89,8 +89,9 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added Brave profile - added Gitter profile - various organising - - added Libreoffice profile + - added LibreOffice profile - added pix profile + - added audacity profile Petter Reinholdtsen (pere@hungry.com) - Opera profile patch n1trux (https://github.com/n1trux) diff --git a/README.md b/README.md index fa1e38b52..6ab15d2fd 100644 --- a/README.md +++ b/README.md 
@@ -77,4 +77,4 @@ Office: evince, gthumb, fbreader, pix ## New security profiles -Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix +Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity diff --git a/RELNOTES b/RELNOTES index 767ef8f34..78a21bd2b 100644 --- a/RELNOTES +++ b/RELNOTES @@ -4,7 +4,7 @@ firejail (0.9.41) baseline; urgency=low * compile time support to disable global configuration file * some profiles have been converted to private-bin * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice - * new profiles: pix + * new profiles: pix, audacity -- netblue30 Tue, 31 May 2016 08:00:00 -0500 firejail (0.9.40) baseline; urgency=low diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 70deb2b0c..e9dd331aa 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -32,6 +32,7 @@ blacklist ${HOME}/.config/vlc blacklist ${HOME}/.config/mpv blacklist ${HOME}/.config/totem blacklist ${HOME}/.config/xplayer +blacklist ${HOME}/.audacity-data # HTTP / FTP / Mail blacklist ${HOME}/.icedove diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 574567f4d..eca804ab6 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -118,3 +118,4 @@ /etc/firejail/lowriter.profile /etc/firejail/pix.profile /etc/firejail/soffice.profile +/etc/firejail/audacity.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 7340e430e..35338d427 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -83,6 +83,7 @@ warzone2100 # Media audacious +audacity clementine cmus deadbeef -- cgit v1.2.3-70-g09d2 From 7b458eadbf0ad73153bcce884721cb3e7a82b21c Mon Sep 17 00:00:00 2001 From: avoidr Date: Mon, 27 Jun 2016 01:14:30 +0200 Subject: tighten disable-devel.inc --- etc/disable-devel.inc | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc index 821aa1ea4..963cf6da0 100644 
--- a/etc/disable-devel.inc +++ b/etc/disable-devel.inc @@ -2,15 +2,20 @@ # GCC blacklist /usr/include +blacklist /usr/lib/gcc blacklist /usr/bin/gcc* blacklist /usr/bin/cpp* blacklist /usr/bin/c9* blacklist /usr/bin/c8* blacklist /usr/bin/c++* +blacklist /usr/bin/as blacklist /usr/bin/ld blacklist /usr/bin/gdb blacklist /usr/bin/g++* blacklist /usr/bin/x86_64-linux-gnu-g++* +blacklist /usr/bin/x86_64-linux-gnu-gcc* +blacklist /usr/bin/x86_64-unknown-linux-gnu-g++* +blacklist /usr/bin/x86_64-unknown-linux-gnu-gcc* # clang/llvm blacklist /usr/bin/clang* @@ -18,6 +23,11 @@ blacklist /usr/bin/llvm* blacklist /usb/bin/lldb* blacklist /usr/lib/llvm* +# tcc - Tiny C Compiler +blacklist /usr/bin/tcc +blacklist /usr/bin/x86_64-tcc +blacklist /usr/lib/tcc + # Valgrind blacklist /usr/bin/valgrind* blacklist /usr/lib/valgrind @@ -51,4 +61,3 @@ blacklist /usr/lib/ruby #blacklist /usr/local/lib/python3* #blacklist /usr/share/python3* #blacklist /usr/include/python3* - -- cgit v1.2.3-70-g09d2 From 7b5b2f9d29218a662cac81f88ff0e39aa9b37c2c Mon Sep 17 00:00:00 2001 From: avoidr Date: Mon, 27 Jun 2016 01:47:20 +0200 Subject: s/Xephry/Xephyr/ --- etc/firejail.config | 2 +- src/man/firejail-config.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'etc') diff --git a/etc/firejail.config b/etc/firejail.config index eaff4de8f..59bbd77a5 100644 --- a/etc/firejail.config +++ b/etc/firejail.config @@ -46,7 +46,7 @@ # xephyr-screen 1024x768 # xephyr-screen 1280x1024 -# Firejail window title in Xephry, default enabled. +# Firejail window title in Xephyr, default enabled. # xephyr-window-title yes # Xephyr command extra parameters. None by default, and the declaration is commented out. diff --git a/src/man/firejail-config.txt b/src/man/firejail-config.txt index bc29dc977..386eda976 100644 --- a/src/man/firejail-config.txt +++ b/src/man/firejail-config.txt 
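Review bot: The context line `blacklist /usb/bin/lldb*` just above the new tcc block misspells the directory, so lldb has never actually been blacklisted; a commit that tightens disable-devel.inc is the place to correct it to `blacklist /usr/bin/lldb*`. The new entries also cover only the bare `as` plus two hard-coded x86_64 triplets for gcc/g++; presumably a toolchain installed under another triplet prefix (cross compilers, `i686-*`) would remain reachable, which is worth either a comment stating the scope or a broader pattern if that matters for this include.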
@@ -76,7 +76,7 @@ xephyr-screen 1280x1024 .TP \fBxephyr-window-title -Firejail window title in Xephry, default enabled. +Firejail window title in Xephyr, default enabled. .TP \fBxephyr-extra-params -- cgit v1.2.3-70-g09d2 From e34051c203dd7eafcd70789ccc852b743b782c3b Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 26 Jun 2016 21:40:19 -0400 Subject: strings, cpio, gzip, xz profiles --- Makefile.in | 4 ++++ README | 9 +++++++++ README.md | 2 +- etc/strings.profile | 12 ++++++++++++ platform/debian/conffiles | 5 +++++ strings.profile | 12 ------------ 6 files changed, 31 insertions(+), 13 deletions(-) create mode 100644 etc/strings.profile delete mode 100644 strings.profile (limited to 'etc') diff --git a/Makefile.in b/Makefile.in index 38279beca..cb166aa33 100644 --- a/Makefile.in +++ b/Makefile.in @@ -209,6 +209,10 @@ realinstall: install -c -m 0644 .etc/pix.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/soffice.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/audacity.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/cpio.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/gzip.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/xzdec.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/strings.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/. rm -fr .etc diff --git a/README b/README index ab7115bec..65eeccd03 100644 --- a/README +++ b/README 
@@ -25,6 +25,14 @@ Reiner Herrmann (https://github.com/reinerh) - clang-analyzer fixes - Debian reproducible build - unit testing framework +Jaykishan Mutkawoa (https://github.com/jmutkawoa) + - cpio profile +Paupiah Yash (https://github.com/CaffeinatedStud) + - gzip profile +Akhil Hans Maulloo (https://github.com/kouul) + - xz profile +Rahul Golam (https://github.com/technoLord) + - strings profile geg2048 (https://github.com/geg2048) - kwallet profile fixes Simon Peter (https://github.com/probonopd) @@ -52,6 +60,7 @@ avoidr (https://github.com/avoidr) - lots of profile fixes - added mcabber profile - fixed mpv profile + - various other fixes Ruan (https://github.com/ruany) - fixed hexchat profile Vasya Novikov (https://github.com/vn971) diff --git a/README.md b/README.md index 6ab15d2fd..b11dc8249 100644 --- a/README.md +++ b/README.md @@ -77,4 +77,4 @@ Office: evince, gthumb, fbreader, pix ## New security profiles -Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity +Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, gzip, cpio diff --git a/etc/strings.profile b/etc/strings.profile new file mode 100644 index 000000000..ea6d4b415 --- /dev/null +++ b/etc/strings.profile @@ -0,0 +1,12 @@ +noblacklist ~/.config + +include /usr/local/etc/firejail/disable-common.inc +include /usr/local/etc/firejail/disable-programs.inc +include /usr/local/etc/firejail/disable-devel.inc +include /usr/local/etc/firejail/disable-passwdmgr.inc + +caps.drop all +noroot +nonewprivs +seccomp +tracelog diff --git a/platform/debian/conffiles b/platform/debian/conffiles index eca804ab6..a09df0c29 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -119,3 +119,8 @@ /etc/firejail/pix.profile /etc/firejail/soffice.profile /etc/firejail/audacity.profile +/etc/firejail/cpio.profile +/etc/firejail/gzip.profile +/etc/firejail/xzdec.profile +/etc/firejail/strings.profile + 
diff --git a/strings.profile b/strings.profile deleted file mode 100644 index ea6d4b415..000000000 --- a/strings.profile +++ /dev/null @@ -1,12 +0,0 @@ -noblacklist ~/.config - -include /usr/local/etc/firejail/disable-common.inc -include /usr/local/etc/firejail/disable-programs.inc -include /usr/local/etc/firejail/disable-devel.inc -include /usr/local/etc/firejail/disable-passwdmgr.inc - -caps.drop all -noroot -nonewprivs -seccomp -tracelog -- cgit v1.2.3-70-g09d2 From fdaab24ae0123ec3b0d23f5df6dd3dd97946cc52 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 27 Jun 2016 09:03:06 -0400 Subject: cpio, gzip, strings, xzdec --- etc/cpio.profile | 14 ++++++++------ etc/gzip.profile | 21 ++++----------------- etc/strings.profile | 16 +++++----------- etc/xzdec.profile | 16 +++++----------- 4 files changed, 22 insertions(+), 45 deletions(-) (limited to 'etc') diff --git a/etc/cpio.profile b/etc/cpio.profile index 811d657f2..f10b82962 100644 --- a/etc/cpio.profile +++ b/etc/cpio.profile @@ -1,8 +1,10 @@ -include /usr/local/etc/firejail/server.profile -include /usr/local/etc/firejail/disable-common.inc -include /usr/local/etc/firejail/disable-programs.inc -include /usr/local/etc/firejail/disable-passwdmgr.inc -caps.drop all +# cpio profile +# testing: find . -print -depth | cpio -ov > tree.cpio +include /etc/firejail/default.profile +tracelog net none shell none -seccomp +private-bin cpio +private-dev + + diff --git a/etc/gzip.profile b/etc/gzip.profile index f231c3780..3c9e8a9bf 100644 --- a/etc/gzip.profile +++ b/etc/gzip.profile @@ -1,19 +1,6 @@ -################################ -# Gzip profile -################################ -include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc -include /etc/firejail/disable-passwdmgr.inc - -blacklist ${HOME}/.wine -blacklist ${HOME}/.ssh - +# gzip profile +include /etc/firejail/default.profile tracelog -caps.drop all -seccomp net none -noroot -nosound -nogroups -nonewprivs - +shell none +private-dev 
diff --git a/etc/strings.profile b/etc/strings.profile index ea6d4b415..8be9a5719 100644 --- a/etc/strings.profile +++ b/etc/strings.profile @@ -1,12 +1,6 @@ -noblacklist ~/.config - -include /usr/local/etc/firejail/disable-common.inc -include /usr/local/etc/firejail/disable-programs.inc -include /usr/local/etc/firejail/disable-devel.inc -include /usr/local/etc/firejail/disable-passwdmgr.inc - -caps.drop all -noroot -nonewprivs -seccomp +# strings profile +include /etc/firejail/default.profile tracelog +net none +shell none +private-dev diff --git a/etc/xzdec.profile b/etc/xzdec.profile index f29f7360c..ade46dddd 100644 --- a/etc/xzdec.profile +++ b/etc/xzdec.profile @@ -1,13 +1,7 @@ -# Firejail profile for XZ decompressor -# xzdec.profile - -include /etc/firejail/disable-mgmt.inc -include /etc/firejail/disable-secret.inc -include /etc/firejail/disable-common.inc -include /etc/firejail/disable-devel.inc - -caps.drop all -seccomp +# XZ decompressor profile +include /etc/firejail/default.profile tracelog -noroot +net none shell none +private-dev + -- cgit v1.2.3-70-g09d2 From 4ece607b8f833cf0974bcf2a5e41f0504cbbff59 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Tue, 28 Jun 2016 07:58:20 -0400 Subject: sysutils --- Makefile.in | 7 +++++- etc/cpio.profile | 21 ++++++++++++---- etc/gzip.profile | 1 + etc/strings.profile | 1 + etc/xz.profile | 2 ++ etc/xzdec.profile | 4 ++-- platform/debian/conffiles | 1 + src/firejail/main.c | 61 +++++++++++++++++++++++++++++++++++++---------- test/sysutils/cpio.exp | 26 ++++++++++++++++++++ test/sysutils/gzip.exp | 26 ++++++++++++++++++++ test/sysutils/strings.exp | 26 ++++++++++++++++++++ test/sysutils/sysutils.sh | 44 ++++++++++++++++++++++++++++++++++ test/sysutils/xzdec.exp | 29 ++++++++++++++++++++++ todo | 7 ++++++ 14 files changed, 235 insertions(+), 21 deletions(-) create mode 100644 etc/xz.profile create mode 100755 test/sysutils/cpio.exp create mode 100755 test/sysutils/gzip.exp create mode 100755 test/sysutils/strings.exp create mode 100755 test/sysutils/sysutils.sh create mode 100755 test/sysutils/xzdec.exp (limited to 'etc') diff --git a/Makefile.in b/Makefile.in index cb166aa33..5204fc34a 100644 --- a/Makefile.in +++ b/Makefile.in @@ -53,6 +53,7 @@ clean: rm -f test/environment/wget-log* rm -fr test/environment/-testdir rm -f test/environment/logfile* + rm -f test/sysutils/firejail_t* cd test/compile; ./compile.sh --clean; cd ../.. cd test/dist-compile; ./compile.sh --clean; cd ../.. @@ -213,6 +214,7 @@ realinstall: install -c -m 0644 .etc/gzip.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/xzdec.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/strings.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/xz.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/. rm -fr .etc 
@@ -327,6 +329,9 @@ test-apps: test-apps-x11: cd test/apps-x11; ./apps-x11.sh | grep TESTING +test-sysutils: + cd test/sysutils; ./sysutils.sh | grep TESTING + test-utils: cd test/utils; ./utils.sh | grep TESTING @@ -342,5 +347,5 @@ test-network: test-fs: cd test/fs; ./fs.sh | grep TESTING -test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-filters +test: test-profiles test-fs test-utils test-environment test-sysutils test-apps test-apps-x11 test-filters echo "TEST COMPLETE" diff --git a/etc/cpio.profile b/etc/cpio.profile index f10b82962..b0e59c106 100644 --- a/etc/cpio.profile +++ b/etc/cpio.profile @@ -1,10 +1,21 @@ # cpio profile -# testing: find . -print -depth | cpio -ov > tree.cpio -include /etc/firejail/default.profile -tracelog +# /sbin and /usr/sbin are visible inside the sandbox +# /boot is not visible and /var is heavily modified + +noblacklist /sbin +noblacklist /usr/sbin +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +private-dev +private-tmp +seccomp +caps.drop all net none shell none -private-bin cpio -private-dev +tracelog +net none + diff --git a/etc/gzip.profile b/etc/gzip.profile index 3c9e8a9bf..8d35c9f66 100644 --- a/etc/gzip.profile +++ b/etc/gzip.profile @@ -4,3 +4,4 @@ tracelog net none shell none private-dev +private-tmp diff --git a/etc/strings.profile b/etc/strings.profile index 8be9a5719..9bc67cfb8 100644 --- a/etc/strings.profile +++ b/etc/strings.profile @@ -4,3 +4,4 @@ tracelog net none shell none private-dev +private-tmp diff --git a/etc/xz.profile b/etc/xz.profile new file mode 100644 index 000000000..709585acd --- /dev/null +++ b/etc/xz.profile @@ -0,0 +1,2 @@ +# xz profile +include /etc/firejail/cpio.profile diff --git a/etc/xzdec.profile b/etc/xzdec.profile index ade46dddd..1bff66965 100644 --- a/etc/xzdec.profile +++ b/etc/xzdec.profile 
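Review bot: `net none` is listed twice in the rewritten cpio.profile (once after `caps.drop all` and again as the final line); one copy should be dropped. The rewrite also replaces `include /etc/firejail/default.profile` and `private-bin cpio` with an explicit option list while opening `/sbin` and `/usr/sbin` via `noblacklist`, and the resulting list contains no `noroot` or `nonewprivs` at all — the earlier gzip.profile on this page set both explicitly, so if they were previously inherited from default.profile (not visible here) they have been lost. A short comment on why `private-bin cpio` was removed would help too, since the header only explains the /sbin and /boot visibility.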
@@ -1,7 +1,7 @@ -# XZ decompressor profile +# xzdec profile include /etc/firejail/default.profile tracelog net none shell none private-dev - +private-tmp diff --git a/platform/debian/conffiles b/platform/debian/conffiles index a09df0c29..34ab8cd81 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -123,4 +123,5 @@ /etc/firejail/gzip.profile /etc/firejail/xzdec.profile /etc/firejail/strings.profile +/etc/firejail/xz.profile diff --git a/src/firejail/main.c b/src/firejail/main.c index c6fbd584e..f149dd376 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -693,6 +693,52 @@ static void delete_x11_file(pid_t pid) { free(fname); } +static void detect_quiet(int argc, char **argv) { + int i; + char *progs[] = { + "cpio", + "strings", + "gzip", + "xz", + "xzdec", + NULL + }; + + // detect --quiet + for (i = 1; i < argc; i++) { + if (strcmp(argv[i], "--quiet") == 0) { + arg_quiet = 1; + break; + } + + // detect end of firejail params + if (strcmp(argv[i], "--") == 0) + break; + if (strncmp(argv[i], "--", 2) != 0) + break; + } + + // argv[i] is the program name if --quiet was not already detected + if (arg_quiet || i == argc) + return; + + // extract the name of the program without the leading path + char *ptr = strrchr(argv[i], '/'); + char *name = (ptr)? (ptr + 1): argv[i]; + if (*name == '\0') + return; + + // look for the program in the list + int j = 0; + while (progs[j] != NULL) { + if (strcmp(name, progs[j]) == 0) { + arg_quiet = 1; + return; + } + j++; + } +} + //******************************************* // Main program //******************************************* @@ -709,6 +755,8 @@ int main(int argc, char **argv) { int highest_errno = errno_highest_nr(); #endif + detect_quiet(argc, argv); + // drop permissions by default and rise them when required EUID_INIT(); EUID_USER(); 
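Review bot: `detect_quiet` turns on `arg_quiet` whenever the sandboxed program is one of the listed utilities, but nothing in the function says why; a header comment such as `// cpio/strings/gzip/xz/xzdec are normally used in pipelines: suppress firejail's own messages so their output stays byte-identical to an unsandboxed run` would record the intent that the new test/sysutils/*.exp scripts depend on. The table is never written and holds string literals, so `static const char *const progs[] = { ... };` is the appropriate declaration rather than `char *progs[]`. Note also that `detect_quiet` is now called before `run_symlink`; if run_symlink handles invocation through a symlink named after the program (its body is not visible here), `argv[1]` is then the program's first argument rather than its name and the auto-quiet would not trigger — worth confirming. The enclosing `main` starts and ends outside the second hunk.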
@@ -717,19 +765,6 @@ int main(int argc, char **argv) { if (*argv[0] != '-') run_symlink(argc, argv); - // detect --quiet - for (i = 1; i < argc; i++) { - if (strcmp(argv[i], "--quiet") == 0) { - arg_quiet = 1; - break; - } - - // detect end of firejail params - if (strcmp(argv[i], "--") == 0) - break; - if (strncmp(argv[i], "--", 2) != 0) - break; - } // check if we already have a sandbox running // If LXC is detected, start firejail sandbox diff --git a/test/sysutils/cpio.exp b/test/sysutils/cpio.exp new file mode 100755 index 000000000..9755d8737 --- /dev/null +++ b/test/sysutils/cpio.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "find /usr/share/doc/firejail | /bin/cpio -ov > firejail_t1\r" +sleep 1 + +send -- "find /usr/share/doc/firejail | firejail /bin/cpio -ov > firejail_t2\r" +sleep 1 + +send -- "diff -s firejail_t1 firejail_t2\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "firejail_t1 and firejail_t2 are identical" +} + +send -- "rm firejail_t*\r" +sleep 1 + + +puts "\nall done\n" diff --git a/test/sysutils/gzip.exp b/test/sysutils/gzip.exp new file mode 100755 index 000000000..ab0e727de --- /dev/null +++ b/test/sysutils/gzip.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "/bin/gzip -c /usr/bin/firejail > firejail_t1\r" +sleep 1 + +send -- "firejail /bin/gzip -c /usr/bin/firejail > firejail_t2\r" +sleep 1 + +send -- "diff -s firejail_t1 firejail_t2\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "firejail_t1 and firejail_t2 are identical" +} + +send -- "rm firejail_t*\r" +sleep 1 + + +puts "\nall done\n" 
diff --git a/test/sysutils/strings.exp b/test/sysutils/strings.exp new file mode 100755 index 000000000..1fd0f5dc0 --- /dev/null +++ b/test/sysutils/strings.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "/usr/bin/strings /usr/bin/firejail > firejail_t1\r" +sleep 1 + +send -- "firejail /usr/bin/strings /usr/bin/firejail > firejail_t2\r" +sleep 1 + +send -- "diff -s firejail_t1 firejail_t2\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "firejail_t1 and firejail_t2 are identical" +} + +send -- "rm firejail_t*\r" +sleep 1 + + +puts "\nall done\n" diff --git a/test/sysutils/sysutils.sh b/test/sysutils/sysutils.sh new file mode 100755 index 000000000..f230c9a6b --- /dev/null +++ b/test/sysutils/sysutils.sh @@ -0,0 +1,44 @@ +#!/bin/bash +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +export MALLOC_CHECK_=3 +export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) + +which cpio +if [ "$?" -eq 0 ]; +then + echo "TESTING: cpio" + ./cpio.exp +else + echo "TESTING SKIP: cpio not found" +fi + +which strings +if [ "$?" -eq 0 ]; +then + echo "TESTING: strings" + ./strings.exp +else + echo "TESTING SKIP: strings not found" +fi + +which gzip +if [ "$?" -eq 0 ]; +then + echo "TESTING: gzip" + ./gzip.exp +else + echo "TESTING SKIP: gzip not found" +fi + +which xzdec +if [ "$?" -eq 0 ]; +then + echo "TESTING: xzdec" + ./xzdec.exp +else + echo "TESTING SKIP: xzdec not found" +fi + diff --git a/test/sysutils/xzdec.exp b/test/sysutils/xzdec.exp new file mode 100755 index 000000000..0ea6f5fb0 --- /dev/null +++ b/test/sysutils/xzdec.exp 
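Review bot: Each probe in the new sysutils.sh runs `which cpio` and then tests `$?` on a separate line, which prints the resolved path into the test output; `if command -v cpio >/dev/null 2>&1; then` performs the check in one POSIX-portable step with no stray output. The same pattern is repeated for strings, gzip and xzdec in this hunk and in the later extension of the file for xz and less.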
@@ -0,0 +1,29 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "/usr/bin/xz -c /usr/bin/firejail > firejail_t3\r" +sleep 1 + +send -- "/usr/bin/xzdec -c firejail_t3 > firejail_t1\r" +sleep 1 + +send -- "firejail /usr/bin/xzdec -c firejail_t3 > firejail_t2\r" +sleep 1 + +send -- "diff -s firejail_t1 firejail_t2\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "firejail_t1 and firejail_t2 are identical" +} + +send -- "rm firejail_t*\r" +sleep 1 + + +puts "\nall done\n" diff --git a/todo b/todo index cd36b5f11..a5c311562 100644 --- a/todo +++ b/todo @@ -101,3 +101,10 @@ firejail.src: E: no-changelogname-tag firejail.src: W: invalid-url Source0: https://github.com/netblue30/firejail/archive/0.9.40.tar.gz#/firejail-0.9.40.tar.gz HTTP Error 404: Not Found 1 packages and 0 specfiles checked; 1 errors, 1 warnings. +15. Testing: +find /usr/share/doc/firejail | cpio -ov > t1 +strings /usr/bin/firejail > t1 +gzip -c /usr/bin/firejail > t1 + +use diff -s to compare the files + -- cgit v1.2.3-70-g09d2 From e413b78c49234ae2698f0d9f27945c30ef723fe0 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 28 Jun 2016 08:41:51 -0400 Subject: sysutils --- Makefile.in | 1 + etc/less.profile | 7 +++++++ platform/debian/conffiles | 1 + src/firejail/main.c | 1 + test/sysutils/less.exp | 20 ++++++++++++++++++++ test/sysutils/sysutils.sh | 18 ++++++++++++++++++ test/sysutils/xz.exp | 26 ++++++++++++++++++++++++++ 7 files changed, 74 insertions(+) create mode 100644 etc/less.profile create mode 100755 test/sysutils/less.exp create mode 100755 test/sysutils/xz.exp (limited to 'etc') diff --git a/Makefile.in b/Makefile.in index 5204fc34a..00131099a 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -215,6 +215,7 @@ realinstall: install -c -m 0644 .etc/xzdec.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/strings.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/xz.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/less.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/. rm -fr .etc diff --git a/etc/less.profile b/etc/less.profile new file mode 100644 index 000000000..9cad7ceb6 --- /dev/null +++ b/etc/less.profile @@ -0,0 +1,7 @@ +# less profile +include /etc/firejail/default.profile +tracelog +net none +shell none +private-dev +private-tmp diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 34ab8cd81..62a4cfebe 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -124,4 +124,5 @@ /etc/firejail/xzdec.profile /etc/firejail/strings.profile /etc/firejail/xz.profile +/etc/firejail/less.profile diff --git a/src/firejail/main.c b/src/firejail/main.c index f149dd376..463bf4f31 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -696,6 +696,7 @@ static void delete_x11_file(pid_t pid) { static void detect_quiet(int argc, char **argv) { int i; char *progs[] = { + "less", "cpio", "strings", "gzip", diff --git a/test/sysutils/less.exp b/test/sysutils/less.exp new file mode 100755 index 000000000..720830304 --- /dev/null +++ b/test/sysutils/less.exp @@ -0,0 +1,20 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail less ../../Makefile.in\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "MYLIBS" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "APPS" +} + +puts "\nall done\n" 
diff --git a/test/sysutils/sysutils.sh b/test/sysutils/sysutils.sh index f230c9a6b..d75738f97 100755 --- a/test/sysutils/sysutils.sh +++ b/test/sysutils/sysutils.sh @@ -42,3 +42,21 @@ else echo "TESTING SKIP: xzdec not found" fi +which xz +if [ "$?" -eq 0 ]; +then + echo "TESTING: xz" + ./xz.exp +else + echo "TESTING SKIP: xz not found" +fi + +which less +if [ "$?" -eq 0 ]; +then + echo "TESTING: less" + ./less.exp +else + echo "TESTING SKIP: less not found" +fi + diff --git a/test/sysutils/xz.exp b/test/sysutils/xz.exp new file mode 100755 index 000000000..11d0e560c --- /dev/null +++ b/test/sysutils/xz.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "/usr/bin/xz -c /usr/bin/firejail > firejail_t1\r" +sleep 1 + +send -- "firejail /usr/bin/xz -c /usr/bin/firejail > firejail_t2\r" +sleep 1 + +send -- "diff -s firejail_t1 firejail_t2\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "firejail_t1 and firejail_t2 are identical" +} + +send -- "rm firejail_t*\r" +sleep 1 + + +puts "\nall done\n" -- cgit v1.2.3-70-g09d2 From 3b2da566f9dfa2af18b1c03e3f0c7d4764d975f4 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 3 Jul 2016 08:38:06 -0400 Subject: fixed telegram profile --- etc/telegram.profile | 3 --- 1 file changed, 3 deletions(-) (limited to 'etc') diff --git a/etc/telegram.profile b/etc/telegram.profile index 819cd8f3a..8e91e426b 100644 --- a/etc/telegram.profile +++ b/etc/telegram.profile @@ -11,6 +11,3 @@ noroot protocol unix,inet,inet6 seccomp -whitelist ~/Downloads/Telegram Desktop -mkdir ${HOME}/.TelegramDesktop -whitelist ~/.TelegramDesktop -- cgit v1.2.3-70-g09d2 From fe6b414578ac67533d9ce6b475503046d08bf19b Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Sun, 3 Jul 2016 12:50:06 -0400 Subject: more Telegram fixes --- etc/Telegram.profile | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 etc/Telegram.profile (limited to 'etc') diff --git a/etc/Telegram.profile b/etc/Telegram.profile new file mode 100644 index 000000000..8e91e426b --- /dev/null +++ b/etc/Telegram.profile @@ -0,0 +1,13 @@ +# Telegram IRC profile +noblacklist ${HOME}/.TelegramDesktop +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp + -- cgit v1.2.3-70-g09d2 From fa9e6aa8b5dd6937fa35847209faf703cd85f09c Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Mon, 4 Jul 2016 23:51:45 +1000 Subject: 'include' profile --- etc/Telegram.profile | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) (limited to 'etc') diff --git a/etc/Telegram.profile b/etc/Telegram.profile index 8e91e426b..2e0f97821 100644 --- a/etc/Telegram.profile +++ b/etc/Telegram.profile @@ -1,13 +1,2 @@ # Telegram IRC profile -noblacklist ${HOME}/.TelegramDesktop -include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc -include /etc/firejail/disable-devel.inc - -caps.drop all -netfilter -nonewprivs -noroot -protocol unix,inet,inet6 -seccomp - +include /etc/firejail/telegram.profile -- cgit v1.2.3-70-g09d2 From c219c24261efb7e56d719c4a2bbf26b53b9036e4 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Tue, 5 Jul 2016 00:16:59 +1000 Subject: tightened qtox profile --- etc/qtox.profile | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'etc') diff --git a/etc/qtox.profile b/etc/qtox.profile index 3a19efa3a..39f900748 100644 --- a/etc/qtox.profile +++ b/etc/qtox.profile 
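Review bot: The header `# Telegram IRC profile` mislabels the program; Telegram is an instant messenger, not an IRC client, and the later 'include' commit on this page keeps the same header as context. `# Telegram Desktop profile` would be accurate.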
@@ -3,6 +3,7 @@ noblacklist ${HOME}/.config/tox include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc mkdir ${HOME}/.config/tox whitelist ${HOME}/.config/tox @@ -10,7 +11,11 @@ whitelist ${DOWNLOADS} include /etc/firejail/whitelist-common.inc caps.drop all +netfilter nonewprivs noroot protocol unix,inet,inet6 seccomp +shell none +tracelog + -- cgit v1.2.3-70-g09d2 From 6b5b020d253aa3f7b38c53a165b9f9478995cf10 Mon Sep 17 00:00:00 2001 From: Niklas Haas Date: Wed, 6 Jul 2016 05:21:55 +0200 Subject: disable-common: Blacklist ~/.config/keybase This is used by keybase.io's client to store secrets. --- etc/disable-common.inc | 1 + 1 file changed, 1 insertion(+) (limited to 'etc') diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 197e5fbf0..17f37c5cc 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -110,6 +110,7 @@ blacklist ${HOME}/.gnome2/keyrings blacklist ${HOME}/.kde4/share/apps/kwallet blacklist ${HOME}/.kde/share/apps/kwallet blacklist ${HOME}/.local/share/kwalletd +blacklist ${HOME}/.config/keybase blacklist ${HOME}/.netrc blacklist ${HOME}/.gnupg blacklist ${HOME}/.caff -- cgit v1.2.3-70-g09d2 From 1f83479b6a5f8d372091fe73aa6c05d2721bf87f Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Thu, 7 Jul 2016 05:43:27 +1000 Subject: Fixed typo --- etc/pix.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/pix.profile b/etc/pix.profile index 4e53de00b..87056e32c 100644 --- a/etc/pix.profile +++ b/etc/pix.profile @@ -1,4 +1,4 @@ -# gthumb profile +# Firejail profile for pix noblacklist ${HOME}/.config/pix noblacklist ${HOME}/.local/share/pix -- cgit v1.2.3-70-g09d2 From 6175c869299b89bd5f9742d404ed5cd7a85a581f Mon Sep 17 00:00:00 2001 
From: Fred-Barclay Date: Thu, 7 Jul 2016 05:45:24 +1000 Subject: added Atom Beta profile --- etc/atom-beta.profile | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 etc/atom-beta.profile (limited to 'etc') diff --git a/etc/atom-beta.profile b/etc/atom-beta.profile new file mode 100644 index 000000000..e2c3000c9 --- /dev/null +++ b/etc/atom-beta.profile @@ -0,0 +1,17 @@ +# Firjail profile for Atom Beta. +noblacklist ~/.atom +noblacklist ~/.config/Atom + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +nogroups +noroot +seccomp +shell none + +private-dev -- cgit v1.2.3-70-g09d2 From 49968ea2702263b038a675e10f667d18ae030ee0 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Thu, 7 Jul 2016 05:53:22 +1000 Subject: additional atom-beta files --- Makefile.in | 1 + README | 1 + README.md | 2 +- RELNOTES | 1 + etc/disable-programs.inc | 2 ++ platform/debian/conffiles | 2 ++ src/firecfg/firecfg.config | 1 + 7 files changed, 9 insertions(+), 1 deletion(-) (limited to 'etc') diff --git a/Makefile.in b/Makefile.in index 9ee65c975..85e81fada 100644 --- a/Makefile.in +++ b/Makefile.in @@ -220,6 +220,7 @@ realinstall: install -c -m 0644 .etc/xz.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/less.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/Telegram.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/atom-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/. rm -fr .etc diff --git a/README b/README index 6cab5bd7a..9bde4793f 100644 --- a/README +++ b/README 
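Review bot: The new etc/atom-beta.profile sets no `protocol` line, so no socket-family filter is installed for the editor, unlike the other profiles in this series (qtox, 0ad, jitsi all carry a `protocol unix,inet,inet6` variant); adding `protocol unix,inet,inet6,netlink` after `nonewprivs` would bring it in line with the rest of the set. The header comment also misspells the project name and should read `# Firejail profile for Atom Beta.`. Both points apply equally to etc/atom.profile in the later "added Atom profile" commit, which is a verbatim copy of this file.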
@@ -52,6 +52,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added pix profile - added audacity profile - fixed Telegram and qtox profiles + - added Atom Beta profile Jaykishan Mutkawoa (https://github.com/jmutkawoa) - cpio profile Paupiah Yash (https://github.com/CaffeinatedStud) diff --git a/README.md b/README.md index bec1a2716..e6757c6f1 100644 --- a/README.md +++ b/README.md @@ -102,5 +102,5 @@ Office: evince, gthumb, fbreader, pix ## New security profiles -Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less +Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta diff --git a/RELNOTES b/RELNOTES index 96a5f0a7f..e48f7dc29 100644 --- a/RELNOTES +++ b/RELNOTES @@ -8,6 +8,7 @@ firejail (0.9.41) baseline; urgency=low * some profiles have been converted to private-bin * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice * new profiles: pix, audacity, strings, xz, xzdec, gzip, cpio, less + * new profiles: Atom Beta -- netblue30 Tue, 31 May 2016 08:00:00 -0500 firejail (0.9.40) baseline; urgency=low diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index e9dd331aa..81c97ca2d 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -1,4 +1,5 @@ # various programs +blacklist ${HOME}/.Atom blacklist ${HOME}/.remmina blacklist ${HOME}/.tconn blacklist ${HOME}/.FBReader @@ -6,6 +7,7 @@ blacklist ${HOME}/.wine blacklist ${HOME}/.Mathematica blacklist ${HOME}/.Wolfram Research blacklist ${HOME}/.stellarium +blacklist ${HOME}/.config/Atom blacklist ${HOME}/.config/gthumb blacklist ${HOME}/.config/mupen64plus blacklist ${HOME}/.config/transmission diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 9ef2f1b26..20a68146c 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles 
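Review bot: In the etc/disable-programs.inc hunk, `blacklist ${HOME}/.Atom` does not match the directory the atom-beta profile un-blacklists, which is `~/.atom` in lower case; paths are case-sensitive, so other sandboxes keep their view of `~/.atom` while the new entry hides a directory Atom does not appear to use. Change the line to `blacklist ${HOME}/.atom` so it pairs with the `noblacklist ~/.atom` in etc/atom-beta.profile. The `blacklist ${HOME}/.config/Atom` entry in the second hunk already matches the profile.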
@@ -126,4 +126,6 @@ /etc/firejail/xz.profile /etc/firejail/less.profile /etc/firejail/Telegram.profile +/etc/firejail/atom-beta.profile + diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 35338d427..55b61df7d 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -126,6 +126,7 @@ xreader # other snap ssh +atom-beta # weather/climate aweather -- cgit v1.2.3-70-g09d2 From 6e814a14b4a4805eca4f0cda68b9fec988b5c5e5 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Fri, 8 Jul 2016 11:15:04 +1000 Subject: added Atom profile --- etc/atom.profile | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 etc/atom.profile (limited to 'etc') diff --git a/etc/atom.profile b/etc/atom.profile new file mode 100644 index 000000000..f996ea79e --- /dev/null +++ b/etc/atom.profile @@ -0,0 +1,17 @@ +# Firjail profile for Atom. +noblacklist ~/.atom +noblacklist ~/.config/Atom + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +nogroups +noroot +seccomp +shell none + +private-dev -- cgit v1.2.3-70-g09d2 From 442655366ff4f32139cad216390eae8e9d12eda7 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Fri, 8 Jul 2016 09:00:27 -0400 Subject: nosound --- etc/atom-beta.profile | 2 ++ etc/atom.profile | 1 + etc/bitlbee.profile | 2 ++ etc/cpio.profile | 1 + etc/deluge.profile | 1 + etc/dnscrypt-proxy.profile | 1 + etc/dnsmasq.profile | 1 + etc/fbreader.profile | 1 + etc/filezilla.profile | 2 ++ etc/gthumb.profile | 1 + etc/gwenview.profile | 1 + etc/gzip.profile | 1 + etc/hedgewars.profile | 1 + etc/less.profile | 1 + etc/libreoffice.profile | 1 + etc/mcabber.profile | 1 + etc/okular.profile | 1 + etc/pix.profile | 1 + etc/qbittorrent.profile | 1 + etc/quiterss.profile | 1 + etc/rtorrent.profile | 1 + etc/server.profile | 1 + etc/strings.profile | 1 + etc/uget-gtk.profile | 1 + etc/unbound.profile | 1 + etc/wesnoth.profile | 1 + etc/xzdec.profile | 1 + 27 files changed, 30 insertions(+) (limited to 'etc') diff --git a/etc/atom-beta.profile b/etc/atom-beta.profile index e2c3000c9..3c753e86c 100644 --- a/etc/atom-beta.profile +++ b/etc/atom-beta.profile @@ -15,3 +15,5 @@ seccomp shell none private-dev +nosound + diff --git a/etc/atom.profile b/etc/atom.profile index f996ea79e..8304cd379 100644 --- a/etc/atom.profile +++ b/etc/atom.profile @@ -15,3 +15,4 @@ seccomp shell none private-dev +nosound diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile index e63802c8a..4666d2fe7 100644 --- a/etc/bitlbee.profile +++ b/etc/bitlbee.profile @@ -10,3 +10,5 @@ private private-dev protocol unix,inet,inet6 seccomp +nosound + diff --git a/etc/cpio.profile b/etc/cpio.profile index b0e59c106..b4d232496 100644 --- a/etc/cpio.profile +++ b/etc/cpio.profile @@ -16,6 +16,7 @@ net none shell none tracelog net none +nosound diff --git a/etc/deluge.profile b/etc/deluge.profile index 61bc80bd5..8fde9acf9 100644 --- a/etc/deluge.profile +++ b/etc/deluge.profile @@ -17,4 +17,5 @@ shell none private-bin deluge,sh,python,uname whitelist /tmp/.X11-unix private-dev +nosound diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile index bd7e19dc2..90c244e03 100644 
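Review bot: In the etc/cpio.profile hunk the context shows `net none` twice, once as the hunk's header context and again as the line directly above the added `nosound`, which suggests the profile carries a duplicate directive. It looks harmless at runtime, but since this commit already touches the file it is the natural moment to delete one of the two `net none` lines rather than leave a copy-paste leftover in place.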
--- a/etc/dnscrypt-proxy.profile +++ b/etc/dnscrypt-proxy.profile @@ -8,5 +8,6 @@ include /etc/firejail/disable-passwdmgr.inc private private-dev +nosound seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile index 6b199c34b..1c01d44e4 100644 --- a/etc/dnsmasq.profile +++ b/etc/dnsmasq.profile @@ -11,5 +11,6 @@ netfilter nonewprivs private private-dev +nosound protocol unix,inet,inet6,netlink seccomp diff --git a/etc/fbreader.profile b/etc/fbreader.profile index 24b35df9a..de31ce8de 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile @@ -18,3 +18,4 @@ shell none private-bin fbreader,FBReader whitelist /tmp/.X11-unix private-dev +nosound diff --git a/etc/filezilla.profile b/etc/filezilla.profile index 390769382..551c17a78 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile @@ -18,3 +18,5 @@ shell none private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp whitelist /tmp/.X11-unix private-dev +nosound + diff --git a/etc/gthumb.profile b/etc/gthumb.profile index 44e7051a5..c673a1297 100644 --- a/etc/gthumb.profile +++ b/etc/gthumb.profile @@ -17,3 +17,4 @@ shell none private-bin gthumb whitelist /tmp/.X11-unix private-dev +nosound diff --git a/etc/gwenview.profile b/etc/gwenview.profile index 65cc084e6..67f10c4e1 100644 --- a/etc/gwenview.profile +++ b/etc/gwenview.profile @@ -13,6 +13,7 @@ nogroups private-dev protocol unix seccomp +nosound #Experimental: #shell none diff --git a/etc/gzip.profile b/etc/gzip.profile index 8d35c9f66..cc19e7608 100644 
--- a/etc/gzip.profile +++ b/etc/gzip.profile @@ -5,3 +5,4 @@ net none shell none private-dev private-tmp +nosound diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile index c5d863bd5..11cd844ce 100644 --- a/etc/hedgewars.profile +++ b/etc/hedgewars.profile @@ -12,6 +12,7 @@ noroot private-dev seccomp tracelog +nosound mkdir ~/.hedgewars whitelist ~/.hedgewars diff --git a/etc/less.profile b/etc/less.profile index 9cad7ceb6..0c43111d7 100644 --- a/etc/less.profile +++ b/etc/less.profile @@ -5,3 +5,4 @@ net none shell none private-dev private-tmp +nosound diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index 6cbdbfd66..77a00ebef 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile @@ -15,4 +15,5 @@ tracelog private-dev whitelist /tmp/.X11-unix/ +nosound diff --git a/etc/mcabber.profile b/etc/mcabber.profile index 6b236a9a7..48b46dba0 100644 --- a/etc/mcabber.profile +++ b/etc/mcabber.profile @@ -18,3 +18,4 @@ private-bin mcabber private-etc null private-dev shell none +nosound diff --git a/etc/okular.profile b/etc/okular.profile index b1efc4753..c9c342b15 100644 --- a/etc/okular.profile +++ b/etc/okular.profile @@ -14,6 +14,7 @@ noroot private-dev protocol unix seccomp +nosound #Experimental: #net none diff --git a/etc/pix.profile b/etc/pix.profile index 87056e32c..81ab7486f 100644 --- a/etc/pix.profile +++ b/etc/pix.profile @@ -18,4 +18,5 @@ shell none private-bin pix whitelist /tmp/.X11-unix private-dev +nosound diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index c5b9a72e6..138b6db55 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile @@ -17,3 +17,4 @@ seccomp #private-bin qbittorrent whitelist /tmp/.X11-unix private-dev +nosound diff --git a/etc/quiterss.profile b/etc/quiterss.profile index 3e5dde36e..f2b9959f6 100644 --- a/etc/quiterss.profile +++ b/etc/quiterss.profile 
@@ -22,6 +22,7 @@ nogroups noroot private-bin quiterss private-dev +nosound #private-etc X11,ssl protocol unix,inet,inet6 seccomp diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index 1226a51cd..15df2c374 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile @@ -16,3 +16,4 @@ shell none private-bin rtorrent whitelist /tmp/.X11-unix private-dev +nosound diff --git a/etc/server.profile b/etc/server.profile index 1b3cb7207..88331d951 100644 --- a/etc/server.profile +++ b/etc/server.profile @@ -8,6 +8,7 @@ include /etc/firejail/disable-passwdmgr.inc private private-dev +nosound private-tmp seccomp diff --git a/etc/strings.profile b/etc/strings.profile index 9bc67cfb8..881edf4ad 100644 --- a/etc/strings.profile +++ b/etc/strings.profile @@ -5,3 +5,4 @@ net none shell none private-dev private-tmp +nosound diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile index 2c3c62c5f..269f8f0fd 100644 --- a/etc/uget-gtk.profile +++ b/etc/uget-gtk.profile @@ -22,4 +22,5 @@ shell none private-bin uget-gtk whitelist /tmp/.X11-unix private-dev +nosound diff --git a/etc/unbound.profile b/etc/unbound.profile index 4365e4fee..5e2cb5f65 100644 --- a/etc/unbound.profile +++ b/etc/unbound.profile @@ -8,5 +8,6 @@ include /etc/firejail/disable-passwdmgr.inc private private-dev +nosound seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile index cd0c6406f..8bd6ef8e1 100644 --- a/etc/wesnoth.profile +++ b/etc/wesnoth.profile 
@@ -15,6 +15,7 @@ protocol unix,inet,inet6 seccomp private-dev +nosound whitelist /tmp/.X11-unix diff --git a/etc/xzdec.profile b/etc/xzdec.profile index 1bff66965..ddf2061bf 100644 --- a/etc/xzdec.profile +++ b/etc/xzdec.profile @@ -5,3 +5,4 @@ net none shell none private-dev private-tmp +nosound -- cgit v1.2.3-70-g09d2 From ec0483b9cecab6b654e7b0281b9cc6f9e4c7d98e Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sat, 9 Jul 2016 02:52:01 +1000 Subject: private-bin conversion --- etc/qtox.profile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/qtox.profile b/etc/qtox.profile index 39f900748..0cac18573 100644 --- a/etc/qtox.profile +++ b/etc/qtox.profile @@ -8,14 +8,15 @@ include /etc/firejail/disable-passwdmgr.inc mkdir ${HOME}/.config/tox whitelist ${HOME}/.config/tox whitelist ${DOWNLOADS} -include /etc/firejail/whitelist-common.inc caps.drop all netfilter nonewprivs +nogroups noroot protocol unix,inet,inet6 seccomp shell none tracelog +private-bin qtox -- cgit v1.2.3-70-g09d2 From c99ddd579d823dae018e1f65ad28b3234e8e51bb Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sat, 9 Jul 2016 05:27:38 +1000 Subject: tightened and fixed permissions warning --- etc/0ad.profile | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) (limited to 'etc') diff --git a/etc/0ad.profile b/etc/0ad.profile index 3797ae5cd..11fb45463 100644 --- a/etc/0ad.profile +++ b/etc/0ad.profile @@ -1,21 +1,13 @@ # Firejail profile for 0ad. +noblacklist ~/.cache/0ad noblacklist ~/.config/0ad +noblacklist ~/.local/share/0ad include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc -# Call these options -caps.drop all -netfilter -noroot -nonewprivs -protocol unix,inet,inet6,netlink -seccomp -tracelog - # Whitelists -noblacklist ~/.cache/0ad mkdir ~/.cache mkdir ~/.cache/0ad whitelist ~/.cache/0ad 
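Review bot: In the etc/qtox.profile hunk the removal of `include /etc/firejail/whitelist-common.inc` is not covered by the "private-bin conversion" in the subject and is not explained anywhere in the change. The hunk keeps `whitelist ${HOME}/.config/tox` and `whitelist ${DOWNLOADS}`, so home stays whitelisted while whatever whitelist-common.inc contributed (presumably the shared X11 and dot-file entries; confirm against that file) is no longer provided. If the removal is intentional, a one-line comment such as `# whitelist-common.inc dropped on purpose: <reason>` would help the next reader; otherwise restore the include directly below `whitelist ${DOWNLOADS}`.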
@@ -24,8 +16,20 @@ mkdir ~/.config mkdir ~/.config/0ad whitelist ~/.config/0ad -noblacklist ~/.local/share/0ad mkdir ~/.local mkdir ~/.local/share mkdir ~/.local/share/0ad whitelist ~/.local/share/0ad + +caps.drop all +netfilter +nonewprivs +nogroups +noroot +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +private-dev + -- cgit v1.2.3-70-g09d2 From 56a34f63f22d20e2dd51f3a0932dc07f2647f252 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sat, 9 Jul 2016 05:28:39 +1000 Subject: If you give a mouse a cookie... --- etc/atril.profile | 8 ++++++-- etc/evince.profile | 3 ++- etc/xreader.profile | 8 ++++++-- 3 files changed, 14 insertions(+), 5 deletions(-) (limited to 'etc') diff --git a/etc/atril.profile b/etc/atril.profile index 8ee7da173..bfe731bec 100644 --- a/etc/atril.profile +++ b/etc/atril.profile @@ -7,10 +7,14 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -netfilter nonewprivs +nogroups noroot nosound -protocol unix,inet,inet6 +protocol unix seccomp +shell none tracelog + +private-bin atril, atril-previewer, atril-thumbnailer +private-dev diff --git a/etc/evince.profile b/etc/evince.profile index 9899da84d..530ce959a 100644 --- a/etc/evince.profile +++ b/etc/evince.profile @@ -6,9 +6,10 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all nonewprivs +nogroups noroot nosound -protocol unix,inet,inet6 +protocol unix seccomp shell none diff --git a/etc/xreader.profile b/etc/xreader.profile index 2cf109f09..fed9d4db5 100644 --- a/etc/xreader.profile +++ b/etc/xreader.profile @@ -9,10 +9,14 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -netfilter nonewprivs +nogroups noroot nosound -protocol unix,inet,inet6 +protocol unix seccomp +shell none tracelog + +private-bin xreader, xreader-previewer, xreader-thumbnailer +private-dev -- cgit v1.2.3-70-g09d2 From 741bd754b70c5020b2c21681879ead4d1910e4ff Mon Sep 17 00:00:00 2001 
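Review bot: In the etc/atril.profile hunk, `private-bin atril, atril-previewer, atril-thumbnailer` carries a space after each comma; every other private-bin list on this page is written without spaces (e.g. `private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer` later in the log), and unless the option parser trims whitespace the second and third names will be looked up with a leading space and not be found. Write it as `private-bin atril,atril-previewer,atril-thumbnailer`. The xreader hunk in the same commit has the identical problem and should become `private-bin xreader,xreader-previewer,xreader-thumbnailer`.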
From: Fred-Barclay Date: Sat, 9 Jul 2016 05:29:23 +1000 Subject: ...he'll probably want to hack Firejail profiles. --- etc/gthumb.profile | 9 +++++---- etc/pix.profile | 9 +++++---- 2 files changed, 10 insertions(+), 8 deletions(-) (limited to 'etc') diff --git a/etc/gthumb.profile b/etc/gthumb.profile index c673a1297..3c02576aa 100644 --- a/etc/gthumb.profile +++ b/etc/gthumb.profile @@ -7,14 +7,15 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -netfilter nonewprivs +nogroups noroot -protocol unix,inet,inet6 +nosound +protocol unix seccomp - shell none +tracelog + private-bin gthumb whitelist /tmp/.X11-unix private-dev -nosound diff --git a/etc/pix.profile b/etc/pix.profile index 81ab7486f..80c05fd09 100644 --- a/etc/pix.profile +++ b/etc/pix.profile @@ -8,15 +8,16 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -netfilter nonewprivs +nogroups noroot -protocol unix,inet,inet6 +nosound +protocol unix seccomp - shell none +tracelog + private-bin pix whitelist /tmp/.X11-unix private-dev -nosound -- cgit v1.2.3-70-g09d2 From a31c175c95ac0c5bf0c023c532e79f7b50eb826f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 9 Jul 2016 07:25:15 -0400 Subject: fixes --- etc/hedgewars.profile | 1 - etc/wesnoth.profile | 1 - todo | 19 +++++++++++++++++++ 3 files changed, 19 insertions(+), 2 deletions(-) (limited to 'etc') diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile index 11cd844ce..c5d863bd5 100644 --- a/etc/hedgewars.profile +++ b/etc/hedgewars.profile @@ -12,7 +12,6 @@ noroot private-dev seccomp tracelog -nosound mkdir ~/.hedgewars whitelist ~/.hedgewars diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile index 8bd6ef8e1..cd0c6406f 100644 --- a/etc/wesnoth.profile +++ b/etc/wesnoth.profile @@ -15,7 +15,6 @@ protocol unix,inet,inet6 seccomp private-dev -nosound whitelist /tmp/.X11-unix diff --git a/todo b/todo index 20d4418ec..0a76cd850 100644 --- a/todo 
+++ b/todo @@ -164,3 +164,22 @@ $ vblank_mode=0 glxgears 18. Add nosound in all profiles with private-dev (including server.profile) test hedgewars! +19. new syscalls: +create_module +name_to_handle_at +ioprio_set, + +??? +146 - sched_get_priority_max +147 - sched_get_priority_min +204 - sched_getaffinity +315 - sched_getattr +143 - sched_getparam +145 - sched_getscheduler +148 - sched_rr_get_interval +203 - sched_setaffinity +314 - sched_setattr +142 - sched_setparam +144 - sched_setscheduler +24 - sched_yield + -- cgit v1.2.3-70-g09d2 From df5208d228c4864d7064ad47b4b2143e22959e84 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sat, 9 Jul 2016 23:59:23 +1000 Subject: cleanup --- etc/xreader.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/xreader.profile b/etc/xreader.profile index fed9d4db5..ac7d34022 100644 --- a/etc/xreader.profile +++ b/etc/xreader.profile @@ -9,8 +9,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -nonewprivs nogroups +nonewprivs noroot nosound protocol unix -- cgit v1.2.3-70-g09d2 From 2e1b94c4251e6a841672f3df96e3d503d380ef1b Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sun, 10 Jul 2016 00:00:11 +1000 Subject: private-bin conversion --- etc/audacity.profile | 11 +++++++---- etc/aweather.profile | 19 ++++++++++--------- etc/gitter.profile | 7 ++++++- etc/gpredict.profile | 19 ++++++++++--------- etc/palemoon.profile | 24 ++++++++++++------------ etc/rhythmbox.profile | 6 ++++++ etc/spotify.profile | 5 +++++ etc/stellarium.profile | 23 ++++++++++++----------- etc/warzone2100.profile | 11 ++++++++--- etc/xplayer.profile | 5 +++++ etc/xviewer.profile | 11 ++++++++--- 11 files changed, 89 insertions(+), 52 deletions(-) (limited to 'etc') diff --git a/etc/audacity.profile b/etc/audacity.profile index 8971ce1a2..162201cb8 100644 --- a/etc/audacity.profile +++ b/etc/audacity.profile 
@@ -7,10 +7,13 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc caps.drop all -netfilter nonewprivs -noroot nogroups -#private-bin audacity -protocol unix,inet,inet6 +noroot +protocol unix seccomp +shell none +tracelog + +private-bin audacity +private-dev diff --git a/etc/aweather.profile b/etc/aweather.profile index dd508e736..d617fb701 100644 --- a/etc/aweather.profile +++ b/etc/aweather.profile @@ -1,24 +1,25 @@ # Firejail profile for aweather. - -# Noblacklist noblacklist ~/.config/aweather - -# Include include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc -# Call these options +# Whitelist +mkdir ~/.config +mkdir ~/.config/aweather +whitelist ~/.config/aweather + caps.drop all netfilter nonewprivs +nogroups noroot +nosound protocol unix,inet,inet6,netlink seccomp +shell none tracelog -# Whitelist -mkdir ~/.config -mkdir ~/.config/aweather -whitelist ~/.config/aweather +private-bin aweather +private-dev diff --git a/etc/gitter.profile b/etc/gitter.profile index 0c2bd1353..2882c59a6 100644 --- a/etc/gitter.profile +++ b/etc/gitter.profile @@ -1,6 +1,5 @@ # Firejail profile for Gitter noblacklist ~/.config/Gitter - include /etc/firejail/disable-common.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc @@ -8,6 +7,12 @@ include /etc/firejail/disable-devel.inc caps.drop all netfilter +nonewprivs +nogroups noroot protocol unix,inet,inet6,netlink seccomp +shell none + +private-bin gitter +private-dev diff --git a/etc/gpredict.profile b/etc/gpredict.profile index ba9fce37b..02bb4d24d 100644 --- a/etc/gpredict.profile +++ b/etc/gpredict.profile 
@@ -1,24 +1,25 @@ # Firejail profile for gpredict. - -# Noblacklist noblacklist ~/.config/Gpredict - -# Include include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc -# Call these options +# Whitelist +mkdir ~/.config +mkdir ~/.config/Gpredict +whitelist ~/.config/Gpredict + caps.drop all netfilter nonewprivs +nogroups noroot +nosound protocol unix,inet,inet6,netlink seccomp +shell none tracelog -# Whitelist -mkdir ~/.config -mkdir ~/.config/Gpredict -whitelist ~/.config/Gpredict +private-bin gpredict +private-dev diff --git a/etc/palemoon.profile b/etc/palemoon.profile index a74954ddb..302c20d7d 100644 --- a/etc/palemoon.profile +++ b/etc/palemoon.profile @@ -1,31 +1,30 @@ # Firejail profile for Pale Moon - -# Noblacklists noblacklist ~/.moonchild productions/pale moon noblacklist ~/.cache/moonchild productions/pale moon - -# Included profiles include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/whitelist-common.inc -# Options +whitelist ${DOWNLOADS} +mkdir ~/.moonchild productions +whitelist ~/.moonchild productions +mkdir ~/.cache +mkdir ~/.cache/moonchild productions +mkdir ~/.cache/moonchild productions/pale moon +whitelist ~/.cache/moonchild productions/pale moon + caps.drop all netfilter +nogroups nonewprivs noroot protocol unix,inet,inet6,netlink seccomp +shell none tracelog -whitelist ${DOWNLOADS} -mkdir ~/.moonchild productions -whitelist ~/.moonchild productions -mkdir ~/.cache -mkdir ~/.cache/moonchild productions -mkdir ~/.cache/moonchild productions/pale moon -whitelist ~/.cache/moonchild productions/pale moon +private-bin palemoon # These are uncommented in the Firefox profile. If you run into trouble you may # want to uncomment (some of) them. 
@@ -56,3 +55,4 @@ whitelist ~/.config/lastpass # experimental features #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse +#private-dev (disabled for now as it will interfere with webcam use in palemoon) diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index 0782a653d..9f087ea1d 100644 --- a/etc/rhythmbox.profile +++ b/etc/rhythmbox.profile @@ -5,8 +5,14 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +nogroups netfilter nonewprivs noroot protocol unix,inet,inet6 seccomp +shell none +tracelog + +private-bin rhythmbox +private-dev diff --git a/etc/spotify.profile b/etc/spotify.profile index 9ba25b818..ca575970b 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile @@ -24,7 +24,12 @@ include /etc/firejail/whitelist-common.inc caps.drop all netfilter +nogroups nonewprivs noroot protocol unix,inet,inet6,netlink seccomp +shell none + +private-bin spotify +private-dev diff --git a/etc/stellarium.profile b/etc/stellarium.profile index 148ec949d..d0c1326b3 100644 --- a/etc/stellarium.profile +++ b/etc/stellarium.profile @@ -1,28 +1,29 @@ # Firejail profile for Stellarium. - -# Noblacklist noblacklist ~/.stellarium noblacklist ~/.config/stellarium - -# Include include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc -# Call these options +# Whitelist +mkdir ~/.stellarium +whitelist ~/.stellarium +mkdir ~/.config +mkdir ~/.config/stellarium +whitelist ~/.config/stellarium + caps.drop all netfilter +nogroups nonewprivs noroot +nosound protocol unix,inet,inet6,netlink seccomp +shell none tracelog -# Whitelist -mkdir ~/.stellarium -whitelist ~/.stellarium +private-bin stellarium +private-dev -mkdir ~/.config -mkdir ~/.config/stellarium -whitelist ~/.config/stellarium 
diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile index ceeaca012..ff37e2800 100644 --- a/etc/warzone2100.profile +++ b/etc/warzone2100.profile @@ -6,15 +6,20 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +# Whitelist +mkdir ~/.warzone2100-3.1 +whitelist ~/.warzone2100-3.1 + # Call these options caps.drop all netfilter +nogroups nonewprivs noroot protocol unix,inet,inet6,netlink seccomp +shell none tracelog -# Whitelist -mkdir ~/.warzone2100-3.1 -whitelist ~/.warzone2100-3.1 +private-bin warzone2100 +private-dev diff --git a/etc/xplayer.profile b/etc/xplayer.profile index cd9cbed45..a46b2fa06 100644 --- a/etc/xplayer.profile +++ b/etc/xplayer.profile @@ -10,7 +10,12 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter nonewprivs +nogroups noroot protocol unix,inet,inet6 seccomp +shell none tracelog + +private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer +private-dev diff --git a/etc/xviewer.profile b/etc/xviewer.profile index 51949526d..7a4ae4858 100644 --- a/etc/xviewer.profile +++ b/etc/xviewer.profile @@ -6,9 +6,14 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -netfilter -noroot nonewprivs -protocol unix,inet,inet6 +nogroups +noroot +nosound +protocol unix seccomp +shell none tracelog + +private-dev +private-bin xviewer -- cgit v1.2.3-70-g09d2 From ec44167ca0de9f0a582ce8d95dbddecf82efe0c7 Mon Sep 17 00:00:00 2001 From: Rahiel Kasim Date: Sun, 10 Jul 2016 11:44:01 +0200 Subject: restrict Dropbox to its own directories --- etc/dropbox.profile | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'etc') diff --git a/etc/dropbox.profile b/etc/dropbox.profile index 2427c6af8..71e019f8c 100644 --- a/etc/dropbox.profile +++ b/etc/dropbox.profile 
@@ -1,4 +1,5 @@ # dropbox profile +noblacklist ~/.config/autostart include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc @@ -8,3 +9,14 @@ nonewprivs noroot protocol unix,inet,inet6 seccomp + +mkdir ~/Dropbox +whitelist ~/Dropbox +mkdir ~/.dropbox +whitelist ~/.dropbox +mkdir ~/.dropbox-dist +whitelist ~/.dropbox-dist + +mkdir ~/.config/autostart +mkfile ~/.config/autostart/dropbox.desktop +whitelist ~/.config/autostart/dropbox.desktop -- cgit v1.2.3-70-g09d2 From 0c37b30ad6bf30bb3f77b4bcb3b92a53bc6ff1fa Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Mon, 11 Jul 2016 13:49:38 +1000 Subject: Jitsi profile --- etc/jitsi.profile | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 etc/jitsi.profile (limited to 'etc') diff --git a/etc/jitsi.profile b/etc/jitsi.profile new file mode 100644 index 000000000..8baf1ad94 --- /dev/null +++ b/etc/jitsi.profile @@ -0,0 +1,16 @@ +# Firejail profile for jitsi +noblacklist ~/.jitsi +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +caps.drop all +nonewprivs +nogroups +noroot +protocol unix,inet,inet6 +seccomp +shell none +tracelog + -- cgit v1.2.3-70-g09d2 From 9ff481769ae394e27ffa636c10a6614f3374e105 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Mon, 11 Jul 2016 14:39:42 +1000 Subject: extra Jitsi files --- Makefile.in | 1 + README | 1 + README.md | 2 +- RELNOTES | 2 +- etc/disable-programs.inc | 1 + platform/debian/conffiles | 1 + src/firecfg/firecfg.config | 1 + 7 files changed, 7 insertions(+), 2 deletions(-) (limited to 'etc') diff --git a/Makefile.in b/Makefile.in index a5a3d7da9..181f30538 100644 --- a/Makefile.in +++ b/Makefile.in 
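Review bot: In the second etc/dropbox.profile hunk, `mkfile ~/.config/autostart/dropbox.desktop` followed by `whitelist ~/.config/autostart/dropbox.desktop` gives the sandboxed client write access to an autostart entry that the desktop session executes outside the sandbox at the next login, so this single file is a path out of the sandbox should the client ever be compromised. If Dropbox only needs to see the entry rather than manage it, adding `read-only ~/.config/autostart/dropbox.desktop` after the whitelist line should keep the visibility without the write; if it genuinely must rewrite the file, a short comment recording that trade-off above the `mkdir ~/.config/autostart` line would help the next reader. The whitelisting of `~/Dropbox`, `~/.dropbox` and `~/.dropbox-dist` is otherwise a clear tightening over the previous unrestricted home.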
@@ -222,6 +222,7 @@ realinstall: install -c -m 0644 .etc/Telegram.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/atom-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/atom.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/jitsi.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/. rm -fr .etc diff --git a/README b/README index 9f5bc7bdf..f2547ad90 100644 --- a/README +++ b/README @@ -57,6 +57,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added Atom Beta and Atom profiles - tightened 0ad, atril, evince, gthumb, pix, qtox, and xreader profiles. - several private-bin conversions + - added jitsi profile Jaykishan Mutkawoa (https://github.com/jmutkawoa) - cpio profile Paupiah Yash (https://github.com/CaffeinatedStud) diff --git a/README.md b/README.md index a60c8dd7f..8f4a66c0f 100644 --- a/README.md +++ b/README.md @@ -135,5 +135,5 @@ Browsers: Palemoon ## New security profiles -Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta, Atom +Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi diff --git a/RELNOTES b/RELNOTES index ef3706eb1..3ff1bf1ad 100644 --- a/RELNOTES +++ b/RELNOTES @@ -13,7 +13,7 @@ firejail (0.9.41) baseline; urgency=low * some profiles have been converted to private-bin * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice * new profiles: pix, audacity, strings, xz, xzdec, gzip, cpio, less - * new profiles: Atom Beta, Atom + * new profiles: Atom Beta, Atom, jitsi -- netblue30 Tue, 31 May 2016 08:00:00 -0500 firejail (0.9.40) baseline; urgency=low 
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 81c97ca2d..837ac1e4c 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -74,6 +74,7 @@ blacklist ${HOME}/.config/tox blacklist ${HOME}/.TelegramDesktop blacklist ${HOME}/.config/Gitter blacklist ${HOME}/.config/Franz +blacklist ${HOME}/.jitsi # Games blacklist ${HOME}/.hedgewars diff --git a/platform/debian/conffiles b/platform/debian/conffiles index ae495ec6d..3bbd93d3c 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -128,3 +128,4 @@ /etc/firejail/Telegram.profile /etc/firejail/atom-beta.profile /etc/firejail/atom.profile +/etc/firejail/jitsi.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 55e7e30de..665cd80c8 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -53,6 +53,7 @@ corebird empathy gitter hexchat +jitsi konversation pidgin polari -- cgit v1.2.3-70-g09d2 From a9f3209570c19843a011da9b254066eb38a648db Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Fri, 15 Jul 2016 07:28:06 +1000 Subject: Pidgin private-bin conversion --- README | 1 + README.md | 2 +- etc/pidgin.profile | 10 +++++++++- 3 files changed, 11 insertions(+), 2 deletions(-) (limited to 'etc') diff --git a/README b/README index f2547ad90..2055c221c 100644 --- a/README +++ b/README @@ -58,6 +58,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - tightened 0ad, atril, evince, gthumb, pix, qtox, and xreader profiles. - several private-bin conversions - added jitsi profile + - pidgin private-bin conversion Jaykishan Mutkawoa (https://github.com/jmutkawoa) - cpio profile Paupiah Yash (https://github.com/CaffeinatedStud) diff --git a/README.md b/README.md index 019a6a56c..f36bbc3ae 100644 --- a/README.md +++ b/README.md 
@@ -140,7 +140,7 @@ Media: vlc, mpv, gnome-mplayer, audacity, rhythmbox, spotify, xplayer, xviewer Office: evince, gthumb, fbreader, pix, atril, xreader -Chat/messaging: qtox, gitter +Chat/messaging: qtox, gitter, pidgin Games: warzone2100 diff --git a/etc/pidgin.profile b/etc/pidgin.profile index 091456d76..3df2cafa6 100644 --- a/etc/pidgin.profile +++ b/etc/pidgin.profile @@ -2,11 +2,19 @@ noblacklist ${HOME}/.purple include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all +netfilter nonewprivs +nogroups noroot protocol unix,inet,inet6 seccomp +shell none +tracelog + +private-bin pidgin +private-dev -- cgit v1.2.3-70-g09d2 From 56765e75e4c526750b8c157635c4345797327315 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Mon, 18 Jul 2016 03:49:02 +1000 Subject: for Issue #637 --- etc/disable-common.inc | 2 ++ 1 file changed, 2 insertions(+) (limited to 'etc') diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 17f37c5cc..d18ee0287 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -20,6 +20,8 @@ blacklist ${HOME}/.config/lxsession/LXDE/autostart blacklist ${HOME}/.fluxbox/startup blacklist ${HOME}/.config/openbox/autostart blacklist ${HOME}/.config/openbox/environment +blacklist ${HOME}/.gnomerc +blacklist /etc/X11/Xsession.d/ # VirtualBox blacklist ${HOME}/.VirtualBox -- cgit v1.2.3-70-g09d2 From 76a3248ab596149078b334949346f238092022f4 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 21 Jul 2016 09:12:44 -0400 Subject: snap profile fix --- etc/snap.profile | 1 + 1 file changed, 1 insertion(+) (limited to 'etc') diff --git a/etc/snap.profile b/etc/snap.profile index b7e6d9b19..270fdf1a5 100644 --- a/etc/snap.profile +++ b/etc/snap.profile 
@@ -6,6 +6,7 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc whitelist ~/snap +whitelist ${DOWNLOADS} include /etc/firejail/whitelist-common.inc caps.keep chown,sys_admin -- cgit v1.2.3-70-g09d2 From 6a7a3c938e0b4a6af76b855e6039eeffb4f34b37 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sun, 24 Jul 2016 10:17:49 +1000 Subject: added eom profile --- etc/eom.profile | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 etc/eom.profile (limited to 'etc') diff --git a/etc/eom.profile b/etc/eom.profile new file mode 100644 index 000000000..81d993e96 --- /dev/null +++ b/etc/eom.profile @@ -0,0 +1,20 @@ +# Firejail profile for Eye of Mate (eom) +noblacklist ~/.config/mate/eom + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +shell none +tracelog + +private-bin eom +private-dev -- cgit v1.2.3-70-g09d2 From 4f54836eecd4881f78b6ba97a08e62a1607176b0 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sun, 24 Jul 2016 10:18:12 +1000 Subject: extra eom files --- Makefile.in | 1 + README | 1 + README.md | 6 +++--- RELNOTES | 2 +- etc/disable-programs.inc | 1 + platform/debian/conffiles | 1 + src/firecfg/firecfg.config | 1 + 7 files changed, 9 insertions(+), 4 deletions(-) (limited to 'etc') diff --git a/Makefile.in b/Makefile.in index db326d2db..c6147cee7 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -223,6 +223,7 @@ realinstall: install -c -m 0644 .etc/atom-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/atom.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/jitsi.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/eom.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/. rm -fr .etc diff --git a/README b/README index 2055c221c..1c9d85d65 100644 --- a/README +++ b/README @@ -59,6 +59,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - several private-bin conversions - added jitsi profile - pidgin private-bin conversion + - added eom profile Jaykishan Mutkawoa (https://github.com/jmutkawoa) - cpio profile Paupiah Yash (https://github.com/CaffeinatedStud) diff --git a/README.md b/README.md index f36bbc3ae..3ab6f43be 100644 --- a/README.md +++ b/README.md @@ -136,9 +136,9 @@ BitTorrent: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt, ug File transfer: filezilla -Media: vlc, mpv, gnome-mplayer, audacity, rhythmbox, spotify, xplayer, xviewer +Media: vlc, mpv, gnome-mplayer, audacity, rhythmbox, spotify, xplayer, xviewer, eom -Office: evince, gthumb, fbreader, pix, atril, xreader +Office: evince, gthumb, fbreader, pix, atril, xreader, Chat/messaging: qtox, gitter, pidgin @@ -152,5 +152,5 @@ Browsers: Palemoon ## New security profiles -Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi +Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom diff --git a/RELNOTES b/RELNOTES index 30672819c..be65b9fca 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -14,7 +14,7 @@ firejail (0.9.42~rc1) baseline; urgency=low * compile time support to disable global configuration file * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice * new profiles: pix, audacity, strings, xz, xzdec, gzip, cpio, less - * new profiles: Atom Beta, Atom, jitsi + * new profiles: Atom Beta, Atom, jitsi, eom -- netblue30 Thu, 21 Jul 2016 08:00:00 -0500 firejail (0.9.40) baseline; urgency=low diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 837ac1e4c..0f155351d 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -20,6 +20,7 @@ blacklist ${HOME}/.config/xreader blacklist ${HOME}/.config/xviewer blacklist ${HOME}/.config/libreoffice blacklist ${HOME}/.config/pix +blacklist ${HOME}/.config/mate/eom blacklist ${HOME}/.kde/share/apps/okular blacklist ${HOME}/.kde/share/config/okularrc blacklist ${HOME}/.kde/share/config/okularpartrc diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 3bbd93d3c..24884228e 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -129,3 +129,4 @@ /etc/firejail/atom-beta.profile /etc/firejail/atom.profile /etc/firejail/jitsi.profile +/etc/firejail/eom.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index ba975c4b4..5909ab4fe 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -98,6 +98,7 @@ totem vlc xplayer xviewer +eom # news readers quiterss -- cgit v1.2.3-70-g09d2 From 858b89146a57f7c3ba6e07ecf497621d1d01d4e0 Mon Sep 17 00:00:00 2001 From: Thomas Jarosch Date: Wed, 27 Jul 2016 22:19:01 +0200 Subject: disable-passwdmgr.inc: Don't leak keepassx config It contains the path to the last used database. --- etc/disable-passwdmgr.inc | 1 + 1 file changed, 1 insertion(+) (limited to 'etc') diff --git a/etc/disable-passwdmgr.inc b/etc/disable-passwdmgr.inc index c1e68d1ec..6db9073ab 100644 --- a/etc/disable-passwdmgr.inc +++ b/etc/disable-passwdmgr.inc 
@@ -3,4 +3,5 @@ blacklist ${HOME}/.lastpass blacklist ${HOME}/.keepassx blacklist ${HOME}/.password-store blacklist ${HOME}/keepassx.kdbx +blacklist ${HOME}/.config/keepassx -- cgit v1.2.3-70-g09d2 From e171eac90eb99b81a61a6850d7e8f4d4344c27c6 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 28 Jul 2016 08:21:21 -0400 Subject: fix cyberfox profile --- Makefile.in | 1 + README | 2 ++ etc/Cyberfox.profile | 3 +++ etc/cyberfox.profile | 5 ++--- platform/debian/conffiles | 1 + 5 files changed, 9 insertions(+), 3 deletions(-) create mode 100644 etc/Cyberfox.profile (limited to 'etc') diff --git a/Makefile.in b/Makefile.in index 0903e3b8d..3083ba19e 100644 --- a/Makefile.in +++ b/Makefile.in @@ -224,6 +224,7 @@ realinstall: install -c -m 0644 .etc/atom.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/jitsi.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/eom.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/Cyberfox.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/. rm -fr .etc diff --git a/README b/README index bbf138085..dc9d8a3b0 100644 --- a/README +++ b/README @@ -25,6 +25,8 @@ Reiner Herrmann (https://github.com/reinerh) - clang-analyzer fixes - Debian reproducible build - unit testing framework +Thomas Jarosch (https://github.com/thomasjfox) + - disable keepassx in disable-passwdmgr.inc Niklas Haas (https://github.com/haasn) - blacklisting for keybase.io's client Aleksey Manevich (https://github.com/manevich) diff --git a/etc/Cyberfox.profile b/etc/Cyberfox.profile new file mode 100644 index 000000000..1f74606ce --- /dev/null +++ b/etc/Cyberfox.profile @@ -0,0 +1,3 @@ +# Firejail profile for Cyberfox (based on Mozilla Firefox) + +include /etc/firejail/cyberfox.profile 
diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile index 0035b6be6..afa77d1d4 100644 --- a/etc/cyberfox.profile +++ b/etc/cyberfox.profile @@ -1,6 +1,6 @@ # Firejail profile for Cyberfox (based on Mozilla Firefox) -noblacklist ~/.8pecxstudios/cyberfox +noblacklist ~/.8pecxstudios noblacklist ~/.cache/8pecxstudios include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc @@ -19,8 +19,7 @@ mkdir ~/.8pecxstudios whitelist ~/.8pecxstudios mkdir ~/.cache mkdir ~/.cache/8pecxstudios -mkdir ~/.cache/8pecxstudios/cyberfox -whitelist ~/.cache/8pecxstudios/cyberfox +whitelist ~/.cache/8pecxstudios whitelist ~/dwhelper whitelist ~/.zotero whitelist ~/.vimperatorrc diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 24884228e..be302f833 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -94,6 +94,7 @@ /etc/firejail/google-play-music-desktop-player.profile /etc/firejail/quiterss.profile /etc/firejail/cyberfox.profile +/etc/firejail/Cyberfox.profile /etc/firejail/snap.profile /etc/firejail/xplayer.profile /etc/firejail/xreader.profile -- cgit v1.2.3-70-g09d2 From 3da7ed2d8b6a6cb85b9fd07906b0ad518d5ccc32 Mon Sep 17 00:00:00 2001 From: Thomas Jarosch Date: Thu, 28 Jul 2016 16:24:29 +0200 Subject: Add profile for uudeview uudeview might access unsafe email content, therefore restrict it as much as possible. In fact it's best to call firejail with a private home dir, too. --- Makefile.in | 1 + README | 1 + README.md | 2 +- RELNOTES | 2 +- etc/uudeview.profile | 13 +++++++++++++ platform/debian/conffiles | 1 + 6 files changed, 18 insertions(+), 2 deletions(-) create mode 100644 etc/uudeview.profile (limited to 'etc') diff --git a/Makefile.in b/Makefile.in index 3083ba19e..6c0e464e4 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -225,6 +225,7 @@ realinstall: install -c -m 0644 .etc/jitsi.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/eom.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/Cyberfox.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/uudeview.profile $(DESTDIR)/$(sysconfdir)/firejail/. sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/. rm -fr .etc diff --git a/README b/README index dc9d8a3b0..7b28226e4 100644 --- a/README +++ b/README @@ -27,6 +27,7 @@ Reiner Herrmann (https://github.com/reinerh) - unit testing framework Thomas Jarosch (https://github.com/thomasjfox) - disable keepassx in disable-passwdmgr.inc + - added uudeview profile Niklas Haas (https://github.com/haasn) - blacklisting for keybase.io's client Aleksey Manevich (https://github.com/manevich) diff --git a/README.md b/README.md index d1a41d1ca..26dc2c4e3 100644 --- a/README.md +++ b/README.md @@ -155,5 +155,5 @@ Browsers: Palemoon ## New security profiles -Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom +Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview diff --git a/RELNOTES b/RELNOTES index be65b9fca..4f1366108 100644 --- a/RELNOTES +++ b/RELNOTES @@ -14,7 +14,7 @@ firejail (0.9.42~rc1) baseline; urgency=low * compile time support to disable global configuration file * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice * new profiles: pix, audacity, strings, xz, xzdec, gzip, cpio, less - * new profiles: Atom Beta, Atom, jitsi, eom + * new profiles: Atom Beta, Atom, jitsi, eom, uudeview -- netblue30 Thu, 21 Jul 2016 08:00:00 -0500 firejail (0.9.40) baseline; urgency=low 
diff --git a/etc/uudeview.profile b/etc/uudeview.profile
new file mode 100644
index 000000000..8218ac959
--- /dev/null
+++ b/etc/uudeview.profile
@@ -0,0 +1,13 @@
+# uudeview profile
+# the default profile will disable root user, enable seccomp filter etc.
+include /etc/firejail/default.profile
+
+tracelog
+net none
+shell none
+private-bin uudeview
+private-dev
+private-tmp
+private-etc nonexisting_fakefile_for_empty_etc
+hostname uudeview
+nosound
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index be302f833..6e0f86473 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -131,3 +131,4 @@
 /etc/firejail/atom.profile
 /etc/firejail/jitsi.profile
 /etc/firejail/eom.profile
+/etc/firejail/uudeview.profile
-- cgit v1.2.3-70-g09d2
From 340a6b2eeb010367180e530af976810c9d762580 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Thu, 28 Jul 2016 10:54:05 -0400
Subject: added netfilter-default config option in /etc/firejail/firejail.config
---
 RELNOTES | 3 ++-
 etc/firejail.config | 7 +++++++
 etc/nolocal.net | 3 ++-
 src/firejail/checkcfg.c | 23 +++++++++++++++++++++++
 src/firejail/firejail.h | 1 +
 src/firejail/netfilter.c | 2 ++
 6 files changed, 37 insertions(+), 2 deletions(-)
(limited to 'etc')
diff --git a/RELNOTES b/RELNOTES
index be65b9fca..4a6ae81ed 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,4 +1,4 @@
-firejail (0.9.42~rc1) baseline; urgency=low
+firejail (0.9.42~rc2) baseline; urgency=low
  * deprecated --user option, please use "sudo -u username firejail" instead
  * --read-write option rework
  * allow symlinks in home directory for --whitelist option
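Review bot: `private-etc nonexisting_fakefile_for_empty_etc` depends on private-etc tolerating an entry that does not exist in /etc in order to end up with an empty /etc, and nothing in the profile records that intent; if a later release rejects missing entries, the sandbox will refuse to start with no hint as to why. A comment above the line, such as `# private-etc needs an argument; a non-existent name leaves /etc empty`, would make the trick explicit. The profile also includes default.profile, whose contents are not on this page, so which options it already sets cannot be checked here.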
@@ -12,6 +12,7 @@ firejail (0.9.42~rc1) baseline; urgency=low
  * seccomp filter updated
  * compile time and run time support to disable whitelists
  * compile time support to disable global configuration file
+ * added netfilter-default config option in /etc/firejail/firejail.config
  * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice
  * new profiles: pix, audacity, strings, xz, xzdec, gzip, cpio, less
  * new profiles: Atom Beta, Atom, jitsi, eom
diff --git a/etc/firejail.config b/etc/firejail.config
index 59bbd77a5..20c4d7a5f 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -27,6 +27,13 @@
 # --netfilter only to root user. Regular users are only allowed --net=none.
 # restricted-network no
+# Change default netfilter configuration. When using --netfilter option without
+# a file argument, the default filter is hardcoded (see man 1 firejail). This
+# configuration entry allows the user to change the default by specifying
+# a file containing the filter configuration. The filter file format is the
+# format of iptables-save and iptable-restore commands. Example:
+# netfilter-default /etc/iptables.iptables.rules
+
 # Enable or disable seccomp support, default enabled.
 # seccomp yes
diff --git a/etc/nolocal.net b/etc/nolocal.net
index 9c0c6e125..9fa785450 100644
--- a/etc/nolocal.net
+++ b/etc/nolocal.net
@@ -4,7 +4,8 @@
 :OUTPUT ACCEPT [0:0]
 ###################################################################
-# Client filter rejecting local network traffic, with the exception of DNS traffic
+# Client filter rejecting local network traffic, with the exception of
+# DNS traffic
 #
 # Usage:
 # firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 6636e7efe..6929988ae 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
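Review bot: The tool name in the new firejail.config comment is misspelled: `iptable-restore` should be `iptables-restore`, matching `iptables-save` on the same line, so the line reads `# format of iptables-save and iptables-restore commands. Example:`. It would also help to state that the file must exist when firejail starts, since the checkcfg.c change in this same commit exits with an error when `stat()` on the configured path fails.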
@@ -26,6 +26,7 @@ static int initialized = 0;
 static int cfg_val[CFG_MAX];
 char *xephyr_screen = "800x600";
 char *xephyr_extra_params = "";
+char *netfilter_default = NULL;
 int checkcfg(int val) {
 EUID_ASSERT();
@@ -159,6 +160,28 @@ int checkcfg(int val) {
 else
 goto errout;
 }
+ // netfilter
+ else if (strncmp(ptr, "netfilter-default ", 18) == 0) {
+ char *fname = ptr + 18;
+ while (*fname == ' ' || *fname == '\t')
+ ptr++;
+ char *end = strchr(fname, ' ');
+ if (end)
+ *end = '\0';
+
+ // is the file present?
+ struct stat s;
+ if (stat(fname, &s) == -1) {
+ fprintf(stderr, "Error: netfilter-default file %s not available\n", fname);
+ exit(1);
+ }
+
+ netfilter_default = strdup(fname);
+ if (!netfilter_default)
+ errExit("strdup");
+ if (arg_debug)
+ printf("netfilter default file %s\n", fname);
+ }
 // Xephyr screen size
 else if (strncmp(ptr, "xephyr-screen ", 14) == 0) {
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 29bb6c494..7a538327d 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -582,6 +582,7 @@ void sandboxfs(int op, pid_t pid, const char *patqh);
 #define CFG_MAX 11 // this should always be the last entry
 extern char *xephyr_screen;
 extern char *xephyr_extra_params;
+extern char *netfilter_default;
 int checkcfg(int val);
 // appimage.c
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index 71abfb53d..b50d61039 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -66,6 +66,8 @@ void netfilter(const char *fname) {
 // custom filter
 int allocated = 0;
+ if (netfilter_default)
+ fname = netfilter_default;
 if (fname) {
 // buffer the filter
 struct stat s;
-- cgit v1.2.3-70-g09d2
From d222f18b9e0556ecca90ca3883c0628427d18c14 Mon Sep 17 00:00:00 2001
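Review bot: The whitespace-skipping loop in the `netfilter-default` branch increments `ptr` while testing `*fname`, so a config line with more than one space (or a tab) after the keyword never terminates; it should read `while (*fname == ' ' || *fname == '\t') fname++;`. Cutting the value at the first space also silently truncates a path containing a space, and the truncated name is what `stat()` then validates, so the error message would not show what the user actually wrote. The rest of checkcfg() is outside the hunk.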
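Review bot: The new assignment replaces `fname` whenever `netfilter_default` is set, including when the caller passed an explicit filter file, while the firejail.config comment added in this same commit describes the option as changing only the default used when `--netfilter` has no file argument. Guarding it as `if (fname == NULL && netfilter_default) fname = netfilter_default;` would match that description; if overriding an explicit file is intended, the config comment should say so. The beginning of netfilter() is outside the hunk, so it is not visible here whether a NULL `fname` is already handled by the hardcoded default before this point; if it is, the configured value would never reach that path at all.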
From: Pig Monkey
Date: Fri, 29 Jul 2016 21:20:53 -0700
Subject: Allow BitlBee to write /var/lib/bitlbee
Bitlbee stores its configuration in /var/lib/bitlbee. It must be able to write to this directory in order to save config changes (adding accounts, writing OTR keys, etc).
---
 etc/bitlbee.profile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'etc')
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile
index 4666d2fe7..87d2e843a 100644
--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -11,4 +11,4 @@ private-dev
 protocol unix,inet,inet6
 seccomp
 nosound
-
+read-write /var/lib/bitlbee
-- cgit v1.2.3-70-g09d2
From c2046e3bfd6df89362b7cc564377c6326393d009 Mon Sep 17 00:00:00 2001
From: Al S
Date: Sat, 30 Jul 2016 13:47:27 +0300
Subject: Add new skypeforlinux profile.
Per recommendation of @netblue30, allow use of the netlink protocol in order for skypeforlinux to properly function in a firejail environment, per discussion in Github issue #656.
---
 etc/skypeforlinux.profile | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 etc/skypeforlinux.profile
(limited to 'etc')
diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile
new file mode 100644
index 000000000..a1d8487c8
--- /dev/null
+++ b/etc/skypeforlinux.profile
@@ -0,0 +1,12 @@
+# skypeforlinux profile
+noblacklist ${HOME}/.config/skypeforlinux
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
+caps.drop all
+netfilter
+noroot
+seccomp
+protocol unix,inet,inet6,netlink
-- cgit v1.2.3-70-g09d2
From 0657c20377d6f8d80f143e9c6a336601c8bbd2e2 Mon Sep 17 00:00:00 2001
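Review bot: The new skypeforlinux profile omits the hardening that the other profiles added in this series carry — `nonewprivs`, `nogroups`, `shell none` and `tracelog`, plus `include /etc/firejail/disable-passwdmgr.inc` and `include /etc/firejail/disable-programs.inc` (compare the jitsi, pidgin and eom profiles above). The `noblacklist ${HOME}/.config/skypeforlinux` line only has an effect if one of the included files blacklists that path; disable-programs.inc, where the other commits on this page add their per-application blacklists, is not included here, so the line looks like a no-op unless one of the other includes covers it. disable-mgmt.inc, disable-secret.inc and disable-terminals.inc are not used by any other profile on this page, so it is worth confirming they are still shipped.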
From: Reiner Herrmann Date: Sat, 30 Jul 2016 17:58:25 +0200 Subject: Allow recursive mkdir (Closes #305) --- etc/0ad.profile | 4 ---- etc/abrowser.profile | 2 -- etc/aweather.profile | 1 - etc/brave.profile | 1 - etc/cherrytree.profile | 2 -- etc/chromium.profile | 2 -- etc/cyberfox.profile | 1 - etc/dropbox.profile | 1 - etc/epiphany.profile | 4 ---- etc/firefox.profile | 2 -- etc/flashpeak-slimjet.profile | 2 -- etc/franz.profile | 2 -- etc/google-chrome-beta.profile | 2 -- etc/google-chrome-unstable.profile | 2 -- etc/google-chrome.profile | 2 -- etc/gpredict.profile | 1 - etc/hexchat.profile | 1 - etc/icedove.profile | 1 - etc/mupen64plus.profile | 3 --- etc/netsurf.profile | 2 -- etc/opera-beta.profile | 2 -- etc/opera.profile | 2 -- etc/palemoon.profile | 2 -- etc/polari.profile | 4 ---- etc/psi-plus.profile | 4 ---- etc/quiterss.profile | 3 --- etc/qutebrowser.profile | 1 - etc/seamonkey.profile | 3 --- etc/spotify.profile | 4 ---- etc/stellarium.profile | 1 - etc/thunderbird.profile | 1 - etc/uget-gtk.profile | 1 - etc/vivaldi.profile | 2 -- etc/wesnoth.profile | 4 ---- etc/whitelist-common.inc | 1 - src/firejail/fs_mkdir.c | 39 +++++++++++++++++++++++++++++++++----- src/man/firejail-profile.txt | 8 ++------ test/fs/fs.sh | 3 ++- test/fs/mkdir.exp | 20 +++++++++++++++++++ test/fs/mkdir.profile | 2 ++ 40 files changed, 60 insertions(+), 85 deletions(-) create mode 100755 test/fs/mkdir.exp create mode 100644 test/fs/mkdir.profile (limited to 'etc') diff --git a/etc/0ad.profile b/etc/0ad.profile index 11fb45463..217cdeee0 100644 --- a/etc/0ad.profile +++ b/etc/0ad.profile @@ -8,16 +8,12 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc # Whitelists -mkdir ~/.cache mkdir ~/.cache/0ad whitelist ~/.cache/0ad -mkdir ~/.config mkdir ~/.config/0ad whitelist ~/.config/0ad -mkdir ~/.local -mkdir ~/.local/share mkdir ~/.local/share/0ad whitelist ~/.local/share/0ad 
diff --git a/etc/abrowser.profile b/etc/abrowser.profile index 65247e7d3..4aa18aa90 100644 --- a/etc/abrowser.profile +++ b/etc/abrowser.profile @@ -17,8 +17,6 @@ tracelog whitelist ${DOWNLOADS} mkdir ~/.mozilla whitelist ~/.mozilla -mkdir ~/.cache -mkdir ~/.cache/mozilla mkdir ~/.cache/mozilla/abrowser whitelist ~/.cache/mozilla/abrowser whitelist ~/dwhelper diff --git a/etc/aweather.profile b/etc/aweather.profile index d617fb701..da93e8ba3 100644 --- a/etc/aweather.profile +++ b/etc/aweather.profile @@ -6,7 +6,6 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc # Whitelist -mkdir ~/.config mkdir ~/.config/aweather whitelist ~/.config/aweather diff --git a/etc/brave.profile b/etc/brave.profile index 4c42e9faa..4fc3a5bb0 100644 --- a/etc/brave.profile +++ b/etc/brave.profile @@ -14,6 +14,5 @@ seccomp whitelist ${DOWNLOADS} -mkdir ~/.config mkdir ~/.config/brave whitelist ~/.config/brave diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index 7b6238d98..76ee70679 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile @@ -7,10 +7,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc whitelist ${HOME}/cherrytree -mkdir ~/.config mkdir ~/.config/cherrytree whitelist ${HOME}/.config/cherrytree/ -mkdir ~/.local mkdir ~/.local/share whitelist ${HOME}/.local/share/ diff --git a/etc/chromium.profile b/etc/chromium.profile index 7cf2853ca..0d383aebf 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile @@ -11,10 +11,8 @@ include /etc/firejail/disable-programs.inc netfilter whitelist ${DOWNLOADS} -mkdir ~/.config mkdir ~/.config/chromium whitelist ~/.config/chromium -mkdir ~/.cache mkdir ~/.cache/chromium whitelist ~/.cache/chromium mkdir ~/.pki diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile index afa77d1d4..ae487fa3c 100644 --- a/etc/cyberfox.profile +++ b/etc/cyberfox.profile 
@@ -17,7 +17,6 @@ tracelog whitelist ${DOWNLOADS} mkdir ~/.8pecxstudios whitelist ~/.8pecxstudios -mkdir ~/.cache mkdir ~/.cache/8pecxstudios whitelist ~/.cache/8pecxstudios whitelist ~/dwhelper diff --git a/etc/dropbox.profile b/etc/dropbox.profile index 71e019f8c..40efd62b2 100644 --- a/etc/dropbox.profile +++ b/etc/dropbox.profile @@ -17,6 +17,5 @@ whitelist ~/.dropbox mkdir ~/.dropbox-dist whitelist ~/.dropbox-dist -mkdir ~/.config/autostart mkfile ~/.config/autostart/dropbox.desktop whitelist ~/.config/autostart/dropbox.desktop diff --git a/etc/epiphany.profile b/etc/epiphany.profile index 57191429a..0e898f02b 100644 --- a/etc/epiphany.profile +++ b/etc/epiphany.profile @@ -8,14 +8,10 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc whitelist ${DOWNLOADS} -mkdir ${HOME}/.local -mkdir ${HOME}/.local/share mkdir ${HOME}/.local/share/epiphany whitelist ${HOME}/.local/share/epiphany -mkdir ${HOME}/.config mkdir ${HOME}/.config/epiphany whitelist ${HOME}/.config/epiphany -mkdir ${HOME}/.cache mkdir ${HOME}/.cache/epiphany whitelist ${HOME}/.cache/epiphany include /etc/firejail/whitelist-common.inc diff --git a/etc/firefox.profile b/etc/firefox.profile index 2cc4d3cd8..170d0fe10 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile @@ -17,8 +17,6 @@ tracelog whitelist ${DOWNLOADS} mkdir ~/.mozilla whitelist ~/.mozilla -mkdir ~/.cache -mkdir ~/.cache/mozilla mkdir ~/.cache/mozilla/firefox whitelist ~/.cache/mozilla/firefox whitelist ~/dwhelper diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile index f248c385a..7e0eb486b 100644 --- a/etc/flashpeak-slimjet.profile +++ b/etc/flashpeak-slimjet.profile @@ -22,10 +22,8 @@ protocol unix,inet,inet6,netlink seccomp whitelist ${DOWNLOADS} -mkdir ~/.config mkdir ~/.config/slimjet whitelist ~/.config/slimjet -mkdir ~/.cache mkdir ~/.cache/slimjet whitelist ~/.cache/slimjet mkdir ~/.pki 
diff --git a/etc/franz.profile b/etc/franz.profile index fc4a665de..3cb7942ab 100644 --- a/etc/franz.profile +++ b/etc/franz.profile @@ -14,10 +14,8 @@ nonewprivs noroot whitelist ${DOWNLOADS} -mkdir ~/.config mkdir ~/.config/Franz whitelist ~/.config/Franz -mkdir ~/.cache mkdir ~/.cache/Franz whitelist ~/.cache/Franz mkdir ~/.pki diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile index 11f9f9e33..fe870274f 100644 --- a/etc/google-chrome-beta.profile +++ b/etc/google-chrome-beta.profile @@ -11,10 +11,8 @@ include /etc/firejail/disable-programs.inc netfilter whitelist ${DOWNLOADS} -mkdir ~/.config mkdir ~/.config/google-chrome-beta whitelist ~/.config/google-chrome-beta -mkdir ~/.cache mkdir ~/.cache/google-chrome-beta whitelist ~/.cache/google-chrome-beta mkdir ~/.pki diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile index f253e5a90..f6680ac2d 100644 --- a/etc/google-chrome-unstable.profile +++ b/etc/google-chrome-unstable.profile @@ -11,10 +11,8 @@ include /etc/firejail/disable-programs.inc netfilter whitelist ${DOWNLOADS} -mkdir ~/.config mkdir ~/.config/google-chrome-unstable whitelist ~/.config/google-chrome-unstable -mkdir ~/.cache mkdir ~/.cache/google-chrome-unstable whitelist ~/.cache/google-chrome-unstable mkdir ~/.pki diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile index 5e168aae5..a9fcebe73 100644 --- a/etc/google-chrome.profile +++ b/etc/google-chrome.profile @@ -11,10 +11,8 @@ include /etc/firejail/disable-programs.inc netfilter whitelist ${DOWNLOADS} -mkdir ~/.config mkdir ~/.config/google-chrome whitelist ~/.config/google-chrome -mkdir ~/.cache mkdir ~/.cache/google-chrome whitelist ~/.cache/google-chrome mkdir ~/.pki diff --git a/etc/gpredict.profile b/etc/gpredict.profile index 02bb4d24d..a8378a66e 100644 --- a/etc/gpredict.profile +++ b/etc/gpredict.profile 
@@ -6,7 +6,6 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc # Whitelist -mkdir ~/.config mkdir ~/.config/Gpredict whitelist ~/.config/Gpredict diff --git a/etc/hexchat.profile b/etc/hexchat.profile index 4e829c379..0d7ee6594 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile @@ -13,7 +13,6 @@ netfilter protocol unix,inet,inet6 seccomp -mkdir ~/.config mkdir ~/.config/hexchat whitelist ~/.config/hexchat include /etc/firejail/whitelist-common.inc diff --git a/etc/icedove.profile b/etc/icedove.profile index e9a63c8dd..23254751b 100644 --- a/etc/icedove.profile +++ b/etc/icedove.profile @@ -11,7 +11,6 @@ mkdir ~/.icedove whitelist ~/.icedove noblacklist ~/.cache/icedove -mkdir ~/.cache mkdir ~/.cache/icedove whitelist ~/.cache/icedove diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile index d4b442df8..acb13e6b9 100644 --- a/etc/mupen64plus.profile +++ b/etc/mupen64plus.profile @@ -8,11 +8,8 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc -mkdir ${HOME}/.local -mkdir ${HOME}/.local/share mkdir ${HOME}/.local/share/mupen64plus whitelist ${HOME}/.local/share/mupen64plus/ -mkdir ${HOME}/.config mkdir ${HOME}/.config/mupen64plus whitelist ${HOME}/.config/mupen64plus/ diff --git a/etc/netsurf.profile b/etc/netsurf.profile index 3de6be238..1ed2163c2 100644 --- a/etc/netsurf.profile +++ b/etc/netsurf.profile @@ -15,10 +15,8 @@ seccomp tracelog whitelist ${DOWNLOADS} -mkdir ~/.config mkdir ~/.config/netsurf whitelist ~/.config/netsurf -mkdir ~/.cache mkdir ~/.cache/netsurf whitelist ~/.cache/netsurf diff --git a/etc/opera-beta.profile b/etc/opera-beta.profile index 3d6edb286..12c91c744 100644 --- a/etc/opera-beta.profile +++ b/etc/opera-beta.profile 
@@ -8,10 +8,8 @@ include /etc/firejail/disable-devel.inc netfilter whitelist ${DOWNLOADS} -mkdir ~/.config mkdir ~/.config/opera-beta whitelist ~/.config/opera-beta -mkdir ~/.cache mkdir ~/.cache/opera-beta whitelist ~/.cache/opera-beta mkdir ~/.pki diff --git a/etc/opera.profile b/etc/opera.profile index ff00eb349..e0c89a195 100644 --- a/etc/opera.profile +++ b/etc/opera.profile @@ -9,10 +9,8 @@ include /etc/firejail/disable-devel.inc netfilter whitelist ${DOWNLOADS} -mkdir ~/.config mkdir ~/.config/opera whitelist ~/.config/opera -mkdir ~/.cache mkdir ~/.cache/opera whitelist ~/.cache/opera mkdir ~/.opera diff --git a/etc/palemoon.profile b/etc/palemoon.profile index 302c20d7d..acedaebb7 100644 --- a/etc/palemoon.profile +++ b/etc/palemoon.profile @@ -9,8 +9,6 @@ include /etc/firejail/whitelist-common.inc whitelist ${DOWNLOADS} mkdir ~/.moonchild productions whitelist ~/.moonchild productions -mkdir ~/.cache -mkdir ~/.cache/moonchild productions mkdir ~/.cache/moonchild productions/pale moon whitelist ~/.cache/moonchild productions/pale moon diff --git a/etc/polari.profile b/etc/polari.profile index 366883c83..ac9530c40 100644 --- a/etc/polari.profile +++ b/etc/polari.profile @@ -3,18 +3,14 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc -mkdir ${HOME}/.local -mkdir ${HOME}/.local/share/ mkdir ${HOME}/.local/share/Empathy whitelist ${HOME}/.local/share/Empathy mkdir ${HOME}/.local/share/telepathy whitelist ${HOME}/.local/share/telepathy mkdir ${HOME}/.local/share/TpLogger whitelist ${HOME}/.local/share/TpLogger -mkdir ${HOME}/.config mkdir ${HOME}/.config/telepathy-account-widgets whitelist ${HOME}/.config/telepathy-account-widgets -mkdir ${HOME}/.cache mkdir ${HOME}/.cache/telepathy whitelist ${HOME}/.cache/telepathy mkdir ${HOME}/.purple diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile index 9380237be..22c5bafc5 100644 --- a/etc/psi-plus.profile +++ b/etc/psi-plus.profile 
@@ -7,14 +7,10 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc whitelist ${DOWNLOADS} -mkdir ~/.config mkdir ~/.config/psi+ whitelist ~/.config/psi+ -mkdir ~/.local -mkdir ~/.local/share mkdir ~/.local/share/psi+ whitelist ~/.local/share/psi+ -mkdir ~/.cache mkdir ~/.cache/psi+ whitelist ~/.cache/psi+ diff --git a/etc/quiterss.profile b/etc/quiterss.profile index f2b9959f6..2ab5d8a8e 100644 --- a/etc/quiterss.profile +++ b/etc/quiterss.profile @@ -4,14 +4,11 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-devel.inc whitelist ${HOME}/quiterssfeeds.opml -mkdir ~/.config mkdir ~/.config/QuiteRss whitelist ${HOME}/.config/QuiteRss/ whitelist ${HOME}/.config/QuiteRssrc -mkdir ~/.local mkdir ~/.local/share whitelist ${HOME}/.local/share/ -mkdir ~/.cache mkdir ~/.cache/QuiteRss whitelist ${HOME}/.cache/QuiteRss diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile index b590f0ef1..0efb7b629 100644 --- a/etc/qutebrowser.profile +++ b/etc/qutebrowser.profile @@ -17,7 +17,6 @@ tracelog whitelist ${DOWNLOADS} mkdir ~/.config/qutebrowser whitelist ~/.config/qutebrowser -mkdir ~/.cache mkdir ~/.cache/qutebrowser whitelist ~/.cache/qutebrowser include /etc/firejail/whitelist-common.inc diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile index 9ce4164c1..b981d9516 100644 --- a/etc/seamonkey.profile +++ b/etc/seamonkey.profile @@ -14,11 +14,8 @@ seccomp tracelog whitelist ${DOWNLOADS} -mkdir ~/.mozilla mkdir ~/.mozilla/seamonkey whitelist ~/.mozilla/seamonkey -mkdir ~/.cache -mkdir ~/.cache/mozilla mkdir ~/.cache/mozilla/seamonkey whitelist ~/.cache/mozilla/seamonkey whitelist ~/dwhelper diff --git a/etc/spotify.profile b/etc/spotify.profile index ca575970b..6bcb99e0f 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile 
@@ -10,14 +10,10 @@ include /etc/firejail/disable-passwdmgr.inc # Whitelist the folders needed by Spotify - This is more restrictive # than a blacklist though, but this is all spotify requires for # streaming audio -mkdir ${HOME}/.config mkdir ${HOME}/.config/spotify whitelist ${HOME}/.config/spotify -mkdir ${HOME}/.local -mkdir ${HOME}/.local/share mkdir ${HOME}/.local/share/spotify whitelist ${HOME}/.local/share/spotify -mkdir ${HOME}/.cache mkdir ${HOME}/.cache/spotify whitelist ${HOME}/.cache/spotify include /etc/firejail/whitelist-common.inc diff --git a/etc/stellarium.profile b/etc/stellarium.profile index d0c1326b3..adefa75ff 100644 --- a/etc/stellarium.profile +++ b/etc/stellarium.profile @@ -9,7 +9,6 @@ include /etc/firejail/disable-programs.inc # Whitelist mkdir ~/.stellarium whitelist ~/.stellarium -mkdir ~/.config mkdir ~/.config/stellarium whitelist ~/.config/stellarium diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile index 7882367b9..5db50da4d 100644 --- a/etc/thunderbird.profile +++ b/etc/thunderbird.profile @@ -11,7 +11,6 @@ mkdir ~/.thunderbird whitelist ~/.thunderbird noblacklist ~/.cache/thunderbird -mkdir ~/.cache mkdir ~/.cache/thunderbird whitelist ~/.cache/thunderbird diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile index 269f8f0fd..522b4bd1e 100644 --- a/etc/uget-gtk.profile +++ b/etc/uget-gtk.profile @@ -13,7 +13,6 @@ protocol unix,inet,inet6 seccomp whitelist ${DOWNLOADS} -mkdir ~/.config mkdir ~/.config/uGet whitelist ~/.config/uGet include /etc/firejail/whitelist-common.inc diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile index 2049d2bd9..3c608dccb 100644 --- a/etc/vivaldi.profile +++ b/etc/vivaldi.profile @@ -9,10 +9,8 @@ netfilter nonewprivs whitelist ${DOWNLOADS} -mkdir ~/.config mkdir ~/.config/vivaldi whitelist ~/.config/vivaldi -mkdir ~/.cache mkdir ~/.cache/vivaldi whitelist ~/.cache/vivaldi include /etc/firejail/whitelist-common.inc 
diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile index cd0c6406f..2ddb59d11 100644 --- a/etc/wesnoth.profile +++ b/etc/wesnoth.profile @@ -18,12 +18,8 @@ private-dev whitelist /tmp/.X11-unix -mkdir ${HOME}/.local -mkdir ${HOME}/.local/share mkdir ${HOME}/.local/share/wesnoth -mkdir ${HOME}/.config mkdir ${HOME}/.config/wesnoth -mkdir ${HOME}/.cache mkdir ${HOME}/.cache/wesnoth whitelist ${HOME}/.local/share/wesnoth whitelist ${HOME}/.config/wesnoth diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc index b3a1a1d30..2317133c5 100644 --- a/etc/whitelist-common.inc +++ b/etc/whitelist-common.inc @@ -24,6 +24,5 @@ whitelist ~/.config/gtk-3.0 whitelist ~/.themes # dconf -mkdir ~/.config mkdir ~/.config/dconf whitelist ~/.config/dconf diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c index 50bcc613b..5bc2df2cc 100644 --- a/src/firejail/fs_mkdir.c +++ b/src/firejail/fs_mkdir.c @@ -22,8 +22,38 @@ #include #include #include - #include - +#include +#include + +static void mkdir_recursive(char *path) { + char *subdir = NULL; + struct stat s; + + if (chdir("/")) { + fprintf(stderr, "Error: can't chdir to /"); + return; + } + + subdir = strtok(path, "/"); + while(subdir) { + if (stat(subdir, &s) == -1) { + if (mkdir(subdir, 0700) == -1) { + fprintf(stderr, "Warning: cannot create %s directory\n", subdir); + return; + } + } else if (!S_ISDIR(s.st_mode)) { + fprintf(stderr, "Warning: '%s' exists, but is no directory\n", subdir); + return; + } + if (chdir(subdir)) { + fprintf(stderr, "Error: can't chdir to %s", subdir); + return; + } + + subdir = strtok(NULL, "/"); + } +} + void fs_mkdir(const char *name) { EUID_ASSERT(); @@ -50,8 +80,7 @@ void fs_mkdir(const char *name) { drop_privs(0); // create directory - if (mkdir(expanded, 0700) == -1) - fprintf(stderr, "Warning: cannot create %s directory\n", expanded); + mkdir_recursive(expanded); exit(0); } // wait for the child to finish 
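Review bot: Both chdir failure messages in `mkdir_recursive` lack a trailing newline — `fprintf(stderr, "Error: can't chdir to /");` and `fprintf(stderr, "Error: can't chdir to %s", subdir);` — while the Warning messages in the same loop end in `\n`, so whatever is printed next on stderr is glued onto them; add the `\n` to both. The existence check is `stat()`, which follows symlinks, so a final path component that is a symlink to a directory now passes `S_ISDIR` and is entered by `chdir()`, where the replaced `mkdir(expanded, 0700)` failed with EEXIST on it; `lstat()` would restore that refusal but would also reject symlinked intermediate components that the old `mkdir()` followed, so this should be a deliberate choice rather than a side effect of the rewrite. The second hunk shows the call happens in the forked child after `drop_privs(0)` and immediately before `exit(0)`, which is what makes the `chdir("/")`-and-walk approach and the in-place `strtok()` mutation of `path` acceptable; that precondition deserves a comment on the function, e.g. `// Creates PATH component by component starting at /, mode 0700 each. Mutates PATH (strtok) and leaves the cwd changed: call only from a child that exits.` The enclosing `fs_mkdir` body continues outside the hunk.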
@@ -101,4 +130,4 @@ void fs_mkfile(const char *name) { doexit: free(expanded); -} \ No newline at end of file +} diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 504842a9e..7e33a6b45 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -136,7 +136,7 @@ The directory is created if it doesn't already exist. .br Use this command for whitelisted directories you need to preserve when the sandbox is closed. Without it, the application will create the directory, and the directory -will be deleted when the sandbox is closed. Subdirectories also need to be created using mkdir. Example from +will be deleted when the sandbox is closed. Subdirectories are recursively created. Example from firefox profile: .br @@ -145,17 +145,13 @@ mkdir ~/.mozilla .br whitelist ~/.mozilla .br -mkdir ~/.cache -.br -mkdir ~/.cache/mozilla -.br mkdir ~/.cache/mozilla/firefox .br whitelist ~/.cache/mozilla/firefox .TP \fBmkfile file Similar to mkdir, this command creates a file in user home before the sandbox is started. -The file is created if it doesn't already exist. +The file is created if it doesn't already exist, but it's target directory has to exist. .TP \fBnoexec file_or_directory Remount the file or the directory noexec, nodev and nosuid. diff --git a/test/fs/fs.sh b/test/fs/fs.sh index 08888020c..00e6e29c2 100755 --- a/test/fs/fs.sh +++ b/test/fs/fs.sh @@ -51,5 +51,6 @@ echo "TESTING: blacklist glob (test/fs/option_blacklist_glob.exp)" echo "TESTING: bind as user (test/fs/option_bind_user.exp)" ./option_bind_user.exp - +echo "TESTING: recursive mkdir (test/fs/mkdir.exp)" +./mkdir.exp diff --git a/test/fs/mkdir.exp b/test/fs/mkdir.exp new file mode 100755 index 000000000..111db06db --- /dev/null +++ b/test/fs/mkdir.exp 
@@ -0,0 +1,20 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2016 Firejail Authors +# License GPL v2 + +set timeout 3 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --profile=mkdir.profile find ~/.firejail_test\r" +expect { + timeout {puts "TESTING ERROR 1.1\n";exit} + "Warning: cannot create" { puts "TESTING ERROR 1.2\n";exit} + "No such file or directory" { puts "TESTING ERROR 1.3\n";exit} + ".firejail_test/a/b/c/d.txt" +} +send -- "rm -rf ~/.firejail_test\r" +after 100 + +puts "\nall done\n" diff --git a/test/fs/mkdir.profile b/test/fs/mkdir.profile new file mode 100644 index 000000000..61b44c9ac --- /dev/null +++ b/test/fs/mkdir.profile @@ -0,0 +1,2 @@ +mkdir ~/.firejail_test/a/b/c +mkfile ~/.firejail_test/a/b/c/d.txt -- cgit v1.2.3-70-g09d2 From 2d60937932a44ed5dfe3afecdae846386275a25a Mon Sep 17 00:00:00 2001 From: Thomas Jarosch Date: Sat, 30 Jul 2016 23:10:50 +0200 Subject: Add profiles for tar (gtar), unzip and unrar I've tested compression and uncompression of various tar formats and also straced unzip/unrar regarding their file access in /etc. -> should be fine. If you want to unpack files in /usr/bin, then use the --ignore=private-bin switch. Same for /etc: --ignore=private-etc --- Makefile.in | 4 ++++ README | 1 + README.md | 1 + etc/gtar.profile | 1 + etc/tar.profile | 13 +++++++++++++ etc/unrar.profile | 11 +++++++++++ etc/unzip.profile | 11 +++++++++++ platform/debian/conffiles | 4 ++++ 8 files changed, 46 insertions(+) create mode 100644 etc/gtar.profile create mode 100644 etc/tar.profile create mode 100644 etc/unrar.profile create mode 100644 etc/unzip.profile (limited to 'etc') diff --git a/Makefile.in b/Makefile.in index 44833021e..50210fcd9 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -144,6 +144,7 @@ realinstall: install -c -m 0644 .etc/google-chrome.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/google-play-music-desktop-player.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/gpredict.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/gtar.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/gthumb.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/gwenview.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/gzip.profile $(DESTDIR)/$(sysconfdir)/firejail/. @@ -201,6 +202,7 @@ realinstall: install -c -m 0644 .etc/steam.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/stellarium.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/strings.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/tar.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/telegram.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/thunderbird.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/totem.profile $(DESTDIR)/$(sysconfdir)/firejail/. @@ -208,6 +210,8 @@ realinstall: install -c -m 0644 .etc/transmission-qt.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/uget-gtk.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/unbound.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/unrar.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/unzip.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/uudeview.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/vivaldi-beta.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/vivaldi.profile $(DESTDIR)/$(sysconfdir)/firejail/. diff --git a/README b/README index 200a7ef72..76c0ed30d 100644 --- a/README +++ b/README 
@@ -34,6 +34,7 @@ Peter Hogg (https://github.com/pigmonkey) Thomas Jarosch (https://github.com/thomasjfox) - disable keepassx in disable-passwdmgr.inc - added uudeview profile + - added tar (gtar), unzip and unrar profile - improved profile list Niklas Haas (https://github.com/haasn) - blacklisting for keybase.io's client diff --git a/README.md b/README.md index 26dc2c4e3..faa647125 100644 --- a/README.md +++ b/README.md @@ -156,4 +156,5 @@ Browsers: Palemoon ## New security profiles Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview +tar (gtar), unzip, unrar diff --git a/etc/gtar.profile b/etc/gtar.profile new file mode 100644 index 000000000..5dbc550f6 --- /dev/null +++ b/etc/gtar.profile @@ -0,0 +1 @@ +include /etc/firejail/tar.profile diff --git a/etc/tar.profile b/etc/tar.profile new file mode 100644 index 000000000..4ce3e59f0 --- /dev/null +++ b/etc/tar.profile @@ -0,0 +1,13 @@ +# tar profile +include /etc/firejail/default.profile + +tracelog +net none +shell none + +# support compressed archives +private-bin tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop +private-dev +private-etc passwd,group,localtime +hostname tar +nosound diff --git a/etc/unrar.profile b/etc/unrar.profile new file mode 100644 index 000000000..ccd144699 --- /dev/null +++ b/etc/unrar.profile @@ -0,0 +1,11 @@ +# unrar profile +include /etc/firejail/default.profile + +tracelog +net none +shell none +private-bin unrar +private-dev +private-etc passwd,group,localtime +hostname unrar +nosound diff --git a/etc/unzip.profile b/etc/unzip.profile new file mode 100644 index 000000000..d4862004c --- /dev/null +++ b/etc/unzip.profile @@ -0,0 +1,11 @@ +# unzip profile +include /etc/firejail/default.profile + +tracelog +net none +shell none +private-bin unzip +private-dev +private-etc passwd,group,localtime +hostname unzip +nosound 
diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 5367edfe5..d302c5732 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -50,6 +50,7 @@ /etc/firejail/google-chrome.profile /etc/firejail/google-play-music-desktop-player.profile /etc/firejail/gpredict.profile +/etc/firejail/gtar.profile /etc/firejail/gthumb.profile /etc/firejail/gwenview.profile /etc/firejail/gzip.profile @@ -108,6 +109,7 @@ /etc/firejail/steam.profile /etc/firejail/stellarium.profile /etc/firejail/strings.profile +/etc/firejail/tar.profile /etc/firejail/telegram.profile /etc/firejail/thunderbird.profile /etc/firejail/totem.profile @@ -115,6 +117,8 @@ /etc/firejail/transmission-qt.profile /etc/firejail/uget-gtk.profile /etc/firejail/unbound.profile +/etc/firejail/unrar.profile +/etc/firejail/unzip.profile /etc/firejail/uudeview.profile /etc/firejail/vivaldi-beta.profile /etc/firejail/vivaldi.profile -- cgit v1.2.3-70-g09d2 From f72ac8eab33b4c923d75e010545721cc8fe552ce Mon Sep 17 00:00:00 2001 From: Thomas Jarosch Date: Sun, 31 Jul 2016 00:22:46 +0200 Subject: Add file.profile --- Makefile.in | 1 + README | 1 + README.md | 2 +- RELNOTES | 1 + etc/file.profile | 11 +++++++++++ platform/debian/conffiles | 1 + 6 files changed, 16 insertions(+), 1 deletion(-) create mode 100644 etc/file.profile (limited to 'etc') diff --git a/Makefile.in b/Makefile.in index 50210fcd9..6837d59cd 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -131,6 +131,7 @@ realinstall: install -c -m 0644 .etc/epiphany.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/evince.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/fbreader.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/file.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/filezilla.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/firefox-esr.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/firefox.profile $(DESTDIR)/$(sysconfdir)/firejail/. diff --git a/README b/README index 76c0ed30d..9e2073e66 100644 --- a/README +++ b/README @@ -35,6 +35,7 @@ Thomas Jarosch (https://github.com/thomasjfox) - disable keepassx in disable-passwdmgr.inc - added uudeview profile - added tar (gtar), unzip and unrar profile + - added file profile - improved profile list Niklas Haas (https://github.com/haasn) - blacklisting for keybase.io's client diff --git a/README.md b/README.md index faa647125..b186db8db 100644 --- a/README.md +++ b/README.md @@ -156,5 +156,5 @@ Browsers: Palemoon ## New security profiles Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview -tar (gtar), unzip, unrar +tar (gtar), unzip, unrar, file diff --git a/RELNOTES b/RELNOTES index e37e24778..4d7f67bda 100644 --- a/RELNOTES +++ b/RELNOTES @@ -16,6 +16,7 @@ firejail (0.9.42~rc2) baseline; urgency=low * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice * new profiles: pix, audacity, strings, xz, xzdec, gzip, cpio, less * new profiles: Atom Beta, Atom, jitsi, eom, uudeview + * new profiles: tar (gtar), unzip, unrar, file -- netblue30 Thu, 21 Jul 2016 08:00:00 -0500 firejail (0.9.40) baseline; urgency=low diff --git a/etc/file.profile b/etc/file.profile new file mode 100644 index 000000000..357576040 --- /dev/null +++ b/etc/file.profile 
@@ -0,0 +1,11 @@ +# file profile +include /etc/firejail/default.profile + +tracelog +net none +shell none +private-bin file +private-dev +private-etc magic.mgc,magic,localtime +hostname file +nosound diff --git a/platform/debian/conffiles b/platform/debian/conffiles index d302c5732..76ca9d44e 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -36,6 +36,7 @@ /etc/firejail/epiphany.profile /etc/firejail/evince.profile /etc/firejail/fbreader.profile +/etc/firejail/file.profile /etc/firejail/filezilla.profile /etc/firejail/firefox-esr.profile /etc/firejail/firefox.profile -- cgit v1.2.3-70-g09d2 From 59cd5a6b6bb90d316d7f628fd6fc2df9ff2b17ab Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 31 Jul 2016 10:06:41 -0400 Subject: cleanup and some new tests --- README | 5 +++++ RELNOTES | 1 + etc/file.profile | 1 + etc/tar.profile | 1 + etc/unrar.profile | 1 + etc/unzip.profile | 1 + src/firejail/cmdline.c | 10 +++++----- src/firejail/firejail.h | 3 +++ src/firejail/fs_bin.c | 2 +- src/firejail/main.c | 5 +++++ test/sysutils/file.exp | 16 ++++++++++++++++ test/sysutils/sysutils.sh | 18 ++++++++++++++++++ test/sysutils/tar.exp | 35 +++++++++++++++++++++++++++++++++++ todo | 6 +++++- 14 files changed, 98 insertions(+), 7 deletions(-) create mode 100755 test/sysutils/file.exp create mode 100755 test/sysutils/tar.exp (limited to 'etc') diff --git a/README b/README index 58503d0c7..4e610cb4a 100644 --- a/README +++ b/README @@ -25,6 +25,9 @@ Reiner Herrmann (https://github.com/reinerh) - clang-analyzer fixes - Debian reproducible build - unit testing framework + - moved build to .xz + - detached signatures for source archive + - recursive mkdir xee5ch (https://github.com/xee5ch) - skypeforlinux profile Peter Hogg (https://github.com/pigmonkey) 
@@ -39,6 +42,7 @@ Thomas Jarosch (https://github.com/thomasjfox) - improved profile list - fixed small variable glitch in stat64() / lstat64() (libtracelog) - added lstat() / lstat64() support to libtrace + - include mkuid.sh in make dist Niklas Haas (https://github.com/haasn) - blacklisting for keybase.io's client Aleksey Manevich (https://github.com/manevich) @@ -48,6 +52,7 @@ Aleksey Manevich (https://github.com/manevich) - fix double quotes/single quotes problem - big rework of argument processing subsystem - --join fixes + - spliting up cmdline.c Fred-Barclay (https://github.com/Fred-Barclay) - added Vivaldi, Atril profiles - added PaleMoon profile diff --git a/RELNOTES b/RELNOTES index 4d7f67bda..1746e03a1 100644 --- a/RELNOTES +++ b/RELNOTES @@ -9,6 +9,7 @@ firejail (0.9.42~rc2) baseline; urgency=low * Ubuntu snap support * include /dev/snd in --private-dev * added mkfile profile command + * recursive mkdir * seccomp filter updated * compile time and run time support to disable whitelists * compile time support to disable global configuration file diff --git a/etc/file.profile b/etc/file.profile index 357576040..1569b42c7 100644 --- a/etc/file.profile +++ b/etc/file.profile @@ -1,4 +1,5 @@ # file profile +ignore noroot include /etc/firejail/default.profile tracelog diff --git a/etc/tar.profile b/etc/tar.profile index 4ce3e59f0..769a3cd4e 100644 --- a/etc/tar.profile +++ b/etc/tar.profile @@ -1,4 +1,5 @@ # tar profile +ignore noroot include /etc/firejail/default.profile tracelog diff --git a/etc/unrar.profile b/etc/unrar.profile index ccd144699..74079e7b9 100644 --- a/etc/unrar.profile +++ b/etc/unrar.profile @@ -1,4 +1,5 @@ # unrar profile +ignore noroot include /etc/firejail/default.profile tracelog diff --git a/etc/unzip.profile b/etc/unzip.profile index d4862004c..502839b98 100644 --- a/etc/unzip.profile +++ b/etc/unzip.profile @@ -1,4 +1,5 @@ # unzip profile +ignore noroot include /etc/firejail/default.profile tracelog 
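Review bot: `ignore noroot` is added to file.profile, and the same line to tar.profile, unrar.profile and unzip.profile in this commit, without recording why the noroot restriction inherited from default.profile has to be dropped for these tools; the README and RELNOTES hunks of the same commit do not mention it either. A comment next to it, such as `# noroot disabled: <reason>`, would make the weakening visible to anyone auditing the profile and tell the next maintainer when it can be re-enabled. If the reason is a breakage of one specific operation, naming that operation in the comment is enough.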
diff --git a/src/firejail/cmdline.c b/src/firejail/cmdline.c index 517124d9e..48cbaffb7 100644 --- a/src/firejail/cmdline.c +++ b/src/firejail/cmdline.c @@ -27,9 +27,9 @@ #include int cmdline_length(int argc, char **argv, int index) { - int i,j; + unsigned i,j; int len = 0; - int argcnt = argc - index; + unsigned argcnt = argc - index; bool in_quotes = false; for (i = 0; i < argcnt; i++) { @@ -63,8 +63,8 @@ int cmdline_length(int argc, char **argv, int index) { } void quote_cmdline(char *command_line, char *window_title, int len, int argc, char **argv, int index) { - int i,j; - int argcnt = argc - index; + unsigned i,j; + unsigned argcnt = argc - index; bool in_quotes = false; char *ptr1 = command_line; char *ptr2 = window_title; @@ -127,7 +127,7 @@ void quote_cmdline(char *command_line, char *window_title, int len, int argc, ch ptr2 += strlen(ptr2); } - assert(len == strlen(command_line)); + assert((unsigned) len == strlen(command_line)); } void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index) { diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 7a538327d..1546dc403 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -590,5 +590,8 @@ void appimage_set(const char *appimage_path); void appimage_clear(void); const char *appimage_getdir(void); +// cmdline.c +void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index); + #endif diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index ac731c246..dca66888c 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c @@ -136,7 +136,7 @@ void fs_check_bin_list(void) { ptr = strrchr(newlist, ','); assert(ptr); *ptr = '\0'; - if (notfound) + if (notfound && !arg_quiet) fprintf(stderr, "Warning: not all executables from --private-bin list were found. The current list is %s\n", newlist); cfg.bin_private_keep = newlist; diff --git a/src/firejail/main.c b/src/firejail/main.c index e86d78ff1..d5ac7ad1d 100644 
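Review bot: Changing the count to `unsigned argcnt = argc - index;` in both `cmdline_length` and `quote_cmdline` turns any `index > argc` into a huge value, and the `for (i = 0; i < argcnt; i++)` loop visible as context in the first hunk would then walk past the end of `argv`, whereas the old `int` count simply skipped the loop when negative; the corresponding loop in `quote_cmdline` is outside its hunk, and both function bodies continue past the hunks shown. Whether a caller can pass such an index is not visible here, but an `assert(index <= argc);` before the subtraction (assert is already used in this file, see the third hunk) would make the assumption explicit at no cost. If the motivation was a signed/unsigned comparison warning, casting only the compared operand, as the hunk itself does with `assert((unsigned) len == strlen(command_line));`, avoids changing the loop bound's type at all.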
--- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -704,6 +704,11 @@ static void detect_quiet(int argc, char **argv) { "gzip", "xz", "xzdec", + "file", + "gtar", + "tar", + "unrar", + "unzip", NULL }; diff --git a/test/sysutils/file.exp b/test/sysutils/file.exp new file mode 100755 index 000000000..e40b83197 --- /dev/null +++ b/test/sysutils/file.exp @@ -0,0 +1,16 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail file ~/.bashrc\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "ASCII text" +} + +puts "\nall done\n" diff --git a/test/sysutils/sysutils.sh b/test/sysutils/sysutils.sh index d75738f97..315b73c9d 100755 --- a/test/sysutils/sysutils.sh +++ b/test/sysutils/sysutils.sh @@ -60,3 +60,21 @@ else echo "TESTING SKIP: less not found" fi +which file +if [ "$?" -eq 0 ]; +then + echo "TESTING: file" + ./file.exp +else + echo "TESTING SKIP: file not found" +fi + +which tar +if [ "$?" -eq 0 ]; +then + echo "TESTING: tar" + ./tar.exp +else + echo "TESTING SKIP: tar not found" +fi + diff --git a/test/sysutils/tar.exp b/test/sysutils/tar.exp new file mode 100755 index 000000000..af569f5ac --- /dev/null +++ b/test/sysutils/tar.exp 
@@ -0,0 +1,35 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail /bin/tar -cjvf firejail_t2 /usr/share/doc/firejail\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "/usr/share/doc/firejail/README" +} +after 100 + +send -- "firejail /bin/tar --compare --file=firejail_t2 -C / | wc\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + " 0 0 0" +} +sleep 1 +send -- "/bin/tar --compare --file=firejail_t2 -C / | wc\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + " 0 0 0" +} +sleep 1 + + +send -- "rm firejail_t*\r" +sleep 1 + + +puts "\nall done\n" diff --git a/todo b/todo index 97632fa9c..009f9fe99 100644 --- a/todo +++ b/todo @@ -250,10 +250,14 @@ References 23. AppArmor +$ sudo apt-get install apparmor apparmor-profiles apparmor-utils apparmor-notify + $ sudo perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub $ sudo update-grub $ sudo reboot -$ ps auxZ | grep -v '^unconfined' +If you are using auditd, start aa-notify to get notification whenever a program causes a DENIED message. +$ sudo aa-notify -p -f /var/log/audit/audit.log + -- cgit v1.2.3-70-g09d2 From f5f26e4a4b8b9890a1828d6b4501c64527f60217 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 31 Jul 2016 10:40:49 -0400 Subject: integrate skypeforlinux profile --- Makefile.in | 1 + README.md | 2 +- RELNOTES | 2 +- etc/disable-programs.inc | 1 + etc/skypeforlinux.profile | 7 +++---- platform/debian/conffiles | 1 + 6 files changed, 8 insertions(+), 6 deletions(-) (limited to 'etc') diff --git a/Makefile.in b/Makefile.in index 405087433..98ecbd252 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -196,6 +196,7 @@ realinstall: install -c -m 0644 .etc/seamonkey.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/server.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/skype.profile $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/skypeforlinux.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/snap.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/soffice.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/spotify.profile $(DESTDIR)/$(sysconfdir)/firejail/. diff --git a/README.md b/README.md index b186db8db..17c7a89de 100644 --- a/README.md +++ b/README.md @@ -156,5 +156,5 @@ Browsers: Palemoon ## New security profiles Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview -tar (gtar), unzip, unrar, file +tar (gtar), unzip, unrar, file, skypeforlinux diff --git a/RELNOTES b/RELNOTES index 1746e03a1..a4fc92671 100644 --- a/RELNOTES +++ b/RELNOTES @@ -17,7 +17,7 @@ firejail (0.9.42~rc2) baseline; urgency=low * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice * new profiles: pix, audacity, strings, xz, xzdec, gzip, cpio, less * new profiles: Atom Beta, Atom, jitsi, eom, uudeview - * new profiles: tar (gtar), unzip, unrar, file + * new profiles: tar (gtar), unzip, unrar, file, skypeforlinux -- netblue30 Thu, 21 Jul 2016 08:00:00 -0500 firejail (0.9.40) baseline; urgency=low diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 0f155351d..ed7710728 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -71,6 +71,7 @@ blacklist ${HOME}/.retroshare blacklist ${HOME}/.weechat blacklist ${HOME}/.config/xchat blacklist ${HOME}/.Skype +blacklist ${HOME}/.config/skypeforlinux blacklist ${HOME}/.config/tox blacklist ${HOME}/.TelegramDesktop blacklist ${HOME}/.config/Gitter 
diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile index a1d8487c8..3f0a274f9 100644 --- a/etc/skypeforlinux.profile +++ b/etc/skypeforlinux.profile @@ -1,10 +1,9 @@ # skypeforlinux profile noblacklist ${HOME}/.config/skypeforlinux -include /etc/firejail/disable-mgmt.inc -include /etc/firejail/disable-secret.inc include /etc/firejail/disable-common.inc -include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-terminals.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + caps.drop all netfilter noroot diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 76ca9d44e..c8eda3cb4 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -103,6 +103,7 @@ /etc/firejail/seamonkey.profile /etc/firejail/server.profile /etc/firejail/skype.profile +/etc/firejail/skypeforlinux.profile /etc/firejail/snap.profile /etc/firejail/soffice.profile /etc/firejail/spotify.profile -- cgit v1.2.3-70-g09d2 From 19a9166bd3f8ac58acc5b3cbe04d72d79d82c881 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 1 Aug 2016 09:55:12 -0400 Subject: added quiet profile command --- RELNOTES | 1 + etc/cpio.profile | 2 +- etc/file.profile | 1 + etc/gtar.profile | 2 ++ etc/gzip.profile | 2 ++ etc/less.profile | 2 ++ etc/strings.profile | 2 ++ etc/tar.profile | 1 + etc/unrar.profile | 1 + etc/unzip.profile | 1 + etc/uudeview.profile | 2 ++ etc/xz.profile | 1 + etc/xzdec.profile | 2 ++ src/firejail/main.c | 35 ----------------------------------- src/firejail/profile.c | 14 ++++++++++++-- src/man/firejail-profile.txt | 8 +++++++- 16 files changed, 38 insertions(+), 39 deletions(-) (limited to 'etc') diff --git a/RELNOTES b/RELNOTES index a4fc92671..3bdd21caa 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -9,6 +9,7 @@ firejail (0.9.42~rc2) baseline; urgency=low * Ubuntu snap support * include /dev/snd in --private-dev * added mkfile profile command + * added quiet profile command * recursive mkdir * seccomp filter updated * compile time and run time support to disable whitelists diff --git a/etc/cpio.profile b/etc/cpio.profile index b4d232496..5772c7368 100644 --- a/etc/cpio.profile +++ b/etc/cpio.profile @@ -1,7 +1,7 @@ # cpio profile # /sbin and /usr/sbin are visible inside the sandbox # /boot is not visible and /var is heavily modified - +quiet noblacklist /sbin noblacklist /usr/sbin include /etc/firejail/disable-common.inc diff --git a/etc/file.profile b/etc/file.profile index 1569b42c7..c2d7b0b0f 100644 --- a/etc/file.profile +++ b/etc/file.profile @@ -1,4 +1,5 @@ # file profile +quiet ignore noroot include /etc/firejail/default.profile diff --git a/etc/gtar.profile b/etc/gtar.profile index 5dbc550f6..2f675cd9d 100644 --- a/etc/gtar.profile +++ b/etc/gtar.profile @@ -1 +1,3 @@ +# gtar profile +quiet include /etc/firejail/tar.profile diff --git a/etc/gzip.profile b/etc/gzip.profile index cc19e7608..ce4aa3c4b 100644 --- a/etc/gzip.profile +++ b/etc/gzip.profile @@ -1,4 +1,6 @@ # gzip profile +quiet +ignore noroot include /etc/firejail/default.profile tracelog net none diff --git a/etc/less.profile b/etc/less.profile index 0c43111d7..802e4196d 100644 --- a/etc/less.profile +++ b/etc/less.profile @@ -1,4 +1,6 @@ # less profile +quiet +ignore noroot include /etc/firejail/default.profile tracelog net none diff --git a/etc/strings.profile b/etc/strings.profile index 881edf4ad..6ebe81d09 100644 --- a/etc/strings.profile +++ b/etc/strings.profile @@ -1,4 +1,6 @@ # strings profile +quiet +ignore noroot include /etc/firejail/default.profile tracelog net none diff --git a/etc/tar.profile b/etc/tar.profile index 769a3cd4e..6daa7396a 100644 --- a/etc/tar.profile +++ b/etc/tar.profile @@ -1,4 +1,5 @@ # tar profile +quiet ignore noroot include /etc/firejail/default.profile 
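Review bot: `ignore noroot` is added to gzip.profile (and, in the sibling hunks, to less, strings, uudeview and xzdec) under a commit whose subject and RELNOTES entry only mention the new `quiet` keyword; it discards the `noroot` option inherited from `include /etc/firejail/default.profile`, so these sandboxes lose the user namespace that removes the root user. tar, unzip and unrar already carry `ignore noroot` as context in the neighbouring hunks, so this is presumably alignment with them, but the reason is not recorded anywhere. Put a comment line above it, e.g. `# noroot ignored to match tar.profile/unzip.profile: <reason>`, or move these lines to their own commit so the loosening is reviewable on its own.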
diff --git a/etc/unrar.profile b/etc/unrar.profile index 74079e7b9..e941a8f2a 100644 --- a/etc/unrar.profile +++ b/etc/unrar.profile @@ -1,4 +1,5 @@ # unrar profile +quiet ignore noroot include /etc/firejail/default.profile diff --git a/etc/unzip.profile b/etc/unzip.profile index 502839b98..ab69e932e 100644 --- a/etc/unzip.profile +++ b/etc/unzip.profile @@ -1,4 +1,5 @@ # unzip profile +quiet ignore noroot include /etc/firejail/default.profile diff --git a/etc/uudeview.profile b/etc/uudeview.profile index 8218ac959..f6fe0abf1 100644 --- a/etc/uudeview.profile +++ b/etc/uudeview.profile @@ -1,5 +1,7 @@ # uudeview profile # the default profile will disable root user, enable seccomp filter etc. +quiet +ignore noroot include /etc/firejail/default.profile tracelog diff --git a/etc/xz.profile b/etc/xz.profile index 709585acd..5b29f7338 100644 --- a/etc/xz.profile +++ b/etc/xz.profile @@ -1,2 +1,3 @@ # xz profile +quiet include /etc/firejail/cpio.profile diff --git a/etc/xzdec.profile b/etc/xzdec.profile index ddf2061bf..3692160e6 100644 --- a/etc/xzdec.profile +++ b/etc/xzdec.profile @@ -1,4 +1,6 @@ # xzdec profile +quiet +ignore noroot include /etc/firejail/default.profile tracelog net none diff --git a/src/firejail/main.c b/src/firejail/main.c index de1dcc044..8bb438ba4 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -697,21 +697,6 @@ static void delete_x11_file(pid_t pid) { static void detect_quiet(int argc, char **argv) { int i; - char *progs[] = { - "cpio", - "file", - "gtar", - "gzip", - "less", - "strings", - "tar", - "unrar", - "unzip", - "uudeview", - "xz", - "xzdec", - NULL - }; // detect --quiet for (i = 1; i < argc; i++) { 
@@ -726,26 +711,6 @@ static void detect_quiet(int argc, char **argv) { if (strncmp(argv[i], "--", 2) != 0) break; } - - // argv[i] is the program name if --quiet was not already detected - if (arg_quiet || i == argc) - return; - - // extract the name of the program without the leading path - char *ptr = strrchr(argv[i], '/'); - char *name = (ptr)? (ptr + 1): argv[i]; - if (*name == '\0') - return; - - // look for the program in the list - int j = 0; - while (progs[j] != NULL) { - if (strcmp(name, progs[j]) == 0) { - arg_quiet = 1; - return; - } - j++; - } } //******************************************* diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 46ef0921d..8c2970639 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -817,8 +817,7 @@ void profile_read(const char *fname) { exit(1); } - if (!arg_quiet) - fprintf(stderr, "Reading profile %s\n", fname); + int msg_printed = 0; // read the file line by line char buf[MAX_READ + 1]; @@ -836,6 +835,17 @@ void profile_read(const char *fname) { continue; } + // process quiet + if (strcmp(ptr, "quiet") == 0) { + arg_quiet = 1; + continue; + } + if (!msg_printed) { + if (!arg_quiet) + fprintf(stderr, "Reading profile %s\n", fname); + msg_printed = 1; + } + // process include if (strncmp(ptr, "include ", 8) == 0) { include_level++; diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 7e33a6b45..b6908dd00 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt 
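Review bot: `quiet` sets the process-wide `arg_quiet`, and the "Reading profile" banner is now printed at the first other non-comment line, so a `quiet` that appears later in a file silences everything after it but not the banner, while a `quiet` in any included .inc (if profile_read recurses through the include branch that begins at the end of this hunk) silences the including profile too; only the man page's "should be the first uncommented command" records this. A comment above the check would keep code and docs aligned: `// "quiet" must come before every other command: the banner below is emitted at the first non-comment line, and arg_quiet stays set for the rest of the run`. profile_read itself starts and ends outside the hunk.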
@@ -93,11 +93,17 @@ If the file name matches file_name, the file will not be blacklisted in any blac Example: "noblacklist ${HOME}/.mozilla" .TP -\fBignore command +\fBignore Ignore command. Example: "ignore seccomp" +.TP +\fBquiet +Disable Firejail's output. This should be the first uncommented command in the profile file. + +Example: "quiet" + .SH Filesystem These profile entries define a chroot filesystem built on top of the existing host filesystem. Each line describes a file element that is removed from -- cgit v1.2.3-70-g09d2 From 355c86b0ff225bdc48b27fb4dfcb6232e4ec7b29 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 2 Aug 2016 10:03:28 -0400 Subject: apparmor --- Makefile.in | 2 + configure | 492 +++++++++++++++++++++++++---------------------- configure.ac | 23 +++ etc/firejail-default | 129 +++++++++++++ src/firejail/Makefile.in | 6 +- src/firejail/sandbox.c | 12 +- todo | 3 + 7 files changed, 438 insertions(+), 229 deletions(-) create mode 100644 etc/firejail-default (limited to 'etc') diff --git a/Makefile.in b/Makefile.in index e47e109d3..4d7526826 100644 --- a/Makefile.in +++ b/Makefile.in @@ -85,6 +85,8 @@ realinstall: done sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" rm -fr .etc + # install apparmor profile + sh -c "if [ -d /etc/apparmor.d ]; then install -c -m 0644 etc/firejail-default /etc/apparmor.d/firejail-default; fi;" # man pages install -m 0755 -d $(DESTDIR)/$(mandir)/man1 install -m 0755 -d $(DESTDIR)/$(mandir)/man5 diff --git a/configure b/configure index 050b4df9c..0f6f8f7fb 100755 --- a/configure +++ b/configure @@ -625,9 +625,6 @@ ac_includes_default="\ ac_subst_vars='LTLIBOBJS LIBOBJS HAVE_SECCOMP_H -EGREP -GREP -CPP HAVE_FATAL_WARNINGS HAVE_WHITELIST HAVE_FILE_TRANSFER @@ -638,6 +635,11 @@ HAVE_GLOBALCFG HAVE_BIND HAVE_CHROOT HAVE_SECCOMP +EXTRA_LDFLAGS +EGREP +GREP +CPP +HAVE_APPARMOR RANLIB INSTALL_DATA INSTALL_SCRIPT 
@@ -690,6 +692,7 @@ SHELL' ac_subst_files='' ac_user_opts=' enable_option_checking +enable_apparmor enable_seccomp enable_chroot enable_bind @@ -1319,6 +1322,7 @@ Optional Features: --disable-option-checking ignore unrecognized --enable/--with options --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) --enable-FEATURE[=ARG] include FEATURE [ARG=yes] + --enable-apparmor enable apparmor --disable-seccomp disable seccomp --disable-chroot disable chroot --disable-bind disable bind 
@@ -1462,52 +1466,6 @@ fi } # ac_fn_c_try_compile -# ac_fn_c_try_link LINENO -# ----------------------- -# Try to link conftest.$ac_ext, and return whether this succeeded. -ac_fn_c_try_link () -{ - as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - rm -f conftest.$ac_objext conftest$ac_exeext - if { { ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_link") 2>conftest.err - ac_status=$? - if test -s conftest.err; then - grep -v '^ *+' conftest.err >conftest.er1 - cat conftest.er1 >&5 - mv -f conftest.er1 conftest.err - fi - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && { - test "$cross_compiling" = yes || - test -x conftest$ac_exeext - }; then : - ac_retval=0 -else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_retval=1 -fi - # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information - # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would - # interfere with the next link command; also delete a directory that is - # left behind by Apple's compiler. We do this before executing the actions. - rm -rf conftest.dSYM conftest_ipa8_conftest.oo - eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno - as_fn_set_status $ac_retval - -} # ac_fn_c_try_link - # ac_fn_c_try_cpp LINENO # ---------------------- # Try to preprocess conftest.$ac_ext, and return whether this succeeded. 
@@ -1708,6 +1666,52 @@ $as_echo "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_header_compile + +# ac_fn_c_try_link LINENO +# ----------------------- +# Try to link conftest.$ac_ext, and return whether this succeeded. +ac_fn_c_try_link () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + rm -f conftest.$ac_objext conftest$ac_exeext + if { { ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_link") 2>conftest.err + ac_status=$? + if test -s conftest.err; then + grep -v '^ *+' conftest.err >conftest.er1 + cat conftest.er1 >&5 + mv -f conftest.er1 conftest.err + fi + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + test -x conftest$ac_exeext + }; then : + ac_retval=0 +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_retval=1 +fi + # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information + # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would + # interfere with the next link command; also delete a directory that is + # left behind by Apple's compiler. We do this before executing the actions. + rm -rf conftest.dSYM conftest_ipa8_conftest.oo + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + as_fn_set_status $ac_retval + +} # ac_fn_c_try_link cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. 
@@ -3069,189 +3073,23 @@ else fi -HAVE_SECCOMP="" -# Check whether --enable-seccomp was given. -if test "${enable_seccomp+set}" = set; then : - enableval=$enable_seccomp; -fi - -if test "x$enable_seccomp" != "xno"; then : - - HAVE_SECCOMP="-DHAVE_SECCOMP" - - -fi - -HAVE_CHROOT="" -# Check whether --enable-chroot was given. -if test "${enable_chroot+set}" = set; then : - enableval=$enable_chroot; -fi - -if test "x$enable_chroot" != "xno"; then : - - HAVE_CHROOT="-DHAVE_CHROOT" - - -fi - -HAVE_BIND="" -# Check whether --enable-bind was given. -if test "${enable_bind+set}" = set; then : - enableval=$enable_bind; -fi - -if test "x$enable_bind" != "xno"; then : - - HAVE_BIND="-DHAVE_BIND" - - -fi - -HAVE_GLOBALCFG="" -# Check whether --enable-globalcfg was given. -if test "${enable_globalcfg+set}" = set; then : - enableval=$enable_globalcfg; -fi - -if test "x$enable_globalcfg" != "xno"; then : - - HAVE_GLOBALCFG="-DHAVE_GLOBALCFG" - - -fi - -HAVE_NETWORK="" -# Check whether --enable-network was given. -if test "${enable_network+set}" = set; then : - enableval=$enable_network; -fi - -# Check whether --enable-network was given. -if test "${enable_network+set}" = set; then : - enableval=$enable_network; -fi - -if test "x$enable_network" != "xno"; then : - - HAVE_NETWORK="-DHAVE_NETWORK" - if test "x$enable_network" = "xrestricted"; then : - - HAVE_NETWORK="$HAVE_NETWORK -DHAVE_NETWORK_RESTRICTED" - -fi - - -fi - -HAVE_USERNS="" -# Check whether --enable-userns was given. -if test "${enable_userns+set}" = set; then : - enableval=$enable_userns; -fi - -if test "x$enable_userns" != "xno"; then : - - HAVE_USERNS="-DHAVE_USERNS" - - -fi - -HAVE_X11="" -# Check whether --enable-x11 was given. -if test "${enable_x11+set}" = set; then : - enableval=$enable_x11; -fi - -if test "x$enable_x11" != "xno"; then : - - HAVE_X11="-DHAVE_X11" - - -fi - -HAVE_FILE_TRANSFER="" -# Check whether --enable-file-transfer was given. 
-if test "${enable_file_transfer+set}" = set; then : - enableval=$enable_file_transfer; -fi - -if test "x$enable_file_transfer" != "xno"; then : - - HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER" - - -fi - -HAVE_WHITELIST="" -# Check whether --enable-whitelist was given. -if test "${enable_whitelist+set}" = set; then : - enableval=$enable_whitelist; -fi - -if test "x$enable_whitelist" != "xno"; then : - - HAVE_WHITELIST="-DHAVE_WHITELIST" - - -fi - -HAVE_FATAL_WARNINGS="" -# Check whether --enable-fatal_warnings was given. -if test "${enable_fatal_warnings+set}" = set; then : - enableval=$enable_fatal_warnings; -fi - -if test "x$enable_fatal_warnings" = "xyes"; then : - - HAVE_FATAL_WARNINGS="-W -Wall -Werror" - - +# Allow to build without apparmor support by calling: +# ./configure --disable-apparmor +# This makes it possible to run snaps in devmode on almost any host, +# regardless of the kernel version. +HAVE_APPARMOR="" +# Check whether --enable-apparmor was given. +if test "${enable_apparmor+set}" = set; then : + enableval=$enable_apparmor; fi +if test "x$enable_apparmor" = "xyes"; then : -# checking pthread library - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5 -$as_echo_n "checking for main in -lpthread... " >&6; } -if ${ac_cv_lib_pthread_main+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lpthread $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. 
*/ + HAVE_APPARMOR="-DHAVE_APPARMOR" -int -main () -{ -return main (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_pthread_main=yes -else - ac_cv_lib_pthread_main=no fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_main" >&5 -$as_echo "$ac_cv_lib_pthread_main" >&6; } -if test "x$ac_cv_lib_pthread_main" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBPTHREAD 1 -_ACEOF - LIBS="-lpthread $LIBS" - -else - as_fn_error $? "*** POSIX thread support not installed ***" "$LINENO" 5 -fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' 
@@ -3650,6 +3488,208 @@ fi done +if test "x$enable_apparmor" = "xyes"; then : + + ac_fn_c_check_header_mongrel "$LINENO" "sys/apparmor.h" "ac_cv_header_sys_apparmor_h" "$ac_includes_default" +if test "x$ac_cv_header_sys_apparmor_h" = xyes; then : + +else + as_fn_error $? "Couldn't find sys/apparmor.h... please install apparmor user space library and development files " "$LINENO" 5 +fi + + + +fi +if test "x$enable_apparmor" = "xyes"; then : + + EXTRA_LDFLAGS="-lapparmor" + +fi + + +HAVE_SECCOMP="" +# Check whether --enable-seccomp was given. +if test "${enable_seccomp+set}" = set; then : + enableval=$enable_seccomp; +fi + +if test "x$enable_seccomp" != "xno"; then : + + HAVE_SECCOMP="-DHAVE_SECCOMP" + + +fi + +HAVE_CHROOT="" +# Check whether --enable-chroot was given. +if test "${enable_chroot+set}" = set; then : + enableval=$enable_chroot; +fi + +if test "x$enable_chroot" != "xno"; then : + + HAVE_CHROOT="-DHAVE_CHROOT" + + +fi + +HAVE_BIND="" +# Check whether --enable-bind was given. +if test "${enable_bind+set}" = set; then : + enableval=$enable_bind; +fi + +if test "x$enable_bind" != "xno"; then : + + HAVE_BIND="-DHAVE_BIND" + + +fi + +HAVE_GLOBALCFG="" +# Check whether --enable-globalcfg was given. +if test "${enable_globalcfg+set}" = set; then : + enableval=$enable_globalcfg; +fi + +if test "x$enable_globalcfg" != "xno"; then : + + HAVE_GLOBALCFG="-DHAVE_GLOBALCFG" + + +fi + +HAVE_NETWORK="" +# Check whether --enable-network was given. +if test "${enable_network+set}" = set; then : + enableval=$enable_network; +fi + +# Check whether --enable-network was given. +if test "${enable_network+set}" = set; then : + enableval=$enable_network; +fi + +if test "x$enable_network" != "xno"; then : + + HAVE_NETWORK="-DHAVE_NETWORK" + if test "x$enable_network" = "xrestricted"; then : + + HAVE_NETWORK="$HAVE_NETWORK -DHAVE_NETWORK_RESTRICTED" + +fi + + +fi + +HAVE_USERNS="" +# Check whether --enable-userns was given. 
+if test "${enable_userns+set}" = set; then : + enableval=$enable_userns; +fi + +if test "x$enable_userns" != "xno"; then : + + HAVE_USERNS="-DHAVE_USERNS" + + +fi + +HAVE_X11="" +# Check whether --enable-x11 was given. +if test "${enable_x11+set}" = set; then : + enableval=$enable_x11; +fi + +if test "x$enable_x11" != "xno"; then : + + HAVE_X11="-DHAVE_X11" + + +fi + +HAVE_FILE_TRANSFER="" +# Check whether --enable-file-transfer was given. +if test "${enable_file_transfer+set}" = set; then : + enableval=$enable_file_transfer; +fi + +if test "x$enable_file_transfer" != "xno"; then : + + HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER" + + +fi + +HAVE_WHITELIST="" +# Check whether --enable-whitelist was given. +if test "${enable_whitelist+set}" = set; then : + enableval=$enable_whitelist; +fi + +if test "x$enable_whitelist" != "xno"; then : + + HAVE_WHITELIST="-DHAVE_WHITELIST" + + +fi + +HAVE_FATAL_WARNINGS="" +# Check whether --enable-fatal_warnings was given. +if test "${enable_fatal_warnings+set}" = set; then : + enableval=$enable_fatal_warnings; +fi + +if test "x$enable_fatal_warnings" = "xyes"; then : + + HAVE_FATAL_WARNINGS="-W -Wall -Werror" + + +fi + + +# checking pthread library +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5 +$as_echo_n "checking for main in -lpthread... " >&6; } +if ${ac_cv_lib_pthread_main+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lpthread $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ + + +int +main () +{ +return main (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_pthread_main=yes +else + ac_cv_lib_pthread_main=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_main" >&5 +$as_echo "$ac_cv_lib_pthread_main" >&6; } +if test "x$ac_cv_lib_pthread_main" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBPTHREAD 1 +_ACEOF + + LIBS="-lpthread $LIBS" + +else + as_fn_error $? "*** POSIX thread support not installed ***" "$LINENO" 5 +fi + ac_fn_c_check_header_mongrel "$LINENO" "pthread.h" "ac_cv_header_pthread_h" "$ac_includes_default" if test "x$ac_cv_header_pthread_h" = xyes; then : @@ -4855,6 +4895,7 @@ echo " prefix: $prefix" echo " sysconfdir: $sysconfdir" echo " seccomp: $HAVE_SECCOMP" echo " : $HAVE_SECCOMP_H" +echo " apparmor: $HAVE_APPARMOR" echo " global config: $HAVE_GLOBALCFG" echo " chroot: $HAVE_CHROOT" echo " bind: $HAVE_BIND" @@ -4866,6 +4907,7 @@ echo " file transfer support: $HAVE_FILE_TRANSFER" echo " fatal warnings: $HAVE_FATAL_WARNINGS" printf " uid_min: "; grep UID_MIN uids.h printf " gid_min: "; grep GID_MIN uids.h +printf " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" echo diff --git a/configure.ac b/configure.ac index a84396ad4..315c25038 100644 --- a/configure.ac +++ b/configure.ac 
@@ -9,6 +9,27 @@ AC_PROG_CC AC_PROG_INSTALL AC_PROG_RANLIB +# Allow to build without apparmor support by calling: +# ./configure --disable-apparmor +# This makes it possible to run snaps in devmode on almost any host, +# regardless of the kernel version. +HAVE_APPARMOR="" +AC_ARG_ENABLE([apparmor], + AS_HELP_STRING([--enable-apparmor], [enable apparmor])) +AS_IF([test "x$enable_apparmor" = "xyes"], [ + HAVE_APPARMOR="-DHAVE_APPARMOR" + AC_SUBST(HAVE_APPARMOR) +]) + +AS_IF([test "x$enable_apparmor" = "xyes"], [ + AC_CHECK_HEADER(sys/apparmor.h, , [AC_MSG_ERROR( + [Couldn't find sys/apparmor.h... please install apparmor user space library and development files] )]) +]) +AS_IF([test "x$enable_apparmor" = "xyes"], [ + EXTRA_LDFLAGS="-lapparmor" +]) +AC_SUBST([EXTRA_LDFLAGS]) + HAVE_SECCOMP="" AC_ARG_ENABLE([seccomp], AS_HELP_STRING([--disable-seccomp], [disable seccomp])) @@ -117,6 +138,7 @@ echo " prefix: $prefix" echo " sysconfdir: $sysconfdir" echo " seccomp: $HAVE_SECCOMP" echo " : $HAVE_SECCOMP_H" +echo " apparmor: $HAVE_APPARMOR" echo " global config: $HAVE_GLOBALCFG" echo " chroot: $HAVE_CHROOT" echo " bind: $HAVE_BIND" @@ -128,6 +150,7 @@ echo " file transfer support: $HAVE_FILE_TRANSFER" echo " fatal warnings: $HAVE_FATAL_WARNINGS" printf " uid_min: "; grep UID_MIN uids.h printf " gid_min: "; grep GID_MIN uids.h +printf " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" echo diff --git a/etc/firejail-default b/etc/firejail-default new file mode 100644 index 000000000..609ab6c19 --- /dev/null +++ b/etc/firejail-default 
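Review bot: The comment placed above `HAVE_APPARMOR` in configure.ac says the opposite of what the code does: AppArmor is built only when `--enable-apparmor` is passed (`test "x$enable_apparmor" = "xyes"`), so `--disable-apparmor` is not a meaningful switch, and the sentence about running snaps in devmode regardless of kernel version has nothing to do with Firejail. Replace the four comment lines with `# AppArmor support is opt-in: ./configure --enable-apparmor (requires the libapparmor headers; links -lapparmor)`. The generated configure earlier in this commit carries the same text and should be regenerated after the fix.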
@@ -0,0 +1,129 @@ +#include + +profile firejail-default { + +##### +# D-Bus is a huge security hole, we disable it here. Uncomment this line if you +# need D-Bus functionality. +# +#dbus, + +##### +# Mask /proc and /sys information leakage. The configuration here is barely +# enough to run "top" or "ps aux". +# +/ r, +/[^proc,^sys]** mrwlk, + +/proc/ r, +/proc/meminfo r, +/proc/cpuinfo r, +/proc/filesystems r, +/proc/uptime r, +/proc/loadavg r, +/proc/stat r, +/proc/@{pid}/ r, +/proc/@{pid}/fd/ r, +/proc/@{pid}/task/ r, +/proc/@{pid}/cmdline r, +/proc/@{pid}/comm r, +/proc/@{pid}/stat r, +/proc/@{pid}/statm r, +/proc/@{pid}/status r, +/proc/sys/kernel/pid_max r, +/proc/sys/kernel/shmmax r, +/sys/ r, +/sys/bus/ r, +/sys/bus/** r, +/sys/class/ r, +/sys/class/** r, +/sys/devices/ r, +/sys/devices/** r, + +/proc/@{pid}/maps r, +/proc/@{pid}/mounts r, +/proc/@{pid}/mountinfo r, +/proc/@{pid}/oom_score_adj r, + +/{,var/}run/firejail/mnt/fslogger r, +/{,var/}run/user/**/dconf/ r, +/{,var/}run/user/**/dconf/user r, + +##### +# Allow running programs only from well-known system directories. If you need +# to run programs from your home directory, uncomment /home line. +# +/lib/** ix, +/lib64/** ix, +/bin/** ix, +/sbin/** ix, +/usr/bin/** ix, +/usr/sbin/** ix, +/usr/local/** ix, +/usr/lib/** ix, +/usr/games/** ix, +/opt/** ix, +#/home/** ix, + +##### +# Allow all networking functionality, and control it from Firejail. +# +network inet, +network inet6, +network unix, +network netlink, +network raw, + +##### +# There is no equivalent in Firejail for filtering signals. +# +signal, + +##### +# Disable all capabilities. If you run your sandbox as root, you might need to +# enable/uncomment some of them. 
+# +capability chown, +capability dac_override, +capability dac_read_search, +capability fowner, +capability fsetid, +capability kill, +capability setgid, +capability setuid, +capability setpcap, +capability linux_immutable, +capability net_bind_service, +capability net_broadcast, +capability net_admin, +capability net_raw, +capability ipc_lock, +capability ipc_owner, +capability sys_module, +capability sys_rawio, +capability sys_chroot, +capability sys_ptrace, +capability sys_pacct, +capability sys_admin, +capability sys_boot, +capability sys_nice, +capability sys_resource, +capability sys_time, +capability sys_tty_config, +capability mknod, +capability lease, +capability audit_write, +capability audit_control, +capability setfcap, +capability mac_override, +capability mac_admin, + +##### +# No mount/umount functionality when running as regular user. +# +mount, +remount, +umount, +pivot_root, + +} diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in index 21f415ba5..15253b5ab 100644 --- a/src/firejail/Makefile.in +++ b/src/firejail/Makefile.in 
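Review bot: `/[^proc,^sys]** mrwlk,` does not carve /proc and /sys out of the tree as the comment above it intends: in AppArmor globbing `[^…]` is a negated single-character class, so the rule matches every top-level entry whose first character is not p, r, o, c, `,`, `^`, s or y. /proc and /sys are indeed left out, but so are /opt, /root, /run, /srv and /sbin, which is why `/opt/** ix` lets binaries execute there yet nothing may read or mmap their libraries, and why sockets under /run are unreachable. Enumerate the trees instead, `/{bin,boot,dev,etc,home,lib,lib32,lib64,media,mnt,opt,root,run,sbin,srv,tmp,usr,var}/** mrwlk,`, and keep the explicit /proc and /sys read rules below as they are.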
@@ -18,19 +18,21 @@ HAVE_X11=@HAVE_X11@ HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ HAVE_WHITELIST=@HAVE_WHITELIST@ HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ +HAVE_APPARMOR=@HAVE_APPARMOR@ +EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ H_FILE_LIST = $(sort $(wildcard *.[h])) C_FILE_LIST = $(sort $(wildcard *.c)) OBJS = $(C_FILE_LIST:.c=.o) BINOBJS = $(foreach file, $(OBJS), $file) -CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security +CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_APPARMOR) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o ../lib/common.o $(LIBS) + $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) clean:; rm -f *.o firejail firejail.1 firejail.1.gz diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 0fd81979f..1502a0312 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -39,6 +39,9 @@ # define PR_SET_NO_NEW_PRIVS 38 #endif +#ifdef HAVE_APPARMOR +#include +#endif static int monitored_pid = 0; 
@@ -392,6 +395,7 @@ int sandbox(void* sandbox_arg) { if (arg_debug && child_pid == 1) printf("PID namespace installed\n"); + //**************************** // set hostname //**************************** @@ -503,7 +507,6 @@ int sandbox(void* sandbox_arg) { else fs_basic_fs(); - //**************************** // set hostname in /etc/hostname //**************************** @@ -798,8 +801,13 @@ int sandbox(void* sandbox_arg) { pid_t app_pid = fork(); if (app_pid == -1) errExit("fork"); - + if (app_pid == 0) { +#ifdef HAVE_APPARMOR + errno = 0; + if (aa_change_onexec("firejail-default")) + fprintf(stderr, "Warning: apparmor profile not loaded, errno %d\n", errno); +#endif prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died start_application(); // start app } diff --git a/todo b/todo index 009f9fe99..7a96bb2c4 100644 --- a/todo +++ b/todo @@ -251,6 +251,7 @@ References 23. AppArmor $ sudo apt-get install apparmor apparmor-profiles apparmor-utils apparmor-notify +$ sudo apt-get install libapparmor-dev $ sudo perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub $ sudo update-grub @@ -259,5 +260,7 @@ $ sudo reboot If you are using auditd, start aa-notify to get notification whenever a program causes a DENIED message. $ sudo aa-notify -p -f /var/log/audit/audit.log +/sys/module/apparmor/parameters/enabled +/sys/kernel/security/apparmor -- cgit v1.2.3-70-g09d2 From 1351c4f7e62e7e123c4e9e33fdd071075c473103 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 3 Aug 2016 19:02:15 -0400 Subject: apparmor --- etc/firejail-default | 87 ++++++++++++++++++++++++++++++---------------------- 1 file changed, 51 insertions(+), 36 deletions(-) (limited to 'etc') diff --git a/etc/firejail-default b/etc/firejail-default index 609ab6c19..cf4524648 100644 --- a/etc/firejail-default +++ b/etc/firejail-default 
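Review bot: A failed `aa_change_onexec("firejail-default")` only prints a warning and the child still reaches `start_application()`, so a missing profile, a disabled LSM or an older kernel silently degrades the sandbox with no way for the user to demand confinement; the message also shows a bare errno number. Report it readably, `fprintf(stderr, "Warning: cannot set AppArmor profile firejail-default: %s\n", strerror(errno));` (string.h, if not already included), and consider an option or firejail.config knob that turns the warning into `errExit("aa_change_onexec")` when AppArmor was explicitly requested. Note that `sandbox()` starts and continues outside this hunk.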
@@ -1,19 +1,36 @@ -#include +######################################### +# Generic Firejail AppArmor profile +######################################### + +########## +# A simple PID declaration based on Ubuntu's @{pid} +# Ubuntu keeps it under tunables/kernelvars and include it via tunables/global. +# We don't know if this definition is available outside Debian and Ubuntu, so +# we declare our own here. +########## +@{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]} profile firejail-default { -##### -# D-Bus is a huge security hole, we disable it here. Uncomment this line if you -# need D-Bus functionality. -# +########## +# D-Bus is a huge security hole. Uncomment this line if you need D-Bus +# functionality. +########## #dbus, -##### +########## # Mask /proc and /sys information leakage. The configuration here is barely # enough to run "top" or "ps aux". -# +########## / r, /[^proc,^sys]** mrwlk, +/{,var/}run/ r, +/{,var/}run/** r, +/{,var/}run/user/**/dconf/ rw, +/{,var/}run/user/**/dconf/user rw, +/{,var/}run/firejail/mnt/fslogger r, +/{run,dev}/shm/ r, +/{run,dev}/shm/** rmwk, /proc/ r, /proc/meminfo r, @@ -22,14 +39,16 @@ profile firejail-default { /proc/uptime r, /proc/loadavg r, /proc/stat r, -/proc/@{pid}/ r, -/proc/@{pid}/fd/ r, -/proc/@{pid}/task/ r, -/proc/@{pid}/cmdline r, -/proc/@{pid}/comm r, -/proc/@{pid}/stat r, -/proc/@{pid}/statm r, -/proc/@{pid}/status r, + +/proc/@{PID}/ r, +/proc/@{PID}/fd/ r, +/proc/@{PID}/task/ r, +/proc/@{PID}/cmdline r, +/proc/@{PID}/comm r, +/proc/@{PID}/stat r, +/proc/@{PID}/statm r, +/proc/@{PID}/status r, +/proc/@{PID}/task/@{PID}/stat r, /proc/sys/kernel/pid_max r, /proc/sys/kernel/shmmax r, /sys/ r, 
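Review bot: The `@{PID}` tunable declared at the top of the file stops at six digits, but a 64-bit kernel allows pid_max up to 4194304 (seven digits) and, as I recall, the Ubuntu @{pid} that the comment cites has a seventh alternative; once an administrator raises pid_max, every `/proc/@{PID}/…` rule in this profile stops matching the high PIDs and ps/top start getting denials. Append `,[1-9][0-9][0-9][0-9][0-9][0-9][0-9]` inside the braces. Separately, `/{,var/}run/** r,` opens the whole of /run for reading, including other users' runtime directories as far as DAC permits; if only the firejail and dconf paths listed right after it are needed, narrow the rule or record why the broad one is required.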
@@ -40,19 +59,15 @@ profile firejail-default { /sys/devices/ r, /sys/devices/** r, -/proc/@{pid}/maps r, -/proc/@{pid}/mounts r, -/proc/@{pid}/mountinfo r, -/proc/@{pid}/oom_score_adj r, +/proc/@{PID}/maps r, +/proc/@{PID}/mounts r, +/proc/@{PID}/mountinfo r, +/proc/@{PID}/oom_score_adj r, -/{,var/}run/firejail/mnt/fslogger r, -/{,var/}run/user/**/dconf/ r, -/{,var/}run/user/**/dconf/user r, - -##### +########## # Allow running programs only from well-known system directories. If you need # to run programs from your home directory, uncomment /home line. -# +########## /lib/** ix, /lib64/** ix, /bin/** ix, @@ -65,24 +80,23 @@ profile firejail-default { /opt/** ix, #/home/** ix, -##### +########## # Allow all networking functionality, and control it from Firejail. -# +########## network inet, network inet6, network unix, network netlink, network raw, -##### +########## # There is no equivalent in Firejail for filtering signals. -# +########## signal, -##### -# Disable all capabilities. If you run your sandbox as root, you might need to -# enable/uncomment some of them. -# +########## +# We let Firejail deal with capabilities. +########## capability chown, capability dac_override, capability dac_read_search, @@ -118,12 +132,13 @@ capability setfcap, capability mac_override, capability mac_admin, -##### -# No mount/umount functionality when running as regular user. -# +########## +# We let Firejail deal with mount/umount functionality. +########## mount, remount, umount, pivot_root, } + -- cgit v1.2.3-70-g09d2 From 25fa6746617e034e13e8d14cf7e2a0e7661d37ed Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 4 Aug 2016 09:15:42 -0400 Subject: apparmor fixes for Arch Linux --- Makefile.in | 3 ++- etc/firejail-default | 5 +++++ 2 files changed, 7 insertions(+), 1 deletion(-) (limited to 'etc') diff --git a/Makefile.in b/Makefile.in index 4d7526826..978cbf92d 100644 --- a/Makefile.in +++ b/Makefile.in 
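Review bot: The reworded comment `We let Firejail deal with capabilities` still leaves a reader thinking the `capability …` lines restrict something, but in AppArmor a `capability` rule grants the named capability and nothing in this profile uses `deny`, so the block is a complete allow-list and the only restriction comes from Firejail's caps.drop/caps.keep handling. Say so explicitly so nobody "hardens" the profile by trimming the list: `# These rules GRANT capabilities; AppArmor denies nothing here. Restrictions come from Firejail's caps.* options.` The same applies to the `mount, remount, umount, pivot_root,` block just below, which permits those operations rather than blocking them.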
@@ -86,7 +86,8 @@ realinstall: sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" rm -fr .etc # install apparmor profile - sh -c "if [ -d /etc/apparmor.d ]; then install -c -m 0644 etc/firejail-default /etc/apparmor.d/firejail-default; fi;" + sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;" + install -c -m 0644 etc/firejail-default $(DESTDIR)/$(sysconfdir)/apparmor.d/. # man pages install -m 0755 -d $(DESTDIR)/$(mandir)/man1 install -m 0755 -d $(DESTDIR)/$(mandir)/man5 diff --git a/etc/firejail-default b/etc/firejail-default index cf4524648..8abf2400b 100644 --- a/etc/firejail-default +++ b/etc/firejail-default @@ -28,6 +28,8 @@ profile firejail-default { /{,var/}run/** r, /{,var/}run/user/**/dconf/ rw, /{,var/}run/user/**/dconf/user rw, +/{,var/}run/user/**/pulse/ rw, +/{,var/}run/user/**/pulse/** rw, /{,var/}run/firejail/mnt/fslogger r, /{run,dev}/shm/ r, /{run,dev}/shm/** rmwk, @@ -51,6 +53,9 @@ profile firejail-default { /proc/@{PID}/task/@{PID}/stat r, /proc/sys/kernel/pid_max r, /proc/sys/kernel/shmmax r, +/proc/sys/vm/overcommit_memory r, +/proc/sys/vm/overcommit_ratio r, + /sys/ r, /sys/bus/ r, /sys/bus/** r, -- cgit v1.2.3-70-g09d2 From 9c3de20c36539a7752298cbb9eec674e24e191a9 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Fri, 5 Aug 2016 12:47:24 +1000 Subject: Added gnome-chess profile --- etc/gnome-chess.profile | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 etc/gnome-chess.profile (limited to 'etc') diff --git a/etc/gnome-chess.profile b/etc/gnome-chess.profile new file mode 100644 index 000000000..e93970f7d --- /dev/null +++ b/etc/gnome-chess.profile 
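Review bot: `/{,var/}run/user/**/pulse/ rw,` and `/{,var/}run/user/**/pulse/** rw,` use `**`, which in AppArmor crosses directory boundaries, so the rule also matches a `pulse/` directory nested at any depth below `/run/user/` rather than only the per-user runtime directory `/run/user/<uid>/pulse/`; `/{,var/}run/user/*/pulse/ rw,` and `/{,var/}run/user/*/pulse/** rw,` express the intent and are no less permissive for the PulseAudio case. The dconf rules in this hunk's context have the same shape, so if one is tightened, tighten both. DAC still limits which user's directory is reachable, so this narrows the policy's scope rather than closes a hole.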
@@ -0,0 +1,20 @@ +# Firejail profile for gnome-chess +noblacklist /.local/share/gnome-chess + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +net none +nogroups +nonewprivs +noroot +nosound +seccomp +shell none +tracelog + +private-bin gnome-chess +private-dev -- cgit v1.2.3-70-g09d2 From 7962d6ee8b6372e84a6de43180ae489a145f60da Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Fri, 5 Aug 2016 12:47:54 +1000 Subject: extra gnome-chess files --- README | 1 + README.md | 4 ++-- etc/disable-programs.inc | 1 + platform/debian/conffiles | 1 + src/firecfg/firecfg.config | 1 + 5 files changed, 6 insertions(+), 2 deletions(-) (limited to 'etc') diff --git a/README b/README index f742dd506..a690a9b65 100644 --- a/README +++ b/README @@ -83,6 +83,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added jitsi profile - pidgin private-bin conversion - added eom profile + - added gnome-chess profile Jaykishan Mutkawoa (https://github.com/jmutkawoa) - cpio profile Paupiah Yash (https://github.com/CaffeinatedStud) diff --git a/README.md b/README.md index 4eea1aafc..96c4b26b2 100644 --- a/README.md +++ b/README.md @@ -186,7 +186,7 @@ Office: evince, gthumb, fbreader, pix, atril, xreader, Chat/messaging: qtox, gitter, pidgin -Games: warzone2100 +Games: warzone2100, gnome-chess Weather/climate: aweather @@ -197,5 +197,5 @@ Browsers: Palemoon ## New security profiles Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview -tar (gtar), unzip, unrar, file, skypeforlinux +tar (gtar), unzip, unrar, file, skypeforlinux, gnome-chess diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index ed7710728..01e68506d 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc 
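Review bot: `noblacklist /.local/share/gnome-chess` on the second line is missing the home prefix, so it names a path directly under the filesystem root and does not lift the `blacklist ${HOME}/.local/share/gnome-chess` that the follow-up commit adds to disable-programs.inc; the `include` lines that follow will therefore still blacklist the game's save data. It should read `noblacklist ~/.local/share/gnome-chess` (or the `${HOME}/` form), as the other profiles on this page do. Because the broken directive is a noblacklist, the failure mode is a denial rather than an exposure, but the profile does not behave as written.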
@@ -128,3 +128,4 @@ blacklist ${HOME}/.local/share/xplayer blacklist ${HOME}/.local/share/totem blacklist ${HOME}/.local/share/psi+ blacklist ${HOME}/.local/share/pix +blacklist ${HOME}/.local/share/gnome-chess diff --git a/platform/debian/conffiles b/platform/debian/conffiles index c8eda3cb4..d2ee3a83e 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -44,6 +44,7 @@ /etc/firejail/flashpeak-slimjet.profile /etc/firejail/franz.profile /etc/firejail/gitter.profile +/etc/firejail/gnome-chess.profile /etc/firejail/gnome-mplayer.profile /etc/firejail/google-chrome-beta.profile /etc/firejail/google-chrome-stable.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 48e205a58..c909e6903 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -78,6 +78,7 @@ wine # games 0ad +gnome-chess hedgewars steam wesnot -- cgit v1.2.3-70-g09d2 From 1bfbc86b893a41670759c9f7abb0864b28c62eeb Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Fri, 5 Aug 2016 12:54:15 +1000 Subject: tightened vlc --- etc/vlc.profile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'etc') diff --git a/etc/vlc.profile b/etc/vlc.profile index 1a6e5a151..c82247dd2 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile @@ -8,12 +8,12 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter +nogroups nonewprivs noroot protocol unix,inet,inet6 seccomp - - -# to test shell none +tracelog + private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc -- cgit v1.2.3-70-g09d2 From 173a90129e73e81fa80bb12f6ec19e3943c74ca5 Mon Sep 17 00:00:00 2001 From: Reiner Herrmann Date: Sun, 7 Aug 2016 18:05:45 +0200 Subject: tar requires shell for executing compressors like bzip2 --- etc/tar.profile | 2 +- test/sysutils/tar.exp | 17 ++++++++++++++--- 2 files changed, 15 insertions(+), 4 deletions(-) (limited to 'etc') diff --git a/etc/tar.profile b/etc/tar.profile index 6daa7396a..78bf7ad13 100644 --- a/etc/tar.profile +++ b/etc/tar.profile 
@@ -8,7 +8,7 @@ net none shell none # support compressed archives -private-bin tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop +private-bin sh,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop private-dev private-etc passwd,group,localtime hostname tar diff --git a/test/sysutils/tar.exp b/test/sysutils/tar.exp index af569f5ac..f41d67d6f 100755 --- a/test/sysutils/tar.exp +++ b/test/sysutils/tar.exp @@ -9,20 +9,31 @@ match_max 100000 send -- "firejail /bin/tar -cjvf firejail_t2 /usr/share/doc/firejail\r" expect { - timeout {puts "TESTING ERROR 1\n";exit} + timeout {puts "TESTING ERROR 1.1\n";exit} + "Error" {puts "TESTING ERROR 1.2\n";exit} "/usr/share/doc/firejail/README" } after 100 +send -- "stat -c '|%s|' firejail_t2; uname -s\r" +expect { + timeout {puts "TESTING ERROR 2.1\n";exit} + "|0|" {puts "TESTING ERROR 2.2\n";exit} + "Linux" +} +sleep 1 + send -- "firejail /bin/tar --compare --file=firejail_t2 -C / | wc\r" expect { - timeout {puts "TESTING ERROR 2\n";exit} + timeout {puts "TESTING ERROR 3.1\n";exit} + "This does not look like a tar archive" {puts "TESTING ERROR 3.2\n"; exit} " 0 0 0" } sleep 1 send -- "/bin/tar --compare --file=firejail_t2 -C / | wc\r" expect { - timeout {puts "TESTING ERROR 3\n";exit} + timeout {puts "TESTING ERROR 4.1\n";exit} + "This does not look like a tar archive" {puts "TESTING ERROR 4.2\n"; exit} " 0 0 0" } sleep 1 -- cgit v1.2.3-70-g09d2 From b6febe802a93ffe5a90fae25da3a4467dbbcb47b Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Thu, 11 Aug 2016 05:19:27 +1000 Subject: Fixed & tightened gnome-chess --- etc/gnome-chess.profile | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'etc') diff --git a/etc/gnome-chess.profile b/etc/gnome-chess.profile index e93970f7d..297f7e6a9 100644 --- a/etc/gnome-chess.profile +++ b/etc/gnome-chess.profile 
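Review bot: Adding `sh` to `private-bin` two lines below `shell none` deserves a comment, because the two look contradictory: `shell none` only changes how Firejail launches tar, while the private /bin now contains an interpreter that tar, and anything tar runs, can exec. Suggest `# tar runs external compressors through /bin/sh, so sh must be present in the private bin` above the line. Which binary `sh` resolves to is host-dependent (it may be bash rather than a minimal shell); if a minimal interpreter is the intent, that is worth noting as well.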
@@ -7,14 +7,16 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -net none nogroups nonewprivs noroot nosound +protocol unix seccomp shell none tracelog -private-bin gnome-chess +private-bin fairymax,gnome-chess,hoichess private-dev +private-etc fonts,gnome-chess +private-tmp -- cgit v1.2.3-70-g09d2 From 28ae6fa41bd585b127e23f6a336673484711a919 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 11 Aug 2016 07:43:17 -0400 Subject: removed strings profile --- README | 9 +++------ README.md | 2 +- etc/strings.profile | 10 ---------- platform/debian/conffiles | 1 - test/sysutils/sysutils.sh | 16 ++++++++-------- todo | 13 +++++++++++++ 6 files changed, 25 insertions(+), 26 deletions(-) delete mode 100644 etc/strings.profile (limited to 'etc') diff --git a/README b/README index 6e6411619..4145d5165 100644 --- a/README +++ b/README @@ -158,6 +158,7 @@ yumkam (https://github.com/yumkam) - man page fixes mahdi1234 (https://github.com/mahdi1234) - cherrytree profile + - Seamonkey profiles jrabe (https://github.com/jrabe) - disallow access to kdbx files - Epiphany profile @@ -176,6 +177,7 @@ pszxzsd (https://github.com/pszxzsd) Rahiel Kasim (https://github.com/rahiel) - Mathematica profile - whitelisted Dropbox profile + - whitelisted keysnail config for firefox creideiki (https://github.com/creideiki) - make the sandbox process reap all children sinkuu (https://github.com/sinkuu) @@ -187,8 +189,7 @@ Holger Heinz (https://github.com/hheinz) - manpage work Andrey Alekseenko (https://github.com/al42and) - fixing lintian warnings -mahdi1234 (https://github.com/mahdi1234) - - Seamonkey profiles + - fixed Skype profile Ivan Kozik (https://github.com/ivan) - speed up sandbox exit Christian Stadelmann (https://github.com/genodeftest) 
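Review bot: Dropping `net none` is a loosening that the commit does not explain: `protocol unix`, added in the same hunk, restricts the socket families the program can open, but the sandbox stays in the host network namespace, whereas `net none` had isolated it entirely, and the two are complementary rather than redundant. If the GUI or one of the engines needed networking, say so in a comment next to `protocol unix`; otherwise keep `net none` alongside it. The new `private-bin fairymax,gnome-chess,hoichess` and `private-etc fonts,gnome-chess` lines are good tightening; the first six lines of the profile are outside this hunk.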
@@ -199,8 +200,6 @@ Kaan Genç (https://github.com/SeriousBug) - dynamic allocation of noblacklist buffer Veeti Paananen (https://github.com/veeti) - fixed Spotify profile -Rahiel Kasim (https://github.com/rahiel) - - whitelist keysnail config for firefox rogshdo (https://github.com/rogshdo) - BitlBee profile Bruno Nova (https://github.com/brunonova) @@ -208,8 +207,6 @@ Bruno Nova (https://github.com/brunonova) - bash arguments fix Matt Parnell (https://github.com/ilikenwf) - whitelisting for core firefox related functionality -Andrey Alekseenko (https://github.com/al42and) - - fixed Skype profile Ondra Nekola (https://github.com/satai) - allow firefox theming with non-global themes emacsomancer (https://github.com/emacsomancer) diff --git a/README.md b/README.md index 67dd017a7..3047bf908 100644 --- a/README.md +++ b/README.md @@ -196,6 +196,6 @@ Browsers: Palemoon ## New security profiles -Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, strings, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview +Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview tar (gtar), unzip, unrar, file, skypeforlinux, gnome-chess diff --git a/etc/strings.profile b/etc/strings.profile deleted file mode 100644 index 6ebe81d09..000000000 --- a/etc/strings.profile +++ /dev/null @@ -1,10 +0,0 @@ -# strings profile -quiet -ignore noroot -include /etc/firejail/default.profile -tracelog -net none -shell none -private-dev -private-tmp -nosound diff --git a/platform/debian/conffiles b/platform/debian/conffiles index d2ee3a83e..633123e92 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -111,7 +111,6 @@ /etc/firejail/ssh.profile /etc/firejail/steam.profile /etc/firejail/stellarium.profile -/etc/firejail/strings.profile /etc/firejail/tar.profile /etc/firejail/telegram.profile /etc/firejail/thunderbird.profile 
diff --git a/test/sysutils/sysutils.sh b/test/sysutils/sysutils.sh index 315b73c9d..99939133d 100755 --- a/test/sysutils/sysutils.sh +++ b/test/sysutils/sysutils.sh @@ -15,14 +15,14 @@ else echo "TESTING SKIP: cpio not found" fi -which strings -if [ "$?" -eq 0 ]; -then - echo "TESTING: strings" - ./strings.exp -else - echo "TESTING SKIP: strings not found" -fi +#which strings +#if [ "$?" -eq 0 ]; +#then +# echo "TESTING: strings" +# ./strings.exp +#else +# echo "TESTING SKIP: strings not found" +#fi which gzip if [ "$?" -eq 0 ]; diff --git a/todo b/todo index 323374525..8fe3904da 100644 --- a/todo +++ b/todo @@ -266,3 +266,16 @@ $ sudo aa-notify -p -f /var/log/audit/audit.log 24. check monitor proc behaviour for sandboxes with --blacklist=/proc also check --apparmor in this case +25. bring back strings.profile + +# strings profile +quiet +ignore noroot +include /etc/firejail/default.profile +tracelog +net none +shell none +private-dev +private-tmp +nosound + -- cgit v1.2.3-70-g09d2 From e8de54d45ea884aa5e6f67e3d75ddb1372741c7f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 11 Aug 2016 13:00:30 -0400 Subject: added quiet-by-default config option in /etc/firejail/firejail.config --- RELNOTES | 1 + etc/firejail.config | 6 +++++- src/firejail/checkcfg.c | 7 ++++++- src/firejail/env.c | 2 +- 4 files changed, 13 insertions(+), 3 deletions(-) (limited to 'etc') diff --git a/RELNOTES b/RELNOTES index 6449a13f2..79f634dcd 100644 --- a/RELNOTES +++ b/RELNOTES @@ -18,6 +18,7 @@ firejail (0.9.42~rc2) baseline; urgency=low * seccomp filter updated * compile time and run time support to disable whitelists * compile time support to disable global configuration file + * added quiet-by-default config option in /etc/firejail/firejail.config * added netfilter-default config option in /etc/firejail/firejail.config * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice * new profiles: pix, audacity, xz, xzdec, gzip, cpio, less 
diff --git a/etc/firejail.config b/etc/firejail.config index 20c4d7a5f..82fe65ac7 100644 --- a/etc/firejail.config +++ b/etc/firejail.config @@ -15,12 +15,16 @@ # Force use of nonewprivs. This mitigates the possibility of # a user abusing firejail's features to trick a privileged (suid # or file capabilities) process into loading code or configuration -# that is partially under their control. Default disabled +# that is partially under their control. Default disabled. # force-nonewprivs no # Enable or disable networking features, default enabled. # network yes +# Enable --quiet as default every time the sandbox is started. Default disabled. +# quiet-by-default no + + # Enable or disable restricted network support, default disabled. If enabled, # networking features should also be enabled (network yes). # Restricted networking grants access to --interface, --net=ethXXX and diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 12921e294..3b60dafb6 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -220,7 +220,12 @@ int checkcfg(int val) { if (!xephyr_extra_params) errExit("strdup"); } - + + // quiet by default + else if (strncmp(ptr, "quiet-by-default ", 17) == 0) { + if (strcmp(ptr + 17, "yes") == 0) + arg_quiet = 1; + } else goto errout; diff --git a/src/firejail/env.c b/src/firejail/env.c index a5b3ccfb3..79d6b81e3 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c @@ -133,7 +133,7 @@ void env_defaults(void) { errExit("setenv"); // set the window title - printf("\033]0;firejail %s\007\n", cfg.window_title); + printf("\033]0;firejail %s\007", cfg.window_title);fflush(0); } // parse and store the environment setting -- cgit v1.2.3-70-g09d2 From a0ea44171a0eb2b08452ff352effe974d4feb80e Mon Sep 17 00:00:00 2001 
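Review bot: The new `quiet-by-default` branch accepts only `yes` and silently ignores every other value, including `no` and typos, whereas the other options in this parser reject anything but yes/no (the `remount-proc-sys` branch added in a later commit on this page goes to `errout`); change the body to `if (strcmp(ptr + 17, "yes") == 0) arg_quiet = 1; else if (strcmp(ptr + 17, "no") != 0) goto errout;`. Setting the global `arg_quiet` from inside `checkcfg()` is also a side effect the other branches avoid, since they only fill `cfg_val[]`; a dedicated slot (say a `CFG_QUIET_BY_DEFAULT` index, name constructed here) read by the caller would keep the parser free of side effects. The enclosing `checkcfg()` starts and ends outside the hunk.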
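Review bot: `fflush(0)` flushes every open output stream, not just stdout; `fflush(stdout)` states the intent and is all the preceding `printf` needs. The value interpolated into the OSC title sequence, `cfg.window_title`, is set somewhere outside this hunk; if it can originate from the command line or a profile, control bytes in it (ESC, BEL) would terminate the title early and be interpreted by the terminal, so filtering it to printable characters before this `printf` is worth confirming, and the sequence should only be emitted when stdout is a terminal (`isatty(STDOUT_FILENO)`). The enclosing `env_defaults()` starts outside the hunk.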
From: Gaman Gabriel Date: Mon, 15 Aug 2016 21:11:50 +0300 Subject: Create inox.profile Inox is a privacy-focused browser based on Chromium. This profile will work with Inox, the Chromium profile is not compatible. --- etc/inox.profile | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 etc/inox.profile (limited to 'etc') diff --git a/etc/inox.profile b/etc/inox.profile new file mode 100644 index 000000000..49d2f2835 --- /dev/null +++ b/etc/inox.profile @@ -0,0 +1,24 @@ +# Inox browser profile +noblacklist ~/.config/inox +noblacklist ~/.cache/inox +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc + +netfilter + +whitelist ${DOWNLOADS} +mkdir ~/.config/inox +whitelist ~/.config/inox +mkdir ~/.cache/inox +whitelist ~/.cache/inox +mkdir ~/.pki +whitelist ~/.pki + +# lastpass, keepassx +whitelist ~/.keepassx +whitelist ~/.config/keepassx +whitelist ~/keepassx.kdbx +whitelist ~/.lastpass +whitelist ~/.config/lastpass + +include /etc/firejail/whitelist-common.inc -- cgit v1.2.3-70-g09d2 From 4ed1dbe846474869f1766cf95ed2a3a9cc40850d Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 16 Aug 2016 08:17:46 -0400 Subject: inox profile integration --- etc/disable-programs.inc | 1 + 1 file changed, 1 insertion(+) (limited to 'etc') diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 01e68506d..140417b01 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -60,6 +60,7 @@ blacklist ${HOME}/.config/slimjet blacklist ${HOME}/.config/qutebrowser blacklist ${HOME}/.8pecxstudios blacklist ${HOME}/.config/brave +blacklist ${HOME}/.config/inox # Instant Messaging blacklist ${HOME}/.config/hexchat -- cgit v1.2.3-70-g09d2 From 0773b2791af79418572373ac8297bea6060d65a9 Mon Sep 17 00:00:00 2001 
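Review bot: Compared with the other browser profiles in this series (netsurf, icecat), `inox.profile` carries none of the process-level restrictions: there is no `caps.drop all`, `seccomp`, `noroot`, `nonewprivs` or `protocol` line, only `netfilter` and the filesystem whitelist. Whitelisting alone does not reduce the capability bounding set, filter syscalls, or restrict socket families, so the browser runs with all of those available. Unless Inox is known to break under them, the block used by icecat.profile on this page should be added around `netfilter`.
```conf
# … unchanged: noblacklist/include lines …
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp
tracelog
# … unchanged: whitelist lines and whitelist-common.inc include …
```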
From: Fred-Barclay Date: Wed, 17 Aug 2016 09:18:20 +1000 Subject: tightened profiles --- etc/gnome-mplayer.profile | 5 ++++- etc/gpredict.profile | 3 ++- etc/gthumb.profile | 3 ++- etc/hedgewars.profile | 6 +++++- etc/hexchat.profile | 6 +++++- etc/jitsi.profile | 1 + etc/kmail.profile | 4 ++++ etc/konversation.profile | 3 +++ 8 files changed, 26 insertions(+), 5 deletions(-) (limited to 'etc') diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile index 1caea177d..1b0fc9807 100644 --- a/etc/gnome-mplayer.profile +++ b/etc/gnome-mplayer.profile @@ -5,10 +5,13 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +nogroups nonewprivs noroot protocol unix,inet,inet6 seccomp - shell none + private-bin gnome-mplayer +private-dev +private-tmp diff --git a/etc/gpredict.profile b/etc/gpredict.profile index a8378a66e..353ecceae 100644 --- a/etc/gpredict.profile +++ b/etc/gpredict.profile @@ -15,10 +15,11 @@ nonewprivs nogroups noroot nosound -protocol unix,inet,inet6,netlink +protocol unix,inet,inet6 seccomp shell none tracelog private-bin gpredict private-dev +private-tmp diff --git a/etc/gthumb.profile b/etc/gthumb.profile index 3c02576aa..e043c7229 100644 --- a/etc/gthumb.profile +++ b/etc/gthumb.profile @@ -7,8 +7,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -nonewprivs nogroups +nonewprivs noroot nosound protocol unix @@ -19,3 +19,4 @@ tracelog private-bin gthumb whitelist /tmp/.X11-unix private-dev +private-tmp diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile index c5d863bd5..7910b7eb0 100644 --- a/etc/hedgewars.profile +++ b/etc/hedgewars.profile @@ -7,12 +7,16 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +netfilter +nogroups nonewprivs noroot -private-dev seccomp tracelog +private-dev +private-tmp + mkdir ~/.hedgewars whitelist ~/.hedgewars include /etc/firejail/whitelist-common.inc 
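Review bot: The hedgewars hunk adds `netfilter` and `nogroups` but still has no `protocol` line and no `shell none`, while gnome-mplayer, gpredict, gthumb and hexchat in this same commit all carry a `protocol ...` line and gnome-mplayer and gpredict show `shell none`; `protocol unix,inet,inet6` (the set hexchat uses) and `shell none` would bring it in line, unless they sit in the lines above the hunk. Separately, the gpredict hunk drops `netlink` from its protocol list, which is fine if the application does not enumerate interfaces or routes, but it is a behaviour change that the title "tightened profiles" does not spell out and a short comment on that line would record the reason.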
diff --git a/etc/hexchat.profile b/etc/hexchat.profile index 0d7ee6594..0ff64aef5 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile @@ -7,9 +7,11 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all +netfilter +nogroups nonewprivs noroot -netfilter +nosound protocol unix,inet,inet6 seccomp @@ -18,3 +20,5 @@ whitelist ~/.config/hexchat include /etc/firejail/whitelist-common.inc # private-bin requires perl, python, etc. +private-dev +private-tmp diff --git a/etc/jitsi.profile b/etc/jitsi.profile index 8baf1ad94..c61158f8b 100644 --- a/etc/jitsi.profile +++ b/etc/jitsi.profile @@ -14,3 +14,4 @@ seccomp shell none tracelog +private-tmp diff --git a/etc/kmail.profile b/etc/kmail.profile index 44a53e258..8c8fd18c4 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile @@ -9,7 +9,11 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter nonewprivs +nogroups noroot protocol unix,inet,inet6,netlink seccomp tracelog + +private-dev +private-tmp diff --git a/etc/konversation.profile b/etc/konversation.profile index 190061618..e9546fd1b 100644 --- a/etc/konversation.profile +++ b/etc/konversation.profile @@ -7,6 +7,9 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter +nogroups noroot seccomp protocol unix,inet,inet6 + +private-tmp -- cgit v1.2.3-70-g09d2 From 3adedf90bf9ecc2695bac0edd3f900300a48d562 Mon Sep 17 00:00:00 2001 From: greigdp Date: Wed, 17 Aug 2016 11:42:14 +0100 Subject: Add profile support for Slack --- etc/disable-programs.inc | 1 + etc/slack.profile | 27 +++++++++++++++++++++++++++ 2 files changed, 28 insertions(+) create mode 100644 etc/slack.profile (limited to 'etc') diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 140417b01..c94bcc9f4 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc 
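Review bot: The konversation hunk adds `nogroups` and `private-tmp` but, unlike kmail, hexchat, gnome-mplayer, gthumb and gpredict in this commit, still has no `nonewprivs`, and both kmail and konversation lack `shell none` and `tracelog`; `nonewprivs` is the one that matters, since it is the line that keeps setuid and file-capability binaries reached from the sandbox from elevating on exec (the force-nonewprivs text in firejail.config on this page describes exactly that risk). The konversation hunk shows the option block from `caps.drop all` down, so unless `nonewprivs` sits in the first six lines outside the hunk it is simply missing; add it after `netfilter`.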
@@ -78,6 +78,7 @@ blacklist ${HOME}/.TelegramDesktop blacklist ${HOME}/.config/Gitter blacklist ${HOME}/.config/Franz blacklist ${HOME}/.jitsi +blacklist ${HOME}/.config/Slack # Games blacklist ${HOME}/.hedgewars diff --git a/etc/slack.profile b/etc/slack.profile new file mode 100644 index 000000000..ea7b715f9 --- /dev/null +++ b/etc/slack.profile @@ -0,0 +1,27 @@ +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +mkdir ${HOME}/.config +mkdir ${HOME}/.config/Slack +whitelist ${HOME}/.config/Slack +whitelist ~/Downloads + +protocol unix,inet,inet6,netlink +private-dev +private-tmp +private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime +name slack +blacklist /var + +include /etc/firejail/whitelist-common.inc + +caps.drop all +seccomp +netfilter +nonewprivs +nogroups +noroot +shell none +private-bin slack -- cgit v1.2.3-70-g09d2 From 68f20d089d8df3813bfce9811553c4f938d5bd9b Mon Sep 17 00:00:00 2001 From: greigdp Date: Wed, 17 Aug 2016 11:44:33 +0100 Subject: Fix Spotify - "private-bin spotify" prevents Spotify loading --- etc/spotify.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/spotify.profile b/etc/spotify.profile index 6bcb99e0f..73d427db3 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile @@ -27,5 +27,5 @@ protocol unix,inet,inet6,netlink seccomp shell none -private-bin spotify +#private-bin spotify private-dev -- cgit v1.2.3-70-g09d2 From 30ce7015e8d8d44640c2d26580cdcd0ad54357d5 Mon Sep 17 00:00:00 2001 From: Icaro Perseo Date: Wed, 17 Aug 2016 21:25:55 -0500 Subject: New GTK paths added. --- etc/whitelist-common.inc | 3 +++ 1 file changed, 3 insertions(+) (limited to 'etc') diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc index 2317133c5..abbb4a9fc 100644 --- a/etc/whitelist-common.inc +++ b/etc/whitelist-common.inc 
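Review bot: `private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime` leaves out the TLS trust store (`ssl`, `ca-certificates`) as well as `hosts` and `nsswitch.conf`; for a client that talks only over HTTPS, whether it validates certificates against the system store or a bundled one is not visible here, so confirm that before shipping rather than discover it as a connection failure or, worse, as validation being skipped. A `# Firejail profile for Slack` header line and `tracelog` would match the other profiles in this series. The option block at the bottom (`caps.drop all` through `private-bin slack`) is complete otherwise.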
@@ -20,8 +20,11 @@ whitelist ~/.cache/fontconfig # gtk whitelist ~/.gtkrc whitelist ~/.gtkrc-2.0 +whitelist ~/.config/gtk-2.0 whitelist ~/.config/gtk-3.0 whitelist ~/.themes +whitelist ~/.kde/share/config/gtkrc +whitelist ~/.kde/share/config/gtkrc-2.0 # dconf mkdir ~/.config/dconf -- cgit v1.2.3-70-g09d2 From 9f5fc0e2a4aff2cde18aa34b3161a744e4a19aad Mon Sep 17 00:00:00 2001 From: Icaro Perseo Date: Wed, 17 Aug 2016 21:30:04 -0500 Subject: New KDE apps and settings path added. --- etc/disable-common.inc | 3 +++ 1 file changed, 3 insertions(+) (limited to 'etc') diff --git a/etc/disable-common.inc b/etc/disable-common.inc index d18ee0287..ed6ee315b 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -14,6 +14,7 @@ blacklist /etc/xdg/autostart blacklist ${HOME}/.kde4/Autostart blacklist ${HOME}/.kde4/share/autostart blacklist ${HOME}/.kde/Autostart +blacklist ${HOME}/.kde/share/autostart blacklist ${HOME}/.config/plasma-workspace/shutdown blacklist ${HOME}/.config/plasma-workspace/env blacklist ${HOME}/.config/lxsession/LXDE/autostart @@ -168,3 +169,5 @@ blacklist ${PATH}/roxterm-config blacklist ${PATH}/terminix blacklist ${PATH}/urxvtc blacklist ${PATH}/urxvtcd +blacklist ${PATH}/konsole +blacklist ${PATH}/yakuake -- cgit v1.2.3-70-g09d2 From 9888f2d3c7f9ea3823f135a67b37f4f217f0f185 Mon Sep 17 00:00:00 2001 From: Icaro Perseo Date: Wed, 17 Aug 2016 21:42:06 -0500 Subject: 'icecat.profile' updated. --- etc/icecat.profile | 51 ++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 50 insertions(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/icecat.profile b/etc/icecat.profile index 25d426ad2..2f8e2df7f 100644 --- a/etc/icecat.profile +++ b/etc/icecat.profile 
@@ -1,2 +1,51 @@ # Firejail profile for GNU Icecat -include /etc/firejail/firefox.profile + +noblacklist ~/.mozilla +noblacklist ~/.cache/mozilla +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog + +whitelist ${DOWNLOADS} +mkdir ~/.mozilla +whitelist ~/.mozilla +mkdir ~/.cache/mozilla/icecat +whitelist ~/.cache/mozilla/icecat +whitelist ~/dwhelper +whitelist ~/.zotero +whitelist ~/.vimperatorrc +whitelist ~/.vimperator +whitelist ~/.pentadactylrc +whitelist ~/.pentadactyl +whitelist ~/.keysnail.js +whitelist ~/.config/gnome-mplayer +whitelist ~/.cache/gnome-mplayer/plugin +whitelist ~/.pki + +# lastpass, keepassx +whitelist ~/.keepassx +whitelist ~/.config/keepassx +whitelist ~/keepassx.kdbx +whitelist ~/.lastpass +whitelist ~/.config/lastpass + + +#silverlight +whitelist ~/.wine-pipelight +whitelist ~/.wine-pipelight64 +whitelist ~/.config/pipelight-widevine +whitelist ~/.config/pipelight-silverlight5.1 + +include /etc/firejail/whitelist-common.inc + +# experimental features +#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse + -- cgit v1.2.3-70-g09d2 From 6ffdc467370c4d4964ced120e5a2cddc0bc38490 Mon Sep 17 00:00:00 2001 From: greigdp Date: Thu, 18 Aug 2016 12:00:46 +0100 Subject: Add profile for Gajim IM client --- etc/disable-programs.inc | 3 +++ etc/gajim.profile | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+) create mode 100644 etc/gajim.profile (limited to 'etc') diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index c94bcc9f4..26d9cf22b 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc 
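Review bot: Replacing `include /etc/firejail/firefox.profile` with a full copy of its contents means future hardening of firefox.profile (the later commits on this page keep tightening profiles) will no longer reach icecat; the only icecat-specific lines are the two `~/.cache/mozilla/icecat` entries, so `noblacklist`/`mkdir`/`whitelist` of that directory followed by the original include would be smaller and stay in sync. If a copy is intended, `mkdir ~/.mozilla` / `whitelist ~/.mozilla` exposes the whole Mozilla profile tree rather than just `~/.mozilla/icecat`; whether firefox.profile did the same is not visible here. The commented `# experimental features` private-etc line still names `iceweasel,firefox` rather than icecat, a sign the copy was not adapted.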
@@ -79,6 +79,9 @@ blacklist ${HOME}/.config/Gitter blacklist ${HOME}/.config/Franz blacklist ${HOME}/.jitsi blacklist ${HOME}/.config/Slack +blacklist ${HOME}/.cache/gajim +blacklist ${HOME}/.local/share/gajim +blacklist ${HOME}/.config/gajim # Games blacklist ${HOME}/.hedgewars diff --git a/etc/gajim.profile b/etc/gajim.profile new file mode 100644 index 000000000..04902a734 --- /dev/null +++ b/etc/gajim.profile @@ -0,0 +1,33 @@ +# Firejail profile for Gajim + +mkdir ${HOME}/.cache/gajim +mkdir ${HOME}/.local/share/gajim +mkdir ${HOME}/.config/gajim +mkdir ${HOME}/Downloads + +# Allow the local python 2.7 site packages, in case any plugins are using these +mkdir ${HOME}/.local/lib/python2.7/site-packages/ +whitelist ${HOME}/.local/lib/python2.7/site-packages/ +read-only ${HOME}/.local/lib/python2.7/site-packages/ + +whitelist ${HOME}/.cache/gajim +whitelist ${HOME}/.local/share/gajim +whitelist ${HOME}/.config/gajim +whitelist ${HOME}/Downloads + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc + +caps.drop all +netfilter +nonewprivs +nogroups +noroot +protocol unix,inet,inet6 +seccomp +shell none + +#private-bin python2.7 gajim +private-dev -- cgit v1.2.3-70-g09d2 From fa68d0ca996a792b0c919d50888726fc3395f5c3 Mon Sep 17 00:00:00 2001 From: greigdp Date: Sat, 20 Aug 2016 18:44:30 +0100 Subject: Fix error in Slack profile noblacklist must appear before the includes, to avoid the default profiles from invoking blacklists. --- etc/slack.profile | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/slack.profile b/etc/slack.profile index ea7b715f9..1009f7ee0 100644 --- a/etc/slack.profile +++ b/etc/slack.profile 
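Review bot: The profile whitelists `${HOME}/.cache/gajim`, `${HOME}/.local/share/gajim` and `${HOME}/.config/gajim` but never `noblacklist`s them, while the same commit adds `blacklist` lines for those three paths to disable-programs.inc and the profile then includes that file; this is the ordering problem the later Slack fix on this page describes ("noblacklist must appear before the includes"). Add `noblacklist ${HOME}/.cache/gajim`, `noblacklist ${HOME}/.local/share/gajim` and `noblacklist ${HOME}/.config/gajim` at the top, before the whitelist and include lines. `whitelist ${HOME}/Downloads` also hard-codes the directory name where the other profiles use `${DOWNLOADS}`, and the `read-only` on the python2.7 site-packages path is worth keeping: a compromised client then cannot drop persistent code into a plugin path.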
@@ -1,3 +1,6 @@ +noblacklist ${HOME}/.config/Slack +noblacklist ${HOME}/Downloads + include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc @@ -6,7 +9,7 @@ include /etc/firejail/disable-passwdmgr.inc mkdir ${HOME}/.config mkdir ${HOME}/.config/Slack whitelist ${HOME}/.config/Slack -whitelist ~/Downloads +whitelist ${HOME}/Downloads protocol unix,inet,inet6,netlink private-dev -- cgit v1.2.3-70-g09d2 From d366639fa538139776f7ee0d317f64e8e07ba15f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 20 Aug 2016 17:52:27 -0400 Subject: fixes --- RELNOTES | 4 ++++ etc/disable-common.inc | 4 +--- 2 files changed, 5 insertions(+), 3 deletions(-) (limited to 'etc') diff --git a/RELNOTES b/RELNOTES index 363526417..52eef6a0e 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,4 +1,8 @@ firejail (0.9.42~rc2) baseline; urgency=low + * security: --whitelist deleted files, submitted by Vasya Novikov + * security: disable x32 ABI, submitted by Jann Horn + * security: tighten --chroot, submitted by Jann Horn + * security: terminal sandbox escape, submitted by Stephan Sokolow * deprecated --user option, please use "sudo -u username firejail" instead * --read-write option rework * allow symlinks in home directory for --whitelist option diff --git a/etc/disable-common.inc b/etc/disable-common.inc index ed6ee315b..c4169db8a 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -155,7 +155,7 @@ blacklist /usr/local/sbin # prevent lxterminal connecting to an existing lxterminal session blacklist /tmp/.lxterminal-socket* -# disable terminals running as server +# disable terminals running as server resulting in sandbox escape blacklist ${PATH}/gnome-terminal blacklist ${PATH}/gnome-terminal.wrapper blacklist ${PATH}/xfce4-terminal 
@@ -169,5 +169,3 @@ blacklist ${PATH}/roxterm-config blacklist ${PATH}/terminix blacklist ${PATH}/urxvtc blacklist ${PATH}/urxvtcd -blacklist ${PATH}/konsole -blacklist ${PATH}/yakuake -- cgit v1.2.3-70-g09d2 From 0169ebe193abdfeddbd17a764688d5f9e7a3cb78 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 20 Aug 2016 21:06:21 -0400 Subject: run time support to disable remounting of /proc and /sys --- README | 1 + RELNOTES | 1 + etc/firejail.config | 3 +++ src/firejail/checkcfg.c | 11 +++++++++-- src/firejail/firejail.h | 3 ++- src/firejail/sandbox.c | 9 ++++++++- 6 files changed, 24 insertions(+), 4 deletions(-) (limited to 'etc') diff --git a/README b/README index 51adbaf86..fe9ddaaae 100644 --- a/README +++ b/README @@ -41,6 +41,7 @@ Aleksey Manevich (https://github.com/manevich) - gether shell selection code in one place greigdp (https://github.com/greigdp) - Gajim IM client profile + - fix Slack profile Icaro Perseo (https://github.com/icaroperseo) - Icecat profile - several profile fixes diff --git a/RELNOTES b/RELNOTES index 52eef6a0e..d9e4314ba 100644 --- a/RELNOTES +++ b/RELNOTES @@ -24,6 +24,7 @@ firejail (0.9.42~rc2) baseline; urgency=low * seccomp filter updated * compile time and run time support to disable whitelists * compile time support to disable global configuration file + * run time support to disable remounting of /proc and /sys * added quiet-by-default config option in /etc/firejail/firejail.config * added netfilter-default config option in /etc/firejail/firejail.config * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice diff --git a/etc/firejail.config b/etc/firejail.config index 82fe65ac7..1b8d5f4e3 100644 --- a/etc/firejail.config +++ b/etc/firejail.config @@ -3,6 +3,9 @@ # Most features are enabled by default. Use 'yes' or 'no' as configuration # values. +# Remount /proc and /sys inside the sandbox, default enabled. +# remount-proc-sys yes + # Enable or disable bind support, default enabled. # bind yes 
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index f5ea7439b..c4a6888a9 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -29,7 +29,6 @@ char *xephyr_extra_params = ""; char *netfilter_default = NULL; int checkcfg(int val) { - EUID_ASSERT(); assert(val < CFG_MAX); int line = 0; @@ -38,7 +37,6 @@ int checkcfg(int val) { int i; for (i = 0; i < CFG_MAX; i++) cfg_val[i] = 1; // most of them are enabled by default - cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default cfg_val[CFG_FORCE_NONEWPRIVS] = 0; // disabled by default @@ -226,6 +224,15 @@ int checkcfg(int val) { if (strcmp(ptr + 17, "yes") == 0) arg_quiet = 1; } + // remount /proc and /sys + else if (strncmp(ptr, "remount-proc-sys ", 17) == 0) { + if (strcmp(ptr + 17, "yes") == 0) + cfg_val[CFG_REMOUNT_PROC_SYS] = 1; + else if (strcmp(ptr + 17, "no") == 0) + cfg_val[CFG_REMOUNT_PROC_SYS] = 0; + else + goto errout; + } else goto errout; diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 8301a79a0..067d788a6 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -590,7 +590,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh); #define CFG_FORCE_NONEWPRIVS 8 #define CFG_WHITELIST 9 #define CFG_XEPHYR_WINDOW_TITLE 10 -#define CFG_MAX 11 // this should always be the last entry +#define CFG_REMOUNT_PROC_SYS 11 +#define CFG_MAX 12 // this should always be the last entry extern char *xephyr_screen; extern char *xephyr_extra_params; extern char *netfilter_default; diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index a33c81937..0818bf450 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c 
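Review bot: Removing `EUID_ASSERT()` from `checkcfg()` silently drops the invariant that the configuration file is only parsed while the process is unprivileged; the reason is presumably the new callers in sandbox.c, which run after the sandbox is set up, but nothing in the hunk or the commit says so. If `checkcfg()` fills `cfg_val[]` once and serves later calls from that cache (the init loop in the second hunk suggests it, but the guard is not visible), a safer change keeps the assert and moves it into the branch that actually opens and parses the file, so cached lookups from privileged code stay legal while the parse itself must still happen unprivileged. Either way a comment above the function should state under which EUID it may be entered. `checkcfg()` starts outside the first hunk and ends outside the second.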
@@ -208,6 +208,12 @@ static int monitor_application(pid_t app_pid) { if (arg_debug) printf("Sandbox monitor: waitpid %u retval %d status %d\n", monitored_pid, rv, status); + // if /proc is not remounted, we cannot check /proc directory, + // for now we just get out of here + // todo: find another way of checking child processes! + if (!checkcfg(CFG_REMOUNT_PROC_SYS)) + break; + DIR *dir; if (!(dir = opendir("/proc"))) { // sleep 2 seconds and try again @@ -551,7 +557,8 @@ int sandbox(void* sandbox_arg) { //**************************** // update /proc, /sys, /dev, /boot directorymy //**************************** - fs_proc_sys_dev_boot(); + if (checkcfg(CFG_REMOUNT_PROC_SYS)) + fs_proc_sys_dev_boot(); //**************************** // apply the profile file -- cgit v1.2.3-70-g09d2 From e6ee65a48c1d17da1cd2058b1e61dc838513a49e Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 21 Aug 2016 15:01:10 -0400 Subject: run time support to disable overlayfs --- RELNOTES | 1 + etc/firejail.config | 8 ++- src/firejail/checkcfg.c | 8 +++ src/firejail/firejail.h | 3 +- src/firejail/main.c | 168 ++++++++++++++++++++++++++++-------------------- 5 files changed, 115 insertions(+), 73 deletions(-) (limited to 'etc') diff --git a/RELNOTES b/RELNOTES index d9e4314ba..d59618c7c 100644 --- a/RELNOTES +++ b/RELNOTES @@ -16,6 +16,7 @@ firejail (0.9.42~rc2) baseline; urgency=low * --overlay-clean option * --overlay-named=name option * --overlay-path=path option + * compile time and run time support to disable overlayfs * Ubuntu snap support * include /dev/snd in --private-dev * added mkfile profile command diff --git a/etc/firejail.config b/etc/firejail.config index 1b8d5f4e3..275bba8e2 100644 --- a/etc/firejail.config +++ b/etc/firejail.config 
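Review bot: In hunk `@@ -551,7 +557,8 @@` the `remount-proc-sys` option gates `fs_proc_sys_dev_boot()`, whose name suggests it also handles /dev and /boot, so setting the option to `no` may drop more than the config comment ("Remount /proc and /sys") promises; worth confirming against fs_proc_sys_dev_boot() and either splitting the call or documenting the wider effect, e.g. `// note: also skips the /dev and /boot handling done by fs_proc_sys_dev_boot()`. In hunk `@@ -208,6 +208,12 @@` the added `break` leaves the enclosing loop in monitor_application() as soon as remounting is disabled, so whatever child tracking follows is skipped for the rest of the sandbox's life; the todo says as much, but a debug line before the `break` (the function already prints under `arg_debug`) would make the degraded mode visible at run time. Both enclosing functions continue outside their hunks.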
@@ -3,9 +3,6 @@ # Most features are enabled by default. Use 'yes' or 'no' as configuration # values. -# Remount /proc and /sys inside the sandbox, default enabled. -# remount-proc-sys yes - # Enable or disable bind support, default enabled. # bind yes @@ -24,9 +21,14 @@ # Enable or disable networking features, default enabled. # network yes +# Enable or disable overlayfs features, default enabled. +# overlayfs yes + # Enable --quiet as default every time the sandbox is started. Default disabled. # quiet-by-default no +# Remount /proc and /sys inside the sandbox, default enabled. +# remount-proc-sys yes # Enable or disable restricted network support, default disabled. If enabled, # networking features should also be enabled (network yes). diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index c4a6888a9..fed934434 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -233,6 +233,14 @@ int checkcfg(int val) { else goto errout; } + else if (strncmp(ptr, "overlayfs ", 10) == 0) { + if (strcmp(ptr + 10, "yes") == 0) + cfg_val[CFG_OVERLAYFS] = 1; + else if (strcmp(ptr + 10, "no") == 0) + cfg_val[CFG_OVERLAYFS] = 0; + else + goto errout; + } else goto errout; diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 067d788a6..98ba8ee3b 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -591,7 +591,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh); #define CFG_WHITELIST 9 #define CFG_XEPHYR_WINDOW_TITLE 10 #define CFG_REMOUNT_PROC_SYS 11 -#define CFG_MAX 12 // this should always be the last entry +#define CFG_OVERLAYFS 12 +#define CFG_MAX 13 // this should always be the last entry extern char *xephyr_screen; extern char *xephyr_extra_params; extern char *netfilter_default; diff --git a/src/firejail/main.c b/src/firejail/main.c index c366390cc..1824765eb 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c 
@@ -266,18 +266,24 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { } #ifdef HAVE_OVERLAYFS else if (strcmp(argv[i], "--overlay-clean") == 0) { - char *path; - if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1) - errExit("asprintf"); - EUID_ROOT(); - if (setreuid(0, 0) < 0) - errExit("setreuid"); - if (setregid(0, 0) < 0) - errExit("setregid"); - errno = 0; - int rv = remove_directory(path); - if (rv) { - fprintf(stderr, "Error: cannot removed overlays stored in ~/.firejail directory, errno %d\n", errno); + if (checkcfg(CFG_OVERLAYFS)) { + char *path; + if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1) + errExit("asprintf"); + EUID_ROOT(); + if (setreuid(0, 0) < 0) + errExit("setreuid"); + if (setregid(0, 0) < 0) + errExit("setregid"); + errno = 0; + int rv = remove_directory(path); + if (rv) { + fprintf(stderr, "Error: cannot removed overlays stored in ~/.firejail directory, errno %d\n", errno); + exit(1); + } + } + else { + fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n"); exit(1); } exit(0); 
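Review bot: The new `checkcfg(CFG_OVERLAYFS)` test in hunk `@@ -266,18 +266,24 @@` wraps the whole existing body in an extra `if` level and appends an `else` that prints and exits, which is what re-indents every original line; a guard clause at the top, `if (!checkcfg(CFG_OVERLAYFS)) { fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n"); exit(1); }`, leaves the original body untouched and keeps the diff to three lines. The same wrapping is applied four more times in the main() hunk `@@ -1283,78 +1289,103 @@`, repeating the identical error string each time; a small static helper that prints it and exits would remove the duplication. run_cmd_and_exit() continues outside the hunk.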
@@ -1283,78 +1289,103 @@ int main(int argc, char **argv) { } #ifdef HAVE_OVERLAYFS else if (strcmp(argv[i], "--overlay") == 0) { - if (cfg.chrootdir) { - fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); - exit(1); + if (checkcfg(CFG_OVERLAYFS)) { + if (cfg.chrootdir) { + fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); + exit(1); + } + struct stat s; + if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { + fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); + exit(1); + } + arg_overlay = 1; + arg_overlay_keep = 1; + + char *subdirname; + if (asprintf(&subdirname, "%d", getpid()) == -1) + errExit("asprintf"); + cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse); + + free(subdirname); } - struct stat s; - if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { - fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); - exit(1); + else { + fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n"); + exit(1); } - arg_overlay = 1; - arg_overlay_keep = 1; - - char *subdirname; - if (asprintf(&subdirname, "%d", getpid()) == -1) - errExit("asprintf"); - cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse); - - free(subdirname); } else if (strncmp(argv[i], "--overlay-named=", 16) == 0) { - if (cfg.chrootdir) { - fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); - exit(1); - } - struct stat s; - if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { - fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); - exit(1); + if (checkcfg(CFG_OVERLAYFS)) { + if (cfg.chrootdir) { + fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); + exit(1); + } + struct stat s; + if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { + fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); + 
exit(1); + } + arg_overlay = 1; + arg_overlay_keep = 1; + arg_overlay_reuse = 1; + + char *subdirname = argv[i] + 16; + if (subdirname == '\0') { + fprintf(stderr, "Error: invalid overlay option\n"); + exit(1); + } + cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse); } - arg_overlay = 1; - arg_overlay_keep = 1; - arg_overlay_reuse = 1; - - char *subdirname = argv[i] + 16; - if (subdirname == '\0') { - fprintf(stderr, "Error: invalid overlay option\n"); + else { + fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n"); exit(1); } - cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse); + } else if (strncmp(argv[i], "--overlay-path=", 15) == 0) { - if (cfg.chrootdir) { - fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); - exit(1); - } - struct stat s; - if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { - fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); - exit(1); + if (checkcfg(CFG_OVERLAYFS)) { + if (cfg.chrootdir) { + fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); + exit(1); + } + struct stat s; + if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { + fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); + exit(1); + } + arg_overlay = 1; + arg_overlay_keep = 1; + arg_overlay_reuse = 1; + + char *dirname = argv[i] + 15; + if (dirname == '\0') { + fprintf(stderr, "Error: invalid overlay option\n"); + exit(1); + } + cfg.overlay_dir = expand_home(dirname, cfg.homedir); } - arg_overlay = 1; - arg_overlay_keep = 1; - arg_overlay_reuse = 1; - - char *dirname = argv[i] + 15; - if (dirname == '\0') { - fprintf(stderr, "Error: invalid overlay option\n"); + else { + fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n"); exit(1); } - cfg.overlay_dir = expand_home(dirname, cfg.homedir); } else if (strcmp(argv[i], "--overlay-tmpfs") == 0) { 
- if (cfg.chrootdir) { - fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); - exit(1); + if (checkcfg(CFG_OVERLAYFS)) { + if (cfg.chrootdir) { + fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); + exit(1); + } + struct stat s; + if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { + fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); + exit(1); + } + arg_overlay = 1; } - struct stat s; - if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { - fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); - exit(1); + else { + fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n"); + exit(1); } - arg_overlay = 1; } #endif else if (strncmp(argv[i], "--profile=", 10) == 0) { @@ -1477,7 +1508,6 @@ int main(int argc, char **argv) { fprintf(stderr, "Error: --chroot feature is disabled in Firejail configuration file\n"); exit(1); } - } #endif else if (strcmp(argv[i], "--writable-etc") == 0) { -- cgit v1.2.3-70-g09d2 From e93fbf3bd23a243e2dafecb2af07353049c3b890 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 21 Aug 2016 19:37:04 -0400 Subject: disable ssh-agent sockets in disable-programs.inc --- etc/disable-programs.inc | 3 +++ etc/ssh.profile | 1 + 2 files changed, 4 insertions(+) (limited to 'etc') diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 26d9cf22b..2f7584241 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -134,3 +134,6 @@ blacklist ${HOME}/.local/share/totem blacklist ${HOME}/.local/share/psi+ blacklist ${HOME}/.local/share/pix blacklist ${HOME}/.local/share/gnome-chess + +# ssh +blacklist /tmp/ssh-* diff --git a/etc/ssh.profile b/etc/ssh.profile index a6d52c5a5..2411e46f3 100644 --- a/etc/ssh.profile +++ b/etc/ssh.profile 
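Review bot: `if (subdirname == '\0')` in the `--overlay-named=` branch and `if (dirname == '\0')` in the `--overlay-path=` branch compare the pointer itself with the null character, i.e. with NULL, which is never true for `argv[i] + 16` or `argv[i] + 15`; the empty-value check that the "invalid overlay option" message announces never fires, and an empty name reaches fs_check_overlay_dir() and expand_home(). The commit moves both lines into the new `checkcfg(CFG_OVERLAYFS)` blocks without correcting them; they should read `if (*subdirname == '\0') {` and `if (*dirname == '\0') {`. The enclosing option loop of main() starts and ends outside the hunk.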
@@ -1,5 +1,6 @@ # ssh client noblacklist ~/.ssh +noblacklist /tmp/ssh-* include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc -- cgit v1.2.3-70-g09d2 From c6abe4d06cc6349b9a814b11c5058f749ac8585a Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 23 Aug 2016 07:59:03 -0400 Subject: run time support to disable chroot desktop features --- RELNOTES | 1 + etc/firejail.config | 5 ++ src/firejail/checkcfg.c | 8 +++ src/firejail/firejail.h | 3 +- src/firejail/fs.c | 132 +++++++++++++++++++++++++----------------------- 5 files changed, 84 insertions(+), 65 deletions(-) (limited to 'etc') diff --git a/RELNOTES b/RELNOTES index ee3d60230..2a3d93771 100644 --- a/RELNOTES +++ b/RELNOTES @@ -26,6 +26,7 @@ firejail (0.9.42~rc2) baseline; urgency=low * compile time and run time support to disable whitelists * compile time support to disable global configuration file * run time support to disable remounting of /proc and /sys + * run time support to disable chroot desktop features * added quiet-by-default config option in /etc/firejail/firejail.config * added netfilter-default config option in /etc/firejail/firejail.config * added x11 command for profile files diff --git a/etc/firejail.config b/etc/firejail.config index 275bba8e2..6b6ba7fdf 100644 --- a/etc/firejail.config +++ b/etc/firejail.config @@ -9,6 +9,11 @@ # Enable or disable chroot support, default enabled. # chroot yes +# Use chroot for desktop programs, default enabled. The sandbox will have full +# access to system's /dev directory in order to allow video acceleration, +# and it will harden the rest of the chroot tree. +# chroot-desktop yes + # Enable or disable file transfer support, default enabled. # file-transfer yes diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index fed934434..5bc859f8d 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c 
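Review bot: `noblacklist /tmp/ssh-*` in ssh.profile carries no comment saying what it re-exposes, while the matching `blacklist /tmp/ssh-*` added to disable-programs.inc in the same commit at least sits under a `# ssh` heading. A line such as `# ssh-agent sockets (SSH_AUTH_SOCK) are hidden by disable-programs.inc; the ssh client needs them` above it makes the pairing visible to anyone editing either file. It also records that any other profile wanting agent access needs the same exception.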
@@ -241,6 +241,14 @@ int checkcfg(int val) { else goto errout; } + else if (strncmp(ptr, "chroot-desktop ", 15) == 0) { + if (strcmp(ptr + 15, "yes") == 0) + cfg_val[CFG_CHROOT_DESKTOP] = 1; + else if (strcmp(ptr + 15, "no") == 0) + cfg_val[CFG_CHROOT_DESKTOP] = 0; + else + goto errout; + } else goto errout; diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 8e30e929a..abbaa807c 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -593,7 +593,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh); #define CFG_XEPHYR_WINDOW_TITLE 10 #define CFG_REMOUNT_PROC_SYS 11 #define CFG_OVERLAYFS 12 -#define CFG_MAX 13 // this should always be the last entry +#define CFG_CHROOT_DESKTOP 13 +#define CFG_MAX 14 // this should always be the last entry extern char *xephyr_screen; extern char *xephyr_extra_params; extern char *netfilter_default; diff --git a/src/firejail/fs.c b/src/firejail/fs.c index c5ef27615..6c87df1e9 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c 
@@ -1211,56 +1211,58 @@ int fs_check_chroot_dir(const char *rootdir) { void fs_chroot(const char *rootdir) { assert(rootdir); - // mount-bind a /dev in rootdir - char *newdev; - if (asprintf(&newdev, "%s/dev", rootdir) == -1) - errExit("asprintf"); - if (arg_debug) - printf("Mounting /dev on %s\n", newdev); - if (mount("/dev", newdev, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mounting /dev"); - free(newdev); - - // x11 - if (getenv("FIREJAIL_X11")) { - char *newx11; - if (asprintf(&newx11, "%s/tmp/.X11-unix", rootdir) == -1) + if (checkcfg(CFG_CHROOT_DESKTOP)) { + // mount-bind a /dev in rootdir + char *newdev; + if (asprintf(&newdev, "%s/dev", rootdir) == -1) errExit("asprintf"); if (arg_debug) - printf("Mounting /tmp/.X11-unix on %s\n", newx11); - if (mount("/tmp/.X11-unix", newx11, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mounting /tmp/.X11-unix"); - free(newx11); - } - - // some older distros don't have a /run directory - // create one by default - // no exit on error, let the user deal with any problems - char *rundir; - if (asprintf(&rundir, "%s/run", rootdir) == -1) - errExit("asprintf"); - if (!is_dir(rundir)) { - int rv = mkdir(rundir, 0755); - (void) rv; - rv = chown(rundir, 0, 0); - (void) rv; + printf("Mounting /dev on %s\n", newdev); + if (mount("/dev", newdev, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mounting /dev"); + free(newdev); + + // x11 + if (getenv("FIREJAIL_X11")) { + char *newx11; + if (asprintf(&newx11, "%s/tmp/.X11-unix", rootdir) == -1) + errExit("asprintf"); + if (arg_debug) + printf("Mounting /tmp/.X11-unix on %s\n", newx11); + if (mount("/tmp/.X11-unix", newx11, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mounting /tmp/.X11-unix"); + free(newx11); + } + + // some older distros don't have a /run directory + // create one by default + // no exit on error, let the user deal with any problems + char *rundir; + if (asprintf(&rundir, "%s/run", rootdir) == -1) + errExit("asprintf"); + if (!is_dir(rundir)) { + int rv = mkdir(rundir, 
0755); + (void) rv; + rv = chown(rundir, 0, 0); + (void) rv; + } + + // copy /etc/resolv.conf in chroot directory + // if resolv.conf in chroot is a symbolic link, this will fail + // no exit on error, let the user deal with the problem + char *fname; + if (asprintf(&fname, "%s/etc/resolv.conf", rootdir) == -1) + errExit("asprintf"); + if (arg_debug) + printf("Updating /etc/resolv.conf in %s\n", fname); + if (is_link(fname)) { + fprintf(stderr, "Error: invalid %s file\n", fname); + exit(1); + } + if (copy_file("/etc/resolv.conf", fname) == -1) + fprintf(stderr, "Warning: /etc/resolv.conf not initialized\n"); } - // copy /etc/resolv.conf in chroot directory - // if resolv.conf in chroot is a symbolic link, this will fail - // no exit on error, let the user deal with the problem - char *fname; - if (asprintf(&fname, "%s/etc/resolv.conf", rootdir) == -1) - errExit("asprintf"); - if (arg_debug) - printf("Updating /etc/resolv.conf in %s\n", fname); - if (is_link(fname)) { - fprintf(stderr, "Error: invalid %s file\n", fname); - exit(1); - } - if (copy_file("/etc/resolv.conf", fname) == -1) - fprintf(stderr, "Warning: /etc/resolv.conf not initialized\n"); - // chroot into the new directory if (arg_debug) printf("Chrooting into %s\n", rootdir); 
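Review bot: Inside the new `if (checkcfg(CFG_CHROOT_DESKTOP))` block in hunk `@@ -1211,56 +1211,58 @@`, `rundir` and `fname` obtained from asprintf() go out of scope at the closing brace without being freed, whereas `newdev` and `newx11` in the same block are freed right after use; the leak predates the commit, but the lines are now part of the reworked block and the inconsistency is more visible. Adding `free(rundir);` after the `is_dir()` branch and `free(fname);` after the copy_file() call makes the block uniform. fs_chroot() continues past the hunk.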
@@ -1269,24 +1271,26 @@ void fs_chroot(const char *rootdir) { // mount a new tmpfs in /run/firejail/mnt - the old one was lost in chroot fs_build_remount_mnt_dir(); - // update /var directory in order to support multiple sandboxes running on the same root directory - if (!arg_private_dev) - fs_dev_shm(); - fs_var_lock(); - fs_var_tmp(); - fs_var_log(); - fs_var_lib(); - fs_var_cache(); - fs_var_utmp(); - - // don't leak user information - restrict_users(); - - // when starting as root, firejail config is not disabled; - // this mode could be used to install and test new software by chaining - // firejail sandboxes (firejail --force) - if (getuid() != 0) - disable_config(); + if (checkcfg(CFG_CHROOT_DESKTOP)) { + // update /var directory in order to support multiple sandboxes running on the same root directory + if (!arg_private_dev) + fs_dev_shm(); + fs_var_lock(); + fs_var_tmp(); + fs_var_log(); + fs_var_lib(); + fs_var_cache(); + fs_var_utmp(); + + // don't leak user information + restrict_users(); + + // when starting as root, firejail config is not disabled; + // this mode could be used to install and test new software by chaining + // firejail sandboxes (firejail --force) + if (getuid() != 0) + disable_config(); + } } #endif -- cgit v1.2.3-70-g09d2 From 277a06d1f24828b8cf408b5c2d3c072d4977eabe Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 25 Aug 2016 09:22:58 -0400 Subject: added back strings profile --- etc/strings.profile | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 etc/strings.profile (limited to 'etc') diff --git a/etc/strings.profile b/etc/strings.profile new file mode 100644 index 000000000..d013e7cb5 --- /dev/null +++ b/etc/strings.profile @@ -0,0 +1,11 @@ +# strings profile +quiet +ignore noroot +include /etc/firejail/default.profile +tracelog +net none +shell none +private-dev +private-tmp +nosound + -- cgit v1.2.3-70-g09d2 From f67614cef6c9f6513b3efa72f05f763c510021ad Mon Sep 17 00:00:00 2001 
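Review bot: With `chroot-desktop no`, the second `if (checkcfg(CFG_CHROOT_DESKTOP))` block in hunk `@@ -1269,24 +1271,26 @@` also skips `restrict_users()` and `disable_config()`, so the option switches off the "don't leak user information" and config-hiding steps together with the /dev bind mount, although the config comment added in etc/firejail.config presents the option as the one that exposes /dev and hardens the tree. If that coupling is intended, a comment at the top of the block such as `// chroot-desktop no: bare chroot, none of the hardening below is applied` plus a matching sentence in firejail.config would make it explicit; otherwise the two hardening calls belong outside the conditional. fs_chroot() begins before the hunk.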
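Review bot: `ignore noroot` in the new strings.profile drops the noroot hardening that `include /etc/firejail/default.profile` would otherwise bring in, and nothing in the profile says why; since the rest of the file is restrictive (`net none`, `shell none`, `private-dev`, `private-tmp`), the exception stands out. A one-line comment above it recording the reason, for instance that the tool is commonly run from root shells if that is the case, lets a later reviewer decide whether the exception is still needed.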
From: Fred-Barclay Date: Thu, 1 Sep 2016 03:42:13 +1000 Subject: may break on some systems --- etc/hexchat.profile | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'etc') diff --git a/etc/hexchat.profile b/etc/hexchat.profile index 0ff64aef5..5cefe45b5 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile @@ -1,7 +1,8 @@ # HexChat instant messaging profile +# Currently in testing (may not work for all users) noblacklist ${HOME}/.config/hexchat -noblacklist /usr/lib/python2* -noblacklist /usr/lib/python3* +#noblacklist /usr/lib/python2* +#noblacklist /usr/lib/python3* include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc @@ -14,11 +15,14 @@ noroot nosound protocol unix,inet,inet6 seccomp +shell none +tracelog mkdir ~/.config/hexchat whitelist ~/.config/hexchat include /etc/firejail/whitelist-common.inc -# private-bin requires perl, python, etc. +private-bin hexchat +#debug note: private-bin requires perl, python, etc on some systems private-dev private-tmp -- cgit v1.2.3-70-g09d2 From c26be70b30582400dc88a4bb213368a6d7250302 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Thu, 1 Sep 2016 03:42:44 +1000 Subject: tested and stable --- etc/0ad.profile | 4 ++-- etc/atom-beta.profile | 7 ++++--- etc/atom.profile | 6 ++++-- etc/atril.profile | 1 + etc/audacity.profile | 2 ++ etc/aweather.profile | 3 ++- etc/dosbox.profile | 21 +++++++++++++++++++++ etc/eom.profile | 1 + etc/gitter.profile | 4 +++- etc/gthumb.profile | 1 - etc/libreoffice.profile | 3 +-- etc/palemoon.profile | 1 + etc/pidgin.profile | 1 + etc/qtox.profile | 1 + etc/rhythmbox.profile | 1 + etc/stellarium.profile | 2 +- etc/transmission-gtk.profile | 2 +- etc/vlc.profile | 2 ++ etc/warzone2100.profile | 1 + etc/xplayer.profile | 1 + etc/xreader.profile | 1 + etc/xviewer.profile | 3 ++- 22 files changed, 54 insertions(+), 15 deletions(-) create mode 100644 etc/dosbox.profile (limited to 'etc') 
diff --git a/etc/0ad.profile b/etc/0ad.profile index 217cdeee0..1e7c06879 100644 --- a/etc/0ad.profile +++ b/etc/0ad.profile @@ -19,8 +19,8 @@ whitelist ~/.local/share/0ad caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot protocol unix,inet,inet6 seccomp @@ -28,4 +28,4 @@ shell none tracelog private-dev - +private-tmp diff --git a/etc/atom-beta.profile b/etc/atom-beta.profile index 3c753e86c..9a8d93875 100644 --- a/etc/atom-beta.profile +++ b/etc/atom-beta.profile @@ -1,4 +1,4 @@ -# Firjail profile for Atom Beta. +# Firejail profile for Atom Beta. noblacklist ~/.atom noblacklist ~/.config/Atom @@ -11,9 +11,10 @@ netfilter nonewprivs nogroups noroot +nosound +protocol unix,inet,inet6,netlink seccomp shell none private-dev -nosound - +private-tmp diff --git a/etc/atom.profile b/etc/atom.profile index 8304cd379..3cb86847e 100644 --- a/etc/atom.profile +++ b/etc/atom.profile @@ -1,4 +1,4 @@ -# Firjail profile for Atom. +# Firejail profile for Atom. noblacklist ~/.atom noblacklist ~/.config/Atom @@ -11,8 +11,10 @@ netfilter nonewprivs nogroups noroot +nosound +protocol unix,inet,inet6,netlink seccomp shell none private-dev -nosound +private-tmp diff --git a/etc/atril.profile b/etc/atril.profile index bfe731bec..d9e10b072 100644 --- a/etc/atril.profile +++ b/etc/atril.profile @@ -18,3 +18,4 @@ tracelog private-bin atril, atril-previewer, atril-thumbnailer private-dev +private-tmp diff --git a/etc/audacity.profile b/etc/audacity.profile index 162201cb8..be3fac9be 100644 --- a/etc/audacity.profile +++ b/etc/audacity.profile @@ -7,6 +7,7 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc caps.drop all +netfilter nonewprivs nogroups noroot @@ -17,3 +18,4 @@ tracelog private-bin audacity private-dev +private-tmp diff --git a/etc/aweather.profile b/etc/aweather.profile index da93e8ba3..4e5c36f50 100644 --- a/etc/aweather.profile +++ b/etc/aweather.profile 
@@ -15,10 +15,11 @@ nonewprivs nogroups noroot nosound -protocol unix,inet,inet6,netlink +protocol unix,inet,inet6 seccomp shell none tracelog private-bin aweather private-dev +private-tmp diff --git a/etc/dosbox.profile b/etc/dosbox.profile new file mode 100644 index 000000000..45fbb712a --- /dev/null +++ b/etc/dosbox.profile @@ -0,0 +1,21 @@ +# Firejail profile for dosbox +noblacklist ~/.dosbox + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +private-bin dosbox +private-dev +private-tmp diff --git a/etc/eom.profile b/etc/eom.profile index 81d993e96..dfcea82c1 100644 --- a/etc/eom.profile +++ b/etc/eom.profile @@ -18,3 +18,4 @@ tracelog private-bin eom private-dev +private-tmp diff --git a/etc/gitter.profile b/etc/gitter.profile index 2882c59a6..f43f5f199 100644 --- a/etc/gitter.profile +++ b/etc/gitter.profile @@ -7,12 +7,14 @@ include /etc/firejail/disable-devel.inc caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot +nosound protocol unix,inet,inet6,netlink seccomp shell none private-bin gitter private-dev +private-tmp diff --git a/etc/gthumb.profile b/etc/gthumb.profile index e043c7229..3ffd10add 100644 --- a/etc/gthumb.profile +++ b/etc/gthumb.profile @@ -19,4 +19,3 @@ tracelog private-bin gthumb whitelist /tmp/.X11-unix private-dev -private-tmp diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index 77a00ebef..75a52e9ff 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile @@ -7,6 +7,7 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter +nogroups nonewprivs noroot protocol unix,inet,inet6,netlink @@ -15,5 +16,3 @@ tracelog private-dev whitelist /tmp/.X11-unix/ -nosound - diff --git a/etc/palemoon.profile b/etc/palemoon.profile index acedaebb7..71deec6bc 100644 
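Review bot: The removal of `nosound` from libreoffice.profile in hunk `@@ -15,5 +16,3 @@` widens the sandbox (audio devices become reachable) in a commit whose other hunks only add restrictions such as `private-tmp` and `nogroups`; the gthumb.profile hunk likewise drops `private-tmp`, and the commit message "tested and stable" gives no reason for either. If LibreOffice needs audio, presumably for embedded media, a comment in place of the removed line, `# nosound omitted: needed for embedded media playback`, keeps the decision from being reverted as an oversight; the same applies to the gthumb change.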
--- a/etc/palemoon.profile +++ b/etc/palemoon.profile @@ -23,6 +23,7 @@ shell none tracelog private-bin palemoon +private-tmp # These are uncommented in the Firefox profile. If you run into trouble you may # want to uncomment (some of) them. diff --git a/etc/pidgin.profile b/etc/pidgin.profile index 3df2cafa6..47be2b6ea 100644 --- a/etc/pidgin.profile +++ b/etc/pidgin.profile @@ -18,3 +18,4 @@ tracelog private-bin pidgin private-dev +private-tmp diff --git a/etc/qtox.profile b/etc/qtox.profile index 0cac18573..927487037 100644 --- a/etc/qtox.profile +++ b/etc/qtox.profile @@ -20,3 +20,4 @@ shell none tracelog private-bin qtox +private-tmp diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index 9f087ea1d..0e8527ae7 100644 --- a/etc/rhythmbox.profile +++ b/etc/rhythmbox.profile @@ -16,3 +16,4 @@ tracelog private-bin rhythmbox private-dev +private-tmp diff --git a/etc/stellarium.profile b/etc/stellarium.profile index adefa75ff..d57c9e5f7 100644 --- a/etc/stellarium.profile +++ b/etc/stellarium.profile @@ -25,4 +25,4 @@ tracelog private-bin stellarium private-dev - +private-tmp diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index fa5c3b22b..0cfa4fcfc 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile @@ -14,9 +14,9 @@ noroot nosound protocol unix,inet,inet6 seccomp +shell none tracelog -shell none private-bin transmission-gtk whitelist /tmp/.X11-unix private-dev diff --git a/etc/vlc.profile b/etc/vlc.profile index c82247dd2..cdd098dd5 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile @@ -17,3 +17,5 @@ shell none tracelog private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc +private-dev +private-tmp diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile index ff37e2800..7c7efade8 100644 --- a/etc/warzone2100.profile +++ b/etc/warzone2100.profile @@ -23,3 +23,4 @@ tracelog private-bin warzone2100 private-dev +private-tmp diff --git a/etc/xplayer.profile b/etc/xplayer.profile index a46b2fa06..54d5ed89b 100644 
--- a/etc/xplayer.profile +++ b/etc/xplayer.profile @@ -19,3 +19,4 @@ tracelog private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer private-dev +private-tmp diff --git a/etc/xreader.profile b/etc/xreader.profile index ac7d34022..d2a000bd0 100644 --- a/etc/xreader.profile +++ b/etc/xreader.profile @@ -20,3 +20,4 @@ tracelog private-bin xreader, xreader-previewer, xreader-thumbnailer private-dev +private-tmp diff --git a/etc/xviewer.profile b/etc/xviewer.profile index 7a4ae4858..cbb59d16e 100644 --- a/etc/xviewer.profile +++ b/etc/xviewer.profile @@ -6,8 +6,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -nonewprivs nogroups +nonewprivs noroot nosound protocol unix @@ -17,3 +17,4 @@ tracelog private-dev private-bin xviewer +private-tmp -- cgit v1.2.3-70-g09d2 From 425c3c34c54366cadc6f97df99dc6fa5c964dc25 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Fri, 2 Sep 2016 12:08:03 +1000 Subject: extra dosbox files --- README | 1 + README.md | 2 +- RELNOTES | 2 +- etc/disable-programs.inc | 1 + platform/debian/conffiles | 1 + src/firecfg/firecfg.config | 1 + 6 files changed, 6 insertions(+), 2 deletions(-) (limited to 'etc') diff --git a/README b/README index c8cdbb6d8..fa67c1252 100644 --- a/README +++ b/README @@ -103,6 +103,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - pidgin private-bin conversion - added eom profile - added gnome-chess profile + - added DOSBox profile Jaykishan Mutkawoa (https://github.com/jmutkawoa) - cpio profile Paupiah Yash (https://github.com/CaffeinatedStud) diff --git a/README.md b/README.md index 6785e3f7a..ebd39de5b 100644 --- a/README.md +++ b/README.md 
@@ -197,5 +197,5 @@ Browsers: Palemoon ## New security profiles Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview -tar (gtar), unzip, unrar, file, skypeforlinux, gnome-chess, inox, Slack, Gajim IM client +tar (gtar), unzip, unrar, file, skypeforlinux, gnome-chess, inox, Slack, Gajim IM client, DOSBox diff --git a/RELNOTES b/RELNOTES index 62171af35..3c69b0a1c 100644 --- a/RELNOTES +++ b/RELNOTES @@ -39,7 +39,7 @@ firejail (0.9.42~rc2) baseline; urgency=low * profiles: pix, audacity, xz, xzdec, gzip, cpio, less * profiles: Atom Beta, Atom, jitsi, eom, uudeview * profiles: tar (gtar), unzip, unrar, file, skypeforlinux, - * profiles: inox, Slack, gnome-chess. Gajim IM client + * profiles: inox, Slack, gnome-chess. Gajim IM client, DOSBox * bugfixes -- netblue30 Thu, 26 Aug 2016 08:00:00 -0500 diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 2f7584241..fb0f5a669 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -89,6 +89,7 @@ blacklist ${HOME}/.steam blacklist ${HOME}/.config/wesnoth blacklist ${HOME}/.config/0ad blacklist ${HOME}/.warzone2100-3.1 +blacklist ${HOME}/.dosbox # Cryptocoins blacklist ${HOME}/.*coin diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 2eaca90ce..691c536df 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -142,3 +142,4 @@ /etc/firejail/xz.profile /etc/firejail/xzdec.profile /etc/firejail/strings.profile +/etc/firejail/dosbox.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index c909e6903..dd876c87c 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -75,6 +75,7 @@ unbound # emulators/compatibility layers mupen64plus wine +dosbox # games 0ad -- cgit v1.2.3-70-g09d2 From 6aad9ad431f749003b4eab7b91cfdd0f218852a2 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Sun, 4 Sep 2016 13:52:16 -0400 Subject: bringing back --private-home --- README | 2 +- README.md | 2 + RELNOTES | 1 + configure | 17 ++ configure.ac | 9 + etc/firejail.config | 3 + src/firejail/Makefile.in | 3 +- src/firejail/checkcfg.c | 32 +++- src/firejail/firejail.h | 4 +- src/firejail/fs_home.c | 408 +++++++++++++++++++++++++++++++++---------- src/firejail/main.c | 51 +++--- src/firejail/profile.c | 12 ++ src/firejail/sandbox.c | 8 + src/firejail/usage.c | 22 +-- src/man/firejail-profile.txt | 6 + src/man/firejail.txt | 13 ++ 16 files changed, 446 insertions(+), 147 deletions(-) (limited to 'etc') diff --git a/README b/README index 8923abaf4..7ba78a05f 100644 --- a/README +++ b/README @@ -87,7 +87,7 @@ greigdp (https://github.com/greigdp) Laurent Declercq (https://github.com/nuxwin) - fixed test for shell interpreter in chroots Franco (nextime) Lanza (https://github.com/nextime) - - added --private-template + - added --private-template/--private-home xee5ch (https://github.com/xee5ch) - skypeforlinux profile Peter Hogg (https://github.com/pigmonkey) diff --git a/README.md b/README.md index ebd39de5b..2f2ab38e7 100644 --- a/README.md +++ b/README.md @@ -38,6 +38,8 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ Version 0.9.41~rc1 was released. +## Bringing back --private-home + ## Deprecated --user --user option was deprecated, please use "sudo -u username firejail application" instead. diff --git a/RELNOTES b/RELNOTES index d07bfa896..734a92b4f 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -4,6 +4,7 @@ firejail (0.9.42~rc2) baseline; urgency=low * security: tighten --chroot, submitted by Jann Horn * security: terminal sandbox escape, submitted by Stephan Sokolow * security: several TOCTOU fixes submitted by Aleksey Manevich + * modifs: bringing back --private-home option * modifs: deprecated --user option, please use "sudo -u username firejail" * modifs: allow symlinks in home directory for --whitelist option * modifs: Firejail prompt is enabled by env variable FIREJAIL_PROMPT="yes" diff --git a/configure b/configure index 3f9d0fc42..0b05d42e5 100755 --- a/configure +++ b/configure @@ -636,6 +636,7 @@ HAVE_GLOBALCFG HAVE_BIND HAVE_CHROOT HAVE_SECCOMP +HAVE_PRIVATE_HOME HAVE_OVERLAYFS EXTRA_LDFLAGS EGREP @@ -696,6 +697,7 @@ ac_user_opts=' enable_option_checking enable_apparmor enable_overlayfs +enable_private_home enable_seccomp enable_chroot enable_bind @@ -1328,6 +1330,7 @@ Optional Features: --enable-FEATURE[=ARG] include FEATURE [ARG=yes] --enable-apparmor enable apparmor --disable-overlayfs disable overlayfs + --disable-private-home disable private home feature --disable-seccomp disable seccomp --disable-chroot disable chroot --disable-bind disable bind @@ -3525,6 +3528,19 @@ if test "x$enable_overlayfs" != "xno"; then : HAVE_OVERLAYFS="-DHAVE_OVERLAYFS" +fi + +HAVE_PRIVATEHOME="" +# Check whether --enable-private-home was given. +if test "${enable_private_home+set}" = set; then : + enableval=$enable_private_home; +fi + +if test "x$enable_private_home" != "xno"; then : + + HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME" + + fi HAVE_SECCOMP="" @@ -4937,6 +4953,7 @@ echo " network: $HAVE_NETWORK" echo " user namespace: $HAVE_USERNS" echo " X11 sandboxing support: $HAVE_X11" echo " whitelisting: $HAVE_WHITELIST" +echo " private home support: $HAVE_PRIVATE_HOME" echo " file transfer support: $HAVE_FILE_TRANSFER" echo " overlayfs support: $HAVE_OVERLAYFS" echo " fatal warnings: $HAVE_FATAL_WARNINGS" 
diff --git a/configure.ac b/configure.ac index 67b74e723..ca6066d25 100644 --- a/configure.ac +++ b/configure.ac @@ -38,6 +38,14 @@ AS_IF([test "x$enable_overlayfs" != "xno"], [ AC_SUBST(HAVE_OVERLAYFS) ]) +HAVE_PRIVATEHOME="" +AC_ARG_ENABLE([private-home], + AS_HELP_STRING([--disable-private-home], [disable private home feature])) +AS_IF([test "x$enable_private_home" != "xno"], [ + HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME" + AC_SUBST(HAVE_PRIVATE_HOME) +]) + HAVE_SECCOMP="" AC_ARG_ENABLE([seccomp], AS_HELP_STRING([--disable-seccomp], [disable seccomp])) @@ -163,6 +171,7 @@ echo " network: $HAVE_NETWORK" echo " user namespace: $HAVE_USERNS" echo " X11 sandboxing support: $HAVE_X11" echo " whitelisting: $HAVE_WHITELIST" +echo " private home support: $HAVE_PRIVATE_HOME" echo " file transfer support: $HAVE_FILE_TRANSFER" echo " overlayfs support: $HAVE_OVERLAYFS" echo " fatal warnings: $HAVE_FATAL_WARNINGS" diff --git a/etc/firejail.config b/etc/firejail.config index 6b6ba7fdf..08ff5380d 100644 --- a/etc/firejail.config +++ b/etc/firejail.config @@ -29,6 +29,9 @@ # Enable or disable overlayfs features, default enabled. # overlayfs yes +# Enable or disable private-home feature, default enabled +# private-home yes + # Enable --quiet as default every time the sandbox is started. Default disabled. # quiet-by-default no diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in index f56137308..fce460906 100644 --- a/src/firejail/Makefile.in +++ b/src/firejail/Makefile.in 
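Review bot: The new block initialises `HAVE_PRIVATEHOME=""` but every later use in the same hunk, the AC_SUBST and the summary `echo` read `HAVE_PRIVATE_HOME`, so the variable that is actually substituted is never reset and, with `--disable-private-home`, the summary line prints whatever the environment happened to hold instead of an empty string. Change the first line to `HAVE_PRIVATE_HOME=""`. The same typo is carried into the generated `configure` in this commit, so that file needs regenerating after the fix.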
@@ -20,13 +20,14 @@ HAVE_WHITELIST=@HAVE_WHITELIST@ HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ HAVE_APPARMOR=@HAVE_APPARMOR@ HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ +HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ H_FILE_LIST = $(sort $(wildcard *.[h])) C_FILE_LIST = $(sort $(wildcard *.c)) OBJS = $(C_FILE_LIST:.c=.o) BINOBJS = $(foreach file, $(OBJS), $file) -CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security +CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 5bc859f8d..99266c575 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -241,6 +241,14 @@ int checkcfg(int val) { else goto errout; } + else if (strncmp(ptr, "private-home ", 13) == 0) { + if (strcmp(ptr + 13, "yes") == 0) + cfg_val[CFG_PRIVATE_HOME] = 1; + else if (strcmp(ptr + 13, "no") == 0) + cfg_val[CFG_PRIVATE_HOME] = 0; + else + goto errout; + } else if (strncmp(ptr, "chroot-desktop ", 15) == 0) { if (strcmp(ptr + 15, "yes") == 0) cfg_val[CFG_CHROOT_DESKTOP] = 1; 
@@ -295,14 +303,6 @@ void print_compiletime_support(void) { #endif ); - printf("\t- overlayfs support is %s\n", -#ifdef HAVE_OVERLAYFS - "enabled" -#else - "disabled" -#endif - ); - printf("\t- file and directory whitelisting support is %s\n", #ifdef HAVE_WHITELIST "enabled" @@ -332,6 +332,22 @@ void print_compiletime_support(void) { printf("\t- networking features are available only to root user\n"); #endif + printf("\t- overlayfs support is %s\n", +#ifdef HAVE_OVERLAYFS + "enabled" +#else + "disabled" +#endif + ); + + printf("\t- private-home support is %s\n", +#ifdef HAVE_PRIVATE_HOME + "enabled" +#else + "disabled" +#endif + ); + printf("\t- seccomp-bpf support is %s\n", #ifdef HAVE_SECCOMP "enabled" diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 7be04f782..9b60d40c2 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -180,6 +180,7 @@ typedef struct config_t { char *profile_ignore[MAX_PROFILE_IGNORE]; char *chrootdir; // chroot directory char *home_private; // private home directory + char *home_private_keep; // keep list for private home directory char *etc_private_keep; // keep list for private etc directory char *bin_private_keep; // keep list for private bin directory char *cwd; // current working directory @@ -640,7 +641,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh); #define CFG_REMOUNT_PROC_SYS 11 #define CFG_OVERLAYFS 12 #define CFG_CHROOT_DESKTOP 13 -#define CFG_MAX 14 // this should always be the last entry +#define CFG_PRIVATE_HOME 14 +#define CFG_MAX 15 // this should always be the last entry extern char *xephyr_screen; extern char *xephyr_extra_params; extern char *netfilter_default; diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 85fa244be..a4b2ec046 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c 
@@ -313,61 +313,6 @@ void fs_private(void) { } -int fs_copydir(const char *path, const struct stat *st, int ftype, struct FTW *sftw); - - -int fs_copydir(const char *path, const struct stat *st, int ftype, struct FTW *sftw) -{ -(void) st; -(void) sftw; - char *homedir = cfg.homedir; - char *dest; - int srcbaselen = 0; - assert(homedir); - uid_t u = getuid(); - gid_t g = getgid(); - srcbaselen = strlen(cfg.private_template); - - if(ftype == FTW_F || ftype == FTW_D) { - if (asprintf(&dest, "%s/%s", homedir, path + srcbaselen) == -1) - errExit("asprintf"); - struct stat s; - // don't copy it if we already have the file - if (stat(dest, &s) == 0) - return(0); - if (stat(path, &s) == 0) { - if(ftype == FTW_F) { - if (copy_file(path, dest, u, g, 0644) == 0) { - if (arg_debug) - printf("copy from %s to %s\n", path, dest); - fs_logger2("clone", path); - } - } - else if(ftype == FTW_D) { - if (mkdir(dest, s.st_mode) == -1) - errExit("mkdir"); - if (chown(dest, u, g) < 0) - errExit("chown"); - if (arg_debug) - printf("copy from %s to %s\n", path, dest); - fs_logger2("clone", path); - } - } - free(dest); - } - return(0); -} - -void fs_private_template(void) { - - fs_private(); - if(nftw(cfg.private_template, fs_copydir, 1, FTW_PHYS) != 0) { - fprintf(stderr, "Error: unable to copy template dir\n"); - exit(1); - } - -} - // check new private home directory (--private= option) - exit if it fails void fs_check_private_dir(void) { EUID_ASSERT(); 
@@ -406,42 +351,323 @@ void fs_check_private_dir(void) { } } -// check new template home directoty (--private-template= option) - exit if it fails -void fs_check_private_template(void) { - EUID_ASSERT(); - invalid_filename(cfg.private_template); - - // Expand the home directory - char *tmp = expand_home(cfg.private_template, cfg.homedir); - cfg.private_template = realpath(tmp, NULL); - free(tmp); - - if (!cfg.private_template - || !is_dir(cfg.private_template) - || is_link(cfg.private_template) - || strstr(cfg.private_template, "..")) { - fprintf(stderr, "Error: invalid private template directory\n"); - exit(1); - } - - // check home directory and chroot home directory have the same owner - struct stat s2; - int rv = stat(cfg.private_template, &s2); - if (rv < 0) { - fprintf(stderr, "Error: cannot find %s directory\n", cfg.private_template); - exit(1); - } - - struct stat s1; - rv = stat(cfg.homedir, &s1); - if (rv < 0) { - fprintf(stderr, "Error: cannot find %s directory, full path name required\n", cfg.homedir); - exit(1); - } - if (s1.st_uid != s2.st_uid) { - printf("Error: --private-template directory should be owned by the current user\n"); - exit(1); - } +//*********************************************************************************** +// --private-home +//*********************************************************************************** +#define PRIVATE_COPY_LIMIT (500 * 1024 *1024) +static int size_limit_reached = 0; +static unsigned file_cnt = 0; +static unsigned size_cnt = 0; +static char *check_dir_or_file(const char *name); + +int fs_copydir(const char *path, const struct stat *st, int ftype, struct FTW *sftw) { + if (size_limit_reached) + return 0; + + struct stat s; + char *dest; + if (asprintf(&dest, "%s%s", RUN_HOME_DIR, path + strlen(cfg.homedir)) == -1) + errExit("asprintf"); + + // don't copy it if we already have the file + if (stat(dest, &s) == 0) { + free(dest); + return 0; + } + + // extract mode and ownership + if (stat(path, &s) != 0) 
{ + free(dest); + return 0; + } + + // check uid + if (s.st_uid != firejail_uid || s.st_gid != firejail_gid) { + free(dest); + return 0; + } + + if ((s.st_size + size_cnt) > PRIVATE_COPY_LIMIT) { + size_limit_reached = 1; + free(dest); + return 0; + } + + file_cnt++; + size_cnt += s.st_size; + + if(ftype == FTW_F) + copy_file(path, dest, firejail_uid, firejail_gid, s.st_mode); + else if (ftype == FTW_D) { + if (mkdir(dest, s.st_mode) == -1) + errExit("mkdir"); + if (chmod(dest, s.st_mode) < 0) { + fprintf(stderr, "Error: cannot change mode for %s\n", path); + exit(1); + } + if (chown(dest, firejail_uid, firejail_gid) < 0) { + fprintf(stderr, "Error: cannot change ownership for %s\n", path); + exit(1); + } + +#if 0 +struct stat s2; +if (stat(dest, &s2) == 0) { + printf("%s\t", dest); + printf((S_ISDIR(s.st_mode)) ? "d" : "-"); + printf((s.st_mode & S_IRUSR) ? "r" : "-"); + printf((s.st_mode & S_IWUSR) ? "w" : "-"); + printf((s.st_mode & S_IXUSR) ? "x" : "-"); + printf((s.st_mode & S_IRGRP) ? "r" : "-"); + printf((s.st_mode & S_IWGRP) ? "w" : "-"); + printf((s.st_mode & S_IXGRP) ? "x" : "-"); + printf((s.st_mode & S_IROTH) ? "r" : "-"); + printf((s.st_mode & S_IWOTH) ? "w" : "-"); + printf((s.st_mode & S_IXOTH) ? 
"x" : "-"); + printf("\n"); +} +#endif + + fs_logger2("clone", path); + } + + free(dest); + return(0); +} + +static void duplicate(char *name) { + char *fname = check_dir_or_file(name); + + if (arg_debug) + printf("Private home: duplicating %s\n", fname); + assert(strncmp(fname, cfg.homedir, strlen(cfg.homedir)) == 0); + + struct stat s; + if (stat(fname, &s) == -1) { + free(fname); + return; + } + + if(nftw(fname, fs_copydir, 1, FTW_PHYS) != 0) { + fprintf(stderr, "Error: unable to copy template dir\n"); + exit(1); + } + fs_logger_print(); // save the current log + + free(fname); +} + + + +static char *check_dir_or_file(const char *name) { + assert(name); + struct stat s; + + // basic checks + invalid_filename(name); + + if (arg_debug) + printf("Private home: checking %s\n", name); + + // expand home directory + char *fname = expand_home(name, cfg.homedir); + if (!fname) { + fprintf(stderr, "Error: file %s not found.\n", name); + exit(1); + } + + // If it doesn't start with '/', it must be relative to homedir + if (fname[0] != '/') { + char* tmp; + if (asprintf(&tmp, "%s/%s", cfg.homedir, fname) == -1) + errExit("asprintf"); + free(fname); + fname = tmp; + } + + // check the file is in user home directory + char *rname = realpath(fname, NULL); + if (!rname) { + fprintf(stderr, "Error: invalid file %s\n", name); + exit(1); + } + if (strncmp(rname, cfg.homedir, strlen(cfg.homedir)) != 0) { + fprintf(stderr, "Error: file %s is not in user home directory\n", name); + exit(1); + } + + // a full home directory is not allowed + if (strcmp(rname, cfg.homedir) == 0) { + fprintf(stderr, "Error: invalid directory %s\n", rname); + exit(1); + } + + // only top files and directories in user home are allowed + char *ptr = rname + strlen(cfg.homedir); + if (*ptr == '\0') { + fprintf(stderr, "Error: invalid file %s\n", name); + exit(1); + } + ptr++; + ptr = strchr(ptr, '/'); + if (ptr) { + if (*ptr != '\0') { + fprintf(stderr, "Error: only top files and directories in user home 
are allowed\n"); + exit(1); + } + } + + if (stat(fname, &s) == -1) { + fprintf(stderr, "Error: file %s not found.\n", fname); + exit(1); + } + + // check uid + uid_t uid = getuid(); + gid_t gid = getgid(); + if (s.st_uid != uid || s.st_gid != gid) { + fprintf(stderr, "Error: only files or directories created by the current user are allowed.\n"); + exit(1); + } + + // dir or regular file + if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode)) { + free(fname); + return rname; // regular exit from the function + } + + fprintf(stderr, "Error: invalid file type, %s.\n", fname); + exit(1); +} + + +// check directory list specified by user (--private-home option) - exit if it fails +void fs_check_home_list(void) { + if (strstr(cfg.home_private_keep, "..")) { + fprintf(stderr, "Error: invalid private-home list\n"); + exit(1); + } + + char *dlist = strdup(cfg.home_private_keep); + if (!dlist) + errExit("strdup"); + + char *ptr = strtok(dlist, ","); + char *tmp = check_dir_or_file(ptr); + free(tmp); + + while ((ptr = strtok(NULL, ",")) != NULL) { + tmp = check_dir_or_file(ptr); + free(tmp); + } + + free(dlist); } + +// private mode (--private-home=list): +// mount homedir on top of /home/user, +// tmpfs on top of /root in nonroot mode, +// tmpfs on top of /tmp in root mode, +// set skel files, +// restore .Xauthority +void fs_private_home_list(void) { + char *homedir = cfg.homedir; + char *private_list = cfg.home_private_keep; + assert(homedir); + assert(private_list); + + int xflag = store_xauthority(); + int aflag = store_asoundrc(); + + uid_t u = firejail_uid; + gid_t g = firejail_gid; + struct stat s; + if (stat(homedir, &s) == -1) { + fprintf(stderr, "Error: cannot find user home directory\n"); + exit(1); + } + + // create /tmp/firejail/mnt/home directory + fs_build_mnt_dir(); + int rv = mkdir(RUN_HOME_DIR, 0755); + if (rv == -1) + errExit("mkdir"); + if (chown(RUN_HOME_DIR, u, g) < 0) + errExit("chown"); + if (chmod(RUN_HOME_DIR, 0755) < 0) + errExit("chmod"); + 
ASSERT_PERMS(RUN_HOME_DIR, u, g, 0755); + + fs_logger_print(); // save the current log + + // copy the list of files in the new home directory + // using a new child process without root privileges + pid_t child = fork(); + if (child < 0) + errExit("fork"); + if (child == 0) { + if (arg_debug) + printf("Copying files in the new home:\n"); + + // drop privileges + if (setgroups(0, NULL) < 0) + errExit("setgroups"); + if (setgid(getgid()) < 0) + errExit("setgid/getgid"); + if (setuid(getuid()) < 0) + errExit("setuid/getuid"); + + // copy the list of files in the new home directory + char *dlist = strdup(cfg.home_private_keep); + if (!dlist) + errExit("strdup"); + + char *ptr = strtok(dlist, ","); + duplicate(ptr); + while ((ptr = strtok(NULL, ",")) != NULL) + duplicate(ptr); + + if (!arg_quiet) { + if (size_limit_reached) + fprintf(stderr, "Warning: private-home copy limit of %u MB reached, not all the files were copied\n", + PRIVATE_COPY_LIMIT / (1024 *1024)); + else + printf("Private home: %u files, total size %u bytes\n", file_cnt, size_cnt); + } + + fs_logger_print(); // save the current log + free(dlist); + exit(0); + } + // wait for the child to finish + waitpid(child, NULL, 0); + + if (arg_debug) + printf("Mount-bind %s on top of %s\n", RUN_HOME_DIR, homedir); + + if (mount(RUN_HOME_DIR, homedir, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mount bind"); + + if (u != 0) { + // mask /root + if (arg_debug) + printf("Mounting a new /root directory\n"); + if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=700,gid=0") < 0) + errExit("mounting home directory"); + } + else { + // mask /home + if (arg_debug) + printf("Mounting a new /home directory\n"); + if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) + errExit("mounting home directory"); + } + + skel(homedir, u, g); + if (xflag) + copy_xauthority(); + if (aflag) + copy_asoundrc(); +} 
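Review bot: In fs_private_home_list the parent discards the copy child's exit status with `waitpid(child, NULL, 0)` and then bind-mounts RUN_HOME_DIR over the home unconditionally, so any errExit inside the child (the mkdir, chmod or chown in fs_copydir) yields a silently truncated private home instead of a failed sandbox start. That path is easy to reach: fs_copydir skips an entry whose uid/gid is not the user's but returns 0 so nftw still descends into it, and the first directory below it then fails `mkdir(dest)` with ENOENT. Replace the wait with `int status; if (waitpid(child, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) { fprintf(stderr, "Error: private-home copy failed\n"); exit(1); }`. Separately, the containment test in check_dir_or_file compares only the homedir prefix, so a sibling such as /home/user2 would pass it (subject only to the ownership test) and be mapped to RUN_HOME_DIR with a bare `2` suffix; make it `size_t hl = strlen(cfg.homedir); if (strncmp(rname, cfg.homedir, hl) != 0 || (rname[hl] != '/' && rname[hl] != '\0'))` so the following "full home directory" check still reports the equal-length case.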
diff --git a/src/firejail/main.c b/src/firejail/main.c index 501bccff2..94000d917 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1560,21 +1560,14 @@ int main(int argc, char **argv) { arg_writable_var = 1; } else if (strcmp(argv[i], "--private") == 0) { -#if 0 - if (arg_private_template) { - fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n"); - exit(1); - } -#endif arg_private = 1; } else if (strncmp(argv[i], "--private=", 10) == 0) { -#if 0 - if (arg_private_template) { - fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n"); - exit(1); - } -#endif + if (cfg.home_private_keep) { + fprintf(stderr, "Error: a private list of files was already defined with --private-home option.\n"); + exit(1); + } + // extract private home dirname cfg.home_private = argv[i] + 10; if (*cfg.home_private == '\0') { @@ -1584,21 +1577,25 @@ int main(int argc, char **argv) { fs_check_private_dir(); arg_private = 1; } -#if 0 - else if (strncmp(argv[i], "--private-template=", 19) == 0) { - cfg.private_template = argv[i] + 19; - if (arg_private) { - fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n"); - exit(1); - } - if (*cfg.private_template == '\0') { - fprintf(stderr, "Error: invalid private-template option\n"); - exit(1); - } - fs_check_private_template(); - arg_private_template = 1; - } -#endif +#ifdef HAVE_PRIVATE_HOME + else if (strncmp(argv[i], "--private-home=", 15) == 0) { + if (checkcfg(CFG_PRIVATE_HOME)) { + if (cfg.home_private) { + fprintf(stderr, "Error: a private home directory was already defined with --private option.\n"); + exit(1); + } + + // extract private home dirname + cfg.home_private_keep = argv[i] + 15; + fs_check_home_list(); + arg_private = 1; + } + else { + fprintf(stderr, "Error: --private-home feature is disabled in Firejail configuration file\n"); + exit(1); + } + } +#endif else if (strcmp(argv[i], "--private-dev") == 0) { arg_private_dev = 1; } 
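Review bot: `--private-home=` with an empty list is not rejected, unlike `--private=` a few lines above: `cfg.home_private_keep` becomes `""`, the first `strtok` in fs_check_home_list returns NULL, and check_dir_or_file then stops on `assert(name)` (or dereferences NULL under NDEBUG) instead of printing a usable error. Add, before the fs_check_home_list call, `if (*cfg.home_private_keep == '\0') { fprintf(stderr, "Error: invalid private-home option\n"); exit(1); }`. The option loop in main() starts and ends outside the hunk.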
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index ee5d8c159..a516f3216 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -169,6 +169,18 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { arg_private = 1; return 0; } + if (strncmp(ptr, "private-home ", 13) == 0) { +#ifdef HAVE_PRIVATE_HOME + if (checkcfg(CFG_PRIVATE_HOME)) { + cfg.home_private_keep = ptr + 13; + fs_check_home_list(); + arg_private = 1; + } + else + fprintf(stderr, "Warning: private-home is disabled in Firejail configuration file\n"); +#endif + return 0; + } else if (strcmp(ptr, "private-dev") == 0) { arg_private_dev = 1; return 0; diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 9423ae7e0..76efe996b 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -540,6 +540,14 @@ int sandbox(void* sandbox_arg) { else fs_private_homedir(); } + else if (cfg.home_private_keep) { // --private-home= + if (cfg.chrootdir) + fprintf(stderr, "Warning: private-home= feature is disabled in chroot\n"); + else if (arg_overlay) + fprintf(stderr, "Warning: private-home= feature is disabled in overlay\n"); + else + fs_private_home_list(); + } else // --private fs_private(); } diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 363f973e8..52d9bbe7e 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c 
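Review bot: When the feature is switched off in firejail.config the profile path only prints a warning and returns 0, and when HAVE_PRIVATE_HOME is not compiled in it returns 0 with no message at all, so a profile written around `private-home` silently runs with the real home exposed, while the command-line path in main.c exits with an error for the same condition. A directive that cannot be honoured should fail closed: either mirror main.c with `fprintf(stderr, "Error: private-home is disabled in Firejail configuration file\n"); exit(1);` and an `#else` branch that reports the directive as unsupported, or, if warn-and-continue is the intended convention for profiles, at least set `arg_private = 1` in both fallback cases so the sandbox still gets an empty tmpfs home. profile_check_line starts and ends outside the hunk.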
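Review bot: In the chroot and overlay branches the new code only warns and then performs no home handling at all, so a user who asked for `--private-home=` gets the real home mounted inside the sandbox, whereas the neighbouring `--private` paths always end in some fs_private* call and the final `else` runs `fs_private()` unconditionally. Fail closed by falling through to the tmpfs home instead: `if (cfg.chrootdir || arg_overlay) { fprintf(stderr, "Warning: private-home= feature is disabled in chroot/overlay, using an empty private home\n"); fs_private(); } else fs_private_home_list();`. sandbox() starts and ends outside the hunk.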
@@ -221,24 +221,10 @@ $ firejail \-\-overlay-path=~/jails/jail1 firefox printf("\tfilesystems. All modifications are discarded when the sandbox is\n"); printf("\tclosed.\n\n"); printf(" --private=directory - use directory as user home.\n\n"); -#if 0 - printf(" --private-template=directory - same as --private but copy the\n"); - printf("\ttemplatedirectory in the tmpfs mounted user home.\n\n"); - -.TP -\fB\-\-private-template=templatedir -Mount new /root and /home/user directories in temporary -filesystems, and copy all files in templatedir. All modifications are discarded when the sandbox is -closed. -.br - -.br -Example: -.br -$ firejail \-\-private-template=/home/netblue/.config/mozilla firefox -#endif - - + printf(" --private-home=file,directory - build a new user home in a temporary\n"); + printf("\t\tfilesystem, and copy the files and directories in the list in\n"); + printf("\t\tthe new home. All modifications are discarded when the sandbox\n"); + printf("\t\tis closed.\n\n"); printf(" --private-bin=file,file - build a new /bin in a temporary filesystem,\n"); printf("\tand copy the programs in the list.\n\n"); diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index e3217bbff..51b45cd10 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -170,6 +170,12 @@ closed. \fBprivate directory Use directory as user home. .TP +\f\private-home file,directory +Build a new user home in a temporary +filesystem, and copy the files and directories in the list in the +new home. All modifications are discarded when the sandbox is +closed. +.TP \fBprivate-bin file,file Build a new /bin in a temporary filesystem, and copy the programs in the list. The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin. diff --git a/src/man/firejail.txt b/src/man/firejail.txt index dbb0df233..a5d3623b6 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
@@ -1085,6 +1085,19 @@ Example: .br $ firejail \-\-private=/home/netblue/firefox-home firefox +.TP +\fB\-\-private-home=file,directory +Build a new user home in a temporary +filesystem, and copy the files and directories in the list in the +new home. All modifications are discarded when the sandbox is +closed. +.br + +.br +Example: +.br +$ firejail \-\-private-home=.mozilla firefox + .TP \fB\-\-private-bin=file,file Build a new /bin in a temporary filesystem, and copy the programs in the list. -- cgit v1.2.3-70-g09d2 From 482a38ca66c7b189a0fcc31fd680801a3bf3c893 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 17 Sep 2016 09:24:16 -0400 Subject: bug: add support to remove /usr/local from private-bin list, issue 778 --- etc/firejail.config | 3 +++ src/firejail/checkcfg.c | 9 +++++++++ src/firejail/firejail.h | 1 + src/firejail/fs_bin.c | 7 +++++++ 4 files changed, 20 insertions(+) (limited to 'etc') diff --git a/etc/firejail.config b/etc/firejail.config index 08ff5380d..143400938 100644 --- a/etc/firejail.config +++ b/etc/firejail.config @@ -29,6 +29,9 @@ # Enable or disable overlayfs features, default enabled. # overlayfs yes +# Remove /usr/local directories from private-bin list, default disabled +# private-bin-no-local no + # Enable or disable private-home feature, default enabled # private-home yes diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index fdd2b8edd..78c0e5c60 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -40,6 +40,7 @@ int checkcfg(int val) { cfg_val[i] = 1; // most of them are enabled by default cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default cfg_val[CFG_FORCE_NONEWPRIVS] = 0; // disabled by default + cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0; // disabled by default // open configuration file char *fname; 
@@ -258,6 +259,14 @@ int checkcfg(int val) { else goto errout; } + else if (strncmp(ptr, "private-bin-no-local ", 21) == 0) { + if (strcmp(ptr + 21, "yes") == 0) + cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 1; + else if (strcmp(ptr + 21, "no") == 0) + cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0; + else + goto errout; + } else goto errout; diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 7043aa0ca..c0536502e 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -651,6 +651,7 @@ enum { CFG_OVERLAYFS, CFG_CHROOT_DESKTOP, CFG_PRIVATE_HOME, + CFG_PRIVATE_BIN_NO_LOCAL, CFG_MAX // this should always be the last entry }; extern char *xephyr_screen; diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index 6c4db57b4..40539305f 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c @@ -46,6 +46,13 @@ static char *check_dir_or_file(const char *name) { int i = 0; while (paths[i]) { + // private-bin-no-local can be disabled in /etc/firejail/firejail.config + if (checkcfg(CFG_PRIVATE_BIN_NO_LOCAL) && strstr(paths[i], "local/")) { + i++; + continue; + } + + // check file if (asprintf(&fname, "%s/%s", paths[i], name) == -1) errExit("asprintf"); if (arg_debug) -- cgit v1.2.3-70-g09d2 From ccb3587e52814e178d585c93a1053ff00587d102 Mon Sep 17 00:00:00 2001 From: Tomasz Jan Góralczyk Date: Sat, 17 Sep 2016 14:25:29 +0100 Subject: Add netlink to --protocols in steam profile Fixes #779 --- etc/steam.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/steam.profile b/etc/steam.profile index b15a54be9..5dc5e80ff 100644 --- a/etc/steam.profile +++ b/etc/steam.profile @@ -10,5 +10,5 @@ caps.drop all netfilter nonewprivs noroot -protocol unix,inet,inet6 +protocol unix,inet,inet6,netlink seccomp -- cgit v1.2.3-70-g09d2 From d131c595b2da7717c0879cd962f174b32635a53c Mon Sep 17 00:00:00 2001 
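Review bot: The comment above the new test in fs_bin.c says the option "can be disabled" in firejail.config, but checkcfg initialises CFG_PRIVATE_BIN_NO_LOCAL to 0 and the config comment calls it "default disabled", so the branch is taken only when an admin enables it; reword to `// skip /usr/local paths when private-bin-no-local is enabled in /etc/firejail/firejail.config`. The match `strstr(paths[i], "local/")` also fires on any path containing that substring rather than on /usr/local specifically; if paths[] only ever holds the standard bin/sbin and /usr/local variants this is harmless, otherwise `strncmp(paths[i], "/usr/local/", 11) == 0` is the intended test. check_dir_or_file starts and ends outside the hunk.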
From: Pwnage Pineapple Date: Sat, 17 Sep 2016 16:32:20 -0500 Subject: Update okular.profile Gives Okular read-only access to kdeglobals file to fix theme issue --- etc/okular.profile | 1 + 1 file changed, 1 insertion(+) (limited to 'etc') diff --git a/etc/okular.profile b/etc/okular.profile index c9c342b15..df142ccfc 100644 --- a/etc/okular.profile +++ b/etc/okular.profile @@ -2,6 +2,7 @@ noblacklist ~/.kde/share/apps/okular noblacklist ~/.kde/share/config/okularrc noblacklist ~/.kde/share/config/okularpartrc +read-only ~/.kde/share/config/kdeglobals include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc -- cgit v1.2.3-70-g09d2 From ea29b9538f57663e3554d480eb69a806e6d4b7a2 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 18 Sep 2016 10:42:18 -0400 Subject: fixes --- README | 4 ++++ etc/firejail.config | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) (limited to 'etc') diff --git a/README b/README index 9510b6b1d..9f3065b3b 100644 --- a/README +++ b/README @@ -74,6 +74,10 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added eom profile - added gnome-chess profile - added DOSBox profile +Tomasz Jan Góralczyk (https://github.com/tjg) + - fixed Steam profile +pwnage-pineapple (https://github.com/pwnage-pineapple) + - update Okular profile Sergey Alirzaev (https://github.com/l29ah) - firejail.h enum fix greigdp (https://github.com/greigdp) diff --git a/etc/firejail.config b/etc/firejail.config index 143400938..2ea767f37 100644 --- a/etc/firejail.config +++ b/etc/firejail.config @@ -29,7 +29,7 @@ # Enable or disable overlayfs features, default enabled. # overlayfs yes -# Remove /usr/local directories from private-bin list, default disabled +# Remove /usr/local directories from private-bin list, default disabled. # private-bin-no-local no # Enable or disable private-home feature, default enabled -- cgit v1.2.3-70-g09d2 From ea01effe46990d7376efa81ad4da47430025a234 Mon Sep 17 00:00:00 2001 
From: Dara Adib Date: Mon, 19 Sep 2016 22:45:59 -0400 Subject: Quiet SSH config firejail output in ssh client breaks git+ssh for me, e.g., $ git clone git@github.com:netblue30/firejail.git Cloning into 'firejail'... Reading profile /etc/firejail/ssh.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/disable-passwdmgr.inc fatal: protocol error: bad line length character: Pare The "Pare" comes from "Parent pid x, child pid y". --- etc/ssh.profile | 1 + 1 file changed, 1 insertion(+) (limited to 'etc') diff --git a/etc/ssh.profile b/etc/ssh.profile index 2411e46f3..d3558ead3 100644 --- a/etc/ssh.profile +++ b/etc/ssh.profile @@ -1,4 +1,5 @@ # ssh client +quiet noblacklist ~/.ssh noblacklist /tmp/ssh-* -- cgit v1.2.3-70-g09d2 From dfe379acac6a87b6595e376b81851b3394297782 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sun, 25 Sep 2016 01:48:10 +1000 Subject: Added tracelog --- etc/evince.profile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'etc') diff --git a/etc/evince.profile b/etc/evince.profile index 530ce959a..374fa4aaa 100644 --- a/etc/evince.profile +++ b/etc/evince.profile @@ -5,14 +5,15 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -nonewprivs nogroups +nonewprivs noroot nosound protocol unix seccomp - shell none +tracelog + private-bin evince,evince-previewer,evince-thumbnailer whitelist /tmp/.X11-unix private-dev -- cgit v1.2.3-70-g09d2 From ed31d2238915749730856f877fceae3579b320da Mon Sep 17 00:00:00 2001 
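Review bot: `quiet` cures the git+ssh breakage but also silences every Firejail diagnostic for the ssh profile, including the warnings that report a directive being ignored or a feature being disabled, so a degraded ssh sandbox now fails silently. The root cause given in the commit message is that "Parent pid x, child pid y" is written to stdout and therefore corrupts the stdout protocol of any program run through the sandbox; if that status line and similar chatter went to stderr this workaround would not be needed. If `quiet` stays, record the reason next to it with `# quiet: firejail stdout output breaks git+ssh and other stdout protocols` so it is not removed later.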
From: netblue30 Date: Tue, 27 Sep 2016 11:32:59 -0400 Subject: mupdf and qpdfview profiles --- README.md | 5 +++++ RELNOTES | 1 + etc/disable-programs.inc | 2 ++ etc/mupdf.profile | 18 ++++++++++++++++++ etc/qpdfview.profile | 22 ++++++++++++++++++++++ platform/debian/conffiles | 3 +++ src/firecfg/firecfg.config | 2 ++ 7 files changed, 53 insertions(+) create mode 100644 etc/mupdf.profile create mode 100644 etc/qpdfview.profile (limited to 'etc') diff --git a/README.md b/README.md index 64a67bf63..9db50d5ba 100644 --- a/README.md +++ b/README.md @@ -64,3 +64,8 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ ## New profile commands x11 xpra, x11 xephyr, x11 block, allusers, join-or-start + +## New profiles + +qpdfview, mupdf + diff --git a/RELNOTES b/RELNOTES index f0528b28c..492bd007a 100644 --- a/RELNOTES +++ b/RELNOTES @@ -10,6 +10,7 @@ firejail (0.9.43) baseline; urgency=low * feature: add files to sandbox container (--put) * feature: blocking x11 (--x11=block) * feature: x11 xpra, x11 xephyr, x11 block, allusers profile commands + * new profiles: qpdfview, mupdf * bugfixes -- netblue30 Fri, 9 Sept 2016 08:00:00 -0500 diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index fb0f5a669..54c53e794 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -26,6 +26,7 @@ blacklist ${HOME}/.kde/share/config/okularrc blacklist ${HOME}/.kde/share/config/okularpartrc blacklist ${HOME}/.kde/share/apps/gwenview blacklist ${HOME}/.kde/share/config/gwenviewrc +blacklist ${HOME}/.config/qpdfview # Media players blacklist ${HOME}/.config/cmus @@ -135,6 +136,7 @@ blacklist ${HOME}/.local/share/totem blacklist ${HOME}/.local/share/psi+ blacklist ${HOME}/.local/share/pix blacklist ${HOME}/.local/share/gnome-chess +blacklist ${HOME}/.local/share/qpdfview # ssh blacklist /tmp/ssh-* diff --git a/etc/mupdf.profile b/etc/mupdf.profile new file mode 100644 index 000000000..6f2db511b --- /dev/null +++ b/etc/mupdf.profile 
@@ -0,0 +1,18 @@ +# mupdf reader profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +shell none +tracelog + +private-tmp +private-dev diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile new file mode 100644 index 000000000..07ea173e6 --- /dev/null +++ b/etc/qpdfview.profile @@ -0,0 +1,22 @@ +# qpdfview profile +noblacklist ${HOME}/.config/qpdfview +noblacklist ${HOME}/.local/share/qpdfview + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +shell none +tracelog + +private-bin qpdfview +private-tmp +private-dev diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 691c536df..0c494c042 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -143,3 +143,6 @@ /etc/firejail/xzdec.profile /etc/firejail/strings.profile /etc/firejail/dosbox.profile +/etc/firejail/mupdf.profile +/etc/firejail/qpdfview.profile + diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index dd876c87c..ca28d025b 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -128,6 +128,8 @@ mathematica okular pix xreader +mupdf +qpdfview # other ssh -- cgit v1.2.3-70-g09d2 From 9d21d8cf9d12513bfd77e44b845a1f5d7a06f594 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 27 Sep 2016 13:23:50 -0400 Subject: qt additions to whitelist-common.inc --- etc/whitelist-common.inc | 3 +++ 1 file changed, 3 insertions(+) (limited to 'etc') diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc index abbb4a9fc..fd44c2528 100644 --- a/etc/whitelist-common.inc +++ b/etc/whitelist-common.inc 
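Review bot: Neither new profile states a network policy: there is no `net none`, so the viewers keep the host's network namespace and only the `protocol unix` filter stops them from opening inet sockets. For document viewers that need no network, `net none` is the directive that expresses the intent and also hides interfaces and routes from the sandbox; consider adding it to both mupdf.profile and qpdfview.profile. mupdf.profile also has no `private-bin` line while the sibling qpdfview.profile has `private-bin qpdfview`; the two were added together and would be easier to audit if they shared the same hardening set.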
@@ -29,3 +29,6 @@ whitelist ~/.kde/share/config/gtkrc-2.0 # dconf mkdir ~/.config/dconf whitelist ~/.config/dconf + +# qt +whitelist ~/.config/kdeglobals -- cgit v1.2.3-70-g09d2 From 9498f2313e40f53abb8e47e08c3bbb88281d29ad Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 28 Sep 2016 10:29:01 -0400 Subject: profile cleanup --- etc/dnscrypt-proxy.profile | 1 + etc/dnsmasq.profile | 1 + etc/file.profile | 6 +++++- etc/gzip.profile | 5 ++++- etc/server.profile | 2 ++ etc/tar.profile | 6 +++++- etc/unrar.profile | 6 +++++- etc/unzip.profile | 6 +++++- etc/uudeview.profile | 2 ++ etc/xzdec.profile | 5 ++++- 10 files changed, 34 insertions(+), 6 deletions(-) (limited to 'etc') diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile index 90c244e03..926b8bfcc 100644 --- a/etc/dnscrypt-proxy.profile +++ b/etc/dnscrypt-proxy.profile @@ -9,5 +9,6 @@ include /etc/firejail/disable-passwdmgr.inc private private-dev nosound +no3d seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile index 1c01d44e4..3bd43f144 100644 --- a/etc/dnsmasq.profile +++ b/etc/dnsmasq.profile @@ -12,5 +12,6 @@ nonewprivs private private-dev nosound +no3d protocol unix,inet,inet6,netlink seccomp diff --git a/etc/file.profile b/etc/file.profile index c2d7b0b0f..860f7b104 100644 --- a/etc/file.profile +++ b/etc/file.profile 
@@ -7,7 +7,11 @@ tracelog net none shell none private-bin file -private-dev private-etc magic.mgc,magic,localtime hostname file +private-dev nosound +no3d +private-tmp +blacklist /tmp/.X11-unix + diff --git a/etc/gzip.profile b/etc/gzip.profile index ce4aa3c4b..4843839c5 100644 --- a/etc/gzip.profile +++ b/etc/gzip.profile @@ -5,6 +5,9 @@ include /etc/firejail/default.profile tracelog net none shell none -private-dev private-tmp +blacklist /tmp/.X11-unix +private-dev nosound +no3d + diff --git a/etc/server.profile b/etc/server.profile index 88331d951..22cef0a3c 100644 --- a/etc/server.profile +++ b/etc/server.profile @@ -9,6 +9,8 @@ include /etc/firejail/disable-passwdmgr.inc private private-dev nosound +no3d private-tmp +blacklist /tmp/.X11-unix seccomp diff --git a/etc/tar.profile b/etc/tar.profile index 78bf7ad13..3f6599784 100644 --- a/etc/tar.profile +++ b/etc/tar.profile @@ -10,6 +10,10 @@ shell none # support compressed archives private-bin sh,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop private-dev +nosound +no3d private-etc passwd,group,localtime hostname tar -nosound +private-tmp +blacklist /tmp/.X11-unix + diff --git a/etc/unrar.profile b/etc/unrar.profile index e941a8f2a..f29d1b51b 100644 --- a/etc/unrar.profile +++ b/etc/unrar.profile @@ -8,6 +8,10 @@ net none shell none private-bin unrar private-dev +nosound +no3d private-etc passwd,group,localtime hostname unrar -nosound +private-tmp +blacklist /tmp/.X11-unix + diff --git a/etc/unzip.profile b/etc/unzip.profile index ab69e932e..957dbdd71 100644 --- a/etc/unzip.profile +++ b/etc/unzip.profile @@ -7,7 +7,11 @@ tracelog net none shell none private-bin unzip -private-dev private-etc passwd,group,localtime hostname unzip +private-dev nosound +no3d +private-tmp +blacklist /tmp/.X11-unix + diff --git a/etc/uudeview.profile b/etc/uudeview.profile index f6fe0abf1..51e413493 100644 --- a/etc/uudeview.profile +++ b/etc/uudeview.profile 
@@ -13,3 +13,5 @@ private-tmp private-etc nonexisting_fakefile_for_empty_etc hostname uudeview nosound +uudeview + diff --git a/etc/xzdec.profile b/etc/xzdec.profile index 3692160e6..0647bddeb 100644 --- a/etc/xzdec.profile +++ b/etc/xzdec.profile @@ -5,6 +5,9 @@ include /etc/firejail/default.profile tracelog net none shell none -private-dev private-tmp +blacklist /tmp/.X11-unix +private-dev nosound +no3d + -- cgit v1.2.3-70-g09d2 From e90a8025a8173f3ce1fb0d22c3fc0b2ccb431ecc Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 30 Sep 2016 09:33:45 -0400 Subject: added luminance-hdr and synfigstudio profiles --- README.md | 2 +- RELNOTES | 2 +- etc/disable-programs.inc | 3 +++ etc/luminance-hdr.profile | 23 +++++++++++++++++++++++ etc/synfigstudio.profile | 17 +++++++++++++++++ platform/debian/conffiles | 2 ++ src/firecfg/firecfg.config | 2 ++ 7 files changed, 49 insertions(+), 2 deletions(-) create mode 100644 etc/luminance-hdr.profile create mode 100644 etc/synfigstudio.profile (limited to 'etc') diff --git a/README.md b/README.md index 05cfd3b11..e98f8ad21 100644 --- a/README.md +++ b/README.md @@ -88,5 +88,5 @@ x11 xpra, x11 xephyr, x11 block, allusers, join-or-start ## New profiles -qpdfview, mupdf +qpdfview, mupdf, Luminance HDR, Synfig Studio diff --git a/RELNOTES b/RELNOTES index 9b746e229..f09c628e1 100644 --- a/RELNOTES +++ b/RELNOTES @@ -13,7 +13,7 @@ firejail (0.9.43) baseline; urgency=low * feature: blocking x11 (--x11=block) * feature: disable 3D hardware acceleration (--no3d) * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands - * new profiles: qpdfview, mupdf + * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio * bugfixes -- netblue30 Fri, 9 Sept 2016 08:00:00 -0500 diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 54c53e794..8566ea0c5 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc 
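Review bot: `+uudeview` on its own is not a profile command; the binary is already named by `private-bin uudeview` in this file (visible as context in the later uudeview hunk on this page), so the bare line looks like an editing leftover. As far as I recall firejail rejects an unknown profile line with an error rather than skipping it, which would make every uudeview launch fail; either drop the line or, if something else was meant, write the full directive.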
@@ -27,6 +27,9 @@ blacklist ${HOME}/.kde/share/config/okularpartrc blacklist ${HOME}/.kde/share/apps/gwenview blacklist ${HOME}/.kde/share/config/gwenviewrc blacklist ${HOME}/.config/qpdfview +blacklist ${HOME}/.config/Luminance +blacklist ${HOME}/.config/synfig +blacklist ${HOME}/.synfig # Media players blacklist ${HOME}/.config/cmus diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile new file mode 100644 index 000000000..e9207fba3 --- /dev/null +++ b/etc/luminance-hdr.profile @@ -0,0 +1,23 @@ +# luminance-hdr +noblacklist ${HOME}/.config/Luminance +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-devel.inc + + +caps.drop all +netfilter +protocol unix +nonewprivs +noroot +seccomp +shell none +tracelog +private-tmp +private-dev +noexec ${HOME} +noexec /tmp +nogroups +nosound +ipc-namespace diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile new file mode 100644 index 000000000..d46467b99 --- /dev/null +++ b/etc/synfigstudio.profile @@ -0,0 +1,17 @@ +# synfigstudio +noblacklist ${HOME}/.config/synfig +noblacklist ${HOME}/.synfig +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix +seccomp +private-dev +private-tmp +noexec ${HOME} +noexec /tmp diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 0c494c042..86f5564fd 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -145,4 +145,6 @@ /etc/firejail/dosbox.profile /etc/firejail/mupdf.profile /etc/firejail/qpdfview.profile +/etc/firejail/luminance-hdr.profile +/etc/firejail/synfigstudio.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index ca28d025b..2fec8ef90 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config 
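Review bot: Both new profiles rely on `netfilter` for network restriction, but netfilter only installs its rules when the sandbox gets its own network namespace, which nothing here creates; the effective policy is the `protocol unix` line, and if the intent is "no network" it should be spelled `net none`. The same pattern recurs in the gimp, inkscape, feh and ranger profiles later on this page. luminance-hdr.profile also carries `nogroups`, `nosound`, `shell none` and `tracelog` that synfigstudio.profile lacks, with no comment explaining why two image editors differ; aligning them, or noting the reason, would make the pair easier to audit.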
@@ -130,6 +130,8 @@ pix xreader mupdf qpdfview +luminance-hdr +synfigstudio # other ssh -- cgit v1.2.3-70-g09d2 From b806f35192817e78b95a92dd658f1430bcc6fb56 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 30 Sep 2016 10:13:00 -0400 Subject: gimp and inkscape profiles --- README.md | 2 +- RELNOTES | 2 +- etc/disable-programs.inc | 2 ++ etc/gimp.profile | 18 ++++++++++++++++++ etc/inkscape.profile | 18 ++++++++++++++++++ etc/luminance-hdr.profile | 2 -- platform/debian/conffiles | 2 ++ src/firecfg/firecfg.config | 2 ++ 8 files changed, 44 insertions(+), 4 deletions(-) create mode 100644 etc/gimp.profile create mode 100644 etc/inkscape.profile (limited to 'etc') diff --git a/README.md b/README.md index e98f8ad21..6fa6c996c 100644 --- a/README.md +++ b/README.md @@ -88,5 +88,5 @@ x11 xpra, x11 xephyr, x11 block, allusers, join-or-start ## New profiles -qpdfview, mupdf, Luminance HDR, Synfig Studio +qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape diff --git a/RELNOTES b/RELNOTES index f09c628e1..97ace1c91 100644 --- a/RELNOTES +++ b/RELNOTES @@ -13,7 +13,7 @@ firejail (0.9.43) baseline; urgency=low * feature: blocking x11 (--x11=block) * feature: disable 3D hardware acceleration (--no3d) * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands - * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio + * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape * bugfixes -- netblue30 Fri, 9 Sept 2016 08:00:00 -0500 diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 8566ea0c5..1e2b81d27 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -30,6 +30,8 @@ blacklist ${HOME}/.config/qpdfview blacklist ${HOME}/.config/Luminance blacklist ${HOME}/.config/synfig blacklist ${HOME}/.synfig +blacklist ${HOME}/.inkscape +blacklist ${HOME}/.gimp* # Media players blacklist ${HOME}/.config/cmus 
diff --git a/etc/gimp.profile b/etc/gimp.profile new file mode 100644 index 000000000..23361b771 --- /dev/null +++ b/etc/gimp.profile @@ -0,0 +1,18 @@ +# gimp +noblacklist ${HOME}/.gimp* +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix +seccomp +private-dev +private-tmp +noexec ${HOME} +noexec /tmp +nogroups +nosound diff --git a/etc/inkscape.profile b/etc/inkscape.profile new file mode 100644 index 000000000..cf885fba2 --- /dev/null +++ b/etc/inkscape.profile @@ -0,0 +1,18 @@ +# inkscape +noblacklist ${HOME}/.inkscape +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix +seccomp +private-dev +private-tmp +noexec ${HOME} +noexec /tmp +nogroups +nosound diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile index e9207fba3..6e059ea52 100644 --- a/etc/luminance-hdr.profile +++ b/etc/luminance-hdr.profile @@ -3,8 +3,6 @@ noblacklist ${HOME}/.config/Luminance include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc -include /etc/firejail/disable-devel.inc - caps.drop all netfilter diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 86f5564fd..75e7a469b 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -147,4 +147,6 @@ /etc/firejail/qpdfview.profile /etc/firejail/luminance-hdr.profile /etc/firejail/synfigstudio.profile +/etc/firejail/gimp.profile +/etc/firejail/inkscape.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 2fec8ef90..75265545b 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -132,6 +132,8 @@ mupdf qpdfview luminance-hdr synfigstudio +gimp +inkscape # other ssh -- cgit v1.2.3-70-g09d2 
From 0bec95a96abd2299dbb9fa9f17671747512768c5 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sat, 1 Oct 2016 12:56:39 -0400
Subject: potential Gentoo fix
---
 etc/disable-devel.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'etc')
diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc
index 963cf6da0..971857710 100644
--- a/etc/disable-devel.inc
+++ b/etc/disable-devel.inc
@@ -2,7 +2,7 @@
 # GCC
 blacklist /usr/include
-blacklist /usr/lib/gcc
+#blacklist /usr/lib/gcc - seems to create problems on Gentoo
 blacklist /usr/bin/gcc*
 blacklist /usr/bin/cpp*
 blacklist /usr/bin/c9*
-- cgit v1.2.3-70-g09d2
From 6c006921eb77a933f9cfb5baf98a4043447d985e Mon Sep 17 00:00:00 2001
From: vismir2
Date: Sun, 2 Oct 2016 09:05:07 +0200
Subject: Create feh.profile
---
 etc/feh.profile | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 etc/feh.profile
(limited to 'etc')
diff --git a/etc/feh.profile b/etc/feh.profile
new file mode 100644
index 000000000..ba8f32f44
--- /dev/null
+++ b/etc/feh.profile
@@ -0,0 +1,13 @@
+# feh image viewer profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
-- cgit v1.2.3-70-g09d2
From 25fbc140c081cd41962cbca077fc7716c0191c17 Mon Sep 17 00:00:00 2001
From: vismir2
Date: Sun, 2 Oct 2016 09:06:16 +0200
Subject: Create zathura.profile
---
 etc/zathura.profile | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 etc/zathura.profile
(limited to 'etc')
diff --git a/etc/zathura.profile b/etc/zathura.profile
new file mode 100644
index 000000000..99d9a1a90
--- /dev/null
+++ b/etc/zathura.profile
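Review bot: `+#blacklist /usr/lib/gcc - seems to create problems on Gentoo` records a symptom, not a cause, so nobody can later judge whether the rule can be restored or narrowed. Presumably the problem is that Gentoo installs the compiler runtime (libgcc_s, libstdc++) under /usr/lib/gcc/<target>/<version>, so hiding the directory breaks ordinary dynamically linked programs rather than just compilation; if that is what was observed, say so, e.g. `# Gentoo keeps libgcc_s/libstdc++ under /usr/lib/gcc/<target>/<ver>; blacklisting it breaks dynamically linked programs there`. Dropping the rule for every distribution to accommodate one weakens disable-devel.inc everywhere, so a narrower pattern that keeps the toolchain hidden while leaving the runtime libraries visible is worth investigating.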
@@ -0,0 +1,19 @@
+# zathura document viewer profile
+# noblacklist ~/.config/zathura
+# noblacklist ~/.local/share/zathura
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+seccomp
+protocol unix
+netfilter
+nonewprivs
+noroot
+nosound
+
+#net none
+shell none
+#private-etc X11
-- cgit v1.2.3-70-g09d2
From b11408ba5397e3b70786b98226adc03eb2da9cee Mon Sep 17 00:00:00 2001
From: vismir2
Date: Sun, 2 Oct 2016 09:06:57 +0200
Subject: Create ranger.profile
---
 etc/ranger.profile | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 etc/ranger.profile
(limited to 'etc')
diff --git a/etc/ranger.profile b/etc/ranger.profile
new file mode 100644
index 000000000..775098d91
--- /dev/null
+++ b/etc/ranger.profile
@@ -0,0 +1,13 @@
+# ranger file manager profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix
+seccomp
+nosound
-- cgit v1.2.3-70-g09d2
From ba9edec22cce71b57266b20262fbb586314f3f8b Mon Sep 17 00:00:00 2001
From: vismir2
Date: Sun, 2 Oct 2016 14:54:05 +0200
Subject: added muttrc to blacklisted secets
~/.muttrc, ~/.mutt/muttrc and ~/.msmtprc contain in most cases login credentials of the users mail accounts
---
 etc/disable-common.inc | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'etc')
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index c4169db8a..4f854c8d8 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -121,6 +121,9 @@ blacklist ${HOME}/.smbcredentials
 blacklist ${HOME}/*.kdbx
 blacklist ${HOME}/*.kdb
 blacklist ${HOME}/*.key
+blacklist ${HOME}/.muttrc
+blacklist ${HOME}/.mutt/muttrc
+blacklist ${HOME}/.msmtprc
 blacklist /etc/shadow
 blacklist /etc/gshadow
 blacklist /etc/passwd-
-- cgit v1.2.3-70-g09d2
From 8026502c3758e82f64c13154030083460fa4528b Mon Sep 17 00:00:00 2001
From: vismir2
Date: Sun, 2 Oct 2016 14:55:19 +0200
Subject: added muttrc to disable-programs
---
 etc/disable-programs.inc | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'etc')
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 1e2b81d27..bd338f401 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -67,6 +67,9 @@ blacklist ${HOME}/.config/qutebrowser
 blacklist ${HOME}/.8pecxstudios
 blacklist ${HOME}/.config/brave
 blacklist ${HOME}/.config/inox
+blacklist ${HOME}/.muttrc
+blacklist ${HOME}/.mutt/muttrc
+blacklist ${HOME}/.msmtprc
 # Instant Messaging
 blacklist ${HOME}/.config/hexchat
-- cgit v1.2.3-70-g09d2
From 931f09d320dc7ab6f27ea5e724e9791eda2cec8b Mon Sep 17 00:00:00 2001
From: vismir2
Date: Sun, 2 Oct 2016 14:59:27 +0200
Subject: Removed whitelisting
There is no reason to assume the users database for cherrytree is in any of these specific directories.
---
 etc/cherrytree.profile | 6 ------
 1 file changed, 6 deletions(-)
(limited to 'etc')
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile
index 76ee70679..7c324a34b 100644
--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -6,12 +6,6 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
-whitelist ${HOME}/cherrytree
-mkdir ~/.config/cherrytree
-whitelist ${HOME}/.config/cherrytree/
-mkdir ~/.local/share
-whitelist ${HOME}/.local/share/
-
 caps.drop all
 netfilter
 nonewprivs
-- cgit v1.2.3-70-g09d2
From afa0feed21dcd3b1ef30faf0a37110cef618feb4 Mon Sep 17 00:00:00 2001
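Review bot: The same three `blacklist` lines are added to etc/disable-common.inc here and again to etc/disable-programs.inc in commit 8026502 on the same line, and nothing says which copy is authoritative; disable-common.inc is where the other credential files (`*.kdbx`, `*.key`, `.smbcredentials`) already live, so keep them there only and drop the duplicate so the two lists cannot drift. `blacklist ${HOME}/.mutt/muttrc` hides one file only; mutt configurations commonly `source` per-account files elsewhere under ~/.mutt, so consider whether the directory as a whole belongs on the list, with a mutt profile re-enabling it through `noblacklist`.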
From: netblue30 Date: Sun, 2 Oct 2016 09:14:31 -0400 Subject: feh, ranger, zathura profiles --- README | 2 ++ RELNOTES | 1 + etc/disable-programs.inc | 3 +++ etc/zathura.profile | 4 ++-- 4 files changed, 8 insertions(+), 2 deletions(-) (limited to 'etc') diff --git a/README b/README index dcdc7fde1..e98352913 100644 --- a/README +++ b/README @@ -77,6 +77,8 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added gnome-chess profile - added DOSBox profile - evince profile enhancement +vismir2 (https://github.com/vismir2) + - feh, ranger and zathura profiles graywolf (https://github.com/graywolf) - spelling fix Dara Adib (https://github.com/daradib) diff --git a/RELNOTES b/RELNOTES index 2775ecdde..ad4c750b5 100644 --- a/RELNOTES +++ b/RELNOTES @@ -17,6 +17,7 @@ firejail (0.9.43) baseline; urgency=low * feature: disable 3D hardware acceleration (--no3d) * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape + * new profiles: feh, ranger, zathura * bugfixes -- netblue30 Fri, 9 Sept 2016 08:00:00 -0500 diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 1e2b81d27..e9416b34a 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -32,6 +32,8 @@ blacklist ${HOME}/.config/synfig blacklist ${HOME}/.synfig blacklist ${HOME}/.inkscape blacklist ${HOME}/.gimp* +blacklist ${HOME}/.config/zathura + # Media players blacklist ${HOME}/.config/cmus @@ -142,6 +144,7 @@ blacklist ${HOME}/.local/share/psi+ blacklist ${HOME}/.local/share/pix blacklist ${HOME}/.local/share/gnome-chess blacklist ${HOME}/.local/share/qpdfview +blacklist ${HOME}/.local/share/zathura # ssh blacklist /tmp/ssh-* diff --git a/etc/zathura.profile b/etc/zathura.profile index 99d9a1a90..955792b2e 100644 --- a/etc/zathura.profile +++ b/etc/zathura.profile 
@@ -1,6 +1,6 @@ # zathura document viewer profile -# noblacklist ~/.config/zathura -# noblacklist ~/.local/share/zathura +noblacklist ~/.config/zathura +noblacklist ~/.local/share/zathura include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc -- cgit v1.2.3-70-g09d2 From b2b955ef34a62ec734d982fc601d77492dc4a232 Mon Sep 17 00:00:00 2001 From: vismir2 Date: Sun, 2 Oct 2016 15:41:45 +0200 Subject: hardened profile for feh --- etc/feh.profile | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'etc') diff --git a/etc/feh.profile b/etc/feh.profile index ba8f32f44..5fcb6bf25 100644 --- a/etc/feh.profile +++ b/etc/feh.profile @@ -5,9 +5,17 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +seccomp +protocol unix netfilter +net none nonewprivs noroot +nogroups nosound -protocol unix -seccomp +shell none + +private-bin feh +whitelist /tmp/.X11-unix +private-dev +private-etc feh -- cgit v1.2.3-70-g09d2 From 83f5ee2ec327a9eca98fc835cc0f5cd68006c179 Mon Sep 17 00:00:00 2001 From: vismir2 Date: Sun, 2 Oct 2016 15:43:49 +0200 Subject: Fixed ranger to work correctly with atool needed perl, hardened profile --- etc/ranger.profile | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/ranger.profile b/etc/ranger.profile index 775098d91..af137fa13 100644 --- a/etc/ranger.profile +++ b/etc/ranger.profile @@ -1,4 +1,9 @@ -# ranger file manager profile +# ranger profile +noblacklist /usr/bin/perl +#noblacklist /usr/bin/cpan* +noblacklist /usr/share/perl* +noblacklist /usr/lib/perl* + include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc 
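Review bot: `+net none` and the retained `netfilter` in feh.profile overlap: with `net none` the sandbox has an empty network namespace, so there is nothing for netfilter to filter; keep `net none` and drop `netfilter` so the policy reads unambiguously. `+private-etc feh` leaves /etc with only feh's own configuration; whatever feh needs from /etc for X11 and font rendering (presumably `fonts`, possibly `ld.so.cache`) is then missing, so confirm the viewer still starts and renders text with this list and extend it if not. The ranger hunk in the following commit pairs `net none` with `netfilter` in the same way.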
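Review bot: `+noblacklist /usr/bin/perl`, `+noblacklist /usr/share/perl*` and `+noblacklist /usr/lib/perl*` hand a full interpreter back to a sandbox that still includes disable-devel.inc, and the profile gives no reason; the commit message does (atool needs perl), so put it beside the lines, e.g. `# atool (archive preview) is a perl script`. That keeps the trade-off visible to anyone hardening ranger later and explains why disable-devel.inc is still included below.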
@@ -6,8 +11,14 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter +net none nonewprivs noroot +nogroups protocol unix seccomp nosound + +private-tmp +private-dev + -- cgit v1.2.3-70-g09d2 From 8edf59794fb37758f94e4b5a208615b957ac5863 Mon Sep 17 00:00:00 2001 From: vismir2 Date: Sun, 2 Oct 2016 15:45:14 +0200 Subject: hardened profile for zathura --- etc/zathura.profile | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'etc') diff --git a/etc/zathura.profile b/etc/zathura.profile index 99d9a1a90..f6651af09 100644 --- a/etc/zathura.profile +++ b/etc/zathura.profile @@ -1,4 +1,4 @@ -# zathura document viewer profile +# zathura viewer profile # noblacklist ~/.config/zathura # noblacklist ~/.local/share/zathura include /etc/firejail/disable-common.inc @@ -12,8 +12,9 @@ protocol unix netfilter nonewprivs noroot +nogroups nosound - -#net none shell none -#private-etc X11 + +private-bin zathura +private-dev -- cgit v1.2.3-70-g09d2 From 248bc971750a533888c61d0b97d0ff35542fe71d Mon Sep 17 00:00:00 2001 From: vismir2 Date: Sun, 2 Oct 2016 15:49:26 +0200 Subject: hardened mupdf --- etc/mupdf.profile | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'etc') diff --git a/etc/mupdf.profile b/etc/mupdf.profile index 6f2db511b..d1a157c3c 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile @@ -11,8 +11,14 @@ noroot nosound protocol unix seccomp +netfilter shell none tracelog +private-bin mupdf private-tmp private-dev + +# mupdf will never write anything +read-only ${HOME} + -- cgit v1.2.3-70-g09d2 From 1bb1eb6d0970e8e60938fe70ee54b677288312c8 Mon Sep 17 00:00:00 2001 From: vismir2 Date: Sun, 2 Oct 2016 15:56:13 +0200 Subject: fixed description --- etc/ranger.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/ranger.profile b/etc/ranger.profile index af137fa13..a040cd6bc 100644 --- a/etc/ranger.profile +++ b/etc/ranger.profile 
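Review bot: The zathura hardening commit is based on zathura.profile at 99d9a1a90 (see its `index` line), where the `noblacklist ~/.config/zathura` and `noblacklist ~/.local/share/zathura` lines are still commented out, while afa0fee earlier on this page un-comments them against the same base and adds the matching `blacklist` entries to disable-programs.inc. Whichever way the two are merged, the result must keep the active `noblacklist` lines, otherwise zathura loses access to its own configuration and data directories; the edits to adjacent lines at the top of the file may also produce a textual conflict. `+nogroups` and `+private-bin zathura` look fine; I believe zathura's document plugins live under the library directory rather than in bin, so `private-bin` should not affect them, but confirm on your distribution.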
@@ -1,4 +1,4 @@ -# ranger profile +# ranger file manager profile noblacklist /usr/bin/perl #noblacklist /usr/bin/cpan* noblacklist /usr/share/perl* -- cgit v1.2.3-70-g09d2 From c313409c3d60dbde22ae932db7447d4ee8cb92fd Mon Sep 17 00:00:00 2001 From: vismir2 Date: Sun, 2 Oct 2016 15:56:41 +0200 Subject: fixed description --- etc/zathura.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/zathura.profile b/etc/zathura.profile index f6651af09..b3a9b0af8 100644 --- a/etc/zathura.profile +++ b/etc/zathura.profile @@ -1,4 +1,4 @@ -# zathura viewer profile +# zathura document viewer profile # noblacklist ~/.config/zathura # noblacklist ~/.local/share/zathura include /etc/firejail/disable-common.inc -- cgit v1.2.3-70-g09d2 From dfa025636778ee99a1c663a92cce1e061370156a Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 3 Oct 2016 11:33:22 -0400 Subject: keepass, keepassx, 7z profiles --- README | 2 +- README.md | 4 ++-- RELNOTES | 2 +- etc/7z.profile | 10 ++++++++++ etc/keepass.profile | 22 ++++++++++++++++++++++ etc/keepassx.profile | 23 +++++++++++++++++++++++ platform/debian/conffiles | 3 +++ src/firecfg/firecfg.config | 2 ++ 8 files changed, 64 insertions(+), 4 deletions(-) create mode 100644 etc/7z.profile create mode 100644 etc/keepass.profile create mode 100644 etc/keepassx.profile (limited to 'etc') diff --git a/README b/README index 325ef2aa5..043e7445a 100644 --- a/README +++ b/README @@ -78,7 +78,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added DOSBox profile - evince profile enhancement vismir2 (https://github.com/vismir2) - - feh, ranger and zathura profiles + - feh, ranger, 7z, keepass, keepassx and zathura profiles - lots of profile fixes graywolf (https://github.com/graywolf) - spelling fix diff --git a/README.md b/README.md index 43aa183ef..6e50a7645 100644 --- a/README.md +++ b/README.md 
@@ -106,9 +106,9 @@ If you keep your Firejail profiles in a public repository, please give us a link ## New profile commands -x11 xpra, x11 xephyr, x11 none, x11 xorg allusers, join-or-start +x11 xpra, x11 xephyr, x11 none, x11 xorg, allusers, join-or-start ## New profiles -qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape, feh, ranger, zathura +qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape, feh, ranger, zathura, 7z, keepass, keepassx diff --git a/RELNOTES b/RELNOTES index df495c31a..bdafb6ff0 100644 --- a/RELNOTES +++ b/RELNOTES @@ -16,7 +16,7 @@ firejail (0.9.43) baseline; urgency=low * feature: disable 3D hardware acceleration (--no3d) * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape - * new profiles: feh, ranger, zathura + * new profiles: feh, ranger, zathura, 7z, keepass, keepassx * bugfixes -- netblue30 Fri, 9 Sept 2016 08:00:00 -0500 diff --git a/etc/7z.profile b/etc/7z.profile new file mode 100644 index 000000000..c9455317a --- /dev/null +++ b/etc/7z.profile @@ -0,0 +1,10 @@ +# p7zip crompression tool profile +quiet +ignore noroot +include /etc/firejail/default.profile +tracelog +net none +shell none +private-dev +private-tmp +nosound diff --git a/etc/keepass.profile b/etc/keepass.profile new file mode 100644 index 000000000..b2085f53d --- /dev/null +++ b/etc/keepass.profile @@ -0,0 +1,22 @@ +# keepass password manager profile + +noblacklist ${HOME}/.config/keepass +noblacklist ${HOME}/.keepass + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +shell none + +private-tmp +private-dev diff --git a/etc/keepassx.profile b/etc/keepassx.profile new file mode 100644 index 000000000..415160df3 --- /dev/null 
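Review bot: `+# p7zip crompression tool profile` misspells "compression", and the retitle in the next commit (`# 7zip crompression tool profile`) keeps the typo; fix it in whichever line survives. `ignore noroot` ahead of `include /etc/firejail/default.profile` is the right order — as far as I recall `ignore` only affects lines read after it — but a comment stating why 7z must keep root available would stop a later pass from "tidying" the order or removing the line.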
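Review bot: keepass.profile re-enables only `${HOME}/.config/keepass` and `${HOME}/.keepass`, but disable-common.inc, included right below, blacklists `${HOME}/*.kdbx` and `${HOME}/*.kdb` (visible as context in the muttrc hunk earlier on this page), so a database kept at the top of the home directory is invisible to the sandboxed password manager. keepassx.profile (next hunk, continuing on the following line) has the same gap and only carves out the single name `${HOME}/keepassx.kdbx`. Add `noblacklist ${HOME}/*.kdbx` and `noblacklist ${HOME}/*.kdb` ahead of the includes in both profiles — assuming `noblacklist` accepts the same globs as `blacklist` in this version — or document that the database must live inside the re-enabled config directory.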
+++ b/etc/keepassx.profile @@ -0,0 +1,23 @@ +# keepassx password manager profile + +noblacklist ${HOME}/.config/keepassx +noblacklist ${HOME}/.keepassx +noblacklist ${HOME}/keepassx.kdbx + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +shell none + +private-tmp +private-dev diff --git a/platform/debian/conffiles b/platform/debian/conffiles index af8e74ba8..03fb2fe75 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -152,3 +152,6 @@ /etc/firejail/xz.profile /etc/firejail/xzdec.profile /etc/firejail/zathura.profile +/etc/firejail/7z.profile +/etc/firejail/keepass.profile +/etc/firejail/keepassx.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 9e5ff7f12..95d3d5caa 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -142,6 +142,8 @@ ssh atom-beta atom ranger +keepass +keepassx # weather/climate aweather -- cgit v1.2.3-70-g09d2 From ae4e4fa1e0e6c9383b9e580c023bfffd6bdacbe0 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 3 Oct 2016 16:34:46 -0400 Subject: removed private-tmp from sysutils --- etc/7z.profile | 3 +-- etc/cpio.profile | 1 - etc/file.profile | 1 - etc/gzip.profile | 1 - etc/less.profile | 1 - etc/strings.profile | 1 - etc/tar.profile | 1 - etc/unzip.profile | 1 - etc/uudeview.profile | 2 -- etc/xzdec.profile | 1 - 10 files changed, 1 insertion(+), 12 deletions(-) (limited to 'etc') diff --git a/etc/7z.profile b/etc/7z.profile index c9455317a..0cb72ff8d 100644 --- a/etc/7z.profile +++ b/etc/7z.profile @@ -1,4 +1,4 @@ -# p7zip crompression tool profile +# 7zip crompression tool profile quiet ignore noroot include /etc/firejail/default.profile @@ -6,5 +6,4 @@ tracelog net none shell none private-dev -private-tmp nosound 
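Review bot: Dropping `private-tmp` from 7z.profile re-exposes the host's /tmp, including the X11 socket, and unlike file, gzip, tar, unzip and xzdec (which keep `blacklist /tmp/.X11-unix` from the earlier cleanup) 7z, cpio, less and strings never had that blacklist, so this commit leaves the sysutils inconsistent. The commit message gives no reason for the removal; presumably private-tmp hid files that users legitimately pass to these tools from /tmp — if so, a comment in each profile such as `# no private-tmp: these tools are routinely run on files under /tmp` would keep it from being re-added, and `blacklist /tmp/.X11-unix` should be added to the four profiles that lack it. The cpio, less and strings hunks are on the following line.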
diff --git a/etc/cpio.profile b/etc/cpio.profile index 5772c7368..519bd244c 100644 --- a/etc/cpio.profile +++ b/etc/cpio.profile @@ -9,7 +9,6 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc private-dev -private-tmp seccomp caps.drop all net none diff --git a/etc/file.profile b/etc/file.profile index 860f7b104..2e54030b1 100644 --- a/etc/file.profile +++ b/etc/file.profile @@ -12,6 +12,5 @@ hostname file private-dev nosound no3d -private-tmp blacklist /tmp/.X11-unix diff --git a/etc/gzip.profile b/etc/gzip.profile index 4843839c5..5e73969c4 100644 --- a/etc/gzip.profile +++ b/etc/gzip.profile @@ -5,7 +5,6 @@ include /etc/firejail/default.profile tracelog net none shell none -private-tmp blacklist /tmp/.X11-unix private-dev nosound diff --git a/etc/less.profile b/etc/less.profile index 802e4196d..6dfae027e 100644 --- a/etc/less.profile +++ b/etc/less.profile @@ -6,5 +6,4 @@ tracelog net none shell none private-dev -private-tmp nosound diff --git a/etc/strings.profile b/etc/strings.profile index d013e7cb5..f99a65009 100644 --- a/etc/strings.profile +++ b/etc/strings.profile @@ -6,6 +6,5 @@ tracelog net none shell none private-dev -private-tmp nosound diff --git a/etc/tar.profile b/etc/tar.profile index 3f6599784..663ac3805 100644 --- a/etc/tar.profile +++ b/etc/tar.profile @@ -14,6 +14,5 @@ nosound no3d private-etc passwd,group,localtime hostname tar -private-tmp blacklist /tmp/.X11-unix diff --git a/etc/unzip.profile b/etc/unzip.profile index 957dbdd71..07224855f 100644 --- a/etc/unzip.profile +++ b/etc/unzip.profile @@ -12,6 +12,5 @@ hostname unzip private-dev nosound no3d -private-tmp blacklist /tmp/.X11-unix diff --git a/etc/uudeview.profile b/etc/uudeview.profile index 51e413493..8ea9d5163 100644 --- a/etc/uudeview.profile +++ b/etc/uudeview.profile @@ -1,5 +1,4 @@ # uudeview profile -# the default profile will disable root user, enable seccomp filter etc. quiet ignore noroot include /etc/firejail/default.profile 
@@ -9,7 +8,6 @@ net none shell none private-bin uudeview private-dev -private-tmp private-etc nonexisting_fakefile_for_empty_etc hostname uudeview nosound diff --git a/etc/xzdec.profile b/etc/xzdec.profile index 0647bddeb..a9d027c38 100644 --- a/etc/xzdec.profile +++ b/etc/xzdec.profile @@ -5,7 +5,6 @@ include /etc/firejail/default.profile tracelog net none shell none -private-tmp blacklist /tmp/.X11-unix private-dev nosound -- cgit v1.2.3-70-g09d2 From 94a3017d9b81d61216fabad875a49eb137fa1215 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 4 Oct 2016 12:07:40 -0400 Subject: apparmor fix --- etc/firejail-default | 2 ++ 1 file changed, 2 insertions(+) (limited to 'etc') diff --git a/etc/firejail-default b/etc/firejail-default index 8abf2400b..0b771f834 100644 --- a/etc/firejail-default +++ b/etc/firejail-default @@ -82,6 +82,8 @@ profile firejail-default { /usr/local/** ix, /usr/lib/** ix, /usr/games/** ix, +/opt/ r, +/opt/** r, /opt/** ix, #/home/** ix, -- cgit v1.2.3-70-g09d2 From cbe61efad39348acc81671a3c920232aa2d34277 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 5 Oct 2016 18:26:49 +0200 Subject: fixed recovery issue --- etc/libreoffice.profile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'etc') diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index 75a52e9ff..d6aceb7a8 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile @@ -1,5 +1,6 @@ # Firejail profile for LibreOffice noblacklist ~/.config/libreoffice +noblacklist /usr/local/sbin include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc @@ -10,9 +11,9 @@ netfilter nogroups nonewprivs noroot -protocol unix,inet,inet6,netlink +protocol unix,inet,inet6 seccomp tracelog private-dev -whitelist /tmp/.X11-unix/ +# whitelist /tmp/.X11-unix/ -- cgit v1.2.3-70-g09d2 From fe3561f0d11032b3bad989a671ceb85b6142b5e2 Mon Sep 17 00:00:00 2001 
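Review bot: `noblacklist /usr/local/sbin` is added to libreoffice.profile without a comment, and the commit title "fixed recovery issue" does not say which file under that directory document recovery needs; a comment such as `# document recovery needs <file under /usr/local/sbin>`, or a noblacklist of that specific file, would make the widening reviewable. Commenting out `whitelist /tmp/.X11-unix/` leaves a dead directive that a reader may mistake for an active one; if the intent is to grant the whole `/tmp`, delete the line and record the reason in a comment instead.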
From: vis Date: Wed, 5 Oct 2016 20:20:29 +0200 Subject: added emas and vim profiles --- etc/emacs.profile | 14 ++++++++++++++ etc/vim.profile | 14 ++++++++++++++ 2 files changed, 28 insertions(+) create mode 100644 etc/emacs.profile create mode 100644 etc/vim.profile (limited to 'etc') diff --git a/etc/emacs.profile b/etc/emacs.profile new file mode 100644 index 000000000..2cf614ca7 --- /dev/null +++ b/etc/emacs.profile @@ -0,0 +1,14 @@ +# emacs profile + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + + +caps.drop all +netfilter +nonewprivs +noroot +nogroups +protocol unix,inet,inet6 +seccomp diff --git a/etc/vim.profile b/etc/vim.profile new file mode 100644 index 000000000..b16939475 --- /dev/null +++ b/etc/vim.profile @@ -0,0 +1,14 @@ +# vim profile + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + + +caps.drop all +netfilter +nonewprivs +noroot +nogroups +protocol unix,inet,inet6 +seccomp -- cgit v1.2.3-70-g09d2 From f6f7ac56d27fee5a62ded9b396f13045e5d97deb Mon Sep 17 00:00:00 2001 From: vis Date: Wed, 5 Oct 2016 20:25:59 +0200 Subject: just a test --- etc/test | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 etc/test (limited to 'etc') diff --git a/etc/test b/etc/test new file mode 100644 index 000000000..76e579ae4 --- /dev/null +++ b/etc/test @@ -0,0 +1,2 @@ +test + -- cgit v1.2.3-70-g09d2 From a2d80988d12762e4314b7a94fe57d1a74c872ac1 Mon Sep 17 00:00:00 2001 From: vis Date: Wed, 5 Oct 2016 20:26:53 +0200 Subject: another test --- etc/test2 | 1 + 1 file changed, 1 insertion(+) create mode 100644 etc/test2 (limited to 'etc') diff --git a/etc/test2 b/etc/test2 new file mode 100644 index 000000000..180cf8328 --- /dev/null +++ b/etc/test2 @@ -0,0 +1 @@ +test2 -- cgit v1.2.3-70-g09d2 From 425603923633eee1c5f553567a025b59dd64411e Mon Sep 17 00:00:00 2001 
From: vis Date: Wed, 5 Oct 2016 20:28:02 +0200 Subject: 3.test --- etc/test3 | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 etc/test3 (limited to 'etc') diff --git a/etc/test3 b/etc/test3 new file mode 100644 index 000000000..eefd60b4e --- /dev/null +++ b/etc/test3 @@ -0,0 +1,2 @@ +test3 + -- cgit v1.2.3-70-g09d2 From 1db14e970dc636b69a7d72dc1e04145ca36d6ffc Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 8 Oct 2016 07:47:41 -0400 Subject: fix keepass profile --- etc/keepass.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/keepass.profile b/etc/keepass.profile index b2085f53d..23f9a7b40 100644 --- a/etc/keepass.profile +++ b/etc/keepass.profile @@ -13,7 +13,7 @@ nogroups nonewprivs noroot nosound -protocol unix +protocol unix,inet,inet6 seccomp netfilter shell none -- cgit v1.2.3-70-g09d2 From ff4b558eefe0b7b96918529a23e5a9ff4ce8339f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 9 Oct 2016 11:35:08 -0400 Subject: apparmor/appimage support --- etc/firejail-default | 3 +++ 1 file changed, 3 insertions(+) (limited to 'etc') diff --git a/etc/firejail-default b/etc/firejail-default index 0b771f834..1b0eb7658 100644 --- a/etc/firejail-default +++ b/etc/firejail-default @@ -31,6 +31,9 @@ profile firejail-default { /{,var/}run/user/**/pulse/ rw, /{,var/}run/user/**/pulse/** rw, /{,var/}run/firejail/mnt/fslogger r, +/{,var/}run/firejail/appimage r, +/{,var/}run/firejail/appimage/** r, +/{,var/}run/firejail/appimage/** ix, /{run,dev}/shm/ r, /{run,dev}/shm/** rmwk, -- cgit v1.2.3-70-g09d2 From 6226aeef298b58a8568acef2aff79d606ca0eec8 Mon Sep 17 00:00:00 2001 From: valoq Date: Sun, 9 Oct 2016 18:37:30 +0200 Subject: fixed database not found error fix for https://github.com/netblue30/firejail/issues/850 --- etc/cherrytree.profile | 1 + 1 file changed, 1 insertion(+) (limited to 'etc') diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index 7c324a34b..5d8067553 100644 --- a/etc/cherrytree.profile 
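Review bot: Widening a password manager's `protocol` line from `unix` to `unix,inet,inet6` deserves a comment naming what needs the network, e.g. `# inet,inet6: <feature that needs network access>`; the commit title "fix keepass profile" does not record it, and a later reviewer cannot tell a deliberate allowance from a debugging leftover. The keepassx.profile added earlier in this log still uses `protocol unix`; if the two are meant to stay in step, the same comment belongs there.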
+++ b/etc/cherrytree.profile @@ -1,6 +1,7 @@ # cherrytree note taking application noblacklist /usr/bin/python2* noblacklist /usr/lib/python3* +noblacklist ${HOME}/.config/cherrytree/ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc -- cgit v1.2.3-70-g09d2 From e7fdfc50f6372ecf0949b12005d776d1180c71e4 Mon Sep 17 00:00:00 2001 From: Dara Adib Date: Sun, 9 Oct 2016 14:53:15 -0400 Subject: Allow evince to access /tmp firefox will save files under /tmp/mozilla_* and try to open them with evince when evince is the default PDF reader. --- etc/evince.profile | 1 - 1 file changed, 1 deletion(-) (limited to 'etc') diff --git a/etc/evince.profile b/etc/evince.profile index 374fa4aaa..894c7c70d 100644 --- a/etc/evince.profile +++ b/etc/evince.profile @@ -15,5 +15,4 @@ shell none tracelog private-bin evince,evince-previewer,evince-thumbnailer -whitelist /tmp/.X11-unix private-dev -- cgit v1.2.3-70-g09d2 From 457804e054aabc1ac530d452ddc9e73729ec4b67 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 9 Oct 2016 19:49:10 -0400 Subject: cherrytree profile --- etc/cherrytree.profile | 9 --------- 1 file changed, 9 deletions(-) (limited to 'etc') diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index 5d8067553..d16e7c067 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile 
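Review bot: Removing `whitelist /tmp/.X11-unix` gives evince the entire host `/tmp`, and the reason lives only in the commit message; a comment in the profile where the line was, `# no /tmp whitelist: firefox saves downloads under /tmp/mozilla_* and opens them with evince`, keeps the trade-off visible to whoever next tightens this profile. It also marks the spot where a narrower rule could be applied should one become available.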
@@ -16,13 +16,4 @@ seccomp protocol unix,inet,inet6,netlink tracelog -include /etc/firejail/whitelist-common.inc -# no private-bin support for various reasons: -#10:25:34 exec 11249 (root) NEW SANDBOX: /usr/bin/firejail /usr/bin/cherrytree -#10:25:34 exec 11252 (netblue) /bin/bash -c "/usr/bin/cherrytree" -#10:25:34 exec 11252 (netblue) /usr/bin/python /usr/bin/cherrytree -#10:25:34 exec 11253 (netblue) sh -c /sbin/ldconfig -p 2>/dev/null -#10:25:34 exec 11255 (netblue) sh -c if type gcc >/dev/null 2>&1; then CC=gcc; elif type cc >/dev/null 2>&1; then CC=cc;else exit 10; fi;LANG=C LC_ALL=C $CC -Wl,-t -o /tmp/tmpiYr44S 2>&1 -llibc -# it requires acces to browser to show the online help -# it doesn't play nicely with expect -- cgit v1.2.3-70-g09d2 From 105d3aec81be03c9b3e897142265b0a1cd12326d Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 9 Oct 2016 19:55:59 -0400 Subject: vlc profile fix --- etc/vlc.profile | 1 - 1 file changed, 1 deletion(-) (limited to 'etc') diff --git a/etc/vlc.profile b/etc/vlc.profile index cdd098dd5..446e47864 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile @@ -14,7 +14,6 @@ noroot protocol unix,inet,inet6 seccomp shell none -tracelog private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc private-dev -- cgit v1.2.3-70-g09d2 From 81485bba858194306b076dab1668eb900fe7b174 Mon Sep 17 00:00:00 2001 From: vismir2 Date: Mon, 10 Oct 2016 13:17:44 +0200 Subject: Create mutt.profile --- etc/mutt.profile | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 etc/mutt.profile (limited to 'etc') diff --git a/etc/mutt.profile b/etc/mutt.profile new file mode 100644 index 000000000..38874f6d8 --- /dev/null +++ b/etc/mutt.profile 
@@ -0,0 +1,31 @@ +# mutt email client profile + +noblacklist ~/.muttrc +noblacklist ~/.mutt/muttrc +noblacklist ~/.gnupg +noblacklist ~/.mail +noblacklist ~/.Mail +noblacklist ~/mail +noblacklist ~/Mail +noblacklist ~/.cache/mutt + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-devel.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +nosound +protocol unix,inet,inet6 +seccomp +shell none + +private-bin mutt +private-dev +private-etc +# private-tmp +# whitelist /tmp/.X11-unix -- cgit v1.2.3-70-g09d2 From 193f38afa3066a2658b40ae92de27356df80afb4 Mon Sep 17 00:00:00 2001 From: vis Date: Mon, 10 Oct 2016 14:14:06 +0200 Subject: added mutt.prifile --- etc/mutt.profile | 16 +++++++++++----- etc/test | 2 -- etc/test2 | 1 - etc/test3 | 2 -- 4 files changed, 11 insertions(+), 10 deletions(-) delete mode 100644 etc/test delete mode 100644 etc/test2 delete mode 100644 etc/test3 (limited to 'etc') diff --git a/etc/mutt.profile b/etc/mutt.profile index 38874f6d8..7f92efebe 100644 --- a/etc/mutt.profile +++ b/etc/mutt.profile @@ -1,13 +1,23 @@ # mutt email client profile noblacklist ~/.muttrc -noblacklist ~/.mutt/muttrc +noblacklist ~/.mutt +noblacklist ~/.mailcap noblacklist ~/.gnupg noblacklist ~/.mail noblacklist ~/.Mail noblacklist ~/mail noblacklist ~/Mail +noblacklist ~/sent +noblacklist ~/postponed noblacklist ~/.cache/mutt +noblacklist ~/.w3m +noblacklist ~/.elinks +noblacklist ~/.vim +noblacklist ~/.viminfo +noblacklist ~/.emacs +noblacklist ~/.emacs.d +noblacklist ~/.bogofilter include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc @@ -24,8 +34,4 @@ protocol unix,inet,inet6 seccomp shell none -private-bin mutt private-dev -private-etc -# private-tmp -# whitelist /tmp/.X11-unix diff --git a/etc/test b/etc/test deleted file mode 100644 index 76e579ae4..000000000 --- a/etc/test +++ /dev/null @@ -1,2 +0,0 @@ -test - 
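Review bot: The second hunk of the mutt.profile update drops `private-bin mutt` together with the bare `private-etc`, without a comment. The bare `private-etc` (no file list) looks like it was never a valid directive, so removing it is a fix, but `private-bin mutt` was a real restriction; the new noblacklists for `~/.vim`, `~/.emacs`, `~/.w3m` and `~/.elinks` suggest it went because mutt spawns external editors and viewers. If that is the reason, `private-bin mutt,vim,w3m,...` with the user's actual helpers would keep the restriction; otherwise a comment such as `# no private-bin: mutt spawns the user's editor, pager and html viewer` records the choice.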
diff --git a/etc/test2 b/etc/test2 deleted file mode 100644 index 180cf8328..000000000 --- a/etc/test2 +++ /dev/null @@ -1 +0,0 @@ -test2 diff --git a/etc/test3 b/etc/test3 deleted file mode 100644 index eefd60b4e..000000000 --- a/etc/test3 +++ /dev/null @@ -1,2 +0,0 @@ -test3 - -- cgit v1.2.3-70-g09d2 From a1d0712d1ae6fb629c509ff827ac42694163732c Mon Sep 17 00:00:00 2001 From: vis Date: Mon, 10 Oct 2016 14:17:16 +0200 Subject: added testfile --- etc/test | 1 + 1 file changed, 1 insertion(+) create mode 100644 etc/test (limited to 'etc') diff --git a/etc/test b/etc/test new file mode 100644 index 000000000..038d718da --- /dev/null +++ b/etc/test @@ -0,0 +1 @@ +testing -- cgit v1.2.3-70-g09d2 From 50c242a920f7a2cb1e27128de469714bbf518f1c Mon Sep 17 00:00:00 2001 From: vis Date: Mon, 10 Oct 2016 14:17:51 +0200 Subject: test --- etc/test | 3 +++ 1 file changed, 3 insertions(+) (limited to 'etc') diff --git a/etc/test b/etc/test index 038d718da..c9a2808b8 100644 --- a/etc/test +++ b/etc/test @@ -1 +1,4 @@ testing + +test2 + -- cgit v1.2.3-70-g09d2 From 96138a2bf56bf9f2469b302175f6a2fc1736651d Mon Sep 17 00:00:00 2001 From: vis Date: Mon, 10 Oct 2016 14:19:43 +0200 Subject: testing --- etc/test | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/test b/etc/test index c9a2808b8..b2e6d6fbb 100644 --- a/etc/test +++ b/etc/test @@ -1,4 +1,4 @@ testing -test2 +test3 -- cgit v1.2.3-70-g09d2 From bfb22e2217a217ba4e914dcc3063774eadf9f167 Mon Sep 17 00:00:00 2001 From: vis Date: Mon, 10 Oct 2016 14:22:05 +0200 Subject: added git.profile --- etc/git.profile | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 etc/git.profile (limited to 'etc') diff --git a/etc/git.profile b/etc/git.profile new file mode 100644 index 000000000..2fb55377d --- /dev/null +++ b/etc/git.profile 
@@ -0,0 +1,27 @@ +# git profile + +noblacklist ~/.gitconfig +noblacklist ~/.ssh +noblacklist ~/.gnupg +noblacklist ~/.emacs +noblacklist ~/.emacs.d +noblacklist ~/.viminfo +noblacklist ~/.vim + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +quiet + +caps.drop all +netfilter +nonewprivs +noroot +nogroups +nosound +protocol unix,inet,inet6 +seccomp +shell none + +private-dev -- cgit v1.2.3-70-g09d2 From 4120b2ca2d8a32296bb955e1dbbd3824277afc57 Mon Sep 17 00:00:00 2001 From: vis Date: Mon, 10 Oct 2016 14:35:40 +0200 Subject: added claws-mail profile --- etc/claws-mail.profile | 25 +++++++++++++++++++++++++ etc/mutt.profile | 1 + 2 files changed, 26 insertions(+) create mode 100644 etc/claws-mail.profile (limited to 'etc') diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile new file mode 100644 index 000000000..6dbf893ab --- /dev/null +++ b/etc/claws-mail.profile @@ -0,0 +1,25 @@ +# claws-mail profile + +noblacklist ~/.claws-mail +noblacklist ~/.signature +noblacklist ~/.ssh +noblacklist ~/.gnupg + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +nogroups +nosound +protocol unix,inet,inet6 +seccomp +shell none + +private-dev +private-tmp + diff --git a/etc/mutt.profile b/etc/mutt.profile index 7f92efebe..4c9a30dac 100644 --- a/etc/mutt.profile +++ b/etc/mutt.profile @@ -17,6 +17,7 @@ noblacklist ~/.vim noblacklist ~/.viminfo noblacklist ~/.emacs noblacklist ~/.emacs.d +noblacklist ~/.signature noblacklist ~/.bogofilter include /etc/firejail/disable-common.inc -- cgit v1.2.3-70-g09d2 From 2edd1511b6c90b389fc541d42f23f95818230f97 Mon Sep 17 00:00:00 2001 
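Review bot: `noblacklist ~/.ssh` and `noblacklist ~/.gnupg` expose the user's private keys to the sandbox, which git legitimately needs for ssh remotes and commit signing, but the profile does not say so; a comment above those lines, `# ~/.ssh for ssh remotes, ~/.gnupg for commit signing`, would stop a later cleanup from stripping them, as happens to the claws-mail profile further down this log. The editor noblacklists (`~/.emacs`, `~/.vim`, `~/.viminfo`) would benefit from the same one-line justification.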
From: vismir2 Date: Mon, 10 Oct 2016 14:45:25 +0200 Subject: Delete test --- etc/test | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 etc/test (limited to 'etc') diff --git a/etc/test b/etc/test deleted file mode 100644 index b2e6d6fbb..000000000 --- a/etc/test +++ /dev/null @@ -1,4 +0,0 @@ -testing - -test3 - -- cgit v1.2.3-70-g09d2 From c555a359be85264aaf5df01ee87b2463129fbca5 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 11 Oct 2016 09:40:23 -0400 Subject: cherrytree fix --- etc/disable-programs.inc | 1 + 1 file changed, 1 insertion(+) (limited to 'etc') diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index c13885739..126ebea80 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -33,6 +33,7 @@ blacklist ${HOME}/.synfig blacklist ${HOME}/.inkscape blacklist ${HOME}/.gimp* blacklist ${HOME}/.config/zathura +blacklist ${HOME}/.config/cherrytree # Media players -- cgit v1.2.3-70-g09d2 From 55f787761b8b2940b8b5e13c7ce4b13481c4bf1a Mon Sep 17 00:00:00 2001 From: vismir2 Date: Tue, 11 Oct 2016 15:54:01 +0200 Subject: Update emacs.profile allowed accces to own configuration files --- etc/emacs.profile | 3 +++ 1 file changed, 3 insertions(+) (limited to 'etc') diff --git a/etc/emacs.profile b/etc/emacs.profile index 2cf614ca7..cbdba7712 100644 --- a/etc/emacs.profile +++ b/etc/emacs.profile @@ -1,5 +1,8 @@ # emacs profile +noblacklist ~/.emacs +noblacklist ~/.emacs.d + include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc -- cgit v1.2.3-70-g09d2 From f4ab9ae4181373166c8eabb470dd0aeeb80a52e2 Mon Sep 17 00:00:00 2001 From: vismir2 Date: Tue, 11 Oct 2016 15:55:12 +0200 Subject: Update mutt.profile added vimrc config file --- etc/mutt.profile | 1 + 1 file changed, 1 insertion(+) (limited to 'etc') diff --git a/etc/mutt.profile b/etc/mutt.profile index 4c9a30dac..cda7fc4bf 100644 --- a/etc/mutt.profile +++ b/etc/mutt.profile 
@@ -14,6 +14,7 @@ noblacklist ~/.cache/mutt noblacklist ~/.w3m noblacklist ~/.elinks noblacklist ~/.vim +noblacklist ~/.vimrc noblacklist ~/.viminfo noblacklist ~/.emacs noblacklist ~/.emacs.d -- cgit v1.2.3-70-g09d2 From 67afd0814f6d44b7fbbd48929c0bb675d36f3345 Mon Sep 17 00:00:00 2001 From: vismir2 Date: Tue, 11 Oct 2016 15:56:05 +0200 Subject: Update vim.profile allowed acces to own config files --- etc/vim.profile | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/vim.profile b/etc/vim.profile index b16939475..3c1fefe41 100644 --- a/etc/vim.profile +++ b/etc/vim.profile @@ -1,10 +1,13 @@ # vim profile +noblacklist ~/.vim +noblacklist ~/.vimrc +noblacklist ~/.viminfo + include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc - caps.drop all netfilter nonewprivs -- cgit v1.2.3-70-g09d2 From b360aff7b55079cca30dcf18eb2d3654bc536d72 Mon Sep 17 00:00:00 2001 From: vismir2 Date: Tue, 11 Oct 2016 15:57:01 +0200 Subject: Update claws-mail.profile removed access to ssh files --- etc/claws-mail.profile | 1 - 1 file changed, 1 deletion(-) (limited to 'etc') diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile index 6dbf893ab..1b6d2f645 100644 --- a/etc/claws-mail.profile +++ b/etc/claws-mail.profile @@ -2,7 +2,6 @@ noblacklist ~/.claws-mail noblacklist ~/.signature -noblacklist ~/.ssh noblacklist ~/.gnupg include /etc/firejail/disable-common.inc -- cgit v1.2.3-70-g09d2 From 06f4277d5c55d2e94381cd11add6e9691a159a2d Mon Sep 17 00:00:00 2001 From: Deelvesh Bunjun Date: Wed, 12 Oct 2016 23:06:03 +0400 Subject: add xpdf profile --- etc/xpdf.profile | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 etc/xpdf.profile (limited to 'etc') diff --git a/etc/xpdf.profile b/etc/xpdf.profile new file mode 100644 index 000000000..e4e1a8ec2 --- /dev/null +++ b/etc/xpdf.profile 
@@ -0,0 +1,25 @@ +################################ +# xpdf application profile +################################ +#include /etc/firejail/disable-common.inc +#include /etc/firejail/disable-programs.inc +#include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +shell none + +nonewprivs +noroot +protocol unix +seccomp + + +noblacklist /etc/xpdfrc +noblacklist ${HOME}/.xpdfrc + + +private-dev +private-tmp + + + -- cgit v1.2.3-70-g09d2 From a2fb272b3e03d9fe60e35ab21c613897f5b67c67 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 12 Oct 2016 16:20:18 -0400 Subject: xpdf profile --- README | 2 ++ README.md | 2 +- etc/disable-programs.inc | 1 + etc/xpdf.profile | 16 ++++++---------- platform/debian/conffiles | 1 + src/firecfg/firecfg.config | 1 + 6 files changed, 12 insertions(+), 11 deletions(-) (limited to 'etc') diff --git a/README b/README index af09db5ca..46c314a64 100644 --- a/README +++ b/README @@ -77,6 +77,8 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added gnome-chess profile - added DOSBox profile - evince profile enhancement +Deelvesh Bunjun (https://github.com/DeelveshBunjun) + - added xpdf profile vismir2 (https://github.com/vismir2) - claws-mail, mutt, git, emacs, vim profiles Dara Adib (https://github.com/daradib) diff --git a/README.md b/README.md index a51651948..1038e1ef8 100644 --- a/README.md +++ b/README.md @@ -113,5 +113,5 @@ x11 xpra, x11 xephyr, x11 none, x11 xorg, allusers, join-or-start ## New profiles qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape, feh, ranger, zathura, 7z, keepass, keepassx, -claws-mail, mutt, git, emacs, vim +claws-mail, mutt, git, emacs, vim, xpdf diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 126ebea80..369e4813c 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -34,6 +34,7 @@ blacklist ${HOME}/.inkscape blacklist ${HOME}/.gimp* blacklist ${HOME}/.config/zathura blacklist ${HOME}/.config/cherrytree +blacklist ${HOME}/.xpdfrc # Media players 
diff --git a/etc/xpdf.profile b/etc/xpdf.profile index e4e1a8ec2..e036fba21 100644 --- a/etc/xpdf.profile +++ b/etc/xpdf.profile @@ -1,25 +1,21 @@ ################################ # xpdf application profile ################################ -#include /etc/firejail/disable-common.inc -#include /etc/firejail/disable-programs.inc -#include /etc/firejail/disable-passwdmgr.inc +noblacklist ${HOME}/.xpdfrc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc caps.drop all shell none - nonewprivs noroot protocol unix seccomp - - -noblacklist /etc/xpdfrc -noblacklist ${HOME}/.xpdfrc - - private-dev private-tmp +net none + diff --git a/platform/debian/conffiles b/platform/debian/conffiles index de9ed4277..c6e243a03 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -160,4 +160,5 @@ /etc/firejail/git /etc/firejail/emacs /etc/firejail/vim +/etc/firejail/xpdf diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 95d3d5caa..31f6b2fd5 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -134,6 +134,7 @@ Mathematica mathematica okular pix +xpdf xreader zathura -- cgit v1.2.3-70-g09d2 From d56c76569033f94b91b9ada3ba4241d19c3c9e11 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 14 Oct 2016 07:44:59 -0400 Subject: cherrytree fix --- etc/cherrytree.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index d16e7c067..ec6d0d69d 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile @@ -1,7 +1,7 @@ # cherrytree note taking application noblacklist /usr/bin/python2* noblacklist /usr/lib/python3* -noblacklist ${HOME}/.config/cherrytree/ +noblacklist ${HOME}/.config/cherrytree include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc -- cgit v1.2.3-70-g09d2 
From 979fcbdc2e83f8d9541e49108511b2b40487d879 Mon Sep 17 00:00:00 2001 From: Rafael Cavalcanti Date: Sat, 15 Oct 2016 18:40:39 -0300 Subject: Whitelist Arch's chromium-flags.conf to Chromium --- etc/chromium.profile | 3 +++ 1 file changed, 3 insertions(+) (limited to 'etc') diff --git a/etc/chromium.profile b/etc/chromium.profile index 0d383aebf..4109af9a4 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile @@ -25,4 +25,7 @@ whitelist ~/keepassx.kdbx whitelist ~/.lastpass whitelist ~/.config/lastpass +# specific to Arch +whitelist ~/.config/chromium-flags.conf + include /etc/firejail/whitelist-common.inc -- cgit v1.2.3-70-g09d2 From a35b70acbd4794452596a74ed165d0b5feb7fa8c Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 17 Oct 2016 13:14:26 -0400 Subject: virtualbox profile --- README.md | 2 +- RELNOTES | 2 +- etc/virtualbox.profile | 12 ++++++++++++ platform/debian/conffiles | 1 + src/firecfg/firecfg.config | 1 + 5 files changed, 16 insertions(+), 2 deletions(-) create mode 100644 etc/virtualbox.profile (limited to 'etc') diff --git a/README.md b/README.md index 1038e1ef8..3e765e556 100644 --- a/README.md +++ b/README.md @@ -113,5 +113,5 @@ x11 xpra, x11 xephyr, x11 none, x11 xorg, allusers, join-or-start ## New profiles qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape, feh, ranger, zathura, 7z, keepass, keepassx, -claws-mail, mutt, git, emacs, vim, xpdf +claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox diff --git a/RELNOTES b/RELNOTES index 23e44a14f..69d0a9b75 100644 --- a/RELNOTES +++ b/RELNOTES @@ -20,7 +20,7 @@ firejail (0.9.44~rc1) baseline; urgency=low * feature: move files in sandbox (--put) * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape * new profiles: feh, ranger, zathura, 7z, keepass, keepassx, - * new profiles: claws-mail, mutt, git, emacs, vim, xpdf + * new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox * bugfixes -- netblue30 Sat, 15 Sept 2016 08:00:00 -0500 
diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile new file mode 100644 index 000000000..148b7efc8 --- /dev/null +++ b/etc/virtualbox.profile @@ -0,0 +1,12 @@ +# VirtualBox profile + +noblacklist ${HOME}/.VirtualBox +noblacklist ${HOME}/VirtualBox VMs +noblacklist ${HOME}/.config/VirtualBox +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all + + diff --git a/platform/debian/conffiles b/platform/debian/conffiles index a8ed6f691..90f4839a2 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -161,3 +161,4 @@ /etc/firejail/emacs.profile /etc/firejail/vim.profile /etc/firejail/xpdf.profile +/etc/firejail/virtualbox.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 31f6b2fd5..aec0dc8a5 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -76,6 +76,7 @@ unbound mupen64plus wine dosbox +virtualbox # games 0ad -- cgit v1.2.3-70-g09d2 From dbec13243bde95b488fe0e77d1c472b72d09ba43 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 17 Oct 2016 13:36:54 -0400 Subject: openshot profile --- README.md | 2 +- RELNOTES | 2 +- etc/disable-programs.inc | 1 + platform/debian/conffiles | 1 + src/firecfg/firecfg.config | 1 + 5 files changed, 5 insertions(+), 2 deletions(-) (limited to 'etc') diff --git a/README.md b/README.md index 3e765e556..e0e283e2b 100644 --- a/README.md +++ b/README.md @@ -113,5 +113,5 @@ x11 xpra, x11 xephyr, x11 none, x11 xorg, allusers, join-or-start ## New profiles qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape, feh, ranger, zathura, 7z, keepass, keepassx, -claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox +claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot diff --git a/RELNOTES b/RELNOTES index 69d0a9b75..bc7d657d4 100644 --- a/RELNOTES +++ b/RELNOTES 
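Review bot: The new virtualbox.profile applies only `caps.drop all` and omits `seccomp`, `nonewprivs` and `noroot`, which every other profile in this log sets, without saying why; presumably the VirtualBox setuid helpers are the reason, and a comment such as `# no noroot/nonewprivs/seccomp: <reason>` would keep a later maintainer from either treating it as an oversight or adding them blind. `noblacklist ${HOME}/VirtualBox VMs` contains an unquoted space; worth confirming the profile parser takes the rest of the line as the path.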
@@ -20,7 +20,7 @@ firejail (0.9.44~rc1) baseline; urgency=low * feature: move files in sandbox (--put) * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape * new profiles: feh, ranger, zathura, 7z, keepass, keepassx, - * new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox + * new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot * bugfixes -- netblue30 Sat, 15 Sept 2016 08:00:00 -0500 diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 369e4813c..dda36abfe 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -35,6 +35,7 @@ blacklist ${HOME}/.gimp* blacklist ${HOME}/.config/zathura blacklist ${HOME}/.config/cherrytree blacklist ${HOME}/.xpdfrc +blacklist ${HOME}/.openshot # Media players diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 90f4839a2..184aef75c 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -162,3 +162,4 @@ /etc/firejail/vim.profile /etc/firejail/xpdf.profile /etc/firejail/virtualbox.profile +/etc/firejail/openshot.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index aec0dc8a5..9548d40b4 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -138,6 +138,7 @@ pix xpdf xreader zathura +openshot # other ssh -- cgit v1.2.3-70-g09d2 From 99abcd61b06076d7d371cd1070343e0e317caf5e Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 17 Oct 2016 13:44:41 -0400 Subject: flowblade profile --- README.md | 2 +- RELNOTES | 1 + etc/disable-programs.inc | 3 +++ etc/flowblade.profile | 13 +++++++++++++ etc/openshot.profile | 13 +++++++++++++ platform/debian/conffiles | 1 + src/firecfg/firecfg.config | 1 + 7 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 etc/flowblade.profile create mode 100644 etc/openshot.profile (limited to 'etc') diff --git a/README.md b/README.md index e0e283e2b..5c061dad8 100644 --- a/README.md +++ b/README.md 
@@ -113,5 +113,5 @@ x11 xpra, x11 xephyr, x11 none, x11 xorg, allusers, join-or-start ## New profiles qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape, feh, ranger, zathura, 7z, keepass, keepassx, -claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot +claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot, Flowblade diff --git a/RELNOTES b/RELNOTES index bc7d657d4..7aa3155e1 100644 --- a/RELNOTES +++ b/RELNOTES @@ -21,6 +21,7 @@ firejail (0.9.44~rc1) baseline; urgency=low * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape * new profiles: feh, ranger, zathura, 7z, keepass, keepassx, * new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot + * new profiles: Flowblade * bugfixes -- netblue30 Sat, 15 Sept 2016 08:00:00 -0500 diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index dda36abfe..1ff486509 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -36,6 +36,9 @@ blacklist ${HOME}/.config/zathura blacklist ${HOME}/.config/cherrytree blacklist ${HOME}/.xpdfrc blacklist ${HOME}/.openshot +blacklist ${HOME}/.openshot_qt +blacklist ${HOME}/.flowblade +blacklist ${HOME}/.config/flowblade # Media players diff --git a/etc/flowblade.profile b/etc/flowblade.profile new file mode 100644 index 000000000..e1ec291bd --- /dev/null +++ b/etc/flowblade.profile @@ -0,0 +1,13 @@ +# OpenShot profile +noblacklist ${HOME}/.flowblade +noblacklist ${HOME}/.config/flowblade +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6,netlink +seccomp diff --git a/etc/openshot.profile b/etc/openshot.profile new file mode 100644 index 000000000..f12bd7d11 --- /dev/null +++ b/etc/openshot.profile 
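Review bot: The header comment of the new flowblade.profile reads `# OpenShot profile`, copied from openshot.profile; it should be `# Flowblade profile`. The rest of the file mirrors openshot.profile apart from the two noblacklist paths, which is fine, but the title is what a reader uses to confirm they are in the right file.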
@@ -0,0 +1,13 @@ +# OpenShot profile +noblacklist ${HOME}/.openshot +noblacklist ${HOME}/.openshot_qt +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6,netlink +seccomp diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 184aef75c..2ffa6d035 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -163,3 +163,4 @@ /etc/firejail/xpdf.profile /etc/firejail/virtualbox.profile /etc/firejail/openshot.profile +/etc/firejail/flowblade.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 9548d40b4..0c46f2dfa 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -139,6 +139,7 @@ xpdf xreader zathura openshot +flowblade # other ssh -- cgit v1.2.3-70-g09d2 From 994dc7904dc7801c9ad3f0a032961d7bfba7be43 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 18 Oct 2016 08:40:45 -0400 Subject: typo --- etc/disable-devel.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc index 971857710..2ac367f37 100644 --- a/etc/disable-devel.inc +++ b/etc/disable-devel.inc @@ -20,7 +20,7 @@ blacklist /usr/bin/x86_64-unknown-linux-gnu-gcc* # clang/llvm blacklist /usr/bin/clang* blacklist /usr/bin/llvm* -blacklist /usb/bin/lldb* +blacklist /usr/bin/lldb* blacklist /usr/lib/llvm* # tcc - Tiny C Compiler -- cgit v1.2.3-70-g09d2 From c9f3b36f73b2bcf4609f61ea53a77bc83e4e854e Mon Sep 17 00:00:00 2001 From: valoq Date: Tue, 18 Oct 2016 16:58:02 +0200 Subject: added profiles --- etc/eog.profile | 23 +++++++++++++++++++++++ etc/evolution.profile | 25 +++++++++++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 etc/eog.profile create mode 100644 etc/evolution.profile (limited to 'etc') 
diff --git a/etc/eog.profile b/etc/eog.profile new file mode 100644 index 000000000..32b54a042 --- /dev/null +++ b/etc/eog.profile @@ -0,0 +1,23 @@ +# eog (gnome image viewer) profile + +noblacklist ~/.config/eog + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +nogroups +protocol unix +seccomp +shell none + +private-bin eog +private-dev +private-etc fonts +private-tmp + diff --git a/etc/evolution.profile b/etc/evolution.profile new file mode 100644 index 000000000..cf581643d --- /dev/null +++ b/etc/evolution.profile @@ -0,0 +1,25 @@ +# evolution profile + +noblacklist ~/.config/evolution +noblacklist ~/.local/share/evolution +noblacklist ~/.cache/evolution +noblacklist ~/.pki +noblacklist ~/.pki/nssdb +noblacklist ~/.gnupg + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +nogroups +protocol unix,inet,inet6 +seccomp +shell none + +private-dev +private-tmp -- cgit v1.2.3-70-g09d2 From b11e3ad8156e61ff72e0fe751a99a68feccb553f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 18 Oct 2016 14:34:41 -0400 Subject: eog and evolution profiles --- README | 1 + README.md | 4 +++- RELNOTES | 2 +- etc/disable-programs.inc | 4 ++++ platform/debian/conffiles | 2 ++ src/firecfg/firecfg.config | 2 ++ 6 files changed, 13 insertions(+), 2 deletions(-) (limited to 'etc') diff --git a/README b/README index f9933f592..10b0ab61b 100644 --- a/README +++ b/README 
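Review bot: `noblacklist ~/.gnupg` in the new evolution profile deserves a comment, because it is the one deliberate exposure in the file: it hands the sandboxed mail client the whole GnuPG home, private keys included, which PGP mail needs but a reader skimming the profile would not expect from a line that looks like the others. Something like `# GnuPG home is needed for PGP mail; private keys are visible inside the sandbox` above it records the trade-off. The same holds, to a lesser degree, for `~/.pki` (NSS certificate and key database).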
@@ -81,6 +81,7 @@ valoq (https://github.com/valoq) - LibreOffice profile fixes - cherrytree profile fixes - added support for /srv in --whitelist feature + - Eye of GNOME and Evolution profiles Rafael Cavalcanti (https://github.com/rccavalcanti) - chromium profile fixes for Arch Linux Deelvesh Bunjun (https://github.com/DeelveshBunjun) diff --git a/README.md b/README.md index 5c061dad8..ec95a4e9b 100644 --- a/README.md +++ b/README.md @@ -42,6 +42,8 @@ If you keep your Firejail profiles in a public repository, please give us a link * https://github.com/chiraag-nataraj/firejail-profiles * https://github.com/triceratops1/fe + +Use this issue to request new profiles: https://github.com/netblue30/firejail/issues/825 ````` ````` @@ -113,5 +115,5 @@ x11 xpra, x11 xephyr, x11 none, x11 xorg, allusers, join-or-start ## New profiles qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape, feh, ranger, zathura, 7z, keepass, keepassx, -claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot, Flowblade +claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot, Flowblade, Eye of GNOME (eog), Evolution diff --git a/RELNOTES b/RELNOTES index 7aa3155e1..f1d6a8da1 100644 --- a/RELNOTES +++ b/RELNOTES @@ -21,7 +21,7 @@ firejail (0.9.44~rc1) baseline; urgency=low * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape * new profiles: feh, ranger, zathura, 7z, keepass, keepassx, * new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot - * new profiles: Flowblade + * new profiles: Flowblade, Eye of GNOME (eog), Evolution * bugfixes -- netblue30 Sat, 15 Sept 2016 08:00:00 -0500 diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 1ff486509..0094c6d11 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -39,6 +39,7 @@ blacklist ${HOME}/.openshot blacklist ${HOME}/.openshot_qt blacklist ${HOME}/.flowblade blacklist ${HOME}/.config/flowblade +blacklist ${HOME}/.config/eog # Media players 
@@ -78,6 +79,9 @@ blacklist ${HOME}/.config/inox blacklist ${HOME}/.muttrc blacklist ${HOME}/.mutt/muttrc blacklist ${HOME}/.msmtprc +blacklist ${HOME}/.config/evolution +blacklist ${HOME}/.local/share/evolution +blacklist ${HOME}/.cache/evolution # Instant Messaging blacklist ${HOME}/.config/hexchat diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 2ffa6d035..6d444b90d 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -164,3 +164,5 @@ /etc/firejail/virtualbox.profile /etc/firejail/openshot.profile /etc/firejail/flowblade.profile +/etc/firejail/eog.profile +/etc/firejail/evolution.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 0c46f2dfa..2d2c7b20e 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -47,6 +47,7 @@ seamonkey-bin thunderbird vivaldi-beta vivaldi +evolution # chat/messaging bitlbee @@ -140,6 +141,7 @@ xreader zathura openshot flowblade +eog # other ssh -- cgit v1.2.3-70-g09d2 From b53b92cb0d21ca137b340c3d9a47a53d6cb00c45 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 19 Oct 2016 18:09:30 +0200 Subject: blacklisted common suid programms --- etc/disable-common.inc | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) (limited to 'etc') diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 4f854c8d8..506d4e258 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc 
@@ -172,3 +172,29 @@ blacklist ${PATH}/roxterm-config
 blacklist ${PATH}/terminix
 blacklist ${PATH}/urxvtc
 blacklist ${PATH}/urxvtcd
+
+# disable common suid programms
+blacklist ${PATH}/firejail
+blacklist ${PATH}/sudo
+blacklist ${PATH}/su
+blacklist ${PATH}/mount
+blacklist ${PATH}/umount
+blacklist ${PATH}/fusermount
+blacklist ${PATH}/passwd
+blacklist ${PATH}/gpasswd
+blacklist ${PATH}/newgidmap
+blacklist ${PATH}/newgrp
+blacklist ${PATH}/newuidmap
+blacklist ${PATH}/pkexec
+blacklist ${PATH}/sg
+blacklist ${PATH}/rsh
+blacklist ${PATH}/rlogin
+blacklist ${PATH}/rcp
+blacklist ${PATH}/crontab
+blacklist ${PATH}/ksu
+blacklist ${PATH}/chsh
+blacklist ${PATH}/chfn
+blacklist ${PATH}/chage
+blacklist ${PATH}/expiry
+blacklist ${PATH}/ping
+blacklist ${PATH}/unix_chkpwd
-- cgit v1.2.3-70-g09d2
From 900ffe37394940efb405b16998392d8d69206574 Mon Sep 17 00:00:00 2001
From: Aleksey Manevich
Date: Thu, 20 Oct 2016 01:05:06 +0300
Subject: fix mutt.profile
---
 etc/disable-programs.inc | 1 +
 etc/mutt.profile | 1 +
 2 files changed, 2 insertions(+)
(limited to 'etc')
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 0094c6d11..edd4ee374 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -77,6 +77,7 @@ blacklist ${HOME}/.8pecxstudios
 blacklist ${HOME}/.config/brave
 blacklist ${HOME}/.config/inox
 blacklist ${HOME}/.muttrc
+blacklist ${HOME}/.mutt
 blacklist ${HOME}/.mutt/muttrc
 blacklist ${HOME}/.msmtprc
 blacklist ${HOME}/.config/evolution
diff --git a/etc/mutt.profile b/etc/mutt.profile
index cda7fc4bf..b532ded67 100644
--- a/etc/mutt.profile
+++ b/etc/mutt.profile
@@ -2,6 +2,7 @@
 
 noblacklist ~/.muttrc
 noblacklist ~/.mutt
+noblacklist ~/.mutt/muttrc
 noblacklist ~/.mailcap
 noblacklist ~/.gnupg
 noblacklist ~/.mail
-- cgit v1.2.3-70-g09d2
From 287dc95bac1abce140459a7ecd0213833626b800 Mon Sep 17 00:00:00 2001
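Review bot: Five of the added entries (`${PATH}/su`, `sudo`, `mount`, `umount`, `fusermount`) duplicate lines already present under `# system management` in the same file, which the very next commit on this page confirms when it comments those out. The list also only reaches setuid binaries that sit on `${PATH}`; setuid helpers installed elsewhere (typically under /usr/lib) are untouched, so the per-profile `nonewprivs` remains the control that actually stops a sandboxed process from gaining privileges through them, and the comment should say so to keep readers from treating the list as complete: `# best-effort denylist of setuid binaries on PATH; nonewprivs in the profiles is the real guard`. Typo in the added comment: `programms` → `programs`.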
From: valoq
Date: Thu, 20 Oct 2016 15:47:34 +0200
Subject: removed blacklist duplate
---
 etc/disable-common.inc | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
(limited to 'etc')
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 506d4e258..19a23d764 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -138,11 +138,11 @@ blacklist /etc/ssh
 blacklist /var/backup
 
 # system management
-blacklist ${PATH}/umount
-blacklist ${PATH}/mount
-blacklist ${PATH}/fusermount
-blacklist ${PATH}/su
-blacklist ${PATH}/sudo
+# blacklist ${PATH}/umount
+# blacklist ${PATH}/mount
+# blacklist ${PATH}/fusermount
+# blacklist ${PATH}/su
+# blacklist ${PATH}/sudo
 blacklist ${PATH}/xinput
 blacklist ${PATH}/evtest
 blacklist ${PATH}/xev
-- cgit v1.2.3-70-g09d2
From 81c570e8e975c8ff3f62c45caffa4e5749296e9d Mon Sep 17 00:00:00 2001
From: Fred-Barclay
Date: Sun, 23 Oct 2016 14:31:56 -0500
Subject: tightened Spotify profile
---
 README | 1 +
 etc/spotify.profile | 26 +++++++++++++++++++++-----
 2 files changed, 22 insertions(+), 5 deletions(-)
(limited to 'etc')
diff --git a/README b/README
index 10b0ab61b..f4fd52666 100644
--- a/README
+++ b/README
@@ -77,6 +77,7 @@ Fred-Barclay (https://github.com/Fred-Barclay)
 - added gnome-chess profile
 - added DOSBox profile
 - evince profile enhancement
+ - tightened Spotify profile
 valoq (https://github.com/valoq)
 - LibreOffice profile fixes
 - cherrytree profile fixes
diff --git a/etc/spotify.profile b/etc/spotify.profile
index 73d427db3..24e5c1023 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
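Review bot: Commenting the five duplicate lines out (`# blacklist ${PATH}/umount` and the four below it) leaves dead configuration under `# system management` that every reader now has to reconcile with the live copy further down the file; deleting them outright keeps one authoritative list. If the point is to record where the entries went, a single `# su/sudo/mount/umount/fusermount: see the suid section below` says it more clearly than five disabled directives.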
@@ -7,16 +7,13 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
-# Whitelist the folders needed by Spotify - This is more restrictive
-# than a blacklist though, but this is all spotify requires for
-# streaming audio
+# Whitelist the folders needed by Spotify
 mkdir ${HOME}/.config/spotify
 whitelist ${HOME}/.config/spotify
 mkdir ${HOME}/.local/share/spotify
 whitelist ${HOME}/.local/share/spotify
 mkdir ${HOME}/.cache/spotify
 whitelist ${HOME}/.cache/spotify
-include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
@@ -27,5 +24,24 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
 
-#private-bin spotify
+private-bin spotify
+private-etc fonts,machine-id,pulse,resolv.conf
 private-dev
+private-tmp
+
+blacklist ${HOME}/.Xauthority
+blacklist ${HOME}/.bashrc
+blacklist /boot
+blacklist /lost+found
+blacklist /media
+blacklist /mnt
+blacklist /opt
+blacklist /root
+blacklist /sbin
+blacklist /srv
+blacklist /sys
+blacklist /var
+blacklist /initrd.img
+blacklist /initrd.img.old
+blacklist /vmlinuz
+blacklist /vmlinuz.old
-- cgit v1.2.3-70-g09d2
From 3b8453d5301608386d9a933c0862e5e049c4879e Mon Sep 17 00:00:00 2001
From: Fred-Barclay
Date: Mon, 24 Oct 2016 15:21:41 -0500
Subject: blacklisted kernel files
---
 etc/disable-common.inc | 4 ++++
 etc/spotify.profile | 4 ----
 2 files changed, 4 insertions(+), 4 deletions(-)
(limited to 'etc')
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 4f854c8d8..29de8cca9 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -172,3 +172,7 @@ blacklist ${PATH}/roxterm-config
 blacklist ${PATH}/terminix
 blacklist ${PATH}/urxvtc
 blacklist ${PATH}/urxvtcd
+
+# kernel files
+blacklist /vmlinuz*
+blacklist /initrd*
diff --git a/etc/spotify.profile b/etc/spotify.profile
index 24e5c1023..6dbcc03ee 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
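Review bot: The second spotify hunk blacklists `${HOME}/.Xauthority` while the first removes `include /etc/firejail/whitelist-common.inc`, the include that every other whitelisted profile on this page (psi-plus, slack, uget-gtk, quiterss) keeps after its whitelist lines; if that include is what re-exposes the X authority file, the client will only reach the X server when XAUTHORITY points outside $HOME, so this needs a run on an Xorg session that enforces xauth before it lands. The `/boot`, `/vmlinuz*`, `/initrd*`, `/sbin`, `/sys` and similar entries are system-wide hardening that belongs in disable-common.inc, where the following commit moves four of them; moving the rest as well would give every profile the benefit instead of just this one. With `${HOME}` already under whitelist, `blacklist ${HOME}/.bashrc` should have nothing left to hide and can go.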
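Review bot: `blacklist /vmlinuz*` and `blacklist /initrd*` only cover the root-level names; on Debian-style layouts those are symlinks into /boot, where the images themselves stay readable unless /boot is already blacklisted somewhere in disable-common.inc outside this hunk (the spotify profile in the previous commit listed `/boot` explicitly). Adding `blacklist /boot` beside the two lines closes that, and the comment could read `# kernel images under /boot and the root-level links to them`.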
@@ -41,7 +41,3 @@ blacklist /sbin
 blacklist /srv
 blacklist /sys
 blacklist /var
-blacklist /initrd.img
-blacklist /initrd.img.old
-blacklist /vmlinuz
-blacklist /vmlinuz.old
-- cgit v1.2.3-70-g09d2
From 88972056f4eb7919f41ca9412853725e80967240 Mon Sep 17 00:00:00 2001
From: Fred-Barclay Date: Sun, 23 Oct 2016 23:23:09 -0500 Subject: squash attempt 2 --- etc/atom-beta.profile | 2 +- etc/atom.profile | 2 +- etc/atril.profile | 2 +- etc/audacity.profile | 2 +- etc/aweather.profile | 2 +- etc/cherrytree.profile | 3 +-- etc/eog.profile | 3 +-- etc/evolution.profile | 2 +- etc/feh.profile | 6 +++--- etc/file.profile | 17 +++++++++-------- etc/filezilla.profile | 5 ++--- etc/flowblade.profile | 2 +- etc/franz.profile | 6 +++--- etc/gajim.profile | 2 +- etc/gimp.profile | 10 ++++++---- etc/git.profile | 4 ++-- etc/gpredict.profile | 2 +- etc/gwenview.profile | 5 +++-- etc/gzip.profile | 14 ++++++++------ etc/inkscape.profile | 10 ++++++---- etc/jitsi.profile | 2 +- etc/kmail.profile | 2 +- etc/less.profile | 6 ++++-- etc/luminance-hdr.profile | 14 ++++++++------ etc/okular.profile | 5 +++-- etc/pidgin.profile | 2 +- etc/pix.profile | 3 +-- etc/psi-plus.profile | 4 ++-- etc/qbittorrent.profile | 4 ++-- etc/qpdfview.profile | 2 +- etc/qtox.profile | 2 +- etc/quiterss.profile | 9 +++++---- etc/ranger.profile | 3 +-- etc/rhythmbox.profile | 2 +- etc/rtorrent.profile | 1 - etc/server.profile | 11 ++++++----- etc/slack.profile | 29 +++++++++++++++-------------- etc/strings.profile | 9 +++++---- etc/synfigstudio.profile | 6 ++++-- etc/tar.profile | 14 +++++++------- etc/telegram.profile | 1 - etc/transmission-gtk.profile | 2 +- etc/transmission-qt.profile | 5 +++-- etc/uget-gtk.profile | 13 ++++++------- etc/unrar.profile | 15 ++++++++------- etc/unzip.profile | 16 ++++++++-------- etc/uudeview.profile | 14 +++++++------- etc/vim.profile | 3 +-- etc/xpdf.profile | 9 +++------ etc/xplayer.profile | 2 +- etc/xzdec.profile | 14 ++++++++------ etc/zathura.profile | 6 +++--- 52 files changed, 171 insertions(+), 160 deletions(-) (limited to 'etc') diff --git a/etc/atom-beta.profile b/etc/atom-beta.profile index 9a8d93875..fa0b316bb 100644 --- a/etc/atom-beta.profile +++ b/etc/atom-beta.profile 
@@ -8,8 +8,8 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot nosound protocol unix,inet,inet6,netlink diff --git a/etc/atom.profile b/etc/atom.profile index 3cb86847e..61930d5c1 100644 --- a/etc/atom.profile +++ b/etc/atom.profile @@ -8,8 +8,8 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot nosound protocol unix,inet,inet6,netlink diff --git a/etc/atril.profile b/etc/atril.profile index d9e10b072..fbcca0c1b 100644 --- a/etc/atril.profile +++ b/etc/atril.profile @@ -7,8 +7,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -nonewprivs nogroups +nonewprivs noroot nosound protocol unix diff --git a/etc/audacity.profile b/etc/audacity.profile index be3fac9be..827fa4301 100644 --- a/etc/audacity.profile +++ b/etc/audacity.profile @@ -8,8 +8,8 @@ include /etc/firejail/disable-programs.inc caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot protocol unix seccomp diff --git a/etc/aweather.profile b/etc/aweather.profile index 4e5c36f50..fa8654f1e 100644 --- a/etc/aweather.profile +++ b/etc/aweather.profile @@ -11,8 +11,8 @@ whitelist ~/.config/aweather caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot nosound protocol unix,inet,inet6 diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index ec6d0d69d..139dec8ec 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile @@ -9,11 +9,10 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter +nogroups nonewprivs noroot nosound seccomp protocol unix,inet,inet6,netlink tracelog - - diff --git a/etc/eog.profile b/etc/eog.profile index 32b54a042..7eb7fd127 100644 --- a/etc/eog.profile +++ b/etc/eog.profile @@ -9,9 +9,9 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter +nogroups nonewprivs noroot -nogroups protocol unix seccomp shell none 
@@ -20,4 +20,3 @@ private-bin eog private-dev private-etc fonts private-tmp - diff --git a/etc/evolution.profile b/etc/evolution.profile index cf581643d..d097c0f34 100644 --- a/etc/evolution.profile +++ b/etc/evolution.profile @@ -14,9 +14,9 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter +nogroups nonewprivs noroot -nogroups protocol unix,inet,inet6 seccomp shell none diff --git a/etc/feh.profile b/etc/feh.profile index 5fcb6bf25..e3b1ec528 100644 --- a/etc/feh.profile +++ b/etc/feh.profile @@ -5,14 +5,14 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix netfilter net none +nogroups nonewprivs noroot -nogroups nosound +protocol unix +seccomp shell none private-bin feh diff --git a/etc/file.profile b/etc/file.profile index 2e54030b1..199a97fad 100644 --- a/etc/file.profile +++ b/etc/file.profile @@ -1,16 +1,17 @@ # file profile -quiet ignore noroot include /etc/firejail/default.profile -tracelog +blacklist /tmp/.X11-unix + +hostname file net none +no3d +nosound +quiet shell none +tracelog + +private-dev private-bin file private-etc magic.mgc,magic,localtime -hostname file -private-dev -nosound -no3d -blacklist /tmp/.X11-unix - diff --git a/etc/filezilla.profile b/etc/filezilla.profile index 551c17a78..fe1d9d20d 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile @@ -13,10 +13,9 @@ noroot nosound protocol unix,inet,inet6 seccomp - shell none + private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp -whitelist /tmp/.X11-unix private-dev -nosound +whitelist /tmp/.X11-unix diff --git a/etc/flowblade.profile b/etc/flowblade.profile index e1ec291bd..12afdb0aa 100644 --- a/etc/flowblade.profile +++ b/etc/flowblade.profile @@ -1,4 +1,4 @@ -# OpenShot profile +# FlowBlade profile noblacklist ${HOME}/.flowblade noblacklist ${HOME}/.config/flowblade include /etc/firejail/disable-common.inc 
diff --git a/etc/franz.profile b/etc/franz.profile index 3cb7942ab..0b3be551b 100644 --- a/etc/franz.profile +++ b/etc/franz.profile @@ -6,12 +6,12 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter -#tracelog nonewprivs noroot +protocol unix,inet,inet6,netlink +seccomp +#tracelog whitelist ${DOWNLOADS} mkdir ~/.config/Franz diff --git a/etc/gajim.profile b/etc/gajim.profile index 04902a734..809378ef9 100644 --- a/etc/gajim.profile +++ b/etc/gajim.profile @@ -22,8 +22,8 @@ include /etc/firejail/disable-devel.inc caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot protocol unix,inet,inet6 seccomp diff --git a/etc/gimp.profile b/etc/gimp.profile index 23361b771..cb441fc9d 100644 --- a/etc/gimp.profile +++ b/etc/gimp.profile @@ -6,13 +6,15 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter +nogroups nonewprivs noroot +nosound protocol unix seccomp -private-dev -private-tmp + noexec ${HOME} noexec /tmp -nogroups -nosound + +private-dev +private-tmp diff --git a/etc/git.profile b/etc/git.profile index 2fb55377d..73122d347 100644 --- a/etc/git.profile +++ b/etc/git.profile @@ -12,15 +12,15 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc -quiet caps.drop all netfilter +nogroups nonewprivs noroot -nogroups nosound protocol unix,inet,inet6 +quiet seccomp shell none diff --git a/etc/gpredict.profile b/etc/gpredict.profile index 353ecceae..0cc6c416b 100644 --- a/etc/gpredict.profile +++ b/etc/gpredict.profile @@ -11,8 +11,8 @@ whitelist ~/.config/Gpredict caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot nosound protocol unix,inet,inet6 diff --git a/etc/gwenview.profile b/etc/gwenview.profile index 67f10c4e1..c866c9e63 100644 --- a/etc/gwenview.profile +++ b/etc/gwenview.profile 
@@ -7,14 +7,15 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +nogroups nonewprivs noroot -nogroups -private-dev protocol unix seccomp nosound +private-dev + #Experimental: #shell none #private-bin gwenview diff --git a/etc/gzip.profile b/etc/gzip.profile index 5e73969c4..d51b9a951 100644 --- a/etc/gzip.profile +++ b/etc/gzip.profile @@ -1,12 +1,14 @@ # gzip profile -quiet ignore noroot include /etc/firejail/default.profile -tracelog -net none -shell none + blacklist /tmp/.X11-unix -private-dev -nosound + +net none no3d +nosound +quiet +shell none +tracelog +private-dev diff --git a/etc/inkscape.profile b/etc/inkscape.profile index cf885fba2..a0e86b6c9 100644 --- a/etc/inkscape.profile +++ b/etc/inkscape.profile @@ -6,13 +6,15 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter +nogroups nonewprivs noroot +nosound protocol unix seccomp -private-dev -private-tmp + noexec ${HOME} noexec /tmp -nogroups -nosound + +private-dev +private-tmp diff --git a/etc/jitsi.profile b/etc/jitsi.profile index c61158f8b..046499abe 100644 --- a/etc/jitsi.profile +++ b/etc/jitsi.profile @@ -6,8 +6,8 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc caps.drop all -nonewprivs nogroups +nonewprivs noroot protocol unix,inet,inet6 seccomp diff --git a/etc/kmail.profile b/etc/kmail.profile index 8c8fd18c4..bc21ba604 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile @@ -8,8 +8,8 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot protocol unix,inet,inet6,netlink seccomp diff --git a/etc/less.profile b/etc/less.profile index 6dfae027e..08758aead 100644 --- a/etc/less.profile +++ b/etc/less.profile @@ -2,8 +2,10 @@ quiet ignore noroot include /etc/firejail/default.profile -tracelog + net none +nosound shell none +tracelog + private-dev -nosound 
diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile index 6e059ea52..76e864e0c 100644 --- a/etc/luminance-hdr.profile +++ b/etc/luminance-hdr.profile @@ -5,17 +5,19 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +ipc-namespace netfilter -protocol unix +nogroups nonewprivs noroot +nosound +protocol unix seccomp shell none tracelog -private-tmp -private-dev + noexec ${HOME} noexec /tmp -nogroups -nosound -ipc-namespace + +private-tmp +private-dev diff --git a/etc/okular.profile b/etc/okular.profile index df142ccfc..b43a5fbea 100644 --- a/etc/okular.profile +++ b/etc/okular.profile @@ -9,14 +9,15 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -nonewprivs nogroups +nonewprivs noroot -private-dev protocol unix seccomp nosound +private-dev + #Experimental: #net none #shell none diff --git a/etc/pidgin.profile b/etc/pidgin.profile index 47be2b6ea..850706145 100644 --- a/etc/pidgin.profile +++ b/etc/pidgin.profile @@ -8,8 +8,8 @@ include /etc/firejail/disable-programs.inc caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot protocol unix,inet,inet6 seccomp diff --git a/etc/pix.profile b/etc/pix.profile index 80c05fd09..e21ddadc6 100644 --- a/etc/pix.profile +++ b/etc/pix.profile @@ -8,8 +8,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -nonewprivs nogroups +nonewprivs noroot nosound protocol unix @@ -20,4 +20,3 @@ tracelog private-bin pix whitelist /tmp/.X11-unix private-dev - diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile index 22c5bafc5..a9323448b 100644 --- a/etc/psi-plus.profile +++ b/etc/psi-plus.profile @@ -14,10 +14,10 @@ whitelist ~/.local/share/psi+ mkdir ~/.cache/psi+ whitelist ~/.cache/psi+ -include /etc/firejail/whitelist-common.inc - caps.drop all netfilter noroot protocol unix,inet,inet6 seccomp + +include /etc/firejail/whitelist-common.inc 
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index 138b6db55..67829c9ca 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile @@ -15,6 +15,6 @@ seccomp # there are some problems with "Open destination folder", see bug #536 #shell none #private-bin qbittorrent -whitelist /tmp/.X11-unix private-dev -nosound + +whitelist /tmp/.X11-unix diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile index 07ea173e6..06c0db206 100644 --- a/etc/qpdfview.profile +++ b/etc/qpdfview.profile @@ -18,5 +18,5 @@ shell none tracelog private-bin qpdfview -private-tmp private-dev +private-tmp diff --git a/etc/qtox.profile b/etc/qtox.profile index 927487037..81d8aa10e 100644 --- a/etc/qtox.profile +++ b/etc/qtox.profile @@ -11,8 +11,8 @@ whitelist ${DOWNLOADS} caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot protocol unix,inet,inet6 seccomp diff --git a/etc/quiterss.profile b/etc/quiterss.profile index 2ab5d8a8e..2b28fce73 100644 --- a/etc/quiterss.profile +++ b/etc/quiterss.profile @@ -14,16 +14,17 @@ whitelist ${HOME}/.cache/QuiteRss caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot -private-bin quiterss -private-dev nosound -#private-etc X11,ssl protocol unix,inet,inet6 seccomp shell none tracelog +private-bin quiterss +private-dev +#private-etc X11,ssl + include /etc/firejail/whitelist-common.inc diff --git a/etc/ranger.profile b/etc/ranger.profile index a040cd6bc..323e64dee 100644 --- a/etc/ranger.profile +++ b/etc/ranger.profile @@ -12,13 +12,12 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter net none +nogroups nonewprivs noroot -nogroups protocol unix seccomp nosound private-tmp private-dev - diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index 0e8527ae7..e5e192486 100644 --- a/etc/rhythmbox.profile +++ b/etc/rhythmbox.profile 
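Review bot: The qbittorrent hunk deletes `nosound` without re-adding it, and the diffstat (`4 ++--`) shows the only insertions are the blank line and the relocated whitelist; the rtorrent hunk in the next section does the same (`1 -`). Unless `nosound` also appears in the lines of either file that the hunks do not show, a commit presented as a reorder ends up re-exposing the sound devices to two torrent clients. If that is intended it deserves its own commit and a comment; otherwise the line should come back next to `private-dev` in both files.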
@@ -5,8 +5,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -nogroups netfilter +nogroups nonewprivs noroot protocol unix,inet,inet6 diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index 15df2c374..1226a51cd 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile @@ -16,4 +16,3 @@ shell none private-bin rtorrent whitelist /tmp/.X11-unix private-dev -nosound diff --git a/etc/server.profile b/etc/server.profile index 22cef0a3c..b8a34feb2 100644 --- a/etc/server.profile +++ b/etc/server.profile @@ -6,11 +6,12 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc -private -private-dev -nosound -no3d -private-tmp blacklist /tmp/.X11-unix + +no3d +nosound seccomp +private +private-dev +private-tmp diff --git a/etc/slack.profile b/etc/slack.profile index 1009f7ee0..a85a28f03 100644 --- a/etc/slack.profile +++ b/etc/slack.profile @@ -1,3 +1,4 @@ +# Firejail profile for Slack noblacklist ${HOME}/.config/Slack noblacklist ${HOME}/Downloads @@ -6,25 +7,25 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc -mkdir ${HOME}/.config -mkdir ${HOME}/.config/Slack -whitelist ${HOME}/.config/Slack -whitelist ${HOME}/Downloads - -protocol unix,inet,inet6,netlink -private-dev -private-tmp -private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime -name slack blacklist /var -include /etc/firejail/whitelist-common.inc - caps.drop all -seccomp +name slack netfilter -nonewprivs nogroups +nonewprivs noroot +protocol unix,inet,inet6,netlink +seccomp shell none + private-bin slack +private-dev +private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime +private-tmp + +mkdir ${HOME}/.config +mkdir ${HOME}/.config/Slack +whitelist ${HOME}/.config/Slack +whitelist ${HOME}/Downloads +include /etc/firejail/whitelist-common.inc 
diff --git a/etc/strings.profile b/etc/strings.profile index f99a65009..7c464bf88 100644 --- a/etc/strings.profile +++ b/etc/strings.profile @@ -1,10 +1,11 @@ # strings profile -quiet ignore noroot include /etc/firejail/default.profile -tracelog + net none -shell none -private-dev nosound +quiet +shell none +tracelog +private-dev diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile index d46467b99..69b2a0db2 100644 --- a/etc/synfigstudio.profile +++ b/etc/synfigstudio.profile @@ -11,7 +11,9 @@ nonewprivs noroot protocol unix seccomp -private-dev -private-tmp + noexec ${HOME} noexec /tmp + +private-dev +private-tmp diff --git a/etc/tar.profile b/etc/tar.profile index 663ac3805..91fdaf48d 100644 --- a/etc/tar.profile +++ b/etc/tar.profile @@ -1,18 +1,18 @@ # tar profile -quiet ignore noroot include /etc/firejail/default.profile -tracelog +blacklist /tmp/.X11-unix + +hostname tar net none +no3d +nosound +quiet shell none +tracelog # support compressed archives private-bin sh,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop private-dev -nosound -no3d private-etc passwd,group,localtime -hostname tar -blacklist /tmp/.X11-unix - diff --git a/etc/telegram.profile b/etc/telegram.profile index 8e91e426b..7615c8eef 100644 --- a/etc/telegram.profile +++ b/etc/telegram.profile @@ -10,4 +10,3 @@ nonewprivs noroot protocol unix,inet,inet6 seccomp - diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index 0cfa4fcfc..316cdfec6 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile @@ -18,6 +18,6 @@ shell none tracelog private-bin transmission-gtk -whitelist /tmp/.X11-unix private-dev +whitelist /tmp/.X11-unix diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index 754211a63..51c58e224 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile 
@@ -14,9 +14,10 @@ noroot nosound protocol unix,inet,inet6 seccomp +shell none tracelog -shell none private-bin transmission-qt -whitelist /tmp/.X11-unix private-dev + +whitelist /tmp/.X11-unix diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile index 522b4bd1e..f42e6c69a 100644 --- a/etc/uget-gtk.profile +++ b/etc/uget-gtk.profile @@ -9,17 +9,16 @@ caps.drop all netfilter nonewprivs noroot +nosound protocol unix,inet,inet6 seccomp +shell none +private-bin uget-gtk +private-dev + +whitelist /tmp/.X11-unix whitelist ${DOWNLOADS} mkdir ~/.config/uGet whitelist ~/.config/uGet include /etc/firejail/whitelist-common.inc - -shell none -private-bin uget-gtk -whitelist /tmp/.X11-unix -private-dev -nosound - diff --git a/etc/unrar.profile b/etc/unrar.profile index f29d1b51b..0700cafe9 100644 --- a/etc/unrar.profile +++ b/etc/unrar.profile @@ -1,17 +1,18 @@ # unrar profile -quiet ignore noroot include /etc/firejail/default.profile -tracelog +blacklist /tmp/.X11-unix + +hostname unrar net none +no3d +nosound +quiet shell none +tracelog + private-bin unrar private-dev -nosound -no3d private-etc passwd,group,localtime -hostname unrar private-tmp -blacklist /tmp/.X11-unix - diff --git a/etc/unzip.profile b/etc/unzip.profile index 07224855f..a43785795 100644 --- a/etc/unzip.profile +++ b/etc/unzip.profile @@ -1,16 +1,16 @@ # unzip profile -quiet ignore noroot include /etc/firejail/default.profile +blacklist /tmp/.X11-unix -tracelog +hostname unzip net none +no3d +nosound +quiet shell none +tracelog + private-bin unzip -private-etc passwd,group,localtime -hostname unzip private-dev -nosound -no3d -blacklist /tmp/.X11-unix - +private-etc passwd,group,localtime diff --git a/etc/uudeview.profile b/etc/uudeview.profile index 8ea9d5163..5ba0896ab 100644 --- a/etc/uudeview.profile +++ b/etc/uudeview.profile 
@@ -1,15 +1,15 @@ # uudeview profile -quiet ignore noroot include /etc/firejail/default.profile -tracelog +blacklist /etc + +hostname uudeview net none +nosound +quiet shell none +tracelog + private-bin uudeview private-dev -private-etc nonexisting_fakefile_for_empty_etc -hostname uudeview -nosound -uudeview - diff --git a/etc/vim.profile b/etc/vim.profile index 3c1fefe41..b161fcbb0 100644 --- a/etc/vim.profile +++ b/etc/vim.profile @@ -1,5 +1,4 @@ # vim profile - noblacklist ~/.vim noblacklist ~/.vimrc noblacklist ~/.viminfo @@ -10,8 +9,8 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter +nogroups nonewprivs noroot -nogroups protocol unix,inet,inet6 seccomp diff --git a/etc/xpdf.profile b/etc/xpdf.profile index e036fba21..7ea368bbe 100644 --- a/etc/xpdf.profile +++ b/etc/xpdf.profile @@ -7,15 +7,12 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -shell none +net none nonewprivs noroot protocol unix +shell none seccomp + private-dev private-tmp -net none - - - - diff --git a/etc/xplayer.profile b/etc/xplayer.profile index 54d5ed89b..191d2f67f 100644 --- a/etc/xplayer.profile +++ b/etc/xplayer.profile @@ -9,8 +9,8 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot protocol unix,inet,inet6 seccomp diff --git a/etc/xzdec.profile b/etc/xzdec.profile index a9d027c38..04f98cef6 100644 --- a/etc/xzdec.profile +++ b/etc/xzdec.profile @@ -1,12 +1,14 @@ # xzdec profile -quiet ignore noroot include /etc/firejail/default.profile -tracelog -net none -shell none + blacklist /tmp/.X11-unix -private-dev -nosound + +net none no3d +nosound +quiet +shell none +tracelog +private-dev diff --git a/etc/zathura.profile b/etc/zathura.profile index 7093c52b2..ab2e99dbc 100644 --- a/etc/zathura.profile +++ b/etc/zathura.profile 
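Review bot: Replacing `private-etc nonexisting_fakefile_for_empty_etc` with `blacklist /etc` swaps the mechanism (an empty private /etc becomes a hidden system /etc) inside a commit whose other 51 files are reorders, and nothing in the hunk says why; a line such as `# uudeview needs nothing from /etc, so hide it entirely` above it would record the decision. Dropping the stray `uudeview` line is a real fix, since a bare word is presumably not accepted as a profile directive, and is worth a mention in the commit message.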
@@ -7,14 +7,14 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix netfilter +nogroups nonewprivs noroot -nogroups nosound shell none +seccomp +protocol unix private-bin zathura private-dev -- cgit v1.2.3-70-g09d2 From b588020b4540480fdd3aaa11da8bd472b2dfdb60 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 25 Oct 2016 12:26:17 -0400 Subject: fixes --- README | 2 ++ etc/disable-common.inc | 27 ++++++++++++++++++++++----- 2 files changed, 24 insertions(+), 5 deletions(-) (limited to 'etc') diff --git a/README b/README index f4fd52666..6ed82907f 100644 --- a/README +++ b/README @@ -47,6 +47,7 @@ Aleksey Manevich (https://github.com/manevich) - added --join-or-start command - CVE-2016-7545 Fred-Barclay (https://github.com/Fred-Barclay) + - lots of profile fixes - added Vivaldi, Atril profiles - added PaleMoon profile - split Icedove and Thunderbird profiles @@ -83,6 +84,7 @@ valoq (https://github.com/valoq) - cherrytree profile fixes - added support for /srv in --whitelist feature - Eye of GNOME and Evolution profiles + - blacklist suid binaries in disable-common.inc Rafael Cavalcanti (https://github.com/rccavalcanti) - chromium profile fixes for Arch Linux Deelvesh Bunjun (https://github.com/DeelveshBunjun) diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 29de8cca9..3c0b2160c 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -137,6 +137,11 @@ blacklist /etc/gshadow+ blacklist /etc/ssh blacklist /var/backup +# system directories +blacklist /sbin +blacklist /usr/sbin +blacklist /usr/local/sbin + # system management blacklist ${PATH}/umount blacklist ${PATH}/mount 
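Review bot: `blacklist /sbin` and `blacklist /usr/sbin` in the new `# system directories` block are plain paths; on merged-/usr distributions those directories are symlinks into /usr/bin, so it is worth confirming that the blacklist attaches to the link rather than to its target, otherwise /usr/bin could become unreachable in every sandbox that includes this file. A comment recording the assumption, e.g. `# NOTE: /sbin and /usr/sbin may be symlinks to /usr/bin on merged-/usr systems`, would save the next reader the same check.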
@@ -149,11 +154,23 @@ blacklist ${PATH}/xev
 blacklist ${PATH}/strace
 blacklist ${PATH}/nc
 blacklist ${PATH}/ncat
-
-# system directories
-blacklist /sbin
-blacklist /usr/sbin
-blacklist /usr/local/sbin
+blacklist ${PATH}/gpasswd
+blacklist ${PATH}/newgidmap
+blacklist ${PATH}/newgrp
+blacklist ${PATH}/newuidmap
+blacklist ${PATH}/pkexec
+blacklist ${PATH}/sg
+blacklist ${PATH}/rsh
+blacklist ${PATH}/rlogin
+blacklist ${PATH}/rcp
+blacklist ${PATH}/crontab
+blacklist ${PATH}/ksu
+blacklist ${PATH}/chsh
+blacklist ${PATH}/chfn
+blacklist ${PATH}/chage
+blacklist ${PATH}/expiry
+blacklist ${PATH}/ping
+blacklist ${PATH}/unix_chkpwd
 
 # prevent lxterminal connecting to an existing lxterminal session
 blacklist /tmp/.lxterminal-socket*
-- cgit v1.2.3-70-g09d2
From 7e20af49b10d716154b21d5b19abf3a312a31c7e Mon Sep 17 00:00:00 2001
From: Fred-Barclay
Date: Tue, 25 Oct 2016 12:23:23 -0500
Subject: Added gpredict, TBB, and xiphos
---
 etc/gpredict.profile | 8 ++++----
 etc/start-tor-browser.profile | 20 ++++++++++++++++++++
 etc/xiphos.profile | 30 ++++++++++++++++++++++++++++++
 3 files changed, 54 insertions(+), 4 deletions(-)
 create mode 100644 etc/start-tor-browser.profile
 create mode 100644 etc/xiphos.profile
(limited to 'etc')
diff --git a/etc/gpredict.profile b/etc/gpredict.profile
index 0cc6c416b..f62bf11aa 100644
--- a/etc/gpredict.profile
+++ b/etc/gpredict.profile
@@ -6,20 +6,20 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 # Whitelist
-mkdir ~/.config/Gpredict
 whitelist ~/.config/Gpredict
 caps.drop all
 netfilter
-nogroups
 nonewprivs
+nogroups
 noroot
 nosound
 protocol unix,inet,inet6
 seccomp
-shell none
+#shell none
 tracelog
-private-bin gpredict
+#private-bin gpredict
+private-etc fonts,resolv.conf
 private-dev
 private-tmp
diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile
new file mode 100644
index 000000000..ee19cee25
--- /dev/null
+++ b/etc/start-tor-browser.profile
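Review bot: The new `blacklist ${PATH}/...` entries (gpasswd through unix_chkpwd) only match binaries that live in a ${PATH} directory, so a setuid helper installed elsewhere is not covered, and the list will drift as distributions add or move such binaries. The control that actually neutralises setuid bits is `nonewprivs` in the individual profiles; this block is defence in depth, and a header comment should say so: `# setuid/setgid helpers - complements nonewprivs in the profiles, does not replace it`. The block also removes the `# system directories` lines that the previous hunk of this same commit inserted higher up, which is a plain move and fine, but the commit message "fixes" does not say that.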
@@ -0,0 +1,20 @@ +# Firejail profile for the Tor Brower Bundle +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +private-bin bash,grep,sed,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf +private-etc fonts +private-dev +private-tmp diff --git a/etc/xiphos.profile b/etc/xiphos.profile new file mode 100644 index 000000000..b7fb6ecf3 --- /dev/null +++ b/etc/xiphos.profile @@ -0,0 +1,30 @@ +# Firejail profile for xiphos +noblacklist ~/.sword +noblacklist ~/.xiphos + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +blacklist ~/.bashrc +blacklist ~/.Xauthority + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +nosound +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +private-bin xiphos +private-etc fonts,resolv.conf,sword +private-dev +private-tmp + +whitelist ${HOME}/.sword +whitelist ${HOME}/.xiphos -- cgit v1.2.3-70-g09d2 From 388e2b9e4c36e65098e7c3ba43dbf1c0e7f4671f Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Tue, 25 Oct 2016 12:33:15 -0500 Subject: Extra profile files --- README | 3 ++- README.md | 5 +++++ RELNOTES | 1 + etc/disable-programs.inc | 2 ++ platform/debian/conffiles | 2 ++ src/firecfg/firecfg.config | 2 ++ 6 files changed, 14 insertions(+), 1 deletion(-) (limited to 'etc') diff --git a/README b/README index 6ed82907f..cbd15f02a 100644 --- a/README +++ b/README 
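Review bot: `private-bin` in start-tor-browser.profile names `sed` twice and carries `bash` and `env` into the sandbox, so the sandboxed process keeps a general-purpose shell even though `shell none` is set; that is probably unavoidable for a launcher script, and the profile should record it, e.g. `# bash/env are needed by the start-tor-browser launcher script itself`. The duplicate `sed` can simply be dropped. The header comment's `Brower` is a typo for `Browser`.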
@@ -70,7 +70,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added audacity profile - fixed Telegram and qtox profiles - added Atom Beta and Atom profiles - - tightened 0ad, atril, evince, gthumb, pix, qtox, and xreader profiles. + - tightened 0ad, atril, evince, gthumb, pix, qtox, and xreader profiles - several private-bin conversions - added jitsi profile - pidgin private-bin conversion @@ -79,6 +79,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added DOSBox profile - evince profile enhancement - tightened Spotify profile + - added xiphos and Tor Browser Bundle profiles valoq (https://github.com/valoq) - LibreOffice profile fixes - cherrytree profile fixes diff --git a/README.md b/README.md index fe7c91f01..ff1b2e8ba 100644 --- a/README.md +++ b/README.md @@ -48,4 +48,9 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is ````` # Current development version: 0.9.45 +````` + +````` +## New Profiles +xiphos, Tor Browser Bundle diff --git a/RELNOTES b/RELNOTES index 6e1f502c7..c0fb8b20b 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,6 +1,7 @@ firejail (0.9.45) baseline; urgency=low * development version, work in progress -- netblue30 Sun, 23 Oct 2016 08:00:00 -0500 + * new profiles: xiphos, Tor Browser Bundle firejail (0.9.44) baseline; urgency=low * CVE-2016-7545 submitted by Aleksey Manevich diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index edd4ee374..6e22fe04d 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -7,6 +7,8 @@ blacklist ${HOME}/.wine blacklist ${HOME}/.Mathematica blacklist ${HOME}/.Wolfram Research blacklist ${HOME}/.stellarium +blacklist ${HOME}/.sword +blacklist ${HOME}/.xiphos blacklist ${HOME}/.config/Atom blacklist ${HOME}/.config/gthumb blacklist ${HOME}/.config/mupen64plus diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 6d444b90d..0c2e85904 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles 
@@ -166,3 +166,5 @@ /etc/firejail/flowblade.profile /etc/firejail/eog.profile /etc/firejail/evolution.profile +/etc/firejail/start-tor-browser.profile +/etc/firejail/xiphos.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 2d2c7b20e..e3e333497 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -42,6 +42,7 @@ opera-beta opera palemoon qutebrowser +start-tor-browser seamonkey seamonkey-bin thunderbird @@ -150,6 +151,7 @@ atom ranger keepass keepassx +xiphos # weather/climate aweather -- cgit v1.2.3-70-g09d2 From f7cbeea6b3e3dcdfe2a2b9f92d459913c5fc69a2 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Tue, 25 Oct 2016 14:14:06 -0500 Subject: Fixed testing typo --- etc/gpredict.profile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'etc') diff --git a/etc/gpredict.profile b/etc/gpredict.profile index f62bf11aa..8dcfee2c4 100644 --- a/etc/gpredict.profile +++ b/etc/gpredict.profile @@ -16,10 +16,10 @@ noroot nosound protocol unix,inet,inet6 seccomp -#shell none +shell none tracelog -#private-bin gpredict +private-bin gpredict private-etc fonts,resolv.conf private-dev private-tmp -- cgit v1.2.3-70-g09d2 From b1221c082cf5d7423cf3fe58c552a1469cac3d2d Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Tue, 25 Oct 2016 14:16:10 -0500 Subject: typo #2 --- etc/gpredict.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/gpredict.profile b/etc/gpredict.profile index 8dcfee2c4..801304c18 100644 --- a/etc/gpredict.profile +++ b/etc/gpredict.profile @@ -10,8 +10,8 @@ whitelist ~/.config/Gpredict caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot nosound protocol unix,inet,inet6 -- cgit v1.2.3-70-g09d2 From 834da29e4c467ca074209b51effef38f8a238e84 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 26 Oct 2016 09:15:50 -0400 Subject: removed ping blacklisting --- etc/disable-common.inc | 1 - 1 file changed, 1 deletion(-) (limited to 'etc') 
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 3c0b2160c..848513454 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -169,7 +169,6 @@ blacklist ${PATH}/chsh blacklist ${PATH}/chfn blacklist ${PATH}/chage blacklist ${PATH}/expiry -blacklist ${PATH}/ping blacklist ${PATH}/unix_chkpwd # prevent lxterminal connecting to an existing lxterminal session -- cgit v1.2.3-70-g09d2 From ef0b9705614d061f6e974155fa1799964bc313ee Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 26 Oct 2016 18:10:30 +0200 Subject: minor fixes --- etc/disable-common.inc | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) (limited to 'etc') diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 82398473d..38a8b86d6 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -1,6 +1,7 @@ # History files in $HOME blacklist-nolog ${HOME}/.history blacklist-nolog ${HOME}/.*_history +blacklist-nolog ${HOME}/.bash_history blacklist ${HOME}/.local/share/systemd blacklist-nolog ${HOME}/.adobe blacklist-nolog ${HOME}/.macromedia @@ -23,6 +24,7 @@ blacklist ${HOME}/.config/openbox/autostart blacklist ${HOME}/.config/openbox/environment blacklist ${HOME}/.gnomerc blacklist /etc/X11/Xsession.d/ +blacklist ${HOME}/.xpra # VirtualBox blacklist ${HOME}/.VirtualBox @@ -96,9 +98,6 @@ read-only ${HOME}/.emacs.d read-only ${HOME}/.nano read-only ${HOME}/.tmux.conf read-only ${HOME}/.iscreenrc -read-only ${HOME}/.muttrc -read-only ${HOME}/.mutt/muttrc -read-only ${HOME}/.msmtprc read-only ${HOME}/.reportbugrc read-only ${HOME}/.xmonad read-only ${HOME}/.xscreensaver 
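Review bot: Dropping the `read-only` lines for `~/.muttrc`, `~/.mutt/muttrc` and `~/.msmtprc` leaves mail-client configuration (msmtprc commonly carries credentials) writable from every sandbox that includes disable-common.inc, and the commit message "minor fixes" does not say why; if one profile needs them writable, relaxing it there is narrower than removing the protection globally. `blacklist-nolog ${HOME}/.bash_history` added in the first hunk is already matched by the `.*_history` glob directly above it, so it is redundant unless that glob is known not to match on some setup — a short comment either way would settle it.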
@@ -143,11 +142,11 @@ blacklist /usr/sbin blacklist /usr/local/sbin # system management -# blacklist ${PATH}/umount -# blacklist ${PATH}/mount -# blacklist ${PATH}/fusermount -# blacklist ${PATH}/su -# blacklist ${PATH}/sudo +blacklist ${PATH}/umount +blacklist ${PATH}/mount +blacklist ${PATH}/fusermount +blacklist ${PATH}/su +blacklist ${PATH}/sudo blacklist ${PATH}/xinput blacklist ${PATH}/evtest blacklist ${PATH}/xev -- cgit v1.2.3-70-g09d2 From 5e5686588744eb93db9e8e33e7737adabae54945 Mon Sep 17 00:00:00 2001 From: "Vadim A. Misbakh-Soloviov" Date: Fri, 28 Oct 2016 15:55:02 +0700 Subject: Adding XDG-compat fontconfig's fonts path --- etc/whitelist-common.inc | 1 + 1 file changed, 1 insertion(+) (limited to 'etc') diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc index fd44c2528..e533fe596 100644 --- a/etc/whitelist-common.inc +++ b/etc/whitelist-common.inc @@ -14,6 +14,7 @@ whitelist ~/.fonts.d whitelist ~/.fontconfig whitelist ~/.fonts.conf whitelist ~/.fonts.conf.d +whitelist ~/.local/share/fonts whitelist ~/.config/fontconfig whitelist ~/.cache/fontconfig -- cgit v1.2.3-70-g09d2 From 397b4e86f3e1581f8910efb0639c515d3420a21c Mon Sep 17 00:00:00 2001 From: valoq Date: Sat, 29 Oct 2016 17:22:51 +0200 Subject: added profile for display - imagemagick --- etc/display.profile | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 etc/display.profile (limited to 'etc') diff --git a/etc/display.profile b/etc/display.profile new file mode 100644 index 000000000..ec041bff7 --- /dev/null +++ b/etc/display.profile 
@@ -0,0 +1,23 @@
+# display (ImageMagick tool) image viewer profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+seccomp
+protocol unix
+netfilter
+net none
+nonewprivs
+noroot
+nogroups
+nosound
+shell none
+x11 xorg
+
+private-bin display
+private-tmp
+private-dev
+private-etc none
+
-- cgit v1.2.3-70-g09d2
From 9fd22cec3ba42475c773b792105f70f4bf783d39 Mon Sep 17 00:00:00 2001
From: valoq
Date: Sat, 29 Oct 2016 19:10:06 +0200
Subject: added profile for wire
---
 etc/Wire.profile | 22 ++++++++++++++++++++++
 etc/disable-programs.inc | 1 +
 2 files changed, 23 insertions(+)
 create mode 100644 etc/Wire.profile
(limited to 'etc')
diff --git a/etc/Wire.profile b/etc/Wire.profile
new file mode 100644
index 000000000..b488d75e4
--- /dev/null
+++ b/etc/Wire.profile
@@ -0,0 +1,22 @@
+# wire messenger profile
+
+noblacklist ~/.config/Wire
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-tmp
+private-dev
+
+# please note: the wire binary is currently identified with a capital W. This might change in future versions
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 6e22fe04d..0d9bd1bb4 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -106,6 +106,7 @@ blacklist ${HOME}/.config/Slack
 blacklist ${HOME}/.cache/gajim
 blacklist ${HOME}/.local/share/gajim
 blacklist ${HOME}/.config/gajim
+blacklist ${HOME}/.config/Wire
 
 # Games
 blacklist ${HOME}/.hedgewars
-- cgit v1.2.3-70-g09d2
From 5d71a091b27cfab5a159842f9a660ee09c61ebde Mon Sep 17 00:00:00 2001
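Review bot: display.profile sets both `netfilter` and `net none`; with no network interface in the sandbox the filter presumably has nothing to attach to, so the `netfilter` line is dead configuration that reads as though filtering were in force — drop it or comment it. The same pair is introduced for evince, mupdf and zathura in the later private-tmp commit. `private-etc none`: if `none` is meant to produce an empty /etc, confirm the parser treats that word specially rather than as a file name, since the uudeview profile earlier in this series used a placeholder file name for the same effect before switching to `blacklist /etc`.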
From: Impyy Date: Mon, 31 Oct 2016 23:12:53 +0100 Subject: Added a profile for mumble --- etc/mumble.profile | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 etc/mumble.profile (limited to 'etc') diff --git a/etc/mumble.profile b/etc/mumble.profile new file mode 100644 index 000000000..ddd70822d --- /dev/null +++ b/etc/mumble.profile @@ -0,0 +1,26 @@ +# mumble profile +noblacklist ${HOME}/.config/Mumble +noblacklist ${HOME}/.local/share/data/Mumble +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +mkdir ${HOME}/.config/Mumble +mkdir ${HOME}/.local/share/data/Mumble +whitelist ${HOME}/.config/Mumble +whitelist ${HOME}/.local/share/data/Mumble +include /etc/firejail/whitelist-common.inc + +caps.drop all +netfilter +nonewprivs +nogroups +noroot +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +private-bin mumble +private-tmp -- cgit v1.2.3-70-g09d2 From ccfe7a291eaa83b6d4d3f799a3d9b942a27b085a Mon Sep 17 00:00:00 2001 From: vismir2 Date: Thu, 3 Nov 2016 14:59:24 +0100 Subject: Improvements for Zathura profile --- etc/zathura.profile | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'etc') diff --git a/etc/zathura.profile b/etc/zathura.profile index 7093c52b2..d29762889 100644 --- a/etc/zathura.profile +++ b/etc/zathura.profile @@ -18,3 +18,8 @@ shell none private-bin zathura private-dev +private-etc fonts +whitelist /tmp/.X11-unix + +read-only ~/ +read-write ~/.local/share/zathura/ -- cgit v1.2.3-70-g09d2 From 7d1fbcb6ab703562455883b17e345cbf8a4fdd69 Mon Sep 17 00:00:00 2001 From: valoq Date: Thu, 3 Nov 2016 21:35:24 +0100 Subject: added nosound --- etc/eog.profile | 1 + etc/evolution.profile | 1 + 2 files changed, 2 insertions(+) (limited to 'etc') diff --git a/etc/eog.profile b/etc/eog.profile index 7eb7fd127..68e950bd7 100644 --- a/etc/eog.profile +++ b/etc/eog.profile 
@@ -12,6 +12,7 @@ netfilter nogroups nonewprivs noroot +nosound protocol unix seccomp shell none diff --git a/etc/evolution.profile b/etc/evolution.profile index d097c0f34..d63eeed74 100644 --- a/etc/evolution.profile +++ b/etc/evolution.profile @@ -17,6 +17,7 @@ netfilter nogroups nonewprivs noroot +nosound protocol unix,inet,inet6 seccomp shell none -- cgit v1.2.3-70-g09d2 From 7165f68e3430ccce0bfa0618200310db19e69d30 Mon Sep 17 00:00:00 2001 From: valoq Date: Thu, 3 Nov 2016 23:51:36 +0100 Subject: private-tmp changes --- etc/deluge.profile | 3 +-- etc/evince.profile | 4 ++++ etc/fbreader.profile | 3 +-- etc/feh.profile | 2 +- etc/filezilla.profile | 3 +-- etc/firefox.profile | 6 +++++- etc/gthumb.profile | 2 +- etc/mupdf.profile | 4 ++++ etc/pix.profile | 2 +- etc/qbittorrent.profile | 3 +-- etc/rtorrent.profile | 2 +- etc/transmission-gtk.profile | 3 +-- etc/transmission-qt.profile | 3 +-- etc/uget-gtk.profile | 2 +- etc/wesnoth.profile | 3 +-- etc/zathura.profile | 3 ++- src/man/firejail-profile.txt | 2 +- src/man/firejail.txt | 2 +- 18 files changed, 29 insertions(+), 23 deletions(-) (limited to 'etc') diff --git a/etc/deluge.profile b/etc/deluge.profile index 8fde9acf9..b82bd4936 100644 --- a/etc/deluge.profile +++ b/etc/deluge.profile @@ -15,7 +15,6 @@ seccomp shell none private-bin deluge,sh,python,uname -whitelist /tmp/.X11-unix private-dev -nosound +private-tmp diff --git a/etc/evince.profile b/etc/evince.profile index 894c7c70d..9a9113c70 100644 --- a/etc/evince.profile +++ b/etc/evince.profile @@ -5,6 +5,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +netfilter +net none nogroups nonewprivs noroot @@ -16,3 +18,5 @@ tracelog private-bin evince,evince-previewer,evince-thumbnailer private-dev +private-etc fonts +private-tmp \ No newline at end of file diff --git a/etc/fbreader.profile b/etc/fbreader.profile index de31ce8de..ec098d5fe 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile 
@@ -16,6 +16,5 @@ seccomp shell none private-bin fbreader,FBReader -whitelist /tmp/.X11-unix private-dev -nosound +private-tmp diff --git a/etc/feh.profile b/etc/feh.profile index e3b1ec528..2812effc9 100644 --- a/etc/feh.profile +++ b/etc/feh.profile @@ -16,6 +16,6 @@ seccomp shell none private-bin feh -whitelist /tmp/.X11-unix private-dev private-etc feh +private-tmp \ No newline at end of file diff --git a/etc/filezilla.profile b/etc/filezilla.profile index fe1d9d20d..a40fceec1 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile @@ -17,5 +17,4 @@ shell none private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp private-dev - -whitelist /tmp/.X11-unix +private-tmp diff --git a/etc/firefox.profile b/etc/firefox.profile index 170d0fe10..7875ca6b9 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile @@ -47,4 +47,8 @@ whitelist ~/.config/pipelight-silverlight5.1 include /etc/firejail/whitelist-common.inc # experimental features -#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse + +private-bin firefox,which,sh,dbus-launch,dbus-send,env +private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse +private-dev +private-tmp diff --git a/etc/gthumb.profile b/etc/gthumb.profile index 3ffd10add..055d78935 100644 --- a/etc/gthumb.profile +++ b/etc/gthumb.profile @@ -17,5 +17,5 @@ shell none tracelog private-bin gthumb -whitelist /tmp/.X11-unix private-dev +private-tmp \ No newline at end of file diff --git a/etc/mupdf.profile b/etc/mupdf.profile index d1a157c3c..65e6a8978 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile 
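Review bot: feh.profile and gthumb.profile now end without a trailing newline (`\ No newline at end of file` after `private-tmp`), as do evince, pix and rtorrent in the neighbouring hunks of this commit; every later edit to these files will show a spurious change on the last line. Add the final newline when touching them — this is about how the files are written, not what they do.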
@@ -12,12 +12,16 @@ nosound protocol unix seccomp netfilter +net none shell none tracelog +seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev + private-bin mupdf private-tmp private-dev +private-etc fonts # mupdf will never write anything read-only ${HOME} diff --git a/etc/pix.profile b/etc/pix.profile index e21ddadc6..dc8192b01 100644 --- a/etc/pix.profile +++ b/etc/pix.profile @@ -18,5 +18,5 @@ shell none tracelog private-bin pix -whitelist /tmp/.X11-unix private-dev +private-tmp \ No newline at end of file diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index 67829c9ca..89e0e4c78 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile @@ -16,5 +16,4 @@ seccomp #shell none #private-bin qbittorrent private-dev - -whitelist /tmp/.X11-unix +private-tmp diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index 1226a51cd..55bfcd77f 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile @@ -14,5 +14,5 @@ seccomp shell none private-bin rtorrent -whitelist /tmp/.X11-unix private-dev +private-tmp \ No newline at end of file diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index 316cdfec6..fa54ea81b 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile @@ -19,5 +19,4 @@ tracelog private-bin transmission-gtk private-dev - -whitelist /tmp/.X11-unix +private-tmp diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index 51c58e224..100fadc27 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile 
@@ -19,5 +19,4 @@ tracelog private-bin transmission-qt private-dev - -whitelist /tmp/.X11-unix +private-tmp diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile index f42e6c69a..3ba28f772 100644 --- a/etc/uget-gtk.profile +++ b/etc/uget-gtk.profile @@ -16,8 +16,8 @@ shell none private-bin uget-gtk private-dev +private-tmp -whitelist /tmp/.X11-unix whitelist ${DOWNLOADS} mkdir ~/.config/uGet whitelist ~/.config/uGet diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile index 2ddb59d11..bb489ddeb 100644 --- a/etc/wesnoth.profile +++ b/etc/wesnoth.profile @@ -15,8 +15,7 @@ protocol unix,inet,inet6 seccomp private-dev - -whitelist /tmp/.X11-unix +private-tmp mkdir ${HOME}/.local/share/wesnoth mkdir ${HOME}/.config/wesnoth diff --git a/etc/zathura.profile b/etc/zathura.profile index 99a8ea90d..6c93a2480 100644 --- a/etc/zathura.profile +++ b/etc/zathura.profile @@ -8,6 +8,7 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter +net none nogroups nonewprivs noroot @@ -19,7 +20,7 @@ protocol unix private-bin zathura private-dev private-etc fonts -whitelist /tmp/.X11-unix +private-tmp read-only ~/ read-write ~/.local/share/zathura/ diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 09dc46bbc..d6113218c 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -200,7 +200,7 @@ filesystem, and copy the files and directories in the list. All modifications are discarded when the sandbox is closed. .TP \fBprivate-tmp -Mount an empty temporary filesystem on top of /tmp directory. +Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix. .TP \fBread-only file_or_directory Make directory or file read-only. diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 666a6a8ef..74e8ef4fe 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
@@ -1180,7 +1180,7 @@ nsswitch.conf,passwd,resolv.conf .TP \fB\-\-private-tmp -Mount an empty temporary filesystem on top of /tmp directory. +Mount an empty filesystem on top of /tmp directory whitelisting /tmp/.X11-unix. .br .br -- cgit v1.2.3-70-g09d2 From 562c966460a554f16cded0294f41e42ad9226ff8 Mon Sep 17 00:00:00 2001 From: BogDan Vatra Date: Sat, 5 Nov 2016 08:04:19 +0200 Subject: Added profile for zoom.us messanger Check https://zoom.us for more info --- etc/zoom.profile | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 etc/zoom.profile (limited to 'etc') diff --git a/etc/zoom.profile b/etc/zoom.profile new file mode 100644 index 000000000..f5831dd88 --- /dev/null +++ b/etc/zoom.profile @@ -0,0 +1,23 @@ +# Firejail profile for zoom.us + +noblacklist ~/.config/zoomus.conf + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc + + +# Whitelists + +mkdir ~/.zoom +whitelist ~/.zoom + + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp + +private-tmp -- cgit v1.2.3-70-g09d2 From d43eb028d90d3417a70e9a5eb5e44ea3e3faa5a0 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 5 Nov 2016 09:44:50 -0400 Subject: profile fixes --- README | 4 ++++ README.md | 2 +- etc/evince.profile | 2 +- etc/firefox.profile | 3 +-- etc/mupdf.profile | 2 +- platform/debian/conffiles | 1 + 6 files changed, 9 insertions(+), 5 deletions(-) (limited to 'etc') diff --git a/README b/README index 50bc00099..7599f4cf1 100644 --- a/README +++ b/README @@ -80,6 +80,8 @@ Fred-Barclay (https://github.com/Fred-Barclay) - evince profile enhancement - tightened Spotify profile - added xiphos and Tor Browser Bundle profiles +BogDan Vatra (https://github.com/bog-dan-ro) + - zoom profile Impyy (https://github.com/Impyy) - added mumble profile valoq (https://github.com/valoq) 
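Review bot: zoom.profile exempts `~/.config/zoomus.conf` with `noblacklist` but then whitelists only `~/.zoom`; once a home path is whitelisted the rest of $HOME is presumably hidden, so the config file stays invisible unless it is also listed — `whitelist ~/.config/zoomus.conf`. The profile also lacks `shell none`, `private-dev`, `nogroups` and `tracelog`, which the surrounding profiles in this series set; if zoom needs device access, a comment saying so would stop the next cleanup pass from adding `private-dev`. The doubled blank lines before `# Whitelists` and `caps.drop all` are a style nit.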
@@ -88,6 +90,8 @@ valoq (https://github.com/valoq) - added support for /srv in --whitelist feature - Eye of GNOME, Evolution, display (imagemagik) and Wire profiles - blacklist suid binaries in disable-common.inc + - fix man pages + - various profile improvements Vadim A. Misbakh-Soloviov (https://github.com/msva) - profile fixes Rafael Cavalcanti (https://github.com/rccavalcanti) diff --git a/README.md b/README.md index c6484d3b7..931b27ef3 100644 --- a/README.md +++ b/README.md @@ -52,5 +52,5 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is ````` ## New Profiles -xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble +xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom diff --git a/etc/evince.profile b/etc/evince.profile index 9a9113c70..cbb2083f4 100644 --- a/etc/evince.profile +++ b/etc/evince.profile @@ -6,7 +6,7 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter -net none +#net none - creates some problems on some distributions nogroups nonewprivs noroot diff --git a/etc/firefox.profile b/etc/firefox.profile index 7875ca6b9..3fb56fd0e 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile @@ -47,8 +47,7 @@ whitelist ~/.config/pipelight-silverlight5.1 include /etc/firejail/whitelist-common.inc # experimental features - -private-bin firefox,which,sh,dbus-launch,dbus-send,env +#private-bin firefox,which,sh,dbus-launch,dbus-send,env private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse private-dev private-tmp diff --git a/etc/mupdf.profile b/etc/mupdf.profile index 65e6a8978..e022866e8 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile 
@@ -16,7 +16,7 @@ net none shell none tracelog -seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev +#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev private-bin mupdf private-tmp diff --git a/platform/debian/conffiles b/platform/debian/conffiles index df660ab4f..ae8db5a67 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -171,3 +171,4 @@ /etc/firejail/display.profile /etc/firejail/Wire.profile /etc/firejail/mumble.profile +/etc/firejail/zoom.profile -- cgit v1.2.3-70-g09d2 From 646d046c4c42004f007ad1bce1a94e1633e7c57f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 6 Nov 2016 08:13:44 -0500 Subject: cleanup --- etc/firefox.profile | 2 +- src/firejail/sbox.c | 15 +++++++++++++++ src/fnet/Makefile.in | 4 ++-- src/fseccomp/Makefile.in | 4 ++-- 4 files changed, 20 insertions(+), 5 deletions(-) (limited to 'etc') diff --git a/etc/firefox.profile b/etc/firefox.profile index 3fb56fd0e..7862bd010 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile 
@@ -48,6 +48,6 @@ include /etc/firejail/whitelist-common.inc
 
 # experimental features
 #private-bin firefox,which,sh,dbus-launch,dbus-send,env
-private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
 private-dev
 private-tmp
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index 65ca5c443..b16736dee 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -136,6 +136,21 @@ int sbox_run(unsigned filter, int num, ...) {
 if (child < 0)
 errExit("fork");
 if (child == 0) {
+ // clean the new process
+ clearenv();
+ int max = 20; // getdtablesize() is overkill for a firejail process
+ for (i = 3; i < max; i++)
+ close(i); // close open files
+ int fd = open("/dev/null",O_RDWR, 0);
+ if (fd != -1) {
+ dup2 (fd, STDIN_FILENO);
+ if (fd > 2)
+ close (fd);
+ }
+ else // the user could run the sandbox without /dev/null
+ close(STDIN_FILENO);
+ umask(027);
+
 // apply filters
 if (filter & SBOX_CAPS_NONE) {
 caps_drop_all();
diff --git a/src/fnet/Makefile.in b/src/fnet/Makefile.in
index b515d2333..bba4406d4 100644
--- a/src/fnet/Makefile.in
+++ b/src/fnet/Makefile.in
@@ -33,8 +33,8 @@ LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/libnetlink.h
 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
 
-fnet: $(OBJS) ../lib/libnetlink.o ../lib/common.o
- $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS)
+fnet: $(OBJS) ../lib/libnetlink.o
+ $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o $(LIBS)
 
 clean:; rm -f *.o fnet
 
diff --git a/src/fseccomp/Makefile.in b/src/fseccomp/Makefile.in
index 110d2c95f..1878ad2f3 100644
--- a/src/fseccomp/Makefile.in
+++ b/src/fseccomp/Makefile.in
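Review bot: The descriptor sweep closes only fds 3..19 because `max` is hard-coded to 20, so any higher-numbered descriptor the launching process still holds is inherited by the helper after `clearenv()`; the comment dismisses getdtablesize(), but `long max = sysconf(_SC_OPEN_MAX); if (max < 0) max = 20;` costs the same and removes the guess. The `/dev/null` block redirects stdin only and leaves stdout/stderr as the caller had them, which is presumably deliberate so the helpers can report errors — a one-line comment saying so would prevent a later "fix". The loop reuses `i` declared outside the hunk, and sbox_run's body starts and ends outside it.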
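Review bot: The rewritten `fnet:` link line drops `$(EXTRA_LDFLAGS)` together with the unused `../lib/common.o`, which goes beyond the dependency cleanup; if EXTRA_LDFLAGS is the configure-time hook for caller-supplied hardening or distribution flags, these helpers (the fseccomp rule in the next hunk does the same) no longer receive them. If the removal is intentional, add `# EXTRA_LDFLAGS intentionally not applied to helper binaries` above the rule; otherwise keep it on the link line.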
@@ -33,8 +33,8 @@ LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ -fseccomp: $(OBJS) ../lib/libnetlink.o ../lib/common.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) +fseccomp: $(OBJS) + $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) clean:; rm -f *.o fseccomp -- cgit v1.2.3-70-g09d2 From 9cccd6594cdee4e7230b1e18af4ae9db54fd8432 Mon Sep 17 00:00:00 2001 From: valoq Date: Sun, 6 Nov 2016 19:50:29 +0100 Subject: adopted wire profile to recent changes --- etc/Wire.profile | 21 +-------------------- etc/wire.profile | 23 +++++++++++++++++++++++ 2 files changed, 24 insertions(+), 20 deletions(-) create mode 100644 etc/wire.profile (limited to 'etc') diff --git a/etc/Wire.profile b/etc/Wire.profile index b488d75e4..bd9645c7f 100644 --- a/etc/Wire.profile +++ b/etc/Wire.profile @@ -1,22 +1,3 @@ # wire messenger profile -noblacklist ~/.config/Wire - -include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc -include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-passwdmgr.inc - -caps.drop all -netfilter -nonewprivs -nogroups -noroot -protocol unix,inet,inet6,netlink -seccomp -shell none - -private-tmp -private-dev - -# please note: the wire binary is currently identified with a capital W. This might change in future versions +include /etc/firejail/wire.profile diff --git a/etc/wire.profile b/etc/wire.profile new file mode 100644 index 000000000..d3fd46b68 --- /dev/null +++ b/etc/wire.profile 
@@ -0,0 +1,23 @@ +# wire messenger profile + +noblacklist ~/.config/Wire + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +nogroups +noroot +protocol unix,inet,inet6,netlink +seccomp +shell none + +private-tmp +private-dev + +# Note: the current beta version of wire is located in /opt/Wire/wire and therefore not in PATH. +# To use wire with firejail run "firejail /opt/Wire/wire" -- cgit v1.2.3-70-g09d2 From 569c938cadbb7d9970794515f8b000f1d522fc03 Mon Sep 17 00:00:00 2001 From: valoq Date: Sun, 6 Nov 2016 20:52:17 +0100 Subject: minor fix --- etc/wire.profile | 1 + 1 file changed, 1 insertion(+) (limited to 'etc') diff --git a/etc/wire.profile b/etc/wire.profile index d3fd46b68..c84b4cc28 100644 --- a/etc/wire.profile +++ b/etc/wire.profile @@ -1,6 +1,7 @@ # wire messenger profile noblacklist ~/.config/Wire +noblacklist ~/.config/wire include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc -- cgit v1.2.3-70-g09d2 From 971218bd209081d7093fd0ed0f59a356239ebdd0 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sun, 6 Nov 2016 19:08:09 -0600 Subject: Blacklist ecryptfs files --- etc/disable-common.inc | 2 ++ 1 file changed, 2 insertions(+) (limited to 'etc') diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 38a8b86d6..e77f2d369 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -106,6 +106,8 @@ read-only ${HOME}/.xscreensaver read-only ${HOME}/bin # top secret +blacklist ${HOME}/.ecryptfs +blacklist ${HOME}/.Private blacklist ${HOME}/.ssh blacklist ${HOME}/.cert blacklist ${HOME}/.gnome2/keyrings -- cgit v1.2.3-70-g09d2 From de5b53608af7b120608ce89e63e46f5d689bc6d0 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Mon, 7 Nov 2016 08:25:02 -0500 Subject: profiles --- etc/disable-common.inc | 9 ++++++++- etc/virtualbox.profile | 1 + platform/debian/conffiles | 1 + 3 files changed, 10 insertions(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/disable-common.inc b/etc/disable-common.inc index e77f2d369..071d217bb 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -42,6 +42,7 @@ blacklist ${HOME}/.VeraCrypt # var blacklist /var/spool/cron blacklist /var/spool/anacron +blacklist /var/mail blacklist /var/run/acpid.socket blacklist /var/run/minissdpd.sock blacklist /var/run/rpcbind.sock @@ -52,7 +53,7 @@ blacklist /var/lib/mysql/mysql.sock blacklist /var/run/docker.sock # etc -blacklist /etc/cron.* +blacklist /etc/cron* blacklist /etc/profile.d blacklist /etc/rc.local blacklist /etc/anacrontab @@ -147,6 +148,8 @@ blacklist /usr/local/sbin blacklist ${PATH}/umount blacklist ${PATH}/mount blacklist ${PATH}/fusermount +blacklist ${PATH}/ntfs-3g +blacklist ${PATH}/at blacklist ${PATH}/su blacklist ${PATH}/sudo blacklist ${PATH}/xinput @@ -171,6 +174,10 @@ blacklist ${PATH}/chfn blacklist ${PATH}/chage blacklist ${PATH}/expiry blacklist ${PATH}/unix_chkpwd +blacklist ${PATH}/procmail + +# other SUID binaries +blacklist /usr/lib/virtualbox # prevent lxterminal connecting to an existing lxterminal session blacklist /tmp/.lxterminal-socket* diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile index 148b7efc8..49f8f8b24 100644 --- a/etc/virtualbox.profile +++ b/etc/virtualbox.profile @@ -3,6 +3,7 @@ noblacklist ${HOME}/.VirtualBox noblacklist ${HOME}/VirtualBox VMs noblacklist ${HOME}/.config/VirtualBox +noblacklist /usr/bin/virtualbox include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc diff --git a/platform/debian/conffiles b/platform/debian/conffiles index ae8db5a67..ff3909c17 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles 
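Review bot: The added `noblacklist /usr/bin/virtualbox` does not name the path the same commit blacklists in disable-common.inc, `blacklist /usr/lib/virtualbox` under `# other SUID binaries`, so the exemption only helps if the sandbox never needs anything under /usr/lib/virtualbox; on distributions where /usr/bin/virtualbox is a wrapper or symlink into that directory (not verifiable from this page) the real binaries stay blacklisted. If the profile is meant to undo the new rule it has to say `noblacklist /usr/lib/virtualbox`, and because that directory is being singled out as setuid, a comment explaining why re-exposing it inside the virtualbox sandbox is acceptable would help the next reader. The noblacklist lines sit before the includes, as they must, but the rest of virtualbox.profile is outside the hunk.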
@@ -170,5 +170,6 @@ /etc/firejail/xiphos.profile /etc/firejail/display.profile /etc/firejail/Wire.profile +/etc/firejail/wire.profile /etc/firejail/mumble.profile /etc/firejail/zoom.profile -- cgit v1.2.3-70-g09d2 From b5c5d48e88bf24544ad65336df6cf713c65384ba Mon Sep 17 00:00:00 2001 From: vis Date: Mon, 7 Nov 2016 18:27:23 +0100 Subject: completed ecryptfs blacklist --- etc/disable-common.inc | 1 + 1 file changed, 1 insertion(+) (limited to 'etc') diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 071d217bb..0dad8b385 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -138,6 +138,7 @@ blacklist /etc/shadow+ blacklist /etc/gshadow+ blacklist /etc/ssh blacklist /var/backup +blacklist /home/.ecryptfs # system directories blacklist /sbin -- cgit v1.2.3-70-g09d2 From a3ff32d628b3409ae30f189c2401b66859763cf8 Mon Sep 17 00:00:00 2001 From: Pig Monkey Date: Mon, 7 Nov 2016 17:27:25 -0800 Subject: do not blacklist msmtprc in mutt I need to be able to send mail too! --- etc/mutt.profile | 1 + 1 file changed, 1 insertion(+) (limited to 'etc') diff --git a/etc/mutt.profile b/etc/mutt.profile index b532ded67..54cf828b1 100644 --- a/etc/mutt.profile +++ b/etc/mutt.profile @@ -21,6 +21,7 @@ noblacklist ~/.emacs noblacklist ~/.emacs.d noblacklist ~/.signature noblacklist ~/.bogofilter +noblacklist ~/.msmtprc include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc -- cgit v1.2.3-70-g09d2 From 1609377f8fd912b8534d302b1fbe33390b79f77b Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 9 Nov 2016 10:03:59 -0500 Subject: whitelist kde icons --- README | 1 + etc/whitelist-common.inc | 5 ++++- 2 files changed, 5 insertions(+), 1 deletion(-) (limited to 'etc') diff --git a/README b/README index 7599f4cf1..2051f2901 100644 --- a/README +++ b/README 
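Review bot: `~/.msmtprc` commonly stores SMTP account credentials in clear text, and exempting it from the blacklist makes it not only readable (which sending mail needs) but writable from inside the sandbox. Adding `read-only ~/.msmtprc` after the noblacklist line, the same directive disable-common.inc already applies to `${HOME}/bin`, keeps msmtp working while preventing a compromised mutt from altering the account settings. Whether the file is visible at all also depends on any whitelist lines in the part of mutt.profile outside this hunk.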
@@ -136,6 +136,7 @@ Peter Hogg (https://github.com/pigmonkey) - WeeChat profile - rtorrent profile - bitlbee profile fixes + - mutt profile fixes Thomas Jarosch (https://github.com/thomasjfox) - disable keepassx in disable-passwdmgr.inc - added uudeview profile diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc index e533fe596..d4e69948e 100644 --- a/etc/whitelist-common.inc +++ b/etc/whitelist-common.inc @@ -31,5 +31,8 @@ whitelist ~/.kde/share/config/gtkrc-2.0 mkdir ~/.config/dconf whitelist ~/.config/dconf -# qt +# qt/kde whitelist ~/.config/kdeglobals +whitelist ~/.kde/share/config/oxygenrc +whitelist ~/.kde/share/config/kdeglobals +whitelist ~/.kde/share/icons -- cgit v1.2.3-70-g09d2 From 18eecb825caf94d2d1b69146821591027c67263d Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 9 Nov 2016 10:11:50 -0500 Subject: bugfix: crashing vlc when pressing Ctrl-O --- etc/vlc.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/vlc.profile b/etc/vlc.profile index 446e47864..2fd763f25 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile @@ -11,7 +11,7 @@ netfilter nogroups nonewprivs noroot -protocol unix,inet,inet6 +protocol unix,inet,inet6,netlink seccomp shell none -- cgit v1.2.3-70-g09d2 From bce524f98f380ab7f47a75ebebf651bd8f1df515 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 12 Nov 2016 08:13:25 -0500 Subject: support pdf viewers in firefox profile --- etc/firefox.profile | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'etc') diff --git a/etc/firefox.profile b/etc/firefox.profile index 7862bd010..6bb581f4f 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile @@ -2,6 +2,9 @@ noblacklist ~/.mozilla noblacklist ~/.cache/mozilla +noblacklist ~/.config/qpdfview +noblacklist ~/.local/share/qpdfview +noblacklist ~/.kde/share/apps/okular include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc 
@@ -29,6 +32,9 @@ whitelist ~/.keysnail.js whitelist ~/.config/gnome-mplayer whitelist ~/.cache/gnome-mplayer/plugin whitelist ~/.pki +whitelist ~/.config/qpdfview +whitelist ~/.local/share/qpdfview +whitelist ~/.kde/share/apps/okular # lastpass, keepassx whitelist ~/.keepassx -- cgit v1.2.3-70-g09d2 From f2b984eadf02909fe80c9a345c384dcc3cf2bb31 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 12 Nov 2016 08:16:04 -0500 Subject: deluge profile fix --- etc/deluge.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/deluge.profile b/etc/deluge.profile index b82bd4936..c6ddec3ec 100644 --- a/etc/deluge.profile +++ b/etc/deluge.profile @@ -14,7 +14,7 @@ protocol unix,inet,inet6 seccomp shell none -private-bin deluge,sh,python,uname +#private-bin deluge,sh,python,uname private-dev private-tmp -- cgit v1.2.3-70-g09d2 From a27f943aa7098d95c3b810278bfd607b7165d9e1 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 14 Nov 2016 08:18:39 -0500 Subject: fix thunderbird profile --- etc/icedove.profile | 3 +++ etc/thunderbird.profile | 3 +++ 2 files changed, 6 insertions(+) (limited to 'etc') diff --git a/etc/icedove.profile b/etc/icedove.profile index 23254751b..310684bdb 100644 --- a/etc/icedove.profile +++ b/etc/icedove.profile @@ -14,5 +14,8 @@ noblacklist ~/.cache/icedove mkdir ~/.cache/icedove whitelist ~/.cache/icedove +# allow browsers +ignore private-tmp include /etc/firejail/firefox.profile +#include /etc/firejail/chromium.profile - chromium runs as suid! diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile index 5db50da4d..54d9a3d4d 100644 --- a/etc/thunderbird.profile +++ b/etc/thunderbird.profile @@ -14,5 +14,8 @@ noblacklist ~/.cache/thunderbird mkdir ~/.cache/thunderbird whitelist ~/.cache/thunderbird +# allow browsers +ignore private-tmp include /etc/firejail/firefox.profile +include /etc/firejail/chromium.profile -- cgit v1.2.3-70-g09d2 
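Review bot: `include /etc/firejail/firefox.profile` imports the browser's whole whitelist into the mail client's sandbox, and the firefox.profile hunk higher on this page shows that list contains password-manager data (`# lastpass, keepassx` followed by `whitelist ~/.keepassx`, cut off there), so icedove and thunderbird now get the same access to those databases as the browser; the icedove hunk has the same include. Listing only the browser directories the mail client actually needs, instead of pulling in the full profile, keeps the password stores out of the mail sandbox. The enclosing profiles continue outside the hunk, so whether their own whitelist lines already narrow this cannot be checked here.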
From 547df291ba581825ac46b842aa5b05456d71c3d3 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 14 Nov 2016 08:19:16 -0500 Subject: fix thunderbird profile --- etc/thunderbird.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile index 54d9a3d4d..568343ba6 100644 --- a/etc/thunderbird.profile +++ b/etc/thunderbird.profile @@ -17,5 +17,5 @@ whitelist ~/.cache/thunderbird # allow browsers ignore private-tmp include /etc/firejail/firefox.profile -include /etc/firejail/chromium.profile +#include /etc/firejail/chromium.profile - chromium runs as suid! -- cgit v1.2.3-70-g09d2 From 2509b0f8d740b9384d30aa95d3eaf64fbe27bf27 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 15 Nov 2016 10:01:54 -0500 Subject: added Guayadeque profile --- README | 13 +++++++------ README.md | 2 +- RELNOTES | 3 ++- etc/disable-programs.inc | 1 + etc/guayadeque.profile | 19 +++++++++++++++++++ platform/debian/conffiles | 1 + 6 files changed, 31 insertions(+), 8 deletions(-) create mode 100644 etc/guayadeque.profile (limited to 'etc') diff --git a/README b/README index 69e5e6337..e21e96bc7 100644 --- a/README +++ b/README @@ -80,6 +80,13 @@ Fred-Barclay (https://github.com/Fred-Barclay) - evince profile enhancement - tightened Spotify profile - added xiphos and Tor Browser Bundle profiles +curiosity-seeker (https://github.com/curiosity-seeker) + - tightening unbound and dnscrypt-proxy profiles + - dnsmasq profile + - okular and gwenview profiles + - cherrytree profile fixes + - added quiterss profile + - added guayadeque profile Simon Peter (https://github.com/probonopd) - set $APPIMAGE and $APPDIR environment variables - AppImage version detection 
@@ -194,12 +201,6 @@ Vasya Novikov (https://github.com/vn971) - manpage fixes - fixed firecfg clean/clear issue - found the ugliest bug so far -curiosity-seeker (https://github.com/curiosity-seeker) - - tightening unbound and dnscrypt-proxy profiles - - dnsmasq profile - - okular and gwenview profiles - - cherrytree profile fixes - - added quiterss profile Matthew Gyurgyik (https://github.com/pyther) - rpm spec and several fixes Joan Figueras (https://github.com/figue) diff --git a/README.md b/README.md index 931b27ef3..ad90639e2 100644 --- a/README.md +++ b/README.md @@ -52,5 +52,5 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is ````` ## New Profiles -xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom +xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom,Guayadeque diff --git a/RELNOTES b/RELNOTES index 922296fd7..e726674ec 100644 --- a/RELNOTES +++ b/RELNOTES @@ -6,7 +6,8 @@ firejail (0.9.45) baseline; urgency=low * security: split most of networking code in a separate executable * security: split seccomp filter code configuration in a separate executable * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm) - * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire + * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, + * new profiles: mumble, zoom, Guayadeque * bugfixes -- netblue30 Sun, 23 Oct 2016 08:00:00 -0500 diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 0d9bd1bb4..f4e66dc66 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -53,6 +53,7 @@ blacklist ${HOME}/.config/mpv blacklist ${HOME}/.config/totem blacklist ${HOME}/.config/xplayer blacklist ${HOME}/.audacity-data +blacklist ${HOME}/.guayadeque # HTTP / FTP / Mail blacklist ${HOME}/.icedove diff --git a/etc/guayadeque.profile b/etc/guayadeque.profile new file mode 100644 index 000000000..0c6ad00be --- /dev/null +++ b/etc/guayadeque.profile 
@@ -0,0 +1,19 @@ +noblacklist ${HOME}/.guayadeque + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-devel.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +protocol unix,inet,inet6,netlink +seccomp +shell none + +private-bin guayadeque +private-dev +private-tmp diff --git a/platform/debian/conffiles b/platform/debian/conffiles index ff3909c17..321a96f80 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -173,3 +173,4 @@ /etc/firejail/wire.profile /etc/firejail/mumble.profile /etc/firejail/zoom.profile +/etc/firejail/guayadeque.profile -- cgit v1.2.3-70-g09d2 From 4d2059df3b50b8eb8897ef66f702f55f0d54eabc Mon Sep 17 00:00:00 2001 From: valoq Date: Fri, 18 Nov 2016 21:23:04 +0100 Subject: various fixes --- etc/empathy.profile | 2 ++ etc/keepass2.profile | 6 ++++++ etc/kmail.profile | 2 +- etc/mupdf.profile | 2 +- etc/qemu-launcher.profile | 20 ++++++++++++++++++++ etc/qemu-system-x86_64.profile | 18 ++++++++++++++++++ platform/debian/conffiles | 3 +++ src/firecfg/firecfg.config | 3 +++ 8 files changed, 54 insertions(+), 2 deletions(-) create mode 100644 etc/keepass2.profile create mode 100644 etc/qemu-launcher.profile create mode 100644 etc/qemu-system-x86_64.profile (limited to 'etc') diff --git a/etc/empathy.profile b/etc/empathy.profile index 371100814..2a0a6389c 100644 --- a/etc/empathy.profile +++ b/etc/empathy.profile @@ -6,5 +6,7 @@ include /etc/firejail/disable-devel.inc caps.drop all netfilter nonewprivs +nogroups +noroot protocol unix,inet,inet6 seccomp diff --git a/etc/keepass2.profile b/etc/keepass2.profile new file mode 100644 index 000000000..fd390f7ed --- /dev/null +++ b/etc/keepass2.profile @@ -0,0 +1,6 @@ +# keepass password manager profile + +#noblacklist ${HOME}/.config/KeePass +#noblacklist ${HOME}/.keepass + +include /etc/firejail/keepass.profile 
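Review bot: The two `#noblacklist` lines in keepass2.profile are dead text: the whole profile is `include /etc/firejail/keepass.profile`, so it is the included profile (not on this page) that decides whether `${HOME}/.config/KeePass` and `${HOME}/.keepass` are reachable, and if it does not exempt them KeePass 2 starts with its own configuration blacklisted. Either delete the commented lines or make them active with a comment saying why keepass2 needs directories keepass does not.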
diff --git a/etc/kmail.profile b/etc/kmail.profile index bc21ba604..410ff36c6 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile @@ -16,4 +16,4 @@ seccomp tracelog private-dev -private-tmp +# private-tmp diff --git a/etc/mupdf.profile b/etc/mupdf.profile index e022866e8..dc23d5840 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile @@ -16,7 +16,7 @@ net none shell none tracelog -#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev +#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev private-bin mupdf private-tmp diff --git a/etc/qemu-launcher.profile b/etc/qemu-launcher.profile new file mode 100644 index 000000000..9fa8a91d4 --- /dev/null +++ b/etc/qemu-launcher.profile @@ -0,0 +1,20 @@ +# qemu-launcher profile + +noblacklist ~/.qemu-launcher + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +private-tmp + diff --git a/etc/qemu-system-x86_64.profile b/etc/qemu-system-x86_64.profile new file mode 100644 index 000000000..3d4587fb1 --- /dev/null +++ b/etc/qemu-system-x86_64.profile 
@@ -0,0 +1,18 @@ +# qemu profile + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +private-tmp + diff --git a/platform/debian/conffiles b/platform/debian/conffiles index c6187628c..6377c7426 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -79,6 +79,7 @@ /etc/firejail/inox.profile /etc/firejail/jitsi.profile /etc/firejail/keepass.profile +/etc/firejail/keepass2.profile /etc/firejail/keepassx.profile /etc/firejail/kmail.profile /etc/firejail/konversation.profile @@ -117,6 +118,8 @@ /etc/firejail/polari.profile /etc/firejail/psi-plus.profile /etc/firejail/qbittorrent.profile +/etc/firejail/qemu-launcher.profile +/etc/firejail/qemu-system-x86_64.profile /etc/firejail/qpdfview.profile /etc/firejail/qtox.profile /etc/firejail/quassel.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index f18bf8c86..d10d59657 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -82,6 +82,8 @@ mupen64plus wine dosbox virtualbox +qemu-launcher +qemu-system-x86_64 # games 0ad @@ -154,6 +156,7 @@ atom-beta atom ranger keepass +keepass2 keepassx xiphos -- cgit v1.2.3-70-g09d2 From fe8ed9b3abb32ec8b6dff8a0ae36038504ebc0e8 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 19 Nov 2016 11:12:38 -0500 Subject: fix vivaldi profile, more testing --- etc/vivaldi.profile | 1 - test/fcopy/dircopy.exp | 30 +++++++++++++++++++++++++----- test/fcopy/fcopy.sh | 2 +- 3 files changed, 26 insertions(+), 7 deletions(-) (limited to 'etc') diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile index 3c608dccb..08b046847 100644 --- a/etc/vivaldi.profile +++ b/etc/vivaldi.profile 
@@ -6,7 +6,6 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc netfilter -nonewprivs whitelist ${DOWNLOADS} mkdir ~/.config/vivaldi diff --git a/test/fcopy/dircopy.exp b/test/fcopy/dircopy.exp index b87f24a59..00b0204ae 100755 --- a/test/fcopy/dircopy.exp +++ b/test/fcopy/dircopy.exp @@ -55,28 +55,48 @@ after 100 send -- "ls -al dest\r" expect { timeout {puts "TESTING ERROR 8\n";exit} - "drwx--x--x" + "drwxr-xr-x" } expect { timeout {puts "TESTING ERROR 9\n";exit} - "rwxrwxrwx" + "a" } expect { timeout {puts "TESTING ERROR 10\n";exit} + "lrwxrwxrwx" +} +expect { + timeout {puts "TESTING ERROR 11\n";exit} + "dircopy.exp" +} +expect { + timeout {puts "TESTING ERROR 12\n";exit} + "rwxr-xr-x" +} +expect { + timeout {puts "TESTING ERROR 13\n";exit} + "file1" +} +expect { + timeout {puts "TESTING ERROR 14\n";exit} "rw-r--r--" } +expect { + timeout {puts "TESTING ERROR 15\n";exit} + "file2" +} after 100 send -- "diff -q src/a/b/file4 dest/a/b/file4; echo done\r" expect { - timeout {puts "TESTING ERROR 11\n";exit} - "differ" {puts "TESTING ERROR 12\n";exit} + timeout {puts "TESTING ERROR 16\n";exit} + "differ" {puts "TESTING ERROR 17\n";exit} "done" } send -- "file dest/dircopy.exp\r" expect { - timeout {puts "TESTING ERROR 13\n";exit} + timeout {puts "TESTING ERROR 18\n";exit} "symbolic link" } diff --git a/test/fcopy/fcopy.sh b/test/fcopy/fcopy.sh index 9961d6317..dcda5ca31 100755 --- a/test/fcopy/fcopy.sh +++ b/test/fcopy/fcopy.sh @@ -6,7 +6,7 @@ export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) -rm -fr dest/* +mkdir dest echo "TESTING: fcopy cmdline (test/fcopy/cmdline.exp)" ./cmdline.exp -- cgit v1.2.3-70-g09d2 From fa10ab0e093a4224b16491273b0162b0e0a77a3a Mon Sep 17 00:00:00 2001 
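Review bot: The new expect pattern `"a"` for TESTING ERROR 9 matches any output that contains the letter a, so it can never fail on real `ls -al dest` output and verifies nothing about the copied `a` directory; every neighbouring pattern pins either a full permission string or a full file name. Anchoring the name as a whole token, e.g. `-re {\sa\r}` in place of `"a"`, makes the check fail when the entry is missing. The added failure branches print an error but call `exit` without a status, as the pre-existing ones do, so a failing check still reports success to the caller in fcopy.sh.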
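Review bot: Replacing `rm -fr dest/*` with `mkdir dest` stops dest from being emptied between runs, so a second run prints a mkdir error (or aborts, if the part of the script outside this hunk enables errexit) and lets files left by an earlier run satisfy the dircopy.exp checks. `mkdir -p dest` followed by the original `rm -fr dest/*` gives both the first-run creation and the per-run cleanup.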
From: valoq Date: Sat, 19 Nov 2016 21:57:42 +0100 Subject: many new profiles --- README.md | 4 +++ etc/amarok.profile | 19 ++++++++++++++ etc/ark.profile | 23 +++++++++++++++++ etc/atool.profile | 24 +++++++++++++++++ etc/bleachbit.profile | 21 +++++++++++++++ etc/brasero.profile | 23 +++++++++++++++++ etc/dolphin.profile | 23 +++++++++++++++++ etc/dragon.profile | 22 ++++++++++++++++ etc/elinks.profile | 24 +++++++++++++++++ etc/enchant.profile | 23 +++++++++++++++++ etc/exiftool.profile | 28 ++++++++++++++++++++ etc/file-roller.profile | 21 +++++++++++++++ etc/gedit.profile | 26 +++++++++++++++++++ etc/gjs.profile | 28 ++++++++++++++++++++ etc/gnome-books.profile | 26 +++++++++++++++++++ etc/gnome-clocks.profile | 22 ++++++++++++++++ etc/gnome-documents.profile | 24 +++++++++++++++++ etc/gnome-maps.profile | 24 +++++++++++++++++ etc/gnome-music.profile | 22 ++++++++++++++++ etc/gnome-photos.profile | 26 +++++++++++++++++++ etc/gnome-weather.profile | 26 +++++++++++++++++++ etc/goobox.profile | 20 +++++++++++++++ etc/gpa.profile | 23 +++++++++++++++++ etc/gpg-agent.profile | 24 +++++++++++++++++ etc/gpg.profile | 24 +++++++++++++++++ etc/highlight.profile | 24 +++++++++++++++++ etc/img2txt.profile | 24 +++++++++++++++++ etc/k3b.profile | 21 +++++++++++++++ etc/kate.profile | 28 ++++++++++++++++++++ etc/lynx.profile | 22 ++++++++++++++++ etc/mediainfo.profile | 26 +++++++++++++++++++ etc/nautilus.profile | 26 +++++++++++++++++++ etc/odt2txt.profile | 24 +++++++++++++++++ etc/okular.profile | 16 ++++++------ etc/pdftotext.profile | 22 ++++++++++++++++ etc/simple-scan.profile | 23 +++++++++++++++++ etc/skanlite.profile | 21 +++++++++++++++ etc/ssh-agent.profile | 15 +++++++++++ etc/tracker.profile | 24 +++++++++++++++++ etc/transmission-cli.profile | 24 +++++++++++++++++ etc/transmission-show.profile | 24 +++++++++++++++++ etc/w3m.profile | 23 +++++++++++++++++ etc/xfburn.profile | 23 +++++++++++++++++ etc/xpra.profile | 21 +++++++++++++++ platform/debian/conffiles | 
42 ++++++++++++++++++++++++++++++ src/firecfg/firecfg.config | 60 +++++++++++++++++++++++++++++++++++++++++-- 46 files changed, 1093 insertions(+), 10 deletions(-) create mode 100644 etc/amarok.profile create mode 100644 etc/ark.profile create mode 100644 etc/atool.profile create mode 100644 etc/bleachbit.profile create mode 100644 etc/brasero.profile create mode 100644 etc/dolphin.profile create mode 100644 etc/dragon.profile create mode 100644 etc/elinks.profile create mode 100644 etc/enchant.profile create mode 100644 etc/exiftool.profile create mode 100644 etc/file-roller.profile create mode 100644 etc/gedit.profile create mode 100644 etc/gjs.profile create mode 100644 etc/gnome-books.profile create mode 100644 etc/gnome-clocks.profile create mode 100644 etc/gnome-documents.profile create mode 100644 etc/gnome-maps.profile create mode 100644 etc/gnome-music.profile create mode 100644 etc/gnome-photos.profile create mode 100644 etc/gnome-weather.profile create mode 100644 etc/goobox.profile create mode 100644 etc/gpa.profile create mode 100644 etc/gpg-agent.profile create mode 100644 etc/gpg.profile create mode 100644 etc/highlight.profile create mode 100644 etc/img2txt.profile create mode 100644 etc/k3b.profile create mode 100644 etc/kate.profile create mode 100644 etc/lynx.profile create mode 100644 etc/mediainfo.profile create mode 100644 etc/nautilus.profile create mode 100644 etc/odt2txt.profile create mode 100644 etc/pdftotext.profile create mode 100644 etc/simple-scan.profile create mode 100644 etc/skanlite.profile create mode 100644 etc/ssh-agent.profile create mode 100644 etc/tracker.profile create mode 100644 etc/transmission-cli.profile create mode 100644 etc/transmission-show.profile create mode 100644 etc/w3m.profile create mode 100644 etc/xfburn.profile create mode 100644 etc/xpra.profile (limited to 'etc') diff --git a/README.md b/README.md index ad90639e2..87a5b3f63 100644 --- a/README.md +++ b/README.md 
@@ -53,4 +53,8 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is ````` ## New Profiles xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom,Guayadeque +amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, exiftool, file-roller, gedit +gnome-books, gnome-clocks, gnome-documents, gnome-maps, gnome-music, gnome-photos, gnome-weather +goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext +simple-scan, skanlite, ssh-agent, transmission-cli, transmission-show, w3m, xfburn, xpra diff --git a/etc/amarok.profile b/etc/amarok.profile new file mode 100644 index 000000000..962865790 --- /dev/null +++ b/etc/amarok.profile @@ -0,0 +1,19 @@ +# amorak profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +shell none +#seccomp +protocol unix,inet,inet6 + +#private-bin amorak +private-dev +private-tmp +#private-etc none diff --git a/etc/ark.profile b/etc/ark.profile new file mode 100644 index 000000000..61b4c6f60 --- /dev/null +++ b/etc/ark.profile @@ -0,0 +1,23 @@ +# ark profile +noblacklist ~/.config/arkrc + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +nosound +shell none +seccomp +protocol unix + +# private-bin +private-dev +private-tmp +# private-etc + diff --git a/etc/atool.profile b/etc/atool.profile new file mode 100644 index 000000000..3fbfb9fc7 --- /dev/null +++ b/etc/atool.profile 
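Review bot: The header comment `# amorak profile` and the disabled `#private-bin amorak` both misspell the program, while the file is amarok.profile; if the private-bin line is later enabled as written it names a binary that does not exist and the sandbox would fail to start the player. `# amarok profile` and `#private-bin amarok` fix both. `#seccomp` is also switched off here, which leaves this player without a syscall filter unlike the other new profiles visible on this page, so a reason next to it would be useful.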
@@ -0,0 +1,24 @@ +# atool profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +# include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +net none +shell none +tracelog + +# private-bin atool +private-tmp +private-dev +private-etc none + + diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile new file mode 100644 index 000000000..0a71db9f0 --- /dev/null +++ b/etc/bleachbit.profile @@ -0,0 +1,21 @@ +# bleachbit profile +include /etc/firejail/disable-common.inc +# include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +nosound +shell none +seccomp +protocol unix + +# private-bin +# private-dev +# private-tmp +# private-etc + diff --git a/etc/brasero.profile b/etc/brasero.profile new file mode 100644 index 000000000..66de6fa50 --- /dev/null +++ b/etc/brasero.profile @@ -0,0 +1,23 @@ +# brasero profile +noblacklist ~/.config/brasero + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +shell none +tracelog + +# private-bin brasero +# private-tmp +# private-dev +# private-etc fonts diff --git a/etc/dolphin.profile b/etc/dolphin.profile new file mode 100644 index 000000000..1a6abb71d --- /dev/null +++ b/etc/dolphin.profile 
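Review bot: `netfilter` and `net none` are both set in atool.profile; `net none` gives the sandbox a network namespace with no interfaces to filter, so as far as the directive semantics can be inferred here the `netfilter` line is a no-op that obscures which network posture is intended, and the exiftool hunk further down has the same pair. Dropping `netfilter` where `net none` is present makes the intent unambiguous. `private-etc none` is also not a form I can confirm from this page; if the parser treats `none` as a file name under /etc the line either errors or copies nothing, so it is worth checking against the option's documented syntax.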
@@ -0,0 +1,23 @@ +# dolphin profile +noblacklist ~/.config/dolphinrc +noblacklist ~/.local/share/dolphin + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +shell none +seccomp +protocol unix + +# private-bin +# private-dev +# private-tmp +# private-etc + diff --git a/etc/dragon.profile b/etc/dragon.profile new file mode 100644 index 000000000..09cb73802 --- /dev/null +++ b/etc/dragon.profile @@ -0,0 +1,22 @@ +# dragon player profile +noblacklist ~/.config/dragonplayerrc + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +shell none +seccomp +protocol unix,inet,inet6 + +private-bin dragon +private-dev +private-tmp +# private-etc + diff --git a/etc/elinks.profile b/etc/elinks.profile new file mode 100644 index 000000000..df817ea56 --- /dev/null +++ b/etc/elinks.profile @@ -0,0 +1,24 @@ +# elinks profile +noblacklist ~/.elinks + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix,inet,inet6 +seccomp +netfilter +shell none +tracelog + +# private-bin elinks +private-tmp +private-dev +# private-etc none + diff --git a/etc/enchant.profile b/etc/enchant.profile new file mode 100644 index 000000000..cf8288919 --- /dev/null +++ b/etc/enchant.profile 
@@ -0,0 +1,23 @@ +# enchant profile +noblacklist ~/.config/enchant + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +shell none +tracelog + +# private-bin enchant +# private-tmp +# private-dev +# private-etc fonts diff --git a/etc/exiftool.profile b/etc/exiftool.profile new file mode 100644 index 000000000..384695473 --- /dev/null +++ b/etc/exiftool.profile @@ -0,0 +1,28 @@ +# exiftool profile +noblacklist /usr/bin/perl +noblacklist /usr/share/perl* +noblacklist /usr/lib/perl* + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +net none +shell none +tracelog + +# private-bin exiftool,perl +private-tmp +private-dev +private-etc none + + diff --git a/etc/file-roller.profile b/etc/file-roller.profile new file mode 100644 index 000000000..6116389db --- /dev/null +++ b/etc/file-roller.profile @@ -0,0 +1,21 @@ +# file-roller profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +shell none +tracelog + +# private-bin file-roller +# private-tmp +private-dev +# private-etc fonts diff --git a/etc/gedit.profile b/etc/gedit.profile new file mode 100644 index 000000000..a25286bfa --- /dev/null +++ b/etc/gedit.profile 
@@ -0,0 +1,26 @@ +# gedit profile + +# when gedit is started via gnome-shell, firejail is not applied because systemd will start it + +noblacklist ~/.config/gedit + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +#include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +shell none +tracelog + +# private-bin gedit +private-tmp +private-dev +# private-etc fonts diff --git a/etc/gjs.profile b/etc/gjs.profile new file mode 100644 index 000000000..8d71728a2 --- /dev/null +++ b/etc/gjs.profile @@ -0,0 +1,28 @@ +# gjs (gnome javascript bindings) profile + +# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them + +noblacklist ~/.cache/org.gnome.Books +noblacklist ~/.config/libreoffice +noblacklist ~/.local/share/gnome-photos +noblacklist ~/.cache/libgweather + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp +netfilter +shell none +tracelog + +# private-bin gjs,gnome-books,gnome-documents,gnome-photos,gnome-maps,gnome-weather +private-tmp +private-dev +# private-etc fonts diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile new file mode 100644 index 000000000..10b06e173 --- /dev/null +++ b/etc/gnome-books.profile 
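Review bot: gjs.profile exempts the union of several unrelated applications' data (`~/.cache/org.gnome.Books`, `~/.config/libreoffice`, `~/.local/share/gnome-photos`, `~/.cache/libgweather`), so any program run under this generic interpreter profile can read and write all of them, e.g. a weather client reaching the photo library. The per-application profiles added in the same commit (gnome-books, gnome-documents, gnome-photos, gnome-weather) already scope those directories individually, so a comment such as `# coarse fallback for gjs apps without their own profile; prefer the per-app profile` would document why this profile is wider than each of them. The `~/.config/libreoffice` entry reappears only in the gnome-documents hunk below, which suggests it is there for gnome-documents rather than for gjs itself.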
@@ -0,0 +1,26 @@
+# gnome-books profile
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+noblacklist ~/.cache/org.gnome.Books
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gjs gnome-books
+private-tmp
+private-dev
+private-etc fonts
diff --git a/etc/gnome-clocks.profile b/etc/gnome-clocks.profile
new file mode 100644
index 000000000..30adadda1
--- /dev/null
+++ b/etc/gnome-clocks.profile
@@ -0,0 +1,22 @@
+# gnome-clocks profile
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gnome-clocks
+private-tmp
+private-dev
+# private-etc fonts
diff --git a/etc/gnome-documents.profile b/etc/gnome-documents.profile
new file mode 100644
index 000000000..c5def7aff
--- /dev/null
+++ b/etc/gnome-documents.profile
@@ -0,0 +1,24 @@
+# gnome-documents profile
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+noblacklist ~/.config/libreoffice
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+private-tmp
+private-dev
diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile
new file mode 100644
index 000000000..f1451506e
--- /dev/null
+++ b/etc/gnome-maps.profile
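Review bot: `private-etc fonts` is active in the gnome-books profile but commented out as `# private-etc fonts` in the sibling gjs-based profiles of this commit (gnome-maps, gnome-photos, gnome-weather); with private-etc the sandbox /etc holds only the listed entries, so anything else the app reads from /etc is gone. If this was tested and works, a comment saying so would stop the next maintainer from "fixing" the inconsistency; otherwise it should stay commented like its siblings until verified. I cannot tell from the profile which /etc files gnome-books actually needs.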
@@ -0,0 +1,24 @@
+# gnome-maps profile
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gjs gnome-maps
+private-tmp
+private-dev
+# private-etc fonts
diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile
new file mode 100644
index 000000000..4a8adeb22
--- /dev/null
+++ b/etc/gnome-music.profile
@@ -0,0 +1,22 @@
+# gnome-music profile
+noblacklist ~/.local/share/gnome-music
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gnome-music,python3
+private-tmp
+private-dev
+# private-etc fonts
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile
new file mode 100644
index 000000000..8f9d60cb5
--- /dev/null
+++ b/etc/gnome-photos.profile
@@ -0,0 +1,26 @@
+# gnome-photos profile
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+noblacklist ~/.local/share/gnome-photos
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gjs gnome-photos
+private-tmp
+private-dev
+# private-etc fonts
diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile
new file mode 100644
index 000000000..9f93b8f15
--- /dev/null
+++ b/etc/gnome-weather.profile
@@ -0,0 +1,26 @@
+# gnome-weather profile
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+noblacklist ~/.cache/libgweather
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gjs gnome-weather
+private-tmp
+private-dev
+# private-etc fonts
diff --git a/etc/goobox.profile b/etc/goobox.profile
new file mode 100644
index 000000000..8990943fc
--- /dev/null
+++ b/etc/goobox.profile
@@ -0,0 +1,20 @@
+# goobox profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin goobox
+# private-tmp
+# private-dev
+# private-etc fonts
diff --git a/etc/gpa.profile b/etc/gpa.profile
new file mode 100644
index 000000000..7d7277190
--- /dev/null
+++ b/etc/gpa.profile
@@ -0,0 +1,23 @@
+# gpa profile
+noblacklist ~/.gnupg
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gpa,gpg
+private-tmp
+private-dev
+# private-etc none
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile
new file mode 100644
index 000000000..31ed8812e
--- /dev/null
+++ b/etc/gpg-agent.profile
@@ -0,0 +1,24 @@
+# gpg-agent profile
+
+noblacklist ~/.gnupg
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gpg-agent,gpg
+private-tmp
+private-dev
+# private-etc none
diff --git a/etc/gpg.profile b/etc/gpg.profile
new file mode 100644
index 000000000..31372eb90
--- /dev/null
+++ b/etc/gpg.profile
@@ -0,0 +1,24 @@
+# gpg profile
+noblacklist ~/.gnupg
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+# private-bin gpg,gpg-agent
+private-tmp
+private-dev
+# private-etc none
diff --git a/etc/highlight.profile b/etc/highlight.profile
new file mode 100644
index 000000000..f95f3924a
--- /dev/null
+++ b/etc/highlight.profile
@@ -0,0 +1,24 @@
+# highlight profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+private-bin highlight
+private-tmp
+private-dev
+
+
+
diff --git a/etc/img2txt.profile b/etc/img2txt.profile
new file mode 100644
index 000000000..d55a31cd0
--- /dev/null
+++ b/etc/img2txt.profile
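Review bot: `private-tmp` in the gpg-agent profile gives the agent a private /tmp, so if the agent creates its socket there (GnuPG 2.0 setups do unless the standard socket is used) clients outside the sandbox cannot reach it and every gpg call will fail or spawn a second, unsandboxed agent. The firecfg change in this same series keeps gpg-agent off the default list for a related reason, so this may be accepted, but it deserves a line: `# private-tmp hides a /tmp-based agent socket from clients; use the standard socket or drop private-tmp`. I cannot tell from the profile which GnuPG version it was tested with.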
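Review bot: `net none` in the gpg profile blocks every keyserver operation (`--recv-keys`, `--send-keys`, `--refresh-keys`), since the keyserver helper or dirmngr that gpg starts runs inside the sandbox; that is a reasonable hardening for local signing and encryption, but it should be documented so the failure is not mistaken for a keyserver outage, e.g. `# net none: keyserver operations are intentionally unavailable`. `private-tmp` carries the same agent-socket caveat as the gpg-agent profile when the socket lives under /tmp.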
@@ -0,0 +1,24 @@
+# img2txt profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+#private-bin img2txt
+private-tmp
+private-dev
+#private-etc none
+
+
diff --git a/etc/k3b.profile b/etc/k3b.profile
new file mode 100644
index 000000000..6e16d233c
--- /dev/null
+++ b/etc/k3b.profile
@@ -0,0 +1,21 @@
+# k3b profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+seccomp
+protocol unix
+
+# private-bin
+private-dev
+private-tmp
+# private-etc
+
diff --git a/etc/kate.profile b/etc/kate.profile
new file mode 100644
index 000000000..4b07ea6cb
--- /dev/null
+++ b/etc/kate.profile
@@ -0,0 +1,28 @@
+# kate profile
+noblacklist ~/.local/share/kate
+noblacklist ~/.config/katerc
+noblacklist ~/.config/katepartrc
+noblacklist ~/.config/kateschemarc
+noblacklist ~/.config/katesyntaxhighlightingrc
+noblacklist ~/.config/katevirc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+#include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin kate
+private-tmp
+private-dev
+# private-etc fonts
diff --git a/etc/lynx.profile b/etc/lynx.profile
new file mode 100644
index 000000000..6e150f62e
--- /dev/null
+++ b/etc/lynx.profile
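Review bot: `private-dev` is active in the k3b profile, while the other optical-drive tools added in this commit (goobox, xfburn) leave it commented out as `# private-dev`, presumably because private-dev hides the CD/DVD device node from the sandbox; if that is the reason, k3b, a burner, will not see the drive either. Please either confirm k3b burns with `private-dev` or comment it out with the reason, e.g. `# private-dev # hides /dev/sr*, needed for burning`. k3b is also the only new profile here without `tracelog`, which looks accidental.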
@@ -0,0 +1,22 @@
+# lynx profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin lynx
+private-tmp
+private-dev
+# private-etc none
+
diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile
new file mode 100644
index 000000000..c07a9a9e8
--- /dev/null
+++ b/etc/mediainfo.profile
@@ -0,0 +1,26 @@
+# mediainfo profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+private-bin mediainfo
+private-tmp
+private-dev
+private-etc none
+
+
+
+
diff --git a/etc/nautilus.profile b/etc/nautilus.profile
new file mode 100644
index 000000000..264ee0b9d
--- /dev/null
+++ b/etc/nautilus.profile
@@ -0,0 +1,26 @@
+# nautilus profile
+
+# Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there is already a nautilus process running on gnome desktops firejail will have no effect.
+
+noblacklist ~/.config/nautilus
+
+include /etc/firejail/disable-common.inc
+# nautilus needs to be able to start arbitrary applications so we cannot blacklist their files
+#include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin nautilus
+# private-tmp
+# private-dev
+# private-etc fonts
diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile
new file mode 100644
index 000000000..329275022
--- /dev/null
+++ b/etc/odt2txt.profile
@@ -0,0 +1,24 @@ +# odt2txt profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +net none +shell none +tracelog + +private-bin odt2txt +private-tmp +private-dev +private-etc none + +read-only ${HOME} diff --git a/etc/okular.profile b/etc/okular.profile index b43a5fbea..22e223cea 100644 --- a/etc/okular.profile +++ b/etc/okular.profile @@ -9,17 +9,17 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -nogroups +netfilter nonewprivs +nogroups noroot +nosound protocol unix seccomp -nosound +shell none +tracelog +# private-bin okular,kbuildsycoca4,kbuildsycoca5 +# private-etc X11 private-dev - -#Experimental: -#net none -#shell none -#private-bin okular,kbuildsycoca4,kbuildsycoca5 -#private-etc X11 +private-tmp diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile new file mode 100644 index 000000000..632c9d15e --- /dev/null +++ b/etc/pdftotext.profile @@ -0,0 +1,22 @@ +# pdftotext profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +net none +shell none +tracelog + +private-bin pdftotext +private-tmp +private-dev +private-etc none diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile new file mode 100644 index 000000000..03089482b --- /dev/null +++ b/etc/simple-scan.profile 
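Review bot: `+private-tmp` is newly applied to okular with no note; it mounts a fresh, empty /tmp in the sandbox, so a PDF handed to okular from /tmp (a browser's "open with" on a download is the common case) will not be found. If that trade-off is accepted for a viewer that parses untrusted input, a comment such as `# private-tmp: files under /tmp are not visible to okular` would make it explicit; otherwise it belongs back under the experimental list the hunk removes. Dropping `#net none` silently is fine since `protocol unix` already prevents inet sockets. The first eight lines of the profile are outside the hunk.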
@@ -0,0 +1,23 @@
+# simple-scan profile
+noblacklist ~/.cache/simple-scan
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+#seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin simple-scan
+# private-tmp
+# private-dev
+# private-etc fonts
diff --git a/etc/skanlite.profile b/etc/skanlite.profile
new file mode 100644
index 000000000..6e8face75
--- /dev/null
+++ b/etc/skanlite.profile
@@ -0,0 +1,21 @@
+# skanlite profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+#seccomp
+protocol unix
+
+private-bin skanlite
+# private-dev
+# private-tmp
+# private-etc
+
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile
new file mode 100644
index 000000000..485bd8f3b
--- /dev/null
+++ b/etc/ssh-agent.profile
@@ -0,0 +1,15 @@
+# ssh-agent
+quiet
+noblacklist ~/.ssh
+noblacklist /tmp/ssh-*
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/tracker.profile b/etc/tracker.profile
new file mode 100644
index 000000000..217631216
--- /dev/null
+++ b/etc/tracker.profile
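Review bot: `#seccomp` is disabled in the simple-scan profile without saying why (skanlite in this commit does the same), which removes the syscall filter that the rest of the profile relies on next to `caps.drop all` and `nonewprivs`. If a SANE backend trips over a syscall on the default blacklist, please record it, e.g. `# seccomp disabled: <syscall> needed by the scanner backend`, so the filter can later be re-enabled with a targeted exception instead of staying off for good.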
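Review bot: `protocol unix,inet,inet6` in the ssh-agent profile is wider than the agent needs — ssh-agent only serves a UNIX-domain socket and never opens TCP connections itself — so `protocol unix` would confine the process holding decrypted private keys more tightly at no cost. The profile also omits `shell none`, `nogroups` and `disable-devel.inc` that every other profile in this commit carries; if that is deliberate because of how the agent is spawned, a comment would help. The firecfg change in the series already keeps ssh-agent off the default list, so the breakage risk of tightening is limited.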
@@ -0,0 +1,24 @@
+# tracker profile
+
+# Tracker is started by systemd on most systems. Therefore it is not firejailed by default
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin tracker
+# private-tmp
+# private-dev
+# private-etc fonts
diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile
new file mode 100644
index 000000000..88ded649c
--- /dev/null
+++ b/etc/transmission-cli.profile
@@ -0,0 +1,24 @@
+# transmission-cli bittorrent profile
+noblacklist ${HOME}/.config/transmission
+noblacklist ${HOME}/.cache/transmission
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+net none
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+#private-bin transmission-cli
+private-tmp
+private-dev
+private-etc none
diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile
new file mode 100644
index 000000000..5e5284b34
--- /dev/null
+++ b/etc/transmission-show.profile
@@ -0,0 +1,24 @@
+# transmission-show profile
+noblacklist ${HOME}/.config/transmission
+noblacklist ${HOME}/.cache/transmission
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+net none
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+# private-bin
+private-tmp
+private-dev
+private-etc none
diff --git a/etc/w3m.profile b/etc/w3m.profile
new file mode 100644
index 000000000..d765217cf
--- /dev/null
+++ b/etc/w3m.profile
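Review bot: `net none` together with `protocol unix` leaves transmission-cli, described by its own header as a BitTorrent client, with no way to reach trackers or peers, so downloads cannot work under this profile; the same pair is right for transmission-show, which only parses a .torrent file, but not here. Unless the intent is to confine transmission-cli to offline inspection, `net none` should be dropped and the socket line widened to `protocol unix,inet,inet6`. The `nogroups` that the other new profiles carry is also missing.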
@@ -0,0 +1,23 @@
+# w3m profile
+noblacklist ~/.w3m
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin w3m
+private-tmp
+private-dev
+private-etc none
diff --git a/etc/xfburn.profile b/etc/xfburn.profile
new file mode 100644
index 000000000..1dd24aa61
--- /dev/null
+++ b/etc/xfburn.profile
@@ -0,0 +1,23 @@
+# xfburn profile
+noblacklist ~/.config/xfburn
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin xfburn
+# private-tmp
+# private-dev
+# private-etc fonts
diff --git a/etc/xpra.profile b/etc/xpra.profile
new file mode 100644
index 000000000..8584e4e5b
--- /dev/null
+++ b/etc/xpra.profile
@@ -0,0 +1,21 @@
+# xpra profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+seccomp
+protocol unix,inet,inet6
+
+# private-bin
+private-dev
+private-tmp
+# private-etc
+
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 6377c7426..60b4e0508 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
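Review bot: `private-etc none` is active in the w3m profile while the lynx profile in this commit keeps the same line commented out; if it yields an /etc without resolv.conf, nsswitch.conf, hosts and the CA bundle, w3m can neither resolve names nor verify TLS, and the latter shows up as broken certificate checks rather than an obvious sandbox error. Unless firejail populates those files on its own, list what a text browser needs, e.g. `private-etc resolv.conf,nsswitch.conf,hosts,ssl,ca-certificates`, or comment the line out as lynx does until it has been tested.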
@@ -5,13 +5,18 @@ /etc/firejail/Telegram.profile /etc/firejail/Wire.profile /etc/firejail/abrowser.profile +/etc/firejail/amarok.profile +/etc/firejail/ark.profile /etc/firejail/atom-beta.profile /etc/firejail/atom.profile +/etc/firejail/atool.profile /etc/firejail/atril.profile /etc/firejail/audacious.profile /etc/firejail/audacity.profile /etc/firejail/aweather.profile /etc/firejail/bitlbee.profile +/etc/firejail/bleachbit.profile +/etc/firejail/brasero.profile /etc/firejail/brave.profile /etc/firejail/cherrytree.profile /etc/firejail/chromium-browser.profile @@ -34,17 +39,23 @@ /etc/firejail/display.profile /etc/firejail/dnscrypt-proxy.profile /etc/firejail/dnsmasq.profile +/etc/firejail/dolphin.profile /etc/firejail/dosbox.profile +/etc/firejail/dragon.profile /etc/firejail/dropbox.profile +/etc/firejail/elinks.profile /etc/firejail/emacs.profile /etc/firejail/empathy.profile +/etc/firejail/enchant.profile /etc/firejail/eog.profile /etc/firejail/eom.profile /etc/firejail/epiphany.profile /etc/firejail/evince.profile /etc/firejail/evolution.profile +/etc/firejail/exiftool.profile /etc/firejail/fbreader.profile /etc/firejail/feh.profile +/etc/firejail/file-roller.profile /etc/firejail/file.profile /etc/firejail/filezilla.profile /etc/firejail/firefox-esr.profile 
@@ -54,16 +65,29 @@ /etc/firejail/flowblade.profile /etc/firejail/franz.profile /etc/firejail/gajim.profile +/etc/firejail/gedit.profile /etc/firejail/gimp.profile /etc/firejail/git.profile /etc/firejail/gitter.profile +/etc/firejail/gjs.profile +/etc/firejail/gnome-books.profile /etc/firejail/gnome-chess.profile +/etc/firejail/gnome-clocks.profile +/etc/firejail/gnome-documents.profile +/etc/firejail/gnome-maps.profile /etc/firejail/gnome-mplayer.profile +/etc/firejail/gnome-music.profile +/etc/firejail/gnome-photos.profile +/etc/firejail/gnome-weather.profile +/etc/firejail/goobox.profile /etc/firejail/google-chrome-beta.profile /etc/firejail/google-chrome-stable.profile /etc/firejail/google-chrome-unstable.profile /etc/firejail/google-chrome.profile /etc/firejail/google-play-music-desktop-player.profile +/etc/firejail/gpa.profile +/etc/firejail/gpg-agent.profile +/etc/firejail/gpg.profile /etc/firejail/gpredict.profile /etc/firejail/gtar.profile /etc/firejail/gthumb.profile @@ -72,12 +96,16 @@ /etc/firejail/gzip.profile /etc/firejail/hedgewars.profile /etc/firejail/hexchat.profile +/etc/firejail/highlight.profile /etc/firejail/icecat.profile /etc/firejail/icedove.profile /etc/firejail/iceweasel.profile +/etc/firejail/img2txt.profile /etc/firejail/inkscape.profile /etc/firejail/inox.profile /etc/firejail/jitsi.profile +/etc/firejail/k3b.profile +/etc/firejail/kate.profile /etc/firejail/keepass.profile /etc/firejail/keepass2.profile /etc/firejail/keepassx.profile 
@@ -96,16 +124,20 @@ /etc/firejail/lowriter.profile /etc/firejail/luminance-hdr.profile /etc/firejail/lxterminal.profile +/etc/firejail/lynx.profile /etc/firejail/mathematica.profile /etc/firejail/mcabber.profile +/etc/firejail/mediainfo.profile /etc/firejail/midori.profile /etc/firejail/mpv.profile /etc/firejail/mumble.profile /etc/firejail/mupdf.profile /etc/firejail/mupen64plus.profile /etc/firejail/mutt.profile +/etc/firejail/nautilus.profile /etc/firejail/netsurf.profile /etc/firejail/nolocal.net +/etc/firejail/odt2txt.profile /etc/firejail/okular.profile /etc/firejail/openbox.profile /etc/firejail/openshot.profile @@ -113,6 +145,7 @@ /etc/firejail/opera.profile /etc/firejail/palemoon.profile /etc/firejail/parole.profile +/etc/firejail/pdftotext.profile /etc/firejail/pidgin.profile /etc/firejail/pix.profile /etc/firejail/polari.profile @@ -131,12 +164,15 @@ /etc/firejail/seamonkey-bin.profile /etc/firejail/seamonkey.profile /etc/firejail/server.profile +/etc/firejail/simple-scan.profile +/etc/firejail/skanlite.profile /etc/firejail/skype.profile /etc/firejail/skypeforlinux.profile /etc/firejail/slack.profile /etc/firejail/snap.profile /etc/firejail/soffice.profile /etc/firejail/spotify.profile +/etc/firejail/ssh-agent.profile /etc/firejail/ssh.profile /etc/firejail/start-tor-browser.profile /etc/firejail/steam.profile @@ -147,8 +183,11 @@ /etc/firejail/telegram.profile /etc/firejail/thunderbird.profile /etc/firejail/totem.profile +/etc/firejail/tracker.profile +/etc/firejail/transmission-cli.profile /etc/firejail/transmission-gtk.profile /etc/firejail/transmission-qt.profile +/etc/firejail/transmission-show.profile /etc/firejail/uget-gtk.profile /etc/firejail/unbound.profile /etc/firejail/unrar.profile @@ -159,6 +198,7 @@ /etc/firejail/vivaldi-beta.profile /etc/firejail/vivaldi.profile /etc/firejail/vlc.profile +/etc/firejail/w3m.profile /etc/firejail/warzone2100.profile /etc/firejail/webserver.net /etc/firejail/weechat-curses.profile 
@@ -168,9 +208,11 @@ /etc/firejail/wine.profile /etc/firejail/wire.profile /etc/firejail/xchat.profile +/etc/firejail/xfburn.profile /etc/firejail/xiphos.profile /etc/firejail/xpdf.profile /etc/firejail/xplayer.profile +/etc/firejail/xpra.profile /etc/firejail/xreader.profile /etc/firejail/xviewer.profile /etc/firejail/xz.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index d10d59657..7d7fad0a6 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -14,6 +14,8 @@ qbittorrent rtorrent transmission-gtk transmission-qt +transmission-cli +transmission-show uget-gtk # browsers/email @@ -51,6 +53,9 @@ thunderbird vivaldi-beta vivaldi evolution +elinks +lynx +w3m # chat/messaging bitlbee @@ -94,21 +99,41 @@ wesnot warzone2100 # Media +amarok audacious audacity +bleachbit +brasero clementine cmus deadbeef display +dolphin +dragon +exiftool feh +gjs +gnome-books +gnome-clocks +gnome-documents +gnome-maps gnome-mplayer +gnome-music +goobox google-play-music-desktop-player +img2txt +k3b +mediainfo mpv +nautilus parole rhythmbox +simple-scan +skanlite spotify totem vlc +xfburn xplayer xviewer eom @@ -121,10 +146,13 @@ atril cherrytree evince fbreader +gedit gimp gthumb gwenview +highlight inkscape +kate libreoffice localc lodraw @@ -141,7 +169,9 @@ soffice synfigstudio Mathematica mathematica +odt2txt okular +pdftotext pix xpdf xreader @@ -151,14 +181,40 @@ flowblade eog # other -ssh -atom-beta atom +atom-beta +gpa +gpg +# don't run ssh-agent and gpg-agent with firejail by default +# this will break many processes using them in the background +# ssh-agent +# gpg-agent +git ranger keepass keepass2 keepassx +ssh +tracker xiphos +xpra # weather/climate aweather +gnome-weather + +# compressing tools +ark +atool +file-roller + +# when used by other processes in the background, it will break stuff +#7z +#cpio +#gtar +#gzip +#tar +#unrar +#unzip +#xz +#xzdec -- cgit v1.2.3-70-g09d2 
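Review bot: `+gpg` is added to the firecfg default list, which routes every `gpg` invocation on the system through the new gpg profile with `net none`, so any tool that runs `gpg --recv-keys` in the background silently loses keyserver access — the same "will break many processes" reasoning that keeps `# gpg-agent` and `# ssh-agent` commented a few lines above. Consider treating gpg the same way, or at least extend that comment: `# gpg profile has net none: keyserver operations fail for every caller`. `+tracker` and `+nautilus` are also listed although their own profiles say firejail has no effect when systemd starts them, which gives a false sense of coverage.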
From ecd3b2191b573081c41cec0c497f8043790d50be Mon Sep 17 00:00:00 2001 From: valoq Date: Sat, 19 Nov 2016 22:22:19 +0100 Subject: fixed spacing in profiles --- etc/abrowser.profile | 1 - etc/brave.profile | 1 - etc/claws-mail.profile | 1 - etc/corebird.profile | 1 - etc/cyberfox.profile | 1 - etc/dillo.profile | 1 - etc/emacs.profile | 1 - etc/eog.profile | 1 - etc/evolution.profile | 1 - etc/firefox.profile | 1 - etc/gajim.profile | 1 - etc/git.profile | 1 - etc/gnome-clocks.profile | 1 - etc/gpg-agent.profile | 1 - etc/icecat.profile | 1 - etc/keepass.profile | 1 - etc/keepass2.profile | 1 - etc/keepassx.profile | 1 - etc/konversation.profile | 1 - etc/lxterminal.profile | 1 - etc/mutt.profile | 1 - etc/netsurf.profile | 1 - etc/psi-plus.profile | 1 - etc/qemu-launcher.profile | 1 - etc/qemu-system-x86_64.profile | 1 - etc/qutebrowser.profile | 1 - etc/virtualbox.profile | 1 - etc/wire.profile | 1 - etc/xviewer.profile | 1 + etc/zoom.profile | 1 - 30 files changed, 1 insertion(+), 29 deletions(-) (limited to 'etc') diff --git a/etc/abrowser.profile b/etc/abrowser.profile index 4aa18aa90..481301420 100644 --- a/etc/abrowser.profile +++ b/etc/abrowser.profile @@ -1,5 +1,4 @@ # Firejail profile for Abrowser - noblacklist ~/.mozilla noblacklist ~/.cache/mozilla include /etc/firejail/disable-common.inc diff --git a/etc/brave.profile b/etc/brave.profile index 4fc3a5bb0..21ea7f908 100644 --- a/etc/brave.profile +++ b/etc/brave.profile @@ -1,5 +1,4 @@ # Profile for Brave browser - noblacklist ~/.config/brave include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile index 1b6d2f645..8921bb25e 100644 --- a/etc/claws-mail.profile +++ b/etc/claws-mail.profile @@ -1,5 +1,4 @@ # claws-mail profile - noblacklist ~/.claws-mail noblacklist ~/.signature noblacklist ~/.gnupg diff --git a/etc/corebird.profile b/etc/corebird.profile index 077ae30d0..6fb8219e8 100644 --- a/etc/corebird.profile 
+++ b/etc/corebird.profile @@ -1,5 +1,4 @@ # Firejail corebird profile - include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile index ae487fa3c..84021dab3 100644 --- a/etc/cyberfox.profile +++ b/etc/cyberfox.profile @@ -1,5 +1,4 @@ # Firejail profile for Cyberfox (based on Mozilla Firefox) - noblacklist ~/.8pecxstudios noblacklist ~/.cache/8pecxstudios include /etc/firejail/disable-common.inc diff --git a/etc/dillo.profile b/etc/dillo.profile index 2ddd363cb..108787920 100644 --- a/etc/dillo.profile +++ b/etc/dillo.profile @@ -1,5 +1,4 @@ # Firejail profile for Dillo web browser - noblacklist ~/.dillo include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/emacs.profile b/etc/emacs.profile index cbdba7712..2b9c5805c 100644 --- a/etc/emacs.profile +++ b/etc/emacs.profile @@ -1,5 +1,4 @@ # emacs profile - noblacklist ~/.emacs noblacklist ~/.emacs.d diff --git a/etc/eog.profile b/etc/eog.profile index 68e950bd7..d463f3a97 100644 --- a/etc/eog.profile +++ b/etc/eog.profile @@ -1,5 +1,4 @@ # eog (gnome image viewer) profile - noblacklist ~/.config/eog include /etc/firejail/disable-common.inc diff --git a/etc/evolution.profile b/etc/evolution.profile index d63eeed74..ab6dd7a4a 100644 --- a/etc/evolution.profile +++ b/etc/evolution.profile @@ -1,5 +1,4 @@ # evolution profile - noblacklist ~/.config/evolution noblacklist ~/.local/share/evolution noblacklist ~/.cache/evolution diff --git a/etc/firefox.profile b/etc/firefox.profile index 6bb581f4f..4f971f330 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile @@ -1,5 +1,4 @@ # Firejail profile for Mozilla Firefox (Iceweasel in Debian) - noblacklist ~/.mozilla noblacklist ~/.cache/mozilla noblacklist ~/.config/qpdfview diff --git a/etc/gajim.profile b/etc/gajim.profile index 809378ef9..b030a68b4 100644 --- a/etc/gajim.profile +++ b/etc/gajim.profile 
@@ -1,5 +1,4 @@ # Firejail profile for Gajim - mkdir ${HOME}/.cache/gajim mkdir ${HOME}/.local/share/gajim mkdir ${HOME}/.config/gajim diff --git a/etc/git.profile b/etc/git.profile index 73122d347..edb59ce13 100644 --- a/etc/git.profile +++ b/etc/git.profile @@ -1,5 +1,4 @@ # git profile - noblacklist ~/.gitconfig noblacklist ~/.ssh noblacklist ~/.gnupg diff --git a/etc/gnome-clocks.profile b/etc/gnome-clocks.profile index 30adadda1..6cccf9d32 100644 --- a/etc/gnome-clocks.profile +++ b/etc/gnome-clocks.profile @@ -1,5 +1,4 @@ # gnome-clocks profile - include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile index 31ed8812e..b0ebdf43c 100644 --- a/etc/gpg-agent.profile +++ b/etc/gpg-agent.profile @@ -1,5 +1,4 @@ # gpg-agent profile - noblacklist ~/.gnupg include /etc/firejail/disable-common.inc diff --git a/etc/icecat.profile b/etc/icecat.profile index 2f8e2df7f..0348076da 100644 --- a/etc/icecat.profile +++ b/etc/icecat.profile @@ -1,5 +1,4 @@ # Firejail profile for GNU Icecat - noblacklist ~/.mozilla noblacklist ~/.cache/mozilla include /etc/firejail/disable-common.inc diff --git a/etc/keepass.profile b/etc/keepass.profile index 23f9a7b40..18a5f4ebd 100644 --- a/etc/keepass.profile +++ b/etc/keepass.profile @@ -1,5 +1,4 @@ # keepass password manager profile - noblacklist ${HOME}/.config/keepass noblacklist ${HOME}/.keepass diff --git a/etc/keepass2.profile b/etc/keepass2.profile index fd390f7ed..9daa014e3 100644 --- a/etc/keepass2.profile +++ b/etc/keepass2.profile @@ -1,5 +1,4 @@ # keepass password manager profile - #noblacklist ${HOME}/.config/KeePass #noblacklist ${HOME}/.keepass diff --git a/etc/keepassx.profile b/etc/keepassx.profile index 415160df3..d8621773f 100644 --- a/etc/keepassx.profile +++ b/etc/keepassx.profile 
@@ -1,5 +1,4 @@ # keepassx password manager profile - noblacklist ${HOME}/.config/keepassx noblacklist ${HOME}/.keepassx noblacklist ${HOME}/keepassx.kdbx diff --git a/etc/konversation.profile b/etc/konversation.profile index e9546fd1b..c00b91c18 100644 --- a/etc/konversation.profile +++ b/etc/konversation.profile @@ -1,5 +1,4 @@ # Firejail konversation profile - include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc diff --git a/etc/lxterminal.profile b/etc/lxterminal.profile index d1d0b8a0d..12765c299 100644 --- a/etc/lxterminal.profile +++ b/etc/lxterminal.profile @@ -1,5 +1,4 @@ # lxterminal (LXDE) profile - include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc diff --git a/etc/mutt.profile b/etc/mutt.profile index 54cf828b1..2718421c5 100644 --- a/etc/mutt.profile +++ b/etc/mutt.profile @@ -1,5 +1,4 @@ # mutt email client profile - noblacklist ~/.muttrc noblacklist ~/.mutt noblacklist ~/.mutt/muttrc diff --git a/etc/netsurf.profile b/etc/netsurf.profile index 1ed2163c2..2071e5519 100644 --- a/etc/netsurf.profile +++ b/etc/netsurf.profile @@ -1,5 +1,4 @@ # Firejail profile for Mozilla Firefox (Iceweasel in Debian) - noblacklist ~/.config/netsurf noblacklist ~/.cache/netsurf include /etc/firejail/disable-common.inc diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile index a9323448b..e4e69b9f6 100644 --- a/etc/psi-plus.profile +++ b/etc/psi-plus.profile @@ -1,5 +1,4 @@ # Firejail profile for Psi+ - noblacklist ${HOME}/.config/psi+ noblacklist ${HOME}/.local/share/psi+ include /etc/firejail/disable-common.inc diff --git a/etc/qemu-launcher.profile b/etc/qemu-launcher.profile index 9fa8a91d4..f9c8e6345 100644 --- a/etc/qemu-launcher.profile +++ b/etc/qemu-launcher.profile @@ -1,5 +1,4 @@ # qemu-launcher profile - noblacklist ~/.qemu-launcher include /etc/firejail/disable-common.inc 
diff --git a/etc/qemu-system-x86_64.profile b/etc/qemu-system-x86_64.profile index 3d4587fb1..65e1e44ea 100644 --- a/etc/qemu-system-x86_64.profile +++ b/etc/qemu-system-x86_64.profile @@ -1,5 +1,4 @@ # qemu profile - include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile index 0efb7b629..eabbe0f3e 100644 --- a/etc/qutebrowser.profile +++ b/etc/qutebrowser.profile @@ -1,5 +1,4 @@ # Firejail profile for Qutebrowser (Qt5-Webkit+Python) browser - noblacklist ~/.config/qutebrowser noblacklist ~/.cache/qutebrowser include /etc/firejail/disable-common.inc diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile index 49f8f8b24..36a1e0704 100644 --- a/etc/virtualbox.profile +++ b/etc/virtualbox.profile @@ -1,5 +1,4 @@ # VirtualBox profile - noblacklist ${HOME}/.VirtualBox noblacklist ${HOME}/VirtualBox VMs noblacklist ${HOME}/.config/VirtualBox diff --git a/etc/wire.profile b/etc/wire.profile index c84b4cc28..ec8ed8771 100644 --- a/etc/wire.profile +++ b/etc/wire.profile @@ -1,5 +1,4 @@ # wire messenger profile - noblacklist ~/.config/Wire noblacklist ~/.config/wire diff --git a/etc/xviewer.profile b/etc/xviewer.profile index cbb59d16e..ca380b4c7 100644 --- a/etc/xviewer.profile +++ b/etc/xviewer.profile @@ -1,3 +1,4 @@ +# xviewer profile noblacklist ~/.config/xviewer include /etc/firejail/disable-common.inc diff --git a/etc/zoom.profile b/etc/zoom.profile index f5831dd88..4c08868cf 100644 --- a/etc/zoom.profile +++ b/etc/zoom.profile @@ -1,5 +1,4 @@ # Firejail profile for zoom.us - noblacklist ~/.config/zoomus.conf include /etc/firejail/disable-common.inc -- cgit v1.2.3-70-g09d2 From b93b223507d3cb1a8b8f1c96657134d4c23da9a1 Mon Sep 17 00:00:00 2001 
From: valoq Date: Sat, 19 Nov 2016 23:06:57 +0100 Subject: fixed typo --- etc/amarok.profile | 4 ++-- etc/k3b.profile | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'etc') diff --git a/etc/amarok.profile b/etc/amarok.profile index 962865790..8d5b35d47 100644 --- a/etc/amarok.profile +++ b/etc/amarok.profile @@ -1,4 +1,4 @@ -# amorak profile +# amarok profile include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc @@ -13,7 +13,7 @@ shell none #seccomp protocol unix,inet,inet6 -#private-bin amorak +#private-bin amarok private-dev private-tmp #private-etc none diff --git a/etc/k3b.profile b/etc/k3b.profile index 6e16d233c..8a5fff0c6 100644 --- a/etc/k3b.profile +++ b/etc/k3b.profile @@ -15,7 +15,7 @@ seccomp protocol unix # private-bin -private-dev -private-tmp +# private-dev +# private-tmp # private-etc -- cgit v1.2.3-70-g09d2 From 35cf892b0bcb9b5a88e70c211c5dab3b65b86c2b Mon Sep 17 00:00:00 2001 From: valoq Date: Sat, 19 Nov 2016 23:10:01 +0100 Subject: minor fix --- etc/skanlite.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/skanlite.profile b/etc/skanlite.profile index 6e8face75..4dcfa64d9 100644 --- a/etc/skanlite.profile +++ b/etc/skanlite.profile @@ -12,7 +12,7 @@ noroot nosound shell none #seccomp -protocol unix +protocol unix,inet,inet6 private-bin skanlite # private-dev -- cgit v1.2.3-70-g09d2 From 84230c5ed4a507f4262ab764475eab962624e032 Mon Sep 17 00:00:00 2001 From: valoq Date: Sat, 19 Nov 2016 23:19:45 +0100 Subject: reversed incorrect changes --- etc/evince.profile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/evince.profile b/etc/evince.profile index cbb2083f4..12ea358be 100644 --- a/etc/evince.profile +++ b/etc/evince.profile 
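Review bot: In the k3b.profile hunk, `private-dev` and `private-tmp` are turned into comments with no reason recorded, which loosens the k3b sandbox while the commit subject ("fixed typo") only describes the amarok rename. Presumably k3b needs the real /dev to reach the optical drive and /tmp for its staging files, but that belongs next to the change, e.g. `# private-dev/private-tmp disabled: k3b needs the optical drive nodes under /dev and its burn staging area under /tmp` (wording to be confirmed by whoever tested it). The evince profile later in this series documents its private-tmp exception inline; k3b should do the same.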
@@ -19,4 +19,5 @@ tracelog private-bin evince,evince-previewer,evince-thumbnailer private-dev private-etc fonts -private-tmp \ No newline at end of file +# evince needs access to /tmp/mozilla* to work in firefox +# private-tmp -- cgit v1.2.3-70-g09d2 From bedf08d73c59ac95e2de56ccf279108a038cb313 Mon Sep 17 00:00:00 2001 From: valoq Date: Sun, 20 Nov 2016 12:38:38 +0100 Subject: updated default.profile --- etc/default.profile | 10 ++++++++-- etc/file.profile | 19 ++++++++++++++----- 2 files changed, 22 insertions(+), 7 deletions(-) (limited to 'etc') diff --git a/etc/default.profile b/etc/default.profile index a2de72695..487e80c64 100644 --- a/etc/default.profile +++ b/etc/default.profile @@ -5,11 +5,17 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc -#blacklist ${HOME}/.wine - caps.drop all netfilter +nogroups nonewprivs noroot protocol unix,inet,inet6 seccomp +shell none + +# private-bin program +# private-etc none +# private-dev +# private-tmp + diff --git a/etc/file.profile b/etc/file.profile index 199a97fad..f709e7f0c 100644 --- a/etc/file.profile +++ b/etc/file.profile @@ -1,16 +1,25 @@ # file profile -ignore noroot -include /etc/firejail/default.profile - -blacklist /tmp/.X11-unix +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc +caps.drop all hostname file +netfilter net none no3d +nogroups +nonewprivs +#noroot nosound -quiet +protocol unix +seccomp shell none tracelog +quiet +x11 none + +blacklist /tmp/.X11-unix private-dev private-bin file -- cgit v1.2.3-70-g09d2 From a9e69fe9e65f44f1f9fa4088842ff2af3cd8d6ca Mon Sep 17 00:00:00 2001 From: valoq Date: Sun, 20 Nov 2016 12:40:52 +0100 Subject: fixed mudpf profile for debian --- etc/mupdf.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc') 
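Review bot: In the rewritten file.profile, `#noroot` is commented out without a reason, and the removed `ignore noroot` line shows this was already a known exception rather than an oversight; a one-line comment such as `# noroot disabled: <reason>` would stop the next editor from re-enabling it blindly. The new `x11 none` is added while `blacklist /tmp/.X11-unix` is kept; if `x11 none` already blocks the X socket the blacklist is redundant, otherwise a comment on why both are needed would help. `protocol unix` together with `net none` is consistent, but the removed `include /etc/firejail/default.profile` means this profile no longer inherits future default hardening, which is worth noting in the header.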
diff --git a/etc/mupdf.profile b/etc/mupdf.profile index dc23d5840..7116fa1a6 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile @@ -18,7 +18,7 @@ tracelog #seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev -private-bin mupdf +private-bin mupdf,sh,tempfile,rm private-tmp private-dev private-etc fonts -- cgit v1.2.3-70-g09d2 From aaa9bcb02fae1eb9ffb765080d6b466f52918285 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 20 Nov 2016 11:19:25 -0500 Subject: profiles --- README | 34 +++++++++++++++++++--------------- etc/default.profile | 7 +++++-- etc/mupdf.profile | 8 +++++--- src/fseccomp/main.c | 4 ++-- 4 files changed, 31 insertions(+), 22 deletions(-) (limited to 'etc') diff --git a/README b/README index bd32034a3..45d021008 100644 --- a/README +++ b/README 
@@ -80,6 +80,25 @@ Fred-Barclay (https://github.com/Fred-Barclay) - evince profile enhancement - tightened Spotify profile - added xiphos and Tor Browser Bundle profiles +valoq (https://github.com/valoq) + - lots of profile fixes + - added support for /srv in --whitelist feature + - Eye of GNOME, Evolution, display (imagemagik) and Wire profiles + - blacklist suid binaries in disable-common.inc + - fix man pages + - added keypass2, qemu profiles + - added amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, enchant, exiftool profiles + - added file-roller, gedit, gjs,gnome-books, gnome-documents, gnome-maps, gnome-music profiles + - added gnome-photos, gnome-weather, goobox, gpa, gpg, gpg-agent, highlight profiles + - added img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, simple-scan profiles + - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles +Vasya Novikov (https://github.com/vn971) + - Wesnoth profile + - Hedegewars profile + - manpage fixes + - fixed firecfg clean/clear issue + - found the ugliest bug so far + - seccomp debug description in man page curiosity-seeker (https://github.com/curiosity-seeker) - tightening unbound and dnscrypt-proxy profiles - dnsmasq profile @@ -95,15 +114,6 @@ BogDan Vatra (https://github.com/bog-dan-ro) - zoom profile Impyy (https://github.com/Impyy) - added mumble profile -valoq (https://github.com/valoq) - - LibreOffice profile fixes - - cherrytree profile fixes - - added support for /srv in --whitelist feature - - Eye of GNOME, Evolution, display (imagemagik) and Wire profiles - - blacklist suid binaries in disable-common.inc - - fix man pages - - various profile improvements - - added keypass2, qemu profiles Vadim A. Misbakh-Soloviov (https://github.com/msva) - profile fixes Rafael Cavalcanti (https://github.com/rccavalcanti) 
@@ -196,12 +206,6 @@ avoidr (https://github.com/avoidr) - various other fixes Ruan (https://github.com/ruany) - fixed hexchat profile -Vasya Novikov (https://github.com/vn971) - - Wesnoth profile - - Hedegewars profile - - manpage fixes - - fixed firecfg clean/clear issue - - found the ugliest bug so far Matthew Gyurgyik (https://github.com/pyther) - rpm spec and several fixes Joan Figueras (https://github.com/figue) diff --git a/etc/default.profile b/etc/default.profile index 487e80c64..603321316 100644 --- a/etc/default.profile +++ b/etc/default.profile @@ -7,13 +7,16 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter -nogroups nonewprivs noroot protocol unix,inet,inet6 seccomp -shell none +# +# depending on you usage, you can enable some of the commands below: +# +# nogroups +# shell none # private-bin program # private-etc none # private-dev diff --git a/etc/mupdf.profile b/etc/mupdf.profile index 7116fa1a6..7f9261d8b 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile @@ -16,9 +16,6 @@ net none shell none tracelog -#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev - -private-bin mupdf,sh,tempfile,rm private-tmp private-dev private-etc fonts 
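Review bot: The new comment block in default.profile has a typo in `# depending on you usage, you can enable some of the commands below:`, which should read `# depending on your usage, you can enable some of the commands below:`. Moving `nogroups` and `shell none` from active options to that comment loosens every program that falls back to the default profile; the comment says they can be enabled but not why they were turned off (presumably breakage in some programs), and one sentence on that would make the trade-off reviewable later.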
@@ -26,3 +23,8 @@ private-etc fonts # mupdf will never write anything read-only ${HOME} +# +# Experimental: +# +#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev +# private-bin mupdf,sh,tempfile,rm diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c index 471e0b193..2f85a786b 100644 --- a/src/fseccomp/main.c +++ b/src/fseccomp/main.c @@ -38,7 +38,7 @@ static void usage(void) { } int main(int argc, char **argv) { -//#if 0 +#if 0 { //system("cat /proc/self/status"); int i; @@ -46,7 +46,7 @@ for (i = 0; i < argc; i++) printf("*%s* ", argv[i]); printf("\n"); } -//#endif +#endif if (argc < 2) { usage(); return 1; -- cgit v1.2.3-70-g09d2 From d6b2ab7e97f9d07be86076beb7e00ada2d587dca Mon Sep 17 00:00:00 2001 From: valoq Date: Tue, 22 Nov 2016 12:53:02 +0100 Subject: added wget profile --- etc/transmission-cli.profile | 3 +-- etc/wget.profile | 21 +++++++++++++++++++++ 2 files changed, 22 insertions(+), 2 deletions(-) create mode 100644 etc/wget.profile (limited to 'etc') diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile index 88ded649c..6cbc3415c 100644 --- a/etc/transmission-cli.profile +++ b/etc/transmission-cli.profile @@ -9,11 +9,10 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter -net none nonewprivs noroot nosound -protocol unix +protocol unix,inet,inet6 seccomp shell none tracelog diff --git a/etc/wget.profile b/etc/wget.profile new file mode 100644 index 000000000..ad2b03b33 --- /dev/null +++ b/etc/wget.profile 
@@ -0,0 +1,21 @@ +# wget profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +nogroups +nosound +protocol unix,inet,inet6 +seccomp +shell none + + +# private-bin wget +# private-etc resolv.conf +private-dev +private-tmp + -- cgit v1.2.3-70-g09d2 From eb01b2602cc57f4bc4587ca1fc4fa69ebd8761bd Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 24 Nov 2016 08:36:30 -0500 Subject: ssh fix --- etc/disable-common.inc | 3 --- etc/ssh-agent.profile | 1 + etc/ssh.profile | 1 + src/firejail/fs.c | 9 +++++++-- 4 files changed, 9 insertions(+), 5 deletions(-) (limited to 'etc') diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 0dad8b385..f18b0d396 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -165,9 +165,6 @@ blacklist ${PATH}/newgrp blacklist ${PATH}/newuidmap blacklist ${PATH}/pkexec blacklist ${PATH}/sg -blacklist ${PATH}/rsh -blacklist ${PATH}/rlogin -blacklist ${PATH}/rcp blacklist ${PATH}/crontab blacklist ${PATH}/ksu blacklist ${PATH}/chsh diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile index 485bd8f3b..548ede37d 100644 --- a/etc/ssh-agent.profile +++ b/etc/ssh-agent.profile @@ -2,6 +2,7 @@ quiet noblacklist ~/.ssh noblacklist /tmp/ssh-* +noblacklist /etc/ssh include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/ssh.profile b/etc/ssh.profile index d3558ead3..b7a8ed2b9 100644 --- a/etc/ssh.profile +++ b/etc/ssh.profile @@ -2,6 +2,7 @@ quiet noblacklist ~/.ssh noblacklist /tmp/ssh-* +noblacklist /etc/ssh include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 8c776bad5..6f9b5a60c 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c 
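Review bot: In the new wget.profile, `# private-bin wget` and `# private-etc resolv.conf` are commented out with no reason, so a reader cannot tell whether they were tested and found to break wget (private-etc without resolv.conf or certificate stores would, presumably, break DNS or TLS) or were simply left for later; a short `# ... disabled: <reason>` on each would settle it. `private-tmp` is active, which means anything wget writes under /tmp is discarded when the sandbox exits; if that is intended, a comment saying so would spare users who download to /tmp a surprise.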
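Review bot: Removing `blacklist ${PATH}/rsh`, `rlogin` and `rcp` from disable-common.inc re-exposes those three binaries to every profile that includes it, and the commit subject ("ssh fix") does not say why. If the reason is that on some distributions these names are alternatives symlinks resolving to the ssh binary, so that blacklisting them also blocked ssh (which the fs.c hunk in the same commit, with its new "requested" path in the debug output, hints at), that should be recorded next to the remaining blacklist lines, e.g. `# rsh/rlogin/rcp are deliberately not blacklisted: on some distributions they are symlinks to ssh`. Without such a note the next hardening pass will likely add them back.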
@@ -111,8 +111,12 @@ static void disable_file(OPERATION op, const char *filename) { fprintf(stderr, "Warning: %s directory link was not blacklisted\n", filename); } else { - if (arg_debug) - printf("Disable %s\n", fname); + if (arg_debug) { + if (strcmp(filename, fname)) + printf("Disable %s (requesterd %s)\n", fname, filename); + else + printf("Disable %s\n", fname); + } else if (arg_debug_blacklists) { printf("Disable %s", fname); if (op == BLACKLIST_FILE) @@ -120,6 +124,7 @@ static void disable_file(OPERATION op, const char *filename) { else printf(" - no logging\n"); } + if (S_ISDIR(s.st_mode)) { if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0) errExit("disable file"); -- cgit v1.2.3-70-g09d2 From e0bc50dc4138450dd7dca2e96289372d51592f41 Mon Sep 17 00:00:00 2001 From: Fred Barclay Date: Sat, 26 Nov 2016 11:04:40 -0600 Subject: added pluma and xed profiles --- etc/pluma.profile | 21 +++++++++++++++++++++ etc/xed.profile | 21 +++++++++++++++++++++ 2 files changed, 42 insertions(+) create mode 100644 etc/pluma.profile create mode 100644 etc/xed.profile (limited to 'etc') diff --git a/etc/pluma.profile b/etc/pluma.profile new file mode 100644 index 000000000..895cc2369 --- /dev/null +++ b/etc/pluma.profile @@ -0,0 +1,21 @@ +# Firejail profile for Xed +noblacklist ${HOME}/.config/pluma + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +net none +nogroups +nonewprivs +noroot +nosound +seccomp +shell none +tracelog + +private-bin pluma +private-dev +private-tmp diff --git a/etc/xed.profile b/etc/xed.profile new file mode 100644 index 000000000..051710a70 --- /dev/null +++ b/etc/xed.profile 
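Review bot: The new debug message in disable_file has a typo in a runtime string: `printf("Disable %s (requesterd %s)\n", fname, filename);` should be `printf("Disable %s (requested %s)\n", fname, filename);`. The second hunk in this file only adds a blank line before the `S_ISDIR` check. disable_file starts and ends outside these hunks.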
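Review bot: The header comment of the new pluma.profile reads `# Firejail profile for Xed`, evidently copied from xed.profile in the same commit; it should be `# Firejail profile for Pluma`. The rest of the profile correctly refers to pluma (`noblacklist ${HOME}/.config/pluma`, `private-bin pluma`).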
@@ -0,0 +1,21 @@ +# Firejail profile for Xed +noblacklist ${HOME}/.config/xed + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +net none +nogroups +nonewprivs +noroot +nosound +seccomp +shell none +tracelog + +private-bin xed +private-dev +private-tmp -- cgit v1.2.3-70-g09d2 From f88e0fcf806d17b7ef6822b3f1a7d4b672877be1 Mon Sep 17 00:00:00 2001 From: Fred Barclay Date: Sat, 26 Nov 2016 11:12:07 -0600 Subject: additional files for pluma and xed --- README | 1 + README.md | 13 ++++++------- RELNOTES | 2 +- etc/disable-programs.inc | 2 ++ platform/debian/conffiles | 2 ++ src/firecfg/firecfg.config | 2 ++ 6 files changed, 14 insertions(+), 8 deletions(-) (limited to 'etc') diff --git a/README b/README index 1fdd267a5..4d09a0a2c 100644 --- a/README +++ b/README @@ -80,6 +80,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - evince profile enhancement - tightened Spotify profile - added xiphos and Tor Browser Bundle profiles + - added xed and pluma profiles valoq (https://github.com/valoq) - lots of profile fixes - added support for /srv in --whitelist feature diff --git a/README.md b/README.md index 642bac678..7fc552f1e 100644 --- a/README.md +++ b/README.md 
@@ -56,10 +56,9 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is ````` ## New Profiles -xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom,Guayadeque, qemu, keypass2 -amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, enchant, exiftool, file-roller, gedit -gjs, gnome-books, gnome-clocks, gnome-documents, gnome-maps, gnome-music, gnome-photos, gnome-weather -goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext -simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, w3m, xfburn, xpra, wget - - +xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom, Guayadeque, qemu, keypass2, +amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, enchant, exiftool, file-roller, gedit, +gjs, gnome-books, gnome-clocks, gnome-documents, gnome-maps, gnome-music, gnome-photos, gnome-weather, +goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, +simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, w3m, xfburn, xpra, wget, +xed, pluma diff --git a/RELNOTES b/RELNOTES index 3a7c398c2..c5872f676 100644 --- a/RELNOTES +++ b/RELNOTES @@ -10,7 +10,7 @@ firejail (0.9.45) baseline; urgency=low * feature: AppImage type 2 support * feature: test coverage (gcov) support * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, - * new profiles: mumble, zoom, Guayadeque, qemu, keypass2 + * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma * bugfixes -- netblue30 Sun, 23 Oct 2016 08:00:00 -0500 diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index f4e66dc66..e2b7a4929 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc 
@@ -23,6 +23,8 @@ blacklist ${HOME}/.config/xviewer blacklist ${HOME}/.config/libreoffice blacklist ${HOME}/.config/pix blacklist ${HOME}/.config/mate/eom +blacklist ${HOME}/.config/xed +blacklist %{HOME}/.config/pluma blacklist ${HOME}/.kde/share/apps/okular blacklist ${HOME}/.kde/share/config/okularrc blacklist ${HOME}/.kde/share/config/okularpartrc diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 2c1164a43..5776f3889 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -148,6 +148,7 @@ /etc/firejail/pdftotext.profile /etc/firejail/pidgin.profile /etc/firejail/pix.profile +/etc/firejail/pluma.profile /etc/firejail/polari.profile /etc/firejail/psi-plus.profile /etc/firejail/qbittorrent.profile @@ -208,6 +209,7 @@ /etc/firejail/wine.profile /etc/firejail/wire.profile /etc/firejail/xchat.profile +/etc/firejail/xed.profile /etc/firejail/xfburn.profile /etc/firejail/xiphos.profile /etc/firejail/xpdf.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index c6a2bad83..764e9e501 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -195,9 +195,11 @@ ranger keepass keepass2 keepassx +pluma ssh tracker xiphos +xed xpra # weather/climate -- cgit v1.2.3-70-g09d2 From a4fd0e433ace4bbdafe808a56550d55431b882d2 Mon Sep 17 00:00:00 2001 
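Review bot: `blacklist %{HOME}/.config/pluma` in disable-programs.inc uses `%{HOME}` instead of `${HOME}`, so the line either fails to parse or blacklists a literal relative path rather than the user's pluma configuration, leaving it readable from every sandbox that includes this file; it should be `blacklist ${HOME}/.config/pluma`, matching the xed line directly above it.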
From: netblue30 Date: Sun, 27 Nov 2016 10:36:49 -0500 Subject: fixes --- etc/disable-programs.inc | 2 +- src/faudit/dbus.c | 2 +- src/faudit/pid.c | 2 - src/firecfg/main.c | 1 + src/firejail/appimage.c | 15 ++++-- src/firejail/checkcfg.c | 5 +- src/firejail/fs.c | 1 + src/firejail/fs_bin.c | 1 + src/firejail/fs_home.c | 1 + src/firejail/fs_hostname.c | 4 +- src/firejail/fs_mkdir.c | 2 + src/firejail/fs_var.c | 10 ++-- src/firejail/fs_whitelist.c | 2 + src/firejail/ls.c | 5 ++ src/firejail/netfilter.c | 111 +++++++++++++++++++++++------------------- src/firejail/no_sandbox.c | 2 +- src/firejail/profile.c | 1 + src/firejail/pulseaudio.c | 1 + src/firejail/run_symlink.c | 1 + src/firejail/sbox.c | 1 + src/firejail/util.c | 9 ++-- src/firejail/x11.c | 1 + src/fseccomp/seccomp_print.c | 48 ++++++++++-------- src/lib/common.c | 2 + src/libtracelog/libtracelog.c | 2 +- todo | 2 - 26 files changed, 143 insertions(+), 91 deletions(-) (limited to 'etc') diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index e2b7a4929..1ac926e3f 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -24,7 +24,7 @@ blacklist ${HOME}/.config/libreoffice blacklist ${HOME}/.config/pix blacklist ${HOME}/.config/mate/eom blacklist ${HOME}/.config/xed -blacklist %{HOME}/.config/pluma +blacklist ${HOME}/.config/pluma blacklist ${HOME}/.kde/share/apps/okular blacklist ${HOME}/.kde/share/config/okularrc blacklist ${HOME}/.kde/share/config/okularpartrc diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c index 4debf2ff6..d92660536 100644 --- a/src/faudit/dbus.c +++ b/src/faudit/dbus.c @@ -35,7 +35,7 @@ int check_unix(const char *sockfile) { struct sockaddr_un remote; memset(&remote, 0, sizeof(struct sockaddr_un)); remote.sun_family = AF_UNIX; - strcpy(remote.sun_path, sockfile); + strncpy(remote.sun_path, sockfile, sizeof(remote.sun_path)); int len = strlen(remote.sun_path) + sizeof(remote.sun_family); if (*sockfile == '@') remote.sun_path[0] = '\0'; 
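Review bot: The `strncpy(remote.sun_path, sockfile, sizeof(remote.sun_path));` in check_unix does not NUL-terminate when sockfile is as long as or longer than sun_path, and the very next line calls `strlen(remote.sun_path)`, which would then read past the array; the previous `strcpy` overflowed, the new code replaces that with an unterminated buffer. Check `strlen(sockfile) >= sizeof(remote.sun_path)` before the copy and return the function's failure value in that case; after that guard a plain `strcpy(remote.sun_path, sockfile);` is safe and keeps the later `strlen` well-defined. check_unix starts and ends outside the hunk.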
diff --git a/src/faudit/pid.c b/src/faudit/pid.c index a0fb1d921..84b23fe0a 100644 --- a/src/faudit/pid.c +++ b/src/faudit/pid.c @@ -46,7 +46,6 @@ void pid_test(void) { /* coverity[toctou] */ FILE *fp = fopen(fname, "r"); if (!fp) { -// fprintf(stderr, "Warning: cannot open %s\n", fname); free(fname); continue; } @@ -54,7 +53,6 @@ void pid_test(void) { // read file char buf[100]; if (fgets(buf, 10, fp) == NULL) { -// fprintf(stderr, "Warning: cannot read %s\n", fname); fclose(fp); free(fname); continue; diff --git a/src/firecfg/main.c b/src/firecfg/main.c index d2566ce22..15ee78384 100644 --- a/src/firecfg/main.c +++ b/src/firecfg/main.c @@ -342,6 +342,7 @@ static void fix_desktop_files(void) { if (stat(filename, &sb) == -1) errExit("stat"); + /* coverity[toctou] */ int fd = open(filename, O_RDONLY); if (fd == -1) errExit("open"); diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index 6a9ca1679..0d1f8cb4d 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c @@ -51,6 +51,7 @@ void appimage_set(const char *appimage) { printf("AppImage ELF size %lu\n", size); // open appimage file + /* coverity[toctou] */ int ffd = open(appimage, O_RDONLY|O_CLOEXEC); if (ffd == -1) { fprintf(stderr, "Error: cannot open AppImage file\n"); @@ -74,6 +75,10 @@ void appimage_set(const char *appimage) { errExit("asprintf"); int lfd = open(devloop, O_RDONLY); + if (lfd == -1) { + fprintf(stderr, "Error: cannot open %s\n", devloop); + exit(1); + } if (ioctl(lfd, LOOP_SET_FD, ffd) == -1) { fprintf(stderr, "Error: cannot configure the loopback device\n"); exit(1); @@ -118,7 +123,7 @@ void appimage_set(const char *appimage) { EUID_USER(); // set environment - if (appimage && setenv("APPIMAGE", appimage, 1) < 0) + if (setenv("APPIMAGE", appimage, 1) < 0) errExit("setenv"); if (mntdir && setenv("APPDIR", mntdir, 1) < 0) errExit("setenv"); 
@@ -170,8 +175,10 @@ void appimage_clear(void) { if (devloop) { int lfd = open(devloop, O_RDONLY); - rv = ioctl(lfd, LOOP_CLR_FD, 0); - (void) rv; - close(lfd); + if (lfd != -1) { + rv = ioctl(lfd, LOOP_CLR_FD, 0); + (void) rv; + close(lfd); + } } } diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 963d95bed..974fbb8a3 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -32,6 +32,7 @@ char *netfilter_default = NULL; int checkcfg(int val) { assert(val < CFG_MAX); int line = 0; + FILE *fp = NULL; if (!initialized) { // initialize defaults @@ -47,7 +48,7 @@ int checkcfg(int val) { if (asprintf(&fname, "%s/firejail.config", SYSCONFDIR) == -1) errExit("asprintf"); - FILE *fp = fopen(fname, "r"); + fp = fopen(fname, "r"); if (!fp) { #ifdef HAVE_GLOBALCFG fprintf(stderr, "Error: Firejail configuration file %s not found\n", fname); @@ -285,6 +286,8 @@ int checkcfg(int val) { return cfg_val[val]; errout: + if (fp) + fclose(fp); fprintf(stderr, "Error: invalid line %d in firejail configuration file\n", line ); exit(1); } diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 6f9b5a60c..9a2f4facc 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -717,6 +717,7 @@ void fs_overlayfs(void) { } } else { + /* coverity[toctou] */ if (mkdir(basedir, 0755) != 0) { fprintf(stderr, "Error: cannot create overlay directory\n"); exit(1); diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index 421df717d..7c56d524e 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c @@ -59,6 +59,7 @@ static char *check_dir_or_file(const char *name) { if (stat(fname, &s) == 0 && !S_ISDIR(s.st_mode)) { // do not allow directories // check symlink to firejail executable in /usr/local/bin if (strcmp(paths[i], "/usr/local/bin") == 0 && is_link(fname)) { + /* coverity[toctou] */ char *actual_path = realpath(fname, NULL); if (actual_path) { char *ptr = strstr(actual_path, "/firejail"); 
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 1f8da398e..0872bf0d0 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c @@ -137,6 +137,7 @@ static int store_asoundrc(void) { if (stat(src, &s) == 0) { if (is_link(src)) { // make sure the real path of the file is inside the home directory + /* coverity[toctou] */ char* rp = realpath(src, NULL); if (!rp) { fprintf(stderr, "Error: Cannot access %s\n", src); diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c index dcf06fc6f..b2e1b4a99 100644 --- a/src/firejail/fs_hostname.c +++ b/src/firejail/fs_hostname.c @@ -52,8 +52,10 @@ void fs_hostname(const char *hostname) { goto errexit; FILE *fp2 = fopen(RUN_HOSTS_FILE, "w"); - if (!fp2) + if (!fp2) { + fclose(fp1); goto errexit; + } char buf[4096]; int done = 0; diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c index 6bcb3f33e..5b6ceae90 100644 --- a/src/firejail/fs_mkdir.c +++ b/src/firejail/fs_mkdir.c @@ -37,6 +37,7 @@ static void mkdir_recursive(char *path) { subdir = strtok(path, "/"); while(subdir) { if (stat(subdir, &s) == -1) { + /* coverity[toctou] */ if (mkdir(subdir, 0700) == -1) { fprintf(stderr, "Warning: cannot create %s directory\n", subdir); return; @@ -118,6 +119,7 @@ void fs_mkfile(const char *name) { // drop privileges drop_privs(0); + /* coverity[toctou] */ FILE *fp = fopen(expanded, "w"); if (!fp) fprintf(stderr, "Warning: cannot create %s file\n", expanded); diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index ca50685ad..2aa4a1b54 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c 
@@ -128,16 +128,18 @@ void fs_var_log(void) { // create an empty /var/log/wtmp file /* coverity[toctou] */ FILE *fp = fopen("/var/log/wtmp", "w"); - SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH); - if (fp) + if (fp) { + SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH); fclose(fp); + } fs_logger("touch /var/log/wtmp"); // create an empty /var/log/btmp file fp = fopen("/var/log/btmp", "w"); - SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP); - if (fp) + if (fp) { + SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP); fclose(fp); + } fs_logger("touch /var/log/btmp"); } else diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 564dc8290..7b32021be 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c @@ -350,6 +350,8 @@ void fs_whitelist(void) { } // replace ~/ or ${HOME} into /home/username +// if (new_name) +// free(new_name); new_name = expand_home(entry->data + 10, cfg.homedir); assert(new_name); if (arg_debug) diff --git a/src/firejail/ls.c b/src/firejail/ls.c index 5444ad9c2..4b4ae1de2 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c @@ -259,6 +259,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { drop_privs(0); // check access + /* coverity[toctou] */ if (access(fname1, R_OK) == -1) { fprintf(stderr, "Error: Cannot access %s\n", fname1); exit(1); @@ -392,6 +393,10 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { // create a user-owned temporary file in /run/firejail directory char tmp_fname[] = "/run/firejail/tmpget-XXXXXX"; int fd = mkstemp(tmp_fname); + if (fd == -1) { + fprintf(stderr, "Error: cannot create temporary file %s\n", tmp_fname); + exit(1); + } SET_PERMS_FD(fd, getuid(), getgid(), 0600); close(fd); diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c index 1df4b7a0f..0136ab1f8 100644 
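Review bot: The two lines added in fs_whitelist are commented-out code (`// if (new_name)` / `// free(new_name);`), which explains nothing and will drift from the code around it. If expand_home allocates a fresh string on every loop iteration, the previous new_name is leaked here and the free should be enabled; if it was disabled because new_name is still referenced elsewhere, a one-line comment saying so is better than dead code. fs_whitelist starts and ends outside the hunk.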
--- a/src/firejail/netfilter.c +++ b/src/firejail/netfilter.c @@ -69,31 +69,33 @@ void netfilter(const char *fname) { if (netfilter_default) fname = netfilter_default; if (fname) { - // buffer the filter - struct stat s; - if (stat(fname, &s) == -1) { - fprintf(stderr, "Error: cannot find network filter file %s\n", fname); - exit(1); - } - - filter = malloc(s.st_size + 1); // + '\0' - if (!filter) - errExit("malloc"); - memset(filter, 0, s.st_size + 1); - - /* coverity[toctou] */ - FILE *fp = fopen(fname, "r"); - if (!fp) { - fprintf(stderr, "Error: cannot open network filter file %s\n", fname); - exit(1); - } - - size_t sz = fread(filter, 1, s.st_size, fp); - if ((off_t)sz != s.st_size) { - fprintf(stderr, "Error: cannot read network filter file %s\n", fname); - exit(1); + assert(fname); + + // open filter file + int fd = open(fname, O_RDONLY); + if (fd == -1) + goto errexit; + int size = lseek(fd, 0, SEEK_END); + if (size == -1) + goto errexit; + if (lseek(fd, 0 , SEEK_SET) == -1) + goto errexit; + + // read filter + filter = malloc(size + 1); // + '\0' + if (filter == NULL) + goto errexit; + memset(&filter[0], 0, sizeof(filter)); + int rd = 0; + while (rd < size) { + int rv = read(fd, (unsigned char *) filter + rd, size - rd); + if (rv == -1) + goto errexit; + rd += rv; } - fclose(fp); + + // close file + close(fd); allocated = 1; } @@ -178,6 +180,11 @@ doexit: if (allocated) free(filter); + return; + +errexit: + fprintf(stderr, "Error: cannot read network filter %s\n", fname); + exit(1); } void netfilter6(const char *fname) { 
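Review bot: `memset(&filter[0], 0, sizeof(filter));` in the rewritten netfilter zeroes sizeof(char *) bytes, not `size + 1`, so after the read loop `filter[size]` is never written and the buffer is not NUL-terminated for whatever later treats it as a string; it should be `memset(filter, 0, size + 1);` (or `filter[size] = '\0';` after the loop). The read loop also treats a zero return as progress: if the file is shorter than the lseek result (it shrinks between the two calls), `rd` never reaches `size` and the loop spins, so the check should be `if (rv <= 0) goto errexit;`. `int size = lseek(fd, 0, SEEK_END);` truncates an off_t, and the `assert(fname)` inside `if (fname)` is redundant. The same three issues are present in the netfilter6 rewrite in the next hunk.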
@@ -186,38 +193,38 @@ void netfilter6(const char *fname) {
 char *filter;
- // buffer the filter
- struct stat s;
- if (stat(fname, &s) == -1) {
- fprintf(stderr, "Error: cannot find network filter file %s\n", fname);
- exit(1);
- }
-
- filter = malloc(s.st_size + 1); // + '\0'
- if (!filter)
- errExit("malloc");
- memset(filter, 0, s.st_size + 1);
-
- /* coverity[toctou] */
- FILE *fp = fopen(fname, "r");
- if (!fp) {
- fprintf(stderr, "Error: cannot open network filter file %s\n", fname);
- exit(1);
- }
-
- size_t sz = fread(filter, 1, s.st_size, fp);
- if ((off_t)sz != s.st_size) {
- fprintf(stderr, "Error: cannot read network filter file %s\n", fname);
- exit(1);
+ // open filter file
+ int fd = open(fname, O_RDONLY);
+ if (fd == -1)
+ goto errexit;
+ int size = lseek(fd, 0, SEEK_END);
+ if (size == -1)
+ goto errexit;
+ if (lseek(fd, 0 , SEEK_SET) == -1)
+ goto errexit;
+
+ // read filter
+ filter = malloc(size + 1); // + '\0'
+ if (filter == NULL)
+ goto errexit;
+ memset(&filter[0], 0, sizeof(filter));
+ int rd = 0;
+ while (rd < size) {
+ int rv = read(fd, (unsigned char *) filter + rd, size - rd);
+ if (rv == -1)
+ goto errexit;
+ rd += rv;
 }
- fclose(fp);
+
+ // close file
+ close(fd);
 // temporarily mount a tempfs on top of /tmp directory
 if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 errExit("mounting /tmp");
 // create the filter file
- fp = fopen("/tmp/netfilter6", "w");
+ FILE *fp = fopen("/tmp/netfilter6", "w");
 if (!fp) {
 fprintf(stderr, "Error: cannot open /tmp/netfilter6 file\n");
 exit(1);
@@ -228,6 +235,7 @@ void netfilter6(const char *fname) {
 // find iptables command
 char *ip6tables = NULL;
 char *ip6tables_restore = NULL;
+ struct stat s;
 if (stat("/sbin/ip6tables", &s) == 0) {
 ip6tables = "/sbin/ip6tables";
 ip6tables_restore = "/sbin/ip6tables-restore";
@@ -284,4 +292,9 @@ doexit:
 // unmount /tmp
 umount("/tmp");
 free(filter);
+ return;
+
+errexit:
+ fprintf(stderr, "Error: cannot read network filter %s\n", fname);
+ exit(1);
 }
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index aae490c34..8af555ea2 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -232,7 +232,7 @@ void run_no_sandbox(int argc, char **argv) {
 // use $SHELL to get shell used in sandbox
 if (!arg_shell_none && !cfg.shell) {
 char *shell = getenv("SHELL");
- if (access(shell, R_OK) == 0)
+ if (shell && access(shell, R_OK) == 0)
 cfg.shell = shell;
 }
 // guess shell otherwise
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 694509511..9acb1b813 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -990,6 +990,7 @@ void profile_read(const char *fname) {
 // process quiet
 if (strcmp(ptr, "quiet") == 0) {
 arg_quiet = 1;
+ free(ptr);
 continue;
 }
 if (!msg_printed) {
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index 6ec590eaa..f890dd534 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -137,6 +137,7 @@ void pulseaudio_init(void) {
 if (asprintf(&dir1, "%s/.config/pulse", cfg.homedir) == -1)
 errExit("asprintf");
 if (stat(dir1, &s) == -1) {
+ /* coverity[toctou] */
 int rv = mkdir(dir1, 0700);
 if (rv == 0) {
 if (set_perms(dir1, getuid(), getgid(), 0700))
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c
index 8aa2fe53f..a4dce405d 100644
--- a/src/firejail/run_symlink.c
+++ b/src/firejail/run_symlink.c
@@ -59,6 +59,7 @@ void run_symlink(int argc, char **argv) {
 struct stat s;
 if (stat(name, &s) == 0) {
+ /* coverity[toctou] */
 char* rp = realpath(name, NULL);
 if (!rp)
 errExit("realpath");
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index 430ffb86e..dbfdd445a 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
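Review bot: The added NULL guard on `shell` is the right fix for an unset $SHELL, but the value is only tested for readability even though the comment says it is the shell to be run in the sandbox; `if (shell && access(shell, X_OK) == 0)` is the check that matches that use, and a non-executable path would then fall through to the "guess shell otherwise" branch the context shows. Since $SHELL comes from the caller's environment, it may also be worth noting in a comment that this is untrusted input and that the fallback below covers the rejected case. run_no_sandbox's body continues outside the hunk.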
@@ -150,6 +150,7 @@ int sbox_run(unsigned filter, int num, ...) {
 }
 else // the user could run the sandbox without /dev/null
 close(STDIN_FILENO);
+ close(fd);
 }
 umask(027);
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 03f52fabb..c3e00a110 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -683,11 +683,12 @@ int remove_directory(const char *path) {
 void flush_stdin(void) {
 if (isatty(STDIN_FILENO)) {
 int cnt = 0;
- ioctl(STDIN_FILENO, FIONREAD, &cnt);
- if (cnt) {
+ int rv = ioctl(STDIN_FILENO, FIONREAD, &cnt);
+ if (rv == 0 && cnt) {
 if (!arg_quiet)
 printf("Warning: removing %d bytes from stdin\n", cnt);
- ioctl(STDIN_FILENO, TCFLSH, TCIFLUSH);
+ rv = ioctl(STDIN_FILENO, TCFLSH, TCIFLUSH);
+ (void) rv;
 }
 }
 }
@@ -700,6 +701,7 @@ void create_empty_dir_as_root(const char *dir, mode_t mode) {
 if (stat(dir, &s)) {
 if (arg_debug)
 printf("Creating empty %s directory\n", dir);
+ /* coverity[toctou] */
 if (mkdir(dir, mode) == -1)
 errExit("mkdir");
 if (set_perms(dir, 0, 0, mode))
@@ -717,6 +719,7 @@ void create_empty_file_as_root(const char *fname, mode_t mode) {
 if (arg_debug)
 printf("Creating empty %s file\n", fname);
+ /* coverity[toctou] */
 FILE *fp = fopen(fname, "w");
 if (!fp)
 errExit("fopen");
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 9da6d3e30..807f2d5f0 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -151,6 +151,7 @@ void fs_x11(void) {
 fs_logger("tmpfs /tmp/.X11-unix");
 // create an empty file
+ /* coverity[toctou] */
 FILE *fp = fopen(x11file, "w");
 if (!fp) {
 fprintf(stderr, "Error: cannot create empty file in x11 directory\n");
diff --git a/src/fseccomp/seccomp_print.c b/src/fseccomp/seccomp_print.c
index 7dc983b12..af240307c 100644
--- a/src/fseccomp/seccomp_print.c
+++ b/src/fseccomp/seccomp_print.c
@@ -26,35 +26,41 @@ static int filter_cnt = 0; static void load_seccomp(const char *fname) { assert(fname); + + // open filter file + int fd = open(fname, O_RDONLY); + if (fd == -1) + goto errexit; - // check file - struct stat s; - if (stat(fname, &s) == -1) { - fprintf(stderr, "Error fseccomp: cannot read protocol filter file\n"); - exit(1); - } - int size = s.st_size; + // calculate the number of entries + int size = lseek(fd, 0, SEEK_END); + if (size == -1) + goto errexit; + if (lseek(fd, 0 , SEEK_SET) == -1) + goto errexit; unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter); filter_cnt = entries; -//printf("size %d, entries %d\n", s.st_size, entries); - - filter = malloc(sizeof(struct sock_filter) * entries); - if (!filter) - errExit("malloc"); - + // read filter - memset(filter, 0, sizeof(struct sock_filter) * entries); - int src = open(fname, O_RDONLY); + filter = malloc(size); + if (filter == NULL) + goto errexit; + memset(&filter[0], 0, sizeof(filter)); int rd = 0; while (rd < size) { - int rv = read(src, (unsigned char *) filter + rd, size - rd); - if (rv == -1) { - fprintf(stderr, "Error fseccomp: cannot read %s file\n", fname); - exit(1); - } + int rv = read(fd, (unsigned char *) filter + rd, size - rd); + if (rv == -1) + goto errexit; rd += rv; } - close(src); + + // close file + close(fd); + return; + +errexit: + fprintf(stderr, "Error fseccomp: cannot read %s\n", fname); + exit(1); } // debug filter diff --git a/src/lib/common.c b/src/lib/common.c index add4ff087..3f66fa72a 100644 --- a/src/lib/common.c +++ b/src/lib/common.c @@ -203,6 +203,8 @@ char *pid_proc_cmdline(const pid_t pid) { int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid) { // if comm is not firejail return 0 char *comm = pid_proc_comm(pid); + if (comm == NULL) + return 0; if (strcmp(comm, "firejail") != 0) { free(comm); return 0; diff --git a/src/libtracelog/libtracelog.c b/src/libtracelog/libtracelog.c index ca496d41c..90fe726de 100644 
--- a/src/libtracelog/libtracelog.c +++ b/src/libtracelog/libtracelog.c @@ -191,7 +191,7 @@ static void load_blacklist(void) { char *ptr = strchr(buf, '\n'); if (ptr) *ptr = '\0'; - if (sandbox_name_str == NULL); + if (sandbox_name_str == NULL) sandbox_name_str = strdup(buf + 14); } else if (strncmp(buf, "blacklist ", 10) == 0) { diff --git a/todo b/todo index e18ef3e34..253704fcf 100644 --- a/todo +++ b/todo @@ -286,6 +286,4 @@ removable media, partitions, software RAID volumes, logical volumes, and files. 29. grsecurity - move test after "firejail --name=blablabla" in /test/apps* -30. /* coverity[toctou] */ -31. test dillo, sandbox.c:240 -- cgit v1.2.3-70-g09d2 From ae52d274c79ef5e9719940e4d76d8bd9c9b0a2d4 Mon Sep 17 00:00:00 2001 From: Fred Barclay Date: Sun, 27 Nov 2016 15:12:37 -0600 Subject: Cryptocat profile --- etc/Cryptocat.profile | 20 ++++++++++++++++++++ etc/cryptocat.profile | 1 + 2 files changed, 21 insertions(+) create mode 100644 etc/Cryptocat.profile create mode 100644 etc/cryptocat.profile (limited to 'etc') diff --git a/etc/Cryptocat.profile b/etc/Cryptocat.profile new file mode 100644 index 000000000..3db34c03c --- /dev/null +++ b/etc/Cryptocat.profile @@ -0,0 +1,20 @@ +# Firejail profile for +noblacklist ${HOME}/.config/Cryptocat + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +nosound +protocol unix,inet,inet6,netlink +seccomp +shell none + +private-dev +private-tmp diff --git a/etc/cryptocat.profile b/etc/cryptocat.profile new file mode 100644 index 000000000..0d392b272 --- /dev/null +++ b/etc/cryptocat.profile @@ -0,0 +1 @@ +include /etc/Cryptocat.profile -- cgit v1.2.3-70-g09d2 From cdc413f256f692a877623f059e67e3a2bbacfad6 Mon Sep 17 00:00:00 2001 
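Review bot: The header of the new etc/Cryptocat.profile is cut off at `# Firejail profile for` and never names the program; every other profile on this page names its target, so this should read `# Firejail profile for Cryptocat`. The single-line etc/cryptocat.profile that includes it could also carry a one-line comment saying it exists only to match the lower-case binary name, since that is the only reason for the second file.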
From: Fred Barclay Date: Sun, 27 Nov 2016 15:22:02 -0600 Subject: extra Cryptocat files --- README | 1 + README.md | 2 +- RELNOTES | 3 ++- etc/disable-programs.inc | 1 + platform/debian/conffiles | 1 + src/firecfg/firecfg.config | 1 + 6 files changed, 7 insertions(+), 2 deletions(-) (limited to 'etc') diff --git a/README b/README index 4d09a0a2c..5308ab022 100644 --- a/README +++ b/README @@ -81,6 +81,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - tightened Spotify profile - added xiphos and Tor Browser Bundle profiles - added xed and pluma profiles + - added Cryptocat profile valoq (https://github.com/valoq) - lots of profile fixes - added support for /srv in --whitelist feature diff --git a/README.md b/README.md index 7fc552f1e..981582ebf 100644 --- a/README.md +++ b/README.md @@ -61,4 +61,4 @@ amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, enchant, exifto gjs, gnome-books, gnome-clocks, gnome-documents, gnome-maps, gnome-music, gnome-photos, gnome-weather, goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, w3m, xfburn, xpra, wget, -xed, pluma +xed, pluma, Cryptocat diff --git a/RELNOTES b/RELNOTES index c5872f676..d20326121 100644 --- a/RELNOTES +++ b/RELNOTES @@ -10,7 +10,8 @@ firejail (0.9.45) baseline; urgency=low * feature: AppImage type 2 support * feature: test coverage (gcov) support * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, - * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma + * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, + * new profiles: Cryptocat * bugfixes -- netblue30 Sun, 23 Oct 2016 08:00:00 -0500 diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 1ac926e3f..76a4c4607 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc 
@@ -110,6 +110,7 @@ blacklist ${HOME}/.cache/gajim blacklist ${HOME}/.local/share/gajim blacklist ${HOME}/.config/gajim blacklist ${HOME}/.config/Wire +blacklist ${HOME}/.config/Cryptocat # Games blacklist ${HOME}/.hedgewars diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 5776f3889..4dcbc28f6 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -27,6 +27,7 @@ /etc/firejail/conkeror.profile /etc/firejail/corebird.profile /etc/firejail/cpio.profile +/etc/firejail/Cryptocat.profile /etc/firejail/cyberfox.profile /etc/firejail/deadbeef.profile /etc/firejail/default.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 764e9e501..40dda07ff 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -61,6 +61,7 @@ w3m # chat/messaging bitlbee corebird +# Cryptocat is added but commented since isn't installed to a */bin... keep an eye on this empathy gitter hexchat -- cgit v1.2.3-70-g09d2 From 69009709796704a6d67827758be8b382672cf8f2 Mon Sep 17 00:00:00 2001 
From: Tad Date: Tue, 29 Nov 2016 06:47:23 -0500 Subject: Add 10 new profiles Added profiles for Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos, and Xonotic --- etc/bless.profile | 20 ++++++++++++++++++++ etc/disable-programs.inc | 7 +++++++ etc/gnome-2048.profile | 25 +++++++++++++++++++++++++ etc/gnome-calculator.profile | 19 +++++++++++++++++++ etc/gnome-contacts.profile | 19 +++++++++++++++++++ etc/jd-gui.profile | 19 +++++++++++++++++++ etc/lollypop.profile | 20 ++++++++++++++++++++ etc/multimc5.profile | 27 +++++++++++++++++++++++++++ etc/pdfsam.profile | 17 +++++++++++++++++ etc/pithos.profile | 19 +++++++++++++++++++ etc/xonotic-glx.profile | 5 +++++ etc/xonotic-sdl.profile | 5 +++++ etc/xonotic.profile | 25 +++++++++++++++++++++++++ 13 files changed, 227 insertions(+) create mode 100644 etc/bless.profile create mode 100644 etc/gnome-2048.profile create mode 100644 etc/gnome-calculator.profile create mode 100644 etc/gnome-contacts.profile create mode 100644 etc/jd-gui.profile create mode 100644 etc/lollypop.profile create mode 100644 etc/multimc5.profile create mode 100644 etc/pdfsam.profile create mode 100644 etc/pithos.profile create mode 100644 etc/xonotic-glx.profile create mode 100644 etc/xonotic-sdl.profile create mode 100644 etc/xonotic.profile (limited to 'etc') diff --git a/etc/bless.profile b/etc/bless.profile new file mode 100644 index 000000000..752edadf7 --- /dev/null +++ b/etc/bless.profile @@ -0,0 +1,20 @@ +# +#Profile for bless +# + +#No Blacklist Paths +noblacklist ${HOME}/.config/bless + +#Blacklist Paths +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-devel.inc + +#Options +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 76a4c4607..f46274545 100644 --- a/etc/disable-programs.inc 
+++ b/etc/disable-programs.inc @@ -10,6 +10,7 @@ blacklist ${HOME}/.stellarium blacklist ${HOME}/.sword blacklist ${HOME}/.xiphos blacklist ${HOME}/.config/Atom +blacklist ${HOME}/.config/bless blacklist ${HOME}/.config/gthumb blacklist ${HOME}/.config/mupen64plus blacklist ${HOME}/.config/transmission @@ -44,6 +45,7 @@ blacklist ${HOME}/.openshot_qt blacklist ${HOME}/.flowblade blacklist ${HOME}/.config/flowblade blacklist ${HOME}/.config/eog +blacklist ${HOME}/.config/jd-gui.cfg # Media players @@ -56,6 +58,7 @@ blacklist ${HOME}/.config/totem blacklist ${HOME}/.config/xplayer blacklist ${HOME}/.audacity-data blacklist ${HOME}/.guayadeque +blacklist ${HOME}/.local/share/lollypop # HTTP / FTP / Mail blacklist ${HOME}/.icedove @@ -119,6 +122,10 @@ blacklist ${HOME}/.config/wesnoth blacklist ${HOME}/.config/0ad blacklist ${HOME}/.warzone2100-3.1 blacklist ${HOME}/.dosbox +blacklist ${HOME}/.local/share/gnome-2048 +blacklist ${HOME}/.local/share/multimc5 +blacklist ${HOME}/.multimc5 +blacklist ${HOME}/.xonotic # Cryptocoins blacklist ${HOME}/.*coin diff --git a/etc/gnome-2048.profile b/etc/gnome-2048.profile new file mode 100644 index 000000000..f9982da61 --- /dev/null +++ b/etc/gnome-2048.profile @@ -0,0 +1,25 @@ +# +#Profile for gnome-2048 +# + +#No Blacklist Paths +noblacklist ${HOME}/.local/share/gnome-2048 + +#Blacklist Paths +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-devel.inc + +#Whitelist Paths +mkdir ${HOME}/.local/share/gnome-2048 +whitelist ${HOME}/.local/share/gnome-2048 +include /etc/firejail/whitelist-common.inc + +#Options +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile new file mode 100644 index 000000000..49e068171 --- /dev/null +++ b/etc/gnome-calculator.profile 
@@ -0,0 +1,19 @@ +# +#Profile for gnome-calculator +# + +#Blacklist Paths +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-devel.inc + +include /etc/firejail/whitelist-common.inc + +#Options +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/gnome-contacts.profile b/etc/gnome-contacts.profile new file mode 100644 index 000000000..9dc25b26c --- /dev/null +++ b/etc/gnome-contacts.profile @@ -0,0 +1,19 @@ +# +#Profile for gnome-contacts +# + +#Blacklist Paths +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-devel.inc + +include /etc/firejail/whitelist-common.inc + +#Options +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile new file mode 100644 index 000000000..1d6eb41f8 --- /dev/null +++ b/etc/jd-gui.profile @@ -0,0 +1,19 @@ +# +#Profile for jd-gui +# + +noblacklist ${HOME}/.config/jd-gui.cfg + +#Blacklist Paths +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-devel.inc + +#Options +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/lollypop.profile b/etc/lollypop.profile new file mode 100644 index 000000000..41a662bca --- /dev/null +++ b/etc/lollypop.profile @@ -0,0 +1,20 @@ +# +#Profile for lollypop +# + +#No Blacklist Paths +noblacklist ${HOME}/.local/share/lollypop + +#Blacklist Paths +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-devel.inc + +#Options +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp 
diff --git a/etc/multimc5.profile b/etc/multimc5.profile new file mode 100644 index 000000000..cc310f294 --- /dev/null +++ b/etc/multimc5.profile @@ -0,0 +1,27 @@ +# +#Profile for multimc5 +# + +#No Blacklist Paths +noblacklist ${HOME}/.local/share/multimc5 +noblacklist ${HOME}/.multimc5 + +#Blacklist Paths +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-devel.inc + +#Whitelist Paths +mkdir ${HOME}/.local/share/multimc5 +whitelist ${HOME}/.local/share/multimc5 +mkdir ${HOME}/.multimc5 +whitelist ${HOME}/.multimc5 +include /etc/firejail/whitelist-common.inc + +#Options +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile new file mode 100644 index 000000000..6e50f37cf --- /dev/null +++ b/etc/pdfsam.profile @@ -0,0 +1,17 @@ +# +#Profile for pdfsam +# + +#Blacklist Paths +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-devel.inc + +#Options +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/pithos.profile b/etc/pithos.profile new file mode 100644 index 000000000..8270b8bee --- /dev/null +++ b/etc/pithos.profile @@ -0,0 +1,19 @@ +# +#Profile for pithos +# + +#Blacklist Paths +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-devel.inc + +include /etc/firejail/whitelist-common.inc + +#Options +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/xonotic-glx.profile b/etc/xonotic-glx.profile new file mode 100644 index 000000000..b255ffdbb --- /dev/null +++ b/etc/xonotic-glx.profile @@ -0,0 +1,5 @@ +# +#Profile for xonotic:xonotic-glx +# + +include /etc/firejail/xonotic.profile 
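Review bot: etc/multimc5.profile is the only one of the new profiles whose #Options block stops at `protocol unix,inet,inet6` without a closing `seccomp` line; bless, gnome-2048, jd-gui, lollypop, pdfsam, pithos and xonotic all end with `seccomp`, and the multimc5 hunk has no comment explaining the omission. If it is deliberate (for example because something the launcher runs needs a syscall the default filter blocks), say so in a comment next to the options; otherwise add `seccomp` as the final line so the profile gets the same syscall filtering as its siblings.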
diff --git a/etc/xonotic-sdl.profile b/etc/xonotic-sdl.profile new file mode 100644 index 000000000..783667304 --- /dev/null +++ b/etc/xonotic-sdl.profile @@ -0,0 +1,5 @@ +# +#Profile for xonotic:xonotic-sdl +# + +include /etc/firejail/xonotic.profile diff --git a/etc/xonotic.profile b/etc/xonotic.profile new file mode 100644 index 000000000..75d649619 --- /dev/null +++ b/etc/xonotic.profile @@ -0,0 +1,25 @@ +# +#Profile for xonotic +# + +#No Blacklist Paths +noblacklist ${HOME}/.xonotic + +#Blacklist Paths +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-devel.inc + +#Whitelist Paths +mkdir ${HOME}/.xonotic +whitelist ${HOME}/.xonotic +include /etc/firejail/whitelist-common.inc + +#Options +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp -- cgit v1.2.3-70-g09d2 From 422ab86d878bbc285d538703f6a7cc1a03ee4eae Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 29 Nov 2016 11:17:34 -0500 Subject: xpra fix --- etc/disable-common.inc | 2 +- src/firecfg/firecfg.config | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) (limited to 'etc') diff --git a/etc/disable-common.inc b/etc/disable-common.inc index f18b0d396..bc2f6869d 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -24,7 +24,7 @@ blacklist ${HOME}/.config/openbox/autostart blacklist ${HOME}/.config/openbox/environment blacklist ${HOME}/.gnomerc blacklist /etc/X11/Xsession.d/ -blacklist ${HOME}/.xpra +# blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs # VirtualBox blacklist ${HOME}/.VirtualBox diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 40dda07ff..47ba677fd 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -201,7 +201,6 @@ ssh tracker xiphos xed -xpra # weather/climate aweather -- cgit v1.2.3-70-g09d2 
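Review bot: Commenting out `blacklist ${HOME}/.xpra` in etc/disable-common.inc removes that protection for every profile that includes the file, not just for sandboxes started with --x11=xpra, and the inline reason is written as a note rather than a directive. If the loss is accepted, a comment of the form `# ${HOME}/.xpra is left readable on purpose: blacklisting it breaks --x11=xpra for every program` would make the trade-off explicit; if not, exempting the directory only on the xpra code path would keep the default tighter, though whether the x11 option can do that is not visible from this hunk.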
From 5dd8b1f19e71534643ec560113f8c005a8ac2db2 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 29 Nov 2016 11:23:33 -0500 Subject: quiet fix --- etc/file.profile | 2 +- etc/git.profile | 2 +- etc/gzip.profile | 2 +- etc/strings.profile | 2 +- etc/tar.profile | 2 +- etc/unrar.profile | 2 +- etc/unzip.profile | 2 +- etc/uudeview.profile | 2 +- etc/xzdec.profile | 2 +- src/firejail/run_symlink.c | 2 -- 10 files changed, 9 insertions(+), 11 deletions(-) (limited to 'etc') diff --git a/etc/file.profile b/etc/file.profile index f709e7f0c..d145fe12a 100644 --- a/etc/file.profile +++ b/etc/file.profile @@ -1,4 +1,5 @@ # file profile +quiet include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc @@ -16,7 +17,6 @@ protocol unix seccomp shell none tracelog -quiet x11 none blacklist /tmp/.X11-unix diff --git a/etc/git.profile b/etc/git.profile index edb59ce13..d60e58c03 100644 --- a/etc/git.profile +++ b/etc/git.profile @@ -1,4 +1,5 @@ # git profile +quiet noblacklist ~/.gitconfig noblacklist ~/.ssh noblacklist ~/.gnupg @@ -19,7 +20,6 @@ nonewprivs noroot nosound protocol unix,inet,inet6 -quiet seccomp shell none diff --git a/etc/gzip.profile b/etc/gzip.profile index d51b9a951..feb27c150 100644 --- a/etc/gzip.profile +++ b/etc/gzip.profile @@ -1,4 +1,5 @@ # gzip profile +quiet ignore noroot include /etc/firejail/default.profile @@ -7,7 +8,6 @@ blacklist /tmp/.X11-unix net none no3d nosound -quiet shell none tracelog diff --git a/etc/strings.profile b/etc/strings.profile index 7c464bf88..2b7724b11 100644 --- a/etc/strings.profile +++ b/etc/strings.profile @@ -1,10 +1,10 @@ # strings profile +quiet ignore noroot include /etc/firejail/default.profile net none nosound -quiet shell none tracelog diff --git a/etc/tar.profile b/etc/tar.profile index 91fdaf48d..3addb02fb 100644 --- a/etc/tar.profile +++ b/etc/tar.profile @@ -1,4 +1,5 @@ # tar profile +quiet ignore noroot include /etc/firejail/default.profile 
@@ -8,7 +9,6 @@ hostname tar net none no3d nosound -quiet shell none tracelog diff --git a/etc/unrar.profile b/etc/unrar.profile index 0700cafe9..bde6f4e22 100644 --- a/etc/unrar.profile +++ b/etc/unrar.profile @@ -1,4 +1,5 @@ # unrar profile +quiet ignore noroot include /etc/firejail/default.profile @@ -8,7 +9,6 @@ hostname unrar net none no3d nosound -quiet shell none tracelog diff --git a/etc/unzip.profile b/etc/unzip.profile index a43785795..8c10d11a0 100644 --- a/etc/unzip.profile +++ b/etc/unzip.profile @@ -1,4 +1,5 @@ # unzip profile +quiet ignore noroot include /etc/firejail/default.profile blacklist /tmp/.X11-unix @@ -7,7 +8,6 @@ hostname unzip net none no3d nosound -quiet shell none tracelog diff --git a/etc/uudeview.profile b/etc/uudeview.profile index 5ba0896ab..d5b750a13 100644 --- a/etc/uudeview.profile +++ b/etc/uudeview.profile @@ -1,4 +1,5 @@ # uudeview profile +quiet ignore noroot include /etc/firejail/default.profile @@ -7,7 +8,6 @@ blacklist /etc hostname uudeview net none nosound -quiet shell none tracelog diff --git a/etc/xzdec.profile b/etc/xzdec.profile index 04f98cef6..6164e3200 100644 --- a/etc/xzdec.profile +++ b/etc/xzdec.profile @@ -1,4 +1,5 @@ # xzdec profile +quiet ignore noroot include /etc/firejail/default.profile @@ -7,7 +8,6 @@ blacklist /tmp/.X11-unix net none no3d nosound -quiet shell none tracelog diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c index a4dce405d..753c50208 100644 --- a/src/firejail/run_symlink.c +++ b/src/firejail/run_symlink.c @@ -90,8 +90,6 @@ void run_symlink(int argc, char **argv) { if (asprintf(&firejail, "%s/bin/firejail", PREFIX) == -1) errExit("asprintf"); - printf("Redirecting symlink to %s\n", program); - // drop privileges if (setgid(getgid()) < 0) errExit("setgid/getgid"); -- cgit v1.2.3-70-g09d2 From 1a944eae59bf61c6f59be0f10e1865749842d38e Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Tue, 29 Nov 2016 14:29:20 -0500 Subject: fixes --- etc/wget.profile | 1 + src/firecfg/firecfg.config | 17 ----------------- 2 files changed, 1 insertion(+), 17 deletions(-) (limited to 'etc') diff --git a/etc/wget.profile b/etc/wget.profile index ad2b03b33..d9bca2acc 100644 --- a/etc/wget.profile +++ b/etc/wget.profile @@ -1,4 +1,5 @@ # wget profile +quiet include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 47ba677fd..369abdc20 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -17,7 +17,6 @@ transmission-qt transmission-cli transmission-show uget-gtk -wget # browsers/email abrowser @@ -187,17 +186,11 @@ atom atom-beta gpa gpg -# don't run ssh-agent and gpg-agent with firejail by default -# this will break many processes using them in the background -# ssh-agent -# gpg-agent -git ranger keepass keepass2 keepassx pluma -ssh tracker xiphos xed @@ -211,13 +204,3 @@ ark atool file-roller -# when used by other processes in the background, it will break stuff -#7z -#cpio -#gtar -#gzip -#tar -#unrar -#unzip -#xz -#xzdec -- cgit v1.2.3-70-g09d2 From 11857ffe069ea49a02a8c3091cc4ad3f2d2b35e1 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 30 Nov 2016 12:28:57 +0100 Subject: gajim fix --- etc/gajim.profile | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'etc') diff --git a/etc/gajim.profile b/etc/gajim.profile index b030a68b4..eb60f858b 100644 --- a/etc/gajim.profile +++ b/etc/gajim.profile @@ -1,4 +1,8 @@ # Firejail profile for Gajim +noblacklist ${HOME}/.cache/gajim +noblacklist ${HOME}/.local/share/gajim +noblacklist ${HOME}/.config/gajim + mkdir ${HOME}/.cache/gajim mkdir ${HOME}/.local/share/gajim mkdir ${HOME}/.config/gajim @@ -29,4 +33,6 @@ seccomp shell none #private-bin python2.7 gajim +#private-etc fonts private-dev +#private-tmp -- cgit v1.2.3-70-g09d2 
From abc77414d8e1f864db6af55d46629f1e9f301f61 Mon Sep 17 00:00:00 2001 From: valoq Date: Thu, 1 Dec 2016 12:09:19 +0100 Subject: blacklisted various program files --- etc/disable-common.inc | 1 + etc/disable-passwdmgr.inc | 3 +++ etc/disable-programs.inc | 34 +++++++++++++++++++++++++++++++++- etc/evince.profile | 2 ++ etc/gnome-chess.profile | 2 +- 5 files changed, 40 insertions(+), 2 deletions(-) (limited to 'etc') diff --git a/etc/disable-common.inc b/etc/disable-common.inc index bc2f6869d..8886a0bc3 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -194,6 +194,7 @@ blacklist ${PATH}/roxterm-config blacklist ${PATH}/terminix blacklist ${PATH}/urxvtc blacklist ${PATH}/urxvtcd +blacklist ${PATH}/konsole # kernel files blacklist /vmlinuz* diff --git a/etc/disable-passwdmgr.inc b/etc/disable-passwdmgr.inc index 6db9073ab..045b4d92b 100644 --- a/etc/disable-passwdmgr.inc +++ b/etc/disable-passwdmgr.inc @@ -1,7 +1,10 @@ blacklist ${HOME}/.pki/nssdb blacklist ${HOME}/.lastpass blacklist ${HOME}/.keepassx +blacklist ${HOME}/.keepass blacklist ${HOME}/.password-store blacklist ${HOME}/keepassx.kdbx blacklist ${HOME}/.config/keepassx +blacklist ${HOME}/.config/keepass +blacklist ${HOME}/.config/KeePass diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 76a4c4607..f87053b7c 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc 
@@ -44,7 +44,27 @@ blacklist ${HOME}/.openshot_qt blacklist ${HOME}/.flowblade blacklist ${HOME}/.config/flowblade blacklist ${HOME}/.config/eog - +blacklist ${HOME}/.config/arkrc +blacklist ${HOME}/.config/atril +blacklist ${HOME}/.config/aweather +blacklist ${HOME}/.config/brasero +blacklist ${HOME}/.config/enchant +blacklist ${HOME}/.config/gedit +blacklist ${HOME}/.config/Cryptocat +blacklist ${HOME}/.config/dolphinrc +blacklist ${HOME}/.config/katerc +blacklist ${HOME}/.config/katepartrc +blacklist ${HOME}/.config/kateschemarc +blacklist ${HOME}/.config/katesyntaxhighlightingrc +blacklist ${HOME}/.config/katevirc +blacklist ${HOME}/.config/nautilus +blacklist ${HOME}/.config/xfburn +blacklist ${HOME}/.config/evince +blacklist ${HOME}/.emacs +blacklist ${HOME}/.emacs.d +blacklist ${HOME}/.claws-mail +blacklist ${HOME}/.config/ranger +blacklist ${HOME}/.qemu-launcher # Media players blacklist ${HOME}/.config/cmus @@ -56,6 +76,7 @@ blacklist ${HOME}/.config/totem blacklist ${HOME}/.config/xplayer blacklist ${HOME}/.audacity-data blacklist ${HOME}/.guayadeque +blacklist ${HOME}/.config/dragonplayerrc # HTTP / FTP / Mail blacklist ${HOME}/.icedove @@ -88,6 +109,8 @@ blacklist ${HOME}/.msmtprc blacklist ${HOME}/.config/evolution blacklist ${HOME}/.local/share/evolution blacklist ${HOME}/.cache/evolution +blacklist ${HOME}/.elinks +blacklist ${HOME}/.w3m # Instant Messaging blacklist ${HOME}/.config/hexchat @@ -110,6 +133,7 @@ blacklist ${HOME}/.cache/gajim blacklist ${HOME}/.local/share/gajim blacklist ${HOME}/.config/gajim blacklist ${HOME}/.config/Wire +blacklist ${HOME}/.config/wire blacklist ${HOME}/.config/Cryptocat # Games @@ -119,6 +143,7 @@ blacklist ${HOME}/.config/wesnoth blacklist ${HOME}/.config/0ad blacklist ${HOME}/.warzone2100-3.1 blacklist ${HOME}/.dosbox +blacklist ${HOME}/.local/share/gnome-chess # Cryptocoins blacklist ${HOME}/.*coin 
@@ -151,6 +176,9 @@ blacklist ${HOME}/.cache/0ad
 blacklist ${HOME}/.cache/8pecxstudios
 blacklist ${HOME}/.cache/xreader
 blacklist ${HOME}/.cache/Franz
+blacklist ${HOME}/.cache/simple-scan
+blacklist ${HOME}/.cache/libgweather
+blacklist ${HOME}/.cache/org.gnome.Books
 # share
 blacklist ${HOME}/.local/share/epiphany
@@ -166,6 +194,10 @@ blacklist ${HOME}/.local/share/pix
 blacklist ${HOME}/.local/share/gnome-chess
 blacklist ${HOME}/.local/share/qpdfview
 blacklist ${HOME}/.local/share/zathura
+blacklist ${HOME}/.local/share/gnome-music
+blacklist ${HOME}/.local/share/gnome-photos
+blacklist ${HOME}/.local/share/kate
+blacklist ${HOME}/.local/share/dolphin
 # ssh
 blacklist /tmp/ssh-*
diff --git a/etc/evince.profile b/etc/evince.profile
index 12ea358be..1ec384947 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -1,4 +1,6 @@
 # evince pdf reader profile
+noblacklist ~/.config/evince
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/gnome-chess.profile b/etc/gnome-chess.profile
index 297f7e6a9..4db485ea7 100644
--- a/etc/gnome-chess.profile
+++ b/etc/gnome-chess.profile
@@ -1,5 +1,5 @@
 # Firejail profile for gnome-chess
-noblacklist /.local/share/gnome-chess
+noblacklist ~/.local/share/gnome-chess
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
-- cgit v1.2.3-70-g09d2
From 5a066e991cb22635b6f7e51bfae009570bac7f72 Mon Sep 17 00:00:00 2001 From: valoq Date: Thu, 1 Dec 2016 14:36:45 +0100 Subject: added warning for dolphin --- etc/dolphin.profile | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'etc')
diff --git a/etc/dolphin.profile b/etc/dolphin.profile
index 1a6abb71d..09a86f811 100644
--- a/etc/dolphin.profile
+++ b/etc/dolphin.profile
@@ -1,9 +1,13 @@
 # dolphin profile
+
+# warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5
+
 noblacklist ~/.config/dolphinrc
 noblacklist ~/.local/share/dolphin
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
+# dolphin needs to be able to start arbitrary applications so we cannot blacklist their files
+#include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
-- cgit v1.2.3-70-g09d2
From 5c0f1b10f9324d5ab50dcdea99283ce8bdff3fe0 Mon Sep 17 00:00:00 2001 From: valoq Date: Thu, 1 Dec 2016 14:45:10 +0100 Subject: fixed ranger --- etc/ranger.profile | 1 + 1 file changed, 1 insertion(+) (limited to 'etc')
diff --git a/etc/ranger.profile b/etc/ranger.profile
index 323e64dee..3538f3eb2 100644
--- a/etc/ranger.profile
+++ b/etc/ranger.profile
@@ -3,6 +3,7 @@ noblacklist /usr/bin/perl
 #noblacklist /usr/bin/cpan*
 noblacklist /usr/share/perl*
 noblacklist /usr/lib/perl*
+noblacklist ~/.config/ranger
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
-- cgit v1.2.3-70-g09d2
From 4bfd6b8d93c957b676de6b3710da5b44190ec779 Mon Sep 17 00:00:00 2001 From: valoq Date: Fri, 2 Dec 2016 12:16:14 +0100 Subject: removed duplicates --- etc/disable-programs.inc | 4 ---- 1 file changed, 4 deletions(-) (limited to 'etc')
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 8d0d75d63..777e122a0 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
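Review bot: The new warning says firejail is not effectively constraining dolphin, but not what that means for the user's data: with `include /etc/firejail/disable-programs.inc` commented out, every directory that include protects — browser profiles, mail and chat data, `wallet.dat`, `.gitconfig` and so on — is readable and writable from inside the sandbox, and the two `noblacklist` lines that remain no longer exempt anything, since disable-programs.inc is the include that blacklists `~/.config/dolphinrc` and `~/.local/share/dolphin` (as far as this page shows). I would state that in the header so nobody assumes the profile still isolates application data, e.g. `# warning: disable-programs.inc is disabled below, so other applications' data (browser profiles, mail, wallets, ...) is fully accessible from this sandbox`. If the include is meant to return once the kdeinit5 issue is solved, a `# TODO: re-enable once dolphin no longer depends on kdeinit5-started services` next to the commented-out line would make that intent visible.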
@@ -47,12 +47,9 @@ blacklist ${HOME}/.config/flowblade
 blacklist ${HOME}/.config/eog
 blacklist ${HOME}/.config/jd-gui.cfg
 blacklist ${HOME}/.config/arkrc
-blacklist ${HOME}/.config/atril
-blacklist ${HOME}/.config/aweather
 blacklist ${HOME}/.config/brasero
 blacklist ${HOME}/.config/enchant
 blacklist ${HOME}/.config/gedit
-blacklist ${HOME}/.config/Cryptocat
 blacklist ${HOME}/.config/dolphinrc
 blacklist ${HOME}/.config/katerc
 blacklist ${HOME}/.config/katepartrc
@@ -198,7 +195,6 @@ blacklist ${HOME}/.local/share/xplayer
 blacklist ${HOME}/.local/share/totem
 blacklist ${HOME}/.local/share/psi+
 blacklist ${HOME}/.local/share/pix
-blacklist ${HOME}/.local/share/gnome-chess
 blacklist ${HOME}/.local/share/qpdfview
 blacklist ${HOME}/.local/share/zathura
 blacklist ${HOME}/.local/share/gnome-music
-- cgit v1.2.3-70-g09d2
From 6bf6d5ed51fa6f4247f10e83e85ca0b69650e389 Mon Sep 17 00:00:00 2001 From: valoq Date: Fri, 2 Dec 2016 12:58:48 +0100 Subject: updated program files --- etc/disable-programs.inc | 408 +++++++++++++++++++++++++++-------------------- 1 file changed, 235 insertions(+), 173 deletions(-) (limited to 'etc')
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 777e122a0..48701b520 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -1,206 +1,268 @@ -# various programs +blacklist ${HOME}/.*coin +blacklist ${HOME}/.8pecxstudios blacklist ${HOME}/.Atom -blacklist ${HOME}/.remmina -blacklist ${HOME}/.tconn blacklist ${HOME}/.FBReader -blacklist ${HOME}/.wine +blacklist ${HOME}/.LuminanceHDR blacklist ${HOME}/.Mathematica +blacklist ${HOME}/.Natron +blacklist ${HOME}/.Skype +blacklist ${HOME}/.TelegramDesktop +blacklist ${HOME}/.VirtualBox blacklist ${HOME}/.Wolfram Research -blacklist ${HOME}/.stellarium -blacklist ${HOME}/.sword -blacklist ${HOME}/.xiphos +blacklist ${HOME}/.arduino15 +blacklist ${HOME}/.atom +blacklist ${HOME}/.audacity-data +blacklist ${HOME}/.bcast5 +blacklist ${HOME}/.cache/0ad +blacklist ${HOME}/.cache/8pecxstudios +blacklist ${HOME}/.cache/Franz +blacklist ${HOME}/.cache/INRIA +blacklist ${HOME}/.cache/QuiteRss +blacklist ${HOME}/.cache/champlain +blacklist ${HOME}/.cache/chromium +blacklist ${HOME}/.cache/chromium-dev +blacklist ${HOME}/.cache/darktable +blacklist ${HOME}/.cache/epiphany +blacklist ${HOME}/.cache/evolution +blacklist ${HOME}/.cache/gajim +blacklist ${HOME}/.cache/google-chrome +blacklist ${HOME}/.cache/google-chrome-beta +blacklist ${HOME}/.cache/google-chrome-unstable +blacklist ${HOME}/.cache/icedove +blacklist ${HOME}/.cache/inox +blacklist ${HOME}/.cache/libgweather +blacklist ${HOME}/.cache/midori +blacklist ${HOME}/.cache/mozilla +blacklist ${HOME}/.cache/mutt +blacklist ${HOME}/.cache/netsurf +blacklist ${HOME}/.cache/opera +blacklist ${HOME}/.cache/opera-beta +blacklist ${HOME}/.cache/org.gnome.Books +blacklist ${HOME}/.cache/qutebrowser +blacklist ${HOME}/.cache/simple-scan +blacklist ${HOME}/.cache/slimjet +blacklist ${HOME}/.cache/spotify +blacklist ${HOME}/.cache/telepathy +blacklist ${HOME}/.cache/thunderbird +blacklist ${HOME}/.cache/torbrowser +blacklist ${HOME}/.cache/transmission +blacklist ${HOME}/.cache/vivaldi +blacklist ${HOME}/.cache/wesnoth +blacklist ${HOME}/.cache/xreader +blacklist ${HOME}/.claws-mail +blacklist 
${HOME}/.config/0ad blacklist ${HOME}/.config/Atom -blacklist ${HOME}/.config/bless -blacklist ${HOME}/.config/gthumb -blacklist ${HOME}/.config/mupen64plus -blacklist ${HOME}/.config/transmission -blacklist ${HOME}/.config/uGet +blacklist ${HOME}/.config/Brackets +blacklist ${HOME}/.config/Cryptocat +blacklist ${HOME}/.config/Franz +blacklist ${HOME}/.config/Gitter +blacklist ${HOME}/.config/Google blacklist ${HOME}/.config/Gpredict -blacklist ${HOME}/.config/aweather -blacklist ${HOME}/.config/stellarium -blacklist ${HOME}/.config/atril -blacklist ${HOME}/.config/xreader -blacklist ${HOME}/.config/xviewer -blacklist ${HOME}/.config/libreoffice -blacklist ${HOME}/.config/pix -blacklist ${HOME}/.config/mate/eom -blacklist ${HOME}/.config/xed -blacklist ${HOME}/.config/pluma -blacklist ${HOME}/.kde/share/apps/okular -blacklist ${HOME}/.kde/share/config/okularrc -blacklist ${HOME}/.kde/share/config/okularpartrc -blacklist ${HOME}/.kde/share/apps/gwenview -blacklist ${HOME}/.kde/share/config/gwenviewrc -blacklist ${HOME}/.config/qpdfview +blacklist ${HOME}/.config/INRIA blacklist ${HOME}/.config/Luminance -blacklist ${HOME}/.config/synfig -blacklist ${HOME}/.synfig -blacklist ${HOME}/.inkscape -blacklist ${HOME}/.gimp* -blacklist ${HOME}/.config/zathura -blacklist ${HOME}/.config/cherrytree -blacklist ${HOME}/.xpdfrc -blacklist ${HOME}/.openshot -blacklist ${HOME}/.openshot_qt -blacklist ${HOME}/.flowblade -blacklist ${HOME}/.config/flowblade -blacklist ${HOME}/.config/eog -blacklist ${HOME}/.config/jd-gui.cfg +blacklist ${HOME}/.config/Meltytech +blacklist ${HOME}/.config/Mumble +blacklist ${HOME}/.config/QuiteRss +blacklist ${HOME}/.config/QuiteRssrc +blacklist ${HOME}/.config/Slack +blacklist ${HOME}/.config/VirtualBox +blacklist ${HOME}/.config/Wire +blacklist ${HOME}/.config/ardour4 +blacklist ${HOME}/.config/ardour5 blacklist ${HOME}/.config/arkrc +blacklist ${HOME}/.config/atril +blacklist ${HOME}/.config/autostart +blacklist 
${HOME}/.config/autostart/dropbox.desktop +blacklist ${HOME}/.config/aweather +blacklist ${HOME}/.config/blender +blacklist ${HOME}/.config/bless blacklist ${HOME}/.config/brasero +blacklist ${HOME}/.config/brave +blacklist ${HOME}/.config/cherrytree +blacklist ${HOME}/.config/chromium +blacklist ${HOME}/.config/chromium-dev +blacklist ${HOME}/.config/chromium-flags.conf +blacklist ${HOME}/.config/cmus +blacklist ${HOME}/.config/darktable +blacklist ${HOME}/.config/deadbeef +blacklist ${HOME}/.config/dolphinrc +blacklist ${HOME}/.config/dragonplayerrc blacklist ${HOME}/.config/enchant +blacklist ${HOME}/.config/eog +blacklist ${HOME}/.config/epiphany +blacklist ${HOME}/.config/evince +blacklist ${HOME}/.config/evolution +blacklist ${HOME}/.config/filezilla +blacklist ${HOME}/.config/flowblade +blacklist ${HOME}/.config/gajim blacklist ${HOME}/.config/gedit -blacklist ${HOME}/.config/dolphinrc -blacklist ${HOME}/.config/katerc +blacklist ${HOME}/.config/google-chrome +blacklist ${HOME}/.config/google-chrome-beta +blacklist ${HOME}/.config/google-chrome-unstable +blacklist ${HOME}/.config/gthumb +blacklist ${HOME}/.config/hexchat +blacklist ${HOME}/.config/inox +blacklist ${HOME}/.config/jd-gui.cfg blacklist ${HOME}/.config/katepartrc +blacklist ${HOME}/.config/katerc blacklist ${HOME}/.config/kateschemarc blacklist ${HOME}/.config/katesyntaxhighlightingrc blacklist ${HOME}/.config/katevirc -blacklist ${HOME}/.config/nautilus -blacklist ${HOME}/.config/xfburn -blacklist ${HOME}/.config/evince -blacklist ${HOME}/.emacs -blacklist ${HOME}/.emacs.d -blacklist ${HOME}/.claws-mail -blacklist ${HOME}/.config/ranger -blacklist ${HOME}/.qemu-launcher - -# Media players -blacklist ${HOME}/.config/cmus -blacklist ${HOME}/.config/deadbeef -blacklist ${HOME}/.config/spotify -blacklist ${HOME}/.config/vlc -blacklist ${HOME}/.config/mpv -blacklist ${HOME}/.config/totem -blacklist ${HOME}/.config/xplayer -blacklist ${HOME}/.audacity-data -blacklist ${HOME}/.guayadeque -blacklist 
${HOME}/.config/dragonplayerrc -blacklist ${HOME}/.local/share/lollypop - -# HTTP / FTP / Mail -blacklist ${HOME}/.icedove -blacklist ${HOME}/.thunderbird -blacklist ${HOME}/.sylpheed-2.0 +blacklist ${HOME}/.config/libreoffice +blacklist ${HOME}/.config/mate/eom blacklist ${HOME}/.config/midori -blacklist ${HOME}/.mozilla -blacklist ${HOME}/.config/chromium -blacklist ${HOME}/.config/google-chrome -blacklist ${HOME}/.config/google-chrome-beta -blacklist ${HOME}/.config/google-chrome-unstable +blacklist ${HOME}/.config/mpv +blacklist ${HOME}/.config/mupen64plus +blacklist ${HOME}/.config/nautilus +blacklist ${HOME}/.config/netsurf blacklist ${HOME}/.config/opera blacklist ${HOME}/.config/opera-beta -blacklist ${HOME}/.opera -blacklist ${HOME}/.config/vivaldi -blacklist ${HOME}/.filezilla -blacklist ${HOME}/.config/filezilla -blacklist ${HOME}/.dillo -blacklist ${HOME}/.conkeror.mozdev.org -blacklist ${HOME}/.config/epiphany -blacklist ${HOME}/.config/slimjet -blacklist ${HOME}/.config/qutebrowser -blacklist ${HOME}/.8pecxstudios -blacklist ${HOME}/.config/brave -blacklist ${HOME}/.config/inox -blacklist ${HOME}/.muttrc -blacklist ${HOME}/.mutt -blacklist ${HOME}/.mutt/muttrc -blacklist ${HOME}/.msmtprc -blacklist ${HOME}/.config/evolution -blacklist ${HOME}/.local/share/evolution -blacklist ${HOME}/.cache/evolution -blacklist ${HOME}/.elinks -blacklist ${HOME}/.w3m - -# Instant Messaging -blacklist ${HOME}/.config/hexchat -blacklist ${HOME}/.mcabber -blacklist ${HOME}/.mcabberrc -blacklist ${HOME}/.purple +blacklist ${HOME}/.config/pix +blacklist ${HOME}/.config/pluma blacklist ${HOME}/.config/psi+ -blacklist ${HOME}/.retroshare -blacklist ${HOME}/.weechat -blacklist ${HOME}/.config/xchat -blacklist ${HOME}/.Skype +blacklist ${HOME}/.config/qpdfview +blacklist ${HOME}/.config/qutebrowser +blacklist ${HOME}/.config/ranger +blacklist ${HOME}/.config/redshift.conf blacklist ${HOME}/.config/skypeforlinux +blacklist ${HOME}/.config/slimjet +blacklist 
${HOME}/.config/spotify +blacklist ${HOME}/.config/stellarium +blacklist ${HOME}/.config/synfig +blacklist ${HOME}/.config/telepathy-account-widgets +blacklist ${HOME}/.config/torbrowser +blacklist ${HOME}/.config/totem blacklist ${HOME}/.config/tox -blacklist ${HOME}/.TelegramDesktop -blacklist ${HOME}/.config/Gitter -blacklist ${HOME}/.config/Franz -blacklist ${HOME}/.jitsi -blacklist ${HOME}/.config/Slack -blacklist ${HOME}/.cache/gajim -blacklist ${HOME}/.local/share/gajim -blacklist ${HOME}/.config/gajim -blacklist ${HOME}/.config/Wire -blacklist ${HOME}/.config/wire -blacklist ${HOME}/.config/Cryptocat - -# Games -blacklist ${HOME}/.hedgewars -blacklist ${HOME}/.steam +blacklist ${HOME}/.config/transmission +blacklist ${HOME}/.config/uGet +blacklist ${HOME}/.config/vivaldi +blacklist ${HOME}/.config/vlc blacklist ${HOME}/.config/wesnoth -blacklist ${HOME}/.config/0ad -blacklist ${HOME}/.warzone2100-3.1 +blacklist ${HOME}/.config/wire +blacklist ${HOME}/.config/xchat +blacklist ${HOME}/.config/xed +blacklist ${HOME}/.config/xfburn +blacklist ${HOME}/.config/xplayer +blacklist ${HOME}/.config/xreader +blacklist ${HOME}/.config/xviewer +blacklist ${HOME}/.config/zathura +blacklist ${HOME}/.config/zoomus.conf +blacklist ${HOME}/.conkeror.mozdev.org +blacklist ${HOME}/.dillo blacklist ${HOME}/.dosbox -blacklist ${HOME}/.local/share/gnome-chess -blacklist ${HOME}/.local/share/gnome-2048 -blacklist ${HOME}/.local/share/multimc5 -blacklist ${HOME}/.multimc5 -blacklist ${HOME}/.xonotic - -# Cryptocoins -blacklist ${HOME}/.*coin +blacklist ${HOME}/.dropbox-dist blacklist ${HOME}/.electrum* -blacklist ${HOME}/wallet.dat - -# git, subversion -blacklist ${HOME}/.subversion -blacklist ${HOME}/.gitconfig +blacklist ${HOME}/.elinks +blacklist ${HOME}/.emacs +blacklist ${HOME}/.emacs.d +blacklist ${HOME}/.filezilla +blacklist ${HOME}/.flowblade +blacklist ${HOME}/.fltk +blacklist ${HOME}/.gimp* blacklist ${HOME}/.git-credential-cache - -# cache -blacklist 
${HOME}/.cache/mozilla -blacklist ${HOME}/.cache/chromium -blacklist ${HOME}/.cache/google-chrome -blacklist ${HOME}/.cache/google-chrome-beta -blacklist ${HOME}/.cache/google-chrome-unstable -blacklist ${HOME}/.cache/opera -blacklist ${HOME}/.cache/opera-beta -blacklist ${HOME}/.cache/vivaldi -blacklist ${HOME}/.cache/epiphany -blacklist ${HOME}/.cache/slimjet -blacklist ${HOME}/.cache/qutebrowser -blacklist ${HOME}/.cache/spotify -blacklist ${HOME}/.cache/thunderbird -blacklist ${HOME}/.cache/icedove -blacklist ${HOME}/.cache/transmission -blacklist ${HOME}/.cache/wesnoth -blacklist ${HOME}/.cache/0ad -blacklist ${HOME}/.cache/8pecxstudios -blacklist ${HOME}/.cache/xreader -blacklist ${HOME}/.cache/Franz -blacklist ${HOME}/.cache/simple-scan -blacklist ${HOME}/.cache/libgweather -blacklist ${HOME}/.cache/org.gnome.Books - -# share +blacklist ${HOME}/.gitconfig +blacklist ${HOME}/.googleearth/Cache/ +blacklist ${HOME}/.googleearth/Temp/ +blacklist ${HOME}/.googleearth/myplaces.backup.kml +blacklist ${HOME}/.googleearth/myplaces.kml +blacklist ${HOME}/.guayadeque +blacklist ${HOME}/.hedgewars +blacklist ${HOME}/.icedove +blacklist ${HOME}/.inkscape +blacklist ${HOME}/.jitsi +blacklist ${HOME}/.kde/share/apps/gwenview +blacklist ${HOME}/.kde/share/apps/okular +blacklist ${HOME}/.kde/share/config/gwenviewrc +blacklist ${HOME}/.kde/share/config/okularpartrc +blacklist ${HOME}/.kde/share/config/okularrc +blacklist ${HOME}/.killingfloor +blacklist ${HOME}/.linphone-history.db +blacklist ${HOME}/.linphonerc +blacklist ${HOME}/.lmmsrc.xml +blacklist ${HOME}/.local/.share/maps-places.json +blacklist ${HOME}/.local/lib/python2.7/site-packages +blacklist ${HOME}/.local/share/0ad +blacklist ${HOME}/.local/share/3909/PapersPlease +blacklist ${HOME}/.local/share/Empathy +blacklist ${HOME}/.local/share/Mumble +blacklist ${HOME}/.local/share/QuiteRss +blacklist ${HOME}/.local/share/Ricochet +blacklist ${HOME}/.local/share/Steam +blacklist ${HOME}/.local/share/SuperHexagon 
+blacklist ${HOME}/.local/share/Terraria +blacklist ${HOME}/.local/share/TpLogger +blacklist ${HOME}/.local/share/aspyr-media +blacklist ${HOME}/.local/share/cdprojektred +blacklist ${HOME}/.local/share/data/Mumble +blacklist ${HOME}/.local/share/dolphin blacklist ${HOME}/.local/share/epiphany +blacklist ${HOME}/.local/share/evolution +blacklist ${HOME}/.local/share/feral-interactive +blacklist ${HOME}/.local/share/gajim +blacklist ${HOME}/.local/share/gnome-2048 +blacklist ${HOME}/.local/share/gnome-chess +blacklist ${HOME}/.local/share/gnome-music +blacklist ${HOME}/.local/share/gnome-photos +blacklist ${HOME}/.local/share/kate +blacklist ${HOME}/.local/share/lollypop +blacklist ${HOME}/.local/share/multimc5 blacklist ${HOME}/.local/share/mupen64plus +blacklist ${HOME}/.local/share/pix +blacklist ${HOME}/.local/share/psi+ +blacklist ${HOME}/.local/share/qpdfview blacklist ${HOME}/.local/share/spotify blacklist ${HOME}/.local/share/steam +blacklist ${HOME}/.local/share/telepathy +blacklist ${HOME}/.local/share/torbrowser +blacklist ${HOME}/.local/share/totem +blacklist ${HOME}/.local/share/vpltd +blacklist ${HOME}/.local/share/vulkan blacklist ${HOME}/.local/share/wesnoth -blacklist ${HOME}/.local/share/0ad blacklist ${HOME}/.local/share/xplayer -blacklist ${HOME}/.local/share/totem -blacklist ${HOME}/.local/share/psi+ -blacklist ${HOME}/.local/share/pix -blacklist ${HOME}/.local/share/qpdfview +blacklist ${HOME}/.local/share/xreader blacklist ${HOME}/.local/share/zathura -blacklist ${HOME}/.local/share/gnome-music -blacklist ${HOME}/.local/share/gnome-photos -blacklist ${HOME}/.local/share/kate -blacklist ${HOME}/.local/share/dolphin - -# ssh +blacklist ${HOME}/.lv2 +blacklist ${HOME}/.mcabber +blacklist ${HOME}/.mcabberrc +blacklist ${HOME}/.mozilla +blacklist ${HOME}/.mozilla/seamonkey +blacklist ${HOME}/.mpdconf +blacklist ${HOME}/.msmtprc +blacklist ${HOME}/.multimc5 +blacklist ${HOME}/.mutt +blacklist ${HOME}/.mutt/muttrc +blacklist ${HOME}/.muttrc 
+blacklist ${HOME}/.nv +blacklist ${HOME}/.openshot +blacklist ${HOME}/.openshot_qt +blacklist ${HOME}/.opera +blacklist ${HOME}/.opera-beta +blacklist ${HOME}/.pki +blacklist ${HOME}/.purple +blacklist ${HOME}/.qemu-launcher +blacklist ${HOME}/.remmina +blacklist ${HOME}/.retroshare +blacklist ${HOME}/.scribus +blacklist ${HOME}/.steam +blacklist ${HOME}/.steampath +blacklist ${HOME}/.steampid +blacklist ${HOME}/.stellarium +blacklist ${HOME}/.subversion +blacklist ${HOME}/.sword +blacklist ${HOME}/.sylpheed-2.0 +blacklist ${HOME}/.synfig +blacklist ${HOME}/.tconn +blacklist ${HOME}/.thunderbird +blacklist ${HOME}/.ts3client +blacklist ${HOME}/.vst +blacklist ${HOME}/.w3m +blacklist ${HOME}/.warzone2100-3.1 +blacklist ${HOME}/.weechat +blacklist ${HOME}/.wine +blacklist ${HOME}/.wine64 +blacklist ${HOME}/.xiphos +blacklist ${HOME}/.xonotic +blacklist ${HOME}/.xpdfrc +blacklist ${HOME}/.zoom +blacklist ${HOME}/wallet.dat blacklist /tmp/ssh-* -- cgit v1.2.3-70-g09d2 From d4f83991b0b76a30ee452279e7858acd439c18a6 Mon Sep 17 00:00:00 2001 From: vismir2 Date: Sat, 3 Dec 2016 14:37:32 +0100 Subject: Added profile Added truecrypt and zuluCrypt --- etc/disable-common.inc | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'etc') diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 8886a0bc3..aad75bb4a 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc 
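Review bot: `blacklist ${HOME}/.local/.share/maps-places.json`, added in the `.local/...` run of this hunk, has a stray dot in `.local/.share`; every neighbouring entry uses `.local/share`, so unless that odd path is intentional the entry matches nothing and the real file (presumably a GNOME Maps file) stays unprotected — `blacklist ${HOME}/.local/share/maps-places.json` is probably what was meant. `blacklist ${HOME}/.pki` is also worth a second look: it is broader than the per-application directories around it (that directory commonly holds the shared NSS certificate database), so any profile for a program that needs it now has to carry a matching `noblacklist`, which is not obvious from an unannotated line. Finally, the alphabetical reorder drops all the section comments (`# Media players`, `# HTTP / FTP / Mail`, `# Cryptocoins`, `# cache`, `# share`, ...), leaving no explanation of why a path is listed; a one-line header such as `# per-application data and cache paths blacklisted by every profile that includes this file, sorted alphabetically` would at least keep the intent documented.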
@@ -39,6 +39,21 @@ blacklist /usr/share/applications/veracrypt.*
 blacklist /usr/share/pixmaps/veracrypt.*
 blacklist ${HOME}/.VeraCrypt
+# TrueCrypt
+blacklist ${PATH}/truecrypt
+blacklist ${PATH}/truecrypt-uninstall.sh
+blacklist /usr/share/truecrypt
+blacklist /usr/share/applications/truecrypt.*
+blacklist /usr/share/pixmaps/truecrypt.*
+blacklist ${HOME}/.TrueCrypt
+
+# zuluCrypt
+blacklist ${HOME}/.zuluCrypt
+blacklist ${HOME}/.zuluCrypt-socket
+blacklist ${PATH}/zuluCrypt-cli
+blacklist ${PATH}/zuluMount-cli
+blacklist ${PATH}/mount.ecryptfs_private
+
 # var
 blacklist /var/spool/cron
 blacklist /var/spool/anacron
-- cgit v1.2.3-70-g09d2
From 210b0c09dce90d9c68c15b80309e8cd93c988f54 Mon Sep 17 00:00:00 2001 From: vismir2 Date: Sat, 3 Dec 2016 18:07:04 +0100 Subject: Update disable-common.inc --- etc/disable-common.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'etc')
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index aad75bb4a..95af0aa34 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -51,8 +51,7 @@ blacklist ${HOME}/.TrueCrypt
 blacklist ${HOME}/.zuluCrypt
 blacklist ${HOME}/.zuluCrypt-socket
 blacklist ${PATH}/zuluCrypt-cli
-blacklist ${PATH}/zuluMount-cli
-blacklist ${PATH}/mount.ecryptfs_private
+blacklist ${PATH}/zuluMount-cli
 # var
 blacklist /var/spool/cron
@@ -188,6 +187,7 @@ blacklist ${PATH}/chage
 blacklist ${PATH}/expiry
 blacklist ${PATH}/unix_chkpwd
 blacklist ${PATH}/procmail
+blacklist ${PATH}/mount.ecryptfs_private
 # other SUID binaries
 blacklist /usr/lib/virtualbox
-- cgit v1.2.3-70-g09d2
From 523a1471c071cb783674369ac03377b44d1b3c79 Mon Sep 17 00:00:00 2001 From: Lari Rauno Date: Mon, 5 Dec 2016 11:56:34 +0200 Subject: Whitelist required folders when running qutebrowser with webengine backend --- etc/qutebrowser.profile | 2 ++ 1 file changed, 2 insertions(+) (limited to 'etc')
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile
index eabbe0f3e..dcacd4f29 100644
--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -18,4 +18,6 @@ mkdir ~/.config/qutebrowser
 whitelist ~/.config/qutebrowser
 mkdir ~/.cache/qutebrowser
 whitelist ~/.cache/qutebrowser
+mkdir ~/.local/share/qutebrowser
+whitelist ~/.local/share/qutebrowser
 include /etc/firejail/whitelist-common.inc
-- cgit v1.2.3-70-g09d2
From 7b8843fa8720e23351c2f0f3f29976cfc3fd964d Mon Sep 17 00:00:00 2001 From: Fred Barclay Date: Wed, 7 Dec 2016 11:32:03 -0600 Subject: Wireshark profile --- etc/wireshark.profile | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 etc/wireshark.profile (limited to 'etc')
diff --git a/etc/wireshark.profile b/etc/wireshark.profile
new file mode 100644
index 000000000..898fc787e
--- /dev/null
+++ b/etc/wireshark.profile
@@ -0,0 +1,22 @@
+# Firejail profile for
+noblacklist ${HOME}/.config/wireshark
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin wireshark
+private-dev
+private-tmp
-- cgit v1.2.3-70-g09d2
From 135ed96ca18fba8662591171e8cd944b8398d29e Mon Sep 17 00:00:00 2001 From: Fred Barclay Date: Wed, 7 Dec 2016 11:37:18 -0600 Subject: Extra wireshark files --- README | 1 + README.md | 4 ++-- RELNOTES | 2 +- etc/disable-programs.inc | 1 + platform/debian/conffiles | 2 ++ src/firecfg/firecfg.config | 1 + 6 files changed, 8 insertions(+), 3 deletions(-) (limited to 'etc')
diff --git a/README b/README
index 7570cc3f6..10136207d 100644
--- a/README
+++ b/README
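Review bot: The header comment `# Firejail profile for` in the new wireshark.profile is incomplete — the program name is missing, so `# Firejail profile for wireshark` is the minimal fix. More useful would be a statement of what the profile actually supports: with `caps.drop all`, `nonewprivs` and `private-bin wireshark` in place, live capture looks impossible from inside the sandbox (capturing needs CAP_NET_RAW/CAP_NET_ADMIN, normally obtained through a privileged dumpcap helper that is neither listed in `private-bin` nor able to gain privileges under nonewprivs), so as far as I can tell this profile only covers opening and analysing saved capture files. A comment such as `# live capture is not possible inside this sandbox; the profile is intended for analysing saved capture files` would make that explicit and save users from debugging a "no interfaces found" dialog. I have not verified the dumpcap detail against a running system, so please confirm before wording it as fact.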
@@ -82,6 +82,7 @@ Fred-Barclay (https://github.com/Fred-Barclay) - added xiphos and Tor Browser Bundle profiles - added xed and pluma profiles - added Cryptocat profile + - added wireshark profile valoq (https://github.com/valoq) - lots of profile fixes - added support for /srv in --whitelist feature diff --git a/README.md b/README.md index 16f84493b..609533a91 100644 --- a/README.md +++ b/README.md @@ -88,5 +88,5 @@ amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, enchant, exifto gjs, gnome-books, gnome-clocks, gnome-documents, gnome-maps, gnome-music, gnome-photos, gnome-weather, goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, w3m, xfburn, xpra, wget, -xed, pluma, Cryptocat Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5, -PDFSam, Pithos, Xonotic +xed, pluma, Cryptocat, Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5, +PDFSam, Pithos, Xonotic, wireshark diff --git a/RELNOTES b/RELNOTES index c3a077c5e..28aa1f4e1 100644 --- a/RELNOTES +++ b/RELNOTES @@ -16,7 +16,7 @@ firejail (0.9.45) baseline; urgency=low * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, * new profiles: Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos, - * new profies: Xonotic + * new profies: Xonotic, wireshark * bugfixes -- netblue30 Sun, 23 Oct 2016 08:00:00 -0500 diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 48701b520..a9ca487c5 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc 
@@ -139,6 +139,7 @@ blacklist ${HOME}/.config/vivaldi blacklist ${HOME}/.config/vlc blacklist ${HOME}/.config/wesnoth blacklist ${HOME}/.config/wire +blacklist ${HOME}/.config/wireshark blacklist ${HOME}/.config/xchat blacklist ${HOME}/.config/xed blacklist ${HOME}/.config/xfburn diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 551e7ad36..97e7cf884 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -27,6 +27,7 @@ /etc/firejail/conkeror.profile /etc/firejail/corebird.profile /etc/firejail/cpio.profile +/etc/firejail/cryptocat.profile /etc/firejail/Cryptocat.profile /etc/firejail/cyberfox.profile /etc/firejail/deadbeef.profile @@ -209,6 +210,7 @@ /etc/firejail/whitelist-common.inc /etc/firejail/wine.profile /etc/firejail/wire.profile +/etc/firejail/wireshark.profile /etc/firejail/xchat.profile /etc/firejail/xed.profile /etc/firejail/xfburn.profile diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 369abdc20..c4f52e256 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -192,6 +192,7 @@ keepass2 keepassx pluma tracker +wireshark xiphos xed -- cgit v1.2.3-70-g09d2 From 74980fb9d796d76f87e75561f6a08ad55960a3dd Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 8 Dec 2016 15:20:21 -0500 Subject: remove konsole from the list of restricted terminals in disable-common.inc --- etc/disable-common.inc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 95af0aa34..b86c6f998 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -209,7 +209,8 @@ blacklist ${PATH}/roxterm-config blacklist ${PATH}/terminix blacklist ${PATH}/urxvtc blacklist ${PATH}/urxvtcd -blacklist ${PATH}/konsole +#konsole doesn't seem to have this problem - last tested on Ubuntu 16.04 +#blacklist ${PATH}/konsole # kernel files blacklist /vmlinuz* -- cgit v1.2.3-70-g09d2 
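Review bot: The `+/etc/firejail/cryptocat.profile` entry added to platform/debian/conffiles is unrelated to the wireshark change this commit describes and sits directly above the existing `/etc/firejail/Cryptocat.profile`; unless the package really ships both spellings, a conffiles entry for a file that is not installed will most likely make the Debian package build fail (dpkg-deb rejects conffiles that do not appear in the package), so this line wants either removing or a matching profile in the package. The remaining hunks of this commit (README, RELNOTES, disable-programs.inc, firecfg.config) are consistent with the new profile.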
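Review bot: The new comment `#konsole doesn't seem to have this problem - last tested on Ubuntu 16.04` does not say what "this problem" is, so a reader of disable-common.inc cannot judge whether the exemption is still valid or know what to re-test on a newer release. The hunk does not show why the surrounding terminal emulators are blacklisted either, so I can only suggest the shape: `# konsole: not blacklisted - it did not exhibit the <PROBLEM-DESCRIPTION> the terminals above are listed for; last tested on Ubuntu 16.04`, with the placeholder replaced by the actual issue. Keeping the disabled entry as `#blacklist ${PATH}/konsole` is good for traceability.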
From 8355c8aef298f877eb3ad86b50e9f90fe8765a9e Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 10 Dec 2016 11:41:40 -0500 Subject: quiterss fixes --- README | 1 + etc/quiterss.profile | 10 ++++++++-- 2 files changed, 9 insertions(+), 2 deletions(-) (limited to 'etc')
diff --git a/README b/README
index 476ec40c6..d20503974 100644
--- a/README
+++ b/README
@@ -111,6 +111,7 @@ Vasya Novikov (https://github.com/vn971)
 - seccomp debug description in man page
 curiosity-seeker (https://github.com/curiosity-seeker)
 - tightening unbound and dnscrypt-proxy profiles
+ - correct and tighten QuiteRss profile
 - dnsmasq profile
 - okular and gwenview profiles
 - cherrytree profile fixes
diff --git a/etc/quiterss.profile b/etc/quiterss.profile
index 2b28fce73..47ab77675 100644
--- a/etc/quiterss.profile
+++ b/etc/quiterss.profile
@@ -1,3 +1,8 @@
+noblacklist ${HOME}/.cache/QuiteRss
+noblacklist ${HOME}/.config/QuiteRss
+noblacklist ${HOME}/.config/QuiteRssrc
+noblacklist ${HOME}/.local/share/QuiteRss
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -7,8 +12,9 @@ whitelist ${HOME}/quiterssfeeds.opml
 mkdir ~/.config/QuiteRss
 whitelist ${HOME}/.config/QuiteRss/
 whitelist ${HOME}/.config/QuiteRssrc
-mkdir ~/.local/share
-whitelist ${HOME}/.local/share/
+mkdir ~/.local/share/data
+mkdir ~/.local/share/data/QuiteRss
+whitelist ${HOME}/.local/share/data/QuiteRss
 mkdir ~/.cache/QuiteRss
 whitelist ${HOME}/.cache/QuiteRss
-- cgit v1.2.3-70-g09d2
From 9a7acfd771e17bd7d2ca935fc17fa50ef579cce3 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 11 Dec 2016 08:10:04 -0500 Subject: config support for firejail prompt in terminals --- RELNOTES | 1 + etc/firejail.config | 3 +++ src/firejail/checkcfg.c | 10 ++++++++++ src/firejail/env.c | 14 +++++++++++--- src/firejail/firejail.h | 1 + 5 files changed, 26 insertions(+), 3 deletions(-) (limited to 'etc')
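Review bot: The new `noblacklist ${HOME}/.local/share/QuiteRss` line and the new `whitelist ${HOME}/.local/share/data/QuiteRss` line name different directories, and nothing in the hunk says which one the application actually uses. If the data lives in `.local/share/data/QuiteRss`, the noblacklist has no effect worth keeping (disable-programs.inc blacklists `.local/share/QuiteRss`, as the reordering commit earlier on this page shows, and the whitelist already takes care of the real directory); if it lives in `.local/share/QuiteRss`, the whitelist misses it and the program will start without its data. A one-line comment naming the real data directory, e.g. `# QuiteRss keeps its database under ~/.local/share/data/QuiteRss`, would settle that for the next reader. Separately, the same paths are written as `~/` on the `mkdir` lines and `${HOME}` on the `whitelist` lines; picking one form makes the profile easier to grep.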
diff --git a/RELNOTES b/RELNOTES
index 7755ae3a6..064553f98 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -13,6 +13,7 @@ firejail (0.9.45) baseline; urgency=low
 * feature: private /opt directory (--private-opt, profile support)
 * feature: private /srv directory (--private-srv, profile support)
 * feature: spoof machine-id
+ * feature: config support for firejail prompt in terminal
 * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire,
 * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
 * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator,
diff --git a/etc/firejail.config b/etc/firejail.config
index 2ea767f37..824e3f503 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -17,6 +17,9 @@
 # Enable or disable file transfer support, default enabled.
 # file-transfer yes
+# Enable Firejail green prompt in terminal, default disabled
+# firejail-prompt no
+
 # Force use of nonewprivs. This mitigates the possibility of
 # a user abusing firejail's features to trick a privileged (suid
 # or file capabilities) process into loading code or configuration
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 6565f488a..098e8e967 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -43,6 +43,7 @@ int checkcfg(int val) {
 cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default
 cfg_val[CFG_FORCE_NONEWPRIVS] = 0; // disabled by default
 cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0; // disabled by default
+ cfg_val[CFG_FIREJAIL_PROMPT] = 0; // disabled by default
 // open configuration file
 char *fname;
@@ -126,6 +127,15 @@ int checkcfg(int val) {
 else
 goto errout;
 }
+ // prompt
+ else if (strncmp(ptr, "firejail-prompt ", 16) == 0) {
+ if (strcmp(ptr + 16, "yes") == 0)
+ cfg_val[CFG_FIREJAIL_PROMPT] = 1;
+ else if (strcmp(ptr + 16, "no") == 0)
+ cfg_val[CFG_FIREJAIL_PROMPT] = 0;
+ else
+ goto errout;
+ }
 // nonewprivs
 else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) {
 if (strcmp(ptr + 17, "yes") == 0)
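Review bot: The new `# firejail-prompt no` comment in firejail.config documents the option but not its relation to the `FIREJAIL_PROMPT` environment variable, which the env.c change in this same commit keeps as a second, independent way of turning the prompt on; a user who writes `firejail-prompt no` and still gets a green prompt from an exported variable will not find the explanation here. Suggested wording: `# Enable Firejail green prompt in terminal, default disabled. The prompt is also enabled when FIREJAIL_PROMPT=yes is present in the environment, regardless of this setting.`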
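Review bot: `strncmp(ptr, "firejail-prompt ", 16)` and the two `ptr + 16` offsets in the second checkcfg.c hunk hard-code the prefix length, matching the `force-nonewprivs `/17 branch below; the count is correct here, but every new option repeats the chance of an off-by-one, and a miscounted length turns every value of that option into a `goto errout` config error. Tying the offset to the literal removes that risk: `static const char key[] = "firejail-prompt ";` / `else if (strncmp(ptr, key, sizeof key - 1) == 0) {` / `if (strcmp(ptr + sizeof key - 1, "yes") == 0)`, or a small `match_key(ptr, "firejail-prompt ", &value)` helper shared by all the branches if the file is ever refactored. If the explicit style is preferred for consistency, a `// 16 == strlen("firejail-prompt ")` note on the first use is the cheap alternative. checkcfg's body starts and ends outside both hunks.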
diff --git a/src/firejail/env.c b/src/firejail/env.c
index a02c67ae1..783f019a6 100644
--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -129,13 +129,21 @@ void env_defaults(void) {
 errExit("setenv");
 // set prompt color to green
- char *prompt = getenv("FIREJAIL_PROMPT");
- if (prompt && strcmp(prompt, "yes") == 0) {
+ int set_prompt = 0;
+ if (checkcfg(CFG_FIREJAIL_PROMPT))
+ set_prompt = 1;
+ else { // check FIREJAIL_PROMPT="yes" environment variable
+ char *prompt = getenv("FIREJAIL_PROMPT");
+ if (prompt && strcmp(prompt, "yes") == 0)
+ set_prompt = 1;
+ }
+
+ if (set_prompt) {
 //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] '
 if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0)
 errExit("setenv");
 }
-
+
 // set the window title
 if (!arg_quiet)
 printf("\033]0;firejail %s\007", cfg.window_title);
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 368e0d88d..8fede5a69 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -661,6 +661,7 @@ enum {
 CFG_CHROOT_DESKTOP,
 CFG_PRIVATE_HOME,
 CFG_PRIVATE_BIN_NO_LOCAL,
+ CFG_FIREJAIL_PROMPT,
 CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;
-- cgit v1.2.3-70-g09d2
From 71fa2e283c4721230569e8611ac0470916fc75d0 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 14 Dec 2016 09:09:29 -0500 Subject: snap profile fix --- etc/snap.profile | 2 -- src/firejail/fs_var.c | 3 +-- 2 files changed, 1 insertion(+), 4 deletions(-) (limited to 'etc')
diff --git a/etc/snap.profile b/etc/snap.profile
index 270fdf1a5..e2ada3a99 100644
--- a/etc/snap.profile
+++ b/etc/snap.profile
@@ -9,6 +9,4 @@ whitelist ~/snap
 whitelist ${DOWNLOADS}
 include /etc/firejail/whitelist-common.inc
-caps.keep chown,sys_admin
-
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index 86122e1c0..f742e7e22 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
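Review bot: The new `set_prompt` block in env.c can be a single expression — `const char *prompt = getenv("FIREJAIL_PROMPT");` followed by `int set_prompt = checkcfg(CFG_FIREJAIL_PROMPT) || (prompt && strcmp(prompt, "yes") == 0);` — which says the same thing as the comment and drops the nested if/else. Note that this preserves the precedence the hunk establishes: either the config file or the environment can enable the prompt, and neither can veto the other; if that is intended, a one-line comment such as `// config or environment may enable the prompt; neither can disable what the other enabled` would stop the next reader from "fixing" it. The trailing `-`/`+` blank-line pair is a whitespace-only change. env_defaults begins before this hunk.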
@@ -106,8 +106,7 @@ static void build_dirs(void) {
 void fs_var_log(void) {
 build_list("/var/log");
- // note: /var/log is not created here, if it does not exist, this section fails. Intended?
-
+ // note: /var/log is not created here, if it does not exist, this section fails.
 // create /var/log if it doesn't exit
 if (is_dir("/var/log")) {
 // extract group id for /var/log/wtmp
-- cgit v1.2.3-70-g09d2
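Review bot: The retained comment `// note: /var/log is not created here, if it does not exist, this section fails.` still contradicts the line right below it (`// create /var/log if it doesn't exit`) and, as far as the hunk shows, the code itself, which guards the block with `is_dir("/var/log")` and so appears to skip it rather than fail when the directory is missing; dropping `Intended?` removes the question without answering it. I would fold the two comments into one accurate line, e.g. `// /var/log is not created here; if it does not exist the setup below is skipped`, and fix the "exit"/"exist" typo at the same time — please confirm against the rest of the function, since fs_var_log continues past the hunk and an else branch is not visible here.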