diff --git a/.git-blame-ignore-revs b/.git-blame-ignore-revs new file mode 100644 index 00000000000..0c9701d1cc8 --- /dev/null +++ b/.git-blame-ignore-revs @@ -0,0 +1,4 @@ +# move whitelist/blacklist to allow/deny +fe0f975f447d59977d90c3226cc8c623b31b20b3 +# Revert "move whitelist/blacklist to allow/deny" +f43382f1e9707b4fd5e63c7bfe881912aa4ee994 diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index 8b7aa120338..0f13afc51dd 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md 
@@ -7,36 +7,71 @@ assignees: '' --- -**Describe the bug** -A clear and concise description of what the bug is. +### Description -**Behavior change on disabling firejail** -Describe clear and concise what changed calling `firejail --noprofile PROGRAM` in a shell. +_Describe the bug_ -**To Reproduce** -Steps to reproduce the behavior: -1. Go to '...' +### Steps to Reproduce + +_Steps to reproduce the behavior_ + +1. Run in bash `LANG=C firejail PROGRAM` (`LANG=C` to get English messages that can be understood by everybody) 2. Click on '....' 3. Scroll down to '....' -4. See error +4. See error `ERROR` + +### Expected behavior + +_What you expected to happen_ + +### Actual behavior + +_What actually happened_ + +### Behavior without a profile + +_What changed calling `firejail --noprofile /path/to/program` in a terminal?_ + +### Additional context -**Expected behavior** -A clear and concise description of what you expected to happen. +_Any other detail that may help to understand/debug the problem_ -**Desktop (please complete the following information):** - - Linux distribution and version (ie output of `lsb_release -a`) - - Firejail version (output of `firejail --version`) exclusive or used git commit (`git rev-parse HEAD`) +### Environment -**Additional context** -Add any other context about the problem here. +- Linux distribution and version (e.g. "Ubuntu 20.04" or "Arch Linux") +- Firejail version (`firejail --version`). +- If you use a development version of firejail, also the commit from which it was compiled (`git rev-parse HEAD`). -**Checklist** - - [ ] The upstream profile (and redirect profile if exists) have no changes fixing it. +### Checklist + +- [ ] The issues is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it). +- [ ] I can reproduce the issue without custom modifications (e.g. globals.local). +- [ ] The program has a profile. 
(If not, request one in `https://github.com/netblue30/firejail/issues/1139`) +- [ ] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc). +- [ ] I have performed a short search for similar issues (to avoid opening a duplicate). + - [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers. +- [ ] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages) + +### Log + +
+Output of firejail /path/to/program +

+ +``` +output goes here +``` + +

+
-
debug output +
+Output of firejail --debug /path/to/program +

``` -OUTPUT OF `firejail --debug PROGRAM` +output goes here ``` +

diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 00000000000..b8fe40acd1d --- /dev/null +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -0,0 +1,5 @@ +blank_issues_enabled: true +contact_links: + - name: Question + url: https://github.com/netblue30/firejail/discussions + about: For questions you should use GitHub Discussions. diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md new file mode 100644 index 00000000000..a723cdbde01 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.md @@ -0,0 +1,23 @@ +--- +name: Feature request +about: Suggest an idea for this project +title: '' +labels: '' +assignees: '' +--- + +### Is your feature request related to a problem? Please describe. + +_A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]_ + +### Describe the solution you'd like + +_A clear and concise description of what you want to happen._ + +### Describe alternatives you've considered + +_A clear and concise description of any alternative solutions or features you've considered._ + +### Additional context + +_Add any other context or screenshots about the feature request here._ diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 71791c0008f..7cb92a93855 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md 
@@ -1,10 +1,9 @@ - If your PR isn't about profiles or you have no idea how to do one of these, skip the following and go ahead with this PR. -If you make a PR for new profiles or changeing profiles please do the following: - - The ordering of options follow the rules descripted in [/usr/share/doc/firejail/profile.template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template). - > Hint: The profile-template is very new, if you install firejail with your package-manager, it maybe missing, therefore, and to follow the latest rules, it is recommended to use the template from the repository. - - Order the arguments of options alphabetical, you can easy do this with the [sort.py](https://github.com/netblue30/firejail/tree/master/contrib/sort.py). +If you submit a PR for new profiles or changing profiles, please do the following: + - The ordering of options follow the rules described in [/usr/share/doc/firejail/profile.template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template). + > Hint: The profile-template is very new. If you install firejail with your package manager, it may be missing. In order to follow the latest rules, it is recommended to use the template from the repository. + - Order the arguments of options alphabetically. You can easily do this with [sort.py](https://github.com/netblue30/firejail/tree/master/contrib/sort.py). The path to it depends on your distro: | Distro | Path | diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml new file mode 100644 index 00000000000..fd1f2395423 --- /dev/null +++ b/.github/workflows/build-extra.yml 
@@ -0,0 +1,55 @@ +name: Build-extra CI + +on: + push: + branches: [ master ] + paths-ignore: + - CONTRIBUTING.md + - README + - README.md + - RELNOTES + - SECURITY.md + - 'etc/**' + - 'src/firecfg/firecfg.config' + - '.github/ISSUE_TEMPLATE/*' + - '.github/pull_request_template.md' + pull_request: + branches: [ master ] + paths-ignore: + - CONTRIBUTING.md + - README + - README.md + - RELNOTES + - SECURITY.md + - 'etc/**' + - 'src/firecfg/firecfg.config' + - '.github/ISSUE_TEMPLATE/*' + - '.github/pull_request_template.md' + +jobs: + build-clang: + runs-on: ubuntu-20.04 + steps: + - uses: actions/checkout@v2 + - name: configure + run: CC=clang-11 ./configure --enable-fatal-warnings + - name: make + run: make + scan-build: + runs-on: ubuntu-20.04 + steps: + - uses: actions/checkout@v2 + - name: install clang-tools-11 + run: sudo apt-get install clang-tools-11 + - name: configure + run: CC=clang-11 ./configure --enable-fatal-warnings + - name: scan-build + run: NO_EXTRA_CFLAGS="yes" scan-build-11 --status-bugs make + cppcheck: + runs-on: ubuntu-20.04 + steps: + - uses: actions/checkout@v2 + - name: install cppcheck + run: sudo apt-get install cppcheck + - name: cppcheck + run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance . diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 00000000000..141e4316884 --- /dev/null +++ b/.github/workflows/build.yml 
@@ -0,0 +1,35 @@ +name: Build CI + +on: + push: + branches: [ master ] + paths-ignore: + - CONTRIBUTING.md + - README + - README.md + - RELNOTES + - SECURITY.md + pull_request: + branches: [ master ] + paths-ignore: + - CONTRIBUTING.md + - README + - README.md + - RELNOTES + - SECURITY.md + +jobs: + build_and_test: + runs-on: ubuntu-20.04 + steps: + - uses: actions/checkout@v2 + - name: install dependencies + run: sudo apt-get install gcc-11 libapparmor-dev libselinux1-dev expect xzdec + - name: configure + run: CC=gcc-11 ./configure --enable-fatal-warnings --enable-analyzer --enable-apparmor --enable-selinux --prefix=/usr + - name: make + run: make + - name: make install + run: sudo make install + - name: run tests + run: SHELL=/bin/bash make test-github diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml new file mode 100644 index 00000000000..4476963b5ed --- /dev/null +++ b/.github/workflows/codeql-analysis.yml 
@@ -0,0 +1,75 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +name: "CodeQL" + +on: + push: + branches: [ master ] + paths-ignore: + - CONTRIBUTING.md + - README + - README.md + - RELNOTES + - SECURITY.md + - 'etc/**' + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + paths-ignore: + - CONTRIBUTING.md + - README + - README.md + - RELNOTES + - SECURITY.md + - 'etc/**' + schedule: + - cron: '0 7 * * 2' + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + + strategy: + fail-fast: false + matrix: + language: [ 'cpp', 'python' ] + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ] + # Learn more: + # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v1 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + # queries: ./path/to/local/query, your-org/your-repo/queries@main + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v1 + + # ℹ️ Command-line programs to run using the OS shell. 
+ # 📚 https://git.io/JvXDl + + # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines + # and modify them (or add more) to build your code if your project + # uses a compiled language + + #- run: | + # make bootstrap + # make release + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v1 diff --git a/.github/workflows/sort.yml b/.github/workflows/sort.yml new file mode 100644 index 00000000000..cfa40d2d2db --- /dev/null +++ b/.github/workflows/sort.yml @@ -0,0 +1,21 @@ +name: sort.py + +on: + push: + branches: [ master ] + paths: + - 'etc/**' + - 'contrib/sort.py' + pull_request: + branches: [ master ] + paths: + - 'etc/**' + - 'contrib/sort.py' + +jobs: + profile-sort: + runs-on: ubuntu-20.04 + steps: + - uses: actions/checkout@v2 + - name: check profiles + run: ./contrib/sort.py etc/*/{*.inc,*.profile} diff --git a/.gitignore b/.gitignore index 39380446bf1..ace86f218cd 100644 --- a/.gitignore +++ b/.gitignore @@ -6,7 +6,10 @@ *.rpm *.gcda *.gcno +*.DS_Store .directory +*.man +.vscode Makefile autom4te.cache/ config.log @@ -19,10 +22,13 @@ firejail-users.5 firejail.1 firemon.1 firecfg.1 +jailcheck.1 +mkdeb.sh src/firejail/firejail src/firemon/firemon src/firecfg/firecfg src/ftee/ftee +src/fids/fids src/tags src/faudit/faudit src/fnet/fnet @@ -33,7 +39,10 @@ src/fsec-optimize/fsec-optimize src/fcopy/fcopy src/fldd/fldd src/fbuilder/fbuilder -etc/profstats +src/profstats/profstats +src/bash_completion/firejail.bash_completion +src/zsh_completion/_firejail +src/jailcheck/jailcheck uids.h seccomp seccomp.debug diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 2205c796ce9..03e18d26934 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -9,7 +9,7 @@ build_ubuntu_package: image: ubuntu:rolling script: - apt-get update -qq - - apt-get install -y -qq build-essential lintian pkg-config python3 + - DEBIAN_FRONTEND=noninteractive apt-get install -y -qq build-essential lintian pkg-config python3 gawk - ./configure --prefix=/usr && make deb && dpkg -i firejail*.deb - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc @@ -17,15 +17,15 @@ build_debian_package: image: debian:stretch script: - apt-get update -qq - - apt-get install -y -qq build-essential lintian pkg-config + - apt-get install -y -qq build-essential lintian pkg-config gawk - ./configure --prefix=/usr && make deb && dpkg -i firejail*.deb -#build_redhat_package: -# image: centos:latest -# script: -# - yum update -y -# - yum install -y rpm-build gcc make -# - ./configure --prefix=/usr && make rpms && yum install -y firejail*.rpm +build_redhat_package: + image: centos:latest + script: + - dnf update -y + - dnf install -y rpm-build gcc make + - ./configure --prefix=/usr && make rpms && rpm -i firejail*.rpm build_fedora_package: image: fedora:latest @@ -40,7 +40,7 @@ build_src_package: script: - apk update - apk upgrade - - apk add build-base linux-headers python3 + - apk add build-base linux-headers python3 gawk - ./configure --prefix=/usr && make && make install-strip # - python3 contrib/sort.py etc/*.{profile,inc} 
@@ -48,16 +48,8 @@ build_apparmor: image: ubuntu:latest script: - apt-get update -qq - - apt-get install -y -qq build-essential lintian libapparmor-dev pkg-config - - ./configure --prefix=/usr && make deb-apparmor && dpkg -i firejail-apparmor*.deb - -cppcheck: - image: debian:latest - before_script: - - apt-get -qq update - - apt-get -qq --no-install-recommends install cppcheck - script: - - cppcheck -q --force --error-exitcode=1 --enable=warning,performance . + - DEBIAN_FRONTEND=noninteractive apt-get install -y -qq build-essential lintian libapparmor-dev pkg-config gawk + - ./configure --prefix=/usr && make deb-apparmor && dpkg -i firejail*.deb debian_ci: image: registry.salsa.debian.org/salsa-ci-team/ci-image-git-buildpackage:latest @@ -75,10 +67,12 @@ debian_ci: - cd $CI_PROJECT_DIR/.. && (apt-get source --download-only -t experimental firejail || apt-get source --download-only firejail) - cd $CI_PROJECT_DIR && tar xf ../firejail_*.debian.tar.* - rm -rf debian/patches/ + # next line is a temporary fix for dh_missing failure; remove it after next release + - echo "etc/firejail/*.config" >> debian/firejail.install - VERSION=$(grep ^PACKAGE_VERSION= configure | cut -d"'" -f2) && dch -v ${VERSION}-0.1~ci "Non-maintainer upload." && git archive -o ../firejail_${VERSION}.orig.tar.gz HEAD && pristine-tar commit ../firejail_${VERSION}.orig.tar.gz ci_build && git branch -m pristine-tar origin/pristine-tar - git add debian && git commit -m "add debian/" - export CI_COMMIT_SHA=$(git rev-parse HEAD) script: - - apt-get --no-install-recommends install pkg-config + - apt-get --no-install-recommends install -y -qq gawk - gitlab-ci-git-buildpackage - gitlab-ci-lintian diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index f1590aaa27e..00000000000 --- a/.travis.yml +++ /dev/null 
@@ -1,12 +0,0 @@ -language: c -dist: trusty -sudo: true - -script: - - sudo apt-get -y install expect csh xzdec lintian fakeroot - - ( ./configure --enable-fatal-warnings --prefix=/usr && make && sudo make install && make test-travis ) - - ( sudo make install-strip DESTDIR=$(readlink -f appdir) ) -# # If successful, build release tarball -# - ( cd appdir/ ; tar cfvj ../firejail-build$TRAVIS_BUILD_NUMBER.tar.bz2 . ) -# - curl --upload-file ./firejail-*.tar.bz2 https://transfer.sh/firejail-build$TRAVIS_BUILD_NUMBER.tar.bz2 -# - # Could use https://github.com/probonopd/uploadtool to upload to GitHub Releases instead diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 07a9eef04be..0f868d6c47e 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -25,7 +25,7 @@ ensure that **both** of the following were installed: firejail-profiles was not installed when installing firejail. We take security bugs very seriously. If you believe you have found one, please report it by -emailing us at netblue30@yahoo.com +emailing us at netblue30@protonmail.com # Opening an pull request: Pull requests with enhancements, bugfixes or new profiles are very welcome. @@ -34,6 +34,13 @@ If you want to write a new profile, the easiest way to do this is to use the [profile template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template). If you have already written a profile, please make sure it follows the rules described in the template. +If you add a new command, here's the checklist: + + - [ ] Update manpages: firejail(1) and firejail-profile(5) + - [ ] Update shell completions + - [ ] Update vim syntax files + - [ ] Update --help + # Editing the wiki You are highly encouraged to add your own tips and tricks to the [wiki](https://github.com/netblue30/firejail/wiki). diff --git a/COPYING b/COPYING index b6e1c33e049..d159169d105 100644 --- a/COPYING +++ b/COPYING 
@@ -1,12 +1,12 @@ - GNU GENERAL PUBLIC LICENSE - Version 2, June 1991 + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 - Copyright (C) 1989, 1991 Free Software Foundation, Inc. - 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. - Preamble + Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public @@ -15,7 +15,7 @@ software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by -the GNU Library General Public License instead.) You can apply it to +the GNU Lesser General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not @@ -55,8 +55,8 @@ patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. - - GNU GENERAL PUBLIC LICENSE + + GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains @@ -110,7 +110,7 @@ above, provided that you also meet all of these conditions: License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) - + These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in 
@@ -168,7 +168,7 @@ access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. - + 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is @@ -225,7 +225,7 @@ impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. - + 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License @@ -255,7 +255,7 @@ make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. - NO WARRANTY + NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN 
@@ -277,4 +277,63 @@ YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. - END OF TERMS AND CONDITIONS + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. 
+ +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. diff --git a/Makefile.in b/Makefile.in index c488cffa5d8..c94d8c7a460 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -10,23 +10,31 @@ VERSION=@PACKAGE_VERSION@ NAME=@PACKAGE_NAME@ PACKAGE_TARNAME=@PACKAGE_TARNAME@ DOCDIR=@docdir@ -HAVE_SECCOMP=@HAVE_SECCOMP@ HAVE_APPARMOR=@HAVE_APPARMOR@ HAVE_CONTRIB_INSTALL=@HAVE_CONTRIB_INSTALL@ BUSYBOX_WORKAROUND=@BUSYBOX_WORKAROUND@ HAVE_SUID=@HAVE_SUID@ +HAVE_MAN=@HAVE_MAN@ -all: all_items man filters -APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon -SBOX_APPS = src/faudit/faudit src/fbuilder/fbuilder src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter src/ftee/ftee -MYDIRS = src/lib src/profstats +ifneq ($(HAVE_MAN),no) +MAN_TARGET = man +MAN_SRC = src/man +endif + +COMPLETIONDIRS = src/zsh_completion src/bash_completion + +.PHONY: all +all: all_items mydirs $(MAN_TARGET) filters +APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck +SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee src/fids/fids +SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter +MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS) MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so -MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 -ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP) -SBOX_APPS += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp +COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion +MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1 +SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32 -endif -ALL_ITEMS = $(APPS) $(SBOX_APPS) $(MYLIBS) +ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS) .PHONY: all_items $(ALL_ITEMS) all_items: 
$(ALL_ITEMS) @@ -38,29 +46,39 @@ mydirs: $(MYDIRS) $(MYDIRS): $(MAKE) -C $@ -$(MANPAGES): $(wildcard src/man/*.txt) - ./mkman.sh $(VERSION) src/man/$(basename $@).txt $@ +$(MANPAGES): src/man + ./mkman.sh $(VERSION) src/man/$(basename $@).man $@ man: $(MANPAGES) -filters: $(SECCOMP_FILTERS) $(SBOX_APPS) -ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP) -$(SECCOMP_FILTERS): $(SBOX_APPS) +filters: $(SECCOMP_FILTERS) $(SBOX_APPS_NON_DUMPABLE) +seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize src/fseccomp/fseccomp default seccomp src/fsec-optimize/fsec-optimize seccomp + +seccomp.debug: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize src/fseccomp/fseccomp default seccomp.debug allow-debuggers src/fsec-optimize/fsec-optimize seccomp.debug + +seccomp.32: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize src/fseccomp/fseccomp secondary 32 seccomp.32 src/fsec-optimize/fsec-optimize seccomp.32 + +seccomp.block_secondary: src/fseccomp/fseccomp src/fseccomp/fseccomp secondary block seccomp.block_secondary + +seccomp.mdwx: src/fseccomp/fseccomp src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx + +seccomp.mdwx.32: src/fseccomp/fseccomp src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32 -endif +.PHONY: clean clean: for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \ $(MAKE) -C $$dir clean; \ done + $(MAKE) -C test clean rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm rm -f $(SECCOMP_FILTERS) rm -f test/utils/index.html* 
@@ -75,76 +93,82 @@ clean: rm -f test/sysutils/firejail_t* cd test/compile; ./compile.sh --clean; cd ../.. +.PHONY: distclean distclean: clean for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \ $(MAKE) -C $$dir distclean; \ done - rm -fr Makefile autom4te.cache config.log config.status config.h src/common.mk + $(MAKE) -C test distclean + rm -fr Makefile autom4te.cache config.log config.status config.h src/common.mk mkdeb.sh realinstall: # firejail executable - install -m 0755 -d $(DESTDIR)/$(bindir) - install -c -m 0755 src/firejail/firejail $(DESTDIR)/$(bindir)/. + install -m 0755 -d $(DESTDIR)$(bindir) + install -m 0755 src/firejail/firejail $(DESTDIR)$(bindir) ifeq ($(HAVE_SUID),yes) - chmod u+s $(DESTDIR)/$(bindir)/firejail + chmod u+s $(DESTDIR)$(bindir)/firejail endif # firemon executable - install -c -m 0755 src/firemon/firemon $(DESTDIR)/$(bindir)/. + install -m 0755 src/firemon/firemon $(DESTDIR)$(bindir) # firecfg executable - install -c -m 0755 src/firecfg/firecfg $(DESTDIR)/$(bindir)/. + install -m 0755 src/firecfg/firecfg $(DESTDIR)$(bindir) + # jailcheck executable + install -m 0755 src/jailcheck/jailcheck $(DESTDIR)$(bindir) # libraries and plugins - install -m 0755 -d $(DESTDIR)/$(libdir)/firejail - install -m 0644 -t $(DESTDIR)/$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config - install -m 0755 -t $(DESTDIR)/$(libdir)/firejail $(SBOX_APPS) + install -m 0755 -d $(DESTDIR)$(libdir)/firejail + install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config + install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS) + # plugins w/o read permission (non-dumpable) + install -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE) + install -m 0711 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh ifeq ($(HAVE_CONTRIB_INSTALL),yes) - install -c -m 0755 contrib/fix_private-bin.py $(DESTDIR)/$(libdir)/firejail/. 
- install -c -m 0755 contrib/fjclip.py $(DESTDIR)/$(libdir)/firejail/. - install -c -m 0755 contrib/fjdisplay.py $(DESTDIR)/$(libdir)/firejail/. - install -c -m 0755 contrib/fjresize.py $(DESTDIR)/$(libdir)/firejail/. - install -c -m 0755 contrib/fj-mkdeb.py $(DESTDIR)/$(libdir)/firejail/. - install -c -m 0755 contrib/sort.py $(DESTDIR)/$(libdir)/firejail/. - install -c -m 0755 contrib/syscalls.sh $(DESTDIR)/$(libdir)/firejail/. - install -c -m 0644 contrib/vim/ftdetect/firejail.vim $(datarootdir)/vim/vimfiles/ftdetect/. - install -c -m 0644 contrib/vim/syntax/firejail.vim $(datarootdir)/vim/vimfiles/syntax/. + # contrib scripts + install -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/*.py contrib/*.sh + # vim syntax + install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect + install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax + install -m 0644 contrib/vim/ftdetect/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect + install -m 0644 contrib/vim/syntax/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax endif # documents - install -m 0755 -d $(DESTDIR)/$(DOCDIR) - install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/. - install -c -m 0644 README $(DESTDIR)/$(DOCDIR)/. - install -c -m 0644 RELNOTES $(DESTDIR)/$(DOCDIR)/. - install -c -m 0644 etc/templates/* $(DESTDIR)/$(DOCDIR)/. - # etc files + install -m 0755 -d $(DESTDIR)$(DOCDIR) + install -m 0644 -t $(DESTDIR)$(DOCDIR) COPYING README RELNOTES etc/templates/* + # profiles and settings + install -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail + install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config etc/ids.config + sh -c "if [ ! 
-f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" ifeq ($(BUSYBOX_WORKAROUND),yes) - ./mketc.sh + ./mketc.sh $(DESTDIR)$(sysconfdir)/firejail/disable-common.inc endif - install -m 0755 -d $(DESTDIR)/$(sysconfdir)/firejail - install -m 0644 -t $(DESTDIR)/$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config - sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;" ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR) # install apparmor profile sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;" - install -c -m 0644 etc/apparmor/firejail-default $(DESTDIR)/$(sysconfdir)/apparmor.d/. + install -m 0644 etc/apparmor/firejail-default $(DESTDIR)$(sysconfdir)/apparmor.d sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;" # install apparmor profile customization file - sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-local ]; then install -c -m 0644 etc/apparmor/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/.; fi;" + sh -c "if [ ! 
-f $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default ]; then install -c -m 0644 etc/apparmor/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default; fi;" endif +ifneq ($(HAVE_MAN),no) # man pages - install -m 0755 -d $(DESTDIR)/$(mandir)/man1 - install -m 0755 -d $(DESTDIR)/$(mandir)/man5 + install -m 0755 -d $(DESTDIR)$(mandir)/man1 $(DESTDIR)$(mandir)/man5 for man in $(MANPAGES); do \ rm -f $$man.gz; \ gzip -9n $$man; \ case "$$man" in \ - *.1) install -c -m 0644 $$man.gz $(DESTDIR)/$(mandir)/man1/; ;; \ - *.5) install -c -m 0644 $$man.gz $(DESTDIR)/$(mandir)/man5/; ;; \ + *.1) install -m 0644 $$man.gz $(DESTDIR)$(mandir)/man1/; ;; \ + *.5) install -m 0644 $$man.gz $(DESTDIR)$(mandir)/man5/; ;; \ esac; \ done rm -f $(MANPAGES) $(MANPAGES:%=%.gz) +endif # bash completion - install -m 0755 -d $(DESTDIR)/$(datarootdir)/bash-completion/completions - install -c -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail - install -c -m 0644 src/bash_completion/firemon.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon - install -c -m 0644 src/bash_completion/firecfg.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg + install -m 0755 -d $(DESTDIR)$(datarootdir)/bash-completion/completions + install -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail + install -m 0644 src/bash_completion/firemon.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon + install -m 0644 src/bash_completion/firecfg.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg + # zsh completion + install -m 0755 -d $(DESTDIR)$(datarootdir)/zsh/site-functions + install -m 0644 src/zsh_completion/_firejail $(DESTDIR)$(datarootdir)/zsh/site-functions/ install: all $(MAKE) realinstall 
@@ -154,26 +178,29 @@ install-strip: all $(MAKE) realinstall uninstall: - rm -f $(DESTDIR)/$(bindir)/firejail - rm -f $(DESTDIR)/$(bindir)/firemon - rm -f $(DESTDIR)/$(bindir)/firecfg - rm -fr $(DESTDIR)/$(libdir)/firejail - rm -fr $(DESTDIR)/$(datarootdir)/doc/firejail + rm -f $(DESTDIR)$(bindir)/firejail + rm -f $(DESTDIR)$(bindir)/firemon + rm -f $(DESTDIR)$(bindir)/firecfg + rm -fr $(DESTDIR)$(libdir)/firejail + rm -fr $(DESTDIR)$(libdir)/jailcheck + rm -fr $(DESTDIR)$(datarootdir)/doc/firejail for man in $(MANPAGES); do \ - rm -f $(DESTDIR)/$(mandir)/man5/$$man*; \ - rm -f $(DESTDIR)/$(mandir)/man1/$$man*; \ + rm -f $(DESTDIR)$(mandir)/man5/$$man*; \ + rm -f $(DESTDIR)$(mandir)/man1/$$man*; \ done - rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail - rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon - rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg - @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)/$(sysconfdir)/firejail', see #2038." + rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail + rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon + rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg + @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038." 
-DISTFILES = "src etc m4 platform contrib configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkdeb-apparmor.sh COPYING README RELNOTES" -DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils test/chroot" +DISTFILES = "src etc m4 platform contrib configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh.in COPYING README RELNOTES" +DISTFILES_TEST = "test/Makefile.in test/apps test/apps-x11 test/apps-x11-xorg test/root test/private-lib test/fnetfilter test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils test/chroot" dist: mv config.status config.status.old + mv mkdeb.sh mkdeb.sh.old make distclean + mv mkdeb.sh.old mkdeb.sh mv config.status.old config.status rm -fr $(NAME)-$(VERSION) $(NAME)-$(VERSION).tar.xz mkdir -p $(NAME)-$(VERSION)/test @@ -187,16 +214,16 @@ dist: asc:; ./mkasc.sh $(VERSION) deb: dist - ./mkdeb.sh $(NAME) $(VERSION) + ./mkdeb.sh deb-apparmor: dist - ./mkdeb-apparmor.sh $(NAME) $(VERSION) + ./mkdeb.sh -apparmor test-compile: dist cd test/compile; ./compile.sh $(NAME)-$(VERSION) .PHONY: rpms -rpms: +rpms: src/man ./platform/rpm/mkrpm.sh $(NAME) $(VERSION) extras: all 
@@ -208,96 +235,59 @@ cppcheck: clean scan-build: clean NO_EXTRA_CFLAGS="yes" scan-build make - # # make test # +TESTS=profiles private-lib apps apps-x11 apps-x11-xorg sysutils utils environment filters fs fcopy fnetfilter +TEST_TARGETS=$(patsubst %,test-%,$(TESTS)) -test-profiles: - cd test/profiles; ./profiles.sh | grep TESTING - -test-private-lib: - cd test/private-lib; ./private-lib.sh | grep TESTING - -test-apps: - cd test/apps; ./apps.sh | grep TESTING - -test-apps-x11: - cd test/apps-x11; ./apps-x11.sh | grep TESTING - -test-apps-x11-xorg: - cd test/apps-x11-xorg; ./apps-x11-xorg.sh | grep TESTING - -test-sysutils: - cd test/sysutils; ./sysutils.sh | grep TESTING - -test-utils: - cd test/utils; ./utils.sh | grep TESTING - -test-environment: - cd test/environment; ./environment.sh | grep TESTING - -test-filters: -ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP) - cd test/filters; ./filters.sh | grep TESTING -endif - -test-arguments: - cd test/arguments; ./arguments.sh | grep TESTING - -test-fs: - cd test/fs; ./fs.sh | grep TESTING - -test-fcopy: - cd test/fcopy; ./fcopy.sh | grep TESTING - -test-fnetfilter: - cd test/fnetfilter; ./fnetfilter.sh | grep TESTING +$(TEST_TARGETS): + $(MAKE) -C test $(subst test-,,$@) -test: test-profiles test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments +test: test-profiles test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters echo "TEST COMPLETE" -test-noprofiles: test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments +test-noprofiles: test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters echo "TEST COMPLETE" -test-travis: 
test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-filters test-arguments +test-github: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment echo "TEST COMPLETE" ########################################## # Individual tests, some of them require root access -# The tests are very intrussive, by the time you are done +# The tests are very intrusive, by the time you are done # with them you will need to restart your computer. ########################################## # a firejail-test account is required, public/private key setup test-ssh: - cd test/ssh; ./ssh.sh | grep TESTING + $(MAKE) -C test $(subst test-,,$@) # requires root access test-chroot: - cd test/chroot; ./chroot.sh | grep testing + $(MAKE) -C test $(subst test-,,$@) # Huge appimage files, not included in "make dist" archive test-appimage: - cd test/appimage; ./appimage.sh | grep TESTING + $(MAKE) -C test $(subst test-,,$@) # Root access, network devices are created before the test # restart your computer to get rid of these devices test-network: - cd test/network; ./network.sh | grep TESTING + $(MAKE) -C test $(subst test-,,$@) # requires the same setup as test-network test-stress: - cd test/stress; ./stress.sh | grep TESTING + $(MAKE) -C test $(subst test-,,$@) -# Tesets running a root user +# Tests running a root user test-root: - cd test/root; su -c ./root.sh | grep TESTING + $(MAKE) -C test $(subst test-,,$@) # OverlayFS is not available on all platforms test-overlay: - cd test/overlay; ./overlay.sh | grep TESTING + $(MAKE) -C test $(subst test-,,$@) # For testing hidepid system, the command to set it up is "mount -o remount,rw,hidepid=2 /proc" diff --git a/README b/README index 48683ed8af9..3f8eb6136c2 100644 --- a/README +++ b/README 
@@ -1,21 +1,23 @@ -Firejail is a SUID sandbox program that reduces the risk of security -breaches by restricting the running environment of untrusted applications +Firejail is a SUID sandbox program that reduces the risk of security +breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It includes sandbox profiles for Iceweasel/Mozilla Firefox, Chromium, Midori, Opera, Evince, Transmission, VLC, Audacious, Clementine, Rhythmbox, Totem, Deluge, qBittorrent. DeaDBeeF, Dropbox, Empathy, FileZilla, IceCat, Thunderbird/Icedove, Pidgin, Quassel, and XChat. -Firejail also expands the restricted shell facility found in bash by adding -Linux namespace support. It supports sandboxing specific users upon login. +Firejail also expands the restricted shell facility found in bash by adding +Linux namespace support. It supports sandboxing specific users upon login. Download: https://sourceforge.net/projects/firejail/files/ Build and install: ./configure && make && sudo make install Documentation and support: https://firejail.wordpress.com/ +Video Channel: https://www.youtube.com/channel/UCi5u-syndQYyOeV4NZ04hNA +Backup Video Channel: https://www.bitchute.com/profile/JSBsA1aoQVfW/ Development: https://github.com/netblue30/firejail License: GPL v2 - +Please report all security vulnerabilities at netblue30@protonmail.com Compile and install mainline version from GitHub: @@ -27,12 +29,12 @@ On Debian/Ubuntu you will need to install git and gcc compiler. AppArmor development libraries and pkg-config are required when using --apparmor ./configure option: -$ sudo apt-get install git build-essential libapparmor-dev pkg-config +$ sudo apt-get install git build-essential libapparmor-dev pkg-config gawk For --selinux option, add libselinux1-dev (libselinux-devel for Fedora). Maintainer: -- netblue30 (netblue30@yahoo.com) +- netblue30 (netblue30@protonmail.com) Committers - chiraag-nataraj (https://github.com/chiraag-nataraj) 
@@ -40,16 +42,19 @@ Committers - curiosityseeker (https://github.com/curiosityseeker) - glitsj16 (https://github.com/glitsj16) - Fred-Barclay (https://github.com/Fred-Barclay) +- Kelvin M. Klann (https://github.com/kmk3) - Kristóf Marussy (https://github.com/kris7t) +- Neo00001 (https://github.com/Neo00001) +- pirate486743186 (https://github.com/pirate486743186) - Reiner Herrmann (https://github.com/reinerh - Debian/Ubuntu maintainer) - rusty-snake (https://github.com/rusty-snake) -- smithsohu (https://github.com/smitsohu) +- smitsohu (https://github.com/smitsohu) - SkewedZeppelin (https://github.com/SkewedZeppelin) - startx2017 (https://github.com/startx2017) - LTS and *bugfixes branches maintainer) - Topi Miettinen (https://github.com/topimiettinen) - veloute (https://github.com/veloute) - Vincent43 (https://github.com/Vincent43) -- netblue30 (netblue30@yahoo.com) +- netblue30 (netblue30@protonmail.com) @@ -63,13 +68,23 @@ Firejail Authors (alphabetical order) - fix flameshot raw screenshots 1dnrr (https://github.com/1dnrr) - add pybitmessage profile +a1346054 (https://github.com/a1346054) + - add missing final newlines in various files +Ádler Jonas Gross (https://github.com/adgross) + - AppArmor fix Adrian L. Shaw (https://github.com/adrianlshaw) - add profanity profile - add barrirer profile Aidan Gauland (https://github.com/aidalgol) - - added electron and riot-web profiles + - added electron, riot-web and npm profiles + - whitelist Bohemia Interactive config dir for Steam Akhil Hans Maulloo (https://github.com/kouul) - xz profile +Albin Kauffmann (https://github.com/albinou) + - Firefox and Chromium profile fixes + - info to allow screen sharing in profiles +Alex Leahu (https://github.com/alxjsn) + - fix screen sharing configuration on Wayland Alexey Kuznetsov (kuznet@ms2.inr.ac.ru) - src/lib/libnetlink.c extracted from iproute2 software package Aleksey Manevich (https://github.com/manevich) 
@@ -97,6 +112,9 @@ Alexander Stein (https://github.com/ajstein) - added profile for qutebrowser Amin Vakil (https://github.com/aminvakil) - whois profile fix + - added profile for strawberry + - w3m profile fix + - disable seccomp in wireshark profile Andreas Hunkeler (https://github.com/Karneades) - Add profile for offical Linux Teams application Andrey Alekseenko (https://github.com/al42and) @@ -110,6 +128,8 @@ announ (https://github.com/announ) - mpv and youtube-dl profile fixes - git profile fix - evince profile fix +Anton Shestakov (https://github.com/antonv6) + - add whitelist items for uim Antonio Russo (https://github.com/aerusso) - enumerate root directories in apparmor profile - fix join-or-start @@ -118,6 +138,8 @@ Antonio Russo (https://github.com/aerusso) - manpage fixes aoand (https://github.com/aoand) - seccomp fix: allow numeric syscalls +Arne Welzel (https://github.com/awelzel) + - ignore SIGTTOU during flush_stdin() Atrate (https://github.com/Atrate) - BetterDiscord support Austin Morton (https://github.com/apmorton) 
@@ -142,18 +164,32 @@ avoidr (https://github.com/avoidr) - added mcabber profile - fixed mpv profile - various other fixes +backspac (https://github.com/backspac) + - firecfg fixes + - add steam-runtime alias Bader Zaidan (https://github.com/BaderSZ) - Telegram profile Bandie (https://github.com/Bandie) - fixed riot-desktop Barış Ekin Yıldırım (https://github.com/circuitshaker) - removing net none from code.profile +Bart Bakker (https://github.com/bjpbakker) + - multimc5: fix exec of LWJGL libraries +bbhtt (https://github.com/bbhtt) + - improvements to balsa,fractal,gajim,trojita profiles + - improvements to nheko, spectral, feh, links, lynx, smplayer profiles + - added alacarte, com.github.bleakgrey.tootle, photoflare profiles + - add profiles for MS Edge dev build for Linux and Librewolf + - fixes to cheese, authenticator, liferea + - add profile for straw-viewer + - email clients whitelisting and fixes Benjamin Kampmann (https://github.com/ligthyear) - Forward exit code from child process bitfreak25 (https://github.com/bitfreak25) - added PlayOnLinux profile - minetest profile fix - added sylpheed profile + bn0785ac (https://github.com/bn0785ac) - fixed bnox, dnox profiles - support all tor-browser langpacks @@ -165,12 +201,18 @@ BogDan Vatra (https://github.com/bog-dan-ro) - zoom profile Brad Ackerman - blacklist Bitwarden config in disable-passwdmgr.inc +briaeros (https://github.com/briaeros) + - fix command test in jail_prober.py +botherer (https://github.com/botherder) + - add CoyIM profile Bruno Nova (https://github.com/brunonova) - whitelist fix - bash arguments fix Bundy01 (https://github.com/Bundy01) - fixup geary - add gradio profile + - update virtualbox.profile + - Quodlibet profile BytesTuner (https://github.com/BytesTuner) - provided keepassxc profile caoliver (https://github.com/caoliver) 
@@ -178,10 +220,14 @@ caoliver (https://github.com/caoliver) Carlo Abelli (https://github.com/carloabelli) - fixed udiskie profile - Allow mbind syscall for GIMP + - fixed simple-scan Cat (https://github.com/ecat3) - prevent tmux connecting to an existing session +cayday (https://github.com/caydey) + - added ~/Private blacklist in disable-common.inc Christian Pinedo (https://github.com/chrpinedo) - added nicotine profile + - allow python3 in totem profile creideiki (https://github.com/creideiki) - make the sandbox process reap all children - tor browser profile fix @@ -199,10 +245,13 @@ Clayton Williams (https://github.com/gosre) corecontingency (https://https://github.com/corecontingency) - tighten private-bin and etc for torbrowser-launcher.profile - added i2prouter profile + - add several games to steam and disable-programs crass (https://github.com/crass) - extract_command_name fixes - update appimage size calculation to newest code from libappimage - firejail should look for processes with names exactly named +croket (https://github.com/crocket) + - fix librewolf profile curiosity-seeker (https://github.com/curiosity-seeker - old) curiosityseeker (https://github.com/curiosityseeker - new) - tightening unbound and dnscrypt-proxy profiles 
@@ -235,10 +284,18 @@ Danil Semelenov (https://github.com/sgtpep) Dara Adib (https://github.com/daradib) - ssh profile fix - evince profile fix + - linphone profile fix +Dario Pellegrini (https://github.com/dpellegr) + - allowing links in netns David Thole (https://github.com/TheDarkTrumpet) - added profile for teams-for-linux Davide Beatrici (https://github.com/davidebeatrici) - steam.profile: correctly blacklist unneeded directories in user's home + - minetest fixes + - map /dev/input with "--private-dev", add "--no-input" option to disable it + - whitelist /usr/share/TelegramDesktop in telegram.profile +David Hyrule (https://github.com/Svaag) + - remove nou2f in ssh profile Deelvesh Bunjun (https://github.com/DeelveshBunjun) - added xpdf profile Denys Havrysh (https://github.com/vutny) @@ -250,6 +307,7 @@ dewbasaur (https://github.com/dewbasaur) - Steam profile DiGitHubCap (https://github.com/DiGitHubCap) - deluge profile fix + - fix qt5ct colour schemes and QSS Disconnect3d (https://github.com/disconnect3d) - code cleanup dmfreemon (https://github.com/dmfreemon) @@ -266,6 +324,8 @@ Eduard Tolosa (https://github.com/Edu4rdSHL) - fixed gajim.profile emacsomancer (https://github.com/emacsomancer) - added profile for Conkeror browser +Emil Gedda (https://github.com/EmilGedda) + - fix multicast CIDR address in nolocal.net eventyrer (https://github.com/eventyrer) - update gnome-mplayer.profile Ethan R (https://github.com/AN3223) @@ -275,10 +335,13 @@ Fabian Würfl (https://github.com/BafDyce) - Liferea profile Felipe Barriga Richards (https://github.com/fbarriga) - --private-etc fix +fenuks (https://github.com/fenuks) + - fix sound in games using FMOD Florian Begusch (https://github.com/florianbegusch) - (la)tex profiles - fixed transmission-common.profile - fixed standardnotes-desktop.profile + - fix jailprober.py floxo (https://github.com/floxo) - fixed qml disk cache issue Franco (nextime) Lanza (https://github.com/nextime) 
@@ -388,14 +451,22 @@ hamzadis (https://github.com/hamzadis) - added --overlay-named=name and --overlay-path=path Hans-Christoph Steiner (https://github.com/eighthave) - added xournal profile +Harald Kubota (https://github.com/haraldkubota) + - zsh completion hawkey116477 (https://github.com/hawkeye116477) - added Waterfox profile - updated Cyberfox profile - updated Waterfox profile Helmut Grohne (https://github.com/helmutg) - compiler support in the build system - Debian bug #869707 +hhzek0014 (https://github.com/hhzek0014) + - updated bibletime.profile +hlein (https://github.com/hlein) + - strip out \r's from jail prober Holger Heinz (https://github.com/hheinz) - manpage work +Haowei Yu (https://github.com/sfc-gh-hyu) + - add configure options when building rpm Icaro Perseo (https://github.com/icaroperseo) - Icecat profile - several profile fixes @@ -407,11 +478,15 @@ Impyy (https://github.com/Impyy) - added mumble profile intika (https://github.com/intika) - added musixmatch profile +irandms (https://github.com/irandms) + - man firecfg fixes irregulator (https://github.com/irregulator) - thunderbird profile fixes for debian stretch Irvine (https://github.com/Irvinehimself) - added conky profile - added ping, bsdtar, makepkg (Arch), archaudit-report, cower (Arch) profiles +Ivan (https://github.com/ordinary-dev) + - fix telegram profile Ivan Kozik (https://github.com/ivan) - speed up sandbox exit Jaykishan Mutkawoa (https://github.com/jmutkawoa) 
@@ -421,6 +496,10 @@ James Elford (https://github.com/jelford) - removed shell none from ssh-agent configuration, fixing the infinite loop - added gcloud profile - blacklist sensitive cloud provider files in disable-common +Jan-Niclas (https://github.com/0x6a61) + - moved rules from firefox-common.profile to firefox.profile + - blacklist /*firefox* except for firefox itself + - fix Firefox 'Profile not found' - whitelist /run/user/xxx/firefox Jean Lucas (https://github.com/flacks) - fix Discord profile - add AnyDesk profile @@ -439,6 +518,9 @@ Jean Lucas (https://github.com/flacks) - allow reading of system-wide Flatpak locale in gajim profile Jean-Philippe Eisenbarth (https://github.com/jpeisenbarth) - fixed spotify.profile +Jeff Squyres (https://github.com/jsquyres) + - various manpage fixes + - cmdline.c: optionally quote the resulting command line Jericho (https://github.com/attritionorg) - spelling Jesse Smith (https://github.com/slicer69) @@ -454,6 +536,7 @@ John Mullee (https://github.com/jmullee) Jonas Heinrich (https://github.com/onny) - added signal-desktop profile - fixed franz profile + - remove /etc/hosts is_link check for NixOS Jose Riha (https://github.com/jose1711) - added meteo-qt profile - created qgis, links, xlinks profiles @@ -463,6 +546,7 @@ Jose Riha (https://github.com/jose1711) - Add davfs2 secrets file to blacklist - Add profile for udiskie - fix udiskie.profile + - improve hints for allowing browser access to Gnome extensions connector jrabe (https://github.com/jrabe) - disallow access to kdbx files - Epiphany profile @@ -475,6 +559,8 @@ juan (https://github.com/nyancat18) - profile hardening Kaan Genç (https://github.com/SeriousBug) - dynamic allocation of noblacklist buffer +Karoshi42 (https://github.com/karoshi42) + - update dino-im.profile KellerFuchs (https://github.com/KellerFuchs) - nonewpriv support, extended profiles for this feature - make `restricted-network` prevent use of netfilter 
@@ -483,14 +569,33 @@ KellerFuchs (https://github.com/KellerFuchs) - added support for .local profile files in /etc/firejail - fixed Cryptocat profile - make ~/.local read-only +Kelvin (https://github.com/kmk3) + - disable ldns utilities, dnssec-*, khost, unbound-host + - sort DNS / RUNUSER paths + - improve bug_report.md + - fix keypassxc + - blacklist oksh shell in disable-shell.inc Kishore96in (https://github.com/Kishore96in) - added falkon profile + - kxmlgui fixes + - okular profile fixes + - jitsi-meet-desktop profile + - konversatin profile fix + - added Neochat profile + - added whitelist-1793-workaround.inc KOLANICH (https://github.com/KOLANICH) - added symlink fixer fix_private-bin.py in contrib section - update fix_private-bin.py - fix meld +kortewegdevries (https://github.com/kortewegdevries) + - a whole bunch of new profiles and fixes + - whitelisting evolution, kmail Kristóf Marussy (https://github.com/kris7t) - dns support +kuesji koesnu (https://github.com/kuesji) + - unit suffixes for rlimit-fsize and rlimit-as + - util.c and firejail.h fixes + - better parser for size strings Kunal Mehta (https://github.com/legoktm) - converted all links to https in manpages laniakea64 (https://github.com/laniakea64) 
@@ -501,16 +606,26 @@ Laurent Declercq (https://github.com/nuxwin) - fixed test for shell interpreter in chroots LaurentGH (https://github.com/LaurentGH) - allow private-bin parameters to be absolute paths +lecso7 (https://github.com/lecso7) + - added goldendict profile + - allow evince to read .cbz file format Loïc Damien (https://github.com/dzamlo) - small fixes Liorst4 (https://github.com/Liorst4) - Preserve CFLAGS given to configure in common.mk.in + - fix emacs config to load as read-write + - disable browser drm by default + - minetest fixes Lockdis (https://github.com/Lockdis) - Added crow, nyx, and google-earth-pro profiles Lukáš Krejčí (https://github.com/lskrejci) - fixed parsing of --keep-var-tmp luzpaz (https://github.com/luzpaz) - code spelling fixes +lxeiqr (https://github.com/lxeiqr) + - fix sndio support +Mace Muilman (https://github.com/mace015) + - google-chrome{,beta,unstable} flags maces (https://github.com/maces) - Franz messenger profile Madura A (https://github.com/manushanga) @@ -526,12 +641,16 @@ Martin Carpenter (https://github.com/mcarpenter) Martin Dosch (spam-debian@mdosch.de) - support for gnome-shell integration addon in Firefox (Bug-Debian: https://bugs.debian.org/872720) +Martynas Janonis (https://github.com/mjanonis) + - update wrc for Arch Linux Matt Parnell (https://github.com/ilikenwf) - whitelisting for core firefox related functionality Mattias Wadman (https://github.com/wader) - seccomp errno filter support Matthew Gyurgyik (https://github.com/pyther) - rpm spec and several fixes +Matthew Cline (https://github.com/matthew-cline) + - steam profile and dropbox profile fixes matu3ba (https://github.com/matu3ba) - evince hardening, dbus removed - fix dia profile 
@@ -543,32 +662,63 @@ Melvin Vermeeren (https://github.com/melvinvermeeren) - added --noautopulse command line option Michael Haas (https://github.com/mhaas) - bugfixes +Michael Hoffmann (https://github.com/brisad) + - added support for subdirs in private-etc Mike Frysinger (vapier@gentoo.org) - Gentoo compile patch +minus7 (https://github.com/minus7) + - fix hanging arp_check mirabellette (https://github.com/mirabellette) - add comment to thunderbird.profile to allow Firefox to load profiles mjudtmann (https://github.com/mjudtmann) - lock firejail configuration in disable-mgmt.inc mustaqimM (https://github.com/mustaqimM) - - added profile for Nylas Mail + - added profile for Nylas Mail n1trux (https://github.com/n1trux) - fix flashpeak-slimjet profile typos nblock (https://github.com/nblock) - cmus: allow access to resolv.conf +neirenoir (https://github.com/neirenoir) and noir + - fixed Blender profile being unable to import numpy +Neo00001 (https://github.com/Neo00001) + - add vmware profile + - update virtualbox profile + - update telegram profile + - add spectacle profile + - add kdiff3 profile +NetSysFire (https://github.com/NetSysFire) + - update weechat profile Nick Fox (https://github.com/njfox) - add a profile alias for code-oss - add code-oss config directory - fix wire-desktop.profile on arch NickMolloy (https://github.com/NickMolloy) - ARP address length fix +Nico (https://github.com/dr460nf1r3) + - added FireDragon profile +Nicola Davide Mannarelli (https://github.com/nidamanx) + - fix "Could not create AF_NETLINK socket" + - added nextcloud profiles + - Firefox, KeepassXC, Telegram fixes Niklas Haas (https://github.com/haasn) - blacklisting for keybase.io's client Niklas Goerke (https://github.com/Niklas974) - update QOwnNotes profile +Nikos Chantziaras (https://github.com/realnc) + - fix audio support for Discord +nolanl (https://github.com/nolanl) + - added localtime to signal-desktop's profile nyancat18 (https://github.com/nyancat18) - added 
ardour4, dooble, karbon, krita profiles Ondra Nekola (https://github.com/satai) - allow firefox theming with non-global themes +OndrejMalek (https://github.com/OndrejMalek) + - various manpage fixes +Ondřej Nový (https://github.com/onovy) + - allow video for Signal profile + - added Mattermost desktop profile + - hardened Zoom profile + - hardened Signal desktop profile Lorenzo "Palinuro" Faletra (https://github.com/PalinuroSec) - prevent thunderbird conflicts when firefox is running - add join-or-start to pluma to open multiple files in tabs @@ -582,7 +732,7 @@ Patrick Toomey (https://sourceforge.net/u/ptoomey/profile/) Paul Moore -src/fsec-print/print.c extracted from libseccomp software package Paupiah Yash (https://github.com/CaffeinatedStud) - - gzip profile + - gzip profile Pawel (https://github.com/grimskies) - make --join return exit code of the invoked program Peter Millerchip (https://github.com/pmillerchip) @@ -605,6 +755,8 @@ Petter Reinholdtsen (pere@hungry.com) PharmaceuticalCobweb (https://github.com/PharmaceuticalCobweb) - fix quiterss profile - added profile for gnome-ring +pholodniak (https://github.com/pholodniak) + - profstats fixes pianoslum (https://github.com/pianoslum) - nodbus breaking evince two-page-view warning pirate486743186 (https://github.com/pirate486743186) 
@@ -612,6 +764,18 @@ pirate486743186 (https://github.com/pirate486743186) - mpsyt profile - fix youtube-dl and mpv - fix gnome-mpv profile + - fix gunzip profile + - reorganizing youtube-viewers + - fix pluma profile + - whitelist /var/lib/aspell + - mcomix fixes + - fixing engrampa profile + - adding qcomicbook and pipe-viewer in disable-programs + - newsboat/newsbeuter profiles + - fix atril profile + - reorganizing links browsers + - added rtv, alpine, mcomix, qcomicbook, googler, ddgr profiles + - w3m, zahura, profile.template fixes Pixel Fairy (https://github.com/xahare) - added fjclip.py, fjdisplay.py and fjresize.py in contrib section PizzaDude (https://github.com/pizzadude) @@ -645,8 +809,14 @@ Rahiel Kasim (https://github.com/rahiel) - added telegram-desktop profile Rahul Golam (https://github.com/technoLord) - strings profile +RandomVoid (https://github.com/RandomVoid) + - fix building C# projects in Godot + - fix Lutris profile + - fix running games with enabled Feral GameMode in Lutris Raphaël Droz (https://github.com/drzraf) - zoom profile fixes +realaltffour (https://github.com/realaltffour) + - add lynx support to newsboat profile Reiner Herrmann (https://github.com/reinerh) - a number of build patches - man page fixes @@ -666,6 +836,8 @@ RD PROJEKT (https://github.com/RDProjekt) - support AMD GPU by OpenCL in Blender rogshdo (https://github.com/rogshdo) - BitlBee profile +rootalc (https://github.com/rootalc) + - add nolocal6.net filter Ruan (https://github.com/ruany) - fixed hexchat profile rusty-snake (https://github.com/rusty-snake) @@ -682,6 +854,8 @@ rusty-snake (https://github.com/rusty-snake) - some typo fixes - added profile templates - added sort.py to contrib +sak96 (https://github.com/sak96) + - discord profile fixes Salvo 'LtWorf' Tomaselli (https://github.com/ltworf) - fixed ktorrent profile sarneaud (https://github.com/sarneaud) 
@@ -696,6 +870,8 @@ Senemu (https://github.com/Senemu) Sergey Alirzaev (https://github.com/l29ah) - firejail.h enum fix - firefox-common-addons.inc: + tridactyl +Slava Monich (https://github.com/monich) + - added configure option to disable man pages Tobias Schmidl (https://github.com/schtobia) - added profile for webui-aria2 Simon Peter (https://github.com/probonopd) @@ -706,7 +882,11 @@ Simon Peter (https://github.com/probonopd) sinkuu (https://github.com/sinkuu) - blacklisting kwalletd - fix symlink invocation for programs placing symlinks in $PATH -smithsohu (https://github.com/smitsohu) +Simo Piiroinen (https://github.com/spiiroin) + - Jolla/SailfishOS patches +slowpeek (https://github.com/slowpeek) + - refine appimage example in docs +smitsohu (https://github.com/smitsohu) - read-only kde4 services directory - enhanced mediathekview profile - added tuxguitar profile @@ -724,7 +904,7 @@ soredake (https://github.com/soredake) - fix handling of STEAM_RUNTIME_PREFER_HOST_LIBRARIES in steam profile - fix keepassxc.profile - fix qtox.profile - - add ocaltime to private-etc to make qtox show correct time + - add localtime to private-etc to make qtox show correct time - fixes for the keepassxc 2.2.5 version SkewedZeppelin (https://github.com/SkewedZeppelin) - added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5 profiles @@ -780,7 +960,7 @@ SYN-cook (https://github.com/SYN-cook) - gnome-calculator changes startx2017 (https://github.com/startx2017) - syscall list update - - updated default seccomp filters - added bpf, clock_settime, personality, process_vm_writev, query_module, + - updated default seccomp filters - added bpf, clock_settime, personality, process_vm_writev, query_module, settimeofday, stime, umount, userfaultfd, ustat, vm86, and vm86old - enable/disable join support in /etc/firejail/firejail.config - firecfg fix: create ~/.local/share/applications directory if it doesn't exist 
@@ -821,6 +1001,8 @@ Tom Mellor (https://github.com/kalegrill) - mupen64plus profile Tomasz Jan Góralczyk (https://github.com/tjg) - fixed Steam profile +Tomi Leppänen (https://github.com/Tomin1) + - Jolla/SailfishOS patches Topi Miettinen (https://github.com/topimiettinen) - improved seccomp printing - improve mount handling, fix /run/user handling @@ -829,6 +1011,11 @@ Topi Miettinen (https://github.com/topimiettinen) - improve loading of seccomp filter and memory-deny-write-execute feature - private-lib feature - make --nodbus block also system D-Bus socket +Ted Robertson (https://github.com/tredondo) + - webstorm profile fixes + - added bcompare profile + - various documentation fixes + - blacklist Exodus wallet user1024 (user1024@tut.by) - electron profile whitelisting - fixed Rocket.Chat profile @@ -884,7 +1071,7 @@ vismir2 (https://github.com/vismir2) - feh, ranger, 7z, keepass, keepassx and zathura profiles - claws-mail, mutt, git, emacs, vim profiles - lots of profile fixes - - support for truecrypt and zuluCrypt + - support for truecrypt and zuluCrypt viq (https://github.com/viq) - discord-canary profile Vladimir Gorelov (https://github.com/larkvirtual) @@ -892,9 +1079,16 @@ Vladimir Gorelov (https://github.com/larkvirtual) Vladimir Schowalter (https://github.com/VladimirSchowalter20) - apparmor profile enhancements - various KDE profile enhancements - read-only kde5 services directory + - read-only kde5 services directory +Vladislav Nepogodin (https://github.com/vnepogodin) + - added Librewolf profiles + - added Sway profile + - fix CLion profile + - fixes for disable-programs.inc xee5ch (https://github.com/xee5ch) - skypeforlinux profile +Ypnose (https://github.com/Ypnose) + - disable-shell.inc: add mksh shell yumkam (https://github.com/yumkam) - add compile-time option to restrict --net= to root only - man page fixes 
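Review bot: the `Ted Robertson (https://github.com/tredondo)` block is inserted after `Topi Miettinen`, which breaks the alphabetical run the surrounding entries keep (Tom Mellor, Tomasz Jan Góralczyk, Tomi Leppänen, Topi Miettinen); move it ahead of `Tom Mellor` so the section stays sorted, as the `Tomi Leppänen` insertion in the same hunk correctly does.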
@@ -917,4 +1111,7 @@ Zack Weinberg (https://github.com/zackw) with firejail --x11 - support for xpra-extra-params in firejail.config -Copyright (C) 2014-2020 Firejail Authors +zupatisc (https://github.com/zupatisc) + - patch-util fix + +Copyright (C) 2014-2021 Firejail Authors diff --git a/README.md b/README.md index c6226438546..0623d946305 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,7 @@ # Firejail -[![Test Status](https://travis-ci.org/netblue30/firejail.svg?branch=master)](https://travis-ci.org/netblue30/firejail) [![Build Status](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines/) +[![CodeQL](https://github.com/netblue30/firejail/workflows/CodeQL/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodeQL) +[![Build CI](https://github.com/netblue30/firejail/workflows/Build%20CI/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3A%22Build+CI%22) [![Packaging status](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions) Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting @@ -21,21 +22,21 @@ implemented directly in Linux kernel and available on any Linux computer. @@ -43,13 +44,19 @@ alt="Firejail Intro video" width="240" height="180" border="10" />
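Review bot: the security advisory block added to README.md says `Fix: The bug is fixed in Firejail version 0.9.64.4`, but the referenced commit touches configure.ac, and the 0.9.64.4 RELNOTES entry in this same change reads `disabled overlayfs, pending multiple fixes (CVE-2021-26910)`; the README should say the same thing (overlayfs is compiled out in 0.9.64.4 as a mitigation, not that the OverlayFS code is fixed) and should carry the CVE identifier so readers can correlate it with distribution advisories. Two smaller points in the same block: the `Summary:` sentence ends in a comma instead of a full stop, and the runtime workaround (`overlayfs no` in /etc/firejail/firejail.config) only helps on versions where that config key exists, which is worth stating next to `Versions affected: ... starting with 0.9.30`.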
Debian In +
-
Firejail Intro
+
Firejail Intro

Firejail Demo
+alt="Firejail Demo" width="240" height="180" border="10" />
Firejail Demo

Debian Install
+alt="Debian Install" width="240" height="180" border="10" />
Debian Install

Arch Linux Install
+alt="Arch Linux Install" width="240" height="180" border="10" />
Arch Linux Install

Disable Network Access
+alt="Disable Network Access" width="240" height="180" border="10" />
Disable Network Access + +
+
Firejail Security Deep Dive
@@ -66,32 +73,71 @@ FAQ: https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions Wiki: https://github.com/netblue30/firejail/wiki -Travis-CI status: https://travis-ci.org/netblue30/firejail - GitLab-CI status: https://gitlab.com/Firejail/firejail_ci/pipelines/ +Video Channel: https://www.youtube.com/channel/UCi5u-syndQYyOeV4NZ04hNA + +Backup Video Channel: https://www.bitchute.com/profile/JSBsA1aoQVfW/ ## Security vulnerabilities -We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@yahoo.com +We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@protonmail.com + +````` +Security Advisory - Feb 8, 2021 + +Summary: A vulnerability resulting in root privilege escalation was discovered in +Firejail's OverlayFS code, + +Versions affected: Firejail software versions starting with 0.9.30. +Long Term Support (LTS) Firejail branch is not affected by this bug. + +Workaround: Disable overlayfs feature at runtime. +In a text editor open /etc/firejail/firejail.config file, and set "overlayfs" entry to "no". + + $ grep overlayfs /etc/firejail/firejail.config + # Enable or disable overlayfs features, default enabled. + overlayfs no + +Fix: The bug is fixed in Firejail version 0.9.64.4 + +GitHub commit: (file configure.ac) +https://github.com/netblue30/firejail/commit/97d8a03cad19501f017587cc4e47d8418273834b + +Credit: Security researcher Roman Fiedler analyzed the code and discovered the vulnerability. +Functional PoC exploit code was provided to Firejail development team. +A description of the problem is here on Roman's blog: + +https://unparalleled.eu/publications/2021/advisory-unpar-2021-0.txt +https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-local-root/ +````` + +## Installing + +Try installing Firejail from your system packages first. 
Firejail is included in Alpine, ALT Linux, Arch, Artix, Chakra, Debian, Deepin, Devuan, Fedora, Gentoo, Manjaro, Mint, NixOS, Parabola, Parrot, PCLinuxOS, ROSA, Solus, Slackware/SlackBuilds, Trisquel, Ubuntu, Void and possibly others. + +The firejail 0.9.52-LTS version is deprecated. On Ubuntu 18.04 LTS users are advised to use the [PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail). On Debian buster we recommend to use the [backports](https://packages.debian.org/buster-backports/firejail) package. + +You can also install one of the [released packages](http://sourceforge.net/projects/firejail/files/firejail), or clone Firejail’s source code from our Git repository and compile manually: -## Compile and install ````` $ git clone https://github.com/netblue30/firejail.git $ cd firejail $ ./configure && make && sudo make install-strip ````` On Debian/Ubuntu you will need to install git and gcc compiler. AppArmor -development libraries and pkg-config are required when using --apparmor +development libraries and pkg-config are required when using `--apparmor` ./configure option: ````` -$ sudo apt-get install git build-essential libapparmor-dev pkg-config +$ sudo apt-get install git build-essential libapparmor-dev pkg-config gawk ````` -For --selinux option, add libselinux1-dev (libselinux-devel for Fedora). +For `--selinux` option, add libselinux1-dev (libselinux-devel for Fedora). + +Detailed information on using firejail from git is available on the [wiki](https://github.com/netblue30/firejail/wiki/Using-firejail-from-git). ## Running the sandbox -To start the sandbox, prefix your command with “firejail”: +To start the sandbox, prefix your command with `firejail`: ````` $ firejail firefox # starting Mozilla Firefox 
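Review bot: `gawk` is appended to the `apt-get install` line, but the sentence introducing that line still says the extra packages are needed "when using `--apparmor`"; per the configure changes in this same diff, gawk is probed and required whenever man pages are built, which is the default unless `--disable-man` is given. Suggest a separate sentence such as "gawk is required to build the man pages (default; pass `--disable-man` to ./configure to skip them)" so users who never enable AppArmor do not skip the package and then hit the `*** gawk not found ***` configure error.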
@@ -99,7 +145,7 @@ $ firejail transmission-gtk # starting Transmission BitTorrent $ firejail vlc # starting VideoLAN Client $ sudo firejail /etc/init.d/nginx start ````` -Run "firejail --list" in a terminal to list all active sandboxes. Example: +Run `firejail --list` in a terminal to list all active sandboxes. Example: ````` $ firejail --list 1617:netblue:/usr/bin/firejail /usr/bin/firefox-esr 
@@ -142,49 +188,83 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir You can also use this tool to get a list of syscalls needed by a program: [contrib/syscalls.sh](contrib/syscalls.sh). We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory. + +## Latest released version: 0.9.66 + +## Current development version: 0.9.67 + +Milestone page: https://github.com/netblue30/firejail/milestone/1 +Release discussion: https://github.com/netblue30/firejail/issues/3696 + +Moving from whitelist/blacklist to allow/deny is under way! We are still open to other options, so it might change! + +The old whitelist/blacklist will remain as aliasses for the next one or two releases +in order to give users a chance to switch their local profiles. +The latest discussion on this issue is here: https://github.com/netblue30/firejail/issues/4379 + +### Intrusion Detection System ### + +We are adding IDS capabilities in the next release. We have the list of files in [/etc/firejail/ids.config](https://github.com/netblue30/firejail/blob/master/etc/ids.config), +and we generate a [BLAKE2](https://en.wikipedia.org/wiki/BLAKE_%28hash_function%29) checksum in /var/lib/firejail/username.ids. +The program runs as regular user, each user has his own file in /var/lib/firejail. + +Initialize the database: +````` +$ firejail --ids-init +Loading /etc/firejail/ids.config config file +500 1000 1500 2000 +2457 files scanned +IDS database initialized ````` +Later, we check it: ````` -## Latest released version: 0.9.62 +$ firejail --ids-check +Loading /etc/firejail/ids.config config file +500 1000 1500 +Warning: modified /home/netblue/.bashrc +2000 +2457 files scanned: modified 1, permissions 0, new 0, removed 0 +````` +The program will print the files that have been modified since the database was created, or the files with different access permissions. 
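Review bot: the new Intrusion Detection System section says `The program runs as regular user, each user has his own file in /var/lib/firejail` but never states who owns or can write `/var/lib/firejail/username.ids`; if the database is writable by the same unprivileged user, any compromised process running as that user can simply re-run `--ids-init` or edit the file, so the check cannot detect tampering by that attacker. Please document the ownership and mode of the per-user file and say explicitly which threat the user-level mode is meant for, and point users who want integrity against a compromised account at the root-run variant the text mentions later. Also, in the paragraph above: `aliasses` should be `aliases`, and the `Milestone page:` and `Release discussion:` lines need a blank line or trailing double space between them, or Markdown will render them as one line.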
+New files and deleted files are also flagged. -## Current development version: 0.9.63 +Currently while scanning the file system symbolic links are not followed, and files the user doesn't have read access to are silently dropped. +The program can also be run as root (sudo firejail --ids-init/--ids-check). ### Profile Statistics -A small tool to print profile statistics. Compile as usual and run: -````` -$ make -$ cd etc +A small tool to print profile statistics. Compile as usual and run in /etc/profiles: +``` +$ sudo cp src/profstats/profstats /etc/firejail/. +$ cd /etc/firejail $ ./profstats *.profile - profiles 966 - include local profile 966 (include profile-name.local) - include globals 966 (include globals.local) - blacklist ~/.ssh 951 (include disable-common.inc) - seccomp 908 - capabilities 965 - noexec 830 (include disable-exec.inc) - memory-deny-write-execute 214 - apparmor 488 - private-bin 483 - private-dev 829 - private-etc 366 - private-tmp 726 - whitelist var 638 (include whitelist-var-common.inc) - whitelist run/user 282 (include whitelist-runuser-common.inc + profiles 1150 + include local profile 1150 (include profile-name.local) + include globals 1120 (include globals.local) + blacklist ~/.ssh 1026 (include disable-common.inc) + seccomp 1050 + capabilities 1146 + noexec 1030 (include disable-exec.inc) + noroot 959 + memory-deny-write-execute 253 + apparmor 681 + private-bin 667 + private-dev 1009 + private-etc 523 + private-tmp 883 + whitelist home directory 547 + whitelist var 818 (include whitelist-var-common.inc) + whitelist run/user 616 (include whitelist-runuser-common.inc or blacklist ${RUNUSER}) - whitelist usr/share 275 (include whitelist-usr-share-common.inc - net none 313 -````` - -Run ./profstats -h for help. 
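Review bot: the Profile Statistics text says "run in /etc/profiles" while the commands below it do `cd /etc/firejail`; the directory in the prose should match the command. Copying the freshly built binary into `/etc/firejail/.` with sudo just to run it is also odd for a statistics tool (it leaves an unpackaged root-owned binary in a config directory); running it in place, e.g. `src/profstats/profstats /etc/firejail/*.profile`, avoids that and needs no sudo. Two smaller points: this block switches to three-backtick fences while the rest of README.md uses five, and "files the user doesn't have read access to are silently dropped" would be more useful if the scan printed a count of skipped files so an unexpectedly small `files scanned` total is explainable.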
+ whitelist usr/share 591 (include whitelist-usr-share-common.inc + net none 391 + dbus-user none 641 + dbus-user filter 105 + dbus-system none 792 + dbus-system filter 7 +``` ### New profiles: -gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et, -multimc, gnome-hexgl, com.github.johnfactotum.Foliate, desktopeditors, impressive, mupdf-gl, mupdf-x11, mupdf-x11-curl, -muraster, mutool, planmaker18, planmaker18free, presentations18, presentations18free, textmaker18, textmaker18free, teams, xournal, -gnome-screenshot, ripperX, sound-juicer, iagno, com.github.dahenson.agenda, gnome-pomodoro, gnome-todo, kmplayer, -penguin-command, x2goclient, frogatto, gnome-mines, gnome-nibbles, lightsoff, ts3client_runscript.sh, warmux, ferdi, abiword, -four-in-a-row, gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin, gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars, -hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless, mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers, -seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more, swell-foop, fdns, jitsi-meet-desktop, nicontine, steam-runtime +clion-eap, lifeograph, io.github.lainsce.Notejot, rednotebook, zim, microsoft-edge-beta, ncdu2, gallery-dl, yt-dlp diff --git a/RELNOTES b/RELNOTES index 12ca15b48ae..f52ce09f149 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -1,5 +1,78 @@ -firejail (0.9.63) baseline; urgency=low +firejail (0.9.67) baseline; urgency=low * work in progress + * deprecated --disable-whitelist at compile time + * deprecated whitelist=yes/no in /etc/firejail/firejail.config + * remove (some) environment variables with auth-tokens + * new includes: whitelist-run-common.inc, disable-X11.inc + * removed includes: disable-passwordmgr.inc + * new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim + * new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl + * new profiles: yt-dlp + -- netblue30 Thu, 29 Jul 2021 09:00:00 -0500 + +firejail (0.9.66) baseline; urgency=low + * deprecated --audit options, relpaced by jailcheck utility + * deprecated follow-symlink-as-user from firejail.config + * new firejail.config settings: private-bin, private-etc + * new firejail.config settings: private-opt, private-srv + * new firejail.config settings: whitelist-disable-topdir + * new firejail.config settings: seccomp-filter-add + * removed kcmp syscall from seccomp default filter + * rename --noautopulse to keep-config-pulse + * filtering environment variables + * zsh completion + * command line: --mkdir, --mkfile + * --protocol now accumulates + * Jolla/SailfishOS patches + * private-lib rework + * whitelist rework + * jailtest utility for testing running sandboxes + * capabilities list update + * faccessat2 syscall support + * --private-dev keeps /dev/input + * added --noinput to disable /dev/input + * add support for subdirs in --private-etc + * compile time: --enable-force-nonewprivs + * compile time: --disable-output + * compile time: --enable-lts + * subdirs support in private-etc + * input devices support in private-dev, --no-input + * support trailing comments on profile lines + * new profiles: vmware-view, display-im6.q16, ipcalc, ipcalc-ng + * ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop, + * avidemux, calligragemini, vmware-player, vmware-workstation + * gget, 
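Review bot: in the 0.9.66 entry, `relpaced` should be `replaced`, and several bullets duplicate each other with inconsistent spelling: `add support for subdirs in --private-etc` and `subdirs support in private-etc` describe the same feature, and `--private-dev keeps /dev/input` plus `added --noinput to disable /dev/input` are restated as `input devices support in private-dev, --no-input`, where `--no-input` and `--noinput` cannot both be the option name. Keep one bullet per feature with the option spelled as the code accepts it. The `rename --noautopulse to keep-config-pulse` bullet is also missing the leading `--` on the new name if it is a command-line option.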
com.github.phase1geo.minder, nextcloud-desktop, pcsxr + * PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, sum + * bcompare, b2sum, cksum, md5sum, sha1sum, sha224sum, sha256sum + * sha384sum, sha512sum, librewold-nightly, Quodlibet, tmux, sway + * alienarena, alienarena-wrapper, ballbuster, ballbuster-wrapper, + * colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium, + * glaxium-wrapper, pinball, pinball-wrapper, etr-wrapper, firedragon + * neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, neochat, + * cargo, LibreCAD, blobby, funnyboat, pipe-viewer, gtk-pipe-viewer + * links2, xlinks2, googler, ddgr, tin + -- netblue30 Mon, 28 Jun 2021 09:00:00 -0500 + +firejail (0.9.64.4) baseline; urgency=low + * disabled overlayfs, pending multiple fixes (CVE-2021-26910) + -- netblue30 Sun, 7 Feb 2021 09:00:00 -0500 + +firejail (0.9.64.2) baseline; urgency=low + * allow --tmpfs inside $HOME for unprivileged users + * --disable-usertmpfs compile time option + * allow AF_BLUETOOTH via --protocol=bluetooth + * Setup guide for new users: contrib/firejail-welcome.sh + * implement netns in profiles + * added nolocal6.net IPv6 network filter + * new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer + * new profiles: gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer + * new profiles: straw-viewer, lutris, dolphin-emu, authenticator-rs, servo + * new profiles: npm, marker, yarn, lsar, unar, agetpkg, mdr, shotwell, qnapi + * new profiles: guvcview, pkglog, kdiff3, CoyIM + -- netblue30 Tue, 26 Jan 2021 09:00:00 -0500 + +firejail (0.9.64) baseline; urgency=low + * replaced --nowrap option with --wrap in firemon * The blocking action of seccomp filters has been changed from killing the process to returning EPERM to the caller. To get the previous behaviour, use --seccomp-error-action=kill or 
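Review bot: `librewold-nightly` in the 0.9.66 profile list looks like a typo for `librewolf-nightly` (the credits hunk in this same change says `added Librewolf profiles`). Otherwise the 0.9.64.4 entry, `disabled overlayfs, pending multiple fixes (CVE-2021-26910)`, is the accurate description of the change and should be the wording reused in README.md, which currently calls the bug "fixed".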
@@ -7,14 +80,19 @@ firejail (0.9.63) baseline; urgency=low /etc/firejail/firejail.config file. * Fine-grained D-Bus sandboxing with xdg-dbus-proxy. xdg-dbus-proxy must be installed, if not D-Bus access will be allowed. - With this version Nodbus is deprecated, in favor of dbus-user none and + With this version nodbus is deprecated, in favor of dbus-user none and dbus-system none and will be removed in a future version. * DHCP client support + * firecfg only fix dektop-files if started with sudo * SELinux labeling support * custom 32-bit seccomp filter support * restrict ${RUNUSER} in several profiles + * blacklist shells such as bash in several profiles * whitelist globbing * mkdir and mkfile support for /run/user directory + * support ignore for include + * --include on the command line + * splitting up media players whitelists in whitelist-players.inc * new condition: HAS_NOSOUND * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl 
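Review bot: `firecfg only fix dektop-files if started with sudo` should read `desktop-files`. Since this hunk is already editing the D-Bus paragraph (`Nodbus` to `nodbus`), it is worth sharpening the context line just above it, `xdg-dbus-proxy must be installed, if not D-Bus access will be allowed`: that is a fail-open condition, so the release note should say plainly that `dbus-user filter` / `dbus-system filter` profile lines degrade to unrestricted D-Bus when the proxy binary is absent, so packagers know to declare the dependency and users know to verify it is installed.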
@@ -32,9 +110,21 @@ firejail (0.9.63) baseline; urgency=low * new profiles: hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless * new profiles: mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers * new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski - * new profiles: swell-foop, fdns, five-or-more, steam-runtime, jitsi-meet-desktop - * new profiles: nicontine - -- netblue30 Tue, 21 Apr 2020 08:00:00 -0500 + * new profiles: swell-foop, fdns, five-or-more, steam-runtime + * new profiles: nicotine, plv, mocp, apostrophe, quadrapassel, dino-im + * new profiles: hitori, bijiben, gnote, gnubik, ZeGrapher, xonotic-sdl-wrapper + * new profiles: gapplication, openarena_ded, element-desktop, cawbird + * new profiles: freetube, strawberry, jitsi-meet-desktop + * new profiles: homebank, mattermost-desktop, newsflash, com.gitlab.newsflash + * new profiles: sushi, xfce4-screenshooter, org.gnome.NautilusPreviewer, lyx + * new profiles: minitube, nuclear, mtpaint, minecraft-launcher, gnome-calendar + * new profiles: vmware, git-cola, otter-browser, kazam, menulibre, musictube + * new profiles: onboard, fractal, mirage, quaternion, spectral, man, psi + * new profiles: smuxi-frontend-gnome, balsa, kube, trojita, youtube + * new profiles: youtubemusic-nativefier, cola, dbus-send, notify-send + * new profiles: qrencode, ytmdesktop, twitch + * new profiles: xournalpp, chromium-freeworld, equalx + -- netblue30 Wed, 21 Oct 2020 08:00:00 -0500 firejail (0.9.62) baseline; urgency=low * added file-copy-limit in /etc/firejail/firejail.config 
@@ -476,7 +566,7 @@ firejail (0.9.44) baseline; urgency=low * feature: disable 3D hardware acceleration (--no3d) * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands * feature: move files in sandbox (--put) - * feature: accept wildcard patterns in user name field of restricted + * feature: accept wildcard patterns in user name field of restricted shell login feature * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape * new profiles: feh, ranger, zathura, 7z, keepass, keepassx, @@ -518,7 +608,7 @@ firejail (0.9.42) baseline; urgency=low * compile time: disable whitelisting (--disable-whitelist) * compile time: disable global config (--disable-globalcfg) * run time: enable/disable overlayfs (overlayfs yes/no) - * run time: enable/disable quiet as default (quiet-by-default yes/no) + * run time: enable/disable quiet as default (quiet-by-default yes/no) * run time: user-defined network filter (netfilter-default) * run time: enable/disable whitelisting (whitelist yes/no) * run time: enable/disable remounting of /proc and /sys @@ -616,7 +706,7 @@ firejail (0.9.38) baseline; urgency=low -- netblue30 Tue, 2 Feb 2016 10:00:00 -0500 firejail (0.9.36) baseline; urgency=low - * added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat, + * added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat, parole and rtorrent profiles * Google Chrome profile rework * added google-chrome-stable profile diff --git a/SECURITY.md b/SECURITY.md index 883f915ed28..ef9b9b5fbed 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -2,23 +2,25 @@ ## Supported Versions -| Version | Supported by us | EOL | Supported by distribution | -| ------- | ------------------ | ---- | --------------------------- -| 0.9.62 | :heavy_check_mark: | | :white_check_mark: Debian 11 (testing/unstable), 10 **backports**; Ubuntu 20.04 -| 0.9.60 | :x: | | :white_check_mark: Ubuntu 19.10 -| 0.9.58 | :x: | | :white_check_mark: Debian 9 **backports**, 10 -| 0.9.56 | :x: | 27 Jan 2019 | -| 0.9.54 | :x: | 18 Sep 2018 | -| 0.9.52 | :x: | | :white_check_mark: Ubuntu 18.04 LTS -| 0.9.50 | :x: | 12 Dec 2017 | -| 0.9.48 | :x: | 09 Sep 2017 | -| 0.9.46 | :x: | 12 Jun 2017 | -| 0.9.44 | :x: | | :white_check_mark: Debian 9 -| 0.9.42 | :x: | 22 Oct 2016 | -| 0.9.40 | :x: | 09 Sep 2016 | -| 0.9.38 | :x: | | :white_check_mark: Ubuntu 16.04 LTS -| <0.9.38 | :x: | Before 05 Feb 2016 | +| Version | Supported by us | EOL | Supported by distribution | +| ------- | ------------------ | ------------------ | --------------------------------------------------------------------------------- | +| 0.9.66 | :heavy_check_mark: | | :white_check_mark: Debian 11 **backports**, Debian 12 (testing/unstable) | +| 0.9.64 | :x: | | :white_check_mark: Debian 10 **backports**, Debian 11, Ubuntu 21.04, Ubuntu 21.10 | +| 0.9.62 | :x: | | :white_check_mark: Ubuntu 20.04 LTS, Ubuntu 20.10 | +| 0.9.60 | :x: | 29 Dec 2019 | | +| 0.9.58 | :x: | | :white_check_mark: Debian 9 **backports**, Debian 10 | +| 0.9.56 | :x: | 27 Jan 2019 | | +| 0.9.54 | :x: | 18 Sep 2018 | | +| 0.9.52 | :x: | | :white_check_mark: Ubuntu 18.04 LTS | +| 0.9.50 | :x: | 12 Dec 2017 | | +| 0.9.48 | :x: | 09 Sep 2017 | | +| 0.9.46 | :x: | 12 Jun 2017 | | +| 0.9.44 | :x: | | :white_check_mark: Debian 9 | +| 0.9.42 | :x: | 22 Oct 2016 | | +| 0.9.40 | :x: | 09 Sep 2016 | | +| 0.9.38 | :x: | | :white_check_mark: Ubuntu 16.04 LTS | +| <0.9.38 | :x: | Before 05 Feb 2016 | | ## Security vulnerabilities -We take security bugs very seriously. 
If you believe you have found one, please report it by emailing us at netblue30@yahoo.com +We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@@protonmail.com diff --git a/configure b/configure index f587bb25efc..33a4ca9fbed 100755 --- a/configure +++ b/configure @@ -1,8 +1,8 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for firejail 0.9.63. +# Generated by GNU Autoconf 2.69 for firejail 0.9.67. # -# Report bugs to . +# Report bugs to . # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -267,10 +267,10 @@ fi $as_echo "$0: be upgraded to zsh 4.3.4 or later." else $as_echo "$0: Please tell bug-autoconf@gnu.org and -$0: netblue30@yahoo.com about your system, including any -$0: error possibly output before this message. Then install -$0: a modern shell, or manually run the script under such a -$0: shell if you do have one." +$0: netblue30@protonmail.com about your system, including +$0: any error possibly output before this message. Then +$0: install a modern shell, or manually run the script +$0: under such a shell if you do have one." fi exit 1 fi @@ -580,9 +580,9 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='firejail' PACKAGE_TARNAME='firejail' -PACKAGE_VERSION='0.9.63' -PACKAGE_STRING='firejail 0.9.63' -PACKAGE_BUGREPORT='netblue30@yahoo.com' +PACKAGE_VERSION='0.9.67' +PACKAGE_STRING='firejail 0.9.67' +PACKAGE_BUGREPORT='netblue30@protonmail.com' PACKAGE_URL='https://firejail.wordpress.com' ac_unique_file="src/firejail/main.c" 
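Review bot: the new SECURITY.md contact address is written as `netblue30@@protonmail.com` with a doubled `@`; README.md and configure in this same change use `netblue30@protonmail.com`. A security reporting address that does not deliver is the one line in this file that must be right, so please fix it and consider deduplicating the address into a single place both files reference.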
@@ -624,29 +624,33 @@ ac_includes_default="\ ac_subst_vars='LTLIBOBJS LIBOBJS -HAVE_SECCOMP_H EGREP GREP CPP -HAVE_SELINUX +HAVE_LTS +HAVE_FORCE_NONEWPRIVS HAVE_CONTRIB_INSTALL HAVE_GCOV BUSYBOX_WORKAROUND HAVE_FATAL_WARNINGS HAVE_SUID -HAVE_WHITELIST HAVE_FILE_TRANSFER HAVE_X11 HAVE_USERNS HAVE_NETWORK HAVE_GLOBALCFG HAVE_CHROOT -HAVE_SECCOMP HAVE_PRIVATE_HOME HAVE_FIRETUNNEL +HAVE_GAWK +HAVE_MAN +HAVE_USERTMPFS +HAVE_OUTPUT HAVE_OVERLAYFS +HAVE_DBUSPROXY EXTRA_LDFLAGS EXTRA_CFLAGS +HAVE_SELINUX HAVE_APPARMOR AA_LIBS AA_CFLAGS @@ -706,24 +710,28 @@ SHELL' ac_subst_files='' ac_user_opts=' enable_option_checking +enable_analyzer enable_apparmor -enable_overlayfs +enable_selinux +enable_dbusproxy +enable_output +enable_usertmpfs +enable_man enable_firetunnel enable_private_home -enable_seccomp enable_chroot enable_globalcfg enable_network enable_userns enable_x11 enable_file_transfer -enable_whitelist enable_suid enable_fatal_warnings enable_busybox_workaround enable_gcov enable_contrib_install -enable_selinux +enable_force_nonewprivs +enable_lts ' ac_precious_vars='build_alias host_alias @@ -1289,7 +1297,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures firejail 0.9.63 to adapt to many kinds of systems. +\`configure' configures firejail 0.9.67 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1351,7 +1359,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of firejail 0.9.63:";; + short | recursive ) echo "Configuration of firejail 0.9.67:";; esac cat <<\_ACEOF 
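Review bot: `HAVE_SECCOMP`, `HAVE_SECCOMP_H` and `enable_seccomp` are removed here alongside `HAVE_WHITELIST` / `enable_whitelist`, which means seccomp can no longer be compiled out, but the RELNOTES in this change only mention `deprecated --disable-whitelist at compile time`; add a matching release note for the removal of `--disable-seccomp` so packagers who pass it see the change rather than a silent unrecognized-option warning. Since `configure` is generated, please also confirm the corresponding configure.ac edits are in the same commit and that the file was regenerated with the same Autoconf (the header still says 2.69) so the two do not drift.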
@@ -1359,11 +1367,15 @@ Optional Features: --disable-option-checking ignore unrecognized --enable/--with options --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) --enable-FEATURE[=ARG] include FEATURE [ARG=yes] + --enable-analyzer enable GCC static analyzer --enable-apparmor enable apparmor - --disable-overlayfs disable overlayfs + --enable-selinux SELinux labeling support + --disable-dbusproxy disable dbus proxy + --disable-output disable --output logging + --disable-usertmpfs disable tmpfs as regular user + --disable-man disable man pages --disable-firetunnel disable firetunnel --disable-private-home disable private home feature - --disable-seccomp disable seccomp --disable-chroot disable chroot --disable-globalcfg if the global config file firejail.cfg is not present, continue the program using defaults @@ -1371,7 +1383,6 @@ Optional Features: --disable-userns disable user namespace --disable-x11 disable X11 sandboxing support --disable-file-transfer disable file transfer - --disable-whitelist disable whitelist --disable-suid install as a non-SUID executable --enable-fatal-warnings -W -Wall -Werror --enable-busybox-workaround @@ -1379,7 +1390,9 @@ Optional Features: --enable-gcov Gcov instrumentation --enable-contrib-install install contrib scripts - --enable-selinux SELinux labeling support + --enable-force-nonewprivs + enable force nonewprivs + --enable-lts enable long-term support software version (LTS) Some influential environment variables: CC C compiler command @@ -1401,7 +1414,7 @@ Some influential environment variables: Use these variables to override the choices made by `configure' or to help it to find libraries and programs with nonstandard names/locations. -Report bugs to . +Report bugs to . firejail home page: . _ACEOF ac_status=$? 
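Review bot: the help string `--enable-force-nonewprivs  enable force nonewprivs` restates the option name and tells the user nothing; state the effect (what is forced and that it overrides profiles or command-line settings). The `--disable-man` line should mention that gawk is only required when man pages are built, since that is the dependency the later gawk probe enforces, and `--enable-lts` should say that it overrides other feature selections, which the LTS block further down does without warning.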
@@ -1465,7 +1478,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -firejail configure 0.9.63 +firejail configure 0.9.67 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1670,9 +1683,9 @@ $as_echo "$as_me: WARNING: $2: see the Autoconf documentation" >&2;} $as_echo "$as_me: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5 $as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;} -( $as_echo "## ---------------------------------- ## -## Report this to netblue30@yahoo.com ## -## ---------------------------------- ##" +( $as_echo "## --------------------------------------- ## +## Report this to netblue30@protonmail.com ## +## --------------------------------------- ##" ) | sed "s/^/$as_me: WARNING: /" >&2 ;; esac @@ -1767,7 +1780,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by firejail $as_me 0.9.63, which was +It was created by firejail $as_me 0.9.67, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3155,7 +3168,7 @@ fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___mindirect_branch_thunk" >&5 $as_echo "$ax_cv_check_cflags___mindirect_branch_thunk" >&6; } if test "x$ax_cv_check_cflags___mindirect_branch_thunk" = xyes; then : - HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -mindirect-branch=thunk" + HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -mindirect-branch=thunk" else : 
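Review bot: replacing `EXTRA_CFLAGS+=" ..."` with `EXTRA_CFLAGS="$EXTRA_CFLAGS ..."` is the right fix: `+=` is a bash extension and `configure` runs under `#! /bin/sh`, so with dash as /bin/sh the old form silently created a variable literally named `EXTRA_CFLAGS+` and dropped the hardening flags. Worth a line in RELNOTES, since it means previous builds on dash-based systems may have shipped without `-mretpoline` / `-fstack-protector-strong`. Unrelated but visible in the same hunks: the result variable is `HAVE_SPECTRE` even for `-fstack-clash-protection` and `-fstack-protector-strong`, which are not Spectre mitigations; a neutral name such as `HAVE_HARDENING` would be clearer.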
@@ -3191,7 +3204,7 @@ fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___mretpoline" >&5 $as_echo "$ax_cv_check_cflags___mretpoline" >&6; } if test "x$ax_cv_check_cflags___mretpoline" = xyes; then : - HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -mretpoline" + HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -mretpoline" else : @@ -3227,7 +3240,7 @@ fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fstack_clash_protection" >&5 $as_echo "$ax_cv_check_cflags___fstack_clash_protection" >&6; } if test "x$ax_cv_check_cflags___fstack_clash_protection" = xyes; then : - HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -fstack-clash-protection" + HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-clash-protection" else : @@ -3263,13 +3276,24 @@ fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fstack_protector_strong" >&5 $as_echo "$ax_cv_check_cflags___fstack_protector_strong" >&6; } if test "x$ax_cv_check_cflags___fstack_protector_strong" = xyes; then : - HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -fstack-protector-strong" + HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-protector-strong" else : fi +# Check whether --enable-analyzer was given. +if test "${enable_analyzer+set}" = set; then : + enableval=$enable_analyzer; +fi + +if test "x$enable_analyzer" = "xyes"; then : + + EXTRA_CFLAGS="$EXTRA_CFLAGS -fanalyzer -Wno-analyzer-malloc-leak" + +fi + HAVE_APPARMOR="" # Check whether --enable-apparmor was given. if test "${enable_apparmor+set}" = set; then : 
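Review bot: the new `--enable-analyzer` block appends `-fanalyzer -Wno-analyzer-malloc-leak` unconditionally, unlike the flags immediately above it which are each probed with an `ax_cv_check_cflags_*` test; on clang or GCC older than 10 the build then fails with an unknown-option error instead of a clean configure-time message. Use the same AX_CHECK_COMPILE_FLAG pattern and only add the flags when the probe succeeds. Also add a comment explaining why `-Wno-analyzer-malloc-leak` is disabled (false positives, presumably); silently turning off one class of analyzer findings in a setuid program deserves a stated reason.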
@@ -3488,26 +3512,131 @@ else AA_LIBS=$pkg_cv_AA_LIBS { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } - EXTRA_CFLAGS+=" $AA_CFLAGS" && EXTRA_LDFLAGS+=" $AA_LIBS" + EXTRA_CFLAGS="$EXTRA_CFLAGS $AA_CFLAGS" && EXTRA_LDFLAGS="$EXTRA_LDFLAGS $AA_LIBS" +fi + + +fi + +HAVE_SELINUX="" +# Check whether --enable-selinux was given. +if test "${enable_selinux+set}" = set; then : + enableval=$enable_selinux; +fi + +if test "x$enable_selinux" = "xyes"; then : + + HAVE_SELINUX="-DHAVE_SELINUX" + EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lselinux " + + fi + + + +HAVE_DBUSPROXY="" +# Check whether --enable-dbusproxy was given. +if test "${enable_dbusproxy+set}" = set; then : + enableval=$enable_dbusproxy; fi +if test "x$enable_dbusproxy" != "xno"; then : + HAVE_DBUSPROXY="-DHAVE_DBUSPROXY" +fi +# overlayfs features temporarily disabled pending fixes HAVE_OVERLAYFS="" -# Check whether --enable-overlayfs was given. -if test "${enable_overlayfs+set}" = set; then : - enableval=$enable_overlayfs; + +# +#AC_ARG_ENABLE([overlayfs], +# AS_HELP_STRING([--disable-overlayfs], [disable overlayfs])) +#AS_IF([test "x$enable_overlayfs" != "xno"], [ +# HAVE_OVERLAYFS="-DHAVE_OVERLAYFS" +# AC_SUBST(HAVE_OVERLAYFS) +#]) + +HAVE_OUTPUT="" +# Check whether --enable-output was given. +if test "${enable_output+set}" = set; then : + enableval=$enable_output; +fi + +if test "x$enable_output" != "xno"; then : + + HAVE_OUTPUT="-DHAVE_OUTPUT" + + +fi + +HAVE_USERTMPFS="" +# Check whether --enable-usertmpfs was given. +if test "${enable_usertmpfs+set}" = set; then : + enableval=$enable_usertmpfs; +fi + +if test "x$enable_usertmpfs" != "xno"; then : + + HAVE_USERTMPFS="-DHAVE_USERTMPFS" + + fi -if test "x$enable_overlayfs" != "xno"; then : +HAVE_MAN="no" +# Check whether --enable-man was given. 
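Review bot: the comment `# overlayfs features temporarily disabled pending fixes` should name CVE-2021-26910, which RELNOTES in this same change cites, so anyone tempted to re-enable the block from the commented-out `AC_ARG_ENABLE` can find the reason. Removing the option entirely also means build scripts that pass `--disable-overlayfs` now get the unrecognized-option warning; keeping `--disable-overlayfs` accepted as a no-op for one release would be friendlier. In the moved SELinux block, `EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lselinux "` is added without any probe for libselinux, whereas the AppArmor block right above uses pkg-config; an `AC_CHECK_LIB([selinux], ...)` would turn a late link failure into a clear configure error.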
+if test "${enable_man+set}" = set; then : + enableval=$enable_man; +fi + +if test "x$enable_man" != "xno"; then : + + HAVE_MAN="-DHAVE_MAN" + + # Extract the first word of "gawk", so it can be a program name with args. +set dummy gawk; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_HAVE_GAWK+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$HAVE_GAWK"; then + ac_cv_prog_HAVE_GAWK="$HAVE_GAWK" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_HAVE_GAWK="yes" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + test -z "$ac_cv_prog_HAVE_GAWK" && ac_cv_prog_HAVE_GAWK="no" +fi +fi +HAVE_GAWK=$ac_cv_prog_HAVE_GAWK +if test -n "$HAVE_GAWK"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $HAVE_GAWK" >&5 +$as_echo "$HAVE_GAWK" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi - HAVE_OVERLAYFS="-DHAVE_OVERLAYFS" + if test "x$HAVE_GAWK" != "xyes"; then : + as_fn_error $? "\"*** gawk not found ***\"" "$LINENO" 5 +fi fi @@ -3535,19 +3664,6 @@ if test "x$enable_private_home" != "xno"; then : HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME" -fi - -HAVE_SECCOMP="" -# Check whether --enable-seccomp was given. -if test "${enable_seccomp+set}" = set; then : - enableval=$enable_seccomp; -fi - -if test "x$enable_seccomp" != "xno"; then : - - HAVE_SECCOMP="-DHAVE_SECCOMP" - - fi HAVE_CHROOT="" 
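Review bot: the overlayfs option is removed outright (`# Check whether --enable-overlayfs was given` and its AC_ARG_ENABLE are deleted/commented) while overlayfs is described as "temporarily disabled pending fixes"; any existing build script passing `--disable-overlayfs` will now hit the unrecognized-options warning at the end of configure. Keeping the AC_ARG_ENABLE as a no-op until the feature returns avoids that. In the same hunk, `--enable-selinux` adds `-lselinux` to EXTRA_LDFLAGS with no header or pkg-config check, unlike AppArmor which uses `$pkg_cv_AA_LIBS`; a missing libselinux-dev surfaces only as a link error late in make. Finally, the gawk failure message `as_fn_error $? "\"*** gawk not found ***\""` embeds literal escaped quotes that will be printed as part of the message; `as_fn_error $? "*** gawk not found ***"` matches the style of the seccomp.h error added later in this patch, and it would help to mention that `--disable-man` skips this requirement.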
@@ -3626,19 +3742,6 @@ if test "x$enable_file_transfer" != "xno"; then : HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER" -fi - -HAVE_WHITELIST="" -# Check whether --enable-whitelist was given. -if test "${enable_whitelist+set}" = set; then : - enableval=$enable_whitelist; -fi - -if test "x$enable_whitelist" != "xno"; then : - - HAVE_WHITELIST="-DHAVE_WHITELIST" - - fi HAVE_SUID="" @@ -3691,7 +3794,7 @@ fi if test "x$enable_gcov" = "xyes"; then : HAVE_GCOV="--coverage -DHAVE_GCOV " - EXTRA_LDFLAGS+=" -lgcov --coverage " + EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lgcov --coverage " fi @@ -3710,20 +3813,80 @@ else fi -HAVE_SELINUX="" -# Check whether --enable-selinux was given. -if test "${enable_selinux+set}" = set; then : - enableval=$enable_selinux; +HAVE_FORCE_NONEWPRIVS="" +# Check whether --enable-force-nonewprivs was given. +if test "${enable_force_nonewprivs+set}" = set; then : + enableval=$enable_force_nonewprivs; fi -if test "x$enable_selinux" = "xyes"; then : +if test "x$enable_force_nonewprivs" = "xyes"; then : - HAVE_SELINUX="-DHAVE_SELINUX" - EXTRA_LDFLAGS+=" -lselinux " + HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS" + + +fi + +HAVE_LTS="" +# Check whether --enable-lts was given. +if test "${enable_lts+set}" = set; then : + enableval=$enable_lts; +fi + +if test "x$enable_lts" = "xyes"; then : + + HAVE_LTS="-DHAVE_LTS" + + + HAVE_DBUSPROXY="" + + + HAVE_OVERLAYFS="" + + + HAVE_OUTPUT="" + + + HAVE_USERTMPFS="" + + + HAVE_MAN="-DHAVE_MAN" + + + HAVE_FIRETUNNEL="" + + + HAVE_PRIVATEHOME="" + + + HAVE_CHROOT="" + + + HAVE_GLOBALCFG="" + + + HAVE_USERNS="" + + + HAVE_X11="" + + + HAVE_FILE_TRANSFER="" + + + HAVE_SUID="yes" + + + BUSYBOX_WORKAROUND="no" + + + HAVE_CONTRIB_INSTALL="no", fi + + + # checking pthread library { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5 $as_echo_n "checking for main in -lpthread... " >&6; } 
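Review bot: two bugs in the new --enable-lts block. `HAVE_CONTRIB_INSTALL="no",` has a trailing comma, so the variable is assigned the string `no,` rather than `no`, and any later `test "x$HAVE_CONTRIB_INSTALL" = "xno"` will not match. `HAVE_PRIVATEHOME=""` does not match the variable used everywhere else in configure (`HAVE_PRIVATE_HOME`, set to `-DHAVE_PRIVATE_HOME` in the hunk above and printed as "private home support"), so LTS mode does not actually disable private-home support as the list suggests. Drop the comma and rename to `HAVE_PRIVATE_HOME=""`.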
@@ -4173,20 +4336,21 @@ fi ac_fn_c_check_header_mongrel "$LINENO" "linux/seccomp.h" "ac_cv_header_linux_seccomp_h" "$ac_includes_default" if test "x$ac_cv_header_linux_seccomp_h" = xyes; then : - HAVE_SECCOMP_H="-DHAVE_SECCOMP_H" + else - HAVE_SECCOMP_H="" + as_fn_error $? "*** SECCOMP support is not installed (/usr/include/linux/seccomp.h missing) ***" "$LINENO" 5 fi - # set sysconfdir if test "$prefix" = /usr; then test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc" fi -ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile" +ac_config_files="$ac_config_files mkdeb.sh" + +ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile src/jailcheck/Makefile src/fids/Makefile" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure 
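Review bot: making a missing linux/seccomp.h fatal is consistent with the removal of the --enable-seccomp option earlier in this patch, but the message hardcodes `/usr/include/linux/seccomp.h`; with a sysroot or cross toolchain the header is looked up elsewhere, so "linux/seccomp.h not found in the compiler include path" would be more accurate. The `-DHAVE_SECCOMP_H` define is also dropped here, so every `#ifdef HAVE_SECCOMP_H` in src/ must have been removed in the same change or the code it guards silently disappears.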
@@ -4730,7 +4894,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by firejail $as_me 0.9.63, which was +This file was extended by firejail $as_me 0.9.67, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -4777,14 +4941,14 @@ Usage: $0 [OPTION]... [TAG]... Configuration files: $config_files -Report bugs to . +Report bugs to . firejail home page: ." _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -firejail config.status 0.9.63 +firejail config.status 0.9.67 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" @@ -4895,6 +5059,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 for ac_config_target in $ac_config_targets do case $ac_config_target in + "mkdeb.sh") CONFIG_FILES="$CONFIG_FILES mkdeb.sh" ;; "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; "src/common.mk") CONFIG_FILES="$CONFIG_FILES src/common.mk" ;; "src/lib/Makefile") CONFIG_FILES="$CONFIG_FILES src/lib/Makefile" ;; 
@@ -4909,12 +5074,17 @@ do "src/fbuilder/Makefile") CONFIG_FILES="$CONFIG_FILES src/fbuilder/Makefile" ;; "src/fsec-print/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-print/Makefile" ;; "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;; - "src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;; "src/fseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/fseccomp/Makefile" ;; "src/fldd/Makefile") CONFIG_FILES="$CONFIG_FILES src/fldd/Makefile" ;; "src/libpostexecseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpostexecseccomp/Makefile" ;; "src/fsec-optimize/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-optimize/Makefile" ;; "src/profstats/Makefile") CONFIG_FILES="$CONFIG_FILES src/profstats/Makefile" ;; + "src/man/Makefile") CONFIG_FILES="$CONFIG_FILES src/man/Makefile" ;; + "src/zsh_completion/Makefile") CONFIG_FILES="$CONFIG_FILES src/zsh_completion/Makefile" ;; + "src/bash_completion/Makefile") CONFIG_FILES="$CONFIG_FILES src/bash_completion/Makefile" ;; + "test/Makefile") CONFIG_FILES="$CONFIG_FILES test/Makefile" ;; + "src/jailcheck/Makefile") CONFIG_FILES="$CONFIG_FILES src/jailcheck/Makefile" ;; + "src/fids/Makefile") CONFIG_FILES="$CONFIG_FILES src/fids/Makefile" ;; *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; esac @@ -5333,6 +5503,11 @@ which seems to be undefined. Please make sure it is defined" >&2;} esac + + case $ac_file$ac_mode in + "mkdeb.sh":F) chmod +x mkdeb.sh ;; + + esac done # for ac_tag 
@@ -5370,30 +5545,48 @@ $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;} fi -echo -echo "Configuration options:" -echo " prefix: $prefix" -echo " sysconfdir: $sysconfdir" -echo " seccomp: $HAVE_SECCOMP" -echo " : $HAVE_SECCOMP_H" -echo " apparmor: $HAVE_APPARMOR" -echo " global config: $HAVE_GLOBALCFG" -echo " chroot: $HAVE_CHROOT" -echo " network: $HAVE_NETWORK" -echo " user namespace: $HAVE_USERNS" -echo " X11 sandboxing support: $HAVE_X11" -echo " whitelisting: $HAVE_WHITELIST" -echo " private home support: $HAVE_PRIVATE_HOME" -echo " file transfer support: $HAVE_FILE_TRANSFER" -echo " overlayfs support: $HAVE_OVERLAYFS" -echo " firetunnel support: $HAVE_FIRETUNNEL" -echo " busybox workaround: $BUSYBOX_WORKAROUND" -echo " Spectre compiler patch: $HAVE_SPECTRE" -echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" -echo " EXTRA_CFLAGS: $EXTRA_CFLAGS" -echo " fatal warnings: $HAVE_FATAL_WARNINGS" -echo " Gcov instrumentation: $HAVE_GCOV" -echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL" -echo " SELinux labeling support: $HAVE_SELINUX" -echo " Install as a SUID executable: $HAVE_SUID" -echo +cat <: $HAVE_SECCOMP_H" -echo " apparmor: $HAVE_APPARMOR" -echo " global config: $HAVE_GLOBALCFG" -echo " chroot: $HAVE_CHROOT" -echo " network: $HAVE_NETWORK" -echo " user namespace: $HAVE_USERNS" -echo " X11 sandboxing support: $HAVE_X11" -echo " whitelisting: $HAVE_WHITELIST" -echo " private home support: $HAVE_PRIVATE_HOME" -echo " file transfer support: $HAVE_FILE_TRANSFER" -echo " overlayfs support: $HAVE_OVERLAYFS" -echo " firetunnel support: $HAVE_FIRETUNNEL" -echo " busybox workaround: $BUSYBOX_WORKAROUND" -echo " Spectre compiler patch: $HAVE_SPECTRE" -echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" -echo " EXTRA_CFLAGS: $EXTRA_CFLAGS" -echo " fatal warnings: $HAVE_FATAL_WARNINGS" -echo " Gcov instrumentation: $HAVE_GCOV" -echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL" -echo " SELinux labeling support: $HAVE_SELINUX" -echo " Install as a SUID 
executable: $HAVE_SUID" -echo +src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \ +src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile \ +src/jailcheck/Makefile src/fids/Makefile]) +AC_OUTPUT + +cat </dev/null; then + echo "Please install zenity." + exit 1 +fi +if ! command -v sudo >/dev/null; then + echo "Please install sudo." + exit 1 +fi + +export LANG=en_US.UTF8 + +zenity --title=firejail-welcome.sh --text-info --width=750 --height=500 <.local in ~/.config/firejal. + +Firejail's own configuration can be found at /etc/firejail/firejail.config. + +Please note that running this script a second time can set new options, but does not unset options +set in a previous run. + +Website: https://firejail.wordpress.com +Bug-Tracker: https://github.com/netblue30/firejail/issues +Documentation: +- https://github.com/netblue30/firejail/wiki +- https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions +- https://firejail.wordpress.com/documentation-2 +- man:firejail(1) and man:firejail-profile(5) + +PS: If you have any improvements for this script, open an issue or pull request. +EOM +[[ $? -eq 1 ]] && exit 0 + +sed_scripts=() + +read -r -d $'\0' MSG_Q_BROWSER_DISABLE_U2F <Should browsers be allowed to access u2f hardware? +EOM + +read -r -d $'\0' MSG_Q_BROWSER_ALLOW_DRM <Should browsers be able to play DRM content? + +\$HOME is noexec,nodev,nosuid by default for the most sandboxes. This means that executing programs which are located in \$HOME, +is forbidden, the setuid attribute on files is ignored and device files inside \$HOME don't work. Browsers install proprietary +DRM plug-ins such as Widevine under \$HOME by default. In order to use them, \$HOME must be mounted exec inside the sandbox to +allow their execution. Clearly, this may help an attacker to start malicious code. 
+ +NOTE: Other software written in an interpreter language such as bash, python or java can always be started from \$HOME. + +HINT: If /home has its own partition, you can mount it nodev,nosuid for all programs. +EOM + +read -r -d $'\0' MSG_L_ADVANCED_OPTIONS <Should most programs be started in firejail by default? +EOM + +read -r -d $'\0' MSG_I_ROOT_REQUIRED < None: - """The main function. Parses the commandline args, shows messages and calles the function actually doing the work.""" + """The main function. Parses the commandline args, shows messages and calls the function actually doing the work.""" if len(sys.argv) > 2 or (len(sys.argv) == 2 and (sys.argv[1] == "-h" or sys.argv[1] == "--help")): printHelp() diff --git a/contrib/fj-mkdeb.py b/contrib/fj-mkdeb.py index 429cb9db427..b4a94753548 100755 --- a/contrib/fj-mkdeb.py +++ b/contrib/fj-mkdeb.py @@ -1,16 +1,20 @@ #!/usr/bin/env python3 # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # This script automates the workaround for https://github.com/netblue30/firejail/issues/772 -import os, re, shlex, subprocess, sys +import os, shlex, subprocess, sys def run(srcdir, args): if srcdir: os.chdir(srcdir) + if not (os.path.isfile('./mkdeb.sh.in')): + print('Error: Not a firejail source tree? Exiting.') + return 1 + dry_run = False escaped_args = [] # We need to modify the list as we go. So be sure to copy the list to be iterated! 
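Review bot: the dialog text shown to users in firejail-welcome.sh has a typo and some grammar worth fixing before it ships: `~/.config/firejal` should read `~/.config/firejail`, "for the most sandboxes" should be "for most sandboxes", and "executing programs which are located in $HOME, is forbidden" should be "executing programs located in $HOME is forbidden". Separately, `[[ $? -eq 1 ]] && exit 0` after the zenity intro treats only exit status 1 as cancel; zenity returns other non-zero codes on errors such as a timeout or a missing display, in which case the script falls through to the questions. `zenity ... || exit 0` handles every non-zero case. `export LANG=en_US.UTF8` also overrides the user's locale for the rest of the script; if that is intentional for the sed scripts, a comment saying so would help.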
@@ -25,23 +29,21 @@ def run(srcdir, args): else: escaped_args.append(shlex.quote(a)) - # Fix up mkdeb.sh to include custom configure options. + # Run configure to generate mkdeb.sh. + first_config = subprocess.call(['./configure', '--prefix=/usr'] + args) + if first_config != 0: + return first_config + + # Fix up dynamically-generated mkdeb.sh to include custom configure options. with open('mkdeb.sh', 'rb') as f: sh = str(f.read(), 'utf_8') - rx = re.compile(r'^\./configure\s.*$', re.M) with open('mkdeb.sh', 'wb') as f: - f.write( - bytes( - rx.sub('./configure --prefix=/usr ' + (' '.join(escaped_args)), - sh), 'utf_8')) + f.write(bytes(sh.replace('./configure $CONFIG_ARGS', + './configure $CONFIG_ARGS ' + (' '.join(escaped_args))), 'utf_8')) if dry_run: return 0 - # now run configure && make - if subprocess.call(['./configure', '--prefix=/usr'] + args) == 0: - subprocess.call(['make', 'deb']) - - return 0 + return subprocess.call(['make', 'deb']) if __name__ == '__main__': @@ -71,9 +73,9 @@ def run(srcdir, args): if not (srcdir): # srcdir not manually specified, try to auto-detect srcdir = os.path.dirname(os.path.abspath(sys.argv[0] + '/..')) - if not (os.path.isfile(srcdir + '/mkdeb.sh')): + if not (os.path.isfile(srcdir + '/mkdeb.sh.in')): # Script is probably installed. Check the cwd. - if os.path.isfile('./mkdeb.sh'): + if os.path.isfile('./mkdeb.sh.in'): srcdir = None else: print( diff --git a/contrib/fjclip.py b/contrib/fjclip.py index 66038430dca..3e99d71e9b8 100755 --- a/contrib/fjclip.py +++ b/contrib/fjclip.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 import sys diff --git a/contrib/fjdisplay.py b/contrib/fjdisplay.py index f1880283b2e..294bde99714 100755 --- a/contrib/fjdisplay.py +++ b/contrib/fjdisplay.py 
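Review bot: `--dry-run` is no longer dry: configure is now executed (`first_config = subprocess.call(['./configure', '--prefix=/usr'] + args)`) before the `if dry_run: return 0` check, so a dry run rewrites the tree. Move the dry_run return ahead of the configure call, or run configure only when not in dry-run mode. The `sh.replace('./configure $CONFIG_ARGS', ...)` substitution also fails silently if mkdeb.sh.in ever stops containing that exact string; checking `if './configure $CONFIG_ARGS' not in sh:` and returning an error keeps the workaround from quietly producing a package built with the default options.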
@@ -1,6 +1,6 @@ #!/usr/bin/env python3 # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 import re diff --git a/contrib/fjresize.py b/contrib/fjresize.py index 6ab963c58df..d656f5c917c 100755 --- a/contrib/fjresize.py +++ b/contrib/fjresize.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 import sys diff --git a/contrib/gdb-firejail.sh b/contrib/gdb-firejail.sh index 7a351c065cc..686bdc2c087 100755 --- a/contrib/gdb-firejail.sh +++ b/contrib/gdb-firejail.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set -x @@ -21,4 +21,4 @@ else fi bash -c "kill -STOP \$\$; exec \"\$0\" \"\$@\"" "$@" & -sudo gdb -e "$FIREJAIL" -p "$!" +sudo gdb -e "$FIREJAIL" -p "$!" diff --git a/contrib/jail_prober.py b/contrib/jail_prober.py index 6f8e98b6a21..f89f97ac451 100755 --- a/contrib/jail_prober.py +++ b/contrib/jail_prober.py 
@@ -1,166 +1,206 @@ -#!/usr/bin/env python3 -# This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors -# License GPL v2 -""" -Figure out which profile options may be causing a particular program to break -when run in firejail. - -Instead of having to comment out each line in a profile by hand, and then -enable each line individually until the bad line or lines are found, this -largely automates the process. Users only have to provide the path to the -profile, program name, and answer 'y' for yes or 'n' for no when prompted. - -After completion, you'll be provided with some information to copy and then -paste into a GitHub issue in the Firejail project repository: -https://github.com/netblue30/firejail/issues - -Paths to the profile should be absolute. If the program is in your path, then -you only have to type the profile name. Else, you'll need to provide the -absolute path to the profile. - -Examples: -python jail_prober.py /etc/firejail/spotify.profile spotify -python jail_prober.py /usr/local/etc/firejail/firefox.profile /usr/bin/firefox -""" - -import sys -import os -import subprocess - - -def check_params(profilePath): - """ - Ensure the path to the profile is valid and that an actual profile has been - passed (as opposed to a config or .local file). - - :params profilePath: The absolute path to the problematic profile. - """ - if not os.path.isfile(profilePath): - raise FileNotFoundError( - 'The path %s is not a valid system path.' % profilePath) - if not profilePath.endswith('.profile'): - raise ValueError('%s is not a valid Firejail profile.' % profilePath) - - -def get_args(profilePath): - """ - Read the profile, stripping out comments and newlines - - :params profilePath: The absolute path to the problematic profile. 
- - :returns profile: A list containing all active profile arguments - """ - with open(profilePath, 'r') as f: - profile = f.readlines() - profile = [ - arg.strip() for arg in profile - if not arg.startswith('#') and arg.strip() != '' - ] - - return profile - - -def arg_converter(argList, style): - """ - Convert between firejail command-line arguments (--example=something) and - profile arguments (example something) - - :params argList: A list of firejail arguments - - :params style: Whether to convert arguments to command-line form or profile - form - """ - if style == 'to_profile': - oldSep = '=' - newSep = ' ' - prefix = '' - elif style == 'to_commandline': - oldSep = ' ' - newSep = '=' - prefix = '--' - newArgs = [prefix + word.replace(oldSep, newSep) for word in argList] - # Additional strip of '--' if converting to profile form - if style == 'to_profile': - newArgs = [word[2:] for word in newArgs] - - # Remove invalid '--include' args if converting to command-line form - elif style == 'to_commandline': - newArgs = [word for word in newArgs if 'include' not in word] - - return newArgs - - -def run_firejail(program, allArgs): - """ - Attempt to run the program in firejail, incrementally adding to the number - of firejail arguments. Initial run has no additional params besides - noprofile. - - :params program: The program name. If it doesn't exist in the user's path - then the full path should be provided. - - :params allArgs: A list of all Firejail arguments to try, in command-line - format. - - :returns goodArgs: A list of arguments that the user has reported to not - affect the program - - :returns badArgs: A list of arguments that the user has reported to break - the program when sandboxing with Firejail - """ - goodArgs = ['firejail', '--noprofile', program] - badArgs = [] - print('Attempting to run %s in Firejail' % program) - for arg in allArgs: - print('Running with', arg) - subprocess.call(goodArgs) - ans = input('Did %s run correctly? 
[y]/n ' % program) - if ans in ['n', 'N']: - badArgs.append(arg) - else: - goodArgs.insert(-1, arg) - print('\n') - # Don't include 'firejail', '--noprofile', or program name in arguments - goodArgs = goodArgs[2:-1] - - return goodArgs, badArgs - - -def main(): - profilePath = sys.argv[1] - program = sys.argv[2] - # Quick error check and extract arguments - check_params(profilePath) - profile = get_args(profilePath) - allArgs = arg_converter(profile, 'to_commandline') - # Find out which profile options break the program when running in firejail - goodArgs, badArgs = run_firejail(program, allArgs) - - goodArgs = arg_converter(goodArgs, 'to_profile') - badArgs = arg_converter(badArgs, 'to_profile') - - print('\n###########################') - print('Debugging completed.') - print( - 'Please copy the following and report it to the Firejail development', - 'team on GitHub at %s \n\n' % - 'https://github.com/netblue30/firejail/issues') - - subprocess.call(['firejail', '--version']) - - print('These profile options break the program.') - print('```') - for item in badArgs: - print(item) - print('```\n\n\n') - - print('This is a minimal working profile:') - print('```') - for item in goodArgs: - print(item) - print('```') - - -if __name__ == '__main__': - main() +#!/usr/bin/env python3 +# This file is part of Firejail project +# Copyright (C) 2014-2021 Firejail Authors +# License GPL v2 +""" +Figure out which profile options may be causing a particular program to break +when run in firejail. + +Instead of having to comment out each line in a profile by hand, and then +enable each line individually until the bad line or lines are found, this +largely automates the process. Users only have to provide the path to the +profile, program name, and answer 'y' for yes or 'n' for no when prompted. 
+ +After completion, you'll be provided with some information to copy and then +paste into a GitHub issue in the Firejail project repository: +https://github.com/netblue30/firejail/issues + +Paths to the profile should be absolute. If the program is in your path, then +you only have to type the profile name. Else, you'll need to provide the +absolute path to the profile. + +Examples: +python jail_prober.py /etc/firejail/spotify.profile spotify +python jail_prober.py /usr/local/etc/firejail/firefox.profile /usr/bin/firefox +""" + +import sys +import os +import subprocess + + +def check_params(profile_path): + """ + Ensure the path to the profile is valid and that an actual profile has been + passed (as opposed to a config or .local file). + + Args: + profile_path: The absolute path to the problematic profile + + Raises: + FileNotFoundError: If the provided path isn't real + + ValueError: If the provided path is real but doesn't point to + a Firejail profile + """ + if not os.path.isfile(profile_path): + raise FileNotFoundError('The path %s is not a valid system path.' % + profile_path) + if not profile_path.endswith('.profile'): + raise ValueError('%s is not a valid Firejail profile.' % profile_path) + + +def get_args(profile_path): + """ + Read the profile, stripping out comments and newlines + + Args: + profile_path: The absolute path to the problematic profile. 
+ + Returns: + A list containing all active profile arguments + """ + with open(profile_path, 'r') as f: + profile = f.readlines() + profile = [ + arg.strip() for arg in profile + if not arg.startswith('#') and arg.strip() != '' + ] + + return profile + + +def absolute_include(word): + home = os.environ['HOME'] + path = home + '/.config/firejail/' + + option, filename = word.split('=') + absolute_filename = path + filename + + if not os.path.isfile(absolute_filename): + absolute_filename = '${CFG}/' + filename + + return option + '=' + absolute_filename + + +def arg_converter(arg_list, style): + """ + Convert between firejail command-line arguments (--example=something) and + profile arguments (example something) + + Args: + arg_list: A list of firejail arguments + + style: String, one of {'to_profile', 'to_commandline'}. Whether to + convert arguments to command-line form or profile form + """ + if style == 'to_profile': + old_sep = '=' + new_sep = ' ' + prefix = '' + elif style == 'to_commandline': + old_sep = ' ' + new_sep = '=' + prefix = '--' + new_args = [prefix + word.replace(old_sep, new_sep) for word in arg_list] + # Additional strip of '--' if converting to profile form + if style == 'to_profile': + new_args = [word[2:] for word in new_args] + + elif style == 'to_commandline': + new_args = [ + absolute_include(word) if word.startswith('--include') + else word + for word in new_args + ] + + return new_args + + +def run_firejail(program, all_args): + """ + Attempt to run the program in firejail, incrementally adding to the number + of firejail arguments. Initial run has no additional params besides + noprofile. + + Args: + program: String, the program name. If it doesn't exist in $PATH then + the full path to the program should be provided + + all_args: List, all Firejail arguments to try, in command-line format + (i.e. 
prefixed by '--') + + Returns: + good_args: List, all Firejail arguments that the user has reported to + not adversely affect the program + + bad_args: List, all Firejail arguments that the user has reported to + break the program + """ + good_args = ['firejail', '--noprofile', program] + bad_args = [] + all_args.insert(0, "") + print('Attempting to run %s in Firejail' % program) + for arg in all_args: + if arg: + print('Running with', arg) + else: + print('Running without profile') + #We are adding the argument in a copy of the actual list to avoid modify it now. + myargs = good_args.copy() + if arg: + myargs.insert(-1, arg) + subprocess.call(myargs) + ans = input('Did %s run correctly? [y]/n ' % program) + if ans in ['n', 'N']: + bad_args.append(arg) + elif arg: + good_args.insert(-1, arg) + print('\n') + # Don't include 'firejail', '--noprofile', or program name in arguments + good_args = good_args[2:-1] + + return good_args, bad_args + + +def main(): + try: + profile_path = sys.argv[1] + program = sys.argv[2] + except IndexError: + print('USAGE: jail_prober.py ') + sys.exit() + # Quick error check and extract arguments + check_params(profile_path) + profile = get_args(profile_path) + all_args = arg_converter(profile, 'to_commandline') + # Find out which profile options break the program when running in firejail + good_args, bad_args = run_firejail(program, all_args) + + good_args = arg_converter(good_args, 'to_profile') + bad_args = arg_converter(bad_args, 'to_profile') + + print('\n###########################') + print('Debugging completed.') + print( + 'Please copy the following and report it to the Firejail development', + 'team on GitHub at %s \n\n' % + 'https://github.com/netblue30/firejail/issues') + + subprocess.call(['firejail', '--version']) + + print('These profile options break the program.') + print('```') + for item in bad_args: + print(item) + print('```\n\n\n') + + print('This is a minimal working profile:') + print('```') + for item in 
good_args: + print(item) + print('```') + + +if __name__ == '__main__': + main() diff --git a/contrib/sort.py b/contrib/sort.py index e2f82012b9d..4af9c674c6a 100755 --- a/contrib/sort.py +++ b/contrib/sort.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 """ Sort the items of multi-item options in profiles, the following options are supported: @@ -24,7 +24,7 @@ # Requirements: # python >= 3.6 -from sys import argv +from sys import argv, exit as sys_exit def sort_alphabetical(raw_items): 
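Review bot: in run_firejail the new `all_args.insert(0, "")` sentinel leaks into the results: if the user answers 'n' for the initial `--noprofile` run (the program is broken even without a profile), `bad_args.append(arg)` stores the empty string and the final report prints a blank line under "These profile options break the program." That case should abort with a message instead, since the profile is not the cause. `insert(0, "")` also mutates the caller's list. In absolute_include, `option, filename = word.split('=')` raises ValueError on an include value containing `=`, and the fallback `'${CFG}/' + filename` is passed literally through subprocess.call (no shell), so it only works if firejail expands `${CFG}` itself; a comment confirming that would help. `sys.exit()` on the usage error exits 0; `sys.exit(1)` is the conventional choice. Finally, every line of the old file is removed and re-added, which usually means a line-ending conversion; mention it in the commit message so the rename-free full rewrite is not mistaken for a functional change.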
@@ -34,39 +34,17 @@ def sort_alphabetical(raw_items): def sort_protocol(protocols): - """sort the given protocole into this scheme: unix,inet,inet6,netlink,packet""" + """sort the given protocols into this scheme: unix,inet,inet6,netlink,packet,bluetooth""" + # shortcut for common protocol lines if protocols in ("unix", "unix,inet,inet6"): return protocols + fixed_protocols = "" - present_protocols = { - "unix": False, - "inet": False, - "inet6": False, - "netlink": False, - "packet": False, - } - for protocol in protocols.split(","): - if protocol == "unix": - present_protocols["unix"] = True - elif protocol == "inet": - present_protocols["inet"] = True - elif protocol == "inet6": - present_protocols["inet6"] = True - elif protocol == "netlink": - present_protocols["netlink"] = True - elif protocol == "packet": - present_protocols["packet"] = True - if present_protocols["unix"]: - fixed_protocols += "unix," - if present_protocols["inet"]: - fixed_protocols += "inet," - if present_protocols["inet6"]: - fixed_protocols += "inet6," - if present_protocols["netlink"]: - fixed_protocols += "netlink," - if present_protocols["packet"]: - fixed_protocols += "packet," + for protocol in ("unix", "inet", "inet6", "netlink", "packet", "bluetooth"): + for prefix in ("", "-", "+", "="): + if f",{prefix}{protocol}," in f",{protocols},": + fixed_protocols += f"{prefix}{protocol}," return fixed_protocols[:-1] @@ -75,7 +53,7 @@ def fix_profile(filename): lines = profile.read().split("\n") was_fixed = False fixed_profile = [] - for line in lines: + for lineno, line in enumerate(lines): if line[:12] in ("private-bin ", "private-etc ", "private-lib "): fixed_line = f"{line[:12]}{sort_alphabetical(line[12:])}" elif line[:13] in ("seccomp.drop ", "seccomp.keep "): 
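Review bot: the rewritten sort_protocol only accumulates tokens that match the fixed tuple `("unix", "inet", "inet6", "netlink", "packet", "bluetooth")`, so a misspelled or unsupported token (e.g. `inet4`) is silently dropped from the rewritten profile line instead of being reported; the old implementation had the same weakness but this is the moment to raise a ValueError for unknown tokens so fix_profile reports it rather than deleting it. The `"="` prefix is also accepted silently; if it is not a valid firejail protocol prefix it should be removed from the loop.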
@@ -90,6 +68,10 @@ def fix_profile(filename): fixed_line = line if fixed_line != line: was_fixed = True + print( + f"(unknown):{lineno + 1}:-{line}\n" + f"(unknown):{lineno + 1}:+{fixed_line}" + ) fixed_profile.append(fixed_line) if was_fixed: profile.seek(0) @@ -103,6 +85,7 @@ def fix_profile(filename): def main(args): exit_code = 0 + print(f"sort.py: checking {len(args)} {'profiles' if len(args) != 1 else 'profile'}...") for filename in args: try: if exit_code not in (1, 101): @@ -115,11 +98,11 @@ def main(args): except PermissionError: print(f"[ Error ] Can't read/write `(unknown)'") exit_code = 1 - except: - print(f"[ Error ] An error occurred while processing `(unknown)'") + except Exception as err: + print(f"[ Error ] An error occurred while processing `(unknown)': {err}") exit_code = 1 return exit_code if __name__ == "__main__": - exit(main(argv[1:])) + sys_exit(main(argv[1:])) diff --git a/contrib/syscalls.sh b/contrib/syscalls.sh index b990ac23cd6..728ff5a7823 100755 --- a/contrib/syscalls.sh +++ b/contrib/syscalls.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 STRACE_OUTPUT_FILE="$(pwd)/strace_output.txt" diff --git a/contrib/update_deb.sh b/contrib/update_deb.sh index d417a09eaf3..4c715aaf7fa 100755 --- a/contrib/update_deb.sh +++ b/contrib/update_deb.sh 
@@ -1,16 +1,24 @@ #!/bin/sh # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # Purpose: Fetch, compile, and install firejail from GitHub source. For # Debian-based distros only (Ubuntu, Mint, etc). set -e + git clone --depth=1 https://github.com/netblue30/firejail.git cd firejail -./configure --prefix=/usr +./configure --enable-apparmor --prefix=/usr + +# Fix https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916920 +sed -i \ + -e "s/# cgroup .*/cgroup no/" \ + -e "s/# restricted-network .*/restricted-network yes/" \ + etc/firejail.config + make deb sudo dpkg -i firejail*.deb -echo "Firejail was updated!" +echo "Firejail updated." cd .. rm -rf firejail diff --git a/contrib/vim/ftdetect/firejail.vim b/contrib/vim/ftdetect/firejail.vim index a8ba5cd75d8..2edc741dacb 100644 --- a/contrib/vim/ftdetect/firejail.vim +++ b/contrib/vim/ftdetect/firejail.vim @@ -1,6 +1,6 @@ -autocmd BufNewFile,BufRead /etc/firejail/*.profile set filetype=firejail -autocmd BufNewFile,BufRead /etc/firejail/*.local set filetype=firejail -autocmd BufNewFile,BufRead /etc/firejail/*.inc set filetype=firejail -autocmd BufNewFile,BufRead ~/.config/firejail/*.profile set filetype=firejail -autocmd BufNewFile,BufRead ~/.config/firejail/*.local set filetype=firejail -autocmd BufNewFile,BufRead ~/.config/firejail/*.inc set filetype=firejail +autocmd BufNewFile,BufRead /etc/firejail/*.profile setfiletype firejail +autocmd BufNewFile,BufRead /etc/firejail/*.local setfiletype firejail +autocmd BufNewFile,BufRead /etc/firejail/*.inc setfiletype firejail +autocmd BufNewFile,BufRead ~/.config/firejail/*.profile setfiletype firejail +autocmd BufNewFile,BufRead ~/.config/firejail/*.local setfiletype firejail +autocmd BufNewFile,BufRead ~/.config/firejail/*.inc setfiletype firejail diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim index 9563e62ef87..d07690ee23f 100644 
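Review bot: the two `sed -i -e "s/# cgroup .*/cgroup no/" -e "s/# restricted-network .*/restricted-network yes/"` edits are applied with no check that the patterns matched; sed exits 0 either way, so `set -e` does not help and a renamed or already-uncommented option in etc/firejail.config would be silently left untouched. A `grep -q '^cgroup no' etc/firejail.config` (and the same for restricted-network) after the sed, or a small template file copied over, makes the Debian bug 916920 workaround verifiable. Adding `--enable-apparmor` also introduces a libapparmor-dev build dependency that the script does not install or mention.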
--- a/contrib/vim/syntax/firejail.vim +++ b/contrib/vim/syntax/firejail.vim 
@@ -20,19 +20,20 @@ syn match fjCapabilityList /,/ nextgroup=fjCapability contained syn keyword fjProtocol unix inet inet6 netlink packet nextgroup=fjProtocolList contained syn match fjProtocolList /,/ nextgroup=fjProtocol contained -" Syscalls grabbed from: src/include/syscall.h -" Generate list with: rg -o '"([^"]+)' -r '$1' src/include/syscall.h | sort -u | tr $'\n' ' ' -syn keyword fjSyscall _llseek _newselect _sysctl accept accept4 access acct add_key adjtimex afs_syscall alarm arch_prctl bdflush bind bpf break brk capget capset chdir chmod chown chown32 chroot clock_adjtime clock_getres clock_gettime clock_nanosleep clock_settime clone close connect copy_file_range creat create_module delete_module dup dup2 dup3 epoll_create epoll_create1 epoll_ctl epoll_ctl_old epoll_pwait epoll_wait epoll_wait_old eventfd eventfd2 execve execveat exit exit_group faccessat fadvise64 fadvise64_64 fallocate fanotify_init fanotify_mark fchdir fchmod fchmodat fchown fchown32 fchownat fcntl fcntl64 fdatasync fgetxattr finit_module flistxattr flock fork fremovexattr fsetxattr fstat fstat64 fstatat64 fstatfs fstatfs64 fsync ftime ftruncate ftruncate64 futex futimesat get_kernel_syms get_mempolicy get_robust_list get_thread_area getcpu getcwd getdents getdents64 getegid getegid32 geteuid geteuid32 getgid getgid32 getgroups getgroups32 getitimer getpeername getpgid getpgrp getpid getpmsg getppid getpriority getrandom getresgid getresgid32 getresuid getresuid32 getrlimit getrusage getsid getsockname getsockopt gettid gettimeofday getuid getuid32 getxattr gtty idle init_module inotify_add_watch inotify_init inotify_init1 inotify_rm_watch io_cancel io_destroy io_getevents io_setup io_submit ioctl ioperm iopl ioprio_get ioprio_set ipc kcmp kexec_file_load kexec_load keyctl kill lchown lchown32 lgetxattr link linkat listen listxattr llistxattr lock lookup_dcookie lremovexattr lseek lsetxattr lstat lstat64 madvise mbind membarrier memfd_create migrate_pages mincore mkdir mkdirat mknod 
mknodat mlock mlock2 mlockall mmap mmap2 modify_ldt mount move_pages mprotect mpx mq_getsetattr mq_notify mq_open mq_timedreceive mq_timedsend mq_unlink mremap msgctl msgget msgrcv msgsnd msync munlock munlockall munmap name_to_handle_at nanosleep newfstatat nfsservctl nice oldfstat oldlstat oldolduname oldstat olduname open open_by_handle_at openat pause perf_event_open personality pipe pipe2 pivot_root pkey_alloc pkey_free pkey_mprotect poll ppoll prctl pread64 preadv preadv2 prlimit64 process_vm_readv process_vm_writev prof profil pselect6 ptrace putpmsg pwrite64 pwritev pwritev2 query_module quotactl read readahead readdir readlink readlinkat readv reboot recvfrom recvmmsg recvmsg remap_file_pages removexattr rename renameat renameat2 request_key restart_syscall rmdir rt_sigaction rt_sigpending rt_sigprocmask rt_sigqueueinfo rt_sigreturn rt_sigsuspend rt_sigtimedwait rt_tgsigqueueinfo sched_get_priority_max sched_get_priority_min sched_getaffinity sched_getattr sched_getparam sched_getscheduler sched_rr_get_interval sched_setaffinity sched_setattr sched_setparam sched_setscheduler sched_yield seccomp security select semctl semget semop semtimedop sendfile sendfile64 sendmmsg sendmsg sendto set_mempolicy set_robust_list set_thread_area set_tid_address setdomainname setfsgid setfsgid32 setfsuid setfsuid32 setgid setgid32 setgroups setgroups32 sethostname setitimer setns setpgid setpriority setregid setregid32 setresgid setresgid32 setresuid setresuid32 setreuid setreuid32 setrlimit setsid setsockopt settimeofday setuid setuid32 setxattr sgetmask shmat shmctl shmdt shmget shutdown sigaction sigaltstack signal signalfd signalfd4 sigpending sigprocmask sigreturn sigsuspend socket socketcall socketpair splice ssetmask stat stat64 statfs statfs64 statx stime stty swapoff swapon symlink symlinkat sync sync_file_range syncfs sysfs sysinfo syslog tee tgkill time timer_create timer_delete timer_getoverrun timer_gettime timer_settime timerfd_create timerfd_gettime 
timerfd_settime times tkill truncate truncate64 tuxcall ugetrlimit ulimit umask umount umount2 uname unlink unlinkat unshare uselib userfaultfd ustat utime utimensat utimes vfork vhangup vm86 vm86old vmsplice vserver wait4 waitid waitpid write writev nextgroup=fjSyscallErrno contained +" Syscalls grabbed from: src/include/syscall*.h +" Generate list with: sed -ne 's/{\s\+"\([^"]\+\)",.*},/\1/p' src/include/syscall*.h | sort -u | tr $'\n' ' ' +syn keyword fjSyscall _llseek _newselect _sysctl accept accept4 access acct add_key adjtimex afs_syscall alarm arch_prctl arm_fadvise64_64 arm_sync_file_range bdflush bind bpf break brk capget capset chdir chmod chown chown32 chroot clock_adjtime clock_adjtime64 clock_getres clock_getres_time64 clock_gettime clock_gettime64 clock_nanosleep clock_nanosleep_time64 clock_settime clock_settime64 clone clone3 close connect copy_file_range creat create_module delete_module dup dup2 dup3 epoll_create epoll_create1 epoll_ctl epoll_ctl_old epoll_pwait epoll_wait epoll_wait_old eventfd eventfd2 execve execveat exit exit_group faccessat faccessat2 fadvise64 fadvise64_64 fallocate fanotify_init fanotify_mark fchdir fchmod fchmodat fchown fchown32 fchownat fcntl fcntl64 fdatasync fgetxattr finit_module flistxattr flock fork fremovexattr fsconfig fsetxattr fsmount fsopen fspick fstat fstat64 fstatat64 fstatfs fstatfs64 fsync ftime ftruncate ftruncate64 futex futex_time64 futimesat getcpu getcwd getdents getdents64 getegid getegid32 geteuid geteuid32 getgid getgid32 getgroups getgroups32 getitimer get_kernel_syms get_mempolicy getpeername getpgid getpgrp getpid getpmsg getppid getpriority getrandom getresgid getresgid32 getresuid getresuid32 getrlimit get_robust_list getrusage getsid getsockname getsockopt get_thread_area gettid gettimeofday getuid getuid32 getxattr gtty idle init_module inotify_add_watch inotify_init inotify_init1 inotify_rm_watch io_cancel ioctl io_destroy io_getevents ioperm io_pgetevents io_pgetevents_time64 iopl 
ioprio_get ioprio_set io_setup io_submit io_uring_enter io_uring_register io_uring_setup ipc kcmp kexec_file_load kexec_load keyctl kill lchown lchown32 lgetxattr link linkat listen listxattr llistxattr lock lookup_dcookie lremovexattr lseek lsetxattr lstat lstat64 madvise mbind membarrier memfd_create migrate_pages mincore mkdir mkdirat mknod mknodat mlock mlock2 mlockall mmap mmap2 modify_ldt mount move_mount move_pages mprotect mpx mq_getsetattr mq_notify mq_open mq_timedreceive mq_timedreceive_time64 mq_timedsend mq_timedsend_time64 mq_unlink mremap msgctl msgget msgrcv msgsnd msync munlock munlockall munmap name_to_handle_at nanosleep newfstatat nfsservctl nice oldfstat oldlstat oldolduname oldstat olduname open openat open_by_handle_at open_tree pause pciconfig_iobase pciconfig_read pciconfig_write perf_event_open personality pidfd_open pidfd_send_signal pipe pipe2 pivot_root pkey_alloc pkey_free pkey_mprotect poll ppoll ppoll_time64 prctl pread64 preadv preadv2 prlimit64 process_vm_readv process_vm_writev prof profil pselect6 pselect6_time64 ptrace putpmsg pwrite64 pwritev pwritev2 query_module quotactl read readahead readdir readlink readlinkat readv reboot recv recvfrom recvmmsg recvmmsg_time64 recvmsg remap_file_pages removexattr rename renameat renameat2 request_key restart_syscall rmdir rseq rt_sigaction rt_sigpending rt_sigprocmask rt_sigqueueinfo rt_sigreturn rt_sigsuspend rt_sigtimedwait rt_sigtimedwait_time64 rt_tgsigqueueinfo sched_getaffinity sched_getattr sched_getparam sched_get_priority_max sched_get_priority_min sched_getscheduler sched_rr_get_interval sched_rr_get_interval_time64 sched_setaffinity sched_setattr sched_setparam sched_setscheduler sched_yield seccomp security select semctl semget semop semtimedop semtimedop_time64 send sendfile sendfile64 sendmmsg sendmsg sendto setdomainname setfsgid setfsgid32 setfsuid setfsuid32 setgid setgid32 setgroups setgroups32 sethostname setitimer set_mempolicy setns setpgid setpriority setregid 
setregid32 setresgid setresgid32 setresuid setresuid32 setreuid setreuid32 setrlimit set_robust_list setsid setsockopt set_thread_area set_tid_address settimeofday setuid setuid32 setxattr sgetmask shmat shmctl shmdt shmget shutdown sigaction sigaltstack signal signalfd signalfd4 sigpending sigprocmask sigreturn sigsuspend socket socketcall socketpair splice ssetmask stat stat64 statfs statfs64 statx stime stty swapoff swapon symlink symlinkat sync sync_file_range sync_file_range2 syncfs syscall sysfs sysinfo syslog tee tgkill time timer_create timer_delete timerfd_create timerfd_gettime timerfd_gettime64 timerfd_settime timerfd_settime64 timer_getoverrun timer_gettime timer_gettime64 timer_settime timer_settime64 times tkill truncate truncate64 tuxcall ugetrlimit ulimit umask umount umount2 uname unlink unlinkat unshare uselib userfaultfd ustat utime utimensat utimensat_time64 utimes vfork vhangup vm86 vm86old vmsplice vserver wait4 waitid waitpid write writev nextgroup=fjSyscallErrno contained " Syscall groups grabbed from: src/fseccomp/syscall.c -" Generate list with: rg -o '"@([^",]+)' -r '$1' src/fseccomp/syscall.c | sort -u | tr $'\n' '|' -syn match fjSyscall /\v\@(clock|cpu-emulation|debug|default|default-keep|default-nodebuggers|module|obsolete|privileged|raw-io|reboot|resources|swap)>/ nextgroup=fjSyscallErrno contained +" Generate list with: rg -o '"@([^",]+)' -r '$1' src/lib/syscall.c | sort -u | tr $'\n' '|' +syn match fjSyscall /\v\@(aio|basic-io|chown|clock|cpu-emulation|debug|default|default-keep|default-nodebuggers|file-system|io-event|ipc|keyring|memlock|module|mount|network-io|obsolete|privileged|process|raw-io|reboot|resources|setuid|signal|swap|sync|system-service|timer)>/ nextgroup=fjSyscallErrno contained syn match fjSyscall /\$[0-9]\+/ nextgroup=fjSyscallErrno contained " Errnos grabbed from: src/fseccomp/errno.c -" Generate list with: rg -o '"(E[^"]+)' -r '$1' src/fseccomp/errno.c | sort -u | tr $'\n' '|' +" Generate list with: rg -o 
'"(E[^"]+)' -r '$1' src/lib/errno.c | sort -u | tr $'\n' '|' syn match fjSyscallErrno /\v(:(E2BIG|EACCES|EADDRINUSE|EADDRNOTAVAIL|EADV|EAFNOSUPPORT|EAGAIN|EALREADY|EBADE|EBADF|EBADFD|EBADMSG|EBADR|EBADRQC|EBADSLT|EBFONT|EBUSY|ECANCELED|ECHILD|ECHRNG|ECOMM|ECONNABORTED|ECONNREFUSED|ECONNRESET|EDEADLK|EDEADLOCK|EDESTADDRREQ|EDOM|EDOTDOT|EDQUOT|EEXIST|EFAULT|EFBIG|EHOSTDOWN|EHOSTUNREACH|EHWPOISON|EIDRM|EILSEQ|EINPROGRESS|EINTR|EINVAL|EIO|EISCONN|EISDIR|EISNAM|EKEYEXPIRED|EKEYREJECTED|EKEYREVOKED|EL2HLT|EL2NSYNC|EL3HLT|EL3RST|ELIBACC|ELIBBAD|ELIBEXEC|ELIBMAX|ELIBSCN|ELNRNG|ELOOP|EMEDIUMTYPE|EMFILE|EMLINK|EMSGSIZE|EMULTIHOP|ENAMETOOLONG|ENAVAIL|ENETDOWN|ENETRESET|ENETUNREACH|ENFILE|ENOANO|ENOATTR|ENOBUFS|ENOCSI|ENODATA|ENODEV|ENOENT|ENOEXEC|ENOKEY|ENOLCK|ENOLINK|ENOMEDIUM|ENOMEM|ENOMSG|ENONET|ENOPKG|ENOPROTOOPT|ENOSPC|ENOSR|ENOSTR|ENOSYS|ENOTBLK|ENOTCONN|ENOTDIR|ENOTEMPTY|ENOTNAM|ENOTRECOVERABLE|ENOTSOCK|ENOTSUP|ENOTTY|ENOTUNIQ|ENXIO|EOPNOTSUPP|EOVERFLOW|EOWNERDEAD|EPERM|EPFNOSUPPORT|EPIPE|EPROTO|EPROTONOSUPPORT|EPROTOTYPE|ERANGE|EREMCHG|EREMOTE|EREMOTEIO|ERESTART|ERFKILL|EROFS|ESHUTDOWN|ESOCKTNOSUPPORT|ESPIPE|ESRCH|ESRMNT|ESTALE|ESTRPIPE|ETIME|ETIMEDOUT|ETOOMANYREFS|ETXTBSY|EUCLEAN|EUNATCH|EUSERS|EWOULDBLOCK|EXDEV|EXFULL)>)?/ nextgroup=fjSyscallList contained syn match fjSyscallList /,/ nextgroup=fjSyscall contained syn keyword fjX11Sandbox none xephyr xorg xpra xvfb contained +syn keyword fjSeccompAction kill log ERRNO contained syn match fjEnvVar "[A-Za-z0-9_]\+=" contained syn match fjRmenvVar "[A-Za-z0-9_]\+" contained @@ -40,6 +41,7 @@ syn match fjRmenvVar "[A-Za-z0-9_]\+" contained syn keyword fjAll all contained syn keyword fjNone none contained syn keyword fjLo lo contained +syn keyword fjFilter filter contained " Variable names grabbed from: src/firejail/macros.c " Generate list with: rg -o '\$\{([^}]+)\}' -r '$1' src/firejail/macros.c | sort -u | tr $'\n' '|' 
@@ -47,27 +49,30 @@ syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES " Commands grabbed from: src/firejail/profile.c " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword) -syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained +syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below -syn match fjCommand 
/\v(allusers|apparmor|caps|disable-mnt|ipc-namespace|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-dev|private-lib|private-tmp|seccomp|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained +syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained syn match fjCommand /protocol / nextgroup=fjProtocol skipwhite contained -syn match fjCommand /\vseccomp(\.drop|\.keep)? / nextgroup=fjSyscall skipwhite contained +syn match fjCommand /\vseccomp(\.32)?(\.drop|\.keep)? 
/ nextgroup=fjSyscall skipwhite contained syn match fjCommand /x11 / nextgroup=fjX11Sandbox skipwhite contained syn match fjCommand /env / nextgroup=fjEnvVar skipwhite contained syn match fjCommand /rmenv / nextgroup=fjRmenvVar skipwhite contained syn match fjCommand /shell / nextgroup=fjNone skipwhite contained syn match fjCommand /net / nextgroup=fjNone,fjLo skipwhite contained syn match fjCommand /ip / nextgroup=fjNone skipwhite contained +syn match fjCommand /seccomp-error-action / nextgroup=fjSeccompAction skipwhite contained +syn match fjCommand /\vdbus-(user|system) / nextgroup=fjFilter,fjNone skipwhite contained +syn match fjCommand /\vdbus-(user|system)\.(broadcast|call|own|see|talk) / skipwhite contained " Commands that can't be inside a ?CONDITIONAL: statement syn match fjCommandNoCond /include / skipwhite contained syn match fjCommandNoCond /quiet$/ contained " Conditionals grabbed from: src/firejail/profile.c " Generate list with: awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$/ {process=1;} /\t*\{"[^"]+".*/ { if (process) {print gensub(/^\t*\{"([^"]+)".*$/, "\\1", 1);} } /^\t\{ NULL, NULL \}$/ {process=0;}' src/firejail/profile.c | sort -u | tr $'\n' '|' -syn match fjConditional /\v\?(BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NODBUS) ?:/ nextgroup=fjCommand skipwhite contained +syn match fjConditional /\v\?(BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11) ?:/ nextgroup=fjCommand skipwhite contained " A line is either a command, a conditional or a comment syn match fjStatement /^/ nextgroup=fjCommand,fjCommandNoCond,fjConditional,fjComment @@ -88,6 +93,8 @@ hi def link fjRmenvVar Type hi def link fjAll Type hi def link fjNone Type hi def link fjLo Type +hi def link fjFilter Type +hi def link fjSeccompAction Type let b:current_syntax = "firejail" diff --git a/dummy.c b/dummy.c deleted file mode 100644 index fbf3dd775be..00000000000 --- a/dummy.c +++ /dev/null 
@@ -1,7 +0,0 @@ -// This file is part of Firejail project -// Copyright (C) 2014-2020 Firejail Authors -// License GPL v2 - -int main(void) { - return 0; -} diff --git a/etc-fixes/0.9.52/atom.profile b/etc-fixes/0.9.52/atom.profile new file mode 100644 index 00000000000..87ffdced96a --- /dev/null +++ b/etc-fixes/0.9.52/atom.profile @@ -0,0 +1,31 @@ +# Firejail profile for atom +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/atom.local +# Persistent global definitions +include /etc/firejail/globals.local + +# blacklist /run/user/*/bus + +noblacklist ${HOME}/.atom +noblacklist ${HOME}/.config/Atom + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +caps.keep sys_admin,sys_chroot +# net none +netfilter +nodvd +nogroups +nosound +notv +novideo +shell none + +private-dev +private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc-fixes/0.9.58/atom.profile b/etc-fixes/0.9.58/atom.profile new file mode 100644 index 00000000000..1cc9b011600 --- /dev/null +++ b/etc-fixes/0.9.58/atom.profile @@ -0,0 +1,35 @@ +# Firejail profile for atom +# Description: A hackable text editor for the 21st Century +# This file is overwritten after every install/update +# Persistent local customizations +include atom.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.atom +noblacklist ${HOME}/.config/Atom +noblacklist ${HOME}/.cargo/config +noblacklist ${HOME}/.cargo/registry + +include disable-common.inc +include disable-passwdmgr.inc +include disable-programs.inc + +caps.keep sys_admin,sys_chroot +# net none +netfilter +nodbus +nodvd +nogroups +nosound +notv +nou2f +novideo +shell none + +private-cache +private-dev +private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc-fixes/0.9.60/atom.profile b/etc-fixes/0.9.60/atom.profile new file mode 100644 index 00000000000..c8929127b6e --- /dev/null 
+++ b/etc-fixes/0.9.60/atom.profile @@ -0,0 +1,37 @@ +# Firejail profile for atom +# Description: A hackable text editor for the 21st Century +# This file is overwritten after every install/update +# Persistent local customizations +include atom.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.atom +noblacklist ${HOME}/.config/Atom +noblacklist ${HOME}/.config/git +noblacklist ${HOME}/.cargo/config +noblacklist ${HOME}/.cargo/registry +noblacklist ${HOME}/.gitconfig +noblacklist ${HOME}/.git-credentials +noblacklist ${HOME}/.pythonrc.py + +include disable-common.inc +include disable-exec.inc +include disable-passwdmgr.inc +include disable-programs.inc + +caps.keep sys_admin,sys_chroot +# net none +netfilter +nodbus +nodvd +nogroups +nosound +notv +nou2f +novideo +shell none + +private-cache +private-dev +private-tmp diff --git a/etc-fixes/seccomp-join-bug/README b/etc-fixes/seccomp-join-bug/README index 9f85a0e0003..15596eca793 100644 --- a/etc-fixes/seccomp-join-bug/README +++ b/etc-fixes/seccomp-join-bug/README @@ -8,4 +8,3 @@ on May 21, 2019: The original discussion thread: https://github.com/netblue30/firejail/issues/2718 The fix on mainline: https://github.com/netblue30/firejail/commit/eecf35c2f8249489a1d3e512bb07f0d427183134 - diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default index e68e51c6338..a7044152efd 100644 --- a/etc/apparmor/firejail-default +++ b/etc/apparmor/firejail-default @@ -2,6 +2,10 @@ # Generic Firejail AppArmor profile ######################################### +# AppArmor 3.0 uses the @{run} variable in +# and . +#include + ########## # A simple PID declaration based on Ubuntu's @{pid} # Ubuntu keeps it under tunables/kernelvars and include it via tunables/global. 
@@ -19,6 +23,8 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) { #include #include dbus, +# Add rule in order to avoid dbus-*=filter breakage (#3432) +owner /{,var/}run/firejail/dbus/[0-9]*/[0-9]*-user w, ########## # With ptrace it is possible to inspect and hijack running programs. @@ -47,6 +53,10 @@ owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w, owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w, owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w, +# Allow writing to /var/mail and /var/spool/mail (for mail clients) +# Uncomment to enable +#owner /var/{mail,spool/mail}/** w, + # Allow writing to removable media owner /{,var/}run/media/** w, @@ -74,7 +84,8 @@ owner /proc/@{PID}/clear_refs w, ########## # Allow running programs only from well-known system directories. If you need -# to run programs from your home directory, uncomment /home line. +# to run programs from your home directory, add "/{,run/firejail/mnt/oroot/}home/** ix," +# or similar to /etc/apparmor.d/local/firejail-default (without the quotes). ########## /{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix, /{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix, @@ -102,7 +113,8 @@ network inet6, network unix, network netlink, network raw, -# needed for wireshark +# needed for wireshark, tcpdump etc +network bluetooth, network packet, ########## 
@@ -115,41 +127,15 @@ signal (receive), # We let Firejail deal with capabilities, but ensure that # some AppArmor related capabilities will not be available. ########## -capability chown, -capability dac_override, -capability dac_read_search, -capability fowner, -capability fsetid, -capability kill, -capability setgid, -capability setuid, -capability setpcap, -capability linux_immutable, -capability net_bind_service, -capability net_broadcast, -capability net_admin, -capability net_raw, -capability ipc_lock, -capability ipc_owner, -capability sys_module, -capability sys_rawio, -capability sys_chroot, -capability sys_ptrace, -capability sys_pacct, -capability sys_admin, -capability sys_boot, -capability sys_nice, -capability sys_resource, -capability sys_time, -capability sys_tty_config, -capability mknod, -capability lease, -#capability audit_write, -#capability audit_control, -capability setfcap, -#capability mac_override, -#capability mac_admin, +# The list of recognized capabilities varies from one apparmor version to another. +# For example on Debian 10 (apparmor 2.13.2) checkpoint_restore, perfmon, bpf are not available +# We allow all caps by default and remove the ones we don't like: +capability, +deny capability audit_write, +deny capability audit_control, +deny capability mac_override, +deny capability mac_admin, # Site-specific additions and overrides. See local/README for details. -#include +#include } diff --git a/etc/apparmor/firejail-local b/etc/apparmor/firejail-local index f086653f8de..3dfd3d0eacf 100644 --- a/etc/apparmor/firejail-local +++ b/etc/apparmor/firejail-local 
@@ -1,2 +1,15 @@ # Site-specific additions and overrides for 'firejail-default'. # For more details, please see /etc/apparmor.d/local/README. + +# Here are some examples to allow running programs from home directory. +# Don't enable all of these, just pick a specific one or write a custom rule +# instead as done below for torbrowser-launcher. +#owner @HOME/** ix, +#owner @HOME/bin/** ix +#owner @HOME/.local/bin/** ix + +# Uncomment to opt-in to apparmor for brave + tor +#owner @{HOME}/.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp/*/** ix, + +# Uncomment to opt-in to apparmor for torbrowser-launcher +#owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/** ix, diff --git a/etc/firejail.config b/etc/firejail.config index 589109c64fd..aec152b8587 100644 --- a/etc/firejail.config +++ b/etc/firejail.config @@ -27,7 +27,7 @@ # Enable or disable chroot support, default enabled. # chroot yes -# Enable or disable dbus handling by --nodbus flag, default enabled. +# Enable or disable dbus handling, default enabled. # dbus yes # Disable /mnt, /media, /run/mount and /run/media access. By default access 
@@ -35,23 +35,12 @@ # cannot be overridden by --noblacklist or --ignore. # disable-mnt no -# Set the limit for file copy in several --private-* options. The size is set -# in megabytes. By default we allow up to 500MB. -# Note: the files are copied in RAM. -# file-copy-limit 500 - # Enable or disable file transfer support, default enabled. # file-transfer yes # Enable Firejail green prompt in terminal, default disabled # firejail-prompt no -# Follow symlink as user. While using --whitelist feature, -# symlinks pointing outside home directory are followed only -# if both the link and the real file are owned by the user. -# Enabled by default -# follow-symlink-as-user yes - # Force use of nonewprivs. This mitigates the possibility of # a user abusing firejail's features to trick a privileged (suid # or file capabilities) process into loading code or configuration @@ -74,7 +63,7 @@ # a file argument, the default filter is hardcoded (see man 1 firejail). This # configuration entry allows the user to change the default by specifying # a file containing the filter configuration. The filter file format is the -# format of iptables-save and iptable-restore commands. Example: +# format of iptables-save and iptables-restore commands. Example: # netfilter-default /etc/iptables.iptables.rules # Enable or disable networking features, default enabled. 
@@ -83,18 +72,35 @@ # Enable or disable overlayfs features, default enabled. # overlayfs yes +# Set the limit for file copy in several --private-* options. The size is set +# in megabytes. By default we allow up to 500MB. +# Note: the files are copied in RAM. +# file-copy-limit 500 + +# Enable or disable private-bin feature, default enabled. +# private-bin yes + # Remove /usr/local directories from private-bin list, default disabled. # private-bin-no-local no # Enable or disable private-cache feature, default enabled # private-cache yes +# Enable or disable private-etc feature, default enabled. +# private-etc yes + # Enable or disable private-home feature, default enabled # private-home yes # Enable or disable private-lib feature, default enabled # private-lib yes +# Enable or disable private-opt feature, default enabled. +# private-opt yes + +# Enable or disable private-srv feature, default enabled. +# private-srv yes + # Enable --quiet as default every time the sandbox is started. Default disabled. # quiet-by-default no @@ -107,14 +113,19 @@ # Enable or disable seccomp support, default enabled. # seccomp yes -# Seccomp error action, kill or errno (EPERM, ENOSYS etc) +# Add rules to the default seccomp filter. Same syntax as for --seccomp= +# None by default; this is an example. +# seccomp-filter-add !chroot,kcmp,mincore + +# Seccomp error action, kill, log or errno (EPERM, ENOSYS etc) # seccomp-error-action EPERM # Enable or disable user namespace support, default enabled. # userns yes -# Enable or disable whitelisting support, default enabled. -# whitelist yes +# Disable whitelist top level directories, in addition to those +# that are disabled out of the box. None by default; this is an example. +# whitelist-disable-topdir /etc,/usr/etc # Enable or disable X11 sandboxing support, default enabled. # x11 yes diff --git a/etc/ids.config b/etc/ids.config new file mode 100644 index 00000000000..09b0ae91280 --- /dev/null +++ b/etc/ids.config 
@@ -0,0 +1,142 @@ +# /etc/firejail/ids.config - configuration file for Firejail's Intrusion Detection System +# This config file is overwritten when a new version of Firejail is installed. +# For global customization use /etc/firejail/ids.config.local. +include ids.config.local +# +# Each line is a file or directory name such as +# /usr/bin +# or +# ${HOME}/Desktop/*.desktop +# +# ${HOME} is expanded to the user's home directory, and * is the regular +# globbing match for zero or more characters. +# +# File or directory names starting with ! are not scanned. For example +# !${HOME}/.ssh/known_hosts +# ${HOME}/.ssh +# will scan all files in ~/.ssh directory with the exception of known_hosts + +### system executables ### +/bin +/sbin +/usr/bin +/usr/games +/usr/libexec +/usr/sbin + +### user executables ### +#/opt +#/usr/local + +### system libraries ### +#/lib +#/usr/lib +#/usr/lib32 +#/usr/lib64 +#/usr/libx32 + +### shells local ### +# bash +${HOME}/.bash_login +${HOME}/.bash_logout +${HOME}/.bash_profile +${HOME}/.bashrc +# fish +${HOME}/.config/fish/config.fish +# others +${HOME}/.cshrc +${HOME}/.kshrc +${HOME}/.login +${HOME}/.logout +${HOME}/.profile +${HOME}/.tcshrc +# zsh +${HOME}/.zlogin +${HOME}/.zlogout +${HOME}/.zshenv +${HOME}/.zshprofile +${HOME}/.zshrc + +### shells global ### +# all +/etc/dircolors +/etc/environment +/etc/profile +/etc/profile.d +/etc/shells +/etc/skel +# bash +/etc/bash_completion* +/etc/bash.bashrc +/etc/bashrc +# fish +/etc/fish +# ksh +/etc/ksh.kshrc +# tcsh +/etc/complete.tcsh +/etc/csh.cshrc +/etc/csh.login +/etc/csh.logout +# zsh +/etc/zlogin +/etc/zlogout +/etc/zprofile +/etc/zshenv +/etc/zshrc + +### X11 ### +/etc/X11 +${HOME}/.xinitrc +${HOME}/.xmodmaprc +${HOME}/.xprofile +${HOME}/.Xresources +${HOME}/.xserverrc +${HOME}/.Xsession +${HOME}/.xsession +${HOME}/.xsessionrc + +### window/desktop manager ### +${HOME}/Desktop/*.desktop +${HOME}/.config/autostart +${HOME}/.config/lxsession/LXDE/autostart +${HOME}/.gnomerc 
+${HOME}/.gtkrc +${HOME}/.kderc + +### security ### +/etc/aide +/etc/apparmor* +/etc/chkrootkit.conf +/etc/cracklib +/etc/libaudit.conf +/etc/group* +/etc/gshadow* +/etc/pam.* +/etc/passwd* +/etc/rkhunter* +/etc/securetty +/etc/security +/etc/selinux +/etc/shadow* +/etc/sudoers* +/etc/tripwire +${HOME}/.config/firejail +${HOME}/.gnupg + +### network security ### +/etc/ca-certificates* +/etc/hosts.* +/etc/services +/etc/snort +/etc/ssh +/etc/ssl +/etc/wireshark +!${HOME}/.ssh/known_hosts # excluding +${HOME}/.ssh +/usr/share/ca-certificates + +### system config ### +/etc/cron.* +/etc/crontab +/etc/default diff --git a/etc/inc/allow-bin-sh.inc b/etc/inc/allow-bin-sh.inc new file mode 100644 index 00000000000..d6c295414ed --- /dev/null +++ b/etc/inc/allow-bin-sh.inc @@ -0,0 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include allow-bin-sh.local + +noblacklist ${PATH}/bash +noblacklist ${PATH}/dash +noblacklist ${PATH}/sh diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc index 7cd087b14e7..011bbe226b8 100644 --- a/etc/inc/allow-common-devel.inc +++ b/etc/inc/allow-common-devel.inc @@ -11,6 +11,16 @@ noblacklist ${HOME}/.git-credentials noblacklist ${HOME}/.gradle noblacklist ${HOME}/.java +# Node.js +noblacklist ${HOME}/.node-gyp +noblacklist ${HOME}/.npm +noblacklist ${HOME}/.npmrc +noblacklist ${HOME}/.nvm +noblacklist ${HOME}/.yarn +noblacklist ${HOME}/.yarn-config +noblacklist ${HOME}/.yarncache +noblacklist ${HOME}/.yarnrc + # Python noblacklist ${HOME}/.pylint.d noblacklist ${HOME}/.python-history 
@@ -18,10 +28,4 @@ noblacklist ${HOME}/.python_history noblacklist ${HOME}/.pythonhist # Rust -noblacklist ${HOME}/.cargo/advisory-db -noblacklist ${HOME}/.cargo/config -noblacklist ${HOME}/.cargo/git -noblacklist ${HOME}/.cargo/registry -noblacklist ${HOME}/.cargo/.crates.toml -noblacklist ${HOME}/.cargo/.crates2.json -noblacklist ${HOME}/.cargo/.package-cache +noblacklist ${HOME}/.cargo/* diff --git a/etc/inc/allow-gjs.inc b/etc/inc/allow-gjs.inc index f4f9926cd31..c1366e09336 100644 --- a/etc/inc/allow-gjs.inc +++ b/etc/inc/allow-gjs.inc @@ -5,7 +5,8 @@ include allow-gjs.local noblacklist ${PATH}/gjs noblacklist ${PATH}/gjs-console noblacklist /usr/lib/gjs -noblacklist /usr/lib64/gjs noblacklist /usr/lib/libgjs* +noblacklist /usr/lib/libmozjs-* +noblacklist /usr/lib64/gjs noblacklist /usr/lib64/libgjs* noblacklist /usr/lib64/libmozjs-* diff --git a/etc/inc/allow-lua.inc b/etc/inc/allow-lua.inc index 9df8e8d32bf..4b6dd8a53a3 100644 --- a/etc/inc/allow-lua.inc +++ b/etc/inc/allow-lua.inc @@ -6,5 +6,6 @@ noblacklist ${PATH}/lua* noblacklist /usr/include noblacklist /usr/lib/liblua* noblacklist /usr/lib/lua -noblacklist /usr/share/lua +noblacklist /usr/lib64/liblua* +noblacklist /usr/lib64/lua noblacklist /usr/share/lua* diff --git a/etc/inc/allow-nodejs.inc b/etc/inc/allow-nodejs.inc new file mode 100644 index 00000000000..351c94ab86e --- /dev/null +++ b/etc/inc/allow-nodejs.inc @@ -0,0 +1,10 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include allow-nodejs.local + +noblacklist ${PATH}/node +noblacklist /usr/include/node + +# Allow python for node-gyp (blacklisted by disable-interpreters.inc) +include allow-python2.inc +include allow-python3.inc diff --git a/etc/inc/allow-opengl-game.inc b/etc/inc/allow-opengl-game.inc new file mode 100644 index 00000000000..5d2d6c5c18d --- /dev/null +++ b/etc/inc/allow-opengl-game.inc 
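Review bot: replacing the explicit cargo entries with `noblacklist ${HOME}/.cargo/*` changes coverage in two directions. A `*` glob does not match names beginning with a dot, so `${HOME}/.cargo/.crates.toml`, `.crates2.json` and `.package-cache`, which the removed lines listed one by one, are no longer un-blacklisted; and the glob now does match `${HOME}/.cargo/credentials` and `credentials.toml`, which the removed list deliberately left out and which disable-common.inc hides in its `# top secret` section. Keep the dot-entries explicit and either re-add the explicit list or add `blacklist ${HOME}/.cargo/credentials*` after the glob.

Review bot: allow-nodejs.inc lifts `${PATH}/node` and `/usr/include/node` but not `${HOME}/.nvm`, which disable-interpreters.inc blacklists (its `blacklist ${HOME}/.nvm` context line under `# Node.js` appears later in this patch). An nvm-managed node therefore stays hidden unless the profile also includes allow-common-devel.inc; add `noblacklist ${HOME}/.nvm` here, or say in a comment that nvm setups need allow-common-devel.inc as well.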
@@ -0,0 +1,7 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include allow-opengl-game.local + +noblacklist ${PATH}/bash +whitelist /usr/share/opengl-games-utils/opengl-game-functions.sh +private-bin basename,bash,cut,glxinfo,grep,head,sed,zenity diff --git a/etc/inc/allow-perl.inc b/etc/inc/allow-perl.inc index f44e1e3cc18..5a1952c94e3 100644 --- a/etc/inc/allow-perl.inc +++ b/etc/inc/allow-perl.inc @@ -8,4 +8,5 @@ noblacklist ${PATH}/perl noblacklist ${PATH}/site_perl noblacklist ${PATH}/vendor_perl noblacklist /usr/lib/perl* +noblacklist /usr/lib64/perl* noblacklist /usr/share/perl* diff --git a/etc/inc/allow-ssh.inc b/etc/inc/allow-ssh.inc new file mode 100644 index 00000000000..67c78a4832f --- /dev/null +++ b/etc/inc/allow-ssh.inc @@ -0,0 +1,8 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include allow-ssh.local + +noblacklist ${HOME}/.ssh +noblacklist /etc/ssh +noblacklist /etc/ssh/ssh_config +noblacklist /tmp/ssh-* diff --git a/etc/inc/disable-X11.inc b/etc/inc/disable-X11.inc new file mode 100644 index 00000000000..d227c7a0bc7 --- /dev/null +++ b/etc/inc/disable-X11.inc 
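Review bot: allow-ssh.inc has both `noblacklist /etc/ssh` and `noblacklist /etc/ssh/ssh_config`; if the first already covers the directory's contents the second is dead, and if it does not (because disable-common.inc in this same patch blacklists `/etc/ssh/*` entry by entry) the reason belongs in a comment, otherwise the next cleanup drops one of them. Separately, `noblacklist ${HOME}/.ssh` re-opens the whole directory, including `authorized_keys`, `rc` and `environment`, which this patch moves from `read-only` to `blacklist` in disable-common.inc because writing them yields code execution at the next login. Please confirm those per-file blacklists still apply when a parent-directory noblacklist is in effect; if they do not, restate them (or at least `read-only`) after the noblacklist in this file.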
@@ -0,0 +1,15 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include disable-X11.local + +blacklist /tmp/.X11-unix +blacklist ${HOME}/.Xauthority +blacklist ${RUNUSER}/gdm/Xauthority +blacklist ${RUNUSER}/.mutter-Xwaylandauth* +blacklist ${RUNUSER}/xauth_* +#blacklist ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]] +blacklist /tmp/xauth* +blacklist /tmp/.ICE-unix +blacklist ${RUNUSER}/ICEauthority +rmenv DISPLAY +rmenv XAUTHORITY diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index 3fd3cc7b29e..ae84ee38a01 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc @@ -34,6 +34,7 @@ blacklist ${HOME}/.config/autostart blacklist ${HOME}/.config/autostart-scripts blacklist ${HOME}/.config/awesome blacklist ${HOME}/.config/i3 +blacklist ${HOME}/.config/sway blacklist ${HOME}/.config/lxsession/LXDE/autostart blacklist ${HOME}/.config/openbox blacklist ${HOME}/.config/plasma-workspace @@ -64,10 +65,12 @@ blacklist /etc/xdg/autostart read-only ${HOME}/.Xauthority # Session manager -?HAS_X11: blacklist ${HOME}/.ICEauthority -?HAS_X11: blacklist /tmp/.ICE-unix +# see #3358 +#?HAS_X11: blacklist ${HOME}/.ICEauthority +#?HAS_X11: blacklist /tmp/.ICE-unix # KDE config +blacklist ${HOME}/.cache/konsole blacklist ${HOME}/.config/khotkeysrc blacklist ${HOME}/.config/krunnerrc blacklist ${HOME}/.config/kscreenlockerrc 
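Review bot: disable-X11.inc blacklists `${RUNUSER}/ICEauthority` but not `${HOME}/.ICEauthority`, the path disable-common.inc used until this patch commented it out (`#?HAS_X11: blacklist ${HOME}/.ICEauthority`, see #3358); since this file is opt-in rather than included everywhere, it can carry that entry without re-triggering #3358. The commented-out `${RUNUSER}/[[:xdigit:]]...` pattern needs a one-line note on why it is disabled (too broad, or not supported by the matcher), or it should go. One caveat worth a comment at the top of the file: hiding `/tmp/.X11-unix` and removing `DISPLAY` only cuts the filesystem socket; the X server also listens on an abstract-namespace Unix socket that a sandboxed process can still reach, which is why `x11 none` refuses to start when that socket is reachable and why profiles using this file should pair it with a network namespace (`net none`).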
@@ -75,6 +78,7 @@ blacklist ${HOME}/.config/ksslcertificatemanager blacklist ${HOME}/.config/kwalletrc blacklist ${HOME}/.config/kwinrc blacklist ${HOME}/.config/kwinrulesrc +blacklist ${HOME}/.config/plasma-locale-settings.sh blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc blacklist ${HOME}/.config/plasmashellrc blacklist ${HOME}/.config/plasmavaultrc @@ -105,6 +109,7 @@ blacklist ${HOME}/.local/share/kwin blacklist ${HOME}/.local/share/plasma blacklist ${HOME}/.local/share/plasmashell blacklist ${HOME}/.local/share/solid +blacklist /tmp/konsole-*.history read-only ${HOME}/.cache/ksycoca5_* read-only ${HOME}/.config/*notifyrc read-only ${HOME}/.config/kdeglobals 
@@ -136,31 +141,41 @@ read-only ${HOME}/.local/share/kssl blacklist ${RUNUSER}/*.slave-socket blacklist ${RUNUSER}/kdeinit5__* blacklist ${RUNUSER}/kdesud_* -?HAS_NODBUS: blacklist ${RUNUSER}/ksocket-* -?HAS_NODBUS: blacklist /tmp/ksocket-* +# see #3358 +#?HAS_NODBUS: blacklist ${RUNUSER}/ksocket-* +#?HAS_NODBUS: blacklist /tmp/ksocket-* # gnome # contains extensions, last used times of applications, and notifications blacklist ${HOME}/.local/share/gnome-shell +# contains recently used files and serials of static/removable storage +blacklist ${HOME}/.local/share/gvfs-metadata # no direct modification of dconf database read-only ${HOME}/.config/dconf +blacklist ${RUNUSER}/gnome-session-leader-fifo +blacklist ${RUNUSER}/gnome-shell +blacklist ${RUNUSER}/gsconnect # systemd blacklist ${HOME}/.config/systemd blacklist ${HOME}/.local/share/systemd -blacklist /var/lib/systemd +blacklist ${PATH}/systemctl blacklist ${PATH}/systemd-run +blacklist ${RUNUSER}/systemd +blacklist /etc/systemd/network +blacklist /etc/systemd/system +blacklist /var/lib/systemd # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf #blacklist /var/run/systemd # openrc -blacklist /etc/runlevels/ -blacklist /etc/init.d/ +blacklist /etc/init.d blacklist /etc/rc.conf +blacklist /etc/runlevels # VirtualBox -blacklist ${HOME}/.VirtualBox blacklist ${HOME}/.config/VirtualBox +blacklist ${HOME}/.VirtualBox blacklist ${HOME}/VirtualBox VMs # GNOME Boxes @@ -175,6 +190,13 @@ blacklist /var/cache/libvirt blacklist /var/lib/libvirt blacklist /var/log/libvirt +# OCI-Containers / Podman +blacklist ${RUNUSER}/containers +blacklist ${RUNUSER}/crun +blacklist ${RUNUSER}/libpod +blacklist ${RUNUSER}/runc +blacklist ${RUNUSER}/toolbox + # VeraCrypt blacklist ${HOME}/.VeraCrypt blacklist ${PATH}/veracrypt 
@@ -223,20 +245,34 @@ blacklist /var/spool/cron blacklist /var/spool/mail # etc +blacklist /etc/adduser.conf blacklist /etc/anacrontab +blacklist /etc/apparmor* blacklist /etc/cron* +blacklist /etc/default +blacklist /etc/dkms +blacklist /etc/grub* +blacklist /etc/kernel* +blacklist /etc/logrotate* +blacklist /etc/modules* blacklist /etc/profile.d blacklist /etc/rc.local # rc1.d, rc2.d, ... blacklist /etc/rc?.d -blacklist /etc/kernel* -blacklist /etc/grub* -blacklist /etc/dkms -blacklist /etc/apparmor* -blacklist /etc/selinux -blacklist /etc/modules* -blacklist /etc/logrotate* -blacklist /etc/adduser.conf +blacklist /etc/sysconfig + +# hide config for various intrusion detection systems +blacklist /etc/aide +blacklist /etc/aide.conf +blacklist /etc/chkrootkit.conf +blacklist /etc/fail2ban.conf +blacklist /etc/logcheck +blacklist /etc/lynis +blacklist /etc/rkhunter.* +blacklist /etc/snort +blacklist /etc/suricata +blacklist /etc/tripwire +blacklist /var/lib/rkhunter # Startup files read-only ${HOME}/.antigen @@ -250,9 +286,11 @@ read-only ${HOME}/.config/fish read-only ${HOME}/.csh_files read-only ${HOME}/.cshrc read-only ${HOME}/.forward +read-only ${HOME}/.kshrc read-only ${HOME}/.local/share/fish read-only ${HOME}/.login read-only ${HOME}/.logout +read-only ${HOME}/.mkshrc read-only ${HOME}/.oh-my-zsh read-only ${HOME}/.pam_environment read-only ${HOME}/.pgpkey @@ -260,6 +298,7 @@ read-only ${HOME}/.plan read-only ${HOME}/.profile read-only ${HOME}/.project read-only ${HOME}/.tcshrc +read-only ${HOME}/.zfunc read-only ${HOME}/.zlogin read-only ${HOME}/.zlogout read-only ${HOME}/.zprofile 
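Review bot: in the `# hide config for various intrusion detection systems` block, `blacklist /etc/fail2ban.conf` does not hide fail2ban's configuration; fail2ban keeps everything under the `/etc/fail2ban/` directory (`fail2ban.conf`, `jail.conf`, `jail.d/`, `jail.local`), so the entry should be `/etc/fail2ban`. The block also hides `/etc/suricata`, `/etc/logcheck` and `/etc/lynis`, which the new ids.config in this same patch does not scan, while ids.config scans `/etc/aide`, `/etc/rkhunter*`, `/etc/snort` and `/etc/tripwire` that are hidden here; the two lists should be derived from the same set, or the difference explained.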
@@ -270,7 +309,15 @@ read-only ${HOME}/.zshrc read-only ${HOME}/.zshrc.local # Remote access -read-only ${HOME}/.ssh/authorized_keys +blacklist ${HOME}/.rhosts +blacklist ${HOME}/.shosts +blacklist ${HOME}/.ssh/authorized_keys +blacklist ${HOME}/.ssh/authorized_keys2 +blacklist ${HOME}/.ssh/environment +blacklist ${HOME}/.ssh/rc +blacklist /etc/hosts.equiv +read-only ${HOME}/.ssh/config +read-only ${HOME}/.ssh/config.d # Initialization files that allow arbitrary command execution read-only ${HOME}/.caffrc @@ -282,12 +329,14 @@ read-only ${HOME}/.exrc read-only ${HOME}/.gvimrc read-only ${HOME}/.homesick read-only ${HOME}/.iscreenrc +read-only ${HOME}/.local/lib read-only ${HOME}/.local/share/cool-retro-term read-only ${HOME}/.mailcap read-only ${HOME}/.msmtprc read-only ${HOME}/.mutt/muttrc read-only ${HOME}/.muttrc read-only ${HOME}/.nano +read-only ${HOME}/.npmrc read-only ${HOME}/.pythonrc.py read-only ${HOME}/.reportbugrc read-only ${HOME}/.tmux.conf @@ -296,19 +345,22 @@ read-only ${HOME}/.viminfo read-only ${HOME}/.vimrc read-only ${HOME}/.xmonad read-only ${HOME}/.xscreensaver +read-only ${HOME}/.yarnrc read-only ${HOME}/_exrc read-only ${HOME}/_gvimrc read-only ${HOME}/_vimrc read-only ${HOME}/dotfiles # Make directories commonly found in $PATH read-only +read-only ${HOME}/.bin +read-only ${HOME}/.cargo/bin read-only ${HOME}/.gem +read-only ${HOME}/.local/bin read-only ${HOME}/.luarocks read-only ${HOME}/.npm-packages +read-only ${HOME}/.nvm +read-only ${HOME}/.rustup read-only ${HOME}/bin -read-only ${HOME}/.bin -read-only ${HOME}/.local/bin -read-only ${HOME}/.cargo/bin # Write-protection for desktop entries read-only ${HOME}/.config/menus 
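Review bot: in `# Remote access`, moving `authorized_keys` from `read-only` to `blacklist` and adding `rc`, `environment`, `.rhosts`, `.shosts` and `/etc/hosts.equiv` is the right direction, since all of them grant access or execute at login; `read-only ${HOME}/.ssh/config` and `config.d` belong to the same class (`ProxyCommand`, `LocalCommand` and `Match exec` run arbitrary commands), so `read-only` is the minimum there. Two things to check in the following hunks: `read-only ${HOME}/.local/lib` under `# Initialization files that allow arbitrary command execution` also makes the per-user Python site-packages (`~/.local/lib/pythonX.Y/site-packages`) unwritable, so `pip install --user` breaks in every sandbox that includes this file and allow-python*.inc should probably pair it with an exception; and `read-only ${HOME}/.nvm` under `# Make directories commonly found in $PATH read-only` means `nvm install` fails in sandboxes that also include allow-common-devel.inc, because `noblacklist ${HOME}/.nvm` lifts the blacklist but not the read-only mount. A comment saying so would save a bug report.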
@@ -323,14 +375,36 @@ read-only ${HOME}/.local/share/mime # Write-protection for thumbnailer dir read-only ${HOME}/.local/share/thumbnailers +# prevent access to ssh-agent +blacklist /tmp/ssh-* + # top secret +blacklist /.fscrypt +blacklist /etc/davfs2/secrets +blacklist /etc/group+ +blacklist /etc/group- +blacklist /etc/gshadow +blacklist /etc/gshadow+ +blacklist /etc/gshadow- +blacklist /etc/passwd+ +blacklist /etc/passwd- +blacklist /etc/shadow +blacklist /etc/shadow+ +blacklist /etc/shadow- +blacklist /etc/ssh +blacklist /etc/ssh/* +blacklist /home/.ecryptfs +blacklist /home/.fscrypt blacklist ${HOME}/*.kdb blacklist ${HOME}/*.kdbx blacklist ${HOME}/*.key +blacklist ${HOME}/Private blacklist ${HOME}/.Private blacklist ${HOME}/.caff blacklist ${HOME}/.cargo/credentials +blacklist ${HOME}/.cargo/credentials.toml blacklist ${HOME}/.cert +blacklist ${HOME}/.config/hub blacklist ${HOME}/.config/keybase blacklist ${HOME}/.davfs2/secrets blacklist ${HOME}/.ecryptfs 
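Review bot: `# prevent access to ssh-agent` / `blacklist /tmp/ssh-*` only covers the socket directory OpenSSH's own `ssh-agent` creates; gnome-keyring and the systemd user unit put the socket under `${RUNUSER}` (`${RUNUSER}/keyring/ssh`, `${RUNUSER}/ssh-agent.socket`, `${RUNUSER}/openssh_agent`), and `SSH_AUTH_SOCK` is still exported into the sandbox. Add those paths and `rmenv SSH_AUTH_SOCK` next to the existing line, or make the comment say it is OpenSSH-only. In `# top secret`, `blacklist /etc/ssh` followed by `blacklist /etc/ssh/*` reads as redundant; if the glob is there so that a later `noblacklist /etc/ssh` re-opens the directory without exposing the `ssh_host_*_key` files, say so in a comment, because as written the next reader will remove one of them.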
@@ -340,39 +414,36 @@ blacklist ${HOME}/.git-credential-cache blacklist ${HOME}/.git-credentials blacklist ${HOME}/.gnome2/keyrings blacklist ${HOME}/.gnupg -blacklist ${HOME}/.config/hub blacklist ${HOME}/.kde/share/apps/kwallet blacklist ${HOME}/.kde4/share/apps/kwallet blacklist ${HOME}/.local/share/keyrings blacklist ${HOME}/.local/share/kwalletd +blacklist ${HOME}/.local/share/pki blacklist ${HOME}/.local/share/plasma-vault +blacklist ${HOME}/.minisign blacklist ${HOME}/.msmtprc blacklist ${HOME}/.mutt blacklist ${HOME}/.muttrc blacklist ${HOME}/.netrc blacklist ${HOME}/.nyx blacklist ${HOME}/.pki -blacklist ${HOME}/.local/share/pki blacklist ${HOME}/.smbcredentials blacklist ${HOME}/.ssh blacklist ${HOME}/.vaults -blacklist /.fscrypt -blacklist /etc/davfs2/secrets -blacklist /etc/group+ -blacklist /etc/group- -blacklist /etc/gshadow -blacklist /etc/gshadow+ -blacklist /etc/gshadow- -blacklist /etc/passwd+ -blacklist /etc/passwd- -blacklist /etc/shadow -blacklist /etc/shadow+ -blacklist /etc/shadow- -blacklist /etc/ssh -blacklist /home/.ecryptfs -blacklist /home/.fscrypt blacklist /var/backup +# Remove environment variables with auth tokens. +# Note however that the sandbox might still have access to the +# files where these variables are set. +rmenv GH_TOKEN +rmenv GITHUB_TOKEN +rmenv GH_ENTERPRISE_TOKEN +rmenv GITHUB_ENTERPRISE_TOKEN +rmenv CARGO_REGISTRY_TOKEN +rmenv RESTIC_KEY_HINT +rmenv RESTIC_PASSWORD_COMMAND +rmenv RESTIC_PASSWORD_FILE + # cloud provider configuration blacklist ${HOME}/.aws blacklist ${HOME}/.boto @@ -389,6 +460,7 @@ blacklist /usr/sbin # system management blacklist ${PATH}/at +blacklist ${PATH}/busybox blacklist ${PATH}/chage blacklist ${PATH}/chfn blacklist ${PATH}/chsh @@ -405,6 +477,7 @@ blacklist ${PATH}/mount blacklist ${PATH}/mount.ecryptfs_private blacklist ${PATH}/nc blacklist ${PATH}/ncat +blacklist ${PATH}/nmap blacklist ${PATH}/newgidmap blacklist ${PATH}/newgrp blacklist ${PATH}/newuidmap 
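Review bot: the `rmenv` block removes `RESTIC_PASSWORD_FILE`, `RESTIC_PASSWORD_COMMAND` and `RESTIC_KEY_HINT` but not `RESTIC_PASSWORD`, which is the one variable that carries the secret itself, nor `RESTIC_REPOSITORY`, which can embed credentials in the URL; add both. The `# cloud provider configuration` section right below hides `${HOME}/.aws` and `${HOME}/.boto` but leaves `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` in the environment, the same gap this block was added to close for GitHub and cargo. The comment's own caveat is correct and worth keeping: `rmenv` does nothing when the token is exported from a file the sandbox can still read, such as the `read-only` `${HOME}/.profile` or `${HOME}/.zshrc`.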
@@ -415,6 +488,7 @@ blacklist ${PATH}/sg blacklist ${PATH}/strace blacklist ${PATH}/su blacklist ${PATH}/sudo +blacklist ${PATH}/tcpdump blacklist ${PATH}/umount blacklist ${PATH}/unix_chkpwd blacklist ${PATH}/xev @@ -430,10 +504,12 @@ blacklist /tmp/.lxterminal-socket* blacklist /tmp/tmux-* # disable terminals running as server resulting in sandbox escape -blacklist ${PATH}/lxterminal blacklist ${PATH}/gnome-terminal blacklist ${PATH}/gnome-terminal.wrapper +# blacklist ${PATH}/konsole +# konsole doesn't seem to have this problem - last tested on Ubuntu 16.04 blacklist ${PATH}/lilyterm +blacklist ${PATH}/lxterminal blacklist ${PATH}/mate-terminal blacklist ${PATH}/mate-terminal.wrapper blacklist ${PATH}/pantheon-terminal @@ -445,8 +521,6 @@ blacklist ${PATH}/urxvtc blacklist ${PATH}/urxvtcd blacklist ${PATH}/xfce4-terminal blacklist ${PATH}/xfce4-terminal.wrapper -# blacklist ${PATH}/konsole -# konsole doesn't seem to have this problem - last tested on Ubuntu 16.04 # kernel files blacklist /initrd* 
@@ -458,24 +532,24 @@ blacklist /.snapshots # flatpak blacklist ${HOME}/.cache/flatpak blacklist ${HOME}/.config/flatpak -blacklist ${HOME}/.local/share/flatpak/app -blacklist ${HOME}/.local/share/flatpak/appstream -blacklist ${HOME}/.local/share/flatpak/db +noblacklist ${HOME}/.local/share/flatpak/exports read-only ${HOME}/.local/share/flatpak/exports -blacklist ${HOME}/.local/share/flatpak/oci -blacklist ${HOME}/.local/share/flatpak/overrides -blacklist ${HOME}/.local/share/flatpak/repo -blacklist ${HOME}/.local/share/flatpak/runtime +blacklist ${HOME}/.local/share/flatpak/* blacklist ${HOME}/.var -blacklist ${RUNUSER}/app -blacklist ${RUNUSER}/doc +# most of the time bwrap is SUID binary +blacklist ${PATH}/bwrap blacklist ${RUNUSER}/.dbus-proxy blacklist ${RUNUSER}/.flatpak +blacklist ${RUNUSER}/.flatpak-cache blacklist ${RUNUSER}/.flatpak-helper +blacklist ${RUNUSER}/app +blacklist ${RUNUSER}/doc blacklist /usr/share/flatpak -blacklist /var/lib/flatpak -# most of the time bwrap is SUID binary -blacklist ${PATH}/bwrap +noblacklist /var/lib/flatpak/exports +blacklist /var/lib/flatpak/* + +# snap +blacklist ${RUNUSER}/snapd-session-agent.socket # mail directories used by mutt blacklist ${HOME}/.Mail 
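Review bot: in the `# flatpak` hunk, `noblacklist ${HOME}/.local/share/flatpak/exports` and `noblacklist /var/lib/flatpak/exports` must stay ahead of the `blacklist .../*` lines that follow them, since `noblacklist` only disables blacklist lines processed after it; this very patch alphabetically reorders other blocks (`# disable terminals`, `# openrc`, `# VirtualBox`), so put a comment on both pairs saying the order is deliberate. Also, `blacklist ${HOME}/.local/share/flatpak/*` and `blacklist /var/lib/flatpak/*` are globs, and `*` does not match dot-prefixed names, so any dot-entries in those directories remain visible; if that is acceptable, a comment should say the glob was chosen so that `exports` can be carved out.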
@@ -492,12 +566,24 @@ blacklist /proc/config.gz # prevent DNS malware attempting to communicate with the server # using regular DNS tools blacklist ${PATH}/dig -blacklist ${PATH}/kdig -blacklist ${PATH}/nslookup -blacklist ${PATH}/host blacklist ${PATH}/dlint -blacklist ${PATH}/dnswalk blacklist ${PATH}/dns2tcp +blacklist ${PATH}/dnssec-* +blacklist ${PATH}/dnswalk +blacklist ${PATH}/drill +blacklist ${PATH}/host blacklist ${PATH}/iodine +blacklist ${PATH}/kdig +blacklist ${PATH}/khost blacklist ${PATH}/knsupdate +blacklist ${PATH}/ldns-* +blacklist ${PATH}/ldnsd +blacklist ${PATH}/nslookup blacklist ${PATH}/resolvectl +blacklist ${PATH}/unbound-host + +# rest of ${RUNUSER} +blacklist ${RUNUSER}/*.lock +blacklist ${RUNUSER}/inaccessible +blacklist ${RUNUSER}/pk-debconf-socket +blacklist ${RUNUSER}/update-notifier.pid diff --git a/etc/inc/disable-devel.inc b/etc/inc/disable-devel.inc index e1ba13380b1..98bf5ecc84d 100644 --- a/etc/inc/disable-devel.inc +++ b/etc/inc/disable-devel.inc @@ -49,6 +49,7 @@ blacklist ${PATH}/openssl-1.0 blacklist ${PATH}/rust-gdb blacklist ${PATH}/rust-lldb blacklist ${PATH}/rustc +blacklist ${HOME}/.rustup # tcc - Tiny C Compiler blacklist ${PATH}/tcc @@ -59,9 +60,7 @@ blacklist /usr/lib/tcc blacklist ${PATH}/valgrind* blacklist /usr/lib/valgrind - # Source-Code - blacklist /usr/src blacklist /usr/local/src blacklist /usr/include diff --git a/etc/inc/disable-exec.inc b/etc/inc/disable-exec.inc index ee33917305c..9b5c40a2bb5 100644 --- a/etc/inc/disable-exec.inc +++ b/etc/inc/disable-exec.inc @@ -4,6 +4,7 @@ include disable-exec.local noexec ${HOME} noexec ${RUNUSER} +noexec /dev/mqueue noexec /dev/shm noexec /tmp # /var is noexec by default for unprivileged users diff --git a/etc/inc/disable-interpreters.inc b/etc/inc/disable-interpreters.inc index 59e9c7de3e4..5d8a236fbf8 100644 --- a/etc/inc/disable-interpreters.inc +++ b/etc/inc/disable-interpreters.inc 
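Review bot: the `# prevent DNS malware ...` block now adds `dnssec-*` and `ldns-*`, most of which are zone and key utilities rather than resolvers, while the comment claims the block stops malware from talking to DNS servers; it does not, because any program resolves through libc (`getaddrinfo`) or its own UDP/53 socket, so the list is at most a nuisance for a shell-script dropper. Either tone the comment down or point at the controls that actually constrain resolution (`net`, `netfilter`, `dns`). In the same hunk, `blacklist ${RUNUSER}/*.lock` is broad for a `# rest of ${RUNUSER}` catch-all; the other three entries name specific files, so this one should list the lock files it means.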
@@ -6,8 +6,8 @@ include disable-interpreters.local blacklist ${PATH}/gjs blacklist ${PATH}/gjs-console blacklist /usr/lib/gjs -blacklist /usr/lib64/gjs blacklist /usr/lib/libgjs* +blacklist /usr/lib64/gjs blacklist /usr/lib64/libgjs* # Lua @@ -15,9 +15,12 @@ blacklist ${PATH}/lua* blacklist /usr/include/lua* blacklist /usr/lib/liblua* blacklist /usr/lib/lua +blacklist /usr/lib64/liblua* +blacklist /usr/lib64/lua blacklist /usr/share/lua* # mozjs +blacklist /usr/lib/libmozjs-* blacklist /usr/lib64/libmozjs-* # Node.js @@ -28,12 +31,13 @@ blacklist /usr/include/node blacklist ${HOME}/.nvm # Perl -blacklist ${PATH}/cpan* blacklist ${PATH}/core_perl +blacklist ${PATH}/cpan* blacklist ${PATH}/perl blacklist ${PATH}/site_perl blacklist ${PATH}/vendor_perl blacklist /usr/lib/perl* +blacklist /usr/lib64/perl* blacklist /usr/share/perl* # PHP diff --git a/etc/inc/disable-passwdmgr.inc b/etc/inc/disable-passwdmgr.inc deleted file mode 100644 index 316378cb829..00000000000 --- a/etc/inc/disable-passwdmgr.inc +++ /dev/null @@ -1,18 +0,0 @@ -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include disable-passwdmgr.local - -blacklist ${HOME}/.config/Bitwarden -blacklist ${HOME}/.config/KeePass -blacklist ${HOME}/.config/keepass -blacklist ${HOME}/.config/keepassx -blacklist ${HOME}/.config/keepassxc -blacklist ${HOME}/.config/Sinew Software Systems -blacklist ${HOME}/.fpm -blacklist ${HOME}/.keepass -blacklist ${HOME}/.keepassx -blacklist ${HOME}/.keepassxc -blacklist ${HOME}/.lastpass -blacklist ${HOME}/.local/share/KeePass -blacklist ${HOME}/.local/share/keepass -blacklist ${HOME}/.password-store diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 89189b53337..511d8730e5c 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc 
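Review bot: deleting disable-passwdmgr.inc breaks every profile that still has `include disable-passwdmgr.inc`, and the diff shows no profile updates, so those need to land in the same change. Of the deleted file's entries, only `${HOME}/.config/KeePass`, `KeePassXCrc`, `keepass`, `keepassx` and `keepassxc` reappear in the visible disable-programs.inc hunks; `${HOME}/.config/Bitwarden`, `${HOME}/.fpm`, `${HOME}/.keepass`, `.keepassx`, `.keepassxc`, `${HOME}/.lastpass`, `${HOME}/.local/share/KeePass`, `${HOME}/.local/share/keepass` and `${HOME}/.password-store` fall outside the shown range, so please confirm they were moved rather than dropped (`.password-store` is where `pass` keeps its gpg-encrypted secrets).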
@@ -2,17 +2,6 @@ # Persistent customizations should go in a .local file. include disable-programs.local -blacklist ${HOME}/Arduino -blacklist ${HOME}/i2p -blacklist ${HOME}/Monero/wallets -blacklist ${HOME}/Nextcloud/Notes -blacklist ${HOME}/SoftMaker -blacklist ${HOME}/Standard Notes Backups -blacklist ${HOME}/TeamSpeak3-Client-linux_x86 -blacklist ${HOME}/TeamSpeak3-Client-linux_amd64 -blacklist ${HOME}/hyperrogue.ini -blacklist ${HOME}/mps -blacklist ${HOME}/wallet.dat blacklist ${HOME}/.*coin blacklist ${HOME}/.8pecxstudios blacklist ${HOME}/.AndroidStudio* @@ -38,6 +27,9 @@ blacklist ${HOME}/.WebStorm* blacklist ${HOME}/.Wolfram Research blacklist ${HOME}/.ZAP blacklist ${HOME}/.aMule +blacklist ${HOME}/.abook +blacklist ${HOME}/.addressbook +blacklist ${HOME}/.alpine-smime blacklist ${HOME}/.android blacklist ${HOME}/.anydesk blacklist ${HOME}/.arduino15 @@ -49,20 +41,19 @@ blacklist ${HOME}/.asunder_album_title blacklist ${HOME}/.atom blacklist ${HOME}/.attic blacklist ${HOME}/.audacity-data +blacklist ${HOME}/.avidemux6 +blacklist ${HOME}/.ballbuster.hs +blacklist ${HOME}/.balsa blacklist ${HOME}/.bcast5 blacklist ${HOME}/.bibletime blacklist ${HOME}/.bitcoin +blacklist ${HOME}/.blobby blacklist ${HOME}/.bogofilter blacklist ${HOME}/.bzf -blacklist ${HOME}/.cargo/advisory-db -blacklist ${HOME}/.cargo/config -blacklist ${HOME}/.cargo/git -blacklist ${HOME}/.cargo/registry -blacklist ${HOME}/.cargo/.crates.toml -blacklist ${HOME}/.cargo/.crates2.json -blacklist ${HOME}/.cargo/.package-cache +blacklist ${HOME}/.cargo/* blacklist ${HOME}/.claws-mail blacklist ${HOME}/.cliqz +blacklist ${HOME}/.clion* blacklist ${HOME}/.clonk blacklist ${HOME}/.config/0ad blacklist ${HOME}/.config/2048-qt 
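Review bot: the first hunk of disable-programs.inc removes eleven top-level entries (`${HOME}/Arduino`, `i2p`, `Monero/wallets`, `Nextcloud/Notes`, `SoftMaker`, `Standard Notes Backups`, both `TeamSpeak3-Client-*` directories, `hyperrogue.ini`, `mps`, `wallet.dat`) and none of them is re-added in the visible hunks. If they were re-sorted to the end of the file that is fine, but the visible diff stops before that point, so confirm; silently un-hiding `${HOME}/wallet.dat` and `${HOME}/Monero/wallets` would be a regression. In the same file, `blacklist ${HOME}/.cargo/*` replaces an explicit list, and because `*` does not match dot-prefixed names, `.crates.toml`, `.crates2.json` and `.package-cache` from the removed lines are no longer hidden; keep those three explicit.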
@@ -81,10 +72,17 @@ blacklist ${HOME}/.config/Code Industry blacklist ${HOME}/.config/Cryptocat blacklist ${HOME}/.config/Debauchee/Barrier.conf blacklist ${HOME}/.config/Dharkael +blacklist ${HOME}/.config/ENCOM +blacklist ${HOME}/.config/Element +blacklist ${HOME}/.config/Element (Riot) blacklist ${HOME}/.config/Enox +blacklist ${HOME}/.config/Epic +blacklist ${HOME}/.config/Exodus blacklist ${HOME}/.config/Ferdi +blacklist ${HOME}/.config/Flavio Tordini blacklist ${HOME}/.config/Franz blacklist ${HOME}/.config/FreeCAD +blacklist ${HOME}/.config/FreeTube blacklist ${HOME}/.config/Fritzing blacklist ${HOME}/.config/GIMP blacklist ${HOME}/.config/GitHub Desktop 
@@ -95,39 +93,63 @@ blacklist ${HOME}/.config/Gpredict blacklist ${HOME}/.config/INRIA blacklist ${HOME}/.config/InSilmaril blacklist ${HOME}/.config/Jitsi Meet +blacklist ${HOME}/.config/JetBrains/CLion* +blacklist ${HOME}/.config/KDE/neochat +blacklist ${HOME}/.config/KeePass +blacklist ${HOME}/.config/KeePassXCrc blacklist ${HOME}/.config/Kid3 blacklist ${HOME}/.config/Kingsoft +blacklist ${HOME}/.config/LibreCAD +blacklist ${HOME}/.config/Loop_Hero blacklist ${HOME}/.config/Luminance +blacklist ${HOME}/.config/LyX +blacklist ${HOME}/.config/Mattermost blacklist ${HOME}/.config/Meltytech blacklist ${HOME}/.config/Mendeley Ltd. +blacklist ${HOME}/.config/Microsoft blacklist ${HOME}/.config/Min +blacklist ${HOME}/.config/ModTheSpire blacklist ${HOME}/.config/Mousepad blacklist ${HOME}/.config/Mumble blacklist ${HOME}/.config/MusE blacklist ${HOME}/.config/MuseScore blacklist ${HOME}/.config/MusicBrainz blacklist ${HOME}/.config/Nathan Osman +blacklist ${HOME}/.config/Nextcloud +blacklist ${HOME}/.config/NitroShare blacklist ${HOME}/.config/Nylas Mail blacklist ${HOME}/.config/PBE +blacklist ${HOME}/.config/PacmanLogViewer +blacklist ${HOME}/.config/PawelStolowski blacklist ${HOME}/.config/Philipp Schmieder +blacklist ${HOME}/.config/Pinta blacklist ${HOME}/.config/QGIS blacklist ${HOME}/.config/QMediathekView blacklist ${HOME}/.config/Qlipper blacklist ${HOME}/.config/QuiteRss blacklist ${HOME}/.config/QuiteRssrc +blacklist ${HOME}/.config/Quotient blacklist ${HOME}/.config/Rambox blacklist ${HOME}/.config/Riot blacklist ${HOME}/.config/Rocket.Chat +blacklist ${HOME}/.config/RogueLegacy +blacklist ${HOME}/.config/RogueLegacyStorageContainer blacklist ${HOME}/.config/Signal blacklist ${HOME}/.config/Sinew Software Systems blacklist ${HOME}/.config/Slack blacklist ${HOME}/.config/Standard Notes blacklist ${HOME}/.config/SubDownloader blacklist ${HOME}/.config/Thunar +blacklist ${HOME}/.config/Twitch blacklist ${HOME}/.config/Unknown Organization blacklist 
${HOME}/.config/VirtualBox +blacklist ${HOME}/.config/Whalebird blacklist ${HOME}/.config/Wire +blacklist ${HOME}/.config/Youtube +blacklist ${HOME}/.config/ZeGrapher Project blacklist ${HOME}/.config/Zeal +blacklist ${HOME}/.config/Zulip +blacklist ${HOME}/.config/aacs blacklist ${HOME}/.config/abiword blacklist ${HOME}/.config/agenda blacklist ${HOME}/.config/akonadi* @@ -143,10 +165,12 @@ blacklist ${HOME}/.config/asunder blacklist ${HOME}/.config/atril blacklist ${HOME}/.config/audacious blacklist ${HOME}/.config/autokey +blacklist ${HOME}/.config/avidemux3_qt5rc blacklist ${HOME}/.config/aweather blacklist ${HOME}/.config/backintime blacklist ${HOME}/.config/baloofilerc blacklist ${HOME}/.config/baloorc +blacklist ${HOME}/.config/bcompare blacklist ${HOME}/.config/blender blacklist ${HOME}/.config/bless blacklist ${HOME}/.config/bnox @@ -158,16 +182,26 @@ blacklist ${HOME}/.config/caja blacklist ${HOME}/.config/calibre blacklist ${HOME}/.config/cantata blacklist ${HOME}/.config/catfish +blacklist ${HOME}/.config/cawbird blacklist ${HOME}/.config/celluloid blacklist ${HOME}/.config/cherrytree +blacklist ${HOME}/.config/chrome-beta-flags.conf +blacklist ${HOME}/.config/chrome-beta-flags.config +blacklist ${HOME}/.config/chrome-flags.conf +blacklist ${HOME}/.config/chrome-flags.config +blacklist ${HOME}/.config/chrome-unstable-flags.conf +blacklist ${HOME}/.config/chrome-unstable-flags.config blacklist ${HOME}/.config/chromium blacklist ${HOME}/.config/chromium-dev blacklist ${HOME}/.config/chromium-flags.conf blacklist ${HOME}/.config/clipit blacklist ${HOME}/.config/cliqz blacklist ${HOME}/.config/cmus +blacklist ${HOME}/.config/com.github.bleakgrey.tootle blacklist ${HOME}/.config/corebird blacklist ${HOME}/.config/cower +blacklist ${HOME}/.config/coyim +blacklist ${HOME}/.config/d-feet blacklist ${HOME}/.config/darktable blacklist ${HOME}/.config/deadbeef blacklist ${HOME}/.config/deluge 
@@ -178,32 +212,39 @@ blacklist ${HOME}/.config/discord blacklist ${HOME}/.config/discordcanary blacklist ${HOME}/.config/dkl blacklist ${HOME}/.config/dnox +blacklist ${HOME}/.config/dolphin-emu blacklist ${HOME}/.config/dolphinrc blacklist ${HOME}/.config/dragonplayerrc blacklist ${HOME}/.config/draw.io -blacklist ${HOME}/.config/d-feet blacklist ${HOME}/.config/electron-mail blacklist ${HOME}/.config/emaildefaults blacklist ${HOME}/.config/emailidentities +blacklist ${HOME}/.config/emilia blacklist ${HOME}/.config/enchant blacklist ${HOME}/.config/eog blacklist ${HOME}/.config/epiphany +blacklist ${HOME}/.config/equalx blacklist ${HOME}/.config/evince blacklist ${HOME}/.config/evolution blacklist ${HOME}/.config/falkon blacklist ${HOME}/.config/filezilla +blacklist ${HOME}/.config/flameshot +blacklist ${HOME}/.config/flaska.net blacklist ${HOME}/.config/flowblade blacklist ${HOME}/.config/font-manager blacklist ${HOME}/.config/freecol blacklist ${HOME}/.config/gajim blacklist ${HOME}/.config/galculator +blacklist ${HOME}/.config/gallery-dl blacklist ${HOME}/.config/gconf blacklist ${HOME}/.config/geany +blacklist ${HOME}/.config/geary blacklist ${HOME}/.config/gedit blacklist ${HOME}/.config/geeqie blacklist ${HOME}/.config/ghb blacklist ${HOME}/.config/ghostwriter blacklist ${HOME}/.config/git +blacklist ${HOME}/.config/git-cola blacklist ${HOME}/.config/glade.conf blacklist ${HOME}/.config/globaltime blacklist ${HOME}/.config/gmpc @@ -216,6 +257,7 @@ blacklist ${HOME}/.config/gnome-mplayer blacklist ${HOME}/.config/gnome-mpv blacklist ${HOME}/.config/gnome-pie blacklist ${HOME}/.config/gnome-session +blacklist ${HOME}/.config/gnote blacklist ${HOME}/.config/godot blacklist ${HOME}/.config/google-chrome blacklist ${HOME}/.config/google-chrome-beta 
@@ -223,13 +265,16 @@ blacklist ${HOME}/.config/google-chrome-unstable blacklist ${HOME}/.config/gpicview blacklist ${HOME}/.config/gthumb blacklist ${HOME}/.config/gummi +blacklist ${HOME}/.config/guvcview2 blacklist ${HOME}/.config/gwenviewrc blacklist ${HOME}/.config/hexchat +blacklist ${HOME}/.config/homebank blacklist ${HOME}/.config/i2p blacklist ${HOME}/.config/inkscape blacklist ${HOME}/.config/inox blacklist ${HOME}/.config/iridium blacklist ${HOME}/.config/itch +blacklist ${HOME}/.config/jami blacklist ${HOME}/.config/jd-gui.cfg blacklist ${HOME}/.config/k3brc blacklist ${HOME}/.config/kaffeinerc @@ -240,8 +285,14 @@ blacklist ${HOME}/.config/katerc blacklist ${HOME}/.config/kateschemarc blacklist ${HOME}/.config/katesyntaxhighlightingrc blacklist ${HOME}/.config/katevirc +blacklist ${HOME}/.config/kazam blacklist ${HOME}/.config/kdeconnect blacklist ${HOME}/.config/kdenliverc +blacklist ${HOME}/.config/kdiff3fileitemactionrc +blacklist ${HOME}/.config/kdiff3rc +blacklist ${HOME}/.config/keepass +blacklist ${HOME}/.config/keepassx +blacklist ${HOME}/.config/keepassxc blacklist ${HOME}/.config/kfindrc blacklist ${HOME}/.config/kgetrc blacklist ${HOME}/.config/kid3rc 
@@ -251,68 +302,89 @@ blacklist ${HOME}/.config/kmail2rc blacklist ${HOME}/.config/kmailsearchindexingrc blacklist ${HOME}/.config/kmplayerrc blacklist ${HOME}/.config/knotesrc +blacklist ${HOME}/.config/konversation.notifyrc blacklist ${HOME}/.config/konversationrc blacklist ${HOME}/.config/kritarc blacklist ${HOME}/.config/ktorrentrc blacklist ${HOME}/.config/ktouch2rc +blacklist ${HOME}/.config/kube blacklist ${HOME}/.config/kwriterc blacklist ${HOME}/.config/leafpad blacklist ${HOME}/.config/libreoffice blacklist ${HOME}/.config/liferea +blacklist ${HOME}/.config/linphone blacklist ${HOME}/.config/lugaru +blacklist ${HOME}/.config/lutris blacklist ${HOME}/.config/lximage-qt blacklist ${HOME}/.config/mailtransports blacklist ${HOME}/.config/mana blacklist ${HOME}/.config/mate-calc blacklist ${HOME}/.config/mate/eom blacklist ${HOME}/.config/mate/mate-dictionary +blacklist ${HOME}/.config/matrix-mirage +blacklist ${HOME}/.config/mcomix blacklist ${HOME}/.config/meld -blacklist ${HOME}/.config/meteo-qt blacklist ${HOME}/.config/menulibre.cfg +blacklist ${HOME}/.config/meteo-qt blacklist ${HOME}/.config/mfusion -blacklist ${HOME}/.config/Microsoft +blacklist ${HOME}/.config/microsoft-edge-beta +blacklist ${HOME}/.config/microsoft-edge-dev blacklist ${HOME}/.config/midori +blacklist ${HOME}/.config/mirage blacklist ${HOME}/.config/mono blacklist ${HOME}/.config/mpDris2 blacklist ${HOME}/.config/mpd blacklist ${HOME}/.config/mps-youtube blacklist ${HOME}/.config/mpv blacklist ${HOME}/.config/mupen64plus +blacklist ${HOME}/.config/mutt blacklist ${HOME}/.config/mutter blacklist ${HOME}/.config/mypaint blacklist ${HOME}/.config/nano blacklist ${HOME}/.config/nautilus blacklist ${HOME}/.config/nemo +blacklist ${HOME}/.config/neochat.notifyrc +blacklist ${HOME}/.config/neochatrc +blacklist ${HOME}/.config/neomutt blacklist ${HOME}/.config/netsurf blacklist ${HOME}/.config/newsbeuter +blacklist ${HOME}/.config/newsboat +blacklist ${HOME}/.config/newsflash blacklist 
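Review bot: the hunk that moves `blacklist ${HOME}/.config/Microsoft` adds `microsoft-edge-beta` and `microsoft-edge-dev` but not the stable channel's `${HOME}/.config/microsoft-edge`; add it alongside, the same way the `google-chrome`, `google-chrome-beta` and `google-chrome-unstable` entries cover all three Chrome channels.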
${HOME}/.config/nheko -blacklist ${HOME}/.config/NitroShare blacklist ${HOME}/.config/nomacs +blacklist ${HOME}/.config/nuclear blacklist ${HOME}/.config/obs-studio blacklist ${HOME}/.config/okularpartrc blacklist ${HOME}/.config/okularrc +blacklist ${HOME}/.config/onboard blacklist ${HOME}/.config/onionshare blacklist ${HOME}/.config/onlyoffice +blacklist ${HOME}/.config/openmw blacklist ${HOME}/.config/opera blacklist ${HOME}/.config/opera-beta blacklist ${HOME}/.config/orage blacklist ${HOME}/.config/org.gabmus.gfeeds.json +blacklist ${HOME}/.config/org.gabmus.gfeeds.saved_articles blacklist ${HOME}/.config/org.kde.gwenviewrc +blacklist ${HOME}/.config/otter blacklist ${HOME}/.config/pavucontrol-qt blacklist ${HOME}/.config/pavucontrol.ini blacklist ${HOME}/.config/pcmanfm blacklist ${HOME}/.config/pdfmod -blacklist ${HOME}/.config/Pinta +blacklist ${HOME}/.config/pipe-viewer blacklist ${HOME}/.config/pitivi blacklist ${HOME}/.config/pix blacklist ${HOME}/.config/pluma blacklist ${HOME}/.config/ppsspp blacklist ${HOME}/.config/pragha blacklist ${HOME}/.config/profanity +blacklist ${HOME}/.config/psi blacklist ${HOME}/.config/psi+ blacklist ${HOME}/.config/qBittorrent blacklist ${HOME}/.config/qBittorrentrc +blacklist ${HOME}/.config/qnapi.ini blacklist ${HOME}/.config/qpdfview +blacklist ${HOME}/.config/quodlibet blacklist ${HOME}/.config/qupzilla blacklist ${HOME}/.config/qutebrowser blacklist ${HOME}/.config/ranger 
@@ -324,19 +396,25 @@ blacklist ${HOME}/.config/rtv blacklist ${HOME}/.config/scribus blacklist ${HOME}/.config/scribusrc blacklist ${HOME}/.config/sinew.in +blacklist ${HOME}/.config/sink blacklist ${HOME}/.config/skypeforlinux blacklist ${HOME}/.config/slimjet blacklist ${HOME}/.config/smplayer blacklist ${HOME}/.config/smtube +blacklist ${HOME}/.config/smuxi blacklist ${HOME}/.config/snox blacklist ${HOME}/.config/sound-juicer blacklist ${HOME}/.config/specialmailcollectionsrc +blacklist ${HOME}/.config/spectaclerc blacklist ${HOME}/.config/spotify blacklist ${HOME}/.config/sqlitebrowser blacklist ${HOME}/.config/stellarium +blacklist ${HOME}/.config/straw-viewer +blacklist ${HOME}/.config/strawberry blacklist ${HOME}/.config/supertuxkart blacklist ${HOME}/.config/synfig blacklist ${HOME}/.config/teams +blacklist ${HOME}/.config/teams-for-linux blacklist ${HOME}/.config/telepathy-account-widgets blacklist ${HOME}/.config/torbrowser blacklist ${HOME}/.config/totem 
@@ -344,27 +422,30 @@ blacklist ${HOME}/.config/tox blacklist ${HOME}/.config/transgui blacklist ${HOME}/.config/transmission blacklist ${HOME}/.config/truecraft +blacklist ${HOME}/.config/tuta_integration +blacklist ${HOME}/.config/tutanota-desktop blacklist ${HOME}/.config/tvbrowser blacklist ${HOME}/.config/uGet +blacklist ${HOME}/.config/ungoogled-chromium blacklist ${HOME}/.config/uzbl blacklist ${HOME}/.config/viewnior blacklist ${HOME}/.config/vivaldi blacklist ${HOME}/.config/vivaldi-snapshot blacklist ${HOME}/.config/vlc blacklist ${HOME}/.config/wesnoth -blacklist ${HOME}/.config/wormux -blacklist ${HOME}/.config/Whalebird blacklist ${HOME}/.config/wireshark +blacklist ${HOME}/.config/wormux blacklist ${HOME}/.config/xchat blacklist ${HOME}/.config/xed blacklist ${HOME}/.config/xfburn +blacklist ${HOME}/.config/xfce4-dict blacklist ${HOME}/.config/xfce4/xfce4-notes.gtkrc blacklist ${HOME}/.config/xfce4/xfce4-notes.rc blacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml blacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml -blacklist ${HOME}/.config/xfce4-dict blacklist ${HOME}/.config/xiaoyong blacklist ${HOME}/.config/xmms2 +blacklist ${HOME}/.config/xournalpp blacklist ${HOME}/.config/xplayer blacklist ${HOME}/.config/xreader blacklist ${HOME}/.config/xviewer 
@@ -372,12 +453,18 @@ blacklist ${HOME}/.config/yandex-browser blacklist ${HOME}/.config/yandex-browser-beta blacklist ${HOME}/.config/yelp blacklist ${HOME}/.config/youtube-dl +blacklist ${HOME}/.config/youtube-dlg +blacklist ${HOME}/.config/youtube-music-desktop-app +blacklist ${HOME}/.config/youtube-viewer +blacklist ${HOME}/.config/youtubemusic-nativefier-040164 +blacklist ${HOME}/.config/yt-dlp blacklist ${HOME}/.config/zathura +blacklist ${HOME}/.config/zim blacklist ${HOME}/.config/zoomus.conf -blacklist ${HOME}/.config/Zulip blacklist ${HOME}/.conkeror.mozdev.org blacklist ${HOME}/.crawl blacklist ${HOME}/.cups +blacklist ${HOME}/.curl-hsts blacklist ${HOME}/.curlrc blacklist ${HOME}/.dashcore blacklist ${HOME}/.devilspie 
@@ -393,31 +480,37 @@ blacklist ${HOME}/.electrum* blacklist ${HOME}/.elinks blacklist ${HOME}/.emacs blacklist ${HOME}/.emacs.d +blacklist ${HOME}/.equalx blacklist ${HOME}/.ethereum blacklist ${HOME}/.etr blacklist ${HOME}/.filezilla +blacklist ${HOME}/.firedragon blacklist ${HOME}/.flowblade blacklist ${HOME}/.fltk blacklist ${HOME}/.fossamail +blacklist ${HOME}/.fpm blacklist ${HOME}/.freeciv blacklist ${HOME}/.freecol blacklist ${HOME}/.freemind blacklist ${HOME}/.frogatto blacklist ${HOME}/.frozen-bubble +blacklist ${HOME}/.funnyboat +blacklist ${HOME}/.gallery-dl.conf +blacklist ${HOME}/.geekbench5 blacklist ${HOME}/.gimp* blacklist ${HOME}/.gist blacklist ${HOME}/.gitconfig +blacklist ${HOME}/.gl-117 +blacklist ${HOME}/.glaxiumrc blacklist ${HOME}/.gnome/gnome-schedule -blacklist ${HOME}/.googleearth/Cache -blacklist ${HOME}/.googleearth/Temp -blacklist ${HOME}/.googleearth/myplaces.backup.kml -blacklist ${HOME}/.googleearth/myplaces.kml +blacklist ${HOME}/.goldendict +blacklist ${HOME}/.googleearth blacklist ${HOME}/.gradle blacklist ${HOME}/.gramps blacklist ${HOME}/.guayadeque blacklist ${HOME}/.hashcat -blacklist ${HOME}/.hex-a-hop blacklist ${HOME}/.hedgewars +blacklist ${HOME}/.hex-a-hop blacklist ${HOME}/.hugin blacklist ${HOME}/.i2p blacklist ${HOME}/.icedove 
@@ -493,14 +586,21 @@ blacklist ${HOME}/.kde4/share/config/kopeterc blacklist ${HOME}/.kde4/share/config/ktorrentrc blacklist ${HOME}/.kde4/share/config/okularpartrc blacklist ${HOME}/.kde4/share/config/okularrc +blacklist ${HOME}/.keepass +blacklist ${HOME}/.keepassx +blacklist ${HOME}/.keepassxc blacklist ${HOME}/.killingfloor blacklist ${HOME}/.kingsoft blacklist ${HOME}/.kino-history blacklist ${HOME}/.kinorc blacklist ${HOME}/.klatexformula +blacklist ${HOME}/.klei blacklist ${HOME}/.kodi +blacklist ${HOME}/.lastpass +blacklist ${HOME}/.librewolf blacklist ${HOME}/.lincity-ng blacklist ${HOME}/.links +blacklist ${HOME}/.links2 blacklist ${HOME}/.linphone-history.db blacklist ${HOME}/.linphonerc blacklist ${HOME}/.lmmsrc.xml 
@@ -508,40 +608,61 @@ blacklist ${HOME}/.local/lib/vivaldi blacklist ${HOME}/.local/share/0ad blacklist ${HOME}/.local/share/3909/PapersPlease blacklist ${HOME}/.local/share/Anki2 +blacklist ${HOME}/.local/share/Dredmor blacklist ${HOME}/.local/share/Empathy blacklist ${HOME}/.local/share/Enpass +blacklist ${HOME}/.local/share/FasterThanLight +blacklist ${HOME}/.local/share/Flavio Tordini +blacklist ${HOME}/.local/share/IntoTheBreach blacklist ${HOME}/.local/share/JetBrains +blacklist ${HOME}/.local/share/KDE/neochat +blacklist ${HOME}/.local/share/KeePass blacklist ${HOME}/.local/share/Kingsoft +blacklist ${HOME}/.local/share/LibreCAD blacklist ${HOME}/.local/share/Mendeley Ltd. blacklist ${HOME}/.local/share/Mumble +blacklist ${HOME}/.local/share/Nextcloud blacklist ${HOME}/.local/share/PBE +blacklist ${HOME}/.local/share/Paradox Interactive +blacklist ${HOME}/.local/share/PawelStolowski +blacklist ${HOME}/.local/share/PillarsOfEternity +blacklist ${HOME}/.local/share/Psi blacklist ${HOME}/.local/share/QGIS blacklist ${HOME}/.local/share/QMediathekView blacklist ${HOME}/.local/share/QuiteRss blacklist ${HOME}/.local/share/Ricochet +blacklist ${HOME}/.local/share/RogueLegacy +blacklist ${HOME}/.local/share/RogueLegacyStorageContainer blacklist ${HOME}/.local/share/Shortwave blacklist ${HOME}/.local/share/Steam +blacklist ${HOME}/.local/share/SteamWorld Dig 2 +blacklist ${HOME}/.local/share/SteamWorldDig blacklist ${HOME}/.local/share/SuperHexagon blacklist ${HOME}/.local/share/TelegramDesktop blacklist ${HOME}/.local/share/Terraria blacklist ${HOME}/.local/share/TpLogger blacklist ${HOME}/.local/share/Zeal +blacklist ${HOME}/.local/share/agenda blacklist ${HOME}/.local/share/akonadi* blacklist ${HOME}/.local/share/akregator -blacklist ${HOME}/.local/share/agenda blacklist ${HOME}/.local/share/apps/korganizer blacklist ${HOME}/.local/share/aspyr-media +blacklist ${HOME}/.local/share/authenticator-rs blacklist ${HOME}/.local/share/autokey blacklist 
${HOME}/.local/share/backintime blacklist ${HOME}/.local/share/baloo blacklist ${HOME}/.local/share/barrier blacklist ${HOME}/.local/share/bibletime +blacklist ${HOME}/.local/share/bijiben +blacklist ${HOME}/.local/share/bohemiainteractive blacklist ${HOME}/.local/share/caja-python +blacklist ${HOME}/.local/share/calligragemini blacklist ${HOME}/.local/share/cantata blacklist ${HOME}/.local/share/cdprojektred blacklist ${HOME}/.local/share/clipit blacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate blacklist ${HOME}/.local/share/contacts +blacklist ${HOME}/.local/share/cor-games blacklist ${HOME}/.local/share/data/Mendeley Ltd. blacklist ${HOME}/.local/share/data/Mumble blacklist ${HOME}/.local/share/data/MusE @@ -550,6 +671,7 @@ blacklist ${HOME}/.local/share/data/nomacs blacklist ${HOME}/.local/share/data/qBittorrent blacklist ${HOME}/.local/share/dino blacklist ${HOME}/.local/share/dolphin +blacklist ${HOME}/.local/share/dolphin-emu blacklist ${HOME}/.local/share/emailidentities blacklist ${HOME}/.local/share/epiphany blacklist ${HOME}/.local/share/evolution @@ -577,14 +699,18 @@ blacklist ${HOME}/.local/share/gnome-recipes blacklist ${HOME}/.local/share/gnome-ring blacklist ${HOME}/.local/share/gnome-sudoku blacklist ${HOME}/.local/share/gnome-twitch +blacklist ${HOME}/.local/share/gnote blacklist ${HOME}/.local/share/godot blacklist ${HOME}/.local/share/gradio blacklist ${HOME}/.local/share/gwenview blacklist ${HOME}/.local/share/i2p +blacklist ${HOME}/.local/share/io.github.lainsce.Notejot +blacklist ${HOME}/.local/share/jami blacklist ${HOME}/.local/share/kaffeine blacklist ${HOME}/.local/share/kalgebra blacklist ${HOME}/.local/share/kate blacklist ${HOME}/.local/share/kdenlive +blacklist ${HOME}/.local/share/keepass blacklist ${HOME}/.local/share/kget blacklist ${HOME}/.local/share/kiwix blacklist ${HOME}/.local/share/kiwix-desktop 
@@ -596,16 +722,25 @@ blacklist ${HOME}/.local/share/krita blacklist ${HOME}/.local/share/ktorrent blacklist ${HOME}/.local/share/ktorrentrc blacklist ${HOME}/.local/share/ktouch +blacklist ${HOME}/.local/share/kube blacklist ${HOME}/.local/share/kwrite +blacklist ${HOME}/.local/share/kxmlgui5/* blacklist ${HOME}/.local/share/liferea +blacklist ${HOME}/.local/share/linphone blacklist ${HOME}/.local/share/local-mail blacklist ${HOME}/.local/share/lollypop blacklist ${HOME}/.local/share/love blacklist ${HOME}/.local/share/lugaru +blacklist ${HOME}/.local/share/lutris +blacklist ${HOME}/.local/share/man blacklist ${HOME}/.local/share/mana blacklist ${HOME}/.local/share/maps-places.json +blacklist ${HOME}/.local/share/matrix-mirage +blacklist ${HOME}/.local/share/mcomix blacklist ${HOME}/.local/share/meld blacklist ${HOME}/.local/share/midori +blacklist ${HOME}/.local/share/minder +blacklist ${HOME}/.local/share/mirage blacklist ${HOME}/.local/share/multimc blacklist ${HOME}/.local/share/multimc5 blacklist ${HOME}/.local/share/mupen64plus 
@@ -614,26 +749,37 @@ blacklist ${HOME}/.local/share/nautilus blacklist ${HOME}/.local/share/nautilus-python blacklist ${HOME}/.local/share/nemo blacklist ${HOME}/.local/share/nemo-python +blacklist ${HOME}/.local/share/news-flash +blacklist ${HOME}/.local/share/newsbeuter +blacklist ${HOME}/.local/share/newsboat +blacklist ${HOME}/.local/share/nheko blacklist ${HOME}/.local/share/nomacs blacklist ${HOME}/.local/share/notes blacklist ${HOME}/.local/share/ocenaudio blacklist ${HOME}/.local/share/okular blacklist ${HOME}/.local/share/onlyoffice +blacklist ${HOME}/.local/share/openmw blacklist ${HOME}/.local/share/orage blacklist ${HOME}/.local/share/org.kde.gwenview blacklist ${HOME}/.local/share/pix blacklist ${HOME}/.local/share/plasma_notes blacklist ${HOME}/.local/share/profanity +blacklist ${HOME}/.local/share/psi blacklist ${HOME}/.local/share/psi+ blacklist ${HOME}/.local/share/qpdfview +blacklist ${HOME}/.local/share/quadrapassel blacklist ${HOME}/.local/share/qutebrowser blacklist ${HOME}/.local/share/remmina blacklist ${HOME}/.local/share/rhythmbox blacklist ${HOME}/.local/share/rtv blacklist ${HOME}/.local/share/scribus +blacklist ${HOME}/.local/share/shotwell blacklist ${HOME}/.local/share/signal-cli +blacklist ${HOME}/.local/share/sink +blacklist ${HOME}/.local/share/smuxi blacklist ${HOME}/.local/share/spotify blacklist ${HOME}/.local/share/steam +blacklist ${HOME}/.local/share/strawberry blacklist ${HOME}/.local/share/supertux2 blacklist ${HOME}/.local/share/supertuxkart blacklist ${HOME}/.local/share/swell-foop 
@@ -651,15 +797,20 @@ blacklist ${HOME}/.local/share/wormux blacklist ${HOME}/.local/share/xplayer blacklist ${HOME}/.local/share/xreader blacklist ${HOME}/.local/share/zathura +blacklist ${HOME}/.local/state/pipewire blacklist ${HOME}/.lv2 +blacklist ${HOME}/.lyx blacklist ${HOME}/.magicor blacklist ${HOME}/.masterpdfeditor +blacklist ${HOME}/.mbwarband blacklist ${HOME}/.mcabber blacklist ${HOME}/.mcabberrc blacklist ${HOME}/.mediathek3 blacklist ${HOME}/.megaglest +blacklist ${HOME}/.minecraft blacklist ${HOME}/.minetest blacklist ${HOME}/.mirrormagic +blacklist ${HOME}/.moc blacklist ${HOME}/.moonchild productions/basilisk blacklist ${HOME}/.moonchild productions/pale moon blacklist ${HOME}/.mozilla @@ -674,8 +825,13 @@ blacklist ${HOME}/.netactview blacklist ${HOME}/.neverball blacklist ${HOME}/.newsbeuter blacklist ${HOME}/.newsboat +blacklist ${HOME}/.newsrc blacklist ${HOME}/.nicotine +blacklist ${HOME}/.node-gyp +blacklist ${HOME}/.npm +blacklist ${HOME}/.npmrc blacklist ${HOME}/.nv +blacklist ${HOME}/.nvm blacklist ${HOME}/.nylas-mail blacklist ${HOME}/.openarena blacklist ${HOME}/.opencity @@ -686,8 +842,19 @@ blacklist ${HOME}/.openttd blacklist ${HOME}/.opera blacklist ${HOME}/.opera-beta blacklist ${HOME}/.ostrichriders +blacklist ${HOME}/.paradoxinteractive blacklist ${HOME}/.parallelrealities/blobwars +blacklist ${HOME}/.password-store +blacklist ${HOME}/.pcsxr blacklist ${HOME}/.penguin-command +blacklist ${HOME}/.pine-crash +blacklist ${HOME}/.pine-debug1 +blacklist ${HOME}/.pine-debug2 +blacklist ${HOME}/.pine-debug3 +blacklist ${HOME}/.pine-debug4 +blacklist ${HOME}/.pine-interrupted-mail +blacklist ${HOME}/.pinerc +blacklist ${HOME}/.pinercex blacklist ${HOME}/.pingus blacklist ${HOME}/.pioneer blacklist ${HOME}/.purple 
@@ -697,6 +864,7 @@ blacklist ${HOME}/.qgis2 blacklist ${HOME}/.qmmp blacklist ${HOME}/.quodlibet blacklist ${HOME}/.redeclipse +blacklist ${HOME}/.rednotebook blacklist ${HOME}/.remmina blacklist ${HOME}/.repo_.gitconfig.json blacklist ${HOME}/.repoconfig @@ -714,17 +882,18 @@ blacklist ${HOME}/.steampid blacklist ${HOME}/.stellarium blacklist ${HOME}/.subversion blacklist ${HOME}/.surf +blacklist ${HOME}/.suve/colorful blacklist ${HOME}/.swb.ini blacklist ${HOME}/.sword blacklist ${HOME}/.sylpheed-2.0 blacklist ${HOME}/.synfig -blacklist ${HOME}/.config/teams-for-linux blacklist ${HOME}/.tb blacklist ${HOME}/.tconn blacklist ${HOME}/.teeworlds -blacklist ${HOME}/.texlive2018 +blacklist ${HOME}/.texlive20* blacklist ${HOME}/.thunderbird blacklist ${HOME}/.tilp +blacklist ${HOME}/.tin blacklist ${HOME}/.tooling blacklist ${HOME}/.tor-browser* blacklist ${HOME}/.torcs @@ -737,6 +906,7 @@ blacklist ${HOME}/.viking blacklist ${HOME}/.viking-maps blacklist ${HOME}/.vim blacklist ${HOME}/.vimrc +blacklist ${HOME}/.vmware blacklist ${HOME}/.vscode blacklist ${HOME}/.vscode-oss blacklist ${HOME}/.vst 
@@ -758,11 +928,29 @@ blacklist ${HOME}/.xmind blacklist ${HOME}/.xmms blacklist ${HOME}/.xmr-stak blacklist ${HOME}/.xonotic +blacklist ${HOME}/.xournalpp blacklist ${HOME}/.xpdfrc +blacklist ${HOME}/.yarn +blacklist ${HOME}/.yarn-config +blacklist ${HOME}/.yarncache +blacklist ${HOME}/.yarnrc blacklist ${HOME}/.zoom -blacklist /tmp/akonadi-* -blacklist /tmp/ssh-* +blacklist ${HOME}/Arduino +blacklist ${HOME}/Monero/wallets +blacklist ${HOME}/Nextcloud +blacklist ${HOME}/Nextcloud/Notes +blacklist ${HOME}/SoftMaker +blacklist ${HOME}/Standard Notes Backups +blacklist ${HOME}/TeamSpeak3-Client-linux_amd64 +blacklist ${HOME}/TeamSpeak3-Client-linux_x86 +blacklist ${HOME}/hyperrogue.ini +blacklist ${HOME}/i2p +blacklist ${HOME}/mps +blacklist ${HOME}/wallet.dat +blacklist ${HOME}/yt-dlp.conf +blacklist ${RUNUSER}/*firefox* blacklist /tmp/.wine-* +blacklist /tmp/akonadi-* blacklist /var/games/nethack blacklist /var/games/slashem blacklist /var/games/vulturesclaw @@ -775,13 +963,24 @@ blacklist ${HOME}/.cache/8pecxstudios blacklist ${HOME}/.cache/Authenticator blacklist ${HOME}/.cache/BraveSoftware blacklist ${HOME}/.cache/Clementine +blacklist ${HOME}/.cache/ENCOM/Spectral blacklist ${HOME}/.cache/Enox blacklist ${HOME}/.cache/Enpass blacklist ${HOME}/.cache/Ferdi +blacklist ${HOME}/.cache/Flavio Tordini blacklist ${HOME}/.cache/Franz +blacklist ${HOME}/.cache/GoldenDict blacklist ${HOME}/.cache/INRIA +blacklist ${HOME}/.cache/INRIA/Natron +blacklist ${HOME}/.cache/KDE/neochat +blacklist ${HOME}/.cache/Mendeley Ltd. blacklist ${HOME}/.cache/MusicBrainz +blacklist ${HOME}/.cache/NewsFlashGTK +blacklist ${HOME}/.cache/Otter +blacklist ${HOME}/.cache/PawelStolowski +blacklist ${HOME}/.cache/Psi blacklist ${HOME}/.cache/QuiteRss +blacklist ${HOME}/.cache/Quotient/quaternion blacklist ${HOME}/.cache/Shortwave blacklist ${HOME}/.cache/Tox blacklist ${HOME}/.cache/Zeal 
@@ -804,17 +1003,23 @@ blacklist ${HOME}/.cache/deja-dup blacklist ${HOME}/.cache/discover blacklist ${HOME}/.cache/dnox blacklist ${HOME}/.cache/dolphin +blacklist ${HOME}/.cache/dolphin-emu blacklist ${HOME}/.cache/ephemeral blacklist ${HOME}/.cache/epiphany blacklist ${HOME}/.cache/evolution blacklist ${HOME}/.cache/falkon blacklist ${HOME}/.cache/feedreader +blacklist ${HOME}/.cache/firedragon +blacklist ${HOME}/.cache/flaska.net/trojita +blacklist ${HOME}/.cache/folks blacklist ${HOME}/.cache/font-manager blacklist ${HOME}/.cache/fossamail +blacklist ${HOME}/.cache/fractal blacklist ${HOME}/.cache/freecol blacklist ${HOME}/.cache/gajim -blacklist ${HOME}/.cache/gegl-0.4 +blacklist ${HOME}/.cache/geary blacklist ${HOME}/.cache/geeqie +blacklist ${HOME}/.cache/gegl-0.4 blacklist ${HOME}/.cache/gfeeds blacklist ${HOME}/.cache/gimp blacklist ${HOME}/.cache/gnome-boxes @@ -831,12 +1036,14 @@ blacklist ${HOME}/.cache/google-chrome-unstable blacklist ${HOME}/.cache/gradio blacklist ${HOME}/.cache/gummi blacklist ${HOME}/.cache/icedove -blacklist ${HOME}/.cache/INRIA/Natron blacklist ${HOME}/.cache/inkscape blacklist ${HOME}/.cache/inox +blacklist ${HOME}/.cache/io.github.lainsce.Notejot blacklist ${HOME}/.cache/iridium +blacklist ${HOME}/.cache/JetBrains/CLion* blacklist ${HOME}/.cache/kcmshell5 blacklist ${HOME}/.cache/kdenlive +blacklist ${HOME}/.cache/keepassxc blacklist ${HOME}/.cache/kfind blacklist ${HOME}/.cache/kinfocenter blacklist ${HOME}/.cache/kmail2 
@@ -845,12 +1052,19 @@ blacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite* blacklist ${HOME}/.cache/kscreenlocker_greet blacklist ${HOME}/.cache/ksmserver-logout-greeter blacklist ${HOME}/.cache/ksplashqml +blacklist ${HOME}/.cache/kube blacklist ${HOME}/.cache/kwin blacklist ${HOME}/.cache/libgweather +blacklist ${HOME}/.cache/librewolf blacklist ${HOME}/.cache/liferea -blacklist ${HOME}/.cache/Mendeley Ltd. +blacklist ${HOME}/.cache/lutris +blacklist ${HOME}/.cache/marker +blacklist ${HOME}/.cache/matrix-mirage +blacklist ${HOME}/.cache/microsoft-edge-beta +blacklist ${HOME}/.cache/microsoft-edge-dev blacklist ${HOME}/.cache/midori blacklist ${HOME}/.cache/minetest +blacklist ${HOME}/.cache/mirage blacklist ${HOME}/.cache/moonchild productions/basilisk blacklist ${HOME}/.cache/moonchild productions/pale moon blacklist ${HOME}/.cache/mozilla @@ -863,8 +1077,8 @@ blacklist ${HOME}/.cache/ms-skype-online blacklist ${HOME}/.cache/ms-word-online blacklist ${HOME}/.cache/mutt blacklist ${HOME}/.cache/mypaint -blacklist ${HOME}/.cache/nheko/nheko blacklist ${HOME}/.cache/netsurf +blacklist ${HOME}/.cache/nheko blacklist ${HOME}/.cache/okular blacklist ${HOME}/.cache/opera blacklist ${HOME}/.cache/opera-beta 
@@ -874,30 +1088,45 @@ blacklist ${HOME}/.cache/org.gnome.Maps blacklist ${HOME}/.cache/pdfmod blacklist ${HOME}/.cache/peek blacklist ${HOME}/.cache/pip +blacklist ${HOME}/.cache/pipe-viewer blacklist ${HOME}/.cache/plasmashell blacklist ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite* +blacklist ${HOME}/.cache/psi blacklist ${HOME}/.cache/qBittorrent +blacklist ${HOME}/.cache/quodlibet blacklist ${HOME}/.cache/qupzilla blacklist ${HOME}/.cache/qutebrowser +blacklist ${HOME}/.cache/rednotebook blacklist ${HOME}/.cache/rhythmbox +blacklist ${HOME}/.cache/shotwell blacklist ${HOME}/.cache/simple-scan blacklist ${HOME}/.cache/slimjet +blacklist ${HOME}/.cache/smuxi blacklist ${HOME}/.cache/snox blacklist ${HOME}/.cache/spotify +blacklist ${HOME}/.cache/straw-viewer +blacklist ${HOME}/.cache/strawberry blacklist ${HOME}/.cache/supertuxkart blacklist ${HOME}/.cache/systemsettings blacklist ${HOME}/.cache/telepathy blacklist ${HOME}/.cache/thunderbird blacklist ${HOME}/.cache/torbrowser blacklist ${HOME}/.cache/transmission +blacklist ${HOME}/.cache/ungoogled-chromium blacklist ${HOME}/.cache/vivaldi blacklist ${HOME}/.cache/vivaldi-snapshot blacklist ${HOME}/.cache/vlc +blacklist ${HOME}/.cache/vmware blacklist ${HOME}/.cache/warsow-2.1 blacklist ${HOME}/.cache/waterfox blacklist ${HOME}/.cache/wesnoth +blacklist ${HOME}/.cache/winetricks blacklist ${HOME}/.cache/xmms2 +blacklist ${HOME}/.cache/xournalpp blacklist ${HOME}/.cache/xreader blacklist ${HOME}/.cache/yandex-browser blacklist ${HOME}/.cache/yandex-browser-beta blacklist ${HOME}/.cache/youtube-dl +blacklist ${HOME}/.cache/youtube-viewer +blacklist ${HOME}/.cache/yt-dlp +blacklist ${HOME}/.cache/zim diff --git a/etc/inc/disable-shell.inc b/etc/inc/disable-shell.inc new file mode 100644 index 00000000000..8274b021597 --- /dev/null +++ b/etc/inc/disable-shell.inc 
@@ -0,0 +1,15 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include disable-shell.local + +blacklist ${PATH}/bash +blacklist ${PATH}/csh +blacklist ${PATH}/dash +blacklist ${PATH}/fish +blacklist ${PATH}/ksh +blacklist ${PATH}/mksh +blacklist ${PATH}/oksh +blacklist ${PATH}/sh +blacklist ${PATH}/tclsh +blacklist ${PATH}/tcsh +blacklist ${PATH}/zsh diff --git a/etc/inc/disable-write-mnt.inc b/etc/inc/disable-write-mnt.inc new file mode 100644 index 00000000000..01f57cb0f2a --- /dev/null +++ b/etc/inc/disable-write-mnt.inc @@ -0,0 +1,8 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include disable-write-mnt.local + +read-only /media +read-only /mnt +read-only /run/media +read-only /run/mount diff --git a/etc/inc/feh-network.inc b/etc/inc/feh-network.inc deleted file mode 100644 index e94e7205c63..00000000000 --- a/etc/inc/feh-network.inc +++ /dev/null @@ -1,4 +0,0 @@ -ignore net none -netfilter -protocol unix,inet,inet6 -private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl diff --git a/etc/inc/whitelist-1793-workaround.inc b/etc/inc/whitelist-1793-workaround.inc new file mode 100644 index 00000000000..862837f1233 --- /dev/null +++ b/etc/inc/whitelist-1793-workaround.inc 
@@ -0,0 +1,29 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include whitelist-1793-workaround.local +# This works around bug 1793, and allows whitelisting to be used for some KDE applications. + +noblacklist ${HOME}/.config/ibus +noblacklist ${HOME}/.config/mimeapps.list +noblacklist ${HOME}/.config/pkcs11 +noblacklist ${HOME}/.config/user-dirs.dirs +noblacklist ${HOME}/.config/user-dirs.locale +noblacklist ${HOME}/.config/dconf +noblacklist ${HOME}/.config/fontconfig +noblacklist ${HOME}/.config/gtk-2.0 +noblacklist ${HOME}/.config/gtk-3.0 +noblacklist ${HOME}/.config/gtk-4.0 +noblacklist ${HOME}/.config/gtkrc +noblacklist ${HOME}/.config/gtkrc-2.0 +noblacklist ${HOME}/.config/Kvantum +noblacklist ${HOME}/.config/Trolltech.conf +noblacklist ${HOME}/.config/QtProject.conf +noblacklist ${HOME}/.config/kdeglobals +noblacklist ${HOME}/.config/kio_httprc +noblacklist ${HOME}/.config/kioslaverc +noblacklist ${HOME}/.config/ksslcablacklist +noblacklist ${HOME}/.config/qt5ct +noblacklist ${HOME}/.config/qtcurve + +blacklist ${HOME}/.config/* +whitelist ${HOME}/.config diff --git a/etc/inc/whitelist-common.inc b/etc/inc/whitelist-common.inc index a691b306cad..fedfb2bc2a1 100644 --- a/etc/inc/whitelist-common.inc +++ b/etc/inc/whitelist-common.inc @@ -1,9 +1,11 @@ -# Local customizations come here +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. include whitelist-common.local # common whitelist for all profiles whitelist ${HOME}/.XCompose +whitelist ${HOME}/.alsaequal.bin whitelist ${HOME}/.asoundrc whitelist ${HOME}/.config/ibus whitelist ${HOME}/.config/mimeapps.list 
@@ -11,6 +13,8 @@ whitelist ${HOME}/.config/pkcs11 read-only ${HOME}/.config/pkcs11 whitelist ${HOME}/.config/user-dirs.dirs read-only ${HOME}/.config/user-dirs.dirs +whitelist ${HOME}/.config/user-dirs.locale +read-only ${HOME}/.config/user-dirs.locale whitelist ${HOME}/.drirc whitelist ${HOME}/.icons ?HAS_APPIMAGE: whitelist ${HOME}/.local/share/appimagekit @@ -19,6 +23,8 @@ read-only ${HOME}/.local/share/applications whitelist ${HOME}/.local/share/icons whitelist ${HOME}/.local/share/mime whitelist ${HOME}/.mime.types +whitelist ${HOME}/.sndio/cookie +whitelist ${HOME}/.uim.d # dconf mkdir ${HOME}/.config/dconf @@ -57,11 +63,13 @@ whitelist ${HOME}/.themes whitelist ${HOME}/.cache/kioexec/krun whitelist ${HOME}/.config/Kvantum whitelist ${HOME}/.config/Trolltech.conf +whitelist ${HOME}/.config/QtProject.conf whitelist ${HOME}/.config/kdeglobals whitelist ${HOME}/.config/kio_httprc whitelist ${HOME}/.config/kioslaverc whitelist ${HOME}/.config/ksslcablacklist whitelist ${HOME}/.config/qt5ct +whitelist ${HOME}/.config/qtcurve whitelist ${HOME}/.kde/share/config/kdeglobals whitelist ${HOME}/.kde/share/config/kio_httprc whitelist ${HOME}/.kde/share/config/kioslaverc diff --git a/etc/inc/whitelist-player-common.inc b/etc/inc/whitelist-player-common.inc new file mode 100644 index 00000000000..e5bf3680408 --- /dev/null +++ b/etc/inc/whitelist-player-common.inc @@ -0,0 +1,11 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include whitelist-player-common.local + +# common whitelist for all media players + +whitelist ${DESKTOP} +whitelist ${DOWNLOADS} +whitelist ${MUSIC} +whitelist ${PICTURES} +whitelist ${VIDEOS} diff --git a/etc/inc/whitelist-run-common.inc b/etc/inc/whitelist-run-common.inc new file mode 100644 index 00000000000..224d2106491 --- /dev/null +++ b/etc/inc/whitelist-run-common.inc 
@@ -0,0 +1,11 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include whitelist-run-common.local + +whitelist /run/NetworkManager/resolv.conf +whitelist /run/cups/cups.sock +whitelist /run/dbus/system_bus_socket +whitelist /run/media +whitelist /run/resolvconf/resolv.conf +whitelist /run/systemd/resolve/resolv.conf +whitelist /run/systemd/resolve/stub-resolv.conf diff --git a/etc/inc/whitelist-runuser-common.inc b/etc/inc/whitelist-runuser-common.inc index f2a510e9dfd..a8cab8d07cd 100644 --- a/etc/inc/whitelist-runuser-common.inc +++ b/etc/inc/whitelist-runuser-common.inc @@ -1,4 +1,5 @@ -# Local customizations come here +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. include whitelist-runuser-common.local # common ${RUNUSER} (=/run/user/$UID) whitelist for all profiles @@ -9,4 +10,7 @@ whitelist ${RUNUSER}/gdm/Xauthority whitelist ${RUNUSER}/ICEauthority whitelist ${RUNUSER}/.mutter-Xwaylandauth.* whitelist ${RUNUSER}/pulse/native -whitelist ${RUNUSER}/wayland-0 +whitelist ${RUNUSER}/pipewire-? +whitelist ${RUNUSER}/wayland-? +whitelist ${RUNUSER}/xauth_* +whitelist ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]] diff --git a/etc/inc/whitelist-usr-share-common.inc b/etc/inc/whitelist-usr-share-common.inc index 193b00a2a11..0049ce8047e 100644 --- a/etc/inc/whitelist-usr-share-common.inc +++ b/etc/inc/whitelist-usr-share-common.inc 
@@ -1,4 +1,5 @@ -# Local customizations come here +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. include whitelist-usr-share-common.local # common /usr/share whitelist for all profiles @@ -16,6 +17,7 @@ whitelist /usr/share/enchant-2 whitelist /usr/share/file whitelist /usr/share/fontconfig whitelist /usr/share/fonts +whitelist /usr/share/fonts-config whitelist /usr/share/gir-1.0 whitelist /usr/share/gjs-1.0 whitelist /usr/share/glib-2.0 @@ -41,6 +43,9 @@ whitelist /usr/share/misc whitelist /usr/share/Modules whitelist /usr/share/myspell whitelist /usr/share/p11-kit +whitelist /usr/share/perl +whitelist /usr/share/perl5 +whitelist /usr/share/pipewire whitelist /usr/share/pixmaps whitelist /usr/share/pki whitelist /usr/share/plasma @@ -48,6 +53,7 @@ whitelist /usr/share/publicsuffix whitelist /usr/share/qt whitelist /usr/share/qt4 whitelist /usr/share/qt5 +whitelist /usr/share/qt5ct whitelist /usr/share/sounds whitelist /usr/share/tcl8.6 whitelist /usr/share/tcltk @@ -56,6 +62,9 @@ whitelist /usr/share/texlive whitelist /usr/share/texmf whitelist /usr/share/themes whitelist /usr/share/thumbnail.so +whitelist /usr/share/uim +whitelist /usr/share/vulkan whitelist /usr/share/X11 whitelist /usr/share/xml +whitelist /usr/share/zenity whitelist /usr/share/zoneinfo diff --git a/etc/inc/whitelist-var-common.inc b/etc/inc/whitelist-var-common.inc index e2210057b21..d8ba84ad041 100644 --- a/etc/inc/whitelist-var-common.inc +++ b/etc/inc/whitelist-var-common.inc @@ -1,10 +1,14 @@ -# Local customizations come here +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. include whitelist-var-common.local # common /var whitelist for all profiles +whitelist /var/lib/aspell +whitelist /var/lib/ca-certificates whitelist /var/lib/dbus whitelist /var/lib/menu-xdg +whitelist /var/lib/uim whitelist /var/cache/fontconfig whitelist /var/tmp whitelist /var/run 
diff --git a/etc/net/nolocal.net b/etc/net/nolocal.net index 8955f740d51..0eb9f97841d 100644 --- a/etc/net/nolocal.net +++ b/etc/net/nolocal.net @@ -32,5 +32,5 @@ -A OUTPUT -d 172.16.0.0/12 -j DROP # drop multicast traffic --A OUTPUT -d 244.0.0.0/4 -j DROP +-A OUTPUT -d 224.0.0.0/4 -j DROP COMMIT diff --git a/etc/net/nolocal6.net b/etc/net/nolocal6.net new file mode 100644 index 00000000000..5a6678d034d --- /dev/null +++ b/etc/net/nolocal6.net @@ -0,0 +1,41 @@ +*filter +:INPUT DROP [0:0] +:FORWARD DROP [0:0] +:OUTPUT ACCEPT [0:0] + +################################################################### +# Client filter rejecting local network traffic, with the exception of +# DNS traffic +# +# Usage: +# firejail --net=eth0 --netfilter6=/etc/firejail/nolocal6.net firefox +# +################################################################### + +#allow all loopback traffic +-A INPUT -i lo -j ACCEPT + +# no incoming connections +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT + +# allow ping etc. +-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type destination-unreachable -j ACCEPT +-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type time-exceeded -j ACCEPT +-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT +# required for ipv6 +-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -j ACCEPT +-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -j ACCEPT +-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -j ACCEPT +-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -j ACCEPT + +# accept dns requests going out to a server on the local network +-A OUTPUT -p udp --dport 53 -j ACCEPT + +# drop all local network traffic +-A OUTPUT -d FC00::/7 -j DROP + +# drop multicast traffic +# required for ipv6 +-A OUTPUT -d ff02::2 -j ACCEPT +-A OUTPUT -d ff00::/8 -j DROP +COMMIT diff --git a/etc/profile-a-l/0ad.profile b/etc/profile-a-l/0ad.profile index 6869ea63135..ddc7ecad545 100644 
--- a/etc/profile-a-l/0ad.profile +++ b/etc/profile-a-l/0ad.profile @@ -10,12 +10,14 @@ noblacklist ${HOME}/.cache/0ad noblacklist ${HOME}/.config/0ad noblacklist ${HOME}/.local/share/0ad +blacklist /usr/libexec + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-xdg.inc mkdir ${HOME}/.cache/0ad mkdir ${HOME}/.config/0ad @@ -33,6 +35,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv @@ -40,6 +43,7 @@ nou2f novideo protocol unix,inet,inet6 seccomp +seccomp.block-secondary shell none tracelog diff --git a/etc/profile-a-l/2048-qt.profile b/etc/profile-a-l/2048-qt.profile index 12268706aed..80b032aee0b 100644 --- a/etc/profile-a-l/2048-qt.profile +++ b/etc/profile-a-l/2048-qt.profile @@ -13,7 +13,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.config/2048-qt @@ -28,6 +27,7 @@ caps.drop all net none nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/7z.profile b/etc/profile-a-l/7z.profile index 02a2e7ea060..0d31255ad0f 100644 --- a/etc/profile-a-l/7z.profile +++ b/etc/profile-a-l/7z.profile 
@@ -7,41 +7,8 @@ include 7z.local # Persistent global definitions include globals.local -blacklist ${RUNUSER}/wayland-* +# Included in archiver-common.profile +ignore include disable-shell.inc -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc - -apparmor -caps.drop all -hostname 7z -ipc-namespace -machine-id -net none -no3d -nodvd -#nogroups -nonewprivs -#noroot -nosound -notv -nou2f -novideo -protocol unix -seccomp -shell none -tracelog -x11 none - -#private-bin 7z,7z*,p7zip -private-cache -private-dev - -dbus-user none -dbus-system none - -memory-deny-write-execute +# Redirect +include archiver-common.profile diff --git a/etc/profile-a-l/Books.profile b/etc/profile-a-l/Books.profile new file mode 100644 index 00000000000..76fd21d32a4 --- /dev/null +++ b/etc/profile-a-l/Books.profile @@ -0,0 +1,7 @@ +# Firejail profile for gnome-books +# This file is overwritten after every install/update + + +# Temporary fix for https://github.com/netblue30/firejail/issues/2624 +# Redirect +include gnome-books.profile diff --git a/etc/profile-a-l/Builder.profile b/etc/profile-a-l/Builder.profile index 54b43744114..e97267bbc89 100644 --- a/etc/profile-a-l/Builder.profile +++ b/etc/profile-a-l/Builder.profile @@ -1,5 +1,10 @@ # Firejail profile for gnome-builder # This file is overwritten after every install/update +# Persistent local customizations +include Builder.local +# Persistent global definitions +# added by included profile +#include globals.local # Temporary fix for https://github.com/netblue30/firejail/issues/2624 # Redirect diff --git a/etc/profile-a-l/Cheese.profile b/etc/profile-a-l/Cheese.profile index 5bb5064f02c..32aeb4f697b 100644 --- a/etc/profile-a-l/Cheese.profile +++ b/etc/profile-a-l/Cheese.profile 
@@ -1,5 +1,10 @@ # Firejail profile for cheese # This file is overwritten after every install/update +# Persistent local customizations +include Cheese.local +# Persistent global definitions +# added by included profile +#include globals.local # Temporary fix for https://github.com/netblue30/firejail/issues/2624 # Redirect diff --git a/etc/profile-a-l/Cryptocat.profile b/etc/profile-a-l/Cryptocat.profile index e9cc07bd790..39b39667c5c 100644 --- a/etc/profile-a-l/Cryptocat.profile +++ b/etc/profile-a-l/Cryptocat.profile @@ -10,13 +10,13 @@ noblacklist ${HOME}/.config/Cryptocat include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/Cyberfox.profile b/etc/profile-a-l/Cyberfox.profile index 26a4348c907..5564207fceb 100644 --- a/etc/profile-a-l/Cyberfox.profile +++ b/etc/profile-a-l/Cyberfox.profile @@ -1,5 +1,10 @@ # Firejail profile alias for cyberfox # This file is overwritten after every install/update +# Persistent local customizations +include Cyberfox.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cyberfox.profile diff --git a/etc/profile-a-l/Documents.profile b/etc/profile-a-l/Documents.profile index 171ab43572c..780416d7f35 100644 --- a/etc/profile-a-l/Documents.profile +++ b/etc/profile-a-l/Documents.profile @@ -1,5 +1,10 @@ # Firejail profile for gnome-documents # This file is overwritten after every install/update +# Persistent local customizations +include Documents.local +# Persistent global definitions +# added by included profile +#include globals.local # Temporary fix for https://github.com/netblue30/firejail/issues/2624 # Redirect diff --git a/etc/profile-a-l/FossaMail.profile b/etc/profile-a-l/FossaMail.profile index 9e1f614219a..3a584ed4ea7 100644 --- a/etc/profile-a-l/FossaMail.profile 
+++ b/etc/profile-a-l/FossaMail.profile @@ -1,5 +1,10 @@ # Firejail profile alias for fossamail # This file is overwritten after every install/update +# Persistent local customizations +include FossaMail.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include fossamail.profile diff --git a/etc/profile-a-l/Fritzing.profile b/etc/profile-a-l/Fritzing.profile index d318da8857a..3fe2ddcd5b6 100644 --- a/etc/profile-a-l/Fritzing.profile +++ b/etc/profile-a-l/Fritzing.profile @@ -13,7 +13,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -24,6 +23,7 @@ ipc-namespace netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/Gitter.profile b/etc/profile-a-l/Gitter.profile index a8bcb6a5447..96b91430c71 100644 --- a/etc/profile-a-l/Gitter.profile +++ b/etc/profile-a-l/Gitter.profile @@ -1,5 +1,10 @@ # Firejail profile alias for Gitter # This file is overwritten after every install/update +# Persistent local customizations +include Gitter.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include gitter.profile diff --git a/etc/profile-a-l/JDownloader.profile b/etc/profile-a-l/JDownloader.profile index 45ec71e6378..92f8e5c8557 100644 --- a/etc/profile-a-l/JDownloader.profile +++ b/etc/profile-a-l/JDownloader.profile @@ -14,7 +14,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -30,6 +29,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/Logs.profile b/etc/profile-a-l/Logs.profile index 431439f1753..1a78b86c974 100644 --- a/etc/profile-a-l/Logs.profile +++ b/etc/profile-a-l/Logs.profile 
@@ -1,5 +1,10 @@ # Firejail profile for gnome-logs # This file is overwritten after every install/update +# Persistent local customizations +include Logs.local +# Persistent global definitions +# added by included profile +#include globals.local # Temporary fix for https://github.com/netblue30/firejail/issues/2624 # Redirect diff --git a/etc/profile-a-l/abiword.profile b/etc/profile-a-l/abiword.profile index 948d3774a87..256e2115a17 100644 --- a/etc/profile-a-l/abiword.profile +++ b/etc/profile-a-l/abiword.profile @@ -12,8 +12,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc whitelist /usr/share/abiword-3.0 include whitelist-usr-share-common.inc @@ -27,6 +27,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -41,7 +42,7 @@ tracelog private-bin abiword private-cache private-dev -private-etc fonts,gtk-3.0,passwd +private-etc fonts,gtk-3.0,ld.so.preload,passwd private-tmp # dbus-user none diff --git a/etc/profile-a-l/agetpkg.profile b/etc/profile-a-l/agetpkg.profile new file mode 100644 index 00000000000..8652ae5f1d2 --- /dev/null +++ b/etc/profile-a-l/agetpkg.profile 
@@ -0,0 +1,59 @@ +# Firejail profile for agetpkg +# Description: CLI tool to list/get/install packages from the Arch Linux Archive +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include agetpkg.local +# Persistent global definitions +include globals.local + +blacklist /tmp/.X11-unix +blacklist ${RUNUSER}/wayland-* + +# Allow python (blacklisted by disable-interpreters.inc) +#include allow-python2.inc +include allow-python3.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +whitelist ${DOWNLOADS} +include whitelist-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +caps.drop all +hostname agetpkg +ipc-namespace +machine-id +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol inet,inet6 +seccomp +shell none +tracelog + +private-bin agetpkg,python3 +private-cache +private-dev +private-etc ca-certificates,crypto-policies,ld.so.preload,pki,resolv.conf,ssl +private-tmp + +dbus-user none +dbus-system none + +memory-deny-write-execute diff --git a/etc/profile-a-l/akonadi_control.profile b/etc/profile-a-l/akonadi_control.profile index ffc613f1ef7..168e81985b1 100644 --- a/etc/profile-a-l/akonadi_control.profile +++ b/etc/profile-a-l/akonadi_control.profile @@ -25,7 +25,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-var-common.inc @@ -40,6 +39,7 @@ netfilter no3d nodvd nogroups +noinput # nonewprivs noroot nosound @@ -47,7 +47,7 @@ notv nou2f novideo # protocol unix,inet,inet6,netlink -# seccomp !io_getevents,!io_setup,!io_submit,!ioprio_set +# seccomp !io_destroy,!io_getevents,!io_setup,!io_submit,!ioprio_set tracelog private-dev 
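Review bot: in the akonadi_control.profile hunk, the only change is to a commented-out line (`# seccomp !io_destroy,!io_getevents,...`), so it alters no behaviour; the same profile also keeps `# nonewprivs` and `# protocol unix,inet,inet6,netlink` disabled with no explanation. If these lines are meant as a ready-to-enable set, a one-line comment saying why they are off (and which akonadi component breaks) would help the next person deciding whether to uncomment them; as it stands the hunk reads like a fix that does not apply.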
diff --git a/etc/profile-a-l/akregator.profile b/etc/profile-a-l/akregator.profile index 34933f2836d..d1e7df37bff 100644 --- a/etc/profile-a-l/akregator.profile +++ b/etc/profile-a-l/akregator.profile @@ -8,19 +8,22 @@ include globals.local noblacklist ${HOME}/.config/akregatorrc noblacklist ${HOME}/.local/share/akregator +noblacklist ${HOME}/.local/share/kxmlgui5/akregator include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc mkfile ${HOME}/.config/akregatorrc mkdir ${HOME}/.local/share/akregator +mkdir ${HOME}/.local/share/kxmlgui5/akregator whitelist ${HOME}/.config/akregatorrc whitelist ${HOME}/.local/share/akregator whitelist ${HOME}/.local/share/kssl +whitelist ${HOME}/.local/share/kxmlgui5/akregator include whitelist-common.inc include whitelist-var-common.inc @@ -29,6 +32,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile new file mode 100644 index 00000000000..9b74b4d29b0 --- /dev/null +++ b/etc/profile-a-l/alacarte.profile 
@@ -0,0 +1,65 @@ +# Firejail profile for alacarte +# Description: Create desktop and menu launchers easily +# This file is overwritten after every install/update +# Persistent local customizations +include alacarte.local +# Persistent global definitions +include globals.local + +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python2.inc +include allow-python3.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-xdg.inc + +# Whitelist your system icon directory,varies by distro +whitelist /usr/share/alacarte +whitelist /usr/share/app-info +whitelist /usr/share/desktop-directories +whitelist /usr/share/icons +whitelist /var/lib/app-info/icons +whitelist /var/lib/flatpak/exports/share/applications +whitelist /var/lib/flatpak/exports/share/icons +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +net none +nodvd +no3d +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +# private-bin alacarte,bash,python*,sh +private-cache +private-dev +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg +private-tmp + +dbus-user none +dbus-system none + +read-write ${HOME}/.config/menus +read-write ${HOME}/.gnome/apps +read-write ${HOME}/.local/share/applications +read-write ${HOME}/.local/share/flatpak/exports diff --git a/etc/profile-a-l/alienarena-wrapper.profile b/etc/profile-a-l/alienarena-wrapper.profile new file mode 100644 index 00000000000..b31996cd261 --- /dev/null +++ b/etc/profile-a-l/alienarena-wrapper.profile 
@@ -0,0 +1,14 @@ +# Firejail profile for alienarena-wrapper +# This file is overwritten after every install/update +# Persistent local customizations +include alienarena-wrapper.local +# Persistent global definitions +# added by included profile +#include globals.local + +include allow-opengl-game.inc + +private-bin alienarena-wrapper + +# Redirect +include alienarena.profile diff --git a/etc/profile-a-l/alienarena.profile b/etc/profile-a-l/alienarena.profile new file mode 100644 index 00000000000..62857a3e275 --- /dev/null +++ b/etc/profile-a-l/alienarena.profile @@ -0,0 +1,52 @@ +# Firejail profile for alienarena +# Description: Multiplayer retro sci-fi deathmatch game +# This file is overwritten after every install/update +# Persistent local customizations +include alienarena.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.local/share/cor-games + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.local/share/cor-games +whitelist ${HOME}/.local/share/cor-games +whitelist /usr/share/alienarena +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +netfilter +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin alienarena +private-cache +private-dev +private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11 +private-tmp + +dbus-user none +dbus-system none 
diff --git a/etc/profile-a-l/alpine.profile b/etc/profile-a-l/alpine.profile new file mode 100644 index 00000000000..61c3ad21d87 --- /dev/null +++ b/etc/profile-a-l/alpine.profile 
@@ -0,0 +1,103 @@ +# Firejail profile for alpine +# Description: Text-based email and newsgroups reader +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include alpine.local +# Persistent global definitions +include globals.local + +# Workaround for bug https://github.com/netblue30/firejail/issues/2747 +# firejail --private-bin=sh --include='${CFG}/allow-bin-sh.inc' --profile=alpine sh -c '(alpine)' + +noblacklist /var/mail +noblacklist /var/spool/mail +noblacklist ${DOCUMENTS} +noblacklist ${HOME}/.addressbook +noblacklist ${HOME}/.alpine-smime +noblacklist ${HOME}/.mailcap +noblacklist ${HOME}/.mh_profile +noblacklist ${HOME}/.mime.types +noblacklist ${HOME}/.newsrc +noblacklist ${HOME}/.pine-crash +noblacklist ${HOME}/.pine-debug1 +noblacklist ${HOME}/.pine-debug2 +noblacklist ${HOME}/.pine-debug3 +noblacklist ${HOME}/.pine-debug4 +noblacklist ${HOME}/.pine-interrupted-mail +noblacklist ${HOME}/.pinerc +noblacklist ${HOME}/.pinercex +noblacklist ${HOME}/.signature +noblacklist ${HOME}/mail + +blacklist /tmp/.X11-unix +blacklist ${RUNUSER}/wayland-* + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +#whitelist ${DOCUMENTS} +#whitelist ${DOWNLOADS} +#whitelist ${HOME}/.addressbook +#whitelist ${HOME}/.alpine-smime +#whitelist ${HOME}/.mailcap +#whitelist ${HOME}/.mh_profile +#whitelist ${HOME}/.mime.types +#whitelist ${HOME}/.newsrc +#whitelist ${HOME}/.pine-crash +#whitelist ${HOME}/.pine-interrupted-mail +#whitelist ${HOME}/.pinerc +#whitelist ${HOME}/.pinercex +#whitelist ${HOME}/.pine-debug1 +#whitelist ${HOME}/.pine-debug2 +#whitelist ${HOME}/.pine-debug3 +#whitelist ${HOME}/.pine-debug4 +#whitelist ${HOME}/.signature +#whitelist ${HOME}/mail +whitelist /var/mail +whitelist /var/spool/mail +#include whitelist-common.inc +include whitelist-runuser-common.inc 
+include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +machine-id +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin alpine +private-cache +private-dev +private-etc alternatives,c-client.cf,ca-certificates,crypto-policies,host.conf,hostname,hosts,krb5.keytab,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mailcap,mime.types,nsswitch.conf,passwd,pine.conf,pinerc.fixed,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg +private-tmp +writable-run-user +writable-var + +dbus-user none +dbus-system none + +memory-deny-write-execute +read-only ${HOME}/.signature diff --git a/etc/profile-a-l/alpinef.profile b/etc/profile-a-l/alpinef.profile new file mode 100644 index 00000000000..97b97fe5f77 --- /dev/null +++ b/etc/profile-a-l/alpinef.profile @@ -0,0 +1,14 @@ +# Firejail profile for alpinef +# Description: Text-based email and newsgroups reader using function keys +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include alpinef.local +# Persistent global definitions +# added by included profile +#include globals.local + +private-bin alpinef + +# Redirect +include alpine.profile diff --git a/etc/profile-a-l/amarok.profile b/etc/profile-a-l/amarok.profile index 0b974e9ace6..e7b78f7d037 100644 --- a/etc/profile-a-l/amarok.profile +++ b/etc/profile-a-l/amarok.profile @@ -11,7 +11,6 @@ noblacklist ${MUSIC} include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -20,6 +19,7 @@ include whitelist-var-common.inc caps.drop all netfilter nogroups +noinput nonewprivs noroot notv 
@@ -33,3 +33,15 @@ shell none private-dev # private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,ssl private-tmp + +dbus-user filter +dbus-user.own org.kde.amarok +dbus-user.own org.mpris.amarok +dbus-user.own org.mpris.MediaPlayer2.amarok +dbus-user.talk org.freedesktop.Notifications +dbus-user.talk org.kde.StatusNotifierWatcher +# If you're not on kde-plasma add the next lines to your amarok.local. +#dbus-user.own org.kde.kded +#dbus-user.own org.kde.klauncher +#dbus-user.talk org.kde.knotify +dbus-system none diff --git a/etc/profile-a-l/amule.profile b/etc/profile-a-l/amule.profile index feb4a5e7e57..e82c145d108 100644 --- a/etc/profile-a-l/amule.profile +++ b/etc/profile-a-l/amule.profile @@ -12,7 +12,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.aMule @@ -26,12 +25,14 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound notv nou2f novideo +# Add netlink protocol to use UPnP protocol unix,inet,inet6 seccomp shell none diff --git a/etc/profile-a-l/android-studio.profile b/etc/profile-a-l/android-studio.profile index 2e4e564dd47..ad44d5f1d12 100644 --- a/etc/profile-a-l/android-studio.profile +++ b/etc/profile-a-l/android-studio.profile @@ -5,19 +5,21 @@ include android-studio.local # Persistent global definitions include globals.local +noblacklist ${HOME}/.config/Google noblacklist ${HOME}/.AndroidStudio* noblacklist ${HOME}/.android noblacklist ${HOME}/.jack-server noblacklist ${HOME}/.jack-settings noblacklist ${HOME}/.local/share/JetBrains -noblacklist ${HOME}/.ssh noblacklist ${HOME}/.tooling # Allows files commonly used by IDEs include allow-common-devel.inc +# Allow ssh (blacklisted by disable-common.inc) +include allow-ssh.inc + include disable-common.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-var-common.inc 
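Review bot: in the android-studio.profile hunk, the new `noblacklist ${HOME}/.config/Google` is inserted above `noblacklist ${HOME}/.AndroidStudio*`, breaking the sorted order the rest of the noblacklist block keeps (`.AndroidStudio*`, `.android`, `.jack-server`, ...); it belongs after `noblacklist ${HOME}/.android`. The swap of `noblacklist ${HOME}/.ssh` for `include allow-ssh.inc` is fine, but note it is placed before `include disable-common.inc`, which is what the comment above it requires, so keep that ordering if the lines are moved.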
diff --git a/etc/profile-a-l/anki.profile b/etc/profile-a-l/anki.profile index fa688f1a548..b6e931be569 100644 --- a/etc/profile-a-l/anki.profile +++ b/etc/profile-a-l/anki.profile @@ -17,8 +17,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.local/share/Anki2 @@ -34,6 +34,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -44,13 +45,12 @@ protocol unix,inet,inet6 # QtWebengine needs chroot to set up its own sandbox seccomp !chroot shell none -tracelog disable-mnt private-bin anki,python* private-cache private-dev -private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,machine-id,pki,resolv.conf,ssl,Trolltech.conf +private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,ld.so.preload,machine-id,pki,resolv.conf,ssl,Trolltech.conf private-tmp dbus-user none diff --git a/etc/profile-a-l/anydesk.profile b/etc/profile-a-l/anydesk.profile index 35b18bab401..5001b20cb05 100644 --- a/etc/profile-a-l/anydesk.profile +++ b/etc/profile-a-l/anydesk.profile @@ -9,9 +9,9 @@ noblacklist ${HOME}/.anydesk include disable-common.inc include disable-devel.inc -include disable-passwdmgr.inc -include disable-programs.inc include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc mkdir ${HOME}/.anydesk whitelist ${HOME}/.anydesk @@ -21,6 +21,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/aosp.profile b/etc/profile-a-l/aosp.profile index a5b1ba9f14f..9668ba00ac0 100644 --- a/etc/profile-a-l/aosp.profile +++ b/etc/profile-a-l/aosp.profile 
@@ -11,14 +11,15 @@ noblacklist ${HOME}/.jack-server noblacklist ${HOME}/.jack-settings noblacklist ${HOME}/.repo_.gitconfig.json noblacklist ${HOME}/.repoconfig -noblacklist ${HOME}/.ssh noblacklist ${HOME}/.tooling # Allows files commonly used by IDEs include allow-common-devel.inc +# Allow ssh (blacklisted by disable-common.inc) +include allow-ssh.inc + include disable-common.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc diff --git a/etc/profile-a-l/apktool.profile b/etc/profile-a-l/apktool.profile index 39c5da9ab33..1951748d44d 100644 --- a/etc/profile-a-l/apktool.profile +++ b/etc/profile-a-l/apktool.profile @@ -9,7 +9,6 @@ include globals.local include disable-common.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -20,6 +19,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/apostrophe.profile b/etc/profile-a-l/apostrophe.profile new file mode 100644 index 00000000000..5d45a080407 --- /dev/null +++ b/etc/profile-a-l/apostrophe.profile 
@@ -0,0 +1,72 @@ +# Firejail profile for apostrophe +# Description: Distraction free Markdown editor for GNU/Linux made with GTK+ +# This file is overwritten after every install/update +# Persistent local customizations +include apostrophe.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.texlive20* +noblacklist ${DOCUMENTS} +noblacklist ${PICTURES} + +# Allow lua (blacklisted by disable-interpreters.inc) +include allow-lua.inc + +# Allow perl (blacklisted by disable-interpreters.inc) +include allow-perl.inc + +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python3.inc + +# Allow /bin/sh (blacklisted by disable-shell.inc) +include allow-bin-sh.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +whitelist /usr/libexec/webkit2gtk-4.0 +whitelist /usr/share/apostrophe +whitelist /usr/share/texlive +whitelist /usr/share/texmf +whitelist /usr/share/pandoc-* +whitelist /usr/share/perl5 +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +net none +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +shell none +tracelog + +disable-mnt +private-bin apostrophe,fmtutil,kpsewhich,mktexfmt,pandoc,pdftex,perl,python3*,sh,xdvipdfmx,xelatex,xetex +private-cache +private-dev +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,texlive,X11 +private-tmp + +dbus-user filter +dbus-user.own org.gnome.gitlab.somas.Apostrophe +dbus-user.talk ca.desrt.dconf +dbus-system none diff --git a/etc/profile-a-l/ar.profile b/etc/profile-a-l/ar.profile index 6ed60ffe575..5a20a8181d7 100644 --- a/etc/profile-a-l/ar.profile +++ b/etc/profile-a-l/ar.profile 
@@ -7,41 +7,5 @@ include ar.local # Persistent global definitions include globals.local -blacklist ${RUNUSER}/wayland-* - -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc - -apparmor -caps.drop all -hostname ar -ipc-namespace -machine-id -net none -no3d -nodvd -nogroups -nonewprivs -#noroot -nosound -notv -nou2f -novideo -protocol unix -seccomp -shell none -tracelog -x11 none - -private-bin ar -private-cache -private-dev - -dbus-user none -dbus-system none - -memory-deny-write-execute +# Redirect +include archiver-common.profile diff --git a/etc/profile-a-l/arch-audit.profile b/etc/profile-a-l/arch-audit.profile index 324730bdefd..c164073c5e2 100644 --- a/etc/profile-a-l/arch-audit.profile +++ b/etc/profile-a-l/arch-audit.profile @@ -13,8 +13,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc whitelist /usr/share/arch-audit @@ -28,6 +28,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/archaudit-report.profile b/etc/profile-a-l/archaudit-report.profile index 19c37f90ed1..3aebd685d9f 100644 --- a/etc/profile-a-l/archaudit-report.profile +++ b/etc/profile-a-l/archaudit-report.profile @@ -12,7 +12,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc diff --git a/etc/profile-a-l/archiver-common.profile b/etc/profile-a-l/archiver-common.profile new file mode 100644 index 00000000000..81733220ffd --- /dev/null +++ b/etc/profile-a-l/archiver-common.profile 
@@ -0,0 +1,52 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include archiver-common.local + +# common profile for archiver/compression tools + +blacklist ${RUNUSER} + +# Comment/uncomment the relevant include file(s) in your archiver-common.local +# to (un)restrict file access for **all** archivers. Another option is to do this **per archiver** +# in the relevant .local. Beware that things tend to break when overtightening +# profiles. For example, because you only need to (un)compress files in ${DOWNLOADS}, +# other applications may need access to ${HOME}/.local/share. + +# Add the next line to your archiver-common.local if you don't need to compress files in disable-common.inc. +#include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +# Add the next line to your archiver-common.local if you don't need to compress files in disable-programs.inc. +#include disable-programs.inc +include disable-shell.inc + +apparmor +caps.drop all +hostname archiver +ipc-namespace +machine-id +net none +no3d +nodvd +nogroups +noinput +nonewprivs +#noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +shell none +tracelog +x11 none + +private-cache +private-dev + +dbus-user none +dbus-system none + +memory-deny-write-execute diff --git a/etc/profile-a-l/ardour4.profile b/etc/profile-a-l/ardour4.profile index 4ad8dd4561f..5c62c94bee3 100644 --- a/etc/profile-a-l/ardour4.profile +++ b/etc/profile-a-l/ardour4.profile @@ -1,5 +1,10 @@ # Firejail profile alias for ardour5 # This file is overwritten after every install/update +# Persistent local customizations +include ardur4.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include ardour5.profile diff --git a/etc/profile-a-l/ardour5.profile b/etc/profile-a-l/ardour5.profile index a27cb4f6e3c..78dea1cd04b 100644 --- a/etc/profile-a-l/ardour5.profile 
+++ b/etc/profile-a-l/ardour5.profile @@ -16,7 +16,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -25,6 +24,7 @@ ipc-namespace net none nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/arduino.profile b/etc/profile-a-l/arduino.profile index fd1ca9a09b5..01da63e8eb7 100644 --- a/etc/profile-a-l/arduino.profile +++ b/etc/profile-a-l/arduino.profile @@ -17,7 +17,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc diff --git a/etc/profile-a-l/aria2c.profile b/etc/profile-a-l/aria2c.profile index d2dcaace1e6..e96def04842 100644 --- a/etc/profile-a-l/aria2c.profile +++ b/etc/profile-a-l/aria2c.profile @@ -17,7 +17,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-usr-share-common.inc @@ -29,6 +28,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound 
@@ -40,12 +40,12 @@ seccomp shell none # disable-mnt -# Add your custom event hook commands to 'private-bin' in your aria2c.local +# Add your custom event hook commands to 'private-bin' in your aria2c.local. private-bin aria2c,gzip -# Uncomment the next line (or put 'private-cache' in your aria2c.local) if you don't use Lutris/winetricks (see issue #2772) +# Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772). #private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,groups,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,groups,ld.so.preload,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl private-lib libreadline.so.* private-tmp diff --git a/etc/profile-a-l/ark.profile b/etc/profile-a-l/ark.profile index 01004d772df..45071dc62ad 100644 --- a/etc/profile-a-l/ark.profile +++ b/etc/profile-a-l/ark.profile @@ -7,12 +7,12 @@ include ark.local include globals.local noblacklist ${HOME}/.config/arkrc +noblacklist ${HOME}/.local/share/kxmlgui5/ark include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc whitelist /usr/share/ark @@ -25,6 +25,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/arm.profile b/etc/profile-a-l/arm.profile index 51dad94d1cb..98ae01950da 100644 --- a/etc/profile-a-l/arm.profile +++ b/etc/profile-a-l/arm.profile @@ -16,7 +16,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.arm @@ -29,6 +28,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound 
@@ -43,6 +43,6 @@ tracelog disable-mnt private-bin arm,bash,ldconfig,lsof,ps,python*,sh,tor private-dev -private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor +private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,passwd,pki,ssl,tor private-tmp diff --git a/etc/profile-a-l/artha.profile b/etc/profile-a-l/artha.profile index 19a4771aa32..adf4e16ee59 100644 --- a/etc/profile-a-l/artha.profile +++ b/etc/profile-a-l/artha.profile @@ -17,8 +17,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc # whitelisting in ${HOME} makes settings immutable, see #3112 @@ -40,6 +40,7 @@ ipc-namespace no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -55,7 +56,7 @@ disable-mnt private-bin artha,enchant,notify-send private-cache private-dev -private-etc alternatives,fonts,machine-id +private-etc alternatives,fonts,ld.so.preload,machine-id private-lib libnotify.so.* private-tmp diff --git a/etc/profile-a-l/assogiate.profile b/etc/profile-a-l/assogiate.profile index da72a4a739c..788a943022a 100644 --- a/etc/profile-a-l/assogiate.profile +++ b/etc/profile-a-l/assogiate.profile @@ -12,8 +12,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc whitelist ${PICTURES} @@ -28,6 +28,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -50,3 +51,4 @@ dbus-user none dbus-system none memory-deny-write-execute +read-write ${HOME}/.local/share/mime diff --git a/etc/profile-a-l/asunder.profile b/etc/profile-a-l/asunder.profile index 33dd4103f3a..fbc65ffc777 100644 --- a/etc/profile-a-l/asunder.profile +++ b/etc/profile-a-l/asunder.profile 
@@ -16,7 +16,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -28,6 +27,7 @@ caps.drop all netfilter no3d # nogroups +noinput nonewprivs noroot nou2f diff --git a/etc/profile-a-l/atom.profile b/etc/profile-a-l/atom.profile index fceef957904..5f237ac59cf 100644 --- a/etc/profile-a-l/atom.profile +++ b/etc/profile-a-l/atom.profile @@ -6,35 +6,26 @@ include atom.local # Persistent global definitions include globals.local +# Disabled until someone reported positive feedback +ignore include disable-devel.inc +ignore include disable-interpreters.inc +ignore include disable-xdg.inc +ignore whitelist ${DOWNLOADS} +ignore include whitelist-common.inc +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc +ignore include whitelist-var-common.inc +ignore apparmor +ignore disable-mnt + noblacklist ${HOME}/.atom noblacklist ${HOME}/.config/Atom # Allows files commonly used by IDEs include allow-common-devel.inc -include disable-common.inc -include disable-exec.inc -include disable-passwdmgr.inc -include disable-programs.inc - -caps.drop all # net none -netfilter -nodvd -nogroups -nonewprivs -noroot nosound -notv -nou2f -novideo -protocol unix,inet,inet6,netlink -seccomp -shell none - -private-cache -private-dev -private-tmp -dbus-user none -dbus-system none +# Redirect +include electron.profile diff --git a/etc/profile-a-l/atool.profile b/etc/profile-a-l/atool.profile index e501e956c79..272f9906d13 100644 --- a/etc/profile-a-l/atool.profile +++ b/etc/profile-a-l/atool.profile 
@@ -7,47 +7,14 @@ include atool.local # Persistent global definitions include globals.local -blacklist ${RUNUSER}/wayland-* - # Allow perl (blacklisted by disable-interpreters.inc) include allow-perl.inc -include disable-common.inc -# include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc - -apparmor -caps.drop all -hostname atool -ipc-namespace -machine-id -net none -no3d -nodvd -nogroups -nonewprivs noroot -nosound -notv -nou2f -novideo -protocol unix -seccomp -shell none -tracelog -x11 none -# private-bin atool,perl -private-cache -private-dev # without login.defs atool complains and uses UID/GID 1000 by default -private-etc alternatives,group,login.defs,passwd +private-etc alternatives,group,ld.so.preload,login.defs,passwd private-tmp -dbus-user none -dbus-system none - -memory-deny-write-execute +# Redirect +include archiver-common.profile diff --git a/etc/profile-a-l/atril.profile b/etc/profile-a-l/atril.profile index adca38cb5dc..264bc021507 100644 --- a/etc/profile-a-l/atril.profile +++ b/etc/profile-a-l/atril.profile @@ -17,7 +17,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -29,6 +28,7 @@ machine-id no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -40,9 +40,9 @@ seccomp shell none tracelog -private-bin atril,atril-previewer,atril-thumbnailer +private-bin 7z,7za,7zr,atril,atril-previewer,atril-thumbnailer,sh,tar,unrar,unzip,zipnote private-dev -private-etc alternatives,fonts,ld.so.cache +private-etc alternatives,fonts,ld.so.cache,ld.so.preload # atril uses webkit gtk to display epub files # waiting for globbing support in private-lib; for now hardcoding it to webkit2gtk-4.0 #private-lib webkit2gtk-4.0 - problems on Arch with the new version of WebKit 
diff --git a/etc/profile-a-l/audacious.profile b/etc/profile-a-l/audacious.profile index 2e1f6f32a25..d71370b7eb4 100644 --- a/etc/profile-a-l/audacious.profile +++ b/etc/profile-a-l/audacious.profile @@ -14,7 +14,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -24,6 +23,7 @@ apparmor caps.drop all netfilter nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/audacity.profile b/etc/profile-a-l/audacity.profile index 5a454d31d98..264bfb9ab88 100644 --- a/etc/profile-a-l/audacity.profile +++ b/etc/profile-a-l/audacity.profile @@ -14,8 +14,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc include whitelist-var-common.inc @@ -26,6 +26,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/audio-recorder.profile b/etc/profile-a-l/audio-recorder.profile index b2ed3b03042..58b2efde6e8 100644 --- a/etc/profile-a-l/audio-recorder.profile +++ b/etc/profile-a-l/audio-recorder.profile @@ -13,13 +13,13 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc whitelist ${MUSIC} whitelist ${DOWNLOADS} whitelist /usr/share/audio-recorder +whitelist /usr/share/gstreamer-1.0 include whitelist-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc 
@@ -44,7 +44,11 @@ tracelog disable-mnt # private-bin audio-recorder private-cache -private-etc alternatives,fonts +private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload private-tmp +dbus-user filter +dbus-user.talk ca.desrt.dconf +dbus-system none + # memory-deny-write-execute - breaks on Arch diff --git a/etc/profile-a-l/authenticator-rs.profile b/etc/profile-a-l/authenticator-rs.profile new file mode 100644 index 00000000000..8fefc1eb71b --- /dev/null +++ b/etc/profile-a-l/authenticator-rs.profile @@ -0,0 +1,55 @@ +# Firejail profile for authenticator-rs +# Description: Rust based 2FA authentication program +# This file is overwritten after every install/update +# Persistent local customizations +include authenticator-rs.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.local/share/authenticator-rs + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.local/share/authenticator-rs +whitelist ${HOME}/.local/share/authenticator-rs +whitelist ${DOWNLOADS} +whitelist /usr/share/uk.co.grumlimited.authenticator-rs +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +disable-mnt +private-bin authenticator-rs +private-cache +private-dev +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.preload,pki,resolv.conf,ssl,xdg +private-tmp + +dbus-user filter +dbus-user.talk ca.desrt.dconf +dbus-system none diff --git a/etc/profile-a-l/authenticator.profile b/etc/profile-a-l/authenticator.profile index 131b20c703d..f9a03ca6804 100644 
--- a/etc/profile-a-l/authenticator.profile +++ b/etc/profile-a-l/authenticator.profile @@ -17,7 +17,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc # apparmor @@ -26,6 +25,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -39,7 +39,7 @@ shell none disable-mnt # private-bin authenticator,python* private-dev -private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl private-tmp # makes settings immutable diff --git a/etc/profile-a-l/autokey-common.profile b/etc/profile-a-l/autokey-common.profile index b1a77c0a4bf..abd535afef9 100644 --- a/etc/profile-a-l/autokey-common.profile +++ b/etc/profile-a-l/autokey-common.profile @@ -19,7 +19,6 @@ include disable-devel.inc # disable-exec.inc might break scripting functionality #include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-var-common.inc @@ -27,6 +26,7 @@ caps.drop all netfilter no3d nogroups +noinput nonewprivs noroot nou2f diff --git a/etc/profile-a-l/avidemux.profile b/etc/profile-a-l/avidemux.profile new file mode 100644 index 00000000000..468a3fe9f00 --- /dev/null +++ b/etc/profile-a-l/avidemux.profile 
@@ -0,0 +1,54 @@ +# Firejail profile for Avidemux +# Description: Avidemux is a free video editor designed for simple cutting, filtering and encoding tasks. +# Persistent local customizations +include avidemux.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.avidemux6 +noblacklist ${HOME}/.config/avidemux3_qt5rc +noblacklist ${VIDEOS} + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.avidemux6 +mkdir ${HOME}/.config/avidemux3_qt5rc +whitelist ${HOME}/.avidemux6 +whitelist ${HOME}/.config/avidemux3_qt5rc +whitelist ${VIDEOS} + +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +net none +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +shell none +tracelog + +private-bin avidemux3_cli,avidemux3_jobs_qt5,avidemux3_qt5 +private-cache +private-dev +private-tmp + +dbus-user none +dbus-system none diff --git a/etc/profile-a-l/aweather.profile b/etc/profile-a-l/aweather.profile index d7228570f59..e01ea5b5d53 100644 --- a/etc/profile-a-l/aweather.profile +++ b/etc/profile-a-l/aweather.profile @@ -11,8 +11,8 @@ noblacklist ${HOME}/.config/aweather include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc mkdir ${HOME}/.config/aweather whitelist ${HOME}/.config/aweather @@ -23,6 +23,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/b2sum.profile b/etc/profile-a-l/b2sum.profile new file mode 100644 index 00000000000..48cb9619b79 --- /dev/null +++ b/etc/profile-a-l/b2sum.profile 
@@ -0,0 +1,13 @@ +# Firejail profile for b2sum +# Description: compute and check BLAKE2 message digest +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include b2sum.local +# Persistent global definitions +include globals.local + +private-bin b2sum + +# Redirect +include hasher-common.profile diff --git a/etc/profile-a-l/ballbuster-wrapper.profile b/etc/profile-a-l/ballbuster-wrapper.profile new file mode 100644 index 00000000000..419dcaab59b --- /dev/null +++ b/etc/profile-a-l/ballbuster-wrapper.profile @@ -0,0 +1,14 @@ +# Firejail profile for ballbuster-wrapper +# This file is overwritten after every install/update +# Persistent local customizations +include ballbuster-wrapper.local +# Persistent global definitions +# added by included profile +#include globals.local + +include allow-opengl-game.inc + +private-bin ballbuster-wrapper + +# Redirect +include ballbuster.profile diff --git a/etc/profile-a-l/ballbuster.profile b/etc/profile-a-l/ballbuster.profile new file mode 100644 index 00000000000..daa13a7ed8a --- /dev/null +++ b/etc/profile-a-l/ballbuster.profile 
@@ -0,0 +1,52 @@ +# Firejail profile for ballbuster +# Description: Move the paddle to bounce the ball and break all the bricks +# This file is overwritten after every install/update +# Persistent local customizations +include ballbuster.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.ballbuster.hs + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkfile ${HOME}/.ballbuster.hs +whitelist ${HOME}/.ballbuster.hs +whitelist /usr/share/ballbuster +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +net none +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin ballbuster +private-cache +private-dev +private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pulse +private-tmp + +dbus-user none +dbus-system none diff --git a/etc/profile-a-l/baloo_file.profile b/etc/profile-a-l/baloo_file.profile index 785e37a1622..252016bec20 100644 --- a/etc/profile-a-l/baloo_file.profile +++ b/etc/profile-a-l/baloo_file.profile @@ -23,7 +23,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-var-common.inc @@ -36,6 +35,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile new file mode 100644 index 00000000000..2080aad62f9 --- /dev/null +++ b/etc/profile-a-l/balsa.profile 
@@ -0,0 +1,82 @@ +# Firejail profile for balsa +# Description: GNOME mail client +# This file is overwritten after every install/update +# Persistent local customizations +include balsa.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.balsa +noblacklist ${HOME}/.gnupg +noblacklist ${HOME}/.mozilla +noblacklist ${HOME}/.signature +noblacklist ${HOME}/mail +noblacklist /var/mail +noblacklist /var/spool/mail + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.balsa +mkdir ${HOME}/.gnupg +mkfile ${HOME}/.signature +mkdir ${HOME}/mail +whitelist ${HOME}/.balsa +whitelist ${HOME}/.gnupg +whitelist ${HOME}/.mozilla/firefox/profiles.ini +whitelist ${HOME}/.signature +whitelist ${HOME}/mail +whitelist ${RUNUSER}/gnupg +whitelist /usr/share/balsa +whitelist /usr/share/gnupg +whitelist /usr/share/gnupg2 +whitelist /var/mail +whitelist /var/spool/mail +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +# disable-mnt +# Add "pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg +# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile. 
+private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm +private-cache +private-dev +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.preload,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg +private-tmp +writable-run-user +writable-var + +dbus-user filter +dbus-user.own org.desktop.Balsa +dbus-user.talk ca.desrt.dconf +dbus-user.talk org.freedesktop.Notifications +dbus-user.talk org.freedesktop.secrets +dbus-user.talk org.gnome.keyring.SystemPrompter +dbus-system none + +read-only ${HOME}/.mozilla/firefox/profiles.ini diff --git a/etc/profile-a-l/baobab.profile b/etc/profile-a-l/baobab.profile index 50f7531c01c..c8dbcad4e2d 100644 --- a/etc/profile-a-l/baobab.profile +++ b/etc/profile-a-l/baobab.profile @@ -10,8 +10,8 @@ include globals.local include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc # include disable-programs.inc +include disable-shell.inc # include disable-xdg.inc include whitelist-runuser-common.inc @@ -21,6 +21,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -29,6 +30,7 @@ nou2f novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog diff --git a/etc/profile-a-l/barrier.profile b/etc/profile-a-l/barrier.profile index f5da3782eec..f6775ee01c5 100644 --- a/etc/profile-a-l/barrier.profile +++ b/etc/profile-a-l/barrier.profile @@ -14,7 +14,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -26,6 +25,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile new file mode 100644 index 00000000000..87bcf9a19a4 --- /dev/null +++ b/etc/profile-a-l/bcompare.profile 
@@ -0,0 +1,47 @@ +# Firejail profile for Beyond Compare by Scooter Software +# Description: directory and file compare utility +# Disables the network, which only impacts checking for updates. +# This file is overwritten after every install/update +# Persistent local customizations +include bcompare.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/bcompare +# In case the user decides to include disable-programs.inc, still allow +# KDE's Gwenview to view images via right click -> Open With -> Associated Application +noblacklist ${HOME}/.config/gwenviewrc + +# Add the next line to your bcompare.local if you don't need to compare files in disable-common.inc. +#include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +# Add the next line to your bcompare.local if you don't need to compare files in disable-programs.inc. +#include disable-programs.inc +#include disable-shell.inc - breaks launch +include disable-write-mnt.inc + +apparmor +caps.drop all +net none +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix +seccomp +shell none +tracelog + +private-cache +private-dev +private-tmp + +dbus-user none +dbus-system none diff --git a/etc/profile-a-l/beaker.profile b/etc/profile-a-l/beaker.profile index cc1886a496d..f3a9568bd1c 100644 --- a/etc/profile-a-l/beaker.profile +++ b/etc/profile-a-l/beaker.profile 
@@ -3,17 +3,26 @@ # Persistent local customizations include beaker.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local -noblacklist ${HOME}/.config/Beaker Browser +# Disabled until someone reported positive feedback +ignore include disable-exec.inc +ignore include disable-xdg.inc +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc +ignore include whitelist-var-common.inc +ignore nou2f +ignore novideo +ignore shell none +ignore disable-mnt +ignore private-cache +ignore private-dev +ignore private-tmp -include disable-devel.inc -include disable-interpreters.inc +noblacklist ${HOME}/.config/Beaker Browser mkdir ${HOME}/.config/Beaker Browser whitelist ${HOME}/.config/Beaker Browser -include whitelist-common.inc # Redirect include electron.profile diff --git a/etc/profile-a-l/bibletime.profile b/etc/profile-a-l/bibletime.profile index 99e2802eb08..24db11c7e5b 100644 --- a/etc/profile-a-l/bibletime.profile +++ b/etc/profile-a-l/bibletime.profile @@ -16,7 +16,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.bibletime @@ -26,6 +25,7 @@ whitelist ${HOME}/.bibletime whitelist ${HOME}/.sword whitelist ${HOME}/.local/share/bibletime whitelist /usr/share/bibletime +whitelist /usr/share/doc/bibletime whitelist /usr/share/sword include whitelist-common.inc include whitelist-usr-share-common.inc @@ -37,6 +37,7 @@ machine-id netfilter nodvd nogroups +noinput nonewprivs noroot nosound 
@@ -51,7 +52,7 @@ disable-mnt # private-bin bibletime,qt5ct private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,fonts,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf private-tmp dbus-user none diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile new file mode 100644 index 00000000000..61cd792b12e --- /dev/null +++ b/etc/profile-a-l/bijiben.profile 
@@ -0,0 +1,63 @@ +# Firejail profile for bijiben +# Description: Simple Note Viewer +# This file is overwritten after every install/update +# Persistent local customizations +include bijiben.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.local/share/bijiben + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.local/share/bijiben +whitelist ${HOME}/.local/share/bijiben +whitelist ${HOME}/.cache/tracker +whitelist /usr/libexec/webkit2gtk-4.0 +whitelist /usr/share/bijiben +whitelist /usr/share/tracker +whitelist /usr/share/tracker3 +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +net none +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin bijiben +# private-cache -- access to .cache/tracker is required +private-dev +private-etc dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload +private-tmp + +dbus-user filter +dbus-user.own org.gnome.Notes +dbus-user.talk ca.desrt.dconf +dbus-user.talk org.freedesktop.Tracker1 +dbus-system none + +env WEBKIT_FORCE_SANDBOX=0 diff --git a/etc/profile-a-l/bitcoin-qt.profile b/etc/profile-a-l/bitcoin-qt.profile index ac1e21ba7ab..ef6ef7a757a 100644 --- a/etc/profile-a-l/bitcoin-qt.profile +++ b/etc/profile-a-l/bitcoin-qt.profile @@ -13,8 +13,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc mkdir ${HOME}/.bitcoin mkdir ${HOME}/.config/Bitcoin 
@@ -29,6 +29,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/bitlbee.profile b/etc/profile-a-l/bitlbee.profile index 62eeb88f3e4..773fa75002b 100644 --- a/etc/profile-a-l/bitlbee.profile +++ b/etc/profile-a-l/bitlbee.profile @@ -16,13 +16,13 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc netfilter no3d nodvd +noinput nonewprivs nosound notv diff --git a/etc/profile-a-l/bitwarden.profile b/etc/profile-a-l/bitwarden.profile index 3095e7505a4..91ce57966d2 100644 --- a/etc/profile-a-l/bitwarden.profile +++ b/etc/profile-a-l/bitwarden.profile 
@@ -6,52 +6,25 @@ include bitwarden.local # Persistent global definitions include globals.local +# Disabled until someone reported positive feedback +ignore include whitelist-usr-share-common.inc + ignore noexec /tmp noblacklist ${HOME}/.config/Bitwarden -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc -include disable-xdg.inc +include disable-shell.inc mkdir ${HOME}/.config/Bitwarden whitelist ${HOME}/.config/Bitwarden -whitelist ${DOWNLOADS} -include whitelist-common.inc -include whitelist-var-common.inc -apparmor -caps.drop all machine-id -netfilter no3d -nodvd -nogroups -nonewprivs -noroot nosound -notv -nou2f -novideo -protocol unix,inet,inet6,netlink -seccomp !chroot -shell none -#tracelog - breaks on Arch - -private-bin bitwarden -private-cache + ?HAS_APPIMAGE: ignore private-dev -private-dev -private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,nsswitch.conf,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl private-opt Bitwarden -private-tmp - -# breaks appindicator (tray) functionality -# dbus-user none -# dbus-system none -#memory-deny-write-execute - breaks on Arch (see issue #1803) +# Redirect +include electron.profile diff --git a/etc/profile-a-l/blackbox.profile b/etc/profile-a-l/blackbox.profile index 13e83493dbc..233f9a96f64 100644 --- a/etc/profile-a-l/blackbox.profile +++ b/etc/profile-a-l/blackbox.profile @@ -6,7 +6,7 @@ include blackbox.local # Persistent global definitions include globals.local -# all applications started in awesome will run in this profile +# all applications started in blackbox will run in this profile noblacklist ${HOME}/.blackbox include disable-common.inc diff --git a/etc/profile-a-l/bleachbit.profile b/etc/profile-a-l/bleachbit.profile index 8f230a413ca..28ce8fbeabe 100644 
--- a/etc/profile-a-l/bleachbit.profile +++ b/etc/profile-a-l/bleachbit.profile @@ -14,7 +14,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc # include disable-programs.inc caps.drop all @@ -22,6 +21,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/blender-2.8.profile b/etc/profile-a-l/blender-2.8.profile index b7242c4438c..55d8fdcf2db 100644 --- a/etc/profile-a-l/blender-2.8.profile +++ b/etc/profile-a-l/blender-2.8.profile @@ -1,5 +1,10 @@ # Firejail profile alias for blender # This file is overwritten after every install/update +# Persistent local customizations +include blender-2.8.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include blender.profile diff --git a/etc/profile-a-l/blender.profile b/etc/profile-a-l/blender.profile index 6a72fb602a6..225fd7cdcd0 100644 --- a/etc/profile-a-l/blender.profile +++ b/etc/profile-a-l/blender.profile @@ -16,7 +16,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc # Allow usage of AMD GPU by OpenCL @@ -28,14 +27,14 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv nou2f protocol unix,inet,inet6,netlink -seccomp +# numpy, used by many add-ons, requires the mbind syscall +seccomp !mbind shell none private-dev -private-tmp - diff --git a/etc/profile-a-l/bless.profile b/etc/profile-a-l/bless.profile index 216e86109fe..8d8787174e1 100644 --- a/etc/profile-a-l/bless.profile +++ b/etc/profile-a-l/bless.profile @@ -12,7 +12,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-var-common.inc 
@@ -22,6 +21,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -35,7 +35,7 @@ shell none # private-bin bash,bless,mono,sh private-cache private-dev -private-etc alternatives,fonts,mono +private-etc alternatives,fonts,ld.so.preload,mono private-tmp dbus-user none diff --git a/etc/profile-a-l/blobby.profile b/etc/profile-a-l/blobby.profile new file mode 100644 index 00000000000..7179bf4a59a --- /dev/null +++ b/etc/profile-a-l/blobby.profile @@ -0,0 +1,51 @@ +# Firejail profile for blobby +# Persistent local customizations +include blobby.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.blobby + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.blobby +whitelist ${HOME}/.blobby +include whitelist-common.inc +whitelist /usr/share/blobby +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +netfilter +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,inet,inet6,netlink +seccomp +shell none +tracelog + +disable-mnt +private-bin blobby +private-dev +private-etc alsa,alternatives,asound.conf,drirc,group,hosts,ld.so.preload,login.defs,machine-id,passwd,pulse +private-lib +private-tmp + +dbus-user none +dbus-system none + +memory-deny-write-execute diff --git a/etc/profile-a-l/blobwars.profile b/etc/profile-a-l/blobwars.profile index 2a56bdf94aa..683a7858b66 100644 --- a/etc/profile-a-l/blobwars.profile +++ b/etc/profile-a-l/blobwars.profile @@ -12,8 +12,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.parallelrealities/blobwars 
@@ -28,6 +28,7 @@ caps.drop all net none nodvd nogroups +noinput nonewprivs noroot notv @@ -42,7 +43,7 @@ disable-mnt private-bin blobwars private-cache private-dev -private-etc machine-id +private-etc ld.so.preload,machine-id private-tmp dbus-user none diff --git a/etc/profile-a-l/bluefish.profile b/etc/profile-a-l/bluefish.profile index 88ac9c0ed06..bc5219e2927 100644 --- a/etc/profile-a-l/bluefish.profile +++ b/etc/profile-a-l/bluefish.profile @@ -10,7 +10,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-var-common.inc @@ -21,6 +20,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/bnox.profile b/etc/profile-a-l/bnox.profile index 031f3f4bde8..6e8f0d7d1ad 100644 --- a/etc/profile-a-l/bnox.profile +++ b/etc/profile-a-l/bnox.profile @@ -5,6 +5,11 @@ include bnox.local # Persistent global definitions include globals.local +# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 +ignore whitelist /usr/share/chromium +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc + noblacklist ${HOME}/.cache/bnox noblacklist ${HOME}/.config/bnox diff --git a/etc/profile-a-l/brackets.profile b/etc/profile-a-l/brackets.profile index 70f62813eba..94afc9e0b73 100644 --- a/etc/profile-a-l/brackets.profile +++ b/etc/profile-a-l/brackets.profile @@ -13,13 +13,13 @@ noblacklist ${HOME}/.config/Brackets include allow-common-devel.inc include disable-common.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/brasero.profile b/etc/profile-a-l/brasero.profile index 417a6b3e0a6..65670190926 100644 --- a/etc/profile-a-l/brasero.profile +++ b/etc/profile-a-l/brasero.profile 
@@ -12,7 +12,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-var-common.inc diff --git a/etc/profile-a-l/brave-browser-beta.profile b/etc/profile-a-l/brave-browser-beta.profile index 528a6402d2f..bbe23056fcb 100644 --- a/etc/profile-a-l/brave-browser-beta.profile +++ b/etc/profile-a-l/brave-browser-beta.profile @@ -1,5 +1,10 @@ # Firejail profile alias for brave (beta channel) # This file is overwritten after every install/update +# Persistent local customizations +include brave-browser-beta.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include brave.profile diff --git a/etc/profile-a-l/brave-browser-dev.profile b/etc/profile-a-l/brave-browser-dev.profile index 4601de1190c..b3fcc22ee9d 100644 --- a/etc/profile-a-l/brave-browser-dev.profile +++ b/etc/profile-a-l/brave-browser-dev.profile @@ -1,5 +1,10 @@ # Firejail profile alias for brave (development channel) # This file is overwritten after every install/update +# Persistent local customizations +include brave-browser-dev.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include brave.profile diff --git a/etc/profile-a-l/brave-browser-nightly.profile b/etc/profile-a-l/brave-browser-nightly.profile index 43d3cc7248c..796c90deb8e 100644 --- a/etc/profile-a-l/brave-browser-nightly.profile +++ b/etc/profile-a-l/brave-browser-nightly.profile @@ -1,5 +1,10 @@ # Firejail profile alias for brave (nightly channel) # This file is overwritten after every install/update +# Persistent local customizations +include brave-browser-nightly.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include brave.profile 
diff --git a/etc/profile-a-l/brave-browser-stable.profile b/etc/profile-a-l/brave-browser-stable.profile index 06d33dea4b6..fab7f5f1493 100644 --- a/etc/profile-a-l/brave-browser-stable.profile +++ b/etc/profile-a-l/brave-browser-stable.profile @@ -1,5 +1,10 @@ # Firejail profile alias for brave (release channel) # This file is overwritten after every install/update +# Persistent local customizations +include brave-browser-stable.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include brave.profile diff --git a/etc/profile-a-l/brave-browser.profile b/etc/profile-a-l/brave-browser.profile index e223ecf87c5..fda337725c4 100644 --- a/etc/profile-a-l/brave-browser.profile +++ b/etc/profile-a-l/brave-browser.profile @@ -1,5 +1,10 @@ # Firejail profile alias for brave # This file is overwritten after every install/update +# Persistent local customizations +include brave-browser.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include brave.profile diff --git a/etc/profile-a-l/brave.profile b/etc/profile-a-l/brave.profile index 35c59f5a3de..09548c7610e 100644 --- a/etc/profile-a-l/brave.profile +++ b/etc/profile-a-l/brave.profile @@ -8,6 +8,11 @@ include globals.local # noexec /tmp is included in chromium-common.profile and breaks Brave ignore noexec /tmp +# TOR is installed in ${HOME}. +# NOTE: chromium-common.profile enables apparmor. To keep that intact +# you will need to uncomment the 'brave + tor' rule in /etc/apparmor.d/local/firejail-default. +# Alternatively you can add 'ignore apparmor' to your brave.local. +ignore noexec ${HOME} noblacklist ${HOME}/.cache/BraveSoftware noblacklist ${HOME}/.config/BraveSoftware diff --git a/etc/profile-a-l/bsdcat.profile b/etc/profile-a-l/bsdcat.profile index 5271ee5d627..ff7d83dadce 100644 --- a/etc/profile-a-l/bsdcat.profile +++ b/etc/profile-a-l/bsdcat.profile 
@@ -1,5 +1,10 @@ # Firejail profile alias for bsdtar # This file is overwritten after every install/update +# Persistent local customizations +include bsdcat.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include bsdtar.profile diff --git a/etc/profile-a-l/bsdcpio.profile b/etc/profile-a-l/bsdcpio.profile index 5271ee5d627..eb35ef79f50 100644 --- a/etc/profile-a-l/bsdcpio.profile +++ b/etc/profile-a-l/bsdcpio.profile @@ -1,5 +1,10 @@ # Firejail profile alias for bsdtar # This file is overwritten after every install/update +# Persistent local customizations +include bsdcpio.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include bsdtar.profile diff --git a/etc/profile-a-l/bsdtar.profile b/etc/profile-a-l/bsdtar.profile index 08e51f3c164..dbfc9099689 100644 --- a/etc/profile-a-l/bsdtar.profile +++ b/etc/profile-a-l/bsdtar.profile @@ -6,43 +6,7 @@ include bsdtar.local # Persistent global definitions include globals.local -blacklist ${RUNUSER}/wayland-* +private-etc alternatives,group,ld.so.preload,localtime,passwd -include disable-common.inc -# include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc - -apparmor -caps.drop all -hostname bsdtar -ipc-namespace -machine-id -net none -no3d -nodvd -nogroups -nonewprivs -# noroot -nosound -notv -nou2f -novideo -protocol unix -seccomp -shell none -tracelog -x11 none - -# support compressed archives -private-bin bash,bsdcat,bsdcpio,bsdtar,bzip2,compress,gtar,gzip,lbzip2,libarchive,lz4,lzip,lzma,lzop,sh,xz -private-cache -private-dev -private-etc alternatives,group,localtime,passwd - -dbus-user none -dbus-system none - -memory-deny-write-execute +# Redirect +include archiver-common.profile diff --git a/etc/profile-a-l/bzflag.profile b/etc/profile-a-l/bzflag.profile index 1f56d516981..53cfde352ee 100644 
--- a/etc/profile-a-l/bzflag.profile +++ b/etc/profile-a-l/bzflag.profile @@ -12,8 +12,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.bzf @@ -26,6 +26,7 @@ ipc-namespace netfilter nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/calibre.profile b/etc/profile-a-l/calibre.profile index d17cfa85f0a..cdc1683845f 100644 --- a/etc/profile-a-l/calibre.profile +++ b/etc/profile-a-l/calibre.profile @@ -13,7 +13,6 @@ noblacklist ${DOCUMENTS} include disable-common.inc include disable-devel.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -24,6 +23,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/calligra.profile b/etc/profile-a-l/calligra.profile index 489036e3957..280a61401c6 100644 --- a/etc/profile-a-l/calligra.profile +++ b/etc/profile-a-l/calligra.profile @@ -6,10 +6,11 @@ include calligra.local # Persistent global definitions include globals.local +noblacklist ${HOME}/.local/share/kxmlgui5/calligra + include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all @@ -18,6 +19,7 @@ ipc-namespace netfilter nodvd nogroups +noinput nonewprivs noroot notv @@ -25,9 +27,10 @@ nou2f novideo protocol unix seccomp +seccomp.block-secondary shell none -private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch,kbuildsycoca4,kdeinit4 +private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligragemini,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch,kbuildsycoca4,kdeinit4 private-dev # dbus-user none 
diff --git a/etc/profile-a-l/calligraauthor.profile b/etc/profile-a-l/calligraauthor.profile index 7804a3b9725..ace6c05f8e6 100644 --- a/etc/profile-a-l/calligraauthor.profile +++ b/etc/profile-a-l/calligraauthor.profile @@ -1,5 +1,10 @@ # Firejail profile alias for calligra # This file is overwritten after every install/update +# Persistent local customizations +include calligraauthor.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include calligra.profile diff --git a/etc/profile-a-l/calligraconverter.profile b/etc/profile-a-l/calligraconverter.profile index 7804a3b9725..b2c23a57b63 100644 --- a/etc/profile-a-l/calligraconverter.profile +++ b/etc/profile-a-l/calligraconverter.profile @@ -1,5 +1,10 @@ # Firejail profile alias for calligra # This file is overwritten after every install/update +# Persistent local customizations +include calligraconverter.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include calligra.profile diff --git a/etc/profile-a-l/calligraflow.profile b/etc/profile-a-l/calligraflow.profile index 7804a3b9725..ca654b3f347 100644 --- a/etc/profile-a-l/calligraflow.profile +++ b/etc/profile-a-l/calligraflow.profile @@ -1,5 +1,10 @@ # Firejail profile alias for calligra # This file is overwritten after every install/update +# Persistent local customizations +include calligraflow.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include calligra.profile diff --git a/etc/profile-a-l/calligragemini.profile b/etc/profile-a-l/calligragemini.profile new file mode 100644 index 00000000000..006c307ab0f --- /dev/null +++ b/etc/profile-a-l/calligragemini.profile 
@@ -0,0 +1,12 @@ +# Firejail profile alias for calligra +# This file is overwritten after every install/update +# Persistent local customizations +include calligragemini.local +# Persistent global definitions +# added by included profile +#include globals.local + +noblacklist ${HOME}/.local/share/calligragemini + +# Redirect +include calligra.profile diff --git a/etc/profile-a-l/calligraplan.profile b/etc/profile-a-l/calligraplan.profile index 7804a3b9725..81dbd4dcdd2 100644 --- a/etc/profile-a-l/calligraplan.profile +++ b/etc/profile-a-l/calligraplan.profile @@ -1,5 +1,12 @@ # Firejail profile alias for calligra # This file is overwritten after every install/update +# Persistent local customizations +include calligraplan.local +# Persistent global definitions +# added by included profile +#include globals.local + +noblacklist ${HOME}/.local/share/kxmlgui5/calligraplan # Redirect include calligra.profile diff --git a/etc/profile-a-l/calligraplanwork.profile b/etc/profile-a-l/calligraplanwork.profile index 7804a3b9725..bba91b66bfa 100644 --- a/etc/profile-a-l/calligraplanwork.profile +++ b/etc/profile-a-l/calligraplanwork.profile @@ -1,5 +1,12 @@ # Firejail profile alias for calligra # This file is overwritten after every install/update +# Persistent local customizations +include calligraplanwork.local +# Persistent global definitions +# added by included profile +#include globals.local + +noblacklist ${HOME}/.local/share/kxmlgui5/calligraplanwork # Redirect include calligra.profile diff --git a/etc/profile-a-l/calligrasheets.profile b/etc/profile-a-l/calligrasheets.profile index 7804a3b9725..7bc296047c0 100644 --- a/etc/profile-a-l/calligrasheets.profile +++ b/etc/profile-a-l/calligrasheets.profile 
@@ -1,5 +1,12 @@ # Firejail profile alias for calligra # This file is overwritten after every install/update +# Persistent local customizations +include calligrasheets.local +# Persistent global definitions +# added by included profile +#include globals.local + +noblacklist ${HOME}/.local/share/kxmlgui5/calligrasheets # Redirect include calligra.profile diff --git a/etc/profile-a-l/calligrastage.profile b/etc/profile-a-l/calligrastage.profile index 7804a3b9725..7694abbe414 100644 --- a/etc/profile-a-l/calligrastage.profile +++ b/etc/profile-a-l/calligrastage.profile @@ -1,5 +1,12 @@ # Firejail profile alias for calligra # This file is overwritten after every install/update +# Persistent local customizations +include calligrastage.local +# Persistent global definitions +# added by included profile +#include globals.local + +noblacklist ${HOME}/.local/share/kxmlgui5/calligrastage # Redirect include calligra.profile diff --git a/etc/profile-a-l/calligrawords.profile b/etc/profile-a-l/calligrawords.profile index 7804a3b9725..d69d56a95c0 100644 --- a/etc/profile-a-l/calligrawords.profile +++ b/etc/profile-a-l/calligrawords.profile @@ -1,5 +1,12 @@ # Firejail profile alias for calligra # This file is overwritten after every install/update +# Persistent local customizations +include calligrawords.local +# Persistent global definitions +# added by included profile +#include globals.local + +noblacklist ${HOME}/.local/share/kxmlgui5/calligrawords # Redirect include calligra.profile diff --git a/etc/profile-a-l/cameramonitor.profile b/etc/profile-a-l/cameramonitor.profile index f48cc43a10f..d3c25d451a2 100644 --- a/etc/profile-a-l/cameramonitor.profile +++ b/etc/profile-a-l/cameramonitor.profile @@ -15,8 +15,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc whitelist /usr/share/cameramonitor 
@@ -46,7 +46,7 @@ tracelog disable-mnt private-bin cameramonitor,python* private-cache -private-etc alternatives,fonts +private-etc alternatives,fonts,ld.so.preload private-tmp # dbus-user none diff --git a/etc/profile-a-l/cantata.profile b/etc/profile-a-l/cantata.profile index c44d56b909f..69cf912ef62 100644 --- a/etc/profile-a-l/cantata.profile +++ b/etc/profile-a-l/cantata.profile @@ -18,14 +18,15 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc # apparmor caps.drop all ipc-namespace netfilter +noinput nonewprivs noroot nou2f diff --git a/etc/profile-a-l/cargo.profile b/etc/profile-a-l/cargo.profile new file mode 100644 index 00000000000..ff46cd42915 --- /dev/null +++ b/etc/profile-a-l/cargo.profile 
@@ -0,0 +1,72 @@ +# Firejail profile for cargo +# Description: The Rust package manager +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include cargo.local +# Persistent global definitions +include globals.local + +ignore noexec ${HOME} +ignore noexec /tmp + +blacklist /tmp/.X11-unix +blacklist ${RUNUSER} + +noblacklist ${HOME}/.cargo/credentials +noblacklist ${HOME}/.cargo/credentials.toml + +# Allows files commonly used by IDEs +include allow-common-devel.inc + +# Allow ssh (blacklisted by disable-common.inc) +#include allow-ssh.inc + +include disable-common.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-xdg.inc + +#mkdir ${HOME}/.cargo +#whitelist ${HOME}/YOUR_CARGO_PROJECTS +#whitelist ${HOME}/.cargo +#whitelist ${HOME}/.rustup +#include whitelist-common.inc +whitelist /usr/share/pkgconfig +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +caps.drop all +ipc-namespace +machine-id +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +#private-bin cargo,rustc +private-cache +private-dev +private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,magic,magic.mgc,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl +private-tmp + +dbus-user none +dbus-system none + +memory-deny-write-execute +read-write ${HOME}/.cargo/bin diff --git a/etc/profile-a-l/catfish.profile b/etc/profile-a-l/catfish.profile index 009d3a049d4..38a670fdc48 100644 --- a/etc/profile-a-l/catfish.profile +++ b/etc/profile-a-l/catfish.profile 
@@ -18,7 +18,6 @@ include allow-python3.inc # include disable-common.inc # include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc # include disable-programs.inc whitelist /var/lib/mlocate diff --git a/etc/profile-a-l/cawbird.profile b/etc/profile-a-l/cawbird.profile new file mode 100644 index 00000000000..ceba032699c --- /dev/null +++ b/etc/profile-a-l/cawbird.profile @@ -0,0 +1,46 @@ +# Firejail profile for cawbird +# Description: Open-source Twitter client for Linux +# This file is overwritten after every install/update +# Persistent local customizations +include cawbird.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/cawbird + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +apparmor +caps.drop all +machine-id +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +disable-mnt +private-bin cawbird +private-cache +private-dev +private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,pki,resolv.conf,ssl,X11,xdg +private-tmp + +# dbus-user none +dbus-system none diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile index 567bd912adc..1a9340632d3 100644 --- a/etc/profile-a-l/celluloid.profile +++ b/etc/profile-a-l/celluloid.profile 
@@ -9,21 +9,30 @@ include globals.local noblacklist ${HOME}/.config/celluloid noblacklist ${HOME}/.config/gnome-mpv noblacklist ${HOME}/.config/youtube-dl -noblacklist ${MUSIC} -noblacklist ${VIDEOS} + +# Allow lua (blacklisted by disable-interpreters.inc) +include allow-lua.inc # Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc include allow-python3.inc +blacklist /usr/libexec + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc -include disable-xdg.inc +mkdir ${HOME}/.config/celluloid +mkdir ${HOME}/.config/gnome-mpv +mkdir ${HOME}/.config/youtube-dl +whitelist ${HOME}/.config/celluloid +whitelist ${HOME}/.config/gnome-mpv +whitelist ${HOME}/.config/youtube-dl +include whitelist-common.inc +include whitelist-player-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -32,22 +41,25 @@ apparmor caps.drop all netfilter nogroups +noinput nonewprivs noroot nou2f protocol unix,inet,inet6 seccomp +seccomp.block-secondary shell none tracelog private-bin celluloid,env,gnome-mpv,python*,youtube-dl private-cache -private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg +private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg private-dev private-tmp dbus-user filter dbus-user.own io.github.celluloid_player.Celluloid +dbus-user.talk ca.desrt.dconf dbus-user.talk org.gnome.SettingsDaemon.MediaKeys dbus-system none diff --git a/etc/profile-a-l/checkbashisms.profile b/etc/profile-a-l/checkbashisms.profile index 93f61091bed..e89f488ea3c 100644 --- a/etc/profile-a-l/checkbashisms.profile 
+++ b/etc/profile-a-l/checkbashisms.profile @@ -18,11 +18,9 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc -whitelist /usr/share/perl5 include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -34,6 +32,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/cheese.profile b/etc/profile-a-l/cheese.profile index 337117c4a6c..978d727f4c1 100644 --- a/etc/profile-a-l/cheese.profile +++ b/etc/profile-a-l/cheese.profile @@ -9,17 +9,26 @@ include globals.local noblacklist ${VIDEOS} noblacklist ${PICTURES} +include allow-python3.inc + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc whitelist ${VIDEOS} whitelist ${PICTURES} +whitelist /run/udev/data +whitelist /usr/libexec/gstreamer-1.0/gst-plugin-scanner +whitelist /usr/share/gnome-video-effects +whitelist /usr/share/gstreamer-1.0 include whitelist-common.inc +include whitelist-run-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor @@ -28,20 +37,26 @@ machine-id net none nodvd nogroups +noinput nonewprivs noroot +nosound notv nou2f protocol unix seccomp +seccomp.block-secondary shell none tracelog disable-mnt private-bin cheese private-cache -private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0 +private-dev +private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0,ld.so.preload private-tmp -dbus-user none +dbus-user filter +dbus-user.own org.gnome.Cheese +dbus-user.talk ca.desrt.dconf dbus-system none diff --git a/etc/profile-a-l/cherrytree.profile b/etc/profile-a-l/cherrytree.profile index 70dea5bd929..e68182b27a7 100644 
--- a/etc/profile-a-l/cherrytree.profile +++ b/etc/profile-a-l/cherrytree.profile @@ -17,7 +17,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -26,6 +25,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/chromium-browser-privacy.profile b/etc/profile-a-l/chromium-browser-privacy.profile new file mode 100644 index 00000000000..8803a4d9d1b --- /dev/null +++ b/etc/profile-a-l/chromium-browser-privacy.profile @@ -0,0 +1,19 @@ +# Firejail profile for chromium-browser-privacy +# This file is overwritten after every install/update +# Persistent local customizations +include chromium-browser-privacy.local + +noblacklist ${HOME}/.cache/ungoogled-chromium +noblacklist ${HOME}/.config/ungoogled-chromium + +blacklist /usr/libexec + +mkdir ${HOME}/.cache/ungoogled-chromium +mkdir ${HOME}/.config/ungoogled-chromium +whitelist ${HOME}/.cache/ungoogled-chromium +whitelist ${HOME}/.config/ungoogled-chromium + +# private-bin basename,bash,cat,chromium-browser-privacy,dirname,mkdir,readlink,sed,touch,which,xdg-settings + +# Redirect +include chromium.profile diff --git a/etc/profile-a-l/chromium-browser.profile b/etc/profile-a-l/chromium-browser.profile index f83052d9ae2..7ad806f5b7f 100644 --- a/etc/profile-a-l/chromium-browser.profile +++ b/etc/profile-a-l/chromium-browser.profile @@ -1,5 +1,10 @@ # Firejail profile alias for chromium # This file is overwritten after every install/update +# Persistent local customizations +include chromium-browser.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include chromium.profile diff --git a/etc/profile-a-l/chromium-common-hardened.inc.profile b/etc/profile-a-l/chromium-common-hardened.inc.profile new file mode 100644 index 00000000000..19addd28532 --- /dev/null 
+++ b/etc/profile-a-l/chromium-common-hardened.inc.profile @@ -0,0 +1,9 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include chromium-common-hardened.inc.local + +caps.drop all +nonewprivs +noroot +protocol unix,inet,inet6,netlink +seccomp !chroot diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile index c54fb0e19fa..c42243e0267 100644 --- a/etc/profile-a-l/chromium-common.profile +++ b/etc/profile-a-l/chromium-common.profile @@ -12,11 +12,16 @@ include chromium-common.local noblacklist ${HOME}/.pki noblacklist ${HOME}/.local/share/pki +# Add the next line to your chromium-common.local if you want Google Chrome/Chromium browser +# to have access to Gnome extensions (extensions.gnome.org) via browser connector +#include allow-python3.inc + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc include disable-programs.inc +include disable-xdg.inc mkdir ${HOME}/.pki mkdir ${HOME}/.local/share/pki 
@@ -24,21 +29,31 @@ whitelist ${DOWNLOADS} whitelist ${HOME}/.pki whitelist ${HOME}/.local/share/pki include whitelist-common.inc +include whitelist-run-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc +# Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone. +#include chromium-common-hardened.inc.profile + apparmor caps.keep sys_admin,sys_chroot netfilter -# nodbus - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector nodvd nogroups +noinput notv ?BROWSER_DISABLE_U2F: nou2f shell none disable-mnt +private-cache ?BROWSER_DISABLE_U2F: private-dev -# private-tmp - problems with multiple browser sessions +#private-tmp - issues when using multiple browser sessions + +#dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector. +dbus-system none -# the file dialog needs to work without d-bus +# The file dialog needs to work without d-bus. ?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1 diff --git a/etc/profile-a-l/chromium-freeworld.profile b/etc/profile-a-l/chromium-freeworld.profile new file mode 100644 index 00000000000..dadedfbcf8c --- /dev/null +++ b/etc/profile-a-l/chromium-freeworld.profile @@ -0,0 +1,10 @@ +# Firejail profile for chromium-freeworld +# This file is overwritten after every install/update +# Persistent local customizations +include chromium-freeworld.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include chromium.profile diff --git a/etc/profile-a-l/chromium.profile b/etc/profile-a-l/chromium.profile index dab9ce449d7..9ac33aa1c6d 100644 --- a/etc/profile-a-l/chromium.profile +++ b/etc/profile-a-l/chromium.profile 
@@ -15,6 +15,8 @@ mkdir ${HOME}/.config/chromium whitelist ${HOME}/.cache/chromium whitelist ${HOME}/.config/chromium whitelist ${HOME}/.config/chromium-flags.conf +whitelist /usr/share/chromium +whitelist /usr/share/mozilla/extensions # private-bin chromium,chromium-browser,chromedriver diff --git a/etc/profile-a-l/cin.profile b/etc/profile-a-l/cin.profile index 8c3fb42d197..7d3e0c10084 100644 --- a/etc/profile-a-l/cin.profile +++ b/etc/profile-a-l/cin.profile @@ -11,7 +11,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all @@ -19,13 +18,14 @@ ipc-namespace net none nodvd #nogroups +noinput nonewprivs notv nou2f noroot protocol unix -# if an 1-1.2% gap per thread hurts you, comment seccomp +# If a 1-1.2% gap per thread hurts you, add 'ignore seccomp' to your cin.local. seccomp shell none diff --git a/etc/profile-a-l/cinelerra.profile b/etc/profile-a-l/cinelerra.profile index 88a65037ef8..38297bbaeb4 100644 --- a/etc/profile-a-l/cinelerra.profile +++ b/etc/profile-a-l/cinelerra.profile @@ -1,5 +1,10 @@ # Firejail profile alias for cin # This file is overwritten after every install/update +# Persistent local customizations +include cinelerra.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cin.profile diff --git a/etc/profile-a-l/cksum.profile b/etc/profile-a-l/cksum.profile new file mode 100644 index 00000000000..2baeed2ed60 --- /dev/null +++ b/etc/profile-a-l/cksum.profile @@ -0,0 +1,13 @@ +# Firejail profile for cksum +# Description: checksum and count the bytes in a file +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include cksum.local +# Persistent global definitions +include globals.local + +private-bin cksum + +# Redirect +include hasher-common.profile 
diff --git a/etc/profile-a-l/clamav.profile b/etc/profile-a-l/clamav.profile index 2726ab5afeb..e403c2c410e 100644 --- a/etc/profile-a-l/clamav.profile +++ b/etc/profile-a-l/clamav.profile @@ -17,6 +17,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/clamdscan.profile b/etc/profile-a-l/clamdscan.profile index 4c6c56c5ff1..b25b46a27fc 100644 --- a/etc/profile-a-l/clamdscan.profile +++ b/etc/profile-a-l/clamdscan.profile @@ -1,5 +1,10 @@ # Firejail profile alias for clamav # This file is overwritten after every install/update +# Persistent local customizations +include clamdscan.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include clamav.profile diff --git a/etc/profile-a-l/clamdtop.profile b/etc/profile-a-l/clamdtop.profile index 4c6c56c5ff1..8c8cb38805d 100644 --- a/etc/profile-a-l/clamdtop.profile +++ b/etc/profile-a-l/clamdtop.profile @@ -1,5 +1,10 @@ # Firejail profile alias for clamav # This file is overwritten after every install/update +# Persistent local customizations +include clamdtop.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include clamav.profile diff --git a/etc/profile-a-l/clamscan.profile b/etc/profile-a-l/clamscan.profile index 4c6c56c5ff1..0bc95e515e1 100644 --- a/etc/profile-a-l/clamscan.profile +++ b/etc/profile-a-l/clamscan.profile @@ -1,5 +1,10 @@ # Firejail profile alias for clamav # This file is overwritten after every install/update +# Persistent local customizations +include clamscan.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include clamav.profile diff --git a/etc/profile-a-l/clamtk.profile b/etc/profile-a-l/clamtk.profile index 4425a2bd070..2a06178a544 100644 --- a/etc/profile-a-l/clamtk.profile +++ b/etc/profile-a-l/clamtk.profile @@ -13,6 +13,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound 
diff --git a/etc/profile-a-l/claws-mail.profile b/etc/profile-a-l/claws-mail.profile index 24954b2d83a..691657fa04d 100644 --- a/etc/profile-a-l/claws-mail.profile +++ b/etc/profile-a-l/claws-mail.profile @@ -11,12 +11,20 @@ noblacklist ${HOME}/.claws-mail mkdir ${HOME}/.claws-mail whitelist ${HOME}/.claws-mail -# If you use python-based plugins you need to uncomment the below (or put them in your claws-mail.local) +# Add the below lines to your claws-mail.local if you use python-based plugins. # Allow python (blacklisted by disable-interpreters.inc) #include allow-python2.inc #include allow-python3.inc whitelist /usr/share/doc/claws-mail +# private-bin claws-mail,curl,gpg,gpg2,gpg-agent,gpgsm,gpgme-config,pinentry,pinentry-gtk-2 + +dbus-user filter +dbus-user.talk ca.desrt.dconf +dbus-user.talk org.gnome.keyring.SystemPrompter +# Add the next line to your claws-mail.local if you use the notification plugin. +# dbus-user.talk org.freedesktop.Notifications + # Redirect include email-common.profile diff --git a/etc/profile-a-l/clawsker.profile b/etc/profile-a-l/clawsker.profile index 12ce47401b7..5eb2cb621d7 100644 --- a/etc/profile-a-l/clawsker.profile +++ b/etc/profile-a-l/clawsker.profile @@ -15,12 +15,10 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.claws-mail whitelist ${HOME}/.claws-mail -whitelist /usr/share/perl5 include whitelist-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -31,6 +29,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound 
@@ -45,8 +44,8 @@ disable-mnt private-bin bash,clawsker,perl,sh,which private-cache private-dev -private-etc alternatives,fonts -private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl* +private-etc alternatives,fonts,ld.so.preload +private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-3.so.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl* private-tmp dbus-user none diff --git a/etc/profile-a-l/clementine.profile b/etc/profile-a-l/clementine.profile index 4d92157d032..b1509f391bd 100644 --- a/etc/profile-a-l/clementine.profile +++ b/etc/profile-a-l/clementine.profile @@ -12,22 +12,29 @@ noblacklist ${MUSIC} include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc include whitelist-var-common.inc +include whitelist-usr-share-common.inc +include whitelist-runuser-common.inc +apparmor caps.drop all +noinput nonewprivs noroot notv nou2f novideo -protocol unix,inet,inet6 +protocol unix,inet,inet6,netlink # blacklisting of ioprio_set system calls breaks clementine seccomp !ioprio_set private-dev private-tmp + +dbus-system none +# dbus-user none diff --git a/etc/profile-a-l/clion-eap.profile b/etc/profile-a-l/clion-eap.profile new file mode 100644 index 00000000000..3602c3e7b38 --- /dev/null +++ b/etc/profile-a-l/clion-eap.profile @@ -0,0 +1,10 @@ +# Firejail profile for CLion EAP +# This file is overwritten after every install/update +# Persistent local customizations +include clion-eap.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include clion.profile diff --git a/etc/profile-a-l/clion.profile b/etc/profile-a-l/clion.profile index b27d93684da..15071d731f4 100644 --- a/etc/profile-a-l/clion.profile +++ b/etc/profile-a-l/clion.profile 
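Review bot: in clementine.profile both `protocol unix,inet,inet6,netlink` (netlink is new) and the commented `# dbus-user none` are added without a reason, whereas the existing exception in the same file is documented (`# blacklisting of ioprio_set system calls breaks clementine`). Say what needs netlink and what `dbus-user none` breaks. Style: the new includes `whitelist-usr-share-common.inc` and `whitelist-runuser-common.inc` are appended after `whitelist-var-common.inc`, breaking the alphabetical order every other profile in this patch uses.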
@@ -5,23 +5,28 @@ include clion.local # Persistent global definitions include globals.local +noblacklist ${HOME}/.config/JetBrains/CLion* +noblacklist ${HOME}/.cache/JetBrains/CLion* +noblacklist ${HOME}/.clion* noblacklist ${HOME}/.CLion* noblacklist ${HOME}/.config/git noblacklist ${HOME}/.gitconfig noblacklist ${HOME}/.git-credentials noblacklist ${HOME}/.java noblacklist ${HOME}/.local/share/JetBrains -noblacklist ${HOME}/.ssh noblacklist ${HOME}/.tooling +# Allow ssh (blacklisted by disable-common.inc) +include allow-ssh.inc + include disable-common.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/clipgrab.profile b/etc/profile-a-l/clipgrab.profile index dace5e83eb1..f3c77fa7756 100644 --- a/etc/profile-a-l/clipgrab.profile +++ b/etc/profile-a-l/clipgrab.profile @@ -14,7 +14,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -27,6 +26,7 @@ machine-id netfilter nodvd nogroups +noinput nonewprivs noroot nosound @@ -42,6 +42,6 @@ private-cache private-dev private-tmp -# Breaks tray icon, uncomment or add to clipgrab.local if you don't need it +# 'dbus-user none' breaks tray menu - add 'dbus-user none' to your clipgrab.local if you don't need it. # dbus-user none # dbus-system none diff --git a/etc/profile-a-l/clipit.profile b/etc/profile-a-l/clipit.profile index 66b5fc85901..4c7cb86bfe8 100644 --- a/etc/profile-a-l/clipit.profile +++ b/etc/profile-a-l/clipit.profile @@ -13,7 +13,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -33,6 +32,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound 
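Review bot: swapping `noblacklist ${HOME}/.ssh` for `include allow-ssh.inc` in clion.profile likely exposes more than the one directory the old line did (an allow-*.inc normally also un-blacklists the tool's binaries and config); confirm that widening is intended for an IDE and note it in the commit message, since the hunk reads as a pure refactor.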
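Review bot: the reworded comment in clipgrab.profile, `# 'dbus-user none' breaks tray menu - add 'dbus-user none' to your clipgrab.local if you don't need it.`, still leaves "it" ambiguous (the tray menu, not dbus). Suggest `... to your clipgrab.local if you don't need the tray menu.`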
diff --git a/etc/profile-a-l/clocks.profile b/etc/profile-a-l/clocks.profile index da50e7d497f..3b3efb9f36f 100644 --- a/etc/profile-a-l/clocks.profile +++ b/etc/profile-a-l/clocks.profile @@ -1,5 +1,10 @@ # Firejail profile for gnome-clocks # This file is overwritten after every install/update +# Persistent local customizations +include clocks.local +# Persistent global definitions +# added by included profile +#include globals.local # Temporary fix for https://github.com/netblue30/firejail/issues/2624 # Redirect diff --git a/etc/profile-a-l/cmus.profile b/etc/profile-a-l/cmus.profile index fa1e5d722c7..e51dd6bed58 100644 --- a/etc/profile-a-l/cmus.profile +++ b/etc/profile-a-l/cmus.profile @@ -12,8 +12,8 @@ noblacklist ${MUSIC} include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc caps.drop all @@ -27,4 +27,4 @@ seccomp shell none private-bin cmus -private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,resolv.conf,ssl +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl diff --git a/etc/profile-a-l/code.profile b/etc/profile-a-l/code.profile index 6f8a25211c0..fdf94ec412f 100644 --- a/etc/profile-a-l/code.profile +++ b/etc/profile-a-l/code.profile 
@@ -5,6 +5,21 @@ include code.local # Persistent global definitions include globals.local +# Disabled until someone reported positive feedback +ignore include disable-devel.inc +ignore include disable-exec.inc +ignore include disable-interpreters.inc +ignore include disable-xdg.inc +ignore whitelist ${DOWNLOADS} +ignore include whitelist-common.inc +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc +ignore include whitelist-var-common.inc +ignore apparmor +ignore disable-mnt +ignore dbus-user none +ignore dbus-system none + noblacklist ${HOME}/.config/Code noblacklist ${HOME}/.config/Code - OSS noblacklist ${HOME}/.vscode @@ -13,30 +28,13 @@ noblacklist ${HOME}/.vscode-oss # Allows files commonly used by IDEs include allow-common-devel.inc -include disable-common.inc -include disable-passwdmgr.inc -include disable-programs.inc - -caps.drop all -netfilter -nodvd -nogroups -nonewprivs -noroot nosound -notv -nou2f -novideo -protocol unix,inet,inet6,netlink -seccomp -shell none - -private-cache -private-dev -private-tmp # Disabling noexec ${HOME} for now since it will # probably interfere with running some programmes # in VS Code # noexec ${HOME} noexec /tmp + +# Redirect +include electron.profile diff --git a/etc/profile-a-l/cola.profile b/etc/profile-a-l/cola.profile new file mode 100644 index 00000000000..97bf6d394fc --- /dev/null +++ b/etc/profile-a-l/cola.profile @@ -0,0 +1,10 @@ +# Firejail profile for cola +# Description: Linux native frontend for Git,alternative call for git-cola +# This file is overwritten after every install/update +# Persistent local customizations +include cola.local +# Persistent global definitions +include globals.local + +# Redirect +include git-cola.profile diff --git a/etc/profile-a-l/colorful-wrapper.profile b/etc/profile-a-l/colorful-wrapper.profile new file mode 100644 index 00000000000..4b762047dc2 --- /dev/null +++ b/etc/profile-a-l/colorful-wrapper.profile 
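Review bot: `# Disabled until someone reported positive feedback` in code.profile should read `reports`, and it should say what is being disabled (the hardening inherited from electron.profile). More importantly, the redirect removes `protocol unix,inet,inet6,netlink` without an `ignore`/override for `protocol`; check that electron.profile's own `protocol` line carries `netlink`, otherwise this is a silent regression for VS Code. `noexec /tmp` is kept while `include disable-exec.inc` is ignored; that is consistent with the `# noexec ${HOME}` comment above it, but a word on why /tmp is safe to keep noexec would help.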
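Review bot: `# Description: Linux native frontend for Git,alternative call for git-cola` in cola.profile is missing a space after the comma. This alias also includes `globals.local` directly, whereas the other new aliases in this patch (clion-eap.profile, com.gitlab.newsflash.profile, cryptocat.profile) comment it out as `# added by included profile`; if git-cola.profile includes globals.local itself, the file is processed twice. Follow the alias convention.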
@@ -0,0 +1,14 @@ +# Firejail profile for colorful-wrapper +# This file is overwritten after every install/update +# Persistent local customizations +include colorful-wrapper.local +# Persistent global definitions +# added by included profile +#include globals.local + +include allow-opengl-game.inc + +private-bin colorful-wrapper + +# Redirect +include colorful.profile diff --git a/etc/profile-a-l/colorful.profile b/etc/profile-a-l/colorful.profile new file mode 100644 index 00000000000..33ee0d0ee6d --- /dev/null +++ b/etc/profile-a-l/colorful.profile @@ -0,0 +1,52 @@ +# Firejail profile for colorful +# Description: simple 2D sideview shooter +# This file is overwritten after every install/update +# Persistent local customizations +include colorful.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.suve/colorful + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.suve/colorful +whitelist ${HOME}/.suve/colorful +whitelist /usr/share/suve +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +net none +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin colorful +private-cache +private-dev +private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pulse +private-tmp + +dbus-user none +dbus-system none diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile new file mode 100644 index 00000000000..6f08bc378ce --- /dev/null +++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile 
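Review bot: colorful-wrapper.profile adds only `private-bin colorful-wrapper` and then redirects to colorful.profile, which sets `include disable-shell.inc`, `private-bin colorful` and `shell none`. If colorful-wrapper is a shell script (wrappers usually are), it needs `sh` in private-bin and disable-shell.inc will block the interpreter. Say in the commit message what the wrapper is, or test the launch path.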
@@ -0,0 +1,55 @@ +# Firejail profile for com.github.bleakgrey.tootle +# Description: Gtk Mastodon client +# This file is overwritten after every install/update +# Persistent local customizations +include com.github.bleakgrey.tootle.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/com.github.bleakgrey.tootle + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.config/com.github.bleakgrey.tootle +whitelist ${DOWNLOADS} +whitelist ${HOME}/.config/com.github.bleakgrey.tootle +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +netfilter +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +disable-mnt +private-bin com.github.bleakgrey.tootle +private-cache +private-dev +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg +private-tmp + +# Settings are immutable +# dbus-user filter +# dbus-user.own com.github.bleakgrey.tootle +# dbus-user.talk ca.desrt.dconf +dbus-system none diff --git a/etc/profile-a-l/com.github.dahenson.agenda.profile b/etc/profile-a-l/com.github.dahenson.agenda.profile index 6df9627b328..d33b89e7cce 100644 --- a/etc/profile-a-l/com.github.dahenson.agenda.profile +++ b/etc/profile-a-l/com.github.dahenson.agenda.profile @@ -14,8 +14,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.cache/agenda 
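Review bot: the private-etc line in com.github.bleakgrey.tootle.profile is broken: `...,hosts,ld.so.preload,machine-id mime.types,nsswitch.conf,...` lacks the comma between `machine-id` and `mime.types`, so the entry list is corrupted at that point; write `machine-id,mime.types`. Also the trailing `# Settings are immutable` over the commented `# dbus-user filter` block does not say which configuration makes them immutable (the filter, or running without it); state that explicitly so the next editor knows whether enabling the filter is a fix or a regression.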
@@ -36,6 +36,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -51,12 +52,12 @@ disable-mnt private-bin com.github.dahenson.agenda private-cache private-dev -private-etc dconf,fonts,gtk-3.0 +private-etc dconf,fonts,gtk-3.0,ld.so.preload private-tmp dbus-user filter -dbus.own com.github.dahenson.agenda -dbus.talk ca.desrt.dconf +dbus-user.own com.github.dahenson.agenda +dbus-user.talk ca.desrt.dconf dbus-system none read-only ${HOME} diff --git a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile index 39a9a360dee..c75a09a518f 100644 --- a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile +++ b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile @@ -17,8 +17,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.cache/com.github.johnfactotum.Foliate @@ -39,6 +39,7 @@ machine-id net none nodvd nogroups +noinput nonewprivs noroot nosound @@ -54,7 +55,7 @@ disable-mnt private-bin com.github.johnfactotum.Foliate,gjs private-cache private-dev -private-etc dconf,fonts,gconf,gtk-3.0 +private-etc dconf,fonts,gconf,gtk-3.0,ld.so.preload private-tmp read-only ${HOME} diff --git a/etc/profile-a-l/com.github.phase1geo.minder.profile b/etc/profile-a-l/com.github.phase1geo.minder.profile new file mode 100644 index 00000000000..b10d1b5b0e3 --- /dev/null +++ b/etc/profile-a-l/com.github.phase1geo.minder.profile 
@@ -0,0 +1,61 @@ +# Firejail profile for com.github.phase1geo.minder +# Description: Mind-mapping application +# This file is overwritten after every install/update +# Persistent local customizations +include com.github.phase1geo.minder.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.local/share/minder +noblacklist ${DOCUMENTS} +noblacklist ${PICTURES} + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.local/share/minder +whitelist ${HOME}/.local/share/minder +whitelist ${DOCUMENTS} +whitelist ${DOWNLOADS} +whitelist ${PICTURES} +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +net none +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin com.github.phase1geo.minder +private-cache +private-dev +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,pango,passwd,X11,xdg +private-tmp + +dbus-user filter +dbus-user.own com.github.phase1geo.minder +dbus-user.talk ca.desrt.dconf +dbus-system none diff --git a/etc/profile-a-l/com.gitlab.newsflash.profile b/etc/profile-a-l/com.gitlab.newsflash.profile new file mode 100644 index 00000000000..1e37da602c0 --- /dev/null +++ b/etc/profile-a-l/com.gitlab.newsflash.profile @@ -0,0 +1,10 @@ +# Firejail profile alias for newsflash +# This file is overwritten after every install/update +# Persistent local customizations +include com.gitlab.newsflash.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include newsflash.profile 
diff --git a/etc/profile-a-l/conky.profile b/etc/profile-a-l/conky.profile index e5cd7085a09..7ccc101bfd3 100644 --- a/etc/profile-a-l/conky.profile +++ b/etc/profile-a-l/conky.profile @@ -15,7 +15,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -28,6 +27,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/conplay.profile b/etc/profile-a-l/conplay.profile index 8d9f3324f17..d0ad7c753a6 100644 --- a/etc/profile-a-l/conplay.profile +++ b/etc/profile-a-l/conplay.profile @@ -12,7 +12,5 @@ include conplay.local # Allow perl (blacklisted by disable-interpreters.inc) include allow-perl.inc -whitelist /usr/share/perl5 - # Redirect include mpg123.profile diff --git a/etc/profile-a-l/corebird.profile b/etc/profile-a-l/corebird.profile index dbb043c17d5..537381f64b1 100644 --- a/etc/profile-a-l/corebird.profile +++ b/etc/profile-a-l/corebird.profile @@ -12,8 +12,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc include whitelist-var-common.inc @@ -22,6 +22,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/cower.profile b/etc/profile-a-l/cower.profile index 8efe48240c1..351ca0dab6f 100644 --- a/etc/profile-a-l/cower.profile +++ b/etc/profile-a-l/cower.profile @@ -14,8 +14,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc # This profile could be significantly strengthened by adding the following to cower.local 
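Review bot: `whitelist /usr/share/perl5` is removed from conplay.profile, which redirects to mpg123.profile; unless mpg123.profile includes whitelist-usr-share-common.inc and that include covers perl5, the Perl wrapper (`include allow-perl.inc` is kept) loses its modules. Same concern as the clawsker change in this patch; verify once and note it for both.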
@@ -28,6 +28,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -45,5 +46,4 @@ private-dev private-tmp memory-deny-write-execute - read-only ${HOME}/.config/cower/config diff --git a/etc/profile-a-l/coyim.profile b/etc/profile-a-l/coyim.profile new file mode 100644 index 00000000000..1d623fa0903 --- /dev/null +++ b/etc/profile-a-l/coyim.profile @@ -0,0 +1,49 @@ +# Firejail profile for coyim +# Description: GTK Jabber client written in Go +# This file is overwritten after every install/update +# Persistent local customizations +include coyim.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/coyim + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.config/coyim +whitelist ${HOME}/.config/coyim +include whitelist-common.inc +include whitelist-usr-share-common.inc +include whitelist-runuser-common.inc +include whitelist-var-common.inc + +caps.drop all +netfilter +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +disable-mnt +private-cache +private-dev +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,machine-id,pki,ssl +private-tmp + +dbus-user none +dbus-system none + +#memory-deny-write-execute diff --git a/etc/profile-a-l/cpio.profile b/etc/profile-a-l/cpio.profile index 087a5b2bba4..bdc4f21a697 100644 --- a/etc/profile-a-l/cpio.profile +++ b/etc/profile-a-l/cpio.profile 
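Review bot: `private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,machine-id,pki,ssl` in coyim.profile gives a networked XMPP client no `resolv.conf`, `hosts`, `host.conf` or `nsswitch.conf`; compare crow.profile and com.github.bleakgrey.tootle.profile in this same patch, which include them. Without them name resolution inside the sandbox is likely to fail. Minor: `#memory-deny-write-execute` is left commented with no reason, and `whitelist-usr-share-common.inc` is listed before `whitelist-runuser-common.inc`, unlike the other new profiles here.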
@@ -7,40 +7,8 @@ include cpio.local # Persistent global definitions include globals.local -blacklist ${RUNUSER}/wayland-* - noblacklist /sbin noblacklist /usr/sbin -include disable-common.inc -# include disable-devel.inc -include disable-exec.inc -include disable-passwdmgr.inc -include disable-programs.inc - -apparmor -caps.drop all -hostname cpio -ipc-namespace -machine-id -net none -no3d -nodvd -nogroups -nonewprivs -nosound -notv -nou2f -novideo -seccomp -shell none -tracelog -x11 none - -private-cache -private-dev - -dbus-user none -dbus-system none - -memory-deny-write-execute +# Redirect +include archiver-common.profile diff --git a/etc/profile-a-l/crawl-tiles.profile b/etc/profile-a-l/crawl-tiles.profile index 39151865e6d..2e24429fdde 100644 --- a/etc/profile-a-l/crawl-tiles.profile +++ b/etc/profile-a-l/crawl-tiles.profile @@ -1,5 +1,10 @@ # Firejail profile alias for crawl # This file is overwritten after every install/update +# Persistent local customizations +include crawl-titles.local +# Persistent global definitions +# added by included profile +#include globals.local ignore no3d diff --git a/etc/profile-a-l/crawl.profile b/etc/profile-a-l/crawl.profile index 3da2413d903..7cbbcd8d31f 100644 --- a/etc/profile-a-l/crawl.profile +++ b/etc/profile-a-l/crawl.profile @@ -12,7 +12,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -27,6 +26,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/crow.profile b/etc/profile-a-l/crow.profile index 755b6e9f8e5..deb2c0ef830 100644 --- a/etc/profile-a-l/crow.profile +++ b/etc/profile-a-l/crow.profile 
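Review bot: `include crawl-titles.local` in crawl-tiles.profile is a typo for `crawl-tiles.local`; as written, a user's crawl-tiles.local is never read and the local-customization hook this hunk is meant to add does not work.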
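Review bot: redirecting cpio.profile to archiver-common.profile drops `x11 none`, `net none`, `hostname cpio`, `ipc-namespace` and `memory-deny-write-execute` from this file; that is fine only if archiver-common.profile carries equivalents. Confirm it does (in particular `x11 none` and `net none`) and say so in the commit message, because the hunk otherwise reads as a loosening of an archiver sandbox.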
@@ -15,8 +15,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc include whitelist-common.inc @@ -26,6 +26,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot notv @@ -38,7 +39,7 @@ shell none disable-mnt private-bin crow private-dev -private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl private-opt none private-tmp private-srv none diff --git a/etc/profile-a-l/cryptocat.profile b/etc/profile-a-l/cryptocat.profile index 69aa39de217..5362e7a6abc 100644 --- a/etc/profile-a-l/cryptocat.profile +++ b/etc/profile-a-l/cryptocat.profile @@ -1,5 +1,10 @@ # Firejail profile alias for Cryptocat # This file is overwritten after every install/update +# Persistent local customizations +include cryptocat.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include Cryptocat.profile diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile index 996ff51d328..448d8b6552f 100644 --- a/etc/profile-a-l/curl.profile +++ b/etc/profile-a-l/curl.profile 
@@ -7,17 +7,21 @@ include curl.local # Persistent global definitions include globals.local +# curl 7.74.0 introduces experimental support for HSTS cache +# https://daniel.haxx.se/blog/2020/11/03/hsts-your-curl/ +# Technically this file can be anywhere but let's assume users have it in ${HOME}/.curl-hsts. +# If your setup diverts, add 'blacklist /path/to/curl/hsts/file' to your disable-programs.local +# and 'noblacklist /path/to/curl/hsts/file' to curl.local to keep the sandbox logic intact. +noblacklist ${HOME}/.curl-hsts noblacklist ${HOME}/.curlrc blacklist /tmp/.X11-unix -blacklist ${RUNUSER}/wayland-* blacklist ${RUNUSER} include disable-common.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-programs.inc -# depending on workflow you can uncomment the below or put 'include disable-xdg.inc' in your curl.local +# Depending on workflow you can add 'include disable-xdg.inc' to your curl.local. #include disable-xdg.inc include whitelist-usr-share-common.inc @@ -31,6 +35,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/d-feet.profile b/etc/profile-a-l/d-feet.profile index 51df7b45528..0e754c4482f 100644 --- a/etc/profile-a-l/d-feet.profile +++ b/etc/profile-a-l/d-feet.profile @@ -16,8 +16,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.config/d-feet @@ -35,6 +35,7 @@ ipc-namespace no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -49,7 +50,7 @@ disable-mnt private-bin d-feet,python* private-cache private-dev -private-etc alternatives,dbus-1,fonts,machine-id +private-etc alternatives,dbus-1,fonts,ld.so.preload,machine-id private-tmp #memory-deny-write-execute - breaks on Arch (see issue #1803) 
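Review bot: in the new HSTS comment in curl.profile, `If your setup diverts` should be `If your setup differs`. Removing `blacklist ${RUNUSER}/wayland-*` is safe because `blacklist ${RUNUSER}` stays (the same removal is made in dig.profile), but that reasoning belongs in the commit message so the deletion is not mistaken for loosening the profile.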
diff --git a/etc/profile-a-l/darktable.profile b/etc/profile-a-l/darktable.profile index 2a71ad11ca8..a3590281cf2 100644 --- a/etc/profile-a-l/darktable.profile +++ b/etc/profile-a-l/darktable.profile @@ -10,11 +10,12 @@ noblacklist ${HOME}/.cache/darktable noblacklist ${HOME}/.config/darktable noblacklist ${PICTURES} +include allow-lua.inc + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -22,6 +23,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/dbus-send.profile b/etc/profile-a-l/dbus-send.profile new file mode 100644 index 00000000000..c2532ed3b8b --- /dev/null +++ b/etc/profile-a-l/dbus-send.profile @@ -0,0 +1,59 @@ +# Firejail profile for dbus-send +# Description: Send a message to a message bus +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include dbus-send.local +# Persistent global definitions +include globals.local + +blacklist /tmp/.X11-unix +blacklist ${RUNUSER}/wayland-* + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-write-mnt.inc +include disable-xdg.inc + +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +machine-id +# Breaks abstract sockets +#net none +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +shell none +tracelog + +disable-mnt +private +private-bin dbus-send +private-cache +private-dev +private-etc alternatives,dbus-1,ld.so.preload +private-lib libpcre* +private-tmp + +memory-deny-write-execute +read-only ${HOME} 
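Review bot: `include allow-lua.inc` is added to darktable.profile without the explanatory comment this same patch adds for python in dia.profile (`# Allow python (blacklisted by disable-interpreters.inc)`); add `# Allow lua (blacklisted by disable-interpreters.inc)` for consistency.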
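Review bot: dbus-send.profile sets `private` and also `read-only ${HOME}`; `private` already mounts a fresh temporary home, so the read-only line is redundant (harmless, but drop it or comment why). `include disable-write-mnt.inc` next to `disable-mnt` overlaps in the same way. The `# Breaks abstract sockets` / `#net none` pair is the right call-out; a similar one-liner noting that the profile deliberately has no `dbus-user`/`dbus-system` policy (filtering would defeat a bus client) would help.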
diff --git a/etc/profile-a-l/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile index 62379d3efce..2b43c5ea31a 100644 --- a/etc/profile-a-l/dconf-editor.profile +++ b/etc/profile-a-l/dconf-editor.profile @@ -10,8 +10,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc whitelist ${HOME}/.local/share/glib-2.0 @@ -26,6 +26,7 @@ caps.drop all no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -34,6 +35,7 @@ nou2f novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog @@ -41,7 +43,7 @@ disable-mnt private-bin dconf-editor private-cache private-dev -private-etc alternatives,dconf,fonts,gtk-3.0,machine-id +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload,machine-id private-lib private-tmp diff --git a/etc/profile-a-l/dconf.profile b/etc/profile-a-l/dconf.profile index ea19b22094c..1cbeee76304 100644 --- a/etc/profile-a-l/dconf.profile +++ b/etc/profile-a-l/dconf.profile @@ -12,7 +12,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -30,6 +29,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -46,7 +46,7 @@ disable-mnt private-bin dconf,gsettings private-cache private-dev -private-etc alternatives,dconf +private-etc alternatives,dconf,ld.so.preload private-lib private-tmp diff --git a/etc/profile-a-l/ddgr.profile b/etc/profile-a-l/ddgr.profile new file mode 100644 index 00000000000..b1d41ddf759 --- /dev/null +++ b/etc/profile-a-l/ddgr.profile 
@@ -0,0 +1,13 @@ +# Firejail profile for ddgr +# Description: Search DuckDuckGo from your terminal +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include ddgr.local +# Persistent global definitions +include globals.local + +private-bin ddgr + +# Redirect +include googler-common.profile diff --git a/etc/profile-a-l/ddgtk.profile b/etc/profile-a-l/ddgtk.profile index 5b95b74be2a..0669a5a6c11 100644 --- a/etc/profile-a-l/ddgtk.profile +++ b/etc/profile-a-l/ddgtk.profile @@ -14,7 +14,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -46,7 +45,7 @@ tracelog disable-mnt private-bin bash,dd,ddgtk,grep,lsblk,python*,sed,sh,tr private-cache -private-etc alternatives,fonts +private-etc alternatives,fonts,ld.so.preload private-tmp dbus-user none diff --git a/etc/profile-a-l/deadbeef.profile b/etc/profile-a-l/deadbeef.profile index 8e67d9daae1..d9ff941da12 100644 --- a/etc/profile-a-l/deadbeef.profile +++ b/etc/profile-a-l/deadbeef.profile @@ -13,7 +13,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -21,6 +20,7 @@ caps.drop all netfilter no3d nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/default.profile b/etc/profile-a-l/default.profile index 74314cf92f0..0d8c224d7eb 100644 --- a/etc/profile-a-l/default.profile +++ b/etc/profile-a-l/default.profile 
@@ -5,20 +5,21 @@ include default.local # Persistent global definitions include globals.local -# generic gui profile +# generic GUI profile # depending on your usage, you can enable some of the commands below: include disable-common.inc # include disable-devel.inc # include disable-exec.inc # include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +# include disable-shell.inc +# include disable-write-mnt.inc # include disable-xdg.inc # include whitelist-common.inc -# include whitelist-usr-share-common.inc # include whitelist-runuser-common.inc +# include whitelist-usr-share-common.inc # include whitelist-var-common.inc # apparmor @@ -30,12 +31,13 @@ netfilter # no3d # nodvd # nogroups +noinput nonewprivs noroot # nosound -# notv +notv # nou2f -# novideo +novideo protocol unix,inet,inet6 seccomp # shell none diff --git a/etc/profile-a-l/deluge.profile b/etc/profile-a-l/deluge.profile index 17c5059f555..3697243e065 100644 --- a/etc/profile-a-l/deluge.profile +++ b/etc/profile-a-l/deluge.profile @@ -16,7 +16,6 @@ include disable-common.inc # include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.config/deluge @@ -30,6 +29,7 @@ caps.drop all machine-id netfilter nodvd +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/desktopeditors.profile b/etc/profile-a-l/desktopeditors.profile index 9a98c4933c8..5175146db96 100644 --- a/etc/profile-a-l/desktopeditors.profile +++ b/etc/profile-a-l/desktopeditors.profile @@ -14,7 +14,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-usr-share-common.inc @@ -26,6 +25,7 @@ ipc-namespace netfilter nodvd nogroups +noinput nonewprivs noroot notv 
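Review bot: uncommenting `notv` and `novideo` and adding `noinput` in default.profile changes the behaviour of every program that has no profile of its own (for example, an unprofiled program loses webcam access); this is a user-visible default change and deserves a changelog/release-note entry and a sentence in the commit message. The `# depending on your usage, you can enable some of the commands below:` comment still reads as if these were opt-in.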
diff --git a/etc/profile-a-l/devhelp.profile b/etc/profile-a-l/devhelp.profile index f3c012acb16..562f6b1056f 100644 --- a/etc/profile-a-l/devhelp.profile +++ b/etc/profile-a-l/devhelp.profile @@ -11,8 +11,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc whitelist /usr/share/devhelp @@ -26,6 +26,7 @@ caps.drop all # net none - makes settings immutable nodvd nogroups +noinput nonewprivs noroot nosound @@ -41,7 +42,7 @@ disable-mnt private-bin devhelp private-cache private-dev -private-etc alternatives,dconf,fonts,ld.so.cache,machine-id,ssl +private-etc alternatives,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,ssl private-tmp # makes settings immutable @@ -49,5 +50,4 @@ private-tmp # dbus-system none #memory-deny-write-execute - breaks on Arch (see issue #1803) - read-only ${HOME} diff --git a/etc/profile-a-l/devilspie.profile b/etc/profile-a-l/devilspie.profile index 1ab10a6f693..19b6cffaf5a 100644 --- a/etc/profile-a-l/devilspie.profile +++ b/etc/profile-a-l/devilspie.profile @@ -14,7 +14,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -32,6 +31,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -48,7 +48,7 @@ disable-mnt private-bin devilspie private-cache private-dev -private-etc alternatives +private-etc alternatives,ld.so.preload private-lib gconv private-tmp @@ -56,5 +56,4 @@ dbus-user none dbus-system none memory-deny-write-execute - read-only ${HOME} diff --git a/etc/profile-a-l/dex2jar.profile b/etc/profile-a-l/dex2jar.profile index 7a59c5d73d2..9c1cf72f02d 100644 --- a/etc/profile-a-l/dex2jar.profile +++ b/etc/profile-a-l/dex2jar.profile 
@@ -13,7 +13,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -24,6 +23,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/dia.profile b/etc/profile-a-l/dia.profile index 52bf1c7f8fc..90214875632 100644 --- a/etc/profile-a-l/dia.profile +++ b/etc/profile-a-l/dia.profile @@ -9,16 +9,24 @@ include globals.local noblacklist ${HOME}/.dia noblacklist ${DOCUMENTS} +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python2.inc +include allow-python3.inc + include disable-common.inc include disable-devel.inc include disable-exec.inc -include allow-python2.inc -include allow-python3.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc +#mkdir ${HOME}/.dia +#whitelist ${HOME}/.dia +#whitelist ${DOCUMENTS} +#include whitelist-common.inc +whitelist /usr/share/dia +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor @@ -27,6 +35,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -36,6 +45,7 @@ novideo protocol unix seccomp shell none +tracelog disable-mnt #private-bin dia diff --git a/etc/profile-a-l/dig.profile b/etc/profile-a-l/dig.profile index 152dfd98011..a925781af62 100644 --- a/etc/profile-a-l/dig.profile +++ b/etc/profile-a-l/dig.profile 
@@ -11,18 +11,16 @@ noblacklist ${HOME}/.digrc noblacklist ${PATH}/dig blacklist /tmp/.X11-unix -blacklist ${RUNUSER}/wayland-* blacklist ${RUNUSER} include disable-common.inc # include disable-devel.inc include disable-exec.inc # include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc -#mkfile ${HOME}/.digrc -- see #903 +#mkfile ${HOME}/.digrc - see #903 whitelist ${HOME}/.digrc include whitelist-common.inc include whitelist-usr-share-common.inc @@ -36,6 +34,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -50,7 +49,7 @@ tracelog disable-mnt private-bin bash,dig,sh private-dev -# Uncomment the next line (or put 'private-lib' in your dig.local) on non Debian/Ubuntu OS (see issue #3038) +# Add the next line to your dig.local on non Debian/Ubuntu OS (see issue #3038). #private-lib private-tmp diff --git a/etc/profile-a-l/digikam.profile b/etc/profile-a-l/digikam.profile index ae4a63c6299..41625e12e77 100644 --- a/etc/profile-a-l/digikam.profile +++ b/etc/profile-a-l/digikam.profile @@ -10,13 +10,13 @@ noblacklist ${HOME}/.config/digikam noblacklist ${HOME}/.config/digikamrc noblacklist ${HOME}/.kde/share/apps/digikam noblacklist ${HOME}/.kde4/share/apps/digikam +noblacklist ${HOME}/.local/share/kxmlgui5/digikam noblacklist ${PICTURES} include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc diff --git a/etc/profile-a-l/dillo.profile b/etc/profile-a-l/dillo.profile index 7103d02852b..276ee251a13 100644 --- a/etc/profile-a-l/dillo.profile +++ b/etc/profile-a-l/dillo.profile @@ -11,7 +11,6 @@ noblacklist ${HOME}/.dillo include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.dillo 
@@ -25,6 +24,7 @@ include whitelist-var-common.inc caps.drop all netfilter nodvd +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/dino-im.profile b/etc/profile-a-l/dino-im.profile new file mode 100644 index 00000000000..ae0549d3eff --- /dev/null +++ b/etc/profile-a-l/dino-im.profile @@ -0,0 +1,14 @@ +# Firejail profile for dino-im +# Description: Modern XMPP Chat Client using GTK+/Vala, Ubuntu specific bin name +# This file is overwritten after every install/update +# Persistent local customizations +include dino-im.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Add Ubuntu specific binary name +private-bin dino-im + +# Redirect +include dino.profile diff --git a/etc/profile-a-l/dino.profile b/etc/profile-a-l/dino.profile index 82ddf2819f8..b1a9550f102 100644 --- a/etc/profile-a-l/dino.profile +++ b/etc/profile-a-l/dino.profile @@ -12,28 +12,31 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc mkdir ${HOME}/.local/share/dino whitelist ${HOME}/.local/share/dino whitelist ${DOWNLOADS} include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc caps.drop all netfilter -no3d nodvd nogroups +noinput nonewprivs noroot -nosound notv nou2f -novideo protocol unix,inet,inet6 seccomp +seccomp.block-secondary shell none +tracelog disable-mnt private-bin dino @@ -41,3 +44,4 @@ private-dev # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl -- breaks server connection private-tmp +dbus-system none diff --git a/etc/profile-a-l/discord-canary.profile b/etc/profile-a-l/discord-canary.profile index 3e9dacd1e18..43db95b8a93 100644 --- a/etc/profile-a-l/discord-canary.profile +++ b/etc/profile-a-l/discord-canary.profile 
@@ -10,7 +10,7 @@ noblacklist ${HOME}/.config/discordcanary mkdir ${HOME}/.config/discordcanary whitelist ${HOME}/.config/discordcanary -private-bin discord-canary +private-bin discord-canary,electron,electron[0-9],electron[0-9][0-9] private-opt discord-canary # Redirect diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile index cbeef798f0d..c04e3889994 100644 --- a/etc/profile-a-l/discord-common.profile +++ b/etc/profile-a-l/discord-common.profile 
@@ -6,33 +6,27 @@ include discord-common.local # added by caller profile #include globals.local -ignore noexec ${HOME} +# Disabled until someone reported positive feedback +ignore include disable-interpreters.inc +ignore include disable-xdg.inc +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc +ignore apparmor +ignore disable-mnt +ignore private-cache +ignore dbus-user none +ignore dbus-system none -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-passwdmgr.inc -include disable-programs.inc +ignore noexec ${HOME} +ignore novideo -whitelist ${DOWNLOADS} whitelist ${HOME}/.config/BetterDiscord whitelist ${HOME}/.local/share/betterdiscordctl -include whitelist-common.inc -include whitelist-var-common.inc -caps.drop all -netfilter -nodvd -nogroups -nonewprivs -noroot -notv -nou2f -novideo -protocol unix,inet,inet6,netlink -seccomp !chroot +private-bin bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh +private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl + +join-or-start discord -private-bin bash,cut,echo,egrep,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh -private-dev -private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl -private-tmp +# Redirect +include electron.profile diff --git a/etc/profile-a-l/display-im6.q16.profile b/etc/profile-a-l/display-im6.q16.profile new file mode 100644 index 00000000000..b80afc3fa03 --- /dev/null +++ b/etc/profile-a-l/display-im6.q16.profile 
@@ -0,0 +1,10 @@ +# Firejail profile for display-im6.q16 +# This file is overwritten after every install/update +# Persistent local customizations +include display-im6.q16.local +# Persistent global definitions +include globals.local + + +# Redirect +include display.profile diff --git a/etc/profile-a-l/display.profile b/etc/profile-a-l/display.profile index 2ae4edced39..6eff39d402c 100644 --- a/etc/profile-a-l/display.profile +++ b/etc/profile-a-l/display.profile @@ -15,8 +15,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc include whitelist-usr-share-common.inc @@ -26,6 +26,7 @@ caps.drop all net none nodvd nogroups +noinput nonewprivs noroot nosound @@ -39,7 +40,7 @@ shell none private-bin display,python* private-dev # On Debian-based systems, display is a symlink in /etc/alternatives -private-etc alternatives +private-etc alternatives,ld.so.preload private-tmp dbus-user none diff --git a/etc/profile-a-l/dnox.profile b/etc/profile-a-l/dnox.profile index e0239577175..51ba6f8b759 100644 --- a/etc/profile-a-l/dnox.profile +++ b/etc/profile-a-l/dnox.profile @@ -5,6 +5,11 @@ include dnox.local # Persistent global definitions include globals.local +# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 +ignore whitelist /usr/share/chromium +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc + noblacklist ${HOME}/.cache/dnox noblacklist ${HOME}/.config/dnox diff --git a/etc/profile-a-l/dnscrypt-proxy.profile b/etc/profile-a-l/dnscrypt-proxy.profile index e48e9d1acc5..906089663ef 100644 --- a/etc/profile-a-l/dnscrypt-proxy.profile +++ b/etc/profile-a-l/dnscrypt-proxy.profile 
@@ -17,7 +17,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -32,6 +31,7 @@ machine-id netfilter no3d nodvd +noinput nonewprivs nosound notv diff --git a/etc/profile-a-l/dnsmasq.profile b/etc/profile-a-l/dnsmasq.profile index 6db71bd4928..2db1548a484 100644 --- a/etc/profile-a-l/dnsmasq.profile +++ b/etc/profile-a-l/dnsmasq.profile @@ -16,13 +16,13 @@ blacklist ${RUNUSER}/wayland-* include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc caps.keep net_admin,net_bind_service,net_raw,setgid,setuid no3d nodvd +noinput nonewprivs nosound notv diff --git a/etc/profile-a-l/dolphin-emu.profile b/etc/profile-a-l/dolphin-emu.profile new file mode 100644 index 00000000000..ac86ef75a6c --- /dev/null +++ b/etc/profile-a-l/dolphin-emu.profile 
@@ -0,0 +1,63 @@ +# Firejail profile for dolphin-emu +# Description: An emulator for Gamecube and Wii games +# This file is overwritten after every install/update +# Persistent local customizations +include dolphin-emu.local +# Persistent global definitions +include globals.local + +# Note: you must whitelist your games folder in your dolphin-emu.local. + +noblacklist ${HOME}/.cache/dolphin-emu +noblacklist ${HOME}/.config/dolphin-emu +noblacklist ${HOME}/.local/share/dolphin-emu + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-write-mnt.inc +include disable-xdg.inc + +mkdir ${HOME}/.cache/dolphin-emu +mkdir ${HOME}/.config/dolphin-emu +mkdir ${HOME}/.local/share/dolphin-emu +whitelist ${HOME}/.cache/dolphin-emu +whitelist ${HOME}/.config/dolphin-emu +whitelist ${HOME}/.local/share/dolphin-emu +whitelist /usr/share/dolphin-emu +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +# Add the next line to your dolphin-emu.local if you do not need NetPlay support. +# net none +netfilter +# Add the next line to your dolphin-emu.local if you do not need disc support. +#nodvd +nogroups +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,inet,inet6,netlink,bluetooth +seccomp +shell none +tracelog + +private-bin bash,dolphin-emu,dolphin-emu-x11,sh +private-cache +# Add the next line to your dolphin-emu.local if you do not need controller support. 
+#private-dev +private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg +private-opt none +private-tmp + +dbus-user none +dbus-system none diff --git a/etc/profile-a-l/dooble-qt4.profile b/etc/profile-a-l/dooble-qt4.profile index 70a21e11cf3..99cf0f7f891 100644 --- a/etc/profile-a-l/dooble-qt4.profile +++ b/etc/profile-a-l/dooble-qt4.profile @@ -1,5 +1,10 @@ # Firejail profile alias for dooble # This file is overwritten after every install/update +# Persistent local customizations +include dooble-qt4.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include dooble.profile diff --git a/etc/profile-a-l/dooble.profile b/etc/profile-a-l/dooble.profile index bc197b22316..f1b630ac809 100644 --- a/etc/profile-a-l/dooble.profile +++ b/etc/profile-a-l/dooble.profile @@ -13,7 +13,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.dooble @@ -25,6 +24,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/dosbox.profile b/etc/profile-a-l/dosbox.profile index 17ccc9b9a5e..ad7049d3df9 100644 --- a/etc/profile-a-l/dosbox.profile +++ b/etc/profile-a-l/dosbox.profile 
@@ -11,17 +11,21 @@ noblacklist ${DOCUMENTS} include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc +apparmor caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv @@ -35,3 +39,6 @@ tracelog private-bin dosbox private-dev private-tmp + +dbus-user none +dbus-system none diff --git a/etc/profile-a-l/dragon.profile b/etc/profile-a-l/dragon.profile index df839cc4733..26243ab4e20 100644 --- a/etc/profile-a-l/dragon.profile +++ b/etc/profile-a-l/dragon.profile @@ -14,8 +14,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc whitelist /usr/share/dragonplayer @@ -25,6 +25,7 @@ include whitelist-var-common.inc caps.drop all netfilter nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/drawio.profile b/etc/profile-a-l/drawio.profile index 4132caa4fc5..253f5643ee0 100644 --- a/etc/profile-a-l/drawio.profile +++ b/etc/profile-a-l/drawio.profile @@ -12,8 +12,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.config/draw.io @@ -30,6 +30,7 @@ machine-id net none nodvd nogroups +noinput nonewprivs noroot nosound @@ -44,7 +45,7 @@ shell none private-bin drawio private-cache private-dev -private-etc alternatives,fonts +private-etc alternatives,fonts,ld.so.preload private-tmp dbus-user none diff --git a/etc/profile-a-l/drill.profile b/etc/profile-a-l/drill.profile new file mode 100644 index 00000000000..2a09270f7f1 --- /dev/null 
+++ b/etc/profile-a-l/drill.profile @@ -0,0 +1,55 @@ +# Firejail profile for drill +# Description: DNS lookup utility +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include drill.local +# Persistent global definitions +include globals.local + +noblacklist ${PATH}/drill + +blacklist /tmp/.X11-unix +blacklist ${RUNUSER} + +include disable-common.inc +# include disable-devel.inc +include disable-exec.inc +# include disable-interpreters.inc +include disable-programs.inc +include disable-xdg.inc + +include whitelist-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +machine-id +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +disable-mnt +private +private-bin bash,drill,sh +private-dev +private-tmp + +dbus-user none +dbus-system none + +memory-deny-write-execute diff --git a/etc/profile-a-l/dropbox.profile b/etc/profile-a-l/dropbox.profile index 1b242d42276..73d9cfbbcec 100644 --- a/etc/profile-a-l/dropbox.profile +++ b/etc/profile-a-l/dropbox.profile @@ -9,10 +9,12 @@ noblacklist ${HOME}/.config/autostart noblacklist ${HOME}/.dropbox noblacklist ${HOME}/.dropbox-dist +# Allow python3 (blacklisted by disable-interpreters.inc) +include allow-python3.inc + include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.dropbox @@ -30,6 +32,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/easystroke.profile b/etc/profile-a-l/easystroke.profile index bb711b1bfbf..0345f2b24bb 100644 --- a/etc/profile-a-l/easystroke.profile +++ b/etc/profile-a-l/easystroke.profile 
@@ -12,7 +12,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -29,6 +28,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -45,7 +45,7 @@ disable-mnt #private-bin bash,easystroke,sh private-cache private-dev -private-etc alternatives,fonts,group,passwd +private-etc alternatives,fonts,group,ld.so.preload,passwd # breaks custom shell command functionality #private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.* private-tmp diff --git a/etc/profile-a-l/ebook-convert.profile b/etc/profile-a-l/ebook-convert.profile new file mode 100644 index 00000000000..988ba90fc99 --- /dev/null +++ b/etc/profile-a-l/ebook-convert.profile @@ -0,0 +1,11 @@ +# Firejail profile alias for calibre +# This file is overwritten after every install/update +# Persistent local customizations +include ebook-convert.local + +net none +dbus-user none +dbus-system none + +# Redirect +include calibre.profile diff --git a/etc/profile-a-l/ebook-edit.profile b/etc/profile-a-l/ebook-edit.profile new file mode 100644 index 00000000000..3b5fee0a847 --- /dev/null +++ b/etc/profile-a-l/ebook-edit.profile @@ -0,0 +1,11 @@ +# Firejail profile alias for calibre +# This file is overwritten after every install/update +# Persistent local customizations +include ebook-edit.local + +net none +dbus-user none +dbus-system none + +# Redirect +include calibre.profile diff --git a/etc/profile-a-l/ebook-meta.profile b/etc/profile-a-l/ebook-meta.profile new file mode 100644 index 00000000000..594a8e24106 --- /dev/null +++ b/etc/profile-a-l/ebook-meta.profile @@ -0,0 +1,11 @@ +# Firejail profile alias for calibre +# This file is overwritten after every install/update +# Persistent local customizations +include ebook-meta.local + +net none +dbus-user none +dbus-system none + +# Redirect +include calibre.profile 
diff --git a/etc/profile-a-l/ebook-polish.profile b/etc/profile-a-l/ebook-polish.profile new file mode 100644 index 00000000000..ad94e32a2e3 --- /dev/null +++ b/etc/profile-a-l/ebook-polish.profile @@ -0,0 +1,11 @@ +# Firejail profile alias for calibre +# This file is overwritten after every install/update +# Persistent local customizations +include ebook-polish.local + +net none +dbus-user none +dbus-system none + +# Redirect +include calibre.profile diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile index d5def68c241..e472f57b679 100644 --- a/etc/profile-a-l/electron-mail.profile +++ b/etc/profile-a-l/electron-mail.profile @@ -8,20 +8,20 @@ include globals.local noblacklist ${HOME}/.config/electron-mail -whitelist ${DOWNLOADS} - include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.config/electron-mail whitelist ${HOME}/.config/electron-mail +whitelist ${DOWNLOADS} include whitelist-common.inc +include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -31,6 +31,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot notv @@ -44,12 +45,12 @@ shell none private-bin electron-mail private-cache private-dev -private-etc alternatives,fonts +private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,ld.so.preload,nsswitch.conf,pki,resolv.conf,selinux,ssl,xdg private-opt ElectronMail private-tmp # breaks tray functionality # dbus-user none -# dbus-system none +dbus-system none # memory-deny-write-execute - breaks on Arch diff --git a/etc/profile-a-l/electron.profile b/etc/profile-a-l/electron.profile index 9b99c7ffb99..05ae7e16d89 100644 --- a/etc/profile-a-l/electron.profile +++ b/etc/profile-a-l/electron.profile 
@@ -3,25 +3,38 @@ # This file is overwritten after every install/update # Persistent local customizations include electron.local -# Persistent global definitions -include globals.local include disable-common.inc -include disable-passwdmgr.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc include disable-programs.inc +include disable-xdg.inc whitelist ${DOWNLOADS} +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +# Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone. +#include chromium-common-hardened.inc.profile apparmor -caps.drop all +caps.keep sys_admin,sys_chroot netfilter nodvd nogroups -nonewprivs -noroot +noinput notv -protocol unix,inet,inet6,netlink -seccomp +nou2f +novideo +shell none + +disable-mnt +private-cache +private-dev +private-tmp dbus-user none dbus-system none diff --git a/etc/profile-a-l/electrum.profile b/etc/profile-a-l/electrum.profile index bcc84ddb892..8cfc9f797a8 100644 --- a/etc/profile-a-l/electrum.profile +++ b/etc/profile-a-l/electrum.profile @@ -16,8 +16,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.electrum @@ -31,6 +31,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -46,7 +47,7 @@ private-bin electrum,python* private-cache ?HAS_APPIMAGE: ignore private-dev private-dev -private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,machine-id,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,ld.so.preload,machine-id,pki,resolv.conf,ssl private-tmp # dbus-user none 
diff --git a/etc/profile-a-l/element-desktop.profile b/etc/profile-a-l/element-desktop.profile new file mode 100644 index 00000000000..48a826f2e76 --- /dev/null +++ b/etc/profile-a-l/element-desktop.profile @@ -0,0 +1,24 @@ +# Firejail profile for element-desktop +# Description: All-in-one secure chat app for teams, friends and organisations +# This file is overwritten after every install/update +# Persistent local customizations +include element-desktop.local +# Persistent global definitions +# added by included profile +#include globals.local + +ignore dbus-user none + +noblacklist ${HOME}/.config/Element + +mkdir ${HOME}/.config/Element +whitelist ${HOME}/.config/Element +whitelist /opt/Element + +private-opt Element + +dbus-user filter +dbus-user.talk org.freedesktop.secrets + +# Redirect +include riot-desktop.profile diff --git a/etc/profile-a-l/elinks.profile b/etc/profile-a-l/elinks.profile index 2a306d70424..5a29eb24b59 100644 --- a/etc/profile-a-l/elinks.profile +++ b/etc/profile-a-l/elinks.profile @@ -1,6 +1,7 @@ # Firejail profile for elinks # Description: Advanced text-mode WWW browser # This file is overwritten after every install/update +quiet # Persistent local customizations include elinks.local # Persistent global definitions 
@@ -8,36 +9,10 @@ include globals.local noblacklist ${HOME}/.elinks -blacklist /tmp/.X11-unix -blacklist ${RUNUSER}/wayland-* +mkdir ${HOME}/.elinks +whitelist ${HOME}/.elinks -include disable-common.inc -include disable-devel.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc -include disable-xdg.inc +private-bin elinks -include whitelist-runuser-common.inc - -caps.drop all -netfilter -no3d -nodvd -nogroups -nonewprivs -noroot -nosound -notv -nou2f -novideo -protocol unix,inet,inet6 -seccomp -shell none -tracelog - -# private-bin elinks -private-cache -private-dev -# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl -private-tmp +# Redirect +include links-common.profile diff --git a/etc/profile-a-l/emacs.profile b/etc/profile-a-l/emacs.profile index ab378105ed1..7e9be653dc3 100644 --- a/etc/profile-a-l/emacs.profile +++ b/etc/profile-a-l/emacs.profile @@ -8,15 +8,13 @@ include globals.local noblacklist ${HOME}/.emacs noblacklist ${HOME}/.emacs.d -# if you need gpg uncomment the following line -# or put it into your emacs.local +# Add the next line to your emacs.local if you need gpg support. #noblacklist ${HOME}/.gnupg # Allows files commonly used by IDEs include allow-common-devel.inc include disable-common.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all @@ -29,3 +27,6 @@ notv novideo protocol unix,inet,inet6 seccomp + +read-write ${HOME}/.emacs +read-write ${HOME}/.emacs.d diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile index f9d96858b04..8673b65ca33 100644 --- a/etc/profile-a-l/email-common.profile +++ b/etc/profile-a-l/email-common.profile 
@@ -7,42 +7,50 @@ include email-common.local # added by caller profile #include globals.local +noblacklist ${HOME}/.bogofilter noblacklist ${HOME}/.gnupg +noblacklist ${HOME}/.mozilla noblacklist ${HOME}/.signature # when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local -# and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications +# and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications noblacklist ${HOME}/Mail noblacklist ${DOCUMENTS} include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc -whitelist ${DOCUMENTS} -whitelist ${DOWNLOADS} -mkfile ${HOME}/.config/mimeapps.list mkdir ${HOME}/.gnupg +mkfile ${HOME}/.config/mimeapps.list mkfile ${HOME}/.signature whitelist ${HOME}/.config/mimeapps.list +whitelist ${HOME}/.mozilla/firefox/profiles.ini whitelist ${HOME}/.gnupg whitelist ${HOME}/.signature +whitelist ${DOCUMENTS} +whitelist ${DOWNLOADS} # when storing mail outside the default ${HOME}/Mail path, 'whitelist' the custom path in your email-common.local whitelist ${HOME}/Mail +whitelist ${RUNUSER}/gnupg whitelist /usr/share/gnupg whitelist /usr/share/gnupg2 include whitelist-common.inc +include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc +apparmor caps.drop all +machine-id netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound 
@@ -51,18 +59,26 @@ nou2f novideo protocol unix,inet,inet6 seccomp +seccomp.block-secondary shell none tracelog +# disable-mnt private-cache private-dev +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,ld.so.preload,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg private-tmp - # encrypting and signing email -read-only ${HOME}/.config/mimeapps.list writable-run-user +dbus-system none + # If you want to read local mail stored in /var/mail, add the following to email-common.local: -# whitelist /var/mail -# whitelist /var/spool/mail -# writable-var +#noblacklist /var/mail +#noblacklist /var/spool/mail +#whitelist /var/mail +#whitelist /var/spool/mail +#writable-var + +read-only ${HOME}/.mozilla/firefox/profiles.ini +read-only ${HOME}/.signature diff --git a/etc/profile-a-l/enchant.profile b/etc/profile-a-l/enchant.profile index 2b5de799f48..0a2e239960b 100644 --- a/etc/profile-a-l/enchant.profile +++ b/etc/profile-a-l/enchant.profile @@ -14,7 +14,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -33,6 +32,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -48,7 +48,7 @@ x11 none private-bin enchant,enchant-* private-cache private-dev -private-etc alternatives +private-etc alternatives,ld.so.preload private-lib private-tmp diff --git a/etc/profile-a-l/engrampa.profile b/etc/profile-a-l/engrampa.profile index 6c0892c56f2..1aca416d865 100644 --- a/etc/profile-a-l/engrampa.profile +++ b/etc/profile-a-l/engrampa.profile @@ -10,7 +10,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-var-common.inc 
@@ -21,6 +20,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -36,7 +36,6 @@ tracelog private-dev # private-tmp -dbus-user none +dbus-user filter +dbus-user.talk ca.desrt.dconf dbus-system none - -memory-deny-write-execute diff --git a/etc/profile-a-l/enox.profile b/etc/profile-a-l/enox.profile index d8ac8b24a47..d982433e277 100644 --- a/etc/profile-a-l/enox.profile +++ b/etc/profile-a-l/enox.profile @@ -5,6 +5,11 @@ include enox.local # Persistent global definitions include globals.local +# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 +ignore whitelist /usr/share/chromium +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc + noblacklist ${HOME}/.cache/Enox noblacklist ${HOME}/.config/Enox diff --git a/etc/profile-a-l/enpass.profile b/etc/profile-a-l/enpass.profile index 68113e29415..0d0d6f08395 100644 --- a/etc/profile-a-l/enpass.profile +++ b/etc/profile-a-l/enpass.profile @@ -16,7 +16,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -32,16 +31,17 @@ whitelist ${DOCUMENTS} include whitelist-common.inc include whitelist-var-common.inc -# machine-id and nosound break audio notification functionality -# comment both if you need that functionality or put 'ignore machine-id' -# and 'ignore nosound' in your enpass.local - +# machine-id and nosound break audio notification functionality. +# Add the next lines to your enpass.local if you need that functionality. +#ignore machine-id +#ignore nosound caps.drop all machine-id netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/eo-common.profile b/etc/profile-a-l/eo-common.profile index 80c704c6b32..ddc0ce0b996 100644 --- a/etc/profile-a-l/eo-common.profile +++ b/etc/profile-a-l/eo-common.profile 
@@ -11,12 +11,14 @@ noblacklist ${HOME}/.local/share/Trash noblacklist ${HOME}/.Steam noblacklist ${HOME}/.steam +blacklist /usr/libexec + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-write-mnt.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc @@ -26,9 +28,11 @@ apparmor caps.drop all ipc-namespace machine-id +net none no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -37,11 +41,12 @@ nou2f novideo protocol unix,netlink seccomp +seccomp.block-secondary shell none tracelog private-cache private-dev -private-etc alternatives,dconf,fonts,gtk-3.0 +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.* private-tmp diff --git a/etc/profile-a-l/eog.profile b/etc/profile-a-l/eog.profile index 3266f7d28fb..65e5c6e69d9 100644 --- a/etc/profile-a-l/eog.profile +++ b/etc/profile-a-l/eog.profile @@ -10,14 +10,19 @@ noblacklist ${HOME}/.config/eog whitelist /usr/share/eog -# private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager' -# comment those if you need that functionality -# or put 'ignore private-bin', 'ignore private-etc' and 'ignore private-lib' in your eog.local +# private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager'. +# Add the next lines to your eog.local if you need that functionality. +#ignore private-bin +#ignore private-etc +#ignore private-lib + private-bin eog -dbus-user filter -dbus-user.own org.gnome.Eog -dbus-user.talk ca.desrt.dconf +# broken on Debian 10 (buster) running LXDE got the following error: +# Failed to register: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown +#dbus-user filter +#dbus-user.own org.gnome.eog +#dbus-user.talk ca.desrt.dconf dbus-system none # Redirect 
diff --git a/etc/profile-a-l/eom.profile b/etc/profile-a-l/eom.profile index 5bfeb8c8f82..7143a8e0328 100644 --- a/etc/profile-a-l/eom.profile +++ b/etc/profile-a-l/eom.profile @@ -10,9 +10,12 @@ noblacklist ${HOME}/.config/mate/eom whitelist /usr/share/eom -# private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager' -# comment those if you need that functionality -# or put 'ignore private-bin', 'ignore private-etc' and 'ignore private-lib' in your eom.local +# private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager'. +# Add the next lines to your eom.local if you need that functionality. +#ignore private-bin +#ignore private-etc +#ignore private-lib + private-bin eom # Redirect diff --git a/etc/profile-a-l/ephemeral.profile b/etc/profile-a-l/ephemeral.profile index 029f613c6f2..131d68951d9 100644 --- a/etc/profile-a-l/ephemeral.profile +++ b/etc/profile-a-l/ephemeral.profile @@ -41,6 +41,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs # noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506. noroot diff --git a/etc/profile-a-l/equalx.profile b/etc/profile-a-l/equalx.profile new file mode 100644 index 00000000000..fe7b912bd9a --- /dev/null +++ b/etc/profile-a-l/equalx.profile 
@@ -0,0 +1,63 @@ +# Firejail profile for equalx +# Description: A graphical editor for writing LaTeX equations +# This file is overwritten after every install/update +# Persistent local customizations +include equalx.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/equalx +noblacklist ${HOME}/.equalx + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.config/equalx +mkdir ${HOME}/.equalx +whitelist ${HOME}/.config/equalx +whitelist ${HOME}/.equalx +whitelist /usr/share/poppler +whitelist /usr/share/ghostscript +whitelist /usr/share/texlive +whitelist /usr/share/equalx +whitelist /var/lib/texmf +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +net none +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +shell none +tracelog + +disable-mnt +private-bin equalx,gs,pdflatex,pdftocairo +private-cache +private-dev +private-etc equalx,equalx.conf,fonts,gtk-2.0,latexmk.conf,ld.so.preload,machine-id,papersize,passwd,texlive,Trolltech.conf +private-tmp + +dbus-user none +dbus-system none + +memory-deny-write-execute diff --git a/etc/profile-a-l/etr-wrapper.profile b/etc/profile-a-l/etr-wrapper.profile new file mode 100644 index 00000000000..98f9499187f --- /dev/null +++ b/etc/profile-a-l/etr-wrapper.profile @@ -0,0 +1,14 @@ +# Firejail profile for etr-wrapper +# This file is overwritten after every install/update +# Persistent local customizations +include etr-wrapper.local +# Persistent global definitions +# added by included profile +#include globals.local + +include allow-opengl-game.inc + +private-bin etr-wrapper + +# Redirect +include etr.profile 
diff --git a/etc/profile-a-l/etr.profile b/etc/profile-a-l/etr.profile index 72f5883667f..edeed69bf90 100644 --- a/etc/profile-a-l/etr.profile +++ b/etc/profile-a-l/etr.profile @@ -8,17 +8,21 @@ include globals.local noblacklist ${HOME}/.etr +blacklist /usr/libexec + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.etr whitelist ${HOME}/.etr whitelist /usr/share/etr +# Debian version +whitelist /usr/share/games/etr include whitelist-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc @@ -29,6 +33,7 @@ caps.drop all net none nodvd nogroups +noinput nonewprivs noroot notv @@ -36,6 +41,7 @@ nou2f novideo protocol unix,netlink seccomp +seccomp.block-secondary shell none tracelog @@ -43,7 +49,7 @@ disable-mnt private-bin etr private-cache private-dev -# private-etc alternatives,drirc,machine-id,openal +# private-etc alternatives,drirc,machine-id,openal,passwd private-tmp dbus-user none diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile index 04964ce3383..63e456488cc 100644 --- a/etc/profile-a-l/evince.profile +++ b/etc/profile-a-l/evince.profile 
@@ -6,15 +6,21 @@ include evince.local # Persistent global definitions include globals.local +# WARNING: using bookmarks possibly exposes information, including file history from other programs. +# Add the next line to your evince.local if you need bookmarks support. This also needs additional dbus-user filtering (see below). +#noblacklist ${HOME}/.local/share/gvfs-metadata + noblacklist ${HOME}/.config/evince noblacklist ${DOCUMENTS} +blacklist /usr/libexec + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc whitelist /usr/share/doc @@ -32,6 +38,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -40,17 +47,21 @@ nou2f novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog private-bin evince,evince-previewer,evince-thumbnailer private-cache private-dev -private-etc alternatives,fonts,group,ld.so.cache,machine-id,passwd +private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd # private-lib might break two-page-view on some systems -private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.* +private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libarchive.so.*,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.* private-tmp -# might break two-page-view on some systems -dbus-user none +# dbus-user filtering might break two-page-view on some systems +dbus-user filter +# Add the next two lines to your evince.local if you need bookmarks support. +#dbus-user.talk org.gtk.vfs.Daemon +#dbus-user.talk org.gtk.vfs.Metadata dbus-system none 
diff --git a/etc/profile-a-l/evolution.profile b/etc/profile-a-l/evolution.profile index 4740bf93547..a803272344e 100644 --- a/etc/profile-a-l/evolution.profile +++ b/etc/profile-a-l/evolution.profile @@ -20,7 +20,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-runuser-common.inc @@ -31,6 +30,7 @@ netfilter #no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -43,4 +43,4 @@ shell none private-dev private-tmp - +writable-var diff --git a/etc/profile-a-l/exfalso.profile b/etc/profile-a-l/exfalso.profile index 0b961f5343b..92e4395c5ed 100644 --- a/etc/profile-a-l/exfalso.profile +++ b/etc/profile-a-l/exfalso.profile 
@@ -4,57 +4,12 @@ # Persistent local customizations include exfalso.local # Persistent global definitions -include globals.local +# added by included profile +#include globals.local -noblacklist ${HOME}/.quodlibet -noblacklist ${MUSIC} - -# Allow python (blacklisted by disable-interpreters.inc) -include allow-python2.inc -include allow-python3.inc - -whitelist ${DOWNLOADS} -whitelist ${MUSIC} - -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc -include disable-xdg.inc - -mkdir ${HOME}/.quodlibet -whitelist ${HOME}/.quodlibet -include whitelist-common.inc -include whitelist-usr-share-common.inc -include whitelist-var-common.inc - -caps.drop all -ipc-namespace -machine-id -netfilter -no3d -nodvd -nogroups -nonewprivs -noroot -nosound -notv -nou2f -novideo -protocol unix,inet,inet6 -seccomp -shell none - -private-bin exfalso,python* -private-cache -private-dev -private-etc alternatives,fonts,group,passwd private-lib libatk-1.0.so.*,libgdk-3.so.*,libgdk_pixbuf-2.0.so.*,libgirepository-1.0.so.*,libgstreamer-1.0.so.*,libgtk-3.so.*,libgtksourceview-3.0.so.*,libpango-1.0.so.*,libpython*,libreadline.so.*,libsoup-2.4.so.*,libssl.so.1.*,python2*,python3* -private-tmp dbus-user none -dbus-system none -#memory-deny-write-execute - breaks on Arch (see issue #1803) +# Redirect +include quodlibet.profile diff --git a/etc/profile-a-l/exiftool.profile b/etc/profile-a-l/exiftool.profile index 90d8a0fc221..12c22ba5ba6 100644 --- a/etc/profile-a-l/exiftool.profile +++ b/etc/profile-a-l/exiftool.profile @@ -15,10 +15,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc -whitelist /usr/share/perl5 whitelist /usr/share/perl-image-exiftool include whitelist-usr-share-common.inc include whitelist-var-common.inc 
@@ -31,6 +29,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -43,12 +42,13 @@ shell none tracelog x11 none -# To support exiftool in private-bin on Arch Linux (and derivatives), symlink /usr/bin/vendor_perl/exiftool to /usr/bin/exiftool and uncomment the below. -# Users on non-Arch Linux distributions can safely uncomment (or put in exiftool.local) the line below to enable extra hardening. +# To support exiftool in private-bin on Arch Linux (and derivatives), symlink /usr/bin/vendor_perl/exiftool +# to /usr/bin/exiftool and add the below to your exiftool.local. +# Non-Arch Linux users can safely add the below to their exiftool.local for extra hardening. #private-bin exiftool,perl private-cache private-dev -private-etc alternatives +private-etc alternatives,ld.so.preload private-tmp dbus-user none diff --git a/etc/profile-a-l/falkon.profile b/etc/profile-a-l/falkon.profile index 0024b6660bd..62ea449a676 100644 --- a/etc/profile-a-l/falkon.profile +++ b/etc/profile-a-l/falkon.profile @@ -13,21 +13,26 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-xdg.inc mkdir ${HOME}/.cache/falkon mkdir ${HOME}/.config/falkon whitelist ${DOWNLOADS} whitelist ${HOME}/.cache/falkon whitelist ${HOME}/.config/falkon +whitelist /usr/share/falkon include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc +apparmor caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv 
@@ -37,7 +42,13 @@ protocol unix,inet,inet6,netlink seccomp !chroot # tracelog +disable-mnt +# private-bin falkon +private-cache private-dev -# private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies -# private-tmp - interferes with the opening of downloaded files +private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg +private-tmp +# dbus-user filter +# dbus-user.own org.kde.Falkon +dbus-system none diff --git a/etc/profile-a-l/fbreader.profile b/etc/profile-a-l/fbreader.profile index af670cee24b..121c5ba26c5 100644 --- a/etc/profile-a-l/fbreader.profile +++ b/etc/profile-a-l/fbreader.profile @@ -13,8 +13,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc include whitelist-var-common.inc @@ -23,6 +23,7 @@ apparmor caps.drop all net none nodvd +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/fdns.profile b/etc/profile-a-l/fdns.profile index 1795408067e..25e1082adab 100644 --- a/etc/profile-a-l/fdns.profile +++ b/etc/profile-a-l/fdns.profile @@ -15,7 +15,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc 
@@ -29,20 +28,20 @@ no3d nodvd nogroups nonewprivs -# noroot +noroot nosound notv nou2f novideo -protocol unix,inet,inet6 +protocol unix,inet,inet6,netlink #seccomp #shell none disable-mnt private private-bin bash,fdns,sh -# private-cache -private-dev +private-cache +#private-dev private-etc ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pki,ssl # private-lib private-tmp diff --git a/etc/profile-a-l/feedreader.profile b/etc/profile-a-l/feedreader.profile index 60c6c85488a..e45df21fc2a 100644 --- a/etc/profile-a-l/feedreader.profile +++ b/etc/profile-a-l/feedreader.profile @@ -13,8 +13,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.cache/feedreader @@ -32,6 +32,7 @@ netfilter # no3d nodvd nogroups +noinput nonewprivs noroot # nosound @@ -51,8 +52,8 @@ private-tmp dbus-user filter dbus-user.own org.gnome.FeedReader dbus-user.own org.gnome.FeedReader.ArticleView +dbus-user.talk org.freedesktop.secrets # Enable as you need. #dbus-user.talk org.freedesktop.Notifications -#dbus-user.talk org.freedesktop.secrets #dbus-user.talk org.gnome.OnlineAccounts dbus-system none diff --git a/etc/profile-a-l/feh-network.inc.profile b/etc/profile-a-l/feh-network.inc.profile new file mode 100644 index 00000000000..f9b3d58c9e3 --- /dev/null +++ b/etc/profile-a-l/feh-network.inc.profile @@ -0,0 +1,8 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include feh-network.inc.local + +ignore net none +netfilter +protocol unix,inet,inet6 +private-etc ca-certificates,crypto-policies,hosts,ld.so.preload,pki,resolv.conf,ssl diff --git a/etc/profile-a-l/feh.profile b/etc/profile-a-l/feh.profile index 91123fa0e9e..f2770f294d9 100644 --- a/etc/profile-a-l/feh.profile 
+++ b/etc/profile-a-l/feh.profile @@ -1,6 +1,7 @@ # Firejail profile for feh # Description: imlib2 based image viewer # This file is overwritten after every install/update +quiet # Persistent local customizations include feh.local # Persistent global definitions @@ -10,19 +11,18 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc -# This profile disables network access -# In order to enable network access, -# uncomment the following or put it in your feh.local: -# include feh-network.inc +# Add the next line to your feh.local to enable network access. +#include feh-network.inc.profile caps.drop all net none no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -36,7 +36,7 @@ shell none private-bin feh,jpegexiforient,jpegtran private-cache private-dev -private-etc alternatives,feh +private-etc alternatives,feh,ld.so.preload private-tmp dbus-user none diff --git a/etc/profile-a-l/ferdi.profile b/etc/profile-a-l/ferdi.profile index 9b4c5f1140e..a2372ec8af6 100644 --- a/etc/profile-a-l/ferdi.profile +++ b/etc/profile-a-l/ferdi.profile @@ -33,6 +33,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/fetchmail.profile b/etc/profile-a-l/fetchmail.profile index d64fe830fd2..babfeab61da 100644 --- a/etc/profile-a-l/fetchmail.profile +++ b/etc/profile-a-l/fetchmail.profile @@ -12,7 +12,6 @@ noblacklist ${HOME}/.netrc include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all @@ -20,6 +19,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/ffmpeg.profile b/etc/profile-a-l/ffmpeg.profile index 37c46e7d642..637e6fbf5ba 100644 --- a/etc/profile-a-l/ffmpeg.profile +++ b/etc/profile-a-l/ffmpeg.profile 
@@ -14,8 +14,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc whitelist /usr/share/devedeng @@ -31,6 +31,7 @@ machine-id netfilter nodvd nogroups +noinput nonewprivs noroot nosound @@ -40,6 +41,7 @@ novideo protocol inet,inet6 # allow set_mempolicy, which is required to encode using libx265 seccomp !set_mempolicy +seccomp.block-secondary shell none tracelog diff --git a/etc/profile-a-l/ffplay.profile b/etc/profile-a-l/ffplay.profile index 04134cbf45a..2284ccbe429 100644 --- a/etc/profile-a-l/ffplay.profile +++ b/etc/profile-a-l/ffplay.profile @@ -14,7 +14,7 @@ ignore nogroups ignore nosound private-bin ffplay -private-etc alsa,asound.conf,group +private-etc alsa,asound.conf,group,ld.so.preload # Redirect include ffmpeg.profile diff --git a/etc/profile-a-l/file-manager-common.profile b/etc/profile-a-l/file-manager-common.profile index 24339953b3e..dbae06f1958 100644 --- a/etc/profile-a-l/file-manager-common.profile +++ b/etc/profile-a-l/file-manager-common.profile @@ -15,7 +15,7 @@ ignore noexec ${HOME} # Allow lua (blacklisted by disable-interpreters.inc) include allow-lua.inc -# Allow perl +# Allow perl (blacklisted by disable-interpreters.inc) include allow-perl.inc # Allow python (blacklisted by disable-interpreters.inc) @@ -26,7 +26,6 @@ include allow-python3.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc #include disable-programs.inc allusers @@ -36,6 +35,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile index 70dd030eeb2..54fa7dfa7fe 100644 --- a/etc/profile-a-l/file-roller.profile +++ b/etc/profile-a-l/file-roller.profile 
@@ -10,9 +10,10 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +whitelist /usr/libexec/file-roller +whitelist /usr/libexec/p7zip whitelist /usr/share/file-roller include whitelist-runuser-common.inc include whitelist-usr-share-common.inc @@ -20,12 +21,13 @@ include whitelist-var-common.inc apparmor caps.drop all -#ipc-namespace - causing issues launching on archlinux machine-id # net none - breaks on older Ubuntu versions +netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -34,11 +36,14 @@ nou2f novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog -private-bin 7z,7za,7zr,ar,arj,bash,brotli,bzip2,compress,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,p7zip,rar,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,xz,zip,zoo +private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,unzstd,xz,xzdec,zip,zoo,zstd private-cache private-dev -private-etc dconf,fonts,gtk-3.0,xdg +private-etc dconf,fonts,gtk-3.0,ld.so.preload,xdg # private-tmp + +dbus-system none diff --git a/etc/profile-a-l/file.profile b/etc/profile-a-l/file.profile index 74620d4cdc1..397120a0b9c 100644 --- a/etc/profile-a-l/file.profile +++ b/etc/profile-a-l/file.profile @@ -7,12 +7,10 @@ include file.local # Persistent global definitions include globals.local -blacklist ${RUNUSER}/wayland-* blacklist ${RUNUSER} include disable-common.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-programs.inc apparmor @@ -24,6 +22,7 @@ net none no3d nodvd nogroups +noinput nonewprivs nosound notv 
diff --git a/etc/profile-a-l/filezilla.profile b/etc/profile-a-l/filezilla.profile index 6c7ab8f0df6..dc5def54fec 100644 --- a/etc/profile-a-l/filezilla.profile +++ b/etc/profile-a-l/filezilla.profile @@ -13,6 +13,9 @@ noblacklist ${HOME}/.filezilla include allow-python2.inc include allow-python3.inc +# Allow ssh (blacklisted by disable-common.inc) +include allow-ssh.inc + include disable-common.inc include disable-devel.inc include disable-interpreters.inc @@ -24,6 +27,7 @@ include whitelist-var-common.inc caps.drop all netfilter nodvd +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/firedragon.profile b/etc/profile-a-l/firedragon.profile new file mode 100644 index 00000000000..77487161e84 --- /dev/null +++ b/etc/profile-a-l/firedragon.profile @@ -0,0 +1,26 @@ +# Firejail profile for FireDragon +# Description: Librewolf fork with enhanced KDE integration +# This file is overwritten after every install/update +# Persistent local customizations +include firedragon.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/firedragon +noblacklist ${HOME}/.firedragon + +mkdir ${HOME}/.cache/firedragon +mkdir ${HOME}/.firedragon +whitelist ${HOME}/.cache/firedragon +whitelist ${HOME}/.firedragon + +# Add the next lines to your firedragon.local if you want to use the migration wizard. +#noblacklist ${HOME}/.mozilla +#whitelist ${HOME}/.mozilla + +# FireDragon requires a shell to launch on Arch. We can possibly remove sh though. +# Add the next line to your firedragon.local to enable private-bin. +#private-bin bash,dbus-launch,dbus-send,env,firedragon,python*,sh,which + +# Redirect +include firefox-common.profile diff --git a/etc/inc/firefox-common-addons.inc b/etc/profile-a-l/firefox-common-addons.profile similarity index 75% rename from etc/inc/firefox-common-addons.inc rename to etc/profile-a-l/firefox-common-addons.profile index 681e72d3317..b2b7c362a0d 100644 --- a/etc/inc/firefox-common-addons.inc 
+++ b/etc/profile-a-l/firefox-common-addons.profile @@ -2,10 +2,17 @@ # Persistent customizations should go in a .local file. include firefox-common-addons.local +ignore whitelist ${RUNUSER}/*firefox* +ignore include whitelist-runuser-common.inc +ignore private-cache + +noblacklist ${HOME}/.cache/youtube-dl noblacklist ${HOME}/.config/kgetrc +noblacklist ${HOME}/.config/mpv noblacklist ${HOME}/.config/okularpartrc noblacklist ${HOME}/.config/okularrc noblacklist ${HOME}/.config/qpdfview +noblacklist ${HOME}/.config/youtube-dl noblacklist ${HOME}/.kde/share/apps/kget noblacklist ${HOME}/.kde/share/apps/okular noblacklist ${HOME}/.kde/share/config/kgetrc @@ -17,17 +24,22 @@ noblacklist ${HOME}/.kde4/share/config/kgetrc noblacklist ${HOME}/.kde4/share/config/okularpartrc noblacklist ${HOME}/.kde4/share/config/okularrc noblacklist ${HOME}/.local/share/kget +noblacklist ${HOME}/.local/share/kxmlgui5/okular noblacklist ${HOME}/.local/share/okular noblacklist ${HOME}/.local/share/qpdfview +noblacklist ${HOME}/.netrc whitelist ${HOME}/.cache/gnome-mplayer/plugin +whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs whitelist ${HOME}/.config/gnome-mplayer whitelist ${HOME}/.config/kgetrc +whitelist ${HOME}/.config/mpv whitelist ${HOME}/.config/okularpartrc whitelist ${HOME}/.config/okularrc whitelist ${HOME}/.config/pipelight-silverlight5.1 whitelist ${HOME}/.config/pipelight-widevine whitelist ${HOME}/.config/qpdfview +whitelist ${HOME}/.config/youtube-dl whitelist ${HOME}/.kde/share/apps/kget whitelist ${HOME}/.kde/share/apps/okular whitelist ${HOME}/.kde/share/config/kgetrc 
@@ -41,9 +53,11 @@ whitelist ${HOME}/.kde4/share/config/okularrc whitelist ${HOME}/.keysnail.js whitelist ${HOME}/.lastpass whitelist ${HOME}/.local/share/kget +whitelist ${HOME}/.local/share/kxmlgui5/okular whitelist ${HOME}/.local/share/okular whitelist ${HOME}/.local/share/qpdfview whitelist ${HOME}/.local/share/tridactyl +whitelist ${HOME}/.netrc whitelist ${HOME}/.pentadactyl whitelist ${HOME}/.pentadactylrc whitelist ${HOME}/.tridactylrc @@ -53,12 +67,17 @@ whitelist ${HOME}/.wine-pipelight whitelist ${HOME}/.wine-pipelight64 whitelist ${HOME}/.zotero whitelist ${HOME}/dwhelper +whitelist /usr/share/lua +whitelist /usr/share/lua* +whitelist /usr/share/vulkan -# GNOME Shell integration (chrome-gnome-shell) needs dbus and python 3 (blacklisted by disable-interpreters.inc) +# GNOME Shell integration (chrome-gnome-shell) needs dbus and python noblacklist ${HOME}/.local/share/gnome-shell whitelist ${HOME}/.local/share/gnome-shell -ignore dbus-user none -ignore dbus-system none +dbus-user.talk ca.desrt.dconf +dbus-user.talk org.gnome.ChromeGnomeShell +dbus-user.talk org.gnome.Shell +# Allow python (blacklisted by disable-interpreters.inc) include allow-python3.inc # KeePassXC Browser Integration @@ -67,3 +86,8 @@ include allow-python3.inc # Flash plugin # private-etc must first be enabled in firefox-common.profile and in profiles including it. #private-etc adobe + +# ff2mpv +#ignore noexec ${HOME} +#include allow-lua.inc +#private-bin env,mpv,python3*,waf,youtube-dl diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile index 7c343c26ded..20ae039aaa0 100644 --- a/etc/profile-a-l/firefox-common.profile +++ b/etc/profile-a-l/firefox-common.profile 
@@ -9,8 +9,8 @@ include firefox-common.local # noexec ${HOME} breaks DRM binaries. ?BROWSER_ALLOW_DRM: ignore noexec ${HOME} -# Uncomment the following line (or put it in your firefox-common.local) to allow access to common programs/addons/plugins. -#include firefox-common-addons.inc +# Add the next line to your firefox-common.local to allow access to common programs/addons/plugins. +#include firefox-common-addons.profile noblacklist ${HOME}/.pki noblacklist ${HOME}/.local/share/pki @@ -27,15 +27,18 @@ whitelist ${DOWNLOADS} whitelist ${HOME}/.pki whitelist ${HOME}/.local/share/pki include whitelist-common.inc +include whitelist-run-common.inc +include whitelist-runuser-common.inc include whitelist-var-common.inc apparmor caps.drop all -# machine-id breaks pulse audio; it should work fine in setups where sound is not required. +# machine-id breaks pulse audio; add it to your firefox-common.local if sound is not required. #machine-id netfilter nodvd nogroups +noinput nonewprivs # noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506. noroot @@ -51,10 +54,11 @@ shell none disable-mnt ?BROWSER_DISABLE_U2F: private-dev # private-etc below works fine on most distributions. There are some problems on CentOS. +# Add it to your firefox-common.local if you want to enable it. #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg private-tmp -# breaks various desktop integration features -# among other things global menus, native notifications, Gnome connector, KDE connect and power management on KDE Plasma +# 'dbus-user none' breaks various desktop integration features like global menus, native notifications, +# Gnome connector, KDE connect and power management on KDE Plasma. dbus-user none dbus-system none 
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile index 337311ed8e8..9138fed900d 100644 --- a/etc/profile-a-l/firefox.profile +++ b/etc/profile-a-l/firefox.profile 
@@ -6,33 +6,63 @@ include firefox.local # Persistent global definitions include globals.local +# NOTE: sandboxing web browsers is as important as it is complex. Users might be +# interested in creating custom profiles depending on use case (e.g. one for +# general browsing, another for banking, ...). Consult our FAQ/issue tracker for more +# info. Here are a few links to get you going. +# https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#firefox-doesnt-open-in-a-new-sandbox-instead-it-opens-a-new-tab-in-an-existing-firefox-instance +# https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-run-two-instances-of-firefox +# https://github.com/netblue30/firejail/issues/4206#issuecomment-824806968 + noblacklist ${HOME}/.cache/mozilla noblacklist ${HOME}/.mozilla +noblacklist ${RUNUSER}/*firefox* + +blacklist /usr/libexec mkdir ${HOME}/.cache/mozilla/firefox mkdir ${HOME}/.mozilla whitelist ${HOME}/.cache/mozilla/firefox whitelist ${HOME}/.mozilla +# Add one of the following whitelist options to your firefox.local to enable KeePassXC Plugin support. +# NOTE: start KeePassXC before Firefox and keep it open to allow communication between them. +#whitelist ${RUNUSER}/kpxc_server +#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer + whitelist /usr/share/doc whitelist /usr/share/firefox +whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini whitelist /usr/share/gtk-doc/html whitelist /usr/share/mozilla whitelist /usr/share/webext +whitelist ${RUNUSER}/*firefox* include whitelist-usr-share-common.inc -# firefox requires a shell to launch on Arch. +# firefox requires a shell to launch on Arch - add the next line to your firefox.local to enable private-bin. 
#private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which -# Fedora use shell scripts to launch firefox, at least this is required -#private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,ln,mkdir,pidof,rm,rmdir,sed,sh,tclsh,true,uname -# private-etc must first be enabled in firefox-common.profile +# Fedora uses shell scripts to launch firefox - add the next line to your firefox.local to enable private-bin. +#private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname +# Add the next line to your firefox.local to enable private-etc support - note that this must be enabled in your firefox-common.local too. #private-etc firefox dbus-user filter +dbus-user.own org.mozilla.Firefox.* dbus-user.own org.mozilla.firefox.* dbus-user.own org.mpris.MediaPlayer2.firefox.* -# Uncomment or put in your firefox.local to enable native notifications. +# Add the next line to your firefox.local to enable native notifications. #dbus-user.talk org.freedesktop.Notifications +# Add the next line to your firefox.local to allow inhibiting screensavers. +#dbus-user.talk org.freedesktop.ScreenSaver +# Add the next lines to your firefox.local for plasma browser integration. +#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration +#dbus-user.talk org.kde.JobViewServer +#dbus-user.talk org.kde.kuiserver +# Add the next line to your firefox.local to allow screen sharing under wayland. +#dbus-user.talk org.freedesktop.portal.Desktop +# Add the next line to your firefox.local if screen sharing sharing still does not work +# with the above lines (might depend on the portal implementation). +#ignore noroot ignore dbus-user none # Redirect diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile index 5a69684b58e..5c7bc03d836 100644 --- a/etc/profile-a-l/flameshot.profile +++ b/etc/profile-a-l/flameshot.profile 
@@ -8,16 +8,27 @@ include flameshot.local include globals.local noblacklist ${PICTURES} +noblacklist ${HOME}/.config/Dharkael +noblacklist ${HOME}/.config/flameshot include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc +#mkdir ${HOME}/.config/Dharkael +#mkdir ${HOME}/.config/flameshot +#whitelist ${PICTURES} +#whitelist ${HOME}/.config/Dharkael +#whitelist ${HOME}/.config/flameshot +whitelist /usr/share/flameshot +#include whitelist-common.inc include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc caps.drop all ipc-namespace @@ -25,6 +36,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -33,14 +45,24 @@ nou2f novideo protocol unix,inet,inet6 seccomp +seccomp.block-secondary shell none +tracelog disable-mnt private-bin flameshot private-cache -private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,ld.so.preload,machine-id,pki,resolv.conf,ssl private-dev -private-tmp +#private-tmp -# dbus-user none -# dbus-system none +dbus-user filter +dbus-user.own org.dharkael.Flameshot +dbus-user.own org.flameshot.Flameshot +dbus-user.talk org.freedesktop.Notifications +dbus-user.talk org.freedesktop.portal.Desktop +dbus-user.talk org.gnome.Shell +dbus-user.talk org.kde.KWin +dbus-user.talk org.kde.StatusNotifierWatcher +dbus-user.own org.kde.* +dbus-system none diff --git a/etc/profile-a-l/flashpeak-slimjet.profile b/etc/profile-a-l/flashpeak-slimjet.profile index b841bce7597..310fb378f0b 100644 --- a/etc/profile-a-l/flashpeak-slimjet.profile +++ b/etc/profile-a-l/flashpeak-slimjet.profile 
@@ -5,6 +5,11 @@ include flashpeak-slimjet.local # Persistent global definitions include globals.local +# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 +ignore whitelist /usr/share/chromium +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc + noblacklist ${HOME}/.cache/slimjet noblacklist ${HOME}/.config/slimjet diff --git a/etc/profile-a-l/flowblade.profile b/etc/profile-a-l/flowblade.profile index 40472ab931a..bc173d0f180 100644 --- a/etc/profile-a-l/flowblade.profile +++ b/etc/profile-a-l/flowblade.profile @@ -17,13 +17,13 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/fluxbox.profile b/etc/profile-a-l/fluxbox.profile index c296c049194..1210f365c5e 100644 --- a/etc/profile-a-l/fluxbox.profile +++ b/etc/profile-a-l/fluxbox.profile @@ -6,7 +6,7 @@ include fluxbox.local # Persistent global definitions include globals.local -# all applications started in awesome will run in this profile +# all applications started in fluxbox will run in this profile noblacklist ${HOME}/.fluxbox include disable-common.inc diff --git a/etc/profile-a-l/font-manager.profile b/etc/profile-a-l/font-manager.profile index ae0e32d1e27..02db368b7de 100644 --- a/etc/profile-a-l/font-manager.profile +++ b/etc/profile-a-l/font-manager.profile @@ -17,8 +17,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.cache/font-manager @@ -37,6 +37,7 @@ machine-id no3d nodvd nogroups +noinput nonewprivs noroot nosound 
diff --git a/etc/profile-a-l/fontforge.profile b/etc/profile-a-l/fontforge.profile index 6d305e2af6d..6020464b32a 100644 --- a/etc/profile-a-l/fontforge.profile +++ b/etc/profile-a-l/fontforge.profile @@ -17,7 +17,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -25,6 +24,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/fractal.profile b/etc/profile-a-l/fractal.profile new file mode 100644 index 00000000000..265eec1ca48 --- /dev/null +++ b/etc/profile-a-l/fractal.profile 
@@ -0,0 +1,58 @@ +# Firejail profile for fractal +# Description: Desktop client for Matrix +# This file is overwritten after every install/update +# Persistent local customizations +include fractal.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/fractal + +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python2.inc +include allow-python3.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.cache/fractal +whitelist ${HOME}/.cache/fractal +whitelist ${DOWNLOADS} +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +netfilter +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +disable-mnt +private-bin fractal +private-cache +private-dev +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg +private-tmp + +dbus-user filter +dbus-user.own org.gnome.Fractal +dbus-user.talk ca.desrt.dconf +dbus-user.talk org.freedesktop.Notifications +dbus-user.talk org.freedesktop.secrets +dbus-system none diff --git a/etc/profile-a-l/franz.profile b/etc/profile-a-l/franz.profile index 344804ca92d..9b780a57246 100644 --- a/etc/profile-a-l/franz.profile +++ b/etc/profile-a-l/franz.profile @@ -33,6 +33,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/freecad.profile b/etc/profile-a-l/freecad.profile index 0a1d4a750de..827dc8be98a 100644 --- a/etc/profile-a-l/freecad.profile +++ b/etc/profile-a-l/freecad.profile 
@@ -17,7 +17,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -26,6 +25,7 @@ ipc-namespace net none nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/freecadcmd.profile b/etc/profile-a-l/freecadcmd.profile index 44bf62cfeb2..2b2cdae2938 100644 --- a/etc/profile-a-l/freecadcmd.profile +++ b/etc/profile-a-l/freecadcmd.profile @@ -1,5 +1,10 @@ # Firejail profile alias for freecad # This file is overwritten after every install/update +# Persistent local customizations +include freecadcms.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include freecad.profile diff --git a/etc/profile-a-l/freeciv-gtk3.profile b/etc/profile-a-l/freeciv-gtk3.profile index fa36459e703..bf034a7092a 100644 --- a/etc/profile-a-l/freeciv-gtk3.profile +++ b/etc/profile-a-l/freeciv-gtk3.profile @@ -1,5 +1,10 @@ # Firejail profile alias for freeciv # This file is overwritten after every install/update +# Persistent local customizations +include freeciv-gtk3.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include freeciv.profile diff --git a/etc/profile-a-l/freeciv-mp-gtk3.profile b/etc/profile-a-l/freeciv-mp-gtk3.profile index fa36459e703..942058fa602 100644 --- a/etc/profile-a-l/freeciv-mp-gtk3.profile +++ b/etc/profile-a-l/freeciv-mp-gtk3.profile @@ -1,5 +1,10 @@ # Firejail profile alias for freeciv # This file is overwritten after every install/update +# Persistent local customizations +include freeciv-mp-gtk3.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include freeciv.profile diff --git a/etc/profile-a-l/freeciv.profile b/etc/profile-a-l/freeciv.profile index 0fe9334784d..5126e2d3782 100644 --- a/etc/profile-a-l/freeciv.profile 
+++ b/etc/profile-a-l/freeciv.profile @@ -12,7 +12,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -27,6 +26,7 @@ ipc-namespace netfilter nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/freecol.profile b/etc/profile-a-l/freecol.profile index 3cbd2ff5338..4467b58694f 100644 --- a/etc/profile-a-l/freecol.profile +++ b/etc/profile-a-l/freecol.profile @@ -18,7 +18,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -39,6 +38,7 @@ ipc-namespace netfilter nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/freemind.profile b/etc/profile-a-l/freemind.profile index 0ffb5c54d44..fbe3d45e3f7 100644 --- a/etc/profile-a-l/freemind.profile +++ b/etc/profile-a-l/freemind.profile @@ -16,7 +16,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -29,6 +28,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/freeoffice-planmaker.profile b/etc/profile-a-l/freeoffice-planmaker.profile index 9449e7c4832..b6ca167eb2f 100644 --- a/etc/profile-a-l/freeoffice-planmaker.profile +++ b/etc/profile-a-l/freeoffice-planmaker.profile @@ -7,4 +7,4 @@ include freeoffice-planmaker.local include globals.local # Redirect -include softmaker-common.inc +include softmaker-common.profile diff --git a/etc/profile-a-l/freeoffice-presentations.profile b/etc/profile-a-l/freeoffice-presentations.profile index 636868e2ea8..43661028c23 100644 --- a/etc/profile-a-l/freeoffice-presentations.profile +++ b/etc/profile-a-l/freeoffice-presentations.profile 
@@ -7,4 +7,4 @@ include freeoffice-presentations.local include globals.local # Redirect -include softmaker-common.inc +include softmaker-common.profile diff --git a/etc/profile-a-l/freeoffice-textmaker.profile b/etc/profile-a-l/freeoffice-textmaker.profile index 5d98d1cc65e..f7d30eaed51 100644 --- a/etc/profile-a-l/freeoffice-textmaker.profile +++ b/etc/profile-a-l/freeoffice-textmaker.profile @@ -6,4 +6,4 @@ include freeoffice-textmaker.local include globals.local # Redirect -include softmaker-common.inc +include softmaker-common.profile diff --git a/etc/profile-a-l/freetube.profile b/etc/profile-a-l/freetube.profile new file mode 100644 index 00000000000..aeed313c8bc --- /dev/null +++ b/etc/profile-a-l/freetube.profile @@ -0,0 +1,22 @@ +# Firejail profile for freetube +# Description: Youtube client with local subscription feature +# This file is overwritten after every install/update +# Persistent local customizations +include freetube.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/FreeTube + +include allow-bin-sh.inc + +include disable-shell.inc + +mkdir ${HOME}/.config/FreeTube +whitelist ${HOME}/.config/FreeTube + +private-bin electron,electron[0-9],electron[0-9][0-9],freetube,sh +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg + +# Redirect +include electron.profile diff --git a/etc/profile-a-l/freshclam.profile b/etc/profile-a-l/freshclam.profile index 2bab79e2e6b..6382b80af78 100644 --- a/etc/profile-a-l/freshclam.profile +++ b/etc/profile-a-l/freshclam.profile @@ -14,6 +14,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs nosound notv diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile index 06f13e8c6c5..efd5246d66a 100644 --- a/etc/profile-a-l/frogatto.profile +++ b/etc/profile-a-l/frogatto.profile 
@@ -12,14 +12,15 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc mkdir ${HOME}/.frogatto whitelist ${HOME}/.frogatto +whitelist /usr/libexec/frogatto whitelist /usr/share/frogatto include whitelist-common.inc +include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -28,6 +29,7 @@ caps.drop all net none nodvd nogroups +noinput nonewprivs noroot notv @@ -35,6 +37,7 @@ nou2f novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog @@ -42,7 +45,7 @@ disable-mnt private-bin frogatto,sh private-cache private-dev -private-etc machine-id +private-etc ld.so.preload,machine-id private-tmp dbus-user none diff --git a/etc/profile-a-l/frozen-bubble.profile b/etc/profile-a-l/frozen-bubble.profile index 9245ae3a97f..bb35c9447a2 100644 --- a/etc/profile-a-l/frozen-bubble.profile +++ b/etc/profile-a-l/frozen-bubble.profile @@ -15,13 +15,11 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc mkdir ${HOME}/.frozen-bubble whitelist ${HOME}/.frozen-bubble -whitelist /usr/share/perl5 include whitelist-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc @@ -32,6 +30,7 @@ caps.drop all net none nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/funnyboat.profile b/etc/profile-a-l/funnyboat.profile new file mode 100644 index 00000000000..1009f345b19 --- /dev/null +++ b/etc/profile-a-l/funnyboat.profile 
@@ -0,0 +1,56 @@ +# Firejail profile for funnyboat +# This file is overwritten after every install/update +# Persistent local customizations +include funnyboat.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.funnyboat + +ignore noexec /dev/shm +include allow-python2.inc +include allow-python3.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +# include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.funnyboat +whitelist ${HOME}/.funnyboat +include whitelist-common.inc +include whitelist-runuser-common.inc +whitelist /usr/share/funnyboat +# Debian: +whitelist /usr/share/games/funnyboat +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +netfilter +nodvd +nogroups +noinput +nonewprivs +noroot +notv +novideo +protocol unix,inet,inet6 +seccomp +shell none +# tracelog + +disable-mnt +private-cache +private-dev +private-tmp + +dbus-user none +dbus-system none + +memory-deny-write-execute diff --git a/etc/profile-a-l/gajim-history-manager.profile b/etc/profile-a-l/gajim-history-manager.profile index 2ae6dd9d82b..945dea14637 100644 --- a/etc/profile-a-l/gajim-history-manager.profile +++ b/etc/profile-a-l/gajim-history-manager.profile @@ -1,5 +1,10 @@ # Firejail profile alias for gajim-history-manager # This file is overwritten after every install/update +# Persistent local customizations +include gajim-history-manager.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include gajim.profile diff --git a/etc/profile-a-l/gajim.profile b/etc/profile-a-l/gajim.profile index 85d9b9bd99f..6d764a0f9c4 100644 --- a/etc/profile-a-l/gajim.profile +++ b/etc/profile-a-l/gajim.profile 
@@ -6,6 +6,7 @@ include gajim.local # Persistent global definitions include globals.local +noblacklist ${HOME}/.gnupg noblacklist ${HOME}/.cache/gajim noblacklist ${HOME}/.config/gajim noblacklist ${HOME}/.local/share/gajim @@ -18,25 +19,33 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc -# Comment the following line if you need to whitelist other folders than ~/Downloads +# Add 'ignore include disable-xdg.inc' to your gajim.local if you need to whitelist folders other than ~/Downloads. include disable-xdg.inc +mkdir ${HOME}/.gnupg mkdir ${HOME}/.cache/gajim mkdir ${HOME}/.config/gajim mkdir ${HOME}/.local/share/gajim +whitelist ${HOME}/.gnupg whitelist ${HOME}/.cache/gajim whitelist ${HOME}/.config/gajim whitelist ${HOME}/.local/share/gajim whitelist ${DOWNLOADS} +whitelist ${RUNUSER}/gnupg +whitelist /usr/share/gnupg +whitelist /usr/share/gnupg2 include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc +apparmor caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv 
@@ -47,9 +56,24 @@ shell none tracelog disable-mnt -private-bin bash,gajim,gajim-history-manager,gpg,gpg2,paplay,python,python3,sh,zsh +private-bin bash,gajim,gajim-history-manager,gpg,gpg2,paplay,python*,sh,zsh +private-cache private-dev -private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,xdg private-tmp +writable-run-user + +dbus-user filter +dbus-user.own org.gajim.Gajim +dbus-user.talk org.gnome.Mutter.IdleMonitor +dbus-user.talk ca.desrt.dconf +dbus-user.talk org.freedesktop.Notifications +dbus-user.talk org.freedesktop.secrets +dbus-user.talk org.kde.kwalletd5 +dbus-user.talk org.mpris.MediaPlayer2.* +dbus-system filter +dbus-system.talk org.freedesktop.login1 +# Add the next line to your gajim.local to enable location plugin support. +#dbus-system.talk org.freedesktop.GeoClue2 join-or-start gajim diff --git a/etc/profile-a-l/galculator.profile b/etc/profile-a-l/galculator.profile index 404d8974253..c6280c4887b 100644 --- a/etc/profile-a-l/galculator.profile +++ b/etc/profile-a-l/galculator.profile @@ -12,8 +12,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.config/galculator @@ -28,6 +28,7 @@ caps.drop all net none nodvd nogroups +noinput nonewprivs noroot nosound @@ -42,7 +43,7 @@ tracelog private-bin galculator private-cache private-dev -private-etc alternatives,fonts +private-etc alternatives,fonts,ld.so.preload private-lib private-tmp 
diff --git a/etc/profile-a-l/gallery-dl.profile b/etc/profile-a-l/gallery-dl.profile new file mode 100644 index 00000000000..a31dde21c66 --- /dev/null +++ b/etc/profile-a-l/gallery-dl.profile @@ -0,0 +1,18 @@ +# Firejail profile for gallery-dl +# Description: Downloader of images from various sites +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include gallery-dl.local +# Persistent global definitions +# added by included profile +#include globals.local + +noblacklist ${HOME}/.config/gallery-dl +noblacklist ${HOME}/.gallery-dl.conf + +private-bin gallery-dl +private-etc gallery-dl.conf,ld.so.preload + +# Redirect +include youtube-dl.profile diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile new file mode 100644 index 00000000000..e9eb55709fc --- /dev/null +++ b/etc/profile-a-l/gapplication.profile 
@@ -0,0 +1,73 @@ +# Firejail profile for gapplication +# Description: D-Bus application launcher +# This file is overwritten after every install/update +# Persistent local customizations +include gapplication.local +# Persistent global definitions +include globals.local + +blacklist ${RUNUSER}/wayland-* +blacklist /usr/libexec + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +machine-id +net none +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +shell none +tracelog +x11 none + +disable-mnt +private +private-bin gapplication +private-cache +private-dev +private-etc ld.so.preload,none +private-tmp + +# Add the next line to your gapplication.local to filter D-Bus names. +# You might need to add additional dbus-user.talk rules (see 'gapplication list-apps'). +#dbus-user filter +dbus-user.talk org.gnome.Boxes +dbus-user.talk org.gnome.Builder +dbus-user.talk org.gnome.Calendar +dbus-user.talk org.gnome.ChromeGnomeShell +dbus-user.talk org.gnome.DejaDup +dbus-user.talk org.gnome.DiskUtility +dbus-user.talk org.gnome.Extensions +dbus-user.talk org.gnome.Maps +dbus-user.talk org.gnome.Nautilus +dbus-user.talk org.gnome.Shell.PortalHelper +dbus-user.talk org.gnome.Software +dbus-user.talk org.gnome.Weather +dbus-system none + +memory-deny-write-execute +read-only ${HOME} diff --git a/etc/profile-a-l/gcloud.profile b/etc/profile-a-l/gcloud.profile index 46a862a2185..297e5d34597 100644 --- a/etc/profile-a-l/gcloud.profile +++ b/etc/profile-a-l/gcloud.profile @@ -24,6 +24,7 @@ netfilter nodvd # required for sudo-free docker #nogroups +noinput nonewprivs noroot notv 
@@ -35,7 +36,7 @@ tracelog disable-mnt private-dev -private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,localtime,nsswitch.conf,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl private-tmp dbus-user none diff --git a/etc/profile-a-l/gconf.profile b/etc/profile-a-l/gconf.profile index 96848575d33..6532d85f091 100644 --- a/etc/profile-a-l/gconf.profile +++ b/etc/profile-a-l/gconf.profile @@ -18,7 +18,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -38,6 +37,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -54,7 +54,7 @@ disable-mnt private-bin gconf-editor,gconf-merge-*,gconfpkg,gconftool-2,gsettings-*-convert,python2* private-cache private-dev -private-etc alternatives,fonts,gconf +private-etc alternatives,fonts,gconf,ld.so.preload private-lib GConf,libpython*,python2* private-tmp diff --git a/etc/profile-a-l/geany.profile b/etc/profile-a-l/geany.profile index 31599e32ab6..f244cb5262e 100644 --- a/etc/profile-a-l/geany.profile +++ b/etc/profile-a-l/geany.profile @@ -12,7 +12,6 @@ noblacklist ${HOME}/.config/geany include allow-common-devel.inc include disable-common.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all @@ -20,6 +19,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile index fa01d04b771..b78f7e647b8 100644 --- a/etc/profile-a-l/geary.profile +++ b/etc/profile-a-l/geary.profile 
@@ -4,30 +4,83 @@ # Persistent local customizations include geary.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local -# Users have Geary set to open a browser by clicking a link in an email -# We are not allowed to blacklist browser-specific directories - -ignore dbus-user none -ignore dbus-system none -ignore private-tmp - -noblacklist ${HOME}/.gnupg +noblacklist ${HOME}/.cache/evolution +noblacklist ${HOME}/.cache/folks +noblacklist ${HOME}/.cache/geary +noblacklist ${HOME}/.config/evolution +noblacklist ${HOME}/.config/geary +noblacklist ${HOME}/.local/share/evolution noblacklist ${HOME}/.local/share/geary +noblacklist ${HOME}/.mozilla + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc -mkdir ${HOME}/.gnupg +mkdir ${HOME}/.cache/evolution +mkdir ${HOME}/.cache/folks +mkdir ${HOME}/.cache/geary +mkdir ${HOME}/.config/evolution mkdir ${HOME}/.config/geary +mkdir ${HOME}/.local/share/evolution mkdir ${HOME}/.local/share/geary -whitelist ${HOME}/.gnupg +whitelist ${DOWNLOADS} +whitelist ${HOME}/.cache/evolution +whitelist ${HOME}/.cache/folks +whitelist ${HOME}/.cache/geary +whitelist ${HOME}/.config/evolution whitelist ${HOME}/.config/geary +whitelist ${HOME}/.local/share/evolution whitelist ${HOME}/.local/share/geary +whitelist ${HOME}/.mozilla/firefox/profiles.ini +whitelist /usr/share/geary +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc -read-only ${HOME}/.config/mimeapps.list +apparmor +caps.drop all +machine-id +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +seccomp.block-secondary +shell none +tracelog -whitelist /usr/share/geary +# disable-mnt +# Add 'ignore private-bin' to 
geary.local for hyperlink support +private-bin geary +private-cache +private-dev +private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.preload,pki,resolv.conf,ssl,xdg +private-tmp + +dbus-user filter +dbus-user.own org.gnome.Geary +dbus-user.talk ca.desrt.dconf +dbus-user.talk org.freedesktop.secrets +dbus-user.talk org.gnome.Contacts +dbus-user.talk org.gnome.OnlineAccounts +dbus-user.talk org.gnome.evolution.dataserver.AddressBook10 +dbus-user.talk org.gnome.evolution.dataserver.Sources5 +dbus-system none -# allow Mozilla browsers -# Redirect -include firefox.profile +read-only ${HOME}/.mozilla/firefox/profiles.ini diff --git a/etc/profile-a-l/gedit.profile b/etc/profile-a-l/gedit.profile index 17b7ad56379..0726d17bd20 100644 --- a/etc/profile-a-l/gedit.profile +++ b/etc/profile-a-l/gedit.profile @@ -16,7 +16,6 @@ include disable-common.inc # include disable-devel.inc include disable-exec.inc # include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-runuser-common.inc @@ -29,6 +28,7 @@ machine-id no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -37,12 +37,13 @@ nou2f novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog # private-bin gedit private-dev -# private-lib breaks python plugins, uncomment or add to your gedit.local if you don't use them. +# private-lib breaks python plugins - add the next line to your gedit.local if you don't use them. #private-lib aspell,gconv,gedit,libgspell-1.so.*,libgtksourceview-*,libpeas-gtk-1.0.so.*,libreadline.so.*,libtinfo.so.* private-tmp diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile index e06a9afad27..4812e13683d 100644 --- a/etc/profile-a-l/geekbench.profile +++ b/etc/profile-a-l/geekbench.profile 
@@ -6,14 +6,19 @@ include geekbench.local # Persistent global definitions include globals.local +noblacklist ${HOME}/.geekbench5 +noblacklist /sbin +noblacklist /usr/sbin + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc +mkdir ${HOME}/.geekbench5 +whitelist ${HOME}/.geekbench5 include whitelist-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -27,6 +32,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -39,17 +45,14 @@ shell none tracelog disable-mnt -private-bin bash,geekbenc*,sh +#private-bin bash,geekbench*,sh -- #4576 private-cache private-dev -private-etc alternatives,group,lsb-release,passwd -private-lib gcc/*/*/libstdc++.so.* -private-opt none +private-etc alternatives,group,ld.so.preload,lsb-release,passwd private-tmp dbus-user none dbus-system none -#memory-deny-write-execute - breaks on Arch (see issue #1803) - read-only ${HOME} +read-write ${HOME}/.geekbench5 diff --git a/etc/profile-a-l/geeqie.profile b/etc/profile-a-l/geeqie.profile index 8810ca1614e..fbb509d895c 100644 --- a/etc/profile-a-l/geeqie.profile +++ b/etc/profile-a-l/geeqie.profile @@ -13,12 +13,12 @@ noblacklist ${HOME}/.local/share/geeqie include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/gfeeds.profile b/etc/profile-a-l/gfeeds.profile index 587a12a934f..388f6496dfc 100644 --- a/etc/profile-a-l/gfeeds.profile +++ b/etc/profile-a-l/gfeeds.profile 
@@ -9,6 +9,7 @@ include globals.local noblacklist ${HOME}/.cache/gfeeds noblacklist ${HOME}/.cache/org.gabmus.gfeeds noblacklist ${HOME}/.config/org.gabmus.gfeeds.json +noblacklist ${HOME}/.config/org.gabmus.gfeeds.saved_articles # Allow python (blacklisted by disable-interpreters.inc) include allow-python3.inc @@ -17,16 +18,19 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.cache/gfeeds mkdir ${HOME}/.cache/org.gabmus.gfeeds mkfile ${HOME}/.config/org.gabmus.gfeeds.json +mkdir ${HOME}/.config/org.gabmus.gfeeds.saved_articles whitelist ${HOME}/.cache/gfeeds whitelist ${HOME}/.cache/org.gabmus.gfeeds whitelist ${HOME}/.config/org.gabmus.gfeeds.json +whitelist ${HOME}/.config/org.gabmus.gfeeds.saved_articles +whitelist /usr/libexec/webkit2gtk-4.0 whitelist /usr/share/gfeeds include whitelist-common.inc include whitelist-runuser-common.inc @@ -40,6 +44,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -48,6 +53,7 @@ nou2f novideo protocol unix,inet,inet6 seccomp +seccomp.block-secondary shell none tracelog diff --git a/etc/profile-a-l/gget.profile b/etc/profile-a-l/gget.profile new file mode 100644 index 00000000000..d8ca4ae41a0 --- /dev/null +++ b/etc/profile-a-l/gget.profile 
@@ -0,0 +1,59 @@ +# Firejail profile for gget +# Description: a cli. to get things. from git repos +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include gget.local +# Persistent global definitions +include globals.local + +blacklist /tmp/.X11-unix +blacklist ${RUNUSER} + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +whitelist ${DOWNLOADS} +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +machine-id +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol inet,inet6 +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin gget +private-cache +private-dev +private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,pki,resolv.conf,ssl +private-lib +private-tmp + +dbus-user none +dbus-system none + +memory-deny-write-execute diff --git a/etc/profile-a-l/ghb.profile b/etc/profile-a-l/ghb.profile index 1e7ce2350b8..c65d7e70929 100644 --- a/etc/profile-a-l/ghb.profile +++ b/etc/profile-a-l/ghb.profile @@ -1,5 +1,10 @@ # Firejail profile alias for handbrake # This file is overwritten after every install/update +# Persistent local customizations +include ghb.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include handbrake.profile diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile index 1d5398403cb..3dfdc01849c 100644 --- a/etc/profile-a-l/ghostwriter.profile +++ b/etc/profile-a-l/ghostwriter.profile 
@@ -11,19 +11,23 @@ noblacklist ${HOME}/.local/share/ghostwriter noblacklist ${DOCUMENTS} noblacklist ${PICTURES} +include allow-lua.inc + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc whitelist /usr/share/ghostwriter whitelist /usr/share/mozilla-dicts whitelist /usr/share/texlive whitelist /usr/share/pandoc* +include whitelist-runuser-common.inc include whitelist-usr-share-common.inc +include whitelist-var-common.inc apparmor caps.drop all @@ -31,6 +35,7 @@ machine-id netfilter nodvd nogroups +noinput nonewprivs noroot nosound @@ -39,6 +44,7 @@ nou2f novideo protocol unix,inet,inet6,netlink seccomp !chroot +seccomp.block-secondary shell none #tracelog -- breaks @@ -49,5 +55,5 @@ private-dev private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,firejail,fonts,gconf,groups,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,texlive,Trolltech.conf,X11,xdg private-tmp -dbus-user none +dbus-user filter dbus-system none diff --git a/etc/profile-a-l/gimp-2.10.profile b/etc/profile-a-l/gimp-2.10.profile index dbf49ac22e6..ea099b0a566 100644 --- a/etc/profile-a-l/gimp-2.10.profile +++ b/etc/profile-a-l/gimp-2.10.profile @@ -1,5 +1,10 @@ # Firejail profile alias for gimp # This file is overwritten after every install/update +# Persistent local customizations +include gimp-2.10.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include gimp.profile diff --git a/etc/profile-a-l/gimp-2.8.profile b/etc/profile-a-l/gimp-2.8.profile index dbf49ac22e6..af0793c587d 100644 --- a/etc/profile-a-l/gimp-2.8.profile +++ b/etc/profile-a-l/gimp-2.8.profile 
@@ -1,5 +1,10 @@ # Firejail profile alias for gimp # This file is overwritten after every install/update +# Persistent local customizations +include gimp-2.8.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include gimp.profile diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile index 8093c0c39d9..df9c2ac7a39 100644 --- a/etc/profile-a-l/gimp.profile +++ b/etc/profile-a-l/gimp.profile @@ -6,9 +6,15 @@ include gimp.local # Persistent global definitions include globals.local +# Add the next lines to your gimp.local in order to support scanning via xsane (see #3640). +# TODO: Replace 'ignore seccomp' with a less permissive option. +#ignore seccomp +#ignore dbus-system +#ignore net +#protocol unix,inet,inet6 + # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory -# if you are not using external plugins, you can comment 'ignore noexec' statement below -# or put 'noexec ${HOME}' in your gimp.local +# If you are not using external plugins, you can add 'noexec ${HOME}' to your gimp.local. ignore noexec ${HOME} noblacklist ${HOME}/.cache/babl @@ -19,10 +25,13 @@ noblacklist ${HOME}/.gimp* noblacklist ${DOCUMENTS} noblacklist ${PICTURES} +# See issue #4367, gimp 2.10.22-3: gegl:introspect broken +noblacklist /sbin +noblacklist /usr/sbin + include disable-common.inc include disable-exec.inc include disable-devel.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -38,13 +47,14 @@ caps.drop all net none nodvd nogroups +noinput nonewprivs noroot nosound notv nou2f protocol unix -seccomp +seccomp !mbind shell none tracelog diff --git a/etc/profile-a-l/gist.profile b/etc/profile-a-l/gist.profile index 681fc2829a6..010cdae06f6 100644 --- a/etc/profile-a-l/gist.profile +++ b/etc/profile-a-l/gist.profile 
@@ -19,7 +19,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -38,6 +37,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -52,7 +52,7 @@ tracelog disable-mnt private-cache private-dev -private-etc alternatives +private-etc alternatives,ld.so.preload private-tmp dbus-user none diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile new file mode 100644 index 00000000000..c13273321cb --- /dev/null +++ b/etc/profile-a-l/git-cola.profile 
@@ -0,0 +1,87 @@ +# Firejail profile for git-cola +# Description: Linux native frontend for Git +# This file is overwritten after every install/update +# Persistent local customizations +include git-cola.local +# Persistent global definitions +include globals.local + +ignore noexec ${HOME} + +noblacklist ${HOME}/.gitconfig +noblacklist ${HOME}/.git-credentials +noblacklist ${HOME}/.gnupg +noblacklist ${HOME}/.subversion +noblacklist ${HOME}/.config/git +noblacklist ${HOME}/.config/git-cola +# Add your editor/diff viewer config paths and the next line to your git-cola.local to load settings. +#noblacklist ${HOME}/ + +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python2.inc +include allow-python3.inc + +# Allow ssh (blacklisted by disable-common.inc) +include allow-ssh.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-xdg.inc + +whitelist ${RUNUSER}/gnupg +whitelist ${RUNUSER}/keyring +# Add additional whitelist paths below /usr/share to your git-cola.local to support your editor/diff viewer. +whitelist /usr/share/git +whitelist /usr/share/git-cola +whitelist /usr/share/git-core +whitelist /usr/share/git-gui +whitelist /usr/share/gitk +whitelist /usr/share/gitweb +whitelist /usr/share/gnupg +whitelist /usr/share/gnupg2 +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6,netlink +seccomp +shell none +tracelog + +# Add your own diff viewer,editor,pinentry program to private-bin in your git-cola.local. 
+#private-bin pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg +private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed +private-cache +private-dev +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg +private-tmp +writable-run-user + +# dbus-user filtering breaks meld as diff viewer +# Add the next line to your git-cola.local if you don't use meld. +#dbus-user filter +# Add the next line to your git-cola.local if you need keyring access +#dbus-user.talk org.freedesktop.secrets +dbus-system none + +read-only ${HOME}/.git-credentials + +# Add 'ignore read-only ${HOME}/.ssh' to your git-cola.local if you need to allow hosts. +read-only ${HOME}/.ssh diff --git a/etc/profile-a-l/git.profile b/etc/profile-a-l/git.profile index e5a2f3985fc..b0318e4a316 100644 --- a/etc/profile-a-l/git.profile +++ b/etc/profile-a-l/git.profile @@ -15,16 +15,17 @@ noblacklist ${HOME}/.gitconfig noblacklist ${HOME}/.git-credentials noblacklist ${HOME}/.gnupg noblacklist ${HOME}/.nanorc -noblacklist ${HOME}/.ssh noblacklist ${HOME}/.vim noblacklist ${HOME}/.viminfo +# Allow ssh (blacklisted by disable-common.inc) +include allow-ssh.inc + blacklist /tmp/.X11-unix blacklist ${RUNUSER}/wayland-* include disable-common.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-programs.inc whitelist /usr/share/git @@ -43,6 +44,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/gitg.profile b/etc/profile-a-l/gitg.profile index 71b8e9b115e..314b797c0fb 100644 --- a/etc/profile-a-l/gitg.profile 
+++ b/etc/profile-a-l/gitg.profile @@ -10,13 +10,14 @@ noblacklist ${HOME}/.config/git noblacklist ${HOME}/.gitconfig noblacklist ${HOME}/.git-credentials noblacklist ${HOME}/.local/share/gitg -noblacklist ${HOME}/.ssh + +# Allow ssh (blacklisted by disable-common.inc) +include allow-ssh.inc include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc #whitelist ${HOME}/YOUR_GIT_PROJECTS_DIRECTORY @@ -37,6 +38,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -45,6 +47,7 @@ nou2f novideo protocol unix,inet,inet6 seccomp +seccomp.block-secondary shell none tracelog @@ -56,6 +59,6 @@ private-tmp dbus-user filter dbus-user.own org.gnome.gitg dbus-user.talk ca.desrt.dconf -# Uncomment (or put in your gitg.local) if you need keyring access. +# Add the next line to your gitg.local if you need keyring access. #dbus-user.talk org.freedesktop.secrets dbus-system none diff --git a/etc/profile-a-l/github-desktop.profile b/etc/profile-a-l/github-desktop.profile index b25b138adf0..325c54ced78 100644 --- a/etc/profile-a-l/github-desktop.profile +++ b/etc/profile-a-l/github-desktop.profile 
@@ -6,43 +6,35 @@ include github-desktop.local # Persistent global definitions include globals.local +# Note: On debian-based distributions the binary might be located in +# /opt/GitHub Desktop/github-desktop, and therefore not be in PATH. +# If that's the case you can start GitHub Desktop with firejail via +# `firejail "/opt/GitHub Desktop/github-desktop"`. + +# Disabled until someone reported positive feedback +ignore include disable-xdg.inc +ignore whitelist ${DOWNLOADS} +ignore include whitelist-common.inc +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc +ignore include whitelist-var-common.inc +ignore apparmor +ignore dbus-user none +ignore dbus-system none + noblacklist ${HOME}/.config/GitHub Desktop noblacklist ${HOME}/.config/git noblacklist ${HOME}/.gitconfig noblacklist ${HOME}/.git-credentials -include disable-common.inc -include disable-passwdmgr.inc -include disable-programs.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc - -caps.drop all -netfilter # no3d -nodvd -nogroups -nonewprivs -noroot nosound -notv -nou2f -novideo -protocol unix,inet,inet6,netlink -seccomp -# Note: On debian-based distributions the binary might be located in -# /opt/GitHub Desktop/github-desktop, and therefore not be in PATH. -# If that's the case you can start GitHub Desktop with firejail via -# `firejail "/opt/GitHub Desktop/github-desktop"`. - -disable-mnt # private-bin github-desktop -private-cache ?HAS_APPIMAGE: ignore private-dev -private-dev # private-lib -private-tmp # memory-deny-write-execute + +# Redirect +include electron.profile diff --git a/etc/profile-a-l/gitter.profile b/etc/profile-a-l/gitter.profile index 017b1765aae..36b016e02f7 100644 --- a/etc/profile-a-l/gitter.profile +++ b/etc/profile-a-l/gitter.profile 
@@ -12,7 +12,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.config/Gitter @@ -26,6 +25,7 @@ machine-id netfilter nodvd nogroups +noinput nonewprivs noroot nosound @@ -37,7 +37,7 @@ shell none disable-mnt private-bin bash,env,gitter -private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,pulse,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,pki,pulse,resolv.conf,ssl private-opt Gitter private-dev private-tmp diff --git a/etc/profile-a-l/gjs.profile b/etc/profile-a-l/gjs.profile index 9c8848b8a6f..a522728526c 100644 --- a/etc/profile-a-l/gjs.profile +++ b/etc/profile-a-l/gjs.profile @@ -19,7 +19,6 @@ include allow-gjs.inc include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-runuser-common.inc @@ -30,6 +29,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/gl-117-wrapper.profile b/etc/profile-a-l/gl-117-wrapper.profile new file mode 100644 index 00000000000..d783940f3a5 --- /dev/null +++ b/etc/profile-a-l/gl-117-wrapper.profile @@ -0,0 +1,14 @@ +# Firejail profile for gl-117-wrapper +# This file is overwritten after every install/update +# Persistent local customizations +include gl-117-wrapper.local +# Persistent global definitions +# added by included profile +#include globals.local + +include allow-opengl-game.inc + +private-bin gl-117-wrapper + +# Redirect +include gl-117.profile diff --git a/etc/profile-a-l/gl-117.profile b/etc/profile-a-l/gl-117.profile new file mode 100644 index 00000000000..35d969e6d5d --- /dev/null +++ b/etc/profile-a-l/gl-117.profile 
@@ -0,0 +1,52 @@ +# Firejail profile for gl-117 +# Description: Action flight simulator +# This file is overwritten after every install/update +# Persistent local customizations +include gl-117.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.gl-117 + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.gl-117 +whitelist ${HOME}/.gl-117 +whitelist /usr/share/gl-117 +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +net none +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin gl-117 +private-cache +private-dev +private-etc alsa,alternatives,asound.conf,bumblebee,drirc,glvnd,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nvidia,pulse +private-tmp + +dbus-user none +dbus-system none diff --git a/etc/profile-a-l/glaxium-wrapper.profile b/etc/profile-a-l/glaxium-wrapper.profile new file mode 100644 index 00000000000..7dc2cf65e5d --- /dev/null +++ b/etc/profile-a-l/glaxium-wrapper.profile @@ -0,0 +1,14 @@ +# Firejail profile for glaxium-wrapper +# This file is overwritten after every install/update +# Persistent local customizations +include glaxium-wrapper.local +# Persistent global definitions +# added by included profile +#include globals.local + +include allow-opengl-game.inc + +private-bin glaxium-wrapper + +# Redirect +include glaxium.profile diff --git a/etc/profile-a-l/glaxium.profile b/etc/profile-a-l/glaxium.profile new file mode 100644 index 00000000000..dec0daef26a --- /dev/null +++ b/etc/profile-a-l/glaxium.profile 
@@ -0,0 +1,52 @@ +# Firejail profile for glaxium +# Description: 3d spaceship shoot-em-up +# This file is overwritten after every install/update +# Persistent local customizations +include glaxium.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.glaxiumrc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkfile ${HOME}/.glaxiumrc +whitelist ${HOME}/.glaxiumrc +whitelist /usr/share/glaxium +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +net none +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin glaxium +private-cache +private-dev +private-etc alsa,alternatives,asound.conf,bumblebee,drirc,glvnd,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nvidia,pulse +private-tmp + +dbus-user none +dbus-system none diff --git a/etc/profile-a-l/globaltime.profile b/etc/profile-a-l/globaltime.profile index bb78a608e98..d07f0ace400 100644 --- a/etc/profile-a-l/globaltime.profile +++ b/etc/profile-a-l/globaltime.profile @@ -11,7 +11,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -20,6 +19,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/gmpc.profile b/etc/profile-a-l/gmpc.profile index b3aad8b2c53..0a1264888c9 100644 --- a/etc/profile-a-l/gmpc.profile +++ b/etc/profile-a-l/gmpc.profile 
@@ -13,7 +13,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -45,7 +44,7 @@ tracelog disable-mnt #private-bin gmpc private-cache -private-etc alternatives,fonts +private-etc alternatives,fonts,ld.so.preload private-tmp writable-run-user diff --git a/etc/profile-a-l/gnome-books.profile b/etc/profile-a-l/gnome-books.profile index 998109ca79e..5b7eaa78d41 100644 --- a/etc/profile-a-l/gnome-books.profile +++ b/etc/profile-a-l/gnome-books.profile @@ -17,7 +17,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -29,6 +28,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/gnome-builder.profile b/etc/profile-a-l/gnome-builder.profile index 7a684dd5966..9fe9ed6baea 100644 --- a/etc/profile-a-l/gnome-builder.profile +++ b/etc/profile-a-l/gnome-builder.profile @@ -6,6 +6,8 @@ include gnome-builder.local # Persistent global definitions include globals.local +noblacklist ${HOME}/.bash_history + noblacklist ${HOME}/.cache/gnome-builder noblacklist ${HOME}/.config/gnome-builder noblacklist ${HOME}/.local/share/gnome-builder @@ -14,7 +16,6 @@ noblacklist ${HOME}/.local/share/gnome-builder include allow-common-devel.inc include disable-common.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-runuser-common.inc @@ -24,6 +25,7 @@ ipc-namespace netfilter nodvd nogroups +noinput nonewprivs noroot notv @@ -34,3 +36,5 @@ seccomp shell none private-dev + +read-write ${HOME}/.bash_history diff --git a/etc/profile-a-l/gnome-calculator.profile b/etc/profile-a-l/gnome-calculator.profile index a18a123d328..ac130da2138 100644 --- a/etc/profile-a-l/gnome-calculator.profile 
+++ b/etc/profile-a-l/gnome-calculator.profile @@ -10,9 +10,9 @@ include globals.local include disable-common.inc include disable-devel.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-interpreters.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc include whitelist-common.inc @@ -24,11 +24,12 @@ apparmor caps.drop all ipc-namespace machine-id -# net none +#net none -- breaks currency conversion netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -37,7 +38,9 @@ nou2f novideo protocol unix,inet,inet6 seccomp +seccomp.block-secondary shell none +tracelog disable-mnt private-bin gnome-calculator @@ -46,8 +49,7 @@ private-dev #private-lib gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*,libgnutls.so.*,libproxy.so.*,librsvg-2.so.*,libxml2.so.* private-tmp -# makes settings immutable -# dbus-user none -# dbus-system none - -# memory-deny-write-execute +dbus-user filter +dbus-user.own org.gnome.Calculator +dbus-user.talk ca.desrt.dconf +dbus-system none diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile new file mode 100644 index 00000000000..2c1dee50ccf --- /dev/null +++ b/etc/profile-a-l/gnome-calendar.profile 
@@ -0,0 +1,63 @@ +# Firejail profile for gnome-calendar +# Description: Calendar for GNOME +# This file is overwritten after every install/update +# Persistent local customizations +include gnome-calendar.local +# Persistent global definitions +include globals.local + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +whitelist /usr/share/libgweather +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private +private-bin gnome-calendar +private-cache +private-dev +private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl +private-tmp + +dbus-user filter +dbus-user.own org.gnome.Calendar +dbus-user.talk ca.desrt.dconf +dbus-user.talk org.gnome.evolution.dataserver.* +#dbus-user.talk org.gnome.OnlineAccounts +#dbus-user.talk org.gnome.ControlCenter +# NOTE: dbus-system none fails, filter without rules works. +dbus-system filter +#dbus-system.talk org.freedesktop.timedate1 +#dbus-system.talk org.freedesktop.login1 +#dbus-system.talk org.freedesktop.GeoClue2 + +read-only ${HOME} diff --git a/etc/profile-a-l/gnome-characters.profile b/etc/profile-a-l/gnome-characters.profile index 3d7a2e4a689..aaa1e3f5a3a 100644 --- a/etc/profile-a-l/gnome-characters.profile +++ b/etc/profile-a-l/gnome-characters.profile 
@@ -13,8 +13,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc whitelist /usr/share/org.gnome.Characters @@ -30,6 +30,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -38,12 +39,12 @@ nou2f novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog disable-mnt -# Uncomment the next line (or add it to your gnome-characters.local) -# if you don't need recently used chars +# Add the next line to your gnome-characters.local if you don't need access to recently used chars. #private private-bin gjs,gnome-characters private-cache @@ -51,8 +52,7 @@ private-dev private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,pango,X11,xdg private-tmp -# Uncomment the next lines (or add it to your gnome-characters.local) -# if you don't need recently used chars +# Add the next lines to your gnome-characters.local if you don't need access to recently used chars. # dbus-user none # dbus-system none diff --git a/etc/profile-a-l/gnome-chess.profile b/etc/profile-a-l/gnome-chess.profile index c1d2a34c038..6261fcc2725 100644 --- a/etc/profile-a-l/gnome-chess.profile +++ b/etc/profile-a-l/gnome-chess.profile @@ -13,8 +13,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc #mkdir ${HOME}/.local/share/gnome-chess @@ -34,6 +34,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound 
@@ -49,5 +50,5 @@ disable-mnt private-bin fairymax,gnome-chess,gnuchess,hoichess private-cache private-dev -private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0 +private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0,ld.so.preload private-tmp diff --git a/etc/profile-a-l/gnome-clocks.profile b/etc/profile-a-l/gnome-clocks.profile index b865423c502..7d33ac94e36 100644 --- a/etc/profile-a-l/gnome-clocks.profile +++ b/etc/profile-a-l/gnome-clocks.profile @@ -10,8 +10,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc whitelist /usr/share/gnome-clocks @@ -27,6 +27,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot notv @@ -41,6 +42,6 @@ disable-mnt private-bin gnome-clocks,gsound-play private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,localtime,machine-id,pkcs11,pki,ssl +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.preload,localtime,machine-id,pkcs11,pki,ssl private-tmp diff --git a/etc/profile-a-l/gnome-contacts.profile b/etc/profile-a-l/gnome-contacts.profile index 7a38bdc8a59..f96f750dda1 100644 --- a/etc/profile-a-l/gnome-contacts.profile +++ b/etc/profile-a-l/gnome-contacts.profile @@ -12,7 +12,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -24,6 +23,7 @@ caps.drop all netfilter #no3d - breaks on Arch nodvd +noinput nonewprivs noroot nosound @@ -32,6 +32,7 @@ nou2f novideo protocol unix,inet,inet6,netlink seccomp +seccomp.block-secondary disable-mnt private-dev diff --git a/etc/profile-a-l/gnome-documents.profile b/etc/profile-a-l/gnome-documents.profile index 705fe624ea9..0ed3c7541b1 100644 
--- a/etc/profile-a-l/gnome-documents.profile +++ b/etc/profile-a-l/gnome-documents.profile @@ -18,7 +18,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -27,6 +26,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/gnome-font-viewer.profile b/etc/profile-a-l/gnome-font-viewer.profile index b2327133cf7..29472915233 100644 --- a/etc/profile-a-l/gnome-font-viewer.profile +++ b/etc/profile-a-l/gnome-font-viewer.profile @@ -11,7 +11,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -22,6 +21,7 @@ caps.drop all net none no3d nodvd +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/gnome-hexgl.profile b/etc/profile-a-l/gnome-hexgl.profile index 59fe330a1af..28c7e3346aa 100644 --- a/etc/profile-a-l/gnome-hexgl.profile +++ b/etc/profile-a-l/gnome-hexgl.profile @@ -10,8 +10,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.cache/mesa_shader_cache @@ -25,6 +25,7 @@ caps.drop all net none nodvd nogroups +noinput nonewprivs noroot notv @@ -32,6 +33,7 @@ nou2f novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog @@ -40,7 +42,7 @@ private private-bin gnome-hexgl private-cache private-dev -private-etc alsa,asound.conf,machine-id,pulse +private-etc alsa,asound.conf,ld.so.preload,machine-id,pulse private-tmp dbus-user none diff --git a/etc/profile-a-l/gnome-keyring.profile b/etc/profile-a-l/gnome-keyring.profile index ecbb741581c..b743251025b 100644 --- a/etc/profile-a-l/gnome-keyring.profile 
+++ b/etc/profile-a-l/gnome-keyring.profile @@ -9,19 +9,22 @@ include globals.local noblacklist ${HOME}/.gnupg -whitelist ${HOME}/.gnupg -whitelist ${DOWNLOADS} include disable-common.inc include disable-devel.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-interpreters.inc include disable-programs.inc include disable-xdg.inc +mkdir ${HOME}/.gnupg +whitelist ${HOME}/.gnupg +whitelist ${DOWNLOADS} +whitelist ${RUNUSER}/gnupg +whitelist ${RUNUSER}/keyring whitelist /usr/share/gnupg whitelist /usr/share/gnupg2 include whitelist-common.inc +include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -33,6 +36,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -41,6 +45,7 @@ nou2f novideo protocol unix,inet,inet6 seccomp +seccomp.block-secondary shell none tracelog @@ -52,6 +57,6 @@ private-dev private-tmp # dbus-user none -# dbus-system none +dbus-system none memory-deny-write-execute diff --git a/etc/profile-a-l/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile index ea4151137e1..1d2366365b2 100644 --- a/etc/profile-a-l/gnome-latex.profile +++ b/etc/profile-a-l/gnome-latex.profile @@ -16,11 +16,9 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc whitelist /usr/share/gnome-latex -whitelist /usr/share/perl5 whitelist /usr/share/texlive include whitelist-runuser-common.inc include whitelist-usr-share-common.inc @@ -34,6 +32,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound 
@@ -42,10 +41,13 @@ nou2f novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog private-cache private-dev # passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed -private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,login.defs,passwd,texlive +private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,ld.so.preload,login.defs,passwd,texlive + +dbus-system none diff --git a/etc/profile-a-l/gnome-logs.profile b/etc/profile-a-l/gnome-logs.profile index 4b6453015a4..3d8218e992a 100644 --- a/etc/profile-a-l/gnome-logs.profile +++ b/etc/profile-a-l/gnome-logs.profile @@ -10,8 +10,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc whitelist /var/log/journal @@ -25,12 +25,8 @@ ipc-namespace net none no3d nodvd -# When using 'volatile' storage (https://www.freedesktop.org/software/systemd/man/journald.conf.html), -# comment both 'nogroups' and 'noroot' -# or put 'ignore nogroups' and 'ignore noroot' in your gnome-logs.local. -nogroups +noinput nonewprivs -noroot nosound notv nou2f @@ -44,14 +40,15 @@ disable-mnt private-bin gnome-logs private-cache private-dev -private-etc alternatives,fonts,localtime,machine-id +private-etc alternatives,fonts,ld.so.preload,localtime,machine-id private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.* private-tmp writable-var-log -dbus-user none +dbus-user filter +dbus-user.own org.gnome.Logs +dbus-user.talk ca.desrt.dconf dbus-system none -# comment this if you export logs to a file in your ${HOME} -# or put 'ignore read-only ${HOME}' in your gnome-logs.local. +# Add 'ignore read-only ${HOME}' to your gnome-logs.local if you export logs to a file under your ${HOME}. read-only ${HOME} 
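Review bot: the gnome-logs hunk drops `nogroups` and `noroot` outright instead of keeping them and documenting the `ignore nogroups` / `ignore noroot` escape hatch the removed comment described for 'volatile' journald storage. That loosens the profile for every user to cover one storage configuration; if the restrictions really cannot stay, the reason (what fails, under which journald setting) should survive as a comment next to `noinput`, and the `ignore` route in gnome-logs.local should be offered in the other direction (e.g. "Add 'nogroups' and 'noroot' to your gnome-logs.local if you use persistent storage").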
diff --git a/etc/profile-a-l/gnome-maps.profile b/etc/profile-a-l/gnome-maps.profile index 1366d1e1e10..7732117ac1e 100644 --- a/etc/profile-a-l/gnome-maps.profile +++ b/etc/profile-a-l/gnome-maps.profile @@ -18,12 +18,14 @@ noblacklist ${HOME}/.local/share/maps-places.json # Allow gjs (blacklisted by disable-interpreters.inc) include allow-gjs.inc +blacklist /usr/libexec + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.cache/champlain @@ -45,6 +47,7 @@ machine-id netfilter nodvd nogroups +noinput nonewprivs noroot nosound @@ -53,6 +56,7 @@ nou2f novideo protocol unix,inet,inet6 seccomp +seccomp.block-secondary shell none tracelog diff --git a/etc/profile-a-l/gnome-mplayer.profile b/etc/profile-a-l/gnome-mplayer.profile index 12bee644856..f8f40ea5443 100644 --- a/etc/profile-a-l/gnome-mplayer.profile +++ b/etc/profile-a-l/gnome-mplayer.profile @@ -14,12 +14,12 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc caps.drop all nogroups +noinput nonewprivs noroot nou2f diff --git a/etc/profile-a-l/gnome-mpv.profile b/etc/profile-a-l/gnome-mpv.profile index f5d65273232..dfb95d27b4e 100644 --- a/etc/profile-a-l/gnome-mpv.profile +++ b/etc/profile-a-l/gnome-mpv.profile @@ -1,5 +1,10 @@ # Firejail profile alias for celluloid (formerly GNOME MPV) # This file is overwritten after every install/update +# Persistent local customizations +include gnome-mpv.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include celluloid.profile diff --git a/etc/profile-a-l/gnome-music.profile b/etc/profile-a-l/gnome-music.profile index 36b46897cad..fe8268530c4 100644 --- a/etc/profile-a-l/gnome-music.profile 
+++ b/etc/profile-a-l/gnome-music.profile @@ -17,7 +17,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -29,6 +28,7 @@ caps.drop all netfilter no3d nogroups +noinput nonewprivs noroot notv @@ -42,6 +42,6 @@ tracelog # private-bin calls a file manager - whatever is installed! #private-bin env,gio-launch-desktop,gnome-music,python*,yelp private-dev -private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,machine-id,pulse,selinux,xdg +private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,ld.so.preload,machine-id,pulse,selinux,xdg private-tmp diff --git a/etc/profile-a-l/gnome-nettool.profile b/etc/profile-a-l/gnome-nettool.profile index 33eb9c81af8..abf3dd759c0 100644 --- a/etc/profile-a-l/gnome-nettool.profile +++ b/etc/profile-a-l/gnome-nettool.profile @@ -10,7 +10,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -27,6 +26,7 @@ netfilter no3d nodvd nogroups +noinput # ping needs to elevate privileges, noroot and nonewprivs will kill it #nonewprivs #noroot diff --git a/etc/profile-a-l/gnome-passwordsafe.profile b/etc/profile-a-l/gnome-passwordsafe.profile index 555a59d93a2..bdc09b5ac0d 100644 --- a/etc/profile-a-l/gnome-passwordsafe.profile +++ b/etc/profile-a-l/gnome-passwordsafe.profile @@ -13,12 +13,14 @@ noblacklist ${HOME}/*.kdbx # Allow python (blacklisted by disable-interpreters.inc) include allow-python3.inc +blacklist /usr/libexec + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc whitelist /usr/share/cracklib 
@@ -34,6 +36,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -42,6 +45,7 @@ nou2f novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog @@ -49,5 +53,10 @@ disable-mnt private-bin gnome-passwordsafe,python3* private-cache private-dev -private-etc dconf,fonts,gtk-3.0,passwd +private-etc dconf,fonts,gtk-3.0,ld.so.preload,passwd private-tmp + +dbus-user filter +dbus-user.own org.gnome.PasswordSafe +dbus-user.talk ca.desrt.dconf +dbus-system none diff --git a/etc/profile-a-l/gnome-photos.profile b/etc/profile-a-l/gnome-photos.profile index 2af406af914..4fd78eaab75 100644 --- a/etc/profile-a-l/gnome-photos.profile +++ b/etc/profile-a-l/gnome-photos.profile @@ -14,7 +14,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-runuser-common.inc @@ -25,6 +24,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot nosound @@ -33,6 +33,7 @@ nou2f novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog diff --git a/etc/profile-a-l/gnome-pie.profile b/etc/profile-a-l/gnome-pie.profile index c1d2dae354c..fb108ee975e 100644 --- a/etc/profile-a-l/gnome-pie.profile +++ b/etc/profile-a-l/gnome-pie.profile @@ -12,7 +12,6 @@ noblacklist ${HOME}/.config/gnome-pie include disable-devel.inc include disable-exec.inc #include disable-interpreters.inc -include disable-passwdmgr.inc #include disable-programs.inc caps.drop all @@ -21,6 +20,7 @@ ipc-namespace no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -34,7 +34,7 @@ shell none disable-mnt private-cache private-dev -private-etc alternatives,fonts,machine-id +private-etc alternatives,fonts,ld.so.preload,machine-id private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.* private-tmp 
diff --git a/etc/profile-a-l/gnome-pomodoro.profile b/etc/profile-a-l/gnome-pomodoro.profile index 2a5d2a23119..256a0c69fcf 100644 --- a/etc/profile-a-l/gnome-pomodoro.profile +++ b/etc/profile-a-l/gnome-pomodoro.profile @@ -12,7 +12,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -30,6 +29,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot notv @@ -50,7 +50,9 @@ private-tmp dbus-user filter dbus-user.own org.gnome.Pomodoro dbus-user.talk ca.desrt.dconf +dbus-user.talk org.gnome.Mutter.IdleMonitor dbus-user.talk org.gnome.Shell +dbus-user.talk org.freedesktop.Notifications dbus-system none read-only ${HOME} diff --git a/etc/profile-a-l/gnome-recipes.profile b/etc/profile-a-l/gnome-recipes.profile index 20c35537162..9a5f878fc2b 100644 --- a/etc/profile-a-l/gnome-recipes.profile +++ b/etc/profile-a-l/gnome-recipes.profile @@ -14,8 +14,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc mkdir ${HOME}/.cache/gnome-recipes mkdir ${HOME}/.local/share/gnome-recipes @@ -33,6 +33,7 @@ machine-id netfilter nodvd nogroups +noinput nonewprivs noroot nosound @@ -46,7 +47,7 @@ shell none disable-mnt private-bin gnome-recipes,tar private-dev -private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,pki,ssl private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,libgnutls.so.*,libjpeg.so.*,libp11-kit.so.*,libproxy.so.*,librsvg-2.so.* private-tmp diff --git a/etc/profile-a-l/gnome-ring.profile b/etc/profile-a-l/gnome-ring.profile index 78ceb9c4f74..7ee01dec1f5 100644 --- a/etc/profile-a-l/gnome-ring.profile +++ b/etc/profile-a-l/gnome-ring.profile 
@@ -11,7 +11,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-var-common.inc diff --git a/etc/profile-a-l/gnome-schedule.profile b/etc/profile-a-l/gnome-schedule.profile index 55913a2d723..8c3db651f19 100644 --- a/etc/profile-a-l/gnome-schedule.profile +++ b/etc/profile-a-l/gnome-schedule.profile @@ -29,7 +29,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -51,6 +50,7 @@ machine-id no3d nodvd nogroups +noinput nosound notv nou2f diff --git a/etc/profile-a-l/gnome-screenshot.profile b/etc/profile-a-l/gnome-screenshot.profile index fe6bc025d12..a4e4ae38ad9 100644 --- a/etc/profile-a-l/gnome-screenshot.profile +++ b/etc/profile-a-l/gnome-screenshot.profile @@ -13,8 +13,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc include whitelist-usr-share-common.inc @@ -27,6 +27,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot notv @@ -34,13 +35,14 @@ nou2f novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog disable-mnt private-bin gnome-screenshot private-dev -private-etc dconf,fonts,gtk-3.0,localtime,machine-id +private-etc dconf,fonts,gtk-3.0,ld.so.preload,localtime,machine-id private-tmp dbus-user filter diff --git a/etc/profile-a-l/gnome-sound-recorder.profile b/etc/profile-a-l/gnome-sound-recorder.profile index a64ec25a996..859d56bd985 100644 --- a/etc/profile-a-l/gnome-sound-recorder.profile +++ b/etc/profile-a-l/gnome-sound-recorder.profile 
@@ -16,7 +16,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -26,6 +25,7 @@ caps.drop all net none nodvd nogroups +noinput nonewprivs noroot notv @@ -33,11 +33,12 @@ nou2f novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog disable-mnt private-cache private-dev -private-etc alsa,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,machine-id,openal,pango,pulse,xdg +private-etc alsa,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.preload,machine-id,openal,pango,pulse,xdg private-tmp diff --git a/etc/profile-a-l/gnome-system-log.profile b/etc/profile-a-l/gnome-system-log.profile index f597f5cd376..addd76f7fb3 100644 --- a/etc/profile-a-l/gnome-system-log.profile +++ b/etc/profile-a-l/gnome-system-log.profile @@ -10,8 +10,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc whitelist /var/log @@ -26,9 +26,9 @@ ipc-namespace no3d nodvd # When using 'volatile' storage (https://www.freedesktop.org/software/systemd/man/journald.conf.html), -# comment both 'nogroups' and 'noroot' -# or put 'ignore nogroups' and 'ignore noroot' in your gnome-system-log.local. +# put 'ignore nogroups' and 'ignore noroot' in your gnome-system-log.local. nogroups +noinput nonewprivs noroot nosound @@ -43,7 +43,7 @@ disable-mnt private-bin gnome-system-log private-cache private-dev -private-etc alternatives,fonts,localtime,machine-id +private-etc alternatives,fonts,ld.so.preload,localtime,machine-id private-lib private-tmp writable-var-log 
@@ -52,7 +52,5 @@ writable-var-log # dbus-system none memory-deny-write-execute - -# comment this if you export logs to a file in your ${HOME} -# or put 'ignore read-only ${HOME}' in your gnome-system-log.local +# Add 'ignore read-only ${HOME}' to your gnome-system-log.local if you export logs to a file under your ${HOME}. read-only ${HOME} diff --git a/etc/profile-a-l/gnome-todo.profile b/etc/profile-a-l/gnome-todo.profile index 4539250224e..e7615e4f25d 100644 --- a/etc/profile-a-l/gnome-todo.profile +++ b/etc/profile-a-l/gnome-todo.profile @@ -13,8 +13,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc whitelist /usr/share/gnome-todo @@ -29,6 +29,7 @@ machine-id net none nodvd nogroups +noinput nonewprivs noroot nosound @@ -45,15 +46,15 @@ disable-mnt private-bin gnome-todo private-cache private-dev -private-etc dconf,fonts,gtk-3.0,localtime,passwd,xdg +private-etc dconf,fonts,gtk-3.0,ld.so.preload,localtime,passwd,xdg private-tmp dbus-user filter dbus-user.own org.gnome.Todo dbus-user.talk ca.desrt.dconf #dbus-user.talk org.gnome.evolution.dataserver.AddressBook9 -#dbus-user.talk org.gnome.evolution.dataserver.Calendar8 -#dbus-user.talk org.gnome.evolution.dataserver.Sources5 +dbus-user.talk org.gnome.evolution.dataserver.Calendar8 +dbus-user.talk org.gnome.evolution.dataserver.Sources5 #dbus-user.talk org.gnome.evolution.dataserver.Subprocess.Backend.* #dbus-user.talk org.gnome.OnlineAccounts dbus-system none diff --git a/etc/profile-a-l/gnome-twitch.profile b/etc/profile-a-l/gnome-twitch.profile index 5e8153035b6..aef6b0fdd83 100644 --- a/etc/profile-a-l/gnome-twitch.profile +++ b/etc/profile-a-l/gnome-twitch.profile 
@@ -13,7 +13,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.cache/gnome-twitch @@ -25,6 +24,7 @@ include whitelist-common.inc caps.drop all nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/gnome-weather.profile b/etc/profile-a-l/gnome-weather.profile index a181f1b9ed6..5592879ec0b 100644 --- a/etc/profile-a-l/gnome-weather.profile +++ b/etc/profile-a-l/gnome-weather.profile @@ -17,7 +17,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -29,6 +28,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -37,6 +37,7 @@ nou2f novideo protocol unix,inet,inet6 seccomp +seccomp.block-secondary shell none tracelog diff --git a/etc/profile-a-l/gnome_games-common.profile b/etc/profile-a-l/gnome_games-common.profile index 5a17d0ff836..a76fbbb2ca8 100644 --- a/etc/profile-a-l/gnome_games-common.profile +++ b/etc/profile-a-l/gnome_games-common.profile @@ -10,8 +10,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc include whitelist-common.inc @@ -25,6 +25,7 @@ machine-id net none nodvd nogroups +noinput nonewprivs noroot nosound @@ -33,13 +34,14 @@ nou2f novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog disable-mnt private-cache private-dev -private-etc dconf,fonts,gconf,gtk-2.0,gtk-3.0,machine-id,pango,passwd,X11 +private-etc dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.preload,machine-id,pango,passwd,X11 private-tmp dbus-user filter 
diff --git a/etc/profile-a-l/gnote.profile b/etc/profile-a-l/gnote.profile new file mode 100644 index 00000000000..deda06f8ee8 --- /dev/null +++ b/etc/profile-a-l/gnote.profile @@ -0,0 +1,60 @@ +# Firejail profile for gnote +# Description: A simple note-taking application for Gnome +# This file is overwritten after every install/update +# Persistent local customizations +include gnote.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/gnote +noblacklist ${HOME}/.local/share/gnote + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.config/gnote +mkdir ${HOME}/.local/share/gnote +whitelist ${HOME}/.config/gnote +whitelist ${HOME}/.local/share/gnote +whitelist /usr/libexec/webkit2gtk-4.0 +whitelist /usr/share/gnote +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +net none +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +shell none +tracelog + +disable-mnt +private-bin gnote +private-cache +private-dev +private-etc dconf,fonts,gtk-3.0,ld.so.preload,pango,X11 +private-tmp + +dbus-user filter +dbus-user.own org.gnome.Gnote +dbus-user.talk ca.desrt.dconf +dbus-system none diff --git a/etc/profile-a-l/gnubik.profile b/etc/profile-a-l/gnubik.profile new file mode 100644 index 00000000000..e2e15421634 --- /dev/null +++ b/etc/profile-a-l/gnubik.profile 
@@ -0,0 +1,50 @@ +# Firejail profile for gnubik +# Description: DESCRIPTION +# This file is overwritten after every install/update +# Persistent local customizations +include gnubik.local +# Persistent global definitions +include globals.local + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +whitelist /usr/share/gnubik +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +net none +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +shell none +tracelog + +disable-mnt +private +private-bin gnubik +private-cache +private-dev +private-etc drirc,fonts,gtk-2.0,ld.so.preload +private-tmp + +dbus-user none +dbus-system none diff --git a/etc/profile-a-l/godot.profile b/etc/profile-a-l/godot.profile index 8324a4eb523..f33f634974c 100644 --- a/etc/profile-a-l/godot.profile +++ b/etc/profile-a-l/godot.profile @@ -14,7 +14,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -24,6 +23,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv @@ -38,7 +38,7 @@ tracelog # private-bin godot private-cache private-dev -private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,machine-id,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,ld.so.preload,machine-id,mono,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl private-tmp dbus-user none diff --git a/etc/profile-a-l/goldendict.profile b/etc/profile-a-l/goldendict.profile new file mode 100644 index 00000000000..59a57231938 
--- /dev/null +++ b/etc/profile-a-l/goldendict.profile @@ -0,0 +1,57 @@ +# Firejail profile for goldendict +# This file is overwritten after every install/update +# Persistent local customizations +include goldendict.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.goldendict +noblacklist ${HOME}/.cache/GoldenDict + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.goldendict +mkdir ${HOME}/.cache/GoldenDict +whitelist ${HOME}/.goldendict +whitelist ${HOME}/.cache/GoldenDict +# The default path of dictionaries +whitelist /usr/share/stardict/dic +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +netfilter +# no3d leads to the libGL MESA-LOADER errors +#no3d +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,inet,inet6,netlink +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin goldendict +private-cache +private-dev +private-etc ca-certificates,crypto-policies,fonts,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl +private-tmp + +dbus-user none +dbus-system none diff --git a/etc/profile-a-l/goobox.profile b/etc/profile-a-l/goobox.profile index c932ad528eb..2ff3bc8d9a9 100644 --- a/etc/profile-a-l/goobox.profile +++ b/etc/profile-a-l/goobox.profile @@ -11,7 +11,6 @@ noblacklist ${MUSIC} include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -19,6 +18,7 @@ caps.drop all netfilter no3d nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/google-chrome-beta.profile b/etc/profile-a-l/google-chrome-beta.profile index 73101f5098d..ebe5e870b54 100644 
--- a/etc/profile-a-l/google-chrome-beta.profile +++ b/etc/profile-a-l/google-chrome-beta.profile @@ -5,13 +5,24 @@ include google-chrome-beta.local # Persistent global definitions include globals.local +# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 +ignore whitelist /usr/share/chromium +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc + noblacklist ${HOME}/.cache/google-chrome-beta noblacklist ${HOME}/.config/google-chrome-beta +noblacklist ${HOME}/.config/chrome-beta-flags.conf +noblacklist ${HOME}/.config/chrome-beta-flags.config + mkdir ${HOME}/.cache/google-chrome-beta mkdir ${HOME}/.config/google-chrome-beta whitelist ${HOME}/.cache/google-chrome-beta whitelist ${HOME}/.config/google-chrome-beta +whitelist ${HOME}/.config/chrome-beta-flags.conf +whitelist ${HOME}/.config/chrome-beta-flags.config + # Redirect include chromium-common.profile diff --git a/etc/profile-a-l/google-chrome-stable.profile b/etc/profile-a-l/google-chrome-stable.profile index a456e8d6186..88cd434905c 100644 --- a/etc/profile-a-l/google-chrome-stable.profile +++ b/etc/profile-a-l/google-chrome-stable.profile @@ -1,5 +1,10 @@ # Firejail profile alias for google-chrome # This file is overwritten after every install/update +# Persistent local customizations +include google-chrome-stable.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include google-chrome.profile diff --git a/etc/profile-a-l/google-chrome-unstable.profile b/etc/profile-a-l/google-chrome-unstable.profile index 50e9923aaf3..4d303f71bcb 100644 --- a/etc/profile-a-l/google-chrome-unstable.profile +++ b/etc/profile-a-l/google-chrome-unstable.profile 
@@ -5,13 +5,24 @@ include google-chrome-unstable.local # Persistent global definitions include globals.local +# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 +ignore whitelist /usr/share/chromium +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc + noblacklist ${HOME}/.cache/google-chrome-unstable noblacklist ${HOME}/.config/google-chrome-unstable +noblacklist ${HOME}/.config/chrome-unstable-flags.conf +noblacklist ${HOME}/.config/chrome-unstable-flags.config + mkdir ${HOME}/.cache/google-chrome-unstable mkdir ${HOME}/.config/google-chrome-unstable whitelist ${HOME}/.cache/google-chrome-unstable whitelist ${HOME}/.config/google-chrome-unstable +whitelist ${HOME}/.config/chrome-unstable-flags.conf +whitelist ${HOME}/.config/chrome-unstable-flags.config + # Redirect include chromium-common.profile diff --git a/etc/profile-a-l/google-chrome.profile b/etc/profile-a-l/google-chrome.profile index c69e98271f9..ed2595f7232 100644 --- a/etc/profile-a-l/google-chrome.profile +++ b/etc/profile-a-l/google-chrome.profile @@ -5,13 +5,24 @@ include google-chrome.local # Persistent global definitions include globals.local +# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 +ignore whitelist /usr/share/chromium +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc + noblacklist ${HOME}/.cache/google-chrome noblacklist ${HOME}/.config/google-chrome +noblacklist ${HOME}/.config/chrome-flags.conf +noblacklist ${HOME}/.config/chrome-flags.config + mkdir ${HOME}/.cache/google-chrome mkdir ${HOME}/.config/google-chrome whitelist ${HOME}/.cache/google-chrome whitelist ${HOME}/.config/google-chrome +whitelist ${HOME}/.config/chrome-flags.conf +whitelist ${HOME}/.config/chrome-flags.config + # Redirect include chromium-common.profile 
diff --git a/etc/profile-a-l/google-earth-pro.profile b/etc/profile-a-l/google-earth-pro.profile index c1f9197692b..249ae187dcb 100644 --- a/etc/profile-a-l/google-earth-pro.profile +++ b/etc/profile-a-l/google-earth-pro.profile @@ -1,7 +1,29 @@ -# Firejail profile alias for google-earth +# Firejail profile for google-earth-pro # This file is overwritten after every install/update +# Persistent local customizations +include google-earth-pro.local +# Persistent global definitions +# added by included profile +#include globals.local -private-bin google-earth-pro +# Google Earth Pro can show issues that make it unpleasant to use, even when running unsandboxed. +# See https://wiki.archlinux.org/index.php/Google_Earth#Troubleshooting for details. +# Firejailing this application will demand extra work, as there are issues only upstream can fix (see #3906). +# As an alternative one could use the web version: https://earth.google.com/web/. +# The desktop version from the AUR can be made to work with firejail by appending the below snippet +# to /usr/bin/googleearth-pro: +# <--- snippet ---> +# Post-shutdown cleaning +#_lock_app_running="${HOME}/.googleearth/instance-running-lock" +#[[ -L "$_lock_app_running" ]] && rm -f "${_lock_app_running:?}" +#_lock_collada_cache="/tmp/geColladaModelCacheLock" +#[[ -e "$_lock_collada_cache" ]] && rm -f "${_lock_collada_cache:?}" +#_lock_icon_cache="/tmp/geIconCacheLock" +#[[ -e "$_lock_icon_cache" ]] && rm -f "${_lock_icon_cache:?}" +# <--- end of snippet ---> + +# If you see errors about missing commands, add 'ignore private-bin' to your google-earth-pro.local. +private-bin google-earth-pro,googleearth,googleearth-bin,gpsbabel,readlink,repair_tool,rm,which,xdg-mime,xdg-settings # Redirect include google-earth.profile diff --git a/etc/profile-a-l/google-earth.profile b/etc/profile-a-l/google-earth.profile index a331ef8d250..0153a58d157 100644 --- a/etc/profile-a-l/google-earth.profile +++ b/etc/profile-a-l/google-earth.profile 
@@ -6,28 +6,18 @@ include google-earth.local include globals.local noblacklist ${HOME}/.config/Google -noblacklist ${HOME}/.googleearth/Cache -noblacklist ${HOME}/.googleearth/Temp -noblacklist ${HOME}/.googleearth/myplaces.backup.kml -noblacklist ${HOME}/.googleearth/myplaces.kml +noblacklist ${HOME}/.googleearth include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.config/Google -mkdir ${HOME}/.googleearth/Cache -mkdir ${HOME}/.googleearth/Temp -mkfile ${HOME}/.googleearth/myplaces.backup.kml -mkfile ${HOME}/.googleearth/myplaces.kml +mkdir ${HOME}/.googleearth whitelist ${HOME}/.config/Google -whitelist ${HOME}/.googleearth/Cache -whitelist ${HOME}/.googleearth/Temp -whitelist ${HOME}/.googleearth/myplaces.backup.kml -whitelist ${HOME}/.googleearth/myplaces.kml +whitelist ${HOME}/.googleearth include whitelist-common.inc caps.drop all @@ -35,6 +25,7 @@ ipc-namespace netfilter nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/google-play-music-desktop-player.profile b/etc/profile-a-l/google-play-music-desktop-player.profile index daa38523492..fe61d727e91 100644 --- a/etc/profile-a-l/google-play-music-desktop-player.profile +++ b/etc/profile-a-l/google-play-music-desktop-player.profile @@ -14,7 +14,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.config/Google Play Music Desktop Player @@ -28,6 +27,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/googler-common.profile b/etc/profile-a-l/googler-common.profile new file mode 100644 index 00000000000..a37c7ad778d --- /dev/null +++ b/etc/profile-a-l/googler-common.profile 
@@ -0,0 +1,61 @@ +# Firejail profile for googler clones +# Description: common profile for googler clones +# This file is overwritten after every install/update +# Persistent local customizations +include googler-common.local +# Persistent global definitions +# added by caller profile +#include globals.local + +blacklist /tmp/.X11-unix +blacklist ${RUNUSER} + +noblacklist ${HOME}/.w3m + +# Allow /bin/sh (blacklisted by disable-shell.inc) +include allow-bin-sh.inc +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python3.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +whitelist ${HOME}/.w3m +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +machine-id +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin env,python3*,sh,w3m +private-cache +private-dev +private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl +private-tmp + +dbus-user none +dbus-system none diff --git a/etc/profile-a-l/googler.profile b/etc/profile-a-l/googler.profile new file mode 100644 index 00000000000..9d67006f6bb --- /dev/null +++ b/etc/profile-a-l/googler.profile @@ -0,0 +1,13 @@ +# Firejail profile for googler +# Description: Search Google from your terminal +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include googler.local +# Persistent global definitions +include globals.local + +private-bin googler + +# Redirect +include googler-common.profile diff --git a/etc/profile-a-l/gpa.profile b/etc/profile-a-l/gpa.profile index ce7c8496d31..091851fa8ed 100644 
--- a/etc/profile-a-l/gpa.profile +++ b/etc/profile-a-l/gpa.profile @@ -11,13 +11,13 @@ noblacklist ${HOME}/.gnupg include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/gpg-agent.profile b/etc/profile-a-l/gpg-agent.profile index adc8957e667..c6ecef5ec3d 100644 --- a/etc/profile-a-l/gpg-agent.profile +++ b/etc/profile-a-l/gpg-agent.profile @@ -15,7 +15,6 @@ blacklist ${RUNUSER}/wayland-* include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -36,6 +35,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/gpg.profile b/etc/profile-a-l/gpg.profile index 787f35f9e70..cf58ebdb0ce 100644 --- a/etc/profile-a-l/gpg.profile +++ b/etc/profile-a-l/gpg.profile @@ -15,7 +15,6 @@ blacklist ${RUNUSER}/wayland-* include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc whitelist ${RUNUSER}/gnupg @@ -32,6 +31,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/gpicview.profile b/etc/profile-a-l/gpicview.profile index 578ccaef92b..436134e1bd8 100644 --- a/etc/profile-a-l/gpicview.profile +++ b/etc/profile-a-l/gpicview.profile @@ -12,8 +12,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc whitelist /usr/share/gpicview include whitelist-usr-share-common.inc @@ -26,6 +26,7 @@ machine-id net none nodvd nogroups +noinput nonewprivs noroot nosound 
@@ -40,7 +41,7 @@ tracelog private-bin gpicview private-cache private-dev -private-etc alternatives,fonts,group,passwd +private-etc alternatives,fonts,group,ld.so.preload,passwd private-lib private-tmp diff --git a/etc/profile-a-l/gpredict.profile b/etc/profile-a-l/gpredict.profile index c1f1b53a0e6..e421c6a0b01 100644 --- a/etc/profile-a-l/gpredict.profile +++ b/etc/profile-a-l/gpredict.profile @@ -12,8 +12,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc mkdir ${HOME}/.config/Gpredict whitelist ${HOME}/.config/Gpredict @@ -23,6 +23,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot nosound @@ -35,6 +36,6 @@ tracelog private-bin gpredict private-dev -private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,pki,resolv.conf,ssl private-tmp diff --git a/etc/profile-a-l/gradio.profile b/etc/profile-a-l/gradio.profile index 82e2504b978..efb6b39c6be 100644 --- a/etc/profile-a-l/gradio.profile +++ b/etc/profile-a-l/gradio.profile @@ -12,14 +12,16 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-xdg.inc mkdir ${HOME}/.cache/gradio mkdir ${HOME}/.local/share/gradio whitelist ${HOME}/.cache/gradio whitelist ${HOME}/.local/share/gradio include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc caps.drop all 
@@ -27,14 +29,27 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot notv +nou2f novideo protocol unix,inet,inet6 seccomp +seccomp.block-secondary shell none +tracelog -private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg +disable-mnt +private-bin gradio +private-cache +private-dev +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg private-tmp +dbus-user filter +dbus-user.own de.haeckerfelix.gradio +dbus-user.own org.mpris.MediaPlayer2.gradio +dbus-user.talk ca.desrt.dconf +dbus-system none diff --git a/etc/profile-a-l/gramps.profile b/etc/profile-a-l/gramps.profile index 427fe2d7a4b..4baca353bec 100644 --- a/etc/profile-a-l/gramps.profile +++ b/etc/profile-a-l/gramps.profile @@ -16,7 +16,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -32,6 +31,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile index 7a1a9440e85..10d41735aea 100644 --- a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile +++ b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile @@ -10,8 +10,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc whitelist /usr/share/gravity-beams-and-evaporating-stars @@ -24,6 +24,7 @@ caps.drop all net none nodvd nogroups +noinput nonewprivs noroot notv 
@@ -39,7 +40,7 @@ private private-bin gravity-beams-and-evaporating-stars private-cache private-dev -private-etc fonts,machine-id +private-etc fonts,ld.so.preload,machine-id private-tmp dbus-user none diff --git a/etc/profile-a-l/gtar.profile b/etc/profile-a-l/gtar.profile index 2391c121baa..e3a02e7bcea 100644 --- a/etc/profile-a-l/gtar.profile +++ b/etc/profile-a-l/gtar.profile @@ -1,5 +1,10 @@ # Firejail profile alias for tar # This file is overwritten after every install/update +# Persistent local customizations +include gtar.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include tar.profile diff --git a/etc/profile-a-l/gthumb.profile b/etc/profile-a-l/gthumb.profile index 77de598024c..4218f85451f 100644 --- a/etc/profile-a-l/gthumb.profile +++ b/etc/profile-a-l/gthumb.profile @@ -13,12 +13,13 @@ noblacklist ${HOME}/.steam include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc caps.drop all nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/gtk-pipe-viewer.profile b/etc/profile-a-l/gtk-pipe-viewer.profile new file mode 100644 index 00000000000..9c212ff6e86 --- /dev/null +++ b/etc/profile-a-l/gtk-pipe-viewer.profile @@ -0,0 +1,12 @@ +# Firejail profile for gtk-pipe-viewer +# Description: Gtk front-end to pipe-viewer +# This file is overwritten after every install/update +# Persistent local customizations +include gtk-pipe-viewer.local +# added by included profile +#include globals.local + +ignore quiet + +# Redirect +include pipe-viewer.profile diff --git a/etc/profile-a-l/gtk-straw-viewer.profile b/etc/profile-a-l/gtk-straw-viewer.profile new file mode 100644 index 00000000000..978b3d89600 --- /dev/null +++ b/etc/profile-a-l/gtk-straw-viewer.profile 
@@ -0,0 +1,12 @@ +# Firejail profile for gtk-straw-viewer +# Description: Gtk front-end to straw-viewer +# This file is overwritten after every install/update +# Persistent local customizations +include gtk-straw-viewer.local +# added by included profile +#include globals.local + +ignore quiet + +# Redirect +include straw-viewer.profile diff --git a/etc/profile-a-l/gtk-update-icon-cache.profile b/etc/profile-a-l/gtk-update-icon-cache.profile index ac2e9891b85..c6347efdfdd 100644 --- a/etc/profile-a-l/gtk-update-icon-cache.profile +++ b/etc/profile-a-l/gtk-update-icon-cache.profile @@ -13,8 +13,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc include whitelist-common.inc @@ -29,6 +29,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -45,7 +46,7 @@ disable-mnt private-bin gtk-update-icon-cache private-cache private-dev -private-etc none +private-etc ld.so.preload,none private-lib private-tmp diff --git a/etc/profile-a-l/gtk-youtube-viewer.profile b/etc/profile-a-l/gtk-youtube-viewer.profile new file mode 100644 index 00000000000..c814f0fefc2 --- /dev/null +++ b/etc/profile-a-l/gtk-youtube-viewer.profile @@ -0,0 +1,12 @@ +# Firejail profile for gtk-youtube-viewer +# Description: Gtk front-end to youtube-viewer +# This file is overwritten after every install/update +# Persistent local customizations +include gtk-youtube-viewer.local +# added by included profile +#include globals.local + +ignore quiet + +# Redirect +include youtube-viewer.profile diff --git a/etc/profile-a-l/gtk2-youtube-viewer.profile b/etc/profile-a-l/gtk2-youtube-viewer.profile new file mode 100644 index 00000000000..787c7bd90fe --- /dev/null +++ b/etc/profile-a-l/gtk2-youtube-viewer.profile 
@@ -0,0 +1,17 @@ +# Firejail profile for gtk2-youtube-viewer +# Description: Gtk front-end to youtube-viewer +# This file is overwritten after every install/update +# Persistent local customizations +include gtk2-youtube-viewer.local +# added by included profile +#include globals.local + +ignore quiet + +noblacklist /tmp/.X11-unix +noblacklist ${RUNUSER} + +include whitelist-runuser-common.inc + +# Redirect +include youtube-viewer.profile diff --git a/etc/profile-a-l/gtk3-youtube-viewer.profile b/etc/profile-a-l/gtk3-youtube-viewer.profile new file mode 100644 index 00000000000..988882622fd --- /dev/null +++ b/etc/profile-a-l/gtk3-youtube-viewer.profile @@ -0,0 +1,17 @@ +# Firejail profile for gtk3-youtube-viewer +# Description: Gtk front-end to youtube-viewer +# This file is overwritten after every install/update +# Persistent local customizations +include gtk3-youtube-viewer.local +# added by included profile +#include globals.local + +ignore quiet + +noblacklist /tmp/.X11-unix +noblacklist ${RUNUSER} + +include whitelist-runuser-common.inc + +# Redirect +include youtube-viewer.profile diff --git a/etc/profile-a-l/guayadeque.profile b/etc/profile-a-l/guayadeque.profile index 8ffd7ff58f5..39fb177ddf4 100644 --- a/etc/profile-a-l/guayadeque.profile +++ b/etc/profile-a-l/guayadeque.profile @@ -12,13 +12,14 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc caps.drop all netfilter nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/gucharmap.profile b/etc/profile-a-l/gucharmap.profile index 624914759f1..d47000e892f 100644 --- a/etc/profile-a-l/gucharmap.profile +++ b/etc/profile-a-l/gucharmap.profile 
@@ -10,8 +10,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc include whitelist-common.inc @@ -26,6 +26,7 @@ machine-id no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -34,6 +35,7 @@ nou2f novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog diff --git a/etc/profile-a-l/gummi.profile b/etc/profile-a-l/gummi.profile index 922b2cbdebc..2223c37a1ca 100644 --- a/etc/profile-a-l/gummi.profile +++ b/etc/profile-a-l/gummi.profile @@ -8,12 +8,16 @@ include globals.local noblacklist ${HOME}/.cache/gummi noblacklist ${HOME}/.config/gummi +# Allow lua (blacklisted by disable-interpreters.inc) include allow-lua.inc + +# Allow perl (blacklisted by disable-interpreters.inc) include allow-perl.inc + +# Allow python (blacklisted by disable-interpreters.inc) include allow-python3.inc -private-bin dvipdf,dvips,env,gummi,latex,latexmk,lua*,lualatex,luatex,pdflatex,pdftex,perl,ps2pdf,python3*,rubber,synctex,tex,xelatex,xetex +private-bin dvipdf,dvips,env,gummi,latex,latexmk,lua*,pdflatex,pdftex,perl,ps2pdf,python3*,rubber,synctex,tex,xelatex,xetex # Redirect include latex-common.profile - diff --git a/etc/profile-a-l/gunzip.profile b/etc/profile-a-l/gunzip.profile index 6e97c6b7800..584d88f859b 100644 --- a/etc/profile-a-l/gunzip.profile +++ b/etc/profile-a-l/gunzip.profile @@ -7,5 +7,7 @@ include gunzip.local # added by included profile #include globals.local +include allow-bin-sh.inc + # Redirect include gzip.profile diff --git a/etc/profile-a-l/guvcview.profile b/etc/profile-a-l/guvcview.profile new file mode 100644 index 00000000000..8ddde3c471b --- /dev/null +++ b/etc/profile-a-l/guvcview.profile 
@@ -0,0 +1,55 @@ +# Firejail profile for guvcview +# Description: GTK+ base UVC Viewer +# This file is overwritten after every install/update +# Persistent local customizations +include guvcview.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/guvcview2 + +noblacklist ${PICTURES} +noblacklist ${VIDEOS} + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.config/guvcview2 +whitelist ${HOME}/.config/guvcview2 +whitelist ${PICTURES} +whitelist ${VIDEOS} +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +net none +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +protocol unix,netlink +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin guvcview +private-cache +private-dev +private-etc alsa,alternatives,asound.conf,bumblebee,dconf,drirc,fonts,glvnd,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nvidia,pango,pulse,X11 +private-tmp + +dbus-user none +dbus-system none diff --git a/etc/profile-a-l/gwenview.profile b/etc/profile-a-l/gwenview.profile index dee0ba9a2ec..8becf6d84ec 100644 --- a/etc/profile-a-l/gwenview.profile +++ b/etc/profile-a-l/gwenview.profile @@ -15,14 +15,15 @@ noblacklist ${HOME}/.kde/share/config/gwenviewrc noblacklist ${HOME}/.kde4/share/apps/gwenview noblacklist ${HOME}/.kde4/share/config/gwenviewrc noblacklist ${HOME}/.local/share/gwenview +noblacklist ${HOME}/.local/share/kxmlgui5/gwenview noblacklist ${HOME}/.local/share/org.kde.gwenview include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include whitelist-var-common.inc 
@@ -32,6 +33,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv @@ -44,7 +46,7 @@ shell none private-bin gimp*,gwenview,kbuildsycoca4,kdeinit4 private-dev -private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,xdg +private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,ld.so.preload,machine-id,passwd,pulse,xdg # dbus-user none # dbus-system none diff --git a/etc/profile-a-l/gzip.profile b/etc/profile-a-l/gzip.profile index 8ec39d8ca19..b261c16f4aa 100644 --- a/etc/profile-a-l/gzip.profile +++ b/etc/profile-a-l/gzip.profile @@ -7,43 +7,9 @@ include gzip.local # Persistent global definitions include globals.local -blacklist ${RUNUSER}/wayland-* - -# Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only. +# Arch Linux (based distributions) need access to /var/lib/pacman. As we drop +# all capabilities this is automatically read-only. noblacklist /var/lib/pacman -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc - -apparmor -caps.drop all -hostname gzip -ipc-namespace -machine-id -net none -no3d -nodvd -nogroups -nonewprivs -#noroot -nosound -notv -nou2f -novideo -protocol unix -seccomp -shell none -tracelog -x11 none - -private-cache -private-dev - -dbus-user none -dbus-system none - -memory-deny-write-execute +# Redirect +include archiver-common.profile diff --git a/etc/profile-a-l/handbrake-gtk.profile b/etc/profile-a-l/handbrake-gtk.profile index 1e7ce2350b8..42371a8533e 100644 --- a/etc/profile-a-l/handbrake-gtk.profile +++ b/etc/profile-a-l/handbrake-gtk.profile 
@@ -1,5 +1,10 @@ # Firejail profile alias for handbrake # This file is overwritten after every install/update +# Persistent local customizations +include handbrake-gtk.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include handbrake.profile diff --git a/etc/profile-a-l/handbrake.profile b/etc/profile-a-l/handbrake.profile index 0539ffcb89a..9ad9aef3312 100644 --- a/etc/profile-a-l/handbrake.profile +++ b/etc/profile-a-l/handbrake.profile @@ -14,7 +14,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -24,6 +23,7 @@ apparmor caps.drop all net none nogroups +noinput nonewprivs noroot nou2f diff --git a/etc/profile-a-l/hashcat.profile b/etc/profile-a-l/hashcat.profile index 8ec67ff1959..3be34917609 100644 --- a/etc/profile-a-l/hashcat.profile +++ b/etc/profile-a-l/hashcat.profile @@ -17,7 +17,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -25,6 +24,7 @@ caps.drop all net none nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/hasher-common.profile b/etc/profile-a-l/hasher-common.profile new file mode 100644 index 00000000000..8c1ada1d1b8 --- /dev/null +++ b/etc/profile-a-l/hasher-common.profile 
@@ -0,0 +1,59 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include hasher-common.local + +# common profile for hasher/checksum tools + +blacklist ${RUNUSER} + +# Comment/uncomment the relevant include file(s) in your hasher-common.local +# to (un)restrict file access for **all** hashers. Another option is to do this **per hasher** +# in the relevant .local. Beware that things tend to break when overtightening +# profiles. For example, because you only need to hash/check files in ${DOWNLOADS}, +# other applications may need access to ${HOME}/.local/share. + +# Add the next line to your hasher-common.local if you don't need to hash files in disable-common.inc. +#include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +# Add the next line to your hasher-common.local if you don't need to hash files in disable-programs.inc. +#include disable-programs.inc +include disable-shell.inc +include disable-write-mnt.inc +# Add the next line to your hasher-common.local if you don't need to hash files in disable-xdg.inc. +#include disable-xdg.inc + +apparmor +caps.drop all +ipc-namespace +machine-id +net none +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +shell none +tracelog +x11 none + +# Add the next line to your hasher-common.local if you don't need to hash files in ~/.cache. +#private-cache +private-dev +# Add the next line to your hasher-common.local if you don't need to hash files in /tmp. +#private-tmp + +dbus-user none +dbus-system none + +memory-deny-write-execute +read-only ${HOME} diff --git a/etc/profile-a-l/hedgewars.profile b/etc/profile-a-l/hedgewars.profile index 898a07a5f27..9c6f162c662 100644 --- a/etc/profile-a-l/hedgewars.profile +++ b/etc/profile-a-l/hedgewars.profile 
@@ -8,10 +8,11 @@ include globals.local noblacklist ${HOME}/.hedgewars +include allow-lua.inc + include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.hedgewars @@ -22,6 +23,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/hexchat.profile b/etc/profile-a-l/hexchat.profile index 7723cbd6b5c..88448ad452e 100644 --- a/etc/profile-a-l/hexchat.profile +++ b/etc/profile-a-l/hexchat.profile @@ -7,7 +7,12 @@ include hexchat.local include globals.local noblacklist ${HOME}/.config/hexchat -noblacklist /usr/share/perl* + +# Allow /bin/sh (blacklisted by disable-shell.inc) +include allow-bin-sh.inc + +# Allow perl (blacklisted by disable-interpreters.inc) +include allow-perl.inc # Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc @@ -17,8 +22,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.config/hexchat @@ -32,6 +37,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot notv @@ -44,7 +50,7 @@ tracelog disable-mnt # debug note: private-bin requires perl, python, etc on some systems -private-bin hexchat,python* +private-bin hexchat,python*,sh private-dev #private-lib - python problems private-tmp diff --git a/etc/profile-a-l/highlight.profile b/etc/profile-a-l/highlight.profile index 8d2987b6292..0145f7ceb6a 100644 --- a/etc/profile-a-l/highlight.profile +++ b/etc/profile-a-l/highlight.profile 
@@ -6,20 +6,20 @@ include highlight.local # Persistent global definitions include globals.local -blacklist ${RUNUSER}/wayland-* blacklist ${RUNUSER} include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc caps.drop all net none no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/hitori.profile b/etc/profile-a-l/hitori.profile new file mode 100644 index 00000000000..6d67f4587ee --- /dev/null +++ b/etc/profile-a-l/hitori.profile @@ -0,0 +1,14 @@ +# Firejail profile for hitori +# Description: Play the Hitori puzzle game +# This file is overwritten after every install/update +# Persistent local customizations +include hitori.local +# Persistent global definitions +include globals.local + +private-bin hitori + +dbus-user.own org.gnome.Hitori + +# Redirect +include gnome_games-common.profile diff --git a/etc/profile-a-l/homebank.profile b/etc/profile-a-l/homebank.profile new file mode 100644 index 00000000000..f2dac58819a --- /dev/null +++ b/etc/profile-a-l/homebank.profile 
@@ -0,0 +1,59 @@ +# Firejail profile for homebank +# Description: Personal finance manager +# This file is overwritten after every install/update +# Persistent local customizations +include homebank.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/homebank + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.config/homebank +whitelist ${DOWNLOADS} +whitelist ${HOME}/.config/homebank +whitelist /usr/share/homebank +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +# net none +netfilter +nodvd +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +disable-mnt +private-bin homebank +private-cache +private-dev +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11 +private-tmp + +dbus-user none +dbus-system none + +# memory-deny-write-execute diff --git a/etc/profile-a-l/host.profile b/etc/profile-a-l/host.profile index e5a5a7efa4e..984e90e1fa4 100644 --- a/etc/profile-a-l/host.profile +++ b/etc/profile-a-l/host.profile @@ -14,7 +14,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -29,6 +28,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/hugin.profile b/etc/profile-a-l/hugin.profile index f8d9f999dd1..0a9c831f392 100644 
--- a/etc/profile-a-l/hugin.profile +++ b/etc/profile-a-l/hugin.profile @@ -14,14 +14,15 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc caps.drop all net none nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/hyperrogue.profile b/etc/profile-a-l/hyperrogue.profile index 1e3663b8f28..0baebdae141 100644 --- a/etc/profile-a-l/hyperrogue.profile +++ b/etc/profile-a-l/hyperrogue.profile @@ -12,8 +12,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkfile ${HOME}/hyperrogue.ini @@ -28,6 +28,7 @@ caps.drop all net none nodvd nogroups +noinput nonewprivs noroot notv @@ -43,7 +44,7 @@ private-bin hyperrogue private-cache private-cwd ${HOME} private-dev -private-etc fonts,machine-id +private-etc fonts,ld.so.preload,machine-id private-tmp dbus-user none diff --git a/etc/profile-a-l/i2prouter.profile b/etc/profile-a-l/i2prouter.profile index 9ffdb9e9bfd..200b4c8b1a2 100644 --- a/etc/profile-a-l/i2prouter.profile +++ b/etc/profile-a-l/i2prouter.profile 
@@ -9,16 +9,16 @@ include globals.local # Notice: default browser will most likely not be able to automatically open, due to sandbox. # Auto-opening default browser can be disabled in the I2P router console. # This profile will not currently work with any Arch User Repository I2P packages, -# use the distro-independent official I2P java installer instead +# use the distro-independent official I2P java installer instead. -# Only needed if i2prouter binary is in home directory, official I2P java installer does this +# Only needed when i2prouter binary resides in home directory (official I2P java installer does so). ignore noexec ${HOME} noblacklist ${HOME}/.config/i2p noblacklist ${HOME}/.i2p noblacklist ${HOME}/.local/share/i2p noblacklist ${HOME}/i2p -# Only needed if wrapper is placed in /usr/sbin/, ubuntu official I2P ppa package does this +# Only needed when wrapper resides in /usr/sbin/ (Ubuntu official I2P PPA package does so). noblacklist /usr/sbin # Allow java (blacklisted by disable-devel.inc) @@ -28,7 +28,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc 
@@ -40,13 +39,14 @@ whitelist ${HOME}/.config/i2p whitelist ${HOME}/.i2p whitelist ${HOME}/.local/share/i2p whitelist ${HOME}/i2p -# Only needed if wrapper is placed in /usr/sbin/, ubuntu official I2P ppa package does this +# Only needed when wrapper resides in /usr/sbin/ (Ubuntu official I2P PPA package does so). whitelist /usr/sbin/wrapper* include whitelist-common.inc -# May break I2P if wrapper is placed in the home directory; official I2P java installer does this -# If using ubuntu official I2P ppa, this should be fine to uncomment, as it puts wrapper in /usr/sbin/ +# May break I2P if wrapper resides in the home directory (official I2P java installer does so). +# When using the Ubuntu official I2P PPA it should be fine to add 'apparmor' to your i2prouter.local, +# as it places the wrapper in /usr/sbin/ #apparmor caps.drop all ipc-namespace @@ -55,6 +55,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs nosound notv @@ -67,5 +68,5 @@ shell none disable-mnt private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,dconf,group,hostname,hosts,i2p,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,localtime,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,dconf,group,hostname,hosts,i2p,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl private-tmp diff --git a/etc/profile-a-l/i3.profile b/etc/profile-a-l/i3.profile index c1ca0e41384..e96b1843c85 100644 --- a/etc/profile-a-l/i3.profile +++ b/etc/profile-a-l/i3.profile 
@@ -6,7 +6,7 @@ include i3.local # Persistent global definitions include globals.local -# all applications started in awesome will run in this profile +# all applications started in i3 will run in this profile noblacklist ${HOME}/.config/i3 include disable-common.inc diff --git a/etc/profile-a-l/iagno.profile b/etc/profile-a-l/iagno.profile index a99c603bda3..863dc8acf87 100644 --- a/etc/profile-a-l/iagno.profile +++ b/etc/profile-a-l/iagno.profile @@ -10,8 +10,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include whitelist-var-common.inc @@ -20,6 +20,7 @@ caps.drop all net none nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/idea.sh.profile b/etc/profile-a-l/idea.sh.profile index a7d0d531ffd..7716a5f1a53 100644 --- a/etc/profile-a-l/idea.sh.profile +++ b/etc/profile-a-l/idea.sh.profile @@ -10,20 +10,22 @@ noblacklist ${HOME}/.android noblacklist ${HOME}/.jack-server noblacklist ${HOME}/.jack-settings noblacklist ${HOME}/.local/share/JetBrains -noblacklist ${HOME}/.ssh noblacklist ${HOME}/.tooling # Allows files commonly used by IDEs include allow-common-devel.inc +# Allow ssh (blacklisted by disable-common.inc) +include allow-ssh.inc + include disable-common.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/imagej.profile b/etc/profile-a-l/imagej.profile index 91a60c18875..4da127fab79 100644 --- a/etc/profile-a-l/imagej.profile +++ b/etc/profile-a-l/imagej.profile @@ -15,7 +15,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all @@ -23,6 +22,7 @@ ipc-namespace net none nodvd nogroups +noinput nonewprivs noroot nosound 
diff --git a/etc/profile-a-l/img2txt.profile b/etc/profile-a-l/img2txt.profile index ae03fc8bcc2..54cad08c728 100644 --- a/etc/profile-a-l/img2txt.profile +++ b/etc/profile-a-l/img2txt.profile @@ -14,7 +14,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -29,6 +28,7 @@ machine-id net none nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/impressive.profile b/etc/profile-a-l/impressive.profile index af82fb059cf..31ad641c181 100644 --- a/etc/profile-a-l/impressive.profile +++ b/etc/profile-a-l/impressive.profile @@ -18,7 +18,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -35,6 +34,7 @@ machine-id net none nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/inkscape.profile b/etc/profile-a-l/inkscape.profile index f1486866838..e0015e69a38 100644 --- a/etc/profile-a-l/inkscape.profile +++ b/etc/profile-a-l/inkscape.profile @@ -1,6 +1,7 @@ # Firejail profile for inkscape # Description: Vector-based drawing program # This file is overwritten after every install/update +quiet # Persistent local customizations include inkscape.local # Persistent global definitions @@ -24,7 +25,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -39,6 +39,7 @@ machine-id net none nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/inox.profile b/etc/profile-a-l/inox.profile index 1b3db73b4f5..a5cac12f24f 100644 --- a/etc/profile-a-l/inox.profile +++ b/etc/profile-a-l/inox.profile 
@@ -5,6 +5,11 @@ include inox.local # Persistent global definitions include globals.local +# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 +ignore whitelist /usr/share/chromium +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc + noblacklist ${HOME}/.cache/inox noblacklist ${HOME}/.config/inox diff --git a/etc/profile-a-l/io.github.lainsce.Notejot.profile b/etc/profile-a-l/io.github.lainsce.Notejot.profile new file mode 100644 index 00000000000..6753cb3322c --- /dev/null +++ b/etc/profile-a-l/io.github.lainsce.Notejot.profile 
@@ -0,0 +1,60 @@ +# Firejail profile for notejot +# Description: Jot your ideas +# This file is overwritten after every install/update +# Persistent local customizations +include io.github.lainsce.Notejot.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/io.github.lainsce.Notejot +noblacklist ${HOME}/.local/share/io.github.lainsce.Notejot + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.cache/io.github.lainsce.Notejot +mkdir ${HOME}/.local/share/io.github.lainsce.Notejot +whitelist ${HOME}/.cache/io.github.lainsce.Notejot +whitelist ${HOME}/.local/share/io.github.lainsce.Notejot +whitelist /usr/libexec/webkit2gtk-4.0 +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +net none +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin io.github.lainsce.Notejot +private-cache +private-dev +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11 +private-tmp + +dbus-user filter +dbus-user.own io.github.lainsce.Notejot +dbus-user.talk ca.desrt.dconf +dbus-system none diff --git a/etc/profile-a-l/ipcalc-ng.profile b/etc/profile-a-l/ipcalc-ng.profile new file mode 100644 index 00000000000..3ad0f3a4fa5 --- /dev/null +++ b/etc/profile-a-l/ipcalc-ng.profile @@ -0,0 +1,11 @@ +# Firejail profile ipcalc-ng +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include ipcalc-ng.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include ipcalc.profile 
diff --git a/etc/profile-a-l/ipcalc.profile b/etc/profile-a-l/ipcalc.profile new file mode 100644 index 00000000000..2997328e887 --- /dev/null +++ b/etc/profile-a-l/ipcalc.profile @@ -0,0 +1,62 @@ +# Firejail profile for ipcalc +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include ipcalc.local +# Persistent global definitions +include globals.local + +# Allow perl (blacklisted by disable-interpreters.inc) +include allow-perl.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +# include disable-shell.inc +include disable-write-mnt.inc +include disable-xdg.inc + +# include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +# machine-id +net none +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +# protocol unix +seccomp +shell none +# tracelog + +disable-mnt +private +private-bin bash,ipcalc,ipcalc-ng,perl,sh +# private-cache +private-dev +# empty etc directory +private-etc ld.so.preload,none +private-lib +private-opt none +private-tmp + +dbus-user none +dbus-system none + +# memory-deny-write-execute +# read-only ${HOME} diff --git a/etc/profile-a-l/iridium-browser.profile b/etc/profile-a-l/iridium-browser.profile index c7ee64d5638..20b24cedf13 100644 --- a/etc/profile-a-l/iridium-browser.profile +++ b/etc/profile-a-l/iridium-browser.profile @@ -1,5 +1,10 @@ # Firejail profile alias for iridium # This file is overwritten after every install/update +# Persistent local customizations +include iridium-browser.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include iridium.profile diff --git a/etc/profile-a-l/iridium.profile b/etc/profile-a-l/iridium.profile index ebb39b0a321..3037d00e98a 100644 
--- a/etc/profile-a-l/iridium.profile +++ b/etc/profile-a-l/iridium.profile @@ -5,6 +5,11 @@ include iridium.local # Persistent global definitions include globals.local +# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565 +ignore whitelist /usr/share/chromium +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc + noblacklist ${HOME}/.cache/iridium noblacklist ${HOME}/.config/iridium diff --git a/etc/profile-a-l/itch.profile b/etc/profile-a-l/itch.profile index b3c78c81096..37cde157756 100644 --- a/etc/profile-a-l/itch.profile +++ b/etc/profile-a-l/itch.profile @@ -14,7 +14,6 @@ noblacklist ${HOME}/.config/itch include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.itch @@ -27,6 +26,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/jami-gnome.profile b/etc/profile-a-l/jami-gnome.profile new file mode 100644 index 00000000000..5c4cc74c290 --- /dev/null +++ b/etc/profile-a-l/jami-gnome.profile 
@@ -0,0 +1,42 @@ +# Firejail profile for jami-gnome +# Description: An encrypted peer-to-peer messenger +# This file is overwritten after every install/update +# Persistent local customizations +include jami-gnome.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/jami +noblacklist ${HOME}/.local/share/jami + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +#include disable-interpreters.inc +include disable-programs.inc + +mkdir ${HOME}/.config/jami +mkdir ${HOME}/.local/share/jami +whitelist ${HOME}/.config/jami +whitelist ${HOME}/.local/share/jami +include whitelist-common.inc +include whitelist-var-common.inc + +caps.drop all +ipc-namespace +netfilter +nodvd +nogroups +noinput +nonewprivs +noroot +notv +protocol unix,inet,inet6,netlink +seccomp +shell none + +disable-mnt +private-dev +private-tmp + +env QT_QPA_PLATFORM=xcb diff --git a/etc/profile-a-l/jd-gui.profile b/etc/profile-a-l/jd-gui.profile index 0944051e50b..37f99c2f0a1 100644 --- a/etc/profile-a-l/jd-gui.profile +++ b/etc/profile-a-l/jd-gui.profile @@ -14,7 +14,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -25,6 +24,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/jerry.profile b/etc/profile-a-l/jerry.profile index b79ae0ee07a..59260dc640c 100644 --- a/etc/profile-a-l/jerry.profile +++ b/etc/profile-a-l/jerry.profile @@ -12,7 +12,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -22,6 +21,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound 
@@ -34,7 +34,7 @@ tracelog private-bin bash,jerry,sh,stockfish private-dev -private-etc fonts,gtk-2.0,gtk-3.0 +private-etc fonts,gtk-2.0,gtk-3.0,ld.so.preload private-tmp dbus-user none diff --git a/etc/profile-a-l/jitsi-meet-desktop.profile b/etc/profile-a-l/jitsi-meet-desktop.profile index c4121d8352e..edb7ed84038 100644 --- a/etc/profile-a-l/jitsi-meet-desktop.profile +++ b/etc/profile-a-l/jitsi-meet-desktop.profile @@ -6,34 +6,22 @@ include jitsi-meet-desktop.local # Persistent global definitions include globals.local +# Disabled until someone reported positive feedback +ignore nou2f +ignore novideo +ignore shell none + ignore noexec /tmp noblacklist ${HOME}/.config/Jitsi Meet -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-xdg.inc - nowhitelist ${DOWNLOADS} mkdir ${HOME}/.config/Jitsi Meet - whitelist ${HOME}/.config/Jitsi Meet -include whitelist-common.inc -include whitelist-usr-share-common.inc -include whitelist-runuser-common.inc -include whitelist-var-common.inc - -seccomp !chroot - -disable-mnt -private-bin bash,jitsi-meet-desktop -private-cache -private-dev +private-bin bash,electron,electron[0-9],electron[0-9][0-9],jitsi-meet-desktop,sh private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg -private-tmp # Redirect include electron.profile diff --git a/etc/profile-a-l/jitsi.profile b/etc/profile-a-l/jitsi.profile index 223c360b8cc..0e578909a98 100644 --- a/etc/profile-a-l/jitsi.profile +++ b/etc/profile-a-l/jitsi.profile @@ -13,7 +13,6 @@ include allow-java.inc include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all 
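Review bot: the jitsi-meet-desktop.profile hunk drops `seccomp !chroot`, `disable-mnt`, `private-cache`, `private-dev`, `private-tmp` and all of the disable-*/whitelist-* includes in one go; if the intent is that electron.profile (the `# Redirect` target) now supplies them, say so in a comment, and check that electron.profile's seccomp line keeps the chroot exemption, since `!chroot` was there for a reason and disappears entirely here. Two smaller points: `# Disabled until someone reported positive feedback` should read "reports", and `private-bin` now adds `sh` and `bash` next to `ignore shell none`, which is consistent but deserves a one-line note on which launcher script needs the shell.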
diff --git a/etc/profile-a-l/jumpnbump-menu.profile b/etc/profile-a-l/jumpnbump-menu.profile index b1852b015e2..8d391b90f04 100644 --- a/etc/profile-a-l/jumpnbump-menu.profile +++ b/etc/profile-a-l/jumpnbump-menu.profile @@ -7,6 +7,7 @@ include jumpnbump-menu.local # added by included profile #include globals.local +# Allow python (blacklisted by disable-interpreters.inc) include allow-python3.inc private-bin jumpnbump-menu,python3* diff --git a/etc/profile-a-l/jumpnbump.profile b/etc/profile-a-l/jumpnbump.profile index daeb546107a..b9bc8f21908 100644 --- a/etc/profile-a-l/jumpnbump.profile +++ b/etc/profile-a-l/jumpnbump.profile @@ -12,7 +12,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -28,6 +27,7 @@ caps.drop all net none nodvd nogroups +noinput nonewprivs noroot notv @@ -42,7 +42,7 @@ disable-mnt private-bin jumpnbump private-cache private-dev -private-etc none +private-etc ld.so.preload,none private-tmp dbus-user none diff --git a/etc/profile-a-l/k3b.profile b/etc/profile-a-l/k3b.profile index 0c1da7ae1a9..655257f0868 100644 --- a/etc/profile-a-l/k3b.profile +++ b/etc/profile-a-l/k3b.profile @@ -9,22 +9,23 @@ include globals.local noblacklist ${HOME}/.config/k3brc noblacklist ${HOME}/.kde/share/config/k3brc noblacklist ${HOME}/.kde4/share/config/k3brc +noblacklist ${HOME}/.local/share/kxmlgui5/k3b noblacklist ${MUSIC} include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc include whitelist-var-common.inc -caps.keep ipc_lock,sys_nice,sys_rawio,sys_resource +caps.keep chown,dac_override,ipc_lock,net_bind_service,sys_admin,sys_nice,sys_rawio,sys_resource # net none netfilter no3d # nonewprivs - breaks privileged helpers +noinput # noroot - breaks privileged helpers nosound notv 
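Review bot: `private-etc ld.so.preload,none` in jumpnbump.profile mixes the `none` keyword with a file name; confirm the option parser accepts that and yields an /etc containing only ld.so.preload rather than treating `none` as a literal path or ignoring the file. More generally, ld.so.preload is added to private-etc in jerry, kalgebra, keepassx, kid3, kiwix-desktop, klavaro, ktouch and keepassxc in this patch without a rationale anywhere; one comment (or a line in the commit message) stating what needs it would stop it being cargo-culted or removed later.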
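Review bot: `caps.keep` in k3b.profile grows from four capabilities to eight, adding `chown`, `dac_override`, `net_bind_service` and `sys_admin`; `dac_override` and `sys_admin` alone are close to unrestricted root, so with `nonewprivs` and `noroot` already commented out for the privileged helpers this profile's capability filter no longer confines much. Each added capability should get the same per-line justification the existing `# nonewprivs - breaks privileged helpers` comment gives, and `net_bind_service` in particular needs an explanation, since nothing in the visible profile suggests the program listens on a privileged port.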
diff --git a/etc/profile-a-l/kaffeine.profile b/etc/profile-a-l/kaffeine.profile index c7f811939ee..8799a6f2459 100644 --- a/etc/profile-a-l/kaffeine.profile +++ b/etc/profile-a-l/kaffeine.profile @@ -19,7 +19,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -28,6 +27,7 @@ include whitelist-var-common.inc caps.drop all netfilter nogroups +noinput nonewprivs noroot nou2f diff --git a/etc/profile-a-l/kalgebra.profile b/etc/profile-a-l/kalgebra.profile index e1e93163b43..5253a78b033 100644 --- a/etc/profile-a-l/kalgebra.profile +++ b/etc/profile-a-l/kalgebra.profile @@ -13,7 +13,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -27,6 +26,7 @@ machine-id net none nodvd nogroups +noinput nonewprivs noroot nosound @@ -42,7 +42,7 @@ disable-mnt private-bin kalgebra,kalgebramobile private-cache private-dev -private-etc fonts,machine-id +private-etc fonts,ld.so.preload,machine-id private-tmp dbus-user none diff --git a/etc/profile-a-l/kalgebramobile.profile b/etc/profile-a-l/kalgebramobile.profile index d2394fe2083..3768d277eb9 100644 --- a/etc/profile-a-l/kalgebramobile.profile +++ b/etc/profile-a-l/kalgebramobile.profile @@ -1,5 +1,10 @@ # Firejail profile for kalgebramobile # This file is overwritten after every install/update +# Persistent local customizations +include kalgebramobile.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include kalgebra.profile diff --git a/etc/profile-a-l/karbon.profile b/etc/profile-a-l/karbon.profile index 3b2e93b0afc..231299a2f2c 100644 --- a/etc/profile-a-l/karbon.profile +++ b/etc/profile-a-l/karbon.profile 
@@ -1,5 +1,12 @@ # Firejail profile alias for krita # This file is overwritten after every install/update +# Persistent local customizations +include karbon.local +# Persistent global definitions +# added by included profile +#include globals.local + +noblacklist ${HOME}/.local/share/kxmlgui5/karbon # Redirect include krita.profile diff --git a/etc/profile-a-l/kate.profile b/etc/profile-a-l/kate.profile index 321c4558fdf..d8b2dddb176 100644 --- a/etc/profile-a-l/kate.profile +++ b/etc/profile-a-l/kate.profile @@ -15,12 +15,18 @@ noblacklist ${HOME}/.config/kateschemarc noblacklist ${HOME}/.config/katesyntaxhighlightingrc noblacklist ${HOME}/.config/katevirc noblacklist ${HOME}/.local/share/kate +noblacklist ${HOME}/.local/share/kxmlgui5/kate +noblacklist ${HOME}/.local/share/kxmlgui5/katefiletree +noblacklist ${HOME}/.local/share/kxmlgui5/katekonsole +noblacklist ${HOME}/.local/share/kxmlgui5/kateopenheaderplugin +noblacklist ${HOME}/.local/share/kxmlgui5/katepart +noblacklist ${HOME}/.local/share/kxmlgui5/kateproject +noblacklist ${HOME}/.local/share/kxmlgui5/katesearch include disable-common.inc # include disable-devel.inc include disable-exec.inc # include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-var-common.inc @@ -31,6 +37,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile new file mode 100644 index 00000000000..d8863100581 --- /dev/null +++ b/etc/profile-a-l/kazam.profile 
@@ -0,0 +1,55 @@ +# Firejail profile for kazam +# Description: Screen capture tool +# This file is overwritten after every install/update +# Persistent local customizations +include kazam.local +# Persistent global definitions +include globals.local + +ignore noexec ${HOME} + +noblacklist ${PICTURES} +noblacklist ${VIDEOS} +noblacklist ${HOME}/.config/kazam + +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python2.inc +include allow-python3.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +whitelist /usr/share/kazam +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +net none +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix +seccomp +shell none +tracelog + +disable-mnt +# private-bin kazam,python* +private-cache +private-dev +private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.preload,machine-id,pulse,selinux,X11,xdg +private-tmp + +dbus-system none diff --git a/etc/profile-a-l/kcalc.profile b/etc/profile-a-l/kcalc.profile index 6f94777aab2..c551dbdbe16 100644 --- a/etc/profile-a-l/kcalc.profile +++ b/etc/profile-a-l/kcalc.profile 
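Review bot: the new kazam.profile sets `dbus-system none` but has no `dbus-user` line, unlike the other new profile in this patch (kdiff3.profile sets both `dbus-user none` and `dbus-system none`); if kazam needs the session bus, say so with `dbus-user filter` and the names it talks to, otherwise add `dbus-user none`. `ignore noexec ${HOME}` and the commented-out `# private-bin kazam,python*` also lack the reason comment that kodi.profile gives for the same ignore (`# noexec ${HOME} breaks plugins`).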
@@ -6,21 +6,30 @@ include kcalc.local # Persistent global definitions include globals.local +noblacklist ${HOME}/.local/share/kxmlgui5/kcalc include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc +mkdir ${HOME}/.local/share/kxmlgui5/kcalc mkfile ${HOME}/.config/kcalcrc mkfile ${HOME}/.kde/share/config/kcalcrc mkfile ${HOME}/.kde4/share/config/kcalcrc whitelist ${HOME}/.config/kcalcrc whitelist ${HOME}/.kde/share/config/kcalcrc whitelist ${HOME}/.kde4/share/config/kcalcrc +whitelist ${HOME}/.local/share/kxmlgui5/kcalc +whitelist /usr/share/config.kcfg/kcalc.kcfg +whitelist /usr/share/kcalc +whitelist /usr/share/kconf_update/kcalcrc.upd include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor @@ -29,6 +38,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -37,13 +47,19 @@ nou2f novideo protocol unix seccomp +seccomp.block-secondary shell none +tracelog disable-mnt private-bin kcalc +private-cache private-dev +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,locale,locale.conf # private-lib - problems on Arch private-tmp dbus-user none dbus-system none + +#memory-deny-write-execute diff --git a/etc/profile-a-l/kdeinit4.profile b/etc/profile-a-l/kdeinit4.profile index 082045c62d8..4ddd5dac57d 100644 --- a/etc/profile-a-l/kdeinit4.profile +++ b/etc/profile-a-l/kdeinit4.profile @@ -11,8 +11,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include whitelist-var-common.inc @@ -20,6 +20,7 @@ caps.drop all netfilter no3d nogroups +noinput nonewprivs # nosound - disabled for knotify noroot 
diff --git a/etc/profile-a-l/kdenlive.profile b/etc/profile-a-l/kdenlive.profile index e3560cb3584..87808ced7b1 100644 --- a/etc/profile-a-l/kdenlive.profile +++ b/etc/profile-a-l/kdenlive.profile @@ -11,12 +11,12 @@ ignore noexec ${HOME} noblacklist ${HOME}/.cache/kdenlive noblacklist ${HOME}/.config/kdenliverc noblacklist ${HOME}/.local/share/kdenlive +noblacklist ${HOME}/.local/share/kxmlgui5/kdenlive include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc apparmor @@ -24,6 +24,7 @@ caps.drop all # net none nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/kdiff3.profile b/etc/profile-a-l/kdiff3.profile new file mode 100644 index 00000000000..fa50b0a2056 --- /dev/null +++ b/etc/profile-a-l/kdiff3.profile 
@@ -0,0 +1,56 @@ +# Firejail profile for kdiff3 +# Description: KDiff3 is a file and folder diff and merge tool. +# This file is overwritten after every install/update +# Persistent local customizations +include kdiff3.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/kdiff3fileitemactionrc +noblacklist ${HOME}/.config/kdiff3rc + +# Add the next line to your kdiff3.local if you don't need to compare files in disable-common.inc. +# By default we deny access only to .ssh and .gnupg. +#include disable-common.inc +blacklist ${HOME}/.ssh +blacklist ${HOME}/.gnupg + +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +# Add the next line to your kdiff3.local if you don't need to compare files in disable-programs.inc. +#include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +include whitelist-runuser-common.inc +# Add the next line to your kdiff3.local if you don't need to compare files in /usr/share. +#include whitelist-usr-share-common.inc +# Add the next line to your kdiff3.local if you don't need to compare files in /var. +#include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +net none +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin kdiff3 +private-cache +private-dev + +dbus-user none +dbus-system none diff --git a/etc/profile-a-l/keepass.profile b/etc/profile-a-l/keepass.profile index 9852f8a7957..f26c10be32e 100644 --- a/etc/profile-a-l/keepass.profile +++ b/etc/profile-a-l/keepass.profile @@ -19,7 +19,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -28,6 +27,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound 
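Review bot: kdiff3.profile replaces `include disable-common.inc` with only `blacklist ${HOME}/.ssh` and `blacklist ${HOME}/.gnupg`, and likewise leaves disable-programs.inc, whitelist-usr-share-common.inc and whitelist-var-common.inc commented out, so the default sandbox for this merge tool is much more open than the other profiles in the patch. The comments telling users how to tighten it in kdiff3.local are good; they should also state plainly that, by default, everything else covered by disable-common.inc and disable-programs.inc is reachable from inside the sandbox, so that "By default we deny access only to .ssh and .gnupg" is read as the trade-off it is.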
diff --git a/etc/profile-a-l/keepass2.profile b/etc/profile-a-l/keepass2.profile index aef236ccc6e..72f79bef717 100644 --- a/etc/profile-a-l/keepass2.profile +++ b/etc/profile-a-l/keepass2.profile @@ -1,5 +1,10 @@ # Firejail profile alias for keepass # This file is overwritten after every install/update +# Persistent local customizations +include keepass2.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include keepass.profile diff --git a/etc/profile-a-l/keepassx.profile b/etc/profile-a-l/keepassx.profile index b8239e140b9..616b87d7e93 100644 --- a/etc/profile-a-l/keepassx.profile +++ b/etc/profile-a-l/keepassx.profile @@ -16,7 +16,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -28,6 +27,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -41,7 +41,7 @@ tracelog private-bin keepassx,keepassx2 private-dev -private-etc alternatives,fonts,machine-id +private-etc alternatives,fonts,ld.so.preload,machine-id private-tmp dbus-user none diff --git a/etc/profile-a-l/keepassx2.profile b/etc/profile-a-l/keepassx2.profile index fdd27e9f90f..f2704d67f3c 100644 --- a/etc/profile-a-l/keepassx2.profile +++ b/etc/profile-a-l/keepassx2.profile @@ -1,6 +1,11 @@ # Firejail profile for keepassx2 # Description: Cross platform password manager # This file is overwritten after every install/update +# Persistent local customizations +include keepassx2.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirects include keepassx.profile diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile index 9458edf33c2..0f3e6605b1b 100644 --- a/etc/profile-a-l/keepassxc.profile +++ b/etc/profile-a-l/keepassxc.profile 
@@ -8,21 +8,62 @@ include globals.local noblacklist ${HOME}/*.kdb noblacklist ${HOME}/*.kdbx +noblacklist ${HOME}/.cache/keepassxc noblacklist ${HOME}/.config/keepassxc +noblacklist ${HOME}/.config/KeePassXCrc noblacklist ${HOME}/.keepassxc -# 2.2.4 needs this path when compiled with "Native messaging browser extension" -noblacklist ${HOME}/.mozilla noblacklist ${DOCUMENTS} +# Allow browser profiles, required for browser integration. +noblacklist ${HOME}/.config/BraveSoftware +noblacklist ${HOME}/.config/chromium +noblacklist ${HOME}/.config/google-chrome +noblacklist ${HOME}/.config/vivaldi +noblacklist ${HOME}/.local/share/torbrowser +noblacklist ${HOME}/.mozilla + +blacklist /usr/libexec + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc +# You can enable whitelisting for keepassxc by adding the below to your keepassxc.local. +# If you do, you MUST store your database under ${HOME}/Documents/KeePassXC/foo.kdbx. +#mkdir ${HOME}/Documents/KeePassXC +#whitelist ${HOME}/Documents/KeePassXC +# Needed for KeePassXC-Browser. 
+#mkdir ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts +#mkfile ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json +#whitelist ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json +#mkdir ${HOME}/.config/chromium/NativeMessagingHosts +#mkfile ${HOME}/.config/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json +#whitelist ${HOME}/.config/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json +#mkdir ${HOME}/.config/google-chrome/NativeMessagingHosts +#mkfile ${HOME}/.config/google-chrome/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json +#whitelist ${HOME}/.config/google-chrome/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json +#mkdir ${HOME}/.config/vivaldi/NativeMessagingHosts +#mkfile ${HOME}/.config/vivaldi/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json +#whitelist ${HOME}/.config/vivaldi/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json +#mkdir ${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Browser/.mozilla/native-messaging-hosts +#mkfile ${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Browser/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json +#whitelist ${HOME}/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Browser/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json +#mkdir ${HOME}/.mozilla/native-messaging-hosts +#mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json +#whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json +#mkdir ${HOME}/.cache/keepassxc +#mkdir ${HOME}/.config/keepassxc +#whitelist ${HOME}/.cache/keepassxc +#whitelist ${HOME}/.config/keepassxc +#whitelist ${HOME}/.config/KeePassXCrc +#include whitelist-common.inc + whitelist /usr/share/keepassxc +include 
whitelist-run-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -32,35 +73,38 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound notv nou2f novideo -protocol unix,netlink -seccomp +protocol unix +seccomp !name_to_handle_at +seccomp.block-secondary shell none tracelog private-bin keepassxc,keepassxc-cli,keepassxc-proxy private-dev -private-etc alternatives,fonts,ld.so.cache,machine-id +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id private-tmp dbus-user filter -#dbus-user.own org.keepassxc.KeePassXC -dbus-user.talk com.canonical.Unity.Session +dbus-user.own org.keepassxc.KeePassXC.* +dbus-user.talk com.canonical.Unity dbus-user.talk org.freedesktop.ScreenSaver -dbus-user.talk org.freedesktop.login1.Manager -dbus-user.talk org.freedesktop.login1.Session dbus-user.talk org.gnome.ScreenSaver dbus-user.talk org.gnome.SessionManager -dbus-user.talk org.gnome.SessionManager.Presence -# Uncomment or add to your keepassxc.local to allow Notifications. +dbus-user.talk org.xfce.ScreenSaver +# Add the next line to your keepassxc.local to allow notifications. #dbus-user.talk org.freedesktop.Notifications +# Add the next line to your keepassxc.local to allow the tray menu. #dbus-user.talk org.kde.StatusNotifierWatcher -dbus-system none +#dbus-user.own org.kde.* +dbus-system filter +dbus-system.talk org.freedesktop.login1 -# Mutex is stored in /tmp by default, which is broken by private-tmp +# Mutex is stored in /tmp by default, which is broken by private-tmp. join-or-start keepassxc diff --git a/etc/profile-a-l/kfind.profile b/etc/profile-a-l/kfind.profile index ed815676a0a..40fe65e3f01 100644 --- a/etc/profile-a-l/kfind.profile +++ b/etc/profile-a-l/kfind.profile @@ -18,7 +18,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc # include disable-programs.inc apparmor 
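Review bot: several security-relevant changes in keepassxc.profile land without a comment: `blacklist /usr/libexec`, `seccomp !name_to_handle_at`, `protocol unix` (netlink dropped), the switch from `dbus-system none` to `dbus-system filter` plus `dbus-system.talk org.freedesktop.login1`, and the newly active `dbus-user.own org.keepassxc.KeePassXC.*`. Each should say which feature needs it; the seccomp exception in particular is a syscall exemption that will be copied into other profiles without anyone knowing why. In the optional block, `#dbus-user.own org.kde.*` under "allow the tray menu" owns an entire bus namespace, so a narrower name should be used if one works, and the commented tor-browser paths hardcode `x86_64/tor-browser_en-US`, which should be flagged as an example to adapt rather than a fixed path.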
@@ -29,6 +28,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/kget.profile b/etc/profile-a-l/kget.profile index 485edc1a41c..ec315b431b5 100644 --- a/etc/profile-a-l/kget.profile +++ b/etc/profile-a-l/kget.profile @@ -12,12 +12,12 @@ noblacklist ${HOME}/.kde/share/config/kgetrc noblacklist ${HOME}/.kde4/share/apps/kget noblacklist ${HOME}/.kde4/share/config/kgetrc noblacklist ${HOME}/.local/share/kget +noblacklist ${HOME}/.local/share/kxmlgui5/kget include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-var-common.inc @@ -26,6 +26,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/kid3.profile b/etc/profile-a-l/kid3.profile index cce92a93f6e..8b35a89464f 100644 --- a/etc/profile-a-l/kid3.profile +++ b/etc/profile-a-l/kid3.profile @@ -8,12 +8,12 @@ include globals.local noblacklist ${MUSIC} noblacklist ${HOME}/.config/kid3rc +noblacklist ${HOME}/.local/share/kxmlgui5/kid3 include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -24,6 +24,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv @@ -36,7 +37,7 @@ tracelog private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hostname,hosts,kde5rc,machine-id,pki,pulse,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hostname,hosts,kde5rc,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl private-tmp private-opt none private-srv none diff --git a/etc/profile-a-l/kino.profile b/etc/profile-a-l/kino.profile index b3ade0dd9f8..1f42526d381 100644 --- a/etc/profile-a-l/kino.profile +++ b/etc/profile-a-l/kino.profile 
@@ -13,7 +13,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-var-common.inc @@ -22,6 +21,7 @@ apparmor caps.drop all netfilter nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/kiwix-desktop.profile b/etc/profile-a-l/kiwix-desktop.profile index d222d6d247c..837ea9e36ba 100644 --- a/etc/profile-a-l/kiwix-desktop.profile +++ b/etc/profile-a-l/kiwix-desktop.profile @@ -13,7 +13,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -31,6 +30,7 @@ netfilter # no3d nodvd nogroups +noinput nonewprivs noroot # nosound @@ -44,7 +44,7 @@ shell none disable-mnt private-cache private-dev -private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl private-tmp dbus-user none diff --git a/etc/profile-a-l/klatexformula.profile b/etc/profile-a-l/klatexformula.profile index 10b689ce5b1..f089658afdc 100644 --- a/etc/profile-a-l/klatexformula.profile +++ b/etc/profile-a-l/klatexformula.profile @@ -17,7 +17,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc apparmor @@ -26,6 +25,7 @@ machine-id net none nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/klatexformula_cmdl.profile b/etc/profile-a-l/klatexformula_cmdl.profile index 9137963c41a..3142cbca6c8 100644 --- a/etc/profile-a-l/klatexformula_cmdl.profile +++ b/etc/profile-a-l/klatexformula_cmdl.profile 
@@ -1,5 +1,10 @@ # Firejail profile alias for klatexformula_cmdl # This file is overwritten after every install/update +# Persistent local customizations +include klatexformula_cmdl.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include klatexformula.profile diff --git a/etc/profile-a-l/klavaro.profile b/etc/profile-a-l/klavaro.profile index c03d750982e..964175274f9 100644 --- a/etc/profile-a-l/klavaro.profile +++ b/etc/profile-a-l/klavaro.profile @@ -13,7 +13,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -31,6 +30,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot notv @@ -45,7 +45,7 @@ disable-mnt private-bin bash,klavaro,sh,tclsh,tclsh* private-cache private-dev -private-etc alternatives,fonts +private-etc alternatives,fonts,ld.so.preload private-tmp private-opt none private-srv none diff --git a/etc/profile-a-l/kmail.profile b/etc/profile-a-l/kmail.profile index 198b05a1125..2c645677c9a 100644 --- a/etc/profile-a-l/kmail.profile +++ b/etc/profile-a-l/kmail.profile @@ -25,6 +25,8 @@ noblacklist ${HOME}/.local/share/apps/korganizer noblacklist ${HOME}/.local/share/contacts noblacklist ${HOME}/.local/share/emailidentities noblacklist ${HOME}/.local/share/kmail2 +noblacklist ${HOME}/.local/share/kxmlgui5/kmail +noblacklist ${HOME}/.local/share/kxmlgui5/kmail2 noblacklist ${HOME}/.local/share/local-mail noblacklist ${HOME}/.local/share/notes noblacklist /tmp/akonadi-* @@ -33,7 +35,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-var-common.inc @@ -43,6 +44,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot nosound 
diff --git a/etc/profile-a-l/kmplayer.profile b/etc/profile-a-l/kmplayer.profile index 7eabde61db0..8d462c44c0e 100644 --- a/etc/profile-a-l/kmplayer.profile +++ b/etc/profile-a-l/kmplayer.profile @@ -16,7 +16,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -27,6 +26,7 @@ apparmor caps.drop all netfilter nogroups +noinput nonewprivs noroot nou2f diff --git a/etc/profile-a-l/knotes.profile b/etc/profile-a-l/knotes.profile index ababfcdb105..f155d0ad600 100644 --- a/etc/profile-a-l/knotes.profile +++ b/etc/profile-a-l/knotes.profile @@ -12,6 +12,7 @@ include knotes.local noblacklist ${HOME}/.config/knotesrc noblacklist ${HOME}/.local/share/knotes +noblacklist ${HOME}/.local/share/kxmlgui5/knotes # Redirect include kmail.profile diff --git a/etc/profile-a-l/kodi.profile b/etc/profile-a-l/kodi.profile index 86afe46b536..f901637f3d6 100644 --- a/etc/profile-a-l/kodi.profile +++ b/etc/profile-a-l/kodi.profile @@ -8,6 +8,16 @@ include globals.local # noexec ${HOME} breaks plugins ignore noexec ${HOME} +# Add the following to your kodi.local if you use a CEC Adapter. +#ignore nogroups +#ignore noroot +#ignore private-dev +# Add the following to your kodi.local if you use the Lutris Kodi Addon +#noblacklist /sbin +#noblacklist /usr/sbin +#noblacklist ${HOME}/.cache/lutris +#noblacklist ${HOME}/.config/lutris +#noblacklist ${HOME}/.local/share/lutris noblacklist ${HOME}/.kodi noblacklist ${MUSIC} @@ -22,7 +32,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -32,7 +41,9 @@ apparmor caps.drop all netfilter nogroups +noinput nonewprivs +# Seems to cause issues with Nvidia drivers sometimes (#3501) noroot nou2f protocol unix,inet,inet6,netlink 
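Review bot: in kodi.profile the new `# Seems to cause issues with Nvidia drivers sometimes (#3501)` sits between `nonewprivs` and `noroot`, so it reads as applying to either; name the option in the comment (`# noroot - ...`), as k3b.profile does for its exceptions. The `#noblacklist /sbin` and `#noblacklist /usr/sbin` lines suggested for the Lutris addon re-expose every system administration binary; if Lutris needs only specific ones, listing those is the tighter suggestion to give users.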
diff --git a/etc/profile-a-l/konversation.profile b/etc/profile-a-l/konversation.profile index dd3e9617fc5..723fef0d2f5 100644 --- a/etc/profile-a-l/konversation.profile +++ b/etc/profile-a-l/konversation.profile @@ -7,15 +7,17 @@ include konversation.local include globals.local noblacklist ${HOME}/.config/konversationrc +noblacklist ${HOME}/.config/konversation.notifyrc noblacklist ${HOME}/.kde/share/config/konversationrc noblacklist ${HOME}/.kde4/share/config/konversationrc +noblacklist ${HOME}/.local/share/kxmlgui5/konversation include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc include whitelist-var-common.inc @@ -24,6 +26,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/kopete.profile b/etc/profile-a-l/kopete.profile index e0bdce059e2..9e75b03eb21 100644 --- a/etc/profile-a-l/kopete.profile +++ b/etc/profile-a-l/kopete.profile @@ -10,12 +10,12 @@ noblacklist ${HOME}/.kde/share/apps/kopete noblacklist ${HOME}/.kde/share/config/kopeterc noblacklist ${HOME}/.kde4/share/apps/kopete noblacklist ${HOME}/.kde4/share/config/kopeterc +noblacklist ${HOME}/.local/share/kxmlgui5/kopete include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc whitelist /var/lib/winpopup @@ -25,6 +25,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/krita.profile b/etc/profile-a-l/krita.profile index be992147884..2d32254215d 100644 --- a/etc/profile-a-l/krita.profile +++ b/etc/profile-a-l/krita.profile 
@@ -22,7 +22,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -33,6 +32,7 @@ ipc-namespace netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/krunner.profile b/etc/profile-a-l/krunner.profile index c64113c1501..96eb6978d4f 100644 --- a/etc/profile-a-l/krunner.profile +++ b/etc/profile-a-l/krunner.profile @@ -6,9 +6,9 @@ include krunner.local # Persistent global definitions include globals.local -# - programs started in krunner run with this generic profile. +# - programs started in krunner run with this generic profile # - when a file is opened in krunner, the file viewer runs in its own sandbox -# with its own profile, if it is sandboxed automatically. +# with its own profile, if it is sandboxed automatically # noblacklist ${HOME}/.cache/krunner # noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite* @@ -22,7 +22,6 @@ noblacklist ${HOME}/.kde4/share/config/krunnerrc include disable-common.inc # include disable-devel.inc # include disable-interpreters.inc -# include disable-passwdmgr.inc # include disable-programs.inc include whitelist-var-common.inc diff --git a/etc/profile-a-l/ktorrent.profile b/etc/profile-a-l/ktorrent.profile index 2eb46a7e8b4..9d8aa1bd7ca 100644 --- a/etc/profile-a-l/ktorrent.profile +++ b/etc/profile-a-l/ktorrent.profile 
@@ -12,17 +12,19 @@ noblacklist ${HOME}/.kde/share/config/ktorrentrc noblacklist ${HOME}/.kde4/share/apps/ktorrent noblacklist ${HOME}/.kde4/share/config/ktorrentrc noblacklist ${HOME}/.local/share/ktorrent +noblacklist ${HOME}/.local/share/kxmlgui5/ktorrent include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc mkdir ${HOME}/.kde/share/apps/ktorrent mkdir ${HOME}/.kde4/share/apps/ktorrent mkdir ${HOME}/.local/share/ktorrent +mkdir ${HOME}/.local/share/kxmlgui5/ktorrent mkfile ${HOME}/.config/ktorrentrc mkfile ${HOME}/.kde/share/config/ktorrentrc mkfile ${HOME}/.kde4/share/config/ktorrentrc @@ -33,6 +35,7 @@ whitelist ${HOME}/.kde/share/config/ktorrentrc whitelist ${HOME}/.kde4/share/apps/ktorrent whitelist ${HOME}/.kde4/share/config/ktorrentrc whitelist ${HOME}/.local/share/ktorrent +whitelist ${HOME}/.local/share/kxmlgui5/ktorrent include whitelist-common.inc include whitelist-var-common.inc @@ -42,6 +45,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/ktouch.profile b/etc/profile-a-l/ktouch.profile index b23b237303e..78eb2e8f5db 100644 --- a/etc/profile-a-l/ktouch.profile +++ b/etc/profile-a-l/ktouch.profile @@ -13,8 +13,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkfile ${HOME}/.config/ktouch2rc @@ -30,6 +30,7 @@ machine-id net none nodvd nogroups +noinput nonewprivs noroot nosound @@ -45,7 +46,7 @@ disable-mnt private-bin ktouch private-cache private-dev -private-etc alternatives,fonts,kde5rc,machine-id +private-etc alternatives,fonts,kde5rc,ld.so.preload,machine-id private-tmp dbus-user none 
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile new file mode 100644 index 00000000000..ad6b2f5fe1a --- /dev/null +++ b/etc/profile-a-l/kube.profile 
@@ -0,0 +1,81 @@ +# Firejail profile for kube +# Description: Qt mail client +# This file is overwritten after every install/update +# Persistent local customizations +include kube.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.gnupg +noblacklist ${HOME}/.mozilla +noblacklist ${HOME}/.cache/kube +noblacklist ${HOME}/.config/kube +noblacklist ${HOME}/.config/sink +noblacklist ${HOME}/.local/share/kube +noblacklist ${HOME}/.local/share/sink + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.gnupg +mkdir ${HOME}/.cache/kube +mkdir ${HOME}/.config/kube +mkdir ${HOME}/.config/sink +mkdir ${HOME}/.local/share/kube +mkdir ${HOME}/.local/share/sink +whitelist ${HOME}/.gnupg +whitelist ${HOME}/.mozilla/firefox/profiles.ini +whitelist ${HOME}/.cache/kube +whitelist ${HOME}/.config/kube +whitelist ${HOME}/.config/sink +whitelist ${HOME}/.local/share/kube +whitelist ${HOME}/.local/share/sink +whitelist ${RUNUSER}/gnupg +whitelist /usr/share/kube +whitelist /usr/share/gnupg +whitelist /usr/share/gnupg2 +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +# disable-mnt +# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg +# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile. 
+private-bin kube,sink_synchronizer +private-cache +private-dev +private-etc alternatives,ca-certificates,crypto-policies,fonts,gcrypt,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.preload,pki,resolv.conf,selinux,ssl,xdg +private-tmp +writable-run-user + +dbus-user filter +dbus-user.talk ca.desrt.dconf +dbus-user.talk org.freedesktop.secrets +dbus-user.talk org.freedesktop.Notifications +dbus-system none + +read-only ${HOME}/.mozilla/firefox/profiles.ini diff --git a/etc/profile-a-l/kwin_x11.profile b/etc/profile-a-l/kwin_x11.profile index d512dd100bb..32e9870e5ef 100644 --- a/etc/profile-a-l/kwin_x11.profile +++ b/etc/profile-a-l/kwin_x11.profile @@ -17,8 +17,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc include whitelist-var-common.inc @@ -27,6 +27,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot nosound @@ -41,5 +42,5 @@ tracelog disable-mnt private-bin kwin_x11 private-dev -private-etc alternatives,drirc,fonts,kde5rc,ld.so.cache,machine-id,xdg +private-etc alternatives,drirc,fonts,kde5rc,ld.so.cache,ld.so.preload,machine-id,xdg private-tmp diff --git a/etc/profile-a-l/kwrite.profile b/etc/profile-a-l/kwrite.profile index a71e3bfb986..cd5ce70349f 100644 --- a/etc/profile-a-l/kwrite.profile +++ b/etc/profile-a-l/kwrite.profile @@ -13,14 +13,15 @@ noblacklist ${HOME}/.config/katesyntaxhighlightingrc noblacklist ${HOME}/.config/katevirc noblacklist ${HOME}/.config/kwriterc noblacklist ${HOME}/.local/share/kwrite +noblacklist ${HOME}/.local/share/kxmlgui5/kwrite noblacklist ${DOCUMENTS} include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc include whitelist-var-common.inc 
@@ -31,6 +32,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot # nosound - KWrite is using ALSA! @@ -44,7 +46,7 @@ tracelog private-bin kbuildsycoca4,kdeinit4,kwrite private-dev -private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg +private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,ld.so.preload,machine-id,pulse,xdg private-tmp # dbus-user none diff --git a/etc/profile-a-l/latex-common.profile b/etc/profile-a-l/latex-common.profile index b090be7268d..7993e97e3c1 100644 --- a/etc/profile-a-l/latex-common.profile +++ b/etc/profile-a-l/latex-common.profile @@ -10,7 +10,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc whitelist /var/lib @@ -22,6 +21,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/lbunzip2.profile b/etc/profile-a-l/lbunzip2.profile index 338d8c8bb44..3b5b98493bf 100644 --- a/etc/profile-a-l/lbunzip2.profile +++ b/etc/profile-a-l/lbunzip2.profile @@ -1,6 +1,11 @@ # Firejail profile alias for gzip # Description: GNU compression utilities # This file is overwritten after every install/update +# Persistent local customizations +include lbunzip2.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include gzip.profile diff --git a/etc/profile-a-l/lbzcat.profile b/etc/profile-a-l/lbzcat.profile index 338d8c8bb44..e628ceaaec8 100644 --- a/etc/profile-a-l/lbzcat.profile +++ b/etc/profile-a-l/lbzcat.profile @@ -1,6 +1,11 @@ # Firejail profile alias for gzip # Description: GNU compression utilities # This file is overwritten after every install/update +# Persistent local customizations +include lbzcat.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include gzip.profile 
diff --git a/etc/profile-a-l/lbzip2.profile b/etc/profile-a-l/lbzip2.profile index 338d8c8bb44..5d793578088 100644 --- a/etc/profile-a-l/lbzip2.profile +++ b/etc/profile-a-l/lbzip2.profile @@ -1,6 +1,11 @@ # Firejail profile alias for gzip # Description: GNU compression utilities # This file is overwritten after every install/update +# Persistent local customizations +include lbzip2.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include gzip.profile diff --git a/etc/profile-a-l/leafpad.profile b/etc/profile-a-l/leafpad.profile index c456541aaaa..75105abf2b1 100644 --- a/etc/profile-a-l/leafpad.profile +++ b/etc/profile-a-l/leafpad.profile @@ -12,8 +12,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include whitelist-var-common.inc @@ -23,6 +23,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/less.profile b/etc/profile-a-l/less.profile index de6fa67d19b..db61bf94159 100644 --- a/etc/profile-a-l/less.profile +++ b/etc/profile-a-l/less.profile @@ -7,7 +7,6 @@ include less.local # Persistent global definitions include globals.local -blacklist ${RUNUSER}/wayland-* blacklist ${RUNUSER} noblacklist ${HOME}/.lesshst @@ -15,7 +14,6 @@ noblacklist ${HOME}/.lesshst include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc apparmor caps.drop all @@ -24,6 +22,7 @@ machine-id net none no3d nodvd +noinput nonewprivs #noroot nosound diff --git a/etc/profile-a-l/librecad.profile b/etc/profile-a-l/librecad.profile new file mode 100644 index 00000000000..c1ce4bb8d96 --- /dev/null +++ b/etc/profile-a-l/librecad.profile 
@@ -0,0 +1,50 @@ +# Firejail profile for librecad +# Persistent local customizations +include librecad.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/LibreCAD +noblacklist ${HOME}/.local/share/LibreCAD + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +whitelist /usr/share/librecad +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +netfilter +nodvd +#nogroups +#noinput +nonewprivs +noroot +notv +#nou2f +novideo +protocol unix,inet,inet6 +netfilter +seccomp +shell none +#tracelog + +#disable-mnt +private-bin librecad +private-dev +# private-etc cups,drirc,fonts,passwd,xdg +#private-lib +private-tmp + +dbus-user none +dbus-system none + +memory-deny-write-execute diff --git a/etc/profile-a-l/libreoffice.profile b/etc/profile-a-l/libreoffice.profile index 948e2927c9c..3283077059b 100644 --- a/etc/profile-a-l/libreoffice.profile +++ b/etc/profile-a-l/libreoffice.profile 
@@ -9,44 +9,49 @@ include globals.local noblacklist /usr/local/sbin noblacklist ${HOME}/.config/libreoffice -# libreoffice uses java for some certain operations -# comment if you don't care about java functionality +# libreoffice uses java for some functionality. +# Add 'ignore include allow-java.inc' to your libreoffice.local if you don't need that functionality. # Allow java (blacklisted by disable-devel.inc) include allow-java.inc +blacklist /usr/libexec + include disable-common.inc include disable-devel.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-var-common.inc -# ubuntu 18.04 comes with its own apparmor profile, but it is not in enforce mode. -# comment the next line to use the ubuntu profile instead of firejail's apparmor profile +# Debian 10/Ubuntu 18.04 come with their own apparmor profile, but it is not in enforce mode. +# Add the next lines to your libreoffice.local to use the Ubuntu profile instead of firejail's apparmor profile. +#ignore apparmor +#ignore nonewprivs +#ignore protocol +#ignore seccomp +#ignore tracelog + apparmor caps.drop all netfilter nodvd nogroups -# comment nonewprivs when using the ubuntu 18.04/debian 10 apparmor profile +noinput nonewprivs noroot notv nou2f novideo -# comment the protocol line when using the ubuntu 18.04/debian 10 apparmor profile protocol unix,inet,inet6 -# comment seccomp when using the ubuntu 18.04/debian 10 apparmor profile seccomp shell none -# comment tracelog when using the ubuntu 18.04/debian 10 apparmor profile tracelog +#private-bin libreoffice,sh,uname,dirname,grep,sed,basename,ls +private-cache private-dev private-tmp -dbus-user none dbus-system none join-or-start libreoffice diff --git a/etc/profile-a-l/librewolf-nightly.profile b/etc/profile-a-l/librewolf-nightly.profile new file mode 100644 index 00000000000..72df5a52aad --- /dev/null +++ b/etc/profile-a-l/librewolf-nightly.profile 
@@ -0,0 +1,13 @@ +# Firejail profile for librewolf-nightly +# This file is overwritten after every install/update +# Persistent local customizations +include librewolf-nightly.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Add the next line to your librewolf-nightly.local to enable private-bin. +#private-bin librewolf-nightly + +# Redirect +include librewolf.profile diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile new file mode 100644 index 00000000000..ebffbbabfbe --- /dev/null +++ b/etc/profile-a-l/librewolf.profile 
@@ -0,0 +1,56 @@ +# Firejail profile for Librewolf +# Description: Firefox fork based on privacy +# This file is overwritten after every install/update +# Persistent local customizations +include librewolf.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/librewolf +noblacklist ${HOME}/.librewolf + +mkdir ${HOME}/.cache/librewolf +mkdir ${HOME}/.librewolf +whitelist ${HOME}/.cache/librewolf +whitelist ${HOME}/.librewolf + +# Add the next lines to your librewolf.local if you want to use the migration wizard. +#noblacklist ${HOME}/.mozilla +#whitelist ${HOME}/.mozilla + +# To enable KeePassXC Plugin add one of the following lines to your librewolf.local. +# NOTE: start KeePassXC before Librewolf and keep it open to allow communication between them. +#whitelist ${RUNUSER}/kpxc_server +#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer + +whitelist /usr/share/doc +whitelist /usr/share/gtk-doc/html +whitelist /usr/share/mozilla +whitelist /usr/share/webext +include whitelist-usr-share-common.inc + +# Add the next line to your librewolf.local to enable private-bin (Arch Linux). +#private-bin dbus-launch,dbus-send,librewolf,sh +# Add the next line to your librewolf.local to enable private-etc. +# NOTE: private-etc must first be enabled in firefox-common.local. +#private-etc librewolf + +dbus-user filter +dbus-user.own org.mozilla.librewolf.* +# Add the next line to your librewolf.local to enable native notifications. +#dbus-user.talk org.freedesktop.Notifications +# Add the next line to your librewolf.local to allow inhibiting screensavers. +#dbus-user.talk org.freedesktop.ScreenSaver +# Add the next lines to your librewolf.local for plasma browser integration. +#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration +#dbus-user.talk org.kde.JobViewServer +#dbus-user.talk org.kde.kuiserver +# Add the next line to your librewolf.local to allow screensharing under Wayland. 
+#dbus-user.talk org.freedesktop.portal.Desktop +# Also add the next line to your librewolf.local if screensharing does not work with +# the above lines (depends on the portal implementation). +#ignore noroot +ignore dbus-user none + +# Redirect +include firefox-common.profile diff --git a/etc/profile-a-l/lifeograph.profile b/etc/profile-a-l/lifeograph.profile new file mode 100644 index 00000000000..747fd85fab7 --- /dev/null +++ b/etc/profile-a-l/lifeograph.profile @@ -0,0 +1,57 @@ +# Firejail profile for lifeograph +# Description: Lifeograph is a diary program to take personal notes +# This file is overwritten after every install/update +# Persistent local customizations +include lifeograph.local +# Persistent global definitions +include globals.local + +noblacklist ${DOCUMENTS} + +blacklist /usr/libexec + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +whitelist ${DOCUMENTS} +whitelist /usr/share/lifeograph +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +net none +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin lifeograph +private-cache +private-dev +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11 +private-tmp + +dbus-user filter +dbus-user.talk ca.desrt.dconf +dbus-system none diff --git a/etc/profile-a-l/liferea.profile b/etc/profile-a-l/liferea.profile index 7cfd4fc101f..f7955e35227 100644 --- a/etc/profile-a-l/liferea.profile +++ b/etc/profile-a-l/liferea.profile 
@@ -18,7 +18,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.cache/liferea @@ -37,12 +36,13 @@ netfilter # no3d nodvd nogroups +noinput nonewprivs noroot # nosound notv nou2f -# novideo +novideo protocol unix,inet,inet6 seccomp shell none @@ -51,3 +51,12 @@ tracelog disable-mnt private-dev private-tmp + +dbus-user filter +dbus-user.own net.sourceforge.liferea +dbus-user.talk ca.desrt.dconf +# Add the next line to your liferea.local if you use the 'Popup Notifications' plugin. +#dbus-user.talk org.freedesktop.Notifications +# Add the next line to your liferea.local if you use the 'Libsecret Support' plugin. +#dbus-user.talk org.freedesktop.secrets +dbus-system none diff --git a/etc/profile-a-l/lincity-ng.profile b/etc/profile-a-l/lincity-ng.profile index 624d4a8bde9..073d814ec95 100644 --- a/etc/profile-a-l/lincity-ng.profile +++ b/etc/profile-a-l/lincity-ng.profile @@ -12,8 +12,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.lincity-ng @@ -27,6 +27,7 @@ ipc-namespace net none nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/links-common.profile b/etc/profile-a-l/links-common.profile new file mode 100644 index 00000000000..dac3eaee32e --- /dev/null +++ b/etc/profile-a-l/links-common.profile 
@@ -0,0 +1,62 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include links-common.local + +# common profile for links browsers + +blacklist /tmp/.X11-unix +blacklist ${RUNUSER}/wayland-* + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +# Additional noblacklist files/directories (blacklisted in disable-programs.inc) +# used as associated programs can be added in your links-common.local. +include disable-programs.inc +include disable-xdg.inc + +whitelist ${DOWNLOADS} +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +caps.drop all +ipc-namespace +# Add 'ignore machine-id' to your links-common.local if you want to restrict access to +# the user-configured associated media player. +machine-id +netfilter +# Add 'ignore no3d' to your links-common.local if you want to restrict access to +# the user-configured associated media player. +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +# Add 'ignore nosound' to your links-common.local if you want to restrict access to +# the user-configured associated media player. +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +disable-mnt +# Add 'private-bin PROGRAM1,PROGRAM2' to your links-common.local if you want to use user-configured programs. +private-bin sh +private-cache +private-dev +private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl +# Add the next line to your links-common.local to allow external media players. +# private-etc alsa,asound.conf,machine-id,openal,pulse +private-tmp + +dbus-user none +dbus-system none + +memory-deny-write-execute diff --git a/etc/profile-a-l/links.profile b/etc/profile-a-l/links.profile index b2f94d3cf16..8ce39cc7fcb 100644 --- a/etc/profile-a-l/links.profile +++ b/etc/profile-a-l/links.profile 
@@ -1,6 +1,7 @@ # Firejail profile for links # Description: Text WWW browser # This file is overwritten after every install/update +quiet # Persistent local customizations include links.local # Persistent global definitions 
@@ -8,59 +9,10 @@ include globals.local noblacklist ${HOME}/.links -blacklist /tmp/.X11-unix -blacklist ${RUNUSER}/wayland-* - -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -# you may want to noblacklist files/directories blacklisted in -# disable-programs.inc and used as associated programs -include disable-programs.inc -include disable-xdg.inc - mkdir ${HOME}/.links whitelist ${HOME}/.links -whitelist ${DOWNLOADS} -include whitelist-runuser-common.inc -include whitelist-var-common.inc - -caps.drop all -ipc-namespace -# comment machine-id (or put 'ignore machine-id' in your links.local) if you want -# to allow access only to user-configured associated media player -machine-id -netfilter -# comment no3d (or put 'ignore no3d' in your links.local) if you want -# to allow access only to user-configured associated media player -no3d -nodvd -nogroups -nonewprivs -noroot -# comment nosound (or put 'ignore nosound' in your links.local) if you want -# to allow access only to user-configured associated media player -nosound -notv -nou2f -novideo -protocol unix,inet,inet6 -seccomp -shell none -tracelog -disable-mnt -# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' to your links.local -# or append 'PROGRAM1,PROGRAM2' to this private-bin line -private-bin links,sh -private-cache -private-dev -private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl -# Uncomment the following line (or put it in your links.local) allow external -# media players -# private-etc alsa,asound.conf,machine-id,openal,pulse -private-tmp +private-bin links -memory-deny-write-execute +# Redirect +include links-common.profile diff --git a/etc/profile-a-l/links2.profile b/etc/profile-a-l/links2.profile new file mode 100644 index 00000000000..5f91dfcd268 --- /dev/null +++ b/etc/profile-a-l/links2.profile 
@@ -0,0 +1,18 @@ +# Firejail profile for links2 +# Description: Text WWW browser with a graphic version +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include links2.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.links2 + +mkdir ${HOME}/.links2 +whitelist ${HOME}/.links2 + +private-bin links2 + +# Redirect +include links-common.profile diff --git a/etc/profile-a-l/linphone.profile b/etc/profile-a-l/linphone.profile index dc156b29853..f821c7512d2 100644 --- a/etc/profile-a-l/linphone.profile +++ b/etc/profile-a-l/linphone.profile @@ -6,20 +6,26 @@ include linphone.local # Persistent global definitions include globals.local +noblacklist ${HOME}/.config/linphone noblacklist ${HOME}/.linphone-history.db noblacklist ${HOME}/.linphonerc +noblacklist ${HOME}/.local/share/linphone include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc -mkfile ${HOME}/.linphone-history.db -mkfile ${HOME}/.linphonerc +# linphone 4.0 (released 2017-06-26) moved config and database files to respect +# freedesktop standards. For backward compatibility we continue to whitelist +# ${HOME}/.linphone-history.db and ${HOME}/.linphonerc but no longer mkfile. +mkdir ${HOME}/.config/linphone +mkdir ${HOME}/.local/share/linphone +whitelist ${HOME}/.config/linphone whitelist ${HOME}/.linphone-history.db whitelist ${HOME}/.linphonerc +whitelist ${HOME}/.local/share/linphone whitelist ${DOWNLOADS} include whitelist-common.inc @@ -28,6 +34,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/lmms.profile b/etc/profile-a-l/lmms.profile index afe1ad635a1..d1a754a6e8f 100644 --- a/etc/profile-a-l/lmms.profile +++ b/etc/profile-a-l/lmms.profile 
@@ -14,7 +14,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -24,6 +23,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/lobase.profile b/etc/profile-a-l/lobase.profile index 8348a57fe9a..b248d38f785 100644 --- a/etc/profile-a-l/lobase.profile +++ b/etc/profile-a-l/lobase.profile @@ -1,5 +1,10 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update +# Persistent local customizations +include lobase.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include libreoffice.profile diff --git a/etc/profile-a-l/localc.profile b/etc/profile-a-l/localc.profile index 8348a57fe9a..a467ef3db8c 100644 --- a/etc/profile-a-l/localc.profile +++ b/etc/profile-a-l/localc.profile @@ -1,5 +1,10 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update +# Persistent local customizations +include localc.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include libreoffice.profile diff --git a/etc/profile-a-l/lodraw.profile b/etc/profile-a-l/lodraw.profile index 8348a57fe9a..f1db590ed83 100644 --- a/etc/profile-a-l/lodraw.profile +++ b/etc/profile-a-l/lodraw.profile @@ -1,5 +1,10 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update +# Persistent local customizations +include lodraw.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include libreoffice.profile diff --git a/etc/profile-a-l/loffice.profile b/etc/profile-a-l/loffice.profile index 8348a57fe9a..aa291017a7c 100644 --- a/etc/profile-a-l/loffice.profile +++ b/etc/profile-a-l/loffice.profile 
@@ -1,5 +1,10 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update +# Persistent local customizations +include loffice.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include libreoffice.profile diff --git a/etc/profile-a-l/lofromtemplate.profile b/etc/profile-a-l/lofromtemplate.profile index 8348a57fe9a..534dc5d14d1 100644 --- a/etc/profile-a-l/lofromtemplate.profile +++ b/etc/profile-a-l/lofromtemplate.profile @@ -1,5 +1,10 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update +# Persistent local customizations +include lofromtemplate.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include libreoffice.profile diff --git a/etc/profile-a-l/loimpress.profile b/etc/profile-a-l/loimpress.profile index 8348a57fe9a..a9473d1a601 100644 --- a/etc/profile-a-l/loimpress.profile +++ b/etc/profile-a-l/loimpress.profile @@ -1,5 +1,10 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update +# Persistent local customizations +include loimpress.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include libreoffice.profile diff --git a/etc/profile-a-l/lollypop.profile b/etc/profile-a-l/lollypop.profile index 1ce83822dc5..a590c5fb741 100644 --- a/etc/profile-a-l/lollypop.profile +++ b/etc/profile-a-l/lollypop.profile @@ -17,7 +17,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -27,6 +26,7 @@ caps.drop all netfilter no3d nogroups +noinput nonewprivs noroot notv 
@@ -37,6 +37,6 @@ seccomp shell none private-dev -private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg private-tmp diff --git a/etc/profile-a-l/lomath.profile b/etc/profile-a-l/lomath.profile index 8348a57fe9a..8bc388be74d 100644 --- a/etc/profile-a-l/lomath.profile +++ b/etc/profile-a-l/lomath.profile @@ -1,5 +1,10 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update +# Persistent local customizations +include lomath.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include libreoffice.profile diff --git a/etc/profile-a-l/loweb.profile b/etc/profile-a-l/loweb.profile index 8348a57fe9a..34b9dcad03d 100644 --- a/etc/profile-a-l/loweb.profile +++ b/etc/profile-a-l/loweb.profile @@ -1,5 +1,10 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update +# Persistent local customizations +include loweb.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include libreoffice.profile diff --git a/etc/profile-a-l/lowriter.profile b/etc/profile-a-l/lowriter.profile index 8348a57fe9a..054ce3a48ec 100644 --- a/etc/profile-a-l/lowriter.profile +++ b/etc/profile-a-l/lowriter.profile @@ -1,5 +1,10 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update +# Persistent local customizations +include lowriter.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include libreoffice.profile diff --git a/etc/profile-a-l/lsar.profile b/etc/profile-a-l/lsar.profile new file mode 100644 index 00000000000..faf5bb7f921 --- /dev/null 
+++ b/etc/profile-a-l/lsar.profile @@ -0,0 +1,13 @@ +# Firejail profile for lsar +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include lsar.local +# Persistent global definitions +# added by included profile +#include globals.local + +private-bin lsar + +# Redirect +include ar.profile diff --git a/etc/profile-a-l/luarocks.profile b/etc/profile-a-l/luarocks.profile new file mode 100644 index 00000000000..e6a9df60d09 --- /dev/null +++ b/etc/profile-a-l/luarocks.profile 
@@ -0,0 +1,72 @@ +# Firejail profile for luarocks +# Description: LuaRocks is the package manager for the Lua programming language. +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include luarocks.local +# Persistent global definitions +include globals.local + +# Disallow blocking access to Lua header files. +noblacklist /usr/include/lua* +# Allow lua (blacklisted by disable-interpreters.inc) +include allow-lua.inc + +blacklist ${RUNUSER} + +include disable-common.inc +# luarocks can invoke compilers +#include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +# luarocks is hacky and needs shell access +#include disable-shell.inc +include disable-X11.inc +include disable-xdg.inc + +whitelist ${HOME}/.netrc +whitelist ${HOME}/.config/pkcs11 +whitelist ${HOME}/.wget-hsts +whitelist ${HOME}/.cache/luarocks +whitelist ${HOME}/luarocks/cmd/external +whitelist ${HOME}/.nix-profile/bin +whitelist ${HOME}/.luarocks +whitelist ${HOME}/.config/luarocks + +whitelist /usr/share/lua +include whitelist-run-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +# apparmor +caps.drop all +ipc-namespace +machine-id +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-cache +private-dev +#private-etc alternatives,ca-certificates,crypto-policies,luarocks,pki,ssl +private-tmp + +dbus-user none +dbus-system none + +read-write ${HOME}/.luarocks diff --git a/etc/profile-a-l/lugaru.profile b/etc/profile-a-l/lugaru.profile index 26157b94239..3d52d126686 100644 --- a/etc/profile-a-l/lugaru.profile +++ b/etc/profile-a-l/lugaru.profile 
@@ -15,8 +15,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.config/lugaru @@ -31,6 +31,7 @@ ipc-namespace net none nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/luminance-hdr.profile b/etc/profile-a-l/luminance-hdr.profile index 2b0feaa17ac..179bc37f26e 100644 --- a/etc/profile-a-l/luminance-hdr.profile +++ b/etc/profile-a-l/luminance-hdr.profile @@ -13,7 +13,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -21,6 +20,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/lutris.profile b/etc/profile-a-l/lutris.profile new file mode 100644 index 00000000000..bf8ab9e6465 --- /dev/null +++ b/etc/profile-a-l/lutris.profile 
@@ -0,0 +1,79 @@ +# Firejail profile for lutris +# Description: Multi-library game handler with special support for Wine +# This file is overwritten after every install/update +# Persistent local customizations +include lutris.local +# Persistent global definitions +include globals.local + +noblacklist ${PATH}/llvm* +noblacklist ${HOME}/Games +noblacklist ${HOME}/.cache/lutris +noblacklist ${HOME}/.cache/winetricks +noblacklist ${HOME}/.config/lutris +noblacklist ${HOME}/.local/share/lutris +# noblacklist ${HOME}/.wine +noblacklist /tmp/.wine-* +# Don't block access to /sbin and /usr/sbin to allow using ldconfig. Otherwise +# Lutris won't even start. +noblacklist /sbin +noblacklist /usr/sbin + +ignore noexec ${HOME} + +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python2.inc +include allow-python3.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-xdg.inc + +mkdir ${HOME}/Games +mkdir ${HOME}/.cache/lutris +mkdir ${HOME}/.cache/winetricks +mkdir ${HOME}/.config/lutris +mkdir ${HOME}/.local/share/lutris +# mkdir ${HOME}/.wine +whitelist ${DOWNLOADS} +whitelist ${HOME}/Games +whitelist ${HOME}/.cache/lutris +whitelist ${HOME}/.cache/winetricks +whitelist ${HOME}/.config/lutris +whitelist ${HOME}/.local/share/lutris +# whitelist ${HOME}/.wine +whitelist /usr/share/lutris +whitelist /usr/share/wine +include whitelist-common.inc +include whitelist-usr-share-common.inc +include whitelist-runuser-common.inc +include whitelist-var-common.inc + +# allow-debuggers +# apparmor +caps.drop all +ipc-namespace +# net none +netfilter +nodvd +nogroups +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,inet,inet6,netlink +seccomp +shell none + +# Add the next line to your lutris.local if you do not need controller support. 
+#private-dev +private-tmp + +dbus-user filter +dbus-user.own net.lutris.Lutris +dbus-user.talk com.feralinteractive.GameMode +dbus-system none diff --git a/etc/profile-a-l/lximage-qt.profile b/etc/profile-a-l/lximage-qt.profile index a33ddab78ca..404535f913b 100644 --- a/etc/profile-a-l/lximage-qt.profile +++ b/etc/profile-a-l/lximage-qt.profile @@ -12,7 +12,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-var-common.inc @@ -22,6 +21,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/lxmusic.profile b/etc/profile-a-l/lxmusic.profile index 9094f437768..0651b83298c 100644 --- a/etc/profile-a-l/lxmusic.profile +++ b/etc/profile-a-l/lxmusic.profile @@ -14,7 +14,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -26,6 +25,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-a-l/lynx.profile b/etc/profile-a-l/lynx.profile index dbd0a61e566..05a92e39dbb 100644 --- a/etc/profile-a-l/lynx.profile +++ b/etc/profile-a-l/lynx.profile @@ -1,6 +1,7 @@ # Firejail profile for lynx # Description: Classic non-graphical (text-mode) web browser # This file is overwritten after every install/update +quiet # Persistent local customizations include lynx.local # Persistent global definitions @@ -12,7 +13,6 @@ blacklist ${RUNUSER}/wayland-* include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -23,6 +23,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-a-l/lyx.profile b/etc/profile-a-l/lyx.profile new file mode 100644 index 00000000000..3213f3674f2 
--- /dev/null +++ b/etc/profile-a-l/lyx.profile @@ -0,0 +1,38 @@ +# Firejail profile for lyx +# Description: Open source document processor based on LaTeX typsetting +# This file is overwritten after every install/update +# Persistent local customizations +include lyx.local +# Persistent global definitions +include globals.local + +ignore private-tmp + +noblacklist ${HOME}/.config/LyX +noblacklist ${HOME}/.lyx + +# Allow lua (blacklisted by disable-interpreters.inc) +include allow-lua.inc + +# Allow perl (blacklisted by disable-interpreters.inc) +include allow-perl.inc + +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python2.inc +include allow-python3.inc + +whitelist /usr/share/lyx +whitelist /usr/share/texinfo +whitelist /usr/share/texlive +whitelist /usr/share/texmf-dist +whitelist /usr/share/tlpkg +include whitelist-usr-share-common.inc + +apparmor +machine-id + +# private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex +private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.preload,locale,locale.alias,locale.conf,lyx,machine-id,mime.types,passwd,texmf,X11,xdg + +# Redirect +include latex-common.profile diff --git a/etc/profile-a-l/lzcat.profile b/etc/profile-a-l/lzcat.profile index d9c72407f5d..693a1e1677b 100644 --- a/etc/profile-a-l/lzcat.profile +++ b/etc/profile-a-l/lzcat.profile @@ -2,6 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet +# Persistent local customizations +include lzcat.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff --git a/etc/profile-a-l/lzcmp.profile b/etc/profile-a-l/lzcmp.profile index d9c72407f5d..f2e49fde090 100644 --- a/etc/profile-a-l/lzcmp.profile +++ b/etc/profile-a-l/lzcmp.profile 
@@ -2,6 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet +# Persistent local customizations +include lzcmp.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff --git a/etc/profile-a-l/lzdiff.profile b/etc/profile-a-l/lzdiff.profile index f7410b92808..1e2e17eee3e 100644 --- a/etc/profile-a-l/lzdiff.profile +++ b/etc/profile-a-l/lzdiff.profile @@ -1,6 +1,12 @@ # Firejail profile alias for cpio # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update +quiet +# Persistent local customizations +include lzdiff.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff --git a/etc/profile-a-l/lzegrep.profile b/etc/profile-a-l/lzegrep.profile index d9c72407f5d..ca93f2a8bed 100644 --- a/etc/profile-a-l/lzegrep.profile +++ b/etc/profile-a-l/lzegrep.profile @@ -2,6 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet +# Persistent local customizations +include lzegrep.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff --git a/etc/profile-a-l/lzfgrep.profile b/etc/profile-a-l/lzfgrep.profile index d9c72407f5d..97138e9a092 100644 --- a/etc/profile-a-l/lzfgrep.profile +++ b/etc/profile-a-l/lzfgrep.profile @@ -2,6 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet +# Persistent local customizations +include lzfgrep.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile 
diff --git a/etc/profile-a-l/lzgrep.profile b/etc/profile-a-l/lzgrep.profile index d9c72407f5d..fca9a39df46 100644 --- a/etc/profile-a-l/lzgrep.profile +++ b/etc/profile-a-l/lzgrep.profile @@ -2,6 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet +# Persistent local customizations +include lzgrep.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff --git a/etc/profile-a-l/lzip.profile b/etc/profile-a-l/lzip.profile index d9c72407f5d..806375b054f 100644 --- a/etc/profile-a-l/lzip.profile +++ b/etc/profile-a-l/lzip.profile @@ -2,6 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet +# Persistent local customizations +include lzip.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff --git a/etc/profile-a-l/lzless.profile b/etc/profile-a-l/lzless.profile index d9c72407f5d..20cae4a87ec 100644 --- a/etc/profile-a-l/lzless.profile +++ b/etc/profile-a-l/lzless.profile @@ -2,6 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet +# Persistent local customizations +include lzless.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff --git a/etc/profile-a-l/lzma.profile b/etc/profile-a-l/lzma.profile index d9c72407f5d..776550bf997 100644 --- a/etc/profile-a-l/lzma.profile +++ b/etc/profile-a-l/lzma.profile 
@@ -2,6 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet +# Persistent local customizations +include lzma.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff --git a/etc/profile-a-l/lzmadec.profile b/etc/profile-a-l/lzmadec.profile index 0c5ec1b0999..9dac7592714 100644 --- a/etc/profile-a-l/lzmadec.profile +++ b/etc/profile-a-l/lzmadec.profile @@ -1,6 +1,12 @@ # Firejail profile alias for xzdec # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update +quiet +# Persistent local customizations +include lzmadec.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include xzdec.profile diff --git a/etc/profile-a-l/lzmainfo.profile b/etc/profile-a-l/lzmainfo.profile index d9c72407f5d..25b65c48fde 100644 --- a/etc/profile-a-l/lzmainfo.profile +++ b/etc/profile-a-l/lzmainfo.profile @@ -2,6 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet +# Persistent local customizations +include lzmainfo.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff --git a/etc/profile-a-l/lzmore.profile b/etc/profile-a-l/lzmore.profile index d9c72407f5d..aa4350ad569 100644 --- a/etc/profile-a-l/lzmore.profile +++ b/etc/profile-a-l/lzmore.profile @@ -2,6 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet +# Persistent local customizations +include lzmore.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile 
diff --git a/etc/profile-a-l/lzop.profile b/etc/profile-a-l/lzop.profile new file mode 100644 index 00000000000..f3175c5901f --- /dev/null +++ b/etc/profile-a-l/lzop.profile @@ -0,0 +1,12 @@ +# Firejail profile for lzop +# Description: File compressor using lzo lib +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include lzop.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include cpio.profile diff --git a/etc/profile-m-z/Maelstrom.profile b/etc/profile-m-z/Maelstrom.profile index 5cf570f8029..3acb88e0e98 100644 --- a/etc/profile-m-z/Maelstrom.profile +++ b/etc/profile-m-z/Maelstrom.profile @@ -12,8 +12,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc whitelist /var/lib/games @@ -25,6 +25,7 @@ ipc-namespace net none nodvd nogroups +noinput #nonewprivs #noroot notv diff --git a/etc/profile-m-z/Maps.profile b/etc/profile-m-z/Maps.profile index c52d2f2da86..493a740d7bd 100644 --- a/etc/profile-m-z/Maps.profile +++ b/etc/profile-m-z/Maps.profile @@ -1,5 +1,10 @@ # Firejail profile for gnome-maps # This file is overwritten after every install/update +# Persistent local customizations +include Maps.local +# Persistent global definitions +# added by included profile +#include globals.local # Temporary fix for https://github.com/netblue30/firejail/issues/2624 # Redirect diff --git a/etc/profile-m-z/Mathematica.profile b/etc/profile-m-z/Mathematica.profile index c2734b1c16d..6286f066e96 100644 --- a/etc/profile-m-z/Mathematica.profile +++ b/etc/profile-m-z/Mathematica.profile 
@@ -11,7 +11,6 @@ noblacklist ${HOME}/.Wolfram Research include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.Mathematica diff --git a/etc/profile-m-z/Natron.profile b/etc/profile-m-z/Natron.profile index 42c22bf67fa..061e5d83b8b 100644 --- a/etc/profile-m-z/Natron.profile +++ b/etc/profile-m-z/Natron.profile @@ -1,5 +1,10 @@ # Firejail profile alias for natron # This file is overwritten after every install/update +# Persistent local customizations +include Natron.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include natron.profile diff --git a/etc/profile-m-z/PCSX2.profile b/etc/profile-m-z/PCSX2.profile new file mode 100644 index 00000000000..59150f4c44c --- /dev/null +++ b/etc/profile-m-z/PCSX2.profile 
@@ -0,0 +1,56 @@ +# Firejail profile for PCSX2 +# Description: A PlayStation 2 emulator +# This file is overwritten after every install/update +# Persistent local customizations +include PCSX2.local +# Persistent global definitions +include globals.local + +# Note: you must whitelist your games folder in your PCSX2.local. + +noblacklist ${HOME}/.config/PCSX2 + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-write-mnt.inc +include disable-xdg.inc + +mkdir ${HOME}/.config/PCSX2 +whitelist ${HOME}/.config/PCSX2 +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +net none +netfilter +# Add the next line to your PCSX2.local if you're not loading games from disc. +#nodvd +nogroups +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,netlink +#seccomp - breaks loading with no logs +shell none +#tracelog - 32/64 bit incompatibility + +private-bin PCSX2 +private-cache +# Add the next line to your PCSX2.local if you do not need controller support. +#private-dev +private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg +private-opt none +private-tmp + +dbus-user none +dbus-system none diff --git a/etc/profile-m-z/PPSSPPSDL.profile b/etc/profile-m-z/PPSSPPSDL.profile new file mode 100644 index 00000000000..deb00a43622 --- /dev/null +++ b/etc/profile-m-z/PPSSPPSDL.profile 
@@ -0,0 +1,9 @@ +# Firejail profile for PPSSPPSDL +# This file is overwritten after every install/update +# Persistent local customizations +include PPSSPPSDL.local +# added by included profile +#include globals.local + +# Redirect +include ppsspp.profile diff --git a/etc/profile-m-z/QMediathekView.profile b/etc/profile-m-z/QMediathekView.profile index d1548a8642e..17ea38073ce 100644 --- a/etc/profile-m-z/QMediathekView.profile +++ b/etc/profile-m-z/QMediathekView.profile @@ -23,8 +23,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc whitelist /usr/share/qtchooser @@ -36,6 +36,7 @@ netfilter # no3d nodvd nogroups +noinput nonewprivs noroot notv @@ -52,7 +53,7 @@ private-cache private-dev private-tmp -# dbus-user none -# dbus-system none +dbus-user none +dbus-system none #memory-deny-write-execute - breaks on Arch (see issue #1803) diff --git a/etc/profile-m-z/QOwnNotes.profile b/etc/profile-m-z/QOwnNotes.profile index 8157cdff405..235640eebd0 100644 --- a/etc/profile-m-z/QOwnNotes.profile +++ b/etc/profile-m-z/QOwnNotes.profile @@ -15,8 +15,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/Nextcloud/Notes @@ -35,6 +35,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -49,6 +50,6 @@ tracelog disable-mnt private-bin gio,QOwnNotes private-dev -private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl private-tmp 
diff --git a/etc/profile-m-z/Screenshot.profile b/etc/profile-m-z/Screenshot.profile index d4b0837364f..cfc53c07704 100644 --- a/etc/profile-m-z/Screenshot.profile +++ b/etc/profile-m-z/Screenshot.profile @@ -1,5 +1,10 @@ # Firejail profile for gnome-screenshot # This file is overwritten after every install/update +# Persistent local customizations +include Screenshot.local +# Persistent global definitions +# added by included profile +#include globals.local # Temporary fix for https://github.com/netblue30/firejail/issues/2624 # Redirect diff --git a/etc/profile-m-z/Telegram.profile b/etc/profile-m-z/Telegram.profile index 310e0237eff..6877e1578a6 100644 --- a/etc/profile-m-z/Telegram.profile +++ b/etc/profile-m-z/Telegram.profile @@ -1,5 +1,10 @@ # Firejail profile alias for telegram # This file is overwritten after every install/update +# Persistent local customizations +include Telegram.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include telegram.profile diff --git a/etc/profile-m-z/Viber.profile b/etc/profile-m-z/Viber.profile index 3195e39fa45..ca7165a5d52 100644 --- a/etc/profile-m-z/Viber.profile +++ b/etc/profile-m-z/Viber.profile @@ -12,7 +12,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.ViberPC @@ -34,5 +33,5 @@ shell none disable-mnt private-bin awk,bash,dig,sh,Viber -private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11 +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,ld.so.preload,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11 private-tmp diff --git a/etc/profile-m-z/VirtualBox.profile b/etc/profile-m-z/VirtualBox.profile index 4c99ae9a314..4f88a26c022 100644 
--- a/etc/profile-m-z/VirtualBox.profile +++ b/etc/profile-m-z/VirtualBox.profile @@ -1,6 +1,11 @@ # Firejail profile alias for virtualbox # Description: x86 virtualization solution # This file is overwritten after every install/update +# Persistent local customizations +include VirtualBox.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include virtualbox.profile diff --git a/etc/profile-m-z/XMind.profile b/etc/profile-m-z/XMind.profile index 7e7c0c3cdbf..9c797a3e5aa 100644 --- a/etc/profile-m-z/XMind.profile +++ b/etc/profile-m-z/XMind.profile @@ -11,7 +11,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.xmind @@ -23,6 +22,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/Xephyr.profile b/etc/profile-m-z/Xephyr.profile index ab5fdf942f1..5cf5161cedb 100644 --- a/etc/profile-m-z/Xephyr.profile +++ b/etc/profile-m-z/Xephyr.profile @@ -22,6 +22,7 @@ caps.drop all # Xephyr needs to be allowed access to the abstract Unix socket namespace. nodvd nogroups +noinput nonewprivs # In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix. # noroot diff --git a/etc/profile-m-z/Xvfb.profile b/etc/profile-m-z/Xvfb.profile index 937d02d6047..722e12d9ce9 100644 --- a/etc/profile-m-z/Xvfb.profile +++ b/etc/profile-m-z/Xvfb.profile @@ -25,6 +25,7 @@ caps.drop all # Xvfb needs to be allowed access to the abstract Unix socket namespace. nodvd nogroups +noinput nonewprivs # In noroot mode, Xvfb cannot create a socket in the real /tmp/.X11-unix. #noroot 
@@ -42,5 +43,5 @@ private # private-bin sh,xkbcomp,Xvfb # private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb private-dev -private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf +private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,nsswitch.conf,resolv.conf private-tmp diff --git a/etc/profile-m-z/ZeGrapher.profile b/etc/profile-m-z/ZeGrapher.profile new file mode 100644 index 00000000000..21482a16186 --- /dev/null +++ b/etc/profile-m-z/ZeGrapher.profile @@ -0,0 +1,48 @@ +# Firejail profile for ZeGrapher +# Description: Free and opensource math graphing software +# This file is overwritten after every install/update +# Persistent local customizations +include ZeGrapher.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/ZeGrapher Project + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc + +whitelist /usr/share/ZeGrapher +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +net none +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,netlink +seccomp +shell none +tracelog + +disable-mnt +private-bin ZeGrapher +private-cache +private-dev +private-tmp + +dbus-user none +dbus-system none diff --git a/etc/profile-m-z/macrofusion.profile b/etc/profile-m-z/macrofusion.profile index 3eef22f980e..88b68d43f4b 100644 --- a/etc/profile-m-z/macrofusion.profile +++ b/etc/profile-m-z/macrofusion.profile @@ -16,8 +16,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc caps.drop all 
@@ -25,6 +25,7 @@ ipc-namespace net none nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/magicor.profile b/etc/profile-m-z/magicor.profile index 380a5995740..b7cba2421f8 100644 --- a/etc/profile-m-z/magicor.profile +++ b/etc/profile-m-z/magicor.profile @@ -15,8 +15,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.magicor @@ -31,6 +31,7 @@ caps.drop all net none nodvd nogroups +noinput nonewprivs notv nou2f @@ -44,7 +45,7 @@ disable-mnt private-bin magicor,python2* private-cache private-dev -private-etc machine-id +private-etc ld.so.preload,machine-id private-tmp dbus-user none diff --git a/etc/profile-m-z/makepkg.profile b/etc/profile-m-z/makepkg.profile index 513fcae5546..3a68cce0075 100644 --- a/etc/profile-m-z/makepkg.profile +++ b/etc/profile-m-z/makepkg.profile @@ -32,7 +32,6 @@ noblacklist /var/lib/pacman include disable-common.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile new file mode 100644 index 00000000000..b6038cc9143 --- /dev/null +++ b/etc/profile-m-z/man.profile 
@@ -0,0 +1,69 @@ +# Firejail profile for man +# Description: manpage viewer +quiet +# This file is overwritten after every install/update +# Persistent local customizations +include man.local +# Persistent global definitions +include globals.local + +blacklist ${RUNUSER} + +noblacklist ${HOME}/.local/share/man +noblacklist ${HOME}/.rustup + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-xdg.inc + +#mkdir ${HOME}/.local/share/man +#whitelist ${HOME}/.local/share/man +#whitelist ${HOME}/.manpath +whitelist /usr/share/groff +whitelist /usr/share/info +whitelist /usr/share/lintian +whitelist /usr/share/locale +whitelist /usr/share/man +whitelist /var/cache/man +#include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +machine-id +net none +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +novideo +nou2f +protocol unix +seccomp +shell none +tracelog +x11 none + +disable-mnt +#private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim +private-cache +private-dev +private-etc alternatives,fonts,groff,ld.so.preload,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg +#private-tmp + +dbus-user none +dbus-system none + +memory-deny-write-execute +read-only ${HOME} +read-only /tmp diff --git a/etc/profile-m-z/manaplus.profile b/etc/profile-m-z/manaplus.profile index b29a489a6ff..28dc5d91458 100644 --- a/etc/profile-m-z/manaplus.profile +++ b/etc/profile-m-z/manaplus.profile 
@@ -13,8 +13,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.config/mana @@ -30,6 +30,7 @@ ipc-namespace netfilter nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/marker.profile b/etc/profile-m-z/marker.profile new file mode 100644 index 00000000000..746135ae590 --- /dev/null +++ b/etc/profile-m-z/marker.profile 
@@ -0,0 +1,63 @@ +# Firejail profile for marker +# Description: Marker is a markdown editor for Linux made with Gtk+-3.0 +# This file is overwritten after every install/update +# Persistent local customizations +include marker.local +# Persistent global definitions +include globals.local + +# Add the next lines to your marker.local if you need internet access. +#ignore net none +#protocol unix,inet,inet6 +#private-etc ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf + +noblacklist ${HOME}/.cache/marker +noblacklist ${DOCUMENTS} + +include allow-python3.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +whitelist /usr/libexec/webkit2gtk-4.0 +whitelist /usr/share/com.github.fabiocolacio.marker +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +net none +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +shell none +tracelog + +private-bin marker,python3* +private-cache +private-dev +private-etc alternatives,dconfgtk-3.0,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,pango,X11 +private-tmp + +dbus-user filter +dbus-user.own com.github.fabiocolacio.marker +dbus-user.talk ca.desrt.dconf +dbus-system none diff --git a/etc/profile-m-z/masterpdfeditor.profile b/etc/profile-m-z/masterpdfeditor.profile index e4da0c66a60..dc2088a184e 100644 --- a/etc/profile-m-z/masterpdfeditor.profile +++ b/etc/profile-m-z/masterpdfeditor.profile @@ -13,7 +13,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-var-common.inc 
@@ -23,6 +22,7 @@ caps.drop all machine-id nodvd nogroups +noinput nonewprivs noroot nosound @@ -36,6 +36,6 @@ tracelog private-cache private-dev -private-etc alternatives,fonts +private-etc alternatives,fonts,ld.so.preload private-tmp diff --git a/etc/profile-m-z/mate-calc.profile b/etc/profile-m-z/mate-calc.profile index ce418d68f2f..cb14c658414 100644 --- a/etc/profile-m-z/mate-calc.profile +++ b/etc/profile-m-z/mate-calc.profile @@ -12,7 +12,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.cache/mate-calc @@ -30,6 +29,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -42,7 +42,7 @@ shell none disable-mnt private-bin mate-calc,mate-calculator -private-etc alternatives,dconf,fonts,gtk-3.0 +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload private-dev private-opt none private-tmp diff --git a/etc/profile-m-z/mate-calculator.profile b/etc/profile-m-z/mate-calculator.profile index bb438f5f058..5c8200ec5b4 100644 --- a/etc/profile-m-z/mate-calculator.profile +++ b/etc/profile-m-z/mate-calculator.profile @@ -1,5 +1,10 @@ # Firejail profile alias for mate-calc # This file is overwritten after every install/update +# Persistent local customizations +include mate-calculator.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include mate-calc.profile diff --git a/etc/profile-m-z/mate-color-select.profile b/etc/profile-m-z/mate-color-select.profile index f1a7ca18f6a..97793abd5e6 100644 --- a/etc/profile-m-z/mate-color-select.profile +++ b/etc/profile-m-z/mate-color-select.profile 
@@ -9,16 +9,18 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include whitelist-common.inc +apparmor caps.drop all netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -31,7 +33,7 @@ shell none disable-mnt private-bin mate-color-select -private-etc alternatives,fonts +private-etc alternatives,fonts,ld.so.preload private-dev private-lib private-tmp diff --git a/etc/profile-m-z/mate-dictionary.profile b/etc/profile-m-z/mate-dictionary.profile index 59f439c9146..cb0002af6df 100644 --- a/etc/profile-m-z/mate-dictionary.profile +++ b/etc/profile-m-z/mate-dictionary.profile @@ -11,8 +11,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc mkdir ${HOME}/.config/mate/mate-dictionary whitelist ${HOME}/.config/mate/mate-dictionary @@ -24,6 +24,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -36,7 +37,7 @@ shell none disable-mnt private-bin mate-dictionary -private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,pki,resolv.conf,ssl private-opt mate-dictionary private-dev private-tmp diff --git a/etc/profile-m-z/mathematica.profile b/etc/profile-m-z/mathematica.profile index 96406035035..cc73f9d80da 100644 --- a/etc/profile-m-z/mathematica.profile +++ b/etc/profile-m-z/mathematica.profile @@ -1,5 +1,10 @@ # Firejail profile alias for Mathematica # This file is overwritten after every install/update +# Persistent local customizations +include mathematica.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include Mathematica.profile 
diff --git a/etc/profile-m-z/matrix-mirage.profile b/etc/profile-m-z/matrix-mirage.profile new file mode 100644 index 00000000000..b3080df88c5 --- /dev/null +++ b/etc/profile-m-z/matrix-mirage.profile @@ -0,0 +1,24 @@ +# Firejail profile for matrix-mirage +# Description: Debian name for mirage binary/package +# This file is overwritten after every install/update +# Persistent local customizations +include matrix-mirage.local +# Persistent global definitions +# added by included profile +#include globals.local + +noblacklist ${HOME}/.cache/matrix-mirage +noblacklist ${HOME}/.config/matrix-mirage +noblacklist ${HOME}/.local/share/matrix-mirage + +mkdir ${HOME}/.cache/matrix-mirage +mkdir ${HOME}/.config/matrix-mirage +mkdir ${HOME}/.local/share/matrix-mirage +whitelist ${HOME}/.cache/matrix-mirage +whitelist ${HOME}/.config/matrix-mirage +whitelist ${HOME}/.local/share/matrix-mirage + +private-bin matrix-mirage + +# Redirect +include mirage.profile diff --git a/etc/profile-m-z/mattermost-desktop.profile b/etc/profile-m-z/mattermost-desktop.profile new file mode 100644 index 00000000000..3c2bf4fa390 --- /dev/null +++ b/etc/profile-m-z/mattermost-desktop.profile 
@@ -0,0 +1,29 @@ +# Firejail profile for mattermost-desktop +# This file is overwritten after every install/update +# Persistent local customizations +include mattermost-desktop.local +# Persistent global definitions +include globals.local + +# Disabled until someone reported positive feedback +ignore apparmor +ignore dbus-user none +ignore dbus-system none + +noblacklist ${HOME}/.config/Mattermost + +include disable-shell.inc + +mkdir ${HOME}/.config/Mattermost +whitelist ${HOME}/.config/Mattermost + +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl + +# Not tested +#dbus-user filter +#dbus-user.own com.mattermost.Desktop +#dbus-user.talk org.freedesktop.Notifications +#dbus-system none + +# Redirect +include electron.profile diff --git a/etc/profile-m-z/mcabber.profile b/etc/profile-m-z/mcabber.profile index 134a6ae6378..87083f1e329 100644 --- a/etc/profile-m-z/mcabber.profile +++ b/etc/profile-m-z/mcabber.profile @@ -12,12 +12,13 @@ noblacklist ${HOME}/.mcabberrc include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc caps.drop all netfilter nodvd +noinput nonewprivs noroot nosound @@ -30,4 +31,4 @@ shell none private-bin mcabber private-dev -private-etc alternatives,ca-certificates,crypto-policies,pki,ssl +private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,pki,ssl diff --git a/etc/profile-m-z/mcomix.profile b/etc/profile-m-z/mcomix.profile new file mode 100644 index 00000000000..5c965f55c9c --- /dev/null +++ b/etc/profile-m-z/mcomix.profile 
@@ -0,0 +1,73 @@ +# Firejail profile for mcomix +# Description: A comic book and manga viewer in python +# This file is overwritten after every install/update +# Persistent local customizations +include mcomix.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/mcomix +noblacklist ${HOME}/.local/share/mcomix +noblacklist ${DOCUMENTS} + +# Allow /bin/sh (blacklisted by disable-shell.inc) +include allow-bin-sh.inc + +# Allow python (blacklisted by disable-interpreters.inc) +# mcomix <= 1.2 uses python2 +include allow-python2.inc +include allow-python3.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-write-mnt.inc +include disable-xdg.inc + +mkdir ${HOME}/.config/mcomix +mkdir ${HOME}/.local/share/mcomix +whitelist /usr/share/mcomix +include whitelist-usr-share-common.inc +include whitelist-var-common.inc +include whitelist-runuser-common.inc + +apparmor +caps.drop all +machine-id +net none +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +shell none +tracelog + +# mcomix <= 1.2 uses python2 +private-bin 7z,lha,mcomix,mutool,python*,rar,sh,unrar,unzip +private-cache +private-dev +# mcomix <= 1.2 uses gtk-2.0 +private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,pango,passwd,X11,xdg +private-tmp + +dbus-user none +dbus-system none + +read-only ${HOME} +read-write ${HOME}/.config/mcomix +read-write ${HOME}/.local/share/mcomix +#to allow ${HOME}/.local/share/recently-used.xbel +read-write ${HOME}/.local/share +# used by mcomix <= 1.2, tip, make a symbolic link to .cache/thumbnails +read-write ${HOME}/.thumbnails 
diff --git a/etc/profile-m-z/md5sum.profile b/etc/profile-m-z/md5sum.profile new file mode 100644 index 00000000000..3612c73fd55 --- /dev/null +++ b/etc/profile-m-z/md5sum.profile @@ -0,0 +1,13 @@ +# Firejail profile for md5sum +# Description: compute and check MD5 message digest +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include md5sum.local +# Persistent global definitions +include globals.local + +private-bin md5sum + +# Redirect +include hasher-common.profile diff --git a/etc/profile-m-z/mdr.profile b/etc/profile-m-z/mdr.profile new file mode 100644 index 00000000000..da5e0ffa88b --- /dev/null +++ b/etc/profile-m-z/mdr.profile @@ -0,0 +1,55 @@ +# Firejail profile for mdr +# Description: A standalone Markdown renderer for the terminal +# Persistent local customizations +include mdr.local +# Persistent global definitions +include globals.local + +blacklist ${RUNUSER}/wayland-* + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +whitelist ${DOWNLOADS} +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +hostname mdr +ipc-namespace +machine-id +net none +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +shell none +tracelog +x11 none + +disable-mnt +private-bin mdr +private-cache +private-dev +private-etc ld.so.preload,none +private-lib +private-tmp + +dbus-user none +dbus-system none + +memory-deny-write-execute diff --git a/etc/profile-m-z/mediainfo.profile b/etc/profile-m-z/mediainfo.profile index c62d3f6d54e..9403321e22c 100644 --- a/etc/profile-m-z/mediainfo.profile +++ b/etc/profile-m-z/mediainfo.profile 
@@ -12,8 +12,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -26,6 +26,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -41,7 +42,7 @@ x11 none private-bin mediainfo private-cache private-dev -private-etc alternatives +private-etc alternatives,ld.so.preload private-tmp dbus-user none diff --git a/etc/profile-m-z/mediathekview.profile b/etc/profile-m-z/mediathekview.profile index 95cd673c641..f73ef093557 100644 --- a/etc/profile-m-z/mediathekview.profile +++ b/etc/profile-m-z/mediathekview.profile @@ -24,7 +24,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -34,6 +33,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/megaglest.profile b/etc/profile-m-z/megaglest.profile index 19f9edf051d..d5574569888 100644 --- a/etc/profile-m-z/megaglest.profile +++ b/etc/profile-m-z/megaglest.profile @@ -12,13 +12,14 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.megaglest whitelist ${HOME}/.megaglest whitelist /usr/share/megaglest +whitelist /usr/share/games/megaglest # Debian version include whitelist-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc @@ -30,6 +31,7 @@ ipc-namespace netfilter nodvd nogroups +noinput nonewprivs noroot notv @@ -37,6 +39,7 @@ nou2f novideo protocol unix,inet,inet6,netlink seccomp +seccomp.block-secondary shell none tracelog 
diff --git a/etc/profile-m-z/megaglest_editor.profile b/etc/profile-m-z/megaglest_editor.profile index 02aad808465..4635573e622 100644 --- a/etc/profile-m-z/megaglest_editor.profile +++ b/etc/profile-m-z/megaglest_editor.profile @@ -1,5 +1,10 @@ # Firejail profile alias for megaglest # This file is overwritten after every install/update +# Persistent local customizations +include megaglest_editor.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include megaglest.profile diff --git a/etc/profile-m-z/meld.profile b/etc/profile-m-z/meld.profile index be13e964368..4aeca0f287e 100644 --- a/etc/profile-m-z/meld.profile +++ b/etc/profile-m-z/meld.profile 
@@ -6,43 +6,47 @@ include meld.local # Persistent global definitions include globals.local -# If you want to use meld as git-mergetool (and maybe some other VCS integrations) you need -# to bypass firejail, you can do this by removing the symlink or calling it by its absolute path +# If you want to use meld as git mergetool (and maybe some other VCS integrations) you need +# to bypass firejail. You can do this by removing the symlink or by calling it by its absolute path. # Removing the symlink: -# sudo rm /usr/local/bin/meld -# Calling by its absolute path (example for git-mergetool): -# git config --global mergetool.meld.cmd /usr/bin/meld +# $ sudo rm /usr/local/bin/meld +# Calling it by its absolute path (example for git mergetool): +# $ git config --global mergetool.meld.cmd /usr/bin/meld noblacklist ${HOME}/.config/meld noblacklist ${HOME}/.config/git noblacklist ${HOME}/.gitconfig noblacklist ${HOME}/.git-credentials noblacklist ${HOME}/.local/share/meld -noblacklist ${HOME}/.ssh noblacklist ${HOME}/.subversion # Allow python (blacklisted by disable-interpreters.inc) +# Python 2 is EOL (see #3164). Add the next line to your meld.local if you understand the risks +# but want to keep Python 2 support for older meld versions. +#include allow-python2.inc include allow-python3.inc -# Python 2 is EOL (see #3164). Uncomment the next line (or put it into your meld.local) if you understand the risks but want python 2 support for older meld versions. -#include allow-python2.inc +# Allow ssh (blacklisted by disable-common.inc) +include allow-ssh.inc + +blacklist /usr/libexec -# Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-common.inc. +# Add the next line to your meld.local if you don't need to compare files in disable-common.inc. 
#include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc -# Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-programs.inc. +# Add the next line to your meld.local if you don't need to compare files in disable-programs.inc. #include disable-programs.inc +include disable-shell.inc include whitelist-runuser-common.inc -# Uncomment the next lines (or put it into your meld.local) if you don't need to compare files in /usr/share. +# Add the next lines to your meld.local if you don't need to compare files in /usr/share. #whitelist /usr/share/meld #include whitelist-usr-share-common.inc -# Uncomment the next line (or put it into your meld.local) if you don't need to compare files in /var. +# Add the next line to your meld.local if you don't need to compare files in /var. #include whitelist-var-common.inc apparmor @@ -53,6 +57,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -61,14 +66,16 @@ nou2f novideo protocol unix,inet,inet6 seccomp +seccomp.block-secondary shell none tracelog private-bin bzr,cvs,git,hg,meld,python*,svn private-cache private-dev -# Uncomment the next line (or put it into your meld.local) if you don't need to compare in /etc. +# Add the next line to your meld.local if you don't need to compare files in /etc. #private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion +# Add 'ignore private-tmp' to your meld.local if you want to use it as difftool (#3551). private-tmp read-only ${HOME}/.ssh diff --git a/etc/profile-m-z/mencoder.profile b/etc/profile-m-z/mencoder.profile index caf238785e9..3909e543e82 100644 --- a/etc/profile-m-z/mencoder.profile +++ b/etc/profile-m-z/mencoder.profile 
@@ -11,7 +11,6 @@ include mencoder.local #include disable-common.inc #include disable-devel.inc #include disable-interpreters.inc -#include disable-passwdmgr.inc #include disable-programs.inc ipc-namespace diff --git a/etc/profile-m-z/mendeleydesktop.profile b/etc/profile-m-z/mendeleydesktop.profile index 6022b110a51..446109e9af5 100644 --- a/etc/profile-m-z/mendeleydesktop.profile +++ b/etc/profile-m-z/mendeleydesktop.profile @@ -22,7 +22,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-var-common.inc @@ -31,6 +30,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/menulibre.profile b/etc/profile-m-z/menulibre.profile new file mode 100644 index 00000000000..f9f7db3cb04 --- /dev/null +++ b/etc/profile-m-z/menulibre.profile 
@@ -0,0 +1,64 @@ +# Firejail profile for menulibre +# Description: Create desktop and menu launchers easily +# This file is overwritten after every install/update +# Persistent local customizations +include menulibre.local +# Persistent global definitions +include globals.local + +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python2.inc +include allow-python3.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-xdg.inc + +# Whitelist your system icon directory,varies by distro +whitelist /usr/share/app-info +whitelist /usr/share/desktop-directories +whitelist /usr/share/icons +whitelist /usr/share/menulibre +whitelist /var/lib/app-info/icons +whitelist /var/lib/flatpak/exports/share/applications +whitelist /var/lib/flatpak/exports/share/icons +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +net none +nodvd +no3d +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-cache +private-dev +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload,locale.alias,locale.conf,mime.types,nsswitch.conf,passwd,pki,selinux,X11,xdg +private-tmp + +dbus-user none +dbus-system none + +read-write ${HOME}/.config/menus +read-write ${HOME}/.gnome/apps +read-write ${HOME}/.local/share/applications +read-write ${HOME}/.local/share/flatpak/exports diff --git a/etc/profile-m-z/meteo-qt.profile b/etc/profile-m-z/meteo-qt.profile index f9466eb6189..bdd36949b4f 100644 --- a/etc/profile-m-z/meteo-qt.profile +++ b/etc/profile-m-z/meteo-qt.profile 
@@ -16,8 +16,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.config/meteo-qt @@ -30,6 +30,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/microsoft-edge-beta.profile b/etc/profile-m-z/microsoft-edge-beta.profile new file mode 100644 index 00000000000..095038f08ca --- /dev/null +++ b/etc/profile-m-z/microsoft-edge-beta.profile @@ -0,0 +1,20 @@ +# Firejail profile for Microsoft Edge Beta +# Description: Web browser from Microsoft,beta channel +# This file is overwritten after every install/update +# Persistent local customizations +include microsoft-edge-beta.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/microsoft-edge-beta +noblacklist ${HOME}/.config/microsoft-edge-beta + +mkdir ${HOME}/.cache/microsoft-edge-beta +mkdir ${HOME}/.config/microsoft-edge-beta +whitelist ${HOME}/.cache/microsoft-edge-beta +whitelist ${HOME}/.config/microsoft-edge-beta + +private-opt microsoft + +# Redirect +include chromium-common.profile diff --git a/etc/profile-m-z/microsoft-edge-dev.profile b/etc/profile-m-z/microsoft-edge-dev.profile new file mode 100644 index 00000000000..039cd36a80c --- /dev/null +++ b/etc/profile-m-z/microsoft-edge-dev.profile 
@@ -0,0 +1,20 @@ +# Firejail profile for Microsoft Edge Dev +# Description: Web browser from Microsoft,dev channel +# This file is overwritten after every install/update +# Persistent local customizations +include microsoft-edge-dev.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/microsoft-edge-dev +noblacklist ${HOME}/.config/microsoft-edge-dev + +mkdir ${HOME}/.cache/microsoft-edge-dev +mkdir ${HOME}/.config/microsoft-edge-dev +whitelist ${HOME}/.cache/microsoft-edge-dev +whitelist ${HOME}/.config/microsoft-edge-dev + +private-opt microsoft + +# Redirect +include chromium-common.profile diff --git a/etc/profile-m-z/microsoft-edge.profile b/etc/profile-m-z/microsoft-edge.profile new file mode 100644 index 00000000000..f427507d11c --- /dev/null +++ b/etc/profile-m-z/microsoft-edge.profile @@ -0,0 +1,11 @@ +# Firejail profile for Microsoft Edge +# Description: Web browser from Microsoft +# This file is overwritten after every install/update +# Persistent local customizations +include microsoft-edge.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include microsoft-edge-dev.profile diff --git a/etc/profile-m-z/midori.profile b/etc/profile-m-z/midori.profile index e152596083a..7928d124ef2 100644 --- a/etc/profile-m-z/midori.profile +++ b/etc/profile-m-z/midori.profile @@ -25,7 +25,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -#include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc diff --git a/etc/profile-m-z/mindless.profile b/etc/profile-m-z/mindless.profile index e6ea54522d5..bcc7b232b2d 100644 --- a/etc/profile-m-z/mindless.profile +++ b/etc/profile-m-z/mindless.profile 
@@ -10,8 +10,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc whitelist /usr/share/mindless @@ -25,6 +25,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -41,7 +42,7 @@ private private-bin mindless private-cache private-dev -private-etc fonts +private-etc fonts,ld.so.preload private-tmp dbus-user none diff --git a/etc/profile-m-z/minecraft-launcher.profile b/etc/profile-m-z/minecraft-launcher.profile new file mode 100644 index 00000000000..d4f3e344ee1 --- /dev/null +++ b/etc/profile-m-z/minecraft-launcher.profile 
@@ -0,0 +1,59 @@ +# Firejail profile for minecraft-launcher +# Description: Official Minecraft launcher from Mojang +# This file is overwritten after every install/update +# Persistent local customizations +include minecraft-launcher.local +# Persistent global definitions +include globals.local + +# Some distros put the executable in /opt/minecraft-launcher. +# Run 'firejail /opt/minecraft-launcher/minecraft-launcher' to start it. + +ignore noexec ${HOME} + +noblacklist ${HOME}/.minecraft + +include allow-java.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.minecraft +whitelist ${HOME}/.minecraft +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +caps.drop all +netfilter +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,inet,inet6,netlink +seccomp +shell none +tracelog + +disable-mnt +private-bin java,java-config,minecraft-launcher +private-cache +private-dev +# If multiplayer or realms break, add 'private-etc ' +# or 'ignore private-etc' to your minecraft-launcher.local. +private-etc alternatives,asound.conf,ati,ca-certificates,crypto-policies,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-14-openjdk,java-7-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,login.defs,machine-id,mime.types,nvidia,passwd,pki,pulse,resolv.conf,selinux,services,ssl,timezone,X11,xdg +private-opt minecraft-launcher +private-tmp + +dbus-user none +dbus-system none diff --git a/etc/profile-m-z/minetest.profile b/etc/profile-m-z/minetest.profile index f201b13d730..ec5de821acf 100644 --- a/etc/profile-m-z/minetest.profile 
+++ b/etc/profile-m-z/minetest.profile @@ -6,21 +6,28 @@ include minetest.local # Persistent global definitions include globals.local +# In order to save in-game screenshots to a persistent location edit ~/.minetest/minetest.conf: +# screenshot_path = /home//.minetest/screenshots + noblacklist ${HOME}/.cache/minetest noblacklist ${HOME}/.minetest +# Allow lua (blacklisted by disable-interpreters.inc) +include allow-lua.inc + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.cache/minetest mkdir ${HOME}/.minetest whitelist ${HOME}/.cache/minetest whitelist ${HOME}/.minetest +whitelist /usr/share/games/minetest whitelist /usr/share/minetest include whitelist-common.inc include whitelist-runuser-common.inc @@ -32,6 +39,7 @@ ipc-namespace netfilter nodvd nogroups +noinput nonewprivs noroot notv @@ -39,12 +47,14 @@ nou2f novideo protocol unix,inet,inet6 seccomp +seccomp.block-secondary shell none tracelog disable-mnt -private-bin minetest -private-cache +private-bin minetest,rm +# cache is used for storing assets when connecting to servers +#private-cache private-dev # private-etc needs to be updated, see #1702 #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl diff --git a/etc/profile-m-z/minitube.profile b/etc/profile-m-z/minitube.profile new file mode 100644 index 00000000000..581af9b81de --- /dev/null +++ b/etc/profile-m-z/minitube.profile 
@@ -0,0 +1,61 @@ +# Firejail profile for minitube +# Description: Native Youtube viewer for Linux +# This file is overwritten after every install/update +# Persistent local customizations +include minitube.local +# Persistent global definitions +include globals.local + +noblacklist ${PICTURES} +noblacklist ${HOME}/.cache/Flavio Tordini +noblacklist ${HOME}/.config/Flavio Tordini +noblacklist ${HOME}/.local/share/Flavio Tordini + +include allow-lua.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.cache/Flavio Tordini +mkdir ${HOME}/.config/Flavio Tordini +mkdir ${HOME}/.local/share/Flavio Tordini +whitelist ${PICTURES} +whitelist ${HOME}/.cache/Flavio Tordini +whitelist ${HOME}/.config/Flavio Tordini +whitelist ${HOME}/.local/share/Flavio Tordini +whitelist /usr/share/minitube +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +netfilter +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,inet,inet6,netlink +seccomp +shell none +tracelog + +disable-mnt +private-bin minitube +private-cache +private-dev +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg +private-tmp + +dbus-user none +dbus-system none diff --git a/etc/profile-m-z/mirage.profile b/etc/profile-m-z/mirage.profile new file mode 100644 index 00000000000..5a8544965c7 --- /dev/null +++ b/etc/profile-m-z/mirage.profile 
@@ -0,0 +1,61 @@ +# Firejail profile for mirage +# Description: Desktop client for Matrix +# This file is overwritten after every install/update +# Persistent local customizations +include mirage.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/mirage +noblacklist ${HOME}/.config/mirage +noblacklist ${HOME}/.local/share/mirage +noblacklist /sbin + +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python2.inc +include allow-python3.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.cache/mirage +mkdir ${HOME}/.config/mirage +mkdir ${HOME}/.local/share/mirage +whitelist ${HOME}/.cache/mirage +whitelist ${HOME}/.config/mirage +whitelist ${HOME}/.local/share/mirage +whitelist ${DOWNLOADS} +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +netfilter +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +disable-mnt +private-bin ldconfig,mirage +private-cache +private-dev +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg +private-tmp + +dbus-user none +dbus-system none diff --git a/etc/profile-m-z/mirrormagic.profile b/etc/profile-m-z/mirrormagic.profile index ef074843652..133a1735028 100644 --- a/etc/profile-m-z/mirrormagic.profile +++ b/etc/profile-m-z/mirrormagic.profile 
@@ -12,8 +12,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.mirrormagic @@ -28,6 +28,7 @@ caps.drop all net none nodvd nogroups +noinput nonewprivs noroot notv @@ -43,7 +44,7 @@ private private-bin mirrormagic private-cache private-dev -private-etc machine-id +private-etc ld.so.preload,machine-id private-tmp dbus-user none diff --git a/etc/profile-m-z/mocp.profile b/etc/profile-m-z/mocp.profile new file mode 100644 index 00000000000..79f603f9255 --- /dev/null +++ b/etc/profile-m-z/mocp.profile @@ -0,0 +1,53 @@ +# Firejail profile for mocp +# Description: A powerful & easy to use console audio player +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include mocp.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.moc +noblacklist ${MUSIC} + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-xdg.inc + +include whitelist-usr-share-common.inc +include whitelist-runuser-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,inet,inet6,netlink +seccomp +shell none +tracelog + +private-bin mocp +private-cache +private-dev +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl +private-tmp + +dbus-user none +dbus-system none + +memory-deny-write-execute +read-only ${HOME} +read-write ${HOME}/.moc diff --git a/etc/profile-m-z/mousepad.profile b/etc/profile-m-z/mousepad.profile index 868313c40fa..2939d9bde25 100644 --- a/etc/profile-m-z/mousepad.profile +++ b/etc/profile-m-z/mousepad.profile 
@@ -12,8 +12,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include whitelist-var-common.inc @@ -22,6 +22,7 @@ caps.drop all net none nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/mp3splt-gtk.profile b/etc/profile-m-z/mp3splt-gtk.profile index bf60773953b..445691f6ae0 100644 --- a/etc/profile-m-z/mp3splt-gtk.profile +++ b/etc/profile-m-z/mp3splt-gtk.profile @@ -12,8 +12,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include whitelist-var-common.inc @@ -23,6 +23,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot notv @@ -36,7 +37,7 @@ tracelog private-bin mp3splt-gtk private-cache private-dev -private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-3.0,machine-id,openal,pulse +private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-3.0,ld.so.preload,machine-id,openal,pulse private-tmp dbus-user none diff --git a/etc/profile-m-z/mp3splt.profile b/etc/profile-m-z/mp3splt.profile index c65754a0326..4d61092502b 100644 --- a/etc/profile-m-z/mp3splt.profile +++ b/etc/profile-m-z/mp3splt.profile @@ -14,7 +14,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -28,6 +27,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -44,7 +44,7 @@ disable-mnt private-bin flacsplt,mp3splt,mp3wrap,oggsplt private-cache private-dev -private-etc alternatives +private-etc alternatives,ld.so.preload private-tmp memory-deny-write-execute diff --git a/etc/profile-m-z/mpDris2.profile b/etc/profile-m-z/mpDris2.profile index fd0351db0e6..59739091473 100644 
--- a/etc/profile-m-z/mpDris2.profile +++ b/etc/profile-m-z/mpDris2.profile @@ -18,8 +18,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc whitelist ${MUSIC} @@ -35,6 +35,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -48,7 +49,7 @@ shell none private-bin mpDris2,notify-send,python* private-cache private-dev -private-etc alternatives,hosts,nsswitch.conf +private-etc alternatives,hosts,ld.so.preload,nsswitch.conf private-lib libdbus-1.so.*,libdbus-glib-1.so.*,libgirepository-1.0.so.*,libnotify.so.*,libpython*,python2*,python3* private-tmp diff --git a/etc/profile-m-z/mpd.profile b/etc/profile-m-z/mpd.profile index 3fda87a4899..761d5b041aa 100644 --- a/etc/profile-m-z/mpd.profile +++ b/etc/profile-m-z/mpd.profile @@ -15,7 +15,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -26,6 +25,7 @@ caps.drop all netfilter no3d nodvd +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/mpg123.profile b/etc/profile-m-z/mpg123.profile index 6e18aa40164..c3bff23bc39 100644 --- a/etc/profile-m-z/mpg123.profile +++ b/etc/profile-m-z/mpg123.profile @@ -1,19 +1,18 @@ # Firejail profile for mpg123 # Description: MPEG audio player/decoder # This file is overwritten after every install/update +quiet # Persistent local customizations include mpg123.local # Persistent global definitions include globals.local noblacklist ${MUSIC} -noblacklist ${VIDEOS} include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc 
@@ -23,19 +22,24 @@ include whitelist-var-common.inc apparmor caps.drop all netfilter +no3d nogroups +noinput nonewprivs noroot +notv nou2f +novideo protocol unix,inet,inet6,netlink seccomp shell none +tracelog #private-bin mpg123* private-dev private-tmp -memory-deny-write-execute - dbus-user none dbus-system none + +memory-deny-write-execute diff --git a/etc/profile-m-z/mplayer.profile b/etc/profile-m-z/mplayer.profile index cd25d6c0b0f..2d51d98840b 100644 --- a/etc/profile-m-z/mplayer.profile +++ b/etc/profile-m-z/mplayer.profile @@ -7,17 +7,18 @@ include mplayer.local include globals.local noblacklist ${HOME}/.mplayer -noblacklist ${MUSIC} -noblacklist ${VIDEOS} include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc -include disable-xdg.inc +read-only ${DESKTOP} +mkdir ${HOME}/.mplayer +whitelist ${HOME}/.mplayer +include whitelist-common.inc +include whitelist-player-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -26,6 +27,7 @@ caps.drop all # net none - mplayer can be used for streaming. netfilter # nogroups +noinput nonewprivs noroot nou2f @@ -36,4 +38,3 @@ shell none private-bin mplayer private-dev private-tmp - diff --git a/etc/profile-m-z/mpsyt.profile b/etc/profile-m-z/mpsyt.profile index f30fd48ebb8..cadfd9b7ff2 100644 --- a/etc/profile-m-z/mpsyt.profile +++ b/etc/profile-m-z/mpsyt.profile @@ -13,6 +13,9 @@ noblacklist ${HOME}/.mplayer noblacklist ${HOME}/.netrc noblacklist ${HOME}/mps +# Allow lua (blacklisted by disable-interpreters.inc) +include allow-lua.inc + # Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc include allow-python3.inc 
@@ -24,8 +27,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.config/mps-youtube @@ -39,10 +42,8 @@ whitelist ${HOME}/.config/youtube-dl whitelist ${HOME}/.mplayer whitelist ${HOME}/.netrc whitelist ${HOME}/mps -whitelist ${DOWNLOADS} -whitelist ${MUSIC} -whitelist ${VIDEOS} include whitelist-common.inc +include whitelist-player-common.inc include whitelist-var-common.inc apparmor @@ -51,6 +52,7 @@ netfilter nodvd # Seems to cause issues with Nvidia drivers sometimes nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile index 8c463e7db6c..74402a8de52 100644 --- a/etc/profile-m-z/mpv.profile +++ b/etc/profile-m-z/mpv.profile 
@@ -7,28 +7,54 @@ include mpv.local # Persistent global definitions include globals.local +# In order to save screenshots to a persistent location, +# edit ~/.config/mpv/foobar.conf: +# screenshot-directory=~/Pictures + +# Mpv has a powerful lua-API, some off these lua-scripts interact +# with external resources which are blocked by firejail. In such cases +# you need to allow these resources by +# - adding additional binaries to private-bin +# - whitelisting additional paths +# - noblacklisting paths +# - weaking the dbus-policy +# - ... +# +# Often these scripts require a shell: +#include allow-bin-sh.inc +#private-bin sh + noblacklist ${HOME}/.config/mpv noblacklist ${HOME}/.config/youtube-dl noblacklist ${HOME}/.netrc # Allow lua (blacklisted by disable-interpreters.inc) include allow-lua.inc + # Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc include allow-python3.inc -noblacklist ${MUSIC} -noblacklist ${PICTURES} -noblacklist ${VIDEOS} +blacklist /usr/libexec include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc -include disable-xdg.inc +include disable-shell.inc +read-only ${DESKTOP} +mkdir ${HOME}/.config/mpv +mkdir ${HOME}/.config/youtube-dl +mkfile ${HOME}/.netrc +whitelist ${HOME}/.config/mpv +whitelist ${HOME}/.config/youtube-dl +whitelist ${HOME}/.netrc +include whitelist-common.inc +include whitelist-player-common.inc +whitelist /usr/share/lua +whitelist /usr/share/lua* whitelist /usr/share/vulkan include whitelist-usr-share-common.inc include whitelist-var-common.inc 
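Review bot: the new comment block in mpv.profile carries two typos that will ship in the installed file: "some off these lua-scripts" should read "some of these lua-scripts", and "weaking the dbus-policy" should read "weakening the dbus-policy". In the same block, `edit ~/.config/mpv/foobar.conf` reads like a placeholder left in; name the file users are actually expected to edit. Further down in the same hunk, `whitelist /usr/share/lua` is already matched by the `whitelist /usr/share/lua*` line directly below it, so one of the two lines can go.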
@@ -36,19 +62,20 @@ include whitelist-var-common.inc apparmor caps.drop all netfilter - -# Seems to cause issues with Nvidia drivers sometimes +# nogroups seems to cause issues with Nvidia drivers sometimes nogroups +noinput nonewprivs noroot nou2f protocol unix,inet,inet6,netlink seccomp +seccomp.block-secondary shell none tracelog -private-bin env,mpv,python*,youtube-dl -# Causes slow OSD, see #2838 +private-bin env,mpv,python*,waf,youtube-dl +# private-cache causes slow OSD, see #2838 #private-cache private-dev diff --git a/etc/profile-m-z/mrrescue.profile b/etc/profile-m-z/mrrescue.profile index f02a4f357b2..16dc97d0c79 100644 --- a/etc/profile-m-z/mrrescue.profile +++ b/etc/profile-m-z/mrrescue.profile @@ -8,18 +8,27 @@ include globals.local noblacklist ${HOME}/.local/share/love +# Allow /bin/sh (blacklisted by disable-shell.inc) +include allow-bin-sh.inc + +# Allow lua (blacklisted by disable-interpreters.inc) +include allow-lua.inc + +blacklist /usr/libexec + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.local/share/love whitelist ${HOME}/.local/share/love whitelist /usr/share/mrrescue include whitelist-common.inc +include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -28,6 +37,7 @@ caps.drop all net none nodvd nogroups +noinput nonewprivs noroot notv @@ -35,6 +45,7 @@ nou2f novideo protocol unix,netlink seccomp +seccomp.block-secondary shell none tracelog @@ -42,7 +53,7 @@ disable-mnt private-bin love,mrrescue,sh private-cache private-dev -private-etc machine-id +private-etc ld.so.preload,machine-id private-tmp dbus-user none diff --git a/etc/profile-m-z/ms-office.profile b/etc/profile-m-z/ms-office.profile index a6892d6983d..7b4a305e93f 100644 --- a/etc/profile-m-z/ms-office.profile 
+++ b/etc/profile-m-z/ms-office.profile @@ -16,13 +16,13 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv @@ -35,7 +35,7 @@ tracelog disable-mnt private-bin bash,env,fonts,jak,ms-office,python*,sh -private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,pki,resolv.conf,ssl private-dev private-tmp diff --git a/etc/profile-m-z/mtpaint.profile b/etc/profile-m-z/mtpaint.profile new file mode 100644 index 00000000000..126336cb3f6 --- /dev/null +++ b/etc/profile-m-z/mtpaint.profile @@ -0,0 +1,49 @@ +# Firejail profile for mtpaint +# Description: Simple painting and editing program +# This file is overwritten after every install/update +# Persistent local customizations +include mtpaint.local +# Persistent global definitions +include globals.local + +noblacklist ${PICTURES} + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +net none +nodvd +no3d +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +shell none +tracelog + +disable-mnt +private-bin mtpaint +private-cache +private-dev +private-tmp + +dbus-user none +dbus-system none diff --git a/etc/profile-m-z/multimc.profile b/etc/profile-m-z/multimc.profile index 338f494c981..2c8b95a2697 100644 --- a/etc/profile-m-z/multimc.profile +++ b/etc/profile-m-z/multimc.profile 
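Review bot: in the new mtpaint.profile the option list has `nodvd` before `no3d`, while every other profile in this patch (mp3splt-gtk, mp3splt, mpDris2, mutt, neomutt) keeps the sorted order `no3d`, `nodvd`, `nogroups`; swap the two lines so the new file follows the repository convention.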
@@ -1,5 +1,10 @@ # Firejail profile alias for multimc5 # This file is overwritten after every install/update +# Persistent local customizations +include multimc.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include multimc5.profile diff --git a/etc/profile-m-z/multimc5.profile b/etc/profile-m-z/multimc5.profile index 4753074188b..a61f9001d4a 100644 --- a/etc/profile-m-z/multimc5.profile +++ b/etc/profile-m-z/multimc5.profile @@ -9,6 +9,10 @@ noblacklist ${HOME}/.local/share/multimc noblacklist ${HOME}/.local/share/multimc5 noblacklist ${HOME}/.multimc5 +# Ignore noexec on ${HOME} as MultiMC installs LWJGL native +# libraries in ${HOME}/.local/share/multimc +ignore noexec ${HOME} + # Allow java (blacklisted by disable-devel.inc) include allow-java.inc @@ -16,7 +20,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.local/share/multimc @@ -31,6 +34,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/mumble.profile b/etc/profile-m-z/mumble.profile index a16934806e5..ad09209792a 100644 --- a/etc/profile-m-z/mumble.profile +++ b/etc/profile-m-z/mumble.profile @@ -14,8 +14,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc mkdir ${HOME}/.config/Mumble mkdir ${HOME}/.local/share/data/Mumble @@ -28,7 +28,6 @@ include whitelist-var-common.inc caps.drop all netfilter -no3d nodvd nogroups nonewprivs diff --git a/etc/profile-m-z/mupdf-x11-curl.profile b/etc/profile-m-z/mupdf-x11-curl.profile index a04d386a2f7..b95ab21941a 100644 --- a/etc/profile-m-z/mupdf-x11-curl.profile +++ b/etc/profile-m-z/mupdf-x11-curl.profile 
@@ -12,7 +12,7 @@ ignore net none netfilter protocol unix,inet,inet6 -private-etc ca-certificates,crypto-policies,hosts,nsswitch.conf,pki,resolv.conf,ssl +private-etc ca-certificates,crypto-policies,hosts,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl # Redirect include mupdf.profile diff --git a/etc/profile-m-z/mupdf.profile b/etc/profile-m-z/mupdf.profile index a3e56170ad2..857b9e7df57 100644 --- a/etc/profile-m-z/mupdf.profile +++ b/etc/profile-m-z/mupdf.profile @@ -12,7 +12,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -24,6 +23,7 @@ machine-id net none nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/mupen64plus.profile b/etc/profile-m-z/mupen64plus.profile index 00983a8f3e9..093767c2702 100644 --- a/etc/profile-m-z/mupen64plus.profile +++ b/etc/profile-m-z/mupen64plus.profile @@ -11,8 +11,6 @@ noblacklist ${HOME}/.local/share/mupen64plus include disable-common.inc include disable-devel.inc -include disable-passwdmgr.inc -include disable-passwdmgr.inc include disable-programs.inc # you'll need to manually whitelist ROM files diff --git a/etc/profile-m-z/musescore.profile b/etc/profile-m-z/musescore.profile index 679e82ae8d9..12bb653a8f9 100644 --- a/etc/profile-m-z/musescore.profile +++ b/etc/profile-m-z/musescore.profile @@ -17,7 +17,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc diff --git a/etc/profile-m-z/musictube.profile b/etc/profile-m-z/musictube.profile new file mode 100644 index 00000000000..226fb4810ee --- /dev/null +++ b/etc/profile-m-z/musictube.profile 
@@ -0,0 +1,57 @@ +# Firejail profile for musictube +# Description: Stream music +# This file is overwritten after every install/update +# Persistent local customizations +include musictube.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/Flavio Tordini +noblacklist ${HOME}/.config/Flavio Tordini +noblacklist ${HOME}/.local/share/Flavio Tordini + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.cache/Flavio Tordini +mkdir ${HOME}/.config/Flavio Tordini +mkdir ${HOME}/.local/share/Flavio Tordini +whitelist ${HOME}/.cache/Flavio Tordini +whitelist ${HOME}/.config/Flavio Tordini +whitelist ${HOME}/.local/share/Flavio Tordini +whitelist /usr/share/musictube +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +netfilter +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,inet,inet6,netlink +seccomp +shell none +tracelog + +disable-mnt +private-bin musictube +private-cache +private-dev +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg +private-tmp + +dbus-user none +dbus-system none diff --git a/etc/profile-m-z/musixmatch.profile b/etc/profile-m-z/musixmatch.profile index a6b85a8e4de..aab2ac19d78 100644 --- a/etc/profile-m-z/musixmatch.profile +++ b/etc/profile-m-z/musixmatch.profile @@ -10,7 +10,6 @@ noblacklist ${MUSIC} include disable-common.inc include disable-devel.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc 
@@ -20,17 +19,19 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nogroups +noinput nosound notv nou2f novideo protocol unix,inet,inet6,netlink -seccomp +seccomp !chroot disable-mnt private-dev -private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,ssl +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,ld.so.preload,machine-id,pki,pulse,ssl diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile index 8ff547b528d..fb923051f26 100644 --- a/etc/profile-m-z/mutt.profile +++ b/etc/profile-m-z/mutt.profile @@ -1,6 +1,7 @@ # Firejail profile for mutt # Description: Text-based mailreader supporting MIME, GPG, PGP and threading # This file is overwritten after every install/update +quiet # Persistent local customizations include mutt.local # Persistent global definitions @@ -8,15 +9,18 @@ include globals.local noblacklist /var/mail noblacklist /var/spool/mail +noblacklist ${DOCUMENTS} noblacklist ${HOME}/.Mail noblacklist ${HOME}/.bogofilter noblacklist ${HOME}/.cache/mutt +noblacklist ${HOME}/.config/mutt noblacklist ${HOME}/.config/nano noblacklist ${HOME}/.elinks noblacklist ${HOME}/.emacs noblacklist ${HOME}/.emacs.d noblacklist ${HOME}/.gnupg noblacklist ${HOME}/.mail +noblacklist ${HOME}/.mailcap noblacklist ${HOME}/.msmtprc noblacklist ${HOME}/.mutt noblacklist ${HOME}/.muttrc 
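Review bot: in musixmatch.profile the hunk adds `noinput` twice, because the unchanged context already lists `nogroups` twice (`nogroups` / `+noinput` / `nonewprivs` / `noroot` / `nogroups` / `+noinput`). Rather than carrying the duplication forward, drop the second `nogroups` context line and the second `+noinput` so each option appears once.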
@@ -34,19 +38,87 @@ noblacklist ${HOME}/sent blacklist /tmp/.X11-unix blacklist ${RUNUSER}/wayland-* +# Add the next lines to your mutt.local for oauth.py,S/MIME support. +#include allow-perl.inc +#include allow-python2.inc +#include allow-python3.inc + include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-xdg.inc +mkdir ${HOME}/.Mail +mkdir ${HOME}/.bogofilter +mkdir ${HOME}/.cache/mutt +mkdir ${HOME}/.config/mutt +mkdir ${HOME}/.config/nano +mkdir ${HOME}/.elinks +mkdir ${HOME}/.emacs.d +mkdir ${HOME}/.gnupg +mkdir ${HOME}/.mail +mkdir ${HOME}/.mutt +mkdir ${HOME}/.vim +mkdir ${HOME}/.w3m +mkdir ${HOME}/Mail +mkdir ${HOME}/mail +mkdir ${HOME}/postponed +mkdir ${HOME}/sent +mkfile ${HOME}/.emacs +mkfile ${HOME}/.mailcap +mkfile ${HOME}/.msmtprc +mkfile ${HOME}/.muttrc +mkfile ${HOME}/.nanorc +mkfile ${HOME}/.signature +mkfile ${HOME}/.viminfo +mkfile ${HOME}/.vimrc +whitelist ${DOCUMENTS} +whitelist ${DOWNLOADS} +whitelist ${HOME}/.Mail +whitelist ${HOME}/.bogofilter +whitelist ${HOME}/.cache/mutt +whitelist ${HOME}/.config/mutt +whitelist ${HOME}/.config/nano +whitelist ${HOME}/.elinks +whitelist ${HOME}/.emacs +whitelist ${HOME}/.emacs.d +whitelist ${HOME}/.gnupg +whitelist ${HOME}/.mail +whitelist ${HOME}/.mailcap +whitelist ${HOME}/.msmtprc +whitelist ${HOME}/.mutt +whitelist ${HOME}/.muttrc +whitelist ${HOME}/.nanorc +whitelist ${HOME}/.signature +whitelist ${HOME}/.vim +whitelist ${HOME}/.viminfo +whitelist ${HOME}/.vimrc +whitelist ${HOME}/.w3m +whitelist ${HOME}/Mail +whitelist ${HOME}/mail +whitelist ${HOME}/postponed +whitelist ${HOME}/sent +whitelist /usr/share/gnupg +whitelist /usr/share/gnupg2 +whitelist /usr/share/mutt +whitelist /var/mail +whitelist /var/spool/mail +include whitelist-common.inc include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc +apparmor 
caps.drop all +ipc-namespace +machine-id netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -55,7 +127,23 @@ nou2f novideo protocol unix,inet,inet6 seccomp +seccomp.block-secondary shell none +tracelog +# disable-mnt +private-cache private-dev +private-etc alternatives,ca-certificates,crypto-policies,fonts,gai.conf,gcrypt,gnupg,gnutls,hostname,hosts,hosts.conf,ld.so.preload,mail,mailname,Mutt,Muttrc,Muttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,terminfo,xdg +private-tmp writable-run-user +writable-var + +dbus-user none +dbus-system none + +memory-deny-write-execute +read-only ${HOME}/.elinks +read-only ${HOME}/.nanorc +read-only ${HOME}/.signature +read-only ${HOME}/.w3m diff --git a/etc/profile-m-z/mypaint-ora-thumbnailer.profile b/etc/profile-m-z/mypaint-ora-thumbnailer.profile index 59b3024edf6..4b474591803 100644 --- a/etc/profile-m-z/mypaint-ora-thumbnailer.profile +++ b/etc/profile-m-z/mypaint-ora-thumbnailer.profile @@ -1,5 +1,10 @@ # Firejail profile alias for mypaint-ora-thumbnailer # This file is overwritten after every install/update +# Persistent local customizations +include mypaint-ora-thumbnailer.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include mypaint.profile diff --git a/etc/profile-m-z/mypaint.profile b/etc/profile-m-z/mypaint.profile index c592e847701..bf01aaa0efd 100644 --- a/etc/profile-m-z/mypaint.profile +++ b/etc/profile-m-z/mypaint.profile @@ -19,7 +19,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -30,6 +29,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -43,7 +43,7 @@ tracelog private-cache private-dev -private-etc alternatives,dconf,fonts,gtk-3.0 +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload private-tmp dbus-user none 
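Review bot: mutt.profile now combines `private-cache` with `noblacklist ${HOME}/.cache/mutt`, `mkdir ${HOME}/.cache/mutt` and `whitelist ${HOME}/.cache/mutt`; since `private-cache` puts an empty temporary filesystem over ~/.cache, please confirm that mutt's header cache still persists across runs, and either drop `private-cache` or note the interaction in a comment. Two smaller points in the same hunk: the comment "for oauth.py,S/MIME support" is missing a space after the comma, and `# disable-mnt` is left commented out without saying why (the other profiles in this patch either enable it or omit it).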
diff --git a/etc/profile-m-z/nano.profile b/etc/profile-m-z/nano.profile index 2a4625896b2..23a30bf979c 100644 --- a/etc/profile-m-z/nano.profile +++ b/etc/profile-m-z/nano.profile @@ -16,7 +16,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc whitelist /usr/share/nano @@ -30,6 +29,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -46,8 +46,12 @@ x11 none private-bin nano,rnano private-cache private-dev -# Comment the next line if you want to edit files in /etc directly -private-etc alternatives,nanorc +# Add the next lines to your nano.local if you want to edit files in /etc directly. +#ignore private-etc +#writable-etc +private-etc alternatives,ld.so.preload,nanorc +# Add the next line to your nano.local if you want to edit files in /var directly. +#writable-var dbus-user none dbus-system none diff --git a/etc/profile-m-z/natron.profile b/etc/profile-m-z/natron.profile index 5bf152f8447..2464844c46f 100644 --- a/etc/profile-m-z/natron.profile +++ b/etc/profile-m-z/natron.profile @@ -17,7 +17,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all diff --git a/etc/profile-m-z/ncdu.profile b/etc/profile-m-z/ncdu.profile index 651804bf139..063e30366c8 100644 --- a/etc/profile-m-z/ncdu.profile +++ b/etc/profile-m-z/ncdu.profile @@ -16,6 +16,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/ncdu2.profile b/etc/profile-m-z/ncdu2.profile new file mode 100644 index 00000000000..5b6364c5d89 --- /dev/null +++ b/etc/profile-m-z/ncdu2.profile 
@@ -0,0 +1,11 @@ +# Firejail profile for ncdu2 +# Description: Ncurses disk usage viewer (zig rewrite) +# This file is overwritten after every install/update +# Persistent local customizations +include ncdu2.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include ncdu.profile diff --git a/etc/profile-m-z/neochat.profile b/etc/profile-m-z/neochat.profile new file mode 100644 index 00000000000..58cc716d93b --- /dev/null +++ b/etc/profile-m-z/neochat.profile 
@@ -0,0 +1,65 @@ +# Firejail profile for neochat +# Description: Matrix Client +# This file is overwritten after every install/update +# Persistent local customizations +include neochat.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/KDE/neochat +noblacklist ${HOME}/.config/KDE +noblacklist ${HOME}/.config/KDE/neochat +noblacklist ${HOME}/.config/neochatrc +noblacklist ${HOME}/.config/neochat.notifyrc +noblacklist ${HOME}/.local/share/KDE/neochat + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.cache/KDE/neochat +mkdir ${HOME}/.local/share/KDE/neochat +whitelist ${HOME}/.cache/KDE/neochat +whitelist ${HOME}/.local/share/KDE/neochat +whitelist ${DOWNLOADS} +include whitelist-1793-workaround.inc +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +netfilter +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin neochat +private-dev +private-etc alternatives,ca-certificates,crypto-policies,dbus-1,fonts,host.conf,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg +private-tmp + +dbus-user filter +dbus-user.own org.kde.neochat +dbus-user.talk org.freedesktop.Notifications +dbus-user.talk org.kde.StatusNotifierWatcher +dbus-user.talk org.kde.kwalletd5 +dbus-system none diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile new file mode 100644 index 00000000000..1e59a14904e --- /dev/null 
+++ b/etc/profile-m-z/neomutt.profile 
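Review bot: neochat.profile noblacklists `${HOME}/.config/KDE`, `${HOME}/.config/KDE/neochat`, `${HOME}/.config/neochatrc` and `${HOME}/.config/neochat.notifyrc`, but with `include whitelist-common.inc` in effect only `${HOME}/.cache/KDE/neochat`, `${HOME}/.local/share/KDE/neochat` and `${DOWNLOADS}` are whitelisted, so the configuration files stay hidden inside the sandbox and settings will not persist. Add matching `mkdir`/`mkfile` and `whitelist` lines for the config paths (as done for the cache and data directories), or remove the `noblacklist` lines that currently have no effect.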
@@ -0,0 +1,152 @@ +# Firejail profile for neomutt +# Description: Mutt fork with advanced features and better documentation +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include neomutt.local +# Persistent global definitions +include globals.local + +noblacklist ${DOCUMENTS} +noblacklist ${HOME}/.Mail +noblacklist ${HOME}/.bogofilter +noblacklist ${HOME}/.config/mutt +noblacklist ${HOME}/.config/nano +noblacklist ${HOME}/.config/neomutt +noblacklist ${HOME}/.elinks +noblacklist ${HOME}/.emacs +noblacklist ${HOME}/.emacs.d +noblacklist ${HOME}/.gnupg +noblacklist ${HOME}/.mail +noblacklist ${HOME}/.mailcap +noblacklist ${HOME}/.msmtprc +noblacklist ${HOME}/.mutt +noblacklist ${HOME}/.muttrc +noblacklist ${HOME}/.nanorc +noblacklist ${HOME}/.neomutt +noblacklist ${HOME}/.neomuttrc +noblacklist ${HOME}/.signature +noblacklist ${HOME}/.vim +noblacklist ${HOME}/.viminfo +noblacklist ${HOME}/.vimrc +noblacklist ${HOME}/.w3m +noblacklist ${HOME}/Mail +noblacklist ${HOME}/mail +noblacklist ${HOME}/postponed +noblacklist ${HOME}/sent +noblacklist /var/mail +noblacklist /var/spool/mail + +blacklist /tmp/.X11-unix +blacklist ${RUNUSER}/wayland-* + +include allow-lua.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-xdg.inc + +mkdir ${HOME}/.Mail +mkdir ${HOME}/.bogofilter +mkdir ${HOME}/.config/mutt +mkdir ${HOME}/.config/nano +mkdir ${HOME}/.config/neomutt +mkdir ${HOME}/.elinks +mkdir ${HOME}/.emacs.d +mkdir ${HOME}/.gnupg +mkdir ${HOME}/.mail +mkdir ${HOME}/.mutt +mkdir ${HOME}/.neomutt +mkdir ${HOME}/.vim +mkdir ${HOME}/.w3m +mkdir ${HOME}/Mail +mkdir ${HOME}/mail +mkdir ${HOME}/postponed +mkdir ${HOME}/sent +mkfile ${HOME}/.emacs +mkfile ${HOME}/.mailcap +mkfile ${HOME}/.msmtprc +mkfile ${HOME}/.muttrc +mkfile ${HOME}/.nanorc +mkfile ${HOME}/.neomuttrc +mkfile ${HOME}/.signature +mkfile ${HOME}/.viminfo 
+mkfile ${HOME}/.vimrc +whitelist ${DOCUMENTS} +whitelist ${DOWNLOADS} +whitelist ${HOME}/.Mail +whitelist ${HOME}/.bogofilter +whitelist ${HOME}/.config/mutt +whitelist ${HOME}/.config/nano +whitelist ${HOME}/.config/neomutt +whitelist ${HOME}/.elinks +whitelist ${HOME}/.emacs +whitelist ${HOME}/.emacs.d +whitelist ${HOME}/.gnupg +whitelist ${HOME}/.mail +whitelist ${HOME}/.mailcap +whitelist ${HOME}/.msmtprc +whitelist ${HOME}/.mutt +whitelist ${HOME}/.muttrc +whitelist ${HOME}/.nanorc +whitelist ${HOME}/.neomutt +whitelist ${HOME}/.neomuttrc +whitelist ${HOME}/.signature +whitelist ${HOME}/.vim +whitelist ${HOME}/.viminfo +whitelist ${HOME}/.vimrc +whitelist ${HOME}/.w3m +whitelist ${HOME}/Mail +whitelist ${HOME}/mail +whitelist ${HOME}/postponed +whitelist ${HOME}/sent +whitelist /usr/share/gnupg +whitelist /usr/share/gnupg2 +whitelist /usr/share/neomutt +whitelist /var/mail +whitelist /var/spool/mail +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +machine-id +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +seccomp.block-secondary +shell none +tracelog + +# disable-mnt +private-cache +private-dev +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,hostname,hosts,hosts.conf,ld.so.preload,mail,mailname,Mutt,Muttrc,Muttrc.d,neomuttrc,neomuttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg +private-tmp +writable-run-user +writable-var + +dbus-user none +dbus-system none + +memory-deny-write-execute +read-only ${HOME}/.elinks +read-only ${HOME}/.nanorc +read-only ${HOME}/.signature +read-only ${HOME}/.w3m diff --git a/etc/profile-m-z/netactview.profile b/etc/profile-m-z/netactview.profile index cbf0d235d57..57f026a0b69 100644 --- a/etc/profile-m-z/netactview.profile +++ b/etc/profile-m-z/netactview.profile 
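Review bot: in the new neomutt.profile, `include allow-lua.inc` lacks the explanatory comment used elsewhere in this patch (`# Allow lua (blacklisted by disable-interpreters.inc)` in mpv.profile, mpsyt.profile and mrrescue.profile); add it for consistency. As in mutt.profile, `# disable-mnt` is commented out without a reason; a one-line comment saying why mounts must stay reachable would help the next maintainer.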
@@ -12,8 +12,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkfile ${HOME}/.netactview @@ -31,6 +31,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -44,7 +45,7 @@ disable-mnt private-bin netactview,netactview_polkit private-cache private-dev -private-etc alternatives,fonts +private-etc alternatives,fonts,ld.so.preload private-lib private-tmp diff --git a/etc/profile-m-z/nethack-vultures.profile b/etc/profile-m-z/nethack-vultures.profile index 4daa8054b7e..4da43a2d06e 100644 --- a/etc/profile-m-z/nethack-vultures.profile +++ b/etc/profile-m-z/nethack-vultures.profile @@ -12,7 +12,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.vultures @@ -26,6 +25,7 @@ ipc-namespace net none nodvd nogroups +noinput #nonewprivs #noroot notv diff --git a/etc/profile-m-z/nethack.profile b/etc/profile-m-z/nethack.profile index c8c927db23d..5037133f2c8 100644 --- a/etc/profile-m-z/nethack.profile +++ b/etc/profile-m-z/nethack.profile @@ -12,7 +12,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc whitelist /var/games/nethack @@ -25,6 +24,7 @@ net none no3d nodvd nogroups +noinput #nonewprivs #noroot nosound diff --git a/etc/profile-m-z/neverball-wrapper.profile b/etc/profile-m-z/neverball-wrapper.profile new file mode 100644 index 00000000000..534e41dd19f --- /dev/null +++ b/etc/profile-m-z/neverball-wrapper.profile 
@@ -0,0 +1,14 @@ +# Firejail profile for neverball-wrapper +# This file is overwritten after every install/update +# Persistent local customizations +include neverball-wrapper.local +# Persistent global definitions +# added by included profile +#include globals.local + +include allow-opengl-game.inc + +private-bin neverball-wrapper + +# Redirect +include neverball.profile diff --git a/etc/profile-m-z/neverball.profile b/etc/profile-m-z/neverball.profile index 84c63454927..9b7826fd0ce 100644 --- a/etc/profile-m-z/neverball.profile +++ b/etc/profile-m-z/neverball.profile @@ -12,28 +12,40 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc mkdir ${HOME}/.neverball whitelist ${HOME}/.neverball +whitelist /usr/share/neverball include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc caps.drop all -netfilter +net none nodvd nogroups +noinput nonewprivs noroot notv nou2f novideo -protocol unix,netlink +protocol unix seccomp +seccomp.block-secondary shell none +tracelog disable-mnt private-bin neverball +private-cache private-dev +private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,machine-id private-tmp +dbus-user none +dbus-system none diff --git a/etc/profile-m-z/neverputt-wrapper.profile b/etc/profile-m-z/neverputt-wrapper.profile new file mode 100644 index 00000000000..dacd113cc12 --- /dev/null +++ b/etc/profile-m-z/neverputt-wrapper.profile 
@@ -0,0 +1,14 @@ +# Firejail profile for neverputt-wrapper +# This file is overwritten after every install/update +# Persistent local customizations +include neverputt-wrapper.local +# Persistent global definitions +# added by included profile +#include globals.local + +include allow-opengl-game.inc + +private-bin neverputt-wrapper + +# Redirect +include neverputt.profile diff --git a/etc/profile-m-z/newsbeuter.profile b/etc/profile-m-z/newsbeuter.profile index 85581a2f0a9..6efb19502d4 100644 --- a/etc/profile-m-z/newsbeuter.profile +++ b/etc/profile-m-z/newsbeuter.profile @@ -7,13 +7,23 @@ include newsbeuter.local # added by included profile #include globals.local -noblacklist ${HOME}/.config/newsbeuter -noblacklist ${HOME}/.newsbeuter +ignore include newsboat.local +ignore mkdir ${HOME}/.config/newsboat +ignore mkdir ${HOME}/.local/share/newsboat +ignore mkdir ${HOME}/.newsboat +blacklist ${PATH}/newsboat + +blacklist ${HOME}/.config/newsboat +blacklist ${HOME}/.local/share/newsboat +blacklist ${HOME}/.newsboat + +nowhitelist ${HOME}/.config/newsboat +nowhitelist ${HOME}/.local/share/newsboat +nowhitelist ${HOME}/.newsboat mkdir ${HOME}/.config/newsbeuter +mkdir ${HOME}/.local/share/newsbeuter mkdir ${HOME}/.newsbeuter -whitelist ${HOME}/.config/newsbeuter -whitelist ${HOME}/.newsbeuter private-bin newsbeuter diff --git a/etc/profile-m-z/newsboat.profile b/etc/profile-m-z/newsboat.profile index a7bac6286ff..34c6110cfdd 100644 --- a/etc/profile-m-z/newsboat.profile +++ b/etc/profile-m-z/newsboat.profile 
@@ -6,17 +6,28 @@ include newsboat.local # Persistent global definitions include globals.local +noblacklist ${HOME}/.config/newsbeuter +noblacklist ${HOME}/.config/newsboat +noblacklist ${HOME}/.local/share/newsbeuter +noblacklist ${HOME}/.local/share/newsboat +noblacklist ${HOME}/.newsbeuter noblacklist ${HOME}/.newsboat include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc +mkdir ${HOME}/.config/newsboat +mkdir ${HOME}/.local/share/newsboat mkdir ${HOME}/.newsboat +whitelist ${HOME}/.config/newsbeuter +whitelist ${HOME}/.config/newsboat +whitelist ${HOME}/.local/share/newsbeuter +whitelist ${HOME}/.local/share/newsboat +whitelist ${HOME}/.newsbeuter whitelist ${HOME}/.newsboat include whitelist-common.inc include whitelist-runuser-common.inc @@ -28,6 +39,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot notv @@ -38,10 +50,10 @@ seccomp shell none disable-mnt -private-bin newsboat +private-bin gzip,lynx,newsboat,sh,w3m private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,terminfo +private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo private-tmp dbus-user none diff --git a/etc/profile-m-z/newsflash.profile b/etc/profile-m-z/newsflash.profile new file mode 100644 index 00000000000..56cedec038b --- /dev/null +++ b/etc/profile-m-z/newsflash.profile 
@@ -0,0 +1,60 @@ +# Firejail profile for newsflash +# Description: Modern feed reader +# This file is overwritten after every install/update +# Persistent local customizations +include newsflash.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/NewsFlashGTK +noblacklist ${HOME}/.config/news-flash +noblacklist ${HOME}/.local/share/news-flash + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.cache/NewsFlashGTK +mkdir ${HOME}/.config/news-flash +mkdir ${HOME}/.local/share/news-flash +whitelist ${HOME}/.cache/NewsFlashGTK +whitelist ${HOME}/.config/news-flash +whitelist ${HOME}/.local/share/news-flash +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +netfilter +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +disable-mnt +private-bin com.gitlab.newsflash,newsflash +private-cache +private-dev +private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pango,pki,resolv.conf,ssl,X11 +private-tmp + +dbus-user none +#dbus-user.own com.gitlab.newsflash +#dbus-user.talk org.freedesktop.Notifications +dbus-system none diff --git a/etc/profile-m-z/nextcloud-desktop.profile b/etc/profile-m-z/nextcloud-desktop.profile new file mode 100644 index 00000000000..e74f9c03f53 --- /dev/null +++ b/etc/profile-m-z/nextcloud-desktop.profile 
@@ -0,0 +1,10 @@ +# Firejail profile alias for nextcloud +# This file is overwritten after every install/update +# Persistent local customizations +include nextcloud-desktop.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include nextcloud.profile diff --git a/etc/profile-m-z/nextcloud.profile b/etc/profile-m-z/nextcloud.profile new file mode 100644 index 00000000000..d0eef9704ef --- /dev/null +++ b/etc/profile-m-z/nextcloud.profile 
@@ -0,0 +1,72 @@ +# Firejail profile for nextcloud +# Description: Nextcloud desktop synchronization client +# This file is overwritten after every install/update +# Persistent local customizations +include nextcloud.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/Nextcloud +noblacklist ${HOME}/.config/Nextcloud +noblacklist ${HOME}/.local/share/Nextcloud +# Add the next lines to your nextcloud.local to allow sync in more directories. +#noblacklist ${DOCUMENTS} +#noblacklist ${MUSIC} +#noblacklist ${PICTURES} +#noblacklist ${VIDEOS} + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/Nextcloud +mkdir ${HOME}/.config/Nextcloud +mkdir ${HOME}/.local/share/Nextcloud +whitelist ${HOME}/Nextcloud +whitelist ${HOME}/.config/Nextcloud +whitelist ${HOME}/.local/share/Nextcloud +# Add the next lines to your nextcloud.local to allow sync in more directories. 
+#whitelist ${DOCUMENTS} +#whitelist ${MUSIC} +#whitelist ${PICTURES} +#whitelist ${VIDEOS} +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +netfilter +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6,netlink +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin nextcloud,nextcloud-desktop +private-cache +private-etc alternatives,ca-certificates,crypto-policies,drirc,fonts,gcrypt,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,Nextcloud,nsswitch.conf,os-release,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg +private-dev +private-tmp + +dbus-user filter +dbus-user.talk org.freedesktop.secrets +# Add the next line to your nextcloud.local for tray icon support +#dbus-user.talk org.kde.StatusNotifierWatcher +dbus-system none diff --git a/etc/profile-m-z/nheko.profile b/etc/profile-m-z/nheko.profile index 119b3023980..2f305dae965 100644 --- a/etc/profile-m-z/nheko.profile +++ b/etc/profile-m-z/nheko.profile 
@@ -6,27 +6,36 @@ include nheko.local # Persistent global definitions include globals.local +noblacklist ${HOME}/.cache/nheko noblacklist ${HOME}/.config/nheko -noblacklist ${HOME}/.cache/nheko/nheko +noblacklist ${HOME}/.local/share/nheko include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc +mkdir ${HOME}/.cache/nheko mkdir ${HOME}/.config/nheko -mkdir ${HOME}/.cache/nheko/nheko +mkdir ${HOME}/.local/share/nheko +whitelist ${HOME}/.cache/nheko whitelist ${HOME}/.config/nheko -whitelist ${HOME}/.cache/nheko/nheko +whitelist ${HOME}/.local/share/nheko whitelist ${DOWNLOADS} include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc +apparmor caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv @@ -37,5 +46,15 @@ tracelog disable-mnt private-bin nheko +private-cache +private-dev +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg private-tmp +dbus-user filter +dbus-user.talk org.freedesktop.secrets +# Add the next line to your nheko.local to enable notification support. +#dbus-user.talk org.freedesktop.Notifications +# Add the next line to your nheko.local to enable tray icon support. +#dbus-user.talk org.kde.StatusNotifierWatcher +dbus-system none diff --git a/etc/profile-m-z/nicotine.profile b/etc/profile-m-z/nicotine.profile index 7764edffbcf..0b55a0d3abc 100644 --- a/etc/profile-m-z/nicotine.profile +++ b/etc/profile-m-z/nicotine.profile 
@@ -8,14 +8,15 @@ include globals.local noblacklist ${HOME}/.nicotine +# Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.nicotine @@ -34,6 +35,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/nitroshare-cli.profile b/etc/profile-m-z/nitroshare-cli.profile index d9cb2edc53a..13c6b59aea1 100644 --- a/etc/profile-m-z/nitroshare-cli.profile +++ b/etc/profile-m-z/nitroshare-cli.profile @@ -1,6 +1,11 @@ # Firejail profile alias for nitroshare # Description: Network File Transfer Application # This file is overwritten after every install/update +# Persistent local customizations +include nitroshare-cli.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include nitroshare.profile diff --git a/etc/profile-m-z/nitroshare-nmh.profile b/etc/profile-m-z/nitroshare-nmh.profile index d9cb2edc53a..513d267038a 100644 --- a/etc/profile-m-z/nitroshare-nmh.profile +++ b/etc/profile-m-z/nitroshare-nmh.profile @@ -1,6 +1,11 @@ # Firejail profile alias for nitroshare # Description: Network File Transfer Application # This file is overwritten after every install/update +# Persistent local customizations +include nitroshare-nmh.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include nitroshare.profile diff --git a/etc/profile-m-z/nitroshare-send.profile b/etc/profile-m-z/nitroshare-send.profile index d9cb2edc53a..6edff3cce91 100644 --- a/etc/profile-m-z/nitroshare-send.profile +++ b/etc/profile-m-z/nitroshare-send.profile 
@@ -1,6 +1,11 @@ # Firejail profile alias for nitroshare # Description: Network File Transfer Application # This file is overwritten after every install/update +# Persistent local customizations +include nitroshare-send.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include nitroshare.profile diff --git a/etc/profile-m-z/nitroshare-ui.profile b/etc/profile-m-z/nitroshare-ui.profile index d9cb2edc53a..ba5f8edf5c2 100644 --- a/etc/profile-m-z/nitroshare-ui.profile +++ b/etc/profile-m-z/nitroshare-ui.profile @@ -1,6 +1,11 @@ # Firejail profile alias for nitroshare # Description: Network File Transfer Application # This file is overwritten after every install/update +# Persistent local customizations +include nitroshare-ui.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include nitroshare.profile diff --git a/etc/profile-m-z/nitroshare.profile b/etc/profile-m-z/nitroshare.profile index 1743a771e33..d6234cd045c 100644 --- a/etc/profile-m-z/nitroshare.profile +++ b/etc/profile-m-z/nitroshare.profile @@ -17,7 +17,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-usr-share-common.inc @@ -28,6 +27,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -42,7 +42,7 @@ disable-mnt private-bin awk,grep,nitroshare,nitroshare-cli,nitroshare-nmh,nitroshare-send,nitroshare-ui private-cache private-dev -private-etc alternatives,ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,machine-id,nsswitch.conf,ssl +private-etc alternatives,ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,ssl # private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare private-tmp 
diff --git a/etc/profile-m-z/node.profile b/etc/profile-m-z/node.profile new file mode 100644 index 00000000000..cd48ed3c7fb --- /dev/null +++ b/etc/profile-m-z/node.profile @@ -0,0 +1,11 @@ +# Firejail profile for node +# Description: Evented I/O for V8 javascript +quiet +# This file is overwritten after every install/update +# Persistent local customizations +include node.local +# Persistent global definitions +include globals.local + +# Redirect +include nodejs-common.profile diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile new file mode 100644 index 00000000000..ab69136f68f --- /dev/null +++ b/etc/profile-m-z/nodejs-common.profile 
@@ -0,0 +1,95 @@ +# Firejail profile for Node.js +# Description: Asynchronous event-driven JavaScript runtime +# This file is overwritten after every install/update +# Persistent local customizations +include nodejs-common.local +# Persistent global definitions +# added by caller profile +#include globals.local + +blacklist /tmp/.X11-unix +blacklist ${RUNUSER} + +ignore read-only ${HOME}/.npm-packages +ignore read-only ${HOME}/.npmrc +ignore read-only ${HOME}/.nvm +ignore read-only ${HOME}/.yarnrc + +noblacklist ${HOME}/.node-gyp +noblacklist ${HOME}/.npm +noblacklist ${HOME}/.npmrc +noblacklist ${HOME}/.nvm +noblacklist ${HOME}/.yarn +noblacklist ${HOME}/.yarn-config +noblacklist ${HOME}/.yarncache +noblacklist ${HOME}/.yarnrc + +ignore noexec ${HOME} + +include allow-bin-sh.inc + +include disable-common.inc +include disable-exec.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +# If you want whitelisting, change ${HOME}/Projects below to your node projects directory +# and add the next lines to your nodejs-common.local. 
+#mkdir ${HOME}/.node-gyp +#mkdir ${HOME}/.npm +#mkdir ${HOME}/.npm-packages +#mkfile ${HOME}/.npmrc +#mkdir ${HOME}/.nvm +#mkdir ${HOME}/.yarn +#mkdir ${HOME}/.yarn-config +#mkdir ${HOME}/.yarncache +#mkfile ${HOME}/.yarnrc +#whitelist ${HOME}/.node-gyp +#whitelist ${HOME}/.npm +#whitelist ${HOME}/.npm-packages +#whitelist ${HOME}/.npmrc +#whitelist ${HOME}/.nvm +#whitelist ${HOME}/.yarn +#whitelist ${HOME}/.yarn-config +#whitelist ${HOME}/.yarncache +#whitelist ${HOME}/.yarnrc +#whitelist ${HOME}/Projects +#include whitelist-common.inc + +whitelist /usr/share/doc/node +whitelist /usr/share/nvm +whitelist /usr/share/systemtap/tapset/node.stp +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +caps.drop all +ipc-namespace +machine-id +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6,netlink +seccomp +seccomp.block-secondary +shell none + +disable-mnt +private-dev +private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl,xdg +#private-tmp + +dbus-user none +dbus-system none + +# Add the next line to your nodejs-common.local if you prefer to disable gatsby telemetry. +#env GATSBY_TELEMETRY_DISABLED=1 diff --git a/etc/profile-m-z/nomacs.profile b/etc/profile-m-z/nomacs.profile index 7a7ff504ac9..0bed12b1f0e 100644 --- a/etc/profile-m-z/nomacs.profile +++ b/etc/profile-m-z/nomacs.profile @@ -15,7 +15,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -27,6 +26,7 @@ machine-id netfilter nodvd nogroups +noinput nonewprivs noroot nosound 
@@ -41,7 +41,5 @@ tracelog #private-bin nomacs private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,login.defs,machine-id,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.preload,login.defs,machine-id,pki,resolv.conf,ssl private-tmp - -memory-deny-write-execute diff --git a/etc/profile-m-z/notify-send.profile b/etc/profile-m-z/notify-send.profile new file mode 100644 index 00000000000..a7bb93a0277 --- /dev/null +++ b/etc/profile-m-z/notify-send.profile @@ -0,0 +1,60 @@ +# Firejail profile for notify-send +# Description: a program to send desktop notifications +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include notify-send.local +# Persistent global definitions +include globals.local + +blacklist ${RUNUSER}/wayland-* + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-write-mnt.inc +include disable-xdg.inc + +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +machine-id +net none +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +shell none +tracelog +x11 none + +disable-mnt +private +private-bin notify-send +private-cache +private-dev +private-etc ld.so.preload,none +private-tmp + +dbus-user filter +dbus-user.talk org.freedesktop.Notifications +dbus-system none + +memory-deny-write-execute +read-only ${HOME} diff --git a/etc/profile-m-z/npm.profile b/etc/profile-m-z/npm.profile new file mode 100644 index 00000000000..4d8beea5af7 --- /dev/null +++ b/etc/profile-m-z/npm.profile 
@@ -0,0 +1,11 @@ +# Firejail profile for npm +# Description: The Node.js Package Manager +quiet +# This file is overwritten after every install/update +# Persistent local customizations +include npm.local +# Persistent global definitions +include globals.local + +# Redirect +include nodejs-common.profile diff --git a/etc/profile-m-z/nslookup.profile b/etc/profile-m-z/nslookup.profile index a8e0ddd896c..baa8ddfeb38 100644 --- a/etc/profile-m-z/nslookup.profile +++ b/etc/profile-m-z/nslookup.profile @@ -8,7 +8,6 @@ include nslookup.local include globals.local blacklist /tmp/.X11-unix -blacklist ${RUNUSER}/wayland-* blacklist ${RUNUSER} noblacklist ${PATH}/nslookup @@ -17,7 +16,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -34,6 +32,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/nuclear.profile b/etc/profile-m-z/nuclear.profile new file mode 100644 index 00000000000..9e3093ea797 --- /dev/null +++ b/etc/profile-m-z/nuclear.profile @@ -0,0 +1,25 @@ +# Firejail profile for nuclear +# Description: Stream music from Youtube,Soundcloud,Jamendo +# This file is overwritten after every install/update +# Persistent local customizations +include nuclear.local +# Persistent global definitions +include globals.local + +ignore dbus-user + +noblacklist ${HOME}/.config/nuclear + +include disable-shell.inc + +mkdir ${HOME}/.config/nuclear +whitelist ${HOME}/.config/nuclear + +no3d + +# private-bin nuclear +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg +private-opt nuclear + +# Redirect +include electron.profile 
diff --git a/etc/profile-m-z/nvm.profile b/etc/profile-m-z/nvm.profile new file mode 100644 index 00000000000..80da228340c --- /dev/null +++ b/etc/profile-m-z/nvm.profile @@ -0,0 +1,13 @@ +# Firejail profile for nvm +# Description: Node Version Manager - Simple bash script to manage multiple active node.js versions +quiet +# This file is overwritten after every install/update +# Persistent local customizations +include nvm.local +# Persistent global definitions +include globals.local + +ignore noroot + +# Redirect +include nodejs-common.profile diff --git a/etc/profile-m-z/nylas.profile b/etc/profile-m-z/nylas.profile index c959eb991bd..3474a075f61 100644 --- a/etc/profile-m-z/nylas.profile +++ b/etc/profile-m-z/nylas.profile @@ -11,7 +11,6 @@ noblacklist ${HOME}/.nylas-mail include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.config/Nylas Mail @@ -25,6 +24,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/nyx.profile b/etc/profile-m-z/nyx.profile index df214ff2063..9b431d76d30 100644 --- a/etc/profile-m-z/nyx.profile +++ b/etc/profile-m-z/nyx.profile @@ -16,8 +16,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.nyx @@ -30,6 +30,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -44,7 +45,7 @@ disable-mnt private-bin nyx,python* private-cache private-dev -private-etc alternatives,fonts,passwd,tor +private-etc alternatives,fonts,ld.so.preload,passwd,tor private-opt none private-srv none private-tmp diff --git a/etc/profile-m-z/obs.profile b/etc/profile-m-z/obs.profile index 4277bdab351..1ff9ad48a4e 100644 --- a/etc/profile-m-z/obs.profile +++ b/etc/profile-m-z/obs.profile 
@@ -18,7 +18,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -27,6 +26,7 @@ include whitelist-var-common.inc caps.drop all nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/ocenaudio.profile b/etc/profile-m-z/ocenaudio.profile index 61fe14c085f..0bfb3533327 100644 --- a/etc/profile-m-z/ocenaudio.profile +++ b/etc/profile-m-z/ocenaudio.profile @@ -14,8 +14,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc include whitelist-usr-share-common.inc @@ -25,12 +25,13 @@ apparmor caps.drop all ipc-namespace # net none - breaks update functionality and AppArmor on Ubuntu systems -# uncomment (or put 'net none' in your ocenaudio.local) when needed +# Add 'net none' to your ocenaudio.local when you want that functionality. #net none netfilter no3d nodvd nogroups +noinput nonewprivs noroot notv @@ -44,7 +45,7 @@ tracelog private-bin ocenaudio private-cache private-dev -private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse +private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,pulse private-tmp # breaks preferences diff --git a/etc/profile-m-z/odt2txt.profile b/etc/profile-m-z/odt2txt.profile index 3e4bd94b6c6..7d2374ccff7 100644 --- a/etc/profile-m-z/odt2txt.profile +++ b/etc/profile-m-z/odt2txt.profile @@ -13,8 +13,8 @@ noblacklist ${DOCUMENTS} include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc caps.drop all @@ -22,6 +22,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound 
@@ -37,7 +38,7 @@ x11 none private-bin odt2txt private-cache private-dev -private-etc alternatives +private-etc alternatives,ld.so.preload private-tmp dbus-user none diff --git a/etc/profile-m-z/okular.profile b/etc/profile-m-z/okular.profile index de82f82666a..0a200b46eac 100644 --- a/etc/profile-m-z/okular.profile +++ b/etc/profile-m-z/okular.profile @@ -15,6 +15,7 @@ noblacklist ${HOME}/.kde/share/config/okularrc noblacklist ${HOME}/.kde4/share/apps/okular noblacklist ${HOME}/.kde4/share/config/okularpartrc noblacklist ${HOME}/.kde4/share/config/okularrc +noblacklist ${HOME}/.local/share/kxmlgui5/okular noblacklist ${HOME}/.local/share/okular noblacklist ${DOCUMENTS} @@ -22,13 +23,20 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc -whitelist /usr/share/config.kcfg +whitelist /usr/share/config.kcfg/gssettings.kcfg +whitelist /usr/share/config.kcfg/pdfsettings.kcfg +whitelist /usr/share/config.kcfg/okular.kcfg +whitelist /usr/share/config.kcfg/okular_core.kcfg +whitelist /usr/share/ghostscript +whitelist /usr/share/kconf_update/okular.upd +whitelist /usr/share/kxmlgui5/okular whitelist /usr/share/okular whitelist /usr/share/poppler +include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -39,6 +47,7 @@ machine-id netfilter nodvd nogroups +noinput nonewprivs noroot nosound @@ -50,9 +59,9 @@ seccomp shell none tracelog -private-bin kbuildsycoca4,kdeinit4,lpr,okular +private-bin kbuildsycoca4,kdeinit4,lpr,okular,unar,unrar private-dev -private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,xdg +private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,ld.so.preload,machine-id,passwd,xdg # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients # dbus-user none 
diff --git a/etc/profile-m-z/onboard.profile b/etc/profile-m-z/onboard.profile new file mode 100644 index 00000000000..e70e5e81e0d --- /dev/null +++ b/etc/profile-m-z/onboard.profile @@ -0,0 +1,56 @@ +# Firejail profile for onboard +# Description: On-screen keyboard +# This file is overwritten after every install/update +# Persistent local customizations +include onboard.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/onboard + +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python2.inc +include allow-python3.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.config/onboard +whitelist ${HOME}/.config/onboard +whitelist /usr/share/onboard +include whitelist-common.inc +include whitelist-usr-share-common.inc +include whitelist-runuser-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +net none +nodvd +no3d +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix +seccomp +shell none +tracelog + +disable-mnt +private-cache +private-bin onboard,python*,tput +private-dev +private-etc alternatives,dbus-1,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.preload,locale,locale.alias,locale.conf,mime.types,selinux,X11,xdg +private-tmp + +dbus-system none diff --git a/etc/profile-m-z/onionshare-gui.profile b/etc/profile-m-z/onionshare-gui.profile index 5bfcd052789..cf4d7db30e6 100644 --- a/etc/profile-m-z/onionshare-gui.profile +++ b/etc/profile-m-z/onionshare-gui.profile @@ -14,7 +14,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-var-common.inc @@ -25,6 +24,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound 
diff --git a/etc/profile-m-z/ooffice.profile b/etc/profile-m-z/ooffice.profile index 8348a57fe9a..8df7b502b15 100644 --- a/etc/profile-m-z/ooffice.profile +++ b/etc/profile-m-z/ooffice.profile @@ -1,5 +1,10 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update +# Persistent local customizations +include ooffice.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include libreoffice.profile diff --git a/etc/profile-m-z/ooviewdoc.profile b/etc/profile-m-z/ooviewdoc.profile index 8348a57fe9a..c55d58ba72a 100644 --- a/etc/profile-m-z/ooviewdoc.profile +++ b/etc/profile-m-z/ooviewdoc.profile @@ -1,5 +1,10 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update +# Persistent local customizations +include ooviewdoc.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include libreoffice.profile diff --git a/etc/profile-m-z/open-invaders.profile b/etc/profile-m-z/open-invaders.profile index de1ef780032..12c7ea3d0f5 100644 --- a/etc/profile-m-z/open-invaders.profile +++ b/etc/profile-m-z/open-invaders.profile @@ -12,8 +12,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc mkdir ${HOME}/.openinvaders whitelist ${HOME}/.openinvaders @@ -25,6 +25,7 @@ caps.drop all net none nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/openarena.profile b/etc/profile-m-z/openarena.profile index 3b15a6e42e5..de334defdeb 100644 --- a/etc/profile-m-z/openarena.profile +++ b/etc/profile-m-z/openarena.profile 
@@ -12,34 +12,39 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc +mkdir ${HOME}/.openarena +whitelist ${HOME}/.openarena +whitelist /usr/share/openarena +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor caps.drop all -# ipc-namespace -# netfilter -# nodvd -# nogroups +netfilter +nodvd +nogroups +noinput nonewprivs noroot notv -# nou2f +nou2f novideo protocol unix,inet,inet6,netlink seccomp shell none -# tracelog +tracelog -# disable-mnt -# private-bin openarena +disable-mnt +private-bin bash,cut,glxinfo,grep,head,openarena,openarena_ded,quake3,zenity private-cache private-dev -# private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg +private-etc drirc,ld.so.preload,machine-id,openal,passwd,selinux,udev,xdg private-tmp -# dbus-user none -# dbus-system none +dbus-user none +dbus-system none diff --git a/etc/profile-m-z/openarena_ded.profile b/etc/profile-m-z/openarena_ded.profile new file mode 100644 index 00000000000..d70fbc101e8 --- /dev/null +++ b/etc/profile-m-z/openarena_ded.profile @@ -0,0 +1,10 @@ +# Firejail profile alias for openarena +# This file is overwritten after every install/update +# Persistent local customizations +include openarena_ded.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include openarena.profile diff --git a/etc/profile-m-z/openbox.profile b/etc/profile-m-z/openbox.profile index 1fb93c79c2b..b49fd9932a8 100644 --- a/etc/profile-m-z/openbox.profile +++ b/etc/profile-m-z/openbox.profile 
@@ -6,7 +6,7 @@ include openbox.local # Persistent global definitions include globals.local -# all applications started in OpenBox will run in this profile +# all applications started in openbox will run in this profile noblacklist ${HOME}/.config/openbox include disable-common.inc diff --git a/etc/profile-m-z/opencity.profile b/etc/profile-m-z/opencity.profile index 59a2d105519..560bc6cbcc0 100644 --- a/etc/profile-m-z/opencity.profile +++ b/etc/profile-m-z/opencity.profile @@ -12,8 +12,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.opencity @@ -27,6 +27,7 @@ ipc-namespace net none nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/openclonk.profile b/etc/profile-m-z/openclonk.profile index 37f046df240..2534659914a 100644 --- a/etc/profile-m-z/openclonk.profile +++ b/etc/profile-m-z/openclonk.profile @@ -12,8 +12,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.clonk @@ -28,6 +28,7 @@ ipc-namespace netfilter nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/openmw-launcher.profile b/etc/profile-m-z/openmw-launcher.profile new file mode 100644 index 00000000000..c9cc144e474 --- /dev/null +++ b/etc/profile-m-z/openmw-launcher.profile @@ -0,0 +1,7 @@ +# Firejail profile for openmw-launcher +# This file is overwritten after every install/update +# Persistent local customizations +include openmw-launcher.local + +# Redirect +include openmw.profile diff --git a/etc/profile-m-z/openmw.profile b/etc/profile-m-z/openmw.profile new file mode 100644 index 00000000000..ce3399ad6e1 --- /dev/null +++ b/etc/profile-m-z/openmw.profile 
@@ -0,0 +1,61 @@ +# Firejail profile for openmw +# Description: Open source engine re-implementation for Morrowind +# This file is overwritten after every install/update +# Persistent local customizations +include openmw.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/openmw +noblacklist ${HOME}/.local/share/openmw + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-write-mnt.inc +include disable-xdg.inc + +mkdir ${HOME}/.config/openmw +mkdir ${HOME}/.local/share/openmw +whitelist ${HOME}/.config/openmw +# Copy Morrowind data files into ${HOME}/.local/share/openmw or load them from /mnt. +# Alternatively you can whitelist custom paths in your openmw.local. +whitelist ${HOME}/.local/share/openmw +whitelist /usr/share/openmw +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +net none +netfilter +# Add 'ignore nodvd' to your openmw.local when installing from disc. +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,netlink +seccomp +seccomp.block-secondary +shell none +tracelog + +private-bin bsatool,esmtool,niftest,openmw,openmw-cs,openmw-essimporter,openmw-iniimporter,openmw-launcher,openmw-wizard +private-cache +private-dev +private-etc alsa,alternatives,asound.conf,bumblebee,drirc,fonts,glvnd,group,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nvidia,openmw,pango,passwd,pulse,Trolltech.conf,X11,xdg +private-opt none +private-tmp + +dbus-user none +dbus-system none diff --git a/etc/profile-m-z/openoffice.org.profile b/etc/profile-m-z/openoffice.org.profile index 8348a57fe9a..4221db40975 100644 --- a/etc/profile-m-z/openoffice.org.profile 
+++ b/etc/profile-m-z/openoffice.org.profile @@ -1,5 +1,10 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update +# Persistent local customizations +include openoffice.org.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include libreoffice.profile diff --git a/etc/profile-m-z/openshot-qt.profile b/etc/profile-m-z/openshot-qt.profile index 2f886d2ac0c..c1a0305567f 100644 --- a/etc/profile-m-z/openshot-qt.profile +++ b/etc/profile-m-z/openshot-qt.profile @@ -1,5 +1,10 @@ # Firejail profile alias for openshot # This file is overwritten after every install/update +# Persistent local customizations +include openshot-qt.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include openshot.profile diff --git a/etc/profile-m-z/openshot.profile b/etc/profile-m-z/openshot.profile index e1839c724aa..e2af2e71485 100644 --- a/etc/profile-m-z/openshot.profile +++ b/etc/profile-m-z/openshot.profile @@ -16,9 +16,12 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +whitelist /usr/share/blender +whitelist /usr/share/inkscape +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor @@ -26,17 +29,21 @@ caps.drop all net none nodvd nogroups +noinput nonewprivs noroot notv nou2f protocol unix,inet,inet6,netlink seccomp +seccomp.block-secondary shell none tracelog +private-bin blender,inkscape,openshot,openshot-qt,python3* +private-cache private-dev private-tmp -dbus-user none +dbus-user filter dbus-system none diff --git a/etc/profile-m-z/openttd.profile b/etc/profile-m-z/openttd.profile index 57e3787aa5c..6c31ebf6588 100644 --- a/etc/profile-m-z/openttd.profile +++ b/etc/profile-m-z/openttd.profile 
@@ -12,8 +12,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.openttd @@ -27,6 +27,7 @@ ipc-namespace net none nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/opera-beta.profile b/etc/profile-m-z/opera-beta.profile index 8658d30c6e1..551f1aba4fa 100644 --- a/etc/profile-m-z/opera-beta.profile +++ b/etc/profile-m-z/opera-beta.profile @@ -5,6 +5,11 @@ include opera-beta.local # Persistent global definitions include globals.local +# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus +ignore whitelist /usr/share/chromium +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc + noblacklist ${HOME}/.cache/opera noblacklist ${HOME}/.config/opera-beta diff --git a/etc/profile-m-z/opera.profile b/etc/profile-m-z/opera.profile index b342b396172..2c7c5fc35bf 100644 --- a/etc/profile-m-z/opera.profile +++ b/etc/profile-m-z/opera.profile @@ -6,6 +6,11 @@ include opera.local # Persistent global definitions include globals.local +# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus +ignore whitelist /usr/share/chromium +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc + noblacklist ${HOME}/.cache/opera noblacklist ${HOME}/.config/opera noblacklist ${HOME}/.opera diff --git a/etc/profile-m-z/orage.profile b/etc/profile-m-z/orage.profile index 4e12892d6c1..a3ec6a386e1 100644 --- a/etc/profile-m-z/orage.profile +++ b/etc/profile-m-z/orage.profile @@ -13,7 +13,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc 
@@ -22,6 +21,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot # nosound - calendar application, It must be able to play sound to wake you up. diff --git a/etc/profile-m-z/org.gnome.NautilusPreviewer.profile b/etc/profile-m-z/org.gnome.NautilusPreviewer.profile new file mode 100644 index 00000000000..eb75add58cb --- /dev/null +++ b/etc/profile-m-z/org.gnome.NautilusPreviewer.profile @@ -0,0 +1,10 @@ +# Firejail profile alias for sushi +# This file is overwritten after every install/update +# Persistent local customizations +include org.gnome.NautilusPreviewer.local +# Persistent global definitions +# added by included profile +#include globals.local + +# Redirect +include sushi.profile diff --git a/etc/profile-m-z/ostrichriders.profile b/etc/profile-m-z/ostrichriders.profile index 4cd4dae17d9..de6a6d3f5fa 100644 --- a/etc/profile-m-z/ostrichriders.profile +++ b/etc/profile-m-z/ostrichriders.profile @@ -12,8 +12,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.ostrichriders @@ -28,6 +28,8 @@ ipc-namespace net none nodvd nogroups +# Add 'ignore noinput' to your ostrichriders.local if you need controller support. +noinput nonewprivs noroot notv @@ -41,7 +43,6 @@ tracelog disable-mnt private-bin ostrichriders private-cache -# private-dev should be commented for controllers private-dev private-tmp diff --git a/etc/profile-m-z/otter-browser.profile b/etc/profile-m-z/otter-browser.profile new file mode 100644 index 00000000000..78f92a86021 --- /dev/null +++ b/etc/profile-m-z/otter-browser.profile 
@@ -0,0 +1,59 @@ +# Firejail profile for otter-browser +# Description: Lightweight web browser based on Qt5 +# This file is overwritten after every install/update +# Persistent local customizations +include otter-browser.local +# Persistent global definitions +include globals.local + +?BROWSER_ALLOW_DRM: ignore noexec ${HOME} + +noblacklist ${HOME}/.cache/Otter +noblacklist ${HOME}/.config/otter +noblacklist ${HOME}/.pki +noblacklist ${HOME}/.local/share/pki + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-xdg.inc + +mkdir ${HOME}/.cache/Otter +mkdir ${HOME}/.config/otter +mkdir ${HOME}/.pki +mkdir ${HOME}/.local/share/pki +whitelist ${DOWNLOADS} +whitelist ${HOME}/.cache/Otter +whitelist ${HOME}/.config/otter +whitelist ${HOME}/.pki +whitelist ${HOME}/.local/share/pki +whitelist /usr/share/otter-browser +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +netfilter +nodvd +nogroups +noinput +nonewprivs +noroot +notv +?BROWSER_DISABLE_U2F: nou2f +protocol unix,inet,inet6,netlink +seccomp !chroot +shell none + +disable-mnt +private-bin bash,otter-browser,sh,which +private-cache +?BROWSER_DISABLE_U2F: private-dev +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg +private-tmp + +dbus-system none diff --git a/etc/profile-m-z/pandoc.profile b/etc/profile-m-z/pandoc.profile index 354f6eab8d0..460f60beb3a 100644 --- a/etc/profile-m-z/pandoc.profile +++ b/etc/profile-m-z/pandoc.profile 
@@ -7,19 +7,21 @@ include pandoc.local # Persistent global definitions include globals.local -blacklist ${RUNUSER}/wayland-* blacklist ${RUNUSER} noblacklist ${DOCUMENTS} +include allow-bin-sh.inc + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc +include whitelist-runuser-common.inc # breaks pdf output #include whitelist-var-common.inc @@ -31,6 +33,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -39,15 +42,15 @@ nou2f novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog x11 none disable-mnt -private-bin context,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf private-cache private-dev -private-etc alternatives,texlive +private-etc alternatives,ld.so.preload,texlive,texmf private-tmp dbus-user none diff --git a/etc/profile-m-z/parole.profile b/etc/profile-m-z/parole.profile index e7a0694edbd..a4737d38817 100644 --- a/etc/profile-m-z/parole.profile +++ b/etc/profile-m-z/parole.profile @@ -12,8 +12,8 @@ noblacklist ${VIDEOS} include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc caps.drop all @@ -27,4 +27,4 @@ shell none private-bin dbus-launch,parole private-cache -private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,pulse,ssl +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,ld.so.preload,machine-id,passwd,pki,pulse,ssl diff --git a/etc/profile-m-z/patch.profile b/etc/profile-m-z/patch.profile index 2bb85e3c66e..3973c1b4a51 100644 --- a/etc/profile-m-z/patch.profile +++ b/etc/profile-m-z/patch.profile 
@@ -7,7 +7,6 @@ include patch.local # Persistent global definitions include globals.local -blacklist ${RUNUSER}/wayland-* blacklist ${RUNUSER} noblacklist ${DOCUMENTS} @@ -16,7 +15,7 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc +include disable-shell.inc include disable-xdg.inc include whitelist-usr-share-common.inc @@ -28,6 +27,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -36,13 +36,14 @@ nou2f novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog x11 none private-bin patch,red private-dev -private-lib libfakeroot +private-lib libdl.so.*,libfakeroot dbus-user none dbus-system none diff --git a/etc/profile-m-z/pavucontrol.profile b/etc/profile-m-z/pavucontrol.profile index f7d3576da89..76f1c970464 100644 --- a/etc/profile-m-z/pavucontrol.profile +++ b/etc/profile-m-z/pavucontrol.profile @@ -12,7 +12,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -31,6 +30,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot notv @@ -45,7 +45,7 @@ disable-mnt private-bin pavucontrol private-cache private-dev -private-etc alternatives,asound.conf,avahi,fonts,machine-id,pulse +private-etc alternatives,asound.conf,avahi,fonts,ld.so.preload,machine-id,pulse private-lib private-tmp diff --git a/etc/profile-m-z/pcsxr.profile b/etc/profile-m-z/pcsxr.profile new file mode 100644 index 00000000000..e52a1c4a9e7 --- /dev/null +++ b/etc/profile-m-z/pcsxr.profile 
@@ -0,0 +1,56 @@ +# Firejail profile for pcsxr +# Description: A PlayStation emulator +# This file is overwritten after every install/update +# Persistent local customizations +include pcsxr.local +# Persistent global definitions +include globals.local + +# Note: you must whitelist your games folder in your pcsxr.local + +noblacklist ${HOME}/.pcsxr + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-write-mnt.inc +include disable-xdg.inc + +mkdir ${HOME}/.pcsxr +whitelist ${HOME}/.pcsxr +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +net none +netfilter +# Add the next line to your pcsxr.local when not loading games from disc. +#nodvd +nogroups +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,netlink +seccomp +shell none +tracelog + +private-bin pcsxr +private-cache +# Add the next line to your pcsxr.local if you do not need controller support. +#private-dev +private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg +private-opt none +private-tmp + +dbus-user none +dbus-system none diff --git a/etc/profile-m-z/pdfchain.profile b/etc/profile-m-z/pdfchain.profile index 4b6da4d6f20..400fc3d77a8 100644 --- a/etc/profile-m-z/pdfchain.profile +++ b/etc/profile-m-z/pdfchain.profile @@ -11,7 +11,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc 
@@ -22,6 +21,7 @@ ipc-namespace net none no3d nogroups +noinput nonewprivs noroot nosound @@ -34,7 +34,7 @@ shell none private-bin pdfchain,pdftk,sh private-dev -private-etc alternatives,dconf,fonts,gtk-3.0,xdg +private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.preload,xdg private-tmp dbus-user none diff --git a/etc/profile-m-z/pdfmod.profile b/etc/profile-m-z/pdfmod.profile index fb3c4252608..c8397a31e89 100644 --- a/etc/profile-m-z/pdfmod.profile +++ b/etc/profile-m-z/pdfmod.profile @@ -14,7 +14,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -27,6 +26,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/pdfsam.profile b/etc/profile-m-z/pdfsam.profile index 2f42271594d..0c2ce05885e 100644 --- a/etc/profile-m-z/pdfsam.profile +++ b/etc/profile-m-z/pdfsam.profile @@ -15,7 +15,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -25,6 +24,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/pdftotext.profile b/etc/profile-m-z/pdftotext.profile index d9e4aedfb5d..b1c2dfb1cc1 100644 --- a/etc/profile-m-z/pdftotext.profile +++ b/etc/profile-m-z/pdftotext.profile @@ -6,16 +6,16 @@ include pdftotext.local # Persistent global definitions include globals.local -blacklist ${RUNUSER}/wayland-* blacklist ${RUNUSER} noblacklist ${DOCUMENTS} include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc whitelist ${DOCUMENTS} @@ -31,6 +31,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound 
@@ -39,6 +40,7 @@ nou2f novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog x11 none @@ -46,7 +48,7 @@ x11 none private-bin pdftotext private-cache private-dev -private-etc alternatives +private-etc alternatives,ld.so.preload private-tmp dbus-user none diff --git a/etc/profile-m-z/peek.profile b/etc/profile-m-z/peek.profile index 66fdd649656..e216742a40e 100644 --- a/etc/profile-m-z/peek.profile +++ b/etc/profile-m-z/peek.profile @@ -13,15 +13,26 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc +#mkdir ${HOME}/.cache/peek +#whitelist ${HOME}/.cache/peek +#whitelist ${PICTURES} +#whitelist ${VIDEOS} +#include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor caps.drop all +machine-id net none no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -30,14 +41,22 @@ nou2f novideo protocol unix seccomp +seccomp.block-secondary shell none +tracelog -# private-bin breaks gif mode, mp4 and webm mode work fine however -# private-bin convert,ffmpeg,peek +disable-mnt +private-bin bash,convert,ffmpeg,firejail,fish,peek,sh,which,zsh private-dev +private-etc dconf,firejail,fonts,gtk-3.0,ld.so.preload,login.defs,pango,passwd,X11 private-tmp -dbus-user none +dbus-user filter +dbus-user.own com.uploadedlobster.peek +dbus-user.talk ca.desrt.dconf +dbus-user.talk org.freedesktop.FileManager1 +dbus-user.talk org.freedesktop.Notifications +dbus-user.talk org.gnome.Shell.Screencast dbus-system none memory-deny-write-execute diff --git a/etc/profile-m-z/penguin-command.profile b/etc/profile-m-z/penguin-command.profile index d4d3e914d7e..13e89616e2d 100644 --- a/etc/profile-m-z/penguin-command.profile +++ b/etc/profile-m-z/penguin-command.profile 
@@ -12,8 +12,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc whitelist ${HOME}/.penguin-command include whitelist-common.inc @@ -24,6 +24,7 @@ caps.drop all net none nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/photoflare.profile b/etc/profile-m-z/photoflare.profile new file mode 100644 index 00000000000..c0d0ae4df8d --- /dev/null +++ b/etc/profile-m-z/photoflare.profile @@ -0,0 +1,50 @@ +# Firejail profile for photoflare +# Description: Simple painting and editing program +# This file is overwritten after every install/update +# Persistent local customizations +include photoflare.local +# Persistent global definitions +include photoflare.local + +noblacklist ${PICTURES} + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +net none +nodvd +no3d +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +shell none +tracelog + +disable-mnt +private-bin photoflare +private-cache +private-dev +private-etc alternatives,fonts,ld.so.preload,locale,locale.alias,locale.conf,mime.types,X11 +private-tmp + +dbus-user none +dbus-system none diff --git a/etc/profile-m-z/picard.profile b/etc/profile-m-z/picard.profile index 15fc7a4547d..dbbfc527576 100644 --- a/etc/profile-m-z/picard.profile +++ b/etc/profile-m-z/picard.profile @@ -18,7 +18,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc 
@@ -28,6 +27,7 @@ caps.drop all no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/pidgin.profile b/etc/profile-m-z/pidgin.profile index 2e421574451..904c17e09a3 100644 --- a/etc/profile-m-z/pidgin.profile +++ b/etc/profile-m-z/pidgin.profile @@ -15,12 +15,13 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc mkdir ${HOME}/.purple whitelist ${HOME}/.purple +whitelist ${DOWNLOADS} +whitelist ${PICTURES} include whitelist-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -30,6 +31,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/pinball-wrapper.profile b/etc/profile-m-z/pinball-wrapper.profile new file mode 100644 index 00000000000..2b5ed6e278e --- /dev/null +++ b/etc/profile-m-z/pinball-wrapper.profile @@ -0,0 +1,14 @@ +# Firejail profile for pinball-wrapper +# This file is overwritten after every install/update +# Persistent local customizations +include pinball-wrapper.local +# Persistent global definitions +# added by included profile +#include globals.local + +include allow-opengl-game.inc + +private-bin pinball-wrapper + +# Redirect +include pinball.profile diff --git a/etc/profile-m-z/pinball.profile b/etc/profile-m-z/pinball.profile new file mode 100644 index 00000000000..3c76ad99ca5 --- /dev/null +++ b/etc/profile-m-z/pinball.profile 
@@ -0,0 +1,55 @@ +# Firejail profile for pinball +# Description: Emilia 3D Pinball Game +# This file is overwritten after every install/update +# Persistent local customizations +include pinball.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/emilia + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.config/emilia +whitelist ${HOME}/.config/emilia + +whitelist /usr/share/pinball +# on debian games are stored under /usr/share/games +whitelist /usr/share/games/pinball +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +net none +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin pinball +private-cache +private-dev +private-etc alsa,alternatives,asound.conf,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,machine-id,pulse +private-tmp + +dbus-user none +dbus-system none diff --git a/etc/profile-m-z/ping.profile b/etc/profile-m-z/ping.profile index 3ef8ad64acf..b4923c38afe 100644 --- a/etc/profile-m-z/ping.profile +++ b/etc/profile-m-z/ping.profile @@ -8,14 +8,12 @@ include ping.local include globals.local blacklist /tmp/.X11-unix -blacklist ${RUNUSER}/wayland-* blacklist ${RUNUSER} include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -32,6 +30,7 @@ netfilter no3d nodvd nogroups +noinput # ping needs to rise privileges, noroot and nonewprivs will kill it #nonewprivs #noroot 
@@ -54,3 +53,6 @@ private-tmp # memory-deny-write-execute is built using seccomp; nonewprivs will kill it #memory-deny-write-execute + +dbus-user none +dbus-system none diff --git a/etc/profile-m-z/pingus.profile b/etc/profile-m-z/pingus.profile index 0b6a9ad5f14..fb50e66ca4d 100644 --- a/etc/profile-m-z/pingus.profile +++ b/etc/profile-m-z/pingus.profile @@ -8,12 +8,17 @@ include globals.local noblacklist ${HOME}/.pingus +# Allow /bin/sh (blacklisted by disable-shell.inc) +include allow-bin-sh.inc + +blacklist /usr/libexec + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.pingus @@ -29,6 +34,7 @@ caps.drop all net none nodvd nogroups +noinput nonewprivs noroot notv @@ -36,14 +42,15 @@ nou2f novideo protocol unix,netlink seccomp +seccomp.block-secondary shell none tracelog -disbale-mnt +disable-mnt private-bin pingus,pingus.bin,sh private-cache private-dev -private-etc machine-id +private-etc ld.so.preload,machine-id private-tmp dbus-user none diff --git a/etc/profile-m-z/pinta.profile b/etc/profile-m-z/pinta.profile index 7d94972c420..f52803d501c 100644 --- a/etc/profile-m-z/pinta.profile +++ b/etc/profile-m-z/pinta.profile @@ -14,7 +14,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -23,6 +22,7 @@ ipc-namespace net none nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/pioneer.profile b/etc/profile-m-z/pioneer.profile index 8b1c5afb886..7c9bb352bfb 100644 --- a/etc/profile-m-z/pioneer.profile +++ b/etc/profile-m-z/pioneer.profile 
@@ -12,8 +12,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.pioneer @@ -26,6 +26,7 @@ ipc-namespace net none nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/pipe-viewer.profile b/etc/profile-m-z/pipe-viewer.profile new file mode 100644 index 00000000000..3de064311fb --- /dev/null +++ b/etc/profile-m-z/pipe-viewer.profile @@ -0,0 +1,21 @@ +# Firejail profile for pipe-viewer +# Description: Fork of youtube-viewer, scrapes youtube directly and with invidious +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include pipe-viewer.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/pipe-viewer +noblacklist ${HOME}/.config/pipe-viewer + +mkdir ${HOME}/.config/pipe-viewer +mkdir ${HOME}/.cache/pipe-viewer +whitelist ${HOME}/.cache/pipe-viewer +whitelist ${HOME}/.config/pipe-viewer + +private-bin gtk-pipe-viewer,pipe-viewer + +# Redirect +include youtube-viewers-common.profile diff --git a/etc/profile-m-z/pithos.profile b/etc/profile-m-z/pithos.profile index ad56ce52584..91814d8bb7e 100644 --- a/etc/profile-m-z/pithos.profile +++ b/etc/profile-m-z/pithos.profile @@ -14,8 +14,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc include whitelist-common.inc @@ -26,6 +26,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/pitivi.profile b/etc/profile-m-z/pitivi.profile index c722e29b41d..245ffae225c 100644 --- a/etc/profile-m-z/pitivi.profile +++ b/etc/profile-m-z/pitivi.profile 
@@ -16,7 +16,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-runuser-common.inc @@ -28,6 +27,7 @@ ipc-namespace net none nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/pix.profile b/etc/profile-m-z/pix.profile index 9864ed71891..6bd1ad02e76 100644 --- a/etc/profile-m-z/pix.profile +++ b/etc/profile-m-z/pix.profile @@ -13,12 +13,13 @@ noblacklist ${HOME}/.steam include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc caps.drop all nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/pkglog.profile b/etc/profile-m-z/pkglog.profile new file mode 100644 index 00000000000..23e21f3474d --- /dev/null +++ b/etc/profile-m-z/pkglog.profile 
@@ -0,0 +1,59 @@ +# Firejail profile for pklog +# Description: Reports log of package updates +# This file is overwritten after every install/update +# Persistent local customizations +include pkglog.local +# Persistent global definitions +include globals.local + +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python3.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-xdg.inc + +whitelist /var/log/apt/history.log +whitelist /var/log/dnf.rpm.log +whitelist /var/log/pacman.log + +apparmor +caps.drop all +ipc-namespace +machine-id +net none +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +seccomp +shell none +tracelog + +disable-mnt +private +private-bin pkglog,python* +private-cache +private-dev +private-etc alternatives,ld.so.preload +private-opt none +private-tmp +writable-var-log + +dbus-user none +dbus-system none + +memory-deny-write-execute +read-only ${HOME} +read-only /var/log/apt/history.log +read-only /var/log/dnf.rpm.log +read-only /var/log/pacman.log diff --git a/etc/profile-m-z/planmaker18.profile b/etc/profile-m-z/planmaker18.profile index 2ba8e86c0db..4cf1efb7f10 100644 --- a/etc/profile-m-z/planmaker18.profile +++ b/etc/profile-m-z/planmaker18.profile @@ -7,4 +7,4 @@ include planmaker18.local include globals.local # Redirect -include softmaker-common.inc +include softmaker-common.profile diff --git a/etc/profile-m-z/planmaker18free.profile b/etc/profile-m-z/planmaker18free.profile index d0bce44f503..bb85f1fc7e7 100644 --- a/etc/profile-m-z/planmaker18free.profile +++ b/etc/profile-m-z/planmaker18free.profile @@ -7,4 +7,4 @@ include planmaker18free.local include globals.local # Redirect -include softmaker-common.inc +include softmaker-common.profile diff --git a/etc/profile-m-z/playonlinux.profile b/etc/profile-m-z/playonlinux.profile index 03091af6d23..8e98905b542 100644 
--- a/etc/profile-m-z/playonlinux.profile +++ b/etc/profile-m-z/playonlinux.profile @@ -4,34 +4,20 @@ # Persistent local customizations include playonlinux.local # Persistent global definitions -include globals.local +# added by included profile +#include globals.local -noblacklist ${HOME}/.Steam -noblacklist ${HOME}/.local/share/Steam -noblacklist ${HOME}/.local/share/steam -noblacklist ${HOME}/.steam noblacklist ${HOME}/.PlayOnLinux # nc is needed to run playonlinux noblacklist ${PATH}/nc -# Allow python (blacklisted by disable-interpreters.inc) -include allow-python2.inc -include allow-python3.inc - # Allow perl (blacklisted by disable-interpreters.inc) include allow-perl.inc -include disable-common.inc -include disable-devel.inc -include disable-interpreters.inc -include disable-programs.inc +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python2.inc +include allow-python3.inc -caps.drop all -netfilter -nodvd -nogroups -nonewprivs -noroot -notv -seccomp +# Redirect +include wine.profile diff --git a/etc/profile-m-z/pluma.profile b/etc/profile-m-z/pluma.profile index ea8550bdaea..567725be47e 100644 --- a/etc/profile-m-z/pluma.profile +++ b/etc/profile-m-z/pluma.profile @@ -16,8 +16,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include whitelist-var-common.inc @@ -28,6 +28,7 @@ machine-id no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -48,6 +49,4 @@ private-tmp # dbus-user none # dbus-system none -memory-deny-write-execute - join-or-start pluma diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile new file mode 100644 index 00000000000..a6b0768f15c --- /dev/null +++ b/etc/profile-m-z/plv.profile 
@@ -0,0 +1,60 @@ +# Firejail profile for plv +# Description: Inspect pacman log files +# This file is overwritten after every install/update +# Persistent local customizations +include plv.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/PacmanLogViewer + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-xdg.inc + +mkdir ${HOME}/.config/PacmanLogViewer +whitelist ${HOME}/.config/PacmanLogViewer +whitelist /var/log/pacman.log +include whitelist-common.inc +include whitelist-usr-share-common.inc +include whitelist-runuser-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +machine-id +net none +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +seccomp +shell none +tracelog + +disable-mnt +private-bin plv +private-cache +private-dev +private-etc alternatives,fonts,ld.so.preload +private-opt none +private-tmp +writable-var-log + +dbus-user none +dbus-system none + +#memory-deny-write-execute - breaks opening file-chooser +read-only ${HOME} +read-write ${HOME}/.config/PacmanLogViewer +read-only /var/log/pacman.log diff --git a/etc/profile-m-z/pngquant.profile b/etc/profile-m-z/pngquant.profile index e9338d4b99c..534cc5943f7 100644 --- a/etc/profile-m-z/pngquant.profile +++ b/etc/profile-m-z/pngquant.profile @@ -7,14 +7,17 @@ include pngquant.local # Persistent global definitions include globals.local +noblacklist ${PICTURES} + blacklist ${RUNUSER}/wayland-* include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc 
@@ -28,15 +31,15 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound notv nou2f novideo -# protocol can be empty, but this is not yet supported see #639 -protocol inet -seccomp +# block the socket syscall to simulate an be empty protocol line, see #639 +seccomp socket shell none tracelog x11 none @@ -44,7 +47,7 @@ x11 none private-bin pngquant private-cache private-dev -private-etc alternatives +private-etc alternatives,ld.so.preload private-tmp dbus-user none diff --git a/etc/profile-m-z/polari.profile b/etc/profile-m-z/polari.profile index 87a53775f99..a3d4f985140 100644 --- a/etc/profile-m-z/polari.profile +++ b/etc/profile-m-z/polari.profile @@ -35,6 +35,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/ppsspp.profile b/etc/profile-m-z/ppsspp.profile index c62e53151cc..3e06cf3001d 100644 --- a/etc/profile-m-z/ppsspp.profile +++ b/etc/profile-m-z/ppsspp.profile @@ -1,22 +1,29 @@ # Firejail profile for ppsspp -# Description: A PSP emulator written in C++ +# Description: A PSP emulator # This file is overwritten after every install/update # Persistent local customizations include ppsspp.local # Persistent global definitions include globals.local +# Note: you must whitelist your games folder in your ppsspp.local. + noblacklist ${HOME}/.config/ppsspp -noblacklist ${DOCUMENTS} include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-write-mnt.inc include disable-xdg.inc +mkdir ${HOME}/.config/ppsspp +whitelist ${HOME}/.config/ppsspp +whitelist /usr/share/ppsspp +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc caps.drop all 
@@ -27,12 +34,14 @@ nogroups nonewprivs noroot notv +nou2f novideo protocol unix,netlink seccomp shell none -# private-dev is disabled to allow controller support +private-bin ppsspp,PPSSPP,PPSSPPQt,PPSSPPSDL +# Add the next line to your ppsspp.local if you do not need controller support. #private-dev private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl private-opt ppsspp diff --git a/etc/profile-m-z/pragha.profile b/etc/profile-m-z/pragha.profile index 019c1a547fe..c9793433ede 100644 --- a/etc/profile-m-z/pragha.profile +++ b/etc/profile-m-z/pragha.profile @@ -13,7 +13,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -23,6 +22,7 @@ caps.drop all netfilter no3d nogroups +noinput nonewprivs noroot notv @@ -33,6 +33,6 @@ seccomp shell none private-dev -private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg private-tmp diff --git a/etc/profile-m-z/presentations18.profile b/etc/profile-m-z/presentations18.profile index d4f53106003..65d684c4021 100644 --- a/etc/profile-m-z/presentations18.profile +++ b/etc/profile-m-z/presentations18.profile @@ -7,5 +7,5 @@ include presentations18.local include globals.local # Redirect -include softmaker-common.inc +include softmaker-common.profile diff --git a/etc/profile-m-z/presentations18free.profile b/etc/profile-m-z/presentations18free.profile index e2319f13fd1..21874722415 100644 --- a/etc/profile-m-z/presentations18free.profile 
+++ b/etc/profile-m-z/presentations18free.profile @@ -7,4 +7,4 @@ include presentations18free.local include globals.local # Redirect -include softmaker-common.inc +include softmaker-common.profile diff --git a/etc/profile-m-z/profanity.profile b/etc/profile-m-z/profanity.profile index b7aa2bf5263..af0ca5d8f29 100644 --- a/etc/profile-m-z/profanity.profile +++ b/etc/profile-m-z/profanity.profile @@ -18,8 +18,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc include whitelist-usr-share-common.inc @@ -30,6 +30,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -43,7 +44,7 @@ shell none private-bin profanity private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl private-tmp dbus-user none diff --git a/etc/profile-m-z/psi-plus.profile b/etc/profile-m-z/psi-plus.profile index 16fffe517ce..5f598cec595 100644 --- a/etc/profile-m-z/psi-plus.profile +++ b/etc/profile-m-z/psi-plus.profile @@ -13,7 +13,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.cache/psi+ @@ -30,6 +29,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/psi.profile b/etc/profile-m-z/psi.profile new file mode 100644 index 00000000000..99a72adeeb1 --- /dev/null +++ b/etc/profile-m-z/psi.profile 
@@ -0,0 +1,78 @@ +# Firejail profile for psi +# Description: Native XMPP client with GPG support +# This file is overwritten after every install/update +# Persistent local customizations +include psi.local +# Persistent global definitions +include globals.local + +# Add the next line to your psi.local to enable GPG support. +#noblacklist ${HOME}/.gnupg +noblacklist ${HOME}/.cache/psi +noblacklist ${HOME}/.cache/Psi +noblacklist ${HOME}/.config/psi +noblacklist ${HOME}/.local/share/psi +noblacklist ${HOME}/.local/share/Psi + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +# Add the next line to your psi.local to enable GPG support. +#mkdir ${HOME}/.gnupg +mkdir ${HOME}/.cache/psi +mkdir ${HOME}/.cache/Psi +mkdir ${HOME}/.config/psi +mkdir ${HOME}/.local/share/psi +mkdir ${HOME}/.local/share/Psi +# Add the next line to your psi.local to enable GPG support. +#whitelist ${HOME}/.gnupg +whitelist ${HOME}/.cache/psi +whitelist ${HOME}/.cache/Psi +whitelist ${HOME}/.config/psi +whitelist ${HOME}/.local/share/psi +whitelist ${HOME}/.local/share/Psi +whitelist ${DOWNLOADS} +# Add the next lines to your psi.local to enable GPG support. +#whitelist /usr/share/gnupg +#whitelist /usr/share/gnupg2 +whitelist /usr/share/psi +# Add the next lines to your psi.local to enable GPG support. +#whitelist ${RUNUSER}/gnupg +#whitelist ${RUNUSER}/keyring +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +netfilter +nodvd +nogroups +noinput +nonewprivs +noroot +notv +novideo +nou2f +protocol unix,inet,inet6,netlink +seccomp !chroot +shell none +#tracelog - breaks on Arch + +disable-mnt +# Add the next line to your psi.local to enable GPG support. 
+#private-bin gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet +private-bin getopt,psi +private-cache +private-dev +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gcrypt,group,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,machine-id,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg +private-tmp + +dbus-user none +dbus-system none diff --git a/etc/profile-m-z/pybitmessage.profile b/etc/profile-m-z/pybitmessage.profile index 034c144c71d..8d8729d4a56 100644 --- a/etc/profile-m-z/pybitmessage.profile +++ b/etc/profile-m-z/pybitmessage.profile @@ -16,7 +16,6 @@ include allow-python3.inc include disable-common.inc include disable-devel.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-interpreters.inc @@ -28,6 +27,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/pycharm-community.profile b/etc/profile-m-z/pycharm-community.profile index 9ee426a9561..f3d40e7f3ea 100644 --- a/etc/profile-m-z/pycharm-community.profile +++ b/etc/profile-m-z/pycharm-community.profile @@ -15,13 +15,13 @@ include allow-common-devel.inc include disable-common.inc include disable-devel.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all machine-id nodvd nogroups +noinput nosound notv nou2f diff --git a/etc/profile-m-z/pycharm-professional.profile b/etc/profile-m-z/pycharm-professional.profile index a14d0268b6c..b754a18c944 100644 --- a/etc/profile-m-z/pycharm-professional.profile +++ b/etc/profile-m-z/pycharm-professional.profile 
@@ -1,5 +1,10 @@ # Firejail profilen alias for pycharm-professional # This file is overwritten after every install/update +# Persistent local customizations +include pyucharm-professional.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.PyCharm* diff --git a/etc/profile-m-z/pzstd.profile b/etc/profile-m-z/pzstd.profile index ce9af328683..b0a4c6be84b 100644 --- a/etc/profile-m-z/pzstd.profile +++ b/etc/profile-m-z/pzstd.profile @@ -1,5 +1,10 @@ # Firejail profile alias for zstd # This file is overwritten after every install/update +# Persistent local customizations +include pzstd.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include zstd.profile diff --git a/etc/profile-m-z/qbittorrent.profile b/etc/profile-m-z/qbittorrent.profile index 820dc72144b..8778ec5fbd1 100644 --- a/etc/profile-m-z/qbittorrent.profile +++ b/etc/profile-m-z/qbittorrent.profile @@ -19,8 +19,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc mkdir ${HOME}/.cache/qBittorrent mkdir ${HOME}/.config/qBittorrent @@ -40,6 +40,7 @@ machine-id netfilter nodvd nogroups +noinput nonewprivs noroot nosound @@ -55,6 +56,7 @@ private-dev # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl,X11,xdg private-tmp +# See https://github.com/netblue30/firejail/issues/3707 for tray-icon dbus-user none dbus-system none diff --git a/etc/profile-m-z/qcomicbook.profile b/etc/profile-m-z/qcomicbook.profile new file mode 100644 index 00000000000..4d4d3694b16 --- /dev/null +++ b/etc/profile-m-z/qcomicbook.profile 
@@ -0,0 +1,67 @@ +# Firejail profile for qcomicbook +# Description: A comic book and manga viewer in QT +# This file is overwritten after every install/update +# Persistent local customizations +include qcomicbook.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/PawelStolowski +noblacklist ${HOME}/.config/PawelStolowski +noblacklist ${HOME}/.local/share/PawelStolowski +noblacklist ${DOCUMENTS} + +# Allow /bin/sh (blacklisted by disable-shell.inc) +include allow-bin-sh.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-write-mnt.inc +include disable-xdg.inc + +mkdir ${HOME}/.cache/PawelStolowski +mkdir ${HOME}/.config/PawelStolowski +mkdir ${HOME}/.local/share/PawelStolowski +whitelist /usr/share/qcomicbook +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +net none +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +shell none +tracelog + +private-bin 7z,7zr,qcomicbook,rar,sh,tar,unace,unrar,unzip +private-cache +private-dev +private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,pango,passwd,Trolltech.conf,X11,xdg +private-tmp + +dbus-user none +dbus-system none + +read-only ${HOME} +read-write ${HOME}/.cache/PawelStolowski +read-write ${HOME}/.config/PawelStolowski +read-write ${HOME}/.local/share/PawelStolowski +#to allow ${HOME}/.local/share/recently-used.xbel +read-write ${HOME}/.local/share diff --git a/etc/profile-m-z/qemu-launcher.profile b/etc/profile-m-z/qemu-launcher.profile index ac60384fd3b..2aea715dc55 100644 --- a/etc/profile-m-z/qemu-launcher.profile +++ b/etc/profile-m-z/qemu-launcher.profile 
@@ -8,7 +8,6 @@ include globals.local noblacklist ${HOME}/.qemu-launcher include disable-common.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all diff --git a/etc/profile-m-z/qemu-system-x86_64.profile b/etc/profile-m-z/qemu-system-x86_64.profile index d7d7905dd8d..2333e07d9fb 100644 --- a/etc/profile-m-z/qemu-system-x86_64.profile +++ b/etc/profile-m-z/qemu-system-x86_64.profile @@ -7,7 +7,6 @@ include qemu-system-x86_64.local include globals.local include disable-common.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all diff --git a/etc/profile-m-z/qgis.profile b/etc/profile-m-z/qgis.profile index eee5383834b..4ebd556d6e7 100644 --- a/etc/profile-m-z/qgis.profile +++ b/etc/profile-m-z/qgis.profile @@ -18,7 +18,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -37,6 +36,7 @@ netfilter machine-id nodvd nogroups +noinput nonewprivs noroot nosound @@ -52,7 +52,7 @@ tracelog disable-mnt private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,QGIS,QGIS.conf,resolv.conf,ssl,Trolltech.conf +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,machine-id,pki,QGIS,QGIS.conf,resolv.conf,ssl,Trolltech.conf private-tmp dbus-user none diff --git a/etc/profile-m-z/qlipper.profile b/etc/profile-m-z/qlipper.profile index fb9dca48fc8..7176d8a39c0 100644 --- a/etc/profile-m-z/qlipper.profile +++ b/etc/profile-m-z/qlipper.profile @@ -12,7 +12,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -21,6 +20,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound 
diff --git a/etc/profile-m-z/qmmp.profile b/etc/profile-m-z/qmmp.profile index 4dc6b6784a9..af85c95e7cb 100644 --- a/etc/profile-m-z/qmmp.profile +++ b/etc/profile-m-z/qmmp.profile @@ -12,14 +12,15 @@ noblacklist ${MUSIC} include disable-common.inc include disable-devel.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc caps.drop all netfilter # no3d nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/qnapi.profile b/etc/profile-m-z/qnapi.profile new file mode 100644 index 00000000000..89cb5baa8dc --- /dev/null +++ b/etc/profile-m-z/qnapi.profile @@ -0,0 +1,55 @@ +# Firejail profile for qnapi +# Description: Qt client for downloading movie subtitles from NapiProjekt, OpenSubtitles and Napisy24 +# This file is overwritten after every install/update +# Persistent local customizations +include qnapi.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/qnapi.ini + +ignore noexec /tmp + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkfile ${HOME}/.config/qnapi.ini +whitelist ${HOME}/.config/qnapi.ini +whitelist ${DOWNLOADS} +include whitelist-common.inc +include whitelist-usr-share-common.inc +include whitelist-runuser-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +netfilter +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6,netlink +seccomp +shell none +tracelog + +private-bin 7z,qnapi +private-cache +private-dev +private-etc alternatives,fonts,ld.so.preload +private-opt none +private-tmp + +dbus-user none +dbus-system none diff --git a/etc/profile-m-z/qpdfview.profile b/etc/profile-m-z/qpdfview.profile index c082762ad12..3ad8a19c841 100644 --- a/etc/profile-m-z/qpdfview.profile 
+++ b/etc/profile-m-z/qpdfview.profile @@ -14,8 +14,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc include whitelist-var-common.inc @@ -25,6 +25,7 @@ caps.drop all machine-id nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/qrencode.profile b/etc/profile-m-z/qrencode.profile new file mode 100644 index 00000000000..691449b9fd9 --- /dev/null +++ b/etc/profile-m-z/qrencode.profile @@ -0,0 +1,57 @@ +# Firejail profile for qrencode +# Description: Encode input data in a QR Code and save as a PNG or EPS image. +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include qrencode.local +# Persistent global definitions +include globals.local + +blacklist ${RUNUSER} + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-write-mnt.inc +include disable-xdg.inc + +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +machine-id +net none +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +shell none +tracelog +x11 none + +disable-mnt +private-bin qrencode +private-cache +private-dev +private-etc ld.so.preload,none +private-lib libpcre* +private-tmp + +dbus-user none +dbus-system none + +memory-deny-write-execute diff --git a/etc/profile-m-z/qtox.profile b/etc/profile-m-z/qtox.profile index c8b77123d15..60e1539fa69 100644 --- a/etc/profile-m-z/qtox.profile +++ b/etc/profile-m-z/qtox.profile 
@@ -13,8 +13,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.config/tox @@ -29,6 +29,7 @@ ipc-namespace netfilter nodvd nogroups +noinput nonewprivs noroot notv @@ -42,7 +43,7 @@ disable-mnt private-bin qtox private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl private-tmp dbus-user none diff --git a/etc/profile-m-z/quadrapassel.profile b/etc/profile-m-z/quadrapassel.profile new file mode 100644 index 00000000000..91e0d9d0d7f --- /dev/null +++ b/etc/profile-m-z/quadrapassel.profile @@ -0,0 +1,20 @@ +# Firejail profile for quadrapassel +# Description: Tetris-like game for GNOME +# This file is overwritten after every install/update +# Persistent local customizations +include quadrapassel.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.local/share/quadrapassel + +mkdir ${HOME}/.local/share/quadrapassel +whitelist ${HOME}/.local/share/quadrapassel +whitelist /usr/share/quadrapassel + +private-bin quadrapassel + +dbus-user.own org.gnome.Quadrapassel + +# Redirect +include gnome_games-common.profile diff --git a/etc/profile-m-z/quaternion.profile b/etc/profile-m-z/quaternion.profile new file mode 100644 index 00000000000..dfb46ddaeb8 --- /dev/null +++ b/etc/profile-m-z/quaternion.profile 
@@ -0,0 +1,54 @@ +# Firejail profile for quaternion +# Description: Desktop client for Matrix +# This file is overwritten after every install/update +# Persistent local customizations +include quaternion.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/Quotient/quaternion +noblacklist ${HOME}/.config/Quotient + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.cache/Quotient/quaternion +mkdir ${HOME}/.config/Quotient +whitelist ${HOME}/.cache/Quotient/quaternion +whitelist ${HOME}/.config/Quotient +whitelist ${DOWNLOADS} +whitelist /usr/share/Quotient/quaternion +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +netfilter +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +protocol unix,inet,inet6,netlink +seccomp +shell none +tracelog + +disable-mnt +private-bin quaternion +private-cache +private-dev +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg +private-tmp + +dbus-user none +dbus-system none diff --git a/etc/profile-m-z/quiterss.profile b/etc/profile-m-z/quiterss.profile index 8dbdffdc8ca..8f89931c72c 100644 --- a/etc/profile-m-z/quiterss.profile +++ b/etc/profile-m-z/quiterss.profile @@ -15,8 +15,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc mkdir ${HOME}/.cache/QuiteRss mkdir ${HOME}/.config/QuiteRss 
@@ -36,6 +36,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/quodlibet.profile b/etc/profile-m-z/quodlibet.profile new file mode 100644 index 00000000000..bc435653d1b --- /dev/null +++ b/etc/profile-m-z/quodlibet.profile @@ -0,0 +1,66 @@ +# Firejail profile for quodlibet +# Description: Music player and music library manager +# This file is overwritten after every install/update +# Persistent local customizations +include quodlibet.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/quodlibet +noblacklist ${HOME}/.config/quodlibet +noblacklist ${HOME}/.quodlibet +noblacklist ${MUSIC} + +include allow-bin-sh.inc + +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python2.inc +include allow-python3.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.cache/quodlibet +mkdir ${HOME}/.config/quodlibet +mkdir ${HOME}/.quodlibet + +whitelist ${HOME}/.cache/quodlibet +whitelist ${HOME}/.config/quodlibet +whitelist ${HOME}/.quodlibet +whitelist ${DOWNLOADS} +whitelist ${MUSIC} +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +seccomp.block-secondary +shell none +tracelog + +private-bin exfalso,operon,python*,quodlibet,sh +private-cache +private-dev +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,passwd,pki,pulse,resolv.conf,ssl +private-tmp + +dbus-system none 
diff --git a/etc/profile-m-z/qupzilla.profile b/etc/profile-m-z/qupzilla.profile index 7aa71c8488c..c29d87a73e5 100644 --- a/etc/profile-m-z/qupzilla.profile +++ b/etc/profile-m-z/qupzilla.profile @@ -13,7 +13,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.cache/qupzilla diff --git a/etc/profile-m-z/redeclipse.profile b/etc/profile-m-z/redeclipse.profile index bb1ad56d390..436b98f2939 100644 --- a/etc/profile-m-z/redeclipse.profile +++ b/etc/profile-m-z/redeclipse.profile @@ -12,18 +12,22 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-xdg.inc mkdir ${HOME}/.redeclipse whitelist ${HOME}/.redeclipse +whitelist /usr/share/redeclipse include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv @@ -32,8 +36,13 @@ novideo protocol unix,inet,inet6 seccomp shell none +tracelog disable-mnt +#private-bin redeclipse,sh,man +private-cache private-dev private-tmp +dbus-user none +dbus-system none diff --git a/etc/profile-m-z/rednotebook.profile b/etc/profile-m-z/rednotebook.profile new file mode 100644 index 00000000000..d1dd365ab62 --- /dev/null +++ b/etc/profile-m-z/rednotebook.profile 
@@ -0,0 +1,66 @@ +# Firejail profile for rednotebook +# Description: Daily journal with calendar, templates and keyword searching +# This file is overwritten after every install/update +# Persistent local customizations +include rednotebook.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/rednotebook +noblacklist ${HOME}/.rednotebook + +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python3.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc + +mkdir ${HOME}/.cache/rednotebook +mkdir ${HOME}/.rednotebook +whitelist ${HOME}/.cache/rednotebook +whitelist ${HOME}/.rednotebook +whitelist ${DESKTOP} +whitelist ${DOCUMENTS} +whitelist ${DOWNLOADS} +whitelist ${MUSIC} +whitelist ${PICTURES} +whitelist ${VIDEOS} +whitelist /usr/libexec/webkit2gtk-4.0 +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +net none +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin python3*,rednotebook +private-cache +private-dev +private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11 +private-tmp + +dbus-user none +dbus-system none diff --git a/etc/profile-m-z/redshift.profile b/etc/profile-m-z/redshift.profile index 298ab19022a..06ae67ae135 100644 --- a/etc/profile-m-z/redshift.profile +++ b/etc/profile-m-z/redshift.profile @@ -13,7 +13,6 @@ noblacklist ${HOME}/.config/redshift.conf include disable-common.inc include disable-devel.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-interpreters.inc include disable-programs.inc include disable-xdg.inc 
@@ -31,6 +30,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/regextester.profile b/etc/profile-m-z/regextester.profile index 207156ba54b..6b914479131 100644 --- a/etc/profile-m-z/regextester.profile +++ b/etc/profile-m-z/regextester.profile @@ -9,15 +9,14 @@ include globals.local include disable-common.inc include disable-devel.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-interpreters.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc whitelist /usr/share/com.github.artemanufrij.regextester -include whitelist-usr-share-common.inc - include whitelist-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor @@ -28,6 +27,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -43,15 +43,13 @@ disable-mnt private-bin regextester private-cache private-dev -private-etc alternatives,fonts +private-etc alternatives,fonts,ld.so.preload private-lib libgranite.so.* private-tmp -# makes settings immutable -# dbus-user none -# dbus-system none - -memory-deny-write-execute +dbus-user filter +dbus-user.talk ca.desrt.dconf +dbus-system none # never write anything read-only ${HOME} diff --git a/etc/profile-m-z/remmina.profile b/etc/profile-m-z/remmina.profile index 6311c91df6d..16da40dafa8 100644 --- a/etc/profile-m-z/remmina.profile +++ b/etc/profile-m-z/remmina.profile @@ -9,13 +9,14 @@ include globals.local noblacklist ${HOME}/.remmina noblacklist ${HOME}/.config/remmina noblacklist ${HOME}/.local/share/remmina -noblacklist ${HOME}/.ssh + +# Allow ssh (blacklisted by disable-common.inc) +include allow-ssh.inc include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -25,6 +26,7 @@ include whitelist-var-common.inc caps.drop all nodvd nogroups +noinput nonewprivs noroot notv 
diff --git a/etc/profile-m-z/rhythmbox.profile b/etc/profile-m-z/rhythmbox.profile index f3939685a24..26b62e456f2 100644 --- a/etc/profile-m-z/rhythmbox.profile +++ b/etc/profile-m-z/rhythmbox.profile @@ -14,17 +14,21 @@ noblacklist ${HOME}/.local/share/rhythmbox include allow-python2.inc include allow-python3.inc +# Allow lua (blacklisted by disable-interpreters.inc) +include allow-lua.inc + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc whitelist /usr/share/rhythmbox whitelist /usr/share/lua whitelist /usr/share/libquvi-scripts +whitelist /usr/share/tracker include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -33,6 +37,7 @@ apparmor caps.drop all netfilter nogroups +noinput nonewprivs noroot notv @@ -40,10 +45,12 @@ nou2f novideo protocol unix,inet,inet6,netlink seccomp +seccomp.block-secondary shell none tracelog private-bin rhythmbox,rhythmbox-client +private-cache private-dev private-tmp @@ -52,7 +59,8 @@ dbus-user.own org.gnome.Rhythmbox3 dbus-user.own org.mpris.MediaPlayer2.rhythmbox dbus-user.own org.gnome.UPnP.MediaServer2.Rhythmbox dbus-user.talk ca.desrt.dconf +dbus-user.talk org.gtk.vfs.* dbus-user.talk org.freedesktop.Notifications -dbus-system none +dbus-user.talk org.gnome.SettingsDaemon.MediaKeys dbus-system filter dbus-system.talk org.freedesktop.Avahi diff --git a/etc/profile-m-z/ricochet.profile b/etc/profile-m-z/ricochet.profile index 1b8fbbc97d4..705ca004551 100644 --- a/etc/profile-m-z/ricochet.profile +++ b/etc/profile-m-z/ricochet.profile @@ -11,8 +11,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc mkdir ${HOME}/.local/share/Ricochet whitelist ${DOWNLOADS} 
@@ -25,6 +25,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/riot-desktop.profile b/etc/profile-m-z/riot-desktop.profile index 4372fabe119..e91d25196c6 100644 --- a/etc/profile-m-z/riot-desktop.profile +++ b/etc/profile-m-z/riot-desktop.profile @@ -7,7 +7,5 @@ include riot-desktop.local # added by included profile #include globals.local -seccomp !chroot - # Redirect include riot-web.profile diff --git a/etc/profile-m-z/riot-web.profile b/etc/profile-m-z/riot-web.profile index b930adf2b00..687c943b09d 100644 --- a/etc/profile-m-z/riot-web.profile +++ b/etc/profile-m-z/riot-web.profile @@ -4,14 +4,15 @@ # Persistent local customizations include riot-web.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local + +ignore noexec /tmp noblacklist ${HOME}/.config/Riot mkdir ${HOME}/.config/Riot whitelist ${HOME}/.config/Riot -include whitelist-common.inc +whitelist /usr/share/webapps/element # Redirect include electron.profile diff --git a/etc/profile-m-z/ripperx.profile b/etc/profile-m-z/ripperx.profile index cf6daada52c..81aef5a65ce 100644 --- a/etc/profile-m-z/ripperx.profile +++ b/etc/profile-m-z/ripperx.profile @@ -13,7 +13,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -25,6 +24,7 @@ caps.drop all netfilter no3d nogroups +noinput nonewprivs noroot nou2f diff --git a/etc/profile-m-z/ristretto.profile b/etc/profile-m-z/ristretto.profile index a1cbdf16cf6..79f090d95d3 100644 --- a/etc/profile-m-z/ristretto.profile +++ b/etc/profile-m-z/ristretto.profile @@ -14,7 +14,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-var-common.inc 
@@ -26,6 +25,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/rocketchat.profile b/etc/profile-m-z/rocketchat.profile index a574e4e8b98..8d3607c75bd 100644 --- a/etc/profile-m-z/rocketchat.profile +++ b/etc/profile-m-z/rocketchat.profile @@ -3,14 +3,28 @@ # Persistent local customizations include rocketchat.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local + +# Disabled until someone reported positive feedback +ignore include disable-devel.inc +ignore include disable-exec.inc +ignore include disable-interpreters.inc +ignore include disable-xdg.inc +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc +ignore include whitelist-var-common.inc +ignore nou2f +ignore novideo +ignore shell none +ignore disable-mnt +ignore private-cache +ignore private-dev +ignore private-tmp noblacklist ${HOME}/.config/Rocket.Chat mkdir ${HOME}/.config/Rocket.Chat whitelist ${HOME}/.config/Rocket.Chat -include whitelist-common.inc # Redirect include electron.profile diff --git a/etc/profile-m-z/rsync-download_only.profile b/etc/profile-m-z/rsync-download_only.profile index a39ff759a2b..e49f10b7bfb 100644 --- a/etc/profile-m-z/rsync-download_only.profile +++ b/etc/profile-m-z/rsync-download_only.profile 
@@ -7,24 +7,22 @@ include rsync.local # Persistent global definitions include globals.local -# Warning: This profile is writte to use rsync as an client for downloading, -# it is not writen to use rsync as an daemon (rsync --daemon) or to create backups. - +# WARNING: this profile is designed to use rsync as a client for downloading, +# not as a daemon (rsync --daemon) nor to create backups. # Usage: firejail --profile=rsync-download_only rsync blacklist /tmp/.X11-unix -blacklist ${RUNUSER}/wayland-* blacklist ${RUNUSER} include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc -# Uncomment or add to rsync.local to enable extra hardening +# Add the next line to your rsync-download_only.local to enable extra hardening. #whitelist ${DOWNLOADS} include whitelist-var-common.inc @@ -35,6 +33,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -50,7 +49,7 @@ disable-mnt private-bin rsync private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl +private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl private-tmp dbus-user none diff --git a/etc/profile-m-z/rtin.profile b/etc/profile-m-z/rtin.profile new file mode 100644 index 00000000000..cd84ce05e63 --- /dev/null +++ b/etc/profile-m-z/rtin.profile @@ -0,0 +1,8 @@ +# Firejail profile for rtin +# Description: ncurses-based Usenet newsreader +# symlink to tin, same as `tin -r` +# This file is overwritten after every install/update +# Persistent local customizations +include rtin.local + +include tin.profile diff --git a/etc/profile-m-z/rtorrent.profile b/etc/profile-m-z/rtorrent.profile index 0b4d6e1b1d3..7576249387e 100644 
--- a/etc/profile-m-z/rtorrent.profile +++ b/etc/profile-m-z/rtorrent.profile @@ -10,13 +10,14 @@ include globals.local include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc caps.drop all machine-id netfilter nodvd +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/rtv-addons.profile b/etc/profile-m-z/rtv-addons.profile new file mode 100644 index 00000000000..cc6db504326 --- /dev/null +++ b/etc/profile-m-z/rtv-addons.profile @@ -0,0 +1,28 @@ +# This file is overwritten during software install. +# Persistent customizations should go in a .local file. +include rtv-addons.local +# You can configure rtv to open different type of links +# in external applications. Configuration here: +# https://github.com/michael-lazar/rtv#viewing-media-links +# This include is meant to facilitate that configuration +# with the use of a .local file. + +ignore nosound +ignore private-bin +ignore dbus-user none + +noblacklist ${HOME}/.config/mpv +noblacklist ${HOME}/.mailcap +noblacklist ${HOME}/.netrc +noblacklist ${HOME}/.w3m + +whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs +whitelist ${HOME}/.config/mpv +whitelist ${HOME}/.mailcap +whitelist ${HOME}/.netrc +whitelist ${HOME}/.w3m + +#private-bin w3m,mpv,youtube-dl + +# tells rtv, which browser to use +#env RTV_BROWSER=w3m diff --git a/etc/profile-m-z/rtv.profile b/etc/profile-m-z/rtv.profile index 14740e05fc9..03d812270d5 100644 --- a/etc/profile-m-z/rtv.profile +++ b/etc/profile-m-z/rtv.profile 
@@ -12,15 +12,21 @@ blacklist ${RUNUSER}/wayland-* noblacklist ${HOME}/.config/rtv noblacklist ${HOME}/.local/share/rtv +# Allow /bin/sh (blacklisted by disable-shell.inc) +include allow-bin-sh.inc + # Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc include allow-python3.inc +# You can configure rtv to open different type of links in external applications. +# Configuration: https://github.com/michael-lazar/rtv#viewing-media-links. +# Add the next line to your rtv.local to enable external application support. +#include rtv-addons.profile include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -37,6 +43,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -49,10 +56,10 @@ shell none tracelog disable-mnt -private-bin python*,rtv,sh,xdg-settings +private-bin less,python*,rtv,sh,xdg-settings private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg +private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mailcap,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg dbus-user none dbus-system none diff --git a/etc/profile-m-z/runenpass.sh.profile b/etc/profile-m-z/runenpass.sh.profile index 64432c171bf..304bda87b4b 100644 --- a/etc/profile-m-z/runenpass.sh.profile +++ b/etc/profile-m-z/runenpass.sh.profile 
@@ -1,5 +1,10 @@ # Firejail alias profile for enpass # This file is overwritten after every install/update +# Persistent local customizations +include runenpass.sh.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include enpass.profile diff --git a/etc/profile-m-z/sayonara.profile b/etc/profile-m-z/sayonara.profile index 8f0544f3386..d447be44337 100644 --- a/etc/profile-m-z/sayonara.profile +++ b/etc/profile-m-z/sayonara.profile @@ -11,14 +11,15 @@ noblacklist ${MUSIC} include disable-common.inc include disable-devel.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc caps.drop all netfilter no3d nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/scallion.profile b/etc/profile-m-z/scallion.profile index 0f67d4d09d5..1fa45a74718 100644 --- a/etc/profile-m-z/scallion.profile +++ b/etc/profile-m-z/scallion.profile @@ -14,7 +14,6 @@ noblacklist ${DOCUMENTS} include disable-common.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -25,6 +24,7 @@ ipc-namespace net none nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/scorched3d-wrapper.profile b/etc/profile-m-z/scorched3d-wrapper.profile index 507d0827eba..e76caec1d03 100644 --- a/etc/profile-m-z/scorched3d-wrapper.profile +++ b/etc/profile-m-z/scorched3d-wrapper.profile @@ -1,10 +1,11 @@ -# Firejail profile for scorched3d +# Firejail profile for scorched3d-wrapper # This file is overwritten after every install/update # Persistent local customizations include scorched3d-wrapper.local -whitelist /usr/share/opengl-games-utils -private-bin basename,bash,cut,glxinfo,grep,head,sed,zenity +include allow-opengl-game.inc + +private-bin scorched3d-wrapper # Redirect include scorched3d.profile 
diff --git a/etc/profile-m-z/scorched3d.profile b/etc/profile-m-z/scorched3d.profile index 6a1003c3300..77b3d8923e5 100644 --- a/etc/profile-m-z/scorched3d.profile +++ b/etc/profile-m-z/scorched3d.profile @@ -12,13 +12,13 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc mkdir ${HOME}/.scorched3d whitelist ${HOME}/.scorched3d whitelist /usr/share/scorched3d +whitelist /usr/share/games/scorched3d include whitelist-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc @@ -29,6 +29,7 @@ ipc-namespace netfilter nodvd nogroups +noinput nonewprivs noroot notv @@ -40,7 +41,7 @@ shell none tracelog disable-mnt -private-bin scorched3d,scorched3d-wrapper,scorched3dc,scorched3ds +private-bin scorched3d,scorched3dc,scorched3ds private-cache private-dev private-tmp diff --git a/etc/profile-m-z/scorchwentbonkers.profile b/etc/profile-m-z/scorchwentbonkers.profile index 7cb57edce87..d256b2efeb9 100644 --- a/etc/profile-m-z/scorchwentbonkers.profile +++ b/etc/profile-m-z/scorchwentbonkers.profile @@ -12,8 +12,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.swb.ini @@ -28,6 +28,7 @@ caps.drop all net none nodvd nogroups +noinput nonewprivs noroot notv @@ -42,7 +43,7 @@ disable-mnt private-bin scorchwentbonkers private-cache private-dev -private-etc alsa,asound.conf,machine-id,pulse +private-etc alsa,asound.conf,ld.so.preload,machine-id,pulse private-tmp dbus-user none diff --git a/etc/profile-m-z/scribus.profile b/etc/profile-m-z/scribus.profile index 22cd10737a5..5cf60baea19 100644 --- a/etc/profile-m-z/scribus.profile +++ b/etc/profile-m-z/scribus.profile 
@@ -34,7 +34,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -45,6 +44,7 @@ caps.drop all net none nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/sdat2img.profile b/etc/profile-m-z/sdat2img.profile index b45eff4cd7f..81a7dc92962 100644 --- a/etc/profile-m-z/sdat2img.profile +++ b/etc/profile-m-z/sdat2img.profile @@ -14,8 +14,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc include whitelist-var-common.inc @@ -25,6 +25,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/seahorse-adventures.profile b/etc/profile-m-z/seahorse-adventures.profile index 89572484475..cb3378597f7 100644 --- a/etc/profile-m-z/seahorse-adventures.profile +++ b/etc/profile-m-z/seahorse-adventures.profile @@ -6,6 +6,9 @@ include seahorse-adventures.local # Persistent global definitions include globals.local +# Allow /bin/sh (blacklisted by disable-shell.inc) +include allow-bin-sh.inc + # Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc include allow-python3.inc @@ -14,11 +17,12 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc whitelist /usr/share/seahorse-adventures +whitelist /usr/share/games/seahorse-adventures include whitelist-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -28,6 +32,7 @@ caps.drop all net none nodvd nogroups +noinput nonewprivs noroot notv 
@@ -40,10 +45,10 @@ tracelog disable-mnt private -private-bin python*,seahorse-adventures +private-bin bash,dash,python*,seahorse-adventures,sh private-cache private-dev -private-etc machine-id +private-etc ld.so.preload,machine-id private-tmp dbus-user none diff --git a/etc/profile-m-z/seahorse-tool.profile b/etc/profile-m-z/seahorse-tool.profile index 96ff74edfd6..f08b852db2a 100644 --- a/etc/profile-m-z/seahorse-tool.profile +++ b/etc/profile-m-z/seahorse-tool.profile @@ -8,7 +8,7 @@ include seahorse-tool.local #include globals.local # private-etc workaround for: #2877 -private-etc firejail,login.defs,passwd +private-etc firejail,ld.so.preload,login.defs,passwd private-tmp # Redirect diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile index 85d86d64664..94a27da871c 100644 --- a/etc/profile-m-z/seahorse.profile +++ b/etc/profile-m-z/seahorse.profile @@ -9,19 +9,19 @@ include globals.local blacklist /tmp/.X11-unix noblacklist ${HOME}/.gnupg -noblacklist ${HOME}/.ssh -noblacklist /tmp/ssh-* + +# Allow ssh (blacklisted by disable-common.inc) +include allow-ssh.inc include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc # whitelisting in ${HOME} breaks file encryption feature of nautilus. -# once #2882 is fixed this can be uncommented and nowhitelisted in seahorse-tool.profile +# Once #2882 is fixed this can be activated here and nowhitelisted in seahorse-tool.profile. #mkdir ${HOME}/.gnupg #mkdir ${HOME}/.ssh #whitelist ${HOME}/.gnupg @@ -45,6 +45,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -63,6 +64,7 @@ private-etc ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ho writable-run-user dbus-user filter +dbus-user.own org.gnome.seahorse dbus-user.own org.gnome.seahorse.Application dbus-user.talk org.freedesktop.secrets dbus-system none 
diff --git a/etc/profile-m-z/seamonkey-bin.profile b/etc/profile-m-z/seamonkey-bin.profile index 53229495033..f9cb0843217 100644 --- a/etc/profile-m-z/seamonkey-bin.profile +++ b/etc/profile-m-z/seamonkey-bin.profile @@ -1,5 +1,10 @@ # Firejail profile alias for seamonkey # This file is overwritten after every install/update +# Persistent local customizations +include seamonkey-bin.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include seamonkey.profile diff --git a/etc/profile-m-z/secret-tool.profile b/etc/profile-m-z/secret-tool.profile index 70d9a5b1d59..99ba11d30b9 100644 --- a/etc/profile-m-z/secret-tool.profile +++ b/etc/profile-m-z/secret-tool.profile @@ -1,6 +1,7 @@ # Firejail profile for secret-tool # Description: Library for storing and retrieving passwords and other secrets # This file is overwritten after every install/update +quiet # Persistent local customizations include secret-tool.local # Persistent global definitions diff --git a/etc/profile-m-z/server.profile b/etc/profile-m-z/server.profile index 5bc4735aeaa..3c9ef3a8676 100644 --- a/etc/profile-m-z/server.profile +++ b/etc/profile-m-z/server.profile @@ -7,7 +7,6 @@ # [sudo] password for netblue: # Reading profile /etc/firejail/server.profile # Reading profile /etc/firejail/disable-common.inc -# Reading profile /etc/firejail/disable-passwdmgr.inc # Reading profile /etc/firejail/disable-programs.inc # # ** Note: you can use --noprofile to disable server.profile ** 
@@ -43,35 +42,49 @@ include disable-common.inc # include disable-devel.inc # include disable-exec.inc # include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc -# include disable-xdg.inc +include disable-write-mnt.inc +include disable-xdg.inc +# include whitelist-runuser-common.inc +# include whitelist-usr-share-common.inc +# include whitelist-var-common.inc + +apparmor caps # ipc-namespace +machine-id # netfilter /etc/firejail/webserver.net no3d nodvd # nogroups +noinput # nonewprivs # noroot nosound notv nou2f novideo +# protocol unix,inet,inet6,netlink seccomp # shell none -# disable-mnt +disable-mnt private # private-bin program # private-cache private-dev +# see /usr/share/doc/firejail/profile.template for more common private-etc paths. # private-etc alternatives # private-lib +# private-opt none private-tmp -# dbus-user none +dbus-user none # dbus-system none # memory-deny-write-execute +# read-only ${HOME} +# writable-run-user +# writable-var +# writable-var-log diff --git a/etc/profile-m-z/servo.profile b/etc/profile-m-z/servo.profile new file mode 100644 index 00000000000..7788974cedf --- /dev/null +++ b/etc/profile-m-z/servo.profile 
@@ -0,0 +1,49 @@ +# Firejail profile for servo +# Description: The Servo Browser Engine +# This file is overwritten after every install/update +# Persistent local customizations +include servo.local +# Persistent global definitions +include globals.local + +# Servo is usually installed inside $HOME +ignore noexec ${HOME} + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-xdg.inc + +# Add the next lines to your servo.local to turn this into a whitelisting profile. +# You will need to add a whitelist for the directory where servo is installed. +#whitelist ${DOWNLOADS} +#include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +caps.drop all +netfilter +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +disable-mnt +private-bin servo,sh +private-cache +private-dev +private-tmp + +dbus-user none +dbus-system none diff --git a/etc/profile-m-z/sha1sum.profile b/etc/profile-m-z/sha1sum.profile new file mode 100644 index 00000000000..b2064b95dc2 --- /dev/null +++ b/etc/profile-m-z/sha1sum.profile @@ -0,0 +1,13 @@ +# Firejail profile for sha1sum +# Description: compute and check SHA1 message digest +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include sha1sum.local +# Persistent global definitions +include globals.local + +private-bin sha1sum + +# Redirect +include hasher-common.profile diff --git a/etc/profile-m-z/sha224sum.profile b/etc/profile-m-z/sha224sum.profile new file mode 100644 index 00000000000..cb26cc5ff56 --- /dev/null +++ b/etc/profile-m-z/sha224sum.profile 
@@ -0,0 +1,13 @@ +# Firejail profile for sha224sum +# Description: compute and check SHA224 message digest +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include sha224sum.local +# Persistent global definitions +include globals.local + +private-bin sha224sum + +# Redirect +include hasher-common.profile diff --git a/etc/profile-m-z/sha256sum.profile b/etc/profile-m-z/sha256sum.profile new file mode 100644 index 00000000000..48944ebea87 --- /dev/null +++ b/etc/profile-m-z/sha256sum.profile @@ -0,0 +1,13 @@ +# Firejail profile for sha256sum +# Description: compute and check SHA256 message digest +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include sha256sum.local +# Persistent global definitions +include globals.local + +private-bin sha256sum + +# Redirect +include hasher-common.profile diff --git a/etc/profile-m-z/sha384sum.profile b/etc/profile-m-z/sha384sum.profile new file mode 100644 index 00000000000..6d876daede0 --- /dev/null +++ b/etc/profile-m-z/sha384sum.profile @@ -0,0 +1,13 @@ +# Firejail profile for sha384sum +# Description: compute and check SHA384 message digest +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include sha384sum.local +# Persistent global definitions +include globals.local + +private-bin sha384sum + +# Redirect +include hasher-common.profile diff --git a/etc/profile-m-z/sha512sum.profile b/etc/profile-m-z/sha512sum.profile new file mode 100644 index 00000000000..7ebaf3540a6 --- /dev/null +++ b/etc/profile-m-z/sha512sum.profile @@ -0,0 +1,13 @@ +# Firejail profile for sha512sum +# Description: compute and check SHA512 message digest +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include sha512sum.local +# Persistent global definitions +include globals.local + +private-bin sha512sum + +# Redirect +include hasher-common.profile 
diff --git a/etc/profile-m-z/shellcheck.profile b/etc/profile-m-z/shellcheck.profile index 6cd70c2ea14..f2469048f93 100644 --- a/etc/profile-m-z/shellcheck.profile +++ b/etc/profile-m-z/shellcheck.profile @@ -7,7 +7,6 @@ include shellcheck.local # Persistent global definitions include globals.local -blacklist ${RUNUSER}/wayland-* blacklist ${RUNUSER} noblacklist ${DOCUMENTS} @@ -16,7 +15,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -32,6 +30,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -40,6 +39,7 @@ nou2f novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog x11 none diff --git a/etc/profile-m-z/shortwave.profile b/etc/profile-m-z/shortwave.profile index ee231483300..0bcf5f693b6 100644 --- a/etc/profile-m-z/shortwave.profile +++ b/etc/profile-m-z/shortwave.profile @@ -13,7 +13,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -32,6 +31,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/shotcut.profile b/etc/profile-m-z/shotcut.profile index bec0bfbb0bd..e5dbf5c5f87 100644 --- a/etc/profile-m-z/shotcut.profile +++ b/etc/profile-m-z/shotcut.profile @@ -14,13 +14,13 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all net none nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/shotwell.profile b/etc/profile-m-z/shotwell.profile new file mode 100644 index 00000000000..304a1cda273 --- /dev/null +++ b/etc/profile-m-z/shotwell.profile 
@@ -0,0 +1,60 @@ +# Firejail profile for shotwell +# Description: A digital photo organizer designed for the GNOME desktop environment +# This file is overwritten after every install/update +# Persistent local customizations +include shotwell.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/shotwell +noblacklist ${HOME}/.local/share/shotwell + +noblacklist ${PICTURES} +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.cache/shotwell +mkdir ${HOME}/.local/share/shotwell +whitelist ${HOME}/.cache/shotwell +whitelist ${HOME}/.local/share/shotwell +whitelist ${PICTURES} +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +netfilter +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +shell none +tracelog + +private-bin shotwell +private-cache +private-dev +private-etc alternatives,fonts,ld.so.preload,machine-id +private-opt none +private-tmp + +dbus-user filter +dbus-user.own org.gnome.Shotwell +dbus-user.talk ca.desrt.dconf +dbus-user.talk org.gtk.vfs.UDisks2VolumeMonitor +dbus-system none diff --git a/etc/profile-m-z/signal-cli.profile b/etc/profile-m-z/signal-cli.profile index 6a2f5c434ae..24f1464f94b 100644 --- a/etc/profile-m-z/signal-cli.profile +++ b/etc/profile-m-z/signal-cli.profile @@ -17,7 +17,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -31,6 +30,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound 
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile index 5d9225705ab..77a7f5b3882 100644 --- a/etc/profile-m-z/signal-desktop.profile +++ b/etc/profile-m-z/signal-desktop.profile @@ -5,6 +5,8 @@ include signal-desktop.local # Persistent global definitions include globals.local +ignore novideo + ignore noexec /tmp noblacklist ${HOME}/.config/Signal @@ -14,31 +16,15 @@ noblacklist ${HOME}/.mozilla whitelist ${HOME}/.mozilla/firefox/profiles.ini read-only ${HOME}/.mozilla/firefox/profiles.ini -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-programs.inc -include disable-passwdmgr.inc - mkdir ${HOME}/.config/Signal -whitelist ${DOWNLOADS} whitelist ${HOME}/.config/Signal -include whitelist-common.inc -include whitelist-var-common.inc - -apparmor -caps.keep sys_admin,sys_chroot -netfilter -nodvd -nogroups -notv -nou2f -shell none - -disable-mnt -private-dev -private-tmp - -dbus-user none -dbus-system none + +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,nsswitch.conf,pki,resolv.conf,ssl + +# allow D-Bus notifications +dbus-user filter +dbus-user.talk org.freedesktop.Notifications +ignore dbus-user none + +# Redirect +include electron.profile diff --git a/etc/profile-m-z/silentarmy.profile b/etc/profile-m-z/silentarmy.profile index cfc33d07482..4351a4d43ac 100644 --- a/etc/profile-m-z/silentarmy.profile +++ b/etc/profile-m-z/silentarmy.profile @@ -10,8 +10,8 @@ include disable-common.inc # include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc include whitelist-var-common.inc @@ -20,6 +20,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot nosound 
diff --git a/etc/profile-m-z/simple-scan.profile b/etc/profile-m-z/simple-scan.profile index 40fe8c5668f..b0ab0d039cc 100644 --- a/etc/profile-m-z/simple-scan.profile +++ b/etc/profile-m-z/simple-scan.profile @@ -12,10 +12,10 @@ noblacklist ${DOCUMENTS} include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc +whitelist /usr/share/hplip whitelist /usr/share/simple-scan include whitelist-usr-share-common.inc include whitelist-var-common.inc diff --git a/etc/profile-m-z/simplescreenrecorder.profile b/etc/profile-m-z/simplescreenrecorder.profile index edcc2a0f4ef..03a3503277c 100644 --- a/etc/profile-m-z/simplescreenrecorder.profile +++ b/etc/profile-m-z/simplescreenrecorder.profile @@ -13,7 +13,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -25,6 +24,7 @@ apparmor caps.drop all nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/simutrans.profile b/etc/profile-m-z/simutrans.profile index 1b81f2ea15b..55e472dbe60 100644 --- a/etc/profile-m-z/simutrans.profile +++ b/etc/profile-m-z/simutrans.profile @@ -12,7 +12,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.simutrans @@ -25,6 +24,7 @@ caps.drop all net none nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/skanlite.profile b/etc/profile-m-z/skanlite.profile index 093a6139869..4965d388264 100644 --- a/etc/profile-m-z/skanlite.profile +++ b/etc/profile-m-z/skanlite.profile 
@@ -11,7 +11,6 @@ noblacklist ${DOCUMENTS} include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc diff --git a/etc/profile-m-z/skypeforlinux.profile b/etc/profile-m-z/skypeforlinux.profile index 341c25a9558..ed04eda8e9e 100644 --- a/etc/profile-m-z/skypeforlinux.profile +++ b/etc/profile-m-z/skypeforlinux.profile @@ -5,27 +5,25 @@ include skypeforlinux.local # Persistent global definitions include globals.local +# Disabled until someone reported positive feedback +ignore whitelist ${DOWNLOADS} +ignore include whitelist-common.inc +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc +ignore include whitelist-var-common.inc +ignore nou2f +ignore novideo +ignore private-dev +ignore dbus-user none +ignore dbus-system none + # breaks Skype +ignore apparmor ignore noexec /tmp noblacklist ${HOME}/.config/skypeforlinux -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc -include disable-xdg.inc - -caps.keep sys_admin,sys_chroot -netfilter -nodvd -nogroups -notv -shell none - -disable-mnt -private-cache # private-dev - needs /dev/disk -private-tmp + +# Redirect +include electron.profile diff --git a/etc/profile-m-z/slack.profile b/etc/profile-m-z/slack.profile index b2828fcb158..a511ebb1cb8 100644 --- a/etc/profile-m-z/slack.profile +++ b/etc/profile-m-z/slack.profile 
@@ -5,30 +5,28 @@ include slack.local # Persistent global definitions include globals.local +# Disabled until someone reported positive feedback +ignore include disable-exec.inc +ignore include disable-xdg.inc +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc +ignore apparmor +ignore novideo +ignore private-tmp +ignore dbus-user none +ignore dbus-system none + noblacklist ${HOME}/.config/Slack -include disable-common.inc -include disable-devel.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc +include allow-bin-sh.inc + +include disable-shell.inc mkdir ${HOME}/.config/Slack whitelist ${HOME}/.config/Slack -whitelist ${DOWNLOADS} -include whitelist-common.inc -include whitelist-var-common.inc -caps.keep sys_admin,sys_chroot -netfilter -nodvd -nogroups -notv -nou2f -shell none +private-bin electron,electron[0-9],electron[0-9][0-9],locale,sh,slack +private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,ld.so.preload,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe -disable-mnt -private-bin locale,slack -private-cache -private-dev -private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe +# Redirect +include electron.profile diff --git a/etc/profile-m-z/slashem.profile b/etc/profile-m-z/slashem.profile index ca0516e65eb..bebf77ccc6f 100644 --- a/etc/profile-m-z/slashem.profile +++ b/etc/profile-m-z/slashem.profile @@ -12,7 +12,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc whitelist /var/games/slashem 
@@ -25,6 +24,7 @@ net none no3d nodvd nogroups +noinput #nonewprivs #noroot nosound diff --git a/etc/profile-m-z/smplayer.profile b/etc/profile-m-z/smplayer.profile index ac01c675b41..7c1e18ac3d8 100644 --- a/etc/profile-m-z/smplayer.profile +++ b/etc/profile-m-z/smplayer.profile @@ -10,6 +10,9 @@ noblacklist ${HOME}/.config/smplayer noblacklist ${HOME}/.config/youtube-dl noblacklist ${HOME}/.mplayer +# Allow lua (blacklisted by disable-interpreters.inc) +include allow-lua.inc + # Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc include allow-python3.inc @@ -21,11 +24,13 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc +whitelist /usr/share/lua* whitelist /usr/share/smplayer +whitelist /usr/share/vulkan include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -33,6 +38,7 @@ apparmor caps.drop all netfilter # nogroups +noinput nonewprivs noroot nou2f @@ -40,7 +46,7 @@ protocol unix,inet,inet6,netlink seccomp shell none -private-bin env,mplayer,mpv,python*,smplayer,smtube,youtube-dl +private-bin env,mplayer,mpv,python*,smplayer,smtube,waf,youtube-dl private-dev private-tmp diff --git a/etc/profile-m-z/smtube.profile b/etc/profile-m-z/smtube.profile index 79bc02979ca..65e6d38e45e 100644 --- a/etc/profile-m-z/smtube.profile +++ b/etc/profile-m-z/smtube.profile @@ -19,7 +19,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -36,6 +35,7 @@ notv nou2f novideo nogroups +noinput nonewprivs noroot protocol unix,inet,inet6,netlink diff --git a/etc/profile-m-z/smuxi-frontend-gnome.profile b/etc/profile-m-z/smuxi-frontend-gnome.profile new file mode 100644 index 00000000000..0cdb5537e8b --- /dev/null 
+++ b/etc/profile-m-z/smuxi-frontend-gnome.profile @@ -0,0 +1,55 @@ +# Firejail profile for smuxi-frontend-gnome +# Description: Multi protocol chat client with Twitter support +# This file is overwritten after every install/update +# Persistent local customizations +include smuxi-frontend-gnome.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/smuxi +noblacklist ${HOME}/.config/smuxi +noblacklist ${HOME}/.local/share/smuxi + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-xdg.inc + +mkdir ${HOME}/.cache/smuxi +mkdir ${HOME}/.config/smuxi +mkdir ${HOME}/.local/share/smuxi +whitelist ${HOME}/.cache/smuxi +whitelist ${HOME}/.config/smuxi +whitelist ${HOME}/.local/share/smuxi +whitelist ${DOWNLOADS} +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +netfilter +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +protocol unix,inet,inet6,netlink +seccomp +shell none +tracelog + +disable-mnt +private-bin bash,mono,mono-sgen,sh,smuxi-frontend-gnome +private-cache +private-dev +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,machine-id,mono,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg +private-tmp + +dbus-user none +dbus-system none diff --git a/etc/profile-m-z/snox.profile b/etc/profile-m-z/snox.profile index 3b3fd1ae19f..83493652ca8 100644 --- a/etc/profile-m-z/snox.profile +++ b/etc/profile-m-z/snox.profile 
@@ -5,6 +5,11 @@ include snox.local # Persistent global definitions include globals.local +# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus +ignore whitelist /usr/share/chromium +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc + noblacklist ${HOME}/.cache/snox noblacklist ${HOME}/.config/snox diff --git a/etc/profile-m-z/soffice.profile b/etc/profile-m-z/soffice.profile index 8348a57fe9a..f7f86c33c94 100644 --- a/etc/profile-m-z/soffice.profile +++ b/etc/profile-m-z/soffice.profile @@ -1,5 +1,10 @@ # Firejail profile alias for libreoffice # This file is overwritten after every install/update +# Persistent local customizations +include soffice.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include libreoffice.profile diff --git a/etc/inc/softmaker-common.inc b/etc/profile-m-z/softmaker-common.profile similarity index 81% rename from etc/inc/softmaker-common.inc rename to etc/profile-m-z/softmaker-common.profile index a8ec5848c88..47468a53110 100644 --- a/etc/inc/softmaker-common.inc +++ b/etc/profile-m-z/softmaker-common.profile @@ -6,9 +6,9 @@ include softmaker-common.local # added by caller profile #include globals.local -# The offical packages install the desktop file under /usr/local/share/applications -# with an absolute Exec line. These files are NOT handelt by firecfg, -# therefore you must manualy copy them in you home and remove '/usr/bin/'. +# The official packages install the desktop file under /usr/local/share/applications +# with an absolute Exec line. These files are NOT handled by firecfg, +# therefore you must manually copy them in you home and remove '/usr/bin/'. noblacklist ${HOME}/SoftMaker 
@@ -16,7 +16,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc whitelist /usr/share/office2018 @@ -30,6 +29,7 @@ ipc-namespace netfilter nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/sol.profile b/etc/profile-m-z/sol.profile index 8519de6df48..0af88e048b7 100644 --- a/etc/profile-m-z/sol.profile +++ b/etc/profile-m-z/sol.profile @@ -9,8 +9,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc # all necessary files in $HOME are in whitelist-common.inc @@ -24,6 +24,7 @@ net none # no3d nodvd nogroups +noinput nonewprivs noroot # nosound diff --git a/etc/profile-m-z/sound-juicer.profile b/etc/profile-m-z/sound-juicer.profile index b9f3768be70..4c37ece8a4b 100644 --- a/etc/profile-m-z/sound-juicer.profile +++ b/etc/profile-m-z/sound-juicer.profile @@ -13,7 +13,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -24,6 +23,7 @@ caps.drop all netfilter no3d nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/soundconverter.profile b/etc/profile-m-z/soundconverter.profile index bdd6eb7f5dc..e5ff2632762 100644 --- a/etc/profile-m-z/soundconverter.profile +++ b/etc/profile-m-z/soundconverter.profile @@ -16,7 +16,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -34,6 +33,7 @@ machine-id no3d nodvd nogroups +noinput nonewprivs noroot nosound 
diff --git a/etc/profile-m-z/spectacle.profile b/etc/profile-m-z/spectacle.profile new file mode 100644 index 00000000000..fc4ae2b04de --- /dev/null +++ b/etc/profile-m-z/spectacle.profile @@ -0,0 +1,68 @@ +# Firejail profile for spectacle +# Description: Spectacle is a simple application for capturing desktop screenshots. +# This file is overwritten after every install/update +# Persistent local customizations +include spectacle.local +# Persistent global definitions +include globals.local + +# Add the next lines to your spectacle.local to use sharing services. +#netfilter +#ignore net none +#private-etc ca-certificates,crypto-policies,pki,resolv.conf,ssl +#protocol unix,inet,inet6 + +noblacklist ${HOME}/.config/spectaclerc +noblacklist ${PICTURES} + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-xdg.inc + +mkfile ${HOME}/.config/spectaclerc +whitelist ${HOME}/.config/spectaclerc +whitelist ${PICTURES} +whitelist /usr/share/kconf_update/spectacle_newConfig.upd +whitelist /usr/share/kconf_update/spectacle_shortcuts.upd +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +net none +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin spectacle +private-cache +private-dev +private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload +private-tmp + +dbus-user filter +dbus-user.own org.kde.spectacle +dbus-user.own org.kde.Spectacle +dbus-user.talk org.freedesktop.FileManager1 +#dbus-user.talk org.kde.JobViewServer +#dbus-user.talk org.kde.kglobalaccel +dbus-system none 
diff --git a/etc/profile-m-z/spectral.profile b/etc/profile-m-z/spectral.profile new file mode 100644 index 00000000000..5f17b73dcfe --- /dev/null +++ b/etc/profile-m-z/spectral.profile @@ -0,0 +1,58 @@ +# Firejail profile for spectral +# Description: Desktop client for Matrix +# This file is overwritten after every install/update +# Persistent local customizations +include spectral.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/ENCOM/Spectral +noblacklist ${HOME}/.config/ENCOM + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.cache/ENCOM/Spectral +mkdir ${HOME}/.config/ENCOM +whitelist ${HOME}/.cache/ENCOM/Spectral +whitelist ${HOME}/.config/ENCOM +whitelist ${DOWNLOADS} +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +netfilter +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +protocol unix,inet,inet6,netlink +seccomp +shell none +tracelog + +disable-mnt +private-cache +private-bin spectral +private-dev +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg +private-tmp + +dbus-user none +# Add the next lines to your spectral.local to enable notification support. +#ignore dbus-user none +#dbus-user filter +#dbus-user.talk org.freedesktop.Notifications +#dbus-user.talk org.kde.StatusNotifierWatcher +dbus-system none diff --git a/etc/profile-m-z/spectre-meltdown-checker.profile b/etc/profile-m-z/spectre-meltdown-checker.profile index a0b99abcf9f..19d7f8ae37f 100644 
--- a/etc/profile-m-z/spectre-meltdown-checker.profile +++ b/etc/profile-m-z/spectre-meltdown-checker.profile @@ -18,11 +18,9 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc -whitelist /usr/share/perl5 include whitelist-usr-share-common.inc include whitelist-var-common.inc diff --git a/etc/profile-m-z/spotify.profile b/etc/profile-m-z/spotify.profile index 1a34cb86df0..0ce91816185 100644 --- a/etc/profile-m-z/spotify.profile +++ b/etc/profile-m-z/spotify.profile @@ -15,7 +15,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.cache/spotify @@ -31,6 +30,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv @@ -43,8 +43,8 @@ tracelog disable-mnt private-bin bash,cat,dirname,find,grep,head,rm,sh,spotify,tclsh,touch,zenity private-dev -# Comment the next line or put 'ignore private-etc' in your spotify.local if want to see the albums covers or if you want to use the radio -private-etc alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl +# If you want to see album covers or want to use the radio, add 'ignore private-etc' to your spotify.local. +private-etc alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl private-opt spotify private-srv none private-tmp diff --git a/etc/profile-m-z/sqlitebrowser.profile b/etc/profile-m-z/sqlitebrowser.profile index 01712081148..21a77a0d119 100644 --- a/etc/profile-m-z/sqlitebrowser.profile +++ b/etc/profile-m-z/sqlitebrowser.profile 
@@ -13,10 +13,11 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc +include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -26,6 +27,7 @@ ipc-namespace netfilter nodvd nogroups +noinput nonewprivs noroot nosound @@ -34,12 +36,13 @@ nou2f novideo protocol unix,inet,inet6,netlink seccomp +seccomp.block-secondary shell none private-bin sqlitebrowser private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,ssl +private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.preload,machine-id,passwd,pki,ssl private-tmp # breaks proxy creation diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile index 01b63d3cefa..11723664f4c 100644 --- a/etc/profile-m-z/ssh-agent.profile +++ b/etc/profile-m-z/ssh-agent.profile @@ -6,15 +6,13 @@ include ssh-agent.local # Persistent global definitions include globals.local -noblacklist /etc/ssh -noblacklist /tmp/ssh-* -noblacklist ${HOME}/.ssh +# Allow ssh (blacklisted by disable-common.inc) +include allow-ssh.inc blacklist /tmp/.X11-unix blacklist ${RUNUSER}/wayland-* include disable-common.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-usr-share-common.inc diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile index 5d3458c29fe..9295013e74f 100644 --- a/etc/profile-m-z/ssh.profile +++ b/etc/profile-m-z/ssh.profile 
@@ -7,34 +7,35 @@ include ssh.local # Persistent global definitions include globals.local -noblacklist /etc/ssh -noblacklist /tmp/ssh-* -noblacklist ${HOME}/.ssh # nc can be used as ProxyCommand, e.g. when using tor noblacklist ${PATH}/nc noblacklist ${PATH}/ncat +# Allow ssh (blacklisted by disable-common.inc) +include allow-ssh.inc + include disable-common.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-programs.inc -whitelist ${RUNUSER}/keyring/ssh whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh +whitelist ${RUNUSER}/keyring/ssh include whitelist-usr-share-common.inc include whitelist-runuser-common.inc +apparmor caps.drop all ipc-namespace netfilter no3d nodvd nogroups +noinput nonewprivs # noroot - see issue #1543 nosound notv -nou2f +# nou2f - OpenSSH >= 8.2 supports U2F novideo protocol unix,inet,inet6 seccomp diff --git a/etc/profile-m-z/standardnotes-desktop.profile b/etc/profile-m-z/standardnotes-desktop.profile index 1292b806be7..7a59274bf22 100644 --- a/etc/profile-m-z/standardnotes-desktop.profile +++ b/etc/profile-m-z/standardnotes-desktop.profile @@ -12,7 +12,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/Standard Notes Backups @@ -27,6 +26,7 @@ machine-id netfilter nodvd nogroups +noinput nonewprivs noroot nosound @@ -38,7 +38,7 @@ seccomp !chroot disable-mnt private-dev private-tmp -private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,pki,resolv.conf,ssl,xdg +private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl,xdg dbus-user none dbus-system none diff --git a/etc/profile-m-z/start-tor-browser.profile b/etc/profile-m-z/start-tor-browser.profile index b62b1910107..17ceedee7a1 100644 --- a/etc/profile-m-z/start-tor-browser.profile 
+++ b/etc/profile-m-z/start-tor-browser.profile @@ -3,40 +3,8 @@ # Persistent local customizations include start-tor-browser.local # Persistent global definitions -include globals.local +# added by included profile +#include globals.local -ignore noexec ${HOME} - -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc -include disable-xdg.inc - -include whitelist-var-common.inc - -caps.drop all -netfilter -nodvd -nogroups -nonewprivs -noroot -notv -nou2f -novideo -protocol unix,inet,inet6 -seccomp !chroot -shell none -# tracelog may cause issues, see github issue #1930 -#tracelog - -disable-mnt -private-bin bash,cat,cp,cut,dirname,env,getconf,gpg,grep,gxmessage,id,kdialog,ln,mkdir,pwd,readlink,realpath,rm,sed,sh,tail,test,update-desktop-database,xmessage,zenity -private-dev -private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl -private-tmp - -dbus-user none -dbus-system none +# Redirect +include start-tor-browser.desktop.profile diff --git a/etc/profile-m-z/steam-native.profile b/etc/profile-m-z/steam-native.profile index 47608ad2889..6b4281c5cec 100644 --- a/etc/profile-m-z/steam-native.profile +++ b/etc/profile-m-z/steam-native.profile @@ -1,5 +1,10 @@ # Firejail profile alias for steam # This file is overwritten after every install/update +# Persistent local customizations +include steam-native.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include steam.profile diff --git a/etc/profile-m-z/steam-runtime.profile b/etc/profile-m-z/steam-runtime.profile index 47608ad2889..a7e128d40f9 100644 --- a/etc/profile-m-z/steam-runtime.profile +++ b/etc/profile-m-z/steam-runtime.profile 
@@ -1,5 +1,10 @@ # Firejail profile alias for steam # This file is overwritten after every install/update +# Persistent local customizations +include steam-runtime.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include steam.profile diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile index a5e9a993228..dfefd7c2c17 100644 --- a/etc/profile-m-z/steam.profile +++ b/etc/profile-m-z/steam.profile @@ -6,16 +6,34 @@ include steam.local # Persistent global definitions include globals.local +noblacklist ${HOME}/.config/Epic +noblacklist ${HOME}/.config/Loop_Hero +noblacklist ${HOME}/.config/ModTheSpire +noblacklist ${HOME}/.config/RogueLegacy +noblacklist ${HOME}/.config/RogueLegacyStorageContainer noblacklist ${HOME}/.killingfloor +noblacklist ${HOME}/.klei noblacklist ${HOME}/.local/share/3909/PapersPlease noblacklist ${HOME}/.local/share/aspyr-media +noblacklist ${HOME}/.local/share/bohemiainteractive noblacklist ${HOME}/.local/share/cdprojektred +noblacklist ${HOME}/.local/share/Dredmor +noblacklist ${HOME}/.local/share/FasterThanLight noblacklist ${HOME}/.local/share/feral-interactive +noblacklist ${HOME}/.local/share/IntoTheBreach +noblacklist ${HOME}/.local/share/Paradox Interactive +noblacklist ${HOME}/.local/share/PillarsOfEternity +noblacklist ${HOME}/.local/share/RogueLegacy +noblacklist ${HOME}/.local/share/RogueLegacyStorageContainer noblacklist ${HOME}/.local/share/Steam +noblacklist ${HOME}/.local/share/SteamWorldDig +noblacklist ${HOME}/.local/share/SteamWorld Dig 2 noblacklist ${HOME}/.local/share/SuperHexagon noblacklist ${HOME}/.local/share/Terraria noblacklist ${HOME}/.local/share/vpltd noblacklist ${HOME}/.local/share/vulkan +noblacklist ${HOME}/.mbwarband +noblacklist ${HOME}/.paradoxinteractive noblacklist ${HOME}/.steam noblacklist ${HOME}/.steampath noblacklist ${HOME}/.steampid 
@@ -33,17 +51,29 @@ include allow-python3.inc include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +mkdir ${HOME}/.config/Epic +mkdir ${HOME}/.config/Loop_Hero +mkdir ${HOME}/.config/ModTheSpire +mkdir ${HOME}/.config/RogueLegacy mkdir ${HOME}/.config/unity3d mkdir ${HOME}/.killingfloor +mkdir ${HOME}/.klei mkdir ${HOME}/.local/share/3909/PapersPlease mkdir ${HOME}/.local/share/aspyr-media +mkdir ${HOME}/.local/share/bohemiainteractive mkdir ${HOME}/.local/share/cdprojektred +mkdir ${HOME}/.local/share/Dredmor +mkdir ${HOME}/.local/share/FasterThanLight mkdir ${HOME}/.local/share/feral-interactive +mkdir ${HOME}/.local/share/IntoTheBreach mkdir ${HOME}/.local/share/Paradox Interactive +mkdir ${HOME}/.local/share/PillarsOfEternity +mkdir ${HOME}/.local/share/RogueLegacy mkdir ${HOME}/.local/share/Steam +mkdir ${HOME}/.local/share/SteamWorldDig +mkdir ${HOME}/.local/share/SteamWorld Dig 2 mkdir ${HOME}/.local/share/SuperHexagon mkdir ${HOME}/.local/share/Terraria mkdir ${HOME}/.local/share/vpltd 
@@ -53,14 +83,29 @@ mkdir ${HOME}/.paradoxinteractive mkdir ${HOME}/.steam mkfile ${HOME}/.steampath mkfile ${HOME}/.steampid +whitelist ${HOME}/.config/Epic +whitelist ${HOME}/.config/Loop_Hero +whitelist ${HOME}/.config/ModTheSpire +whitelist ${HOME}/.config/RogueLegacy +whitelist ${HOME}/.config/RogueLegacyStorageContainer whitelist ${HOME}/.config/unity3d whitelist ${HOME}/.killingfloor +whitelist ${HOME}/.klei whitelist ${HOME}/.local/share/3909/PapersPlease whitelist ${HOME}/.local/share/aspyr-media +whitelist ${HOME}/.local/share/bohemiainteractive whitelist ${HOME}/.local/share/cdprojektred +whitelist ${HOME}/.local/share/Dredmor +whitelist ${HOME}/.local/share/FasterThanLight whitelist ${HOME}/.local/share/feral-interactive +whitelist ${HOME}/.local/share/IntoTheBreach whitelist ${HOME}/.local/share/Paradox Interactive +whitelist ${HOME}/.local/share/PillarsOfEternity +whitelist ${HOME}/.local/share/RogueLegacy +whitelist ${HOME}/.local/share/RogueLegacyStorageContainer whitelist ${HOME}/.local/share/Steam +whitelist ${HOME}/.local/share/SteamWorldDig +whitelist ${HOME}/.local/share/SteamWorld Dig 2 whitelist ${HOME}/.local/share/SuperHexagon whitelist ${HOME}/.local/share/Terraria whitelist ${HOME}/.local/share/vpltd 
@@ -70,43 +115,51 @@ whitelist ${HOME}/.paradoxinteractive whitelist ${HOME}/.steam whitelist ${HOME}/.steampath whitelist ${HOME}/.steampid -whitelist ${HOME}/.steampid include whitelist-common.inc include whitelist-var-common.inc +# NOTE: The following were intentionally left out as they are alternative +# (i.e.: unnecessary and/or legacy) paths whose existence may potentially +# clobber other paths (see #4225). If you use any, either add the entry to +# steam.local or move the contents to a path listed above (or open an issue if +# it's missing above). +#mkdir ${HOME}/.config/RogueLegacyStorageContainer +#mkdir ${HOME}/.local/share/RogueLegacyStorageContainer + caps.drop all #ipc-namespace netfilter nodvd -# nVidia user may need to comment / ignore nogroups and noroot nogroups nonewprivs +# If you use nVidia you might need to add 'ignore noroot' to your steam.local. noroot notv nou2f -# novideo should be commented for VR +# For VR support add 'ignore novideo' to your steam.local. novideo protocol unix,inet,inet6,netlink -# seccomp cause sometimes issues (see #2951, #3267), -# comment it or add 'ignore seccomp' to steam.local if so. -seccomp !kcmp,!ptrace +# seccomp sometimes causes issues (see #2951, #3267). +# Add 'ignore seccomp' to your steam.local if you experience this. +seccomp !ptrace shell none -# tracelog disabled as it breaks integrated browser +# tracelog breaks integrated browser #tracelog -# private-bin is disabled while in testing, but has been tested working with multiple games +# private-bin is disabled while in testing, but is known to work with multiple games. +# Add the next line to your steam.local to enable private-bin. 
#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lsof,lspci,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity -# extra programs are available which might be needed for select games +# Extra programs are available which might be needed for select games. +# Add the next line to your steam.local to enable support for these programs. #private-bin java,java-config,mono -# picture viewers are needed for viewing screenshots +# To view screenshots add the next line to your steam.local. #private-bin eog,eom,gthumb,pix,viewnior,xviewer -# private-dev should be commented for controllers private-dev -# private-etc breaks a small selection of games on some systems, comment to support those -private-etc alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl +# private-etc breaks a small selection of games on some systems. Add 'ignore private-etc' +# to your steam.local to support those. +private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl private-tmp -# breaks appindicator support # dbus-user none # dbus-system none 
diff --git a/etc/profile-m-z/stellarium.profile b/etc/profile-m-z/stellarium.profile index d6df2e0ad7f..d2ebce45f63 100644 --- a/etc/profile-m-z/stellarium.profile +++ b/etc/profile-m-z/stellarium.profile @@ -13,8 +13,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc mkdir ${HOME}/.config/stellarium mkdir ${HOME}/.stellarium @@ -28,6 +28,7 @@ machine-id netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/straw-viewer.profile b/etc/profile-m-z/straw-viewer.profile new file mode 100644 index 00000000000..513abc21bbe --- /dev/null +++ b/etc/profile-m-z/straw-viewer.profile @@ -0,0 +1,21 @@ +# Firejail profile for straw-viewer +# Description: Fork of youtube-viewer acts like an invidious frontend +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include straw-viewer.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/straw-viewer +noblacklist ${HOME}/.config/straw-viewer + +mkdir ${HOME}/.config/straw-viewer +mkdir ${HOME}/.cache/straw-viewer +whitelist ${HOME}/.cache/straw-viewer +whitelist ${HOME}/.config/straw-viewer + +private-bin gtk-straw-viewer,straw-viewer + +# Redirect +include youtube-viewers-common.profile diff --git a/etc/profile-m-z/strawberry.profile b/etc/profile-m-z/strawberry.profile new file mode 100644 index 00000000000..50ecc3432c3 --- /dev/null +++ b/etc/profile-m-z/strawberry.profile 
@@ -0,0 +1,49 @@ +# Firejail profile for strawberry +# Description: A music player and music collection organizer +# This file is overwritten after every install/update +# Persistent local customizations +include strawberry.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/strawberry +noblacklist ${HOME}/.config/strawberry +noblacklist ${HOME}/.local/share/strawberry +noblacklist ${MUSIC} + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-xdg.inc + +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +netfilter +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,inet,inet6,netlink +# blacklisting of ioprio_set system calls breaks strawberry +seccomp !ioprio_set +shell none +tracelog + +disable-mnt +private-bin strawberry,strawberry-tagreader +private-cache +private-dev +private-etc ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl +private-tmp + +dbus-system none diff --git a/etc/profile-m-z/strings.profile b/etc/profile-m-z/strings.profile index 31ed5dd3f61..9298e661449 100644 --- a/etc/profile-m-z/strings.profile +++ b/etc/profile-m-z/strings.profile @@ -7,15 +7,14 @@ include strings.local # Persistent global definitions include globals.local -blacklist ${RUNUSER}/wayland-* blacklist ${RUNUSER} #include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc #include disable-programs.inc +include disable-shell.inc #include disable-xdg.inc #include whitelist-usr-share-common.inc @@ -29,6 +28,7 @@ net none no3d nodvd nogroups +noinput nonewprivs #noroot nosound 
@@ -37,6 +37,7 @@ nou2f novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog x11 none diff --git a/etc/profile-m-z/studio.sh.profile b/etc/profile-m-z/studio.sh.profile index 79e879f3605..8df11eef21e 100644 --- a/etc/profile-m-z/studio.sh.profile +++ b/etc/profile-m-z/studio.sh.profile @@ -1,5 +1,10 @@ # Firejail profile alias for Android Studio # This file is overwritten after every install/update +# Persistent local customizations +include studio.sh.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include android-studio.profile diff --git a/etc/profile-m-z/subdownloader.profile b/etc/profile-m-z/subdownloader.profile index 428af3737f6..65cb678d0fb 100644 --- a/etc/profile-m-z/subdownloader.profile +++ b/etc/profile-m-z/subdownloader.profile @@ -17,7 +17,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -32,6 +31,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -44,7 +44,7 @@ tracelog private-cache private-dev -private-etc alternatives,fonts +private-etc alternatives,fonts,ld.so.preload private-tmp dbus-user none diff --git a/etc/profile-m-z/sum.profile b/etc/profile-m-z/sum.profile new file mode 100644 index 00000000000..cd73af9195f --- /dev/null +++ b/etc/profile-m-z/sum.profile @@ -0,0 +1,13 @@ +# Firejail profile for sum +# Description: checksum and count the blocks in a file +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include sum.local +# Persistent global definitions +include globals.local + +private-bin sum + +# Redirect +include hasher-common.profile diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile index ceaae8fbf1b..323849e35f0 100644 --- a/etc/profile-m-z/supertux2.profile +++ b/etc/profile-m-z/supertux2.profile 
@@ -12,13 +12,14 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.local/share/supertux2 whitelist ${HOME}/.local/share/supertux2 whitelist /usr/share/supertux2 +whitelist /usr/share/games/supertux2 # Debian version include whitelist-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc @@ -29,6 +30,7 @@ caps.drop all net none nodvd nogroups +noinput nonewprivs noroot notv @@ -36,11 +38,14 @@ nou2f novideo protocol unix,netlink seccomp +seccomp.block-secondary shell none tracelog disable-mnt # private-bin supertux2 +private-cache +private-etc ld.so.preload,machine-id private-dev private-tmp diff --git a/etc/profile-m-z/supertuxkart-wrapper.profile b/etc/profile-m-z/supertuxkart-wrapper.profile new file mode 100644 index 00000000000..af8d73debfd --- /dev/null +++ b/etc/profile-m-z/supertuxkart-wrapper.profile @@ -0,0 +1,14 @@ +# Firejail profile for supertuxkart-wrapper +# This file is overwritten after every install/update +# Persistent local customizations +include supertuxkart-wrapper.local +# Persistent global definitions +# added by included profile +#include globals.local + +include allow-opengl-game.inc + +private-bin supertuxkart-wrapper + +# Redirect +include supertuxkart.profile diff --git a/etc/profile-m-z/supertuxkart.profile b/etc/profile-m-z/supertuxkart.profile index 73877b1b531..5b5b4aae537 100644 --- a/etc/profile-m-z/supertuxkart.profile +++ b/etc/profile-m-z/supertuxkart.profile 
@@ -10,13 +10,15 @@ noblacklist ${HOME}/.config/supertuxkart noblacklist ${HOME}/.cache/supertuxkart noblacklist ${HOME}/.local/share/supertuxkart +blacklist /usr/libexec + include disable-common.inc include disable-devel.inc include disable-exec.inc -include disable-passwdmgr.inc +include disable-interpreters.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc -include disable-interpreters.inc mkdir ${HOME}/.config/supertuxkart mkdir ${HOME}/.cache/supertuxkart @@ -25,7 +27,9 @@ whitelist ${HOME}/.config/supertuxkart whitelist ${HOME}/.cache/supertuxkart whitelist ${HOME}/.local/share/supertuxkart whitelist /usr/share/supertuxkart +whitelist /usr/share/games/supertuxkart # Debian version include whitelist-common.inc +include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -39,16 +43,18 @@ noroot notv nou2f novideo -protocol unix,inet,inet6 +protocol unix,inet,inet6,bluetooth seccomp +seccomp.block-secondary shell none tracelog disable-mnt private-bin supertuxkart private-cache -private-dev -private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,machine-id,openal,pki,resolv.conf,ssl +# Add the next line to your supertuxkart.local if you do not need controller support. +#private-dev +private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,ld.so.preload,machine-id,openal,pki,resolv.conf,ssl private-tmp private-opt none private-srv none diff --git a/etc/profile-m-z/surf.profile b/etc/profile-m-z/surf.profile index d4c6d9afcba..cfecb6f6208 100644 --- a/etc/profile-m-z/surf.profile +++ b/etc/profile-m-z/surf.profile @@ -11,7 +11,6 @@ noblacklist ${HOME}/.surf include disable-common.inc include disable-devel.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.surf @@ -22,6 +21,7 @@ include whitelist-common.inc caps.drop all netfilter nodvd +noinput nonewprivs noroot notv 
@@ -34,6 +34,6 @@ tracelog disable-mnt private-bin bash,curl,dmenu,ls,printf,sed,sh,sleep,st,stterm,surf,xargs,xprop private-dev -private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,passwd,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,ld.so.preload,machine-id,passwd,pki,resolv.conf,ssl private-tmp diff --git a/etc/profile-m-z/sushi.profile b/etc/profile-m-z/sushi.profile new file mode 100644 index 00000000000..6216220439d --- /dev/null +++ b/etc/profile-m-z/sushi.profile @@ -0,0 +1,48 @@ +# Firejail profile for sushi +# Description: A quick previewer for Nautilus +# This file is overwritten after every install/update +# Persistent local customizations +include sushi.local +# Persistent global definitions +include globals.local + +# Allow gjs (blacklisted by disable-interpreters.inc) +include allow-gjs.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +# include disable-programs.inc +include disable-shell.inc + +include whitelist-runuser-common.inc + +apparmor +caps.drop all +net none +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix +seccomp +shell none +tracelog + +private-bin gjs,sushi +private-dev +private-tmp + +dbus-system none + +read-only / +read-only /mnt +read-only /media +read-only /run/mount +read-only /run/media +read-only ${HOME} diff --git a/etc/profile-m-z/sway.profile b/etc/profile-m-z/sway.profile new file mode 100644 index 00000000000..046d1b4becd --- /dev/null +++ b/etc/profile-m-z/sway.profile 
@@ -0,0 +1,19 @@ +# Firejail profile for Sway +# Description: i3-compatible Wayland compositor +# This file is overwritten after every install/update +# Persistent local customizations +include sway.local +# Persistent global definitions +include globals.local + +# all applications started in sway will run in this profile +noblacklist ${HOME}/.config/sway +# sway uses ~/.config/i3 as fallback if there is no ~/.config/sway +noblacklist ${HOME}/.config/i3 +include disable-common.inc + +caps.drop all +netfilter +noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/profile-m-z/sylpheed.profile b/etc/profile-m-z/sylpheed.profile index 4344fe73a0c..328812b04be 100644 --- a/etc/profile-m-z/sylpheed.profile +++ b/etc/profile-m-z/sylpheed.profile @@ -13,5 +13,14 @@ whitelist ${HOME}/.sylpheed-2.0 whitelist /usr/share/sylpheed +# private-bin curl,gpg,gpg2,gpg-agent,gpgsm,pinentry,pinentry-gtk-2,sylpheed + +dbus-user filter +dbus-user.talk ca.desrt.dconf +dbus-user.talk org.freedesktop.secrets +dbus-user.talk org.gnome.keyring.SystemPrompter +# Add the next line to your sylpheed.local to enable notifications. +# dbus-user.talk org.freedesktop.Notifications + # Redirect include email-common.profile diff --git a/etc/profile-m-z/synfigstudio.profile b/etc/profile-m-z/synfigstudio.profile index a83080cc374..7f23992a859 100644 --- a/etc/profile-m-z/synfigstudio.profile +++ b/etc/profile-m-z/synfigstudio.profile @@ -13,13 +13,13 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all net none nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/sysprof.profile b/etc/profile-m-z/sysprof.profile index ad334628500..c7119ae0f5d 100644 --- a/etc/profile-m-z/sysprof.profile +++ b/etc/profile-m-z/sysprof.profile 
@@ -6,14 +6,34 @@ include sysprof.local # Persistent global definitions include globals.local +noblacklist ${DOCUMENTS} include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc +# Add the next lines to your sysprof.local if you don't need (yelp) help menu functionality. +#ignore noblacklist ${HOME}/.config/yelp +#ignore mkdir ${HOME}/.config/yelp +#nowhitelist ${HOME}/.config/yelp +#nowhitelist /usr/share/help/C/sysprof +#nowhitelist /usr/share/yelp +#nowhitelist /usr/share/yelp-tools +#nowhitelist /usr/share/yelp-xsl + +noblacklist ${HOME}/.config/yelp +mkdir ${HOME}/.config/yelp +whitelist ${HOME}/.config/yelp +whitelist /usr/share/help/C/sysprof +whitelist /usr/share/yelp +whitelist /usr/share/yelp-tools +whitelist /usr/share/yelp-xsl + +whitelist ${DOCUMENTS} +include whitelist-common.inc +include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc 
@@ -25,28 +45,33 @@ net none no3d nodvd nogroups +noinput nonewprivs -# Ubuntu 16.04 version needs root privileges - uncomment or put in sysprof.local if you don't use that -#noroot +# Some older Debian/Ubuntu sysprof versions need root privileges. +# Add 'ignore noroot' to your sysprof.local if you run one of these. +noroot nosound notv nou2f novideo protocol unix,netlink +seccomp shell none tracelog disable-mnt -#private-bin sysprof - breaks GUI help menu +#private-bin sysprof - breaks help menu private-cache private-dev -private-etc alternatives,fonts,ld.so.cache,machine-id,ssl -# private-lib breaks GUI help menu +private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id,ssl +# private-lib - breaks help menu #private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so private-tmp -# makes settings immutable -# dbus-user none -# dbus-system none +dbus-user filter +dbus-user.own org.gnome.Shell +dbus-user.own org.gnome.Yelp +dbus-user.own org.gnome.Sysprof3 +dbus-user.talk ca.desrt.dconf -# memory-deny-write-execute - Breaks GUI on Arch +# memory-deny-write-execute - breaks on Arch diff --git a/etc/profile-m-z/tar.profile b/etc/profile-m-z/tar.profile index 3a740530572..388805f313f 100644 --- a/etc/profile-m-z/tar.profile +++ b/etc/profile-m-z/tar.profile 
@@ -7,49 +7,17 @@ include tar.local # Persistent global definitions include globals.local -blacklist ${RUNUSER}/wayland-* +# Included in archiver-common.profile +ignore include disable-shell.inc -# Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only. +# Arch Linux (based distributions) need access to /var/lib/pacman. As we drop +# all capabilities this is automatically read-only. noblacklist /var/lib/pacman -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc - -apparmor -caps.drop all -hostname tar -ipc-namespace -machine-id -net none -no3d -nodvd -nogroups -nonewprivs -#noroot -nosound -notv -nou2f -novideo -protocol unix -seccomp -shell none -tracelog -x11 none - -# support compressed archives -private-bin awk,bash,bzip2,compress,firejail,grep,gtar,gzip,lbzip2,lzip,lzma,lzop,sh,tar,xz -private-cache -private-dev -private-etc alternatives,group,localtime,login.defs,passwd -private-lib libfakeroot +private-etc alternatives,group,ld.so.preload,localtime,login.defs,passwd +#private-lib libfakeroot,liblzma.so.*,libreadline.so.* # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic) writable-var -dbus-user none -dbus-system none - -memory-deny-write-execute +# Redirect +include archiver-common.profile diff --git a/etc/profile-m-z/tcpdump.profile b/etc/profile-m-z/tcpdump.profile index 881fbf49eb5..57301a54de2 100644 --- a/etc/profile-m-z/tcpdump.profile +++ b/etc/profile-m-z/tcpdump.profile @@ -8,12 +8,12 @@ include globals.local noblacklist /sbin noblacklist /usr/sbin +noblacklist ${PATH}/tcpdump include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc 
@@ -27,13 +27,14 @@ netfilter no3d nodvd #nogroups +noinput nonewprivs #noroot nosound notv nou2f novideo -protocol unix,inet,inet6,netlink,packet +protocol unix,inet,inet6,netlink,packet,bluetooth seccomp disable-mnt diff --git a/etc/profile-m-z/teams-for-linux.profile b/etc/profile-m-z/teams-for-linux.profile index a13c92bc3cb..310c440b107 100644 --- a/etc/profile-m-z/teams-for-linux.profile +++ b/etc/profile-m-z/teams-for-linux.profile @@ -4,33 +4,23 @@ # Persistent local customizations include teams-for-linux.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local + +# Disabled until someone reported positive feedback +ignore include disable-xdg.inc +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc ignore dbus-user none ignore dbus-system none noblacklist ${HOME}/.config/teams-for-linux -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc - mkdir ${HOME}/.config/teams-for-linux whitelist ${HOME}/.config/teams-for-linux -include whitelist-common.inc -include whitelist-var-common.inc - -nou2f -novideo -shell none -disable-mnt -private-bin bash,cut,echo,egrep,grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh -private-cache -private-dev -private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,resolv.conf,ssl -private-tmp +private-bin bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh +private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,resolv.conf,ssl # Redirect include electron.profile diff --git a/etc/profile-m-z/teams.profile b/etc/profile-m-z/teams.profile index 326b97e4b2d..c8d98cbaa2c 100644 --- a/etc/profile-m-z/teams.profile +++ b/etc/profile-m-z/teams.profile 
@@ -1,38 +1,30 @@ # Firejail profile for teams # Description: Official Microsoft Teams client for Linux using Electron. # This file is overwritten after every install/update -# Known issues: -# * if Teams crashes on startup try using "ignore apparmor" in your local config # Persistent local customizations include teams.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local +# Disabled until someone reported positive feedback +ignore include disable-xdg.inc +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc +ignore novideo +ignore private-tmp + +# see #3404 +ignore apparmor ignore dbus-user none ignore dbus-system none noblacklist ${HOME}/.config/teams noblacklist ${HOME}/.config/Microsoft -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc - mkdir ${HOME}/.config/teams mkdir ${HOME}/.config/Microsoft whitelist ${HOME}/.config/teams whitelist ${HOME}/.config/Microsoft -include whitelist-common.inc -include whitelist-var-common.inc - -nou2f -shell none -tracelog - -disable-mnt -private-cache -private-dev # Redirect include electron.profile diff --git a/etc/profile-m-z/teamspeak3.profile b/etc/profile-m-z/teamspeak3.profile index c1c666f5868..c149473f6a7 100644 --- a/etc/profile-m-z/teamspeak3.profile +++ b/etc/profile-m-z/teamspeak3.profile @@ -13,7 +13,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.ts3client @@ -27,6 +26,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/teeworlds.profile b/etc/profile-m-z/teeworlds.profile index 7765703de26..df54fb9ba35 100644 --- a/etc/profile-m-z/teeworlds.profile +++ b/etc/profile-m-z/teeworlds.profile 
@@ -12,8 +12,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.teeworlds @@ -26,6 +26,7 @@ ipc-namespace netfilter nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/telegram-desktop.profile b/etc/profile-m-z/telegram-desktop.profile index 0cfa7114be4..7463b761f9d 100644 --- a/etc/profile-m-z/telegram-desktop.profile +++ b/etc/profile-m-z/telegram-desktop.profile @@ -1,6 +1,11 @@ # Firejail profile alias for telegram # Description: Official Telegram Desktop client # This file is overwritten after every install/update +# Persistent local customizations +include telegram-desktop.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include telegram.profile diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile index e3af5600a1e..fd4b825243c 100644 --- a/etc/profile-m-z/telegram.profile +++ b/etc/profile-m-z/telegram.profile 
@@ -13,17 +13,44 @@ include disable-devel.inc include disable-exec.inc include disable-interpreters.inc include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc +mkdir ${HOME}/.TelegramDesktop +mkdir ${HOME}/.local/share/TelegramDesktop +whitelist ${HOME}/.TelegramDesktop +whitelist ${HOME}/.local/share/TelegramDesktop +whitelist ${DOWNLOADS} +whitelist /usr/share/TelegramDesktop +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor caps.drop all netfilter nodvd +noinput nonewprivs noroot notv -protocol unix,inet,inet6 +protocol unix,inet,inet6,netlink seccomp +seccomp.block-secondary +shell none disable-mnt +private-bin telegram,Telegram,telegram-desktop private-cache +private-dev +private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg private-tmp +dbus-user filter +dbus-user.own org.telegram.desktop.* +dbus-user.talk org.freedesktop.Notifications +dbus-user.talk org.kde.StatusNotifierWatcher +dbus-user.talk org.gnome.Mutter.IdleMonitor +dbus-user.talk org.freedesktop.ScreenSaver +dbus-system none diff --git a/etc/profile-m-z/terasology.profile b/etc/profile-m-z/terasology.profile index 36ce6d46955..0f6691b4927 100644 --- a/etc/profile-m-z/terasology.profile +++ b/etc/profile-m-z/terasology.profile @@ -16,7 +16,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.java @@ -30,6 +29,7 @@ ipc-namespace net none nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/textmaker18.profile b/etc/profile-m-z/textmaker18.profile index d289473943e..e5a4b645485 100644 --- a/etc/profile-m-z/textmaker18.profile +++ b/etc/profile-m-z/textmaker18.profile 
@@ -7,5 +7,5 @@ include textmaker18.local include globals.local # Redirect -include softmaker-common.inc +include softmaker-common.profile diff --git a/etc/profile-m-z/textmaker18free.profile b/etc/profile-m-z/textmaker18free.profile index 7b4fd5b0869..0e918bf0ac2 100644 --- a/etc/profile-m-z/textmaker18free.profile +++ b/etc/profile-m-z/textmaker18free.profile @@ -7,5 +7,5 @@ include textmaker18free.local include globals.local # Redirect -include softmaker-common.inc +include softmaker-common.profile diff --git a/etc/profile-m-z/thunar.profile b/etc/profile-m-z/thunar.profile index 19993016ac9..984c5579f98 100644 --- a/etc/profile-m-z/thunar.profile +++ b/etc/profile-m-z/thunar.profile @@ -1,6 +1,11 @@ # Firejail profile alias for Thunar # Description: Modern file manager for Xfce # This file is overwritten after every install/update +# Persistent local customizations +include thunar.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include Thunar.profile diff --git a/etc/profile-m-z/thunderbird-beta.profile b/etc/profile-m-z/thunderbird-beta.profile index 6450e40d60d..46a1e57c8a2 100644 --- a/etc/profile-m-z/thunderbird-beta.profile +++ b/etc/profile-m-z/thunderbird-beta.profile @@ -1,5 +1,10 @@ # Firejail profile alias for thunderbird-beta # This file is overwritten after every install/update +# Persistent local customizations +include thunderbird-beta.local +# Persistent global definitions +# added by included profile +#include globals.local private-opt thunderbird-beta diff --git a/etc/profile-m-z/thunderbird.profile b/etc/profile-m-z/thunderbird.profile index 44ed6e5e00c..b66b81fdf11 100644 --- a/etc/profile-m-z/thunderbird.profile +++ b/etc/profile-m-z/thunderbird.profile 
@@ -6,12 +6,15 @@ include thunderbird.local # Persistent global definitions include globals.local +ignore include whitelist-runuser-common.inc + # writable-run-user and dbus are needed by enigmail ignore dbus-user none ignore dbus-system none writable-run-user -# If you want to read local mail stored in /var/mail, add the following to thunderbird.local: +# If you want to read local mail stored in /var/mail edit /etc/apparmor.d/firejail-default accordingly +# and add the following to thunderbird.local: #noblacklist /var/mail #noblacklist /var/spool/mail #whitelist /var/mail @@ -28,7 +31,6 @@ noblacklist ${HOME}/.gnupg # noblacklist ${HOME}/.icedove noblacklist ${HOME}/.thunderbird -include disable-passwdmgr.inc include disable-xdg.inc # If you have setup Thunderbird to archive emails to a local folder, @@ -57,7 +59,5 @@ novideo # We need the real /tmp for data exchange when xdg-open handles email attachments on KDE ignore private-tmp -read-only ${HOME}/.config/mimeapps.list - # Redirect include firefox-common.profile diff --git a/etc/profile-m-z/tilp.profile b/etc/profile-m-z/tilp.profile index 4d38d5184cf..07212a452a4 100644 --- a/etc/profile-m-z/tilp.profile +++ b/etc/profile-m-z/tilp.profile @@ -11,8 +11,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc caps.drop all net none @@ -30,6 +30,6 @@ tracelog disable-mnt private-bin tilp private-cache -private-etc alternatives,fonts +private-etc alternatives,fonts,ld.so.preload private-tmp diff --git a/etc/profile-m-z/tin.profile b/etc/profile-m-z/tin.profile new file mode 100644 index 00000000000..a43e53aaeb9 --- /dev/null +++ b/etc/profile-m-z/tin.profile 
@@ -0,0 +1,68 @@ +# Firejail profile for tin +# Description: ncurses-based Usenet newsreader +# This file is overwritten after every install/update +# Persistent local customizations +include tin.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.newsrc +noblacklist ${HOME}/.tin + +blacklist /tmp/.X11-unix +blacklist ${RUNUSER} +blacklist /usr/libexec + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.tin +mkfile ${HOME}/.newsrc +# Note: files/directories directly in ${HOME} can't be whitelisted, as +# tin saves .newsrc by renaming a temporary file, which is not possible for +# bind-mounted files. +#whitelist ${HOME}/.newsrc +#whitelist ${HOME}/.tin +#include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +machine-id +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol inet,inet6 +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin rtin,tin +private-cache +private-dev +private-etc ld.so.preload,passwd,resolv.conf,terminfo,tin +private-lib terminfo +private-tmp + +dbus-user none +dbus-system none + +memory-deny-write-execute diff --git a/etc/profile-m-z/tmux.profile b/etc/profile-m-z/tmux.profile new file mode 100644 index 00000000000..1e783d2b9c4 --- /dev/null +++ b/etc/profile-m-z/tmux.profile 
@@ -0,0 +1,45 @@ +# Firejail profile for tmux +# Description: terminal multiplexer +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include tmux.local +# Persistent global definitions +include globals.local + +blacklist /tmp/.X11-unix +blacklist ${RUNUSER} + +noblacklist /tmp/tmux-* + +# include disable-common.inc +# include disable-devel.inc +# include disable-exec.inc +# include disable-programs.inc + +caps.drop all +ipc-namespace +machine-id +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6,netlink +seccomp +seccomp.block-secondary +shell none +tracelog + +# private-cache +private-dev +# private-tmp + +dbus-user none +dbus-system none diff --git a/etc/profile-m-z/tor-browser-ar.profile b/etc/profile-m-z/tor-browser-ar.profile index 612b2d01b4c..59f1bc3b139 100644 --- a/etc/profile-m-z/tor-browser-ar.profile +++ b/etc/profile-m-z/tor-browser-ar.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser-ar.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-ar diff --git a/etc/profile-m-z/tor-browser-ca.profile b/etc/profile-m-z/tor-browser-ca.profile index db70a710976..68577e35208 100644 --- a/etc/profile-m-z/tor-browser-ca.profile +++ b/etc/profile-m-z/tor-browser-ca.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser-ca.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-ca diff --git a/etc/profile-m-z/tor-browser-cs.profile b/etc/profile-m-z/tor-browser-cs.profile index 77b271b6811..33e51fcd080 100644 --- a/etc/profile-m-z/tor-browser-cs.profile 
+++ b/etc/profile-m-z/tor-browser-cs.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser-cs.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-cs diff --git a/etc/profile-m-z/tor-browser-da.profile b/etc/profile-m-z/tor-browser-da.profile index 3b9fff9a4f8..440bb7fc359 100644 --- a/etc/profile-m-z/tor-browser-da.profile +++ b/etc/profile-m-z/tor-browser-da.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser-da.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-da diff --git a/etc/profile-m-z/tor-browser-de.profile b/etc/profile-m-z/tor-browser-de.profile index 3b4f7f94fa1..b2b98cf8279 100644 --- a/etc/profile-m-z/tor-browser-de.profile +++ b/etc/profile-m-z/tor-browser-de.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser-de.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-de diff --git a/etc/profile-m-z/tor-browser-el.profile b/etc/profile-m-z/tor-browser-el.profile index b978b6042fa..626757dd5c1 100644 --- a/etc/profile-m-z/tor-browser-el.profile +++ b/etc/profile-m-z/tor-browser-el.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser-el.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-el 
diff --git a/etc/profile-m-z/tor-browser-en-us.profile b/etc/profile-m-z/tor-browser-en-us.profile index db56dda1bb3..15e6907485c 100644 --- a/etc/profile-m-z/tor-browser-en-us.profile +++ b/etc/profile-m-z/tor-browser-en-us.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser-en-us.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-en-us diff --git a/etc/profile-m-z/tor-browser-en.profile b/etc/profile-m-z/tor-browser-en.profile index ad4110c0e73..ef8c1eb8be5 100644 --- a/etc/profile-m-z/tor-browser-en.profile +++ b/etc/profile-m-z/tor-browser-en.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser-en.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-en diff --git a/etc/profile-m-z/tor-browser-es-es.profile b/etc/profile-m-z/tor-browser-es-es.profile index 1aa58665840..ad734662e74 100644 --- a/etc/profile-m-z/tor-browser-es-es.profile +++ b/etc/profile-m-z/tor-browser-es-es.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser-es-es.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-es-es diff --git a/etc/profile-m-z/tor-browser-es.profile b/etc/profile-m-z/tor-browser-es.profile index a386e338703..97d8d857713 100644 --- a/etc/profile-m-z/tor-browser-es.profile +++ b/etc/profile-m-z/tor-browser-es.profile 
@@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser-es.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-es diff --git a/etc/profile-m-z/tor-browser-fa.profile b/etc/profile-m-z/tor-browser-fa.profile index 7f847a7c21d..095be69e452 100644 --- a/etc/profile-m-z/tor-browser-fa.profile +++ b/etc/profile-m-z/tor-browser-fa.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser-fa.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-fa diff --git a/etc/profile-m-z/tor-browser-fr.profile b/etc/profile-m-z/tor-browser-fr.profile index bce470ec824..37f61fc3add 100644 --- a/etc/profile-m-z/tor-browser-fr.profile +++ b/etc/profile-m-z/tor-browser-fr.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser-fr.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-fr diff --git a/etc/profile-m-z/tor-browser-ga-ie.profile b/etc/profile-m-z/tor-browser-ga-ie.profile index 994897a879a..ab7141fc476 100644 --- a/etc/profile-m-z/tor-browser-ga-ie.profile +++ b/etc/profile-m-z/tor-browser-ga-ie.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser-ga-ie.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-ga-ie 
diff --git a/etc/profile-m-z/tor-browser-he.profile b/etc/profile-m-z/tor-browser-he.profile index 6367b4c0a4f..ae56f3b7f6a 100644 --- a/etc/profile-m-z/tor-browser-he.profile +++ b/etc/profile-m-z/tor-browser-he.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser-he.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-he diff --git a/etc/profile-m-z/tor-browser-hu.profile b/etc/profile-m-z/tor-browser-hu.profile index 68e79833ee6..65cd18ac819 100644 --- a/etc/profile-m-z/tor-browser-hu.profile +++ b/etc/profile-m-z/tor-browser-hu.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser-hu.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-hu diff --git a/etc/profile-m-z/tor-browser-id.profile b/etc/profile-m-z/tor-browser-id.profile index 85b455ba2d8..57fe09f4715 100644 --- a/etc/profile-m-z/tor-browser-id.profile +++ b/etc/profile-m-z/tor-browser-id.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser-id.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-id diff --git a/etc/profile-m-z/tor-browser-is.profile b/etc/profile-m-z/tor-browser-is.profile index 48e88db717d..54f1df42d91 100644 --- a/etc/profile-m-z/tor-browser-is.profile +++ b/etc/profile-m-z/tor-browser-is.profile 
@@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser-is.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-is diff --git a/etc/profile-m-z/tor-browser-it.profile b/etc/profile-m-z/tor-browser-it.profile index 3c239ca2926..a7d46e875ba 100644 --- a/etc/profile-m-z/tor-browser-it.profile +++ b/etc/profile-m-z/tor-browser-it.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser-it.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-it diff --git a/etc/profile-m-z/tor-browser-ja.profile b/etc/profile-m-z/tor-browser-ja.profile index c52e0f64e06..b89016141ac 100644 --- a/etc/profile-m-z/tor-browser-ja.profile +++ b/etc/profile-m-z/tor-browser-ja.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser-ja.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-ja diff --git a/etc/profile-m-z/tor-browser-ka.profile b/etc/profile-m-z/tor-browser-ka.profile index 173b85e5c4b..b57cf10decd 100644 --- a/etc/profile-m-z/tor-browser-ka.profile +++ b/etc/profile-m-z/tor-browser-ka.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser-ka.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-ka 
diff --git a/etc/profile-m-z/tor-browser-ko.profile b/etc/profile-m-z/tor-browser-ko.profile index 8faa5afa135..a9bedb6fd6a 100644 --- a/etc/profile-m-z/tor-browser-ko.profile +++ b/etc/profile-m-z/tor-browser-ko.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser-ko.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-ko diff --git a/etc/profile-m-z/tor-browser-nb.profile b/etc/profile-m-z/tor-browser-nb.profile index d1352dd8096..fbe9f92bde4 100644 --- a/etc/profile-m-z/tor-browser-nb.profile +++ b/etc/profile-m-z/tor-browser-nb.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser-nb.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-nb diff --git a/etc/profile-m-z/tor-browser-nl.profile b/etc/profile-m-z/tor-browser-nl.profile index d4443cca219..678ac171311 100644 --- a/etc/profile-m-z/tor-browser-nl.profile +++ b/etc/profile-m-z/tor-browser-nl.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser-nl.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-nl diff --git a/etc/profile-m-z/tor-browser-pl.profile b/etc/profile-m-z/tor-browser-pl.profile index 08ddd4ae786..25d473b1a92 100644 --- a/etc/profile-m-z/tor-browser-pl.profile +++ b/etc/profile-m-z/tor-browser-pl.profile 
@@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser-pl.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-pl diff --git a/etc/profile-m-z/tor-browser-pt-br.profile b/etc/profile-m-z/tor-browser-pt-br.profile index 9942a3fe841..55adbd5ea4a 100644 --- a/etc/profile-m-z/tor-browser-pt-br.profile +++ b/etc/profile-m-z/tor-browser-pt-br.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser-pt-br.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-pt-br diff --git a/etc/profile-m-z/tor-browser-ru.profile b/etc/profile-m-z/tor-browser-ru.profile index 6294f8ca012..aea13be9d9b 100644 --- a/etc/profile-m-z/tor-browser-ru.profile +++ b/etc/profile-m-z/tor-browser-ru.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser-ru.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-ru diff --git a/etc/profile-m-z/tor-browser-sv-se.profile b/etc/profile-m-z/tor-browser-sv-se.profile index c8544262f0a..b7882bd04d7 100644 --- a/etc/profile-m-z/tor-browser-sv-se.profile +++ b/etc/profile-m-z/tor-browser-sv-se.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser-sv-se.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-sv-se 
diff --git a/etc/profile-m-z/tor-browser-tr.profile b/etc/profile-m-z/tor-browser-tr.profile index 2343fa8de67..c52e8c4c448 100644 --- a/etc/profile-m-z/tor-browser-tr.profile +++ b/etc/profile-m-z/tor-browser-tr.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser-tr.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-tr diff --git a/etc/profile-m-z/tor-browser-vi.profile b/etc/profile-m-z/tor-browser-vi.profile index 734c386989f..d5bf7665597 100644 --- a/etc/profile-m-z/tor-browser-vi.profile +++ b/etc/profile-m-z/tor-browser-vi.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser-vi.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-vi diff --git a/etc/profile-m-z/tor-browser-zh-cn.profile b/etc/profile-m-z/tor-browser-zh-cn.profile index 21e813e45d7..6c8925a4a3e 100644 --- a/etc/profile-m-z/tor-browser-zh-cn.profile +++ b/etc/profile-m-z/tor-browser-zh-cn.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser-zh-cn.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-zh-cn diff --git a/etc/profile-m-z/tor-browser-zh-tw.profile b/etc/profile-m-z/tor-browser-zh-tw.profile index 6fe09c6c156..141a6701edc 100644 --- a/etc/profile-m-z/tor-browser-zh-tw.profile +++ b/etc/profile-m-z/tor-browser-zh-tw.profile 
@@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser-zh-tw.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser-zh-tw diff --git a/etc/profile-m-z/tor-browser.profile b/etc/profile-m-z/tor-browser.profile index 0cd84abf513..76a0e1fa505 100644 --- a/etc/profile-m-z/tor-browser.profile +++ b/etc/profile-m-z/tor-browser.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser diff --git a/etc/profile-m-z/tor-browser_ar.profile b/etc/profile-m-z/tor-browser_ar.profile index 1e1f5ce35fc..d811b754982 100644 --- a/etc/profile-m-z/tor-browser_ar.profile +++ b/etc/profile-m-z/tor-browser_ar.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser_ar.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_ar diff --git a/etc/profile-m-z/tor-browser_ca.profile b/etc/profile-m-z/tor-browser_ca.profile index e114b6051a6..8bf1f7cd4ae 100644 --- a/etc/profile-m-z/tor-browser_ca.profile +++ b/etc/profile-m-z/tor-browser_ca.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser_ca.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_ca 
diff --git a/etc/profile-m-z/tor-browser_cs.profile b/etc/profile-m-z/tor-browser_cs.profile index 498068bc60d..b41107bf1f4 100644 --- a/etc/profile-m-z/tor-browser_cs.profile +++ b/etc/profile-m-z/tor-browser_cs.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser_cs.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_cs diff --git a/etc/profile-m-z/tor-browser_da.profile b/etc/profile-m-z/tor-browser_da.profile index 5c25c03c889..cbec4ee2e0c 100644 --- a/etc/profile-m-z/tor-browser_da.profile +++ b/etc/profile-m-z/tor-browser_da.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser_da.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_da diff --git a/etc/profile-m-z/tor-browser_de.profile b/etc/profile-m-z/tor-browser_de.profile index d530e7dbe2d..ea26765d33b 100644 --- a/etc/profile-m-z/tor-browser_de.profile +++ b/etc/profile-m-z/tor-browser_de.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser_de.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_de diff --git a/etc/profile-m-z/tor-browser_el.profile b/etc/profile-m-z/tor-browser_el.profile index 67d5ab4405e..ff57a872277 100644 --- a/etc/profile-m-z/tor-browser_el.profile +++ b/etc/profile-m-z/tor-browser_el.profile 
@@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser_el.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_el diff --git a/etc/profile-m-z/tor-browser_en-US.profile b/etc/profile-m-z/tor-browser_en-US.profile index b298ab2b89a..18c92b6386b 100644 --- a/etc/profile-m-z/tor-browser_en-US.profile +++ b/etc/profile-m-z/tor-browser_en-US.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser_en-US.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_en-US diff --git a/etc/profile-m-z/tor-browser_en.profile b/etc/profile-m-z/tor-browser_en.profile index 6bb0616b1b9..ebba83cc4cf 100644 --- a/etc/profile-m-z/tor-browser_en.profile +++ b/etc/profile-m-z/tor-browser_en.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser_en.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_en diff --git a/etc/profile-m-z/tor-browser_es-ES.profile b/etc/profile-m-z/tor-browser_es-ES.profile index 78f57ffe513..aecab38d568 100644 --- a/etc/profile-m-z/tor-browser_es-ES.profile +++ b/etc/profile-m-z/tor-browser_es-ES.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser_es-ES.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_es-ES 
diff --git a/etc/profile-m-z/tor-browser_es.profile b/etc/profile-m-z/tor-browser_es.profile index ea34a07c99c..e19e9b5e685 100644 --- a/etc/profile-m-z/tor-browser_es.profile +++ b/etc/profile-m-z/tor-browser_es.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser_es.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_es diff --git a/etc/profile-m-z/tor-browser_fa.profile b/etc/profile-m-z/tor-browser_fa.profile index fbc416ce5be..68414c277e1 100644 --- a/etc/profile-m-z/tor-browser_fa.profile +++ b/etc/profile-m-z/tor-browser_fa.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser_fa.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_fa diff --git a/etc/profile-m-z/tor-browser_fr.profile b/etc/profile-m-z/tor-browser_fr.profile index caea6db5b2f..0a8bb30b753 100644 --- a/etc/profile-m-z/tor-browser_fr.profile +++ b/etc/profile-m-z/tor-browser_fr.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser_fr.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_fr diff --git a/etc/profile-m-z/tor-browser_ga-IE.profile b/etc/profile-m-z/tor-browser_ga-IE.profile index 6342daebfb6..12354b900d7 100644 --- a/etc/profile-m-z/tor-browser_ga-IE.profile +++ b/etc/profile-m-z/tor-browser_ga-IE.profile 
@@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser_ga-IE.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_ga-IE diff --git a/etc/profile-m-z/tor-browser_he.profile b/etc/profile-m-z/tor-browser_he.profile index cc4150620f1..19cbb080922 100644 --- a/etc/profile-m-z/tor-browser_he.profile +++ b/etc/profile-m-z/tor-browser_he.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser_he.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_he diff --git a/etc/profile-m-z/tor-browser_hu.profile b/etc/profile-m-z/tor-browser_hu.profile index 952a0b68ae5..62b55e170c2 100644 --- a/etc/profile-m-z/tor-browser_hu.profile +++ b/etc/profile-m-z/tor-browser_hu.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser_hu.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_hu diff --git a/etc/profile-m-z/tor-browser_id.profile b/etc/profile-m-z/tor-browser_id.profile index a006b27c07c..2970a7747ae 100644 --- a/etc/profile-m-z/tor-browser_id.profile +++ b/etc/profile-m-z/tor-browser_id.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser_id.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_id 
diff --git a/etc/profile-m-z/tor-browser_is.profile b/etc/profile-m-z/tor-browser_is.profile index 038e0fabbea..f922c764438 100644 --- a/etc/profile-m-z/tor-browser_is.profile +++ b/etc/profile-m-z/tor-browser_is.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser_is.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_is diff --git a/etc/profile-m-z/tor-browser_it.profile b/etc/profile-m-z/tor-browser_it.profile index 3d25669948d..40690175976 100644 --- a/etc/profile-m-z/tor-browser_it.profile +++ b/etc/profile-m-z/tor-browser_it.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser_it.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_it diff --git a/etc/profile-m-z/tor-browser_ja.profile b/etc/profile-m-z/tor-browser_ja.profile index 08c942bcdeb..8f9d8d751b4 100644 --- a/etc/profile-m-z/tor-browser_ja.profile +++ b/etc/profile-m-z/tor-browser_ja.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser_ja.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_ja diff --git a/etc/profile-m-z/tor-browser_ka.profile b/etc/profile-m-z/tor-browser_ka.profile index 97664be4df8..4de4135e13a 100644 --- a/etc/profile-m-z/tor-browser_ka.profile +++ b/etc/profile-m-z/tor-browser_ka.profile 
@@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser_ka.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_ka diff --git a/etc/profile-m-z/tor-browser_ko.profile b/etc/profile-m-z/tor-browser_ko.profile index 98cf1e3e14a..125c733ce73 100644 --- a/etc/profile-m-z/tor-browser_ko.profile +++ b/etc/profile-m-z/tor-browser_ko.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser_ko.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_ko diff --git a/etc/profile-m-z/tor-browser_nb.profile b/etc/profile-m-z/tor-browser_nb.profile index 6df840573fb..dc6ac876bac 100644 --- a/etc/profile-m-z/tor-browser_nb.profile +++ b/etc/profile-m-z/tor-browser_nb.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser_nb.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_nb diff --git a/etc/profile-m-z/tor-browser_nl.profile b/etc/profile-m-z/tor-browser_nl.profile index 3f545f8887b..2a3a5b5193a 100644 --- a/etc/profile-m-z/tor-browser_nl.profile +++ b/etc/profile-m-z/tor-browser_nl.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser_nl.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_nl 
diff --git a/etc/profile-m-z/tor-browser_pl.profile b/etc/profile-m-z/tor-browser_pl.profile index 4e04dc027f9..b7dec32db09 100644 --- a/etc/profile-m-z/tor-browser_pl.profile +++ b/etc/profile-m-z/tor-browser_pl.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser_pl.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_pl diff --git a/etc/profile-m-z/tor-browser_pt-BR.profile b/etc/profile-m-z/tor-browser_pt-BR.profile index 7f864886c8c..7a7d4726c8d 100644 --- a/etc/profile-m-z/tor-browser_pt-BR.profile +++ b/etc/profile-m-z/tor-browser_pt-BR.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser_pt-BR.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_pt-BR diff --git a/etc/profile-m-z/tor-browser_ru.profile b/etc/profile-m-z/tor-browser_ru.profile index 2fae6fbe77a..7d2e6bc9787 100644 --- a/etc/profile-m-z/tor-browser_ru.profile +++ b/etc/profile-m-z/tor-browser_ru.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser_ru.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_ru diff --git a/etc/profile-m-z/tor-browser_sv-SE.profile b/etc/profile-m-z/tor-browser_sv-SE.profile index 2157f8d2be7..585925e81cd 100644 --- a/etc/profile-m-z/tor-browser_sv-SE.profile +++ b/etc/profile-m-z/tor-browser_sv-SE.profile 
@@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser_sv-SE.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_sv-SE diff --git a/etc/profile-m-z/tor-browser_tr.profile b/etc/profile-m-z/tor-browser_tr.profile index 20ac246ca91..4b0cc3821d6 100644 --- a/etc/profile-m-z/tor-browser_tr.profile +++ b/etc/profile-m-z/tor-browser_tr.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser_tr.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_tr diff --git a/etc/profile-m-z/tor-browser_vi.profile b/etc/profile-m-z/tor-browser_vi.profile index 4faa06ff63d..4dcfbf56df6 100644 --- a/etc/profile-m-z/tor-browser_vi.profile +++ b/etc/profile-m-z/tor-browser_vi.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser_vi.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_vi diff --git a/etc/profile-m-z/tor-browser_zh-CN.profile b/etc/profile-m-z/tor-browser_zh-CN.profile index e4d8215e696..1e03b8d6bcb 100644 --- a/etc/profile-m-z/tor-browser_zh-CN.profile +++ b/etc/profile-m-z/tor-browser_zh-CN.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser_zh-CN.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_zh-CN 
diff --git a/etc/profile-m-z/tor-browser_zh-TW.profile b/etc/profile-m-z/tor-browser_zh-TW.profile index 8a28015a6e9..a2dcf5cf1aa 100644 --- a/etc/profile-m-z/tor-browser_zh-TW.profile +++ b/etc/profile-m-z/tor-browser_zh-TW.profile @@ -1,5 +1,10 @@ # Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update +# Persistent local customizations +include tor-browser_zh-TW.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.tor-browser_zh-TW diff --git a/etc/profile-m-z/tor.profile b/etc/profile-m-z/tor.profile index 13d07163570..312123f5970 100644 --- a/etc/profile-m-z/tor.profile +++ b/etc/profile-m-z/tor.profile @@ -21,7 +21,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -32,6 +31,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs nosound notv @@ -46,6 +46,6 @@ private private-bin bash,tor private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor +private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,passwd,pki,ssl,tor private-tmp writable-var diff --git a/etc/profile-m-z/torbrowser-launcher.profile b/etc/profile-m-z/torbrowser-launcher.profile index 6bcc51f4d65..e7b8ecd3f53 100644 --- a/etc/profile-m-z/torbrowser-launcher.profile +++ b/etc/profile-m-z/torbrowser-launcher.profile @@ -15,11 +15,13 @@ noblacklist ${HOME}/.local/share/torbrowser include allow-python2.inc include allow-python3.inc +blacklist /opt +blacklist /srv + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc 
@@ -28,13 +30,21 @@ mkdir ${HOME}/.local/share/torbrowser whitelist ${DOWNLOADS} whitelist ${HOME}/.config/torbrowser whitelist ${HOME}/.local/share/torbrowser +whitelist /usr/share/torbrowser-launcher include whitelist-common.inc include whitelist-var-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +# Add 'apparmor' to your torbrowser-launcher.local to enable AppArmor support. +# IMPORTANT: the relevant rule in /etc/apparmor.d/local/firejail-default will need +# to be uncommented too for this to work as expected. +#apparmor caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv @@ -43,8 +53,7 @@ novideo protocol unix,inet,inet6 seccomp !chroot shell none -# tracelog may cause issues, see github issue #1930 -#tracelog +#tracelog - may cause issues, see #1930 disable-mnt private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity diff --git a/etc/profile-m-z/torcs.profile b/etc/profile-m-z/torcs.profile index 1ed78934ee7..a7ebaf2aff4 100644 --- a/etc/profile-m-z/torcs.profile +++ b/etc/profile-m-z/torcs.profile @@ -12,7 +12,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -29,6 +28,7 @@ ipc-namespace net none nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile index d49ef0cb80c..dac753fd14a 100644 --- a/etc/profile-m-z/totem.profile +++ b/etc/profile-m-z/totem.profile 
@@ -6,34 +6,47 @@ include totem.local # Persistent global definitions include globals.local -# Allow lua (required for youtube video) +# Allow lua (blacklisted by disable-interpreters.inc) +# required for youtube video include allow-lua.inc +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python3.inc + noblacklist ${HOME}/.config/totem noblacklist ${HOME}/.local/share/totem -noblacklist ${MUSIC} -noblacklist ${VIDEOS} include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc -include disable-xdg.inc +include disable-shell.inc +read-only ${DESKTOP} +mkdir ${HOME}/.config/totem +mkdir ${HOME}/.local/share/totem +whitelist ${HOME}/.config/totem +whitelist ${HOME}/.local/share/totem +whitelist /usr/share/totem +include whitelist-common.inc +include whitelist-player-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc # apparmor - makes settings immutable caps.drop all netfilter nogroups +noinput nonewprivs noroot nou2f protocol unix,inet,inet6 seccomp shell none +tracelog private-bin totem # totem needs access to ~/.cache/tracker or it exits @@ -44,4 +57,4 @@ private-tmp # makes settings immutable # dbus-user none -# dbus-system none +dbus-system none diff --git a/etc/profile-m-z/tracker.profile b/etc/profile-m-z/tracker.profile index 9030b1e01a3..ba44224f94f 100644 --- a/etc/profile-m-z/tracker.profile +++ b/etc/profile-m-z/tracker.profile @@ -14,8 +14,8 @@ blacklist ${RUNUSER}/wayland-* include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include whitelist-runuser-common.inc diff --git a/etc/profile-m-z/transgui.profile b/etc/profile-m-z/transgui.profile index cafc6e6d150..0e23b78432a 100644 --- a/etc/profile-m-z/transgui.profile 
+++ b/etc/profile-m-z/transgui.profile @@ -12,8 +12,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.config/transgui @@ -30,6 +30,7 @@ machine-id netfilter nodvd nogroups +noinput nonewprivs noroot nosound @@ -44,7 +45,7 @@ tracelog private-bin geoiplookup,geoiplookup6,transgui private-cache private-dev -private-etc alternatives,fonts +private-etc alternatives,fonts,ld.so.preload private-lib libgdk_pixbuf-2.0.so.*,libGeoIP.so*,libgthread-2.0.so.*,libgtk-x11-2.0.so.*,libX11.so.* private-tmp diff --git a/etc/profile-m-z/transmission-cli.profile b/etc/profile-m-z/transmission-cli.profile index 486be5fe6cb..b3fab083c87 100644 --- a/etc/profile-m-z/transmission-cli.profile +++ b/etc/profile-m-z/transmission-cli.profile @@ -8,7 +8,7 @@ include transmission-cli.local include globals.local private-bin transmission-cli -private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl # Redirect include transmission-common.profile diff --git a/etc/profile-m-z/transmission-common.profile b/etc/profile-m-z/transmission-common.profile index 9d2e8e9905c..9d9b8cc2cbc 100644 --- a/etc/profile-m-z/transmission-common.profile +++ b/etc/profile-m-z/transmission-common.profile @@ -14,7 +14,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.cache/transmission @@ -31,6 +30,7 @@ caps.drop all machine-id netfilter nodvd +noinput nonewprivs noroot nosound @@ -39,6 +39,7 @@ nou2f novideo protocol unix,inet,inet6 seccomp +seccomp.block-secondary shell none tracelog 
diff --git a/etc/profile-m-z/transmission-daemon.profile b/etc/profile-m-z/transmission-daemon.profile index 363c685e0d6..9d91b8b81bb 100644 --- a/etc/profile-m-z/transmission-daemon.profile +++ b/etc/profile-m-z/transmission-daemon.profile @@ -14,9 +14,10 @@ whitelist ${HOME}/.config/transmission-daemon whitelist /var/lib/transmission caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot +protocol packet private-bin transmission-daemon -private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl read-write /var/lib/transmission writable-var-log diff --git a/etc/profile-m-z/transmission-remote-gtk.profile b/etc/profile-m-z/transmission-remote-gtk.profile index a6400e2c0b9..20d54500fc5 100644 --- a/etc/profile-m-z/transmission-remote-gtk.profile +++ b/etc/profile-m-z/transmission-remote-gtk.profile @@ -12,7 +12,7 @@ noblacklist ${HOME}/.config/transmission-remote-gtk mkdir ${HOME}/.config/transmission-remote-gtk whitelist ${HOME}/.config/transmission-remote-gtk -private-etc fonts,hostname,hosts,resolv.conf +private-etc fonts,hostname,hosts,ld.so.preload,resolv.conf # Problems with private-lib (see issue #2889) ignore private-lib diff --git a/etc/profile-m-z/transmission-remote.profile b/etc/profile-m-z/transmission-remote.profile index fee4999e600..ad4ad217214 100644 --- a/etc/profile-m-z/transmission-remote.profile +++ b/etc/profile-m-z/transmission-remote.profile @@ -8,7 +8,7 @@ include transmission-remote.local include globals.local private-bin transmission-remote -private-etc alternatives,hosts,nsswitch.conf +private-etc alternatives,hosts,ld.so.preload,nsswitch.conf # Redirect include transmission-common.profile diff --git a/etc/profile-m-z/transmission-show.profile b/etc/profile-m-z/transmission-show.profile index 5a3c83f5857..822a368da03 100644 --- a/etc/profile-m-z/transmission-show.profile 
+++ b/etc/profile-m-z/transmission-show.profile @@ -8,7 +8,7 @@ include transmission-show.local include globals.local private-bin transmission-show -private-etc alternatives,hosts,nsswitch.conf +private-etc alternatives,hosts,ld.so.preload,nsswitch.conf # Redirect include transmission-common.profile diff --git a/etc/profile-m-z/tremulous.profile b/etc/profile-m-z/tremulous.profile index 64bb8cba825..4e16df553b9 100644 --- a/etc/profile-m-z/tremulous.profile +++ b/etc/profile-m-z/tremulous.profile @@ -12,13 +12,16 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.tremulous whitelist ${HOME}/.tremulous +whitelist /usr/share/tremulous include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc caps.drop all @@ -26,6 +29,7 @@ ipc-namespace netfilter nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile new file mode 100644 index 00000000000..1959aee1e1c --- /dev/null +++ b/etc/profile-m-z/trojita.profile 
@@ -0,0 +1,64 @@ +# Firejail profile for trojita +# Description: Qt mail client +# This file is overwritten after every install/update +# Persistent local customizations +include trojita.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.abook +noblacklist ${HOME}/.mozilla +noblacklist ${HOME}/.cache/flaska.net/trojita +noblacklist ${HOME}/.config/flaska.net + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.abook +mkdir ${HOME}/.cache/flaska.net/trojita +mkdir ${HOME}/.config/flaska.net +whitelist ${HOME}/.abook +whitelist ${HOME}/.mozilla/firefox/profiles.ini +whitelist ${HOME}/.cache/flaska.net/trojita +whitelist ${HOME}/.config/flaska.net +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6,netlink +seccomp +shell none +tracelog + +# disable-mnt +# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile. +private-bin trojita +private-cache +private-dev +private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.preload,pki,resolv.conf,selinux,ssl,xdg +private-tmp + +dbus-user filter +dbus-user.talk org.freedesktop.secrets +dbus-system none + +read-only ${HOME}/.mozilla/firefox/profiles.ini diff --git a/etc/profile-m-z/truecraft.profile b/etc/profile-m-z/truecraft.profile index e76d522199f..503e1ae641d 100644 --- a/etc/profile-m-z/truecraft.profile +++ b/etc/profile-m-z/truecraft.profile 
@@ -12,7 +12,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.config/mono @@ -24,6 +23,7 @@ include whitelist-common.inc caps.drop all nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/tshark.profile b/etc/profile-m-z/tshark.profile index 684a9491d06..3f5a9647e3f 100644 --- a/etc/profile-m-z/tshark.profile +++ b/etc/profile-m-z/tshark.profile @@ -4,43 +4,8 @@ quiet # Persistent local customizations include tshark.local # Persistent global definitions -include globals.local +# added by included profile +#include globals.local -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc -include disable-xdg.inc - -whitelist /usr/share/wireshark -include whitelist-common.inc -include whitelist-runuser-common.inc -include whitelist-usr-share-common.inc -include whitelist-var-common.inc - -apparmor -#caps.keep net_raw -caps.keep dac_override,net_admin,net_raw -ipc-namespace -#net tun0 -netfilter -no3d -nodvd -# nogroups - breaks network traffic capture for unprivileged users -# nonewprivs - breaks network traffic capture for unprivileged users -# noroot -nosound -notv -nou2f -novideo -#protocol unix,inet,inet6,netlink,packet -#seccomp - -disable-mnt -#private -private-cache -#private-bin tshark -private-dev -private-tmp +# Redirect +include wireshark.profile diff --git a/etc/profile-m-z/tutanota-desktop.profile b/etc/profile-m-z/tutanota-desktop.profile new file mode 100644 index 00000000000..d2cb0cc8ac5 --- /dev/null +++ b/etc/profile-m-z/tutanota-desktop.profile 
@@ -0,0 +1,31 @@ +# Firejail profile for tutanota-desktop +# Description: Encrypted email client +# This file is overwritten after every install/update +# Persistent local customizations +include tutanota-desktop.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/tuta_integration +noblacklist ${HOME}/.config/tutanota-desktop + +ignore noexec /tmp + +include disable-shell.inc + +mkdir ${HOME}/.config/tuta_integration +mkdir ${HOME}/.config/tutanota-desktop +whitelist ${HOME}/.config/tuta_integration +whitelist ${HOME}/.config/tutanota-desktop + +# These lines are needed to allow Firefox to open links +noblacklist ${HOME}/.mozilla +whitelist ${HOME}/.mozilla/firefox/profiles.ini +read-only ${HOME}/.mozilla/firefox/profiles.ini + +?HAS_APPIMAGE: ignore private-dev +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl +private-opt tutanota-desktop + +# Redirect +include electron.profile diff --git a/etc/profile-m-z/tuxguitar.profile b/etc/profile-m-z/tuxguitar.profile index d2b13d9ee37..807d4328187 100644 --- a/etc/profile-m-z/tuxguitar.profile +++ b/etc/profile-m-z/tuxguitar.profile @@ -6,6 +6,9 @@ include tuxguitar.local # Persistent global definitions include globals.local +# tuxguitar fails to launch +ignore noexec ${HOME} + noblacklist ${HOME}/.tuxguitar* noblacklist ${DOCUMENTS} noblacklist ${MUSIC} @@ -17,7 +20,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -29,6 +31,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot notv @@ -40,6 +43,3 @@ tracelog private-dev private-tmp - -# noexec ${HOME} - tuxguitar may fail to launch -noexec /tmp diff --git a/etc/profile-m-z/tvbrowser.profile b/etc/profile-m-z/tvbrowser.profile index d3dcbfe53e8..8a18519ac03 100644 
--- a/etc/profile-m-z/tvbrowser.profile +++ b/etc/profile-m-z/tvbrowser.profile @@ -16,7 +16,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -34,6 +33,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/twitch.profile b/etc/profile-m-z/twitch.profile new file mode 100644 index 00000000000..bd2f1bcf955 --- /dev/null +++ b/etc/profile-m-z/twitch.profile @@ -0,0 +1,25 @@ +# Firejail profile for twitch +# Description: Unofficial electron based desktop warpper for Twitch +# This file is overwritten after every install/update +# Persistent local customizations +include twitch.local +# Persistent global definitions +include globals.local + +# Disabled until someone reported positive feedback +ignore nou2f +ignore novideo + +noblacklist ${HOME}/.config/Twitch + +include disable-shell.inc + +mkdir ${HOME}/.config/Twitch +whitelist ${HOME}/.config/Twitch + +private-bin electron,electron[0-9],electron[0-9][0-9],twitch +private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg +private-opt Twitch + +# Redirect +include electron.profile diff --git a/etc/profile-m-z/udiskie.profile b/etc/profile-m-z/udiskie.profile index 265f6429d46..02f05af1672 100644 --- a/etc/profile-m-z/udiskie.profile +++ b/etc/profile-m-z/udiskie.profile @@ -13,7 +13,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -24,6 +23,7 @@ machine-id net none no3d nogroups +noinput nonewprivs noroot nosound 
diff --git a/etc/profile-m-z/uefitool.profile b/etc/profile-m-z/uefitool.profile index 8807b0b2cc2..2e5630f3d56 100644 --- a/etc/profile-m-z/uefitool.profile +++ b/etc/profile-m-z/uefitool.profile @@ -11,7 +11,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -21,6 +20,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/uget-gtk.profile b/etc/profile-m-z/uget-gtk.profile index 8a2e83a1ae0..4420099ffe9 100644 --- a/etc/profile-m-z/uget-gtk.profile +++ b/etc/profile-m-z/uget-gtk.profile @@ -11,6 +11,7 @@ include disable-common.inc include disable-devel.inc include disable-interpreters.inc include disable-programs.inc +include disable-shell.inc mkdir ${HOME}/.config/uGet whitelist ${DOWNLOADS} @@ -22,6 +23,7 @@ include whitelist-var-common.inc caps.drop all netfilter nodvd +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/unar.profile b/etc/profile-m-z/unar.profile new file mode 100644 index 00000000000..0226a7de876 --- /dev/null +++ b/etc/profile-m-z/unar.profile @@ -0,0 +1,13 @@ +# Firejail profile for unar +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include unar.local +# Persistent global definitions +# added by included profile +#include globals.local + +private-bin unar + +# Redirect +include ar.profile diff --git a/etc/profile-m-z/unbound.profile b/etc/profile-m-z/unbound.profile index 714a3f2f4fc..e8424cd7d70 100644 --- a/etc/profile-m-z/unbound.profile +++ b/etc/profile-m-z/unbound.profile @@ -16,7 +16,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -31,6 +30,7 @@ machine-id netfilter no3d nodvd +noinput nonewprivs nosound notv 
diff --git a/etc/profile-m-z/unf.profile b/etc/profile-m-z/unf.profile index fbbe949e97d..685e74e250f 100644 --- a/etc/profile-m-z/unf.profile +++ b/etc/profile-m-z/unf.profile @@ -13,8 +13,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc whitelist ${DOWNLOADS} @@ -31,6 +31,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -48,7 +49,7 @@ private-bin unf private-cache ?HAS_APPIMAGE: ignore private-dev private-dev -private-etc alternatives +private-etc alternatives,ld.so.preload private-lib gcc/*/*/libgcc_s.so.* private-tmp diff --git a/etc/profile-m-z/unknown-horizons.profile b/etc/profile-m-z/unknown-horizons.profile index 7dc13e2841a..b8f4dc431cd 100644 --- a/etc/profile-m-z/unknown-horizons.profile +++ b/etc/profile-m-z/unknown-horizons.profile @@ -10,7 +10,6 @@ noblacklist ${HOME}/.unknown-horizons include disable-common.inc include disable-exec.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.unknown-horizons @@ -25,6 +24,7 @@ apparmor caps.drop all nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/unlzma.profile b/etc/profile-m-z/unlzma.profile index d9c72407f5d..115d982e2c1 100644 --- a/etc/profile-m-z/unlzma.profile +++ b/etc/profile-m-z/unlzma.profile @@ -2,6 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet +# Persistent local customizations +include unlzma.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff --git a/etc/profile-m-z/unrar.profile b/etc/profile-m-z/unrar.profile index 88a753d596e..761ee91c568 100644 --- a/etc/profile-m-z/unrar.profile +++ b/etc/profile-m-z/unrar.profile 
@@ -7,39 +7,9 @@ include unrar.local # Persistent global definitions include globals.local -blacklist ${RUNUSER}/wayland-* - -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc - -caps.drop all -hostname unrar -ipc-namespace -machine-id -net none -no3d -nodvd -#nogroups -nonewprivs -#noroot -nosound -notv -nou2f -novideo -protocol unix -seccomp -shell none -tracelog -x11 none - private-bin unrar -private-dev -private-etc alternatives,group,localtime,passwd +private-etc alternatives,group,ld.so.preload,localtime,passwd private-tmp -dbus-user none -dbus-system none +# Redirect +include archiver-common.profile diff --git a/etc/profile-m-z/unxz.profile b/etc/profile-m-z/unxz.profile index d9c72407f5d..d86313028c6 100644 --- a/etc/profile-m-z/unxz.profile +++ b/etc/profile-m-z/unxz.profile @@ -2,6 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet +# Persistent local customizations +include unxz.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff --git a/etc/profile-m-z/unzip.profile b/etc/profile-m-z/unzip.profile index b4b63882b7f..981826b163e 100644 --- a/etc/profile-m-z/unzip.profile +++ b/etc/profile-m-z/unzip.profile 
@@ -7,41 +7,10 @@ include unzip.local # Persistent global definitions include globals.local -blacklist ${RUNUSER}/wayland-* - # GNOME Shell integration (chrome-gnome-shell) noblacklist ${HOME}/.local/share/gnome-shell -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc - -caps.drop all -hostname unzip -ipc-namespace -machine-id -net none -no3d -nodvd -#nogroups -nonewprivs -noroot -nosound -notv -nou2f -novideo -protocol unix -seccomp -shell none -tracelog -x11 none - -private-bin unzip -private-dev -private-etc alternatives,group,localtime,passwd +private-etc alternatives,group,ld.so.preload,localtime,passwd -dbus-user none -dbus-system none +# Redirect +include archiver-common.profile diff --git a/etc/profile-m-z/unzstd.profile b/etc/profile-m-z/unzstd.profile index ce9af328683..0294aceff5a 100644 --- a/etc/profile-m-z/unzstd.profile +++ b/etc/profile-m-z/unzstd.profile @@ -1,5 +1,10 @@ # Firejail profile alias for zstd # This file is overwritten after every install/update +# Persistent local customizations +include unzstd.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include zstd.profile diff --git a/etc/profile-m-z/utox.profile b/etc/profile-m-z/utox.profile index 9877ea889d0..5a867a683ed 100644 --- a/etc/profile-m-z/utox.profile +++ b/etc/profile-m-z/utox.profile @@ -13,8 +13,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.config/tox @@ -29,6 +29,7 @@ ipc-namespace netfilter nodvd nogroups +noinput nonewprivs noroot notv 
@@ -42,7 +43,7 @@ disable-mnt private-bin utox private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,openal,pki,pulse,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,openal,pki,pulse,resolv.conf,ssl private-tmp memory-deny-write-execute diff --git a/etc/profile-m-z/uudeview.profile b/etc/profile-m-z/uudeview.profile index 6b5f14cabb3..3b38f16e013 100644 --- a/etc/profile-m-z/uudeview.profile +++ b/etc/profile-m-z/uudeview.profile @@ -13,8 +13,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include whitelist-usr-share-common.inc @@ -25,6 +25,7 @@ machine-id net none nodvd #nogroups +noinput nonewprivs #noroot nosound diff --git a/etc/profile-m-z/viewnior.profile b/etc/profile-m-z/viewnior.profile index f009f634059..ed2f0103b21 100644 --- a/etc/profile-m-z/viewnior.profile +++ b/etc/profile-m-z/viewnior.profile @@ -16,8 +16,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -28,6 +28,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -42,7 +43,7 @@ tracelog private-bin viewnior private-cache private-dev -private-etc alternatives,fonts,machine-id +private-etc alternatives,fonts,ld.so.preload,machine-id private-tmp dbus-user none diff --git a/etc/profile-m-z/viking.profile b/etc/profile-m-z/viking.profile index 5b6228a94eb..fd15228cfcd 100644 --- a/etc/profile-m-z/viking.profile +++ b/etc/profile-m-z/viking.profile 
@@ -14,7 +14,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -23,6 +22,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/vim.profile b/etc/profile-m-z/vim.profile index e9a47423959..a6e05a32a62 100644 --- a/etc/profile-m-z/vim.profile +++ b/etc/profile-m-z/vim.profile @@ -14,7 +14,6 @@ noblacklist ${HOME}/.vimrc include allow-common-devel.inc include disable-common.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-runuser-common.inc @@ -23,6 +22,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile index c0dbc9116b8..a6d3eaafd2d 100644 --- a/etc/profile-m-z/virtualbox.profile +++ b/etc/profile-m-z/virtualbox.profile 
@@ -14,19 +14,39 @@ noblacklist /usr/lib/virtualbox noblacklist /usr/lib64/virtualbox include disable-common.inc +include disable-devel.inc include disable-exec.inc -include disable-passwdmgr.inc +include disable-interpreters.inc include disable-programs.inc +include disable-xdg.inc mkdir ${HOME}/.config/VirtualBox mkdir ${HOME}/VirtualBox VMs whitelist ${HOME}/.config/VirtualBox whitelist ${HOME}/VirtualBox VMs whitelist ${DOWNLOADS} +whitelist /usr/share/virtualbox include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc -caps.keep net_raw,sys_admin,sys_nice +# For host-only network sys_admin is needed. See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630 + +apparmor +caps.keep net_raw,sys_nice netfilter nodvd +#nogroups notv +shell none +tracelog + +#disable-mnt +#private-bin awk,basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox*,vbox*,whoami +private-cache +private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl +private-tmp + +dbus-user none +dbus-system none diff --git a/etc/profile-m-z/vivaldi-beta.profile b/etc/profile-m-z/vivaldi-beta.profile index 5de5682a3d6..0d80167f320 100644 --- a/etc/profile-m-z/vivaldi-beta.profile +++ b/etc/profile-m-z/vivaldi-beta.profile @@ -1,5 +1,7 @@ -# Firejail profile alias for vivaldi +# Firejail profile for vivaldi-beta # This file is overwritten after every install/update +# Persistent local customizations +include vivaldi-beta.local # Redirect include vivaldi.profile diff --git a/etc/profile-m-z/vivaldi-snapshot.profile b/etc/profile-m-z/vivaldi-snapshot.profile index ea4a4009fe1..543f206af48 100644 --- a/etc/profile-m-z/vivaldi-snapshot.profile +++ b/etc/profile-m-z/vivaldi-snapshot.profile 
@@ -2,16 +2,6 @@ # This file is overwritten after every install/update # Persistent local customizations include vivaldi-snapshot.local -# Persistent global definitions -include globals.local - -noblacklist ${HOME}/.cache/vivaldi-snapshot -noblacklist ${HOME}/.config/vivaldi-snapshot - -mkdir ${HOME}/.cache/vivaldi-snapshot -mkdir ${HOME}/.config/vivaldi-snapshot -whitelist ${HOME}/.cache/vivaldi-snapshot -whitelist ${HOME}/.config/vivaldi-snapshot # Redirect -include chromium-common.profile +include vivaldi.profile diff --git a/etc/profile-m-z/vivaldi-stable.profile b/etc/profile-m-z/vivaldi-stable.profile index 5de5682a3d6..94b2cd76c2a 100644 --- a/etc/profile-m-z/vivaldi-stable.profile +++ b/etc/profile-m-z/vivaldi-stable.profile @@ -1,5 +1,7 @@ -# Firejail profile alias for vivaldi +# Firejail profile for vivaldi-stable # This file is overwritten after every install/update +# Persistent local customizations +include vivaldi-stable.local # Redirect include vivaldi.profile diff --git a/etc/profile-m-z/vivaldi.profile b/etc/profile-m-z/vivaldi.profile index 096ce8a7208..fdeb0307fbd 100644 --- a/etc/profile-m-z/vivaldi.profile +++ b/etc/profile-m-z/vivaldi.profile 
@@ -13,19 +13,29 @@ whitelist /var/opt/vivaldi writable-var noblacklist ${HOME}/.cache/vivaldi +noblacklist ${HOME}/.cache/vivaldi-snapshot noblacklist ${HOME}/.config/vivaldi +noblacklist ${HOME}/.config/vivaldi-snapshot noblacklist ${HOME}/.local/lib/vivaldi mkdir ${HOME}/.cache/vivaldi +mkdir ${HOME}/.cache/vivaldi-snapshot mkdir ${HOME}/.config/vivaldi +mkdir ${HOME}/.config/vivaldi-snapshot mkdir ${HOME}/.local/lib/vivaldi whitelist ${HOME}/.cache/vivaldi +whitelist ${HOME}/.cache/vivaldi-snapshot whitelist ${HOME}/.config/vivaldi +whitelist ${HOME}/.config/vivaldi-snapshot whitelist ${HOME}/.local/lib/vivaldi +#private-bin bash,cat,dirname,readlink,rm,vivaldi,vivaldi-stable,vivaldi-snapshot + # breaks vivaldi sync ignore dbus-user none ignore dbus-system none +read-write ${HOME}/.local/lib/vivaldi + # Redirect include chromium-common.profile diff --git a/etc/profile-m-z/vlc.profile b/etc/profile-m-z/vlc.profile index 0069ebeae39..68db032aaff 100644 --- a/etc/profile-m-z/vlc.profile +++ b/etc/profile-m-z/vlc.profile @@ -8,24 +8,32 @@ include globals.local noblacklist ${HOME}/.cache/vlc noblacklist ${HOME}/.config/vlc +noblacklist ${HOME}/.config/aacs noblacklist ${HOME}/.local/share/vlc -noblacklist ${MUSIC} -noblacklist ${VIDEOS} include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc -include disable-xdg.inc +read-only ${DESKTOP} +mkdir ${HOME}/.cache/vlc +mkdir ${HOME}/.config/vlc +mkdir ${HOME}/.local/share/vlc +whitelist ${HOME}/.cache/vlc +whitelist ${HOME}/.config/vlc +whitelist ${HOME}/.config/aacs +whitelist ${HOME}/.local/share/vlc +include whitelist-common.inc +include whitelist-player-common.inc include whitelist-var-common.inc #apparmor - on Ubuntu 18.04 it refuses to start without dbus access caps.drop all netfilter nogroups +noinput nonewprivs noroot nou2f 
diff --git a/etc/profile-m-z/vmware-player.profile b/etc/profile-m-z/vmware-player.profile new file mode 100644 index 00000000000..582a0f693f1 --- /dev/null +++ b/etc/profile-m-z/vmware-player.profile @@ -0,0 +1,8 @@ +# Firejail profile for vmware-player +# Description: The industry standard for running multiple operating systems as virtual machines on a single Linux PC. +# This file is overwritten after every install/update +# Persistent local customizations +include vmware-player.local + +# Redirect +include vmware.profile diff --git a/etc/profile-m-z/vmware-view.profile b/etc/profile-m-z/vmware-view.profile new file mode 100644 index 00000000000..b2b019ff460 --- /dev/null +++ b/etc/profile-m-z/vmware-view.profile 
@@ -0,0 +1,56 @@ +# Firejail profile for vmware-view +# Description: VMware Horizon Client +# This file is overwritten after every install/update +# Persistent local customizations +include vmware-view.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.vmware + +noblacklist /sbin +noblacklist /usr/sbin + +include allow-bin-sh.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.vmware +whitelist ${HOME}/.vmware +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +caps.drop all +netfilter +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +# Add 'ignore novideo' to your vmware-view.local if you need your webcam. +novideo +protocol unix,inet,inet6 +seccomp !iopl +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-cache +private-dev +private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gai.conf,gconf,glvnd,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,magic,magic.mgc,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,proxychains.conf,pulse,resolv.conf,rpc,services,ssl,terminfo,vmware,vmware-tools,vmware-vix,X11,xdg +# Logs are kept in /tmp. Add 'ignore private-tmp' to your vmware-view.local if you need them without joining the sandbox. +private-tmp + +dbus-user none +dbus-system none diff --git a/etc/profile-m-z/vmware-workstation.profile b/etc/profile-m-z/vmware-workstation.profile new file mode 100644 index 00000000000..6290b57f427 --- /dev/null +++ b/etc/profile-m-z/vmware-workstation.profile 
@@ -0,0 +1,8 @@ +# Firejail profile for vmware-workstation +# Description: The industry standard for running multiple operating systems as virtual machines on a single Linux PC. +# This file is overwritten after every install/update +# Persistent local customizations +include vmware-workstation.local + +# Redirect +include vmware.profile diff --git a/etc/profile-m-z/vmware.profile b/etc/profile-m-z/vmware.profile new file mode 100644 index 00000000000..8e25daee0ab --- /dev/null +++ b/etc/profile-m-z/vmware.profile 
@@ -0,0 +1,43 @@ +# Firejail profile for vmware +# Description: The industry standard for running multiple operating systems as virtual machines on a single Linux PC. +# This file is overwritten after every install/update +# Persistent local customizations +include vmware.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/vmware +noblacklist ${HOME}/.vmware + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-xdg.inc + +mkdir ${HOME}/.cache/vmware +mkdir ${HOME}/.vmware +whitelist ${HOME}/.cache/vmware +whitelist ${HOME}/.vmware +# Add the next lines to your vmware.local if you need to use "shared VM". +#whitelist /var/lib/vmware +#writable-var +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +caps.keep chown,net_raw,sys_nice +netfilter +nogroups +notv +shell none +tracelog + +#disable-mnt +# Add the next line to your vmware.local to enable private-bin. +#private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-* +private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix +dbus-user none +dbus-system none diff --git a/etc/profile-m-z/vscodium.profile b/etc/profile-m-z/vscodium.profile index b4728fb7211..a4a4fb7d83b 100644 --- a/etc/profile-m-z/vscodium.profile +++ b/etc/profile-m-z/vscodium.profile @@ -1,5 +1,10 @@ # Firejail profile alias for Visual Studio Code # This file is overwritten after every install/update +# Persistent local customizations +include vscodium.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist ${HOME}/.VSCodium 
diff --git a/etc/profile-m-z/vulturesclaw.profile b/etc/profile-m-z/vulturesclaw.profile index 2e9078a7be8..fa6ddf1fb29 100644 --- a/etc/profile-m-z/vulturesclaw.profile +++ b/etc/profile-m-z/vulturesclaw.profile @@ -1,5 +1,10 @@ # Firejail profile alias for nethack-vultures # This file is overwritten after every install/update +# Persistent local customizations +include vulturesclaw.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist /var/games/vulturesclaw whitelist /var/games/vulturesclaw diff --git a/etc/profile-m-z/vultureseye.profile b/etc/profile-m-z/vultureseye.profile index 44c263cfcc7..49d3fa94fbc 100644 --- a/etc/profile-m-z/vultureseye.profile +++ b/etc/profile-m-z/vultureseye.profile @@ -1,5 +1,10 @@ # Firejail profile alias for nethack-vultures # This file is overwritten after every install/update +# Persistent local customizations +include vultureseye.local +# Persistent global definitions +# added by included profile +#include globals.local noblacklist /var/games/vultureseye whitelist /var/games/vultureseye diff --git a/etc/profile-m-z/vym.profile b/etc/profile-m-z/vym.profile index fbb53943c30..6632ccb6b09 100644 --- a/etc/profile-m-z/vym.profile +++ b/etc/profile-m-z/vym.profile @@ -12,7 +12,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all @@ -20,6 +19,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/w3m.profile b/etc/profile-m-z/w3m.profile index 5215ee6f501..d2e30e8241f 100644 --- a/etc/profile-m-z/w3m.profile +++ b/etc/profile-m-z/w3m.profile 
@@ -1,32 +1,52 @@ # Firejail profile for w3m # Description: WWW browsable pager with excellent tables/frames support # This file is overwritten after every install/update +quiet # Persistent local customizations include w3m.local # Persistent global definitions include globals.local +# Add the next lines to your w3m.local if you want to use w3m-img on a vconsole. +#ignore nogroups +#ignore private-dev +#ignore private-etc + noblacklist ${HOME}/.w3m blacklist /tmp/.X11-unix blacklist ${RUNUSER}/wayland-* +# Allow /bin/sh (blacklisted by disable-shell.inc) +include allow-bin-sh.inc + +# Allow perl (blacklisted by disable-interpreters.inc) include allow-perl.inc include disable-common.inc include disable-devel.inc +include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc +mkdir ${HOME}/.w3m +whitelist /usr/share/w3m +whitelist ${DOWNLOADS} +whitelist ${HOME}/.w3m include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc caps.drop all +ipc-namespace +machine-id netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -38,8 +58,14 @@ seccomp shell none tracelog -# private-bin w3m +disable-mnt +private-bin perl,sh,w3m private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,mailcap,nsswitch.conf,pki,resolv.conf,ssl private-tmp + +dbus-user none +dbus-system none + +memory-deny-write-execute diff --git a/etc/profile-m-z/warmux.profile b/etc/profile-m-z/warmux.profile index a3de3d444a6..fc59b72395e 100644 --- a/etc/profile-m-z/warmux.profile +++ b/etc/profile-m-z/warmux.profile 
@@ -14,8 +14,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.config/wormux @@ -34,6 +34,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv @@ -48,7 +49,7 @@ disable-mnt private-bin warmux private-cache private-dev -private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,machine-id,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl +private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.preload,machine-id,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl private-tmp dbus-user none diff --git a/etc/profile-m-z/warsow.profile b/etc/profile-m-z/warsow.profile index 32d27e1b93a..5659ec69cc5 100644 --- a/etc/profile-m-z/warsow.profile +++ b/etc/profile-m-z/warsow.profile @@ -15,15 +15,18 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.cache/warsow-2.1 mkdir ${HOME}/.local/share/warsow-2.1 whitelist ${HOME}/.cache/warsow-2.1 whitelist ${HOME}/.local/share/warsow-2.1 +whitelist /usr/share/warsow include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc caps.drop all @@ -31,6 +34,7 @@ ipc-namespace netfilter nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/warzone2100.profile b/etc/profile-m-z/warzone2100.profile index 25f401d8575..46dca0547ff 100644 --- a/etc/profile-m-z/warzone2100.profile +++ b/etc/profile-m-z/warzone2100.profile 
@@ -12,11 +12,11 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc -# mkdir ${HOME}/.warzone2100-3.1 -# mkdir ${HOME}/.warzone2100-3.2 +mkdir ${HOME}/.warzone2100-3.1 +mkdir ${HOME}/.warzone2100-3.2 whitelist ${HOME}/.warzone2100-3.1 whitelist ${HOME}/.warzone2100-3.2 whitelist /usr/share/games @@ -30,6 +30,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/waterfox.profile b/etc/profile-m-z/waterfox.profile index c6c940fa305..18f1ca79a80 100644 --- a/etc/profile-m-z/waterfox.profile +++ b/etc/profile-m-z/waterfox.profile @@ -13,14 +13,15 @@ mkdir ${HOME}/.waterfox whitelist ${HOME}/.cache/waterfox whitelist ${HOME}/.waterfox -# Uncomment (or add to watefox.local) the following lines if you want to -# use the migration wizard. +# Add the next lines to your watefox.local if you want to use the migration wizard. #noblacklist ${HOME}/.mozilla #whitelist ${HOME}/.mozilla # waterfox requires a shell to launch on Arch. We can possibly remove sh though. +# Add the next line to your waterfox.local to enable private-bin. #private-bin bash,dbus-launch,dbus-send,env,sh,waterfox,waterfox-classic,waterfox-current,which -# private-etc must first be enabled in firefox-common.profile +# Add the next line to your waterfox.local to enable private-etc. Note that private-etc must first be +# enabled in your firefox-common.local. #private-etc waterfox # Redirect diff --git a/etc/profile-m-z/webstorm.profile b/etc/profile-m-z/webstorm.profile index fc4e8e571cf..4d849c582f0 100644 --- a/etc/profile-m-z/webstorm.profile +++ b/etc/profile-m-z/webstorm.profile 
@@ -8,25 +8,29 @@ include globals.local noblacklist ${HOME}/.WebStorm* noblacklist ${HOME}/.android noblacklist ${HOME}/.local/share/JetBrains -noblacklist ${HOME}/.ssh noblacklist ${HOME}/.tooling +# Allow KDE file manager to open with log directories (blacklisted by disable-programs.inc) +noblacklist ${HOME}/.config/dolphinrc # Allows files commonly used by IDEs include allow-common-devel.inc +# Allow ssh (blacklisted by disable-common.inc) +include allow-ssh.inc + noblacklist ${PATH}/node noblacklist ${HOME}/.nvm include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/webui-aria2.profile b/etc/profile-m-z/webui-aria2.profile index 8928f8116f9..2fe727b9c43 100644 --- a/etc/profile-m-z/webui-aria2.profile +++ b/etc/profile-m-z/webui-aria2.profile @@ -12,7 +12,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -20,6 +19,7 @@ caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/weechat-curses.profile b/etc/profile-m-z/weechat-curses.profile index 4719b978822..92c968fb651 100644 --- a/etc/profile-m-z/weechat-curses.profile +++ b/etc/profile-m-z/weechat-curses.profile @@ -1,5 +1,10 @@ # Firejail profile alias for weechat # This file is overwritten after every install/update +# Persistent local customizations +include weechat-curses.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include weechat.profile diff --git a/etc/profile-m-z/weechat.profile b/etc/profile-m-z/weechat.profile index 80072405414..76935212f4a 100644 --- a/etc/profile-m-z/weechat.profile +++ b/etc/profile-m-z/weechat.profile 
@@ -11,7 +11,7 @@ noblacklist ${HOME}/.weechat include disable-common.inc include disable-programs.inc -whitelist /usr/share/perl5 +whitelist /usr/share/weechat include whitelist-usr-share-common.inc include whitelist-var-common.inc diff --git a/etc/profile-m-z/wesnoth.profile b/etc/profile-m-z/wesnoth.profile index 934edfce9c5..345b26a2cc1 100644 --- a/etc/profile-m-z/wesnoth.profile +++ b/etc/profile-m-z/wesnoth.profile @@ -13,7 +13,6 @@ noblacklist ${HOME}/.local/share/wesnoth include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.cache/wesnoth @@ -26,6 +25,7 @@ include whitelist-common.inc caps.drop all nodvd +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/wget.profile b/etc/profile-m-z/wget.profile index 65723e68c2a..4c21d6965aa 100644 --- a/etc/profile-m-z/wget.profile +++ b/etc/profile-m-z/wget.profile @@ -12,16 +12,15 @@ noblacklist ${HOME}/.wget-hsts noblacklist ${HOME}/.wgetrc blacklist /tmp/.X11-unix -blacklist ${RUNUSER}/wayland-* blacklist ${RUNUSER} include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc -# depending on workflow you can uncomment the below or put 'include disable-xdg.inc' in your wget.local +include disable-shell.inc +# Depending on workflow you can add the next line to your wget.local. #include disable-xdg.inc include whitelist-usr-share-common.inc @@ -35,6 +34,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound 
@@ -43,13 +43,14 @@ nou2f novideo protocol unix,inet,inet6 seccomp +seccomp.block-secondary shell none tracelog private-bin wget private-cache private-dev -# depending on workflow you can uncomment the below or put this private-etc in your wget.local +# Depending on workflow you can add the next line to your wget.local. #private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,wgetrc #private-tmp diff --git a/etc/profile-m-z/whalebird.profile b/etc/profile-m-z/whalebird.profile index 187c49ed84b..ae39445613f 100644 --- a/etc/profile-m-z/whalebird.profile +++ b/etc/profile-m-z/whalebird.profile @@ -4,36 +4,24 @@ # Persistent local customizations include whalebird.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local + +# Disabled until someone reported positive feedback +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc ignore dbus-user none ignore dbus-system none noblacklist ${HOME}/.config/Whalebird -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-xdg.inc - mkdir ${HOME}/.config/Whalebird whitelist ${HOME}/.config/Whalebird -include whitelist-common.inc -include whitelist-var-common.inc no3d -nou2f -novideo -protocol unix,inet,inet6 -shell none -disable-mnt -private-bin whalebird -private-cache -private-dev -private-etc fonts,machine-id -private-tmp +private-bin electron,electron[0-9],electron[0-9][0-9],whalebird +private-etc fonts,ld.so.preload,machine-id # Redirect include electron.profile diff --git a/etc/profile-m-z/whois.profile b/etc/profile-m-z/whois.profile index 2af1379e0c8..0650e41ad5a 100644 --- a/etc/profile-m-z/whois.profile +++ b/etc/profile-m-z/whois.profile 
@@ -8,14 +8,12 @@ include whois.local include globals.local blacklist /tmp/.X11-unix -blacklist ${RUNUSER}/wayland-* blacklist ${RUNUSER} include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -31,6 +29,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -39,6 +38,7 @@ nou2f novideo protocol inet,inet6 seccomp +seccomp.block-secondary shell none tracelog @@ -47,7 +47,7 @@ private private-bin bash,sh,whois private-cache private-dev -private-etc alternatives,hosts,jwhois.conf,resolv.conf,services,whois.conf +private-etc alternatives,hosts,jwhois.conf,ld.so.preload,resolv.conf,services,whois.conf private-lib gconv private-tmp diff --git a/etc/profile-m-z/widelands.profile b/etc/profile-m-z/widelands.profile index 079e4eb966e..6561be784d9 100644 --- a/etc/profile-m-z/widelands.profile +++ b/etc/profile-m-z/widelands.profile @@ -12,8 +12,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.widelands @@ -27,6 +27,7 @@ ipc-namespace netfilter nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/wine.profile b/etc/profile-m-z/wine.profile index 90134005205..1e9b9341b70 100644 --- a/etc/profile-m-z/wine.profile +++ b/etc/profile-m-z/wine.profile @@ -6,6 +6,7 @@ include wine.local # Persistent global definitions include globals.local +noblacklist ${HOME}/.cache/winetricks noblacklist ${HOME}/.Steam noblacklist ${HOME}/.local/share/Steam noblacklist ${HOME}/.local/share/steam 
@@ -16,19 +17,20 @@ noblacklist /tmp/.wine-* include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +# whitelist /usr/share/wine +# include whitelist-usr-share-common.inc include whitelist-var-common.inc -# some applications don't need allow-debuggers, comment the next line -# if it is not necessary (or put 'ignore allow-debuggers' in your wine.local) +# Some applications don't need allow-debuggers. Add 'ignore allow-debuggers' to your wine.local if you want to override this. allow-debuggers caps.drop all # net none netfilter nodvd nogroups +noinput nonewprivs noroot # nosound diff --git a/etc/profile-m-z/wire-desktop.profile b/etc/profile-m-z/wire-desktop.profile index c1250b1f0e7..eebad4a198c 100644 --- a/etc/profile-m-z/wire-desktop.profile +++ b/etc/profile-m-z/wire-desktop.profile 
@@ -4,33 +4,29 @@ # Persistent local customizations include wire-desktop.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local # Debian/Ubuntu use /opt/Wire. As that is not in PATH by default, run `firejail /opt/Wire/wire-desktop` to start it. -ignore caps.drop all +# Disabled until someone reported positive feedback +ignore include disable-exec.inc +ignore include disable-xdg.inc +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc +ignore include whitelist-var-common.inc +ignore novideo +ignore private-cache + ignore dbus-user none ignore dbus-system none noblacklist ${HOME}/.config/Wire -include disable-devel.inc -include disable-interpreters.inc - mkdir ${HOME}/.config/Wire whitelist ${HOME}/.config/Wire -include whitelist-common.inc - -caps.keep sys_admin,sys_chroot -nou2f -shell none -disable-mnt -private-bin bash,electron,electron4,electron6,env,sh,wire-desktop -private-dev -private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl -private-tmp +private-bin bash,electron,electron[0-9],electron[0-9][0-9],env,sh,wire-desktop +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,machine-id,pki,resolv.conf,ssl # Redirect include electron.profile diff --git a/etc/profile-m-z/wireshark-gtk.profile b/etc/profile-m-z/wireshark-gtk.profile index 3e2e1807e54..4d54e986e23 100644 --- a/etc/profile-m-z/wireshark-gtk.profile +++ b/etc/profile-m-z/wireshark-gtk.profile @@ -1,6 +1,11 @@ # Firejail profile alias for wireshark # Description: Network protocol analyzer # This file is overwritten after every install/update +# Persistent local customizations +include wireshark-gtk.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include wireshark.profile 
diff --git a/etc/profile-m-z/wireshark-qt.profile b/etc/profile-m-z/wireshark-qt.profile index 3e2e1807e54..4e0694f9506 100644 --- a/etc/profile-m-z/wireshark-qt.profile +++ b/etc/profile-m-z/wireshark-qt.profile @@ -1,6 +1,11 @@ # Firejail profile alias for wireshark # Description: Network protocol analyzer # This file is overwritten after every install/update +# Persistent local customizations +include wireshark-qt.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include wireshark.profile diff --git a/etc/profile-m-z/wireshark.profile b/etc/profile-m-z/wireshark.profile index a30cb43d5e6..16875ad9b43 100644 --- a/etc/profile-m-z/wireshark.profile +++ b/etc/profile-m-z/wireshark.profile @@ -17,7 +17,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -31,6 +30,7 @@ caps.keep dac_override,net_admin,net_raw netfilter no3d # nogroups - breaks network traffic capture for unprivileged users +noinput # nonewprivs - breaks network traffic capture for unprivileged users # noroot nodvd @@ -38,12 +38,16 @@ nosound notv nou2f novideo -# protocol unix,inet,inet6,netlink -# seccomp - breaks network traffic capture for unprivileged users +# protocol unix,inet,inet6,netlink,packet,bluetooth - commented out in case they bring in new protocols +#seccomp shell none tracelog # private-bin wireshark +private-cache private-dev # private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,ssl private-tmp + +dbus-user none +dbus-system none diff --git a/etc/profile-m-z/wordwarvi.profile b/etc/profile-m-z/wordwarvi.profile index 6372654bd07..374290ed0e3 100644 --- a/etc/profile-m-z/wordwarvi.profile +++ b/etc/profile-m-z/wordwarvi.profile 
@@ -12,8 +12,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.wordwarvi @@ -29,6 +29,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot notv @@ -44,7 +45,7 @@ private private-bin wordwarvi private-cache private-dev -private-etc alsa,asound.conf,machine-id,pulse +private-etc alsa,asound.conf,ld.so.preload,machine-id,pulse private-tmp dbus-user none diff --git a/etc/profile-m-z/wps.profile b/etc/profile-m-z/wps.profile index 6e4a313e33d..cb0301378c4 100644 --- a/etc/profile-m-z/wps.profile +++ b/etc/profile-m-z/wps.profile @@ -14,7 +14,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-usr-share-common.inc @@ -23,12 +22,13 @@ include whitelist-var-common.inc apparmor caps.drop all machine-id -# Uncomment the next line (or add to wps.local) if you don't use network features. +# Add the next line to your wps.local if you don't use network features. #net none netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -36,7 +36,7 @@ notv nou2f novideo protocol unix,inet,inet6 -# seccomp cause some minor issues, if you can live with them enable it. +# seccomp causes some minor issues. Add the next line to your wps.local if you can live with those. #seccomp shell none tracelog diff --git a/etc/profile-m-z/x-terminal-emulator.profile b/etc/profile-m-z/x-terminal-emulator.profile index fe07813363d..141d167a873 100644 --- a/etc/profile-m-z/x-terminal-emulator.profile +++ b/etc/profile-m-z/x-terminal-emulator.profile @@ -9,6 +9,7 @@ caps.drop all ipc-namespace net none nogroups +noinput noroot nou2f protocol unix 
diff --git a/etc/profile-m-z/x2goclient.profile b/etc/profile-m-z/x2goclient.profile index bc960383577..3fcac351da4 100644 --- a/etc/profile-m-z/x2goclient.profile +++ b/etc/profile-m-z/x2goclient.profile @@ -6,15 +6,16 @@ include x2goclient.local # Persistent global definitions include globals.local -noblacklist ${HOME}/.ssh noblacklist ${HOME}/.x2go noblacklist ${HOME}/.x2goclient +# Allow ssh (blacklisted by disable-common.inc) +include allow-ssh.inc + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc apparmor @@ -24,6 +25,7 @@ netfilter #no3d nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/xbill.profile b/etc/profile-m-z/xbill.profile index 56d3cf40d22..738b5ca13f4 100644 --- a/etc/profile-m-z/xbill.profile +++ b/etc/profile-m-z/xbill.profile @@ -10,8 +10,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc whitelist /usr/share/xbill @@ -27,6 +27,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -43,7 +44,7 @@ private private-bin xbill private-cache private-dev -private-etc none +private-etc ld.so.preload,none private-tmp dbus-user none diff --git a/etc/profile-m-z/xcalc.profile b/etc/profile-m-z/xcalc.profile index 294ad7c8057..3f8aa2d3400 100644 --- a/etc/profile-m-z/xcalc.profile +++ b/etc/profile-m-z/xcalc.profile @@ -9,8 +9,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc include whitelist-var-common.inc @@ -21,6 +21,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound 
diff --git a/etc/profile-m-z/xed.profile b/etc/profile-m-z/xed.profile index 64a50083fe8..26383bda38c 100644 --- a/etc/profile-m-z/xed.profile +++ b/etc/profile-m-z/xed.profile @@ -18,8 +18,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include whitelist-var-common.inc @@ -30,6 +30,7 @@ machine-id no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/xfburn.profile b/etc/profile-m-z/xfburn.profile index cd9561e7492..91e25048d8a 100644 --- a/etc/profile-m-z/xfburn.profile +++ b/etc/profile-m-z/xfburn.profile @@ -11,7 +11,6 @@ noblacklist ${HOME}/.config/xfburn include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc caps.drop all diff --git a/etc/profile-m-z/xfce4-dict.profile b/etc/profile-m-z/xfce4-dict.profile index a3e0c463346..fcfec10d030 100644 --- a/etc/profile-m-z/xfce4-dict.profile +++ b/etc/profile-m-z/xfce4-dict.profile @@ -12,7 +12,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-var-common.inc @@ -23,6 +22,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile index 5707dc4435b..21857dbe65c 100644 --- a/etc/profile-m-z/xfce4-mixer.profile +++ b/etc/profile-m-z/xfce4-mixer.profile 
@@ -12,12 +12,13 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkfile ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml whitelist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml +whitelist /usr/share/gstreamer-* whitelist /usr/share/xfce4 whitelist /usr/share/xfce4-mixer include whitelist-common.inc @@ -31,6 +32,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot notv @@ -44,10 +46,12 @@ disable-mnt private-bin xfce4-mixer,xfconf-query private-cache private-dev -private-etc alternatives,asound.conf,fonts,machine-id,pulse +private-etc alternatives,asound.conf,fonts,ld.so.preload,machine-id,pulse private-tmp -# dbus-user none -# dbus-system none +dbus-user filter +dbus-user.own org.xfce.xfce4-mixer +dbus-user.talk org.xfce.Xfconf +dbus-system none -memory-deny-write-execute +# memory-deny-write-execute - breaks on Arch diff --git a/etc/profile-m-z/xfce4-notes.profile b/etc/profile-m-z/xfce4-notes.profile index c3d0930ff0a..5004b8fb6f2 100644 --- a/etc/profile-m-z/xfce4-notes.profile +++ b/etc/profile-m-z/xfce4-notes.profile @@ -14,7 +14,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include whitelist-var-common.inc @@ -25,6 +24,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/xfce4-screenshooter.profile b/etc/profile-m-z/xfce4-screenshooter.profile new file mode 100644 index 00000000000..ad3058ce2b1 --- /dev/null +++ b/etc/profile-m-z/xfce4-screenshooter.profile 
@@ -0,0 +1,51 @@ +# Firejail profile for xfce4-screenshooter +# Description: Xfce screenshot tool +# This file is overwritten after every install/update +# Persistent local customizations +include xfce4-screenshooter.local +# Persistent global definitions +include globals.local + +noblacklist ${PICTURES} + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +whitelist /usr/share/xfce4 +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +disable-mnt +private-bin xfce4-screenshooter,xfconf-query +private-dev +private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.preload,pki,resolv.conf,ssl +private-tmp + +dbus-user none +dbus-system none + +# memory-deny-write-execute -- see #3790 diff --git a/etc/profile-m-z/xiphos.profile b/etc/profile-m-z/xiphos.profile index 7114f046976..9b7a006d2c2 100644 --- a/etc/profile-m-z/xiphos.profile +++ b/etc/profile-m-z/xiphos.profile @@ -15,8 +15,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc mkdir ${HOME}/.sword mkdir ${HOME}/.xiphos @@ -31,6 +31,7 @@ machine-id netfilter nodvd nogroups +noinput nonewprivs noroot nosound @@ -46,5 +47,5 @@ disable-mnt private-bin xiphos private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssli,sword,sword.conf +private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.preload,pki,resolv.conf,ssli,sword,sword.conf private-tmp 
diff --git a/etc/profile-m-z/xlinks.profile b/etc/profile-m-z/xlinks.profile index 7987af280bf..1c9310986c3 100644 --- a/etc/profile-m-z/xlinks.profile +++ b/etc/profile-m-z/xlinks.profile @@ -8,14 +8,13 @@ include xlinks.local #include globals.local noblacklist /tmp/.X11-unix -noblacklist ${HOME}/.links include whitelist-common.inc # if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' # to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line private-bin xlinks -private-etc fonts +private-etc fonts,ld.so.preload # Redirect include links.profile diff --git a/etc/profile-m-z/xlinks2 b/etc/profile-m-z/xlinks2 new file mode 100644 index 00000000000..bbf660e29da --- /dev/null +++ b/etc/profile-m-z/xlinks2 @@ -0,0 +1,20 @@ +# Firejail profile for xlinks2 +# Description: Text WWW browser (X11) +# This file is overwritten after every install/update +# Persistent local customizations +include xlinks2.local +# Persistent global definitions +# added by included profile +#include globals.local + +noblacklist /tmp/.X11-unix + +include whitelist-common.inc + +# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' +# to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line +private-bin xlinks2 +private-etc fonts,ld.so.preload + +# Redirect +include links2.profile diff --git a/etc/profile-m-z/xmms.profile b/etc/profile-m-z/xmms.profile index 7a11e12440a..4003f69a220 100644 --- a/etc/profile-m-z/xmms.profile +++ b/etc/profile-m-z/xmms.profile @@ -11,13 +11,14 @@ noblacklist ${MUSIC} include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc caps.drop all netfilter no3d +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/xmr-stak.profile b/etc/profile-m-z/xmr-stak.profile index c6ba9bd9de3..2a9fbf17176 100644 
--- a/etc/profile-m-z/xmr-stak.profile +++ b/etc/profile-m-z/xmr-stak.profile @@ -11,8 +11,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.xmr-stak @@ -23,6 +23,7 @@ ipc-namespace netfilter nodvd nogroups +noinput nonewprivs noroot nosound @@ -37,7 +38,7 @@ disable-mnt private ${HOME}/.xmr-stak private-bin xmr-stak private-dev -private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl +private-etc alternatives,ca-certificates,crypto-policies,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl #private-lib libxmrstak_opencl_backend,libxmrstak_cuda_backend private-opt cuda private-tmp diff --git a/etc/profile-m-z/xonotic-glx.profile b/etc/profile-m-z/xonotic-glx.profile index abb91e1ec1f..f1766fcf419 100644 --- a/etc/profile-m-z/xonotic-glx.profile +++ b/etc/profile-m-z/xonotic-glx.profile @@ -1,5 +1,10 @@ # Firejail profile alias for xonotic # This file is overwritten after every install/update +# Persistent local customizations +include xonotic-glx.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include xonotic.profile diff --git a/etc/profile-m-z/xonotic-sdl-wrapper.profile b/etc/profile-m-z/xonotic-sdl-wrapper.profile new file mode 100644 index 00000000000..6f0c7cf4cc4 --- /dev/null +++ b/etc/profile-m-z/xonotic-sdl-wrapper.profile @@ -0,0 +1,6 @@ +# Firejail profile alias for xonotic +# This file is overwritten after every install/update +include xonotic-sdl-wrapper.local + +# Redirect +include xonotic.profile diff --git a/etc/profile-m-z/xonotic-sdl.profile b/etc/profile-m-z/xonotic-sdl.profile index abb91e1ec1f..4b680edb1cc 100644 --- a/etc/profile-m-z/xonotic-sdl.profile +++ b/etc/profile-m-z/xonotic-sdl.profile 
@@ -1,5 +1,10 @@ # Firejail profile alias for xonotic # This file is overwritten after every install/update +# Persistent local customizations +include xonotic-sdl.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include xonotic.profile diff --git a/etc/profile-m-z/xonotic.profile b/etc/profile-m-z/xonotic.profile index 949988c3b37..6ffe9ece9ce 100644 --- a/etc/profile-m-z/xonotic.profile +++ b/etc/profile-m-z/xonotic.profile @@ -8,22 +8,31 @@ include globals.local noblacklist ${HOME}/.xonotic +include allow-bin-sh.inc +include allow-opengl-game.inc + include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc mkdir ${HOME}/.xonotic whitelist ${HOME}/.xonotic +whitelist /usr/share/xonotic include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc include whitelist-var-common.inc +apparmor caps.drop all netfilter nodvd nogroups +noinput nonewprivs noroot notv @@ -32,12 +41,17 @@ novideo protocol unix,inet,inet6 seccomp shell none +tracelog disable-mnt -private-bin bash,blind-id,darkplaces-glx,darkplaces-sdl,dirname,grep,ldd,netstat,ps,readlink,sh,uname,xonotic,xonotic-glx,xonotic-linux32-dedicated,xonotic-linux32-glx,xonotic-linux32-sdl,xonotic-linux64-dedicated,xonotic-linux64-glx,xonotic-linux64-sdl,xonotic-sdl +private-cache +private-bin blind-id,darkplaces-glx,darkplaces-sdl,dirname,ldd,netstat,ps,readlink,sh,uname,xonotic* private-dev private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl private-tmp dbus-user none dbus-system none + +read-only ${HOME} +read-write ${HOME}/.xonotic 
diff --git a/etc/profile-m-z/xournal.profile b/etc/profile-m-z/xournal.profile index ba41d5bb34a..fe73950783f 100644 --- a/etc/profile-m-z/xournal.profile +++ b/etc/profile-m-z/xournal.profile @@ -12,8 +12,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc whitelist /usr/share/xournal @@ -27,6 +27,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -35,13 +36,14 @@ nou2f novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog private-bin xournal private-cache private-dev -private-etc alternatives,fonts,group,machine-id,passwd +private-etc alternatives,fonts,group,ld.so.preload,machine-id,passwd # TODO should use private-lib private-tmp diff --git a/etc/profile-m-z/xournalpp.profile b/etc/profile-m-z/xournalpp.profile new file mode 100644 index 00000000000..a23ad68df53 --- /dev/null +++ b/etc/profile-m-z/xournalpp.profile 
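Review bot: The block of commented-out lines in the new xournalpp.profile, from `#mkdir ${HOME}/.cache/xournalpp` through `#include whitelist-common.inc`, gives no reason for being disabled, unlike the commented entries in the yelp.profile hunk of this patch that state what breaks and how to enable them in the .local file. Add a one-line comment (what the home whitelist breaks) or drop the block, otherwise the next maintainer cannot tell whether it is safe to enable.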
@@ -0,0 +1,34 @@ +# Firejail profile for xournalpp +# Description: Handwriting note-taking software with PDF annotation support +# This file is overwritten after every install/update +# Persistent local customizations +include xournalpp.local +# Persistent global definitions +# added by included profile +#include globals.local + +noblacklist ${HOME}/.cache/xournalpp +noblacklist ${HOME}/.config/xournalpp +noblacklist ${HOME}/.xournalpp + +include allow-lua.inc + +whitelist /usr/share/texlive +whitelist /usr/share/xournalpp +whitelist /var/lib/texmf +include whitelist-runuser-common.inc + +#mkdir ${HOME}/.cache/xournalpp +#mkdir ${HOME}/.config/xournalpp +#whitelist ${HOME}/.cache/xournalpp +#whitelist ${HOME}/.config/xournalpp +#whitelist ${HOME}/.xournalpp +#whitelist ${HOME}/.texlive20* +#whitelist ${DOCUMENTS} +#include whitelist-common.inc + +private-bin kpsewhich,pdflatex,xournalpp +private-etc alternatives,latexmk.conf,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,texlive + +# Redirect +include xournal.profile diff --git a/etc/profile-m-z/xpdf.profile b/etc/profile-m-z/xpdf.profile index cdffe4eb7a7..0149d36a3bd 100644 --- a/etc/profile-m-z/xpdf.profile +++ b/etc/profile-m-z/xpdf.profile @@ -13,7 +13,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -26,6 +25,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/xplayer.profile b/etc/profile-m-z/xplayer.profile index 28df73ea50b..d1ea2c9d540 100644 --- a/etc/profile-m-z/xplayer.profile +++ b/etc/profile-m-z/xplayer.profile @@ -7,8 +7,6 @@ include globals.local noblacklist ${HOME}/.config/xplayer noblacklist ${HOME}/.local/share/xplayer -noblacklist ${MUSIC} -noblacklist ${VIDEOS} # Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc 
@@ -18,16 +16,22 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc -include disable-xdg.inc +read-only ${DESKTOP} +mkdir ${HOME}/.config/xplayer +mkdir ${HOME}/.local/share/xplayer +whitelist ${HOME}/.config/xplayer +whitelist ${HOME}/.local/share/xplayer +include whitelist-common.inc +include whitelist-player-common.inc include whitelist-var-common.inc # apparmor - makes settings immutable caps.drop all netfilter nogroups +noinput nonewprivs noroot nou2f diff --git a/etc/profile-m-z/xpra.profile b/etc/profile-m-z/xpra.profile index 1033a747129..aed6c102ff0 100644 --- a/etc/profile-m-z/xpra.profile +++ b/etc/profile-m-z/xpra.profile @@ -22,7 +22,6 @@ include allow-python3.inc include disable-common.inc include disable-devel.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc whitelist /var/lib/xkb @@ -33,6 +32,7 @@ caps.drop all # xpra needs to be allowed access to the abstract Unix socket namespace. nodvd nogroups +noinput nonewprivs # In noroot mode, xpra cannot create a socket in the real /tmp/.X11-unix. #noroot diff --git a/etc/profile-m-z/xreader.profile b/etc/profile-m-z/xreader.profile index 643c5a317d2..8b880426f43 100644 --- a/etc/profile-m-z/xreader.profile +++ b/etc/profile-m-z/xreader.profile @@ -14,7 +14,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc @@ -26,6 +25,7 @@ caps.drop all no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -39,7 +39,7 @@ tracelog private-bin xreader,xreader-previewer,xreader-thumbnailer private-dev -private-etc alternatives,fonts,ld.so.cache +private-etc alternatives,fonts,ld.so.cache,ld.so.preload private-tmp memory-deny-write-execute 
diff --git a/etc/profile-m-z/xviewer.profile b/etc/profile-m-z/xviewer.profile index 59c8a44f29e..5c8d6a47e93 100644 --- a/etc/profile-m-z/xviewer.profile +++ b/etc/profile-m-z/xviewer.profile @@ -14,8 +14,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include whitelist-var-common.inc @@ -25,6 +25,7 @@ caps.drop all no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/xz.profile b/etc/profile-m-z/xz.profile index d9c72407f5d..7d6be2f49ea 100644 --- a/etc/profile-m-z/xz.profile +++ b/etc/profile-m-z/xz.profile @@ -2,6 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet +# Persistent local customizations +include xz.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff --git a/etc/profile-m-z/xzcat.profile b/etc/profile-m-z/xzcat.profile index d9c72407f5d..8ba77eece87 100644 --- a/etc/profile-m-z/xzcat.profile +++ b/etc/profile-m-z/xzcat.profile @@ -2,6 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet +# Persistent local customizations +include xzcat.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff --git a/etc/profile-m-z/xzcmp.profile b/etc/profile-m-z/xzcmp.profile index d9c72407f5d..9626048ba5f 100644 --- a/etc/profile-m-z/xzcmp.profile +++ b/etc/profile-m-z/xzcmp.profile 
@@ -2,6 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet +# Persistent local customizations +include xzcmp.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff --git a/etc/profile-m-z/xzdec.profile b/etc/profile-m-z/xzdec.profile index 542363b5784..79f71f2fd60 100644 --- a/etc/profile-m-z/xzdec.profile +++ b/etc/profile-m-z/xzdec.profile @@ -7,35 +7,5 @@ include xzdec.local # Persistent global definitions include globals.local -blacklist ${RUNUSER}/wayland-* - -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc - -caps.drop all -ipc-namespace -machine-id -net none -no3d -nodvd -#nogroups -nonewprivs -#noroot -nosound -notv -nou2f -novideo -protocol unix -seccomp -shell none -tracelog -x11 none - -private-dev - -dbus-user none -dbus-system none +# Redirect +include archiver-common.profile diff --git a/etc/profile-m-z/xzdiff.profile b/etc/profile-m-z/xzdiff.profile index d9c72407f5d..825fa9180ae 100644 --- a/etc/profile-m-z/xzdiff.profile +++ b/etc/profile-m-z/xzdiff.profile @@ -2,6 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet +# Persistent local customizations +include xzdiff.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff --git a/etc/profile-m-z/xzegrep.profile b/etc/profile-m-z/xzegrep.profile index d9c72407f5d..8d50a3bc6aa 100644 --- a/etc/profile-m-z/xzegrep.profile +++ b/etc/profile-m-z/xzegrep.profile 
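Review bot: The xzdec.profile hunk replaces the hand-written profile with `include archiver-common.profile`, but the removed version had `#nogroups` and `#noroot` deliberately left disabled and no `apparmor` line, and nothing in the hunk records whether archiver-common.profile turns those on. A short comment, or explicit `ignore nogroups` / `ignore noroot` lines if they were disabled for a reason, would show the tightening was checked rather than incidental.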
@@ -2,6 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet +# Persistent local customizations +include xzegrep.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff --git a/etc/profile-m-z/xzfgrep.profile b/etc/profile-m-z/xzfgrep.profile index d9c72407f5d..a8aac86b7ea 100644 --- a/etc/profile-m-z/xzfgrep.profile +++ b/etc/profile-m-z/xzfgrep.profile @@ -2,6 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet +# Persistent local customizations +include xzfgrep.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff --git a/etc/profile-m-z/xzgrep.profile b/etc/profile-m-z/xzgrep.profile index f7410b92808..ac4cc81c4e4 100644 --- a/etc/profile-m-z/xzgrep.profile +++ b/etc/profile-m-z/xzgrep.profile @@ -1,6 +1,11 @@ # Firejail profile alias for cpio # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update +# Persistent local customizations +include xzgrep.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff --git a/etc/profile-m-z/xzless.profile b/etc/profile-m-z/xzless.profile index f7410b92808..f17c5e1f6ed 100644 --- a/etc/profile-m-z/xzless.profile +++ b/etc/profile-m-z/xzless.profile @@ -1,6 +1,11 @@ # Firejail profile alias for cpio # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update +# Persistent local customizations +include xzless.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile 
diff --git a/etc/profile-m-z/xzmore.profile b/etc/profile-m-z/xzmore.profile index d9c72407f5d..ef4106f66a4 100644 --- a/etc/profile-m-z/xzmore.profile +++ b/etc/profile-m-z/xzmore.profile @@ -2,6 +2,11 @@ # Description: Library and command line tools for XZ and LZMA compressed files # This file is overwritten after every install/update quiet +# Persistent local customizations +include xzmore.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include cpio.profile diff --git a/etc/profile-m-z/yandex-browser.profile b/etc/profile-m-z/yandex-browser.profile index 680bef67710..81cd021f7a9 100644 --- a/etc/profile-m-z/yandex-browser.profile +++ b/etc/profile-m-z/yandex-browser.profile @@ -5,6 +5,11 @@ include yandex-browser.local # Persistent global definitions include globals.local +# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus +ignore whitelist /usr/share/chromium +ignore include whitelist-runuser-common.inc +ignore include whitelist-usr-share-common.inc + noblacklist ${HOME}/.cache/yandex-browser noblacklist ${HOME}/.cache/yandex-browser-beta noblacklist ${HOME}/.config/yandex-browser diff --git a/etc/profile-m-z/yarn.profile b/etc/profile-m-z/yarn.profile new file mode 100644 index 00000000000..05b55d07116 --- /dev/null +++ b/etc/profile-m-z/yarn.profile @@ -0,0 +1,10 @@ +# Firejail profile for yarn +# Description: Fast, reliable, and secure dependency management +quiet +# Persistent local customizations +include yarn.local +# Persistent global definitions +include globals.local + +# Redirect +include nodejs-common.profile diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile index 7053f98e81e..c5e44c6b4a9 100644 --- a/etc/profile-m-z/yelp.profile +++ b/etc/profile-m-z/yelp.profile 
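Review bot: The comment `# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus` added to yandex-browser.profile links an unrelated C tutorial instead of the firejail issue that motivates the three `ignore` lines beneath it; replace it with the correct issue link, in the form the zoom.profile hunk of this patch uses (`# Disable for now, see https://github.com/netblue30/firejail/issues/3726`).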
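Review bot: The new yarn.profile omits the `# This file is overwritten after every install/update` header line that every other new profile in this patch and etc/templates/profile.template carry; add it between the `# Description:` line and `quiet`.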
@@ -12,15 +12,19 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.config/yelp whitelist ${HOME}/.config/yelp +whitelist /usr/libexec/webkit2gtk-4.0 whitelist /usr/share/doc +whitelist /usr/share/groff whitelist /usr/share/help +whitelist /usr/share/man whitelist /usr/share/yelp +whitelist /usr/share/yelp-tools whitelist /usr/share/yelp-xsl include whitelist-common.inc include whitelist-runuser-common.inc 
@@ -29,29 +33,45 @@ include whitelist-var-common.inc apparmor caps.drop all +# machine-id breaks sound - add the next line to your yelp.local if you don't need sound support. +#machine-id net none nodvd nogroups +noinput nonewprivs noroot +# nosound - add the next line to your yelp.local if you don't need sound support. +#nosound notv nou2f novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog disable-mnt -private-bin yelp +private-bin groff,man,tbl,troff,yelp private-cache private-dev -private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,gtk-3.0,machine-id,openal,os-release,pulse,sgml,xml +private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,groff,gtk-3.0,ld.so.preload,machine-id,man_db.conf,openal,os-release,pulse,sgml,xml private-tmp -# read-only ${HOME} breaks some not necesarry featrues, comment it if -# you need them or put 'ignore read-only ${HOME}' into your yelp.local. -# broken features: +dbus-user filter +dbus-user.own org.gnome.Yelp +dbus-user.talk ca.desrt.dconf +dbus-system none + +# read-only ${HOME} breaks some features: # 1. yelp --editor-mode # 2. saving the window geometry +# add 'ignore read-only ${HOME}' to your yelp.local if you need these features. read-only ${HOME} +read-write ${HOME}/.cache +# 3. printing to PDF in ${DOCUMENTS} +# additionally add 'noblacklist ${DOCUMENTS}' and 'whitelist ${DOCUMENTS}' to +# your yelp.local if you need PDF printing support. +#noblacklist ${DOCUMENTS} +#whitelist ${DOCUMENTS} diff --git a/etc/profile-m-z/youtube-dl-gui.profile b/etc/profile-m-z/youtube-dl-gui.profile new file mode 100644 index 00000000000..94f37a92b59 --- /dev/null +++ b/etc/profile-m-z/youtube-dl-gui.profile 
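Review bot: In the second yelp.profile hunk the numbered list of features broken by `read-only ${HOME}` is split by the directives themselves: items 1 and 2 sit above `read-only ${HOME}`, while `# 3. printing to PDF in ${DOCUMENTS}` only appears after `read-write ${HOME}/.cache`, together with its own separate yelp.local instructions. Keep the three items in one comment block above `read-only ${HOME}`, followed by the two commented `#noblacklist ${DOCUMENTS}` / `#whitelist ${DOCUMENTS}` lines, so the advice reads as one unit.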
@@ -0,0 +1,56 @@ +# Firejail profile for youtube-dl-gui +# Description: A cross platform front-end GUI of the popular youtube-dl media downloader +include youtube-dl-gui.local +# This file is overwritten after every install/update +include globals.local + +#These are blacklisted by disable-interpreters.inc +include allow-python2.inc +include allow-python3.inc + +noblacklist ${HOME}/.config/youtube-dlg + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +mkdir ${HOME}/.config/youtube-dlg +whitelist ${HOME}/.config/youtube-dlg +whitelist ${DOWNLOADS} +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +netfilter +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin atomicparsley,ffmpeg,ffprobe,python*,youtube-dl-gui +private-cache +private-dev +private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,locale,locale.conf,passwd,pki,resolv.conf,ssl +private-tmp + +dbus-user none +dbus-system none diff --git a/etc/profile-m-z/youtube-dl.profile b/etc/profile-m-z/youtube-dl.profile index 061d873b393..71e50ab118e 100644 --- a/etc/profile-m-z/youtube-dl.profile +++ b/etc/profile-m-z/youtube-dl.profile 
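Review bot: The header of the new youtube-dl-gui.profile is out of template order: `include youtube-dl-gui.local` precedes `# This file is overwritten after every install/update`, and the `# Persistent local customizations` / `# Persistent global definitions` comments are missing entirely. `#These are blacklisted by disable-interpreters.inc` also lacks the space after `#` and the `# Allow python (...)` wording used by the other profiles in this patch. Reorder and reword to match etc/templates/profile.template.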
@@ -21,15 +21,14 @@ include allow-python2.inc include allow-python3.inc blacklist /tmp/.X11-unix -blacklist ${RUNUSER}/wayland-* blacklist ${RUNUSER} include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc include whitelist-usr-share-common.inc @@ -43,6 +42,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound @@ -51,13 +51,14 @@ nou2f novideo protocol unix,inet,inet6 seccomp +seccomp.block-secondary shell none tracelog private-bin env,ffmpeg,python*,youtube-dl private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,ld.so.cache,mime.types,pki,resolv.conf,ssl,youtube-dl.conf +private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,pki,resolv.conf,ssl,youtube-dl.conf private-tmp dbus-user none diff --git a/etc/profile-m-z/youtube-viewer.profile b/etc/profile-m-z/youtube-viewer.profile new file mode 100644 index 00000000000..825599fcc2e --- /dev/null +++ b/etc/profile-m-z/youtube-viewer.profile @@ -0,0 +1,21 @@ +# Firejail profile for youtube-viewer +# Description: Trizen's CLI Youtube viewer with login support +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include youtube-viewer.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/youtube-viewer +noblacklist ${HOME}/.config/youtube-viewer + +mkdir ${HOME}/.cache/youtube-viewer +mkdir ${HOME}/.config/youtube-viewer +whitelist ${HOME}/.cache/youtube-viewer +whitelist ${HOME}/.config/youtube-viewer + +private-bin gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,youtube-viewer + +# Redirect +include youtube-viewers-common.profile 
diff --git a/etc/profile-m-z/youtube-viewers-common.profile b/etc/profile-m-z/youtube-viewers-common.profile new file mode 100644 index 00000000000..3224f8fc6d2 --- /dev/null +++ b/etc/profile-m-z/youtube-viewers-common.profile @@ -0,0 +1,60 @@ +# Firejail profile for youtube-viewer clones +# Description: common profile for Trizen's Youtube viewers +# This file is overwritten after every install/update +# Persistent local customizations +include youtube-viewers-common.local +# Persistent global definitions +# added by caller profile +#include globals.local + +noblacklist ${HOME}/.cache/youtube-dl + +# Allow lua (blacklisted by disable-interpreters.inc) +include allow-lua.inc + +# Allow perl (blacklisted by disable-interpreters.inc) +include allow-perl.inc + +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python2.inc +include allow-python3.inc + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-xdg.inc + +whitelist ${DOWNLOADS} +whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +netfilter +nodvd +nogroups +noinput +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +disable-mnt +private-bin bash,ffmpeg,ffprobe,firefox,mpv,perl,python*,sh,smplayer,stty,wget,which,xterm,youtube-dl,yt-dlp +private-cache +private-dev +private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg +private-tmp + +dbus-user none +dbus-system none diff --git a/etc/profile-m-z/youtube.profile b/etc/profile-m-z/youtube.profile new file mode 100644 index 00000000000..c7dbec968f0 --- /dev/null 
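Review bot: `private-bin bash,ffmpeg,ffprobe,firefox,mpv,perl,python*,sh,smplayer,stty,wget,which,xterm,youtube-dl,yt-dlp` in the new youtube-viewers-common.profile admits two shells, a terminal and a full browser without a comment, and the profile includes no disable-shell.inc although the calling youtube-viewer.profile is otherwise tightly whitelisted. A firefox launched from inside this sandbox runs under this profile (network, ${DOWNLOADS}, the wide private-etc) rather than under firefox.profile; if it is only needed to open login URLs, say so in a comment so the trade-off is visible to reviewers and users.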
+++ b/etc/profile-m-z/youtube.profile @@ -0,0 +1,24 @@ +# Firejail profile for youtube +# Description: Unofficial electron based desktop warpper for YouTube +# This file is overwritten after every install/update +# Persistent local customizations +include youtube.local +# Persistent global definitions +include globals.local + +# Disabled until someone reported positive feedback +ignore nou2f + +noblacklist ${HOME}/.config/Youtube + +include disable-shell.inc + +mkdir ${HOME}/.config/Youtube +whitelist ${HOME}/.config/Youtube + +private-bin electron,electron[0-9],electron[0-9][0-9],youtube +private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg +private-opt Youtube + +# Redirect +include electron.profile diff --git a/etc/profile-m-z/youtubemusic-nativefier.profile b/etc/profile-m-z/youtubemusic-nativefier.profile new file mode 100644 index 00000000000..35ecf059dc2 --- /dev/null +++ b/etc/profile-m-z/youtubemusic-nativefier.profile 
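Review bot: Typo in `# Description: Unofficial electron based desktop warpper for YouTube` in the new youtube.profile (`wrapper`); the same misspelling is copied into the youtubemusic-nativefier.profile and ytmdesktop.profile descriptions. `# Disabled until someone reported positive feedback` should read `reports`, matching the zoom.profile wording later in this patch.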
@@ -0,0 +1,21 @@ +# Firejail profile for youtubemusic-nativefier +# Description: Unofficial electron based desktop warpper for YouTube Music +# This file is overwritten after every install/update +# Persistent local customizations +include youtube.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/youtubemusic-nativefier-040164 + +include disable-shell.inc + +mkdir ${HOME}/.config/youtubemusic-nativefier-040164 +whitelist ${HOME}/.config/youtubemusic-nativefier-040164 + +private-bin electron,electron[0-9],electron[0-9][0-9],youtubemusic-nativefier +private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg +private-opt youtubemusic-nativefier + +# Redirect +include electron.profile diff --git a/etc/profile-m-z/yt-dlp.profile b/etc/profile-m-z/yt-dlp.profile new file mode 100644 index 00000000000..bfb24b48800 --- /dev/null +++ b/etc/profile-m-z/yt-dlp.profile @@ -0,0 +1,19 @@ +# Firejail profile for yt-dlp +# Description: Downloader of videos of various sites +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include yt-dlp.local +# Persistent global definitions +# added by included profile +#include globals.local + +noblacklist ${HOME}/.cache/yt-dlp +noblacklist ${HOME}/.config/yt-dlp +noblacklist ${HOME}/yt-dlp.conf + +private-bin yt-dlp +private-etc ld.so.preload,yt-dlp.conf + +# Redirect +include youtube-dl.profile diff --git a/etc/profile-m-z/ytmdesktop.profile b/etc/profile-m-z/ytmdesktop.profile new file mode 100644 index 00000000000..84f2f3cb288 --- /dev/null +++ b/etc/profile-m-z/ytmdesktop.profile 
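Review bot: `include youtube.local` in the new youtubemusic-nativefier.profile looks like a copy-paste from youtube.profile; per the template the local file should be `youtubemusic-nativefier.local`. As written, a user's youtube.local customizations are silently applied to this app and there is no per-app override file at all.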
@@ -0,0 +1,21 @@ +# Firejail profile for ytmdesktop +# Description: Unofficial electron based desktop warpper for YouTube Music +# This file is overwritten after every install/update +# Persistent local customizations +include youtube.local +# Persistent global definitions +include globals.local + +ignore dbus-user none + +noblacklist ${HOME}/.config/youtube-music-desktop-app + +mkdir ${HOME}/.config/youtube-music-desktop-app +whitelist ${HOME}/.config/youtube-music-desktop-app + +# private-bin env,ytmdesktop +private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg +# private-opt + +# Redirect +include electron.profile diff --git a/etc/profile-m-z/zaproxy.profile b/etc/profile-m-z/zaproxy.profile index 6228ff3bd2a..1f11f133f01 100644 --- a/etc/profile-m-z/zaproxy.profile +++ b/etc/profile-m-z/zaproxy.profile @@ -15,7 +15,6 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc mkdir ${HOME}/.java @@ -31,6 +30,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/zart.profile b/etc/profile-m-z/zart.profile index 3fe3c8ce8a9..f534aee8ff2 100644 --- a/etc/profile-m-z/zart.profile +++ b/etc/profile-m-z/zart.profile @@ -13,8 +13,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc caps.drop all @@ -22,6 +22,7 @@ ipc-namespace net none nodvd nogroups +noinput nonewprivs noroot notv diff --git a/etc/profile-m-z/zathura.profile b/etc/profile-m-z/zathura.profile index ba0ea1032f6..68c9b0a9349 100644 --- a/etc/profile-m-z/zathura.profile 
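Review bot: The new ytmdesktop.profile has the same problem, `include youtube.local` where `ytmdesktop.local` is meant. In the same hunk `ignore dbus-user none`, `# private-bin env,ytmdesktop` and `# private-opt` are left without any explanation of what breaks when they are enabled; a one-line comment on each would let the next maintainer re-test them instead of guessing.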
+++ b/etc/profile-m-z/zathura.profile @@ -14,24 +14,26 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc +include disable-write-mnt.inc include disable-xdg.inc mkdir ${HOME}/.config/zathura mkdir ${HOME}/.local/share/zathura whitelist /usr/share/doc whitelist /usr/share/zathura +include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc apparmor caps.drop all -ipc-namespace machine-id net none nodvd nogroups +noinput nonewprivs noroot nosound @@ -40,6 +42,7 @@ nou2f novideo protocol unix seccomp +seccomp.block-secondary shell none tracelog diff --git a/etc/profile-m-z/zcat.profile b/etc/profile-m-z/zcat.profile index 12932ea9288..5de13ab905f 100644 --- a/etc/profile-m-z/zcat.profile +++ b/etc/profile-m-z/zcat.profile @@ -7,5 +7,9 @@ include zcat.local # added by included profile #include globals.local +# Allow running kernel config check +ignore include disable-shell.inc +noblacklist /proc/config.gz + # Redirect include gzip.profile diff --git a/etc/profile-m-z/zeal.profile b/etc/profile-m-z/zeal.profile index fe5f077be57..c148e717b51 100644 --- a/etc/profile-m-z/zeal.profile +++ b/etc/profile-m-z/zeal.profile @@ -14,8 +14,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.cache/Zeal @@ -35,6 +35,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/etc/profile-m-z/zgrep.profile b/etc/profile-m-z/zgrep.profile index b39a58420dc..f63dc871fef 100644 --- a/etc/profile-m-z/zgrep.profile +++ b/etc/profile-m-z/zgrep.profile 
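Review bot: The zathura.profile hunk silently removes `ipc-namespace` while tightening everything else (`include disable-write-mnt.inc`, `seccomp.block-secondary`, `noinput`); the commit message or a comment should say what the IPC namespace broke, since dropping an isolation feature in a hardening commit is easy to miss.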
@@ -7,5 +7,9 @@ include zgrep.local # added by included profile #include globals.local +# Allow running kernel config check +ignore include disable-shell.inc +noblacklist /proc/config.gz + # Redirect include gzip.profile diff --git a/etc/profile-m-z/zim.profile b/etc/profile-m-z/zim.profile new file mode 100644 index 00000000000..fa67b76c77b --- /dev/null +++ b/etc/profile-m-z/zim.profile @@ -0,0 +1,71 @@ +# Firejail profile for Zim +# Description: Desktop wiki & notekeeper +# This file is overwritten after every install/update +# Persistent local customizations +include zim.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.cache/zim +noblacklist ${HOME}/.config/zim + +# Allow python (blacklisted by disable-interpreters.inc) +include allow-python2.inc +include allow-python3.inc + +blacklist /usr/libexec + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-programs.inc +include disable-shell.inc + +mkdir ${HOME}/.cache/zim +mkdir ${HOME}/.config/zim +mkdir ${HOME}/Notebooks +whitelist ${HOME}/.cache/zim +whitelist ${HOME}/.config/zim +whitelist ${HOME}/Notebooks +whitelist ${DESKTOP} +whitelist ${DOCUMENTS} +whitelist ${DOWNLOADS} +whitelist ${MUSIC} +whitelist ${PICTURES} +whitelist ${VIDEOS} +whitelist /usr/share/zim +include whitelist-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +net none +no3d +nodvd +nogroups +noinput +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix +seccomp +seccomp.block-secondary +shell none +tracelog + +disable-mnt +private-bin python*,zim +private-cache +private-dev +private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11 +private-tmp + +dbus-user none +dbus-system none 
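Review bot: `blacklist /usr/libexec` in the new zim.profile is unusual for a whitelist-based profile and has no comment; say which helper it is meant to block. The whitelist of every XDG directory (`${DESKTOP}` through `${VIDEOS}`) plus `${HOME}/Notebooks` also deserves a note that notebooks can live anywhere, so users know to add their own paths in zim.local.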
diff --git a/etc/profile-m-z/zoom.profile b/etc/profile-m-z/zoom.profile index 6eac10703b2..ac615d8614f 100644 --- a/etc/profile-m-z/zoom.profile +++ b/etc/profile-m-z/zoom.profile @@ -1,17 +1,25 @@ # Firejail profile for zoom +# Description: Video Conferencing and Web Conferencing Service # This file is overwritten after every install/update # Persistent local customizations include zoom.local # Persistent global definitions include globals.local +# Disabled until someone reports positive feedback. +ignore apparmor +ignore novideo +ignore dbus-user none +ignore dbus-system none + +# nogroups breaks webcam access on non-systemd systems (see #3711). +# If you use such a system, add 'ignore nogroups' to your zoom.local. +#ignore nogroups + noblacklist ${HOME}/.config/zoomus.conf noblacklist ${HOME}/.zoom -include disable-common.inc -include disable-devel.inc -include disable-interpreters.inc -include disable-programs.inc +nowhitelist ${DOWNLOADS} mkdir ${HOME}/.cache/zoom mkfile ${HOME}/.config/zoomus.conf @@ -19,15 +27,9 @@ mkdir ${HOME}/.zoom whitelist ${HOME}/.cache/zoom whitelist ${HOME}/.config/zoomus.conf whitelist ${HOME}/.zoom -include whitelist-common.inc -caps.drop all -netfilter -nodvd -nonewprivs -noroot -notv -protocol unix,inet,inet6,netlink -seccomp !chroot +# Disable for now, see https://github.com/netblue30/firejail/issues/3726 +#private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl -private-tmp +# Redirect +include electron.profile diff --git a/etc/profile-m-z/zstd.profile b/etc/profile-m-z/zstd.profile index be27c10e1c2..faeb5c5c596 100644 --- a/etc/profile-m-z/zstd.profile +++ b/etc/profile-m-z/zstd.profile 
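Review bot: The zoom.profile hunk drops `protocol unix,inet,inet6,netlink` and `seccomp !chroot` from the old profile and redirects to electron.profile without saying whether the netlink protocol and the chroot syscall exception are still needed; if zoom still relies on either, the stricter inherited profile will break it. Either add explicit override lines with a comment, or state in the commit message that the redirect was tested with screen sharing and the webcam, given that `ignore novideo` is being added for exactly that use.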
@@ -7,37 +7,5 @@ include zstd.local # Persistent global definitions include globals.local -blacklist ${RUNUSER}/wayland-* - -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc - -apparmor -caps.drop all -hostname zstd -ipc-namespace -machine-id -net none -no3d -nodvd -nogroups -nonewprivs -#noroot -nosound -notv -nou2f -novideo -protocol unix -seccomp -shell none -tracelog -x11 none - -private-cache -private-dev - -memory-deny-write-execute +# Redirect +include archiver-common.profile diff --git a/etc/profile-m-z/zstdcat.profile b/etc/profile-m-z/zstdcat.profile index ce9af328683..df4c493fd29 100644 --- a/etc/profile-m-z/zstdcat.profile +++ b/etc/profile-m-z/zstdcat.profile @@ -1,5 +1,10 @@ # Firejail profile alias for zstd # This file is overwritten after every install/update +# Persistent local customizations +include zstdcat.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include zstd.profile diff --git a/etc/profile-m-z/zstdgrep.profile b/etc/profile-m-z/zstdgrep.profile index ce9af328683..8a2683119cf 100644 --- a/etc/profile-m-z/zstdgrep.profile +++ b/etc/profile-m-z/zstdgrep.profile @@ -1,5 +1,10 @@ # Firejail profile alias for zstd # This file is overwritten after every install/update +# Persistent local customizations +include zstdgrep.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include zstd.profile diff --git a/etc/profile-m-z/zstdless.profile b/etc/profile-m-z/zstdless.profile index ce9af328683..e5821e4c52f 100644 --- a/etc/profile-m-z/zstdless.profile +++ b/etc/profile-m-z/zstdless.profile 
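Review bot: The zstd.profile hunk removes `apparmor`, `hostname zstd`, `memory-deny-write-execute` and the disabled `#noroot` along with the rest of the profile in favour of `include archiver-common.profile`; as with the xzdec.profile hunk, nothing records whether archiver-common.profile provides those options. Mention in the commit message which of them are inherited and which are intentionally dropped, so the change is not a silent loss of `memory-deny-write-execute`.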
@@ -1,5 +1,10 @@ # Firejail profile alias for zstd # This file is overwritten after every install/update +# Persistent local customizations +include zstdless.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include zstd.profile diff --git a/etc/profile-m-z/zstdmt.profile b/etc/profile-m-z/zstdmt.profile index ce9af328683..0a43fd556d0 100644 --- a/etc/profile-m-z/zstdmt.profile +++ b/etc/profile-m-z/zstdmt.profile @@ -1,5 +1,10 @@ # Firejail profile alias for zstd # This file is overwritten after every install/update +# Persistent local customizations +include zstdmt.local +# Persistent global definitions +# added by included profile +#include globals.local # Redirect include zstd.profile diff --git a/etc/profile-m-z/zulip.profile b/etc/profile-m-z/zulip.profile index 999c2f77ac7..c1c94d74f34 100644 --- a/etc/profile-m-z/zulip.profile +++ b/etc/profile-m-z/zulip.profile @@ -14,8 +14,8 @@ include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc -include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.config/Zulip @@ -30,6 +30,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot notv @@ -43,5 +44,5 @@ disable-mnt private-bin locale,zulip private-cache private-dev -private-etc asound.conf,fonts,machine-id +private-etc asound.conf,fonts,ld.so.preload,machine-id private-tmp diff --git a/etc/templates/profile.template b/etc/templates/profile.template index be1175ce3fc..7628313e075 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template 
@@ -1,17 +1,17 @@ # Firejail profile for PROGRAM_NAME -# Description: DESCRIPTION +# Description: DESCRIPTION OF THE PROGRAM # This file is overwritten after every install/update # --- CUT HERE --- -# This is a generic template to help you with creation of profiles -# for new programs. PRs welcome at https://github.com/netblue30/firejail/. +# This is a generic template to help you create profiles. +# PRs welcome at https://github.com/netblue30/firejail/. # # Rules to follow: # - lines with one # are often used in profiles # - lines with two ## are only needed in special situations # - make the profile as restrictive as possible while still keeping the program useful -# (e. g. a program that is unable to save user's work is considered bad practice) -# - dedicate some time (based on the complexity of the application) to profile testing before raising -# a pull request +# (e.g. a program that is unable to save user's work is considered bad practice) +# - dedicate ample time (based on the complexity of the application) to profile testing before +# submitting a pull request # - keep the sections structure, use a single empty line as separator # - entries within sections are alphabetically sorted # - consider putting binary into src/firecfg/firecfg.config (keep list sorted) but beware @@ -42,7 +42,7 @@ # ${DOCUMENTS} # ${DOWNLOADS} # ${HOME} (user's home) -# ${PATH} (contents of PATH envvar) +# ${PATH} (contents of PATH env var) # ${MUSIC} # ${RUNUSER} (/run/user/UID) # ${VIDEOS} 
@@ -59,14 +59,6 @@ include globals.local ##ignore noexec ${HOME} ##ignore noexec /tmp -##blacklist PATH -# Disable X11 (CLI only), see also 'x11 none' below -#blacklist /tmp/.X11-unix -# Disable Wayland -#blacklist ${RUNUSER}/wayland-* -# Disable RUNUSER (cli only) -#blacklist ${RUNUSER} - # It is common practice to add files/dirs containing program-specific configuration # (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc # (keep list sorted) and then disable blacklisting below. @@ -81,12 +73,14 @@ include globals.local # `ls -aR` #noblacklist PATH -# Allow python (blacklisted by disable-interpreters.inc) -#include allow-python2.inc -#include allow-python3.inc +# Allow /bin/sh (blacklisted by disable-shell.inc) +#include allow-bin-sh.inc -# Allow perl (blacklisted by disable-interpreters.inc) -#include allow-perl.inc +# Allows files commonly used by IDEs +#include allow-common-devel.inc + +# Allow gjs (blacklisted by disable-interpreters.inc) +#include allow-gjs.inc # Allow java (blacklisted by disable-devel.inc) #include allow-java.inc 
@@ -94,32 +88,50 @@ include globals.local # Allow lua (blacklisted by disable-interpreters.inc) #include allow-lua.inc +# Allow perl (blacklisted by disable-interpreters.inc) +#include allow-perl.inc + +# Allow python (blacklisted by disable-interpreters.inc) +#include allow-python2.inc +#include allow-python3.inc + # Allow ruby (blacklisted by disable-interpreters.inc) #include allow-ruby.inc -# Allow gjs (blacklisted by disable-interpreters.inc) -#include allow-gjs.inc +# Allow ssh (blacklisted by disable-common.inc) +#include allow-ssh.inc -# Allows files commonly used by IDEs -#include allow-common-devel.inc +##blacklist PATH +# Disable Wayland +#blacklist ${RUNUSER}/wayland-* +# Disable RUNUSER (cli only; supersedes Disable Wayland) +#blacklist ${RUNUSER} +# Remove the next blacklist if you system has no /usr/libexec dir, +# otherwise try to add it. +#blacklist /usr/libexec +# disable-*.inc includes +# remove disable-write-mnt.inc if you set disable-mnt #include disable-common.inc #include disable-devel.inc #include disable-exec.inc #include disable-interpreters.inc -#include disable-passwdmgr.inc #include disable-programs.inc +#include disable-shell.inc +#include disable-write-mnt.inc +#include disable-X11.inc #include disable-xdg.inc # This section often mirrors noblacklist section above. The idea is -# that if a user feels too restricted (he's unable to save files into -# home directory for instance) he/she may disable whitelist (nowhitelist) +# that if a user feels too restricted (e.g. 
unable to save files into +# home directory) they may disable whitelist (nowhitelist) # in PROFILE.local but still be protected by BLACKLISTS section -# (further explanation at https://github.com/netblue30/firejail/issues/1569) +# (explanation at https://github.com/netblue30/firejail/issues/1569) #mkdir PATH ##mkfile PATH #whitelist PATH #include whitelist-common.inc +#include whitelist-run-common.inc #include whitelist-runuser-common.inc #include whitelist-usr-share-common.inc #include whitelist-var-common.inc @@ -131,7 +143,7 @@ include globals.local ##hostname NAME # CLI only ##ipc-namespace -# breaks sound and sometime dbus related functions +# breaks audio and sometimes dbus related functions #machine-id # 'net none' or 'netfilter' #net none @@ -140,6 +152,7 @@ include globals.local ##nodbus (deprecated, use 'dbus-user none' and 'dbus-system none', see below) #nodvd #nogroups +#noinput #nonewprivs #noroot #nosound @@ -150,14 +163,16 @@ include globals.local # - unix is usually needed # - inet,inet6 only if internet access is required (see 'net none'/'netfilter' above) # - netlink is rarely needed -# - packet almost never -#protocol unix,inet,inet6,netlink,packet +# - packet and bluetooth almost never +#protocol unix,inet,inet6,netlink,packet,bluetooth #seccomp ##seccomp !chroot ##seccomp.drop SYSCALLS (see syscalls.txt) +#seccomp.block-secondary +##seccomp-error-action log (only for debugging seccomp issues) #shell none #tracelog -# Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set +# Prefer 'x11 none' instead of 'disable-X11.inc' if 'net none' is set ##x11 none #disable-mnt 
@@ -169,16 +184,16 @@ include globals.local #private-etc FILES # private-etc templates (see also #1734, #2093) # Common: alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg -# Extra: magic,magic.mgc,passwd,group -# Networking: ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf,hosts,host.conf,hostname,protocols,services,rpc -# Extra: proxychains.conf,gai.conf -# Sound: alsa,asound.conf,pulse,machine-id +# Extra: group,magic,magic.mgc,passwd +# 3D: bumblebee,drirc,glvnd,nvidia +# Audio: alsa,asound.conf,machine-id,pulse +# D-Bus: dbus-1,machine-id # GUI: fonts,pango,X11 # GTK: dconf,gconf,gtk-2.0,gtk-3.0 -# Qt: Trolltech.conf # KDE: kde4rc,kde5rc -# 3D: drirc,glvnd,bumblebee,nvidia -# D-Bus: dbus-1,machine-id +# Networking: ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl +# Extra: gai.conf,proxychains.conf +# Qt: Trolltech.conf ##private-lib LIBS ##private-opt NAME #private-tmp 
@@ -187,15 +202,16 @@ include globals.local ##writable-var ##writable-var-log -# Since 0.9.63 also a more granular regulation of dbus is supported. -# To get the dbus-addresses to which an application needs access to. -# You can look at flatpak if the application is also distriputed via flatpak: +# Since 0.9.63 also a more granular control of dbus is supported. +# To get the dbus-addresses an application needs access to you can +# check with flatpak (when the application is distributed that way): # flatpak remote-info --show-metadata flathub # Notes: # - flatpak implicitly allows an app to own on the session bus -# - In order to make dconf work (if it is used by the app) you need to allow -# 'ca.desrt.dconf' even if it is not allowed by flatpak. -# Notes and Policiy about addresses can be found at +# - Some features like native notifications are implemented as portal too. +# - In order to make dconf work (when used by the app) you need to allow +# 'ca.desrt.dconf' even when not allowed by flatpak. +# Notes and policies about addresses can be found at # #dbus-user filter #dbus-user.own com.github.netblue30.firejail @@ -204,7 +220,8 @@ include globals.local #dbus-system none ##env VAR=VALUE +##join-or-start NAME #memory-deny-write-execute ##noexec PATH ##read-only ${HOME} -##join-or-start NAME +##read-write ${HOME} diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt index ea3b5a6b059..827b075e57f 100644 --- a/etc/templates/syscalls.txt +++ b/etc/templates/syscalls.txt 
@@ -33,10 +33,10 @@ Definition of groups @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext -@default=@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,umount,userfaultfd,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup +@default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup @default-nodebuggers=@default,ptrace,personality,process_vm_readv -@default-keep=execve,prctl -@file-system=access,chdir,chmod,close,creat,faccessat,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes +@default-keep=execveat,execve,prctl 
+@file-system=access,chdir,chmod,close,creat,faccessat,faccessat2,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes @io-event=_newselect,epoll_create,epoll_create1,epoll_ctl,epoll_ctl_old,epoll_pwait,epoll_wait,epoll_wait_old,eventfd,eventfd2,poll,ppoll,pselect6,select @ipc=ipc,memfd_create,mq_getsetattr,mq_notify,mq_open,mq_timedreceive,mq_timedsend,mq_unlink,msgctl,msgget,msgrcv,msgsnd,pipe,pipe2,process_vm_readv,process_vm_writev,semctl,semget,semop,semtimedop,shmat,shmctl,shmdt,shmget @keyring=add_key,keyctl,request_key @@ -62,15 +62,14 @@ Inheritance of groups +---------------+ | @default-keep | -| @mount | +---------------+ +----------------+ +---------+ +--------+ +--------------+ | @cpu-emulation | | @clock | | @chown | | @aio | | @debug | | @module | +--------+ | @basic-io | | @obsolete | | @raw-io | : : | @file-system | -+----------------+ | @reboot | : : | @io-event | - : | @swap | : : | @ipc | +| @mount | | @reboot | : : | @io-event | ++----------------+ | @swap | : : | @ipc | : +---------+ : : | @keyring | : : : : : | @memlock | : ..............: : : : | @network-io | 
@@ -90,18 +89,24 @@ Inheritance of groups What to do if seccomp breaks a program -------------------------------------- +Start `journalctl --grep=SECCOMP --follow` in a terminal and run +`firejail --seccomp-error-action=log /path/to/program` in a second terminal. +Now switch back to the first terminal (where `journalctl` is running) and look +for the numbers of the blocked syscall(s) (`syscall=`). As soon as you +have found them, you can stop `journalctl` (^C) and execute +`firejail --debug-syscalls | grep NUMBER` to get the name of the syscall. +In the particular case that it is a 32bit syscall on a 64bit system, use `firejail --debug-syscalls32 | grep NUMBER`. +Now you can add a seccomp exception using `seccomp !NAME`. + +If the blocked syscall is ptrace, consider to add allow-debuggers to the profile. + ``` -$ journalctl --grep=syscall --follow -<...> audit[…]: SECCOMP <...> syscall=161 <...> -$ firejail --debug-syscalls | grep 161 -161 - chroot +term1$ journalctl --grep=SECCOMP --follow +term2$ firejail --seccomp-error-action=log /usr/bin/signal-desktop +term1$ (journalctl --grep=SECCOMP --follow) +audit[1234]: SECCOMP ... comm="signal-desktop" exe="/usr/bin/signal-desktop" sig=31 arch=c000003e syscall=161 ... +^C +term1$ firejail --debug-syscalls | grep "^161[[:space:]]" +161 - chroot ``` Profile: `seccomp -> seccomp !chroot` - -Start `journalctl --grep=syscall --follow` in a terminal, then start the broken -program. Now you see one or more long lines containing `syscall=NUMBER` somewhere. -Stop journalctl (^C) and execute `firejail --debug-syscalls | grep NUMBER`. You -will see something like `NUMBER - NAME`, because you now know the name of the -syscall, you can add an exception to seccomp by putting `!NAME` to seccomp. - -If the blocked syscall is ptrace, consider to add allow-debuggers to the profile. diff --git a/gcov.sh b/gcov.sh index ea403bf5a79..9bb2596f6a7 100755 --- a/gcov.sh +++ b/gcov.sh 
@@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 gcov_init() { @@ -24,8 +24,8 @@ gcov_init() { } generate() { - lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-new - lcov --add-tracefile gcov-file-old --add-tracefile gcov-file-new --output-file gcov-file + lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-new + lcov --add-tracefile gcov-file-old --add-tracefile gcov-file-new --output-file gcov-file rm -fr gcov-dir genhtml -q gcov-file --output-directory gcov-dir sudo rm `find . -name *.gcda` @@ -35,7 +35,7 @@ generate() { gcov_init -lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-old +lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-old #make test-utils #generate diff --git a/install.sh b/install.sh index 2fa61cc0a12..e26cea7b0ee 100755 --- a/install.sh +++ b/install.sh @@ -1,6 +1,6 @@ #!/bin/sh # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 echo "installing..." diff --git a/linecnt.sh b/linecnt.sh index 1bf83401536..86bccbc07df 100755 --- a/linecnt.sh 
+++ b/linecnt.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 gcov_init() { @@ -26,6 +26,6 @@ gcov_init() { rm -fr gcov-dir gcov_init lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder \ - -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp \ - -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file + -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp \ + -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file genhtml -q gcov-file --output-directory gcov-dir diff --git a/mkasc.sh b/mkasc.sh index 872127ddae1..31c3f4ffdc5 100755 --- a/mkasc.sh +++ b/mkasc.sh @@ -1,9 +1,9 @@ #!/bin/sh # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 -echo "Calculationg SHA256 for all files in /transfer - firejail version $1" +echo "Calculating SHA256 for all files in /transfer - firejail version $1" cd /transfer sha256sum * > firejail-$1-unsigned diff --git a/mkdeb.sh b/mkdeb.sh deleted file mode 100755 index dd784eb8a86..00000000000 --- a/mkdeb.sh +++ /dev/null 
@@ -1,56 +0,0 @@ -#!/bin/sh -# This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors -# License GPL v2 - -# based on http://tldp.org/HOWTO/html_single/Debian-Binary-Package-Building-HOWTO/ -# a code archive should already be available - -set -e - -TOP=`pwd` -CODE_ARCHIVE="$1-$2.tar.xz" -CODE_DIR="$1-$2" -INSTALL_DIR="${INSTALL_DIR}${CODE_DIR}/debian" -DEBIAN_CTRL_DIR="${DEBIAN_CTRL_DIR}${CODE_DIR}/debian/DEBIAN" - -echo "*****************************************" -echo "code archive: $CODE_ARCHIVE" -echo "code directory: $CODE_DIR" -echo "install directory: $INSTALL_DIR" -echo "debian control directory: $DEBIAN_CTRL_DIR" -echo "*****************************************" - -tar -xJvf $CODE_ARCHIVE -#mkdir -p $INSTALL_DIR -cd $CODE_DIR -./configure --prefix=/usr -make -j2 -mkdir debian -DESTDIR=debian make install-strip - -cd .. -echo "*****************************************" -SIZE=`du -s $INSTALL_DIR` -echo "install size $SIZE" -echo "*****************************************" - -mv $INSTALL_DIR/usr/share/doc/firejail/RELNOTES $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian -gzip -9 -n $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian -rm $INSTALL_DIR/usr/share/doc/firejail/COPYING -install -m644 platform/debian/copyright $INSTALL_DIR/usr/share/doc/firejail/. -mkdir -p $DEBIAN_CTRL_DIR -sed "s/FIREJAILVER/$2/g" platform/debian/control.$(dpkg-architecture -qDEB_HOST_ARCH) > $DEBIAN_CTRL_DIR/control - -mkdir -p $INSTALL_DIR/usr/share/lintian/overrides/ -install -m644 platform/debian/firejail.lintian-overrides $INSTALL_DIR/usr/share/lintian/overrides/firejail - -find $INSTALL_DIR/etc -type f | sed "s,^$INSTALL_DIR,," | LC_ALL=C sort > $DEBIAN_CTRL_DIR/conffiles -chmod 644 $DEBIAN_CTRL_DIR/conffiles -find $INSTALL_DIR -type d | xargs chmod 755 -cd $CODE_DIR -fakeroot dpkg-deb --build debian -lintian debian.deb -mv debian.deb ../firejail_$2_1_$(dpkg-architecture -qDEB_HOST_ARCH).deb -cd .. -rm -fr $CODE_DIR 
diff --git a/mkdeb-apparmor.sh b/mkdeb.sh.in similarity index 59% rename from mkdeb-apparmor.sh rename to mkdeb.sh.in index 3c560179cb1..e45acf8eb12 100755 --- a/mkdeb-apparmor.sh +++ b/mkdeb.sh.in @@ -1,16 +1,30 @@ #!/bin/sh # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # based on http://tldp.org/HOWTO/html_single/Debian-Binary-Package-Building-HOWTO/ # a code archive should already be available set -e +NAME=@PACKAGE_NAME@ +VERSION=@PACKAGE_VERSION@ +PACKAGE_TARNAME=@PACKAGE_TARNAME@ +HAVE_APPARMOR=@HAVE_APPARMOR@ +HAVE_SELINUX=@HAVE_SELINUX@ +EXTRA_VERSION=$1 + +CONFIG_ARGS="--prefix=/usr" +if [ -n "$HAVE_APPARMOR" ]; then + CONFIG_ARGS="$CONFIG_ARGS --enable-apparmor" +fi +if [ -n "$HAVE_SELINUX" ]; then + CONFIG_ARGS="$CONFIG_ARGS --enable-selinux" +fi TOP=`pwd` -CODE_ARCHIVE="$1-$2.tar.xz" -CODE_DIR="$1-$2" +CODE_ARCHIVE="$NAME-$VERSION.tar.xz" +CODE_DIR="$NAME-$VERSION" INSTALL_DIR="${INSTALL_DIR}${CODE_DIR}/debian" DEBIAN_CTRL_DIR="${DEBIAN_CTRL_DIR}${CODE_DIR}/debian/DEBIAN" @@ -24,7 +38,7 @@ echo "*****************************************" tar -xJvf $CODE_ARCHIVE #mkdir -p $INSTALL_DIR cd $CODE_DIR -./configure --prefix=/usr --enable-apparmor +./configure $CONFIG_ARGS make -j2 mkdir debian DESTDIR=debian make install-strip 
@@ -38,19 +52,19 @@ echo "*****************************************" mv $INSTALL_DIR/usr/share/doc/firejail/RELNOTES $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian gzip -9 -n $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian rm $INSTALL_DIR/usr/share/doc/firejail/COPYING -install -m644 platform/debian/copyright $INSTALL_DIR/usr/share/doc/firejail/. +install -m644 $CODE_DIR/platform/debian/copyright $INSTALL_DIR/usr/share/doc/firejail/. mkdir -p $DEBIAN_CTRL_DIR -sed "s/FIREJAILVER/$2/g" platform/debian/control.$(dpkg-architecture -qDEB_HOST_ARCH) > $DEBIAN_CTRL_DIR/control +sed "s/FIREJAILVER/$VERSION/g" $CODE_DIR/platform/debian/control.$(dpkg-architecture -qDEB_HOST_ARCH) > $DEBIAN_CTRL_DIR/control mkdir -p $INSTALL_DIR/usr/share/lintian/overrides/ -install -m644 platform/debian/firejail.lintian-overrides $INSTALL_DIR/usr/share/lintian/overrides/firejail +install -m644 $CODE_DIR/platform/debian/firejail.lintian-overrides $INSTALL_DIR/usr/share/lintian/overrides/firejail find $INSTALL_DIR/etc -type f | sed "s,^$INSTALL_DIR,," | LC_ALL=C sort > $DEBIAN_CTRL_DIR/conffiles chmod 644 $DEBIAN_CTRL_DIR/conffiles find $INSTALL_DIR -type d | xargs chmod 755 cd $CODE_DIR fakeroot dpkg-deb --build debian -lintian debian.deb -mv debian.deb ../firejail-apparmor_$2_1_$(dpkg-architecture -qDEB_HOST_ARCH).deb +lintian --no-tag-display-limit debian.deb +mv debian.deb ../firejail_${VERSION}${EXTRA_VERSION}_1_$(dpkg-architecture -qDEB_HOST_ARCH).deb cd .. rm -fr $CODE_DIR diff --git a/mketc.sh b/mketc.sh index d9728f3c545..0aa313b170a 100755 --- a/mketc.sh +++ b/mketc.sh 
@@ -1,16 +1,17 @@ #!/bin/sh # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 sed -i -e ' 1i# Workaround for systems where common UNIX utilities are symlinks to busybox.\ # If this is not your case you can remove --enable-busybox-workaround from\ # ./configure options, for added security.\ +noblacklist \${PATH}/busybox\ +noblacklist \${PATH}/crontab\ noblacklist \${PATH}/mount\ -noblacklist \${PATH}/umount\ +noblacklist \${PATH}/nc\ noblacklist \${PATH}/su\ noblacklist \${PATH}/sudo\ -noblacklist \${PATH}/nc\ -noblacklist \${PATH}/crontab\ -' etc/disable-common.inc +noblacklist \${PATH}/umount\ +' "$1" diff --git a/mkman.sh b/mkman.sh index b8e7e58ebea..8767972d129 100755 --- a/mkman.sh +++ b/mkman.sh @@ -1,8 +1,10 @@ #!/bin/sh # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 +set -e + sed "s/VERSION/$1/g" $2 > $3 MONTH=`LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%b` sed -i "s/MONTH/$MONTH/g" $3 diff --git a/mkuid.sh b/mkuid.sh index 96d6fa40140..0264628cc97 100755 --- a/mkuid.sh +++ b/mkuid.sh @@ -1,6 +1,6 @@ #!/bin/sh # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 echo "extracting UID_MIN and GID_MIN" diff --git a/platform/debian/control.amd64 b/platform/debian/control.amd64 index 3d654acd01b..f666200d55f 100644 --- a/platform/debian/control.amd64 +++ b/platform/debian/control.amd64 @@ -1,7 +1,7 @@ Package: firejail Version: FIREJAILVER-1 Architecture: amd64 -Maintainer: netblue30 +Maintainer: netblue30 Installed-Size: 2024 Depends: libc6 Suggests: python, python3 diff --git a/platform/debian/control.i386 b/platform/debian/control.i386 index 300c20db9b7..ab9e0fc525d 100644 --- a/platform/debian/control.i386 +++ b/platform/debian/control.i386 
@@ -1,7 +1,7 @@ Package: firejail Version: FIREJAILVER-1 Architecture: i386 -Maintainer: netblue30 +Maintainer: netblue30 Installed-Size: 2024 Depends: libc6 Suggests: python, python3 diff --git a/platform/debian/copyright b/platform/debian/copyright index c0f98104d52..d4bdb12830d 100644 --- a/platform/debian/copyright +++ b/platform/debian/copyright @@ -7,7 +7,7 @@ This is the Debian/Ubuntu prepackaged version of firejail. and networking stack isolation, and it runs on any recent Linux system. It includes a sandbox profile for Mozilla Firefox. - Copyright (C) 2014-2020 Firejail Authors (see README file for more details) + Copyright (C) 2014-2021 Firejail Authors (see README file for more details) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/platform/rpm/firejail.spec b/platform/rpm/firejail.spec index b32407c7d0c..86cd6006ef6 100644 --- a/platform/rpm/firejail.spec +++ b/platform/rpm/firejail.spec @@ -1,7 +1,7 @@ Name: __NAME__ Version: __VERSION__ Release: 1 -Summary: Linux namepaces sandbox program +Summary: Linux namespaces sandbox program License: GPLv2+ Group: Development/Tools @@ -19,7 +19,7 @@ using Linux namespaces. It includes a sandbox profile for Mozilla Firefox. %setup -q %build -%configure --disable-userns --disable-contrib-install +%configure __CONFIG_OPT__ make %{?_smp_mflags} %install 
@@ -35,14 +35,17 @@ rm -rf %{buildroot} %attr(4755, -, -) %{_bindir}/__NAME__ %{_bindir}/firecfg %{_bindir}/firemon +%{_bindir}/jailcheck %{_libdir}/__NAME__ %{_datarootdir}/bash-completion/completions/__NAME__ %{_datarootdir}/bash-completion/completions/firecfg %{_datarootdir}/bash-completion/completions/firemon +%{_datarootdir}/zsh/site-functions/_firejail %{_docdir}/__NAME__ %{_mandir}/man1/__NAME__.1.gz %{_mandir}/man1/firecfg.1.gz %{_mandir}/man1/firemon.1.gz +%{_mandir}/man1/jailcheck.1.gz %{_mandir}/man5/__NAME__-login.5.gz %{_mandir}/man5/__NAME__-profile.5.gz %{_mandir}/man5/__NAME__-users.5.gz diff --git a/platform/rpm/mkrpm.sh b/platform/rpm/mkrpm.sh index 348bea7f26f..b8470dd714f 100755 --- a/platform/rpm/mkrpm.sh +++ b/platform/rpm/mkrpm.sh @@ -1,9 +1,9 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # -# Usage: ./platform/rpm/mkrpm.sh firejail +# Usage: ./platform/rpm/mkrpm.sh firejail "" # # Builds rpms in a temporary directory then places the result in the # current working directory. @@ -11,6 +11,7 @@ name=$1 # Strip any trailing prefix from the version like -rc1 etc version=$(echo "$2" | sed 's/\-.*//g') +config_opt=$3 if [[ ! -f platform/rpm/${name}.spec ]]; then echo error: spec file not found for name \"${name}\" @@ -22,6 +23,10 @@ if [[ -z "${version}" ]]; then exit 1 fi +if [[ -z "${config_opt}" ]]; then + config_opt="--disable-userns --disable-contrib-install" +fi + # Make a temporary directory and arrange to clean up on exit tmpdir=$(mktemp -d) mkdir -p ${tmpdir}/{BUILD,RPMS,SOURCES,SPECS,SRPMS} 
@@ -32,11 +37,14 @@ trap cleanup EXIT # Create the spec file tmp_spec_file=${tmpdir}/SPECS/${name}.spec -sed -e "s/__NAME__/${name}/g" -e "s/__VERSION__/${version}/g" platform/rpm/${name}.spec >${tmp_spec_file} +sed -e "s/__NAME__/${name}/g" \ + -e "s/__VERSION__/${version}/g" \ + -e "s/__CONFIG_OPT__/${config_opt}/g" \ + platform/rpm/${name}.spec >${tmp_spec_file} # FIXME: We could parse RELNOTES and create a %changelog section here # Copy the source to build into a tarball -tar --exclude='./.git*' --exclude='./test' --transform "s/^./${name}-${version}/" -czf ${tmpdir}/SOURCES/${name}-${version}.tar.gz . +tar --exclude='./.git*' --transform "s/^./${name}-${version}/" -czf ${tmpdir}/SOURCES/${name}-${version}.tar.gz . # Build the files (rpm, debug rpm and source rpm) rpmbuild --quiet --define "_topdir ${tmpdir}" -ba ${tmp_spec_file} diff --git a/src/bash_completion/Makefile.in b/src/bash_completion/Makefile.in new file mode 100644 index 00000000000..f7db9e6b4ba --- /dev/null +++ b/src/bash_completion/Makefile.in @@ -0,0 +1,17 @@ +.PHONY: all +all: firejail.bash_completion + +include ../common.mk + +firejail.bash_completion: firejail.bash_completion.in + gawk -f ../man/preproc.awk -- $(MANFLAGS) < $< > $@.tmp + sed "s|_SYSCONFDIR_|$(sysconfdir)|" < $@.tmp > $@ + rm $@.tmp + +.PHONY: clean +clean: + rm -fr firejail.bash_completion + +.PHONY: distclean +distclean: clean + rm -fr Makefile diff --git a/src/bash_completion/firejail.bash_completion b/src/bash_completion/firejail.bash_completion.in similarity index 86% rename from src/bash_completion/firejail.bash_completion rename to src/bash_completion/firejail.bash_completion.in index 0a1b34d7d71..ff411c807ac 100644 --- a/src/bash_completion/firejail.bash_completion +++ b/src/bash_completion/firejail.bash_completion.in 
@@ -5,10 +5,21 @@ # http://bash-completion.alioth.debian.org #******************************************************************* -__interfaces(){ +__interfaces() { cut -f 1 -d ':' /proc/net/dev | tail -n +3 | grep -v lo | xargs } +_profiles() { + if [[ -d "$1" ]] ; then + ls -1 $1/*.profile 2>/dev/null | sed -E 's;^.*\/;;g' + fi +} +_all_profiles() { + local sys_profiles=$(_profiles _SYSCONFDIR_/firejail) + local user_profiles=$(_profiles $HOME/.config/firejail) + COMPREPLY=($(compgen -W "${sys_profiles} ${user_profiles}" -- "$cur")) +} + _firejail() { @@ -20,7 +31,7 @@ _firejail() return 0 ;; --profile) - _filedir + _all_profiles return 0 ;; --hosts-file) @@ -79,15 +90,11 @@ _firejail() _filedir return 0 ;; - --audit) - _filedir - return 0 - ;; - --net) - comps=$(__interfaces) + --net) + comps=$(__interfaces) COMPREPLY=( $(compgen -W '$comps' -- "$cur") ) return 0 - ;; + ;; esac $split && return 0 diff --git a/src/common.mk.in b/src/common.mk.in index 8104bc2580a..d117433dcb7 100644 --- a/src/common.mk.in +++ b/src/common.mk.in @@ -9,15 +9,12 @@ sysconfdir=@sysconfdir@ VERSION=@PACKAGE_VERSION@ NAME=@PACKAGE_NAME@ -HAVE_SECCOMP_H=@HAVE_SECCOMP_H@ -HAVE_SECCOMP=@HAVE_SECCOMP@ HAVE_CHROOT=@HAVE_CHROOT@ HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ HAVE_NETWORK=@HAVE_NETWORK@ HAVE_USERNS=@HAVE_USERNS@ HAVE_X11=@HAVE_X11@ HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ -HAVE_WHITELIST=@HAVE_WHITELIST@ HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ HAVE_APPARMOR=@HAVE_APPARMOR@ HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ 
@@ -25,18 +22,29 @@ HAVE_FIRETUNNEL=@HAVE_FIRETUNNEL@ HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@ HAVE_GCOV=@HAVE_GCOV@ HAVE_SELINUX=@HAVE_SELINUX@ +ifeq (@HAVE_SUID@, yes) +HAVE_SUID=-DHAVE_SUID +else +HAVE_SUID= +endif +HAVE_DBUSPROXY=@HAVE_DBUSPROXY@ +HAVE_USERTMPFS=@HAVE_USERTMPFS@ +HAVE_OUTPUT=@HAVE_OUTPUT@ +HAVE_LTS=@HAVE_LTS@ +HAVE_FORCE_NONEWPRIVS=@HAVE_FORCE_NONEWPRIVS@ -H_FILE_LIST = $(sort $(wildcard *.[h])) +H_FILE_LIST = $(sort $(wildcard *.h)) C_FILE_LIST = $(sort $(wildcard *.c)) OBJS = $(C_FILE_LIST:.c=.o) BINOBJS = $(foreach file, $(OBJS), $file) CFLAGS = @CFLAGS@ CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' -CFLAGS += $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_FIRETUNNEL) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX) -CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security -LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread +CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' -DVARDIR='"/var/lib/firejail"' +MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) +CFLAGS += $(MANFLAGS) +CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security +LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ ifdef NO_EXTRA_CFLAGS diff --git a/src/faudit/Makefile.in b/src/faudit/Makefile.in deleted file mode 100644 index 44c121a4c7c..00000000000 
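Review bot: `-DVARDIR='"/var/lib/firejail"'` hard-codes the path instead of deriving it from configure the way `sysconfdir`, `libdir` and `bindir` are on the same line, so a `--localstatedir` build gets a compiled-in directory that differs from the one the install rules create; consider `-DVARDIR='"$(localstatedir)/lib/firejail"'` with `localstatedir=@localstatedir@` added next to `sysconfdir`. Moving `-pie` out of CFLAGS and into LDFLAGS (keeping `-fPIE` on both) is correct, since `-pie` is a link-time flag. One nit: the new `ifeq (@HAVE_SUID@, yes)` block converts a yes/no into `-DHAVE_SUID` while every other `HAVE_*` variable is passed through verbatim; a one-line comment saying configure emits yes/no for this one would save the next reader a trip to configure.ac.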
--- a/src/faudit/Makefile.in +++ /dev/null @@ -1,14 +0,0 @@ -all: faudit - -include ../common.mk - -%.o : %.c $(H_FILE_LIST) - $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ - -faudit: $(OBJS) - $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) - -clean:; rm -fr *.o faudit *.gcov *.gcda *.gcno *.plist - -distclean: clean - rm -fr Makefile diff --git a/src/faudit/caps.c b/src/faudit/caps.c deleted file mode 100644 index 6687fce5aa8..00000000000 --- a/src/faudit/caps.c +++ /dev/null 
@@ -1,78 +0,0 @@ -/* - * Copyright (C) 2014-2020 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ - -#include "faudit.h" -#include - -#define MAXBUF 4098 -static int extract_caps(uint64_t *val) { - FILE *fp = fopen("/proc/self/status", "r"); - if (!fp) - return 1; - - char buf[MAXBUF]; - while (fgets(buf, MAXBUF, fp)) { - if (strncmp(buf, "CapBnd:\t", 8) == 0) { - char *ptr = buf + 8; - unsigned long long tmp; - sscanf(ptr, "%llx", &tmp); - *val = tmp; - fclose(fp); - return 0; - } - } - - fclose(fp); - return 1; -} - -// return 1 if the capability is in the map -static int check_capability(uint64_t map, int cap) { - int i; - uint64_t mask = 1ULL; - - for (i = 0; i < 64; i++, mask <<= 1) { - if ((i == cap) && (mask & map)) - return 1; - } - - return 0; -} - -void caps_test(void) { - uint64_t caps_val; - - if (extract_caps(&caps_val)) { - printf("SKIP: cannot extract capabilities on this platform.\n"); - return; - } - - if (caps_val) { - printf("BAD: the capability map is %llx, it should be all zero. 
", (unsigned long long) caps_val); - printf("Use \"firejail --caps.drop=all\" to fix it.\n"); - - if (check_capability(caps_val, CAP_SYS_ADMIN)) - printf("UGLY: CAP_SYS_ADMIN is enabled.\n"); - if (check_capability(caps_val, CAP_SYS_BOOT)) - printf("UGLY: CAP_SYS_BOOT is enabled.\n"); - } - else - printf("GOOD: all capabilities are disabled.\n"); -} diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c deleted file mode 100644 index 8c26c52714a..00000000000 --- a/src/faudit/dbus.c +++ /dev/null 
@@ -1,92 +0,0 @@ -/* - * Copyright (C) 2014-2020 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ -#include "faudit.h" -#include -#include - -// return 0 if the connection is possible -int check_unix(const char *sockfile) { - assert(sockfile); - int rv = -1; - - // open socket - int sock = socket(AF_UNIX, SOCK_STREAM, 0); - if (sock == -1) - return rv; - - // connect - struct sockaddr_un remote; - memset(&remote, 0, sizeof(struct sockaddr_un)); - remote.sun_family = AF_UNIX; - strncpy(remote.sun_path, sockfile, sizeof(remote.sun_path) - 1); - int len = strlen(remote.sun_path) + sizeof(remote.sun_family); - if (*sockfile == '@') - remote.sun_path[0] = '\0'; - if (connect(sock, (struct sockaddr *)&remote, len) == 0) - rv = 0; - - close(sock); - return rv; -} - -void dbus_test(void) { - // check the session bus - char *str = getenv("DBUS_SESSION_BUS_ADDRESS"); - if (str) { - int rv = 0; - char *bus = strdup(str); - if (!bus) - errExit("strdup"); - char *sockfile; - if ((sockfile = strstr(bus, "unix:abstract=")) != NULL) { - sockfile += 13; - *sockfile = '@'; - char *ptr = strchr(sockfile, ','); - if (ptr) - *ptr = '\0'; - rv = check_unix(sockfile); - *sockfile = '@'; - if (rv == 0) - printf("MAYBE: D-Bus socket %s is available\n", 
sockfile); - else if (rv == -1) - printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile); - } - else if ((sockfile = strstr(bus, "unix:path=")) != NULL) { - sockfile += 10; - char *ptr = strchr(sockfile, ','); - if (ptr) - *ptr = '\0'; - rv = check_unix(sockfile); - if (rv == 0) - printf("MAYBE: D-Bus socket %s is available\n", sockfile); - else if (rv == -1) - printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile); - } - else if ((sockfile = strstr(bus, "tcp:host=")) != NULL) - printf("UGLY: session bus configured for TCP communication.\n"); - else - printf("GOOD: cannot find a D-Bus socket\n"); - - - free(bus); - } - else - printf("GOOD: DBUS_SESSION_BUS_ADDRESS environment variable not configured."); -} diff --git a/src/faudit/files.c b/src/faudit/files.c deleted file mode 100644 index 6dd3874b99f..00000000000 --- a/src/faudit/files.c +++ /dev/null 
@@ -1,75 +0,0 @@ -/* - * Copyright (C) 2014-2020 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ -#include "faudit.h" -#include -#include - -static char *username = NULL; -static char *homedir = NULL; - -static void check_home_file(const char *name) { - assert(homedir); - - char *fname; - if (asprintf(&fname, "%s/%s", homedir, name) == -1) - errExit("asprintf"); - - if (access(fname, R_OK) == 0) { - printf("UGLY: I can access files in %s directory. 
", fname); - printf("Use \"firejail --blacklist=%s\" to block it.\n", fname); - } - else - printf("GOOD: I cannot access files in %s directory.\n", fname); - - free(fname); -} - -void files_test(void) { - struct passwd *pw = getpwuid(getuid()); - if (!pw) { - fprintf(stderr, "Error: cannot retrieve user account information\n"); - return; - } - - username = strdup(pw->pw_name); - if (!username) - errExit("strdup"); - homedir = strdup(pw->pw_dir); - if (!homedir) - errExit("strdup"); - - // check access to .ssh directory - check_home_file(".ssh"); - - // check access to .gnupg directory - check_home_file(".gnupg"); - - // check access to Firefox browser directory - check_home_file(".mozilla"); - - // check access to Chromium browser directory - check_home_file(".config/chromium"); - - // check access to Debian Icedove directory - check_home_file(".icedove"); - - // check access to Thunderbird directory - check_home_file(".thunderbird"); -} diff --git a/src/faudit/main.c b/src/faudit/main.c deleted file mode 100644 index f6df9772da3..00000000000 --- a/src/faudit/main.c +++ /dev/null 
@@ -1,98 +0,0 @@ -/* - * Copyright (C) 2014-2020 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ -#include "faudit.h" -char *prog; - -int main(int argc, char **argv) { - // make test-arguments helper - if (getenv("FIREJAIL_TEST_ARGUMENTS")) { - printf("Arguments:\n"); - - int i; - for (i = 0; i < argc; i++) { - printf("#%s#\n", argv[i]); - } - - return 0; - } - - - if (argc != 1) { - int i; - - for (i = 1; i < argc; i++) { - if (strcmp(argv[i], "syscall") == 0) { - syscall_helper(argc, argv); - return 0; - } - } - return 1; - } - - printf("\n---------------- Firejail Audit: the GOOD, the BAD and the UGLY ----------------\n"); - - // extract program name - prog = realpath(argv[0], NULL); - if (prog == NULL) { - prog = strdup("faudit"); - if (!prog) - errExit("strdup"); - } - printf("INFO: starting %s.\n", prog); - - - // check pid namespace - pid_test(); - printf("\n"); - - // check seccomp - seccomp_test(); - printf("\n"); - - // check capabilities - caps_test(); - printf("\n"); - - // check some well-known problematic files and directories - files_test(); - printf("\n"); - - // network - network_test(); - printf("\n"); - - // dbus - dbus_test(); - printf("\n"); - - // x11 test - x11_test(); - printf("\n"); - - // /dev test - 
dev_test(); - printf("\n"); - - - free(prog); - printf("--------------------------------------------------------------------------------\n"); - - return 0; -} diff --git a/src/faudit/network.c b/src/faudit/network.c deleted file mode 100644 index f28aff554aa..00000000000 --- a/src/faudit/network.c +++ /dev/null 
@@ -1,101 +0,0 @@ -/* - * Copyright (C) 2014-2020 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ -#include "faudit.h" -#include -#include -#include -#include - -static void check_ssh(void) { - // open socket - int sock = socket(AF_INET, SOCK_STREAM, 0); - if (sock == -1) { - printf("GOOD: SSH server not available on localhost.\n"); - return; - } - - // connect to localhost - struct sockaddr_in server; - server.sin_addr.s_addr = inet_addr("127.0.0.1"); - server.sin_family = AF_INET; - server.sin_port = htons(22); - - if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0) - printf("GOOD: SSH server not available on localhost.\n"); - else { - printf("MAYBE: an SSH server is accessible on localhost. 
"); - printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n"); - } - - close(sock); -} - -static void check_http(void) { - // open socket - int sock = socket(AF_INET, SOCK_STREAM, 0); - if (sock == -1) { - printf("GOOD: HTTP server not available on localhost.\n"); - return; - } - - // connect to localhost - struct sockaddr_in server; - server.sin_addr.s_addr = inet_addr("127.0.0.1"); - server.sin_family = AF_INET; - server.sin_port = htons(80); - - if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0) - printf("GOOD: HTTP server not available on localhost.\n"); - else { - printf("MAYBE: an HTTP server is accessible on localhost. "); - printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n"); - } - - close(sock); -} - -void check_netlink(void) { - int sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, 0); - if (sock == -1) { - printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n"); - return; - } - - struct sockaddr_nl local; - memset(&local, 0, sizeof(local)); - local.nl_family = AF_NETLINK; - local.nl_groups = 0; //subscriptions; - - if (bind(sock, (struct sockaddr*)&local, sizeof(local)) < 0) { - printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n"); - close(sock); - return; - } - - close(sock); - printf("MAYBE: I can connect to netlink socket. Network utilities such as iproute2 will work fine in the sandbox. "); - printf("You can use \"--protocol\" to disable the socket.\n"); -} - -void network_test(void) { - check_ssh(); - check_http(); - check_netlink(); -} diff --git a/src/faudit/pid.c b/src/faudit/pid.c deleted file mode 100644 index 0a277ddc278..00000000000 --- a/src/faudit/pid.c +++ /dev/null 
@@ -1,99 +0,0 @@ -/* - * Copyright (C) 2014-2020 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ -#include "faudit.h" - -void pid_test(void) { - static char *kern_proc[] = { - "kthreadd", - "ksoftirqd", - "kworker", - "rcu_sched", - "rcu_bh", - NULL // NULL terminated list - }; - int i; - - // look at the first 10 processes - int not_visible = 1; - for (i = 1; i <= 10; i++) { - struct stat s; - char *fname; - if (asprintf(&fname, "/proc/%d/comm", i) == -1) - errExit("asprintf"); - if (stat(fname, &s) == -1) { - free(fname); - continue; - } - - // open file - /* coverity[toctou] */ - FILE *fp = fopen(fname, "r"); - if (!fp) { - free(fname); - continue; - } - - // read file - char buf[100]; - if (fgets(buf, 10, fp) == NULL) { - fclose(fp); - free(fname); - continue; - } - not_visible = 0; - - // clean /n - char *ptr; - if ((ptr = strchr(buf, '\n')) != NULL) - *ptr = '\0'; - - // check process name against the kernel list - int j = 0; - while (kern_proc[j] != NULL) { - if (strncmp(buf, kern_proc[j], strlen(kern_proc[j])) == 0) { - fclose(fp); - free(fname); - printf("BAD: Process %d is not running in a PID namespace. 
", getpid()); - printf("Are you sure you're running in a sandbox?\n"); - return; - } - j++; - } - - fclose(fp); - free(fname); - } - - pid_t pid = getpid(); - if (not_visible && pid > 100) - printf("BAD: Process %d is not running in a PID namespace.\n", pid); - else - printf("GOOD: process %d is running in a PID namespace.\n", pid); - - // try to guess the type of container/sandbox - char *str = getenv("container"); - if (str) - printf("INFO: container/sandbox %s.\n", str); - else { - str = getenv("SNAP"); - if (str) - printf("INFO: this is a snap package\n"); - } -} diff --git a/src/faudit/seccomp.c b/src/faudit/seccomp.c deleted file mode 100644 index ca9d34b8480..00000000000 --- a/src/faudit/seccomp.c +++ /dev/null 
@@ -1,101 +0,0 @@ -/* - * Copyright (C) 2014-2020 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ -#include "faudit.h" - -#define MAXBUF 4098 -static int extract_seccomp(int *val) { - FILE *fp = fopen("/proc/self/status", "r"); - if (!fp) - return 1; - - char buf[MAXBUF]; - while (fgets(buf, MAXBUF, fp)) { - if (strncmp(buf, "Seccomp:\t", 9) == 0) { - char *ptr = buf + 9; - int tmp; - sscanf(ptr, "%d", &tmp); - *val = tmp; - fclose(fp); - return 0; - } - } - - fclose(fp); - return 1; -} - -void seccomp_test(void) { - int seccomp_status; - int rv = extract_seccomp(&seccomp_status); - - if (rv) { - printf("INFO: cannot extract seccomp configuration on this platform.\n"); - return; - } - - if (seccomp_status == 0) { - printf("BAD: seccomp disabled. Use \"firejail --seccomp\" to enable it.\n"); - } - else if (seccomp_status == 1) - printf("GOOD: seccomp strict mode - only read, write, _exit, and sigreturn are allowed.\n"); - else if (seccomp_status == 2) { - printf("GOOD: seccomp BPF enabled.\n"); - - printf("checking syscalls: "); fflush(0); - printf("mount... "); fflush(0); - syscall_run("mount"); - - printf("umount2... "); fflush(0); - syscall_run("umount2"); - - printf("ptrace... 
"); fflush(0); - syscall_run("ptrace"); - - printf("swapon... "); fflush(0); - syscall_run("swapon"); - - printf("swapoff... "); fflush(0); - syscall_run("swapoff"); - - printf("init_module... "); fflush(0); - syscall_run("init_module"); - - printf("delete_module... "); fflush(0); - syscall_run("delete_module"); - - printf("chroot... "); fflush(0); - syscall_run("chroot"); - - printf("pivot_root... "); fflush(0); - syscall_run("pivot_root"); - -#if defined(__i386__) || defined(__x86_64__) - printf("iopl... "); fflush(0); - syscall_run("iopl"); - - printf("ioperm... "); fflush(0); - syscall_run("ioperm"); -#endif - printf("\n"); - } - else - fprintf(stderr, "Error: unrecognized seccomp mode\n"); - -} diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c deleted file mode 100644 index a8aa572a7a5..00000000000 --- a/src/faudit/syscall.c +++ /dev/null 
@@ -1,105 +0,0 @@ -/* - * Copyright (C) 2014-2020 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ -#include "faudit.h" -#include -#include -#if defined(__i386__) || defined(__x86_64__) -#include -#endif -#include -extern int init_module(void *module_image, unsigned long len, - const char *param_values); -extern int finit_module(int fd, const char *param_values, - int flags); -extern int delete_module(const char *name, int flags); -extern int pivot_root(const char *new_root, const char *put_old); - -void syscall_helper(int argc, char **argv) { - (void) argc; - - if (argc < 3) - return; - - if (strcmp(argv[2], "mount") == 0) { - int rv = mount(NULL, NULL, NULL, 0, NULL); - (void) rv; - printf("\nUGLY: mount syscall permitted.\n"); - } - else if (strcmp(argv[2], "umount2") == 0) { - umount2(NULL, 0); - printf("\nUGLY: umount2 syscall permitted.\n"); - } - else if (strcmp(argv[2], "ptrace") == 0) { - ptrace(0, 0, NULL, NULL); - printf("\nUGLY: ptrace syscall permitted.\n"); - } - else if (strcmp(argv[2], "swapon") == 0) { - swapon(NULL, 0); - printf("\nUGLY: swapon syscall permitted.\n"); - } - else if (strcmp(argv[2], "swapoff") == 0) { - swapoff(NULL); - printf("\nUGLY: swapoff syscall permitted.\n"); - } - else if 
(strcmp(argv[2], "init_module") == 0) { - init_module(NULL, 0, NULL); - printf("\nUGLY: init_module syscall permitted.\n"); - } - else if (strcmp(argv[2], "delete_module") == 0) { - delete_module(NULL, 0); - printf("\nUGLY: delete_module syscall permitted.\n"); - } - else if (strcmp(argv[2], "chroot") == 0) { - int rv = chroot("/blablabla-57281292"); - (void) rv; - printf("\nUGLY: chroot syscall permitted.\n"); - } - else if (strcmp(argv[2], "pivot_root") == 0) { - pivot_root(NULL, NULL); - printf("\nUGLY: pivot_root syscall permitted.\n"); - } -#if defined(__i386__) || defined(__x86_64__) - else if (strcmp(argv[2], "iopl") == 0) { - iopl(0L); - printf("\nUGLY: iopl syscall permitted.\n"); - } - else if (strcmp(argv[2], "ioperm") == 0) { - ioperm(0, 0, 0); - printf("\nUGLY: ioperm syscall permitted.\n"); - } -#endif - exit(0); -} - -void syscall_run(const char *name) { - assert(prog); - - pid_t child = fork(); - if (child < 0) - errExit("fork"); - if (child == 0) { - execl(prog, prog, "syscall", name, NULL); - perror("execl"); - _exit(1); - } - - // wait for the child to finish - waitpid(child, NULL, 0); -} diff --git a/src/faudit/x11.c b/src/faudit/x11.c deleted file mode 100644 index 5907ca761b6..00000000000 --- a/src/faudit/x11.c +++ /dev/null 
@@ -1,63 +0,0 @@ -/* - * Copyright (C) 2014-2020 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ -#include "faudit.h" -#include -#include - - -void x11_test(void) { - // check regular display 0 sockets - if (check_unix("/tmp/.X11-unix/X0") == 0) - printf("MAYBE: X11 socket /tmp/.X11-unix/X0 is available\n"); - - if (check_unix("@/tmp/.X11-unix/X0") == 0) - printf("MAYBE: X11 socket @/tmp/.X11-unix/X0 is available\n"); - - // check all unix sockets in /tmp/.X11-unix directory - DIR *dir; - if (!(dir = opendir("/tmp/.X11-unix"))) { - // sleep 2 seconds and try again - sleep(2); - if (!(dir = opendir("/tmp/.X11-unix"))) { - ; - } - } - - if (dir == NULL) - printf("GOOD: cannot open /tmp/.X11-unix directory\n"); - else { - struct dirent *entry; - while ((entry = readdir(dir)) != NULL) { - if (strcmp(entry->d_name, "X0") == 0) - continue; - if (strcmp(entry->d_name, ".") == 0) - continue; - if (strcmp(entry->d_name, "..") == 0) - continue; - char *name; - if (asprintf(&name, "/tmp/.X11-unix/%s", entry->d_name) == -1) - errExit("asprintf"); - if (check_unix(name) == 0) - printf("MAYBE: X11 socket %s is available\n", name); - free(name); - } - closedir(dir); - } -} 
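Review bot: deleting src/faudit removes the `--audit` self-test binary entirely, but the only matching cleanup visible in this excerpt is the `--audit` case dropped from the bash completion file; the option handling in the main firejail binary, the `faudit` entry in the top-level Makefile and configure, the man page section and any packaging file lists must go in the same change or the build and documentation will reference a program that no longer exists. The commit message should also say that the audit feature is removed rather than relocated, since users who ran `firejail --audit` to confirm seccomp, capability, PID-namespace, D-Bus and X11 state inside a sandbox lose that check.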
diff --git a/src/fbuilder/Makefile.in b/src/fbuilder/Makefile.in index 2847ca2cb2d..6eaee284b7a 100644 --- a/src/fbuilder/Makefile.in +++ b/src/fbuilder/Makefile.in @@ -1,3 +1,4 @@ +.PHONY: all all: fbuilder include ../common.mk @@ -8,7 +9,9 @@ include ../common.mk fbuilder: $(OBJS) $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) +.PHONY: clean clean:; rm -fr *.o fbuilder *.gcov *.gcda *.gcno *.plist +.PHONY: distclean distclean: clean rm -fr Makefile diff --git a/src/fbuilder/build_bin.c b/src/fbuilder/build_bin.c index c6f84dfbcd2..9577042c4df 100644 --- a/src/fbuilder/build_bin.c +++ b/src/fbuilder/build_bin.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -83,11 +83,9 @@ static void process_bin(const char *fname) { continue; *ptr2 = '\0'; - // skip strace - if (strcmp(ptr, "strace") == 0) - continue; - - bin_out = filedb_add(bin_out, ptr); + // skip strace and firejail (in case we hit a symlink in /usr/local/bin) + if (strcmp(ptr, "strace") && strcmp(ptr, "firejail")) + bin_out = filedb_add(bin_out, ptr); } fclose(fp); @@ -121,6 +119,5 @@ void build_bin(const char *fname, FILE *fp) { ptr = ptr->next; } fprintf(fp, "\n"); - fprintf(fp, "# private-lib\n"); } } diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c index 1b82310332a..019c3ac5abb 100644 --- a/src/fbuilder/build_fs.c +++ b/src/fbuilder/build_fs.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * 
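Review bot: the `strcmp(ptr, "strace")` skip kept in `process_bin()` becomes dead code once build_profile.c (later in this patch) stops running the application under strace; only the new `firejail` skip is still needed, so either drop the strace half or say in the comment that it is kept for old trace files. Also, `fprintf(fp, "# private-lib\n")` is removed from `build_bin()` without a replacement, so generated profiles no longer carry the commented-out `private-lib` hint while the `#private-tmp` and `#private-dev` hints are still emitted; if that asymmetry is deliberate, mention it in the commit message.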
@@ -146,31 +146,49 @@ void build_etc(const char *fname, FILE *fp) { //******************************************* // var directory //******************************************* +#if 0 +// todo: load the list from whitelist-var-common.inc +static char *var_skip[] = { + "/var/lib/ca-certificates", + "/var/lib/dbus", + "/var/lib/menu-xdg", + "/var/lib/uim", + "/var/cache/fontconfig", + "/var/tmp", + "/var/run", + "/var/lock", + NULL +}; +#endif static FileDB *var_out = NULL; +static FileDB *var_skip = NULL; static void var_callback(char *ptr) { - if (strcmp(ptr, "/var/lib") == 0) - ; - else if (strcmp(ptr, "/var/cache") == 0) - ; - else if (strncmp(ptr, "/var/lib/menu-xdg", 17) == 0) - var_out = filedb_add(var_out, "/var/lib/menu-xdg"); - else if (strncmp(ptr, "/var/cache/fontconfig", 21) == 0) - var_out = filedb_add(var_out, "/var/cache/fontconfig"); - else - var_out = filedb_add(var_out, ptr); + // extract the directory: + assert(strncmp(ptr, "/var", 4) == 0); + char *p1 = ptr + 4; + if (*p1 != '/') + return; + p1++; + + if (*p1 == '/') // double '/' + p1++; + if (*p1 == '\0') + return; + + if (!filedb_find(var_skip, p1)) + var_out = filedb_add(var_out, p1); } void build_var(const char *fname, FILE *fp) { assert(fname); + var_skip = filedb_load_whitelist(var_skip, "whitelist-var-common.inc", "allow /var/"); process_files(fname, "/var", var_callback); - if (var_out == NULL) { - fprintf(fp, "blacklist /var\n"); - } else { - filedb_print(var_out, "whitelist ", fp); - fprintf(fp, "include whitelist-var-common.inc\n"); - } + // always whitelist /var + if (var_out) + filedb_print(var_out, "allow /var/", fp); + fprintf(fp, "include whitelist-var-common.inc\n"); } @@ -178,6 +196,7 @@ void build_var(const char *fname, FILE *fp) { // usr/share directory //******************************************* static FileDB *share_out = NULL; +static FileDB *share_skip = NULL; static void share_callback(char *ptr) { // extract the directory: assert(strncmp(ptr, "/usr/share", 10) == 0); 
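Review bot: the `#if 0` block declares `static char *var_skip[]` and the live code a few lines below declares `static FileDB *var_skip`, so the disabled block can never be re-enabled without a redefinition error; delete it and keep only the todo comment. Separately, `var_callback()` now stores the full remainder after `/var/` (e.g. `lib/dbus/machine-id`) and checks it with `filedb_find(var_skip, p1)`, whereas `share_callback()` truncates at the next `/` before the same check; unless `filedb_find()` does prefix matching, a file under a skipped directory such as `lib/dbus` will not match the skip entry and will be emitted as a redundant `allow /var/...` line. The literal `"allow /var/"` passed to `filedb_load_whitelist()` also has to match the keyword actually used in whitelist-var-common.inc; if that file still begins its lines with `whitelist`, the skip list loads empty and every accessed path is printed.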
@@ -195,21 +214,21 @@ static void share_callback(char *ptr) { if (p2) *p2 = '\0'; - // store the file - share_out = filedb_add(share_out, ptr); + + if (!filedb_find(share_skip, p1)) + share_out = filedb_add(share_out, p1); } void build_share(const char *fname, FILE *fp) { assert(fname); + share_skip = filedb_load_whitelist(share_skip, "whitelist-usr-share-common.inc", "allow /usr/share/"); process_files(fname, "/usr/share", share_callback); - if (share_out == NULL) { - fprintf(fp, "blacklist /usr/share\n"); - } else { - filedb_print(share_out, "whitelist ", fp); - fprintf(fp, "include whitelist-usr-share-common.inc\n"); - } + // always whitelist /usr/share + if (share_out) + filedb_print(share_out, "allow /usr/share/", fp); + fprintf(fp, "include whitelist-usr-share-common.inc\n"); } //******************************************* @@ -217,6 +236,14 @@ void build_share(const char *fname, FILE *fp) { //******************************************* static FileDB *tmp_out = NULL; static void tmp_callback(char *ptr) { + // skip strace file + if (strncmp(ptr, "/tmp/firejail-strace", 20) == 0) + return; + if (strncmp(ptr, "/tmp/runtime-", 13) == 0) + return; + if (strcmp(ptr, "/tmp") == 0) + return; + tmp_out = filedb_add(tmp_out, ptr); } @@ -228,8 +255,7 @@ void build_tmp(const char *fname, FILE *fp) { if (tmp_out == NULL) fprintf(fp, "private-tmp\n"); else { - fprintf(fp, "\n"); - fprintf(fp, "# private-tmp\n"); + fprintf(fp, "#private-tmp\n"); fprintf(fp, "# File accessed in /tmp directory:\n"); fprintf(fp, "# "); FileDB *ptr = tmp_out; 
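Review bot: the new `strncmp(ptr, "/tmp/firejail-strace", 20)` skip in `tmp_callback()` is dead code, since build_profile.c in this same patch no longer runs strace or creates `/tmp/firejail-strace.XXXXXX`; drop it together with the now-unused `STRACE_OUTPUT` define. The `/tmp/runtime-` skip deserves a comment naming what it hides and why, so it does not read as an arbitrary exclusion. Changing the emitted line from `# private-tmp` to `#private-tmp` is consistent with the `#private-dev` line below, but since the generated profile now lists the accessed /tmp files right after it, a short trailing comment telling the user the directive is commented out on purpose (enable it after checking the list) would help.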
@@ -245,40 +271,37 @@ void build_tmp(const char *fname, FILE *fp) { // dev directory //******************************************* static char *dev_skip[] = { + "/dev/stdin", + "/dev/stdout", + "/dev/stderr", "/dev/zero", "/dev/null", "/dev/full", "/dev/random", + "/dev/srandom", "/dev/urandom", + "/dev/sr0", + "/dev/cdrom", + "/dev/cdrw", + "/dev/dvd", + "/dev/dvdrw", + "/dev/fd", + "/dev/pts", + "/dev/ptmx", + "/dev/log", + + "/dev/aload", // old ALSA devices, not covered in private-dev + "/dev/dsp", // old OSS device, deprecated + "/dev/tty", "/dev/snd", "/dev/dri", - "/dev/pts", - "/dev/nvidia0", - "/dev/nvidia1", - "/dev/nvidia2", - "/dev/nvidia3", - "/dev/nvidia4", - "/dev/nvidia5", - "/dev/nvidia6", - "/dev/nvidia7", - "/dev/nvidia8", - "/dev/nvidia9", - "/dev/nvidiactl", - "/dev/nvidia-modeset", - "/dev/nvidia-uvm", - "/dev/video0", - "/dev/video1", - "/dev/video2", - "/dev/video3", - "/dev/video4", - "/dev/video5", - "/dev/video6", - "/dev/video7", - "/dev/video8", - "/dev/video9", + "/dev/nvidia", + "/dev/video", "/dev/dvb", - "/dev/sr0", + "/dev/hidraw", + "/dev/usb", + "/dev/input", NULL }; @@ -288,7 +311,7 @@ static void dev_callback(char *ptr) { int i = 0; int found = 0; while (dev_skip[i]) { - if (strcmp(ptr, dev_skip[i]) == 0) { + if (strncmp(ptr, dev_skip[i], strlen(dev_skip[i])) == 0) { found = 1; break; } @@ -306,9 +329,8 @@ void build_dev(const char *fname, FILE *fp) { if (dev_out == NULL) fprintf(fp, "private-dev\n"); else { - fprintf(fp, "\n"); - fprintf(fp, "# private-dev\n"); - fprintf(fp, "# This is the list of devices accessed (on top of regular private-dev devices:\n"); + fprintf(fp, "#private-dev\n"); + fprintf(fp, "# This is the list of devices accessed on top of regular private-dev devices:\n"); fprintf(fp, "# "); FileDB *ptr = dev_out; while (ptr) { diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c index fca3396c4d4..c85474779c2 100644 --- a/src/fbuilder/build_home.c +++ b/src/fbuilder/build_home.c 
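Review bot: switching `dev_callback()` from `strcmp` to a `strncmp` prefix match makes several entries much broader than their names suggest: `/dev/tty` now also swallows `/dev/ttyS*` and `/dev/ttyUSB*` serial devices, `/dev/fd` swallows `/dev/fd0`, and `/dev/usb` swallows `/dev/usbmon*`, so accesses to those devices are silently dropped from the generated list even though `private-dev` does not provide them, and the resulting profile breaks the program. Match the prefix only when the following character is `\0`, `/` or a digit (which is all the collapsed `/dev/nvidia` and `/dev/video` entries need), or keep exact matches for the ambiguous names.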
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -23,30 +23,6 @@ static FileDB *db_skip = NULL; static FileDB *db_out = NULL; -static void load_whitelist_common(void) { - FILE *fp = fopen("/etc/firejail/whitelist-common.inc", "r"); - if (!fp) { - fprintf(stderr, "Error: cannot open whitelist-common.inc\n"); - exit(1); - } - - char buf[MAX_BUF]; - while (fgets(buf, MAX_BUF, fp)) { - if (strncmp(buf, "whitelist ${HOME}/", 18) != 0) - continue; - char *fn = buf + 18; - char *ptr = strchr(buf, '\n'); - if (!ptr) - continue; - *ptr = '\0'; - - // add the file to skip list - db_skip = filedb_add(db_skip, fn); - } - - fclose(fp); -} - void process_home(const char *fname, char *home, int home_len) { assert(fname); assert(home); @@ -92,6 +68,8 @@ void process_home(const char *fname, char *home, int home_len) { ptr += 7; else if (strncmp(ptr, "open /home", 10) == 0) ptr += 5; + else if (strncmp(ptr, "opendir /home", 13) == 0) + ptr += 8; else continue; @@ -141,7 +119,7 @@ void process_home(const char *fname, char *home, int home_len) { } // skip files and directories in whitelist-common.inc - if (filedb_find(db_skip, toadd)) { + if (strlen(toadd) == 0 || filedb_find(db_skip, toadd)) { if (dir) free(dir); continue; @@ -162,7 +140,7 @@ void build_home(const char *fname, FILE *fp) { assert(fname); // load whitelist common - load_whitelist_common(); + db_skip = filedb_load_whitelist(db_skip, "whitelist-common.inc", "allow ${HOME}/"); // find user home directory struct passwd *pw = getpwuid(getuid()); @@ -190,7 +168,7 @@ void build_home(const char *fname, FILE *fp) { // print the out list if any if (db_out) { - filedb_print(db_out, "whitelist ${HOME}/", fp); + filedb_print(db_out, "allow ${HOME}/", fp); fprintf(fp, "include whitelist-common.inc\n"); } else diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c index adc00e67b14..0b9a997398d 100644 
--- a/src/fbuilder/build_profile.c +++ b/src/fbuilder/build_profile.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -24,21 +24,6 @@ #define TRACE_OUTPUT "/tmp/firejail-trace.XXXXXX" #define STRACE_OUTPUT "/tmp/firejail-strace.XXXXXX" -/* static char *cmdlist[] = { */ -/* "/usr/bin/firejail", */ -/* "--quiet", */ -/* "--output=" TRACE_OUTPUT, */ -/* "--noprofile", */ -/* "--caps.drop=all", */ -/* "--nonewprivs", */ -/* "--trace", */ -/* "--shell=none", */ -/* "/usr/bin/strace", // also used as a marker in build_profile() */ -/* "-c", */ -/* "-f", */ -/* "-o" STRACE_OUTPUT, */ -/* }; */ - void build_profile(int argc, char **argv, int index, FILE *fp) { // next index is the application name if (index >= argc) { @@ -47,44 +32,25 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { } char trace_output[] = "/tmp/firejail-trace.XXXXXX"; - char strace_output[] = "/tmp/firejail-strace.XXXXXX"; - int tfile = mkstemp(trace_output); - int stfile = mkstemp(strace_output); - if(tfile == -1 || stfile == -1) + if(tfile == -1) errExit("mkstemp"); - - // close the files, firejail/strace will overwrite them! close(tfile); - close(stfile); - char *output; - char *stroutput; if(asprintf(&output,"--trace=%s",trace_output) == -1) errExit("asprintf"); - if(asprintf(&stroutput,"-o%s",strace_output) == -1) - errExit("asprintf"); char *cmdlist[] = { BINDIR "/firejail", "--quiet", "--noprofile", "--caps.drop=all", - "--nonewprivs", + "--seccomp", output, "--shell=none", - "/usr/bin/strace", // also used as a marker in build_profile() - "-c", - "-f", - stroutput, }; - // detect strace - int have_strace = 0; - if (access("/usr/bin/strace", X_OK) == 0) - have_strace = 1; - // calculate command length unsigned len = (int) sizeof(cmdlist) / sizeof(char*) + argc - index + 1; if (arg_debug) 
@@ -94,12 +60,8 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { // build command unsigned i = 0; - for (i = 0; i < (int) sizeof(cmdlist) / sizeof(char*); i++) { - // skip strace if not installed - if (have_strace == 0 && strcmp(cmdlist[i], "/usr/bin/strace") == 0) - break; + for (i = 0; i < (int) sizeof(cmdlist) / sizeof(char*); i++) cmd[i] = cmdlist[i]; - } int i2 = index; for (; i < (len - 1); i++, i2++) @@ -131,6 +93,12 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { if (WIFEXITED(status) && WEXITSTATUS(status) == 0) { if (fp == stdout) printf("--- Built profile beings after this line ---\n"); + fprintf(fp, "# Save this file as \"application.profile\" (change \"application\" with the\n"); + fprintf(fp, "# program name) in ~/.config/firejail directory. Firejail will find it\n"); + fprintf(fp, "# automatically every time you sandbox your application.\n#\n"); + fprintf(fp, "# Run \"firejail application\" to test it. In the file there are\n"); + fprintf(fp, "# some other commands you can try. Enable them by removing the \"#\".\n\n"); + fprintf(fp, "# Firejail profile for %s\n", argv[index]); fprintf(fp, "# Persistent local customizations\n"); fprintf(fp, "#include %s.local\n", argv[index]); 
@@ -138,59 +106,66 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { fprintf(fp, "#include globals.local\n"); fprintf(fp, "\n"); - fprintf(fp, "### basic blacklisting\n"); - fprintf(fp, "include disable-common.inc\n"); - fprintf(fp, "# include disable-devel.inc\n"); - fprintf(fp, "# include disable-exec.inc\n"); - fprintf(fp, "# include disable-interpreters.inc\n"); - fprintf(fp, "include disable-passwdmgr.inc\n"); - fprintf(fp, "# include disable-programs.inc\n"); - fprintf(fp, "# include disable-xdg.inc\n"); + fprintf(fp, "### Basic Blacklisting ###\n"); + fprintf(fp, "### Enable as many of them as you can! A very important one is\n"); + fprintf(fp, "### \"disable-exec.inc\". This will make among other things your home\n"); + fprintf(fp, "### and /tmp directories non-executable.\n"); + fprintf(fp, "include disable-common.inc\t# dangerous directories like ~/.ssh and ~/.gnupg\n"); + fprintf(fp, "#include disable-devel.inc\t# development tools such as gcc and gdb\n"); + fprintf(fp, "#include disable-exec.inc\t# non-executable directories such as /var, /tmp, and /home\n"); + fprintf(fp, "#include disable-interpreters.inc\t# perl, python, lua etc.\n"); + fprintf(fp, "include disable-programs.inc\t# user configuration for programs such as firefox, vlc etc.\n"); + fprintf(fp, "#include disable-shell.inc\t# sh, bash, zsh etc.\n"); + fprintf(fp, "#include disable-xdg.inc\t# standard user directories: Documents, Pictures, Videos, Music\n"); fprintf(fp, "\n"); - fprintf(fp, "### home directory whitelisting\n"); + fprintf(fp, "### Home Directory Whitelisting ###\n"); + fprintf(fp, "### If something goes wrong, this section is the first one to comment out.\n"); + fprintf(fp, "### Instead, you'll have to relay on the basic blacklisting above.\n"); build_home(trace_output, fp); fprintf(fp, "\n"); - fprintf(fp, "### filesystem\n"); - fprintf(fp, "# /usr/share:\n"); + fprintf(fp, "### Filesystem Whitelisting ###\n"); build_share(trace_output, fp); - fprintf(fp, 
"# /var:\n"); + //todo: include whitelist-runuser-common.inc build_var(trace_output, fp); fprintf(fp, "\n"); - fprintf(fp, "# $PATH:\n"); - build_bin(trace_output, fp); - fprintf(fp, "# /dev:\n"); - build_dev(trace_output, fp); - fprintf(fp, "# /etc:\n"); - build_etc(trace_output, fp); - fprintf(fp, "# /tmp:\n"); - build_tmp(trace_output, fp); - fprintf(fp, "\n"); - fprintf(fp, "### security filters\n"); + fprintf(fp, "#apparmor\t# if you have AppArmor running, try this one!\n"); fprintf(fp, "caps.drop all\n"); + fprintf(fp, "ipc-namespace\n"); + fprintf(fp, "netfilter\n"); + fprintf(fp, "#no3d\t# disable 3D acceleration\n"); + fprintf(fp, "#nodvd\t# disable DVD and CD devices\n"); + fprintf(fp, "#nogroups\t# disable supplementary user groups\n"); + fprintf(fp, "#noinput\t# disable input devices\n"); fprintf(fp, "nonewprivs\n"); + fprintf(fp, "noroot\n"); + fprintf(fp, "#notv\t# disable DVB TV devices\n"); + fprintf(fp, "#nou2f\t# disable U2F devices\n"); + fprintf(fp, "#novideo\t# disable video capture devices\n"); + build_protocol(trace_output, fp); fprintf(fp, "seccomp\n"); - if (have_strace) - build_seccomp(strace_output, fp); - else { - fprintf(fp, "# If you install strace on your system, Firejail will also create a\n"); - fprintf(fp, "# whitelisted seccomp filter.\n"); - } + fprintf(fp, "shell none\n"); + fprintf(fp, "tracelog\n"); fprintf(fp, "\n"); - fprintf(fp, "### network\n"); - build_protocol(trace_output, fp); + fprintf(fp, "#disable-mnt\t# no access to /mnt, /media, /run/mount and /run/media\n"); + build_bin(trace_output, fp); + fprintf(fp, "#private-cache\t# run with an empty ~/.cache directory\n"); + build_dev(trace_output, fp); + build_etc(trace_output, fp); + fprintf(fp, "#private-lib\n"); + build_tmp(trace_output, fp); fprintf(fp, "\n"); - fprintf(fp, "### environment\n"); - fprintf(fp, "shell none\n"); + fprintf(fp, "#dbus-user none\n"); + fprintf(fp, "#dbus-system none\n"); + fprintf(fp, "\n"); + fprintf(fp, "#memory-deny-write-execute\n"); - 
if (!arg_debug) { + if (!arg_debug) unlink(trace_output); - unlink(strace_output); - } } else { fprintf(stderr, "Error: cannot run the sandbox\n"); diff --git a/src/fbuilder/build_seccomp.c b/src/fbuilder/build_seccomp.c index 041d14d0ed9..daf8d63aca4 100644 --- a/src/fbuilder/build_seccomp.c +++ b/src/fbuilder/build_seccomp.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -20,6 +20,7 @@ #include "fbuilder.h" +#if 0 void build_seccomp(const char *fname, FILE *fp) { assert(fname); assert(fp); @@ -78,15 +79,17 @@ void build_seccomp(const char *fname, FILE *fp) { fclose(fp2); } +#endif //*************************************** // protocol //*************************************** -int unix_s = 0; -int inet = 0; -int inet6 = 0; -int netlink = 0; -int packet = 0; +static int unix_s = 0; +static int inet = 0; +static int inet6 = 0; +static int netlink = 0; +static int packet = 0; +static int bluetooth = 0; static void process_protocol(const char *fname) { assert(fname); @@ -135,6 +138,8 @@ static void process_protocol(const char *fname) { netlink = 1; else if (strncmp(ptr, "AF_PACKET ", 10) == 0) packet = 1; + else if (strncmp(ptr, "AF_BLUETOOTH ", 13) == 0) + bluetooth = 1; } fclose(fp); @@ -161,22 +166,22 @@ void build_protocol(const char *fname, FILE *fp) { } int net = 0; - if (unix_s || inet || inet6 || netlink || packet) { + if (unix_s || inet || inet6 || netlink || packet || bluetooth) { fprintf(fp, "protocol "); if (unix_s) fprintf(fp, "unix,"); - if (inet) { - fprintf(fp, "inet,"); - net = 1; - } - if (inet6) { - fprintf(fp, "inet6,"); + if (inet || inet6) { + fprintf(fp, "inet,inet6,"); net = 1; } if (netlink) fprintf(fp, "netlink,"); if (packet) { - fprintf(fp, "packet"); + fprintf(fp, "packet,"); + net = 1; + } + if (bluetooth) { + fprintf(fp, "bluetooth"); net = 1; } fprintf(fp, "\n"); 
diff --git a/src/fbuilder/fbuilder.h b/src/fbuilder/fbuilder.h index 5c043ffece1..08dd35e1022 100644 --- a/src/fbuilder/fbuilder.h +++ b/src/fbuilder/fbuilder.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -66,5 +66,6 @@ typedef struct filedb_t { FileDB *filedb_add(FileDB *head, const char *fname); FileDB *filedb_find(FileDB *head, const char *fname); void filedb_print(FileDB *head, const char *prefix, FILE *fp); +FileDB *filedb_load_whitelist(FileDB *head, const char *fname, const char *prefix); #endif diff --git a/src/fbuilder/filedb.c b/src/fbuilder/filedb.c index bf4e911dde8..94a226cb749 100644 --- a/src/fbuilder/filedb.c +++ b/src/fbuilder/filedb.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -20,7 +20,9 @@ #include "fbuilder.h" +// find exact name or an exact name in a parent directory FileDB *filedb_find(FileDB *head, const char *fname) { + assert(fname); FileDB *ptr = head; int found = 0; int len = strlen(fname); @@ -52,6 +54,8 @@ FileDB *filedb_find(FileDB *head, const char *fname) { FileDB *filedb_add(FileDB *head, const char *fname) { assert(fname); + // todo: support fnames such as ${RUNUSER}/.mutter-Xwaylandauth.* + // don't add it if it is already there or if the parent directory is already in the list if (filedb_find(head, fname)) return head; 
@@ -70,9 +74,52 @@ FileDB *filedb_add(FileDB *head, const char *fname) { }; void filedb_print(FileDB *head, const char *prefix, FILE *fp) { + assert(head); + assert(prefix); + FileDB *ptr = head; while (ptr) { - fprintf(fp, "%s%s\n", prefix, ptr->fname); + if (fp) + fprintf(fp, "%s%s\n", prefix, ptr->fname); + else + printf("%s%s\n", prefix, ptr->fname); ptr = ptr->next; } } + +FileDB *filedb_load_whitelist(FileDB *head, const char *fname, const char *prefix) { + assert(fname); + assert(prefix); + int len = strlen(prefix); + char *f; + if (asprintf(&f, "%s/%s", SYSCONFDIR, fname) == -1) + errExit("asprintf"); + FILE *fp = fopen(f, "r"); + if (!fp) { + fprintf(stderr, "Error: cannot open whitelist-common.inc\n"); + free(f); + exit(1); + } + + char buf[MAX_BUF]; + while (fgets(buf, MAX_BUF, fp)) { + if (strncmp(buf, prefix, len) != 0) + continue; + + char *fn = buf + len; + char *ptr = strchr(buf, '\n'); + if (!ptr) + continue; + *ptr = '\0'; + + // add the file to skip list + head = filedb_add(head, fn); + } + + fclose(fp); + free(f); +//printf("***************************************************\n"); +//filedb_print(head, prefix, NULL); +//printf("***************************************************\n"); + return head; +} diff --git a/src/fbuilder/main.c b/src/fbuilder/main.c index 5612c21d5eb..6c9fc507cdc 100644 --- a/src/fbuilder/main.c +++ b/src/fbuilder/main.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -39,7 +39,7 @@ printf("\n"); int i; int prog_index = 0; FILE *fp = stdout; - int prof_file = 0; + char *prof_file = NULL; // parse arguments and extract program index for (i = 1; i < argc; i++) { 
@@ -58,18 +58,23 @@ printf("\n"); exit(1); } + // don't run if the file exists + if (access(argv[i] + 8, F_OK) == 0) { + fprintf(stderr, "Error: the profile file already exists. Please use a different file name.\n"); + exit(1); + } + // check file access fp = fopen(argv[i] + 8, "w"); if (!fp) { - fprintf(stderr, "Error fbuild: cannot open profile file.\n"); + fprintf(stderr, "Error: cannot open profile file.\n"); exit(1); } - prof_file = 1; - // do nothing, this is passed down from firejail + prof_file = argv[i] + 8; } else { if (*argv[i] == '-') { - fprintf(stderr, "Error fbuilder: invalid program\n"); + fprintf(stderr, "Error: invalid program\n"); usage(); exit(1); } @@ -79,10 +84,13 @@ printf("\n"); } if (prog_index == 0) { - fprintf(stderr, "Error fbuilder: program and arguments required\n"); + fprintf(stderr, "Error : program and arguments required\n"); usage(); - if (prof_file) + if (prof_file) { fclose(fp); + int rv = unlink(prof_file); + (void) rv; + } exit(1); } diff --git a/src/fbuilder/utils.c b/src/fbuilder/utils.c index 2ae829403b8..52493f47062 100644 --- a/src/fbuilder/utils.c +++ b/src/fbuilder/utils.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff --git a/src/fcopy/Makefile.in b/src/fcopy/Makefile.in index 64e277e2d5e..e19f5d3b585 100644 --- a/src/fcopy/Makefile.in +++ b/src/fcopy/Makefile.in @@ -1,3 +1,4 @@ +.PHONY: all all: fcopy include ../common.mk @@ -5,10 +6,12 @@ include ../common.mk %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ -fcopy: $(OBJS) - $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) +fcopy: $(OBJS) ../lib/common.o + $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) +.PHONY: clean clean:; rm -fr *.o fcopy *.gcov *.gcda *.gcno *.plist +.PHONY: distclean distclean: clean rm -fr Makefile 
diff --git a/src/fcopy/main.c b/src/fcopy/main.c index 83d9c17e663..f279af89fc9 100644 --- a/src/fcopy/main.c +++ b/src/fcopy/main.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -19,11 +19,15 @@ */ #include "../include/common.h" -#include #include #include #include +#include +#ifndef O_PATH +#define O_PATH 010000000 +#endif + #if HAVE_SELINUX #include #include @@ -51,10 +55,11 @@ static int selinux_enabled = -1; #endif // copy from firejail/selinux.c -static void selinux_relabel_path(const char *path, const char *inside_path) -{ +static void selinux_relabel_path(const char *path, const char *inside_path) { + assert(path); + assert(inside_path); #if HAVE_SELINUX - char procfs_path[64]; + char procfs_path[64]; char *fcon = NULL; int fd; struct stat st; @@ -68,20 +73,24 @@ static void selinux_relabel_path(const char *path, const char *inside_path) if (!label_hnd) label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0); + if (!label_hnd) + errExit("selabel_open"); + /* Open the file as O_PATH, to pin it while we determine and adjust the label */ - fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH); + fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH); if (fd < 0) return; if (fstat(fd, &st) < 0) goto close; - if (selabel_lookup_raw(label_hnd, &fcon, inside_path, st.st_mode) == 0) { + if (selabel_lookup_raw(label_hnd, &fcon, inside_path, st.st_mode) == 0) { sprintf(procfs_path, "/proc/self/fd/%i", fd); if (arg_debug) printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon); - setfilecon_raw(procfs_path, fcon); - } + if (setfilecon_raw(procfs_path, fcon) != 0 && arg_debug) + printf("Cannot relabel %s: %s\n", path, strerror(errno)); + } freecon(fcon); close: close(fd); 
@@ -111,7 +120,7 @@ static void copy_file(const char *srcname, const char *destname, mode_t mode, ui } // open destination - int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, 0755); + int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR); if (dst < 0) { if (!arg_quiet) fprintf(stderr, "Warning fcopy: cannot open %s, file not copied\n", destname); @@ -132,7 +141,8 @@ static void copy_file(const char *srcname, const char *destname, mode_t mode, ui done += rv; } } - fflush(0); + if (len < 0) + goto errexit; if (fchown(dst, uid, gid) == -1) goto errexit; @@ -171,6 +181,51 @@ static void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) { } } +static char *proc_pid_to_self(const char *target) { + assert(target); + char *use_target = 0; + char *proc_pid = 0; + + if (!(use_target = realpath(target, NULL))) + goto done; + + // target is under /proc/? + static const char proc[] = "/proc/"; + if (strncmp(use_target, proc, sizeof(proc) - 1)) + goto done; + + int digit = use_target[sizeof(proc) - 1]; + if (digit < '1' || digit > '9') + goto done; + + // check where /proc/self points to + static const char proc_self[] = "/proc/self"; + if (!(proc_pid = realpath(proc_self, NULL))) + goto done; + + // redirect /proc/PID/xxx -> /proc/self/XXX + size_t pfix = strlen(proc_pid); + if (strncmp(use_target, proc_pid, pfix)) + goto done; + + if (use_target[pfix] != 0 && use_target[pfix] != '/') + goto done; + + char *tmp; + if (asprintf(&tmp, "%s%s", proc_self, use_target + pfix) != -1) { + if (arg_debug) + fprintf(stderr, "SYMLINK %s\n --> %s\n", use_target, tmp); + free(use_target); + use_target = tmp; + } + else + errExit("asprintf"); + +done: + if (proc_pid) + free(proc_pid); + return use_target; +} void copy_link(const char *target, const char *linkpath, mode_t mode, uid_t uid, gid_t gid) { (void) mode; 
@@ -179,10 +234,10 @@ void copy_link(const char *target, const char *linkpath, mode_t mode, uid_t uid, // if the link is already there, don't create it struct stat s; - if (stat(linkpath, &s) == 0) + if (lstat(linkpath, &s) == 0) return; - char *rp = realpath(target, NULL); + char *rp = proc_pid_to_self(target); if (rp) { if (symlink(rp, linkpath) == -1) { free(rp); @@ -226,16 +281,14 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str first = 0; else if (!arg_quiet) fprintf(stderr, "Warning fcopy: skipping %s, file already present\n", infname); - free(outfname); - return 0; + goto out; } // extract mode and ownership if (stat(infname, &s) != 0) { if (!arg_quiet) fprintf(stderr, "Warning fcopy: skipping %s, cannot find inode\n", infname); - free(outfname); - return 0; + goto out; } uid_t uid = s.st_uid; gid_t gid = s.st_gid; @@ -245,8 +298,7 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str if ((s.st_size + size_cnt) > copy_limit) { fprintf(stderr, "Error fcopy: size limit of %lu MB reached\n", (copy_limit / 1024) / 1024); size_limit_reached = 1; - free(outfname); - return 0; + goto out; } file_cnt++; @@ -261,7 +313,8 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str else if (ftype == FTW_SL) { copy_link(infname, outfname, mode, uid, gid); } - +out: + free(outfname); return(0); } @@ -294,7 +347,8 @@ static char *check(const char *src) { return rsrc; // normal exit from the function errexit: - fprintf(stderr, "Error fcopy: invalid file %s\n", src); + free(rsrc); + fprintf(stderr, "Error fcopy: invalid ownership for file %s\n", src); exit(1); } 
@@ -411,25 +465,21 @@ int main(int argc, char **argv) { exit(1); } - // trim trailing chars - if (src[strlen(src) - 1] == '/') - src[strlen(src) - 1] = '\0'; - if (dest[strlen(dest) - 1] == '/') - dest[strlen(dest) - 1] = '\0'; + warn_dumpable(); // check the two files; remove ending / - int len = strlen(src); - if (src[len - 1] == '/') - src[len - 1] = '\0'; - if (strcspn(src, "\\*&!?\"'<>%^(){}[];,") != (size_t)len) { + size_t len = strlen(src); + while (len > 1 && src[len - 1] == '/') + src[--len] = '\0'; + if (strcspn(src, "\\*&!?\"'<>%^(){}[];,") != len) { fprintf(stderr, "Error fcopy: invalid source file name %s\n", src); exit(1); } len = strlen(dest); - if (dest[len - 1] == '/') - dest[len - 1] = '\0'; - if (strcspn(dest, "\\*&!?\"'<>%^(){}[];,~") != (size_t)len) { + while (len > 1 && dest[len - 1] == '/') + dest[--len] = '\0'; + if (strcspn(dest, "\\*&!?\"'<>%^(){}[];,~") != len) { fprintf(stderr, "Error fcopy: invalid dest file name %s\n", dest); exit(1); } diff --git a/src/fids/Makefile.in b/src/fids/Makefile.in new file mode 100644 index 00000000000..5530bcee2cd --- /dev/null +++ b/src/fids/Makefile.in @@ -0,0 +1,18 @@ +.PHONY: all +all: fids + +include ../common.mk + +%.o : %.c $(H_FILE_LIST) ../include/common.h + $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ + +#fseccomp: $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o +fids: $(OBJS) + $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) + +.PHONY: clean +clean:; rm -fr *.o fids *.gcov *.gcda *.gcno *.plist + +.PHONY: distclean +distclean: clean + rm -fr Makefile diff --git a/src/fids/blake2b.c b/src/fids/blake2b.c new file mode 100644 index 00000000000..f2aa5ae66bf --- /dev/null +++ b/src/fids/blake2b.c 
@@ -0,0 +1,176 @@ +/* + * Copyright (C) 2014-2021 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +/* A simple unkeyed BLAKE2b Implementation based on the official reference + * from https://github.com/BLAKE2/BLAKE2. + * + * The original code was released under CC0 1.0 Universal license (Creative Commons), + * a public domain license. + */ + +#include "fids.h" + +// little-endian vs big-endian is irrelevant since the checksum is calculated and checked on the same computer. 
+static inline uint64_t load64( const void *src ) { + uint64_t w; + memcpy( &w, src, sizeof( w ) ); + return w; +} + +// mixing function +#define ROTR64(x, y) (((x) >> (y)) ^ ((x) << (64 - (y)))) +#define G(a, b, c, d, x, y) { \ + v[a] = v[a] + v[b] + x; \ + v[d] = ROTR64(v[d] ^ v[a], 32); \ + v[c] = v[c] + v[d]; \ + v[b] = ROTR64(v[b] ^ v[c], 24); \ + v[a] = v[a] + v[b] + y; \ + v[d] = ROTR64(v[d] ^ v[a], 16); \ + v[c] = v[c] + v[d]; \ + v[b] = ROTR64(v[b] ^ v[c], 63); } + +// init vector +static const uint64_t iv[8] = { + 0x6A09E667F3BCC908, 0xBB67AE8584CAA73B, + 0x3C6EF372FE94F82B, 0xA54FF53A5F1D36F1, + 0x510E527FADE682D1, 0x9B05688C2B3E6C1F, + 0x1F83D9ABFB41BD6B, 0x5BE0CD19137E2179 +}; + + +const uint8_t sigma[12][16] = { + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, + { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }, + { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 }, + { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 }, + { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 }, + { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 }, + { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 }, + { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 }, + { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 }, + { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 }, + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, + { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } +}; + +// blake2b context +typedef struct { + uint8_t b[128]; // input buffer + uint64_t h[8]; // chained state + uint64_t t[2]; // total number of bytes + size_t c; // pointer for b[] + size_t outlen; // digest size +} CTX; + +// compress function +static void compress(CTX *ctx, int last) { + uint64_t m[16]; + uint64_t v[16]; + size_t i; + + for (i = 0; i < 16; i++) + m[i] = load64(&ctx->b[8 * i]); + + for (i = 0; i < 8; i++) { + v[i] = ctx->h[i]; + v[i + 8] = iv[i]; + } + + v[12] ^= ctx->t[0]; + v[13] ^= ctx->t[1]; + if (last) + v[14] = 
~v[14]; + + for (i = 0; i < 12; i++) { + G( 0, 4, 8, 12, m[sigma[i][ 0]], m[sigma[i][ 1]]); + G( 1, 5, 9, 13, m[sigma[i][ 2]], m[sigma[i][ 3]]); + G( 2, 6, 10, 14, m[sigma[i][ 4]], m[sigma[i][ 5]]); + G( 3, 7, 11, 15, m[sigma[i][ 6]], m[sigma[i][ 7]]); + G( 0, 5, 10, 15, m[sigma[i][ 8]], m[sigma[i][ 9]]); + G( 1, 6, 11, 12, m[sigma[i][10]], m[sigma[i][11]]); + G( 2, 7, 8, 13, m[sigma[i][12]], m[sigma[i][13]]); + G( 3, 4, 9, 14, m[sigma[i][14]], m[sigma[i][15]]); + } + + for( i = 0; i < 8; ++i ) + ctx->h[i] ^= v[i] ^ v[i + 8]; +} + +static int init(CTX *ctx, size_t outlen) { // (keylen=0: no key) + size_t i; + + if (outlen == 0 || outlen > 64) + return -1; + + for (i = 0; i < 8; i++) + ctx->h[i] = iv[i]; + ctx->h[0] ^= 0x01010000 ^ outlen; + + ctx->t[0] = 0; + ctx->t[1] = 0; + ctx->c = 0; + ctx->outlen = outlen; + + return 0; +} + +static void update(CTX *ctx, const void *in, size_t inlen) { + size_t i; + + for (i = 0; i < inlen; i++) { + if (ctx->c == 128) { + ctx->t[0] += ctx->c; + if (ctx->t[0] < ctx->c) + ctx->t[1]++; + compress(ctx, 0); + ctx->c = 0; + } + ctx->b[ctx->c++] = ((const uint8_t *) in)[i]; + } +} + +static void final(CTX *ctx, void *out) { + size_t i; + + ctx->t[0] += ctx->c; + if (ctx->t[0] < ctx->c) + ctx->t[1]++; + + while (ctx->c < 128) + ctx->b[ctx->c++] = 0; + compress(ctx, 1); + + for (i = 0; i < ctx->outlen; i++) { + ((uint8_t *) out)[i] = + (ctx->h[i >> 3] >> (8 * (i & 7))) & 0xFF; + } +} + +// public function +int blake2b(void *out, size_t outlen, const void *in, size_t inlen) { + CTX ctx; + + if (init(&ctx, outlen)) + return -1; + update(&ctx, in, inlen); + final(&ctx, out); + + return 0; +} diff --git a/src/fids/config b/src/fids/config new file mode 100644 index 00000000000..c18c9726051 --- /dev/null +++ b/src/fids/config 
@@ -0,0 +1,16 @@ +/bin +/sbin +/usr/bin +/usr/sbin +/usr/games +/opt +/usr/share/ca-certificates + + +/home/netblue/.bashrc +/home/netblue/.config/firejail +/home/netblue/.config/autostart +/home/netblue/Desktop/*.desktop +/home/netblue/.ssh +/home/netblue/.gnupg + diff --git a/src/fids/db.c b/src/fids/db.c new file mode 100644 index 00000000000..35caf7eebd7 --- /dev/null +++ b/src/fids/db.c 
@@ -0,0 +1,158 @@ +/* + * Copyright (C) 2014-2021 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include"fids.h" + +typedef struct db_t { + struct db_t *next; + char *fname; + char *checksum; + char *mode; + int checked; +} DB; + +#define MAXBUF 4096 +static DB *database[HASH_MAX] = {NULL}; + +// djb2 hash function by Dan Bernstein +static unsigned hash(const char *str) { + unsigned long hash = 5381; + int c; + + while ((c = *str++) != '\0') + hash = ((hash << 5) + hash) + c; /* hash * 33 + c */ + + return hash & (HASH_MAX - 1); +} + +#if 0 +// for testing the hash table +static void db_print(void) { + int i; + for (i = 0; i < HASH_MAX; i++) { + int cnt = 0; + DB *ptr = database[i]; + while (ptr) { + cnt++; + ptr = ptr->next; + } + printf("%d ", cnt); + fflush(0); + } + printf("\n"); +} +#endif + +static void db_add(const char *fname, const char *checksum, const char *mode) { + DB *ptr = malloc(sizeof(DB)); + if (!ptr) + errExit("malloc"); + ptr->fname = strdup(fname); + ptr->checksum = strdup(checksum); + ptr->mode = strdup(mode); + ptr->checked = 0; + if (!ptr->fname || !ptr->checksum || !ptr->mode) + errExit("strdup"); + + unsigned h = hash(fname); + ptr->next = database[h]; + database[h] = ptr; +} + +void db_check(const 
char *fname, const char *checksum, const char *mode) { + assert(fname); + assert(checksum); + assert(mode); + + unsigned h =hash(fname); + DB *ptr = database[h]; + while (ptr) { + if (strcmp(fname, ptr->fname) == 0) { + ptr->checked = 1; + break; + } + ptr = ptr->next; + } + + if (ptr ) { + if (strcmp(checksum, ptr->checksum)) { + f_modified++; + fprintf(stderr, "\nWarning: modified %s\n", fname); + } + if (strcmp(mode, ptr->mode)) { + f_permissions++; + fprintf(stderr, "\nWarning: permissions %s: old %s, new %s\n", + fname, ptr->mode, mode); + } + } + else { + f_new++; + fprintf(stderr, "\nWarning: new file %s\n", fname); + } +} + +void db_missing(void) { + int i; + for (i = 0; i < HASH_MAX; i++) { + DB *ptr = database[i]; + while (ptr) { + if (!ptr->checked) { + f_removed++; + fprintf(stderr, "Warning: removed %s\n", ptr->fname); + } + ptr = ptr->next; + } + } +} + +// return 0 if ok, 1 if error +int db_init(void) { + char buf[MAXBUF]; + while(fgets(buf, MAXBUF, stdin)) { + // split - tab separated + + char *mode = buf; + char *ptr = strchr(buf, '\t'); + if (!ptr) + goto errexit; + *ptr = '\0'; + + char *checksum = ptr + 1; + ptr = strchr(checksum, '\t'); + if (!ptr) + goto errexit; + *ptr = '\0'; + + char *fname = ptr + 1; + ptr = strchr(fname, '\n'); + if (!ptr) + goto errexit; + *ptr = '\0'; + + db_add(fname, checksum, mode); + } +// db_print(); + + return 0; + +errexit: + fprintf(stderr, "Error fids: database corrupted\n"); + exit(1); +} + diff --git a/src/fids/db_exclude.c b/src/fids/db_exclude.c new file mode 100644 index 00000000000..994e6f9df9b --- /dev/null +++ b/src/fids/db_exclude.c 
@@ -0,0 +1,56 @@ +/* + * Copyright (C) 2014-2021 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include"fids.h" + +typedef struct db_exclude_t { + struct db_exclude_t *next; + char *fname; + int len; +} DB_EXCLUDE; +static DB_EXCLUDE *database = NULL; + +void db_exclude_add(const char *fname) { + assert(fname); + + DB_EXCLUDE *ptr = malloc(sizeof(DB_EXCLUDE)); + if (!ptr) + errExit("malloc"); + + ptr->fname = strdup(fname); + if (!ptr->fname) + errExit("strdup"); + ptr->len = strlen(fname); + ptr->next = database; + database = ptr; +} + +int db_exclude_check(const char *fname) { + assert(fname); + + DB_EXCLUDE *ptr = database; + while (ptr != NULL) { + if (strncmp(fname, ptr->fname, ptr->len) == 0) + return 1; + ptr = ptr->next; + } + + return 0; +} + diff --git a/src/fids/fids.h b/src/fids/fids.h new file mode 100644 index 00000000000..eaf2bbd29ff --- /dev/null +++ b/src/fids/fids.h 
@@ -0,0 +1,51 @@ +/* + * Copyright (C) 2014-2021 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#ifndef FIDS_H +#define FIDS_H + +#include "../include/common.h" + +// main.c +#define MAX_DIR_LEVEL 20 // max directory tree depth +#define MAX_INCLUDE_LEVEL 10 // max include level for config files +extern int f_scanned; +extern int f_modified; +extern int f_new; +extern int f_removed; +extern int f_permissions; + +// db.c +#define HASH_MAX 2048 // power of 2 +int db_init(void); +void db_check(const char *fname, const char *checksum, const char *mode); +void db_missing(void); + +// db_exclude.c +void db_exclude_add(const char *fname); +int db_exclude_check(const char *fname); + + +// blake2b.c +//#define KEY_SIZE 128 // key size in bytes +#define KEY_SIZE 256 +//#define KEY_SIZE 512 +int blake2b(void *out, size_t outlen, const void *in, size_t inlen); + +#endif diff --git a/src/fids/main.c b/src/fids/main.c new file mode 100644 index 00000000000..c899b55e14d --- /dev/null +++ b/src/fids/main.c 
@@ -0,0 +1,371 @@ +/* + * Copyright (C) 2014-2021 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "fids.h" +#include +#include +#include +#include +#include +#include +#include + +#define MAXBUF 4096 + +static int dir_level = 1; +static int include_level = 0; +int arg_init = 0; +int arg_check = 0; +char *arg_homedir = NULL; +char *arg_dbfile = NULL; + +int f_scanned = 0; +int f_modified = 0; +int f_new = 0; +int f_removed = 0; +int f_permissions = 0; + + + +static inline int is_dir(const char *fname) { + assert(fname); + + struct stat s; + if (stat(fname, &s) == 0) { + if (S_ISDIR(s.st_mode)) + return 1; + } + return 0; +} + +static inline int is_link(const char *fname) { + assert(fname); + + char c; + ssize_t rv = readlink(fname, &c, 1); + return (rv != -1); +} + +// mode is an array of 10 chars or more +static inline void file_mode(const char *fname, char *mode) { + assert(fname); + assert(mode); + + struct stat s; + if (stat(fname, &s)) { + *mode = '\0'; + return; + } + + sprintf(mode, (s.st_mode & S_IRUSR) ? "r" : "-"); + sprintf(mode + 1, (s.st_mode & S_IWUSR) ? "w" : "-"); + sprintf(mode + 2, (s.st_mode & S_IXUSR) ? "x" : "-"); + sprintf(mode + 3, (s.st_mode & S_IRGRP) ? 
"r" : "-"); + sprintf(mode + 4, (s.st_mode & S_IWGRP) ? "w" : "-"); + sprintf(mode + 5, (s.st_mode & S_IXGRP) ? "x" : "-"); + sprintf(mode + 6, (s.st_mode & S_IROTH) ? "r" : "-"); + sprintf(mode + 7, (s.st_mode & S_IWOTH) ? "w" : "-"); + sprintf(mode + 8, (s.st_mode & S_IXOTH) ? "x" : "-"); +} + + +static void file_checksum(const char *fname) { + assert(fname); + + int fd = open(fname, O_RDONLY); + if (fd == -1) + return; + + off_t size = lseek(fd, 0, SEEK_END); + if (size < 0) { + close(fd); + return; + } + + char *content = "empty"; + int mmapped = 0; + if (size == 0) { + // empty files don't mmap - use "empty" string as the file content + size = 6; // strlen("empty") + 1 + } + else { + content = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0); + close(fd); + mmapped = 1; + } + + unsigned char checksum[KEY_SIZE / 8]; + blake2b(checksum, sizeof(checksum), content, size); + if (mmapped) + munmap(content, size); + + // calculate blake2 checksum + char str_checksum[(KEY_SIZE / 8) * 2 + 1]; + int long unsigned i; + char *ptr = str_checksum; + for (i = 0; i < sizeof(checksum); i++, ptr += 2) + sprintf(ptr, "%02x", (unsigned char ) checksum[i]); + + // build permissions string + char mode[10]; + file_mode(fname, mode); + + if (arg_init) + printf("%s\t%s\t%s\n", mode, str_checksum, fname); + else if (arg_check) + db_check(fname, str_checksum, mode); + else + assert(0); + + f_scanned++; + if (f_scanned % 500 == 0) + fprintf(stderr, "%d ", f_scanned); + fflush(0); +} + +void list_directory(const char *fname) { + assert(fname); + if (dir_level > MAX_DIR_LEVEL) { + fprintf(stderr, "Warning fids: maximum depth level exceeded for %s\n", fname); + return; + } + + if (db_exclude_check(fname)) + return; + + if (is_link(fname)) + return; + + if (!is_dir(fname)) { + file_checksum(fname); + return; + } + + DIR *dir; + struct dirent *entry; + + if (!(dir = opendir(fname))) + return; + + dir_level++; + while ((entry = readdir(dir)) != NULL) { + if (strcmp(entry->d_name, ".") == 0 || 
strcmp(entry->d_name, "..") == 0) + continue; + char *path; + if (asprintf(&path, "%s/%s", fname, entry->d_name) == -1) + errExit("asprintf"); + list_directory(path); + free(path); + } + closedir(dir); + dir_level--; +} + +void globbing(const char *fname) { + assert(fname); + + // filter top directory + if (strcmp(fname, "/") == 0) + return; + + glob_t globbuf; + int globerr = glob(fname, GLOB_NOCHECK | GLOB_NOSORT | GLOB_PERIOD, NULL, &globbuf); + if (globerr) { + fprintf(stderr, "Error fids: failed to glob pattern %s\n", fname); + exit(1); + } + + long unsigned i; + for (i = 0; i < globbuf.gl_pathc; i++) { + char *path = globbuf.gl_pathv[i]; + assert(path); + + list_directory(path); + } + + globfree(&globbuf); +} + +static void process_config(const char *fname) { + assert(fname); + + if (++include_level >= MAX_INCLUDE_LEVEL) { + fprintf(stderr, "Error ids: maximum include level for config files exceeded\n"); + exit(1); + } + + // make sure the file is owned by root + struct stat s; + if (stat(fname, &s)) { + if (include_level == 1) { + fprintf(stderr, "Error ids: config file not found\n"); + exit(1); + } + return; + } + if (s.st_uid || s.st_gid) { + fprintf(stderr, "Error ids: config file not owned by root\n"); + exit(1); + } + + fprintf(stderr, "Loading %s config file\n", fname); + FILE *fp = fopen(fname, "r"); + if (!fp) { + fprintf(stderr, "Error fids: cannot open config file %s\n", fname); + exit(1); + } + + char buf[MAXBUF]; + int line = 0; + while (fgets(buf, MAXBUF, fp)) { + line++; + + // trim \n + char *ptr = strchr(buf, '\n'); + if (ptr) + *ptr = '\0'; + + // comments + ptr = strchr(buf, '#'); + if (ptr) + *ptr = '\0'; + + // empty space + ptr = buf; + while (*ptr == ' ' || *ptr == '\t') + ptr++; + char *start = ptr; + + // empty line + if (*start == '\0') + continue; + + // trailing spaces + ptr = start + strlen(start); + ptr--; + while (*ptr == ' ' || *ptr == '\t') + *ptr-- = '\0'; + + // replace ${HOME} + if (strncmp(start, "include", 7) == 0) { + 
ptr = start + 7; + if ((*ptr != ' ' && *ptr != '\t') || *ptr == '\0') { + fprintf(stderr, "Error fids: invalid line %d in %s\n", line, fname); + exit(1); + } + while (*ptr == ' ' || *ptr == '\t') + ptr++; + + if (*ptr == '/') + process_config(ptr); + else { + // assume the file is in /etc/firejail + char *tmp; + if (asprintf(&tmp, "/etc/firejail/%s", ptr) == -1) + errExit("asprintf"); + process_config(tmp); + free(tmp); + } + } + else if (*start == '!') { + // exclude file or dir + start++; + if (strncmp(start, "${HOME}", 7)) + db_exclude_add(start); + else { + char *fname; + if (asprintf(&fname, "%s%s", arg_homedir, start + 7) == -1) + errExit("asprintf"); + db_exclude_add(fname); + free(fname); + } + } + else if (strncmp(start, "${HOME}", 7)) + globbing(start); + else { + char *fname; + if (asprintf(&fname, "%s%s", arg_homedir, start + 7) == -1) + errExit("asprintf"); + globbing(fname); + free(fname); + } + } + + fclose(fp); + include_level--; +} + + + +void usage(void) { + printf("Usage: fids [--help|-h|-?] 
--init|--check homedir\n"); +} + +int main(int argc, char **argv) { + int i; + for (i = 1; i < argc; i++) { + if (strcmp(argv[i], "-h") == 0 || + strcmp(argv[i], "-?") == 0 || + strcmp(argv[i], "--help") == 0) { + usage(); + return 0; + } + else if (strcmp(argv[i], "--init") == 0) + arg_init = 1; + else if (strcmp(argv[i], "--check") == 0) + arg_check = 1; + else if (strncmp(argv[i], "--", 2) == 0) { + fprintf(stderr, "Error fids: invalid argument %s\n", argv[i]); + exit(1); + } + } + + if (argc != 3) { + fprintf(stderr, "Error fids: invalid number of arguments\n"); + exit(1); + } + arg_homedir = argv[2]; + + int op = arg_check + arg_init; + if (op == 0 || op == 2) { + fprintf(stderr, "Error fids: use either --init or --check\n"); + exit(1); + } + + if (arg_init) { + process_config(SYSCONFDIR"/ids.config"); + fprintf(stderr, "\n%d files scanned\n", f_scanned); + fprintf(stderr, "IDS database initialized\n"); + } + else if (arg_check) { + if (db_init()) { + fprintf(stderr, "Error: IDS database not initialized, please run \"firejail --ids-init\"\n"); + exit(1); + } + + process_config(SYSCONFDIR"/ids.config"); + fprintf(stderr, "\n%d files scanned: modified %d, permissions %d, new %d, removed %d\n", + f_scanned, f_modified, f_permissions, f_new, f_removed); + db_missing(); + } + else + assert(0); + + return 0; +} diff --git a/src/firecfg/Makefile.in b/src/firecfg/Makefile.in index 40f6b96798c..43329be4611 100644 --- a/src/firecfg/Makefile.in +++ b/src/firecfg/Makefile.in @@ -1,3 +1,4 @@ +.PHONY: all all: firecfg include ../common.mk @@ -8,7 +9,9 @@ include ../common.mk firecfg: $(OBJS) ../lib/common.o ../lib/firejail_user.o $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/firejail_user.o $(LIBS) $(EXTRA_LDFLAGS) +.PHONY: clean clean:; rm -fr *.o firecfg *.gcov *.gcda *.gcno *.plist +.PHONY: distclean distclean: clean rm -fr Makefile diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c index 16aa638b3cf..06b0a117f14 100644 
--- a/src/firecfg/desktop_files.c +++ b/src/firecfg/desktop_files.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 2ed70664bbc..8b7ae881e0c 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -4,6 +4,7 @@ #qemu-system-x86_64 0ad 2048-qt +Books Builder Cheese Cryptocat @@ -20,7 +21,9 @@ Maelstrom Maps Mathematica Natron +PCSX2 PPSSPPQt +PPSSPPSDL QMediathekView QOwnNotes Screenshot @@ -29,16 +32,21 @@ Viber VirtualBox XMind Xephyr +ZeGrapher abiword abrowser akonadi_control akregator +alacarte +alpine +alpinef amarok amule amuled android-studio anydesk apktool +apostrophe # ar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) arch-audit archaudit-report @@ -61,18 +69,24 @@ audacious audacity audio-recorder authenticator +authenticator-rs autokey-gtk autokey-qt autokey-run autokey-shell +avidemux3_qt5 aweather +ballbuster baloo_file baloo_filemetadata_temp_extractor +balsa baobab barrier basilisk +bcompare beaker bibletime +bijiben bitcoin-qt bitlbee bitwarden @@ -80,6 +94,7 @@ bleachbit blender blender-2.8 bless +blobby blobwars bluefish bnox @@ -100,6 +115,7 @@ calligra calligraauthor calligraconverter calligraflow +calligragemini calligraplan calligraplanwork calligrasheets @@ -108,12 +124,15 @@ calligrawords cameramonitor cantata catfish +cawbird celluloid checkbashisms cheese cherrytree chromium chromium-browser +chromium-browser-privacy +chromium-freeworld cin cinelerra clamdscan 
@@ -124,27 +143,36 @@ claws-mail clawsker clementine clion -clipit +clion-eap clipgrab +clipit cliqz clocks cmus code code-oss +cola +colorful +com.github.bleakgrey.tootle com.github.dahenson.agenda com.github.johnfactotum.Foliate +com.github.phase1geo.minder +com.gitlab.newsflash conkeror conky conplay corebird +coyim crawl crawl-tiles crow cryptocat cvlc cyberfox +d-feet darktable dconf-editor +ddgr ddgtk deadbeef deluge @@ -156,24 +184,31 @@ dig digikam dillo dino +dino-im discord discord-canary display +display-im6.q16 dnox dnscrypt-proxy dnsmasq -dolphin +dolphin-emu dooble dooble-qt4 dosbox dragon drawio +drill dropbox -d-feet easystroke +ebook-convert +ebook-edit +ebook-meta +ebook-polish ebook-viewer electron-mail electrum +element-desktop elinks empathy enchant @@ -186,13 +221,14 @@ enpass eog eom ephemeral -#epiphany +#epiphany - see #2995 +equalx et etr evince evince-previewer evince-thumbnailer -evolution +#evolution - see #3647 exfalso exiftool falkon @@ -200,12 +236,13 @@ fbreader feedreader feh ferdi -ffmpeg +#ffmpeg ffmpegthumbnailer ffplay ffprobe file-roller filezilla +firedragon firefox firefox-beta firefox-developer-edition @@ -222,6 +259,7 @@ font-manager fontforge fossamail four-in-a-row +fractal franz freecad freecadcmd @@ -233,12 +271,16 @@ freemind freeoffice-planmaker freeoffice-presentations freeoffice-textmaker +freetube freshclam frogatto frozen-bubble +funnyboat gajim gajim-history-manager galculator +gallery-dl +gapplication gcalccmd gcloud gconf-editor @@ -255,16 +297,20 @@ gimp-2.10 gimp-2.8 gist gist-paste +git-cola gitg github-desktop gitter # gjs -- https://github.com/netblue30/firejail/issues/3333#issuecomment-612601102 +gl-117 +glaxium globaltime gmpc gnome-2048 gnome-books gnome-builder gnome-calculator +gnome-calendar gnome-character-map gnome-characters gnome-chess @@ -291,6 +337,7 @@ gnome-recipes gnome-robots gnome-schedule gnome-screenshot +gnome-sound-recorder gnome-sudoku gnome-system-log gnome-taquin 
@@ -298,7 +345,10 @@ gnome-tetravex gnome-todo gnome-twitch gnome-weather +gnote +gnubik godot +goldendict goobox google-chrome google-chrome-beta @@ -307,6 +357,7 @@ google-chrome-unstable google-earth google-earth-pro google-play-music-desktop-player +googler gpa gpicview gpredict @@ -314,6 +365,11 @@ gradio gramps gravity-beams-and-evaporating-stars gthumb +gtk-pipe-viewer +gtk-straw-viewer +gtk-youtube-viewer +gtk2-youtube-viewer +gtk3-youtube-viewer guayadeque gucharmap gummi @@ -324,6 +380,8 @@ hashcat hedgewars hexchat highlight +hitori +homebank host hugin hyperrogue @@ -332,14 +390,17 @@ icecat icedove iceweasel idea -ideaIC idea.sh +ideaIC imagej img2txt impressive inkscape inkview inox +io.github.lainsce.Notejot +ipcalc +ipcalc-ng iridium iridium-browser jd-gui @@ -355,9 +416,11 @@ kalgebra kalgebramobile karbon kate +kazam kcalc # kdeinit4 kdenlive +kdiff3 keepass keepass2 keepassx @@ -385,15 +448,21 @@ krita # krunner ktorrent ktouch +kube # kwin_x11 kwrite leafpad # less - breaks man +librecad libreoffice +librewolf +librewolf-nightly +lifeograph liferea lightsoff lincity-ng links +links2 linphone lmms lobase @@ -412,13 +481,17 @@ lowriter # lrzip - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) # lrztar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) # lrzuntar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) +luarocks luminance-hdr lximage-qt lxmusic lynx +lyx macrofusion magicor +man manaplus +marker masterpdfeditor masterpdfeditor4 masterpdfeditor5 @@ -427,7 +500,10 @@ mate-calculator mate-color-select mate-dictionary mathematica +matrix-mirage +mattermost-desktop mcabber +mcomix mediainfo mediathekview megaglest 
@@ -435,19 +511,26 @@ megaglest_editor meld mencoder mendeleydesktop +menulibre meteo-qt +microsoft-edge +microsoft-edge-beta +microsoft-edge-dev midori min mindless +minecraft-launcher minetest +minitube +mirage mirrormagic +mocp mousepad mp3splt mp3splt-gtk mp3wrap mpDris2 mpg123 -mpg123.bin mpg123-alsa mpg123-id3dump mpg123-jack @@ -457,6 +540,7 @@ mpg123-oss mpg123-portaudio mpg123-pulse mpg123-strip +mpg123.bin mplayer mpsyt mpv @@ -468,6 +552,7 @@ ms-outlook ms-powerpoint ms-skype ms-word +mtpaint multimc multimc5 mumble @@ -478,6 +563,7 @@ mupdf-x11-curl mupen64plus muraster musescore +musictube musixmatch mutool mutt @@ -485,6 +571,9 @@ mypaint mypaint-ora-thumbnailer natron ncdu +ncdu2 +neochat +neomutt netactview nethack netsurf @@ -492,6 +581,9 @@ neverball neverputt newsbeuter newsboat +newsflash +nextcloud +nextcloud-desktop nheko nicotine nitroshare @@ -501,6 +593,7 @@ nitroshare-send nitroshare-ui nomacs nslookup +nuclear nylas nyx obs @@ -508,13 +601,17 @@ ocenaudio odt2txt oggsplt okular +onboard onionshare-gui ooffice ooviewdoc open-invaders openarena +openarena_ded opencity openclonk +openmw +openmw-launcher openoffice.org openshot openshot-qt @@ -523,25 +620,30 @@ opera opera-beta orage ostrichriders +otter-browser out123 palemoon -pandoc +#pandoc parole patch pavucontrol pavucontrol-qt +pcsxr pdfchain pdfmod pdfsam pdftotext peek penguin-command +photoflare picard pidgin +pinball #ping - disabled until we fix #1912 pingus pinta pioneer +pipe-viewer pithos pitivi pix @@ -549,6 +651,7 @@ planmaker18 planmaker18free playonlinux pluma +plv pngquant polari ppsspp 
@@ -556,25 +659,31 @@ pragha presentations18 presentations18free profanity +psi psi-plus pybitmessage # pycharm-community - FB note: may enable later # pycharm-professional # pzstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) qbittorrent +qcomicbook qemu-launcher qgis qlipper qmmp +qnapi qpdfview qt-faststart qtox +quadrapassel quassel +quaternion quiterss qupzilla qutebrowser rambox redeclipse +rednotebook redshift regextester remmina @@ -591,7 +700,6 @@ runenpass.sh sayonara scallion scorched3d -scorched3d-wrapper scorchwentbonkers scribus sdat2img @@ -605,6 +713,7 @@ secret-tool shellcheck shortwave shotcut +shotwell signal-cli signal-desktop silentarmy @@ -617,11 +726,14 @@ slack slashem smplayer smtube +smuxi-frontend-gnome snox soffice sol sound-juicer soundconverter +spectacle +spectral spotify sqlitebrowser ssh @@ -632,12 +744,15 @@ steam steam-native steam-runtime stellarium +straw-viewer +strawberry strings studio.sh subdownloader supertux2 supertuxkart surf +sushi swell-foop sylpheed synfigstudio @@ -705,10 +820,13 @@ transmission-remote-cli transmission-remote-gtk transmission-show tremulous +trojita truecraft tshark +tutanota-desktop tuxguitar tvbrowser +twitch udiskie uefitool uget-gtk @@ -727,6 +845,9 @@ vivaldi-beta vivaldi-snapshot vivaldi-stable vlc +vmware +vmware-player +vmware-workstation vscodium vulturesclaw vultureseye @@ -751,10 +872,10 @@ wire-desktop wireshark wireshark-gtk wireshark-qt +wordwarvi wpp wps wpspdf -wordwarvi x2goclient xbill xcalc @@ -764,14 +885,17 @@ xfburn xfce4-dict xfce4-mixer xfce4-notes +xfce4-screenshooter xiphos xlinks +xlinks2 xmms xmr-stak xonotic xonotic-glx xonotic-sdl xournal +xournalpp xpdf xplayer xplayer-audio-preview 
@@ -783,11 +907,18 @@ xreader-thumbnailer xviewer yandex-browser yelp +youtube youtube-dl +youtube-dl-gui +youtube-viewer +youtubemusic-nativefier +yt-dlp +ytmdesktop zaproxy zart zathura zeal +zim zoom # zpaq - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) # zstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) diff --git a/src/firecfg/firecfg.h b/src/firecfg/firecfg.h index 4dfc4194e4c..15826cf37c3 100644 --- a/src/firecfg/firecfg.h +++ b/src/firecfg/firecfg.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff --git a/src/firecfg/main.c b/src/firecfg/main.c index 1e49a2fc746..363000e15f8 100644 --- a/src/firecfg/main.c +++ b/src/firecfg/main.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -486,8 +486,9 @@ int main(int argc, char **argv) { if (arg_debug) printf("%s %d %d %d %d\n", user, getuid(), getgid(), geteuid(), getegid()); - // fix .desktop files in ~/.local/share/applications directory - fix_desktop_files(home); + // if runs as regular user, fix .desktop files in ~/.local/share/applications directory + if (getuid() != 0) + fix_desktop_files(home); return 0; } diff --git a/src/firecfg/sound.c b/src/firecfg/sound.c index e7670c94c4a..e3fcdbd8355 100644 --- a/src/firecfg/sound.c +++ b/src/firecfg/sound.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff --git a/src/firecfg/util.c b/src/firecfg/util.c index b46da0be396..14d90b549fe 100644 --- a/src/firecfg/util.c +++ b/src/firecfg/util.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * 
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in index b9bf13b9cfc..793d2cdd1a6 100644 --- a/src/firejail/Makefile.in +++ b/src/firejail/Makefile.in @@ -1,3 +1,4 @@ +.PHONY: all all: firejail include ../common.mk @@ -8,7 +9,9 @@ include ../common.mk firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o ../lib/errno.o ../lib/syscall.o $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS) +.PHONY: clean clean:; rm -fr *.o firejail *.gcov *.gcda *.gcno *.plist +.PHONY: distclean distclean: clean rm -fr Makefile diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index 6190b6f0156..2266fa499fb 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -21,6 +21,7 @@ // sudo mount -o loop krita-3.0-x86_64.appimage mnt #include "firejail.h" +#include "../include/gcov_wrapper.h" #include #include #include @@ -29,7 +30,8 @@ #include static char *devloop = NULL; // device file -static char *mntdir = NULL; // mount point in /tmp directory +static long unsigned size = 0; // offset into appimage file +#define MAXBUF 4096 #ifdef LOOP_CTL_GET_FREE // test for older kernels; this definition is found in /usr/include/linux/loop.h static void err_loop(void) { 
@@ -38,36 +40,66 @@ static void err_loop(void) { } #endif +// return 1 if found +int appimage_find_profile(const char *archive) { + assert(archive); + assert(strlen(archive)); + + // try to match the name of the archive with the list of programs in /usr/lib/firejail/firecfg.config + FILE *fp = fopen(LIBDIR "/firejail/firecfg.config", "r"); + if (!fp) { + fprintf(stderr, "Error: cannot find %s, firejail is not correctly installed\n", LIBDIR "/firejail/firecfg.config"); + exit(1); + } + char buf[MAXBUF]; + while (fgets(buf, MAXBUF, fp)) { + if (*buf == '#') + continue; + char *ptr = strchr(buf, '\n'); + if (ptr) + *ptr = '\0'; + if (strcasestr(archive, buf)) { + fclose(fp); + return profile_find_firejail(buf, 1); + } + } + + fclose(fp); + return 0; + +} + + void appimage_set(const char *appimage) { assert(appimage); assert(devloop == NULL); // don't call this twice! EUID_ASSERT(); #ifdef LOOP_CTL_GET_FREE - // check appimage file + // open appimage file invalid_filename(appimage, 0); // no globbing - if (access(appimage, R_OK) == -1) { - fprintf(stderr, "Error: cannot access AppImage file\n"); + int ffd = open(appimage, O_RDONLY|O_CLOEXEC); + if (ffd == -1) { + fprintf(stderr, "Error: cannot read AppImage file\n"); + exit(1); + } + struct stat s; + if (fstat(ffd, &s) == -1) + errExit("fstat"); + if (!S_ISREG(s.st_mode)) { + fprintf(stderr, "Error: invalid AppImage file\n"); exit(1); } // get appimage type and ELF size // a value of 0 means we are dealing with a type1 appimage - long unsigned int size = appimage2_size(appimage); + size = appimage2_size(ffd); if (arg_debug) printf("AppImage ELF size %lu\n", size); - // open appimage file - /* coverity[toctou] */ - int ffd = open(appimage, O_RDONLY|O_CLOEXEC); - if (ffd == -1) { - fprintf(stderr, "Error: cannot open AppImage file\n"); - exit(1); - } - // find or allocate a free loop device to use EUID_ROOT(); - int cfd = open("/dev/loop-control", O_RDWR); + int cfd = open("/dev/loop-control", O_RDWR|O_CLOEXEC); if (cfd 
== -1) err_loop(); int devnr = ioctl(cfd, LOOP_CTL_GET_FREE); @@ -77,7 +109,8 @@ void appimage_set(const char *appimage) { if (asprintf(&devloop, "/dev/loop%d", devnr) == -1) errExit("asprintf"); - int lfd = open(devloop, O_RDONLY); + // associate loop device with appimage + int lfd = open(devloop, O_RDONLY|O_CLOEXEC); if (lfd == -1) err_loop(); if (ioctl(lfd, LOOP_SET_FD, ffd) == -1) 
@@ -90,109 +123,64 @@ void appimage_set(const char *appimage) { if (ioctl(lfd, LOOP_SET_STATUS64, &info) == -1) err_loop(); } - close(lfd); close(ffd); EUID_USER(); - // creates appimage mount point perms 0700 - if (asprintf(&mntdir, "%s/.appimage-%u", RUN_FIREJAIL_APPIMAGE_DIR, getpid()) == -1) - errExit("asprintf"); - EUID_ROOT(); - mkdir_attr(mntdir, 0700, getuid(), getgid()); - EUID_USER(); + // set environment + char* abspath = realpath(appimage, NULL); + if (abspath == NULL) + errExit("Failed to obtain absolute path"); + env_store_name_val("APPIMAGE", abspath, SETENV); + free(abspath); + + env_store_name_val("APPDIR", RUN_FIREJAIL_APPIMAGE_DIR, SETENV); + + if (size != 0) + env_store_name_val("ARGV0", appimage, SETENV); + + if (cfg.cwd) + env_store_name_val("OWD", cfg.cwd, SETENV); + + __gcov_flush(); +#else + fprintf(stderr, "Error: /dev/loop-control interface is not supported by your kernel\n"); + exit(1); +#endif +} + +// mount appimage into sandbox file system +void appimage_mount(void) { + if (!devloop) + return; - // mount - char *mode; - if (asprintf(&mode, "mode=700,uid=%d,gid=%d", getuid(), getgid()) == -1) - errExit("asprintf"); unsigned long flags = MS_MGC_VAL|MS_RDONLY; if (getuid()) flags |= MS_NODEV|MS_NOSUID; - EUID_ROOT(); if (size == 0) { fmessage("Mounting appimage type 1\n"); - if (mount(devloop, mntdir, "iso9660", flags, mode) < 0) + char *mode; + if (asprintf(&mode, "mode=700,uid=%d,gid=%d", getuid(), getgid()) == -1) + errExit("asprintf"); + if (mount(devloop, RUN_FIREJAIL_APPIMAGE_DIR, "iso9660", flags, mode) < 0) errExit("mounting appimage"); + free(mode); } else { fmessage("Mounting appimage type 2\n"); - if (mount(devloop, mntdir, "squashfs", flags, NULL) < 0) + if (mount(devloop, RUN_FIREJAIL_APPIMAGE_DIR, "squashfs", flags, NULL) < 0) errExit("mounting appimage"); } - - if (arg_debug) - printf("appimage mounted on %s\n", mntdir); - EUID_USER(); - - char* abspath = realpath(appimage, NULL); - if (abspath == NULL) - errExit("Failed 
to obtain absolute path"); - - // set environment - if (setenv("APPIMAGE", abspath, 1) < 0) - errExit("setenv"); - if (mntdir && setenv("APPDIR", mntdir, 1) < 0) - errExit("setenv"); - if (size != 0 && setenv("ARGV0", appimage, 1) < 0) - errExit("setenv"); - if (cfg.cwd && setenv("OWD", cfg.cwd, 1) < 0) - errExit("setenv"); - - // build new command line - if (asprintf(&cfg.command_line, "%s/AppRun", mntdir) == -1) - errExit("asprintf"); - - free(abspath); - free(mode); -#ifdef HAVE_GCOV - __gcov_flush(); -#endif -#else - fprintf(stderr, "Error: /dev/loop-control interface is not supported by your kernel\n"); - exit(1); -#endif } void appimage_clear(void) { - int rv; - EUID_ROOT(); - if (mntdir) { - int i; - int rv = 0; - for (i = 0; i < 5; i++) { - rv = umount2(mntdir, MNT_FORCE); - if (rv == 0) { - fmessage("AppImage unmounted\n"); - - break; - } - if (rv == -1 && errno == EBUSY) { - fwarning("EBUSY error trying to unmount %s\n", mntdir); - sleep(2); - continue; - } - - // rv = -1 - if (!arg_quiet) { - fwarning("error trying to unmount %s\n", mntdir); - perror("umount"); - } - } - - if (rv == 0) { - rmdir(mntdir); - free(mntdir); - } - } - if (devloop) { - int lfd = open(devloop, O_RDONLY); + int lfd = open(devloop, O_RDONLY|O_CLOEXEC); if (lfd != -1) { - rv = ioctl(lfd, LOOP_CLR_FD, 0); - (void) rv; + if (ioctl(lfd, LOOP_CLR_FD, 0) != -1) + fmessage("AppImage detached\n"); close(lfd); } } diff --git a/src/firejail/appimage_size.c b/src/firejail/appimage_size.c index a58f9a8ca23..43ca501daac 100644 --- a/src/firejail/appimage_size.c +++ b/src/firejail/appimage_size.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * 
@@ -132,22 +132,20 @@ static long unsigned int read_elf64(int fd) { // return 0 if error // return 0 if this is not an appimgage2 file -long unsigned int appimage2_size(const char *fname) { +long unsigned int appimage2_size(int fd) { ssize_t ret; - int fd; long unsigned int size = 0; - fd = open(fname, O_RDONLY); if (fd < 0) return 0; ret = pread(fd, ehdr.e_ident, EI_NIDENT, 0); if (ret != EI_NIDENT) - goto getout; + return 0; if ((ehdr.e_ident[EI_DATA] != ELFDATA2LSB) && (ehdr.e_ident[EI_DATA] != ELFDATA2MSB)) - goto getout; + return 0; if(ehdr.e_ident[EI_CLASS] == ELFCLASS32) { size = read_elf32(fd); @@ -156,23 +154,19 @@ long unsigned int appimage2_size(const char *fname) { size = read_elf64(fd); } else { - goto getout; + return 0; } if (size == 0) - goto getout; + return 0; // look for a LZMA header at this location unsigned char buf[4]; ret = pread(fd, buf, 4, size); - if (ret != 4) { - size = 0; - goto getout; - } + if (ret != 4) + return 0; if (memcmp(buf, "hsqs", 4) != 0) - size = 0; + return 0; -getout: - close(fd); return size; } diff --git a/src/firejail/arp.c b/src/firejail/arp.c index 3714af9a371..c259fc0adfe 100644 --- a/src/firejail/arp.c +++ b/src/firejail/arp.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -20,6 +20,7 @@ #include "firejail.h" #include #include +#include #include //TCP/IP Protocol Suite for Linux #include #include @@ -105,8 +106,7 @@ void arp_announce(const char *dev, Bridge *br) { if ((sock = socket(PF_PACKET, SOCK_RAW, htons (ETH_P_ALL))) < 0) errExit("socket"); - int len; - if ((len = sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr))) <= 0) + if (sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr)) <= 0) errExit("send"); fflush(0); close(sock); 
@@ -177,8 +177,7 @@ int arp_check(const char *dev, uint32_t destaddr) { if ((sock = socket(PF_PACKET, SOCK_RAW, htons (ETH_P_ALL))) < 0) errExit("socket"); - int len; - if ((len = sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr))) <= 0) + if (sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr)) <= 0) errExit("send"); fflush(0); @@ -190,9 +189,14 @@ int arp_check(const char *dev, uint32_t destaddr) { FD_SET(sock, &fds); int maxfd = sock; struct timeval ts; - ts.tv_sec = 0; // 0.5 seconds wait time - ts.tv_usec = 500000; + gettimeofday(&ts, NULL); + double timerend = ts.tv_sec + ts.tv_usec / 1000000.0 + 0.5; while (1) { + gettimeofday(&ts, NULL); + double now = ts.tv_sec + ts.tv_usec / 1000000.0; + double timeout = timerend - now; + ts.tv_sec = timeout; + ts.tv_usec = (timeout - ts.tv_sec) * 1000000; int nready = select(maxfd + 1, &fds, (fd_set *) 0, (fd_set *) 0, &ts); if (nready < 0) errExit("select"); @@ -201,10 +205,10 @@ int arp_check(const char *dev, uint32_t destaddr) { close(sock); return 0; } - if ((len = sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr))) <= 0) + if (sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr)) <= 0) errExit("send"); - ts.tv_sec = 0; // 0.5 seconds wait time - ts.tv_usec = 500000; + gettimeofday(&ts, NULL); + timerend = ts.tv_sec + ts.tv_usec / 1000000.0 + 0.5; fflush(0); } else { @@ -239,9 +243,7 @@ int arp_check(const char *dev, uint32_t destaddr) { } } - // it will never get here! - close(sock); - return -1; + __builtin_unreachable(); } // assign a random IP address and check it 
@@ -281,7 +283,7 @@ static uint32_t arp_random(const char *dev, Bridge *br) { int i = 0; for (i = 0; i < 10; i++) { dest = start + ((uint32_t) rand()) % range; - if (dest == ifip) // do not allow the interface address + if (dest == ifip || dest == cfg.defaultgw) // do not allow the interface address or the default gateway continue; // try again // if we've made it up to here, we have a valid address @@ -329,7 +331,7 @@ static uint32_t arp_sequential(const char *dev, Bridge *br) { // loop through addresses and stop as soon as you find an unused one while (dest <= last) { - if (dest == ifip) { + if (dest == ifip || dest == cfg.defaultgw) { dest++; continue; } diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c index edef823fd2e..a085f2c27fb 100644 --- a/src/firejail/bandwidth.c +++ b/src/firejail/bandwidth.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -22,6 +22,7 @@ #include #include #include +#include #include #include "firejail.h" @@ -119,26 +120,19 @@ static void bandwidth_create_run_file(pid_t pid) { if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1) errExit("asprintf"); - // if the file already exists, do nothing - struct stat s; - if (stat(fname, &s) == 0) { - free(fname); - return; - } - // create an empty file and set mod and ownership - /* coverity[toctou] */ - FILE *fp = fopen(fname, "w"); - if (fp) { - SET_PERMS_STREAM(fp, 0, 0, 0644); - fclose(fp); - } - else { + // if the file already exists, do nothing + FILE *fp = fopen(fname, "wxe"); + free(fname); + if (!fp) { + if (errno == EEXIST) + return; fprintf(stderr, "Error: cannot create bandwidth file\n"); exit(1); } - free(fname); + SET_PERMS_STREAM(fp, 0, 0, 0644); + fclose(fp); } 
@@ -148,7 +142,7 @@ void network_set_run_file(pid_t pid) { errExit("asprintf"); // create an empty file and set mod and ownership - FILE *fp = fopen(fname, "w"); + FILE *fp = fopen(fname, "we"); if (fp) { if (cfg.bridge0.configured) fprintf(fp, "%s:%s\n", cfg.bridge0.dev, cfg.bridge0.devsandbox); @@ -178,7 +172,7 @@ static void read_bandwidth_file(pid_t pid) { if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1) errExit("asprintf"); - FILE *fp = fopen(fname, "r"); + FILE *fp = fopen(fname, "re"); if (fp) { char buf[1024]; while (fgets(buf, 1024,fp)) { @@ -214,7 +208,7 @@ static void write_bandwidth_file(pid_t pid) { if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1) errExit("asprintf"); - FILE *fp = fopen(fname, "w"); + FILE *fp = fopen(fname, "we"); if (fp) { IFBW *ptr = ifbw; while (ptr) { @@ -307,7 +301,7 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in char *fname; if (asprintf(&fname, "%s/%d-netmap", RUN_FIREJAIL_NETWORK_DIR, (int) pid) == -1) errExit("asprintf"); - FILE *fp = fopen(fname, "r"); + FILE *fp = fopen(fname, "re"); if (!fp) { fprintf(stderr, "Error: cannot read network map file %s\n", fname); exit(1); @@ -327,6 +321,15 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in devname = strdup(buf + len + 1); if (!devname) errExit("strdup"); + // double-check device name + size_t i; + for (i = 0; devname[i]; i++) { + if (isalnum((unsigned char) devname[i]) == 0 && + devname[i] != '-') { + fprintf(stderr, "Error: name of network device is invalid\n"); + exit(1); + } + } // check device in namespace if (if_nametoindex(devname) == 0) { fprintf(stderr, "Error: cannot find network device %s\n", devname); 
@@ -354,6 +357,7 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in } bandwidth_remove(pid, devname); } + else assert(strcmp(command, "status") == 0); // build fshaper.sh command char *cmd = NULL; @@ -375,26 +379,16 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in } assert(cmd); - // wipe out environment variables - environ = NULL; - //************************ // build command //************************ - // elevate privileges - if (setreuid(0, 0)) - errExit("setreuid"); - if (setregid(0, 0)) - errExit("setregid"); - char *arg[4]; arg[0] = "/bin/sh"; arg[1] = "-c"; arg[2] = cmd; arg[3] = NULL; clearenv(); - execvp(arg[0], arg); + sbox_exec_v(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, arg); - // it will never get here - errExit("execvp"); + // it will never get here!! } diff --git a/src/firejail/caps.c b/src/firejail/caps.c index b89e3009a8e..5e02b99c242 100644 --- a/src/firejail/caps.c +++ b/src/firejail/caps.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -162,6 +162,21 @@ static CapsEntry capslist[] = { #else {"audit_read", 37 }, #endif +#ifdef CAP_PERFMON + {"perfmon", CAP_PERFMON }, +#else + {"perfmon", 38 }, +#endif +#ifdef CAP_BPF + {"bpf", CAP_BPF }, +#else + {"bpf", 39 }, +#endif +#ifdef CAP_CHECKPOINT_RESTORE + {"checkpoint_restore", CAP_CHECKPOINT_RESTORE }, +#else + {"checkpoint_restore", 40 }, +#endif // // end of generated code @@ -374,7 +389,7 @@ static uint64_t extract_caps(int pid) { errExit("asprintf"); EUID_ROOT(); // grsecurity - FILE *fp = fopen(file, "r"); + FILE *fp = fopen(file, "re"); EUID_USER(); // grsecurity if (!fp) goto errexit; diff --git a/src/firejail/cgroup.c b/src/firejail/cgroup.c index 30cd96c42c2..e7ffbca3685 100644 --- a/src/firejail/cgroup.c +++ b/src/firejail/cgroup.c 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -26,7 +26,7 @@ void save_cgroup(void) { if (cfg.cgroup == NULL) return; - FILE *fp = fopen(RUN_CGROUP_CFG, "w"); + FILE *fp = fopen(RUN_CGROUP_CFG, "wxe"); if (fp) { fprintf(fp, "%s", cfg.cgroup); fflush(0); @@ -48,7 +48,7 @@ void load_cgroup(const char *fname) { if (!fname) return; - FILE *fp = fopen(fname, "r"); + FILE *fp = fopen(fname, "re"); if (fp) { char buf[MAXBUF]; if (fgets(buf, MAXBUF, fp)) { @@ -91,19 +91,19 @@ void set_cgroup(const char *path) { goto errout; // tasks file exists - struct stat s; - if (stat(path, &s) == -1) + FILE *fp = fopen(path, "ae"); + if (!fp) goto errout; - // task file belongs to the user running the sandbox + int fd = fileno(fp); + if (fd == -1) + errExit("fileno"); + struct stat s; + if (fstat(fd, &s) == -1) + errExit("fstat"); if (s.st_uid != getuid() && s.st_gid != getgid()) goto errout2; - // add the task to cgroup - /* coverity[toctou] */ - FILE *fp = fopen(path, "a"); - if (!fp) - goto errout; pid_t pid = getpid(); int rv = fprintf(fp, "%d\n", pid); (void) rv; diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 5d6b4af6648..06e6f0ccb9a 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -35,6 +35,8 @@ char *xvfb_extra_params = ""; char *netfilter_default = NULL; unsigned long join_timeout = 5000000; // microseconds char *config_seccomp_error_action_str = "EPERM"; +char *config_seccomp_filter_add = NULL; +char **whitelist_reject_topdirs = NULL; int checkcfg(int val) { assert(val < CFG_MAX); 
@@ -59,7 +61,7 @@ int checkcfg(int val) { // open configuration file const char *fname = SYSCONFDIR "/firejail.config"; - fp = fopen(fname, "r"); + fp = fopen(fname, "re"); if (!fp) { #ifdef HAVE_GLOBALCFG fprintf(stderr, "Error: Firejail configuration file %s not found\n", fname); @@ -102,18 +104,20 @@ int checkcfg(int val) { PARSE_YESNO(CFG_USERNS, "userns") PARSE_YESNO(CFG_CHROOT, "chroot") PARSE_YESNO(CFG_FIREJAIL_PROMPT, "firejail-prompt") - PARSE_YESNO(CFG_FOLLOW_SYMLINK_AS_USER, "follow-symlink-as-user") PARSE_YESNO(CFG_FORCE_NONEWPRIVS, "force-nonewprivs") PARSE_YESNO(CFG_SECCOMP, "seccomp") - PARSE_YESNO(CFG_WHITELIST, "whitelist") PARSE_YESNO(CFG_NETWORK, "network") PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network") PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title") PARSE_YESNO(CFG_OVERLAYFS, "overlayfs") - PARSE_YESNO(CFG_PRIVATE_HOME, "private-home") + PARSE_YESNO(CFG_PRIVATE_BIN, "private-bin") + PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local") PARSE_YESNO(CFG_PRIVATE_CACHE, "private-cache") + PARSE_YESNO(CFG_PRIVATE_ETC, "private-etc") + PARSE_YESNO(CFG_PRIVATE_HOME, "private-home") PARSE_YESNO(CFG_PRIVATE_LIB, "private-lib") - PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local") + PARSE_YESNO(CFG_PRIVATE_OPT, "private-opt") + PARSE_YESNO(CFG_PRIVATE_SRV, "private-srv") PARSE_YESNO(CFG_DISABLE_MNT, "disable-mnt") PARSE_YESNO(CFG_XPRA_ATTACH, "xpra-attach") PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f") @@ -130,8 +134,7 @@ int checkcfg(int val) { *end = '\0'; // is the file present? - struct stat s; - if (stat(fname, &s) == -1) { + if (access(fname, F_OK) == -1) { fprintf(stderr, "Error: netfilter-default file %s not available\n", fname); exit(1); } 
@@ -215,20 +218,23 @@ int checkcfg(int val) { } // file copy limit - else if (strncmp(ptr, "file-copy-limit ", 16) == 0) { - if (setenv("FIREJAIL_FILE_COPY_LIMIT", ptr + 16, 1) == -1) - errExit("setenv"); - } + else if (strncmp(ptr, "file-copy-limit ", 16) == 0) + env_store_name_val("FIREJAIL_FILE_COPY_LIMIT", ptr + 16, SETENV); // timeout for join option else if (strncmp(ptr, "join-timeout ", 13) == 0) join_timeout = strtoul(ptr + 13, NULL, 10) * 1000000; // seconds to microseconds + // add rules to default seccomp filter + else if (strncmp(ptr, "seccomp-filter-add ", 19) == 0) + config_seccomp_filter_add = seccomp_check_list(ptr + 19); + // seccomp error action else if (strncmp(ptr, "seccomp-error-action ", 21) == 0) { -#ifdef HAVE_SECCOMP if (strcmp(ptr + 21, "kill") == 0) cfg_val[CFG_SECCOMP_ERROR_ACTION] = SECCOMP_RET_KILL; + else if (strcmp(ptr + 21, "log") == 0) + cfg_val[CFG_SECCOMP_ERROR_ACTION] = SECCOMP_RET_LOG; else { cfg_val[CFG_SECCOMP_ERROR_ACTION] = errno_find_name(ptr + 21); if (cfg_val[CFG_SECCOMP_ERROR_ACTION] == -1) @@ -237,9 +243,31 @@ int checkcfg(int val) { config_seccomp_error_action_str = strdup(ptr + 21); if (!config_seccomp_error_action_str) errExit("strdup"); -#else - warning_feature_disabled("seccomp"); -#endif + } + + else if (strncmp(ptr, "whitelist-disable-topdir ", 25) == 0) { + char *str = strdup(ptr + 25); + if (!str) + errExit("strdup"); + + size_t cnt = 0; + size_t sz = 4; + whitelist_reject_topdirs = malloc(sz * sizeof(char *)); + if (!whitelist_reject_topdirs) + errExit("malloc"); + + char *tok = strtok(str, ","); + while (tok) { + whitelist_reject_topdirs[cnt++] = tok; + if (cnt >= sz) { + sz *= 2; + whitelist_reject_topdirs = realloc(whitelist_reject_topdirs, sz * sizeof(char *)); + if (!whitelist_reject_topdirs) + errExit("realloc"); + } + tok = strtok(NULL, ","); + } + whitelist_reject_topdirs[cnt] = NULL; } else 
@@ -273,6 +301,14 @@ int checkcfg(int val) { void print_compiletime_support(void) { printf("Compile time support:\n"); + printf("\t- always force nonewprivs support is %s\n", +#ifdef HAVE_FORCE_NONEWPRIVS + "enabled" +#else + "disabled" +#endif + ); + printf("\t- AppArmor support is %s\n", #ifdef HAVE_APPARMOR "enabled" @@ -297,8 +333,8 @@ void print_compiletime_support(void) { #endif ); - printf("\t- file and directory whitelisting support is %s\n", -#ifdef HAVE_WHITELIST + printf("\t- D-BUS proxy support is %s\n", +#ifdef HAVE_DBUSPROXY "enabled" #else "disabled" @@ -329,6 +365,13 @@ void print_compiletime_support(void) { #endif ); + printf("\t- output logging is %s\n", +#ifdef HAVE_OUTPUT + "enabled" +#else + "disabled" +#endif + ); printf("\t- overlayfs support is %s\n", #ifdef HAVE_OVERLAYFS "enabled" @@ -345,8 +388,8 @@ void print_compiletime_support(void) { #endif ); - printf("\t- seccomp-bpf support is %s\n", -#ifdef HAVE_SECCOMP + printf("\t- private-cache and tmpfs as user %s\n", +#ifdef HAVE_USERTMPFS "enabled" #else "disabled" @@ -376,4 +419,6 @@ void print_compiletime_support(void) { "disabled" #endif ); + + } diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c index cae52e20b3d..37ec2211751 100644 --- a/src/firejail/chroot.c +++ b/src/firejail/chroot.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * 
@@ -20,28 +20,27 @@ #ifdef HAVE_CHROOT #include "firejail.h" +#include "../include/gcov_wrapper.h" #include #include #include #include #ifndef O_PATH -# define O_PATH 010000000 +#define O_PATH 010000000 #endif - // exit if error void fs_check_chroot_dir(void) { EUID_ASSERT(); assert(cfg.chrootdir); if (strstr(cfg.chrootdir, "..") || - is_link(cfg.chrootdir) || - !is_dir(cfg.chrootdir)) + is_link(cfg.chrootdir)) goto errout; // check chroot dirname exists, chrooting into the root directory is not allowed char *rpath = realpath(cfg.chrootdir, NULL); - if (rpath == NULL || strcmp(rpath, "/") == 0) + if (rpath == NULL || !is_dir(rpath) || strcmp(rpath, "/") == 0) goto errout; char *overlay; @@ -52,6 +51,7 @@ void fs_check_chroot_dir(void) { exit(1); } free(overlay); + cfg.chrootdir = rpath; return; 
@@ -60,27 +60,33 @@ void fs_check_chroot_dir(void) { exit(1); } -// copy /etc/resolv.conf in chroot directory -static void copy_resolvconf(int parentfd) { - int in = open("/etc/resolv.conf", O_RDONLY|O_CLOEXEC); +// copy /etc/resolv.conf or /etc/machine-id in chroot directory +static void update_file(int parentfd, const char *relpath) { + assert(relpath && relpath[0] && relpath[0] != '/'); + + char *abspath; + if (asprintf(&abspath, "/%s", relpath) == -1) + errExit("asprintf"); + int in = open(abspath, O_RDONLY|O_CLOEXEC); + free(abspath); if (in == -1) goto errout; + struct stat src; if (fstat(in, &src) == -1) errExit("fstat"); - // try to detect if resolv.conf has been bind mounted into the chroot - // do nothing in this case in order to not unlink the real file + // try to detect if file has been bind mounted into the chroot struct stat dst; - if (fstatat(parentfd, "etc/resolv.conf", &dst, 0) == 0) { + if (fstatat(parentfd, relpath, &dst, 0) == 0) { if (src.st_dev == dst.st_dev && src.st_ino == dst.st_ino) { close(in); return; } } if (arg_debug) - printf("Updating /etc/resolv.conf in chroot\n"); - unlinkat(parentfd, "etc/resolv.conf", 0); - int out = openat(parentfd, "etc/resolv.conf", O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); + printf("Updating chroot /%s\n", relpath); + unlinkat(parentfd, relpath, 0); + int out = openat(parentfd, relpath, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); if (out == -1) { close(in); goto errout; 
@@ -92,12 +98,12 @@ static void copy_resolvconf(int parentfd) { return; errout: - fwarning("/etc/resolv.conf not initialized\n"); + fwarning("chroot /%s not initialized\n", relpath); } // exit if error static void check_subdir(int parentfd, const char *subdir, int check_writable) { - assert(subdir); + assert(subdir && subdir[0] && subdir[0] != '/'); struct stat s; if (fstatat(parentfd, subdir, &s, AT_SYMLINK_NOFOLLOW) != 0) { fprintf(stderr, "Error: cannot find /%s in chroot directory\n", subdir); @@ -125,9 +131,9 @@ void fs_chroot(const char *rootdir) { assert(rootdir); // fails if there is any symlink or if rootdir is not a directory - int parentfd = safe_fd(rootdir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + int parentfd = safer_openat(-1, rootdir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); if (parentfd == -1) - errExit("safe_fd"); + errExit("safer_openat"); // rootdir has to be owned by root and is not allowed to be generally writable, // this also excludes /tmp and friends struct stat s; @@ -146,6 +152,7 @@ void fs_chroot(const char *rootdir) { check_subdir(parentfd, "etc", 1); check_subdir(parentfd, "proc", 0); check_subdir(parentfd, "tmp", 0); + check_subdir(parentfd, "var", 1); check_subdir(parentfd, "var/tmp", 0); // mount-bind a /dev in rootdir 
@@ -156,86 +163,112 @@ void fs_chroot(const char *rootdir) { int fd = openat(parentfd, "dev", O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); if (fd == -1) errExit("open"); - char *proc; - if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) - errExit("asprintf"); - if (mount("/dev", proc, NULL, MS_BIND|MS_REC, NULL) < 0) + if (bind_mount_path_to_fd("/dev", fd)) errExit("mounting /dev"); - free(proc); close(fd); - // x11 - if (getenv("FIREJAIL_X11")) { +#ifdef HAVE_X11 + // if users want this mount, they should set FIREJAIL_CHROOT_X11 + if (env_get("FIREJAIL_X11") || env_get("FIREJAIL_CHROOT_X11")) { if (arg_debug) printf("Mounting /tmp/.X11-unix on chroot /tmp/.X11-unix\n"); + struct stat s1, s2; + if (stat("/tmp", &s1) || lstat("/tmp/.X11-unix", &s2)) + errExit("mounting /tmp/.X11-unix"); + if ((s1.st_mode & S_ISVTX) != S_ISVTX) { + fprintf(stderr, "Error: sticky bit not set on /tmp directory\n"); + exit(1); + } + if (s2.st_uid != 0) { + fprintf(stderr, "Error: /tmp/.X11-unix not owned by root user\n"); + exit(1); + } + check_subdir(parentfd, "tmp/.X11-unix", 0); fd = openat(parentfd, "tmp/.X11-unix", O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); if (fd == -1) errExit("open"); - if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) - errExit("asprintf"); - if (mount("/tmp/.X11-unix", proc, NULL, MS_BIND|MS_REC, NULL) < 0) + if (bind_mount_path_to_fd("/tmp/.X11-unix", fd)) errExit("mounting /tmp/.X11-unix"); - free(proc); close(fd); } +#endif // HAVE_X11 // some older distros don't have a /run directory, create one by default if (mkdirat(parentfd, "run", 0755) == -1 && errno != EEXIST) errExit("mkdir"); check_subdir(parentfd, "run", 1); + // pulseaudio; only support for default directory /run/user/$UID/pulse + if (env_get("FIREJAIL_CHROOT_PULSE")) { + char *pulse; + if (asprintf(&pulse, "%s/run/user/%d/pulse", cfg.chrootdir, getuid()) == -1) + errExit("asprintf"); + char *orig_pulse = pulse + strlen(cfg.chrootdir); + + if (arg_debug) + printf("Mounting %s on chroot %s\n", 
orig_pulse, orig_pulse); + int src = safer_openat(-1, orig_pulse, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + if (src == -1) { + fprintf(stderr, "Error: cannot open %s\n", orig_pulse); + exit(1); + } + int dst = safer_openat(-1, pulse, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + if (dst == -1) { + fprintf(stderr, "Error: cannot open %s\n", pulse); + exit(1); + } + if (bind_mount_by_fd(src, dst)) + errExit("mounting pulseaudio"); + close(src); + close(dst); + free(pulse); + + // update /etc/machine-id in chroot + update_file(parentfd, "etc/machine-id"); + } + // create /run/firejail directory in chroot - if (mkdirat(parentfd, RUN_FIREJAIL_DIR+1, 0755) == -1 && errno != EEXIST) + if (mkdirat(parentfd, &RUN_FIREJAIL_DIR[1], 0755) == -1 && errno != EEXIST) errExit("mkdir"); - check_subdir(parentfd, RUN_FIREJAIL_DIR+1, 1); + check_subdir(parentfd, &RUN_FIREJAIL_DIR[1], 1); // create /run/firejail/lib directory in chroot - if (mkdirat(parentfd, RUN_FIREJAIL_LIB_DIR+1, 0755) == -1 && errno != EEXIST) + if (mkdirat(parentfd, &RUN_FIREJAIL_LIB_DIR[1], 0755) == -1 && errno != EEXIST) errExit("mkdir"); - check_subdir(parentfd, RUN_FIREJAIL_LIB_DIR+1, 1); + check_subdir(parentfd, &RUN_FIREJAIL_LIB_DIR[1], 1); // mount lib directory into the chroot - fd = openat(parentfd, RUN_FIREJAIL_LIB_DIR+1, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + fd = openat(parentfd, &RUN_FIREJAIL_LIB_DIR[1], O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); if (fd == -1) errExit("open"); - if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) - errExit("asprintf"); - if (mount(RUN_FIREJAIL_LIB_DIR, proc, NULL, MS_BIND|MS_REC, NULL) < 0) + if (bind_mount_path_to_fd(RUN_FIREJAIL_LIB_DIR, fd)) errExit("mount bind"); - free(proc); close(fd); // create /run/firejail/mnt directory in chroot - if (mkdirat(parentfd, RUN_MNT_DIR+1, 0755) == -1 && errno != EEXIST) + if (mkdirat(parentfd, &RUN_MNT_DIR[1], 0755) == -1 && errno != EEXIST) errExit("mkdir"); - check_subdir(parentfd, RUN_MNT_DIR+1, 1); + check_subdir(parentfd, 
&RUN_MNT_DIR[1], 1); // mount the current mnt directory into the chroot - fd = openat(parentfd, RUN_MNT_DIR+1, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + fd = openat(parentfd, &RUN_MNT_DIR[1], O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); if (fd == -1) errExit("open"); - if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) - errExit("asprintf"); - if (mount(RUN_MNT_DIR, proc, NULL, MS_BIND|MS_REC, NULL) < 0) + if (bind_mount_path_to_fd(RUN_MNT_DIR, fd)) errExit("mount bind"); - free(proc); close(fd); // update chroot resolv.conf - copy_resolvconf(parentfd); + update_file(parentfd, "etc/resolv.conf"); -#ifdef HAVE_GCOV __gcov_flush(); -#endif + // create /run/firejail/mnt/oroot char *oroot = RUN_OVERLAY_ROOT; if (mkdir(oroot, 0755) == -1) errExit("mkdir"); // mount the chroot dir on top of /run/firejail/mnt/oroot in order to reuse the apparmor rules for overlay - if (asprintf(&proc, "/proc/self/fd/%d", parentfd) == -1) - errExit("asprintf"); - if (mount(proc, oroot, NULL, MS_BIND|MS_REC, NULL) < 0) + if (bind_mount_fd_to_path(parentfd, oroot)) errExit("mounting rootdir oroot"); - free(proc); close(parentfd); // chroot into the new directory if (arg_debug) @@ -243,15 +276,15 @@ void fs_chroot(const char *rootdir) { if (chroot(oroot) < 0) errExit("chroot"); - // create all other /run/firejail files and directories - preproc_build_firejail_dir(); - // mount a new proc filesystem if (arg_debug) printf("Mounting /proc filesystem representing the PID namespace\n"); if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) errExit("mounting /proc"); + // create all other /run/firejail files and directories + preproc_build_firejail_dir(); + // update /var directory in order to support multiple sandboxes running on the same root directory // if (!arg_private_dev) // fs_dev_shm(); diff --git a/src/firejail/cmdline.c b/src/firejail/cmdline.c index 91279a97746..2fa68a55dbb 100644 --- a/src/firejail/cmdline.c +++ b/src/firejail/cmdline.c 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -26,7 +26,7 @@ #include #include -static int cmdline_length(int argc, char **argv, int index) { +static int cmdline_length(int argc, char **argv, int index, bool want_extra_quotes) { assert(index != -1); unsigned i,j; @@ -46,10 +46,11 @@ static int cmdline_length(int argc, char **argv, int index) { len += 3; in_quotes = false; } else { - if (!in_quotes) + if (!in_quotes && want_extra_quotes) len++; len++; - in_quotes = true; + if (want_extra_quotes) + in_quotes = true; } } if (in_quotes) { @@ -64,7 +65,7 @@ static int cmdline_length(int argc, char **argv, int index) { return len; } -static void quote_cmdline(char *command_line, char *window_title, int len, int argc, char **argv, int index) { +static void quote_cmdline(char *command_line, char *window_title, int len, int argc, char **argv, int index, bool want_extra_quotes) { assert(index != -1); unsigned i,j; @@ -103,14 +104,15 @@ static void quote_cmdline(char *command_line, char *window_title, int len, int a // anything other else { - if (!in_quotes) { + if (!in_quotes && want_extra_quotes) { // open quotes ptr1[0] = '\''; ptr1++; } ptr1[0] = argv[i + index][j]; ptr1++; - in_quotes = true; + if (want_extra_quotes) + in_quotes = true; } } // close quotes 
@@ -134,12 +136,12 @@ static void quote_cmdline(char *command_line, char *window_title, int len, int a assert((unsigned) len == strlen(command_line)); } -void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index) { +void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, bool want_extra_quotes) { // index == -1 could happen if we have --shell=none and no program was specified // the program should exit with an error before entering this function assert(index != -1); - int len = cmdline_length(argc, argv, index); + int len = cmdline_length(argc, argv, index, want_extra_quotes); if (len > ARG_MAX) { errno = E2BIG; errExit("cmdline_length"); @@ -152,7 +154,7 @@ void build_cmdline(char **command_line, char **window_title, int argc, char **ar if (!*window_title) errExit("malloc"); - quote_cmdline(*command_line, *window_title, len, argc, argv, index); + quote_cmdline(*command_line, *window_title, len, argc, argv, index, want_extra_quotes); if (arg_debug) printf("Building quoted command line: %s\n", *command_line); 
@@ -161,30 +163,23 @@ void build_cmdline(char **command_line, char **window_title, int argc, char **ar assert(*window_title); } -void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, char *apprun_path) { +void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, bool want_extra_quotes) { // index == -1 could happen if we have --shell=none and no program was specified // the program should exit with an error before entering this function assert(index != -1); - if (arg_debug) - printf("Building AppImage command line: %s\n", *command_line); - + char *apprun_path = RUN_FIREJAIL_APPIMAGE_DIR "/AppRun"; - int len1 = cmdline_length(argc, argv, index); // length of argv w/o changes - int len2 = cmdline_length(1, &argv[index], 0); // apptest.AppImage - int len3 = cmdline_length(1, &apprun_path, 0); // /run/firejail/appimage/.appimage-23304/AppRun - int len4 = (len1 - len2 + len3) + 1; // apptest.AppImage is replaced by /path/to/AppRun + int len1 = cmdline_length(argc, argv, index, want_extra_quotes); // length of argv w/o changes + int len2 = cmdline_length(1, &argv[index], 0, want_extra_quotes); // apptest.AppImage + int len3 = cmdline_length(1, &apprun_path, 0, want_extra_quotes); // /run/firejail/appimage/AppRun + int len4 = (len1 - len2 + len3) + 1; // apptest.AppImage is replaced by /path/to/AppRun if (len4 > ARG_MAX) { errno = E2BIG; errExit("cmdline_length"); } - // save created apprun in cfg.command_line - char *tmp1 = strdup(*command_line); - if (!tmp1) - errExit("strdup"); - // TODO: deal with extra allocated memory. char *command_line_tmp = malloc(len1 + len3 + 1); if (!command_line_tmp) 
@@ -194,19 +189,18 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc, errExit("malloc"); // run default quote_cmdline - quote_cmdline(command_line_tmp, *window_title, len1, argc, argv, index); + quote_cmdline(command_line_tmp, *window_title, len1, argc, argv, index, want_extra_quotes); assert(command_line_tmp); assert(*window_title); // 'fix' command_line now - if (asprintf(command_line, "'%s' %s", tmp1, command_line_tmp + len2) == -1) + if (asprintf(command_line, "'%s' %s", apprun_path, command_line_tmp + len2) == -1) errExit("asprintf"); if (arg_debug) printf("AppImage quoted command line: %s\n", *command_line); // free strdup - free(tmp1); free(command_line_tmp); } diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c index 66fa9fadf4c..fe7258fb047 100644 --- a/src/firejail/cpu.c +++ b/src/firejail/cpu.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -75,7 +75,7 @@ void save_cpu(void) { if (cfg.cpus == 0) return; - FILE *fp = fopen(RUN_CPU_CFG, "w"); + FILE *fp = fopen(RUN_CPU_CFG, "wxe"); if (fp) { fprintf(fp, "%x\n", cfg.cpus); SET_PERMS_STREAM(fp, 0, 0, 0600); @@ -91,7 +91,7 @@ void load_cpu(const char *fname) { if (!fname) return; - FILE *fp = fopen(fname, "r"); + FILE *fp = fopen(fname, "re"); if (fp) { unsigned tmp; int rv = fscanf(fp, "%x", &tmp); @@ -139,7 +139,7 @@ static void print_cpu(int pid) { } EUID_ROOT(); // grsecurity - FILE *fp = fopen(file, "r"); + FILE *fp = fopen(file, "re"); EUID_USER(); // grsecurity if (!fp) { printf(" Error: cannot open %s\n", file); diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c index 0f4f18c5715..735ff54fa98 100644 --- a/src/firejail/dbus.c +++ b/src/firejail/dbus.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * 
@@ -17,6 +17,7 @@ * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ +#ifdef HAVE_DBUSPROXY #include "firejail.h" #include #include @@ -41,14 +42,14 @@ #define DBUS_USER_PROXY_SOCKET_FORMAT DBUS_USER_DIR_FORMAT "/%d-user" #define DBUS_SYSTEM_PROXY_SOCKET_FORMAT DBUS_USER_DIR_FORMAT "/%d-system" #define DBUS_MAX_NAME_LENGTH 255 -#define XDG_DBUS_PROXY_PATH "/usr/bin/xdg-dbus-proxy" +// moved to include/common.h - #define XDG_DBUS_PROXY_PATH "/usr/bin/xdg-dbus-proxy" static pid_t dbus_proxy_pid = 0; static int dbus_proxy_status_fd = -1; static char *dbus_user_proxy_socket = NULL; static char *dbus_system_proxy_socket = NULL; -int dbus_check_name(const char *name) { +static int check_bus_or_interface_name(const char *name, int hyphens_allowed) { unsigned long length = strlen(name); if (length == 0 || length > DBUS_MAX_NAME_LENGTH) return 0; @@ -62,14 +63,14 @@ int dbus_check_name(const char *name) { if (*p == '.') { ++segments; in_segment = 0; - } else if (!alpha && !digit && *p != '_' && *p != '-') { + } else if (!alpha && !digit && *p != '_' && (!hyphens_allowed || *p != '-')) { return 0; } } else { if (*p == '*') { return *(p + 1) == '\0'; - } else if (!alpha && *p != '_' && *p != '-') { + } else if (!alpha && *p != '_' && (!hyphens_allowed || *p != '-')) { return 0; } in_segment = 1; 
@@ -79,6 +80,72 @@ int dbus_check_name(const char *name) { return in_segment && segments >= 2; } +static int check_object_path(const char *path) { + unsigned long length = strlen(path); + if (length == 0 || path[0] != '/') + return 0; + // The root path "/" is the only path allowed to have a trailing slash. + if (length == 1) + return 1; + const char *p = path + 1; + int segments = 1; + int in_segment = 0; + while (*p) { + int alpha = (*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z'); + int digit = *p >= '0' && *p <= '9'; + if (in_segment) { + if (*p == '/') { + ++segments; + in_segment = 0; + } else if (!alpha && !digit && *p != '_') { + return 0; + } + } + else { + if (*p == '*') { + return *(p + 1) == '\0'; + } else if (!alpha && *p != '_') { + return 0; + } + in_segment = 1; + } + ++p; + } + return in_segment && segments >= 1; +} + +int dbus_check_name(const char *name) { + return check_bus_or_interface_name(name, 1); +} + +int dbus_check_call_rule(const char *rule) { + char buf[DBUS_MAX_NAME_LENGTH + 1]; + char *name_end = strchr(rule, '='); + if (name_end == NULL) + return 0; + size_t name_length = (size_t) (name_end - rule); + if (name_length > DBUS_MAX_NAME_LENGTH) + return 0; + strncpy(buf, rule, (size_t) name_length); + buf[name_length] = '\0'; + if (!dbus_check_name(buf)) + return 0; + ++name_end; + char *interface_end = strchr(name_end, '@'); + if (interface_end == NULL) + return check_bus_or_interface_name(name_end, 0); + size_t interface_length = (size_t) (interface_end - name_end); + if (interface_length > DBUS_MAX_NAME_LENGTH) + return 0; + if (interface_length > 0) { + strncpy(buf, name_end, interface_length); + buf[interface_length] = '\0'; + if (!check_bus_or_interface_name(buf, 0)) + return 0; + } + return check_object_path(interface_end + 1); +} + static void dbus_check_bus_profile(char const *prefix, DbusPolicy *policy) { if (*policy == DBUS_POLICY_FILTER) { struct stat s; 
@@ -113,7 +180,7 @@ static void dbus_check_bus_profile(char const *prefix, DbusPolicy *policy) { } } - if (num_matches > 0) { + if (num_matches > 0 && !arg_quiet) { assert(first_match != NULL); if (num_matches == 1) { fprintf(stderr, "Ignoring \"%s\".\n", first_match); @@ -191,12 +258,8 @@ static char *find_user_socket_by_format(char *format) { if (asprintf(&dbus_user_socket, format, (int) getuid()) == -1) errExit("asprintf"); struct stat s; - if (stat(dbus_user_socket, &s) == -1) { - if (errno == ENOENT) - goto fail; - return NULL; - errExit("stat"); - } + if (lstat(dbus_user_socket, &s) == -1) + goto fail; if (!S_ISSOCK(s.st_mode)) goto fail; return dbus_user_socket; @@ -219,6 +282,8 @@ static char *find_user_socket(void) { void dbus_proxy_start(void) { dbus_create_user_dir(); + EUID_USER(); + int status_pipe[2]; if (pipe(status_pipe) == -1) errExit("pipe"); @@ -233,10 +298,21 @@ void dbus_proxy_start(void) { errExit("fork"); if (dbus_proxy_pid == 0) { int i; - for (i = 3; i < FIREJAIL_MAX_FD; i++) { + for (i = STDERR_FILENO + 1; i < FIREJAIL_MAX_FD; i++) { if (i != status_pipe[1] && i != args_pipe[0]) close(i); // close open files } + if (arg_dbus_log_file != NULL) { + int output_fd = creat(arg_dbus_log_file, 0666); + if (output_fd < 0) + errExit("creat"); + if (output_fd != STDOUT_FILENO) { + if (dup2(output_fd, STDOUT_FILENO) != STDOUT_FILENO) + errExit("dup2"); + close(output_fd); + } + } + close(STDIN_FILENO); char *args[4] = {XDG_DBUS_PROXY_PATH, NULL, NULL, NULL}; if (asprintf(&args[1], "--fd=%d", status_pipe[1]) == -1 || asprintf(&args[2], "--args=%d", args_pipe[0]) == -1) @@ -249,7 +325,7 @@ void dbus_proxy_start(void) { errExit("close"); if (arg_dbus_user == DBUS_POLICY_FILTER) { - char *user_env = getenv(DBUS_SESSION_BUS_ADDRESS_ENV); + const char *user_env = env_get(DBUS_SESSION_BUS_ADDRESS_ENV); if (user_env == NULL) { char *dbus_user_socket = find_user_socket(); write_arg(args_pipe[1], DBUS_SOCKET_PATH_PREFIX "%s", 
@@ -262,12 +338,15 @@ void dbus_proxy_start(void) { (int) getuid(), (int) getpid()) == -1) errExit("asprintf"); write_arg(args_pipe[1], "%s", dbus_user_proxy_socket); + if (arg_dbus_log_user) { + write_arg(args_pipe[1], "--log"); + } write_arg(args_pipe[1], "--filter"); write_profile(args_pipe[1], "dbus-user."); } if (arg_dbus_system == DBUS_POLICY_FILTER) { - char *system_env = getenv(DBUS_SYSTEM_BUS_ADDRESS_ENV); + const char *system_env = env_get(DBUS_SYSTEM_BUS_ADDRESS_ENV); if (system_env == NULL) { write_arg(args_pipe[1], DBUS_SOCKET_PATH_PREFIX DBUS_SYSTEM_SOCKET); @@ -278,6 +357,9 @@ void dbus_proxy_start(void) { (int) getuid(), (int) getpid()) == -1) errExit("asprintf"); write_arg(args_pipe[1], "%s", dbus_system_proxy_socket); + if (arg_dbus_log_system) { + write_arg(args_pipe[1], "--log"); + } write_arg(args_pipe[1], "--filter"); write_profile(args_pipe[1], "dbus-system."); } @@ -330,7 +412,7 @@ void dbus_proxy_stop(void) { } static void socket_overlay(char *socket_path, char *proxy_path) { - int fd = safe_fd(proxy_path, O_PATH | O_NOFOLLOW | O_CLOEXEC); + int fd = safer_openat(-1, proxy_path, O_PATH | O_NOFOLLOW | O_CLOEXEC); if (fd == -1) errExit("opening DBus proxy socket"); struct stat s; @@ -340,17 +422,13 @@ static void socket_overlay(char *socket_path, char *proxy_path) { errno = ENOTSOCK; errExit("mounting DBus proxy socket"); } - char *proxy_fd_path; - if (asprintf(&proxy_fd_path, "/proc/self/fd/%d", fd) == -1) - errExit("asprintf"); - if (mount(proxy_path, socket_path, NULL, MS_BIND | MS_REC, NULL) == -1) + if (bind_mount_fd_to_path(fd, socket_path)) errExit("mount bind"); - free(proxy_fd_path); close(fd); } -static char *get_socket_env(const char *name) { - char *value = getenv(name); +static const char *get_socket_env(const char *name) { + const char *value = env_get(name); if (value == NULL) return NULL; if (strncmp(value, DBUS_SOCKET_PATH_PREFIX, 
@@ -359,6 +437,16 @@ static char *get_socket_env(const char *name) { return NULL; } +void dbus_set_session_bus_env(void) { + env_store_name_val(DBUS_SESSION_BUS_ADDRESS_ENV, + DBUS_SOCKET_PATH_PREFIX RUN_DBUS_USER_SOCKET, SETENV); +} + +void dbus_set_system_bus_env(void) { + env_store_name_val(DBUS_SYSTEM_BUS_ADDRESS_ENV, + DBUS_SOCKET_PATH_PREFIX RUN_DBUS_SYSTEM_SOCKET, SETENV); +} + static void disable_socket_dir(void) { struct stat s; if (stat(RUN_FIREJAIL_DBUS_DIR, &s) == 0) @@ -380,10 +468,10 @@ void dbus_apply_policy(void) { } create_empty_dir_as_root(RUN_DBUS_DIR, 0755); - create_empty_file_as_root(RUN_DBUS_USER_SOCKET, 0700); - create_empty_file_as_root(RUN_DBUS_SYSTEM_SOCKET, 0700); if (arg_dbus_user != DBUS_POLICY_ALLOW) { + create_empty_file_as_root(RUN_DBUS_USER_SOCKET, 0600); + if (arg_dbus_user == DBUS_POLICY_FILTER) { assert(dbus_user_proxy_socket != NULL); socket_overlay(RUN_DBUS_USER_SOCKET, dbus_user_proxy_socket); @@ -402,7 +490,7 @@ void dbus_apply_policy(void) { errExit("asprintf"); disable_file_or_dir(dbus_user_socket2); - char *user_env = get_socket_env(DBUS_SESSION_BUS_ADDRESS_ENV); + const char *user_env = get_socket_env(DBUS_SESSION_BUS_ADDRESS_ENV); if (user_env != NULL && strcmp(user_env, dbus_user_socket) != 0 && strcmp(user_env, dbus_user_socket2) != 0) disable_file_or_dir(user_env); @@ -410,12 +498,7 @@ void dbus_apply_policy(void) { free(dbus_user_socket); free(dbus_user_socket2); - if (setenv(DBUS_SESSION_BUS_ADDRESS_ENV, - DBUS_SOCKET_PATH_PREFIX RUN_DBUS_USER_SOCKET, 1) == -1) { - fprintf(stderr, "Error: cannot modify " DBUS_SESSION_BUS_ADDRESS_ENV - " required by --dbus-user\n"); - exit(1); - } + dbus_set_session_bus_env(); // blacklist the dbus-launch user directory char *path; 
@@ -426,6 +509,8 @@ void dbus_apply_policy(void) { } if (arg_dbus_system != DBUS_POLICY_ALLOW) { + create_empty_file_as_root(RUN_DBUS_SYSTEM_SOCKET, 0600); + if (arg_dbus_system == DBUS_POLICY_FILTER) { assert(dbus_system_proxy_socket != NULL); socket_overlay(RUN_DBUS_SYSTEM_SOCKET, dbus_system_proxy_socket); @@ -434,16 +519,11 @@ void dbus_apply_policy(void) { disable_file_or_dir(DBUS_SYSTEM_SOCKET); - char *system_env = get_socket_env(DBUS_SYSTEM_BUS_ADDRESS_ENV); + const char *system_env = get_socket_env(DBUS_SYSTEM_BUS_ADDRESS_ENV); if (system_env != NULL && strcmp(system_env, DBUS_SYSTEM_SOCKET) != 0) disable_file_or_dir(system_env); - if (setenv(DBUS_SYSTEM_BUS_ADDRESS_ENV, - DBUS_SOCKET_PATH_PREFIX RUN_DBUS_SYSTEM_SOCKET, 1) == -1) { - fprintf(stderr, "Error: cannot modify " DBUS_SYSTEM_BUS_ADDRESS_ENV - " required by --dbus-system\n"); - exit(1); - } + dbus_set_system_bus_env(); } // Only disable access to /run/firejail/dbus here, when the sockets have been bind-mounted. @@ -460,10 +540,9 @@ void dbus_apply_policy(void) { return; // --protocol=unix -#ifdef HAVE_SECCOMP if (cfg.protocol && !strstr(cfg.protocol, "unix")) return; -#endif fwarning("An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.\n"); } +#endif // HAVE_DBUSPROXY diff --git a/src/firejail/dhcp.c b/src/firejail/dhcp.c index 37547a985cc..ec482e2ea05 100644 --- a/src/firejail/dhcp.c +++ b/src/firejail/dhcp.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -93,7 +93,7 @@ static pid_t dhcp_read_pidfile(const Dhclient *client) { while (found == 0 && tries < 10) { if (tries >= 1) usleep(100000); - FILE *pidfile = fopen(client->pid_file, "r"); + FILE *pidfile = fopen(client->pid_file, "re"); if (pidfile) { long pid; if (fscanf(pidfile, "%ld", &pid) == 1) 
@@ -130,7 +130,9 @@ static void dhcp_waitll_all() { dhcp_waitll(cfg.bridge3.devsandbox); } -void dhcp_start(void) { +// Temporarily copy dhclient executable under /run/firejail/mnt and start it from there +// in order to recognize it later in firemon and firetools +void dhcp_store_exec(void) { if (!any_dhcp()) return; @@ -144,6 +146,20 @@ void dhcp_start(void) { } } + sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", dhclient_path, RUN_MNT_DIR); +} + +void dhcp_start(void) { + if (!any_dhcp()) + return; + + char *dhclient_path = RUN_MNT_DIR "/dhclient"; + struct stat s; + if (stat(dhclient_path, &s) == -1) { + fprintf(stderr, "Error: %s was not found.\n", dhclient_path); + exit(1); + } + EUID_ROOT(); if (mkdir(RUN_DHCLIENT_DIR, 0700)) errExit("mkdir"); @@ -163,4 +179,6 @@ void dhcp_start(void) { exit(1); } } + + unlink(dhclient_path); } diff --git a/src/firejail/env.c b/src/firejail/env.c index a8b344544e2..ad16de03730 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -25,8 +25,8 @@ typedef struct env_t { struct env_t *next; - char *name; - char *value; + const char *name; + const char *value; ENV_OP op; } Env; static Env *envlist = NULL; @@ -59,12 +59,7 @@ void env_ibus_load(void) { if (asprintf(&dirname, "%s/.config/ibus/bus", cfg.homedir) == -1) errExit("asprintf"); - struct stat s; - if (stat(dirname, &s) == -1) - return; - // find the file - /* coverity[toctou] */ DIR *dir = opendir(dirname); if (!dir) { free(dirname); @@ -84,7 +79,7 @@ void env_ibus_load(void) { char *fname; if (asprintf(&fname, "%s/%s", dirname, entry->d_name) == -1) errExit("asprintf"); - FILE *fp = fopen(fname, "r"); + FILE *fp = fopen(fname, "re"); free(fname); if (!fp) continue; 
@@ -117,60 +112,49 @@ void env_ibus_load(void) { // default sandbox env variables void env_defaults(void) { // Qt fixes - if (setenv("QT_X11_NO_MITSHM", "1", 1) < 0) - errExit("setenv"); - if (setenv("QML_DISABLE_DISK_CACHE", "1", 1) < 0) - errExit("setenv"); -// if (setenv("QTWEBENGINE_DISABLE_SANDBOX", "1", 1) < 0) -// errExit("setenv"); -// if (setenv("MOZ_NO_REMOTE, "1", 1) < 0) -// errExit("setenv"); - if (setenv("container", "firejail", 1) < 0) // LXC sets container=lxc, - errExit("setenv"); + env_store_name_val("QT_X11_NO_MITSHM", "1", SETENV); + env_store_name_val("QML_DISABLE_DISK_CACHE", "1", SETENV); +// env_store_name_val("QTWEBENGINE_DISABLE_SANDBOX", "1", SETENV); +// env_store_name_val("MOZ_NO_REMOTE, "1", SETENV); + env_store_name_val("container", "firejail", SETENV); // LXC sets container=lxc, if (!cfg.shell) cfg.shell = guess_shell(); - if (cfg.shell && setenv("SHELL", cfg.shell, 1) < 0) - errExit("setenv"); + if (cfg.shell) + env_store_name_val("SHELL", cfg.shell, SETENV); // spawn KIO slaves inside the sandbox - if (setenv("KDE_FORK_SLAVES", "1", 1) < 0) - errExit("setenv"); + env_store_name_val("KDE_FORK_SLAVES", "1", SETENV); // set prompt color to green int set_prompt = 0; if (checkcfg(CFG_FIREJAIL_PROMPT)) set_prompt = 1; else { // check FIREJAIL_PROMPT="yes" environment variable - char *prompt = getenv("FIREJAIL_PROMPT"); + const char *prompt = env_get("FIREJAIL_PROMPT"); if (prompt && strcmp(prompt, "yes") == 0) set_prompt = 1; } - if (set_prompt) { + if (set_prompt) //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] ' - if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0) - errExit("setenv"); - } - else { + env_store_name_val("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", SETENV); + else // remove PROMPT_COMMAND - if (setenv("PROMPT_COMMAND", ":", 1) < 0) // unsetenv() will not work here, bash still picks it up from somewhere - errExit("setenv"); - } + 
env_store_name_val("PROMPT_COMMAND", ":", SETENV); // unsetenv() will not work here, bash still picks it up from somewhere // set the window title - if (!arg_quiet) + if (!arg_quiet && isatty(STDOUT_FILENO)) printf("\033]0;firejail %s\007", cfg.window_title); // pass --quiet as an environment variable, in case the command calls further firejailed commands if (arg_quiet) - setenv("FIREJAIL_QUIET", "yes", 1); + env_store_name_val("FIREJAIL_QUIET", "yes", SETENV); fflush(0); } // parse and store the environment setting void env_store(const char *str, ENV_OP op) { - EUID_ASSERT(); assert(str); // some basic checking @@ -181,8 +165,7 @@ void env_store(const char *str, ENV_OP op) { if (!ptr) goto errexit; ptr++; - if (*ptr == '\0') - goto errexit; + op = SETENV; } // build list entry @@ -210,8 +193,40 @@ void env_store(const char *str, ENV_OP op) { exit(1); } +void env_store_name_val(const char *name, const char *val, ENV_OP op) { + assert(name); + + // some basic checking + if (*name == '\0') + goto errexit; + + // build list entry + Env *env = calloc(1, sizeof(Env)); + if (!env) + errExit("calloc"); + + env->name = strdup(name); + if (env->name == NULL) + errExit("strdup"); + + if (op == SETENV) { + env->value = strdup(val); + if (env->value == NULL) + errExit("strdup"); + } + env->op = op; + + // add entry to the list + env_add(env); + return; + +errexit: + fprintf(stderr, "Error: invalid --env setting\n"); + exit(1); +} + // set env variables in the new sandbox process -void env_apply(void) { +void env_apply_all(void) { Env *env = envlist; while (env) { 
@@ -225,3 +240,85 @@ void env_apply(void) { env = env->next; } } + +// get env variable +const char *env_get(const char *name) { + Env *env = envlist; + const char *r = NULL; + + while (env) { + if (strcmp(env->name, name) == 0) { + if (env->op == SETENV) + r = env->value; + else if (env->op == RMENV) + r = NULL; + } + env = env->next; + } + return r; +} + +static const char * const env_whitelist[] = { + "LANG", + "LANGUAGE", + "LC_MESSAGES", + // "PATH", + "DISPLAY" // required by X11 +}; + +static const char * const env_whitelist_sbox[] = { + "FIREJAIL_DEBUG", + "FIREJAIL_FILE_COPY_LIMIT", + "FIREJAIL_PLUGIN", + "FIREJAIL_QUIET", + "FIREJAIL_SECCOMP_ERROR_ACTION", + "FIREJAIL_TEST_ARGUMENTS", + "FIREJAIL_TRACEFILE" +}; + +static void env_apply_list(const char * const *list, unsigned int num_items) { + Env *env = envlist; + + while (env) { + if (env->op == SETENV) { + for (unsigned int i = 0; i < num_items; i++) + if (strcmp(env->name, list[i]) == 0) { + // sanity check for whitelisted environment variables + if (strlen(env->name) + strlen(env->value) >= MAX_ENV_LEN) { + fprintf(stderr, "Error: too long environment variable %s, please use --rmenv\n", env->name); + exit(1); + } + + //fprintf(stderr, "whitelisted env var %s=%s\n", env->name, env->value); + if (setenv(env->name, env->value, 1) < 0) + errExit("setenv"); + break; + } + } else if (env->op == RMENV) + unsetenv(env->name); + + env = env->next; + } +} + +// Filter env variables in main firejail process. All variables will +// be reapplied for the sandboxed app by env_apply_all(). 
+void env_apply_whitelist(void) { + int r; + + r = clearenv(); + if (r != 0) + errExit("clearenv"); + + env_apply_list(env_whitelist, ARRAY_SIZE(env_whitelist)); + + // hardcoding PATH + if (setenv("PATH", "/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin", 1) < 0) + errExit("setenv"); +} + +// Filter env variables for a sbox app +void env_apply_whitelist_sbox(void) { + env_apply_whitelist(); + env_apply_list(env_whitelist_sbox, ARRAY_SIZE(env_whitelist_sbox)); +} diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 9b288b1b9d4..e1ba8f48af4 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -45,6 +45,15 @@ assert(s.st_gid == gid);\ assert((s.st_mode & 07777) == (mode));\ } while (0) +#define ASSERT_PERMS_AS_USER(file, uid, gid, mode) \ + do { \ + assert(file);\ + struct stat s;\ + if (stat_as_user(file, &s) == -1) errExit("stat");\ + assert(s.st_uid == uid);\ + assert(s.st_gid == gid);\ + assert((s.st_mode & 07777) == (mode));\ + } while (0) #define ASSERT_PERMS_FD(fd, uid, gid, mode) \ do { \ struct stat s;\ @@ -81,6 +90,8 @@ (void) rv;\ } while (0) +#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) + // main.c typedef struct bridge_t { // on the host 
@@ -120,26 +131,22 @@ typedef struct interface_t { uint8_t configured; } Interface; +typedef struct topdir_t { + char *path; + int fd; +} TopDir; + typedef struct profile_entry_t { struct profile_entry_t *next; char *data; // command // whitelist command parameters - char *link; // link name - set if the file is a link - enum { - WLDIR_HOME = 1, // whitelist in home directory - WLDIR_TMP, // whitelist in /tmp directory - WLDIR_MEDIA, // whitelist in /media directory - WLDIR_MNT, // whitelist in /mnt directory - WLDIR_VAR, // whitelist in /var directory - WLDIR_DEV, // whitelist in /dev directory - WLDIR_OPT, // whitelist in /opt directory - WLDIR_SRV, // whitelist in /srv directory - WLDIR_ETC, // whitelist in /etc directory - WLDIR_SHARE, // whitelist in /usr/share directory - WLDIR_MODULE, // whitelist in /sys/module directory - WLDIR_RUN // whitelist in /run/user/$uid directory - } wldir; + struct wparam_t { + char *file; // resolved file path + char *link; // link path + TopDir *top; // top level directory + } *wparam; + } ProfileEntry; typedef struct config_t { @@ -149,6 +156,8 @@ typedef struct config_t { // filesystem ProfileEntry *profile; + ProfileEntry *profile_rebuild_etc; // blacklist files in /etc directory used by fs_rebuild_etc() + #define MAX_PROFILE_IGNORE 32 char *profile_ignore[MAX_PROFILE_IGNORE]; char *chrootdir; // chroot directory @@ -186,7 +195,7 @@ typedef struct config_t { char *seccomp_list_drop, *seccomp_list_drop32; // seccomp drop list char *seccomp_list_keep, *seccomp_list_keep32; // seccomp keep list char *protocol; // protocol list - char *seccomp_error_action; // error action: kill or errno + char *seccomp_error_action; // error action: kill, log or errno // rlimits long long unsigned rlimit_cpu; 
@@ -312,7 +321,6 @@ extern int arg_private_cwd; // private working directory extern int arg_scan; // arp-scan all interfaces extern int arg_whitelist; // whitelist command extern int arg_nosound; // disable sound -extern int arg_noautopulse; // disable automatic ~/.config/pulse init extern int arg_novideo; //disable video devices in /dev extern int arg_no3d; // disable 3d hardware acceleration extern int arg_quiet; // no output for scripting @@ -321,13 +329,12 @@ extern int arg_join_filesystem; // join only the mount namespace extern int arg_nice; // nice value configured extern int arg_ipc; // enable ipc namespace extern int arg_writable_etc; // writable etc +extern int arg_keep_config_pulse; // disable automatic ~/.config/pulse init extern int arg_writable_var; // writable var extern int arg_keep_var_tmp; // don't overwrite /var/tmp extern int arg_writable_run_user; // writable /run/user extern int arg_writable_var_log; // writable /var/log extern int arg_appimage; // appimage -extern int arg_audit; // audit -extern char *arg_audit_prog; // audit extern int arg_apparmor; // apparmor extern int arg_allow_debuggers; // allow debuggers extern int arg_x11_block; // block X11 @@ -339,7 +346,8 @@ extern int arg_noprofile; // use default.profile if none other found/specified extern int arg_memory_deny_write_execute; // block writable and executable memory extern int arg_notv; // --notv extern int arg_nodvd; // --nodvd -extern int arg_nou2f; // --nou2f +extern int arg_nou2f; // --nou2f +extern int arg_noinput; // --noinput extern int arg_deterministic_exit_code; // always exit with first child's exit status typedef enum { @@ -349,6 +357,9 @@ typedef enum { } DbusPolicy; extern DbusPolicy arg_dbus_user; // --dbus-user extern DbusPolicy arg_dbus_system; // --dbus-system +extern int arg_dbus_log_user; +extern int arg_dbus_log_system; +extern const char *arg_dbus_log_file; extern int login_shell; extern int parent_to_child_fds[2]; 
@@ -367,15 +378,16 @@ void check_user_namespace(void); char *guess_shell(void); // sandbox.c +#define SANDBOX_DONE '1' int sandbox(void* sandbox_arg); -void start_application(int no_sandbox, FILE *fp); +void start_application(int no_sandbox, int fd, char *set_sandbox_status) __attribute__((noreturn)); void set_apparmor(void); // network_main.c void net_configure_sandbox_ip(Bridge *br); void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child); void net_check_cfg(void); -void net_dns_print(pid_t pid); +void net_dns_print(pid_t pid) __attribute__((noreturn)); void network_main(pid_t child); void net_print(pid_t pid); @@ -445,18 +457,20 @@ int profile_check_line(char *ptr, int lineno, const char *fname); // add a profile entry in cfg.profile list; use str to populate the list void profile_add(char *str); void profile_add_ignore(const char *str); +char *profile_list_normalize(char *list); +char *profile_list_compress(char *list); +void profile_list_augment(char **list, const char *items); // list.c void list(void); void tree(void); void top(void); -void netstats(void); // usage.c void usage(void); // join.c -void join(pid_t pid, int argc, char **argv, int index); +void join(pid_t pid, int argc, char **argv, int index) __attribute__((noreturn)); bool is_ready_for_join(const pid_t pid); void check_join_permission(pid_t pid); pid_t switch_to_child(pid_t pid); @@ -483,9 +497,10 @@ int macro_id(const char *name); // util.c -void errLogExit(char* fmt, ...); +void errLogExit(char* fmt, ...) __attribute__((noreturn)); void fwarning(char* fmt, ...); void fmessage(char* fmt, ...); +long long unsigned parse_arg_size(char *str); void drop_privs(int nogroups); int mkpath_as_root(const char* path); void extract_command_name(int index, char **argv); 
@@ -495,11 +510,14 @@ void logargs(int argc, char **argv) ; void logerr(const char *msg); void set_nice(int inc); int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode); -void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode); +void copy_file_as_user(const char *srcname, const char *destname, mode_t mode); void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode); void touch_file_as_user(const char *fname, mode_t mode); int is_dir(const char *fname); int is_link(const char *fname); +char *realpath_as_user(const char *fname); +int stat_as_user(const char *fname, struct stat *s); +int lstat_as_user(const char *fname, struct stat *s); void trim_trailing_slash_or_dot(char *path); char *line_remove_spaces(const char *buf); char *split_comma(char *str); @@ -510,7 +528,6 @@ void check_private_dir(void); void update_map(char *mapping, char *map_file); void wait_for_other(int fd); void notify_other(int fd); -const char *gnu_basename(const char *path); uid_t pid_get_uid(pid_t pid); uid_t get_group_id(const char *group); int remove_overlay_directory(void); 
@@ -523,9 +540,16 @@ void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid); unsigned extract_timeout(const char *str); void disable_file_or_dir(const char *fname); void disable_file_path(const char *path, const char *file); -int safe_fd(const char *path, int flags); +int safer_openat(int dirfd, const char *path, int flags); +int remount_by_fd(int dst, unsigned long mountflags); +int bind_mount_by_fd(int src, int dst); +int bind_mount_path_to_fd(const char *srcname, int dst); +int bind_mount_fd_to_path(int src, const char *destname); int has_handler(pid_t pid, int signal); void enter_network_namespace(pid_t pid); +int read_pid(const char *name, pid_t *pid); +pid_t require_pid(const char *name); +void check_homedir(const char *dir); // Get info regarding the last kernel mount operation from /proc/self/mountinfo // The return value points to a static area, and will be overwritten by subsequent calls. @@ -539,7 +563,7 @@ typedef struct { // mountinfo.c MountData *get_last_mount(void); -int get_mount_id(const char *path); +int get_mount_id(int fd); char **build_mount_array(const int mount_id, const char *path); // fs_var.c @@ -561,6 +585,7 @@ void fs_dev_disable_video(void); void fs_dev_disable_tv(void); void fs_dev_disable_dvd(void); void fs_dev_disable_u2f(void); +void fs_dev_disable_input(void); // fs_home.c // private mode (--private) @@ -581,7 +606,7 @@ int seccomp_load(const char *fname); int seccomp_filter_drop(bool native); int seccomp_filter_keep(bool native); int seccomp_filter_mdwx(bool native); -void seccomp_print_filter(pid_t pid); +void seccomp_print_filter(pid_t pid) __attribute__((noreturn)); // caps.c void seccomp_load_file_list(void); 
@@ -592,7 +617,7 @@ void caps_set(uint64_t caps); void caps_check_list(const char *clist, void (*callback)(int)); void caps_drop_list(const char *clist); void caps_keep_list(const char *clist); -void caps_print_filter(pid_t pid); +void caps_print_filter(pid_t pid) __attribute__((noreturn)); void caps_drop_dac_override(void); // fs_trace.c @@ -602,7 +627,6 @@ void fs_trace(void); // fs_hostname.c void fs_hostname(const char *hostname); -void fs_resolvconf(void); char *fs_check_hosts_file(const char *fname); void fs_store_hosts_file(void); void fs_mount_hosts_file(void); @@ -615,7 +639,7 @@ void read_cpu_list(const char *str); void set_cpu_affinity(void); void load_cpu(const char *fname); void save_cpu(void); -void cpu_print_filter(pid_t pid); +void cpu_print_filter(pid_t pid) __attribute__((noreturn)); // cgroup.c void save_cgroup(void); 
@@ -637,20 +661,23 @@ void netns(const char *nsname); void netns_mounts(const char *nsname); // bandwidth.c -void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, int up); +void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, int up) __attribute__((noreturn)); void network_set_run_file(pid_t pid); // fs_etc.c void fs_machineid(void); +void fs_private_dir_copy(const char *private_dir, const char *private_run_dir, const char *private_list); +void fs_private_dir_mount(const char *private_dir, const char *private_run_dir); void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list); +void fs_rebuild_etc(void); // no_sandbox.c int check_namespace_virt(void); int check_kernel_procs(void); -void run_no_sandbox(int argc, char **argv); +void run_no_sandbox(int argc, char **argv) __attribute__((noreturn)); #define MAX_ENVS 256 // some sane maximum number of environment variables -#define MAX_ENV_LEN (PATH_MAX + 32) // FOOBAR=SOME_PATH +#define MAX_ENV_LEN (PATH_MAX + 32) // FOOBAR=SOME_PATH, only applied to Firejail's own sandboxed apps // env.c typedef enum { SETENV = 0, @@ -658,8 +685,12 @@ typedef enum { } ENV_OP; void env_store(const char *str, ENV_OP op); -void env_apply(void); +void env_store_name_val(const char *name, const char *val, ENV_OP op); +void env_apply_all(void); +void env_apply_whitelist(void); +void env_apply_whitelist_sbox(void); void env_defaults(void); +const char *env_get(const char *name); void env_ibus_load(void); // fs_whitelist.c @@ -678,7 +709,7 @@ void fs_private_lib(void); // protocol.c void protocol_filter_save(void); void protocol_filter_load(const char *fname); -void protocol_print_filter(pid_t pid); +void protocol_print_filter(pid_t pid) __attribute__((noreturn)); // restrict_users.c void restrict_users(void); 
@@ -690,7 +721,7 @@ void fs_logger2int(const char *msg1, int d); void fs_logger3(const char *msg1, const char *msg2, const char *msg3); void fs_logger_print(void); void fs_logger_change_owner(void); -void fs_logger_print_log(pid_t pid); +void fs_logger_print_log(pid_t pid) __attribute__((noreturn)); // run_symlink.c void run_symlink(int argc, char **argv, int run_as_is); @@ -716,21 +747,24 @@ void fs_mkfile(const char *name); void fs_x11(void); int x11_display(void); -void x11_start(int argc, char **argv); -void x11_start_xpra(int argc, char **argv); -void x11_start_xephyr(int argc, char **argv); +void x11_start(int argc, char **argv) __attribute__((noreturn)); +void x11_start_xpra(int argc, char **argv) __attribute__((noreturn)); +void x11_start_xephyr(int argc, char **argv) __attribute__((noreturn)); void x11_block(void); -void x11_start_xvfb(int argc, char **argv); +void x11_start_xvfb(int argc, char **argv) __attribute__((noreturn)); void x11_xorg(void); // ls.c enum { SANDBOX_FS_LS = 0, + SANDBOX_FS_CAT, SANDBOX_FS_GET, SANDBOX_FS_PUT, SANDBOX_FS_MAX // this should always be the last entry }; -void sandboxfs(int op, pid_t pid, const char *path1, const char *path2); +void ls(const char *path); +void cat(const char *path); +void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) __attribute__((noreturn)); // checkcfg.c #define DEFAULT_ARP_PROBES 2 @@ -744,23 +778,25 @@ enum { CFG_NETWORK, CFG_RESTRICTED_NETWORK, CFG_FORCE_NONEWPRIVS, - CFG_WHITELIST, CFG_XEPHYR_WINDOW_TITLE, CFG_OVERLAYFS, - CFG_PRIVATE_HOME, + CFG_PRIVATE_BIN, CFG_PRIVATE_BIN_NO_LOCAL, + CFG_PRIVATE_CACHE, + CFG_PRIVATE_ETC, + CFG_PRIVATE_HOME, + CFG_PRIVATE_LIB, + CFG_PRIVATE_OPT, + CFG_PRIVATE_SRV, CFG_FIREJAIL_PROMPT, - CFG_FOLLOW_SYMLINK_AS_USER, CFG_DISABLE_MNT, CFG_JOIN, CFG_ARP_PROBES, CFG_XPRA_ATTACH, CFG_BROWSER_DISABLE_U2F, CFG_BROWSER_ALLOW_DRM, - CFG_PRIVATE_LIB, CFG_APPARMOR, CFG_DBUS, - CFG_PRIVATE_CACHE, CFG_CGROUP, CFG_NAME_CHANGE, CFG_SECCOMP_ERROR_ACTION, 
@@ -775,28 +811,30 @@ extern char *xvfb_extra_params; extern char *netfilter_default; extern unsigned long join_timeout; extern char *config_seccomp_error_action_str; +extern char *config_seccomp_filter_add; +extern char **whitelist_reject_topdirs; int checkcfg(int val); void print_compiletime_support(void); // appimage.c +int appimage_find_profile(const char *archive); void appimage_set(const char *appimage_path); +void appimage_mount(void); void appimage_clear(void); -const char *appimage_getdir(void); // appimage_size.c -long unsigned int appimage2_size(const char *fname); +long unsigned int appimage2_size(int fd); // cmdline.c -void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index); -void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, char *apprun_path); +void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, bool want_extra_quotes); +void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, bool want_extra_quotes); // sbox.c // programs #define PATH_FNET_MAIN (LIBDIR "/firejail/fnet") // when called from main thread #define PATH_FNET (RUN_FIREJAIL_LIB_DIR "/fnet") // when called from sandbox thread -//#define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter") #define PATH_FNETFILTER (RUN_FIREJAIL_LIB_DIR "/fnetfilter") #define PATH_FIREMON (PREFIX "/bin/firemon") 
@@ -809,17 +847,16 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc, // it is also run from inside the sandbox by --debug; in this case we do an access(filename, X_OK) test first #define PATH_FSEC_PRINT (LIBDIR "/firejail/fsec-print") -//#define PATH_FSEC_OPTIMIZE (LIBDIR "/firejail/fsec-optimize") #define PATH_FSEC_OPTIMIZE (RUN_FIREJAIL_LIB_DIR "/fsec-optimize") -//#define PATH_FCOPY (LIBDIR "/firejail/fcopy") #define PATH_FCOPY (RUN_FIREJAIL_LIB_DIR "/fcopy") #define SBOX_STDIN_FILE "/run/firejail/mnt/sbox_stdin" -//#define PATH_FLDD (LIBDIR "/firejail/fldd") #define PATH_FLDD (RUN_FIREJAIL_LIB_DIR "/fldd") +#define PATH_FIDS (LIBDIR "/firejail/fids") + // bitmapped filters for sbox_run #define SBOX_ROOT (1 << 0) // run the sandbox as root #define SBOX_USER (1 << 1) // run the sandbox as a regular user @@ -836,7 +873,7 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc, // run sbox int sbox_run(unsigned filter, int num, ...); int sbox_run_v(unsigned filter, char * const arg[]); -void sbox_exec_v(unsigned filter, char * const arg[]); +void sbox_exec_v(unsigned filter, char * const arg[]) __attribute__((noreturn)); // run_files.c void delete_run_files(pid_t pid); @@ -847,17 +884,24 @@ void set_profile_run_file(pid_t pid, const char *fname); // dbus.c int dbus_check_name(const char *name); +int dbus_check_call_rule(const char *name); void dbus_check_profile(void); void dbus_proxy_start(void); void dbus_proxy_stop(void); +void dbus_set_session_bus_env(void); +void dbus_set_system_bus_env(void); void dbus_apply_policy(void); // dhcp.c extern pid_t dhclient4_pid; extern pid_t dhclient6_pid; +void dhcp_store_exec(void); void dhcp_start(void); // selinux.c void selinux_relabel_path(const char *path, const char *inside_path); +// ids.c +void run_ids(int argc, char **argv); + #endif diff --git a/src/firejail/fs.c b/src/firejail/fs.c index b906f304771..3144156a3cb 100644 --- a/src/firejail/fs.c 
+++ b/src/firejail/fs.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -18,6 +18,7 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include "firejail.h" +#include "../include/gcov_wrapper.h" #include #include #include @@ -54,16 +55,10 @@ static char *opstr[] = { [MOUNT_RDWR_NOCHECK] = "read-write", }; -typedef enum { - UNSUCCESSFUL, - SUCCESSFUL -} LAST_DISABLE_OPERATION; -LAST_DISABLE_OPERATION last_disable = UNSUCCESSFUL; - static void disable_file(OPERATION op, const char *filename) { assert(filename); assert(op data = strdup(fname); + if (!prf->data) + errExit("strdup"); + prf->next = cfg.profile_rebuild_etc; + cfg.profile_rebuild_etc = prf; + } } } else if (op == MOUNT_READONLY || op == MOUNT_RDWR || op == MOUNT_NOEXEC) { fs_remount_rec(fname, op); - // todo: last_disable = SUCCESSFUL; } else if (op == MOUNT_TMPFS) { - if (S_ISDIR(s.st_mode)) { - fs_tmpfs(fname, 0); - last_disable = SUCCESSFUL; - } - else + if (!S_ISDIR(s.st_mode)) { fwarning("%s is not a directory; cannot mount a tmpfs on top of it.\n", fname); + free(fname); + return; + } + + uid_t uid = getuid(); + if (uid != 0) { + // only user owned directories in user home + if (s.st_uid != uid || + strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 || + fname[strlen(cfg.homedir)] != '/') { + fwarning("you are not allowed to mount a tmpfs on %s\n", fname); + free(fname); + return; + } + } + + fs_tmpfs(fname, uid); + selinux_relabel_path(fname, fname); } else assert(0); @@ -176,6 +217,7 @@ static int *nbcheck = NULL; // Treat pattern as a shell glob pattern and blacklist matching files static void globbing(OPERATION op, const char *pattern, const char *noblacklist[], size_t noblacklist_len) { assert(pattern); + EUID_ASSERT(); #ifdef TEST_NO_BLACKLIST_MATCHING if (nbcheck_start == 0) { 
@@ -238,6 +280,8 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[ // blacklist files or directories by mounting empty files on top of them void fs_blacklist(void) { + EUID_ASSERT(); + ProfileEntry *entry = cfg.profile; if (!entry) return; @@ -279,11 +323,13 @@ void fs_blacklist(void) { if (arg_debug) printf("Mount-bind %s on top of %s\n", dname1, dname2); // preserve dname2 mode and ownership + // EUID_ROOT(); - option not accessible to non-root users if (mount(dname1, dname2, NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind"); /* coverity[toctou] */ if (set_perms(dname2, s.st_uid, s.st_gid,s.st_mode)) errExit("set_perms"); + // EUID_USER(); entry = entry->next; continue; @@ -361,16 +407,12 @@ void fs_blacklist(void) { op = MOUNT_TMPFS; } else if (strncmp(entry->data, "mkdir ", 6) == 0) { - EUID_USER(); fs_mkdir(entry->data + 6); - EUID_ROOT(); entry = entry->next; continue; } else if (strncmp(entry->data, "mkfile ", 7) == 0) { - EUID_USER(); fs_mkfile(entry->data + 7); - EUID_ROOT(); entry = entry->next; continue; } @@ -434,11 +476,12 @@ void fs_blacklist(void) { // mount a writable tmpfs on directory; requires a resolved path void fs_tmpfs(const char *dir, unsigned check_owner) { + EUID_ASSERT(); assert(dir); if (arg_debug) - printf("Mounting tmpfs on %s\n", dir); + printf("Mounting tmpfs on %s, check owner: %s\n", dir, (check_owner)? "yes": "no"); // get a file descriptor for dir, fails if there is any symlink - int fd = safe_fd(dir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + int fd = safer_openat(-1, dir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); if (fd == -1) errExit("while opening directory"); struct stat s; 
@@ -456,13 +499,15 @@ void fs_tmpfs(const char *dir, unsigned check_owner) { struct statvfs buf; if (fstatvfs(fd, &buf) == -1) errExit("fstatvfs"); - unsigned long flags = buf.f_flag & ~(MS_RDONLY|MS_BIND); + unsigned long flags = buf.f_flag & ~(MS_RDONLY|MS_BIND|MS_REMOUNT); // mount via the symbolic link in /proc/self/fd char *proc; if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) errExit("asprintf"); + EUID_ROOT(); if (mount("tmpfs", proc, "tmpfs", flags|MS_NOSUID|MS_NODEV, options) < 0) errExit("mounting tmpfs"); + EUID_USER(); // check the last mount operation MountData *mdata = get_last_mount(); if (strcmp(mdata->fstype, "tmpfs") != 0 || strcmp(mdata->dir, dir) != 0) @@ -473,17 +518,18 @@ void fs_tmpfs(const char *dir, unsigned check_owner) { close(fd); } -// remount path, but preserve existing mount flags; requires a resolved path +// remount path, preserving other mount flags; requires a resolved path static void fs_remount_simple(const char *path, OPERATION op) { + EUID_ASSERT(); assert(path); // open path without following symbolic links - int fd = safe_fd(path, O_PATH|O_NOFOLLOW|O_CLOEXEC); - if (fd == -1) + int fd = safer_openat(-1, path, O_PATH|O_NOFOLLOW|O_CLOEXEC); + if (fd < 0) goto out; - // identify file owner + struct stat s; - if (fstat(fd, &s) == -1) { + if (fstat(fd, &s) < 0) { // fstat can fail with EACCES if path is a FUSE mount, // mounted without 'allow_root' or 'allow_other' if (errno != EACCES) @@ -493,8 +539,10 @@ static void fs_remount_simple(const char *path, OPERATION op) { } // get mount flags struct statvfs buf; - if (fstatvfs(fd, &buf) == -1) - errExit("fstatvfs"); + if (fstatvfs(fd, &buf) < 0) { + close(fd); + goto out; + } unsigned long flags = buf.f_flag; // read-write option 
@@ -505,7 +553,7 @@ static void fs_remount_simple(const char *path, OPERATION op) { return; } // allow only user owned directories, except the user is root - if (op == MOUNT_RDWR && getuid() != 0 && s.st_uid != getuid()) { + if (op != MOUNT_RDWR_NOCHECK && getuid() != 0 && s.st_uid != getuid()) { fwarning("you are not allowed to change %s to read-write\n", path); close(fd); return; @@ -535,24 +583,37 @@ static void fs_remount_simple(const char *path, OPERATION op) { if (arg_debug) printf("Mounting %s %s\n", opstr[op], path); - // mount --bind /bin /bin - char *proc; - if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) - errExit("asprintf"); - if (mount(proc, proc, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount"); - free(proc); - close(fd); - // mount --bind -o remount,ro /bin - // we need to open path again - fd = safe_fd(path, O_PATH|O_NOFOLLOW|O_CLOEXEC); - if (fd == -1) - errExit("open"); - if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) - errExit("asprintf"); - if (mount(NULL, proc, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0) - errExit("mount"); + // make path a mount point: + // mount --bind path path + EUID_ROOT(); + int err = bind_mount_by_fd(fd, fd); + EUID_USER(); + if (err) { + close(fd); + goto out; + } + + // remount the mount point + // need to open path again + int fd2 = safer_openat(-1, path, O_PATH|O_NOFOLLOW|O_CLOEXEC); + close(fd); // earliest timepoint to close fd + if (fd2 < 0) + goto out; + + // device and inode number should be the same + struct stat s2; + if (fstat(fd2, &s2) < 0) + errExit("fstat"); + if (s.st_dev != s2.st_dev || s.st_ino != s2.st_ino) + errLogExit("invalid %s mount", opstr[op]); + + EUID_ROOT(); + err = remount_by_fd(fd2, flags); + EUID_USER(); + close(fd2); + if (err) + goto out; // run a sanity check on /proc/self/mountinfo and confirm that target of the last // mount operation was path; if there are other mount points contained inside path, 
@@ -563,9 +624,8 @@ static void fs_remount_simple(const char *path, OPERATION op) { (*(mptr->dir + len) != '\0' && *(mptr->dir + len) != '/')) && strcmp(path, "/") != 0) // support read-only=/ errLogExit("invalid %s mount", opstr[op]); + fs_logger2(opstr[op], path); - free(proc); - close(fd); return; out: @@ -573,32 +633,30 @@ static void fs_remount_simple(const char *path, OPERATION op) { } // remount recursively; requires a resolved path -static void fs_remount_rec(const char *dir, OPERATION op) { - assert(dir); - struct stat s; - if (stat(dir, &s) != 0) - return; - if (!S_ISDIR(s.st_mode)) { - // no need to search in /proc/self/mountinfo for submounts if not a directory - fs_remount_simple(dir, op); +static void fs_remount_rec(const char *path, OPERATION op) { + EUID_ASSERT(); + assert(op < OPERATION_MAX); + assert(path); + + // no need to search /proc/self/mountinfo for submounts if not a directory + int fd = open(path, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + if (fd < 0) { + fs_remount_simple(path, op); return; } - // get mount point of the directory - int mountid = get_mount_id(dir); - if (mountid == -1) - return; - if (mountid == -2) { - // falling back to a simple remount on old kernels - static int mount_warning = 0; - if (!mount_warning) { - fwarning("read-only, read-write and noexec options are not applied recursively\n"); - mount_warning = 1; - } - fs_remount_simple(dir, op); + + // get mount id of the directory + int mountid = get_mount_id(fd); + close(fd); + if (mountid < 0) { + // falling back to a simple remount + fwarning("%s %s not applied recursively\n", opstr[op], path); + fs_remount_simple(path, op); return; } + // build array with all mount points that need to get remounted - char **arr = build_mount_array(mountid, dir); + char **arr = build_mount_array(mountid, path); assert(arr); // remount char **tmp = arr; 
@@ -612,6 +670,14 @@ static void fs_remount_rec(const char *dir, OPERATION op) { // resolve a path and remount it void fs_remount(const char *path, OPERATION op, int rec) { assert(path); + + int called_as_root = 0; + if (geteuid() == 0) + called_as_root = 1; + + if (called_as_root) + EUID_USER(); + char *rpath = realpath(path, NULL); if (rpath) { if (rec) @@ -620,10 +686,14 @@ void fs_remount(const char *path, OPERATION op, int rec) { fs_remount_simple(rpath, op); free(rpath); } + + if (called_as_root) + EUID_ROOT(); } // Disable /mnt, /media, /run/mount and /run/media access void fs_mnt(const int enforce) { + EUID_USER(); if (enforce) { // disable-mnt set in firejail.config // overriding with noblacklist is not possible in this case @@ -633,13 +703,12 @@ void fs_mnt(const int enforce) { disable_file(BLACKLIST_FILE, "/run/media"); } else { - EUID_USER(); profile_add("blacklist /mnt"); profile_add("blacklist /media"); profile_add("blacklist /run/mount"); profile_add("blacklist /run/media"); - EUID_ROOT(); } + EUID_ROOT(); } @@ -654,7 +723,6 @@ void fs_proc_sys_dev_boot(void) { errExit("mounting /proc/sys"); fs_logger("read-only /proc/sys"); - /* Mount a version of /sys that describes the network namespace */ if (arg_debug) printf("Remounting /sys directory\n"); @@ -669,13 +737,13 @@ void fs_proc_sys_dev_boot(void) { else fs_logger("remount /sys"); + EUID_USER(); + disable_file(BLACKLIST_FILE, "/sys/firmware"); disable_file(BLACKLIST_FILE, "/sys/hypervisor"); { // allow user access to some directories in /sys/ by specifying 'noblacklist' option - EUID_USER(); profile_add("blacklist /sys/fs"); profile_add("blacklist /sys/module"); - EUID_ROOT(); } disable_file(BLACKLIST_FILE, "/sys/power"); disable_file(BLACKLIST_FILE, "/sys/kernel/debug"); 
@@ -719,12 +787,8 @@ void fs_proc_sys_dev_boot(void) { // disable /dev/port disable_file(BLACKLIST_FILE, "/dev/port"); - - // disable various ipc sockets in /run/user if (!arg_writable_run_user) { - struct stat s; - char *fname; if (asprintf(&fname, "/run/user/%d", getuid()) == -1) errExit("asprintf"); @@ -735,8 +799,7 @@ void fs_proc_sys_dev_boot(void) { errExit("asprintf"); if (create_empty_dir_as_user(fnamegpg, 0700)) fs_logger2("create", fnamegpg); - if (stat(fnamegpg, &s) == 0) - disable_file(BLACKLIST_FILE, fnamegpg); + disable_file(BLACKLIST_FILE, fnamegpg); free(fnamegpg); // disable /run/user/{uid}/systemd @@ -745,8 +808,7 @@ void fs_proc_sys_dev_boot(void) { errExit("asprintf"); if (create_empty_dir_as_user(fnamesysd, 0755)) fs_logger2("create", fnamesysd); - if (stat(fnamesysd, &s) == 0) - disable_file(BLACKLIST_FILE, fnamesysd); + disable_file(BLACKLIST_FILE, fnamesysd); free(fnamesysd); } free(fname); 
@@ -757,35 +819,30 @@ void fs_proc_sys_dev_boot(void) { disable_file(BLACKLIST_FILE, "/dev/kmsg"); disable_file(BLACKLIST_FILE, "/proc/kmsg"); } + + EUID_ROOT(); } // disable firejail configuration in ~/.config/firejail void disable_config(void) { - struct stat s; - + EUID_USER(); char *fname; if (asprintf(&fname, "%s/.config/firejail", cfg.homedir) == -1) errExit("asprintf"); - if (stat(fname, &s) == 0) - disable_file(BLACKLIST_FILE, fname); + disable_file(BLACKLIST_FILE, fname); free(fname); // disable run time information - if (stat(RUN_FIREJAIL_NETWORK_DIR, &s) == 0) - disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NETWORK_DIR); - if (stat(RUN_FIREJAIL_BANDWIDTH_DIR, &s) == 0) - disable_file(BLACKLIST_FILE, RUN_FIREJAIL_BANDWIDTH_DIR); - if (stat(RUN_FIREJAIL_NAME_DIR, &s) == 0) - disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NAME_DIR); - if (stat(RUN_FIREJAIL_PROFILE_DIR, &s) == 0) - disable_file(BLACKLIST_FILE, RUN_FIREJAIL_PROFILE_DIR); - if (stat(RUN_FIREJAIL_X11_DIR, &s) == 0) - disable_file(BLACKLIST_FILE, RUN_FIREJAIL_X11_DIR); + disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NETWORK_DIR); + disable_file(BLACKLIST_FILE, RUN_FIREJAIL_BANDWIDTH_DIR); + disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NAME_DIR); + disable_file(BLACKLIST_FILE, RUN_FIREJAIL_PROFILE_DIR); + disable_file(BLACKLIST_FILE, RUN_FIREJAIL_X11_DIR); + EUID_ROOT(); } // build a basic read-only filesystem -// top level directories could be links, run no after-mount checks void fs_basic_fs(void) { uid_t uid = getuid(); @@ -795,6 +852,7 @@ void fs_basic_fs(void) { if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) errExit("mounting /proc"); + EUID_USER(); if (arg_debug) printf("Basic read-only filesystem:\n"); if (!arg_writable_etc) { 
@@ -814,6 +872,7 @@ void fs_basic_fs(void) { fs_remount("/lib64", MOUNT_READONLY, 1); fs_remount("/lib32", MOUNT_READONLY, 1); fs_remount("/libx32", MOUNT_READONLY, 1); + EUID_ROOT(); // update /var directory in order to support multiple sandboxes running on the same root directory fs_var_lock(); @@ -842,6 +901,7 @@ void fs_basic_fs(void) { #ifdef HAVE_OVERLAYFS char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) { assert(subdirname); + EUID_ASSERT(); struct stat s; char *dirname; @@ -972,9 +1032,9 @@ void fs_overlayfs(void) { char *firejail; if (asprintf(&firejail, "%s/.firejail", cfg.homedir) == -1) errExit("asprintf"); - int fd = safe_fd(firejail, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + int fd = safer_openat(-1, firejail, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); if (fd == -1) - errExit("safe_fd"); + errExit("safer_openat"); free(firejail); // create basedir if it doesn't exist // the new directory will be owned by root @@ -1157,9 +1217,8 @@ void fs_overlayfs(void) { fs_logger("whitelist /tmp"); // chroot in the new filesystem -#ifdef HAVE_GCOV __gcov_flush(); -#endif + if (chroot(oroot) == -1) errExit("chroot"); @@ -1201,11 +1260,12 @@ void fs_overlayfs(void) { // this function is called from sandbox.c before blacklist/whitelist functions void fs_private_tmp(void) { + EUID_ASSERT(); if (arg_debug) printf("Generate private-tmp whitelist commands\n"); // check XAUTHORITY file, KDE keeps it under /tmp - char *xauth = getenv("XAUTHORITY"); + const char *xauth = env_get("XAUTHORITY"); if (xauth) { char *rp = realpath(xauth, NULL); if (rp && strncmp(rp, "/tmp/", 5) == 0) { 
@@ -1221,8 +1281,11 @@ void fs_private_tmp(void) { // whitelist x11 directory profile_add("whitelist /tmp/.X11-unix"); - // read-only x11 directory - profile_add("read-only /tmp/.X11-unix"); + // read-only x11 directory + profile_add("read-only /tmp/.X11-unix"); + + // whitelist sndio directory + profile_add("whitelist /tmp/sndio"); // whitelist any pulse* file in /tmp directory // some distros use PulseAudio sockets under /tmp instead of the socket in /urn/user @@ -1247,28 +1310,3 @@ void fs_private_tmp(void) { } closedir(dir); } - -// this function is called from sandbox.c before blacklist/whitelist functions -void fs_private_cache(void) { - char *cache; - if (asprintf(&cache, "%s/.cache", cfg.homedir) == -1) - errExit("asprintf"); - // check if ~/.cache is a valid destination - struct stat s; - if (lstat(cache, &s) == -1) { - fwarning("skipping private-cache: cannot find %s\n", cache); - free(cache); - return; - } - if (!S_ISDIR(s.st_mode)) { - if (S_ISLNK(s.st_mode)) - fwarning("skipping private-cache: %s is a symbolic link\n", cache); - else - fwarning("skipping private-cache: %s is not a directory\n", cache); - free(cache); - return; - } - // do the mount - fs_tmpfs(cache, getuid()); // check ownership of ~/.cache - free(cache); -} diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index a48d6cf67f1..61398f12be7 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index fbce72429f1..a43b1834432 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -25,6 +25,7 @@ #include #include #include +#include #ifndef _BSD_SOURCE #define _BSD_SOURCE #endif 
@@ -40,6 +41,7 @@ typedef enum { DEV_TV, DEV_DVD, DEV_U2F, + DEV_INPUT } DEV_TYPE; @@ -88,6 +90,7 @@ static DevEntry dev[] = { {"/dev/hidraw8", RUN_DEV_DIR "/hidraw8", DEV_U2F}, {"/dev/hidraw9", RUN_DEV_DIR "/hidraw9", DEV_U2F}, {"/dev/usb", RUN_DEV_DIR "/usb", DEV_U2F}, // USB devices such as Yubikey, U2F + {"/dev/input", RUN_DEV_DIR "/input", DEV_INPUT}, {NULL, NULL, DEV_NONE} }; @@ -102,7 +105,8 @@ static void deventry_mount(void) { (dev[i].type == DEV_VIDEO && arg_novideo == 0) || (dev[i].type == DEV_TV && arg_notv == 0) || (dev[i].type == DEV_DVD && arg_nodvd == 0) || - (dev[i].type == DEV_U2F && arg_nou2f == 0)) { + (dev[i].type == DEV_U2F && arg_nou2f == 0) || + (dev[i].type == DEV_INPUT && arg_noinput == 0)) { int dir = is_dir(dev[i].run_fname); if (arg_debug) @@ -118,7 +122,7 @@ static void deventry_mount(void) { i++; continue; } - FILE *fp = fopen(dev[i].dev_fname, "w"); + FILE *fp = fopen(dev[i].dev_fname, "we"); if (fp) { fprintf(fp, "\n"); SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode); @@ -148,7 +152,7 @@ static void create_char_dev(const char *path, mode_t mode, int major, int minor) return; errexit: - fprintf(stderr, "Error: cannot create %s device\n", path); + fprintf(stderr, "Error: cannot create %s device: %s\n", path, strerror(errno)); exit(1); } @@ -183,8 +187,10 @@ static void mount_dev_shm(void) { static void process_dev_shm(void) { // Jack audio keeps an Unix socket under (/dev/shm/jack_default_1000_0 or /dev/shm/jack/...) // looking for jack socket + EUID_USER(); glob_t globbuf; int globerr = glob(RUN_DEV_DIR "/shm/jack*", GLOB_NOSORT, NULL, &globbuf); + EUID_ROOT(); if (globerr && !arg_keep_dev_shm) { empty_dev_shm(); return; @@ -214,7 +220,7 @@ void fs_private_dev(void){ struct stat s; if (stat("/dev/log", &s) == 0) { have_devlog = 1; - FILE *fp = fopen(RUN_DEVLOG_FILE, "w"); + FILE *fp = fopen(RUN_DEVLOG_FILE, "we"); if (!fp) have_devlog = 0; else { 
@@ -235,7 +241,7 @@ void fs_private_dev(void){ // bring back /dev/log if (have_devlog) { - FILE *fp = fopen("/dev/log", "w"); + FILE *fp = fopen("/dev/log", "we"); if (fp) { fprintf(fp, "\n"); fclose(fp); @@ -243,6 +249,8 @@ void fs_private_dev(void){ errExit("mounting /dev/log"); fs_logger("clone /dev/log"); } + if (mount(RUN_RO_FILE, RUN_DEVLOG_FILE, "none", MS_BIND, "mode=400,gid=0") < 0) + errExit("blacklisting " RUN_DEVLOG_FILE); } // bring forward the current /dev/shm directory if necessary @@ -322,8 +330,10 @@ void fs_dev_disable_sound(void) { } // disable all jack sockets in /dev/shm + EUID_USER(); glob_t globbuf; int globerr = glob("/dev/shm/jack*", GLOB_NOSORT, NULL, &globbuf); + EUID_ROOT(); if (globerr) return; @@ -383,3 +393,12 @@ void fs_dev_disable_u2f(void) { i++; } } + +void fs_dev_disable_input(void) { + int i = 0; + while (dev[i].dev_fname != NULL) { + if (dev[i].type == DEV_INPUT) + disable_file_or_dir(dev[i].dev_fname); + i++; + } +} diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index 271e46855e3..76054b4854d 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -18,11 +18,13 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include "firejail.h" +#include #include #include #include #include #include +#include // spoof /etc/machine_id void fs_machineid(void) { @@ -51,7 +53,7 @@ void fs_machineid(void) { mid.u8[8] = (mid.u8[8] & 0x3F) | 0x80; // write it in a file - FILE *fp = fopen(RUN_MACHINEID, "w"); + FILE *fp = fopen(RUN_MACHINEID, "we"); if (!fp) errExit("fopen"); fprintf(fp, "%08x%08x%08x%08x\n", mid.u32[0], mid.u32[1], mid.u32[2], mid.u32[3]); 
@@ -75,6 +77,44 @@ void fs_machineid(void) { } } +// Duplicate directory structure from src to dst by creating empty directories. +// The paths _must_ be identical after their respective prefixes. +// When finished, dst will point to the target directory. That is, if +// it starts out pointing to a file, it will instead be truncated so +// that it contains the parent directory instead. +static void build_dirs(char *src, char *dst, size_t src_prefix_len, size_t dst_prefix_len) { + char *p = src + src_prefix_len + 1; + char *q = dst + dst_prefix_len + 1; + char *r = dst + dst_prefix_len; + struct stat s; + bool last = false; + *r = '\0'; + for (; !last; p++, q++) { + if (*p == '\0') { + last = true; + } + if (*p == '\0' || (*p == '/' && *(p - 1) != '/')) { + // We found a new component of our src path. + // Null-terminate it temporarily here so that we can work + // with it. + *p = '\0'; + if (stat(src, &s) == 0 && S_ISDIR(s.st_mode)) { + // Null-terminate the dst path and undo its previous + // termination. + *q = '\0'; + *r = '/'; + r = q; + create_empty_dir_as_root(dst, s.st_mode); + } + if (!last) { + // If we're not at the final terminating null, restore + // the slash so that we can continue our traversal. + *p = '/'; + } + } + } +} + // return 0 if file not found, 1 if found static int check_dir_or_file(const char *fname) { assert(fname); @@ -102,7 +142,7 @@ static int check_dir_or_file(const char *fname) { static void duplicate(const char *fname, const char *private_dir, const char *private_run_dir) { assert(fname); - if (*fname == '~' || strchr(fname, '/') || strcmp(fname, "..") == 0) { + if (*fname == '~' || *fname == '/' || strncmp(fname, "..", 2) == 0) { fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname); exit(1); } 
@@ -118,27 +158,22 @@ static void duplicate(const char *fname, const char *private_dir, const char *pr } if (arg_debug) - printf("copying %s to private %s\n", src, private_dir); + printf("Copying %s to private %s\n", src, private_dir); - struct stat s; - if (stat(src, &s) == 0 && S_ISDIR(s.st_mode)) { - // create the directory in RUN_ETC_DIR - char *dirname; - if (asprintf(&dirname, "%s/%s", private_run_dir, fname) == -1) - errExit("asprintf"); - create_empty_dir_as_root(dirname, s.st_mode); - sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, dirname); - free(dirname); - } - else - sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, private_run_dir); + char *dst; + if (asprintf(&dst, "%s/%s", private_run_dir, fname) == -1) + errExit("asprintf"); + build_dirs(src, dst, strlen(private_dir), strlen(private_run_dir)); + sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FCOPY, src, dst); + + free(dst); fs_logger2("clone", src); free(src); } -void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list) { +void fs_private_dir_copy(const char *private_dir, const char *private_run_dir, const char *private_list) { assert(private_dir); assert(private_run_dir); assert(private_list); @@ -147,12 +182,10 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c struct stat s; if (stat(private_dir, &s) == -1) { if (arg_debug) - printf("Cannot find %s\n", private_dir); + printf("Cannot find %s: %s\n", private_dir, strerror(errno)); return; } - timetrace_start(); - // create /run/firejail/mnt/etc directory mkdir_attr(private_run_dir, 0755, 0, 0); selinux_relabel_path(private_run_dir, private_dir); 
@@ -185,9 +218,23 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c free(dlist); fs_logger_print(); } +} + +void fs_private_dir_mount(const char *private_dir, const char *private_run_dir) { + assert(private_dir); + assert(private_run_dir); if (arg_debug) printf("Mount-bind %s on top of %s\n", private_run_dir, private_dir); + + // nothing to do if directory does not exist + struct stat s; + if (stat(private_dir, &s) == -1) { + if (arg_debug) + printf("Cannot find %s: %s\n", private_dir, strerror(errno)); + return; + } + if (mount(private_run_dir, private_dir, NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind"); fs_logger2("mount", private_dir); 
@@ -196,6 +243,136 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c if (mount("tmpfs", private_run_dir, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) errExit("mounting tmpfs"); fs_logger2("tmpfs", private_run_dir); +} +void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list) { + timetrace_start(); + fs_private_dir_copy(private_dir, private_run_dir, private_list); + fs_private_dir_mount(private_dir, private_run_dir); fmessage("Private %s installed in %0.2f ms\n", private_dir, timetrace_end()); } + +void fs_rebuild_etc(void) { + int have_dhcp = 1; + if (cfg.dns1 == NULL && !any_dhcp()) + have_dhcp = 0; + + if (arg_debug) + printf("rebuilding /etc directory\n"); + if (mkdir(RUN_DNS_ETC, 0755)) + errExit("mkdir"); + selinux_relabel_path(RUN_DNS_ETC, "/etc"); + fs_logger("tmpfs /etc"); + + DIR *dir = opendir("/etc"); + if (!dir) + errExit("opendir"); + + struct stat s; + struct dirent *entry; + while ((entry = readdir(dir))) { + if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) + continue; + + // skip files in cfg.profile_rebuild_etc list + // these files are already blacklisted + { + ProfileEntry *prf = cfg.profile_rebuild_etc; + int found = 0; + while (prf) { + if (strcmp(entry->d_name, prf->data + 5) == 0) { // 5 is strlen("/etc/") + found = 1; + break; + } + prf = prf->next; + } + if (found) + continue; + } + + // for resolv.conf we might have to create a brand new file later + if (have_dhcp && + (strcmp(entry->d_name, "resolv.conf") == 0 || + strcmp(entry->d_name, "resolv.conf.dhclient-new") == 0)) + continue; +// printf("linking %s\n", entry->d_name); + + char *src; + if (asprintf(&src, "/etc/%s", entry->d_name) == -1) + errExit("asprintf"); + if (stat(src, &s) != 0) { + free(src); + continue; + } + + char *dest; + if (asprintf(&dest, "%s/%s", RUN_DNS_ETC, entry->d_name) == -1) + errExit("asprintf"); + + int symlink_done = 0; + if 
(is_link(src)) { + char *rp =realpath(src, NULL); + if (rp == NULL) { + free(src); + free(dest); + continue; + } + if (symlink(rp, dest)) + errExit("symlink"); + else + symlink_done = 1; + } + else if (S_ISDIR(s.st_mode)) + create_empty_dir_as_root(dest, s.st_mode); + else + create_empty_file_as_root(dest, s.st_mode); + + // bind-mount src on top of dest + if (!symlink_done) { + if (mount(src, dest, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mount bind mirroring /etc"); + } + fs_logger2("clone", src); + + free(src); + free(dest); + } + closedir(dir); + + // mount bind our private etc directory on top of /etc + if (arg_debug) + printf("Mount-bind %s on top of /etc\n", RUN_DNS_ETC); + if (mount(RUN_DNS_ETC, "/etc", NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mount bind mirroring /etc"); + fs_logger("mount /etc"); + + if (have_dhcp == 0) + return; + + if (arg_debug) + printf("Creating a new /etc/resolv.conf file\n"); + FILE *fp = fopen("/etc/resolv.conf", "wxe"); + if (!fp) { + fprintf(stderr, "Error: cannot create /etc/resolv.conf file\n"); + exit(1); + } + + if (cfg.dns1) { + if (any_dhcp()) + fwarning("network setup uses DHCP, nameservers will likely be overwritten\n"); + fprintf(fp, "nameserver %s\n", cfg.dns1); + } + if (cfg.dns2) + fprintf(fp, "nameserver %s\n", cfg.dns2); + if (cfg.dns3) + fprintf(fp, "nameserver %s\n", cfg.dns3); + if (cfg.dns4) + fprintf(fp, "nameserver %s\n", cfg.dns4); + + // mode and owner + SET_PERMS_STREAM(fp, 0, 0, 0644); + + fclose(fp); + + fs_logger("create /etc/resolv.conf"); +} diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index af891d61f42..590337da176 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * 
@@ -31,27 +31,27 @@ #include #ifndef O_PATH -# define O_PATH 010000000 +#define O_PATH 010000000 #endif -static void skel(const char *homedir, uid_t u, gid_t g) { - char *fname; +static void skel(const char *homedir) { + EUID_ASSERT(); // zsh if (!arg_shell_none && (strcmp(cfg.shell,"/usr/bin/zsh") == 0 || strcmp(cfg.shell,"/bin/zsh") == 0)) { // copy skel files + char *fname; if (asprintf(&fname, "%s/.zshrc", homedir) == -1) errExit("asprintf"); - struct stat s; // don't copy it if we already have the file - if (stat(fname, &s) == 0) + if (access(fname, F_OK) == 0) return; - if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat + if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat fprintf(stderr, "Error: invalid %s file\n", fname); exit(1); } - if (stat("/etc/skel/.zshrc", &s) == 0) { - copy_file_as_user("/etc/skel/.zshrc", fname, u, g, 0644); // regular user + if (access("/etc/skel/.zshrc", R_OK) == 0) { + copy_file_as_user("/etc/skel/.zshrc", fname, 0644); // regular user fs_logger("clone /etc/skel/.zshrc"); fs_logger2("clone", fname); } 
@@ -65,19 +65,18 @@ static void skel(const char *homedir, uid_t u, gid_t g) { // csh else if (!arg_shell_none && strcmp(cfg.shell,"/bin/csh") == 0) { // copy skel files + char *fname; if (asprintf(&fname, "%s/.cshrc", homedir) == -1) errExit("asprintf"); - struct stat s; - // don't copy it if we already have the file - if (stat(fname, &s) == 0) + if (access(fname, F_OK) == 0) return; - if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat + if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat fprintf(stderr, "Error: invalid %s file\n", fname); exit(1); } - if (stat("/etc/skel/.cshrc", &s) == 0) { - copy_file_as_user("/etc/skel/.cshrc", fname, u, g, 0644); // regular user + if (access("/etc/skel/.cshrc", R_OK) == 0) { + copy_file_as_user("/etc/skel/.cshrc", fname, 0644); // regular user fs_logger("clone /etc/skel/.cshrc"); fs_logger2("clone", fname); } @@ -91,18 +90,18 @@ static void skel(const char *homedir, uid_t u, gid_t g) { // bash etc. else { // copy skel files + char *fname; if (asprintf(&fname, "%s/.bashrc", homedir) == -1) errExit("asprintf"); - struct stat s; // don't copy it if we already have the file - if (stat(fname, &s) == 0) + if (access(fname, F_OK) == 0) return; - if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat + if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat fprintf(stderr, "Error: invalid %s file\n", fname); exit(1); } - if (stat("/etc/skel/.bashrc", &s) == 0) { - copy_file_as_user("/etc/skel/.bashrc", fname, u, g, 0644); // regular user + if (access("/etc/skel/.bashrc", R_OK) == 0) { + copy_file_as_user("/etc/skel/.bashrc", fname, 0644); // regular user fs_logger("clone /etc/skel/.bashrc"); fs_logger2("clone", fname); } @@ -112,6 +111,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) { } static int store_xauthority(void) { + EUID_ASSERT(); if (arg_x11_block) return 0; 
@@ -122,15 +122,16 @@ static int store_xauthority(void) { errExit("asprintf"); struct stat s; - if (stat(src, &s) == 0) { - if (is_link(src)) { + if (lstat(src, &s) == 0) { + if (S_ISLNK(s.st_mode)) { fwarning("invalid .Xauthority file\n"); free(src); return 0; } // create an empty file as root, and change ownership to user - FILE *fp = fopen(dest, "w"); + EUID_ROOT(); + FILE *fp = fopen(dest, "we"); if (fp) { fprintf(fp, "\n"); SET_PERMS_STREAM(fp, getuid(), getgid(), 0600); @@ -138,10 +139,11 @@ static int store_xauthority(void) { } else errExit("fopen"); + EUID_USER(); - copy_file_as_user(src, dest, getuid(), getgid(), 0600); // regular user - fs_logger2("clone", dest); + copy_file_as_user(src, dest, 0600); // regular user selinux_relabel_path(dest, src); + fs_logger2("clone", dest); free(src); return 1; // file copied } @@ -151,6 +153,7 @@ static int store_xauthority(void) { } static int store_asoundrc(void) { + EUID_ASSERT(); if (arg_nosound) return 0; @@ -161,11 +164,11 @@ static int store_asoundrc(void) { errExit("asprintf"); struct stat s; - if (stat(src, &s) == 0) { - if (is_link(src)) { + if (lstat(src, &s) == 0) { + if (S_ISLNK(s.st_mode)) { // make sure the real path of the file is inside the home directory /* coverity[toctou] */ - char* rp = realpath(src, NULL); + char *rp = realpath(src, NULL); if (!rp) { fprintf(stderr, "Error: Cannot access %s\n", src); exit(1); @@ -178,7 +181,8 @@ static int store_asoundrc(void) { } // create an empty file as root, and change ownership to user - FILE *fp = fopen(dest, "w"); + EUID_ROOT(); + FILE *fp = fopen(dest, "we"); if (fp) { fprintf(fp, "\n"); SET_PERMS_STREAM(fp, getuid(), getgid(), 0644); 
@@ -186,10 +190,11 @@ static int store_asoundrc(void) { } else errExit("fopen"); + EUID_USER(); - copy_file_as_user(src, dest, getuid(), getgid(), 0644); // regular user - selinux_relabel_path(dest, src); + copy_file_as_user(src, dest, 0644); // regular user fs_logger2("clone", dest); + selinux_relabel_path(dest, src); free(src); return 1; // file copied } @@ -199,6 +204,7 @@ static int store_asoundrc(void) { } static void copy_xauthority(void) { + EUID_ASSERT(); // copy XAUTHORITY_FILE in the new home directory char *src = RUN_XAUTHORITY_FILE ; char *dest; @@ -211,16 +217,18 @@ static void copy_xauthority(void) { exit(1); } - copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user - selinux_relabel_path(dest, src); + copy_file_as_user(src, dest, S_IRUSR | S_IWUSR); // regular user fs_logger2("clone", dest); + selinux_relabel_path(dest, dest); free(dest); - // delete the temporary file - unlink(src); + EUID_ROOT(); + unlink(src); // delete the temporary file + EUID_USER(); } static void copy_asoundrc(void) { + EUID_ASSERT(); // copy ASOUNDRC_FILE in the new home directory char *src = RUN_ASOUNDRC_FILE ; char *dest; @@ -233,12 +241,14 @@ static void copy_asoundrc(void) { exit(1); } - copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user + copy_file_as_user(src, dest, S_IRUSR | S_IWUSR); // regular user fs_logger2("clone", dest); + selinux_relabel_path(dest, dest); free(dest); - // delete the temporary file - unlink(src); + EUID_ROOT(); + unlink(src); // delete the temporary file + EUID_USER(); } // private mode (--private=homedir): 
@@ -251,21 +261,22 @@ void fs_private_homedir(void) { char *private_homedir = cfg.home_private; assert(homedir); assert(private_homedir); + EUID_ASSERT(); + + uid_t u = getuid(); + // gid_t g = getgid(); int xflag = store_xauthority(); int aflag = store_asoundrc(); - uid_t u = getuid(); - gid_t g = getgid(); - // mount bind private_homedir on top of homedir if (arg_debug) printf("Mount-bind %s on top of %s\n", private_homedir, homedir); // get file descriptors for homedir and private_homedir, fails if there is any symlink - int src = safe_fd(private_homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + int src = safer_openat(-1, private_homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); if (src == -1) errExit("opening private directory"); - int dst = safe_fd(homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + int dst = safer_openat(-1, homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); if (dst == -1) errExit("opening home directory"); // both mount source and target should be owned by the user @@ -286,17 +297,11 @@ void fs_private_homedir(void) { exit(1); } // mount via the links in /proc/self/fd - char *proc_src, *proc_dst; - if (asprintf(&proc_src, "/proc/self/fd/%d", src) == -1) - errExit("asprintf"); - if (asprintf(&proc_dst, "/proc/self/fd/%d", dst) == -1) - errExit("asprintf"); - if (mount(proc_src, proc_dst, NULL, MS_NOSUID | MS_NODEV | MS_BIND | MS_REC, NULL) < 0) + EUID_ROOT(); + if (bind_mount_by_fd(src, dst)) errExit("mount bind"); - free(proc_src); - free(proc_dst); - close(src); - close(dst); + EUID_USER(); + // check /proc/self/mountinfo to confirm the mount is ok MountData *mptr = get_last_mount(); size_t len = strlen(homedir); @@ -304,6 +309,8 @@ void fs_private_homedir(void) { (*(mptr->dir + len) != '\0' && *(mptr->dir + len) != '/')) errLogExit("invalid private mount"); + close(src); + close(dst); fs_logger3("mount-bind", private_homedir, homedir); fs_logger2("whitelist", homedir); // preserve mode and ownership 
@@ -312,6 +319,7 @@ void fs_private_homedir(void) { // if (chmod(homedir, s.st_mode) == -1) // errExit("mount-bind chmod"); + EUID_ROOT(); if (u != 0) { // mask /root if (arg_debug) @@ -330,8 +338,9 @@ void fs_private_homedir(void) { selinux_relabel_path("/home", "/home"); fs_logger("tmpfs /home"); } + EUID_USER(); - skel(homedir, u, g); + skel(homedir); if (xflag) copy_xauthority(); if (aflag) @@ -346,12 +355,15 @@ void fs_private_homedir(void) { void fs_private(void) { char *homedir = cfg.homedir; assert(homedir); + EUID_ASSERT(); + uid_t u = getuid(); gid_t g = getgid(); int xflag = store_xauthority(); int aflag = store_asoundrc(); + EUID_ROOT(); // mask /root if (arg_debug) printf("Mounting a new /root directory\n"); 
@@ -360,46 +372,45 @@ void fs_private(void) { selinux_relabel_path("/root", "/root"); fs_logger("tmpfs /root"); - if (arg_allusers) { - if (u != 0) - // mask user home directory - // the directory should be owned by the current user - fs_tmpfs(homedir, 1); - } - else { // mask /home + // mask /home + if (!arg_allusers) { if (arg_debug) printf("Mounting a new /home directory\n"); if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=755,gid=0") < 0) errExit("mounting /home directory"); selinux_relabel_path("/home", "/home"); fs_logger("tmpfs /home"); + } - if (u != 0) { - if (strncmp(homedir, "/home/", 6) == 0) { - // create /home/user - if (arg_debug) - printf("Create a new user directory\n"); - if (mkdir(homedir, S_IRWXU) == -1) { - if (mkpath_as_root(homedir) == -1) - errExit("mkpath"); - if (mkdir(homedir, S_IRWXU) == -1 && errno != EEXIST) - errExit("mkdir"); - } - if (chown(homedir, u, g) < 0) - errExit("chown"); - - selinux_relabel_path(homedir, homedir); - fs_logger2("mkdir", homedir); - fs_logger2("tmpfs", homedir); + if (u != 0) { + if (!arg_allusers && strncmp(homedir, "/home/", 6) == 0) { + // create new empty /home/user directory + if (arg_debug) + printf("Create a new user directory\n"); + if (mkdir(homedir, S_IRWXU) == -1) { + if (mkpath_as_root(homedir) == -1) + errExit("mkpath"); + if (mkdir(homedir, S_IRWXU) == -1) + errExit("mkdir"); } - else - // mask user home directory - // the directory should be owned by the current user - fs_tmpfs(homedir, 1); + if (chown(homedir, u, g) < 0) + errExit("chown"); + fs_logger2("mkdir", homedir); + fs_logger2("tmpfs", homedir); } + else { + // mask user home directory + // the directory should be owned by the current user + EUID_USER(); + fs_tmpfs(homedir, 1); + EUID_ROOT(); + } + + selinux_relabel_path(homedir, homedir); } + EUID_USER(); - skel(homedir, u, g); + skel(homedir); if (xflag) copy_xauthority(); if (aflag) 
@@ -442,6 +453,7 @@ void fs_check_private_cwd(const char *dir) { // --private-home //*********************************************************************************** static char *check_dir_or_file(const char *name) { + EUID_ASSERT(); assert(name); // basic checks @@ -502,6 +514,7 @@ static char *check_dir_or_file(const char *name) { } static void duplicate(char *name) { + EUID_ASSERT(); char *fname = check_dir_or_file(name); if (arg_debug) @@ -539,28 +552,32 @@ static void duplicate(char *name) { // set skel files, // restore .Xauthority void fs_private_home_list(void) { - timetrace_start(); - char *homedir = cfg.homedir; char *private_list = cfg.home_private_keep; assert(homedir); assert(private_list); + EUID_ASSERT(); - int xflag = store_xauthority(); - int aflag = store_asoundrc(); + timetrace_start(); uid_t uid = getuid(); gid_t gid = getgid(); + int xflag = store_xauthority(); + int aflag = store_asoundrc(); + + EUID_ROOT(); // create /run/firejail/mnt/home directory mkdir_attr(RUN_HOME_DIR, 0755, uid, gid); - selinux_relabel_path(RUN_HOME_DIR, "/home"); - fs_logger_print(); // save the current log + selinux_relabel_path(RUN_HOME_DIR, homedir); - if (arg_debug) - printf("Copying files in the new home:\n"); + // save the current log + fs_logger_print(); + EUID_USER(); // copy the list of files in the new home directory + if (arg_debug) + printf("Copying files in the new home:\n"); char *dlist = strdup(cfg.home_private_keep); if (!dlist) errExit("strdup"); @@ -580,7 +597,7 @@ void fs_private_home_list(void) { if (arg_debug) printf("Mount-bind %s on top of %s\n", RUN_HOME_DIR, homedir); - int fd = safe_fd(homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + int fd = safer_openat(-1, homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); if (fd == -1) errExit("opening home directory"); // home directory should be owned by the user 
@@ -593,24 +610,19 @@ void fs_private_home_list(void) { exit(1); } // mount using the file descriptor - char *proc; - if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) - errExit("asprintf"); - if (mount(RUN_HOME_DIR, proc, NULL, MS_BIND|MS_REC, NULL) < 0) + EUID_ROOT(); + if (bind_mount_path_to_fd(RUN_HOME_DIR, fd)) errExit("mount bind"); - free(proc); + EUID_USER(); close(fd); + // check /proc/self/mountinfo to confirm the mount is ok MountData *mptr = get_last_mount(); if (strcmp(mptr->dir, homedir) != 0 || strcmp(mptr->fstype, "tmpfs") != 0) errLogExit("invalid private-home mount"); fs_logger2("tmpfs", homedir); - // mask RUN_HOME_DIR, it is writable and not noexec - if (mount("tmpfs", RUN_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mounting tmpfs"); - fs_logger2("tmpfs", RUN_HOME_DIR); - + EUID_ROOT(); if (uid != 0) { // mask /root if (arg_debug) @@ -630,7 +642,12 @@ void fs_private_home_list(void) { fs_logger("tmpfs /home"); } - skel(homedir, uid, gid); + // mask RUN_HOME_DIR, it is writable and not noexec + if (mount("tmpfs", RUN_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) + errExit("mounting tmpfs"); + EUID_USER(); + + skel(homedir); if (xflag) copy_xauthority(); if (aflag) diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c index 5d6fddf8e8e..7d320e90b12 100644 --- a/src/firejail/fs_hostname.c +++ b/src/firejail/fs_hostname.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * 
@@ -47,11 +47,11 @@ void fs_hostname(const char *hostname) { printf("Creating a new /etc/hosts file\n"); // copy /etc/host into our new file, and modify it on the fly /* coverity[toctou] */ - FILE *fp1 = fopen("/etc/hosts", "r"); + FILE *fp1 = fopen("/etc/hosts", "re"); if (!fp1) goto errexit; - FILE *fp2 = fopen(RUN_HOSTS_FILE, "w"); + FILE *fp2 = fopen(RUN_HOSTS_FILE, "we"); if (!fp2) { fclose(fp1); goto errexit; 
@@ -88,118 +88,11 @@ void fs_hostname(const char *hostname) { exit(1); } -void fs_resolvconf(void) { - if (cfg.dns1 == NULL && !any_dhcp()) - return; - - if (arg_debug) - printf("mirroring /etc directory\n"); - if (mkdir(RUN_DNS_ETC, 0755)) - errExit("mkdir"); - selinux_relabel_path(RUN_DNS_ETC, "/etc"); - fs_logger("tmpfs /etc"); - - DIR *dir = opendir("/etc"); - if (!dir) - errExit("opendir"); - - struct stat s; - struct dirent *entry; - while ((entry = readdir(dir))) { - if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) - continue; - // for resolv.conf we create a brand new file - if (strcmp(entry->d_name, "resolv.conf") == 0 || - strcmp(entry->d_name, "resolv.conf.dhclient-new") == 0) - continue; -// printf("linking %s\n", entry->d_name); - - char *src; - if (asprintf(&src, "/etc/%s", entry->d_name) == -1) - errExit("asprintf"); - if (stat(src, &s) != 0) { - free(src); - continue; - } - - char *dest; - if (asprintf(&dest, "%s/%s", RUN_DNS_ETC, entry->d_name) == -1) - errExit("asprintf"); - - int symlink_done = 0; - if (is_link(src)) { - char *rp =realpath(src, NULL); - if (rp == NULL) { - free(src); - free(dest); - continue; - } - if (symlink(rp, dest)) - errExit("symlink"); - else - symlink_done = 1; - } - else if (S_ISDIR(s.st_mode)) - create_empty_dir_as_root(dest, s.st_mode); - else - create_empty_file_as_root(dest, s.st_mode); - - // bind-mount src on top of dest - if (!symlink_done) { - if (mount(src, dest, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind mirroring /etc"); - } - fs_logger2("clone", src); - - free(src); - free(dest); - } - closedir(dir); - - // mount bind our private etc directory on top of /etc - if (arg_debug) - printf("Mount-bind %s on top of /etc\n", RUN_DNS_ETC); - if (mount(RUN_DNS_ETC, "/etc", NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind mirroring /etc"); - fs_logger("mount /etc"); - - if (arg_debug) - printf("Creating a new /etc/resolv.conf file\n"); - FILE *fp = fopen("/etc/resolv.conf", 
"w"); - if (!fp) { - fprintf(stderr, "Error: cannot create /etc/resolv.conf file\n"); - exit(1); - } - - if (cfg.dns1) { - if (any_dhcp()) - fwarning("network setup uses DHCP, nameservers will likely be overwritten\n"); - fprintf(fp, "nameserver %s\n", cfg.dns1); - } - if (cfg.dns2) - fprintf(fp, "nameserver %s\n", cfg.dns2); - if (cfg.dns3) - fprintf(fp, "nameserver %s\n", cfg.dns3); - if (cfg.dns4) - fprintf(fp, "nameserver %s\n", cfg.dns4); - - // mode and owner - SET_PERMS_STREAM(fp, 0, 0, 0644); - - fclose(fp); - - fs_logger("create /etc/resolv.conf"); -} - char *fs_check_hosts_file(const char *fname) { assert(fname); invalid_filename(fname, 0); // no globbing char *rv = expand_macros(fname); - // no a link - if (is_link(rv)) - goto errexit; - // the user has read access to the file if (access(rv, R_OK)) goto errexit; @@ -222,9 +115,6 @@ void fs_mount_hosts_file(void) { struct stat s; if (stat("/etc/hosts", &s) == -1) goto errexit; - // not a link - if (is_link("/etc/hosts")) - goto errexit; // owned by root if (s.st_uid != 0) goto errexit; diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c index 64444bba286..848c186fa3d 100644 --- a/src/firejail/fs_lib.c +++ b/src/firejail/fs_lib.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * 
@@ -23,30 +23,89 @@ #include #include #include -#include +#include +#include #include #define MAXBUF 4096 extern void fslib_install_stdc(void); +extern void fslib_install_firejail(void); extern void fslib_install_system(void); static int lib_cnt = 0; static int dir_cnt = 0; -static void report_duplication(const char *full_path) { - char *fname = strrchr(full_path, '/'); - if (fname && *(++fname) != '\0') { - // report the file on all bin paths - int i = 0; - while (default_lib_paths[i]) { - char *p; - if (asprintf(&p, "%s/%s", default_lib_paths[i], fname) == -1) - errExit("asprintf"); - fs_logger2("clone", p); - free(p); - i++; +static const char *masked_lib_dirs[] = { + "/usr/lib64", + "/lib64", + "/usr/lib", + "/lib", + "/usr/local/lib64", + "/usr/local/lib", + NULL, +}; + +// return 1 if the file is in masked_lib_dirs[] +static int valid_full_path(const char *full_path) { + if (strstr(full_path, "..")) + return 0; + + int i = 0; + while (masked_lib_dirs[i]) { + size_t len = strlen(masked_lib_dirs[i]); + if (strncmp(full_path, masked_lib_dirs[i], len) == 0 && + full_path[len] == '/') + return 1; + i++; + } + return 0; +} + +char *find_in_path(const char *program) { + EUID_ASSERT(); + if (arg_debug) + printf("Searching $PATH for %s\n", program); + + char self[MAXBUF]; + ssize_t len = readlink("/proc/self/exe", self, MAXBUF - 1); + if (len < 0) + errExit("readlink"); + self[len] = '\0'; + + const char *path = env_get("PATH"); + if (!path) + return NULL; + + char *dup = strdup(path); + if (!dup) + errExit("strdup"); + char *tok = strtok(dup, ":"); + while (tok) { + char *fname; + if (asprintf(&fname, "%s/%s", tok, program) == -1) + errExit("asprintf"); + + if (arg_debug) + printf("trying #%s#\n", fname); + struct stat s; + if (stat(fname, &s) == 0) { + // but skip links created by firecfg + char *rp = realpath(fname, NULL); + if (!rp) + errExit("realpath"); + if (strcmp(self, rp) != 0) { + free(rp); + free(dup); + return fname; + } + free(rp); } + free(fname); + tok 
= strtok(NULL, ":"); } + + free(dup); + return NULL; } static char *build_dest_dir(const char *full_path) { 
@@ -56,71 +115,117 @@ static char *build_dest_dir(const char *full_path) { return RUN_LIB_DIR; } -// copy fname in private_run_dir -void fslib_duplicate(const char *full_path) { +// return name of mount target in allocated memory +static char *build_dest_name(const char *full_path) { assert(full_path); + char *fname = strrchr(full_path, '/'); + assert(fname); + fname++; + // no trailing slash or dot + assert(fname[0] != '\0' && (fname[0] != '.' || fname[1] != '\0')); - struct stat s; - if (stat(full_path, &s) != 0 || s.st_uid != 0 || access(full_path, R_OK)) - return; + char *dest; + if (asprintf(&dest, "%s/%s", build_dest_dir(full_path), fname) == -1) + errExit("asprintf"); + return dest; +} - char *dest_dir = build_dest_dir(full_path); +static void fslib_mount_dir(const char *full_path) { + // create new directory and mount the original on top of it + char *dest = build_dest_name(full_path); + if (mkdir(dest, 0755) == -1) { + if (errno == EEXIST) { // directory has been mounted already, nothing to do + free(dest); + return; + } + errExit("mkdir"); + } - // don't copy it if the file is already there - char *ptr = strrchr(full_path, '/'); - if (!ptr) - return; - ptr++; - if (*ptr == '\0') - return; + if (arg_debug || arg_debug_private_lib) + printf(" mounting %s on %s\n", full_path, dest); + // if full_path is a symbolic link, mount will follow it + if (mount(full_path, dest, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mount bind"); + free(dest); + dir_cnt++; +} - char *name; - if (asprintf(&name, "%s/%s", dest_dir, ptr) == -1) - errExit("asprintf"); - if (stat(name, &s) == 0) { - free(name); - return; +static void fslib_mount_file(const char *full_path) { + // create new file and mount the original on top of it + char *dest = build_dest_name(full_path); + int fd = open(dest, O_RDONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR); + if (fd == -1) { + if (errno == EEXIST) { // file has been mounted already, nothing to do + free(dest); + return; + } + errExit("open"); 
} - free(name); + close(fd); if (arg_debug || arg_debug_private_lib) - printf(" copying %s to private %s\n", full_path, dest_dir); - - sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, dest_dir); - report_duplication(full_path); + printf(" mounting %s on %s\n", full_path, dest); + // if full_path is a symbolic link, mount will follow it + if (mount(full_path, dest, NULL, MS_BIND, NULL) < 0) + errExit("mount bind"); + free(dest); lib_cnt++; } +void fslib_mount(const char *full_path) { + assert(full_path); + struct stat s; + + if (*full_path == '\0' || + !valid_full_path(full_path) || + stat_as_user(full_path, &s) != 0 || + s.st_uid != 0) + return; + + if (S_ISDIR(s.st_mode)) + fslib_mount_dir(full_path); + else if (S_ISREG(s.st_mode) && is_lib_64(full_path)) + fslib_mount_file(full_path); +} // requires full path for lib // it could be a library or an executable // lib is not copied, only libraries used by it -void fslib_copy_libs(const char *full_path) { +void fslib_mount_libs(const char *full_path, unsigned user) { assert(full_path); - if (arg_debug || arg_debug_private_lib) - printf(" fslib_copy_libs %s\n", full_path); - // if library/executable does not exist or the user does not have read access to it // print a warning and exit the function. 
- if (access(full_path, R_OK)) { + if (access(full_path, F_OK)) { if (arg_debug || arg_debug_private_lib) - printf("cannot find %s for private-lib, skipping...\n", full_path); + printf("Cannot find %s, skipping...\n", full_path); + return; + } + if (user && access(full_path, R_OK)) { + if (arg_debug || arg_debug_private_lib) + printf("Cannot read %s, skipping...\n", full_path); return; } + if (arg_debug || arg_debug_private_lib) + printf(" fslib_mount_libs %s\n", full_path); // create an empty RUN_LIB_FILE and allow the user to write to it unlink(RUN_LIB_FILE); // in case is there create_empty_file_as_root(RUN_LIB_FILE, 0644); - if (chown(RUN_LIB_FILE, getuid(), getgid())) + if (user && chown(RUN_LIB_FILE, getuid(), getgid())) errExit("chown"); // run fldd to extract the list of files if (arg_debug || arg_debug_private_lib) - printf(" running fldd %s\n", full_path); - sbox_run(SBOX_USER | SBOX_SECCOMP | SBOX_CAPS_NONE, 3, PATH_FLDD, full_path, RUN_LIB_FILE); + printf(" running fldd %s as %s\n", full_path, user ? "user" : "root"); + unsigned mask; + if (user) + mask = SBOX_USER; + else + mask = SBOX_ROOT; + sbox_run(mask | SBOX_SECCOMP | SBOX_CAPS_NONE, 3, PATH_FLDD, full_path, RUN_LIB_FILE); // open the list of libraries and install them on by one - FILE *fp = fopen(RUN_LIB_FILE, "r"); + FILE *fp = fopen(RUN_LIB_FILE, "re"); if (!fp) errExit("fopen"); 
@@ -130,68 +235,31 @@ void fslib_copy_libs(const char *full_path) { char *ptr = strchr(buf, '\n'); if (ptr) *ptr = '\0'; - fslib_duplicate(buf); + + trim_trailing_slash_or_dot(buf); + fslib_mount(buf); } fclose(fp); unlink(RUN_LIB_FILE); } - -void fslib_copy_dir(const char *full_path) { - assert(full_path); - if (arg_debug || arg_debug_private_lib) - printf(" fslib_copy_dir %s\n", full_path); - - // do nothing if the directory does not exist or is not owned by root - struct stat s; - if (stat(full_path, &s) != 0 || s.st_uid != 0 || !S_ISDIR(s.st_mode) || access(full_path, R_OK)) - return; - - char *dir_name = strrchr(full_path, '/'); - assert(dir_name); - dir_name++; - assert(*dir_name != '\0'); - - // do nothing if the directory is already there - char *dest; - if (asprintf(&dest, "%s/%s", build_dest_dir(full_path), dir_name) == -1) - errExit("asprintf"); - if (stat(dest, &s) == 0) { - free(dest); - return; - } - - // create new directory and mount the original on top of it - mkdir_attr(dest, 0755, 0, 0); - - if (mount(full_path, dest, NULL, MS_BIND|MS_REC, NULL) < 0 || - mount(NULL, dest, NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) - errExit("mount bind"); - fs_logger2("clone", full_path); - fs_logger2("mount", full_path); - dir_cnt++; - free(dest); -} - -// fname should be a vallid full path at this point +// fname should be a full path at this point static void load_library(const char *fname) { assert(fname); assert(*fname == '/'); - // existing file owned by root, read access + // existing file owned by root struct stat s; - if (stat(fname, &s) == 0 && s.st_uid == 0 && !access(fname, R_OK)) { + if (stat_as_user(fname, &s) == 0 && s.st_uid == 0) { // load directories, regular 64 bit libraries, and 64 bit executables - if (is_dir(fname) || is_lib_64(fname)) { - if (is_dir(fname)) - fslib_copy_dir(fname); - else { - if (strstr(fname, ".so") || - access(fname, X_OK) != 0) // don't duplicate executables, just install the libraries - 
fslib_duplicate(fname); - - fslib_copy_libs(fname); - } + if (S_ISDIR(s.st_mode)) + fslib_mount(fname); + else if (S_ISREG(s.st_mode) && is_lib_64(fname)) { + if (strstr(fname, ".so") || + access(fname, X_OK) != 0) // don't duplicate executables, just install the libraries + fslib_mount(fname); + + fslib_mount_libs(fname, 1); // parse as user } } } @@ -222,17 +290,24 @@ static void install_list_entry(const char *lib) { #define DO_GLOBBING #ifdef DO_GLOBBING // globbing + EUID_USER(); glob_t globbuf; int globerr = glob(fname, GLOB_NOCHECK | GLOB_NOSORT | GLOB_PERIOD, NULL, &globbuf); if (globerr) { fprintf(stderr, "Error: failed to glob private-lib pattern %s\n", fname); exit(1); } + EUID_ROOT(); size_t j; for (j = 0; j < globbuf.gl_pathc; j++) { assert(globbuf.gl_pathv[j]); //printf("glob %s\n", globbuf.gl_pathv[j]); // GLOB_NOCHECK - no pattern matched returns the original pattern; try to load it anyway + + // foobar/* expands to foobar/. and foobar/.. + const char *base = gnu_basename(globbuf.gl_pathv[j]); + if (strcmp(base, ".") == 0 || strcmp(base, "..") == 0) + continue; load_library(globbuf.gl_pathv[j]); } @@ -247,7 +322,6 @@ static void install_list_entry(const char *lib) { return; } - void fslib_install_list(const char *lib_list) { assert(lib_list); if (arg_debug || arg_debug_private_lib) 
@@ -262,42 +336,31 @@ void fslib_install_list(const char *lib_list) { fprintf(stderr, "Error: invalid private-lib argument\n"); exit(1); } + trim_trailing_slash_or_dot(ptr); install_list_entry(ptr); - while ((ptr = strtok(NULL, ",")) != NULL) + while ((ptr = strtok(NULL, ",")) != NULL) { + trim_trailing_slash_or_dot(ptr); install_list_entry(ptr); + } free(dlist); fs_logger_print(); } - - static void mount_directories(void) { - if (arg_debug || arg_debug_private_lib) - printf("Mount-bind %s on top of /lib /lib64 /usr/lib\n", RUN_LIB_DIR); - - if (is_dir("/lib")) { - if (mount(RUN_LIB_DIR, "/lib", NULL, MS_BIND|MS_REC, NULL) < 0 || - mount(NULL, "/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) - errExit("mount bind"); - fs_logger2("tmpfs", "/lib"); - fs_logger("mount /lib"); - } - - if (is_dir("/lib64")) { - if (mount(RUN_LIB_DIR, "/lib64", NULL, MS_BIND|MS_REC, NULL) < 0 || - mount(NULL, "/lib64", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) - errExit("mount bind"); - fs_logger2("tmpfs", "/lib64"); - fs_logger("mount /lib64"); - } - - if (is_dir("/usr/lib")) { - if (mount(RUN_LIB_DIR, "/usr/lib", NULL, MS_BIND|MS_REC, NULL) < 0 || - mount(NULL, "/usr/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) - errExit("mount bind"); - fs_logger2("tmpfs", "/usr/lib"); - fs_logger("mount /usr/lib"); + fs_remount(RUN_LIB_DIR, MOUNT_READONLY, 1); // should be redundant except for RUN_LIB_DIR itself + + int i = 0; + while (masked_lib_dirs[i]) { + if (is_dir(masked_lib_dirs[i])) { + if (arg_debug || arg_debug_private_lib) + printf("Mount-bind %s on top of %s\n", RUN_LIB_DIR, masked_lib_dirs[i]); + if (mount(RUN_LIB_DIR, masked_lib_dirs[i], NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mount bind"); + fs_logger2("tmpfs", masked_lib_dirs[i]); + fs_logger2("mount", masked_lib_dirs[i]); + } + i++; } // for amd64 only - we'll deal with i386 later 
@@ -333,6 +396,11 @@ void fs_private_lib(void) { printf("Installing standard C library\n"); fslib_install_stdc(); + // install other libraries needed by firejail + if (arg_debug || arg_debug_private_lib) + printf("Installing Firejail libraries\n"); + fslib_install_firejail(); + // start timetrace timetrace_start(); @@ -340,7 +408,18 @@ void fs_private_lib(void) { if (cfg.original_program_index > 0) { if (arg_debug || arg_debug_private_lib) printf("Installing sandboxed program libraries\n"); - fslib_install_list(cfg.original_argv[cfg.original_program_index]); + + if (strchr(cfg.original_argv[cfg.original_program_index], '/')) + fslib_install_list(cfg.original_argv[cfg.original_program_index]); + else { // search executable in $PATH + EUID_USER(); + char *fname = find_in_path(cfg.original_argv[cfg.original_program_index]); + EUID_ROOT(); + if (fname) { + fslib_install_list(fname); + free(fname); + } + } } // for the shell @@ -351,7 +430,6 @@ void fs_private_lib(void) { fslib_install_list(cfg.shell); // a shell is useless without some basic commands fslib_install_list("/bin/ls,/bin/cat,/bin/mv,/bin/rm"); - } // for the listed libs and directories @@ -369,15 +447,11 @@ void fs_private_lib(void) { } fmessage("Program libraries installed in %0.2f ms\n", timetrace_end()); - // install the reset of the system libraries + // install the rest of the system libraries if (arg_debug || arg_debug_private_lib) printf("Installing system libraries\n"); fslib_install_system(); - // bring in firejail directory for --trace and seccomp post exec - // bring in firejail executable libraries in case we are redirected here by a firejail symlink from /usr/local/bin/firejail - fslib_install_list("/usr/bin/firejail,firejail"); // todo: use the installed path for the executable - fmessage("Installed %d %s and %d %s\n", lib_cnt, (lib_cnt == 1)? "library": "libraries", dir_cnt, (dir_cnt == 1)? "directory": "directories"); 
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c index b2ae07f3ed9..a347b380c59 100644 --- a/src/firejail/fs_lib2.c +++ b/src/firejail/fs_lib2.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -21,15 +21,15 @@ #include #include -extern void fslib_duplicate(const char *full_path); -extern void fslib_copy_libs(const char *full_path); -extern void fslib_copy_dir(const char *full_path); +extern void fslib_mount_libs(const char *full_path, unsigned user); +extern void fslib_mount(const char *full_path); //*************************************************************** // Standard C library //*************************************************************** // standard libc libraries based on Debian's libc6 package // selinux seems to be linked in most command line utilities +// libpcre2 is a dependency of selinux // locale (/usr/lib/locale) - without it, the program will default to "C" locale typedef struct liblist_t { const char *name; @@ -38,6 +38,7 @@ typedef struct liblist_t { static LibList libc_list[] = { { "libselinux.so.", 0 }, + { "libpcre2-8.so.", 0 }, { "libapparmor.so.", 0}, { "ld-linux-x86-64.so.", 0 }, { "libanl.so.", 0 }, @@ -95,7 +96,8 @@ static void stdc(const char *dirname) { if (asprintf(&fname, "%s/%s", dirname, entry->d_name) == -1) errExit("asprintf"); - fslib_duplicate(fname); + fslib_mount(fname); + free(fname); } } closedir(dir); 
@@ -104,25 +106,70 @@ static void stdc(const char *dirname) { void fslib_install_stdc(void) { // install standard C libraries + timetrace_start(); struct stat s; - char *stdclib = "/lib64"; // CentOS, Fedora, Arch - if (stat("/lib/x86_64-linux-gnu", &s) == 0) { // Debian & friends mkdir_attr(RUN_LIB_DIR "/x86_64-linux-gnu", 0755, 0, 0); selinux_relabel_path(RUN_LIB_DIR "/x86_64-linux-gnu", "/lib/x86_64-linux-gnu"); - stdclib = "/lib/x86_64-linux-gnu"; + stdc("/lib/x86_64-linux-gnu"); } - timetrace_start(); - stdc(stdclib); + stdc("/lib64"); // CentOS, Fedora, Arch, ld-linux.so in Debian & friends // install locale if (stat("/usr/lib/locale", &s) == 0) - fslib_copy_dir("/usr/lib/locale"); + fslib_mount("/usr/lib/locale"); fmessage("Standard C library installed in %0.2f ms\n", timetrace_end()); } +//*************************************************************** +// Firejail libraries +//*************************************************************** + +static void fdir(void) { + // firejail directory itself + fslib_mount(LIBDIR "/firejail"); + + // executables and libraries from firejail directory + static const char * const fbin[] = { + PATH_FCOPY, // currently sufficient to find all needed libraries + // PATH_FSECCOMP, + // PATH_FSEC_OPTIMIZE, + // PATH_FSEC_PRINT, + // RUN_FIREJAIL_LIB_DIR "/libtrace.so", + // RUN_FIREJAIL_LIB_DIR "/libtracelog.so", + // RUN_FIREJAIL_LIB_DIR "/libpostexecseccomp.so", + NULL, + }; + + // need to parse as root user, unprivileged users have no read permission on some of these binaries + int i; + for (i = 0; fbin[i]; i++) + fslib_mount_libs(fbin[i], 0); +} + +void fslib_install_firejail(void) { + timetrace_start(); + // bring in firejail executable libraries, in case we are redirected here + // by a firejail symlink from /usr/local/bin/firejail + // fldd might have no read permission on the firejail executable + // parse as root in order to support these setups + fslib_mount_libs(PATH_FIREJAIL, 0); + + // bring in firejail directory 
+ fdir(); + + // bring in dhclient libraries + if (any_dhcp()) + fslib_mount_libs(RUN_MNT_DIR "/dhclient", 1); // parse as user + + // bring in xauth libraries + if (arg_x11_xorg) + fslib_mount_libs("/usr/bin/xauth", 1); // parse as user + + fmessage("Firejail libraries installed in %0.2f ms\n", timetrace_end()); +} //*************************************************************** // various system libraries @@ -268,8 +315,8 @@ void fslib_install_system(void) { if (asprintf(&name, "/usr/lib/x86_64-linux-gnu/%s", ptr->dir1) == -1) errExit("asprintf"); if (access(name, R_OK) == 0) { - fslib_copy_libs(name); - fslib_copy_dir(name); + fslib_mount_libs(name, 1); // parse as user + fslib_mount(name); } else { free(name); @@ -277,8 +324,8 @@ void fslib_install_system(void) { if (asprintf(&name, "/usr/lib64/%s", ptr->dir1) == -1) errExit("asprintf"); if (access(name, R_OK) == 0) { - fslib_copy_libs(name); - fslib_copy_dir(name); + fslib_mount_libs(name, 1); // parse as user + fslib_mount(name); } } free(name); @@ -288,8 +335,8 @@ void fslib_install_system(void) { if (asprintf(&name, "/usr/lib/x86_64-linux-gnu/%s", ptr->dir2) == -1) errExit("asprintf"); if (access(name, R_OK) == 0) { - fslib_copy_libs(name); - fslib_copy_dir(name); + fslib_mount_libs(name, 1); // parse as user + fslib_mount(name); } else { free(name); @@ -297,8 +344,8 @@ void fslib_install_system(void) { if (asprintf(&name, "/usr/lib64/%s", ptr->dir2) == -1) errExit("asprintf"); if (access(name, R_OK) == 0) { - fslib_copy_libs(name); - fslib_copy_dir(name); + fslib_mount_libs(name, 1); // parse as user + fslib_mount(name); } } free(name); diff --git a/src/firejail/fs_logger.c b/src/firejail/fs_logger.c index 892c91e3fae..604e297b1c0 100644 --- a/src/firejail/fs_logger.c +++ b/src/firejail/fs_logger.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * 
@@ -92,7 +92,7 @@ void fs_logger_print(void) { if (!head) return; - FILE *fp = fopen(RUN_FSLOGGER_FILE, "a"); + FILE *fp = fopen(RUN_FSLOGGER_FILE, "ae"); if (!fp) { perror("fopen"); return; @@ -123,15 +123,8 @@ void fs_logger_print_log(pid_t pid) { // in case the pid is that of a firejail process, use the pid of the first child process pid = switch_to_child(pid); - // check privileges for non-root users - uid_t uid = getuid(); - if (uid != 0) { - uid_t sandbox_uid = pid_get_uid(pid); - if (uid != sandbox_uid) { - fprintf(stderr, "Error: permission denied\n"); - exit(1); - } - } + // exit if no permission to join the sandbox + check_join_permission(pid); // print RUN_FSLOGGER_FILE char *fname; @@ -139,24 +132,16 @@ void fs_logger_print_log(pid_t pid) { errExit("asprintf"); EUID_ROOT(); - struct stat s; - if (stat(fname, &s) == -1 || s.st_uid != 0) { - fprintf(stderr, "Error: Cannot access filesystem log\n"); - exit(1); - } - - /* coverity[toctou] */ - FILE *fp = fopen(fname, "r"); + FILE *fp = fopen(fname, "re"); + free(fname); if (!fp) { fprintf(stderr, "Error: Cannot open filesystem log\n"); exit(1); } - char buf[MAXBUF]; while (fgets(buf, MAXBUF, fp)) printf("%s", buf); fclose(fp); - free(fname); exit(0); } diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c index 0e213f2f824..4983db0a0a2 100644 --- a/src/firejail/fs_mkdir.c +++ b/src/firejail/fs_mkdir.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -18,6 +18,7 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include "firejail.h" +#include "../include/gcov_wrapper.h" #include #include #include @@ -25,7 +26,6 @@ #include #include - static void check(const char *fname) { // manufacture /run/user directory char *runuser; 
@@ -46,7 +46,7 @@ static void mkdir_recursive(char *path) { struct stat s; if (chdir("/")) { - fprintf(stderr, "Error: can't chdir to /"); + fprintf(stderr, "Error: can't chdir to /\n"); return; } @@ -63,7 +63,7 @@ static void mkdir_recursive(char *path) { return; } if (chdir(subdir)) { - fprintf(stderr, "Error: can't chdir to %s", subdir); + fprintf(stderr, "Error: can't chdir to %s\n", subdir); return; } @@ -95,9 +95,9 @@ void fs_mkdir(const char *name) { // create directory mkdir_recursive(expanded); -#ifdef HAVE_GCOV + __gcov_flush(); -#endif + _exit(0); } // wait for the child to finish diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c index 1894784a80e..475a391ecbd 100644 --- a/src/firejail/fs_trace.c +++ b/src/firejail/fs_trace.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -33,8 +33,7 @@ void fs_trace_preload(void) { if (stat("/etc/ld.so.preload", &s)) { if (arg_debug) printf("Creating an empty /etc/ld.so.preload file\n"); - /* coverity[toctou] */ - FILE *fp = fopen("/etc/ld.so.preload", "w"); + FILE *fp = fopen("/etc/ld.so.preload", "wxe"); if (!fp) errExit("fopen"); SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); 
@@ -64,20 +63,16 @@ void fs_tracefile(void) { if (ftruncate(fd, 0) == -1) errExit("ftruncate"); EUID_ROOT(); - FILE *fp = fopen(RUN_TRACE_FILE, "w"); + FILE *fp = fopen(RUN_TRACE_FILE, "we"); if (!fp) errExit("fopen " RUN_TRACE_FILE); fclose(fp); - fs_logger2("touch ", arg_tracefile); + fs_logger2("touch", arg_tracefile); // mount using the symbolic link in /proc/self/fd if (arg_debug) printf("Bind mount %s to %s\n", arg_tracefile, RUN_TRACE_FILE); - char *proc; - if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) - errExit("asprintf"); - if (mount(proc, RUN_TRACE_FILE, NULL, MS_BIND|MS_REC, NULL) < 0) + if (bind_mount_fd_to_path(fd, RUN_TRACE_FILE)) errExit("mount bind " RUN_TRACE_FILE); - free(proc); close(fd); // now that RUN_TRACE_FILE is user-writable, mount it noexec fs_remount(RUN_TRACE_FILE, MOUNT_NOEXEC, 0); @@ -88,7 +83,7 @@ void fs_trace(void) { if (arg_debug) printf("Create the new ld.so.preload file\n"); - FILE *fp = fopen(RUN_LDPRELOAD_FILE, "w"); + FILE *fp = fopen(RUN_LDPRELOAD_FILE, "we"); if (!fp) errExit("fopen"); const char *prefix = RUN_FIREJAIL_LIB_DIR; diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index cafe9fa494a..20e262d80ba 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -127,7 +127,7 @@ void fs_var_log(void) { // create an empty /var/log/wtmp file /* coverity[toctou] */ - FILE *fp = fopen("/var/log/wtmp", "w"); + FILE *fp = fopen("/var/log/wtmp", "wxe"); if (fp) { SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH); fclose(fp); @@ -135,7 +135,7 @@ void fs_var_log(void) { fs_logger("touch /var/log/wtmp"); // create an empty /var/log/btmp file - fp = fopen("/var/log/btmp", "w"); + fp = fopen("/var/log/btmp", "wxe"); if (fp) { SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP); fclose(fp); 
@@ -158,8 +158,7 @@ void fs_var_lib(void) { fs_logger("tmpfs /var/lib/dhcp"); // isc dhcp server requires a /var/lib/dhcp/dhcpd.leases file - FILE *fp = fopen("/var/lib/dhcp/dhcpd.leases", "w"); - + FILE *fp = fopen("/var/lib/dhcp/dhcpd.leases", "wxe"); if (fp) { fprintf(fp, "\n"); SET_PERMS_STREAM(fp, 0, 0, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); @@ -287,7 +286,7 @@ void fs_var_utmp(void) { if (stat(UTMP_FILE, &s) == 0) utmp_group = s.st_gid; else { - fwarning("cannot find /var/run/utmp\n"); + fwarning("cannot find %s\n", UTMP_FILE); return; } @@ -296,7 +295,7 @@ void fs_var_utmp(void) { printf("Create the new utmp file\n"); /* coverity[toctou] */ - FILE *fp = fopen(RUN_UTMP_FILE, "w"); + FILE *fp = fopen(RUN_UTMP_FILE, "we"); if (!fp) errExit("fopen"); @@ -323,5 +322,9 @@ void fs_var_utmp(void) { printf("Mount the new utmp file\n"); if (mount(RUN_UTMP_FILE, UTMP_FILE, NULL, MS_BIND|MS_NOSUID|MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) errExit("mount bind utmp"); - fs_logger("create /var/run/utmp"); + fs_logger2("create", UTMP_FILE); + + // blacklist RUN_UTMP_FILE + if (mount(RUN_RO_FILE, RUN_UTMP_FILE, NULL, MS_BIND, "mode=400,gid=0") < 0) + errExit("mount bind"); } diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 1d75523398b..7afebed1fce 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * 
@@ -16,50 +16,46 @@ * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ + */ #include "firejail.h" #include #include -#include #include #include -#include #include #include #ifndef O_PATH -# define O_PATH 010000000 +#define O_PATH 010000000 #endif +#define TOP_MAX 64 // maximum number of top level directories + // mountinfo functionality test; // 1. enable TEST_MOUNTINFO definition // 2. run firejail --whitelist=/any/directory //#define TEST_MOUNTINFO -#define EMPTY_STRING ("") -static size_t homedir_len; // cache length of homedir string -static size_t runuser_len; // cache length of runuser string -static char *runuser; +static size_t homedir_len = 0; // cache length of homedir string +static size_t runuser_len = 0; // cache length of runuser string +static char *runuser = NULL; -static int mkpath(const char* path, mode_t mode) { - assert(path && *path); - mode |= 0111; - // create directories with uid/gid as root, or as current user if inside home or run/user/$uid directory - int userprivs = 0; - if ((strncmp(path, cfg.homedir, homedir_len) == 0 && path[homedir_len] == '/') || - (strncmp(path, runuser, runuser_len) == 0 && path[runuser_len] == '/')) { - EUID_USER(); - userprivs = 1; - } +static void whitelist_error(const char *path) { + assert(path); + fprintf(stderr, "Error: invalid whitelist path %s\n", path); + exit(1); +} + +static int whitelist_mkpath(const char* path, mode_t mode) { // work on a copy of the path char *dup = strdup(path); if (!dup) errExit("strdup"); - // don't create the last path element + // only create leading directories, don't create the file char *p = strrchr(dup, '/'); assert(p); *p = '\0'; 
@@ -69,10 +65,10 @@ static int mkpath(const char* path, mode_t mode) { errExit("open"); // traverse the path, return -1 if a symlink is encountered - int done = 0; int fd = -1; + int done = 0; char *tok = strtok(dup, "/"); - assert(tok); // path is no top level directory + assert(tok); while (tok) { // create the directory if necessary if (mkdirat(parentfd, tok, mode) == -1) { @@ -81,9 +77,6 @@ static int mkpath(const char* path, mode_t mode) { perror("mkdir"); close(parentfd); free(dup); - if (userprivs) { - EUID_ROOT(); - } return -1; } } @@ -96,9 +89,6 @@ static int mkpath(const char* path, mode_t mode) { perror("open"); close(parentfd); free(dup); - if (userprivs) { - EUID_ROOT(); - } return -1; } // move on to next path segment 
@@ -111,195 +101,96 @@ static int mkpath(const char* path, mode_t mode) { fs_logger2("mkpath", path); free(dup); - if (userprivs) { - EUID_ROOT(); - } return fd; } -static void whitelist_path(ProfileEntry *entry) { - assert(entry); - const char *path = entry->data + 10; - const char *fname; - char *wfile = NULL; - - if (entry->wldir == WLDIR_HOME) { - if (strncmp(path, cfg.homedir, homedir_len) != 0 || path[homedir_len] != '/') - // either symlink pointing outside home directory - // or entire home directory, skip the mount - return; - - fname = path + homedir_len + 1; // strlen("/home/user/") - - if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_HOME_USER_DIR, fname) == -1) - errExit("asprintf"); - } - else if (entry->wldir == WLDIR_TMP) { - fname = path + 5; // strlen("/tmp/") - - if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_TMP_DIR, fname) == -1) - errExit("asprintf"); - } - else if (entry->wldir == WLDIR_MEDIA) { - fname = path + 7; // strlen("/media/") - - if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MEDIA_DIR, fname) == -1) - errExit("asprintf"); - } - else if (entry->wldir == WLDIR_MNT) { - fname = path + 5; // strlen("/mnt/") - - if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MNT_DIR, fname) == -1) - errExit("asprintf"); - } - else if (entry->wldir == WLDIR_VAR) { - if (strncmp(path, "/var/", 5) != 0) - // symlink pointing outside /var, skip the mount - return; - - fname = path + 5; // strlen("/var/") - - if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_VAR_DIR, fname) == -1) - errExit("asprintf"); - } - else if (entry->wldir == WLDIR_DEV) { - if (strncmp(path, "/dev/", 5) != 0) - // symlink pointing outside /dev, skip the mount - return; - - fname = path + 5; // strlen("/dev/") - - if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_DEV_DIR, fname) == -1) - errExit("asprintf"); - } - else if (entry->wldir == WLDIR_OPT) { - fname = path + 5; // strlen("/opt/") - - if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_OPT_DIR, fname) == -1) - errExit("asprintf"); - } - else if (entry->wldir 
== WLDIR_SRV) { - fname = path + 5; // strlen("/srv/") - - if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SRV_DIR, fname) == -1) - errExit("asprintf"); - } - else if (entry->wldir == WLDIR_ETC) { - if (strncmp(path, "/etc/", 5) != 0) - // symlink pointing outside /etc, skip the mount - return; - - fname = path + 5; // strlen("/etc/") - - if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_ETC_DIR, fname) == -1) - errExit("asprintf"); - } - else if (entry->wldir == WLDIR_SHARE) { - fname = path + 11; // strlen("/usr/share/") - - if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SHARE_DIR, fname) == -1) - errExit("asprintf"); - } - else if (entry->wldir == WLDIR_MODULE) { - fname = path + 12; // strlen("/sys/module/") - - if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MODULE_DIR, fname) == -1) - errExit("asprintf"); - } - else if (entry->wldir == WLDIR_RUN) { - fname = path + runuser_len + 1; // strlen("/run/user/$uid/") - - if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_RUN_USER_DIR, fname) == -1) - errExit("asprintf"); - } - assert(wfile); - - if (arg_debug || arg_debug_whitelists) - printf("Whitelisting %s\n", path); - - // confirm again the mount source exists and there is no symlink - struct stat wfilestat; - EUID_USER(); - int fd = safe_fd(wfile, O_PATH|O_NOFOLLOW|O_CLOEXEC); - EUID_ROOT(); +static void whitelist_file(int dirfd, const char *relpath, const char *path) { + EUID_ASSERT(); + assert(relpath && path); + + // open mount source, using a file descriptor that refers to the + // top level directory + // as the top level directory was opened before mounting the tmpfs + // we still have full access to all directory contents + // take care to not follow symbolic links (dirfd was obtained without + // following a link, too) + int fd = safer_openat(dirfd, relpath, O_PATH|O_NOFOLLOW|O_CLOEXEC); if (fd == -1) { if (arg_debug || arg_debug_whitelists) - printf("Debug %d: skip whitelisting of %s\n", __LINE__, path); - free(wfile); + printf("Debug %d: skip whitelist %s\n", __LINE__, 
path); return; } - if (fstat(fd, &wfilestat) == -1) + struct stat s; + if (fstat(fd, &s) == -1) errExit("fstat"); - close(fd); - if (S_ISLNK(wfilestat.st_mode)) { + if (S_ISLNK(s.st_mode)) { if (arg_debug || arg_debug_whitelists) - printf("Debug %d: skip whitelisting of %s\n", __LINE__, path); - free(wfile); + printf("Debug %d: skip whitelist %s\n", __LINE__, path); + close(fd); return; } - // create path of the mount target if necessary - int fd2 = mkpath(path, 0755); + // create mount target as root, except if inside home or run/user/$UID directory + if ((strncmp(path, cfg.homedir, homedir_len) != 0 || path[homedir_len] != '/') && + (strncmp(path, runuser, runuser_len) != 0 || path[runuser_len] != '/')) + EUID_ROOT(); + + // create path of the mount target + int fd2 = whitelist_mkpath(path, 0755); if (fd2 == -1) { // something went wrong during path creation or a symlink was found; // if there is a symlink somewhere in the path of the mount target, // assume the file is whitelisted already if (arg_debug || arg_debug_whitelists) - printf("Debug %d: skip whitelisting of %s\n", __LINE__, path); - free(wfile); + printf("Debug %d: skip whitelist %s\n", __LINE__, path); + close(fd); + EUID_USER(); return; } // get file name of the mount target const char *file = gnu_basename(path); - // create the mount target if necessary and open it, a symlink is rejected + // create mount target itself and open it, a symlink is rejected int fd3 = -1; - if (S_ISDIR(wfilestat.st_mode)) { + if (S_ISDIR(s.st_mode)) { // directory foo can exist already: - // firejail --whitelist=/foo/bar --whitelist=/foo + // firejail --whitelist=~/foo/bar --whitelist=~/foo if (mkdirat(fd2, file, 0755) == -1 && errno != EEXIST) { if (arg_debug || arg_debug_whitelists) { perror("mkdir"); - printf("Debug %d: skip whitelisting of %s\n", __LINE__, path); + printf("Debug %d: skip whitelist %s\n", __LINE__, path); } + close(fd); close(fd2); - free(wfile); + EUID_USER(); return; } fd3 = openat(fd2, file, 
O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); } - else { + else // create an empty file, fails with EEXIST if it is whitelisted already: // firejail --whitelist=/foo --whitelist=/foo/bar fd3 = openat(fd2, file, O_RDONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR|S_IWUSR); - } if (fd3 == -1) { - if (arg_debug || arg_debug_whitelists) { - if (errno != EEXIST) { - perror("open"); - printf("Debug %d: skip whitelisting of %s\n", __LINE__, path); - } + if (errno != EEXIST && (arg_debug || arg_debug_whitelists)) { + perror("open"); + printf("Debug %d: skip whitelist %s\n", __LINE__, path); } + close(fd); close(fd2); - free(wfile); + EUID_USER(); return; } close(fd2); - fs_logger2("whitelist", path); - - // in order to make this mount resilient against symlink attacks, use - // a magic link in /proc/self/fd instead of mounting on path directly - char *proc; - if (asprintf(&proc, "/proc/self/fd/%d", fd3) == -1) - errExit("asprintf"); - if (mount(wfile, proc, NULL, MS_BIND|MS_REC, NULL) < 0) + if (arg_debug || arg_debug_whitelists) + printf("Whitelisting %s\n", path); + EUID_ROOT(); + if (bind_mount_by_fd(fd, fd3)) errExit("mount bind"); - free(proc); - close(fd3); - + EUID_USER(); // check the last mount operation MountData *mptr = get_last_mount(); // will do exit(1) if the mount cannot be found #ifdef TEST_MOUNTINFO 
@@ -316,37 +207,47 @@ static void whitelist_path(ProfileEntry *entry) { // - there should be more than one '/' char in dest string if (mptr->dir == strrchr(mptr->dir, '/')) errLogExit("invalid whitelist mount"); - // confirm the right file was mounted by comparing device and inode numbers - int fd4 = safe_fd(path, O_PATH|O_NOFOLLOW|O_CLOEXEC); - if (fd4 == -1) - errExit("safe_fd"); - struct stat s; - if (fstat(fd4, &s) == -1) - errExit("fstat"); - if (s.st_dev != wfilestat.st_dev || s.st_ino != wfilestat.st_ino) - errLogExit("invalid whitelist mount"); - close(fd4); - - free(wfile); - return; + close(fd); + close(fd3); + fs_logger2("whitelist", path); } -static void whitelist_home(int topdir) { - ProfileEntry entry; - memset(&entry, 0, sizeof(entry)); - char *cmd; - if (asprintf(&cmd, "whitelist %s", cfg.homedir) == -1) - errExit("asprintf"); - entry.data = cmd; - entry.wldir = topdir; - // creates path owned by root, except homedir is inside /run/user/$uid - // does nothing if homedir does not exist - whitelist_path(&entry); - free(cmd); -} +static void whitelist_symlink(const char *link, const char *target) { + EUID_ASSERT(); + assert(link && target); + + // create files as root, except if inside home or run/user/$UID directory + if ((strncmp(link, cfg.homedir, homedir_len) != 0 || link[homedir_len] != '/') && + (strncmp(link, runuser, runuser_len) != 0 || link[runuser_len] != '/')) + EUID_ROOT(); + + int fd = whitelist_mkpath(link, 0755); + if (fd == -1) { + if (arg_debug || arg_debug_whitelists) + printf("Debug %d: cannot create symbolic link %s\n", __LINE__, link); + EUID_USER(); + return; + } + // get file name of symlink + const char *file = gnu_basename(link); + + // create the link + if (symlinkat(target, fd, file) == -1) { + if (arg_debug || arg_debug_whitelists) { + perror("symlink"); + printf("Debug %d: cannot create symbolic link %s\n", __LINE__, link); + } + } + else if (arg_debug || arg_debug_whitelists) + printf("Created symbolic link %s -> %s\n", 
link, target); + + close(fd); + EUID_USER(); +} static void globbing(const char *pattern) { + EUID_ASSERT(); assert(pattern); // globbing @@ -363,6 +264,11 @@ static void globbing(const char *pattern) { // testing for GLOB_NOCHECK - no pattern matched returns the original pattern if (strcmp(globbuf.gl_pathv[i], pattern) == 0) continue; + // foo/* expands to foo/. and foo/.. + const char *base = gnu_basename(globbuf.gl_pathv[i]); + if (strcmp(base, ".") == 0 || + strcmp(base, "..") == 0) + continue; // build the new profile command char *newcmd; 
@@ -378,8 +284,231 @@ static void globbing(const char *pattern) { globfree(&globbuf); } +// mount tmpfs on all top level directories +static void tmpfs_topdirs(const TopDir *topdirs) { + int tmpfs_home = 0; + int tmpfs_runuser = 0; + + int i; + for (i = 0; i < TOP_MAX && topdirs[i].path; i++) { + // do nested top level directories last + // this way '--whitelist=nested_top_level_dir' + // yields the full, unmodified directory + // instead of the tmpfs + if (strcmp(topdirs[i].path, cfg.homedir) == 0) { + tmpfs_home = 1; + continue; + } + if (strcmp(topdirs[i].path, runuser) == 0) { + tmpfs_runuser = 1; + continue; + } + + // special case /run + // open /run/firejail, so it can be restored right after mounting the tmpfs + int fd = -1; + if (strcmp(topdirs[i].path, "/run") == 0) { + fd = open(RUN_FIREJAIL_DIR, O_PATH|O_CLOEXEC); + if (fd == -1) + errExit("open"); + } + + // mount tmpfs + fs_tmpfs(topdirs[i].path, 0); + selinux_relabel_path(topdirs[i].path, topdirs[i].path); + + // init tmpfs + if (strcmp(topdirs[i].path, "/run") == 0) { + // restore /run/firejail directory + EUID_ROOT(); + mkdir_attr(RUN_FIREJAIL_DIR, 0755, 0, 0); + if (bind_mount_fd_to_path(fd, RUN_FIREJAIL_DIR)) + errExit("mount bind"); + EUID_USER(); + close(fd); + fs_logger2("whitelist", RUN_FIREJAIL_DIR); + + // restore /run/user/$UID directory + // get path relative to /run + const char *rel = runuser + 5; + whitelist_file(topdirs[i].fd, rel, runuser); + } + else if (strcmp(topdirs[i].path, "/tmp") == 0) { + // fix pam-tmpdir (#2685) + const char *env = env_get("TMP"); + if (env) { + char *pamtmpdir; + if (asprintf(&pamtmpdir, "/tmp/user/%u", getuid()) == -1) + errExit("asprintf"); + if (strcmp(env, pamtmpdir) == 0) { + // create empty user-owned /tmp/user/$UID directory + EUID_ROOT(); + mkdir_attr("/tmp/user", 0711, 0, 0); + selinux_relabel_path("/tmp/user", "/tmp/user"); + fs_logger("mkdir /tmp/user"); + mkdir_attr(pamtmpdir, 0700, getuid(), 0); + selinux_relabel_path(pamtmpdir, pamtmpdir); + 
fs_logger2("mkdir", pamtmpdir); + EUID_USER(); + } + free(pamtmpdir); + } + } + + // restore user home directory if it is masked by the tmpfs + // creates path owned by root + // does nothing if user home directory doesn't exist + size_t topdir_len = strlen(topdirs[i].path); + if (strncmp(topdirs[i].path, cfg.homedir, topdir_len) == 0 && cfg.homedir[topdir_len] == '/') { + // get path relative to top level directory + const char *rel = cfg.homedir + topdir_len + 1; + whitelist_file(topdirs[i].fd, rel, cfg.homedir); + } + } + + // user home directory + if (tmpfs_home) + fs_private(); // checks owner if outside /home + + // /run/user/$UID directory + if (tmpfs_runuser) { + fs_tmpfs(runuser, 0); + selinux_relabel_path(runuser, runuser); + } +} + +static int reject_topdir(const char *dir) { + if (!whitelist_reject_topdirs) + return 0; + + size_t i; + for (i = 0; whitelist_reject_topdirs[i]; i++) { + if (strcmp(dir, whitelist_reject_topdirs[i]) == 0) + return 1; + } + return 0; +} + +// keep track of whitelist top level directories by adding them to an array +// open each directory +static TopDir *add_topdir(const char *dir, TopDir *topdirs, const char *path) { + EUID_ASSERT(); + assert(dir && path); + + // /proc and /sys are not allowed + if (strcmp(dir, "/") == 0 || + strcmp(dir, "/proc") == 0 || + strcmp(dir, "/sys") == 0) + whitelist_error(path); + + // whitelisting home directory is disabled if --private option is present + if (arg_private && strcmp(dir, cfg.homedir) == 0) { + if (arg_debug || arg_debug_whitelists) + printf("Debug %d: skip %s - a private home dir is configured!\n", __LINE__, path); + return NULL; + } + + // do nothing if directory doesn't exist + struct stat s; + if (lstat(dir, &s) != 0) { + if (arg_debug || arg_debug_whitelists) + printf("Cannot access whitelist top level directory %s: %s\n", dir, strerror(errno)); + return NULL; + } + // do nothing if directory is a link + if (!S_ISDIR(s.st_mode)) { + if (S_ISLNK(s.st_mode)) { + 
fwarning("skipping whitelist %s because %s is a symbolic link\n", path, dir); + return NULL; + } + whitelist_error(path); + } + // do nothing if directory is disabled by administrator + if (reject_topdir(dir)) { + fmessage("Whitelist top level directory %s is disabled in Firejail configuration file\n", dir); + return NULL; + } + + // add directory to array + if (arg_debug || arg_debug_whitelists) + printf("Adding whitelist top level directory %s\n", dir); + static int cnt = 0; + if (cnt >= TOP_MAX) { + fprintf(stderr, "Error: too many whitelist top level directories\n"); + exit(1); + } + TopDir *rv = topdirs + cnt; + cnt++; + + rv->path = strdup(dir); + if (!rv->path) + errExit("strdup"); + + // open the directory, don't follow symbolic links + rv->fd = safer_openat(-1, dir, O_PATH|O_NOFOLLOW|O_DIRECTORY|O_CLOEXEC); + if (rv->fd == -1) { + fprintf(stderr, "Error: cannot open %s\n", dir); + exit(1); + } + + return rv; +} + +static TopDir *have_topdir(const char *dir, TopDir *topdirs) { + assert(dir); + + int i; + for (i = 0; i < TOP_MAX; i++) { + TopDir *rv = topdirs + i; + if (!rv->path) + break; + if (strcmp(dir, rv->path) == 0) + return rv; + } + return NULL; +} + +static char *extract_topdir(const char *path) { + assert(path); + + char *dup = strdup(path); + if (!dup) + errExit("strdup"); + + // user home directory can be anywhere; disconnect user home + // whitelisting from top level directory whitelisting + // by treating user home as separate whitelist top level directory + if (strncmp(dup, cfg.homedir, homedir_len) == 0 && dup[homedir_len] == '/') + dup[homedir_len] = '\0'; + // /run/user/$UID is treated as top level directory + else if (strncmp(dup, runuser, runuser_len) == 0 && dup[runuser_len] == '/') + dup[runuser_len] = '\0'; + // whitelisting in /sys is not allowed, but /sys/module is an exception + // and is treated as top level directory here + else if (strncmp(dup, "/sys/module", 11) == 0 && dup[11] == '/') + dup[11] = '\0'; + // treat /usr 
subdirectories as top level directories + else if (strncmp(dup, "/usr/", 5) == 0) { + char *p = strchr(dup+5, '/'); + if (!p) + whitelist_error(path); + *p = '\0'; + } + // all other top level directories + else { + assert(dup[0] == '/'); + char *p = strchr(dup+1, '/'); + if (!p) + whitelist_error(path); + *p = '\0'; + } + + return dup; +} void fs_whitelist(void) { + EUID_ASSERT(); + ProfileEntry *entry = cfg.profile; if (!entry) return; @@ -389,29 +518,17 @@ void fs_whitelist(void) { runuser_len = strlen(runuser); homedir_len = strlen(cfg.homedir); - char *new_name = NULL; - int home_dir = 0; // /home/user directory flag - int tmp_dir = 0; // /tmp directory flag - int media_dir = 0; // /media directory flag - int mnt_dir = 0; // /mnt directory flag - int var_dir = 0; // /var directory flag - int dev_dir = 0; // /dev directory flag - int opt_dir = 0; // /opt directory flag - int srv_dir = 0; // /srv directory flag - int etc_dir = 0; // /etc directory flag - int share_dir = 0; // /usr/share directory flag - int module_dir = 0; // /sys/module directory flag - int run_dir = 0; // /run/user/$uid directory flag - size_t nowhitelist_c = 0; size_t nowhitelist_m = 32; char **nowhitelist = calloc(nowhitelist_m, sizeof(*nowhitelist)); if (nowhitelist == NULL) - errExit("failed allocating memory for nowhitelist entries"); + errExit("calloc"); + + TopDir *topdirs = calloc(TOP_MAX, sizeof(*topdirs)); + if (topdirs == NULL) + errExit("calloc"); // verify whitelist files, extract symbolic links, etc. - EUID_USER(); - struct stat s; while (entry) { int nowhitelist_flag = 0; 
@@ -424,48 +541,73 @@ void fs_whitelist(void) { entry = entry->next; continue; } - char *dataptr = (nowhitelist_flag)? entry->data + 12: entry->data + 10; - - // replace ~/ or ${HOME} into /home/username or resolve macro - new_name = expand_macros(dataptr); - assert(new_name); - - // mount empty home directory if resolving the macro was not successful - if (is_macro(new_name) && macro_id(new_name) > -1) { - // no warning if home does not exist (e.g. in a chroot) - if (stat(cfg.homedir, &s) == 0 && !nowhitelist_flag && !arg_private) { - home_dir = 1; - if (!arg_quiet) { - fprintf(stderr, "***\n"); - fprintf(stderr, "*** Warning: cannot whitelist %s directory\n", new_name); - fprintf(stderr, "*** Any file saved in this directory will be lost when the sandbox is closed.\n"); - fprintf(stderr, "***\n"); - } + if (arg_debug || arg_debug_whitelists) + printf("Debug %d: %s\n", __LINE__, entry->data); + + const char *dataptr = (nowhitelist_flag)? entry->data + 12: entry->data + 10; + + // replace ~ into /home/username or resolve macro + char *expanded = expand_macros(dataptr); + + // check if respolving the macro was successful + if (is_macro(expanded) && macro_id(expanded) > -1) { + if (!nowhitelist_flag && (have_topdir(cfg.homedir, topdirs) || add_topdir(cfg.homedir, topdirs, expanded)) && !arg_quiet) { + fprintf(stderr, "***\n"); + fprintf(stderr, "*** Warning: cannot whitelist %s directory\n", expanded); + fprintf(stderr, "*** Any file saved in this directory will be lost when the sandbox is closed.\n"); + fprintf(stderr, "***\n"); } - entry->data = EMPTY_STRING; entry = entry->next; - free(new_name); + free(expanded); continue; } - // remove trailing slashes and single dots - if (!nowhitelist_flag) - trim_trailing_slash_or_dot(new_name); + if (arg_debug || arg_debug_whitelists) + printf("Debug %d: expanded: %s\n", __LINE__, expanded); + + // path should be absolute at this point + if (expanded[0] != '/') + whitelist_error(expanded); + + // sane pathname + char 
*new_name = clean_pathname(expanded); + free(expanded); if (arg_debug || arg_debug_whitelists) - fprintf(stderr, "Debug %d: new_name #%s#, %s\n", __LINE__, new_name, (nowhitelist_flag)? "nowhitelist": "whitelist"); + printf("Debug %d: new_name: %s\n", __LINE__, new_name); + + if (strstr(new_name, "..")) + whitelist_error(new_name); - // valid path referenced to filesystem root - if (*new_name != '/') { + // /run/firejail is not allowed + if (strncmp(new_name, RUN_FIREJAIL_DIR, strlen(RUN_FIREJAIL_DIR)) == 0) + whitelist_error(new_name); + + TopDir *current_top = NULL; + if (!nowhitelist_flag) { + // extract whitelist top level directory + char *dir = extract_topdir(new_name); if (arg_debug || arg_debug_whitelists) - fprintf(stderr, "Debug %d: \n", __LINE__); - goto errexit; + printf("Debug %d: dir: %s\n", __LINE__, dir); + + // check if this top level directory has been processed already + current_top = have_topdir(dir, topdirs); + if (!current_top) { // got new top level directory + current_top = add_topdir(dir, topdirs, new_name); + if (!current_top) { // skip this command, top level directory not valid + entry = entry->next; + free(new_name); + free(dir); + continue; + } + } + free(dir); } - // extract the absolute path of the file + // extract resolved path of the file // realpath function will fail with ENOENT if the file is not found or with EACCES if user has no permission // special processing for /dev/fd, /dev/stdin, /dev/stdout and /dev/stderr - char *fname; + char *fname = NULL; if (strcmp(new_name, "/dev/fd") == 0) fname = strdup("/proc/self/fd"); else if (strcmp(new_name, "/dev/stdin") == 0) 
@@ -477,60 +619,30 @@ void fs_whitelist(void) { else fname = realpath(new_name, NULL); - // if this is not a real path, let's try globbing - // mark this entry as EMPTY_STRING and push the new paths at the end of profile entry list - // the new profile entries will be processed in this loop - // currently there is no globbing support for nowhitelist - if (!fname && !nowhitelist_flag) - globbing(new_name); - if (!fname) { - // file not found, blank the entry in the list and continue if (arg_debug || arg_debug_whitelists) { - printf("Removed whitelist/nowhitelist path: %s\n", entry->data); - printf("\texpanded: %s\n", new_name); - printf("\treal path: (null)\n"); - printf("\t");fflush(0); - perror("realpath"); + printf("Removed path: %s\n", entry->data); + printf("\tnew_name: %s\n", new_name); + printf("\trealpath: (null)\n"); + printf("\t%s\n", strerror(errno)); } - // if 1 the file was not found; mount an empty directory if (!nowhitelist_flag) { - if (strncmp(new_name, cfg.homedir, homedir_len) == 0 && new_name[homedir_len] == '/') { - if(!arg_private) - home_dir = 1; - } - else if (strncmp(new_name, "/tmp/", 5) == 0) - tmp_dir = 1; - else if (strncmp(new_name, "/media/", 7) == 0) - media_dir = 1; - else if (strncmp(new_name, "/mnt/", 5) == 0) - mnt_dir = 1; - else if (strncmp(new_name, "/var/", 5) == 0) - var_dir = 1; - else if (strncmp(new_name, "/dev/", 5) == 0) - dev_dir = 1; - else if (strncmp(new_name, "/opt/", 5) == 0) - opt_dir = 1; - else if (strncmp(new_name, "/srv/", 5) == 0) - srv_dir = 1; - else if (strncmp(new_name, "/etc/", 5) == 0) - etc_dir = 1; - else if (strncmp(new_name, "/usr/share/", 11) == 0) - share_dir = 1; - else if (strncmp(new_name, "/sys/module/", 12) == 0) - module_dir = 1; - else if (strncmp(new_name, runuser, runuser_len) == 0 && new_name[runuser_len] == '/') - run_dir = 1; + // if this is not a real path, let's try globbing + // push the new paths at the end of profile entry list + // the new profile entries will be processed in 
this loop + // currently there is no globbing support for nowhitelist + globbing(new_name); } - entry->data = EMPTY_STRING; entry = entry->next; free(new_name); continue; } - else if (arg_debug_whitelists) - printf("real path %s\n", fname); + + // /run/firejail is not allowed + if (strncmp(fname, RUN_FIREJAIL_DIR, strlen(RUN_FIREJAIL_DIR)) == 0) + whitelist_error(fname); if (nowhitelist_flag) { // store the path in nowhitelist array 
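Review bot: in the realpath-failure branch, `printf("\t%s\n", strerror(errno));` reads errno only after three other printf calls, and printf may modify errno even on success, so the reported reason is not guaranteed to be the one realpath produced; save it right after the call (`int err = errno;`) and print `strerror(err)`. The old `perror("realpath")` had the same weakness, so this is the moment to fix it.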
@@ -544,175 +656,12 @@ void fs_whitelist(void) { errExit("failed increasing memory for nowhitelist entries"); } nowhitelist[nowhitelist_c++] = fname; - entry->data = EMPTY_STRING; entry = entry->next; free(new_name); continue; } - - // check for supported directories - if (strncmp(new_name, cfg.homedir, homedir_len) == 0 && new_name[homedir_len] == '/') { - // whitelisting home directory is disabled if --private option is present - if (arg_private) { - if (arg_debug || arg_debug_whitelists) - printf("\"%s\" disabled by --private\n", entry->data); - - entry->data = EMPTY_STRING; - entry = entry->next; - free(fname); - free(new_name); - continue; - } - - entry->wldir = WLDIR_HOME; - home_dir = 1; - if (arg_debug || arg_debug_whitelists) - fprintf(stderr, "Debug %d: fname #%s#, cfg.homedir #%s#\n", - __LINE__, fname, cfg.homedir); - - // both path and absolute path are in user home, - // if not check if the symlink destination is owned by the user - if (strncmp(fname, cfg.homedir, homedir_len) != 0 || fname[homedir_len] != '/') { - if (checkcfg(CFG_FOLLOW_SYMLINK_AS_USER)) { - if (stat(fname, &s) == 0 && s.st_uid != getuid()) { - free(fname); - goto errexit; - } - } - } - } - else if (strncmp(new_name, "/tmp/", 5) == 0) { - entry->wldir = WLDIR_TMP; - tmp_dir = 1; - - // both path and absolute path are under /tmp - if (strncmp(fname, "/tmp/", 5) != 0) { - free(fname); - goto errexit; - } - } - else if (strncmp(new_name, "/media/", 7) == 0) { - entry->wldir = WLDIR_MEDIA; - media_dir = 1; - // both path and absolute path are under /media - if (strncmp(fname, "/media/", 7) != 0) { - free(fname); - goto errexit; - } - } - else if (strncmp(new_name, "/mnt/", 5) == 0) { - entry->wldir = WLDIR_MNT; - mnt_dir = 1; - // both path and absolute path are under /mnt - if (strncmp(fname, "/mnt/", 5) != 0) { - free(fname); - goto errexit; - } - } - else if (strncmp(new_name, "/var/", 5) == 0) { - entry->wldir = WLDIR_VAR; - var_dir = 1; - // both path and absolute path are under 
/var - // exceptions: /var/tmp, /var/run and /var/lock - if (strcmp(new_name, "/var/run")== 0 && strcmp(fname, "/run") == 0); - else if (strcmp(new_name, "/var/lock")== 0 && strcmp(fname, "/run/lock") == 0); - else if (strcmp(new_name, "/var/tmp")== 0 && strcmp(fname, "/tmp") == 0); - else { - // both path and absolute path are under /var - if (strncmp(fname, "/var/", 5) != 0) { - free(fname); - goto errexit; - } - } - } - else if (strncmp(new_name, "/dev/", 5) == 0) { - entry->wldir = WLDIR_DEV; - dev_dir = 1; - // special handling for /dev/shm - // on some platforms (Debian wheezy, Ubuntu 14.04), it is a symlink to /run/shm - if (strcmp(new_name, "/dev/shm") == 0 && strcmp(fname, "/run/shm") == 0); - // special handling for /dev/log, which can be a symlink to /run/systemd/journal/dev-log - else if (strcmp(new_name, "/dev/log") == 0 && strcmp(fname, "/run/systemd/journal/dev-log") == 0); - // special processing for /proc/self/fd files - else if (strcmp(new_name, "/dev/fd") == 0 && strcmp(fname, "/proc/self/fd") == 0); - else if (strcmp(new_name, "/dev/stdin") == 0 && strcmp(fname, "/proc/self/fd/0") == 0); - else if (strcmp(new_name, "/dev/stdout") == 0 && strcmp(fname, "/proc/self/fd/1") == 0); - else if (strcmp(new_name, "/dev/stderr") == 0 && strcmp(fname, "/proc/self/fd/2") == 0); - else { - // both path and absolute path are under /dev - if (strncmp(fname, "/dev/", 5) != 0) { - free(fname); - goto errexit; - } - } - } - else if (strncmp(new_name, "/opt/", 5) == 0) { - entry->wldir = WLDIR_OPT; - opt_dir = 1; - // both path and absolute path are under /dev - if (strncmp(fname, "/opt/", 5) != 0) { - free(fname); - goto errexit; - } - } - else if (strncmp(new_name, "/srv/", 5) == 0) { - entry->wldir = WLDIR_SRV; - srv_dir = 1; - // both path and absolute path are under /srv - if (strncmp(fname, "/srv/", 5) != 0) { - free(fname); - goto errexit; - } - } - else if (strncmp(new_name, "/etc/", 5) == 0) { - entry->wldir = WLDIR_ETC; - etc_dir = 1; - // special 
handling for some of the symlinks - if (strcmp(new_name, "/etc/localtime") == 0); - else if (strcmp(new_name, "/etc/mtab") == 0); - else if (strcmp(new_name, "/etc/os-release") == 0); - // both path and absolute path are under /etc - else { - if (strncmp(fname, "/etc/", 5) != 0) { - free(fname); - goto errexit; - } - } - } - else if (strncmp(new_name, "/usr/share/", 11) == 0) { - entry->wldir = WLDIR_SHARE; - share_dir = 1; - // both path and absolute path are under /etc - if (strncmp(fname, "/usr/share/", 11) != 0) { - free(fname); - goto errexit; - } - } - else if (strncmp(new_name, "/sys/module/", 12) == 0) { - entry->wldir = WLDIR_MODULE; - module_dir = 1; - // both path and absolute path are under /sys/module - if (strncmp(fname, "/sys/module/", 12) != 0) { - free(fname); - goto errexit; - } - } - else if (strncmp(new_name, runuser, runuser_len) == 0 && new_name[runuser_len] == '/') { - entry->wldir = WLDIR_RUN; - run_dir = 1; - // both path and absolute path are under /run/user/$uid - if (strncmp(fname, runuser, runuser_len) != 0 || fname[runuser_len] != '/') { - free(fname); - goto errexit; - } - } else { - free(fname); - goto errexit; - } - - // check if the path is in nowhitelist array - if (nowhitelist_flag == 0) { + // check if the path is in nowhitelist array size_t i; int found = 0; for (i = 0; i < nowhitelist_c; i++) { 
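Review bot: this hunk deletes the `CFG_FOLLOW_SYMLINK_AS_USER` handling (the `stat(fname, &s) == 0 && s.st_uid != getuid()` test for a home-directory symlink that resolves outside the home) along with the per-directory containment checks, and nothing in the visible diff reinstates an owner check; the later `strncmp(file, topdir, topdir_len)` comparison only verifies that the resolved file stays under the same top-level directory. Either confirm that `add_topdir`/`whitelist_file` now covers that case or keep the check, and call out the behaviour change in the commit message.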
@@ -726,494 +675,79 @@ void fs_whitelist(void) { if (found) { if (arg_debug || arg_debug_whitelists) printf("Skip nowhitelisted path %s\n", fname); - entry->data = EMPTY_STRING; entry = entry->next; - free(fname); free(new_name); + free(fname); continue; } } - // mark symbolic links + // attach whitelist parameters to profile entry + entry->wparam = calloc(1, sizeof(struct wparam_t)); + if (!entry->wparam) + errExit("calloc"); + + assert(current_top); + entry->wparam->top = current_top; + entry->wparam->file = fname; + + // mark link if (is_link(new_name)) - entry->link = new_name; - else { + entry->wparam->link = new_name; + else free(new_name); - entry->link = NULL; - } - // change file name in entry->data - if (strcmp(fname, entry->data + 10) != 0) { - char *newdata; - if (asprintf(&newdata, "whitelist %s", fname) == -1) - errExit("asprintf"); - entry->data = newdata; - if (arg_debug || arg_debug_whitelists) - printf("Replaced whitelist path: %s\n", entry->data); - } - free(fname); entry = entry->next; } // release nowhitelist memory - assert(nowhitelist); free(nowhitelist); - EUID_ROOT(); - // /tmp mountpoint - if (tmp_dir) { - // check if /tmp directory exists - if (stat("/tmp", &s) == 0) { - // keep a copy of real /tmp directory in RUN_WHITELIST_TMP_DIR - mkdir_attr(RUN_WHITELIST_TMP_DIR, 1777, 0, 0); - if (mount("/tmp", RUN_WHITELIST_TMP_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); - - // mount tmpfs on /tmp - if (arg_debug || arg_debug_whitelists) - printf("Mounting tmpfs on /tmp directory\n"); - if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=1777,gid=0") < 0) - errExit("mounting tmpfs on /tmp"); - selinux_relabel_path("/tmp", "/tmp"); - fs_logger("tmpfs /tmp"); - - // pam-tmpdir - issue #2685 - char *env = getenv("TMP"); - if (env) { - char *pamtmpdir; - if (asprintf(&pamtmpdir, "/tmp/user/%u", getuid()) == -1) - errExit("asprintf"); - if (strcmp(env, pamtmpdir) == 0) { - // create empty user-owned /tmp/user/$uid 
directory - mkdir_attr("/tmp/user", 0711, 0, 0); - selinux_relabel_path("/tmp/user", "/tmp/user"); - fs_logger("mkdir /tmp/user"); - mkdir_attr(pamtmpdir, 0700, getuid(), 0); - selinux_relabel_path(pamtmpdir, pamtmpdir); - fs_logger2("mkdir", pamtmpdir); - } - free(pamtmpdir); - } - - // autowhitelist home directory if it is masked by the tmpfs - if (strncmp(cfg.homedir, "/tmp/", 5) == 0) - whitelist_home(WLDIR_TMP); - } - else - tmp_dir = 0; - } - - // /media mountpoint - if (media_dir) { - // some distros don't have a /media directory - if (stat("/media", &s) == 0) { - // keep a copy of real /media directory in RUN_WHITELIST_MEDIA_DIR - mkdir_attr(RUN_WHITELIST_MEDIA_DIR, 0755, 0, 0); - if (mount("/media", RUN_WHITELIST_MEDIA_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); - - // mount tmpfs on /media - if (arg_debug || arg_debug_whitelists) - printf("Mounting tmpfs on /media directory\n"); - if (mount("tmpfs", "/media", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mounting tmpfs on /media"); - selinux_relabel_path("/media", "/media"); - fs_logger("tmpfs /media"); - - // autowhitelist home directory if it is masked by the tmpfs - if (strncmp(cfg.homedir, "/media/", 7) == 0) - whitelist_home(WLDIR_MEDIA); - } - else - media_dir = 0; - } - - // /mnt mountpoint - if (mnt_dir) { - // check if /mnt directory exists - if (stat("/mnt", &s) == 0) { - // keep a copy of real /mnt directory in RUN_WHITELIST_MNT_DIR - mkdir_attr(RUN_WHITELIST_MNT_DIR, 0755, 0, 0); - if (mount("/mnt", RUN_WHITELIST_MNT_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); - - // mount tmpfs on /mnt - if (arg_debug || arg_debug_whitelists) - printf("Mounting tmpfs on /mnt directory\n"); - if (mount("tmpfs", "/mnt", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mounting tmpfs on /mnt"); - selinux_relabel_path("/mnt", "/mnt"); - fs_logger("tmpfs /mnt"); - - // autowhitelist home directory if it is masked by the tmpfs - if 
(strncmp(cfg.homedir, "/mnt/", 5) == 0) - whitelist_home(WLDIR_MNT); - } - else - mnt_dir = 0; - } - - // /var mountpoint - if (var_dir) { - // check if /var directory exists - if (stat("/var", &s) == 0) { - // keep a copy of real /var directory in RUN_WHITELIST_VAR_DIR - mkdir_attr(RUN_WHITELIST_VAR_DIR, 0755, 0, 0); - if (mount("/var", RUN_WHITELIST_VAR_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); - - // mount tmpfs on /var - if (arg_debug || arg_debug_whitelists) - printf("Mounting tmpfs on /var directory\n"); - if (mount("tmpfs", "/var", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mounting tmpfs on /var"); - selinux_relabel_path("/var", "/var"); - fs_logger("tmpfs /var"); - - // autowhitelist home directory if it is masked by the tmpfs - if (strncmp(cfg.homedir, "/var/", 5) == 0) - whitelist_home(WLDIR_VAR); - } - else - var_dir = 0; - } - - // /dev mountpoint - if (dev_dir) { - // check if /dev directory exists - if (stat("/dev", &s) == 0) { - // keep a copy of real /dev directory in RUN_WHITELIST_DEV_DIR - mkdir_attr(RUN_WHITELIST_DEV_DIR, 0755, 0, 0); - if (mount("/dev", RUN_WHITELIST_DEV_DIR, NULL, MS_BIND|MS_REC, "mode=755,gid=0") < 0) - errExit("mount bind"); - - // mount tmpfs on /dev - if (arg_debug || arg_debug_whitelists) - printf("Mounting tmpfs on /dev directory\n"); - if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mounting tmpfs on /dev"); - selinux_relabel_path("/dev", "/dev"); - fs_logger("tmpfs /dev"); - - // autowhitelist home directory if it is masked by the tmpfs - if (strncmp(cfg.homedir, "/dev/", 5) == 0) - whitelist_home(WLDIR_DEV); - } - else - dev_dir = 0; - } - - // /opt mountpoint - if (opt_dir) { - // check if /opt directory exists - if (stat("/opt", &s) == 0) { - // keep a copy of real /opt directory in RUN_WHITELIST_OPT_DIR - mkdir_attr(RUN_WHITELIST_OPT_DIR, 0755, 0, 0); - if (mount("/opt", RUN_WHITELIST_OPT_DIR, NULL, MS_BIND|MS_REC, 
NULL) < 0) - errExit("mount bind"); - - // mount tmpfs on /opt - if (arg_debug || arg_debug_whitelists) - printf("Mounting tmpfs on /opt directory\n"); - if (mount("tmpfs", "/opt", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mounting tmpfs on /opt"); - selinux_relabel_path("/opt", "/opt"); - fs_logger("tmpfs /opt"); - - // autowhitelist home directory if it is masked by the tmpfs - if (strncmp(cfg.homedir, "/opt/", 5) == 0) - whitelist_home(WLDIR_OPT); - } - else - opt_dir = 0; - } - - // /srv mountpoint - if (srv_dir) { - // check if /srv directory exists - if (stat("/srv", &s) == 0) { - // keep a copy of real /srv directory in RUN_WHITELIST_SRV_DIR - mkdir_attr(RUN_WHITELIST_SRV_DIR, 0755, 0, 0); - if (mount("/srv", RUN_WHITELIST_SRV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); - - // mount tmpfs on /srv - if (arg_debug || arg_debug_whitelists) - printf("Mounting tmpfs on /srv directory\n"); - if (mount("tmpfs", "/srv", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mounting tmpfs on /srv"); - selinux_relabel_path("/srv", "/srv"); - fs_logger("tmpfs /srv"); - - // autowhitelist home directory if it is masked by the tmpfs - if (strncmp(cfg.homedir, "/srv/", 5) == 0) - whitelist_home(WLDIR_SRV); - } - else - srv_dir = 0; - } - - // /etc mountpoint - if (etc_dir) { - // check if /etc directory exists - if (stat("/etc", &s) == 0) { - // keep a copy of real /etc directory in RUN_WHITELIST_ETC_DIR - mkdir_attr(RUN_WHITELIST_ETC_DIR, 0755, 0, 0); - if (mount("/etc", RUN_WHITELIST_ETC_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); - - // mount tmpfs on /etc - if (arg_debug || arg_debug_whitelists) - printf("Mounting tmpfs on /etc directory\n"); - if (mount("tmpfs", "/etc", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mounting tmpfs on /etc"); - selinux_relabel_path("/etc", "/etc"); - fs_logger("tmpfs /etc"); - - // autowhitelist home directory if it is masked by 
the tmpfs - if (strncmp(cfg.homedir, "/etc/", 5) == 0) - whitelist_home(WLDIR_ETC); - } - else - etc_dir = 0; - } - - // /usr/share mountpoint - if (share_dir) { - // check if /usr/share directory exists - if (stat("/usr/share", &s) == 0) { - // keep a copy of real /usr/share directory in RUN_WHITELIST_ETC_DIR - mkdir_attr(RUN_WHITELIST_SHARE_DIR, 0755, 0, 0); - if (mount("/usr/share", RUN_WHITELIST_SHARE_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); - - // mount tmpfs on /srv - if (arg_debug || arg_debug_whitelists) - printf("Mounting tmpfs on /usr/share directory\n"); - if (mount("tmpfs", "/usr/share", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mounting tmpfs on /usr/share"); - selinux_relabel_path("/usr/share", "/usr/share"); - fs_logger("tmpfs /usr/share"); - - // autowhitelist home directory if it is masked by the tmpfs - if (strncmp(cfg.homedir, "/usr/share/", 11) == 0) - whitelist_home(WLDIR_SHARE); - } - else - share_dir = 0; - } - - // /sys/module mountpoint - if (module_dir) { - // check if /sys/module directory exists - if (stat("/sys/module", &s) == 0) { - // keep a copy of real /sys/module directory in RUN_WHITELIST_MODULE_DIR - mkdir_attr(RUN_WHITELIST_MODULE_DIR, 0755, 0, 0); - if (mount("/sys/module", RUN_WHITELIST_MODULE_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); - - // mount tmpfs on /sys/module - if (arg_debug || arg_debug_whitelists) - printf("Mounting tmpfs on /sys/module directory\n"); - if (mount("tmpfs", "/sys/module", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mounting tmpfs on /sys/module"); - selinux_relabel_path("/sys/module", "/sys/module"); - fs_logger("tmpfs /sys/module"); - } - else - module_dir = 0; - } - - // /run/user/$uid mountpoint - if (run_dir) { - // check if /run/user/$uid directory exists - if (stat(runuser, &s) == 0) { - // keep a copy of real /run/user/$uid directory in RUN_WHITELIST_RUN_USER_DIR - 
mkdir_attr(RUN_WHITELIST_RUN_USER_DIR, 0700, getuid(), getgid()); - if (mount(runuser, RUN_WHITELIST_RUN_USER_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); - - // mount tmpfs on /run/user/$uid - if (arg_debug || arg_debug_whitelists) - printf("Mounting tmpfs on %s directory\n", runuser); - char *options; - if (asprintf(&options, "mode=700,uid=%u,gid=%u", getuid(), getgid()) == -1) - errExit("asprintf"); - if (mount("tmpfs", runuser, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, options) < 0) - errExit("mounting tmpfs on /run/user/"); - selinux_relabel_path(runuser, runuser); - free(options); - fs_logger2("tmpfs", runuser); - - // autowhitelist home directory if it is masked by the tmpfs - if (strncmp(cfg.homedir, runuser, runuser_len) == 0 && cfg.homedir[runuser_len] == '/') - whitelist_home(WLDIR_RUN); - } - else - run_dir = 0; - } - - // home mountpoint - if (home_dir) { - // check if home directory exists - if (stat(cfg.homedir, &s) == 0) { - // keep a copy of real home dir in RUN_WHITELIST_HOME_USER_DIR - mkdir_attr(RUN_WHITELIST_HOME_USER_DIR, 0755, getuid(), getgid()); - int fd = safe_fd(cfg.homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); - if (fd == -1) - errExit("safe_fd"); - char *proc; - if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) - errExit("asprintf"); - if (mount(proc, RUN_WHITELIST_HOME_USER_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); - free(proc); - close(fd); - - // mount a tmpfs and initialize home directory - fs_private(); - } - else - home_dir = 0; - } + // mount tmpfs on all top level directories + tmpfs_topdirs(topdirs); // go through profile rules again, and interpret whitelist commands entry = cfg.profile; while (entry) { - // handle only whitelist commands - if (strncmp(entry->data, "whitelist ", 10)) { - entry = entry->next; - continue; - } + if (entry->wparam) { + char *file = entry->wparam->file; + char *link = entry->wparam->link; + const char *topdir = entry->wparam->top->path; + size_t 
topdir_len = strlen(topdir); + int dirfd = entry->wparam->top->fd; + + // top level directories of link and file can differ + // whitelist the file only if it is in same top level directory + if (strncmp(file, topdir, topdir_len) == 0 && file[topdir_len] == '/') { + // get path relative to top level directory + const char *rel = file + topdir_len + 1; -//printf("here %d#%s#\n", __LINE__, entry->data); - // whitelist the real file - whitelist_path(entry); - - // create the link if any - if (entry->link) { - // if the link is already there, do not bother - if (lstat(entry->link, &s) != 0) { - // create the path if necessary - // entry->link has no trailing slashes or single dots - int fd = mkpath(entry->link, 0755); - if (fd == -1) { - if (arg_debug || arg_debug_whitelists) - printf("Debug %d: cannot create symbolic link %s\n", __LINE__, entry->link); - free(entry->link); - entry->link = NULL; - entry = entry->next; - continue; - } - // get file name of symlink - const char *file = gnu_basename(entry->link); - // create the link - int rv = symlinkat(entry->data + 10, fd, file); - if (rv) { - if (arg_debug || arg_debug_whitelists) { - perror("symlink"); - printf("Debug %d: cannot create symbolic link %s\n", __LINE__, entry->link); - } - } - else if (arg_debug || arg_debug_whitelists) - printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10); - close(fd); + if (arg_debug || arg_debug_whitelists) + printf("Debug %d: file: %s; dirfd: %d; topdir: %s; rel: %s\n", __LINE__, file, dirfd, topdir, rel); + whitelist_file(dirfd, rel, file); } - free(entry->link); - entry->link = NULL; - } - - entry = entry->next; - } - // mask the real home directory, currently mounted on RUN_WHITELIST_HOME_DIR - if (home_dir) { - if (mount("tmpfs", RUN_WHITELIST_HOME_USER_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mount tmpfs"); - fs_logger2("tmpfs", RUN_WHITELIST_HOME_USER_DIR); - } - - // mask the real /tmp directory, currently mounted on 
RUN_WHITELIST_TMP_DIR - if (tmp_dir) { - if (mount("tmpfs", RUN_WHITELIST_TMP_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mount tmpfs"); - fs_logger2("tmpfs", RUN_WHITELIST_TMP_DIR); - } - - // mask the real /var directory, currently mounted on RUN_WHITELIST_VAR_DIR - if (var_dir) { - if (mount("tmpfs", RUN_WHITELIST_VAR_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mount tmpfs"); - fs_logger2("tmpfs", RUN_WHITELIST_VAR_DIR); - } - - // mask the real /opt directory, currently mounted on RUN_WHITELIST_OPT_DIR - if (opt_dir) { - if (mount("tmpfs", RUN_WHITELIST_OPT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mount tmpfs"); - fs_logger2("tmpfs", RUN_WHITELIST_OPT_DIR); - } - - // mask the real /dev directory, currently mounted on RUN_WHITELIST_DEV_DIR - if (dev_dir) { - if (mount("tmpfs", RUN_WHITELIST_DEV_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mount tmpfs"); - fs_logger2("tmpfs", RUN_WHITELIST_DEV_DIR); - } - - // mask the real /media directory, currently mounted on RUN_WHITELIST_MEDIA_DIR - if (media_dir) { - if (mount("tmpfs", RUN_WHITELIST_MEDIA_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mount tmpfs"); - fs_logger2("tmpfs", RUN_WHITELIST_MEDIA_DIR); - } - - // mask the real /mnt directory, currently mounted on RUN_WHITELIST_MNT_DIR - if (mnt_dir) { - if (mount("tmpfs", RUN_WHITELIST_MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mount tmpfs"); - fs_logger2("tmpfs", RUN_WHITELIST_MNT_DIR); - } - - // mask the real /srv directory, currently mounted on RUN_WHITELIST_SRV_DIR - if (srv_dir) { - if (mount("tmpfs", RUN_WHITELIST_SRV_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mount tmpfs"); - fs_logger2("tmpfs", RUN_WHITELIST_SRV_DIR); - } - - // mask the real /etc directory, currently mounted on RUN_WHITELIST_ETC_DIR - if (etc_dir) { - if 
(mount("tmpfs", RUN_WHITELIST_ETC_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mount tmpfs"); - fs_logger2("tmpfs", RUN_WHITELIST_ETC_DIR); - } - - // mask the real /usr/share directory, currently mounted on RUN_WHITELIST_SHARE_DIR - if (share_dir) { - if (mount("tmpfs", RUN_WHITELIST_SHARE_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mount tmpfs"); - fs_logger2("tmpfs", RUN_WHITELIST_SHARE_DIR); - } + // create the link if any + if (link) { + whitelist_symlink(link, file); + free(link); + } - // mask the real /sys/module directory, currently mounted on RUN_WHITELIST_MODULE_DIR - if (module_dir) { - if (mount("tmpfs", RUN_WHITELIST_MODULE_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mount tmpfs"); - fs_logger2("tmpfs", RUN_WHITELIST_MODULE_DIR); - } + free(file); + free(entry->wparam); + entry->wparam = NULL; + } - // mask the real /run/user/$uid directory, currently mounted on RUN_WHITELIST_RUN_USER_DIR - if (run_dir) { - if (mount("tmpfs", RUN_WHITELIST_RUN_USER_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mount tmpfs"); - fs_logger2("tmpfs", RUN_WHITELIST_RUN_USER_DIR); + entry = entry->next; } + // release resources free(runuser); - return; -errexit: - fprintf(stderr, "Error: invalid whitelist path %s\n", new_name); - exit(1); + size_t i; + for (i = 0; i < TOP_MAX && topdirs[i].path; i++) { + free(topdirs[i].path); + close(topdirs[i].fd); + } + free(topdirs); } diff --git a/src/firejail/ids.c b/src/firejail/ids.c new file mode 100644 index 00000000000..a9ff59be402 --- /dev/null +++ b/src/firejail/ids.c 
@@ -0,0 +1,89 @@ +/* + * Copyright (C) 2014-2021 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ +#include "firejail.h" +#include +#include +#include + + +static void ids_init(void) { + // store checksums as root in /var/lib/firejail/${USERNAME}.ids + char *fname; + if (asprintf(&fname, VARDIR"/%s.ids", cfg.username) == -1) + errExit("asprintf"); + + int rv = unlink(fname); + (void) rv; + int fd = open(fname, O_CREAT | O_TRUNC | O_WRONLY, 0600); + if (fd < 0) { + fprintf(stderr, "Error: cannot create %s\n", fname); + exit(1); + } + + // redirect output + close(STDOUT_FILENO); + if (dup(fd) != STDOUT_FILENO) + errExit("dup"); + close(fd); + + sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FIDS, "--init", cfg.homedir); +} + +static void ids_check(void) { + // store checksums as root in /var/lib/firejail/${USERNAME}.ids + char *fname; + if (asprintf(&fname, VARDIR"/%s.ids", cfg.username) == -1) + errExit("asprintf"); + + int fd = open(fname, O_RDONLY); + if (fd < 0) { + fprintf(stderr, "Error: cannot open %s\n", fname); + exit(1); + } + + // redirect input + close(STDIN_FILENO); + if (dup(fd) != STDIN_FILENO) + errExit("dup"); + close(fd); + + sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP| SBOX_ALLOW_STDIN, 3, 
PATH_FIDS, "--check", cfg.homedir); +} + +void run_ids(int argc, char **argv) { + if (argc != 2) { + fprintf(stderr, "Error: only one IDS command expected\n"); + exit(1); + } + + EUID_ROOT(); + struct stat s; + if (stat(VARDIR, &s)) // /var/lib/firejail + create_empty_dir_as_root(VARDIR, 0700); + + if (strcmp(argv[1], "--ids-init") == 0) + ids_init(); + else if (strcmp(argv[1], "--ids-check") == 0) + ids_check(); + else + fprintf(stderr, "Error: unrecognized IDS command\n"); + + exit(0); +} diff --git a/src/firejail/join.c b/src/firejail/join.c index fa1f643335c..a869f6b64f3 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -20,10 +20,14 @@ #include "firejail.h" #include #include -#include #include #include +#include +#ifndef O_PATH +#define O_PATH 010000000 +#endif + #include #ifndef PR_SET_NO_NEW_PRIVS #define PR_SET_NO_NEW_PRIVS 38 @@ -41,7 +45,7 @@ static unsigned display = 0; static void signal_handler(int sig){ flush_stdin(); - exit(sig); + exit(128 + sig); } static void install_handler(void) { @@ -99,7 +103,7 @@ static void extract_x11_display(pid_t pid) { if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1) errExit("asprintf"); - FILE *fp = fopen(fname, "r"); + FILE *fp = fopen(fname, "re"); free(fname); if (!fp) return; @@ -143,7 +147,7 @@ static void extract_command(int argc, char **argv, int index) { } // build command - build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, index); + build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, index, true); } static void extract_nogroups(pid_t pid) { @@ -215,7 +219,7 @@ static void extract_caps(pid_t pid) { perror("asprintf"); exit(1); } - FILE *fp = fopen(file, "r"); + FILE *fp = fopen(file, "re"); if (!fp) goto errexit; 
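Review bot: in ids.c, run_ids prints `Error: unrecognized IDS command` and then falls through to `exit(0)`, so an invalid command reports success to the caller; use a non-zero status on that branch, as the `argc != 2` path already does. Minor: the `fname` buffer from asprintf is never freed in ids_init or ids_check.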
@@ -262,7 +266,7 @@ static void extract_user_namespace(pid_t pid) { char *uidmap; if (asprintf(&uidmap, "/proc/%u/uid_map", pid) == -1) errExit("asprintf"); - FILE *fp = fopen(uidmap, "r"); + FILE *fp = fopen(uidmap, "re"); if (!fp) { free(uidmap); return; 
@@ -292,77 +296,59 @@ static void extract_umask(pid_t pid) { fprintf(stderr, "Error: cannot open umask file\n"); exit(1); } - if (fscanf(fp, "%3o", &orig_umask) < 1) { + if (fscanf(fp, "%3o", &orig_umask) != 1) { fprintf(stderr, "Error: cannot read umask\n"); exit(1); } fclose(fp); } +static int open_shell(void) { + EUID_ASSERT(); + assert(cfg.shell); + + if (arg_debug) + printf("Opening shell %s\n", cfg.shell); + // file descriptor will leak if not opened with O_CLOEXEC !! + int fd = open(cfg.shell, O_PATH|O_CLOEXEC); + if (fd == -1) { + fprintf(stderr, "Error: cannot open shell %s\n", cfg.shell); + exit(1); + } + return fd; +} + // return false if the sandbox identified by pid is not fully set up yet or if // it is no firejail sandbox at all, return true if the sandbox is complete bool is_ready_for_join(const pid_t pid) { EUID_ASSERT(); - // check if a file "ready-for-join" exists + // check if a file /run/firejail/mnt/join exists char *fname; - if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_READY_FOR_JOIN) == -1) + if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_JOIN_FILE) == -1) errExit("asprintf"); EUID_ROOT(); - FILE *fp = fopen(fname, "re"); + int fd = open(fname, O_RDONLY|O_CLOEXEC); EUID_USER(); free(fname); - if (!fp) - return false; - // regular file owned by root - int fd = fileno(fp); if (fd == -1) - errExit("fileno"); + return false; struct stat s; if (fstat(fd, &s) == -1) errExit("fstat"); - if (!S_ISREG(s.st_mode) || s.st_uid != 0) { - fclose(fp); + if (!S_ISREG(s.st_mode) || s.st_uid != 0 || s.st_size != 1) { + close(fd); return false; } - // check if it is non-empty - char buf[BUFLEN]; - if (fgets(buf, BUFLEN, fp) == NULL) { - fclose(fp); - return false; - } - fclose(fp); - // confirm "ready" string was written - if (strcmp(buf, "ready\n") != 0) - return false; - - // walk down the process tree a few nodes, there should be no firejail leaf -#define MAXNODES 5 - pid_t current = pid, next; - int i; - for (i = 0; i < MAXNODES; i++) { - if 
(find_child(current, &next) == 1) { - // found a leaf - EUID_ROOT(); - char *comm = pid_proc_comm(current); - EUID_USER(); - if (!comm) { - fprintf(stderr, "Error: cannot read /proc file\n"); - exit(1); - } - if (strcmp(comm, "firejail") == 0) { - free(comm); - return false; - } - free(comm); - break; - } - current = next; + char status; + if (read(fd, &status, 1) == 1 && status == SANDBOX_DONE) { + close(fd); + return true; } - - return true; + close(fd); + return false; } -#define SNOOZE 100000 // sleep interval in microseconds +#define SNOOZE 10000 // sleep interval in microseconds void check_join_permission(pid_t pid) { // check if pid belongs to a fully set up firejail sandbox unsigned long i; @@ -398,6 +384,7 @@ pid_t switch_to_child(pid_t pid) { exit(1); } EUID_USER(); + if (strcmp(comm, "firejail") == 0) { if (find_child(pid, &rv) == 1) { fprintf(stderr, "Error: no valid sandbox\n"); @@ -423,6 +410,10 @@ void join(pid_t pid, int argc, char **argv, int index) { extract_x11_display(parent); + int shfd = -1; + if (!arg_shell_none) + shfd = open_shell(); + EUID_ROOT(); // in user mode set caps seccomp, cpu, cgroup, etc if (getuid() != 0) { @@ -432,6 +423,7 @@ void join(pid_t pid, int argc, char **argv, int index) { extract_cgroup(pid); extract_nogroups(pid); extract_user_namespace(pid); + extract_umask(pid); #ifdef HAVE_APPARMOR extract_apparmor(pid); #endif @@ -441,9 +433,6 @@ void join(pid_t pid, int argc, char **argv, int index) { if (cfg.cgroup) // not available for uid 0 set_cgroup(cfg.cgroup); - // set umask, also uid 0 - extract_umask(pid); - // join namespaces if (arg_join_network) { if (join_namespace(pid, "net")) @@ -497,10 +486,8 @@ void join(pid_t pid, int argc, char **argv, int index) { EUID_ROOT(); if (apply_caps == 1) // not available for uid 0 caps_set(caps); -#ifdef HAVE_SECCOMP if (getuid() != 0) seccomp_load_file_list(); -#endif // mount user namespace or drop privileges if (arg_noroot) { // not available for uid 0 
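Review bot: in join.c, `#define SNOOZE 10000` cuts the poll interval from 100000 us to 10000 us; unless the iteration count in check_join_permission was raised in step, the total time `firejail --join` waits for a sandbox to become ready shrinks tenfold, which will surface as spurious "not ready" failures on slow machines. State the intended total timeout in the commit message or scale the loop bound in the same change.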
@@ -549,41 +536,51 @@ void join(pid_t pid, int argc, char **argv, int index) { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); #ifdef HAVE_APPARMOR - // add apparmor confinement after the execve set_apparmor(); #endif extract_command(argc, argv, index); if (cfg.command_line == NULL) { assert(cfg.shell); - cfg.command_line = cfg.shell; cfg.window_title = cfg.shell; } - if (arg_debug) + else if (arg_debug) printf("Extracted command #%s#\n", cfg.command_line); // set cpu affinity if (cfg.cpus) // not available for uid 0 set_cpu_affinity(); - // set nice value - if (arg_nice) - set_nice(cfg.nice); - // add x11 display if (display) { char *display_str; if (asprintf(&display_str, ":%d", display) == -1) errExit("asprintf"); - setenv("DISPLAY", display_str, 1); + env_store_name_val("DISPLAY", display_str, SETENV); free(display_str); } - start_application(0, NULL); +#ifdef HAVE_DBUSPROXY + // set D-Bus environment variables + struct stat s; + if (stat(RUN_DBUS_USER_SOCKET, &s) == 0) + dbus_set_session_bus_env(); + if (stat(RUN_DBUS_SYSTEM_SOCKET, &s) == 0) + dbus_set_system_bus_env(); +#endif - // it will never get here!!! + // set nice and rlimits + if (arg_nice) + set_nice(cfg.nice); + set_rlimits(); + + start_application(0, shfd, NULL); + + __builtin_unreachable(); } EUID_USER(); + if (shfd != -1) + close(shfd); int status = 0; //***************************** @@ -599,15 +596,17 @@ void join(pid_t pid, int argc, char **argv, int index) { // end of signal-safe code //***************************** - flush_stdin(); if (WIFEXITED(status)) { + // if we had a proper exit, return that exit status status = WEXITSTATUS(status); } else if (WIFSIGNALED(status)) { - status = WTERMSIG(status); + // distinguish fatal signals by adding 128 + status = 128 + WTERMSIG(status); } else { - status = 0; + status = -1; } + flush_stdin(); exit(status); } diff --git a/src/firejail/ls.c b/src/firejail/ls.c index aa33d838b33..70985ba9e73 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c 
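Review bot: in join()'s exit-status handling, the fallback `status = -1;` reaches `exit(status)` and is reported to the shell as 255, which is indistinguishable from a child that legitimately exited with 255 and is a non-obvious value to pass to exit; a fixed code such as `EXIT_FAILURE` is clearer. The `128 + WTERMSIG(status)` change matches the new `exit(128 + sig)` in signal_handler, good.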
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -19,6 +19,7 @@ */ #include "firejail.h" +#include "../include/gcov_wrapper.h" #include #include #include @@ -26,6 +27,7 @@ #include #include #include +#include //#include //#include //#include @@ -34,18 +36,12 @@ static uid_t c_uid = 0; static char *c_uid_name = NULL; -static void print_file_or_dir(const char *path, const char *fname, int separator) { +static void print_file_or_dir(const char *path, const char *fname) { assert(fname); char *name; - if (separator) { - if (asprintf(&name, "%s/%s", path, fname) == -1) - errExit("asprintf"); - } - else { - if (asprintf(&name, "%s%s", path, fname) == -1) - errExit("asprintf"); - } + if (asprintf(&name, "%s/%s", path, fname) == -1) + errExit("asprintf"); struct stat s; if (stat(name, &s) == -1) { @@ -54,6 +50,7 @@ static void print_file_or_dir(const char *path, const char *fname, int separator return; } } + free(name); // permissions if (S_ISLNK(s.st_mode)) 
@@ -177,14 +174,83 @@ static void print_directory(const char *path) { if (n < 0) errExit("scandir"); else { - for (i = 0; i < n; i++) { - print_file_or_dir(path, namelist[i]->d_name, 0); + for (i = 0; i < n; i++) + print_file_or_dir(path, namelist[i]->d_name); + // get rid of false psitive reported by GCC -fanalyze + for (i = 0; i < n; i++) free(namelist[i]); - } } free(namelist); } +void ls(const char *path) { + EUID_ASSERT(); + assert(path); + + char *rp = realpath(path, NULL); + if (!rp || access(rp, R_OK) == -1) { + fprintf(stderr, "Error: cannot access %s\n", path); + exit(1); + } + if (arg_debug) + printf("ls %s\n", rp); + + // list directory contents + struct stat s; + if (stat(rp, &s) == -1) { + fprintf(stderr, "Error: cannot access %s\n", rp); + exit(1); + } + if (S_ISDIR(s.st_mode)) + print_directory(rp); + else { + char *split = strrchr(rp, '/'); + if (split) { + *split = '\0'; + char *rp2 = split + 1; + if (arg_debug) + printf("path %s, file %s\n", rp, rp2); + print_file_or_dir(rp, rp2); + } + } + free(rp); +} + +void cat(const char *path) { + EUID_ASSERT(); + assert(path); + + if (arg_debug) + printf("cat %s\n", path); + FILE *fp = fopen(path, "re"); + if (!fp) { + fprintf(stderr, "Error: cannot read %s\n", path); + exit(1); + } + int fd = fileno(fp); + if (fd == -1) + errExit("fileno"); + struct stat s; + if (fstat(fd, &s) == -1) + errExit("fstat"); + if (!S_ISREG(s.st_mode)) { + fprintf(stderr, "Error: %s is not a regular file\n", path); + exit(1); + } + bool tty = isatty(STDOUT_FILENO); + + int c; + while ((c = fgetc(fp)) != EOF) { + // file is untrusted + // replace control characters when printing to a terminal + if (tty && c != '\t' && c != '\n' && iscntrl((unsigned char) c)) + c = '?'; + fputc(c, stdout); + } + fflush(stdout); + fclose(fp); +} + char *expand_path(const char *path) { char *fname = NULL; if (*path == '/') { 
@@ -219,14 +285,49 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { check_join_permission(pid); // expand paths - char *fname1 = expand_path(path1);; + char *fname1 = expand_path(path1); char *fname2 = NULL; if (path2 != NULL) { fname2 = expand_path(path2); } if (arg_debug) { printf("file1 %s\n", fname1); - printf("file2 %s\n", fname2); + printf("file2 %s\n", fname2 ? fname2 : "(null)"); + } + + // get file from sandbox and store it in the current directory + // implemented using --cat + if (op == SANDBOX_FS_GET) { + char *dest_fname = strrchr(fname1, '/'); + if (!dest_fname || *(++dest_fname) == '\0') { + fprintf(stderr, "Error: invalid file name %s\n", fname1); + exit(1); + } + // create destination file if necessary + EUID_ASSERT(); + int fd = open(dest_fname, O_WRONLY|O_CREAT|O_CLOEXEC, S_IRUSR | S_IWRITE); + if (fd == -1) { + fprintf(stderr, "Error: cannot open %s for writing\n", dest_fname); + exit(1); + } + struct stat s; + if (fstat(fd, &s) == -1) + errExit("fstat"); + if (!S_ISREG(s.st_mode)) { + fprintf(stderr, "Error: %s is no regular file\n", dest_fname); + exit(1); + } + if (ftruncate(fd, 0) == -1) + errExit("ftruncate"); + // go quiet - messages on stdout will corrupt the file + arg_debug = 0; + arg_quiet = 1; + // redirection + if (dup2(fd, STDOUT_FILENO) == -1) + errExit("dup2"); + assert(fd != STDOUT_FILENO); + close(fd); + op = SANDBOX_FS_CAT; } // sandbox root directory @@ -234,7 +335,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { if (asprintf(&rootdir, "/proc/%d/root", pid) == -1) errExit("asprintf"); - if (op == SANDBOX_FS_LS) { + if (op == SANDBOX_FS_LS || op == SANDBOX_FS_CAT) { EUID_ROOT(); // chroot if (chroot(rootdir) < 0) 
@@ -245,130 +346,12 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { // drop privileges drop_privs(0); - // check access - if (access(fname1, R_OK) == -1) { - fprintf(stderr, "Error: Cannot access %s\n", fname1); - exit(1); - } - /* coverity[toctou] */ - char *rp = realpath(fname1, NULL); - if (!rp) { - fprintf(stderr, "Error: Cannot access %s\n", fname1); - exit(1); - } - if (arg_debug) - printf("realpath %s\n", rp); - - - // list directory contents - struct stat s; - if (stat(rp, &s) == -1) { - fprintf(stderr, "Error: Cannot access %s\n", rp); - exit(1); - } - if (S_ISDIR(s.st_mode)) { - char *dir; - if (asprintf(&dir, "%s/", rp) == -1) - errExit("asprintf"); + if (op == SANDBOX_FS_LS) + ls(fname1); + else + cat(fname1); - print_directory(dir); - free(dir); - } - else { - char *split = strrchr(rp, '/'); - if (split) { - *split = '\0'; - char *rp2 = split + 1; - if (arg_debug) - printf("path %s, file %s\n", rp, rp2); - print_file_or_dir(rp, rp2, 1); - } - } - free(rp); - } - - // get file from sandbox and store it in the current directory - else if (op == SANDBOX_FS_GET) { - char *src_fname =fname1; - char *dest_fname = strrchr(fname1, '/'); - if (!dest_fname || *(++dest_fname) == '\0') { - fprintf(stderr, "Error: invalid file name %s\n", fname1); - exit(1); - } - - EUID_ROOT(); - if (arg_debug) - printf("copy %s to %s\n", src_fname, dest_fname); - - // create a user-owned temporary file in /run/firejail directory - char tmp_fname[] = "/run/firejail/tmpget-XXXXXX"; - int fd = mkstemp(tmp_fname); - if (fd != -1) { - SET_PERMS_FD(fd, getuid(), getgid(), 0600); - close(fd); - } - - // copy the source file into the temporary file - we need to chroot - pid_t child = fork(); - if (child < 0) - errExit("fork"); - if (child == 0) { - // chroot - if (chroot(rootdir) < 0) - errExit("chroot"); - if (chdir("/") < 0) - errExit("chdir"); - - // drop privileges - drop_privs(0); - - // copy the file - if (copy_file(src_fname, tmp_fname, getuid(), 
getgid(), 0600)) // already a regular user - _exit(1); -#ifdef HAVE_GCOV - __gcov_flush(); -#endif - _exit(0); - } - - // wait for the child to finish - int status = 0; - waitpid(child, &status, 0); - if (WIFEXITED(status) && WEXITSTATUS(status) == 0); - else { - unlink(tmp_fname); - exit(1); - } - - // copy the temporary file into the destination file - child = fork(); - if (child < 0) - errExit("fork"); - if (child == 0) { - // drop privileges - drop_privs(0); - - // copy the file - if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user - _exit(1); -#ifdef HAVE_GCOV - __gcov_flush(); -#endif - _exit(0); - } - - // wait for the child to finish - status = 0; - waitpid(child, &status, 0); - if (WIFEXITED(status) && WEXITSTATUS(status) == 0); - else { - unlink(tmp_fname); - exit(1); - } - - // remove the temporary file - unlink(tmp_fname); - EUID_USER(); + __gcov_flush(); } // get file from host and store it in the sandbox else if (op == SANDBOX_FS_PUT && path2) { @@ -400,9 +383,9 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { // copy the file if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user _exit(1); -#ifdef HAVE_GCOV + __gcov_flush(); -#endif + _exit(0); } @@ -432,9 +415,9 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { // copy the file if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user _exit(1); -#ifdef HAVE_GCOV + __gcov_flush(); -#endif + _exit(0); } diff --git a/src/firejail/macros.c b/src/firejail/macros.c index e52a7a43029..cd29d8f85a7 100644 --- a/src/firejail/macros.c +++ b/src/firejail/macros.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * 
@@ -99,7 +99,7 @@ static char *resolve_xdg(const char *var) { if (asprintf(&fname, "%s/.config/user-dirs.dirs", cfg.homedir) == -1) errExit("asprintf"); - FILE *fp = fopen(fname, "r"); + FILE *fp = fopen(fname, "re"); if (!fp) { free(fname); return NULL; @@ -149,6 +149,7 @@ static char *resolve_xdg(const char *var) { // returns mallocated memory static char *resolve_hardcoded(char *entries[]) { + EUID_ASSERT(); char *fname; struct stat s; @@ -208,7 +209,11 @@ char *expand_macros(const char *path) { // Replace home macro char *new_name = NULL; - if (strncmp(path, "${HOME}", 7) == 0) { + if (strncmp(path, "$HOME", 5) == 0) { + fprintf(stderr, "Error: $HOME is not allowed in profile files, please replace it with ${HOME}\n"); + exit(1); + } + else if (strncmp(path, "${HOME}", 7) == 0) { if (asprintf(&new_name, "%s%s", cfg.homedir, path + 7) == -1) errExit("asprintf"); if(called_as_root) diff --git a/src/firejail/main.c b/src/firejail/main.c index dc213b98825..81d148257af 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -20,6 +20,7 @@ #include "firejail.h" #include "../include/pid.h" #include "../include/firejail_user.h" +#include "../include/gcov_wrapper.h" #include "../include/syscall.h" #include "../include/seccomp.h" #define _GNU_SOURCE @@ -31,7 +32,7 @@ #include #include #include -#include +//#include #include #include #include @@ -116,7 +117,6 @@ int arg_private_cwd = 0; // private working directory int arg_scan = 0; // arp-scan all interfaces int arg_whitelist = 0; // whitelist command int arg_nosound = 0; // disable sound -int arg_noautopulse = 0; // disable automatic ~/.config/pulse init int arg_novideo = 0; //disable video devices in /dev int arg_no3d; // disable 3d hardware acceleration int arg_quiet = 0; // no output for scripting 
@@ -125,13 +125,12 @@ int arg_join_filesystem = 0; // join only the mount namespace int arg_nice = 0; // nice value configured int arg_ipc = 0; // enable ipc namespace int arg_writable_etc = 0; // writable etc +int arg_keep_config_pulse = 0; // disable automatic ~/.config/pulse init int arg_writable_var = 0; // writable var int arg_keep_var_tmp = 0; // don't overwrite /var/tmp int arg_writable_run_user = 0; // writable /run/user int arg_writable_var_log = 0; // writable /var/log int arg_appimage = 0; // appimage -int arg_audit = 0; // audit -char *arg_audit_prog = NULL; // audit int arg_apparmor = 0; // apparmor int arg_allow_debuggers = 0; // allow debuggers int arg_x11_block = 0; // block X11 @@ -145,20 +144,15 @@ int arg_memory_deny_write_execute = 0; // block writable and executable memory int arg_notv = 0; // --notv int arg_nodvd = 0; // --nodvd int arg_nou2f = 0; // --nou2f +int arg_noinput = 0; // --noinput int arg_deterministic_exit_code = 0; // always exit with first child's exit status DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW; // --dbus-user DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system +const char *arg_dbus_log_file = NULL; +int arg_dbus_log_user = 0; +int arg_dbus_log_system = 0; int login_shell = 0; -//********************************************************************************** -// work in progress!!! -//********************************************************************************** -//#define POSTMORTEM -#ifdef POSTMORTEM -#include -pid_t pm_child = 0; -#endif - int parent_to_child_fds[2]; int child_to_parent_fds[2]; @@ -167,7 +161,6 @@ int fullargc = 0; static pid_t child = 0; pid_t sandbox_pid; mode_t orig_umask = 022; -unsigned long long start_timestamp; static void clear_atexit(void) { EUID_ROOT(); @@ -181,7 +174,9 @@ static void myexit(int rv) { // delete sandbox files in shared memory +#ifdef HAVE_DBUSPROXY dbus_proxy_stop(); +#endif EUID_ROOT(); delete_run_files(sandbox_pid); appimage_clear(); 
@@ -193,27 +188,16 @@ static void my_handler(int s) { fmessage("\nParent received signal %d, shutting down the child process...\n", s); logsignal(s); -#ifdef POSTMORTEM -printf("attempt to kill %d\n", pm_child); - if (pm_child) { - if (waitpid(pm_child, NULL, WNOHANG) == 0) { - if (has_handler(pm_child, s)) // signals are not delivered if there is no handler yet - kill(pm_child, s); - else - kill(pm_child, SIGKILL); - waitpid(pm_child, NULL, 0); - } - } -#endif - if (waitpid(child, NULL, WNOHANG) == 0) { - if (has_handler(child, s)) // signals are not delivered if there is no handler yet + // child is pid 1 of a pid namespace: + // signals are not delivered if there is no handler yet + if (has_handler(child, s)) kill(child, s); else kill(child, SIGKILL); waitpid(child, NULL, 0); } - myexit(s); + myexit(128 + s); } static void install_handler(void) { 
@@ -234,74 +218,6 @@ static void install_handler(void) { sigaction(SIGTERM, &sga, NULL); } -// return 1 if error, 0 if a valid pid was found -static int extract_pid(const char *name, pid_t *pid) { - int retval = 0; - EUID_ASSERT(); - if (!name || strlen(name) == 0) { - fprintf(stderr, "Error: invalid sandbox name\n"); - exit(1); - } - - EUID_ROOT(); - if (name2pid(name, pid)) { - retval = 1; - } - EUID_USER(); - return retval; -} - -// return 1 if error, 0 if a valid pid was found -static int read_pid(const char *name, pid_t *pid) { - char *endptr; - errno = 0; - long int pidtmp = strtol(name, &endptr, 10); - if ((errno == ERANGE && (pidtmp == LONG_MAX || pidtmp == LONG_MIN)) - || (errno != 0 && pidtmp == 0)) { - return extract_pid(name,pid); - } - // endptr points to '\0' char in name if the entire string is valid - if (endptr == NULL || endptr[0]!='\0') { - return extract_pid(name,pid); - } - *pid =(pid_t)pidtmp; - return 0; -} - -static pid_t require_pid(const char *name) { - pid_t pid; - if (read_pid(name,&pid)) { - fprintf(stderr, "Error: cannot find sandbox %s\n", name); - exit(1); - } - return pid; -} - -// return 1 if there is a link somewhere in path of directory -static int has_link(const char *dir) { - assert(dir); - int fd = safe_fd(dir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); - if (fd == -1) { - if (errno == ENOTDIR && is_dir(dir)) - return 1; - } - else - close(fd); - return 0; -} - -static void check_homedir(void) { - assert(cfg.homedir); - if (cfg.homedir[0] != '/') { - fprintf(stderr, "Error: invalid user directory \"%s\"\n", cfg.homedir); - exit(1); - } - // symlinks are rejected in many places - if (has_link(cfg.homedir)) { - fprintf(stderr, "No full support for symbolic links in path of user directory.\n" - "Please provide resolved path in password database (/etc/passwd).\n\n"); - } -} // init configuration static void init_cfg(int argc, char **argv) { 
@@ -346,8 +262,8 @@ static void init_cfg(int argc, char **argv) { fprintf(stderr, "Error: user %s doesn't have a user directory assigned\n", cfg.username); exit(1); } + check_homedir(pw->pw_dir); cfg.homedir = clean_pathname(pw->pw_dir); - check_homedir(); // initialize random number generator sandbox_pid = getpid(); @@ -358,6 +274,24 @@ static void init_cfg(int argc, char **argv) { cfg.seccomp_error_action = "EPERM"; } +static void fix_single_std_fd(int fd, const char *file, int flags) { + struct stat s; + if (fstat(fd, &s) == -1 && errno == EBADF) { + // something is wrong with fd, probably it is not opened + int nfd = open(file, flags); + if (nfd != fd || fstat(fd, &s) != 0) + _exit(1); // no further attempts to fix the situation + } +} + +// glibc does this automatically if Firejail was started by a regular user +// run this for root user and as a fallback +static void fix_std_streams(void) { + fix_single_std_fd(0, "/dev/full", O_RDONLY|O_NOFOLLOW); + fix_single_std_fd(1, "/dev/null", O_WRONLY|O_NOFOLLOW); + fix_single_std_fd(2, "/dev/null", O_WRONLY|O_NOFOLLOW); +} + static void check_network(Bridge *br) { assert(br); if (br->macvlan == 0) // for bridge devices check network range or arp-scan and assign address @@ -365,7 +299,7 @@ static void check_network(Bridge *br) { else if (br->ipsandbox) { // for macvlan check network range char *rv = in_netrange(br->ipsandbox, br->ip, br->mask); if (rv) { - fprintf(stderr, "%s", rv); + fprintf(stderr, "%s\n", rv); exit(1); } } @@ -548,7 +482,6 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { //************************************* // independent commands - the program will exit! //************************************* -#ifdef HAVE_SECCOMP else if (strcmp(argv[i], "--debug-syscalls") == 0) { if (checkcfg(CFG_SECCOMP)) { int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP_MAIN, "debug-syscalls"); 
@@ -598,7 +531,6 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { exit_err_feature("seccomp"); exit(0); } -#endif else if (strncmp(argv[i], "--profile.print=", 16) == 0) { pid_t pid = require_pid(argv[i] + 16); @@ -606,7 +538,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { char *fname; if (asprintf(&fname, RUN_FIREJAIL_PROFILE_DIR "/%d", pid) == -1) errExit("asprintf"); - FILE *fp = fopen(fname, "r"); + FILE *fp = fopen(fname, "re"); if (!fp) { fprintf(stderr, "Error: sandbox %s not found\n", argv[i] + 16); exit(1); @@ -790,6 +722,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { } // list directory contents + if (!arg_debug) + arg_quiet = 1; pid_t pid = require_pid(argv[i] + 5); sandboxfs(SANDBOX_FS_LS, pid, path, NULL); exit(0); @@ -797,6 +731,35 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { else exit_err_feature("file transfer"); } + else if (strncmp(argv[i], "--cat=", 6) == 0) { + if (checkcfg(CFG_FILE_TRANSFER)) { + logargs(argc, argv); + if (arg_private_cwd) { + fprintf(stderr, "Error: --cat and --private-cwd options are mutually exclusive\n"); + exit(1); + } + + if ((i + 2) != argc) { + fprintf(stderr, "Error: invalid --cat option, path expected\n"); + exit(1); + } + char *path = argv[i + 1]; + invalid_filename(path, 0); // no globbing + if (strstr(path, "..")) { + fprintf(stderr, "Error: invalid file name %s\n", path); + exit(1); + } + + // write file contents to stdout + if (!arg_debug) + arg_quiet = 1; + pid_t pid = require_pid(argv[i] + 6); + sandboxfs(SANDBOX_FS_CAT, pid, path, NULL); + exit(0); + } + else + exit_err_feature("file transfer"); + } #endif else if (strncmp(argv[i], "--join=", 7) == 0) { if (checkcfg(CFG_JOIN) || getuid() == 0) { 
@@ -900,45 +863,53 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { } char *guess_shell(void) { - char *shell = NULL; - struct stat s; + const char *shell; + char *retval; - shell = getenv("SHELL"); + shell = env_get("SHELL"); if (shell) { invalid_filename(shell, 0); // no globbing - if (!is_dir(shell) && strstr(shell, "..") == NULL && stat(shell, &s) == 0 && access(shell, X_OK) == 0) - return shell; + if (access(shell, X_OK) == 0 && !is_dir(shell) && strstr(shell, "..") == NULL && + strcmp(shell, PATH_FIREJAIL) != 0) + goto found; } // shells in order of preference - char *shells[] = {"/bin/bash", "/bin/csh", "/usr/bin/zsh", "/bin/sh", "/bin/ash", NULL }; + static const char * const shells[] = {"/bin/bash", "/bin/csh", "/usr/bin/zsh", "/bin/sh", "/bin/ash", NULL }; int i = 0; while (shells[i] != NULL) { // access call checks as real UID/GID, not as effective UID/GID - if (stat(shells[i], &s) == 0 && access(shells[i], X_OK) == 0) { + if (access(shells[i], X_OK) == 0) { shell = shells[i]; - break; + goto found; } i++; } - return shell; + return NULL; + + found: + retval = strdup(shell); + if (!retval) + errExit("strdup"); + return retval; } +// return argument index static int check_arg(int argc, char **argv, const char *argument, int strict) { int i; int found = 0; for (i = 1; i < argc; i++) { if (strict) { if (strcmp(argv[i], argument) == 0) { - found = 1; + found = i; break; } } else { if (strncmp(argv[i], argument, strlen(argument)) == 0) { - found = 1; + found = i; break; } } @@ -963,9 +934,13 @@ static void run_builder(int argc, char **argv) { if (setresuid(-1, getuid(), getuid()) != 0) errExit("setresuid"); + assert(env_get("LD_PRELOAD") == NULL); assert(getenv("LD_PRELOAD") == NULL); umask(orig_umask); + // restore original environment variables + env_apply_all(); + argv[0] = LIBDIR "/firejail/fbuilder"; execvp(argv[0], argv); 
@@ -988,18 +963,16 @@ void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, b (void) native; } -#ifdef HAVE_SECCOMP static int check_postexec(const char *list) { char *prelist, *postlist; - if (list) { + if (list && list[0]) { syscalls_in_list(list, "@default-keep", -1, &prelist, &postlist, true); if (postlist) return 1; } return 0; } -#endif //******************************************* // Main program @@ -1014,16 +987,19 @@ int main(int argc, char **argv, char **envp) { int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot) char **ptr; + // sanitize the umask + orig_umask = umask(022); + // drop permissions by default and rise them when required EUID_INIT(); EUID_USER(); - // sanitize the umask - orig_umask = umask(022); + // check standard streams before opening any file + fix_std_streams(); // argument count should be larger than 0 if (argc == 0 || !argv || strlen(argv[0]) == 0) { - fprintf(stderr, "Error: argv[0] is NULL\n"); + fprintf(stderr, "Error: argv is invalid\n"); exit(1); } else if (argc >= MAX_ARGS) { fprintf(stderr, "Error: too many arguments\n"); 
@@ -1042,78 +1018,29 @@ int main(int argc, char **argv, char **envp) { } } + // Stash environment variables + for (i = 0, ptr = envp; ptr && *ptr && i < MAX_ENVS; i++, ptr++) + env_store(*ptr, SETENV); + // sanity check for environment variables - for (i = 0, ptr = envp; ptr && *ptr && i < MAX_ENVS; i++, ptr++) { - if (strlen(*ptr) >= MAX_ENV_LEN) { - fprintf(stderr, "Error: too long environment variables\n"); - exit(1); - } - } if (i >= MAX_ENVS) { fprintf(stderr, "Error: too many environment variables\n"); exit(1); } - // check if the user is allowed to use firejail - init_cfg(argc, argv); + // Reapply a minimal set of environment variables + env_apply_whitelist(); - // get starting timestamp, process --quiet - start_timestamp = getticks(); - char *env_quiet = getenv("FIREJAIL_QUIET"); + // process --quiet + const char *env_quiet = env_get("FIREJAIL_QUIET"); if (check_arg(argc, argv, "--quiet", 1) || (env_quiet && strcmp(env_quiet, "yes") == 0)) arg_quiet = 1; - // cleanup at exit - EUID_ROOT(); - atexit(clear_atexit); - - // build /run/firejail directory structure - preproc_build_firejail_dir(); - char *container_name = getenv("container"); - if (!container_name || strcmp(container_name, "firejail")) { - lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR); - if (lockfd_directory != -1) { - int rv = fchown(lockfd_directory, 0, 0); - (void) rv; - flock(lockfd_directory, LOCK_EX); - } - preproc_clean_run(); - flock(lockfd_directory, LOCK_UN); - close(lockfd_directory); - } - EUID_USER(); - - - // process allow-debuggers - if (check_arg(argc, argv, "--allow-debuggers", 1)) { - // check kernel version - struct utsname u; - int rv = uname(&u); - if (rv != 0) - errExit("uname"); - int major; - int minor; - if (2 != sscanf(u.release, "%d.%d", &major, &minor)) { - fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version); - exit(1); - } - if (major < 4 || (major == 4 && minor < 8)) { - fprintf(stderr, "Error: 
--allow-debuggers is disabled on Linux kernels prior to 4.8. " - "A bug in ptrace call allows a full bypass of the seccomp filter. " - "Your current kernel version is %d.%d.\n", major, minor); - exit(1); - } - - arg_allow_debuggers = 1; - char *cmd = strdup("noblacklist ${PATH}/strace"); - if (!cmd) - errExit("strdup"); - profile_add(cmd); - } + // check if the user is allowed to use firejail + init_cfg(argc, argv); - // profile builder - if (check_arg(argc, argv, "--build", 0)) // supports both --build and --build=filename - run_builder(argc, argv); // this function will not return + // get starting timestamp + timetrace_start(); // check argv[0] symlink wrapper if this is not a login shell if (*argv[0] != '-') 
@@ -1135,19 +1062,47 @@ int main(int argc, char **argv, char **envp) { // start the program directly without sandboxing run_no_sandbox(argc, argv); - // it will never get here! - assert(0); + __builtin_unreachable(); } } - EUID_ASSERT(); + // profile builder + if (check_arg(argc, argv, "--build", 0)) // supports both --build and --build=filename + run_builder(argc, argv); // this function will not return + + // intrusion detection system + if (check_arg(argc, argv, "--ids-", 0)) // supports both --ids-init and --ids-check + run_ids(argc, argv); // this function will not return - // check firejail directories EUID_ROOT(); - delete_run_files(sandbox_pid); +#ifndef HAVE_SUID + if (geteuid() != 0) { + fprintf(stderr, "Error: Firejail needs to be SUID.\n"); + fprintf(stderr, "Assuming firejail is installed in /usr/bin, execute the following command as root:\n"); + fprintf(stderr, " chmod u+s /usr/bin/firejail\n"); + } +#endif + + // build /run/firejail directory structure + preproc_build_firejail_dir(); + const char *container_name = env_get("container"); + if (!container_name || strcmp(container_name, "firejail")) { + lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR); + if (lockfd_directory != -1) { + int rv = fchown(lockfd_directory, 0, 0); + (void) rv; + flock(lockfd_directory, LOCK_EX); + } + preproc_clean_run(); + flock(lockfd_directory, LOCK_UN); + close(lockfd_directory); + } + + delete_run_files(getpid()); + atexit(clear_atexit); EUID_USER(); - //check if the parent is sshd daemon + // check if the parent is sshd daemon int parent_sshd = 0; { pid_t ppid = getppid(); @@ -1161,7 +1116,7 @@ int main(int argc, char **argv, char **envp) { #ifdef DEBUG_RESTRICTED_SHELL {EUID_ROOT(); - FILE *fp = fopen("/firelog", "w"); + FILE *fp = fopen("/firelog", "we"); if (fp) { int i; fprintf(fp, "argc %d: ", argc); 
@@ -1180,7 +1135,7 @@ int main(int argc, char **argv, char **envp) { strncmp(argv[2], "scp ", 4) == 0) { #ifdef DEBUG_RESTRICTED_SHELL {EUID_ROOT(); - FILE *fp = fopen("/firelog", "a"); + FILE *fp = fopen("/firelog", "ae"); if (fp) { fprintf(fp, "run without a sandbox\n"); fclose(fp); @@ -1190,6 +1145,9 @@ int main(int argc, char **argv, char **envp) { drop_privs(1); umask(orig_umask); + + // restore original environment variables + env_apply_all(); int rv = system(argv[2]); exit(rv); } @@ -1201,7 +1159,8 @@ int main(int argc, char **argv, char **envp) { } EUID_ASSERT(); - // is this a login shell, or a command passed by sshd, insert command line options from /etc/firejail/login.users + // is this a login shell, or a command passed by sshd, + // insert command line options from /etc/firejail/login.users if (*argv[0] == '-' || parent_sshd) { if (argc == 1) login_shell = 1; @@ -1210,7 +1169,7 @@ int main(int argc, char **argv, char **envp) { #ifdef DEBUG_RESTRICTED_SHELL {EUID_ROOT(); - FILE *fp = fopen("/firelog", "a"); + FILE *fp = fopen("/firelog", "ae"); if (fp) { fprintf(fp, "fullargc %d: ", fullargc); int i; @@ -1232,7 +1191,7 @@ int main(int argc, char **argv, char **envp) { #ifdef DEBUG_RESTRICTED_SHELL {EUID_ROOT(); - FILE *fp = fopen("/firelog", "a"); + FILE *fp = fopen("/firelog", "ae"); if (fp) { fprintf(fp, "argc %d: ", argc); int i; 
@@ -1245,12 +1204,54 @@ int main(int argc, char **argv, char **envp) { #endif } } +#ifdef HAVE_OUTPUT else { // check --output option and execute it; check_output(argc, argv); // the function will not return if --output or --output-stderr option was found } +#endif EUID_ASSERT(); + // --ip=dhcp - we need access to /sbin and /usr/sbin directories in order to run ISC DHCP client (dhclient) + // these paths are disabled in disable-common.inc + if ((i = check_arg(argc, argv, "--ip", 0)) != 0) { + if (strncmp(argv[i] + 4, "=dhcp", 5) == 0) { + profile_add("noblacklist /sbin"); + profile_add("noblacklist /usr/sbin"); + } + } + + // process allow-debuggers + if (check_arg(argc, argv, "--allow-debuggers", 1)) { + // check kernel version + struct utsname u; + int rv = uname(&u); + if (rv != 0) + errExit("uname"); + int major; + int minor; + if (2 != sscanf(u.release, "%d.%d", &major, &minor)) { + fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version); + exit(1); + } + if (major < 4 || (major == 4 && minor < 8)) { + fprintf(stderr, "Error: --allow-debuggers is disabled on Linux kernels prior to 4.8. " + "A bug in ptrace call allows a full bypass of the seccomp filter. " + "Your current kernel version is %d.%d.\n", major, minor); + exit(1); + } + + arg_allow_debuggers = 1; + char *cmd = strdup("noblacklist ${PATH}/strace"); + if (!cmd) + errExit("strdup"); + profile_add(cmd); + } + + // for appimages we need to remove "include disable-shell.inc from the profile + // a --profile command can show up before --appimage + if (check_arg(argc, argv, "--appimage", 1)) + arg_appimage = 1; // check for force-nonewprivs in /etc/firejail/firejail.config file if (checkcfg(CFG_FORCE_NONEWPRIVS)) 
@@ -1260,8 +1261,10 @@ int main(int argc, char **argv, char **envp) { for (i = 1; i < argc; i++) { run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized - if (strcmp(argv[i], "--debug") == 0 && !arg_quiet) + if (strcmp(argv[i], "--debug") == 0) { arg_debug = 1; + arg_quiet = 0; + } else if (strcmp(argv[i], "--debug-blacklists") == 0) arg_debug_blacklists = 1; else if (strcmp(argv[i], "--debug-whitelists") == 0) @@ -1269,8 +1272,8 @@ int main(int argc, char **argv, char **envp) { else if (strcmp(argv[i], "--debug-private-lib") == 0) arg_debug_private_lib = 1; else if (strcmp(argv[i], "--quiet") == 0) { - arg_quiet = 1; - arg_debug = 0; + if (!arg_debug) + arg_quiet = 1; } else if (strcmp(argv[i], "--allow-debuggers") == 0) { // already handled @@ -1296,18 +1299,12 @@ int main(int argc, char **argv, char **envp) { else if (strcmp(argv[i], "--apparmor") == 0) arg_apparmor = 1; #endif -#ifdef HAVE_SECCOMP else if (strncmp(argv[i], "--protocol=", 11) == 0) { if (checkcfg(CFG_SECCOMP)) { - if (cfg.protocol) { - fwarning("two protocol lists are present, \"%s\" will be installed\n", cfg.protocol); - } - else { - // store list - cfg.protocol = strdup(argv[i] + 11); - if (!cfg.protocol) - errExit("strdup"); - } + const char *add = argv[i] + 11; + profile_list_augment(&cfg.protocol, add); + if (arg_debug) + fprintf(stderr, "[option] combined protocol list: \"%s\"\n", cfg.protocol); } else exit_err_feature("seccomp"); @@ -1418,6 +1415,8 @@ int main(int argc, char **argv, char **envp) { if (config_seccomp_error_action == -1) { if (strcmp(argv[i] + 23, "kill") == 0) arg_seccomp_error_action = SECCOMP_RET_KILL; + else if (strcmp(argv[i] + 23, "log") == 0) + arg_seccomp_error_action = SECCOMP_RET_LOG; else { arg_seccomp_error_action = errno_find_name(argv[i] + 23); if (arg_seccomp_error_action == -1) 
@@ -1432,7 +1431,6 @@ int main(int argc, char **argv, char **envp) { } else exit_err_feature("seccomp"); } -#endif else if (strcmp(argv[i], "--caps") == 0) { arg_caps_default_filter = 1; arg_caps_cmdline = 1; @@ -1497,8 +1495,11 @@ int main(int argc, char **argv, char **envp) { arg_rlimit_nproc = 1; } else if (strncmp(argv[i], "--rlimit-fsize=", 15) == 0) { - check_unsigned(argv[i] + 15, "Error: invalid rlimit"); - sscanf(argv[i] + 15, "%llu", &cfg.rlimit_fsize); + cfg.rlimit_fsize = parse_arg_size(argv[i] + 15); + if (cfg.rlimit_fsize == 0) { + perror("Error: invalid rlimit-fsize. Only use positive numbers and k, m or g suffix."); + exit(1); + } arg_rlimit_fsize = 1; } else if (strncmp(argv[i], "--rlimit-sigpending=", 20) == 0) { @@ -1507,8 +1508,11 @@ int main(int argc, char **argv, char **envp) { arg_rlimit_sigpending = 1; } else if (strncmp(argv[i], "--rlimit-as=", 12) == 0) { - check_unsigned(argv[i] + 12, "Error: invalid rlimit"); - sscanf(argv[i] + 12, "%llu", &cfg.rlimit_as); + cfg.rlimit_as = parse_arg_size(argv[i] + 12); + if (cfg.rlimit_as == 0) { + perror("Error: invalid rlimit-as. Only use positive numbers and k, m or g suffix."); + exit(1); + } arg_rlimit_as = 1; } else if (strncmp(argv[i], "--ipc-namespace", 15) == 0) @@ -1563,6 +1567,8 @@ int main(int argc, char **argv, char **envp) { profile_check_line(line, 0, NULL); // will exit if something wrong profile_add(line); } + + // blacklist/deny else if (strncmp(argv[i], "--blacklist=", 12) == 0) { char *line; if (asprintf(&line, "blacklist %s", argv[i] + 12) == -1) 
@@ -1571,6 +1577,14 @@ int main(int argc, char **argv, char **envp) { profile_check_line(line, 0, NULL); // will exit if something wrong profile_add(line); } + else if (strncmp(argv[i], "--deny=", 7) == 0) { + char *line; + if (asprintf(&line, "blacklist %s", argv[i] + 7) == -1) + errExit("asprintf"); + + profile_check_line(line, 0, NULL); // will exit if something wrong + profile_add(line); + } else if (strncmp(argv[i], "--noblacklist=", 14) == 0) { char *line; if (asprintf(&line, "noblacklist %s", argv[i] + 14) == -1) @@ -1579,19 +1593,31 @@ int main(int argc, char **argv, char **envp) { profile_check_line(line, 0, NULL); // will exit if something wrong profile_add(line); } + else if (strncmp(argv[i], "--nodeny=", 9) == 0) { + char *line; + if (asprintf(&line, "noblacklist %s", argv[i] + 9) == -1) + errExit("asprintf"); + + profile_check_line(line, 0, NULL); // will exit if something wrong + profile_add(line); + } -#ifdef HAVE_WHITELIST + // whitelist else if (strncmp(argv[i], "--whitelist=", 12) == 0) { - if (checkcfg(CFG_WHITELIST)) { - char *line; - if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1) - errExit("asprintf"); + char *line; + if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1) + errExit("asprintf"); - profile_check_line(line, 0, NULL); // will exit if something wrong - profile_add(line); - } - else - exit_err_feature("whitelist"); + profile_check_line(line, 0, NULL); // will exit if something wrong + profile_add(line); + } + else if (strncmp(argv[i], "--allow=", 8) == 0) { + char *line; + if (asprintf(&line, "whitelist %s", argv[i] + 8) == -1) + errExit("asprintf"); + + profile_check_line(line, 0, NULL); // will exit if something wrong + profile_add(line); } else if (strncmp(argv[i], "--nowhitelist=", 14) == 0) { char *line; 
@@ -1601,8 +1627,36 @@ int main(int argc, char **argv, char **envp) { profile_check_line(line, 0, NULL); // will exit if something wrong profile_add(line); } -#endif + else if (strncmp(argv[i], "--noallow=", 10) == 0) { + char *line; + if (asprintf(&line, "nowhitelist %s", argv[i] + 10) == -1) + errExit("asprintf"); + + profile_check_line(line, 0, NULL); // will exit if something wrong + profile_add(line); + } + + else if (strncmp(argv[i], "--mkdir=", 8) == 0) { + char *line; + if (asprintf(&line, "mkdir %s", argv[i] + 8) == -1) + errExit("asprintf"); + /* Note: Applied both immediately in profile_check_line() + * and later on via fs_blacklist(). + */ + profile_check_line(line, 0, NULL); + profile_add(line); + } + else if (strncmp(argv[i], "--mkfile=", 9) == 0) { + char *line; + if (asprintf(&line, "mkfile %s", argv[i] + 9) == -1) + errExit("asprintf"); + /* Note: Applied both immediately in profile_check_line() + * and later on via fs_blacklist(). + */ + profile_check_line(line, 0, NULL); + profile_add(line); + } else if (strncmp(argv[i], "--read-only=", 12) == 0) { char *line; if (asprintf(&line, "read-only %s", argv[i] + 12) == -1) @@ -1743,6 +1797,34 @@ int main(int argc, char **argv, char **envp) { } } #endif + else if (strncmp(argv[i], "--include=", 10) == 0) { + char *ppath = expand_macros(argv[i] + 10); + if (!ppath) + errExit("strdup"); + + char *ptr = ppath; + while (*ptr != '/' && *ptr != '\0') + ptr++; + if (*ptr == '\0') { + if (access(ppath, R_OK)) { + profile_read(ppath); + } + else { + // ppath contains no '/' and is not a local file, assume it's a name + int rv = profile_find_firejail(ppath, 0); + if (!rv) { + fprintf(stderr, "Error: no profile with name \"%s\" found.\n", ppath); + exit(1); + } + } + } + else { + // ppath contains a '/', assume it's a path + profile_read(ppath); + } + + free(ppath); + } else if (strncmp(argv[i], "--profile=", 10) == 0) { // multiple profile files are allowed! 
@@ -1794,6 +1876,8 @@ int main(int argc, char **argv, char **envp) { exit(1); } arg_noprofile = 1; + // force keep-config-pulse in order to keep ~/.config/pulse as is + arg_keep_config_pulse = 1; } else if (strncmp(argv[i], "--ignore=", 9) == 0) { if (custom_profile) { @@ -1844,6 +1928,9 @@ int main(int argc, char **argv, char **envp) { } arg_writable_etc = 1; } + else if (strcmp(argv[i], "--keep-config-pulse") == 0) { + arg_keep_config_pulse = 1; + } else if (strcmp(argv[i], "--writable-var") == 0) { arg_writable_var = 1; } 
@@ -1914,61 +2001,77 @@ int main(int argc, char **argv, char **envp) { arg_keep_dev_shm = 1; } else if (strncmp(argv[i], "--private-etc=", 14) == 0) { - if (arg_writable_etc) { - fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n"); - exit(1); - } + if (checkcfg(CFG_PRIVATE_ETC)) { + if (arg_writable_etc) { + fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n"); + exit(1); + } - // extract private etc list - if (*(argv[i] + 14) == '\0') { - fprintf(stderr, "Error: invalid private-etc option\n"); - exit(1); + // extract private etc list + if (*(argv[i] + 14) == '\0') { + fprintf(stderr, "Error: invalid private-etc option\n"); + exit(1); + } + if (cfg.etc_private_keep) { + if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, argv[i] + 14) < 0 ) + errExit("asprintf"); + } else + cfg.etc_private_keep = argv[i] + 14; + arg_private_etc = 1; } - if (cfg.etc_private_keep) { - if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, argv[i] + 14) < 0 ) - errExit("asprintf"); - } else - cfg.etc_private_keep = argv[i] + 14; - arg_private_etc = 1; + else + exit_err_feature("private-etc"); } else if (strncmp(argv[i], "--private-opt=", 14) == 0) { - // extract private opt list - if (*(argv[i] + 14) == '\0') { - fprintf(stderr, "Error: invalid private-opt option\n"); - exit(1); + if (checkcfg(CFG_PRIVATE_OPT)) { + // extract private opt list + if (*(argv[i] + 14) == '\0') { + fprintf(stderr, "Error: invalid private-opt option\n"); + exit(1); + } + if (cfg.opt_private_keep) { + if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, argv[i] + 14) < 0 ) + errExit("asprintf"); + } else + cfg.opt_private_keep = argv[i] + 14; + arg_private_opt = 1; } - if (cfg.opt_private_keep) { - if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, argv[i] + 14) < 0 ) - errExit("asprintf"); - } else - cfg.opt_private_keep = argv[i] + 14; - arg_private_opt = 1; + else + 
exit_err_feature("private-opt"); } else if (strncmp(argv[i], "--private-srv=", 14) == 0) { - // extract private srv list - if (*(argv[i] + 14) == '\0') { - fprintf(stderr, "Error: invalid private-srv option\n"); - exit(1); + if (checkcfg(CFG_PRIVATE_SRV)) { + // extract private srv list + if (*(argv[i] + 14) == '\0') { + fprintf(stderr, "Error: invalid private-srv option\n"); + exit(1); + } + if (cfg.srv_private_keep) { + if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, argv[i] + 14) < 0 ) + errExit("asprintf"); + } else + cfg.srv_private_keep = argv[i] + 14; + arg_private_srv = 1; } - if (cfg.srv_private_keep) { - if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, argv[i] + 14) < 0 ) - errExit("asprintf"); - } else - cfg.srv_private_keep = argv[i] + 14; - arg_private_srv = 1; + else + exit_err_feature("private-srv"); } else if (strncmp(argv[i], "--private-bin=", 14) == 0) { - // extract private bin list - if (*(argv[i] + 14) == '\0') { - fprintf(stderr, "Error: invalid private-bin option\n"); - exit(1); + if (checkcfg(CFG_PRIVATE_BIN)) { + // extract private bin list + if (*(argv[i] + 14) == '\0') { + fprintf(stderr, "Error: invalid private-bin option\n"); + exit(1); + } + if (cfg.bin_private_keep) { + if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, argv[i] + 14) < 0 ) + errExit("asprintf"); + } else + cfg.bin_private_keep = argv[i] + 14; + arg_private_bin = 1; } - if (cfg.bin_private_keep) { - if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, argv[i] + 14) < 0 ) - errExit("asprintf"); - } else - cfg.bin_private_keep = argv[i] + 14; - arg_private_bin = 1; + else + exit_err_feature("private-bin"); } else if (strncmp(argv[i], "--private-lib", 13) == 0) { if (checkcfg(CFG_PRIVATE_LIB)) { 
@@ -1988,12 +2091,14 @@ int main(int argc, char **argv, char **envp) { else if (strcmp(argv[i], "--private-tmp") == 0) { arg_private_tmp = 1; } +#ifdef HAVE_USERTMPFS else if (strcmp(argv[i], "--private-cache") == 0) { if (checkcfg(CFG_PRIVATE_CACHE)) arg_private_cache = 1; else exit_err_feature("private-cache"); } +#endif else if (strcmp(argv[i], "--private-cwd") == 0) { cfg.cwd = NULL; arg_private_cwd = 1; @@ -2044,7 +2149,7 @@ int main(int argc, char **argv, char **envp) { else if (strcmp(argv[i], "--nosound") == 0) arg_nosound = 1; else if (strcmp(argv[i], "--noautopulse") == 0) - arg_noautopulse = 1; + arg_keep_config_pulse = 1; else if (strcmp(argv[i], "--novideo") == 0) arg_novideo = 1; else if (strcmp(argv[i], "--no3d") == 0) 
@@ -2055,24 +2160,43 @@ int main(int argc, char **argv, char **envp) { arg_nodvd = 1; else if (strcmp(argv[i], "--nou2f") == 0) arg_nou2f = 1; + else if (strcmp(argv[i], "--noinput") == 0) + arg_noinput = 1; else if (strcmp(argv[i], "--nodbus") == 0) { arg_dbus_user = DBUS_POLICY_BLOCK; arg_dbus_system = DBUS_POLICY_BLOCK; } + + //************************************* + // D-BUS proxy + //************************************* +#ifdef HAVE_DBUSPROXY else if (strncmp("--dbus-user=", argv[i], 12) == 0) { if (strcmp("filter", argv[i] + 12) == 0) { if (arg_dbus_user == DBUS_POLICY_BLOCK) { - fprintf(stderr, "Error: Cannot relax --dbus-user policy, it is already set to block\n"); - exit(1); + fprintf(stderr, "Warning: Cannot relax --dbus-user policy, it is already set to block\n"); + } else { + arg_dbus_user = DBUS_POLICY_FILTER; } - arg_dbus_user = DBUS_POLICY_FILTER; } else if (strcmp("none", argv[i] + 12) == 0) { + if (arg_dbus_log_user) { + fprintf(stderr, "Error: --dbus-user.log requires --dbus-user=filter\n"); + exit(1); + } arg_dbus_user = DBUS_POLICY_BLOCK; } else { fprintf(stderr, "Unknown dbus-user policy: %s\n", argv[i] + 12); exit(1); } } + else if (strncmp(argv[i], "--dbus-user.see=", 16) == 0) { + char *line; + if (asprintf(&line, "dbus-user.see %s", argv[i] + 16) == -1) + errExit("asprintf"); + + profile_check_line(line, 0, NULL); // will exit if something wrong + profile_add(line); + } else if (strncmp(argv[i], "--dbus-user.talk=", 17) == 0) { char *line; if (asprintf(&line, "dbus-user.talk %s", argv[i] + 17) == -1) 
@@ -2089,20 +2213,48 @@ int main(int argc, char **argv, char **envp) { profile_check_line(line, 0, NULL); // will exit if something wrong profile_add(line); } + else if (strncmp(argv[i], "--dbus-user.call=", 17) == 0) { + char *line; + if (asprintf(&line, "dbus-user.call %s", argv[i] + 17) == -1) + errExit("asprintf"); + + profile_check_line(line, 0, NULL); // will exit if something wrong + profile_add(line); + } + else if (strncmp(argv[i], "--dbus-user.broadcast=", 22) == 0) { + char *line; + if (asprintf(&line, "dbus-user.broadcast %s", argv[i] + 22) == -1) + errExit("asprintf"); + + profile_check_line(line, 0, NULL); // will exit if something wrong + profile_add(line); + } else if (strncmp("--dbus-system=", argv[i], 14) == 0) { if (strcmp("filter", argv[i] + 14) == 0) { if (arg_dbus_system == DBUS_POLICY_BLOCK) { - fprintf(stderr, "Error: Cannot relax --dbus-system policy, it is already set to block\n"); - exit(1); + fprintf(stderr, "Warning: Cannot relax --dbus-system policy, it is already set to block\n"); + } else { + arg_dbus_system = DBUS_POLICY_FILTER; } - arg_dbus_system = DBUS_POLICY_FILTER; } else if (strcmp("none", argv[i] + 14) == 0) { + if (arg_dbus_log_system) { + fprintf(stderr, "Error: --dbus-system.log requires --dbus-system=filter\n"); + exit(1); + } arg_dbus_system = DBUS_POLICY_BLOCK; } else { fprintf(stderr, "Unknown dbus-system policy: %s\n", argv[i] + 14); exit(1); } } + else if (strncmp(argv[i], "--dbus-system.see=", 18) == 0) { + char *line; + if (asprintf(&line, "dbus-system.see %s", argv[i] + 18) == -1) + errExit("asprintf"); + + profile_check_line(line, 0, NULL); // will exit if something wrong + profile_add(line); + } else if (strncmp(argv[i], "--dbus-system.talk=", 19) == 0) { char *line; if (asprintf(&line, "dbus-system.talk %s", argv[i] + 19) == -1) 
@@ -2119,6 +2271,44 @@ int main(int argc, char **argv, char **envp) { profile_check_line(line, 0, NULL); // will exit if something wrong profile_add(line); } + else if (strncmp(argv[i], "--dbus-system.call=", 19) == 0) { + char *line; + if (asprintf(&line, "dbus-system.call %s", argv[i] + 19) == -1) + errExit("asprintf"); + + profile_check_line(line, 0, NULL); // will exit if something wrong + profile_add(line); + } + else if (strncmp(argv[i], "--dbus-system.broadcast=", 24) == 0) { + char *line; + if (asprintf(&line, "dbus-system.broadcast %s", argv[i] + 24) == -1) + errExit("asprintf"); + + profile_check_line(line, 0, NULL); // will exit if something wrong + profile_add(line); + } + else if (strncmp(argv[i], "--dbus-log=", 11) == 0) { + if (arg_dbus_log_file != NULL) { + fprintf(stderr, "Error: --dbus-log option already specified\n"); + exit(1); + } + arg_dbus_log_file = argv[i] + 11; + } + else if (strcmp(argv[i], "--dbus-user.log") == 0) { + if (arg_dbus_user != DBUS_POLICY_FILTER) { + fprintf(stderr, "Error: --dbus-user.log requires --dbus-user=filter\n"); + exit(1); + } + arg_dbus_log_user = 1; + } + else if (strcmp(argv[i], "--dbus-system.log") == 0) { + if (arg_dbus_system != DBUS_POLICY_FILTER) { + fprintf(stderr, "Error: --dbus-system.log requires --dbus-system=filter\n"); + exit(1); + } + arg_dbus_log_system = 1; + } +#endif //************************************* // network @@ -2301,6 +2491,13 @@ int main(int argc, char **argv, char **envp) { fprintf(stderr, "Error: invalid MAC address\n"); exit(1); } + + // check multicast address + if (br->macsandbox[0] & 1) { + fprintf(stderr, "Error: invalid MAC address (multicast)\n"); + exit(1); + } + } else exit_err_feature("networking"); 
@@ -2485,28 +2682,9 @@ int main(int argc, char **argv, char **envp) { //************************************* else if (strncmp(argv[i], "--timeout=", 10) == 0) cfg.timeout = extract_timeout(argv[i] + 10); - else if (strcmp(argv[i], "--audit") == 0) { - arg_audit_prog = LIBDIR "/firejail/faudit"; - arg_audit = 1; - } - else if (strncmp(argv[i], "--audit=", 8) == 0) { - if (strlen(argv[i] + 8) == 0) { - fprintf(stderr, "Error: invalid audit program\n"); - exit(1); - } - arg_audit_prog = strdup(argv[i] + 8); - if (!arg_audit_prog) - errExit("strdup"); - - struct stat s; - if (stat(arg_audit_prog, &s) != 0) { - fprintf(stderr, "Error: cannot find the audit program %s\n", arg_audit_prog); - exit(1); - } - arg_audit = 1; + else if (strcmp(argv[i], "--appimage") == 0) { + // already handled } - else if (strcmp(argv[i], "--appimage") == 0) - arg_appimage = 1; else if (strcmp(argv[i], "--shell=none") == 0) { arg_shell_none = 1; if (cfg.shell) { @@ -2681,7 +2859,12 @@ int main(int argc, char **argv, char **envp) { // build the sandbox command if (prog_index == -1 && cfg.shell) { - cfg.command_line = cfg.shell; + assert(cfg.command_line == NULL); // runs cfg.shell + if (arg_appimage) { + fprintf(stderr, "Error: no appimage archive specified\n"); + exit(1); + } + cfg.window_title = cfg.shell; cfg.command_name = cfg.shell; } 
@@ -2689,10 +2872,11 @@ int main(int argc, char **argv, char **envp) { if (arg_debug) printf("Configuring appimage environment\n"); appimage_set(cfg.command_name); - build_appimage_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index, cfg.command_line); + build_appimage_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index, true); } else { - build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index); + // Only add extra quotes if we were not launched by sshd. + build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index, !parent_sshd); } /* else { fprintf(stderr, "Error: command must be specified when --shell=none used.\n"); @@ -2706,7 +2890,13 @@ int main(int argc, char **argv, char **envp) { // load the profile if (!arg_noprofile && !custom_profile) { - custom_profile = profile_find_firejail(cfg.command_name, 1); + if (arg_appimage) { + custom_profile = appimage_find_profile(cfg.command_name); + // disable shell=* for appimages + arg_shell_none = 0; + } + else + custom_profile = profile_find_firejail(cfg.command_name, 1); } // use default.profile as the default @@ -2720,7 +2910,7 @@ int main(int argc, char **argv, char **envp) { custom_profile = profile_find_firejail(profile_name, 1); if (!custom_profile) { - fprintf(stderr, "Error: no default.profile installed\n"); + fprintf(stderr, "Error: no %s installed\n", profile_name); exit(1); } 
@@ -2736,10 +2926,18 @@ int main(int argc, char **argv, char **envp) { // check network configuration options - it will exit if anything went wrong net_check_cfg(); -#ifdef HAVE_SECCOMP + // customization of default seccomp filter + if (config_seccomp_filter_add) { + if (arg_seccomp && !cfg.seccomp_list_keep && !cfg.seccomp_list_drop) + profile_list_augment(&cfg.seccomp_list, config_seccomp_filter_add); + + if (arg_seccomp32 && !cfg.seccomp_list_keep32 && !cfg.seccomp_list_drop32) + profile_list_augment(&cfg.seccomp_list32, config_seccomp_filter_add); + } + if (arg_seccomp) arg_seccomp_postexec = check_postexec(cfg.seccomp_list) || check_postexec(cfg.seccomp_list_drop); -#endif + bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec; if (need_preload && (cfg.seccomp_list32 || cfg.seccomp_list_drop32 || cfg.seccomp_list_keep32)) fwarning("preload libraries (trace, tracelog, postexecseccomp due to seccomp.drop=execve etc.) are incompatible with 32 bit filters\n"); @@ -2747,7 +2945,7 @@ int main(int argc, char **argv, char **envp) { // check and assign an IP address - for macvlan it will be done again in the sandbox! if (any_bridge_configured()) { EUID_ROOT(); - lockfd_network = open(RUN_NETWORK_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR); + lockfd_network = open(RUN_NETWORK_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR); if (lockfd_network != -1) { int rv = fchown(lockfd_network, 0, 0); (void) rv; @@ -2769,12 +2967,6 @@ int main(int argc, char **argv, char **envp) { } EUID_ASSERT(); - // create the parent-child communication pipe - if (pipe(parent_to_child_fds) < 0) - errExit("pipe"); - if (pipe(child_to_parent_fds) < 0) - errExit("pipe"); - if (arg_noroot && arg_overlay) { fwarning("--overlay and --noroot are mutually exclusive, noroot disabled\n"); arg_noroot = 0; 
@@ -2787,7 +2979,7 @@ int main(int argc, char **argv, char **envp) { // set name and x11 run files EUID_ROOT(); - lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR); + lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR); if (lockfd_directory != -1) { int rv = fchown(lockfd_directory, 0, 0); (void) rv; @@ -2804,6 +2996,7 @@ int main(int argc, char **argv, char **envp) { } EUID_USER(); +#ifdef HAVE_DBUSPROXY if (checkcfg(CFG_DBUS)) { dbus_check_profile(); if (arg_dbus_user == DBUS_POLICY_FILTER || @@ -2813,6 +3006,13 @@ int main(int argc, char **argv, char **envp) { EUID_USER(); } } +#endif + + // create the parent-child communication pipe + if (pipe2(parent_to_child_fds, O_CLOEXEC) < 0) + errExit("pipe"); + if (pipe2(child_to_parent_fds, O_CLOEXEC) < 0) + errExit("pipe"); // clone environment int flags = CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD; @@ -2870,9 +3070,9 @@ int main(int argc, char **argv, char **envp) { network_main(child); if (arg_debug) printf("Host network configured\n"); -#ifdef HAVE_GCOV + __gcov_flush(); -#endif + _exit(0); } @@ -2923,8 +3123,15 @@ int main(int argc, char **argv, char **envp) { ptr += strlen(ptr); if (!arg_nogroups) { + // add firejail group + gid_t g = get_group_id("firejail"); + if (g) { + sprintf(ptr, "%d %d 1\n", g, g); + ptr += strlen(ptr); + } + // add tty group - gid_t g = get_group_id("tty"); + g = get_group_id("tty"); if (g) { sprintf(ptr, "%d %d 1\n", g, g); ptr += strlen(ptr); 
@@ -2969,44 +3176,6 @@ int main(int argc, char **argv, char **envp) { } EUID_USER(); - -#ifdef POSTMORTEM - pm_child = fork(); - if (pm_child == -1) - fprintf(stderr, "Error: cannot start POSTMORTEM process\n"); - else if (pm_child == 0) { - // running --join as root - EUID_ROOT(); - int rv = setgroups(0, NULL); - rv |= setuid(0); - rv |= setgid(0); - if (rv) { - fprintf(stderr, "Error: cannot start POSTMORTEM process\n"); - exit(1); - } - - prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); -/*problem???*/ sleep(1); // we need to give the sandbox some time to start the namespaces - char *joincmd; - if (asprintf(&joincmd, "--join-network=%d", child) == -1) - errExit("asprintf"); - - // we join only the network ns, the filesystem is intact so we can find tcpdump - char *arg[] = { - "/usr/bin/firejail", - joincmd, - "/usr/sbin/tcpdump", - "-n", - "-q", - NULL - }; - execvp(arg[0], arg); - assert(0); -printf("**********************************\n"); - exit(1); - } -#endif - int status = 0; //***************************** // following code is signal-safe @@ -3024,25 +3193,36 @@ printf("**********************************\n"); // end of signal-safe code //***************************** +#if 0 +// at this point the sandbox was closed and we are on our way out +// it would make sense to move this before waitpid above to free some memory +// crash for now as of issue #3662 from dhcp code // free globals if (cfg.profile) { ProfileEntry *prf = cfg.profile; while (prf != NULL) { ProfileEntry *next = prf->next; - free(prf->data); - free(prf->link); +printf("data #%s#\n", prf->data); + if (prf->data) + free(prf->data); +printf("link #%s#\n", prf->link); + if (prf->link) + free(prf->link); free(prf); prf = next; } } +#endif + if (WIFEXITED(status)){ myexit(WEXITSTATUS(status)); } else if (WIFSIGNALED(status)) { - myexit(WTERMSIG(status)); + // distinguish fatal signals by adding 128 + myexit(128 + WTERMSIG(status)); } else { - myexit(0); + myexit(1); } - return 0; + return 1; } 
diff --git a/src/firejail/mountinfo.c b/src/firejail/mountinfo.c index 34d8d17001f..304f80eee46 100644 --- a/src/firejail/mountinfo.c +++ b/src/firejail/mountinfo.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -19,10 +19,11 @@ */ #include "firejail.h" +#include #include #ifndef O_PATH -# define O_PATH 010000000 +#define O_PATH 010000000 #endif #define MAX_BUF 4096 
@@ -151,50 +152,71 @@ MountData *get_last_mount(void) { return &mdata; } -// Extract the mount id from /proc/self/fdinfo and return it. -int get_mount_id(const char *path) { - assert(path); +// Returns mount id, or -1 if fd refers to a procfs or sysfs file +static int get_mount_id_from_handle(int fd) { + EUID_ASSERT(); + + char *proc; + if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) + errExit("asprintf"); + struct file_handle *fh = malloc(sizeof *fh); + if (!fh) + errExit("malloc"); + fh->handle_bytes = 0; + + int rv = -1; + int tmp; + if (name_to_handle_at(-1, proc, fh, &tmp, AT_SYMLINK_FOLLOW) != -1) { + fprintf(stderr, "Error: unexpected result from name_to_handle_at\n"); + exit(1); + } + if (errno == EOVERFLOW && fh->handle_bytes) + rv = tmp; + + free(proc); + free(fh); + return rv; +} - int fd = open(path, O_PATH|O_CLOEXEC); - if (fd == -1) - return -1; +// Returns mount id, or -1 on kernels < 3.15 +static int get_mount_id_from_fdinfo(int fd) { + EUID_ASSERT(); + int rv = -1; - char *fdinfo; - if (asprintf(&fdinfo, "/proc/self/fdinfo/%d", fd) == -1) + char *proc; + if (asprintf(&proc, "/proc/self/fdinfo/%d", fd) == -1) errExit("asprintf"); - FILE *fp = fopen(fdinfo, "re"); - free(fdinfo); + EUID_ROOT(); + FILE *fp = fopen(proc, "re"); + EUID_USER(); if (!fp) goto errexit; - // read the file char buf[MAX_BUF]; - if (fgets(buf, MAX_BUF, fp) == NULL) - goto errexit; - do { + while (fgets(buf, MAX_BUF, fp)) { if (strncmp(buf, "mnt_id:", 7) == 0) { - char *ptr = buf + 7; - while (*ptr != '\0' && (*ptr == ' ' || *ptr == '\t')) { - ptr++; - } - if (*ptr == '\0') + if (sscanf(buf + 7, "%d", &rv) != 1) goto errexit; - fclose(fp); - close(fd); - return atoi(ptr); + break; } - } while (fgets(buf, MAX_BUF, fp)); + } - // fallback, kernels older than 3.15 don't expose the mount id in this place + free(proc); fclose(fp); - close(fd); - return -2; + return rv; errexit: fprintf(stderr, "Error: cannot read proc file\n"); exit(1); } +int get_mount_id(int fd) { + int rv = 
get_mount_id_from_fdinfo(fd); + if (rv < 0) + rv = get_mount_id_from_handle(fd); + return rv; +} + // Check /proc/self/mountinfo if path contains any mounts points. // Returns an array that can be iterated over for recursive remounting. char **build_mount_array(const int mount_id, const char *path) { diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c index e0a2ce086af..fc79dddec9d 100644 --- a/src/firejail/netfilter.c +++ b/src/firejail/netfilter.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff --git a/src/firejail/netns.c b/src/firejail/netns.c index 104453376ac..b5d6fb63676 100644 --- a/src/firejail/netns.c +++ b/src/firejail/netns.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2020 Firejail Authors + * Copyright (C) 2020-2021 Firejail Authors * * This file is part of firejail project * @@ -60,7 +60,7 @@ void check_netns(const char *nsname) { nsname, control_file, strerror(errno)); exit(1); } - if (!S_ISREG(st.st_mode)) { + if (!S_ISREG(st.st_mode) && !S_ISLNK(st.st_mode)) { fprintf(stderr, "Error: invalid netns '%s' (%s: not a regular file)\n", nsname, control_file); exit(1); diff --git a/src/firejail/network.c b/src/firejail/network.c index aa05e3bd082..289e164c6a3 100644 --- a/src/firejail/network.c +++ b/src/firejail/network.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -183,7 +183,6 @@ int net_add_route(uint32_t ip, uint32_t mask, uint32_t gw) { int sock; struct rtentry route; struct sockaddr_in *addr; - int err = 0; // create the socket if((sock = socket(AF_INET, SOCK_DGRAM, 0)) < 0) 
@@ -205,7 +204,7 @@ int net_add_route(uint32_t ip, uint32_t mask, uint32_t gw) { route.rt_flags = RTF_UP | RTF_GATEWAY; route.rt_metric = 0; - if ((err = ioctl(sock, SIOCADDRT, &route)) != 0) { + if (ioctl(sock, SIOCADDRT, &route) != 0) { close(sock); return -1; } @@ -218,7 +217,7 @@ int net_add_route(uint32_t ip, uint32_t mask, uint32_t gw) { #define BUFSIZE 1024 uint32_t network_get_defaultgw(void) { - FILE *fp = fopen("/proc/self/net/route", "r"); + FILE *fp = fopen("/proc/self/net/route", "re"); if (!fp) errExit("fopen"); diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c index 85896e52826..d3e75bbedd8 100644 --- a/src/firejail/network_main.c +++ b/src/firejail/network_main.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -120,7 +120,7 @@ void net_configure_sandbox_ip(Bridge *br) { // check network range char *rv = in_netrange(br->ipsandbox, br->ip, br->mask); if (rv) { - fprintf(stderr, "%s", rv); + fprintf(stderr, "%s\n", rv); exit(1); } // send an ARP request and check if there is anybody on this IP address @@ -292,7 +292,7 @@ void net_dns_print(pid_t pid) { errExit("chdir"); // access /etc/resolv.conf - FILE *fp = fopen("/etc/resolv.conf", "r"); + FILE *fp = fopen("/etc/resolv.conf", "re"); if (!fp) { fprintf(stderr, "Error: cannot access /etc/resolv.conf\n"); exit(1); diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index 01df77ee679..0e5562d90ba 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -20,6 +20,7 @@ #include "firejail.h" #include #include +#include #include #include 
@@ -41,13 +42,14 @@ int check_namespace_virt(void) { EUID_ASSERT(); // check container environment variable - char *str = getenv("container"); + const char *str = env_get("container"); if (str && is_container(str)) return 1; // check PID 1 container environment variable EUID_ROOT(); - FILE *fp = fopen("/proc/1/environ", "r"); + FILE *fp = fopen("/proc/1/environ", "re"); + EUID_USER(); if (fp) { int c = 0; while (c != EOF) { @@ -68,7 +70,6 @@ int check_namespace_virt(void) { // found it if (is_container(buf + 10)) { fclose(fp); - EUID_USER(); return 1; } } @@ -78,7 +79,6 @@ int check_namespace_virt(void) { fclose(fp); } - EUID_USER(); return 0; } @@ -105,20 +105,15 @@ int check_kernel_procs(void) { // look at the first 10 processes // if a kernel process is found, return 1 for (i = 1; i <= 10; i++) { - struct stat s; char *fname; if (asprintf(&fname, "/proc/%d/comm", i) == -1) errExit("asprintf"); - if (stat(fname, &s) == -1) { - free(fname); - continue; - } // open file - /* coverity[toctou] */ - FILE *fp = fopen(fname, "r"); + FILE *fp = fopen(fname, "re"); if (!fp) { - fwarning("cannot open %s\n", fname); + if (errno != ENOENT) + fwarning("cannot open %s\n", fname); free(fname); continue; } 
@@ -168,29 +163,17 @@ void run_no_sandbox(int argc, char **argv) { errExit("setresuid"); // process limited subset of options + // and find first non option arg: + // - first argument not starting with --, + // - whatever follows after -c (example: firejail -c ls) + int prog_index = 0; int i; - for (i = 0; i < argc; i++) { + for (i = 1; i < argc; i++) { if (strcmp(argv[i], "--debug") == 0) arg_debug = 1; else if (strncmp(argv[i], "--shell=", 8) == 0) - fwarning("shell-related command line options are disregarded - using SHELL environment variable\n"); - } - - // use $SHELL to get shell used in sandbox, guess shell otherwise - cfg.shell = guess_shell(); - if (!cfg.shell) { - fprintf(stderr, "Error: unable to guess your shell, please set SHELL environment variable\n"); - exit(1); - } - else if (arg_debug) - printf("Selecting %s as shell\n", cfg.shell); - - int prog_index = 0; - // find first non option arg: - // - first argument not starting with --, - // - whatever follows after -c (example: firejail -c ls) - for (i = 1; i < argc; i++) { - if (strcmp(argv[i], "-c") == 0) { + fwarning("shell-related command line options are disregarded\n"); + else if (strcmp(argv[i], "-c") == 0) { prog_index = i + 1; if (prog_index == argc) { fprintf(stderr, "Error: option -c requires an argument\n"); 
@@ -199,36 +182,37 @@ void run_no_sandbox(int argc, char **argv) { break; } // check first argument not starting with -- - if (strncmp(argv[i],"--",2) != 0) { + else if (strncmp(argv[i],"--",2) != 0) { prog_index = i; break; } } - // if shell is /usr/bin/firejail, replace it with /bin/bash - if (strcmp(cfg.shell, PATH_FIREJAIL) == 0) { - cfg.shell = "/bin/bash"; - prog_index = 0; - } if (prog_index == 0) { - cfg.command_line = cfg.shell; + // got no command, require a shell and try to execute it + cfg.shell = guess_shell(); + if (!cfg.shell) { + fprintf(stderr, "Error: unable to guess your shell, please set SHELL environment variable\n"); + exit(1); + } + + assert(cfg.command_line == NULL); cfg.window_title = cfg.shell; } else { - build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index); + // this sandbox might not allow execution of a shell + // force --shell=none in order to not break firecfg symbolic links + arg_shell_none = 1; + + build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index, true); } + fwarning("an existing sandbox was detected. " + "%s will run without any additional sandboxing features\n", prog_index ? argv[prog_index] : cfg.shell); + cfg.original_argv = argv; cfg.original_program_index = prog_index; - char *command; - if (prog_index == 0) - command = cfg.shell; - else - command = argv[prog_index]; - fwarning("an existing sandbox was detected. " - "%s will run without any additional sandboxing features\n", command); - arg_quiet = 1; - start_application(1, NULL); + start_application(1, -1, NULL); } diff --git a/src/firejail/output.c b/src/firejail/output.c index d4a7f464afb..ce10ab15747 100644 --- a/src/firejail/output.c +++ b/src/firejail/output.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -22,6 +22,7 @@ #include #include +#ifdef HAVE_OUTPUT void check_output(int argc, char **argv) { EUID_ASSERT(); 
@@ -30,6 +31,12 @@ void check_output(int argc, char **argv) { int enable_stderr = 0; for (i = 1; i < argc; i++) { + if (strncmp(argv[i], "--", 2) != 0) { + return; + } + if (strcmp(argv[i], "--") == 0) { + return; + } if (strncmp(argv[i], "--output=", 9) == 0) { outindex = i; break; @@ -43,13 +50,21 @@ void check_output(int argc, char **argv) { if (!outindex) return; - - // check filename drop_privs(0); char *outfile = argv[outindex]; outfile += (enable_stderr)? 16:9; + + // check filename invalid_filename(outfile, 0); // no globbing + // expand user home directory + if (outfile[0] == '~') { + char *full; + if (asprintf(&full, "%s%s", cfg.homedir, outfile + 1) == -1) + errExit("asprintf"); + outfile = full; + } + // do not accept directories, links, and files with ".." if (strstr(outfile, "..") || is_link(outfile) || is_dir(outfile)) { fprintf(stderr, "Error: invalid output file. Links, directories and files with \"..\" are not allowed.\n"); 
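Review bot: the home-directory expansion in the second hunk rewrites every output file that begins with `~`, not just `~` or `~/...`: `~alice/log` becomes `<cfg.homedir>alice/log`, a different path from what the user asked for. Suggest expanding only when `outfile[1] == '/' || outfile[1] == '\0'` and rejecting other `~` forms. The expanded path is then fed to the `..`/is_link()/is_dir() checks, which is the correct order; keep it that way. The early `return` in the first hunk once a non-`--` argument (or a bare `--`) is seen is consistent with the argv copy loop later in this file, so `--output=` after the program name is treated as a program argument in both places.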
@@ -71,39 +86,76 @@ void check_output(int argc, char **argv) { } } - // build the new command line - int len = 0; - for (i = 0; i < argc; i++) { - len += strlen(argv[i]) + 1; // + ' ' + int pipefd[2]; + if (pipe(pipefd) == -1) { + errExit("pipe"); + } + + pid_t pid = fork(); + if (pid == -1) { + errExit("fork"); + } else if (pid == 0) { + /* child */ + if (dup2(pipefd[0], STDIN_FILENO) == -1) { + errExit("dup2"); + } + close(pipefd[1]); + if (pipefd[0] != STDIN_FILENO) { + close(pipefd[0]); + } + + // restore some environment variables + env_apply_whitelist_sbox(); + + char *args[3]; + args[0] = LIBDIR "/firejail/ftee"; + args[1] = outfile; + args[2] = NULL; + execv(args[0], args); + perror("execvp"); + exit(1); + } + + /* parent */ + if (dup2(pipefd[1], STDOUT_FILENO) == -1) { + errExit("dup2"); } - len += 100 + strlen(LIBDIR) + strlen(outfile); // tee command - - char *cmd = malloc(len + 1); // + '\0' - if (!cmd) - errExit("malloc"); - - char *ptr = cmd; - for (i = 0; i < argc; i++) { - if (strncmp(argv[i], "--output=", 9) == 0) - continue; - if (strncmp(argv[i], "--output-stderr=", 16) == 0) - continue; - ptr += sprintf(ptr, "%s ", argv[i]); + if (enable_stderr && dup2(STDOUT_FILENO, STDERR_FILENO) == -1) { + errExit("dup2"); + } + close(pipefd[0]); + if (pipefd[1] != STDOUT_FILENO) { + close(pipefd[1]); + } + + char **args = calloc(argc + 1, sizeof(char *)); + if (!args) { + errExit("calloc"); + } + bool found_separator = false; + /* copy argv into args, but drop --output(-stderr) arguments */ + int j; + for (i = 0, j = 0; i < argc; i++) { + if (!found_separator && i > 0) { + if (strncmp(argv[i], "--output=", 9) == 0) { + continue; + } + if (strncmp(argv[i], "--output-stderr=", 16) == 0) { + continue; + } + if (strncmp(argv[i], "--", 2) != 0 || strcmp(argv[i], "--") == 0) { + found_separator = true; + } + } + args[j++] = argv[i]; } - if (enable_stderr) - sprintf(ptr, "2>&1 | %s/firejail/ftee %s", LIBDIR, outfile); - else - sprintf(ptr, " | %s/firejail/ftee %s", 
LIBDIR, outfile); + // restore original environment variables + env_apply_all(); - // run command - char *a[4]; - a[0] = "/bin/bash"; - a[1] = "-c"; - a[2] = cmd; - a[3] = NULL; - execvp(a[0], a); + execvp(args[0], args); perror("execvp"); exit(1); } +#endif diff --git a/src/firejail/paths.c b/src/firejail/paths.c index f03d98e2907..d58a9d272d5 100644 --- a/src/firejail/paths.c +++ b/src/firejail/paths.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -26,13 +26,13 @@ static unsigned int longest_path_elt = 0; static char *elt = NULL; // moved from inside init_paths in order to get rid of scan-build warning static void init_paths(void) { - char *path = getenv("PATH"); + const char *env_path = env_get("PATH"); char *p; - if (!path) { - path = "/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin"; - setenv("PATH", path, 1); + if (!env_path) { + env_path = "/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin"; + env_store_name_val("PATH", env_path, SETENV); } - path = strdup(path); + char *path = strdup(env_path); if (!path) errExit("strdup"); @@ -45,6 +45,7 @@ static void init_paths(void) { paths = calloc(path_cnt, sizeof(char *)); if (!paths) errExit("calloc"); + memset(paths, 0, path_cnt * sizeof(char *)); // get rid of false positive error from GCC static analyzer // fill in 'paths' with pointers to elements of 'path' unsigned int i = 0, j; @@ -135,7 +136,7 @@ int program_in_path(const char *program) { // ('x' permission means something different for directories). // exec follows symlinks, so use stat, not lstat. struct stat st; - if (stat(scratch, &st)) { + if (stat_as_user(scratch, &st)) { perror(scratch); exit(1); } diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index c0b09e9454d..1aafd1ca20c 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c 
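Review bot: in the child branch of the fork, `execv(args[0], args)` is followed by `perror("execvp")`; the message should name execv and ideally the ftee path so a failed exec is diagnosable. Beyond that, replacing the `sprintf`-built `/bin/bash -c` pipeline with an explicit `pipe()`/`fork()`/`execv()` means `outfile` and the remaining argv entries are no longer passed through a shell, which removes the metacharacter problem the old string-building had, and `env_apply_whitelist_sbox()` in the child keeps ftee on a reduced environment while the parent restores the full one with `env_apply_all()` before its own `execvp`.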
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -103,7 +103,6 @@ void preproc_mount_mnt_dir(void) { if (arg_tracefile) fs_tracefile(); -#ifdef HAVE_SECCOMP create_empty_dir_as_root(RUN_SECCOMP_DIR, 0755); if (arg_seccomp_block_secondary) @@ -132,7 +131,6 @@ void preproc_mount_mnt_dir(void) { create_empty_file_as_root(RUN_SECCOMP_POSTEXEC_32, 0644); if (set_perms(RUN_SECCOMP_POSTEXEC_32, getuid(), getgid(), 0644)) errExit("set_perms"); -#endif } } @@ -166,7 +164,7 @@ void preproc_clean_run(void) { int max_pids=32769; int start_pid = 100; // extract real max_pids - FILE *fp = fopen("/proc/sys/kernel/pid_max", "r"); + FILE *fp = fopen("/proc/sys/kernel/pid_max", "re"); if (fp) { int val; if (fscanf(fp, "%d", &val) == 1) { diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 0be11990342..059100fcb99 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -18,10 +18,12 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include "firejail.h" +#include "../include/gcov_wrapper.h" #include "../include/seccomp.h" #include "../include/syscall.h" #include #include + extern char *xephyr_screen; #define MAX_READ 8192 // line buffer for profile files @@ -157,8 +159,12 @@ static int check_nosound(void) { return arg_nosound != 0; } +static int check_private(void) { + return arg_private; +} + static int check_x11(void) { - return (arg_x11_block || arg_x11_xorg || getenv("FIREJAIL_X11")); + return (arg_x11_block || arg_x11_xorg || env_get("FIREJAIL_X11")); } static int check_disable_u2f(void) { 
@@ -174,6 +180,7 @@ Cond conditionals[] = { {"HAS_NET", check_netoptions}, {"HAS_NODBUS", check_nodbus}, {"HAS_NOSOUND", check_nosound}, + {"HAS_PRIVATE", check_private}, {"HAS_X11", check_x11}, {"BROWSER_DISABLE_U2F", check_disable_u2f}, {"BROWSER_ALLOW_DRM", check_allow_drm}, @@ -327,12 +334,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { return 0; } else if (strcmp(ptr, "seccomp") == 0) { -#ifdef HAVE_SECCOMP if (checkcfg(CFG_SECCOMP)) arg_seccomp = 1; else warning_feature_disabled("seccomp"); -#endif return 0; } else if (strcmp(ptr, "caps") == 0) { @@ -385,10 +390,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { return 0; } else if (strcmp(ptr, "private-cache") == 0) { +#ifdef HAVE_USERTMPFS if (checkcfg(CFG_PRIVATE_CACHE)) arg_private_cache = 1; else warning_feature_disabled("private-cache"); +#endif return 0; } else if (strcmp(ptr, "private-dev") == 0) { @@ -404,7 +411,13 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { return 0; } else if (strcmp(ptr, "nogroups") == 0) { - arg_nogroups = 1; + // nvidia cards require video group; disable nogroups + if (access("/dev/nvidiactl", R_OK) == 0 && arg_no3d == 0) { + fwarning("Warning: NVIDIA card detected, nogroups command disabled\n"); + arg_nogroups = 0; + } + else + arg_nogroups = 1; return 0; } else if (strcmp(ptr, "nosound") == 0) { @@ -412,7 +425,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { return 0; } else if (strcmp(ptr, "noautopulse") == 0) { - arg_noautopulse = 1; + arg_keep_config_pulse = 1; return 0; } else if (strcmp(ptr, "notv") == 0) { 
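Review bot: the `nogroups` branch decides at parse time using `arg_no3d == 0`, so a profile that lists `nogroups` before `no3d` has nogroups disabled even though 3D is blocked a few lines later; the outcome depends on directive order. Suggest recording the request here and making the NVIDIA decision after the whole profile is read. Also, this silently weakens a hardening directive the profile author asked for, with only an fwarning() that is suppressed under quiet; at minimum the warning should not be subject to quiet.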
@@ -431,69 +444,149 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { arg_no3d = 1; return 0; } + else if (strcmp(ptr, "noinput") == 0) { + arg_noinput = 1; + return 0; + } else if (strcmp(ptr, "nodbus") == 0) { +#ifdef HAVE_DBUSPROXY arg_dbus_user = DBUS_POLICY_BLOCK; arg_dbus_system = DBUS_POLICY_BLOCK; +#endif return 0; } else if (strncmp("dbus-user ", ptr, 10) == 0) { +#ifdef HAVE_DBUSPROXY ptr += 10; if (strcmp("filter", ptr) == 0) { if (arg_dbus_user == DBUS_POLICY_BLOCK) { fprintf(stderr, "Error: Cannot relax dbus-user policy, it is already set to block\n"); - exit(1); + } else { + arg_dbus_user = DBUS_POLICY_FILTER; } - arg_dbus_user = DBUS_POLICY_FILTER; } else if (strcmp("none", ptr) == 0) { + if (arg_dbus_log_user) { + fprintf(stderr, "Error: --dbus-user.log requires --dbus-user=filter\n"); + exit(1); + } arg_dbus_user = DBUS_POLICY_BLOCK; } else { fprintf(stderr, "Unknown dbus-user policy: %s\n", ptr); exit(1); } +#endif return 0; } + else if (strncmp(ptr, "dbus-user.see ", 14) == 0) { +#ifdef HAVE_DBUSPROXY + if (!dbus_check_name(ptr + 14)) { + fprintf(stderr, "Invalid dbus-user.see name: %s\n", ptr + 15); + exit(1); + } +#endif + return 1; + } else if (strncmp(ptr, "dbus-user.talk ", 15) == 0) { +#ifdef HAVE_DBUSPROXY if (!dbus_check_name(ptr + 15)) { - printf("Invalid dbus-user.talk name: %s\n", ptr + 15); + fprintf(stderr, "Error: Invalid dbus-user.talk name: %s\n", ptr + 15); exit(1); } +#endif return 1; } else if (strncmp(ptr, "dbus-user.own ", 14) == 0) { +#ifdef HAVE_DBUSPROXY if (!dbus_check_name(ptr + 14)) { - fprintf(stderr, "Invalid dbus-user.own name: %s\n", ptr + 14); + fprintf(stderr, "Error: Invalid dbus-user.own name: %s\n", ptr + 14); exit(1); } +#endif + return 1; + } + else if (strncmp(ptr, "dbus-user.call ", 15) == 0) { +#ifdef HAVE_DBUSPROXY + if (!dbus_check_call_rule(ptr + 15)) { + fprintf(stderr, "Error: Invalid dbus-user.call rule: %s\n", ptr + 15); + exit(1); + } +#endif + return 1; + } + else if 
(strncmp(ptr, "dbus-user.broadcast ", 20) == 0) { +#ifdef HAVE_DBUSPROXY + if (!dbus_check_call_rule(ptr + 20)) { + fprintf(stderr, "Error: Invalid dbus-user.broadcast rule: %s\n", ptr + 20); + exit(1); + } +#endif return 1; } else if (strncmp("dbus-system ", ptr, 12) == 0) { +#ifdef HAVE_DBUSPROXY ptr += 12; if (strcmp("filter", ptr) == 0) { if (arg_dbus_system == DBUS_POLICY_BLOCK) { fprintf(stderr, "Error: Cannot relax dbus-system policy, it is already set to block\n"); - exit(1); + } else { + arg_dbus_system = DBUS_POLICY_FILTER; } - arg_dbus_system = DBUS_POLICY_FILTER; } else if (strcmp("none", ptr) == 0) { + if (arg_dbus_log_system) { + fprintf(stderr, "Error: --dbus-system.log requires --dbus-system=filter\n"); + exit(1); + } arg_dbus_system = DBUS_POLICY_BLOCK; } else { - fprintf(stderr, "Unknown dbus-system policy: %s\n", ptr); + fprintf(stderr, "Error: Unknown dbus-system policy: %s\n", ptr); exit(1); } +#endif return 0; } + else if (strncmp(ptr, "dbus-system.see ", 16) == 0) { +#ifdef HAVE_DBUSPROXY + if (!dbus_check_name(ptr + 16)) { + fprintf(stderr, "Error: Invalid dbus-system.see name: %s\n", ptr + 17); + exit(1); + } +#endif + return 1; + } else if (strncmp(ptr, "dbus-system.talk ", 17) == 0) { +#ifdef HAVE_DBUSPROXY if (!dbus_check_name(ptr + 17)) { - fprintf(stderr, "Invalid dbus-system.talk name: %s\n", ptr + 17); + fprintf(stderr, "Error: Invalid dbus-system.talk name: %s\n", ptr + 17); exit(1); } +#endif return 1; } else if (strncmp(ptr, "dbus-system.own ", 16) == 0) { +#ifdef HAVE_DBUSPROXY if (!dbus_check_name(ptr + 16)) { - fprintf(stderr, "Invalid dbus-system.own name: %s\n", ptr + 16); + fprintf(stderr, "Error: Invalid dbus-system.own name: %s\n", ptr + 16); exit(1); } +#endif + return 1; + } + else if (strncmp(ptr, "dbus-system.call ", 17) == 0) { +#ifdef HAVE_DBUSPROXY + if (!dbus_check_call_rule(ptr + 17)) { + fprintf(stderr, "Error: Invalid dbus-system.call rule: %s\n", ptr + 17); + exit(1); + } +#endif + return 1; + } + else if 
(strncmp(ptr, "dbus-system.broadcast ", 22) == 0) { +#ifdef HAVE_DBUSPROXY + if (!dbus_check_call_rule(ptr + 22)) { + fprintf(stderr, "Error: Invalid dbus-system.broadcast rule: %s\n", ptr + 22); + exit(1); + } +#endif return 1; } else if (strcmp(ptr, "nou2f") == 0) { @@ -534,6 +627,17 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { } else warning_feature_disabled("networking"); +#endif + return 0; + } + else if (strncmp(ptr, "netns ", 6) == 0) { +#ifdef HAVE_NETWORK + if (checkcfg(CFG_NETWORK)) { + arg_netns = ptr + 6; + check_netns(arg_netns); + } + else + warning_feature_disabled("networking"); #endif return 0; } @@ -663,6 +767,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { fprintf(stderr, "Error: invalid MAC address\n"); exit(1); } + + // check multicast address + if (br->macsandbox[0] & 1) { + fprintf(stderr, "Error: invalid MAC address (multicast)\n"); + exit(1); + } } else warning_feature_disabled("networking"); @@ -811,21 +921,14 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { } if (strncmp(ptr, "protocol ", 9) == 0) { -#ifdef HAVE_SECCOMP if (checkcfg(CFG_SECCOMP)) { - if (cfg.protocol) { - fwarning("two protocol lists are present, \"%s\" will be installed\n", cfg.protocol); - return 0; - } - - // store list - cfg.protocol = strdup(ptr + 9); - if (!cfg.protocol) - errExit("strdup"); + const char *add = ptr + 9; + profile_list_augment(&cfg.protocol, add); + if (arg_debug) + fprintf(stderr, "[profile] combined protocol list: \"%s\"\n", cfg.protocol); } else warning_feature_disabled("seccomp"); -#endif return 0; } 
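Review bot: in the `dbus-user.see` branch the name is validated with `dbus_check_name(ptr + 14)` but the error prints `ptr + 15`, and `dbus-system.see` checks `ptr + 16` but prints `ptr + 17`, so the message drops the first character of the offending name; `dbus-user.see` also lacks the `Error: ` prefix every sibling branch uses. Suggest `ptr + 14` / `ptr + 16` and the prefix. Separately, the `filter` cases now print "Error: Cannot relax dbus-user policy ..." but no longer `exit(1)`; since the policy stays at block that is the fail-closed outcome, but a message that does not abort should be an fwarning() rather than an "Error:" line.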
@@ -840,107 +943,92 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { // seccomp drop list on top of default list if (strncmp(ptr, "seccomp ", 8) == 0) { -#ifdef HAVE_SECCOMP if (checkcfg(CFG_SECCOMP)) { arg_seccomp = 1; cfg.seccomp_list = seccomp_check_list(ptr + 8); } else if (!arg_quiet) warning_feature_disabled("seccomp"); -#endif return 0; } if (strncmp(ptr, "seccomp.32 ", 11) == 0) { -#ifdef HAVE_SECCOMP if (checkcfg(CFG_SECCOMP)) { arg_seccomp32 = 1; cfg.seccomp_list32 = seccomp_check_list(ptr + 11); } else if (!arg_quiet) warning_feature_disabled("seccomp"); -#endif return 0; } if (strcmp(ptr, "seccomp.block-secondary") == 0) { -#ifdef HAVE_SECCOMP if (checkcfg(CFG_SECCOMP)) { arg_seccomp_block_secondary = 1; } else warning_feature_disabled("seccomp"); -#endif return 0; } // seccomp drop list without default list if (strncmp(ptr, "seccomp.drop ", 13) == 0) { -#ifdef HAVE_SECCOMP if (checkcfg(CFG_SECCOMP)) { arg_seccomp = 1; cfg.seccomp_list_drop = seccomp_check_list(ptr + 13); } else warning_feature_disabled("seccomp"); -#endif return 0; } if (strncmp(ptr, "seccomp.32.drop ", 13) == 0) { -#ifdef HAVE_SECCOMP if (checkcfg(CFG_SECCOMP)) { arg_seccomp32 = 1; cfg.seccomp_list_drop32 = seccomp_check_list(ptr + 13); } else warning_feature_disabled("seccomp"); -#endif return 0; } // seccomp keep list if (strncmp(ptr, "seccomp.keep ", 13) == 0) { -#ifdef HAVE_SECCOMP if (checkcfg(CFG_SECCOMP)) { arg_seccomp = 1; cfg.seccomp_list_keep= seccomp_check_list(ptr + 13); } else warning_feature_disabled("seccomp"); -#endif return 0; } if (strncmp(ptr, "seccomp.32.keep ", 13) == 0) { -#ifdef HAVE_SECCOMP if (checkcfg(CFG_SECCOMP)) { arg_seccomp32 = 1; cfg.seccomp_list_keep32 = seccomp_check_list(ptr + 13); } else warning_feature_disabled("seccomp"); -#endif return 0; } // memory deny write&execute if (strcmp(ptr, "memory-deny-write-execute") == 0) { -#ifdef HAVE_SECCOMP if (checkcfg(CFG_SECCOMP)) arg_memory_deny_write_execute = 1; else 
warning_feature_disabled("seccomp"); -#endif return 0; } // seccomp error action if (strncmp(ptr, "seccomp-error-action ", 21) == 0) { -#ifdef HAVE_SECCOMP if (checkcfg(CFG_SECCOMP)) { int config_seccomp_error_action = checkcfg(CFG_SECCOMP_ERROR_ACTION); if (config_seccomp_error_action == -1) { if (strcmp(ptr + 21, "kill") == 0) arg_seccomp_error_action = SECCOMP_RET_KILL; + else if (strcmp(ptr + 21, "log") == 0) + arg_seccomp_error_action = SECCOMP_RET_LOG; else { arg_seccomp_error_action = errno_find_name(ptr + 21); if (arg_seccomp_error_action == -1) @@ -956,7 +1044,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { } } else warning_feature_disabled("seccomp"); -#endif return 0; } @@ -1058,6 +1145,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { arg_machineid = 1; return 0; } + + if (strcmp(ptr, "keep-config-pulse") == 0) { + arg_keep_config_pulse = 1; + return 0; + } + // writable-var if (strcmp(ptr, "writable-var") == 0) { arg_writable_var = 1; @@ -1099,7 +1192,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { if (strcmp(ptr, "x11 xephyr") == 0) { #ifdef HAVE_X11 if (checkcfg(CFG_X11)) { - char *x11env = getenv("FIREJAIL_X11"); + const char *x11env = env_get("FIREJAIL_X11"); if (x11env && strcmp(x11env, "yes") == 0) { return 0; } @@ -1128,7 +1221,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { if (strcmp(ptr, "x11 xpra") == 0) { #ifdef HAVE_X11 if (checkcfg(CFG_X11)) { - char *x11env = getenv("FIREJAIL_X11"); + const char *x11env = env_get("FIREJAIL_X11"); if (x11env && strcmp(x11env, "yes") == 0) { return 0; } @@ -1147,7 +1240,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { if (strcmp(ptr, "x11 xvfb") == 0) { #ifdef HAVE_X11 if (checkcfg(CFG_X11)) { - char *x11env = getenv("FIREJAIL_X11"); + const char *x11env = env_get("FIREJAIL_X11"); if (x11env && strcmp(x11env, "yes") == 0) { return 0; } 
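Review bot: while the `#ifdef HAVE_SECCOMP` guards are being removed around these branches, the `seccomp.32.drop ` and `seccomp.32.keep ` branches compare only 13 characters of a 16-character keyword and then call `seccomp_check_list(ptr + 13)`, so the list handed over starts with `op ` instead of the syscall names; the `seccomp.32 ` branch just above uses the correct 11. Suggest 16 in both places while this hunk is open. The new `log` value for `seccomp-error-action` maps to `SECCOMP_RET_LOG`, which should be documented next to `kill` in the man page if it is not already.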
@@ -1166,7 +1259,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { if (strcmp(ptr, "x11") == 0) { #ifdef HAVE_X11 if (checkcfg(CFG_X11)) { - char *x11env = getenv("FIREJAIL_X11"); + const char *x11env = env_get("FIREJAIL_X11"); if (x11env && strcmp(x11env, "yes") == 0) { return 0; } 
@@ -1184,56 +1277,69 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { // private /etc list of files and directories if (strncmp(ptr, "private-etc ", 12) == 0) { - if (arg_writable_etc) { - fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n"); - exit(1); - } - if (cfg.etc_private_keep) { - if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, ptr + 12) < 0 ) - errExit("asprintf"); - } else { - cfg.etc_private_keep = ptr + 12; + if (checkcfg(CFG_PRIVATE_ETC)) { + if (arg_writable_etc) { + fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n"); + exit(1); + } + if (cfg.etc_private_keep) { + if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, ptr + 12) < 0 ) + errExit("asprintf"); + } else { + cfg.etc_private_keep = ptr + 12; + } + arg_private_etc = 1; } - arg_private_etc = 1; - + else + warning_feature_disabled("private-etc"); return 0; } // private /opt list of files and directories if (strncmp(ptr, "private-opt ", 12) == 0) { - if (cfg.opt_private_keep) { - if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, ptr + 12) < 0 ) - errExit("asprintf"); - } else { - cfg.opt_private_keep = ptr + 12; + if (checkcfg(CFG_PRIVATE_OPT)) { + if (cfg.opt_private_keep) { + if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, ptr + 12) < 0 ) + errExit("asprintf"); + } else { + cfg.opt_private_keep = ptr + 12; + } + arg_private_opt = 1; } - arg_private_opt = 1; - + else + warning_feature_disabled("private-opt"); return 0; } // private /srv list of files and directories if (strncmp(ptr, "private-srv ", 12) == 0) { - if (cfg.srv_private_keep) { - if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, ptr + 12) < 0 ) - errExit("asprintf"); - } else { - cfg.srv_private_keep = ptr + 12; + if (checkcfg(CFG_PRIVATE_SRV)) { + if (cfg.srv_private_keep) { + if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, ptr + 12) < 0 ) + 
errExit("asprintf"); + } else { + cfg.srv_private_keep = ptr + 12; + } + arg_private_srv = 1; } - arg_private_srv = 1; - + else + warning_feature_disabled("private-srv"); return 0; } // private /bin list of files if (strncmp(ptr, "private-bin ", 12) == 0) { - if (cfg.bin_private_keep) { - if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, ptr + 12) < 0 ) - errExit("asprintf"); - } else { - cfg.bin_private_keep = ptr + 12; + if (checkcfg(CFG_PRIVATE_BIN)) { + if (cfg.bin_private_keep) { + if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, ptr + 12) < 0 ) + errExit("asprintf"); + } else { + cfg.bin_private_keep = ptr + 12; + } + arg_private_bin = 1; } - arg_private_bin = 1; + else + warning_feature_disabled("private-bin"); return 0; } @@ -1349,12 +1455,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { // filesystem bind if (strncmp(ptr, "bind ", 5) == 0) { if (checkcfg(CFG_BIND)) { + // extract two directories if (getuid() != 0) { fprintf(stderr, "Error: --bind option is available only if running as root\n"); exit(1); } - // extract two directories char *dname1 = ptr + 5; char *dname2 = split_comma(dname1); // this inserts a '0 to separate the two dierctories if (dname2 == NULL) { @@ -1401,8 +1507,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { arg_rlimit_nproc = 1; } else if (strncmp(ptr, "rlimit-fsize ", 13) == 0) { - check_unsigned(ptr + 13, "Error: invalid rlimit in profile file: "); - sscanf(ptr + 13, "%llu", &cfg.rlimit_fsize); + cfg.rlimit_fsize = parse_arg_size(ptr + 13); + if (cfg.rlimit_fsize == 0) { + perror("Error: invalid rlimit-fsize in profile file. Only use positive numbers and k, m or g suffix."); + exit(1); + } arg_rlimit_fsize = 1; } else if (strncmp(ptr, "rlimit-sigpending ", 18) == 0) { 
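Review bot: in the `rlimit-fsize` hunk, `perror()` appends `strerror(errno)` to the message, but `parse_arg_size()` returning 0 for a malformed value does not necessarily set errno, so the user will see an unrelated or "Success" suffix; suggest `fprintf(stderr, ...)` as the surrounding error paths do. Treating 0 as invalid also means a profile can no longer express a zero fsize limit, which should be stated in the message if that is intended.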
@@ -1411,12 +1520,15 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { arg_rlimit_sigpending = 1; } else if (strncmp(ptr, "rlimit-as ", 10) == 0) { - check_unsigned(ptr + 10, "Error: invalid rlimit in profile file: "); - sscanf(ptr + 10, "%llu", &cfg.rlimit_as); + cfg.rlimit_as = parse_arg_size(ptr + 10); + if (cfg.rlimit_as == 0) { + perror("Error: invalid rlimit-as in profile file. Only use positive numbers and k, m or g suffix."); + exit(1); + } arg_rlimit_as = 1; } else { - fprintf(stderr, "Invalid rlimit option on line %d\n", lineno); + fprintf(stderr, "Error: Invalid rlimit option on line %d\n", lineno); exit(1); } @@ -1432,7 +1544,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { if (checkcfg(CFG_JOIN) || getuid() == 0) { // try to join by name only pid_t pid; - if (!name2pid(ptr + 14, &pid)) { + EUID_ROOT(); + int r = name2pid(ptr + 14, &pid); + EUID_USER(); + if (!r) { if (!cfg.shell && !arg_shell_none) cfg.shell = guess_shell(); @@ -1474,22 +1589,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { else if (strncmp(ptr, "noblacklist ", 12) == 0) ptr += 12; else if (strncmp(ptr, "whitelist ", 10) == 0) { -#ifdef HAVE_WHITELIST - if (checkcfg(CFG_WHITELIST)) { - arg_whitelist = 1; - ptr += 10; - } - else { - static int whitelist_warning_printed = 0; - if (!whitelist_warning_printed) { - warning_feature_disabled("whitelist"); - whitelist_warning_printed = 1; - } - return 0; - } -#else - return 0; -#endif + arg_whitelist = 1; + ptr += 10; } else if (strncmp(ptr, "nowhitelist ", 12) == 0) ptr += 12; @@ -1500,10 +1601,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { else if (strncmp(ptr, "noexec ", 7) == 0) ptr += 7; else if (strncmp(ptr, "tmpfs ", 6) == 0) { +#ifndef HAVE_USERTMPFS if (getuid() != 0) { fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n"); exit(1); } +#endif ptr += 6; } else { 
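Review bot: the `rlimit-as` hunk has the same `perror()` issue as `rlimit-fsize`: errno is not set by a parse failure, so the appended strerror text is noise; use `fprintf(stderr, ...)`. In the `join-or-start` hunk the name lookup is now bracketed with `EUID_ROOT()`/`EUID_USER()`, which is fine as long as name2pid() cannot exit between the two calls; if it can, the process would continue as root.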
@@ -1570,17 +1673,18 @@ void profile_read(const char *fname) { exit(1); } if (access(fname, R_OK)) { + int errsv = errno; // if the file ends in ".local", do not exit const char *base = gnu_basename(fname); char *ptr = strstr(base, ".local"); - if (ptr && strlen(ptr) == 6) + if (ptr && strlen(ptr) == 6 && errsv != EACCES) return; fprintf(stderr, "Error: cannot access profile file: %s\n", fname); exit(1); } - // allow debuggers + // --allow-debuggers - skip disable-devel.inc file if (arg_allow_debuggers) { char *tmp = strrchr(fname, '/'); if (tmp && *(tmp + 1) != '\0') { @@ -1589,9 +1693,18 @@ void profile_read(const char *fname) { return; } } + // --appimage - skip disable-shell.inc file + if (arg_appimage) { + char *tmp = strrchr(fname, '/'); + if (tmp && *(tmp + 1) != '\0') { + tmp++; + if (strcmp(tmp, "disable-shell.inc") == 0) + return; + } + } // open profile file: - FILE *fp = fopen(fname, "r"); + FILE *fp = fopen(fname, "re"); if (fp == NULL) { fprintf(stderr, "Error: cannot open profile file %s\n", fname); exit(1); 
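Review bot: the `.local` early return now applies only when `errsv != EACCES`, so a `.local` file that exists but is unreadable is a hard error instead of being silently skipped; that is the right fail-closed choice, since an ignored local override could otherwise drop restrictions the user relies on. The message "cannot access profile file" should include `strerror(errsv)` so ENOENT and EACCES are distinguishable. `errsv` is captured before gnu_basename()/strstr(), which is correct.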
@@ -1608,23 +1721,65 @@ void profile_read(const char *fname) { int lineno = 0; while (fgets(buf, MAX_READ, fp)) { ++lineno; + + // remove comments + char *ptr = strchr(buf, '#'); + if (ptr) + *ptr = '\0'; + // remove empty space - ptr in allocated memory - char *ptr = line_remove_spaces(buf); + ptr = line_remove_spaces(buf); if (ptr == NULL) continue; - - // comments - if (*ptr == '#' || *ptr == '\0') { + if (*ptr == '\0') { free(ptr); continue; } + // translate allow/deny to whitelist/blacklist + if (strncmp(ptr, "allow ", 6) == 0) { + char *tmp; + if (asprintf(&tmp, "whitelist %s", ptr + 6) == -1) + errExit("asprintf"); + free(ptr); + ptr = tmp; + } + else if (strncmp(ptr, "deny ", 5) == 0) { + char *tmp; + if (asprintf(&tmp, "blacklist %s", ptr + 5) == -1) + errExit("asprintf"); + free(ptr); + ptr = tmp; + } + else if (strncmp(ptr, "deny-nolog ", 11) == 0) { + char *tmp; + if (asprintf(&tmp, "blacklist-nolog %s", ptr + 11) == -1) + errExit("asprintf"); + free(ptr); + ptr = tmp; + } + // translate noallow/nodeny to nowhitelist/noblacklist + else if (strncmp(ptr, "noallow ", 8) == 0) { + char *tmp; + if (asprintf(&tmp, "nowhitelist %s", ptr + 8) == -1) + errExit("asprintf"); + free(ptr); + ptr = tmp; + } + else if (strncmp(ptr, "nodeny ", 7) == 0) { + char *tmp; + if (asprintf(&tmp, "noblacklist %s", ptr + 7) == -1) + errExit("asprintf"); + free(ptr); + ptr = tmp; + } + // process quiet // todo: a quiet in the profile file cannot be disabled by --ignore on command line if (strcmp(ptr, "quiet") == 0) { if (is_in_ignore_list(ptr)) arg_quiet = 0; - else + else if (!arg_debug) arg_quiet = 1; free(ptr); continue; @@ -1635,7 +1790,7 @@ void profile_read(const char *fname) { } // process include - if (strncmp(ptr, "include ", 8) == 0) { + if (strncmp(ptr, "include ", 8) == 0 && !is_in_ignore_list(ptr)) { include_level++; // expand macros in front of the include profile file 
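Review bot: the new comment stripping truncates the line at the first `#` anywhere, whereas the removed code only treated a line starting with `#` as a comment. A path containing `#` (for example `whitelist ${HOME}/a#b`) is now silently cut to its prefix, and for `whitelist` a shorter path is a broader grant. Suggest recognising `#` as a comment start only at the beginning of the line or after whitespace, and documenting the change in the profile syntax man page. The allow/deny to whitelist/blacklist translation is straightforward; note that `quiet` is now ignored when `--debug` is set.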
@@ -1671,9 +1826,148 @@ void profile_read(const char *fname) { // else { // free(ptr); // } -#ifdef HAVE_GCOV + __gcov_flush(); -#endif } fclose(fp); } + +char *profile_list_normalize(char *list) +{ + /* Remove redundant commas. + * + * As result is always shorter than original, + * in-place copying can be used. + */ + size_t i = 0; + size_t j = 0; + int c; + while (list[i] == ',') + ++i; + while ((c = list[i++])) { + if (c == ',') { + while (list[i] == ',') + ++i; + if (list[i] == 0) + break; + } + list[j++] = c; + } + list[j] = 0; + return list; +} + +char *profile_list_compress(char *list) +{ + size_t i; + + /* Comma separated list is processed so that: + * "item" -> adds item to list + * "-item" -> removes item from list + * "+item" -> adds item to list + * "=item" -> clear list, add item + * + * For example: + * ,a,,,b,,,c, -> a,b,c + * a,,b,,,c,a -> a,b,c + * a,b,c,-a -> b,c + * a,b,c,-a,a -> b,c,a + * a,+b,c -> a,b,c + * a,b,=c,d -> c,d + * a,b,c,= -> + */ + profile_list_normalize(list); + + /* Count items: comma count + 1 */ + size_t count = 1; + for (i = 0; list[i]; ++i) { + if (list[i] == ',') + ++count; + } + + /* Collect items in an array */ + char *in[count]; + count = 0; + in[count++] = list; + for (i = 0; list[i]; ++i) { + if (list[i] != ',') + continue; + list[i] = 0; + in[count++] = list + i + 1; + } + + /* Filter array: add, remove, reset, filter out duplicates */ + for (i = 0; i < count; ++i) { + char *item = in[i]; + assert(item); + + size_t k; + switch (*item) { + case '-': + ++item; + /* Do not include this item */ + in[i] = 0; + /* Remove if already included */ + for (k = 0; k < i; ++k) { + if (in[k] && !strcmp(in[k], item)) { + in[k] = 0; + break; + } + } + break; + case '+': + /* Allow +/- symmetry */ + in[i] = ++item; + /* FALLTHRU */ + default: + /* Adding empty item is a NOP */ + if (!*item) { + in[i] = 0; + break; + } + /* Include item unless it is already included */ + for (k = 0; k < i; ++k) { + if (in[k] && !strcmp(in[k], item)) { + 
in[i] = 0; + break; + } + } + break; + case '=': + in[i] = ++item; + /* Include non-empty item */ + if (!*item) + in[i] = 0; + /* Remove all already included items */ + for (k = 0; k < i; ++k) + in[k] = 0; + break; + } + } + + /* Copying back using in-place data works because the + * original order is retained and no item gets longer + * than what it used to be. + */ + char *pos = list; + for (i = 0; i < count; ++i) { + char *item = in[i]; + if (!item) + continue; + if (pos > list) + *pos++ = ','; + while (*item) + *pos++ = *item++; + } + *pos = 0; + return list; +} + +void profile_list_augment(char **list, const char *items) +{ + char *tmp = 0; + if (asprintf(&tmp, "%s,%s", *list ?: "", items ?: "") < 0) + errExit("asprintf"); + free(*list); + *list = profile_list_compress(tmp); +} diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c index 6402afbc69d..f21f8c96e02 100644 --- a/src/firejail/protocol.c +++ b/src/firejail/protocol.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -18,13 +18,12 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ -#ifdef HAVE_SECCOMP #include "firejail.h" #include "../include/seccomp.h" void protocol_filter_save(void) { // save protocol filter configuration in PROTOCOL_CFG - FILE *fp = fopen(RUN_PROTOCOL_CFG, "w"); + FILE *fp = fopen(RUN_PROTOCOL_CFG, "wxe"); if (!fp) errExit("fopen"); fprintf(fp, "%s\n", cfg.protocol); @@ -36,7 +35,7 @@ void protocol_filter_load(const char *fname) { assert(fname); // read protocol filter configuration from PROTOCOL_CFG - FILE *fp = fopen(fname, "r"); + FILE *fp = fopen(fname, "re"); if (!fp) return; @@ -90,9 +89,6 @@ void protocol_print_filter(pid_t pid) { exit(0); #else fwarning("--protocol not supported on this platform\n"); - return; + exit(1); #endif } - - -#endif // HAVE_SECCOMP 
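Review bot: `char *in[count]` in profile_list_compress() is a VLA sized by the number of commas in the input; lists come from profile files and the command line, so suggest `calloc(count, sizeof(char *))` to avoid stack exhaustion on a pathological list. `*list ?: ""` in profile_list_augment() is a GNU extension; spell it out if portability matters. The in-place rewrite itself is sound: profile_list_normalize() only ever shortens, and the copy-back in profile_list_compress() preserves the original order so `pos` never overtakes `item`. In protocol.c, opening RUN_PROTOCOL_CFG with `"wxe"` makes the save fail if the file already exists, which is the intended refusal to follow a pre-planted file.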
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index b4df78dda59..f8d4c2f3c14 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -23,6 +23,7 @@ #include #include #include +#include #include #include @@ -30,6 +31,8 @@ #define O_PATH 010000000 #endif +#define PULSE_CLIENT_SYSCONF "/etc/pulse/client.conf" + // disable pulseaudio socket void pulseaudio_disable(void) { if (arg_debug) @@ -39,7 +42,7 @@ void pulseaudio_disable(void) { // blacklist pulseaudio socket in XDG_RUNTIME_DIR - char *name = getenv("XDG_RUNTIME_DIR"); + const char *name = env_get("XDG_RUNTIME_DIR"); if (name) disable_file_path(name, "pulse/native"); @@ -47,7 +50,7 @@ void pulseaudio_disable(void) { char *path; if (asprintf(&path, "/run/user/%d", getuid()) == -1) errExit("asprintf"); - disable_file_path(path, "pulse/native"); + disable_file_path(path, "pulse"); free(path); 
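Review bot: in pulseaudio_disable() the `/run/user/<uid>` fallback now blacklists the whole `pulse` directory while the `XDG_RUNTIME_DIR` branch a few lines above still disables only `pulse/native`; the two paths usually name the same directory, so the effective restriction depends on whether the variable is set. Suggest using the same argument in both calls.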
@@ -72,37 +75,41 @@ void pulseaudio_disable(void) { closedir(dir); } -static void pulseaudio_set_environment(const char *path) { - assert(path); - if (setenv("PULSE_CLIENTCONFIG", path, 1) < 0) - errExit("setenv"); -} - // disable shm in pulseaudio (issue #69) void pulseaudio_init(void) { - struct stat s; - // do we have pulseaudio in the system? - if (stat("/etc/pulse/client.conf", &s) == -1) { + if (access(PULSE_CLIENT_SYSCONF, R_OK)) { if (arg_debug) - printf("/etc/pulse/client.conf not found\n"); + printf("Cannot read %s\n", PULSE_CLIENT_SYSCONF); return; } + // create ~/.config/pulse directory if not present + char *homeusercfg = NULL; + if (asprintf(&homeusercfg, "%s/.config", cfg.homedir) == -1) + errExit("asprintf"); + if (create_empty_dir_as_user(homeusercfg, 0700)) + fs_logger2("create", homeusercfg); + + free(homeusercfg); + if (asprintf(&homeusercfg, "%s/.config/pulse", cfg.homedir) == -1) + errExit("asprintf"); + if (create_empty_dir_as_user(homeusercfg, 0700)) + fs_logger2("create", homeusercfg); + // create the new user pulseaudio directory + // that will be mounted over ~/.config/pulse if (mkdir(RUN_PULSE_DIR, 0700) == -1) errExit("mkdir"); - selinux_relabel_path(RUN_PULSE_DIR, RUN_PULSE_DIR); - // mount it nosuid, noexec, nodev + selinux_relabel_path(RUN_PULSE_DIR, homeusercfg); fs_remount(RUN_PULSE_DIR, MOUNT_NOEXEC, 0); - // create the new client.conf file char *pulsecfg = NULL; if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1) errExit("asprintf"); - if (copy_file("/etc/pulse/client.conf", pulsecfg, -1, -1, 0644)) // root needed + if (copy_file(PULSE_CLIENT_SYSCONF, pulsecfg, -1, -1, 0644)) // root needed errExit("copy_file"); - FILE *fp = fopen(pulsecfg, "a"); + FILE *fp = fopen(pulsecfg, "ae"); if (!fp) errExit("fopen"); fprintf(fp, "%s", "\nenable-shm = no\n"); 
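Review bot: the comment `// mount it nosuid, noexec, nodev` above `fs_remount(RUN_PULSE_DIR, MOUNT_NOEXEC, 0)` is removed while the call stays; keep a one-line comment stating the intent so the flag is not dropped in a later cleanup. Replacing the `stat()` with `access(PULSE_CLIENT_SYSCONF, R_OK)` checks readability with the real uid, which matches the later `copy_file()` of that file.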
@@ -112,32 +119,14 @@ void pulseaudio_init(void) { if (set_perms(RUN_PULSE_DIR, getuid(), getgid(), 0700)) errExit("set_perms"); - // create ~/.config/pulse directory if not present - char *homeusercfg = NULL; - if (asprintf(&homeusercfg, "%s/.config", cfg.homedir) == -1) - errExit("asprintf"); - if (create_empty_dir_as_user(homeusercfg, 0700)) - fs_logger2("create", homeusercfg); - - free(homeusercfg); - if (asprintf(&homeusercfg, "%s/.config/pulse", cfg.homedir) == -1) - errExit("asprintf"); - if (create_empty_dir_as_user(homeusercfg, 0700)) - fs_logger2("create", homeusercfg); - - // if ~/.config/pulse now exists and there are no symbolic links, mount the new directory + // if ~/.config/pulse exists and there are no symbolic links, mount the new directory // else set environment variable - int fd = safe_fd(homeusercfg, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + EUID_USER(); + int fd = safer_openat(-1, homeusercfg, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + EUID_ROOT(); if (fd == -1) { - pulseaudio_set_environment(pulsecfg); - goto out; - } - // confirm the actual mount destination is owned by the user - if (fstat(fd, &s) == -1) - errExit("fstat"); - if (s.st_uid != getuid()) { - close(fd); - pulseaudio_set_environment(pulsecfg); + fwarning("not mounting tmpfs on %s\n", homeusercfg); + env_store_name_val("PULSE_CLIENTCONFIG", pulsecfg, SETENV); goto out; } // preserve a read-only mount 
@@ -149,26 +138,27 @@ void pulseaudio_init(void) { // mount via the link in /proc/self/fd if (arg_debug) printf("Mounting %s on %s\n", RUN_PULSE_DIR, homeusercfg); - char *proc; - if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) - errExit("asprintf"); - if (mount(RUN_PULSE_DIR, proc, "none", MS_BIND, NULL) < 0) + if (bind_mount_path_to_fd(RUN_PULSE_DIR, fd)) errExit("mount pulseaudio"); // check /proc/self/mountinfo to confirm the mount is ok MountData *mptr = get_last_mount(); if (strcmp(mptr->dir, homeusercfg) != 0 || strcmp(mptr->fstype, "tmpfs") != 0) errLogExit("invalid pulseaudio mount"); fs_logger2("tmpfs", homeusercfg); - free(proc); close(fd); char *p; if (asprintf(&p, "%s/client.conf", homeusercfg) == -1) errExit("asprintf"); + env_store_name_val("PULSE_CLIENTCONFIG", p, SETENV); fs_logger2("create", p); - pulseaudio_set_environment(p); free(p); + // RUN_PULSE_DIR not needed anymore, mask it + if (mount("tmpfs", RUN_PULSE_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) + errExit("mount pulseaudio"); + fs_logger2("tmpfs", RUN_PULSE_DIR); + out: free(pulsecfg); free(homeusercfg); diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index c12227406bf..6f17231a4a0 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * 
@@ -72,58 +72,48 @@ static void sanitize_home(void) { if (arg_debug) printf("Cleaning /home directory\n"); - // keep a copy of the user home directory - int fd = safe_fd(cfg.homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); - if (fd == -1) { - if (errno == ENOENT) - fwarning("cannot find user home directory\n"); - else - fwarning("cannot clean /home directory\n"); - return; + // open user home directory in order to keep it around + int fd = safer_openat(-1, cfg.homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + if (fd == -1) + goto errout; + if (fstat(fd, &s) == -1) { // FUSE + if (errno != EACCES) + errExit("fstat"); + close(fd); + goto errout; } - if (fstat(fd, &s) == -1) - errExit("fstat"); - char *proc; - if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) - errExit("asprintf"); - if (mkdir(RUN_WHITELIST_HOME_DIR, 0755) == -1) - errExit("mkdir"); - if (mount(proc, RUN_WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); - free(proc); - close(fd); - // mount tmpfs in the new home + // mount tmpfs on /home if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) errExit("mount tmpfs"); selinux_relabel_path("/home", "/home"); fs_logger("tmpfs /home"); - // create user home directory + // create new user home directory if (mkdir(cfg.homedir, 0755) == -1) { - if (mkpath_as_root(cfg.homedir)) + if (mkpath_as_root(cfg.homedir) == -1) errExit("mkpath"); if (mkdir(cfg.homedir, 0755) == -1) errExit("mkdir"); - selinux_relabel_path(cfg.homedir, cfg.homedir); } fs_logger2("mkdir", cfg.homedir); // set mode and ownership if (set_perms(cfg.homedir, s.st_uid, s.st_gid, s.st_mode)) errExit("set_perms"); + selinux_relabel_path(cfg.homedir, cfg.homedir); - // mount user home directory - if (mount(RUN_WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0) + // bring back real user home directory + if (bind_mount_fd_to_path(fd, cfg.homedir)) errExit("mount bind"); + close(fd); - // mask home dir under 
/run - if (mount("tmpfs", RUN_WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mount tmpfs"); - fs_logger2("tmpfs", RUN_WHITELIST_HOME_DIR); if (!arg_private) fs_logger2("whitelist", cfg.homedir); + return; +errout: + fwarning("cannot clean /home directory\n"); } static void sanitize_run(void) { @@ -134,22 +124,15 @@ static void sanitize_run(void) { if (asprintf(&runuser, "/run/user/%u", getuid()) == -1) errExit("asprintf"); - struct stat s; - if (stat(runuser, &s) == -1) { - // cannot find /user/run/$UID directory, just return + // open /run/user/$UID directory in order to keep it around + int fd = open(runuser, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + if (fd == -1) { if (arg_debug) - printf("Cannot find %s directory\n", runuser); + printf("Cannot open %s directory\n", runuser); free(runuser); return; } - if (mkdir(RUN_WHITELIST_RUN_DIR, 0755) == -1) - errExit("mkdir"); - - // keep a copy of the /run/user/$UID directory - if (mount(runuser, RUN_WHITELIST_RUN_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); - // mount tmpfs on /run/user if (mount("tmpfs", "/run/user", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) errExit("mount tmpfs"); 
@@ -159,22 +142,19 @@ static void sanitize_run(void) { // create new user directory if (mkdir(runuser, 0700) == -1) errExit("mkdir"); - selinux_relabel_path(runuser, runuser); fs_logger2("mkdir", runuser); // set mode and ownership if (set_perms(runuser, getuid(), getgid(), 0700)) errExit("set_perms"); + selinux_relabel_path(runuser, runuser); - // mount /run/user/$UID directory - if (mount(RUN_WHITELIST_RUN_DIR, runuser, NULL, MS_BIND|MS_REC, NULL) < 0) + // bring back real run/user/$UID directory + if (bind_mount_fd_to_path(fd, runuser)) errExit("mount bind"); + close(fd); - // mask mirrored /run/user/$UID directory - if (mount("tmpfs", RUN_WHITELIST_RUN_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mount tmpfs"); - fs_logger2("tmpfs", RUN_WHITELIST_RUN_DIR); - + fs_logger2("whitelist", runuser); free(runuser); } @@ -195,10 +175,10 @@ static void sanitize_passwd(void) { // open files /* coverity[toctou] */ - fpin = fopen("/etc/passwd", "r"); + fpin = fopen("/etc/passwd", "re"); if (!fpin) goto errout; - fpout = fopen(RUN_PASSWD_FILE, "w"); + fpout = fopen(RUN_PASSWD_FILE, "we"); if (!fpout) goto errout; @@ -258,6 +238,11 @@ static void sanitize_passwd(void) { // mount-bind tne new password file if (mount(RUN_PASSWD_FILE, "/etc/passwd", "none", MS_BIND, "mode=400,gid=0") < 0) errExit("mount"); + + // blacklist RUN_PASSWD_FILE + if (mount(RUN_RO_FILE, RUN_PASSWD_FILE, "none", MS_BIND, "mode=400,gid=0") < 0) + errExit("mount"); + fs_logger("create /etc/passwd"); return; @@ -330,10 +315,10 @@ static void sanitize_group(void) { // open files /* coverity[toctou] */ - fpin = fopen("/etc/group", "r"); + fpin = fopen("/etc/group", "re"); if (!fpin) goto errout; - fpout = fopen(RUN_GROUP_FILE, "w"); + fpout = fopen(RUN_GROUP_FILE, "we"); if (!fpout) goto errout; 
@@ -388,6 +373,11 @@ static void sanitize_group(void) { // mount-bind tne new group file if (mount(RUN_GROUP_FILE, "/etc/group", "none", MS_BIND, "mode=400,gid=0") < 0) errExit("mount"); + + // blacklist RUN_GROUP_FILE + if (mount(RUN_RO_FILE, RUN_GROUP_FILE, "none", MS_BIND, "mode=400,gid=0") < 0) + errExit("mount"); + fs_logger("create /etc/group"); return; diff --git a/src/firejail/restricted_shell.c b/src/firejail/restricted_shell.c index b80d4ae55f9..ed66903b55c 100644 --- a/src/firejail/restricted_shell.c +++ b/src/firejail/restricted_shell.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -32,7 +32,7 @@ int restricted_shell(const char *user) { char *fname; if (asprintf(&fname, "%s/login.users", SYSCONFDIR) == -1) errExit("asprintf"); - FILE *fp = fopen(fname, "r"); + FILE *fp = fopen(fname, "re"); free(fname); if (fp == NULL) return 0; @@ -96,7 +96,7 @@ int restricted_shell(const char *user) { fullargv[i] = ptr; #ifdef DEBUG_RESTRICTED_SHELL {EUID_ROOT(); - FILE *fp = fopen("/firelog", "a"); + FILE *fp = fopen("/firelog", "ae"); if (fp) { fprintf(fp, "i %d ptr #%s#\n", i, fullargv[i]); fclose(fp); diff --git a/src/firejail/rlimit.c b/src/firejail/rlimit.c index 0ca4a34df3e..f177f4b89ca 100644 --- a/src/firejail/rlimit.c +++ b/src/firejail/rlimit.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -18,6 +18,7 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include "firejail.h" +#include "../include/gcov_wrapper.h" #include #include @@ -33,9 +34,9 @@ void set_rlimits(void) { // set the new limit rl.rlim_cur = (rlim_t) cfg.rlimit_cpu; rl.rlim_max = (rlim_t) cfg.rlimit_cpu; -#ifdef HAVE_GCOV + __gcov_dump(); -#endif + if (setrlimit(RLIMIT_CPU, &rl) == -1) errExit("setrlimit"); if (arg_debug) 
@@ -50,9 +51,10 @@ void set_rlimits(void) { // set the new limit rl.rlim_cur = (rlim_t) cfg.rlimit_nofile; rl.rlim_max = (rlim_t) cfg.rlimit_nofile; -#ifdef HAVE_GCOV // gcov-instrumented programs might crash at this point + + // gcov-instrumented programs might crash at this point __gcov_dump(); -#endif + if (setrlimit(RLIMIT_NOFILE, &rl) == -1) errExit("setrlimit"); if (arg_debug) @@ -67,9 +69,9 @@ void set_rlimits(void) { // set the new limit rl.rlim_cur = (rlim_t) cfg.rlimit_nproc; rl.rlim_max = (rlim_t) cfg.rlimit_nproc; -#ifdef HAVE_GCOV + __gcov_dump(); -#endif + if (setrlimit(RLIMIT_NPROC, &rl) == -1) errExit("setrlimit"); if (arg_debug) @@ -84,9 +86,9 @@ void set_rlimits(void) { // set the new limit rl.rlim_cur = (rlim_t) cfg.rlimit_fsize; rl.rlim_max = (rlim_t) cfg.rlimit_fsize; -#ifdef HAVE_GCOV + __gcov_dump(); -#endif + if (setrlimit(RLIMIT_FSIZE, &rl) == -1) errExit("setrlimit"); if (arg_debug) @@ -101,9 +103,9 @@ void set_rlimits(void) { // set the new limit rl.rlim_cur = (rlim_t) cfg.rlimit_sigpending; rl.rlim_max = (rlim_t) cfg.rlimit_sigpending; -#ifdef HAVE_GCOV + __gcov_dump(); -#endif + if (setrlimit(RLIMIT_SIGPENDING, &rl) == -1) errExit("setrlimit"); if (arg_debug) @@ -118,9 +120,9 @@ void set_rlimits(void) { // set the new limit rl.rlim_cur = (rlim_t) cfg.rlimit_as; rl.rlim_max = (rlim_t) cfg.rlimit_as; -#ifdef HAVE_GCOV + __gcov_dump(); -#endif + if (setrlimit(RLIMIT_AS, &rl) == -1) errExit("setrlimit"); if (arg_debug) diff --git a/src/firejail/run_files.c b/src/firejail/run_files.c index b9c80c459a2..c28c3e01b75 100644 --- a/src/firejail/run_files.c +++ b/src/firejail/run_files.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * 
@@ -101,7 +101,7 @@ void set_name_run_file(pid_t pid) { errExit("asprintf"); // the file is deleted first - FILE *fp = fopen(fname, "w"); + FILE *fp = fopen(fname, "we"); if (!fp) { fprintf(stderr, "Error: cannot create %s\n", fname); exit(1); @@ -120,7 +120,7 @@ void set_x11_run_file(pid_t pid, int display) { errExit("asprintf"); // the file is deleted first - FILE *fp = fopen(fname, "w"); + FILE *fp = fopen(fname, "we"); if (!fp) { fprintf(stderr, "Error: cannot create %s\n", fname); exit(1); @@ -139,7 +139,7 @@ void set_profile_run_file(pid_t pid, const char *fname) { EUID_ROOT(); // the file is deleted first - FILE *fp = fopen(runfile, "w"); + FILE *fp = fopen(runfile, "we"); if (!fp) { fprintf(stderr, "Error: cannot create %s\n", runfile); exit(1); diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c index ea38890244a..77fac54380b 100644 --- a/src/firejail/run_symlink.c +++ b/src/firejail/run_symlink.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -22,6 +22,8 @@ #include #include +extern char *find_in_path(const char *program); + void run_symlink(int argc, char **argv, int run_as_is) { EUID_ASSERT(); 
@@ -40,58 +42,25 @@ void run_symlink(int argc, char **argv, int run_as_is) { errExit("setresuid"); // find the real program by looking in PATH - char *p = getenv("PATH"); - if (!p) { + const char *path = env_get("PATH"); + if (!path) { fprintf(stderr, "Error: PATH environment variable not set\n"); exit(1); } - char *path = strdup(p); - if (!path) - errExit("strdup"); - - char *selfpath = realpath("/proc/self/exe", NULL); - if (!selfpath) - errExit("realpath"); - - // look in path for our program - char *tok = strtok(path, ":"); - int found = 0; - while (tok) { - char *name; - if (asprintf(&name, "%s/%s", tok, program) == -1) - errExit("asprintf"); - - struct stat s; - if (stat(name, &s) == 0) { - /* coverity[toctou] */ - char* rp = realpath(name, NULL); - if (!rp) - errExit("realpath"); - - if (strcmp(selfpath, rp) != 0) { - program = strdup(name); - found = 1; - free(rp); - break; - } - - free(rp); - } - - free(name); - tok = strtok(NULL, ":"); - } - if (!found) { + char *p = find_in_path(program); + if (!p) { fprintf(stderr, "Error: cannot find the program in the path\n"); exit(1); } - - free(selfpath); + program = p; // restore original umask umask(orig_umask); + // restore original environment variables + env_apply_all(); + // desktop integration is not supported for root user; instead, the original program is started if (getuid() == 0 || run_as_is) { argv[0] = program; @@ -108,6 +77,7 @@ void run_symlink(int argc, char **argv, int run_as_is) { a[i + 2] = argv[i + 1]; } a[i + 2] = NULL; + assert(env_get("LD_PRELOAD") == NULL); assert(getenv("LD_PRELOAD") == NULL); execvp(a[0], a); diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 631f721ad77..83e50aee2f9 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * 
@@ -19,11 +19,12 @@ */ #include "firejail.h" +#include "../include/gcov_wrapper.h" #include "../include/seccomp.h" +#include #include #include #include -#include #include #include #include @@ -49,7 +50,6 @@ #include #endif - static int force_nonewprivs = 0; static int monitored_pid = 0; @@ -67,7 +67,7 @@ static void sandbox_handler(int sig){ if (asprintf(&monfile, "/proc/%d/cmdline", monitored_pid) == -1) errExit("asprintf"); while (monsec) { - FILE *fp = fopen(monfile, "r"); + FILE *fp = fopen(monfile, "re"); if (!fp) break; @@ -87,9 +87,9 @@ static void sandbox_handler(int sig){ // broadcast a SIGKILL kill(-1, SIGKILL); - flush_stdin(); - exit(sig); + flush_stdin(); + exit(128 + sig); } static void install_handler(void) { @@ -141,11 +141,28 @@ void set_apparmor(void) { } #endif +static void seccomp_debug(void) { + if (arg_debug == 0) + return; + + EUID_USER(); + printf("Seccomp directory:\n"); + ls(RUN_SECCOMP_DIR); + struct stat s; + if (stat(RUN_SECCOMP_LIST, &s) == 0) { + printf("Active seccomp files:\n"); + cat(RUN_SECCOMP_LIST); + } + else + printf("No active seccomp files\n"); + EUID_ROOT(); +} + static void save_nogroups(void) { if (arg_nogroups == 0) return; - FILE *fp = fopen(RUN_GROUPS_CFG, "w"); + FILE *fp = fopen(RUN_GROUPS_CFG, "wxe"); if (fp) { fprintf(fp, "\n"); SET_PERMS_STREAM(fp, 0, 0, 0644); // assume mode 0644 
@@ -186,43 +203,18 @@ static void save_umask(void) { } } -static FILE *create_ready_for_join_file(void) { - FILE *fp = fopen(RUN_READY_FOR_JOIN, "wxe"); - if (fp) { - ASSERT_PERMS_STREAM(fp, 0, 0, 0644); - return fp; - } - else { - fprintf(stderr, "Error: cannot create %s\n", RUN_READY_FOR_JOIN); - exit(1); - } -} - -#ifdef HAVE_SECCOMP -static void seccomp_debug(void) { - if (arg_debug == 0) - return; - - pid_t child = fork(); - if (child < 0) - errExit("fork"); - if (child == 0) { - // dropping privs before calling system(3) - drop_privs(1); - printf("Seccomp directory:\n"); - int rv = system("ls -l " RUN_SECCOMP_DIR); - (void) rv; - printf("Active seccomp files:\n"); - rv = system("cat " RUN_SECCOMP_LIST); - (void) rv; -#ifdef HAVE_GCOV - __gcov_flush(); -#endif - _exit(0); - } - waitpid(child, NULL, 0); +static char *create_join_file(void) { + int fd = open(RUN_JOIN_FILE, O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); + if (fd == -1) + errExit("open"); + if (ftruncate(fd, 1) == -1) + errExit("ftruncate"); + char *rv = mmap(NULL, 1, PROT_WRITE, MAP_SHARED, fd, 0); + if (rv == MAP_FAILED) + errExit("mmap"); + close(fd); + return rv; } -#endif static void sandbox_if_up(Bridge *br) { assert(br); @@ -235,7 +227,7 @@ static void sandbox_if_up(Bridge *br) { if (br->arg_ip_none == 1); // do nothing else if (br->arg_ip_none == 0 && br->macvlan == 0) { if (br->ipsandbox == br->ip) { - fprintf(stderr, "Error: %d.%d.%d.%d is interface %s address.\n", PRINT_IP(br->ipsandbox), br->dev); + fprintf(stderr, "Error: %d.%d.%d.%d is interface %s address, exiting...\n", PRINT_IP(br->ipsandbox), br->dev); exit(1); } 
@@ -253,13 +245,17 @@ static void sandbox_if_up(Bridge *br) { br->ipsandbox = arp_assign(dev, br); //br->ip, br->mask); else { if (br->ipsandbox == br->ip) { - fprintf(stderr, "Error: %d.%d.%d.%d is interface %s address.\n", PRINT_IP(br->ipsandbox), br->dev); + fprintf(stderr, "Error: %d.%d.%d.%d is interface %s address, exiting...\n", PRINT_IP(br->ipsandbox), br->dev); + exit(1); + } + if (br->ipsandbox == cfg.defaultgw) { + fprintf(stderr, "Error: %d.%d.%d.%d is the default gateway, exiting...\n", PRINT_IP(br->ipsandbox)); exit(1); } uint32_t rv = arp_check(dev, br->ipsandbox); if (rv) { - fprintf(stderr, "Error: the address %d.%d.%d.%d is already in use.\n", PRINT_IP(br->ipsandbox)); + fprintf(stderr, "Error: the address %d.%d.%d.%d is already in use, exiting...\n", PRINT_IP(br->ipsandbox)); exit(1); } } @@ -276,8 +272,7 @@ static void sandbox_if_up(Bridge *br) { static void chk_chroot(void) { // if we are starting firejail inside some other container technology, we don't care about this - char *mycont = getenv("container"); - if (mycont) + if (env_get("container")) return; // check if this is a regular chroot @@ -408,19 +403,8 @@ static int monitor_application(pid_t app_pid) { } static void print_time(void) { - if (start_timestamp) { - unsigned long long end_timestamp = getticks(); - // measure 1 ms - usleep(1000); - unsigned long long onems = getticks() - end_timestamp; - if (onems) { - fmessage("Child process initialized in %.02f ms\n", - (float) (end_timestamp - start_timestamp) / (float) onems); - return; - } - } - - fmessage("Child process initialized\n"); + float delta = timetrace_end(); + fmessage("Child process initialized in %.02f ms\n", delta); } @@ -438,7 +422,7 @@ static int ok_to_run(const char *program) { return 1; } else { // search $PATH - char *path1 = getenv("PATH"); + const char *path1 = env_get("PATH"); if (path1) { if (arg_debug) printf("Searching $PATH for %s\n", program); 
@@ -480,45 +464,24 @@ static int ok_to_run(const char *program) { return 0; } -void start_application(int no_sandbox, FILE *fp) { +void start_application(int no_sandbox, int fd, char *set_sandbox_status) { // set environment - if (no_sandbox == 0) { + if (no_sandbox == 0) env_defaults(); - env_apply(); - } + env_apply_all(); + // restore original umask umask(orig_umask); if (arg_debug) { - printf("starting application\n"); + printf("Starting application\n"); printf("LD_PRELOAD=%s\n", getenv("LD_PRELOAD")); } - //**************************************** - // audit - //**************************************** - if (arg_audit) { - assert(arg_audit_prog); - - if (fp) { - fprintf(fp, "ready\n"); - fclose(fp); - } -#ifdef HAVE_GCOV - __gcov_dump(); -#endif -#ifdef HAVE_SECCOMP - seccomp_install_filters(); -#endif - execl(arg_audit_prog, arg_audit_prog, NULL); - - perror("execl"); - exit(1); - } //**************************************** // start the program without using a shell //**************************************** - else if (arg_shell_none) { + if (arg_shell_none) { if (arg_debug) { int i; for (i = cfg.original_program_index; i < cfg.original_argc; i++) { 
@@ -536,58 +499,55 @@ void start_application(int no_sandbox, FILE *fp) { if (!arg_command && !arg_quiet) print_time(); - int rv = ok_to_run(cfg.original_argv[cfg.original_program_index]); - - if (fp) { - fprintf(fp, "ready\n"); - fclose(fp); + if (ok_to_run(cfg.original_argv[cfg.original_program_index]) == 0) { + fprintf(stderr, "Error: no suitable %s executable found\n", cfg.original_argv[cfg.original_program_index]); + exit(1); } -#ifdef HAVE_GCOV + __gcov_dump(); -#endif -#ifdef HAVE_SECCOMP + seccomp_install_filters(); -#endif - if (rv) - execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]); - else - fprintf(stderr, "Error: no suitable %s executable found\n", cfg.original_argv[cfg.original_program_index]); - exit(1); + + if (set_sandbox_status) + *set_sandbox_status = SANDBOX_DONE; + execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]); } //**************************************** // start the program using a shell //**************************************** else { assert(cfg.shell); - assert(cfg.command_line); char *arg[5]; int index = 0; arg[index++] = cfg.shell; - if (login_shell) { - arg[index++] = "-l"; - if (arg_debug) - printf("Starting %s login shell\n", cfg.shell); - } else { - arg[index++] = "-c"; + if (cfg.command_line) { if (arg_debug) printf("Running %s command through %s\n", cfg.command_line, cfg.shell); + arg[index++] = "-c"; if (arg_doubledash) arg[index++] = "--"; arg[index++] = cfg.command_line; } - arg[index] = NULL; + else if (login_shell) { + if (arg_debug) + printf("Starting %s login shell\n", cfg.shell); + arg[index++] = "-l"; + } + else if (arg_debug) + printf("Starting %s shell\n", cfg.shell); + assert(index < 5); + arg[index] = NULL; if (arg_debug) { char *msg; - if (asprintf(&msg, "sandbox %d, execvp into %s", sandbox_pid, cfg.command_line) == -1) + if (asprintf(&msg, "sandbox %d, execvp into %s", + sandbox_pid, cfg.command_line ? 
cfg.command_line : cfg.shell) == -1) errExit("asprintf"); logmsg(msg); free(msg); - } - if (arg_debug) { int i; for (i = 0; i < 5; i++) { if (arg[i] == NULL) @@ -599,30 +559,30 @@ void start_application(int no_sandbox, FILE *fp) { if (!arg_command && !arg_quiet) print_time(); - if (fp) { - fprintf(fp, "ready\n"); - fclose(fp); - } -#ifdef HAVE_GCOV __gcov_dump(); -#endif -#ifdef HAVE_SECCOMP + seccomp_install_filters(); -#endif + + if (set_sandbox_status) + *set_sandbox_status = SANDBOX_DONE; execvp(arg[0], arg); + + // join sandbox without shell in the mount namespace + if (fd > -1) + fexecve(fd, arg, environ); } - perror("execvp"); - exit(1); // it should never get here!!! + perror("Cannot start application"); + exit(1); } static void enforce_filters(void) { + fmessage("\n** Warning: dropping all Linux capabilities and setting NO_NEW_PRIVS prctl **\n\n"); // enforce NO_NEW_PRIVS arg_nonewprivs = 1; force_nonewprivs = 1; // disable all capabilities - fmessage("\n** Warning: dropping all Linux capabilities **\n\n"); arg_caps_drop_all = 1; // drop all supplementary groups; /etc/group file inside chroot @@ -667,8 +627,11 @@ int sandbox(void* sandbox_arg) { // ... and mount a tmpfs on top of /run/firejail/mnt directory preproc_mount_mnt_dir(); // bind-mount firejail binaries and helper programs - if (mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, "none", MS_BIND, NULL) < 0) + if (mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, NULL, MS_BIND, NULL) < 0 || + mount(NULL, RUN_FIREJAIL_LIB_DIR, NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_BIND|MS_REMOUNT, NULL) < 0) errExit("mounting " RUN_FIREJAIL_LIB_DIR); + // keep a copy of dhclient executable before the filesystem is modified + dhcp_store_exec(); //**************************** // log sandbox data 
@@ -809,7 +772,6 @@ int sandbox(void* sandbox_arg) { // - build seccomp filters // - create an empty /etc/ld.so.preload //**************************** -#ifdef HAVE_SECCOMP if (cfg.protocol) { if (arg_debug) printf("Build protocol filter: %s\n", cfg.protocol); @@ -820,16 +782,19 @@ int sandbox(void* sandbox_arg) { if (rv) exit(rv); } -#endif - // need ld.so.preload if tracing or seccomp with any non-default lists - bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec; +#ifdef HAVE_FORCE_NONEWPRIVS + bool always_enforce_filters = true; +#else + bool always_enforce_filters = false; +#endif // for --appimage, --chroot and --overlay* we force NO_NEW_PRIVS // and drop all capabilities - if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay)) { + if (getuid() != 0 && (arg_appimage || cfg.chrootdir || arg_overlay || always_enforce_filters)) enforce_filters(); - need_preload = arg_trace || arg_tracelog; - } + + // need ld.so.preload if tracing or seccomp with any non-default lists + bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec; // trace pre-install if (need_preload) @@ -861,10 +826,16 @@ int sandbox(void* sandbox_arg) { #endif fs_basic_fs(); + //**************************** + // appimage + //**************************** + appimage_mount(); + //**************************** // private mode //**************************** if (arg_private) { + EUID_USER(); if (cfg.home_private) { // --private= if (cfg.chrootdir) fwarning("private=directory feature is disabled in chroot\n"); @@ -883,6 +854,7 @@ int sandbox(void* sandbox_arg) { } else // --private fs_private(); + EUID_ROOT(); } if (arg_private_dev) 
@@ -939,14 +911,13 @@ int sandbox(void* sandbox_arg) { } } +#ifdef HAVE_USERTMPFS if (arg_private_cache) { - if (cfg.chrootdir) - fwarning("private-cache feature is disabled in chroot\n"); - else if (arg_overlay) - fwarning("private-cache feature is disabled in overlay\n"); - else - fs_private_cache(); + EUID_USER(); + profile_add("tmpfs ${HOME}/.cache"); + EUID_ROOT(); } +#endif if (arg_private_tmp) { // private-tmp is implemented as a whitelist @@ -958,8 +929,9 @@ int sandbox(void* sandbox_arg) { //**************************** // Session D-BUS //**************************** +#ifdef HAVE_DBUSPROXY dbus_apply_policy(); - +#endif //**************************** // hosts and hostname 
@@ -996,11 +968,35 @@ int sandbox(void* sandbox_arg) { else if (arg_overlay) fwarning("private-etc feature is disabled in overlay\n"); else { - fs_private_dir_list("/etc", RUN_ETC_DIR, cfg.etc_private_keep); - fs_private_dir_list("/usr/etc", RUN_USR_ETC_DIR, cfg.etc_private_keep); // openSUSE + /* Current /etc/passwd and /etc/group files are bind + * mounted filtered versions of originals. Leaving + * them underneath private-etc mount causes problems + * in devices with older kernels, e.g. attempts to + * update the real /etc/passwd file yield EBUSY. + * + * As we do want to retain filtered /etc content: + * 1. duplicate /etc content to RUN_ETC_DIR + * 2. unmount bind mounts from /etc + * 3. mount RUN_ETC_DIR at /etc + */ + timetrace_start(); + fs_private_dir_copy("/etc", RUN_ETC_DIR, cfg.etc_private_keep); + + if (umount2("/etc/group", MNT_DETACH) == -1) + fprintf(stderr, "/etc/group: unmount: %s\n", strerror(errno)); + if (umount2("/etc/passwd", MNT_DETACH) == -1) + fprintf(stderr, "/etc/passwd: unmount: %s\n", strerror(errno)); + + fs_private_dir_mount("/etc", RUN_ETC_DIR); + fmessage("Private /etc installed in %0.2f ms\n", timetrace_end()); + // create /etc/ld.so.preload file again if (need_preload) fs_trace_preload(); + + // openSUSE configuration is split between /etc and /usr/etc + // process private-etc a second time + fs_private_dir_list("/usr/etc", RUN_USR_ETC_DIR, cfg.etc_private_keep); } } @@ -1008,10 +1004,12 @@ int sandbox(void* sandbox_arg) { // apply the profile file //**************************** // apply all whitelist commands ... + EUID_USER(); fs_whitelist(); // ... followed by blacklist commands fs_blacklist(); // mkdir and mkfile are processed all over again + EUID_ROOT(); //**************************** // nosound/no3d/notv/novideo and fix for pulseaudio 7.0 
@@ -1023,7 +1021,7 @@ int sandbox(void* sandbox_arg) { // disable /dev/snd fs_dev_disable_sound(); } - else if (!arg_noautopulse) + else if (!arg_keep_config_pulse) pulseaudio_init(); if (arg_no3d) @@ -1041,22 +1039,13 @@ int sandbox(void* sandbox_arg) { if (arg_novideo) fs_dev_disable_video(); - //**************************** - // install trace - //**************************** - if (need_preload) - fs_trace(); + if (arg_noinput) + fs_dev_disable_input(); //**************************** // set dns //**************************** - fs_resolvconf(); - - //**************************** - // fs post-processing - //**************************** - fs_logger_print(); - fs_logger_change_owner(); + fs_rebuild_etc(); //**************************** // start dhcp client @@ -1106,6 +1095,12 @@ int sandbox(void* sandbox_arg) { // save original umask save_umask(); + //**************************** + // fs post-processing + //**************************** + fs_logger_print(); + fs_logger_change_owner(); + //**************************** // set security filters //**************************** @@ -1119,7 +1114,6 @@ int sandbox(void* sandbox_arg) { save_cgroup(); // set seccomp -#ifdef HAVE_SECCOMP // install protocol filter #ifdef SYS_socket if (cfg.protocol) { 
@@ -1163,17 +1157,23 @@ int sandbox(void* sandbox_arg) { // make seccomp filters read-only fs_remount(RUN_SECCOMP_DIR, MOUNT_READONLY, 0); seccomp_debug(); -#endif + //**************************** + // install trace - still need capabilities + //**************************** + if (need_preload) + fs_trace(); + + //**************************** + // continue security filters + //**************************** // set capabilities set_caps(); //**************************************** - // communicate progress of sandbox set up - // to --join + // relay status information to join option //**************************************** - - FILE *rj = create_ready_for_join_file(); + char *set_sandbox_status = create_join_file(); //**************************************** // create a new user namespace @@ -1233,7 +1233,6 @@ int sandbox(void* sandbox_arg) { //**************************************** // set cpu affinity //**************************************** - if (cfg.cpus) set_cpu_affinity(); @@ -1246,7 +1245,6 @@ int sandbox(void* sandbox_arg) { if (app_pid == 0) { #ifdef HAVE_APPARMOR - // add apparmor confinement after the execve set_apparmor(); #endif @@ -1255,19 +1253,23 @@ int sandbox(void* sandbox_arg) { set_nice(cfg.nice); set_rlimits(); - start_application(0, rj); + start_application(0, -1, set_sandbox_status); } - fclose(rj); + munmap(set_sandbox_status, 1); int status = monitor_application(app_pid); // monitor application - flush_stdin(); if (WIFEXITED(status)) { // if we had a proper exit, return that exit status - return WEXITSTATUS(status); + status = WEXITSTATUS(status); + } else if (WIFSIGNALED(status)) { + // distinguish fatal signals by adding 128 + status = 128 + WTERMSIG(status); } else { - // something else went wrong! - return -1; + status = -1; } + + flush_stdin(); + return status; } diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index 91c658f9679..37111324a44 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -31,12 +31,12 @@ #define O_PATH 010000000 #endif -static int sbox_do_exec_v(unsigned filtermask, char * const arg[]) { +static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char * const arg[]) { // build a new, clean environment int env_index = 0; char *new_environment[256] = { NULL }; // preserve firejail-specific env vars - char *cl = getenv("FIREJAIL_FILE_COPY_LIMIT"); + const char *cl = env_get("FIREJAIL_FILE_COPY_LIMIT"); if (cl) { if (asprintf(&new_environment[env_index++], "FIREJAIL_FILE_COPY_LIMIT=%s", cl) == -1) errExit("asprintf"); @@ -45,6 +45,10 @@ static int sbox_do_exec_v(unsigned filtermask, char * const arg[]) { new_environment[env_index++] = "FIREJAIL_QUIET=yes"; if (arg_debug) // --debug is passed as an environment variable new_environment[env_index++] = "FIREJAIL_DEBUG=yes"; + if (cfg.seccomp_error_action) + if (asprintf(&new_environment[env_index++], "FIREJAIL_SECCOMP_ERROR_ACTION=%s", cfg.seccomp_error_action) == -1) + errExit("asprintf"); + new_environment[env_index++] = "FIREJAIL_PLUGIN="; // always set if (filtermask & SBOX_STDIN_FROM_FILE) { int fd; @@ -116,7 +120,7 @@ static int sbox_do_exec_v(unsigned filtermask, char * const arg[]) { // handle X32 ABI BPF_JUMP(BPF_JMP + BPF_JGE + BPF_K, X32_SYSCALL_BIT, 1, 0), BPF_JUMP(BPF_JMP + BPF_JGE + BPF_K, 0, 1, 0), - RETURN_ERRNO(EPERM), + KILL_OR_RETURN_ERRNO, #endif // syscall list 
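Review bot: `new_environment[256]` is filled by incrementing `env_index` with no bound check, and this hunk adds two more entries (`FIREJAIL_SECCOMP_ERROR_ACTION=%s` and `FIREJAIL_PLUGIN=`); add an assert that `env_index` stays below the array size, leaving room for the terminating NULL, so a future addition cannot overrun it silently. Also brace the nested `if (cfg.seccomp_error_action) if (asprintf(...) == -1) errExit("asprintf");` to avoid a dangling-else surprise later.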
@@ -199,15 +203,16 @@ static int sbox_do_exec_v(unsigned filtermask, char * const arg[]) { } } - if (filtermask & SBOX_ROOT) { + if (filtermask & SBOX_USER) + drop_privs(1); + else if (filtermask & SBOX_ROOT) { // elevate privileges in order to get grsecurity working if (setreuid(0, 0)) errExit("setreuid"); if (setregid(0, 0)) errExit("setregid"); } - else if (filtermask & SBOX_USER) - drop_privs(1); + else assert(0); if (arg[0]) { // get rid of scan-build warning int fd = open(arg[0], O_PATH | O_CLOEXEC); @@ -243,7 +248,9 @@ int sbox_run(unsigned filtermask, int num, ...) { va_start(valist, num); // build argument list - char **arg = malloc((num + 1) * sizeof(char *)); + char **arg = calloc(num + 1, sizeof(char *)); + if (!arg) + errExit("calloc"); int i; for (i = 0; i < num; i++) arg[i] = va_arg(valist, char *); @@ -258,7 +265,7 @@ int sbox_run(unsigned filtermask, int num, ...) { } int sbox_run_v(unsigned filtermask, char * const arg[]) { - EUID_ROOT(); + assert(arg); if (arg_debug) { printf("sbox run: "); @@ -277,6 +284,7 @@ int sbox_run_v(unsigned filtermask, char * const arg[]) { if (child < 0) errExit("fork"); if (child == 0) { + EUID_ROOT(); sbox_do_exec_v(filtermask, arg); } @@ -284,8 +292,8 @@ int sbox_run_v(unsigned filtermask, char * const arg[]) { if (waitpid(child, &status, 0) == -1 ) { errExit("waitpid"); } - if (WIFEXITED(status) && status != 0) { - fprintf(stderr, "Error: failed to run %s\n", arg[0]); + if (WIFEXITED(status) && WEXITSTATUS(status) != 0) { + fprintf(stderr, "Error: failed to run %s, exiting...\n", arg[0]); exit(1); } diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 7f55ccc0e98..3d9bf9082e5 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * 
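Review bot: `else assert(0);` in the SBOX_USER / SBOX_ROOT selection is compiled out under NDEBUG, and then a filtermask with neither bit set falls through and the exec proceeds with whatever privileges the caller had; replace it with an unconditional error exit (`fprintf(stderr, ...); exit(1);` or errExit) so the check also holds in release builds.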
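Review bot: `WIFEXITED(status) && WEXITSTATUS(status) != 0` fixes the earlier comparison of the raw wait status, but a helper killed by a signal (`WIFSIGNALED`) still falls through and sbox_run_v reports success; treat `!WIFEXITED(status)` as failure as well, otherwise a seccomp-killed fseccomp/fnet run goes unnoticed.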
@@ -18,7 +18,6 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ -#ifdef HAVE_SECCOMP #include "firejail.h" #include "../include/seccomp.h" #include @@ -87,7 +86,7 @@ int seccomp_install_filters(void) { static void seccomp_save_file_list(const char *fname) { assert(fname); - FILE *fp = fopen(RUN_SECCOMP_LIST, "a+"); + FILE *fp = fopen(RUN_SECCOMP_LIST, "ae"); if (!fp) errExit("fopen"); @@ -100,7 +99,7 @@ static void seccomp_save_file_list(const char *fname) { #define MAXBUF 4096 static int load_file_list_flag = 0; void seccomp_load_file_list(void) { - FILE *fp = fopen(RUN_SECCOMP_LIST, "r"); + FILE *fp = fopen(RUN_SECCOMP_LIST, "re"); if (!fp) return; // no seccomp configuration whatsoever @@ -123,7 +122,7 @@ int seccomp_load(const char *fname) { assert(fname); // open filter file - int fd = open(fname, O_RDONLY); + int fd = open(fname, O_RDONLY|O_CLOEXEC); if (fd == -1) goto errexit; @@ -209,7 +208,8 @@ int seccomp_filter_drop(bool native) { // - seccomp if (cfg.seccomp_list_drop == NULL) { // default seccomp if error action is not changed - if (cfg.seccomp_list == NULL && cfg.seccomp_error_action) { + if ((cfg.seccomp_list == NULL || cfg.seccomp_list[0] == '\0') + && arg_seccomp_error_action == DEFAULT_SECCOMP_ERROR_ACTION) { if (arg_seccomp_block_secondary) seccomp_filter_block_secondary(); else { 
@@ -222,11 +222,29 @@ int seccomp_filter_drop(bool native) { } // default seccomp filter with additional drop list else { // cfg.seccomp_list != NULL - if (arg_seccomp_block_secondary) + int rv; + + if (arg_seccomp_block_secondary) { + if (arg_seccomp_error_action != DEFAULT_SECCOMP_ERROR_ACTION) { + if (arg_debug) + printf("Rebuild secondary block seccomp filter\n"); + rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4, + PATH_FSECCOMP, "secondary", "block", RUN_SECCOMP_BLOCK_SECONDARY); + if (rv) + exit(rv); + } seccomp_filter_block_secondary(); - else { + } else { #if defined(__x86_64__) #if defined(__LP64__) + if (arg_seccomp_error_action != DEFAULT_SECCOMP_ERROR_ACTION) { + if (arg_debug) + printf("Rebuild 32 bit seccomp filter\n"); + rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4, + PATH_FSECCOMP, "secondary", "32", RUN_SECCOMP_32); + if (rv) + exit(rv); + } seccomp_filter_32(); #endif #endif 
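Review bot: the two rebuild blocks (`"secondary", "block", RUN_SECCOMP_BLOCK_SECONDARY` and `"secondary", "32", RUN_SECCOMP_32`) differ only in the fseccomp argument and the output path; factor them into one helper taking those two strings so the `if (rv) exit(rv);` handling lives in one place. Note also that with a non-default `arg_seccomp_error_action` the secondary filter is now rebuilt on every sandbox start; confirm that cost is acceptable or cache the result.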
@@ -243,16 +261,22 @@ int seccomp_filter_drop(bool native) { list = cfg.seccomp_list32; } - if (list == NULL) - list = ""; // build the seccomp filter as a regular user - int rv; - if (arg_allow_debuggers) - rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7, - PATH_FSECCOMP, command, "drop", filter, postexec_filter, list, "allow-debuggers"); + if (list && list[0]) + if (arg_allow_debuggers) + rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7, + PATH_FSECCOMP, command, "drop", filter, postexec_filter, list, "allow-debuggers"); + else + rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6, + PATH_FSECCOMP, command, "drop", filter, postexec_filter, list); else - rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6, - PATH_FSECCOMP, command, "drop", filter, postexec_filter, list); + if (arg_allow_debuggers) + rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4, + PATH_FSECCOMP, command, filter, "allow-debuggers"); + else + rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3, + PATH_FSECCOMP, command, filter); + if (rv) exit(rv); @@ -415,7 +439,7 @@ void seccomp_print_filter(pid_t pid) { if (stat(fname, &s) == -1) goto errexit; - FILE *fp = fopen(fname, "r"); + FILE *fp = fopen(fname, "re"); if (!fp) goto errexit; free(fname); @@ -445,5 +469,3 @@ void seccomp_print_filter(pid_t pid) { printf("Cannot access seccomp filter.\n"); exit(1); } - -#endif // HAVE_SECCOMP diff --git a/src/firejail/selinux.c b/src/firejail/selinux.c index 52d6788efcb..fa59882ed74 100644 --- a/src/firejail/selinux.c +++ b/src/firejail/selinux.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2020 Firejail and systemd authors + * Copyright (C) 2020-2021 Firejail and systemd authors * * This file is part of firejail project, from systemd selinux-util.c * @@ -19,10 +19,14 @@ */ #if HAVE_SELINUX #include "firejail.h" - #include #include +#include + #include +#ifndef O_PATH +#define O_PATH 010000000 +#endif #include #include 
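Review bot: the brace-less nesting `if (list && list[0]) if (arg_allow_debuggers) ... else ... else if (arg_allow_debuggers) ... else ...` is correct only because each inner `if` carries its own `else`; add braces around the two outer branches so a later edit cannot silently re-bind an `else`. `rv` is declared in the previous hunk without an initialiser; give it `int rv = 0;` so the `if (rv) exit(rv);` below is obviously well-defined on every path.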
@@ -35,7 +39,7 @@ static int selinux_enabled = -1; void selinux_relabel_path(const char *path, const char *inside_path) { #if HAVE_SELINUX - char procfs_path[64]; + char procfs_path[64]; char *fcon = NULL; int fd; struct stat st; @@ -43,26 +47,48 @@ void selinux_relabel_path(const char *path, const char *inside_path) if (selinux_enabled == -1) selinux_enabled = is_selinux_enabled(); - if (!selinux_enabled && arg_debug) + if (!selinux_enabled) return; if (!label_hnd) label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0); - /* Open the file as O_PATH, to pin it while we determine and adjust the label */ - fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH); + if (!label_hnd) + errExit("selabel_open"); + + /* Open the file as O_PATH, to pin it while we determine and adjust the label + * Defeat symlink races by not allowing symbolic links */ + int called_as_root = 0; + if (geteuid() == 0) + called_as_root = 1; + if (called_as_root) + EUID_USER(); + + fd = safer_openat(-1, path, O_NOFOLLOW|O_CLOEXEC|O_PATH); + + if (called_as_root) + EUID_ROOT(); + if (fd < 0) return; if (fstat(fd, &st) < 0) goto close; - if (selabel_lookup_raw(label_hnd, &fcon, inside_path, st.st_mode) == 0) { + if (selabel_lookup_raw(label_hnd, &fcon, inside_path, st.st_mode) == 0) { sprintf(procfs_path, "/proc/self/fd/%i", fd); if (arg_debug) printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon); - setfilecon_raw(procfs_path, fcon); - } + if (!called_as_root) + EUID_ROOT(); + + if (setfilecon_raw(procfs_path, fcon) != 0 && arg_debug) + printf("Cannot relabel %s: %s\n", path, strerror(errno)); + + if (!called_as_root) + EUID_USER(); + } + freecon(fcon); close: close(fd); diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c index a7d0b2fbe15..d1be6eed41c 100644 --- a/src/firejail/shutdown.c +++ b/src/firejail/shutdown.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * 
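Review bot: a failed `setfilecon_raw()` is now reported only when `arg_debug` is set, so in a normal run a file that keeps its old SELinux label is invisible to the user; use fwarning for the `Cannot relabel %s: %s` message. `safer_openat(-1, path, ...)` also assumes `path` is absolute (a relative path with dirfd -1 can only fail with EBADF); assert that at the top of selinux_relabel_path.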
@@ -36,8 +36,10 @@ void shut(pid_t pid) { } free(comm); } - else - errExit("/proc/PID/comm"); + else { + fprintf(stderr, "Error: cannot find process %d\n", pid); + exit(1); + } // check privileges for non-root users uid_t uid = getuid(); @@ -63,7 +65,9 @@ void shut(pid_t pid) { sleep(1); monsec--; - FILE *fp = fopen(monfile, "r"); + EUID_ROOT(); + FILE *fp = fopen(monfile, "re"); + EUID_USER(); if (!fp) { killdone = 1; break; diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 08546fa512e..43f862b9d7d 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -33,7 +33,6 @@ static char *usage_str = " --apparmor - enable AppArmor confinement.\n" " --apparmor.print=name|pid - print apparmor status.\n" " --appimage - sandbox an AppImage application.\n" - " --audit[=test-program] - audit the sandbox.\n" #ifdef HAVE_NETWORK " --bandwidth=name|pid - set bandwidth limits.\n" #endif 
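Review bot: dropping the `--audit[=test-program]` line from usage_str should go together with removing the option from the argument parser and the man page in the same commit; otherwise `--audit` either keeps working undocumented or fails with an unexplained error.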
@@ -47,18 +46,34 @@ static char *usage_str = " --caps.drop=capability,capability - blacklist capabilities filter.\n" " --caps.keep=capability,capability - whitelist capabilities filter.\n" " --caps.print=name|pid - print the caps filter.\n" +#ifdef HAVE_FILE_TRANSFER + " --cat=name|pid filename - print content of file from sandbox container.\n" +#endif " --cgroup=tasks-file - place the sandbox in the specified control group.\n" #ifdef HAVE_CHROOT " --chroot=dirname - chroot into directory.\n" #endif " --cpu=cpu-number,cpu-number - set cpu affinity.\n" " --cpu.print=name|pid - print the cpus in use.\n" +#ifdef HAVE_DBUSPROXY + " --dbus-log=file - set DBus log file location.\n" " --dbus-system=filter|none - set system DBus access policy.\n" + " --dbus-system.broadcast=rule - allow signals on the system DBus according\n" + "\tto rule.\n" + " --dbus-system.call=rule - allow calls on the system DBus according to rule.\n" + " --dbus-system.log - turn on logging for the system DBus.\n" " --dbus-system.own=name - allow ownership of name on the system DBus.\n" + " --dbus-system.see=name - allow seeing name on the system DBus.\n" " --dbus-system.talk=name - allow talking to name on the system DBus.\n" " --dbus-user=filter|none - set session DBus access policy.\n" + " --dbus-user.broadcast=rule - allow signals on the session DBus according\n" + "\tto rule.\n" + " --dbus-user.call=rule - allow calls on the session DBus according to rule.\n" + " --dbus-user.log - turn on logging for the user DBus.\n" " --dbus-user.own=name - allow ownership of name on the session DBus.\n" + " --dbus-user.see=name - allow seeing name on the session DBus.\n" " --dbus-user.talk=name - allow talking to name on the session DBus.\n" +#endif " --debug - print sandbox debug messages.\n" " --debug-blacklists - debug blacklisting.\n" " --debug-caps - print all recognized capabilities.\n" 
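Review bot: the new `--dbus-user.log - turn on logging for the user DBus.` line calls the bus "user DBus" while every neighbouring `--dbus-user.*` entry calls it the "session DBus"; use one term so the help text reads consistently.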
@@ -67,9 +82,7 @@ static char *usage_str = " --debug-protocols - print all recognized protocols.\n" " --debug-syscalls - print all recognized system calls.\n" " --debug-syscalls32 - print all recognized 32 bit system calls.\n" -#ifdef HAVE_WHITELIST " --debug-whitelists - debug whitelisting.\n" -#endif #ifdef HAVE_NETWORK " --defaultgw=address - configure default gateway.\n" #endif @@ -84,6 +97,8 @@ static char *usage_str = " --help, -? - this help screen.\n" " --hostname=name - set sandbox hostname.\n" " --hosts-file=file - use file as /etc/hosts.\n" + " --ids-check - verify file system.\n" + " --ids-init - initialize IDS database.\n" " --ignore=command - ignore command in profile files.\n" #ifdef HAVE_NETWORK " --interface=name - move interface in sandbox.\n" @@ -101,7 +116,8 @@ static char *usage_str = " --join-network=name|pid - join the network namespace.\n" #endif " --join-or-start=name|pid - join the sandbox or start a new one.\n" - " --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n" + " --keep-config-pulse - disable automatic ~/.config/pulse init.\n" + " --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n" " --keep-var-tmp - /var/tmp directory is untouched.\n" " --list - list all sandboxes.\n" #ifdef HAVE_FILE_TRANSFER @@ -111,10 +127,10 @@ static char *usage_str = " --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n" #endif " --machine-id - preserve /etc/machine-id\n" -#ifdef HAVE_SECCOMP " --memory-deny-write-execute - seccomp filter to block attempts to create\n" "\tmemory mappings that are both writable and executable.\n" -#endif + " --mkdir=dirname - create a directory.\n" + " --mkfile=filename - create a file.\n" #ifdef HAVE_NETWORK " --mtu=number - set interface MTU.\n" #endif 
@@ -129,8 +145,8 @@ static char *usage_str = " --netfilter.print=name|pid - print the firewall.\n" " --netfilter6=filename - enable IPv6 firewall.\n" " --netfilter6.print=name|pid - print the IPv6 firewall.\n" - " --netmask=address - define a network mask when dealing with unconfigured" - "\tparrent interfaces.\n" + " --netmask=address - define a network mask when dealing with unconfigured\n" + "\tparent interfaces.\n" " --netns=name - Run the program in a named, persistent network namespace.\n" " --netstats - monitor network statistics.\n" #endif @@ -141,6 +157,7 @@ static char *usage_str = " --nodvd - disable DVD and audio CD devices.\n" " --noexec=filename - remount the file or directory noexec nosuid and nodev.\n" " --nogroups - disable supplementary groups.\n" + " --noinput - disable input devices.\n" " --nonewprivs - sets the NO_NEW_PRIVS prctl.\n" " --noprofile - do not use a security profile.\n" #ifdef HAVE_USERNS @@ -151,14 +168,18 @@ static char *usage_str = " --novideo - disable video devices.\n" " --nou2f - disable U2F devices.\n" " --nowhitelist=filename - disable whitelist for file or directory.\n" +#ifdef HAVE_OUTPUT " --output=logfile - stdout logging and log rotation.\n" " --output-stderr=logfile - stdout and stderr logging and log rotation.\n" +#endif +#ifdef HAVE_OVERLAYFS " --overlay - mount a filesystem overlay on top of the current filesystem.\n" " --overlay-named=name - mount a filesystem overlay on top of the current\n" "\tfilesystem, and store it in name directory.\n" " --overlay-tmpfs - mount a temporary filesystem overlay on top of the\n" "\tcurrent filesystem.\n" " --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n" +#endif " --private - temporary home directory.\n" " --private=directory - use directory as user home.\n" " --private-cache - temporary ~/.cache directory.\n" 
@@ -203,7 +224,6 @@ static char *usage_str = #ifdef HAVE_NETWORK " --scan - ARP-scan all the networks from inside a network namespace.\n" #endif -#ifdef HAVE_SECCOMP " --seccomp - enable seccomp filter and apply the default blacklist.\n" " --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n" "\tdefault syscall list and the syscalls specified by the command.\n" @@ -215,8 +235,8 @@ static char *usage_str = " --seccomp.print=name|pid - print the seccomp filter for the sandbox\n" "\tidentified by name or PID.\n" " --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n" - " --seccomp-error-action=errno|kill - change error code or kill process.\n" -#endif + " --seccomp-error-action=errno|kill|log - change error code, kill process\n" + "\tor log the attempt.\n" " --shell=none - run the program directly without a user shell.\n" " --shell=program - set default user shell.\n" " --shutdown=name|pid - shutdown the sandbox identified by name or PID.\n" @@ -234,9 +254,7 @@ static char *usage_str = #ifdef HAVE_NETWORK " --veth-name=name - use this name for the interface connected to the bridge.\n" #endif -#ifdef HAVE_WHITELIST " --whitelist=filename - whitelist directory or file.\n" -#endif " --writable-etc - /etc directory is mounted read-write.\n" " --writable-run-user - allow access to /run/user/$UID/systemd and\n" "\t/run/user/$UID/gnupg.\n" diff --git a/src/firejail/util.c b/src/firejail/util.c index 6bfc80903e1..f0df45eb2a3 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -19,6 +19,7 @@ */ #define _XOPEN_SOURCE 500 #include "firejail.h" +#include "../include/gcov_wrapper.h" #include #include #include 
@@ -29,10 +30,19 @@ #include #include #include +#include + +#include +#include #include #ifndef O_PATH -# define O_PATH 010000000 +#define O_PATH 010000000 +#endif + +#include +#ifdef __NR_openat2 +#include #endif #define MAX_GROUPS 1024 @@ -40,6 +50,44 @@ #define EMPTY_STRING ("") +long long unsigned parse_arg_size(char *str) { + long long unsigned result = 0; + int len = strlen(str); + sscanf(str, "%llu", &result); + + char suffix = *(str + len - 1); + if (!isdigit(suffix) && (suffix == 'k' || suffix == 'm' || suffix == 'g')) { + len -= 1; + } + + /* checks for is value valid positive number */ + for (int i = 0; i < len; i++) { + if (!isdigit(*(str+i))) { + return 0; + } + } + + if (isdigit(suffix)) + return result; + + switch (suffix) { + case 'k': + result *= 1024; + break; + case 'm': + result *= 1024 * 1024; + break; + case 'g': + result *= 1024 * 1024 * 1024; + break; + default: + result = 0; + break; + } + + return result; +} + // send the error to /var/log/auth.log and exit after a small delay void errLogExit(char* fmt, ...) { va_list args; @@ -69,10 +117,11 @@ static void clean_supplementary_groups(gid_t gid) { goto clean_all; // clean supplementary group list - // allow only tty, audio, video, games + // allow only firejail, tty, audio, video, games gid_t new_groups[MAX_GROUPS]; int new_ngroups = 0; char *allowed[] = { + "firejail", "tty", "audio", "video", @@ -280,8 +329,9 @@ static int copy_file_by_fd(int src, int dst) { done += rv; } } -// fflush(0); - return 0; + if (len == 0) + return 0; + return -1; } // return -1 if error, 0 if no error; if destname already exists, return error 
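Review bot: parse_arg_size reads `*(str + len - 1)` before checking `len > 0`, so an empty argument reads one byte before the buffer; add `if (len == 0) return 0;` first. The `!isdigit(suffix) &&` guard is redundant next to the explicit `k`/`m`/`g` comparison, `isdigit()` should be fed `(unsigned char)` values, and the multiplications in the switch can overflow `long long unsigned` undetected for large inputs; check against `ULLONG_MAX / multiplier` and return 0 on overflow, since callers already treat 0 as the error value.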
@@ -290,14 +340,14 @@ int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, m assert(destname); // open source - int src = open(srcname, O_RDONLY); + int src = open(srcname, O_RDONLY|O_CLOEXEC); if (src < 0) { fwarning("cannot open source file %s, file not copied\n", srcname); return -1; } // open destination - int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); + int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC|O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); if (dst < 0) { fwarning("cannot open destination file %s, file not copied\n", destname); close(src); @@ -317,7 +367,7 @@ int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, m } // return -1 if error, 0 if no error -void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) { +void copy_file_as_user(const char *srcname, const char *destname, mode_t mode) { pid_t child = fork(); if (child < 0) errExit("fork"); @@ -325,13 +375,13 @@ void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid // drop privileges drop_privs(0); - // copy, set permissions and ownership - int rv = copy_file(srcname, destname, uid, gid, mode); // already a regular user + // copy, set permissions + int rv = copy_file(srcname, destname, -1, -1, mode); // already a regular user if (rv) fwarning("cannot copy %s\n", srcname); -#ifdef HAVE_GCOV + __gcov_flush(); -#endif + _exit(0); } // wait for the child to finish 
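Review bot: `copy_file_as_user()` drops its uid/gid parameters and now passes `-1, -1` to copy_file(), so every caller and the prototype in firejail.h must change in the same commit; also the `// return -1 if error, 0 if no error` comment directly above it is wrong for a void function that only warns, so fix or remove it while touching this line.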
@@ -340,7 +390,7 @@ void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) { // open destination - int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); + int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC|O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); if (dst < 0) { fwarning("cannot open destination file %s, file not copied\n", destname); return; @@ -353,7 +403,7 @@ void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_ // drop privileges drop_privs(0); - int src = open(srcname, O_RDONLY); + int src = open(srcname, O_RDONLY|O_CLOEXEC); if (src < 0) { fwarning("cannot open source file %s, file not copied\n", srcname); } else { @@ -363,9 +413,9 @@ void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_ close(src); } close(dst); -#ifdef HAVE_GCOV + __gcov_flush(); -#endif + _exit(0); } // wait for the child to finish @@ -386,15 +436,17 @@ void touch_file_as_user(const char *fname, mode_t mode) { // drop privileges drop_privs(0); - FILE *fp = fopen(fname, "wx"); - if (fp) { - fprintf(fp, "\n"); - SET_PERMS_STREAM(fp, -1, -1, mode); - fclose(fp); + int fd = open(fname, O_RDONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR); + if (fd > -1) { + int err = fchmod(fd, mode); + (void) err; + close(fd); } -#ifdef HAVE_GCOV + else + fwarning("cannot create %s\n", fname); + __gcov_flush(); -#endif + _exit(0); } // wait for the child to finish @@ -411,14 +463,14 @@ int is_dir(const char *fname) { int rv; struct stat s; if (fname[strlen(fname) - 1] == '/') - rv = stat(fname, &s); + rv = stat_as_user(fname, &s); else { char *tmp; if (asprintf(&tmp, "%s/", fname) == -1) { fprintf(stderr, "Error: cannot allocate memory, %s:%d\n", __FILE__, __LINE__); errExit("asprintf"); } - rv = stat(tmp, &s); + rv = stat_as_user(tmp, &s); free(tmp); } 
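Review bot: with `O_CREAT|O_EXCL` the new `fwarning("cannot create %s\n", fname)` fires whenever the file already exists, a case the old `fopen(fname, "wx")` path ignored silently; check `errno != EEXIST` before warning. The `fchmod(fd, mode)` result is discarded via `(void) err`; at least report it under arg_debug, and mask `mode &= 07777` as create_empty_dir_as_user does.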
@@ -431,35 +483,87 @@ int is_dir(const char *fname) { return 0; } - // return 1 if the file is a link int is_link(const char *fname) { assert(fname); if (*fname == '\0') return 0; - char *dup = NULL; - struct stat s; - if (lstat(fname, &s) == 0) { - if (S_ISLNK(s.st_mode)) - return 1; - if (S_ISDIR(s.st_mode)) { - // remove trailing slashes and single dots and try again - dup = strdup(fname); - if (!dup) - errExit("strdup"); - trim_trailing_slash_or_dot(dup); - if (lstat(dup, &s) == 0) { - if (S_ISLNK(s.st_mode)) { - free(dup); - return 1; - } - } - } - } + int called_as_root = 0; + if (geteuid() == 0) + called_as_root = 1; - free(dup); - return 0; + if (called_as_root) + EUID_USER(); + + // remove trailing '/' if any + char *tmp = strdup(fname); + if (!tmp) + errExit("strdup"); + trim_trailing_slash_or_dot(tmp); + + char c; + ssize_t rv = readlink(tmp, &c, 1); + free(tmp); + + if (called_as_root) + EUID_ROOT(); + + return (rv != -1); +} + +char *realpath_as_user(const char *fname) { + assert(fname); + + int called_as_root = 0; + if (geteuid() == 0) + called_as_root = 1; + + if (called_as_root) + EUID_USER(); + + char *rv = realpath(fname, NULL); + + if (called_as_root) + EUID_ROOT(); + + return rv; +} + +int stat_as_user(const char *fname, struct stat *s) { + assert(fname); + + int called_as_root = 0; + if (geteuid() == 0) + called_as_root = 1; + + if (called_as_root) + EUID_USER(); + + int rv = stat(fname, s); + + if (called_as_root) + EUID_ROOT(); + + return rv; +} + +int lstat_as_user(const char *fname, struct stat *s) { + assert(fname); + + int called_as_root = 0; + if (geteuid() == 0) + called_as_root = 1; + + if (called_as_root) + EUID_USER(); + + int rv = lstat(fname, s); + + if (called_as_root) + EUID_ROOT(); + + return rv; } // remove all slashes and single dots from the end of a path 
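Review bot: is_link, realpath_as_user, stat_as_user and lstat_as_user each repeat the same `called_as_root` / `EUID_USER()` / `EUID_ROOT()` preamble and epilogue; a small helper or macro that runs one call with user privileges would remove the duplication and keep the save/restore logic in one place. In is_link, `readlink(tmp, &c, 1)` returns -1 with EINVAL for a non-link and ENOENT for a missing path, and both are reported as "not a link"; that matches the old behaviour, but say so in a comment.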
@@ -547,37 +651,38 @@ char *split_comma(char *str) { } -// remove consecutive and trailing slashes -// and return allocated memory -// e.g. /home//user/ -> /home/user +// simplify absolute path by removing +// 1) consecutive and trailing slashes, and +// 2) segments with a single dot +// for example /foo//./bar/ -> /foo/bar char *clean_pathname(const char *path) { - assert(path); + assert(path && path[0] == '/'); + size_t len = strlen(path); char *rv = malloc(len + 1); if (!rv) errExit("malloc"); - if (len > 0) { - size_t i = 0, j = 0, cnt = 0; - for (; i < len; i++) { - if (path[i] == '/') - cnt++; - else - cnt = 0; - - if (cnt < 2) { - rv[j] = path[i]; - j++; - } + size_t i = 0; + size_t j = 0; + while (path[i]) { + if (path[i] == '/') { + while (path[i+1] == '/' || + (path[i+1] == '.' && path[i+2] == '/')) + i++; } - rv[j] = '\0'; - // remove a trailing slash - if (j > 1 && rv[j - 1] == '/') - rv[j - 1] = '\0'; + rv[j++] = path[i++]; } - else - *rv = '\0'; + rv[j] = '\0'; + + // remove a trailing dot + if (j > 1 && rv[j - 1] == '.' && rv[j - 2] == '/') + rv[--j] = '\0'; + + // remove a trailing slash + if (j > 1 && rv[j - 1] == '/') + rv[--j] = '\0'; return rv; } @@ -628,7 +733,7 @@ int find_child(pid_t parent, pid_t *child) { perror("asprintf"); exit(1); } - FILE *fp = fopen(file, "r"); + FILE *fp = fopen(file, "re"); if (!fp) { free(file); continue; @@ -646,8 +751,15 @@ int find_child(pid_t parent, pid_t *child) { fprintf(stderr, "Error: cannot read /proc file\n"); exit(1); } - if (parent == atoi(ptr)) - *child = pid; + if (parent == atoi(ptr)) { + // we don't want /usr/bin/xdg-dbus-proxy! + char *cmdline = pid_proc_cmdline(pid); + if (cmdline) { + if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) != 0) + *child = pid; + free(cmdline); + } + } break; // stop reading the file } } 
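Review bot: clean_pathname now asserts `path[0] == '/'` where the old version accepted any string including "", so callers that pass a relative or empty path will abort instead of getting a copy back; audit them in this change. The loop itself is correct for the documented cases (`/foo//./bar/` -> `/foo/bar`, and `/./.` collapses to `/`), and `..` segments are deliberately left untouched, which is worth stating in the header comment.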
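Review bot: in find_child, when the first matching child is the proxy (`strncmp(cmdline, XDG_DBUS_PROXY_PATH, ...) == 0`) `*child` stays unset but the `break` still ends the scan of that status file; confirm the outer loop over /proc continues so the real child is found, and that a NULL cmdline (process already gone) is intended to be skipped rather than matched.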
@@ -729,7 +841,7 @@ void update_map(char *mapping, char *map_file) { if (mapping[j] == ',') mapping[j] = '\n'; - fd = open(map_file, O_RDWR); + fd = open(map_file, O_RDWR|O_CLOEXEC); if (fd == -1) { fprintf(stderr, "Error: cannot open %s: %s\n", map_file, strerror(errno)); exit(EXIT_FAILURE); @@ -749,9 +861,9 @@ void wait_for_other(int fd) { // wait for the parent to be initialized //**************************** char childstr[BUFLEN + 1]; - int newfd = dup(fd); + int newfd = fcntl(fd, F_DUPFD_CLOEXEC, 0); if (newfd == -1) - errExit("dup"); + errExit("fcntl"); FILE* stream; stream = fdopen(newfd, "r"); *childstr = '\0'; @@ -798,29 +910,15 @@ void wait_for_other(int fd) { void notify_other(int fd) { FILE* stream; - int newfd = dup(fd); + int newfd = fcntl(fd, F_DUPFD_CLOEXEC, 0); if (newfd == -1) - errExit("dup"); + errExit("fcntl"); stream = fdopen(newfd, "w"); fprintf(stream, "arg_noroot=%d\n", arg_noroot); fflush(stream); fclose(stream); } - - - -// Equivalent to the GNU version of basename, which is incompatible with -// the POSIX basename. A few lines of code saves any portability pain. -// https://www.gnu.org/software/libc/manual/html_node/Finding-Tokens-in-a-String.html#index-basename -const char *gnu_basename(const char *path) { - const char *last_slash = strrchr(path, '/'); - if (!last_slash) - return path; - return last_slash+1; -} - - uid_t pid_get_uid(pid_t pid) { EUID_ASSERT(); uid_t rv = 0; @@ -832,7 +930,7 @@ uid_t pid_get_uid(pid_t pid) { exit(1); } EUID_ROOT(); // grsecurity fix - FILE *fp = fopen(file, "r"); + FILE *fp = fopen(file, "re"); if (!fp) { free(file); fprintf(stderr, "Error: cannot open /proc file\n"); 
@@ -900,35 +998,37 @@ static int remove_callback(const char *fpath, const struct stat *sb, int typefla int remove_overlay_directory(void) { EUID_ASSERT(); - struct stat s; sleep(1); char *path; if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1) errExit("asprintf"); - if (lstat(path, &s) == 0) { - // deal with obvious problems such as symlinks and root ownership - if (!S_ISDIR(s.st_mode)) { - if (S_ISLNK(s.st_mode)) - fprintf(stderr, "Error: %s is a symbolic link\n", path); - else - fprintf(stderr, "Error: %s is not a directory\n", path); - exit(1); - } - if (s.st_uid != getuid()) { - fprintf(stderr, "Error: %s is not owned by the current user\n", path); - exit(1); - } - + if (access(path, F_OK) == 0) { pid_t child = fork(); if (child < 0) errExit("fork"); if (child == 0) { - // open ~/.firejail, fails if there is any symlink - int fd = safe_fd(path, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); - if (fd == -1) - errExit("safe_fd"); + // open ~/.firejail + int fd = safer_openat(-1, path, O_PATH|O_NOFOLLOW|O_CLOEXEC); + if (fd == -1) { + fprintf(stderr, "Error: cannot open %s\n", path); + exit(1); + } + struct stat s; + if (fstat(fd, &s) == -1) + errExit("fstat"); + if (!S_ISDIR(s.st_mode)) { + if (S_ISLNK(s.st_mode)) + fprintf(stderr, "Error: %s is a symbolic link\n", path); + else + fprintf(stderr, "Error: %s is not a directory\n", path); + exit(1); + } + if (s.st_uid != getuid()) { + fprintf(stderr, "Error: %s is not owned by the current user\n", path); + exit(1); + } // chdir to ~/.firejail if (fchdir(fd) == -1) errExit("fchdir"); 
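Review bot: `access(path, F_OK)` in the parent follows symlinks, so a symlinked ~/.firejail still enters the fork; the child's `safer_openat(..., O_NOFOLLOW)` plus fstat catches it, but on a kernel with openat2 the RESOLVE_NO_SYMLINKS path fails with ELOOP and the user only sees `Error: cannot open %s` instead of the `is a symbolic link` message; include `strerror(errno)` in that message so the cause is visible.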
@@ -943,39 +1043,49 @@ int remove_overlay_directory(void) { // remove ~/.firejail if (rmdir(path) == -1) errExit("rmdir"); -#ifdef HAVE_GCOV + __gcov_flush(); -#endif + _exit(0); } // wait for the child to finish waitpid(child, NULL, 0); // check if ~/.firejail was deleted - if (stat(path, &s) == 0) + if (access(path, F_OK) == 0) return 1; } return 0; } +// flush stdin if it is connected to a tty and has input void flush_stdin(void) { - if (isatty(STDIN_FILENO)) { - int cnt = 0; - int rv = ioctl(STDIN_FILENO, FIONREAD, &cnt); - if (rv == 0 && cnt) { - fwarning("removing %d bytes from stdin\n", cnt); - rv = ioctl(STDIN_FILENO, TCFLSH, TCIFLUSH); - (void) rv; - } - } + if (!isatty(STDIN_FILENO)) + return; + + int cnt = 0; + int rv = ioctl(STDIN_FILENO, FIONREAD, &cnt); + if (rv != 0 || cnt == 0) + return; + + fwarning("removing %d bytes from stdin\n", cnt); + + // If this process is backgrounded, below ioctl() will trigger + // SIGTTOU and stop us. We avoid this by ignoring SIGTTOU for + // the duration of the ioctl. + sighandler_t hdlr = signal(SIGTTOU, SIG_IGN); + rv = ioctl(STDIN_FILENO, TCFLSH, TCIFLUSH); + signal(SIGTTOU, hdlr); + + if (rv) + fwarning("Flushing stdin failed: %s\n", strerror(errno)); } // return 1 if new directory was created, else return 0 int create_empty_dir_as_user(const char *dir, mode_t mode) { assert(dir); mode &= 07777; - struct stat s; - if (stat(dir, &s)) { + if (access(dir, F_OK) != 0) { if (arg_debug) printf("Creating empty %s directory\n", dir); pid_t child = fork(); 
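Review bot: `sighandler_t hdlr = signal(SIGTTOU, SIG_IGN);` uses a GNU extension type, and util.c sets `_XOPEN_SOURCE 500` at the top; unless _GNU_SOURCE is defined elsewhere (firejail.h or CFLAGS) this will not compile, so use `void (*hdlr)(int)` or sigaction(2) instead. The handler restore after the ioctl and the new `Flushing stdin failed` warning are fine.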
@@ -986,22 +1096,18 @@ int create_empty_dir_as_user(const char *dir, mode_t mode) { drop_privs(0); if (mkdir(dir, mode) == 0) { - if (chmod(dir, mode) == -1) - {;} // do nothing + int err = chmod(dir, mode); + (void) err; } - else if (arg_debug) { - char *str; - if (asprintf(&str, "Directory %s not created", dir) == -1) - errExit("asprintf"); - perror(str); - } -#ifdef HAVE_GCOV + else if (arg_debug) + printf("Directory %s not created: %s\n", dir, strerror(errno)); + __gcov_flush(); -#endif + _exit(0); } waitpid(child, NULL, 0); - if (stat(dir, &s) == 0) + if (access(dir, F_OK) == 0) return 1; } return 0; @@ -1034,9 +1140,10 @@ void create_empty_file_as_root(const char *fname, mode_t mode) { if (stat(fname, &s)) { if (arg_debug) printf("Creating empty %s file\n", fname); - /* coverity[toctou] */ - FILE *fp = fopen(fname, "w"); + // don't fail if file already exists. This can be the case in a race + // condition, when two jails launch at the same time. Compare to #1013 + FILE *fp = fopen(fname, "we"); if (!fp) errExit("fopen"); SET_PERMS_STREAM(fp, 0, 0, mode); 
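Review bot: the new comment says the open must not fail if the file already exists, but the surrounding `if (stat(fname, &s))` guard still leaves a window between stat and `fopen(fname, "we")`; since "w" truncates and the file is meant to be empty the race is harmless, so say that explicitly and keep the removed `/* coverity[toctou] */` annotation so the scanner does not re-flag it.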
@@ -1111,20 +1218,35 @@ unsigned extract_timeout(const char *str) { } void disable_file_or_dir(const char *fname) { + assert(geteuid() == 0); + assert(fname); + + EUID_USER(); + int fd = open(fname, O_PATH|O_CLOEXEC); + EUID_ROOT(); + if (fd < 0) + return; + struct stat s; - if (stat(fname, &s) != -1) { - if (arg_debug) - printf("blacklist %s\n", fname); - if (is_dir(fname)) { - if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0) - errExit("disable directory"); - } - else { - if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0) - errExit("disable file"); - } - fs_logger2("blacklist", fname); + if (fstat(fd, &s) < 0) { // FUSE + if (errno != EACCES) + errExit("fstat"); + close(fd); + return; } + + if (arg_debug) + printf("blacklist %s\n", fname); + if (S_ISDIR(s.st_mode)) { + if (bind_mount_path_to_fd(RUN_RO_DIR, fd) < 0) + errExit("disable directory"); + } + else { + if (bind_mount_path_to_fd(RUN_RO_FILE, fd) < 0) + errExit("disable file"); + } + close(fd); + fs_logger2("blacklist", fname); } void disable_file_path(const char *path, const char *file) { 
@@ -1139,46 +1261,62 @@ void disable_file_path(const char *path, const char *file) { free(fname); } -// open file without following any symbolic link -// returns a file descriptor on success, or -1 if a symlink is found -int safe_fd(const char *path, int flags) { - assert(path); - if (*path != '/') - goto errexit; - if (strstr(path, "..")) - goto errexit; +// open an existing file without following any symbolic link +// relative paths are interpreted relative to dirfd +// ignore dirfd if path is absolute +// https://web.archive.org/web/20180419120236/https://blogs.gnome.org/jamesh/2018/04/19/secure-mounts +int safer_openat(int dirfd, const char *path, int flags) { + assert(path && path[0]); + flags |= O_NOFOLLOW; - int parentfd = open("/", O_PATH|O_DIRECTORY|O_CLOEXEC); - if (parentfd == -1) - errExit("open"); int fd = -1; - char *last_tok = EMPTY_STRING; +#ifdef __NR_openat2 // kernel 5.6 or better + struct open_how oh; + memset(&oh, 0, sizeof(oh)); + oh.flags = flags; + oh.resolve = RESOLVE_NO_SYMLINKS; + fd = syscall(__NR_openat2, dirfd, path, &oh, sizeof(struct open_how)); + if (fd != -1 || errno != ENOSYS) + return fd; +#endif + + // openat2 syscall is not available, traverse path and + // check each component if it is a symbolic link or not char *dup = strdup(path); if (!dup) errExit("strdup"); char *tok = strtok(dup, "/"); - if (!tok) { // root directory + if (!tok) { // nothing to do, path is the root directory free(dup); - return parentfd; + return openat(dirfd, path, flags); } + char *last_tok = EMPTY_STRING; - while(1) { - // open the element, assuming it is a directory; this fails with ENOTDIR if it is a symbolic link - // if token is a single dot, the previous directory is reopened + int parentfd; + if (path[0] == '/') + parentfd = open("/", O_PATH|O_CLOEXEC); + else + parentfd = fcntl(dirfd, F_DUPFD_CLOEXEC, 0); + if (parentfd == -1) + errExit("open/fcntl"); + + while (1) { + // open path component, assuming it is a directory; this fails with ENOTDIR 
if it is a symbolic link + // if token is a single dot, the directory referred to by parentfd is reopened fd = openat(parentfd, tok, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); if (fd == -1) { - // if the following token is NULL, the current token is the final path element + // if the following token is NULL, the current token is the final path component // try again to open it, this time using the passed flags, and return -1 or the descriptor last_tok = tok; tok = strtok(NULL, "/"); if (!tok) - fd = openat(parentfd, last_tok, flags|O_NOFOLLOW); + fd = openat(parentfd, last_tok, flags); close(parentfd); free(dup); - return fd; // -1 if open failed + return fd; } - // move on to next path segment + // move on to next path component last_tok = tok; tok = strtok(NULL, "/"); if (!tok) 
@@ -1186,18 +1324,67 @@ int safe_fd(const char *path, int flags) { close(parentfd); parentfd = fd; } - - // we are here because the last path element exists and is of file type directory + // getting here when the last path component exists and is of file type directory // reopen it using the passed flags close(fd); - fd = openat(parentfd, last_tok, flags|O_NOFOLLOW); + fd = openat(parentfd, last_tok, flags); close(parentfd); free(dup); - return fd; // -1 if open failed + return fd; +} -errexit: - fprintf(stderr, "Error: cannot open \"%s\": invalid path\n", path); - exit(1); +int remount_by_fd(int dst, unsigned long mountflags) { + char *proc; + if (asprintf(&proc, "/proc/self/fd/%d", dst) < 0) + errExit("asprintf"); + + int rv = mount(NULL, proc, NULL, mountflags|MS_BIND|MS_REMOUNT, NULL); + if (rv < 0 && arg_debug) + printf("Failed mount: %s\n", strerror(errno)); + + free(proc); + return rv; +} + +int bind_mount_by_fd(int src, int dst) { + char *proc_src, *proc_dst; + if (asprintf(&proc_src, "/proc/self/fd/%d", src) < 0 || + asprintf(&proc_dst, "/proc/self/fd/%d", dst) < 0) + errExit("asprintf"); + + int rv = mount(proc_src, proc_dst, NULL, MS_BIND|MS_REC, NULL); + if (rv < 0 && arg_debug) + printf("Failed mount: %s\n", strerror(errno)); + + free(proc_src); + free(proc_dst); + return rv; +} + +int bind_mount_fd_to_path(int src, const char *destname) { + char *proc; + if (asprintf(&proc, "/proc/self/fd/%d", src) < 0) + errExit("asprintf"); + + int rv = mount(proc, destname, NULL, MS_BIND|MS_REC, NULL); + if (rv < 0 && arg_debug) + printf("Failed mount: %s\n", strerror(errno)); + + free(proc); + return rv; +} + +int bind_mount_path_to_fd(const char *srcname, int dst) { + char *proc; + if (asprintf(&proc, "/proc/self/fd/%d", dst) < 0) + errExit("asprintf"); + + int rv = mount(srcname, proc, NULL, MS_BIND|MS_REC, NULL); + if (rv < 0 && arg_debug) + printf("Failed mount: %s\n", strerror(errno)); + + free(proc); + return rv; } int has_handler(pid_t pid, int signal) { 
@@ -1254,3 +1441,69 @@ void enter_network_namespace(pid_t pid) { exit(1); } } + +// return 1 if error, 0 if a valid pid was found +static int extract_pid(const char *name, pid_t *pid) { + int retval = 0; + EUID_ASSERT(); + if (!name || strlen(name) == 0) { + fprintf(stderr, "Error: invalid sandbox name\n"); + exit(1); + } + + EUID_ROOT(); + if (name2pid(name, pid)) { + retval = 1; + } + EUID_USER(); + return retval; +} + +// return 1 if error, 0 if a valid pid was found +int read_pid(const char *name, pid_t *pid) { + char *endptr; + errno = 0; + long int pidtmp = strtol(name, &endptr, 10); + if ((errno == ERANGE && (pidtmp == LONG_MAX || pidtmp == LONG_MIN)) + || (errno != 0 && pidtmp == 0)) { + return extract_pid(name,pid); + } + // endptr points to '\0' char in name if the entire string is valid + if (endptr == NULL || endptr[0]!='\0') { + return extract_pid(name,pid); + } + *pid =(pid_t)pidtmp; + return 0; +} + +pid_t require_pid(const char *name) { + pid_t pid; + if (read_pid(name,&pid)) { + fprintf(stderr, "Error: cannot find sandbox %s\n", name); + exit(1); + } + return pid; +} + +// return 1 if there is a link somewhere in path of directory +static int has_link(const char *dir) { + assert(dir); + int fd = safer_openat(-1, dir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + if (fd != -1) + close(fd); + else if (errno == ELOOP || (errno == ENOTDIR && is_dir(dir))) + return 1; + return 0; +} + +void check_homedir(const char *dir) { + assert(dir); + if (dir[0] != '/') { + fprintf(stderr, "Error: invalid user directory \"%s\"\n", cfg.homedir); + exit(1); + } + // symlinks are rejected in many places + if (has_link(dir)) + fmessage("No full support for symbolic links in path of user directory.\n" + "Please provide resolved path in password database (/etc/passwd).\n\n"); +} diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 98ac184d959..896aa2fd343 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -34,14 +34,14 @@ #include #ifndef O_PATH -# define O_PATH 010000000 +#define O_PATH 010000000 #endif // Parse the DISPLAY environment variable and return a display number. // Returns -1 if DISPLAY is not set, or is set to anything other than :ddd. int x11_display(void) { - const char *display_str = getenv("DISPLAY"); + const char *display_str = env_get("DISPLAY"); char *endp; unsigned long display; @@ -84,7 +84,7 @@ int x11_display(void) { static int x11_abstract_sockets_present(void) { EUID_ROOT(); // grsecurity fix - FILE *fp = fopen("/proc/net/unix", "r"); + FILE *fp = fopen("/proc/net/unix", "re"); if (!fp) errExit("fopen"); EUID_USER(); @@ -204,11 +204,10 @@ static int random_display_number(void) { void x11_start_xvfb(int argc, char **argv) { EUID_ASSERT(); int i; - struct stat s; pid_t jail = 0; pid_t server = 0; - setenv("FIREJAIL_X11", "yes", 1); + env_store_name_val("FIREJAIL_X11", "yes", SETENV); // never try to run X servers as root!!! if (getuid() == 0) { @@ -326,7 +325,11 @@ void x11_start_xvfb(int argc, char **argv) { if (arg_debug) printf("Starting xvfb...\n"); + // restore original environment variables + env_apply_all(); + // running without privileges - see drop_privs call above + assert(env_get("LD_PRELOAD") == NULL); assert(getenv("LD_PRELOAD") == NULL); execvp(server_argv[0], server_argv); perror("execvp"); @@ -344,7 +347,7 @@ void x11_start_xvfb(int argc, char **argv) { // wait for x11 server to start while (++n < 10) { sleep(1); - if (stat(fname, &s) == 0) + if (access(fname, F_OK) == 0) break; }; @@ -355,7 +358,7 @@ void x11_start_xvfb(int argc, char **argv) { free(fname); assert(display_str); - setenv("DISPLAY", display_str, 1); + env_store_name_val("DISPLAY", display_str, SETENV); // run attach command jail = fork(); if (jail < 0) 
@@ -363,7 +366,11 @@ void x11_start_xvfb(int argc, char **argv) { if (jail == 0) { fmessage("\n*** Attaching to Xvfb display %d ***\n\n", display); + // restore original environment variables + env_apply_all(); + // running without privileges - see drop_privs call above + assert(env_get("LD_PRELOAD") == NULL); assert(getenv("LD_PRELOAD") == NULL); execvp(jail_argv[0], jail_argv); perror("execvp"); @@ -419,7 +426,6 @@ static char *extract_setting(int argc, char **argv, const char *argument) { void x11_start_xephyr(int argc, char **argv) { EUID_ASSERT(); int i; - struct stat s; pid_t jail = 0; pid_t server = 0; @@ -428,7 +434,7 @@ void x11_start_xephyr(int argc, char **argv) { if (newscreen) xephyr_screen = newscreen; - setenv("FIREJAIL_X11", "yes", 1); + env_store_name_val("FIREJAIL_X11", "yes", SETENV); // unfortunately, xephyr does a number of weird things when started by root user!!! if (getuid() == 0) { @@ -556,7 +562,11 @@ void x11_start_xephyr(int argc, char **argv) { if (arg_debug) printf("Starting xephyr...\n"); + // restore original environment variables + env_apply_all(); + // running without privileges - see drop_privs call above + assert(env_get("LD_PRELOAD") == NULL); assert(getenv("LD_PRELOAD") == NULL); execvp(server_argv[0], server_argv); perror("execvp"); @@ -574,7 +584,7 @@ void x11_start_xephyr(int argc, char **argv) { // wait for x11 server to start while (++n < 10) { sleep(1); - if (stat(fname, &s) == 0) + if (access(fname, F_OK) == 0) break; }; @@ -585,7 +595,7 @@ void x11_start_xephyr(int argc, char **argv) { free(fname); assert(display_str); - setenv("DISPLAY", display_str, 1); + env_store_name_val("DISPLAY", display_str, SETENV); // run attach command jail = fork(); if (jail < 0) 
@@ -594,8 +604,12 @@ void x11_start_xephyr(int argc, char **argv) { if (!arg_quiet) printf("\n*** Attaching to Xephyr display %d ***\n\n", display); + // restore original environment variables + env_apply_all(); + // running without privileges - see drop_privs call above assert(getenv("LD_PRELOAD") == NULL); + assert(env_get("LD_PRELOAD") == NULL); execvp(jail_argv[0], jail_argv); perror("execvp"); _exit(1); @@ -682,10 +696,9 @@ static char * get_title_arg_str() { } -void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) { +static void __attribute__((noreturn)) x11_start_xpra_old(int argc, char **argv, int display, char *display_str) { EUID_ASSERT(); int i; - struct stat s; pid_t client = 0; pid_t server = 0; @@ -780,8 +793,12 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) { dup2(fd_null,2); } + // restore original environment variables + env_apply_all(); + // running without privileges - see drop_privs call above assert(getenv("LD_PRELOAD") == NULL); + assert(env_get("LD_PRELOAD") == NULL); execvp(server_argv[0], server_argv); perror("execvp"); _exit(1); @@ -798,7 +815,7 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) { // wait for x11 server to start while (++n < 10) { sleep(1); - if (stat(fname, &s) == 0) + if (access(fname, F_OK) == 0) break; } @@ -827,7 +844,11 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) { fmessage("\n*** Attaching to xpra display %d ***\n\n", display); + // restore original environment variables + env_apply_all(); + // running without privileges - see drop_privs call above + assert(env_get("LD_PRELOAD") == NULL); assert(getenv("LD_PRELOAD") == NULL); execvp(attach_argv[0], attach_argv); perror("execvp"); 
@@ -835,7 +856,7 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) { } assert(display_str); - setenv("DISPLAY", display_str, 1); + env_store_name_val("DISPLAY", display_str, SETENV); // build jail command char *firejail_argv[argc+2]; @@ -857,7 +878,12 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) { errExit("fork"); if (jail == 0) { // running without privileges - see drop_privs call above + assert(env_get("LD_PRELOAD") == NULL); assert(getenv("LD_PRELOAD") == NULL); + + // restore original environment variables + env_apply_all(); + if (firejail_argv[0]) // shut up llvm scan-build execvp(firejail_argv[0], firejail_argv); perror("execvp"); @@ -883,7 +909,12 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) { dup2(fd_null,1); dup2(fd_null,2); } + + // restore original environment variables + env_apply_all(); + // running without privileges - see drop_privs call above + assert(env_get("LD_PRELOAD") == NULL); assert(getenv("LD_PRELOAD") == NULL); execvp(stop_argv[0], stop_argv); perror("execvp"); @@ -921,7 +952,7 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) { } -void x11_start_xpra_new(int argc, char **argv, char *display_str) { +static void __attribute__((noreturn)) x11_start_xpra_new(int argc, char **argv, char *display_str) { EUID_ASSERT(); int i; pid_t server = 0; @@ -1051,7 +1082,11 @@ void x11_start_xpra_new(int argc, char **argv, char *display_str) { dup2(fd_null,2); } + // restore original environment variables + env_apply_all(); + // running without privileges - see drop_privs call above + assert(env_get("LD_PRELOAD") == NULL); assert(getenv("LD_PRELOAD") == NULL); execvp(server_argv[0], server_argv); perror("execvp"); 
@@ -1072,7 +1107,7 @@ void x11_start_xpra_new(int argc, char **argv, char *display_str) { void x11_start_xpra(int argc, char **argv) { EUID_ASSERT(); - setenv("FIREJAIL_X11", "yes", 1); + env_store_name_val("FIREJAIL_X11", "yes", SETENV); // unfortunately, xpra does a number of weird things when started by root user!!! if (getuid() == 0) { @@ -1129,28 +1164,17 @@ void x11_start(int argc, char **argv) { } #endif -// Porting notes: -// -// 1. merge #1100 from zackw: -// Attempting to run xauth -f directly on a file in /run/firejail/mnt/ directory fails on Debian 8 -// with this message: -// xauth: timeout in locking authority file /run/firejail/mnt/sec.Xauthority-Qt5Mu4 -// Failed to create untrusted X cookie: xauth: exit 1 -// For this reason we run xauth on a file in a tmpfs filesystem mounted on /tmp. This was -// a partial merge. -// -// 2. Since we cannot deal with the TOCTOU condition when mounting .Xauthority in user home -// directory, we need to make sure /usr/bin/xauth executable is the real thing, and not -// something picked up on $PATH. -// -// 3. If for any reason xauth command fails, we exit the sandbox. On Debian 8 this happens -// when using a network namespace. Somehow, xauth tries to connect to the abstract socket, -// and it fails because of the network namespace - it should try to connect to the regular -// Unix socket! If we ignore the fail condition, the program will be started on X server without -// the security extension loaded. + void x11_xorg(void) { #ifdef HAVE_X11 + // get DISPLAY env + const char *display = env_get("DISPLAY"); + if (!display) { + fputs("Error: --x11=xorg requires an 'outer' X11 server to use.\n", stderr); + exit(1); + } + // check xauth utility is present in the system struct stat s; if (stat("/usr/bin/xauth", &s) == -1) { 
@@ -1160,110 +1184,60 @@ void x11_xorg(void) { fprintf(stderr, " Fedora: sudo dnf install xorg-x11-xauth\n"); exit(1); } - if (s.st_uid != 0 && s.st_gid != 0) { + if ((s.st_uid != 0 && s.st_gid != 0) || (s.st_mode & S_IWOTH)) { fprintf(stderr, "Error: invalid /usr/bin/xauth executable\n"); exit(1); } - - // get DISPLAY env - char *display = getenv("DISPLAY"); - if (!display) { - fputs("Error: --x11=xorg requires an 'outer' X11 server to use.\n", stderr); + if (s.st_size > 1024 * 1024) { + fprintf(stderr, "Error: /usr/bin/xauth executable is too large\n"); exit(1); } - - // temporarily mount a tempfs on top of /tmp directory - if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=1777,gid=0") < 0) - errExit("mounting /tmp"); - - // create the temporary .Xauthority file + // copy /usr/bin/xauth in the sandbox and set mode to 0711 + // users are not able to trace the running xauth this way if (arg_debug) - printf("Generating a new .Xauthority file\n"); - char tmpfname[] = "/tmp/.tmpXauth-XXXXXX"; + printf("Copying /usr/bin/xauth to %s\n", RUN_XAUTH_FILE); + if (copy_file("/usr/bin/xauth", RUN_XAUTH_FILE, 0, 0, 0711)) { + fprintf(stderr, "Error: cannot copy /usr/bin/xauth executable\n"); + exit(1); + } + + fmessage("Generating a new .Xauthority file\n"); + mkdir_attr(RUN_XAUTHORITY_SEC_DIR, 0700, getuid(), getgid()); + // create new Xauthority file in RUN_XAUTHORITY_SEC_DIR + EUID_USER(); + char tmpfname[] = RUN_XAUTHORITY_SEC_DIR "/.Xauth-XXXXXX"; int fd = mkstemp(tmpfname); if (fd == -1) { fprintf(stderr, "Error: cannot create .Xauthority file\n"); exit(1); } - if (fchown(fd, getuid(), getgid()) == -1) - errExit("chown"); close(fd); - pid_t child = fork(); - if (child < 0) - errExit("fork"); - if (child == 0) { - drop_privs(1); - clearenv(); -#ifdef HAVE_GCOV - __gcov_flush(); -#endif - if (arg_debug) { - execlp("/usr/bin/xauth", "/usr/bin/xauth", "-v", "-f", tmpfname, - "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL); - } - else { - 
execlp("/usr/bin/xauth", "/usr/bin/xauth", "-f", tmpfname, - "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL); - } - - _exit(127); - } - - // wait for the xauth process to finish - int status; - if (waitpid(child, &status, 0) != child) - errExit("waitpid"); - if (WIFEXITED(status) && WEXITSTATUS(status) == 0) { - /* success */ - } - else if (WIFEXITED(status)) { - fprintf(stderr, "Failed to create untrusted X cookie: xauth: exit %d\n", - WEXITSTATUS(status)); - exit(1); - } - else if (WIFSIGNALED(status)) { - fprintf(stderr, "Failed to create untrusted X cookie: xauth: %s\n", - strsignal(WTERMSIG(status))); - exit(1); - } - else { - fprintf(stderr, "Failed to create untrusted X cookie: " - "xauth: un-decodable exit status %04x\n", status); - exit(1); - } - - // move the temporary file in RUN_XAUTHORITY_SEC_FILE in order to have it deleted - // automatically when the sandbox is closed (rename doesn't work) + // run xauth if (arg_debug) - printf("Copying the new .Xauthority file\n"); - copy_file_from_user_to_root(tmpfname, RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600); - - /* coverity[toctou] */ - unlink(tmpfname); - umount("/tmp"); - - // mount RUN_XAUTHORITY_SEC_FILE noexec, nodev, nosuid - fs_remount(RUN_XAUTHORITY_SEC_FILE, MOUNT_NOEXEC, 0); + sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 8, RUN_XAUTH_FILE, "-v", "-f", tmpfname, + "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted"); + else + sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7, RUN_XAUTH_FILE, "-f", tmpfname, + "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted"); - // Ensure there is already a file in the usual location, so that bind-mount below will work. + // ensure there is already a file ~/.Xauthority, so that bind-mount below will work. 
char *dest; if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1) errExit("asprintf"); - if (lstat(dest, &s) == -1) { + if (access(dest, F_OK) == -1) { touch_file_as_user(dest, 0600); - if (stat(dest, &s) == -1) { + if (access(dest, F_OK) == -1) { fprintf(stderr, "Error: cannot create %s\n", dest); exit(1); } } - - // get a file descriptor for .Xauthority - fd = safe_fd(dest, O_PATH|O_NOFOLLOW|O_CLOEXEC); - if (fd == -1) - errExit("safe_fd"); + // get a file descriptor for ~/.Xauthority + int dst = safer_openat(-1, dest, O_PATH|O_NOFOLLOW|O_CLOEXEC); + if (dst == -1) + errExit("safer_openat"); // check if the actual mount destination is a user owned regular file - if (fstat(fd, &s) == -1) + if (fstat(dst, &s) == -1) errExit("fstat"); if (!S_ISREG(s.st_mode) || s.st_uid != getuid()) { if (S_ISLNK(s.st_mode)) 
@@ -1274,44 +1248,68 @@ void x11_xorg(void) { } // preserve a read-only mount struct statvfs vfs; - if (fstatvfs(fd, &vfs) == -1) + if (fstatvfs(dst, &vfs) == -1) errExit("fstatvfs"); if ((vfs.f_flag & MS_RDONLY) == MS_RDONLY) - fs_remount(RUN_XAUTHORITY_SEC_FILE, MOUNT_READONLY, 0); + fs_remount(RUN_XAUTHORITY_SEC_DIR, MOUNT_READONLY, 0); + + // always mounting the new Xauthority file noexec,nodev,nosuid + fs_remount(RUN_XAUTHORITY_SEC_DIR, MOUNT_NOEXEC, 0); + + // get a file descriptor for the new Xauthority file + int src = safer_openat(-1, tmpfname, O_PATH|O_NOFOLLOW|O_CLOEXEC); + if (src == -1) + errExit("safer_openat"); + if (fstat(src, &s) == -1) + errExit("fstat"); + if (!S_ISREG(s.st_mode)) { + errno = EPERM; + errExit("mounting Xauthority file"); + } // mount via the link in /proc/self/fd if (arg_debug) - printf("Mounting %s on %s\n", RUN_XAUTHORITY_SEC_FILE, dest); - char *proc; - if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) - errExit("asprintf"); - if (mount(RUN_XAUTHORITY_SEC_FILE, proc, "none", MS_BIND, "mode=0600") == -1) { + printf("Mounting %s on %s\n", tmpfname, dest); + EUID_ROOT(); + if (bind_mount_by_fd(src, dst)) { fprintf(stderr, "Error: cannot mount the new .Xauthority file\n"); exit(1); } - free(proc); - close(fd); + EUID_USER(); // check /proc/self/mountinfo to confirm the mount is ok MountData *mptr = get_last_mount(); if (strcmp(mptr->dir, dest) != 0 || strcmp(mptr->fstype, "tmpfs") != 0) errLogExit("invalid .Xauthority mount"); + close(src); + close(dst); ASSERT_PERMS(dest, getuid(), getgid(), 0600); - // blacklist .Xauthority file if it is not masked already - char *envar = getenv("XAUTHORITY"); + // blacklist user .Xauthority file if it is not masked already + const char *envar = env_get("XAUTHORITY"); if (envar) { char *rp = realpath(envar, NULL); if (rp) { - if (strcmp(rp, dest) != 0) + if (strcmp(rp, dest) != 0) { + EUID_ROOT(); disable_file_or_dir(rp); + EUID_USER(); + } free(rp); } } // set environment variable - if 
(setenv("XAUTHORITY", dest, 1) < 0) - errExit("setenv"); + env_store_name_val("XAUTHORITY", dest, SETENV); free(dest); + + // mask RUN_XAUTHORITY_SEC_DIR + EUID_ROOT(); + if (mount("tmpfs", RUN_XAUTHORITY_SEC_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) + errExit("mounting tmpfs"); + fs_logger2("tmpfs", RUN_XAUTHORITY_SEC_DIR); + + // cleanup + unlink(RUN_XAUTH_FILE); #endif } @@ -1325,7 +1323,7 @@ void fs_x11(void) { struct stat s1, s2; if (stat("/tmp", &s1) != 0 || lstat("/tmp/.X11-unix", &s2) != 0) return; - if ((s1.st_mode & S_ISVTX) == 0) { + if ((s1.st_mode & S_ISVTX) != S_ISVTX) { fwarning("cannot mask X11 sockets: sticky bit not set on /tmp directory\n"); return; } 
@@ -1333,68 +1331,46 @@ void fs_x11(void) { fwarning("cannot mask X11 sockets: /tmp/.X11-unix not owned by root user\n"); return; } + + // the mount source is under control of the user, so be careful and + // mount without following symbolic links, using a file descriptor char *x11file; if (asprintf(&x11file, "/tmp/.X11-unix/X%d", display) == -1) errExit("asprintf"); - struct stat x11stat; - if (lstat(x11file, &x11stat) != 0 || !S_ISSOCK(x11stat.st_mode)) { + int src = open(x11file, O_PATH|O_NOFOLLOW|O_CLOEXEC); + if (src < 0) { + free(x11file); + return; + } + struct stat s3; + if (fstat(src, &s3) < 0) + errExit("fstat"); + if (!S_ISSOCK(s3.st_mode)) { + close(src); free(x11file); return; } if (arg_debug || arg_debug_whitelists) fprintf(stderr, "Masking all X11 sockets except %s\n", x11file); - - // Move the real /tmp/.X11-unix to a scratch location - // so we can still access x11file after we mount a - // tmpfs over /tmp/.X11-unix. - if (mkdir(RUN_WHITELIST_X11_DIR, 0700) == -1) - errExit("mkdir"); - if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, 0, MS_BIND|MS_REC, 0) < 0) - errExit("mount bind"); - // This directory must be mode 1777 if (mount("tmpfs", "/tmp/.X11-unix", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME, "mode=1777,uid=0,gid=0") < 0) errExit("mounting tmpfs on /tmp/.X11-unix"); + selinux_relabel_path("/tmp/.X11-unix", "/tmp/.X11-unix"); fs_logger("tmpfs /tmp/.X11-unix"); // create an empty root-owned file which will have the desired socket bind-mounted over it - int fd = open(x11file, O_RDONLY|O_CREAT|O_EXCL, S_IRUSR | S_IWUSR); - if (fd < 0) - errExit(x11file); - close(fd); + int dst = open(x11file, O_RDONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR); + if (dst < 0) + errExit("open"); - // the mount source is under control of the user, so be careful and - // mount without following symbolic links, using a file descriptor - char *wx11file; - if (asprintf(&wx11file, "%s/X%d", RUN_WHITELIST_X11_DIR, display) == -1) - 
errExit("asprintf"); - fd = safe_fd(wx11file, O_PATH|O_NOFOLLOW|O_CLOEXEC); - if (fd == -1) - errExit("opening X11 socket"); - // confirm once more we are mounting a socket - if (fstat(fd, &x11stat) == -1) - errExit("fstat"); - if (!S_ISSOCK(x11stat.st_mode)) { - errno = ENOTSOCK; - errExit("mounting X11 socket"); - } - char *proc; - if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) - errExit("asprintf"); - if (mount(proc, x11file, NULL, MS_BIND|MS_REC, NULL) < 0) + if (bind_mount_by_fd(src, dst)) errExit("mount bind"); + close(src); + close(dst); fs_logger2("whitelist", x11file); - close(fd); - free(proc); - - // block access to RUN_WHITELIST_X11_DIR - if (mount(RUN_RO_DIR, RUN_WHITELIST_X11_DIR, 0, MS_BIND, 0) < 0) - errExit("mount"); - fs_logger2("blacklist", RUN_WHITELIST_X11_DIR); - free(wx11file); free(x11file); #endif } @@ -1403,7 +1379,7 @@ void fs_x11(void) { void x11_block(void) { #ifdef HAVE_X11 // check abstract socket presence and network namespace options - if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured) + if ((!arg_nonetwork && !arg_netns && !cfg.bridge0.configured && !cfg.interface0.configured) && x11_abstract_sockets_present()) { fprintf(stderr, "ERROR: --x11=none specified, but abstract X11 socket still accessible.\n" "Additional setup required. To block abstract X11 socket you can either:\n" @@ -1426,7 +1402,7 @@ void x11_block(void) { errExit("strdup"); profile_check_line(cmd, 0, NULL); profile_add(cmd); - char *xauthority = getenv("XAUTHORITY"); + const char *xauthority = env_get("XAUTHORITY"); if (xauthority) { char *line; if (asprintf(&line, "blacklist %s", xauthority) == -1) diff --git a/src/firemon/Makefile.in b/src/firemon/Makefile.in index f2513213c6a..a1b6692aa4b 100644 --- a/src/firemon/Makefile.in +++ b/src/firemon/Makefile.in 
@@ -1,14 +1,17 @@ +.PHONY: all all: firemon include ../common.mk -%.o : %.c $(H_FILE_LIST) +%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/pid.h $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ firemon: $(OBJS) ../lib/common.o ../lib/pid.o $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/pid.o $(LIBS) $(EXTRA_LDFLAGS) +.PHONY: clean clean:; rm -fr *.o firemon *.gcov *.gcda *.gcno *.plist +.PHONY: distclean distclean: clean rm -fr Makefile diff --git a/src/firemon/apparmor.c b/src/firemon/apparmor.c index 028dbc212d7..eb810a9e7b3 100644 --- a/src/firemon/apparmor.c +++ b/src/firemon/apparmor.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -44,7 +44,7 @@ void apparmor(pid_t pid, int print_procs) { for (i = 0; i < max_pids; i++) { if (pids[i].level == 1) { if (print_procs || pid == 0) - pid_print_list(i, arg_nowrap); + pid_print_list(i, arg_wrap); int child = find_child(i); if (child != -1) print_apparmor(child); diff --git a/src/firemon/arp.c b/src/firemon/arp.c index a43593ced9a..1a69a67b100 100644 --- a/src/firemon/arp.c +++ b/src/firemon/arp.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -80,7 +80,7 @@ void arp(pid_t pid, int print_procs) { for (i = 0; i < max_pids; i++) { if (pids[i].level == 1) { if (print_procs || pid == 0) - pid_print_list(i, arg_nowrap); + pid_print_list(i, arg_wrap); int child = find_child(i); if (child != -1) { char *fname; diff --git a/src/firemon/caps.c b/src/firemon/caps.c index 951bd21a549..c0f305a5d10 100644 --- a/src/firemon/caps.c +++ b/src/firemon/caps.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * 
@@ -53,7 +53,7 @@ void caps(pid_t pid, int print_procs) { for (i = 0; i < max_pids; i++) { if (pids[i].level == 1) { if (print_procs || pid == 0) - pid_print_list(i, arg_nowrap); + pid_print_list(i, arg_wrap); int child = find_child(i); if (child != -1) print_caps(child); diff --git a/src/firemon/cgroup.c b/src/firemon/cgroup.c index 251db007736..97ba591a6c8 100644 --- a/src/firemon/cgroup.c +++ b/src/firemon/cgroup.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -53,7 +53,7 @@ void cgroup(pid_t pid, int print_procs) { for (i = 0; i < max_pids; i++) { if (pids[i].level == 1) { if (print_procs || pid == 0) - pid_print_list(i, arg_nowrap); + pid_print_list(i, arg_wrap); int child = find_child(i); if (child != -1) print_cgroup(child); diff --git a/src/firemon/cpu.c b/src/firemon/cpu.c index 6170ef8c1c0..91b455941eb 100644 --- a/src/firemon/cpu.c +++ b/src/firemon/cpu.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -54,7 +54,7 @@ void cpu(pid_t pid, int print_procs) { for (i = 0; i < max_pids; i++) { if (pids[i].level == 1) { if (print_procs || pid == 0) - pid_print_list(i, arg_nowrap); + pid_print_list(i, arg_wrap); int child = find_child(i); if (child != -1) print_cpu(child); diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c index 39c05d63e37..6c34cd41135 100644 --- a/src/firemon/firemon.c +++ b/src/firemon/firemon.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -40,7 +40,7 @@ static int arg_top = 0; static int arg_list = 0; static int arg_netstats = 0; static int arg_apparmor = 0; -int arg_nowrap = 0; +int arg_wrap = 0; static struct termios tlocal; // startup terminal setting static struct termios twait; // no wait on key press 
@@ -52,7 +52,7 @@ static void my_handler(int s){ if (terminal_set) tcsetattr(0, TCSANOW, &tlocal); - exit(0); + _exit(0); } // find the second child process for the specified pid @@ -70,6 +70,13 @@ int find_child(int id) { // find the first child for (i = 0; i < max_pids; i++) { if (pids[i].level == 2 && pids[i].parent == id) { + // skip /usr/bin/xdg-dbus-proxy (started by firejail for dbus filtering) + char *cmdline = pid_proc_cmdline(i); + if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) == 0) { + free(cmdline); + continue; + } + free(cmdline); first_child = i; break; } @@ -78,7 +85,7 @@ int find_child(int id) { if (first_child == -1) return -1; - // find the second child + // find the second-level child for (i = 0; i < max_pids; i++) { if (pids[i].level == 3 && pids[i].parent == first_child) return i; @@ -152,6 +159,7 @@ int main(int argc, char **argv) { arg_list = 1; else if (strcmp(argv[i], "--tree") == 0) arg_tree = 1; +#ifdef HAVE_NETWORK else if (strcmp(argv[i], "--netstats") == 0) { struct stat s; if (getuid() != 0 && stat("/proc/sys/kernel/grsecurity", &s) == 0) { @@ -160,7 +168,7 @@ int main(int argc, char **argv) { } arg_netstats = 1; } - +#endif // cumulative options with or without a pid argument else if (strcmp(argv[i], "--x11") == 0) @@ -180,10 +188,12 @@ int main(int argc, char **argv) { } arg_interface = 1; } +#ifdef HAVE_NETWORK else if (strcmp(argv[i], "--route") == 0) arg_route = 1; else if (strcmp(argv[i], "--arp") == 0) arg_arp = 1; +#endif else if (strcmp(argv[i], "--apparmor") == 0) arg_apparmor = 1; @@ -196,8 +206,8 @@ int main(int argc, char **argv) { } // etc - else if (strcmp(argv[i], "--nowrap") == 0) - arg_nowrap = 1; + else if (strcmp(argv[i], "--wrap") == 0) + arg_wrap = 1; // invalid option else if (*argv[i] == '-') { diff --git a/src/firemon/firemon.h b/src/firemon/firemon.h index 7a55a64fbec..5252ad34ff1 100644 --- a/src/firemon/firemon.h +++ b/src/firemon/firemon.h 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -40,19 +40,19 @@ static inline void firemon_clrscr(void) { // firemon.c extern pid_t skip_process; -extern int arg_nowrap; +extern int arg_wrap; int find_child(int id); void firemon_sleep(int st); // procevent.c -void procevent(pid_t pid); +void procevent(pid_t pid) __attribute__((noreturn)); // usage.c void usage(void); // top.c -void top(void); +void top(void) __attribute__((noreturn)); // list.c void list(void); @@ -82,7 +82,7 @@ void cgroup(pid_t pid, int print_procs); void tree(pid_t pid); // netstats.c -void netstats(void); +void netstats(void) __attribute__((noreturn)); // x11.c void x11(pid_t pid, int print_procs); diff --git a/src/firemon/interface.c b/src/firemon/interface.c index 325ffd80e64..780e3d706d3 100644 --- a/src/firemon/interface.c +++ b/src/firemon/interface.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -18,6 +18,7 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include "firemon.h" +#include "../include/gcov_wrapper.h" #include #include #include @@ -145,9 +146,9 @@ static void print_sandbox(pid_t pid) { if (rv) return; net_ifprint(); -#ifdef HAVE_GCOV + __gcov_flush(); -#endif + _exit(0); } @@ -163,7 +164,7 @@ void interface(pid_t pid, int print_procs) { for (i = 0; i < max_pids; i++) { if (pids[i].level == 1) { if (print_procs || pid == 0) - pid_print_list(i, arg_nowrap); + pid_print_list(i, arg_wrap); int child = find_child(i); if (child != -1) { print_sandbox(child); diff --git a/src/firemon/list.c b/src/firemon/list.c index 8a07f9eb265..51099a75cc2 100644 --- a/src/firemon/list.c +++ b/src/firemon/list.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * 
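Review bot: Marking `procevent()`, `top()` and `netstats()` as `__attribute__((noreturn))` in firemon.h is only valid if their bodies can never fall off the end; the top.c and netstats.c hunks below show the functions ending with `__gcov_flush(); } }` inside a loop whose condition is not visible, so please confirm those loops are unconditional (`while (1)`) and that every exit path calls `exit()`; falling out of a noreturn function is undefined behaviour and gcc will only warn about it in some configurations.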
@@ -28,6 +28,6 @@ void list(void) { if (i == skip_process) continue; if (pids[i].level == 1) - pid_print_list(i, arg_nowrap); + pid_print_list(i, arg_wrap); } } diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c index c746cc127ac..9d8e5d7f566 100644 --- a/src/firemon/netstats.c +++ b/src/firemon/netstats.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -18,6 +18,7 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include "firemon.h" +#include "../include/gcov_wrapper.h" #include #include #include @@ -242,8 +243,7 @@ void netstats(void) { print_proc(i, itv, col); } } -#ifdef HAVE_GCOV - __gcov_flush(); -#endif + + __gcov_flush(); } } diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c index 7dd08444e64..716a9cba46d 100644 --- a/src/firemon/procevent.c +++ b/src/firemon/procevent.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -18,6 +18,7 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include "firemon.h" +#include "../include/gcov_wrapper.h" #include #include #include @@ -100,7 +101,7 @@ static int pid_is_firejail(pid_t pid) { // debug "debug-caps", "debug-errnos", "debug-protocols", "debug-syscalls", "debug-syscalls32", // file transfer - "ls", "get", "put", + "ls", "get", "put", "cat", // stats "tree", "list", "top", // network @@ -220,7 +221,7 @@ static int procevent_netlink_setup(void) { } -static int procevent_monitor(const int sock, pid_t mypid) { +static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t mypid) { ssize_t len; struct nlmsghdr *nlmsghdr; 
@@ -230,9 +231,7 @@ static int procevent_monitor(const int sock, pid_t mypid) { tv.tv_usec = 0; while (1) { -#ifdef HAVE_GCOV __gcov_flush(); -#endif #define BUFFSIZE 4096 char __attribute__ ((aligned(NLMSG_ALIGNTO)))buf[BUFFSIZE]; @@ -246,8 +245,7 @@ static int procevent_monitor(const int sock, pid_t mypid) { int rv = select(max, &readfds, NULL, NULL, &tv); if (rv == -1) { - fprintf(stderr, "recv: %s\n", strerror(errno)); - return -1; + errExit("recv"); } // timeout @@ -259,7 +257,7 @@ static int procevent_monitor(const int sock, pid_t mypid) { if ((len = recv(sock, buf, sizeof(buf), 0)) == 0) - return 0; + exit(0); if (len == -1) { if (errno == EINTR) continue; @@ -271,7 +269,7 @@ static int procevent_monitor(const int sock, pid_t mypid) { } else { fprintf(stderr,"Error: rx socket recv call, errno %d, %s\n", errno, strerror(errno)); - return -1; + exit(1); } } @@ -497,7 +495,7 @@ static int procevent_monitor(const int sock, pid_t mypid) { exit(0); } } - return 0; + __builtin_unreachable(); } void procevent(pid_t pid) { @@ -515,6 +513,4 @@ void procevent(pid_t pid) { } procevent_monitor(sock, pid); // it will never return from here - assert(0); - close(sock); // quiet static analyzers } diff --git a/src/firemon/route.c b/src/firemon/route.c index 9fd46505f23..9cf5054b299 100644 --- a/src/firemon/route.c +++ b/src/firemon/route.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -189,7 +189,7 @@ void route(pid_t pid, int print_procs) { for (i = 0; i < max_pids; i++) { if (pids[i].level == 1) { if (print_procs || pid == 0) - pid_print_list(i, arg_nowrap); + pid_print_list(i, arg_wrap); int child = find_child(i); if (child != -1) { char *fname; diff --git a/src/firemon/seccomp.c b/src/firemon/seccomp.c index 7bc700ee6b7..04111b6c022 100644 --- a/src/firemon/seccomp.c +++ b/src/firemon/seccomp.c 
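Review bot: In the `procevent_monitor()` hunk, the failure branch after `select()` now calls `errExit("recv")`, which prints a misleading "Error recv: ..." message for a select(2) failure (the old code had the same wording, but since the line is being touched it should read `errExit("select")`); also `errExit` appends `perror()` output, which is correct here because `errno` is still set by the failed `select()`.

Review bot: Converting the `return 0` / `return -1` paths to `exit(0)` / `exit(1)` makes the static `procevent_monitor()` genuinely noreturn and lets the `assert(0); close(sock);` tail in `procevent()` go, which is consistent; the trailing `__builtin_unreachable()` is fine as long as nothing inside the `while (1)` body uses `break`, so a short comment stating that invariant next to the loop would help future edits.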
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -52,7 +52,7 @@ void seccomp(pid_t pid, int print_procs) { for (i = 0; i < max_pids; i++) { if (pids[i].level == 1) { if (print_procs || pid == 0) - pid_print_list(i, arg_nowrap); + pid_print_list(i, arg_wrap); int child = find_child(i); if (child != -1) print_seccomp(child); diff --git a/src/firemon/top.c b/src/firemon/top.c index ba707ef196d..2217cc7de54 100644 --- a/src/firemon/top.c +++ b/src/firemon/top.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -18,6 +18,7 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include "firemon.h" +#include "../include/gcov_wrapper.h" #include #include #include @@ -326,8 +327,7 @@ void top(void) { } } head_print(col, row); -#ifdef HAVE_GCOV - __gcov_flush(); -#endif + + __gcov_flush(); } } diff --git a/src/firemon/tree.c b/src/firemon/tree.c index f3610eaec91..899214b9f3b 100644 --- a/src/firemon/tree.c +++ b/src/firemon/tree.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -28,7 +28,7 @@ void tree(pid_t pid) { if (i == skip_process) continue; if (pids[i].level == 1) - pid_print_tree(i, 0, arg_nowrap); + pid_print_tree(i, 0, arg_wrap); } printf("\n"); } diff --git a/src/firemon/usage.c b/src/firemon/usage.c index 0c3da00f8bb..baaef3111ca 100644 --- a/src/firemon/usage.c +++ b/src/firemon/usage.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff --git a/src/firemon/x11.c b/src/firemon/x11.c index a41f4825fa9..97e24b2d24f 100644 --- a/src/firemon/x11.c +++ b/src/firemon/x11.c 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -30,7 +30,7 @@ void x11(pid_t pid, int print_procs) { for (i = 0; i < max_pids; i++) { if (pids[i].level == 1) { if (print_procs || pid == 0) - pid_print_list(i, arg_nowrap); + pid_print_list(i, arg_wrap); char *x11file; // todo: use macro from src/firejail/firejail.h for /run/firejail/x11 directory diff --git a/src/fldd/Makefile.in b/src/fldd/Makefile.in index 53382c2df91..ba87d16cd33 100644 --- a/src/fldd/Makefile.in +++ b/src/fldd/Makefile.in @@ -1,3 +1,4 @@ +.PHONY: all all: fldd include ../common.mk @@ -5,10 +6,12 @@ include ../common.mk %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h ../include/ldd_utils.h $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ -fldd: $(OBJS) ../lib/ldd_utils.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS) +fldd: $(OBJS) ../lib/common.o ../lib/ldd_utils.o + $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS) +.PHONY: clean clean:; rm -fr *.o fldd *.gcov *.gcda *.gcno *.plist +.PHONY: distclean distclean: clean rm -fr Makefile diff --git a/src/fldd/main.c b/src/fldd/main.c index dd22e601ed6..b71145793a9 100644 --- a/src/fldd/main.c +++ b/src/fldd/main.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * 
@@ -261,12 +261,21 @@ static void walk_directory(const char *dirname) { // check directory // entry->d_type field is supported in glibc since version 2.19 (Feb 2014) - // we'll use stat to check for directories + // we'll use stat to check for directories using the real path + // (sometimes the path is a double symlink to a real file and stat would fail) + char *rpath = realpath(path, NULL); + if (!rpath) { + free(path); + continue; + } + free(path); + struct stat s; - if (stat(path, &s) == -1) + if (stat(rpath, &s) == -1) errExit("stat"); if (S_ISDIR(s.st_mode)) - walk_directory(path); + walk_directory(rpath); + free(rpath); } closedir(dir); } @@ -302,6 +311,8 @@ printf("\n"); return 0; } + warn_dumpable(); + // check program access if (access(argv[1], R_OK)) { fprintf(stderr, "Error fldd: cannot access %s\n", argv[1]); diff --git a/src/fnet/Makefile.in b/src/fnet/Makefile.in index 37566db72be..7447c6d3fce 100644 --- a/src/fnet/Makefile.in +++ b/src/fnet/Makefile.in @@ -1,3 +1,4 @@ +.PHONY: all all: fnet include ../common.mk @@ -5,10 +6,12 @@ include ../common.mk %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/libnetlink.h $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ -fnet: $(OBJS) ../lib/libnetlink.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS) +fnet: $(OBJS) ../lib/common.o ../lib/libnetlink.o + $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS) +.PHONY: clean clean:; rm -fr *.o fnet *.gcov *.gcda *.gcno *.plist +.PHONY: distclean distclean: clean rm -fr Makefile diff --git a/src/fnet/arp.c b/src/fnet/arp.c index 122d0007c61..59798d32d48 100644 --- a/src/fnet/arp.c +++ b/src/fnet/arp.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * 
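Review bot: The comment in the `walk_directory()` hunk justifies `realpath()` with "a double symlink to a real file and stat would fail", but stat(2) already resolves symlink chains; the only case where it fails is a dangling link, which `realpath()` also rejects with NULL. Given that, the new code skips dangling entries silently (good) yet still aborts the whole fldd run with `errExit("stat")` if the resolved path disappears between `realpath()` and `stat()`; treating that race the same way (`free(rpath); continue;`) would be more robust, and the comment should state the actual reason for the change. Also double-check that `rpath` is freed on the non-directory path as well: with the indentation lost in this rendering, `free(rpath)` must sit at loop-body level after the `if (S_ISDIR(...))`, not inside it.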
@@ -149,10 +149,8 @@ void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) { memcpy (frame + 14, &hdr, sizeof(hdr)); // send packet - int len; - if ((len = sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr))) <= 0) + if (sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr)) <= 0) errExit("send"); -//printf("send %d bytes to %d.%d.%d.%d\n", len, PRINT_IP(dest)); fflush(0); dest++; } diff --git a/src/fnet/fnet.h b/src/fnet/fnet.h index b9cf96c6440..c0154b53ea0 100644 --- a/src/fnet/fnet.h +++ b/src/fnet/fnet.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff --git a/src/fnet/interface.c b/src/fnet/interface.c index 62df0930e12..91d91360d11 100644 --- a/src/fnet/interface.c +++ b/src/fnet/interface.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff --git a/src/fnet/main.c b/src/fnet/main.c index 95e12164e85..df8f7226cbc 100644 --- a/src/fnet/main.c +++ b/src/fnet/main.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -64,16 +64,18 @@ printf("\n"); usage(); return 1; } + if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) { + usage(); + return 0; + } + + warn_dumpable(); char *quiet = getenv("FIREJAIL_QUIET"); if (quiet && strcmp(quiet, "yes") == 0) arg_quiet = 1; - if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) { - usage(); - return 0; - } - else if (argc == 3 && strcmp(argv[1], "ifup") == 0) { + if (argc == 3 && strcmp(argv[1], "ifup") == 0) { net_if_up(argv[2]); } else if (argc == 2 && strcmp(argv[1], "printif") == 0) { 
diff --git a/src/fnet/veth.c b/src/fnet/veth.c index 777e4e07e08..e09b1b1c5cf 100644 --- a/src/fnet/veth.c +++ b/src/fnet/veth.c @@ -26,7 +26,7 @@ * */ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff --git a/src/fnetfilter/Makefile.in b/src/fnetfilter/Makefile.in index 05516719292..8252624820e 100644 --- a/src/fnetfilter/Makefile.in +++ b/src/fnetfilter/Makefile.in @@ -1,3 +1,4 @@ +.PHONY: all all: fnetfilter include ../common.mk @@ -5,10 +6,12 @@ include ../common.mk %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ -fnetfilter: $(OBJS) - $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) +fnetfilter: $(OBJS) ../lib/common.o + $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) +.PHONY: clean clean:; rm -fr *.o fnetfilter *.gcov *.gcda *.gcno *.plist +.PHONY: distclean distclean: clean rm -fr Makefile diff --git a/src/fnetfilter/main.c b/src/fnetfilter/main.c index 8124beb1ab3..979f082d075 100644 --- a/src/fnetfilter/main.c +++ b/src/fnetfilter/main.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -181,6 +181,8 @@ printf("\n"); return 1; } + warn_dumpable(); + char *destfile = (argc == 3)? argv[2]: argv[1]; char *command = (argc == 3)? argv[1]: NULL; //printf("command %s\n", command); diff --git a/src/fsec-optimize/Makefile.in b/src/fsec-optimize/Makefile.in index 0387f7ec78e..a2187e89c79 100644 --- a/src/fsec-optimize/Makefile.in +++ b/src/fsec-optimize/Makefile.in @@ -1,3 +1,4 @@ +.PHONY: all all: fsec-optimize include ../common.mk 
@@ -5,10 +6,12 @@ include ../common.mk %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ -fsec-optimize: $(OBJS) ../lib/libnetlink.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) +fsec-optimize: $(OBJS) ../lib/common.o ../lib/libnetlink.o + $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o $(LIBS) $(EXTRA_LDFLAGS) +.PHONY: clean clean:; rm -fr *.o fsec-optimize *.gcov *.gcda *.gcno *.plist +.PHONY: distclean distclean: clean rm -fr Makefile diff --git a/src/fsec-optimize/fsec_optimize.h b/src/fsec-optimize/fsec_optimize.h index 21111164131..fc9dd7db862 100644 --- a/src/fsec-optimize/fsec_optimize.h +++ b/src/fsec-optimize/fsec_optimize.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff --git a/src/fsec-optimize/main.c b/src/fsec-optimize/main.c index 416d85b887b..84bf2d4f951 100644 --- a/src/fsec-optimize/main.c +++ b/src/fsec-optimize/main.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -18,6 +18,9 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include "fsec_optimize.h" +#include "../include/syscall.h" + +int arg_seccomp_error_action = SECCOMP_RET_ERRNO | EPERM; // error action: errno, log or kill static void usage(void) { printf("Usage:\n"); 
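Review bot: The fsec-optimize Makefile hunk lists `../lib/libnetlink.o` as a prerequisite of `fsec-optimize` but the link line now uses `../lib/common.o ../lib/errno.o` instead, so `errno.o` (needed for the new `errno_find_name()` call in main.c) is linked without being a declared dependency while `libnetlink.o` is required but never linked; make the prerequisite list match the link line: `fsec-optimize: $(OBJS) ../lib/common.o ../lib/errno.o`.

Review bot: main.c defines the new global `int arg_seccomp_error_action` that optimizer.c now reads, but the fsec_optimize.h hunk only changes the copyright year; make sure an `extern int arg_seccomp_error_action;` declaration is visible to optimizer.c (if it comes from `../include/seccomp.h`, the `#include` order in fsec_optimize.h must provide it), otherwise the build fails with an undeclared identifier.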
@@ -44,6 +47,22 @@ printf("\n"); return 0; } + warn_dumpable(); + + char *error_action = getenv("FIREJAIL_SECCOMP_ERROR_ACTION"); + if (error_action) { + if (strcmp(error_action, "kill") == 0) + arg_seccomp_error_action = SECCOMP_RET_KILL; + else if (strcmp(error_action, "log") == 0) + arg_seccomp_error_action = SECCOMP_RET_LOG; + else { + arg_seccomp_error_action = errno_find_name(error_action); + if (arg_seccomp_error_action == -1) + errExit("seccomp-error-action: unknown errno"); + arg_seccomp_error_action |= SECCOMP_RET_ERRNO; + } + } + char *fname = argv[1]; // open input file diff --git a/src/fsec-optimize/optimizer.c b/src/fsec-optimize/optimizer.c index 776beaa75c8..4c02de59d48 100644 --- a/src/fsec-optimize/optimizer.c +++ b/src/fsec-optimize/optimizer.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -33,7 +33,7 @@ static inline int is_blacklist(struct sock_filter *bpf) { if (bpf->code == BPF_JMP + BPF_JEQ + BPF_K && (bpf + 1)->code == BPF_RET + BPF_K && - (bpf + 1)->k == SECCOMP_RET_KILL ) + (bpf + 1)->k == (__u32)arg_seccomp_error_action) return 1; return 0; } @@ -89,9 +89,9 @@ static int optimize_blacklists(struct sock_filter *filter, int entries) { } } - // step 3: add the new ret KILL, and recalculate entries + // step 3: add the new ret KILL/LOG/ERRNO, and recalculate entries filter_step2[j].code = BPF_RET + BPF_K; - filter_step2[j].k = SECCOMP_RET_KILL; + filter_step2[j].k = arg_seccomp_error_action; entries = j + 1; // step 4: recalculate jumps diff --git a/src/fsec-print/Makefile.in b/src/fsec-print/Makefile.in index a30ff4ba38e..824fb5daf50 100644 --- a/src/fsec-print/Makefile.in +++ b/src/fsec-print/Makefile.in @@ -1,3 +1,4 @@ +.PHONY: all all: fsec-print include ../common.mk 
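Review bot: The `FIREJAIL_SECCOMP_ERROR_ACTION` parsing block added to fsec-optimize main.c is a verbatim copy of the one in fseccomp/main.c (later in this patch, including the new `log` branch); move it into a shared helper in ../lib (e.g. next to `errno_find_name()`) so the two binaries cannot drift apart, and note that `errExit("seccomp-error-action: unknown errno")` appends `perror()` output for an unrelated `errno` value, so a plain `fprintf(stderr, ...); exit(1);` would give a cleaner message. Also confirm `SECCOMP_RET_LOG` is defined by `../include/seccomp.h` for builds against kernel headers older than 4.14, where `linux/seccomp.h` does not provide it.

Review bot: In the optimizer.c hunk, `is_blacklist()` now only recognises `ret` instructions whose value equals the configured `arg_seccomp_error_action`, so a filter produced with a different action (for example an older file generated with `SECCOMP_RET_KILL`) is no longer optimised; that is acceptable but worth a comment, since the cast `(__u32)arg_seccomp_error_action` also hides the `-1` sentinel that `errno_find_name()` can return if the env check above is ever bypassed.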
@@ -5,10 +6,12 @@ include ../common.mk %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ -fsec-print: $(OBJS) ../lib/libnetlink.o ../lib/errno.o ../lib/syscall.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS) +fsec-print: $(OBJS) ../lib/common.o ../lib/libnetlink.o ../lib/errno.o ../lib/syscall.o + $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS) +.PHONY: clean clean:; rm -fr *.o fsec-print *.gcov *.gcda *.gcno *.plist +.PHONY: distclean distclean: clean rm -fr Makefile diff --git a/src/fsec-print/fsec_print.h b/src/fsec-print/fsec_print.h index 33719928823..75a82c11a47 100644 --- a/src/fsec-print/fsec_print.h +++ b/src/fsec-print/fsec_print.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff --git a/src/fsec-print/main.c b/src/fsec-print/main.c index ade45c88115..5bca93d5012 100644 --- a/src/fsec-print/main.c +++ b/src/fsec-print/main.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -61,6 +61,8 @@ printf("\n"); return 0; } + warn_dumpable(); + char *fname = argv[1]; // open input file diff --git a/src/fsec-print/print.c b/src/fsec-print/print.c index a6aae5ecb8f..143a7a53e69 100644 --- a/src/fsec-print/print.c +++ b/src/fsec-print/print.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -19,7 +19,7 @@ * * * - * Parts of this code was lifted from libseccomp project, license LGPV 2.1. + * Parts of this code was lifted from libseccomp project, license LGPL 2.1. * This is the original copyright notice in libseccomp code: * * 
diff --git a/src/fseccomp/Makefile.in b/src/fseccomp/Makefile.in index 8623db6f898..41abfce17f2 100644 --- a/src/fseccomp/Makefile.in +++ b/src/fseccomp/Makefile.in @@ -1,3 +1,4 @@ +.PHONY: all all: fseccomp include ../common.mk @@ -5,10 +6,12 @@ include ../common.mk %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ -fseccomp: $(OBJS) ../lib/errno.o ../lib/syscall.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS) +fseccomp: $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o + $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS) +.PHONY: clean clean:; rm -fr *.o fseccomp *.gcov *.gcda *.gcno *.plist +.PHONY: distclean distclean: clean rm -fr Makefile diff --git a/src/fseccomp/fseccomp.h b/src/fseccomp/fseccomp.h index e8dd083b62b..97eac9ed805 100644 --- a/src/fseccomp/fseccomp.h +++ b/src/fseccomp/fseccomp.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c index 892a88e2578..326c29a44ae 100644 --- a/src/fseccomp/main.c +++ b/src/fseccomp/main.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -20,7 +20,7 @@ #include "fseccomp.h" #include "../include/seccomp.h" int arg_quiet = 0; -int arg_seccomp_error_action = EPERM; // error action: errno or kill +int arg_seccomp_error_action = SECCOMP_RET_ERRNO | EPERM; // error action: errno, log or kill static void usage(void) { printf("Usage:\n"); 
@@ -64,6 +64,12 @@ printf("\n"); usage(); return 1; } + if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) { + usage(); + return 0; + } + + warn_dumpable(); char *quiet = getenv("FIREJAIL_QUIET"); if (quiet && strcmp(quiet, "yes") == 0) @@ -73,6 +79,8 @@ printf("\n"); if (error_action) { if (strcmp(error_action, "kill") == 0) arg_seccomp_error_action = SECCOMP_RET_KILL; + else if (strcmp(error_action, "log") == 0) + arg_seccomp_error_action = SECCOMP_RET_LOG; else { arg_seccomp_error_action = errno_find_name(error_action); if (arg_seccomp_error_action == -1) @@ -81,11 +89,7 @@ printf("\n"); } } - if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) { - usage(); - return 0; - } - else if (argc == 2 && strcmp(argv[1], "debug-syscalls") == 0) + if (argc == 2 && strcmp(argv[1], "debug-syscalls") == 0) syscall_print(); else if (argc == 2 && strcmp(argv[1], "debug-syscalls32") == 0) syscall_print_32(); diff --git a/src/fseccomp/protocol.c b/src/fseccomp/protocol.c index b8b30f48885..48dda61dd10 100644 --- a/src/fseccomp/protocol.c +++ b/src/fseccomp/protocol.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -57,6 +57,7 @@ static char *protocol[] = { "inet6", "netlink", "packet", + "bluetooth", NULL }; @@ -66,7 +67,8 @@ static struct sock_filter protocol_filter_command[] = { WHITELIST(AF_INET), WHITELIST(AF_INET6), WHITELIST(AF_NETLINK), - WHITELIST(AF_PACKET) + WHITELIST(AF_PACKET), + WHITELIST(AF_BLUETOOTH) }; #endif // Note: protocol[] and protocol_filter_command are synchronized 
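Review bot: Adding `"bluetooth"` to `protocol[]` together with `WHITELIST(AF_BLUETOOTH)` keeps the two arrays synchronised as the comment requires; any other copy of the protocol name list (the `--protocol` description in the firejail man page, profile documentation, and any validation of the option string in src/firejail) needs the new name as well, none of which is visible in this patch.

Review bot: In the fseccomp main.c hunk, moving the `-h`/`--help` check ahead of `warn_dumpable()` and the `FIREJAIL_QUIET` lookup changes the `else if` chain into a fresh `if`; that is correct because the help branch returns, but the same reordering in fnet/main.c earlier in this patch was done identically, so consider factoring the shared "help then warn_dumpable" prologue into ../lib/common.o to keep the helper binaries consistent.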
@@ -143,22 +145,6 @@ void protocol_build_filter(const char *prlist, const char *fname) { memcpy(ptr, &filter_start[0], sizeof(filter_start)); ptr += sizeof(filter_start); -#if 0 -printf("entries %u\n", (unsigned) (sizeof(filter_start) / sizeof(struct sock_filter))); -{ - unsigned j; - unsigned char *ptr2 = (unsigned char *) &filter[0]; - for (j = 0; j < sizeof(filter); j++, ptr2++) { - if ((j % (sizeof(struct sock_filter))) == 0) - printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter)))); - printf("%02x, ", (*ptr2) & 0xff); - } - printf("\n"); -} -printf("whitelist_len %u, struct sock_filter len %u\n", whitelist_len, (unsigned) sizeof(struct sock_filter)); -#endif - - // parse list and add commands char *tmplist = strdup(prlist); if (!tmplist) @@ -176,22 +162,6 @@ printf("whitelist_len %u, struct sock_filter len %u\n", whitelist_len, (unsigned memcpy(ptr, domain, whitelist_len * sizeof(struct sock_filter)); ptr += whitelist_len * sizeof(struct sock_filter); token = strtok(NULL, ","); - -#if 0 -printf("entries %u\n", (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (unsigned) sizeof(struct sock_filter)); -{ - unsigned j; - unsigned char *ptr2 = (unsigned char *) &filter[0]; - for (j = 0; j < sizeof(filter); j++, ptr2++) { - if ((j % (sizeof(struct sock_filter))) == 0) - printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter)))); - printf("%02x, ", (*ptr2) & 0xff); - } - printf("\n"); -} -#endif - - } free(tmplist); 
@@ -202,19 +172,6 @@ printf("entries %u\n", (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (uns memcpy(ptr, &filter_end[0], sizeof(filter_end)); ptr += sizeof(filter_end); -#if 0 -printf("entries %u\n", (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (unsigned) sizeof(struct sock_filter)); -{ - unsigned j; - unsigned char *ptr2 = (unsigned char *) &filter[0]; - for (j = 0; j < sizeof(filter); j++, ptr2++) { - if ((j % (sizeof(struct sock_filter))) == 0) - printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter)))); - printf("%02x, ", (*ptr2) & 0xff); - } - printf("\n"); -} -#endif // save filter to file int dst = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); if (dst < 0) { diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c index e808538b061..99e671799fe 100644 --- a/src/fseccomp/seccomp.c +++ b/src/fseccomp/seccomp.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff --git a/src/fseccomp/seccomp_file.c b/src/fseccomp/seccomp_file.c index 9e8ceb89879..846c7f3356c 100644 --- a/src/fseccomp/seccomp_file.c +++ b/src/fseccomp/seccomp_file.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff --git a/src/fseccomp/seccomp_secondary.c b/src/fseccomp/seccomp_secondary.c index f024859d3d8..54089202694 100644 --- a/src/fseccomp/seccomp_secondary.c +++ b/src/fseccomp/seccomp_secondary.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * 
@@ -126,7 +126,7 @@ void seccomp_secondary_block(const char *fname) { EXAMINE_SYSCALL, #if defined(__x86_64__) // block x32 - HANDLE_X32_KILL, + HANDLE_X32, #endif // block personality(2) where domain != PER_LINUX or 0xffffffff (query current personality) // 0: if personality(2), continue to 1, else goto 7 (allow) diff --git a/src/fshaper/fshaper.sh b/src/fshaper/fshaper.sh index 936a2351260..f9a6c4f0624 100755 --- a/src/fshaper/fshaper.sh +++ b/src/fshaper/fshaper.sh @@ -1,8 +1,18 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 +TCFILE="" +if [ -x "/usr/sbin/tc" ]; then + TCFILE="/usr/sbin/tc" +elif [ -x "/sbin/tc" ]; then + TCFILE="/sbin/tc"; +else + echo "Error: traffic control utility (tc) not found"; + exit 1 +fi + usage() { echo "Usage:" echo " fshaper.sh --status" @@ -11,8 +21,8 @@ usage() { } if [ "$1" = "--status" ]; then - /sbin/tc -s qdisc ls - /sbin/tc -s class ls + $TCFILE -s qdisc ls + $TCFILE -s class ls exit fi @@ -25,8 +35,8 @@ if [ "$1" = "--clear" ]; then DEV=$2 echo "Removing bandwidth limits" - /sbin/tc qdisc del dev $DEV root 2> /dev/null > /dev/null - /sbin/tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null + $TCFILE qdisc del dev $DEV root 2> /dev/null > /dev/null + $TCFILE qdisc del dev $DEV ingress 2> /dev/null > /dev/null exit fi @@ -34,7 +44,7 @@ fi if [ "$1" = "--set" ]; then DEV=$2 echo "Removing bandwidth limit" - /sbin/tc qdisc del dev $DEV ingress #2> /dev/null > /dev/null + $TCFILE qdisc del dev $DEV ingress #2> /dev/null > /dev/null if [ $# -ne 4 ]; then echo "Error: missing parameters" 
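Review bot: Replacing `HANDLE_X32_KILL` with `HANDLE_X32` under the comment "block x32" changes the semantics only if the new macro returns the configurable `arg_seccomp_error_action` instead of an unconditional kill; the macro definition is not in this patch, so please confirm that is the intent and update the comment to say "block x32 (using the configured error action)" so the behaviour is documented at the use site.

Review bot: In fshaper.sh, `$TCFILE` and `$DEV` are expanded unquoted in every `tc` invocation, and `DEV=$2` is taken straight from the command line; quote them (`"$TCFILE" qdisc del dev "$DEV" root`) and reject an empty or whitespace-containing `$DEV` up front, since an empty value turns `tc qdisc del dev root` into a different command. The hard-coded `/usr/sbin/tc` / `/sbin/tc` probe could also be replaced by `command -v tc`, which covers distributions that install it elsewhere; the stray `;` after `TCFILE="/sbin/tc"` and the `echo` line is harmless but inconsistent with the rest of the script.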
@@ -54,16 +64,16 @@ if [ "$1" = "--set" ]; then echo "Upload speed ${OUT}kbps" echo "cleaning limits" - /sbin/tc qdisc del dev $DEV root 2> /dev/null > /dev/null - /sbin/tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null + $TCFILE qdisc del dev $DEV root 2> /dev/null > /dev/null + $TCFILE qdisc del dev $DEV ingress 2> /dev/null > /dev/null echo "configuring tc ingress" - /sbin/tc qdisc add dev $DEV handle ffff: ingress #2> /dev/null > /dev/null - /sbin/tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \ + $TCFILE qdisc add dev $DEV handle ffff: ingress #2> /dev/null > /dev/null + $TCFILE filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \ 0.0.0.0/0 police rate ${IN}kbit burst 10k drop flowid :1 #2> /dev/null > /dev/null echo "configuring tc egress" - /sbin/tc qdisc add dev $DEV root tbf rate ${OUT}kbit latency 25ms burst 10k #2> /dev/null > /dev/null + $TCFILE qdisc add dev $DEV root tbf rate ${OUT}kbit latency 25ms burst 10k #2> /dev/null > /dev/null exit fi diff --git a/src/ftee/Makefile.in b/src/ftee/Makefile.in index 32cdc63d32f..05caf81be09 100644 --- a/src/ftee/Makefile.in +++ b/src/ftee/Makefile.in @@ -1,3 +1,4 @@ +.PHONY: all all: ftee include ../common.mk @@ -8,7 +9,9 @@ include ../common.mk ftee: $(OBJS) $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) +.PHONY: clean clean:; rm -fr *.o ftee *.gcov *.gcda *.gcno *.plist +.PHONY: distclean distclean: clean rm -fr Makefile diff --git a/src/ftee/ftee.h b/src/ftee/ftee.h index aec64595d56..a556efb756a 100644 --- a/src/ftee/ftee.h +++ b/src/ftee/ftee.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff --git a/src/ftee/main.c b/src/ftee/main.c index a1e42ed32cd..4d447f2c4d3 100644 --- a/src/ftee/main.c +++ b/src/ftee/main.c 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff --git a/src/include/common.h b/src/include/common.h index c65ba0d55a3..5bcbaad8899 100644 --- a/src/include/common.h +++ b/src/include/common.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -32,6 +32,10 @@ #include #include +// dbus proxy path used by firejail and firemon +#define XDG_DBUS_PROXY_PATH "/usr/bin/xdg-dbus-proxy" + + #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0) // macro to print ip addresses in a printf statement @@ -109,21 +113,6 @@ static inline int mac_not_zero(const unsigned char mac[6]) { return 0; } -// rtdsc timestamp on x86-64/amd64 processors -static inline unsigned long long getticks(void) { -#if defined(__x86_64__) - unsigned a, d; - asm volatile("rdtsc" : "=a" (a), "=d" (d)); - return ((unsigned long long)a) | (((unsigned long long)d) << 32); -#elif defined(__i386__) - unsigned long long ret; - __asm__ __volatile__("rdtsc" : "=A" (ret)); - return ret; -#else - return 0; // not implemented -#endif -} - void timetrace_start(void); float timetrace_end(void); int join_namespace(pid_t pid, char *type); @@ -132,4 +121,6 @@ char *pid_proc_comm(const pid_t pid); char *pid_proc_cmdline(const pid_t pid); int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid); int pid_hidepid(void); +void warn_dumpable(void); +const char *gnu_basename(const char *path); #endif diff --git a/src/include/euid_common.h b/src/include/euid_common.h index d8277ade79d..8d8dd95f6f9 100644 --- a/src/include/euid_common.h +++ b/src/include/euid_common.h 
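Review bot: `XDG_DBUS_PROXY_PATH` is hard-coded to `/usr/bin/xdg-dbus-proxy` and `find_child()` in firemon.c compares it as a prefix of the raw cmdline; on distributions that install the proxy under a different prefix (or when it is invoked by relative name) the skip never triggers and firemon reports the proxy as the sandboxed child. Since this same header adds `gnu_basename()`, matching on the basename of argv[0] (`strcmp(gnu_basename(cmdline), "xdg-dbus-proxy") == 0`) would be more robust, with the full path kept only for firejail's own exec.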
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff --git a/src/include/firejail_user.h b/src/include/firejail_user.h index a8d269daac4..cf17fa0cffa 100644 --- a/src/include/firejail_user.h +++ b/src/include/firejail_user.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff --git a/src/include/gcov_wrapper.h b/src/include/gcov_wrapper.h new file mode 100644 index 00000000000..4aafb8e18cd --- /dev/null +++ b/src/include/gcov_wrapper.h 
@@ -0,0 +1,46 @@ +/* + * Copyright (C) 2021 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#ifndef GCOV_WRAPPER_H +#define GCOV_WRAPPER_H + +#ifdef HAS_GCOV +#include + +/* + * __gcov_flush was removed on gcc 11.1.0 (as it's no longer needed), but it + * appears to be the safe/"correct" way to do things on previous versions (as + * it ensured proper locking, which is now done elsewhere). Thus, keep using + * it in the code and ensure that it exists, in order to support gcc <11.1.0 + * and gcc >=11.1.0, respectively. + */ +#if __GNUC__ > 11 || (__GNUC__ == 11 && __GNUC_MINOR__ >= 1) +static void __gcov_flush(void) { + __gcov_dump(); + __gcov_reset(); +} +#endif +#else +#define __gcov_dump() ((void)0) +#define __gcov_reset() ((void)0) +#define __gcov_flush() ((void)0) +#endif /* HAS_GCOV */ + +#endif /* GCOV_WRAPPER_H */ diff --git a/src/include/ldd_utils.h b/src/include/ldd_utils.h index 29dd8926e07..ffd6e189fef 100644 --- a/src/include/ldd_utils.h +++ b/src/include/ldd_utils.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff --git a/src/include/pid.h b/src/include/pid.h index 1f15d3c687a..17e51f66019 100644 
--- a/src/include/pid.h +++ b/src/include/pid.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff --git a/src/include/rundefs.h b/src/include/rundefs.h index f8bcdec52cd..3db750da3ec 100644 --- a/src/include/rundefs.h +++ b/src/include/rundefs.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -51,7 +51,7 @@ #define RUN_LIB_DIR RUN_MNT_DIR "/lib" #define RUN_LIB_FILE RUN_MNT_DIR "/libfiles" #define RUN_DNS_ETC RUN_MNT_DIR "/dns-etc" -#define RUN_DHCLIENT_DIR RUN_MNT_DIR "/dhclient" +#define RUN_DHCLIENT_DIR RUN_MNT_DIR "/dhclient-dir" #define RUN_DHCLIENT_4_LEASES_FILE RUN_DHCLIENT_DIR "/dhclient.leases" #define RUN_DHCLIENT_6_LEASES_FILE RUN_DHCLIENT_DIR "/dhclient6.leases" #define RUN_DHCLIENT_4_LEASES_FILE RUN_DHCLIENT_DIR "/dhclient.leases" 
@@ -79,28 +79,11 @@ #define PATH_SECCOMP_MDWX_32 LIBDIR "/firejail/seccomp.mdwx.32" #define PATH_SECCOMP_BLOCK_SECONDARY LIBDIR "/firejail/seccomp.block_secondary" // secondary arch blocking filter built during make - #define RUN_DEV_DIR RUN_MNT_DIR "/dev" #define RUN_DEVLOG_FILE RUN_MNT_DIR "/devlog" - -#define RUN_WHITELIST_X11_DIR RUN_MNT_DIR "/orig-x11" -#define RUN_WHITELIST_HOME_DIR RUN_MNT_DIR "/orig-home" // default home directory masking -#define RUN_WHITELIST_RUN_DIR RUN_MNT_DIR "/orig-run" // default run directory masking -#define RUN_WHITELIST_HOME_USER_DIR RUN_MNT_DIR "/orig-home-user" // home directory whitelisting -#define RUN_WHITELIST_RUN_USER_DIR RUN_MNT_DIR "/orig-run-user" // run directory whitelisting -#define RUN_WHITELIST_TMP_DIR RUN_MNT_DIR "/orig-tmp" -#define RUN_WHITELIST_MEDIA_DIR RUN_MNT_DIR "/orig-media" -#define RUN_WHITELIST_MNT_DIR RUN_MNT_DIR "/orig-mnt" -#define RUN_WHITELIST_VAR_DIR RUN_MNT_DIR "/orig-var" -#define RUN_WHITELIST_DEV_DIR RUN_MNT_DIR "/orig-dev" -#define RUN_WHITELIST_OPT_DIR RUN_MNT_DIR "/orig-opt" -#define RUN_WHITELIST_SRV_DIR RUN_MNT_DIR "/orig-srv" -#define RUN_WHITELIST_ETC_DIR RUN_MNT_DIR "/orig-etc" -#define RUN_WHITELIST_SHARE_DIR RUN_MNT_DIR "/orig-share" -#define RUN_WHITELIST_MODULE_DIR RUN_MNT_DIR "/orig-module" - -#define RUN_XAUTHORITY_FILE RUN_MNT_DIR "/.Xauthority" -#define RUN_XAUTHORITY_SEC_FILE RUN_MNT_DIR "/sec.Xauthority" +#define RUN_XAUTHORITY_FILE RUN_MNT_DIR "/.Xauthority" // private options +#define RUN_XAUTH_FILE RUN_MNT_DIR "/xauth" // x11=xorg +#define RUN_XAUTHORITY_SEC_DIR RUN_MNT_DIR "/.sec.Xauthority" // x11=xorg #define RUN_ASOUNDRC_FILE RUN_MNT_DIR "/.asoundrc" #define RUN_HOSTNAME_FILE RUN_MNT_DIR "/hostname" #define RUN_HOSTS_FILE RUN_MNT_DIR "/hosts" 
@@ -112,7 +95,7 @@ #define RUN_FSLOGGER_FILE RUN_MNT_DIR "/fslogger" #define RUN_TRACE_FILE RUN_MNT_DIR "/trace" #define RUN_UMASK_FILE RUN_MNT_DIR "/umask" +#define RUN_JOIN_FILE RUN_MNT_DIR "/join" #define RUN_OVERLAY_ROOT RUN_MNT_DIR "/oroot" -#define RUN_READY_FOR_JOIN RUN_MNT_DIR "/ready-for-join" #endif diff --git a/src/include/seccomp.h b/src/include/seccomp.h index 50920ce3a93..43bb73a0437 100644 --- a/src/include/seccomp.h +++ b/src/include/seccomp.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -96,24 +96,7 @@ # define PR_SET_NO_NEW_PRIVS 38 #endif -#if HAVE_SECCOMP_H #include -#else -#define SECCOMP_MODE_FILTER 2 -#define SECCOMP_RET_KILL 0x00000000U -#define SECCOMP_RET_TRAP 0x00030000U -#define SECCOMP_RET_ALLOW 0x7fff0000U -#define SECCOMP_RET_ERRNO 0x00050000U -#define SECCOMP_RET_DATA 0x0000ffffU - -struct seccomp_data { - int nr; - __u32 arch; - __u64 instruction_pointer; - __u64 args[6]; -}; -#endif - #ifndef SECCOMP_RET_LOG #define SECCOMP_RET_LOG 0x7ffc0000U #endif @@ -218,7 +201,7 @@ struct seccomp_data { #define VALIDATE_ARCHITECTURE_KILL \ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \ - BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL) + KILL_OR_RETURN_ERRNO #define VALIDATE_ARCHITECTURE_64 \ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ @@ -239,11 +222,7 @@ struct seccomp_data { #define HANDLE_X32 \ BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), \ BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), \ - RETURN_ERRNO(EPERM) -#define HANDLE_X32_KILL \ - BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), \ - BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), \ - BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL) + KILL_OR_RETURN_ERRNO #endif #define EXAMINE_SYSCALL BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ 
@@ -274,7 +253,9 @@ struct seccomp_data { #define RETURN_ERRNO(nr) \ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr) -extern int arg_seccomp_error_action; // error action: errno or kill +extern int arg_seccomp_error_action; // error action: errno, log or kill +#define DEFAULT_SECCOMP_ERROR_ACTION EPERM + #define KILL_OR_RETURN_ERRNO \ BPF_STMT(BPF_RET+BPF_K, arg_seccomp_error_action) diff --git a/src/include/syscall.h b/src/include/syscall.h index 89b54170e08..015dd01b982 100644 --- a/src/include/syscall.h +++ b/src/include/syscall.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -32,7 +32,7 @@ void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, b // errno.c void errno_print(void); int errno_find_name(const char *name); -char *errno_find_nr(int nr); +const char *errno_find_nr(int nr); // syscall.c void syscall_print(void); diff --git a/src/include/syscall_armeabi.h b/src/include/syscall_armeabi.h index cbdc67f37c9..3b574f875e4 100644 --- a/src/include/syscall_armeabi.h +++ b/src/include/syscall_armeabi.h @@ -42,6 +42,7 @@ { "exit", 1 }, { "exit_group", 248 }, { "faccessat", 334 }, +{ "faccessat2", 439 }, { "fallocate", 352 }, { "fanotify_init", 367 }, { "fanotify_mark", 368 }, diff --git a/src/include/syscall_i386.h b/src/include/syscall_i386.h index 4795e5b2a15..752e11f24ad 100644 --- a/src/include/syscall_i386.h +++ b/src/include/syscall_i386.h @@ -54,6 +54,7 @@ { "exit", 1 }, { "exit_group", 252 }, { "faccessat", 307 }, +{ "faccessat2", 439 }, { "fadvise64", 250 }, { "fadvise64_64", 272 }, { "fallocate", 324 }, diff --git a/src/include/syscall_x86_64.h b/src/include/syscall_x86_64.h index 539e874beaf..97f2762b14b 100644 --- a/src/include/syscall_x86_64.h +++ b/src/include/syscall_x86_64.h 
@@ -47,6 +47,7 @@ { "exit", 60 }, { "exit_group", 231 }, { "faccessat", 269 }, +{ "faccessat2", 439 }, { "fadvise64", 221 }, { "fallocate", 285 }, { "fanotify_init", 300 }, diff --git a/src/jailcheck/Makefile.in b/src/jailcheck/Makefile.in new file mode 100644 index 00000000000..d218c1f9076 --- /dev/null +++ b/src/jailcheck/Makefile.in @@ -0,0 +1,17 @@ +.PHONY: all +all: jailcheck + +include ../common.mk + +%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/pid.h + $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ + +jailcheck: $(OBJS) + $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/pid.o $(LIBS) $(EXTRA_LDFLAGS) + +.PHONY: clean +clean:; rm -fr *.o jailcheck *.gcov *.gcda *.gcno *.plist + +.PHONY: distclean +distclean: clean + rm -fr Makefile diff --git a/src/jailcheck/access.c b/src/jailcheck/access.c new file mode 100644 index 00000000000..3c2f46495d0 --- /dev/null +++ b/src/jailcheck/access.c 
@@ -0,0 +1,143 @@ +/* + * Copyright (C) 2014-2021 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "jailcheck.h" +#include +#include + +typedef struct { + char *tfile; + char *tdir; +} TestDir; + +#define MAX_TEST_FILES 16 +TestDir td[MAX_TEST_FILES]; +static int files_cnt = 0; + +void access_setup(const char *directory) { + // I am root! 
+ assert(directory); + assert(user_home_dir); + + if (files_cnt >= MAX_TEST_FILES) { + fprintf(stderr, "Error: maximum number of test directories exceeded\n"); + exit(1); + } + + char *fname = strdup(directory); + if (!fname) + errExit("strdup"); + if (strncmp(fname, "~/", 2) == 0) { + free(fname); + if (asprintf(&fname, "%s/%s", user_home_dir, directory + 2) == -1) + errExit("asprintf"); + } + + char *path = realpath(fname, NULL); + free(fname); + if (path == NULL) { + fprintf(stderr, "Warning: invalid directory %s, skipping...\n", directory); + return; + } + + // file in home directory + if (strncmp(path, user_home_dir, strlen(user_home_dir)) != 0) { + fprintf(stderr, "Warning: file %s is not in user home directory, skipping...\n", directory); + free(path); + return; + } + + // try to open the dir as root + DIR *dir = opendir(path); + if (!dir) { + fprintf(stderr, "Warning: directory %s not found, skipping\n", directory); + free(path); + return; + } + closedir(dir); + + // create a test file + char *test_file; + if (asprintf(&test_file, "%s/jailcheck-access-%d", path, getpid()) == -1) + errExit("asprintf"); + + FILE *fp = fopen(test_file, "w"); + if (!fp) { + printf("Warning: I cannot create test file in directory %s, skipping...\n", directory); + return; + } + fprintf(fp, "this file was created by firetest utility, you can safely delete it\n"); + fclose(fp); + int rv = chown(test_file, user_uid, user_gid); + if (rv) + errExit("chown"); + + char *dname = strdup(directory); + if (!dname) + errExit("strdup"); + td[files_cnt].tdir = dname; + td[files_cnt].tfile = test_file; + files_cnt++; +} + +void access_destroy(void) { + // remove test files + int i; + + for (i = 0; i < files_cnt; i++) { + int rv = unlink(td[i].tfile); + (void) rv; + } + files_cnt = 0; +} + +void access_test(void) { + // I am root in sandbox mount namespace + assert(user_uid); + int i; + + pid_t child = fork(); + if (child == -1) + errExit("fork"); + + if (child == 0) { // child + // drop 
privileges + if (setgid(user_gid) != 0) + errExit("setgid"); + if (setuid(user_uid) != 0) + errExit("setuid"); + + for (i = 0; i < files_cnt; i++) { + assert(td[i].tfile); + + // try to open the file for reading + FILE *fp = fopen(td[i].tfile, "r"); + if (fp) { + + printf(" Warning: I can read %s\n", td[i].tdir); + fclose(fp); + } + } + exit(0); + } + + // wait for the child to finish + int status; + wait(&status); +} diff --git a/src/jailcheck/apparmor.c b/src/jailcheck/apparmor.c new file mode 100644 index 00000000000..64f27804667 --- /dev/null +++ b/src/jailcheck/apparmor.c @@ -0,0 +1,40 @@ +/* + * Copyright (C) 2014-2021 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "jailcheck.h" + +#ifdef HAVE_APPARMOR +#include + +void apparmor_test(pid_t pid) { + char *label = NULL; + char *mode = NULL; + int rv = aa_gettaskcon(pid, &label, &mode); + if (rv == -1 || mode == NULL) + printf(" Warning: AppArmor not enabled\n"); +} + + +#else +void apparmor_test(pid_t pid) { + (void) pid; + return; +} +#endif + diff --git a/src/faudit/faudit.h b/src/jailcheck/jailcheck.h similarity index 50% rename from src/faudit/faudit.h rename to src/jailcheck/jailcheck.h index 20189a0ffd0..3f8c89bfb46 100644 --- a/src/faudit/faudit.h 
+++ b/src/jailcheck/jailcheck.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -17,52 +17,48 @@ * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ +#ifndef JAILCHECK_H +#define JAILCHECK_H -#ifndef FAUDIT_H -#define FAUDIT_H -#define _GNU_SOURCE -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s:%s(%d)", msg, __FUNCTION__, __LINE__); perror(msgout); exit(1);} while (0) +#include "../include/common.h" // main.c -extern char *prog; +extern uid_t user_uid; +extern gid_t user_gid; +extern char *user_name; +extern char *user_home_dir; +extern char *user_run_dir; -// pid.c -void pid_test(void); +// access.c +void access_setup(const char *directory); +void access_test(void); +void access_destroy(void); -// caps.c -void caps_test(void); +// noexec.c +void noexec_setup(void); +void noexec_test(const char *msg); -// seccomp.c -void seccomp_test(void); +// sysfiles.c +void sysfiles_setup(const char *file); +void sysfiles_test(void); -// syscall.c -void syscall_helper(int argc, char **argv); -void syscall_run(const char *name); +// virtual.c +void virtual_setup(const char *directory); +void virtual_destroy(void); +void virtual_test(void); -// files.c -void files_test(void); +// apparmor.c +void apparmor_test(pid_t pid); + +// seccomp.c +void seccomp_test(pid_t pid); // network.c void network_test(void); - -// dbus.c -int check_unix(const char *sockfile); -void dbus_test(void); - -// dev.c -void dev_test(void); - -// x11.c -void x11_test(void); +// utils.c +char *get_sudo_user(void); +char *get_homedir(const char *user, uid_t *uid, gid_t *gid); +int find_child(pid_t pid); +pid_t switch_to_child(pid_t pid); #endif 
diff --git a/src/jailcheck/main.c b/src/jailcheck/main.c new file mode 100644 index 00000000000..812ac5808ee --- /dev/null +++ b/src/jailcheck/main.c 
@@ -0,0 +1,215 @@ +/* + * Copyright (C) 2014-2021 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "jailcheck.h" +#include "../include/firejail_user.h" +#include "../include/pid.h" +#include + +uid_t user_uid = 0; +gid_t user_gid = 0; +char *user_name = NULL; +char *user_home_dir = NULL; +char *user_run_dir = NULL; +int arg_debug = 0; + +static char *usage_str = + "Usage: jailcheck [options] directory [directory]\n\n" + "Options:\n" + " --debug - print debug messages.\n" + " --help, -? 
- this help screen.\n" + " --version - print program version and exit.\n"; + + +static void usage(void) { + printf("firetest - version %s\n\n", VERSION); + puts(usage_str); +} + +static void cleanup(void) { + // running only as root + if (getuid() == 0) { + if (arg_debug) + printf("cleaning up!\n"); + access_destroy(); + virtual_destroy(); + } +} + +int main(int argc, char **argv) { + int i; + int findex = 0; + + for (i = 1; i < argc; i++) { + if (strcmp(argv[i], "-?") == 0 || strcmp(argv[i], "--help") == 0) { + usage(); + return 0; + } + else if (strcmp(argv[i], "--version") == 0) { + printf("firetest version %s\n\n", VERSION); + return 0; + } + else if (strncmp(argv[i], "--hello=", 8) == 0) { // used by noexec test + printf(" Warning: I can run programs in %s\n", argv[i] + 8); + return 0; + } + else if (strcmp(argv[i], "--debug") == 0) + arg_debug = 1; + else if (strncmp(argv[i], "--", 2) == 0) { + fprintf(stderr, "Error: invalid option\n"); + return 1; + } + else { + findex = i; + break; + } + } + + // user setup + if (getuid() != 0) { + fprintf(stderr, "Error: you need to be root (via sudo) to run this program\n"); + exit(1); + } + user_name = get_sudo_user(); + assert(user_name); + user_home_dir = get_homedir(user_name, &user_uid, &user_gid); + if (user_uid == 0) { + fprintf(stderr, "Error: root user not supported\n"); + exit(1); + } + if (asprintf(&user_run_dir, "/run/user/%d", user_uid) == -1) + errExit("asprintf"); + + // test setup + atexit(cleanup); + access_setup("~/.ssh"); + access_setup("~/.gnupg"); + if (findex > 0) { + for (i = findex; i < argc; i++) + access_setup(argv[i]); + } + + noexec_setup(); + virtual_setup(user_home_dir); + virtual_setup("/tmp"); + virtual_setup("/var/tmp"); + virtual_setup("/dev"); + virtual_setup("/etc"); + virtual_setup("/bin"); + virtual_setup("/usr/share"); + virtual_setup(user_run_dir); + // basic sysfiles + sysfiles_setup("/etc/shadow"); + sysfiles_setup("/etc/gshadow"); + sysfiles_setup("/usr/bin/mount"); + 
sysfiles_setup("/usr/bin/su"); + sysfiles_setup("/usr/bin/ksu"); + sysfiles_setup("/usr/bin/sudo"); + sysfiles_setup("/usr/bin/strace"); + // X11 + sysfiles_setup("/usr/bin/xev"); + sysfiles_setup("/usr/bin/xinput"); + // compilers + sysfiles_setup("/usr/bin/gcc"); + sysfiles_setup("/usr/bin/clang"); + // networking + sysfiles_setup("/usr/bin/dig"); + sysfiles_setup("/usr/bin/nslookup"); + sysfiles_setup("/usr/bin/resolvectl"); + sysfiles_setup("/usr/bin/nc"); + sysfiles_setup("/usr/bin/ncat"); + sysfiles_setup("/usr/bin/nmap"); + sysfiles_setup("/usr/sbin/tcpdump"); + // terminals + sysfiles_setup("/usr/bin/gnome-terminal"); + sysfiles_setup("/usr/bin/xfce4-terminal"); + sysfiles_setup("/usr/bin/lxterminal"); + + // print processes + pid_read(0); + for (i = 0; i < max_pids; i++) { + if (pids[i].level == 1) { + uid_t uid = pid_get_uid(i); + if (uid != user_uid) // not interested in other user sandboxes + continue; + + // in case the pid is that of a firejail process, use the pid of the first child process + uid_t pid = find_child(i); + printf("\n"); + pid_print_list(i, 0); // no wrapping + apparmor_test(pid); + seccomp_test(pid); + fflush(0); + + // filesystem tests + pid_t child = fork(); + if (child == -1) + errExit("fork"); + if (child == 0) { + int rv = join_namespace(pid, "mnt"); + if (rv == 0) { + virtual_test(); + noexec_test(user_home_dir); + noexec_test("/tmp"); + noexec_test("/var/tmp"); + noexec_test(user_run_dir); + access_test(); + sysfiles_test(); + } + else { + printf(" Error: I cannot join the process mount space\n"); + exit(1); + } + + // drop privileges in order not to trigger cleanup() + if (setgid(user_gid) != 0) + errExit("setgid"); + if (setuid(user_uid) != 0) + errExit("setuid"); + return 0; + } + int status; + wait(&status); + + // network test + child = fork(); + if (child == -1) + errExit("fork"); + if (child == 0) { + int rv = join_namespace(pid, "net"); + if (rv == 0) + network_test(); + else { + printf(" Error: I cannot join the process 
network stack\n"); + exit(1); + } + + // drop privileges in order not to trigger cleanup() + if (setgid(user_gid) != 0) + errExit("setgid"); + if (setuid(user_uid) != 0) + errExit("setuid"); + return 0; + } + wait(&status); + } + } + + return 0; +} diff --git a/src/jailcheck/network.c b/src/jailcheck/network.c new file mode 100644 index 00000000000..636344e77a6 --- /dev/null +++ b/src/jailcheck/network.c @@ -0,0 +1,56 @@ +/* + * Copyright (C) 2014-2021 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "jailcheck.h" +#include +#include +#include +#include +#include +#include +#include +#include +#include + + +void network_test(void) { + // I am root running in a network namespace + struct ifaddrs *ifaddr, *ifa; + int found = 0; + + // walk through the linked list + if (getifaddrs(&ifaddr) == -1) + errExit("getifaddrs"); + for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) { + if (strcmp(ifa->ifa_name, "lo") == 0) + continue; + found = 1; + break; + } + + freeifaddrs(ifaddr); + + if (found) + printf(" Networking: enabled\n"); + else + printf(" Networking: disabled\n"); +} + + + diff --git a/src/jailcheck/noexec.c b/src/jailcheck/noexec.c new file mode 100644 index 00000000000..be18ac10999 --- /dev/null 
+++ b/src/jailcheck/noexec.c 
@@ -0,0 +1,113 @@ +/* + * Copyright (C) 2014-2021 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "jailcheck.h" +#include +#include +#include + +static unsigned char *execfile = NULL; +static int execfile_len = 0; + +void noexec_setup(void) { + // grab a copy of myself + char *self = realpath("/proc/self/exe", NULL); + if (self) { + struct stat s; + if (access(self, X_OK) == 0 && stat(self, &s) == 0) { + assert(s.st_size); + execfile = malloc(s.st_size); + + int fd = open(self, O_RDONLY); + if (fd == -1) + errExit("open"); + int len = 0; + do { + int rv = read(fd, execfile + len, s.st_size - len); + if (rv == -1) + errExit("read"); + if (rv == 0) { + // something went wrong! 
+ free(execfile); + execfile = NULL; + printf("Warning: I cannot grab a copy of myself, skipping noexec test...\n"); + break; + } + len += rv; + } + while (len < s.st_size); + execfile_len = s.st_size; + close(fd); + } + } +} + + +void noexec_test(const char *path) { + assert(user_uid); + + // I am root in sandbox mount namespace + if (!execfile) + return; + + char *fname; + if (asprintf(&fname, "%s/jailcheck-noexec-%d", path, getpid()) == -1) + errExit("asprintf"); + + pid_t child = fork(); + if (child == -1) + errExit("fork"); + + if (child == 0) { // child + // drop privileges + if (setgid(user_gid) != 0) + errExit("setgid"); + if (setuid(user_uid) != 0) + errExit("setuid"); + int fd = open(fname, O_CREAT | O_TRUNC | O_WRONLY, 0700); + if (fd == -1) { + printf(" I cannot create files in %s, skipping noexec...\n", path); + exit(1); + } + + int len = 0; + while (len < execfile_len) { + int rv = write(fd, execfile + len, execfile_len - len); + if (rv == -1 || rv == 0) { + printf(" I cannot create files in %s, skipping noexec....\n", path); + exit(1); + } + len += rv; + } + fchmod(fd, 0700); + close(fd); + + char *arg; + if (asprintf(&arg, "--hello=%s", path) == -1) + errExit("asprintf"); + int rv = execl(fname, fname, arg, NULL); + (void) rv; // if we get here execl failed + exit(0); + } + + int status; + wait(&status); + int rv = unlink(fname); + (void) rv; +} diff --git a/src/faudit/dev.c b/src/jailcheck/seccomp.c similarity index 52% rename from src/faudit/dev.c rename to src/jailcheck/seccomp.c index 9c80f99dfeb..9345eb97006 100644 --- a/src/faudit/dev.c +++ b/src/jailcheck/seccomp.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * 
@@ -17,31 +17,31 @@ * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ -#include "faudit.h" -#include +#include "jailcheck.h" +#define MAXBUF 4096 -void dev_test(void) { - DIR *dir; - if (!(dir = opendir("/dev"))) { - fprintf(stderr, "Error: cannot open /dev directory\n"); +void seccomp_test(pid_t pid) { + char *file; + if (asprintf(&file, "/proc/%d/status", pid) == -1) + errExit("asprintf"); + + FILE *fp = fopen(file, "r"); + if (!fp) { + printf(" Error: cannot open %s\n", file); + free(file); return; } - struct dirent *entry; - printf("INFO: files visible in /dev directory: "); - int cnt = 0; - while ((entry = readdir(dir)) != NULL) { - if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) - continue; - - printf("%s, ", entry->d_name); - cnt++; + char buf[MAXBUF]; + while (fgets(buf, MAXBUF, fp)) { + if (strncmp(buf, "Seccomp:", 8) == 0) { + int val = -1; + int rv = sscanf(buf + 8, "\t%d", &val); + if (rv != 1 || val == 0) + printf(" Warning: seccomp not enabled\n"); + break; + } } - printf("\n"); - - if (cnt > 20) - printf("MAYBE: /dev directory seems to be fully populated. Use --private-dev or --whitelist to restrict the access.\n"); - else - printf("GOOD: Access to /dev directory is restricted.\n"); - closedir(dir); + fclose(fp); + free(file); } diff --git a/src/jailcheck/sysfiles.c b/src/jailcheck/sysfiles.c new file mode 100644 index 00000000000..9a0d6350ea0 --- /dev/null +++ b/src/jailcheck/sysfiles.c 
@@ -0,0 +1,88 @@ +/* + * Copyright (C) 2014-2021 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "jailcheck.h" +#include +#include + +typedef struct { + char *tfile; +} TestFile; + +#define MAX_TEST_FILES 32 +TestFile tf[MAX_TEST_FILES]; +static int files_cnt = 0; + +void sysfiles_setup(const char *file) { + // I am root! 
+ assert(file); + + if (files_cnt >= MAX_TEST_FILES) { + fprintf(stderr, "Error: maximum number of system test files exceeded\n"); + exit(1); + } + + if (access(file, F_OK)) { + // no such file + return; + } + + + char *fname = strdup(file); + if (!fname) + errExit("strdup"); + + tf[files_cnt].tfile = fname; + files_cnt++; +} + +void sysfiles_test(void) { + // I am root in sandbox mount namespace + assert(user_uid); + int i; + + pid_t child = fork(); + if (child == -1) + errExit("fork"); + + if (child == 0) { // child + // drop privileges + if (setgid(user_gid) != 0) + errExit("setgid"); + if (setuid(user_uid) != 0) + errExit("setuid"); + + for (i = 0; i < files_cnt; i++) { + assert(tf[i].tfile); + + // try to open the file for reading + FILE *fp = fopen(tf[i].tfile, "r"); + if (fp) { + + printf(" Warning: I can access %s\n", tf[i].tfile); + fclose(fp); + } + } + exit(0); + } + + // wait for the child to finish + int status; + wait(&status); +} diff --git a/src/jailcheck/utils.c b/src/jailcheck/utils.c new file mode 100644 index 00000000000..c3aaae29825 --- /dev/null +++ b/src/jailcheck/utils.c 
@@ -0,0 +1,102 @@ +/* + * Copyright (C) 2014-2021 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "jailcheck.h" +#include "../include/pid.h" +#include +#include +#include + +#define BUFLEN 4096 + +char *get_sudo_user(void) { + char *user = getenv("SUDO_USER"); + if (!user) { + user = getpwuid(getuid())->pw_name; + if (!user) { + fprintf(stderr, "Error: cannot detect login user\n"); + exit(1); + } + } + + return user; +} + +char *get_homedir(const char *user, uid_t *uid, gid_t *gid) { + // find home directory + struct passwd *pw = getpwnam(user); + if (!pw) + goto errexit; + + char *home = pw->pw_dir; + if (!home) + goto errexit; + + *uid = pw->pw_uid; + *gid = pw->pw_gid; + + return home; + +errexit: + fprintf(stderr, "Error: cannot find home directory for user %s\n", user); + exit(1); +} + +// find the second child process for the specified pid +// return -1 if not found +// +// Example: +//14776:netblue:/usr/bin/firejail /usr/bin/transmission-qt +// 14777:netblue:/usr/bin/firejail /usr/bin/transmission-qt +// 14792:netblue:/usr/bin/transmission-qt +// We need 14792, the first real sandboxed process +// duplicate from src/firemon/main.c +int find_child(int id) { + int i; + int first_child = -1; + + // find the first 
child + for (i = 0; i < max_pids; i++) { + if (pids[i].level == 2 && pids[i].parent == id) { + // skip /usr/bin/xdg-dbus-proxy (started by firejail for dbus filtering) + char *cmdline = pid_proc_cmdline(i); + if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) == 0) { + free(cmdline); + continue; + } + free(cmdline); + first_child = i; + break; + } + } + + if (first_child == -1) + return -1; + + // find the second-level child + for (i = 0; i < max_pids; i++) { + if (pids[i].level == 3 && pids[i].parent == first_child) + return i; + } + + // if a second child is not found, return the first child pid + // this happens for processes sandboxed with --join + return first_child; +} + diff --git a/src/jailcheck/virtual.c b/src/jailcheck/virtual.c new file mode 100644 index 00000000000..09092f9ce43 --- /dev/null +++ b/src/jailcheck/virtual.c 
@@ -0,0 +1,125 @@ +/* + * Copyright (C) 2014-2021 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "jailcheck.h" +#include +#include + + +#define MAX_TEST_FILES 16 +static char *dirs[MAX_TEST_FILES]; +static char *files[MAX_TEST_FILES]; +static int files_cnt = 0; + +void virtual_setup(const char *directory) { + // I am root! 
+ assert(directory); + assert(*directory == '/'); + assert(files_cnt < MAX_TEST_FILES); + + // try to open the dir as root + DIR *dir = opendir(directory); + if (!dir) { + fprintf(stderr, "Warning: directory %s not found, skipping\n", directory); + return; + } + closedir(dir); + + // create a test file + char *test_file; + if (asprintf(&test_file, "%s/jailcheck-private-%d", directory, getpid()) == -1) + errExit("asprintf"); + + FILE *fp = fopen(test_file, "w"); + if (!fp) { + printf("Warning: I cannot create test file in directory %s, skipping...\n", directory); + return; + } + fprintf(fp, "this file was created by firetest utility, you can safely delete it\n"); + fclose(fp); + if (strcmp(directory, user_home_dir) == 0) { + int rv = chown(test_file, user_uid, user_gid); + if (rv) + errExit("chown"); + } + + char *dname = strdup(directory); + if (!dname) + errExit("strdup"); + dirs[files_cnt] = dname; + files[files_cnt] = test_file; + files_cnt++; +} + +void virtual_destroy(void) { + // remove test files + int i; + + for (i = 0; i < files_cnt; i++) { + int rv = unlink(files[i]); + (void) rv; + } + files_cnt = 0; +} + +void virtual_test(void) { + // I am root in sandbox mount namespace + assert(user_uid); + int i; + + int cnt = 0; + cnt += printf(" Virtual dirs: "); fflush(0); + + for (i = 0; i < files_cnt; i++) { + assert(files[i]); + + // I am root! + pid_t child = fork(); + if (child == -1) + errExit("fork"); + + if (child == 0) { // child + // drop privileges + if (setgid(user_gid) != 0) + errExit("setgid"); + if (setuid(user_uid) != 0) + errExit("setuid"); + + // try to open the file for reading + FILE *fp = fopen(files[i], "r"); + if (fp) + fclose(fp); + else { + if (cnt == 0) + cnt += printf("\n "); + cnt += printf("%s, ", dirs[i]); + if (cnt > 60) + cnt = 0; + } + fflush(0); + exit(cnt); + } + + // wait for the child to finish + int status; + wait(&status); + cnt = WEXITSTATUS(status); + } + printf("\n"); +} 
diff --git a/src/lib/Makefile.in b/src/lib/Makefile.in index 68125283296..49c8057b381 100644 --- a/src/lib/Makefile.in +++ b/src/lib/Makefile.in @@ -1,11 +1,14 @@ include ../common.mk +.PHONY: all all: $(OBJS) %.o : %.c $(H_FILE_LIST) $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ +.PHONY: clean clean:; rm -fr $(OBJS) *.gcov *.gcda *.gcno *.plist +.PHONY: distclean distclean: clean rm -fr Makefile diff --git a/src/lib/common.c b/src/lib/common.c index 1fd317d4f44..f1bd7a6fecd 100644 --- a/src/lib/common.c +++ b/src/lib/common.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -30,6 +30,7 @@ #include #include #include +#include #include "../include/common.h" #define BUFLEN 4096 @@ -266,7 +267,6 @@ int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid) { } // return 1 if /proc is mounted hidepid, or if /proc/mouns access is denied -#define BUFLEN 4096 int pid_hidepid(void) { FILE *fp = fopen("/proc/mounts", "r"); if (!fp) @@ -277,7 +277,7 @@ int pid_hidepid(void) { if (strstr(buf, "proc /proc proc")) { fclose(fp); // check hidepid - if (strstr(buf, "hidepid=2") || strstr(buf, "hidepid=1")) + if (strstr(buf, "hidepid=")) return 1; return 0; } 
@@ -287,41 +287,78 @@ int pid_hidepid(void) { return 0; } +// print error if unprivileged users can trace the process +void warn_dumpable(void) { + if (getuid() != 0 && prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getenv("FIREJAIL_PLUGIN")) { + fprintf(stderr, "Error: dumpable process\n"); + + // best effort to provide detailed debug information + // cannot use process name, it is just a file descriptor number + char path[BUFLEN]; + ssize_t len = readlink("/proc/self/exe", path, BUFLEN - 1); + if (len < 0) + return; + path[len] = '\0'; + // path can refer to a sandbox mount namespace, use basename only + const char *base = gnu_basename(path); + + struct stat s; + if (stat("/proc/self/exe", &s) == 0 && s.st_uid != 0) + fprintf(stderr, "Change owner of %s executable to root\n", base); + else if (access("/proc/self/exe", R_OK) == 0) + fprintf(stderr, "Remove read permission on %s executable\n", base); + } +} + +// Equivalent to the GNU version of basename, which is incompatible with +// the POSIX basename. A few lines of code saves any portability pain. 
+// https://www.gnu.org/software/libc/manual/html_node/Finding-Tokens-in-a-String.html#index-basename +const char *gnu_basename(const char *path) { + const char *last_slash = strrchr(path, '/'); + if (!last_slash) + return path; + return last_slash+1; +} + //************************** // time trace based on getticks function //************************** -static int tt_not_implemented = 0; // not implemented for the current architecture -static unsigned long long tt_1ms = 0; -static unsigned long long tt = 0; // start time +typedef struct list_entry_t { + struct list_entry_t *next; + struct timespec ts; +} ListEntry; -void timetrace_start(void) { - if (tt_not_implemented) - return; - unsigned long long t1 = getticks(); - if (t1 == 0) { - tt_not_implemented = 1; - return; - } +static ListEntry *ts_list = NULL; - if (tt_1ms == 0) { - usleep(1000); // sleep 1 ms - unsigned long long t2 = getticks(); - tt_1ms = t2 - t1; - if (tt_1ms == 0) { - tt_not_implemented = 1; - return; - } - } +static inline float msdelta(struct timespec *start, struct timespec *end) { + unsigned sec = end->tv_sec - start->tv_sec; + long nsec = end->tv_nsec - start->tv_nsec; + return (float) sec * 1000 + (float) nsec / 1000000; +} - tt = getticks(); +void timetrace_start(void) { + ListEntry *t = malloc(sizeof(ListEntry)); + if (!t) + errExit("malloc"); + memset(t, 0, sizeof(ListEntry)); + clock_gettime(CLOCK_MONOTONIC, &t->ts); + + // add it to the list + t->next = ts_list; + ts_list = t; } float timetrace_end(void) { - if (tt_not_implemented) + if (!ts_list) return 0; - unsigned long long delta = getticks() - tt; - assert(tt_1ms); + // remove start time from the list + ListEntry *t = ts_list; + ts_list = t->next; - return (float) delta / (float) tt_1ms; + struct timespec end; + clock_gettime(CLOCK_MONOTONIC, &end); + float rv = msdelta(&t->ts, &end); + free(t); + return rv; } diff --git a/src/lib/errno.c b/src/lib/errno.c index d38c197ad13..9edb44c2277 100644 --- a/src/lib/errno.c 
+++ b/src/lib/errno.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -183,7 +183,7 @@ int errno_find_name(const char *name) { return -1; } -char *errno_find_nr(int nr) { +const char *errno_find_nr(int nr) { int i; int elems = sizeof(errnolist) / sizeof(errnolist[0]); for (i = 0; i < elems; i++) { diff --git a/src/lib/firejail_user.c b/src/lib/firejail_user.c index 2e03ce0e08c..d6a3c71ab15 100644 --- a/src/lib/firejail_user.c +++ b/src/lib/firejail_user.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff --git a/src/lib/ldd_utils.c b/src/lib/ldd_utils.c index 32bfb097498..c5dde85b066 100644 --- a/src/lib/ldd_utils.c +++ b/src/lib/ldd_utils.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -23,13 +23,16 @@ #include #include +// todo: resolve overlap with masked_lib_dirs[] array from fs_lib.c const char * const default_lib_paths[] = { "/usr/lib/x86_64-linux-gnu", // Debian & friends "/lib/x86_64-linux-gnu", // CentOS, Fedora + "/usr/lib64", + "/lib64", "/usr/lib", "/lib", - "/lib64", LIBDIR, + "/usr/local/lib64", "/usr/local/lib", "/usr/lib/x86_64-linux-gnu/mesa", // libGL.so is sometimes a symlink into this directory "/usr/lib/x86_64-linux-gnu/mesa-egl", // libGL.so is sometimes a symlink into this directory @@ -47,7 +50,7 @@ int is_lib_64(const char *exe) { unsigned char buf[EI_NIDENT]; ssize_t len = 0; while (len < EI_NIDENT) { - ssize_t sz = read(fd, buf, EI_NIDENT); + ssize_t sz = read(fd, buf + len, EI_NIDENT - len); if (sz <= 0) goto doexit; len += sz; diff --git a/src/lib/pid.c b/src/lib/pid.c index cad0e5424db..ca62aaa424b 100644 --- a/src/lib/pid.c +++ b/src/lib/pid.c 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff --git a/src/lib/syscall.c b/src/lib/syscall.c index 2f8ccaed779..d0d9ff5aa70 100644 --- a/src/lib/syscall.c +++ b/src/lib/syscall.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -230,6 +230,7 @@ static const SyscallGroupList sysgroups[] = { "@cpu-emulation," "@debug," "@module," + "@mount," "@obsolete," "@raw-io," "@reboot," @@ -252,9 +253,6 @@ static const SyscallGroupList sysgroups[] = { #ifdef SYS_fanotify_init "fanotify_init," #endif -#ifdef SYS_kcmp - "kcmp," -#endif #ifdef SYS_add_key "add_key," #endif @@ -297,9 +295,6 @@ static const SyscallGroupList sysgroups[] = { #ifdef SYS_vmsplice "vmsplice," #endif -#ifdef SYS_umount - "umount," -#endif #ifdef SYS_userfaultfd "userfaultfd," #endif @@ -309,27 +304,15 @@ static const SyscallGroupList sysgroups[] = { #ifdef SYS_bpf "bpf," #endif -#ifdef SYS_chroot - "chroot," -#endif -#ifdef SYS_mount - "mount," -#endif #ifdef SYS_nfsservctl "nfsservctl," #endif -#ifdef SYS_pivot_root - "pivot_root," -#endif #ifdef SYS_setdomainname "setdomainname," #endif #ifdef SYS_sethostname "sethostname," #endif -#ifdef SYS_umount2 - "umount2," -#endif #ifdef SYS_vhangup "vhangup" #endif @@ -350,6 +333,7 @@ static const SyscallGroupList sysgroups[] = { #endif }, { .name = "@default-keep", .list = + "execveat," // commonly used by fexecve "execve," "prctl" }, @@ -372,6 +356,9 @@ static const SyscallGroupList sysgroups[] = { #ifdef SYS_faccessat "faccessat," #endif +#ifdef SYS_faccessat2 + "faccessat2," +#endif #ifdef SYS_fallocate "fallocate," #endif diff --git a/src/libpostexecseccomp/Makefile.in b/src/libpostexecseccomp/Makefile.in index 00dc6ee7ef8..c08ae78ceb7 100644 --- a/src/libpostexecseccomp/Makefile.in +++ b/src/libpostexecseccomp/Makefile.in 
@@ -4,13 +4,14 @@ VERSION=@PACKAGE_VERSION@ NAME=@PACKAGE_NAME@ HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ -H_FILE_LIST = $(sort $(wildcard *.[h])) +H_FILE_LIST = $(sort $(wildcard *.h)) C_FILE_LIST = $(sort $(wildcard *.c)) OBJS = $(C_FILE_LIST:.c=.o) BINOBJS = $(foreach file, $(OBJS), $file) CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security -LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now +LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now +.PHONY: all all: libpostexecseccomp.so %.o : %.c $(H_FILE_LIST) ../include/seccomp.h ../include/rundefs.h @@ -19,7 +20,9 @@ all: libpostexecseccomp.so libpostexecseccomp.so: $(OBJS) $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl +.PHONY: clean clean:; rm -fr $(OBJS) libpostexecseccomp.so *.plist +.PHONY: distclean distclean: clean rm -fr Makefile diff --git a/src/libpostexecseccomp/libpostexecseccomp.c b/src/libpostexecseccomp/libpostexecseccomp.c index c86faa32979..1d1eb283b03 100644 --- a/src/libpostexecseccomp/libpostexecseccomp.c +++ b/src/libpostexecseccomp/libpostexecseccomp.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff --git a/src/libtrace/Makefile.in b/src/libtrace/Makefile.in index 2070fe0ea67..804671ee2db 100644 --- a/src/libtrace/Makefile.in +++ b/src/libtrace/Makefile.in 
@@ -4,13 +4,14 @@ VERSION=@PACKAGE_VERSION@ NAME=@PACKAGE_NAME@ HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ -H_FILE_LIST = $(sort $(wildcard *.[h])) +H_FILE_LIST = $(sort $(wildcard *.h)) C_FILE_LIST = $(sort $(wildcard *.c)) OBJS = $(C_FILE_LIST:.c=.o) BINOBJS = $(foreach file, $(OBJS), $file) CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security -LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now +LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now +.PHONY: all all: libtrace.so %.o : %.c $(H_FILE_LIST) @@ -19,8 +20,9 @@ all: libtrace.so libtrace.so: $(OBJS) $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl - +.PHONY: clean clean:; rm -fr $(OBJS) libtrace.so *.plist +.PHONY: distclean distclean: clean rm -fr Makefile diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c index a27fa7a03b9..d88512b0a86 100644 --- a/src/libtrace/libtrace.c +++ b/src/libtrace/libtrace.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff --git a/src/libtracelog/Makefile.in b/src/libtracelog/Makefile.in index db640617ae0..aea1b11f2e5 100644 --- a/src/libtracelog/Makefile.in +++ b/src/libtracelog/Makefile.in @@ -4,13 +4,14 @@ VERSION=@PACKAGE_VERSION@ NAME=@PACKAGE_NAME@ HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@ -H_FILE_LIST = $(sort $(wildcard *.[h])) +H_FILE_LIST = $(sort $(wildcard *.h)) C_FILE_LIST = $(sort $(wildcard *.c)) OBJS = $(C_FILE_LIST:.c=.o) BINOBJS = $(foreach file, $(OBJS), $file) CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security -LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now +LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now +.PHONY: all all: libtracelog.so %.o : %.c $(H_FILE_LIST) ../include/rundefs.h 
@@ -19,8 +20,9 @@ all: libtracelog.so libtracelog.so: $(OBJS) $(CC) $(LDFLAGS) -shared -fPIC -z relro -o $@ $(OBJS) -ldl - +.PHONY: clean clean:; rm -fr $(OBJS) libtracelog.so *.plist +.PHONY: distclean distclean: clean rm -fr Makefile diff --git a/src/libtracelog/libtracelog.c b/src/libtracelog/libtracelog.c index 9102a8ef637..b946cc88983 100644 --- a/src/libtracelog/libtracelog.c +++ b/src/libtracelog/libtracelog.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff --git a/src/man/Makefile.in b/src/man/Makefile.in new file mode 100644 index 00000000000..fbd2d795eb4 --- /dev/null +++ b/src/man/Makefile.in @@ -0,0 +1,14 @@ +.PHONY: all +all: firecfg.man firejail.man firejail-login.man firejail-users.man firejail-profile.man firemon.man jailcheck.man + +include ../common.mk + +%.man: %.txt + gawk -f ./preproc.awk -- $(MANFLAGS) < $< > $@ + +.PHONY: clean +clean:; rm -fr *.man + +.PHONY: distclean +distclean: clean + rm -fr Makefile diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt index e282c8cf06b..7e0a57f923f 100644 --- a/src/man/firecfg.txt +++ b/src/man/firecfg.txt @@ -44,9 +44,10 @@ The following actions are implemented by default by running sudo firecfg: .br - fix desktop files in $HOME/.local/share/applications/ (firecfg --fix). .br - +#ifdef HAVE_APPARMOR .br - automatically loads and forces the AppArmor profile "firejail-default". +#endif .RE .SH OPTIONS @@ -60,7 +61,7 @@ $ sudo firecfg --add-users dustin lucas mike eleven .TP \fB\-\-bindir=directory -Create and search symbolic links in directory instead of the default location /user/local/bin. +Create and search symbolic links in directory instead of the default location /usr/local/bin. Directory should precede /usr/bin and /bin in the PATH environment variable. .TP 
@@ -129,8 +130,9 @@ This program is free software; you can redistribute it and/or modify it under th .PP Homepage: https://firejail.wordpress.com .SH SEE ALSO -\&\flfirejail\fR\|(1), -\&\flfiremon\fR\|(1), -\&\flfirejail-profile\fR\|(5), -\&\flfirejail-login\fR\|(5) -\&\flfirejail-users\fR\|(5) +.BR firejail (1), +.BR firemon (1), +.BR firejail-profile (5), +.BR firejail-login (5), +.BR firejail-users (5), +.BR jailcheck (1) diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt index 430e86cc8dd..05afd55b52d 100644 --- a/src/man/firejail-login.txt +++ b/src/man/firejail-login.txt @@ -3,7 +3,7 @@ login.users \- Login file syntax for Firejail .SH DESCRIPTION -/etc/firejail/login.users file describes additional arguments passed to firejail executable +/etc/firejail/login.users file describes additional arguments passed to the firejail executable upon user logging into a Firejail restricted shell. Each user entry in the file consists of a user name followed by the arguments passed to firejail. The format is as follows: @@ -19,8 +19,8 @@ Wildcard patterns are accepted in the user name field: .SH RESTRICTED SHELL To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in -/etc/passwd file for each user that needs to be restricted. Alternatively, -you can specify /usr/bin/firejail using adduser or usermod commands: +the /etc/passwd file for each user that needs to be restricted. Alternatively, +you can specify /usr/bin/firejail using the `adduser` or `usermod` commands: adduser \-\-shell /usr/bin/firejail username .br @@ -34,8 +34,9 @@ Firejail is free software; you can redistribute it and/or modify it under the te .PP Homepage: https://firejail.wordpress.com .SH SEE ALSO -\&\flfirejail\fR\|(1), -\&\flfiremon\fR\|(1), -\&\flfirecfg\fR\|(1), -\&\flfirejail-profile\fR\|(5) -\&\flfirejail-users\fR\|(5) +.BR firejail (1), +.BR firemon (1), +.BR firecfg (1), +.BR firejail-profile (5), +.BR firejail-users (5), +.BR jailcheck (1) 
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index df2d2a2e819..a76fd376562 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt 
@@ -1,18 +1,84 @@ .TH FIREJAIL-PROFILE 5 "MONTH YEAR" "VERSION" "firejail profiles man page" .SH NAME -profile \- Security profile file syntax for Firejail +profile \- Security profile file syntax, and information about building new application profiles. -.SH USAGE +.SH SYNOPSIS + +Using a specific profile: +.PP +.RS .TP -firejail \-\-profile=filename.profile +\fBfirejail \-\-profile=filename.profile +.br + +.br +Example: +.br +$ firejail --profile=/etc/firejail/kdenlive.profile --appimage kdenlive.appimage +.br + +.br +.TP +\fBfirejail \-\-profile=profile_name +.br + +.br +Example: +.br +$ firejail --profile=kdenlive --appimage kdenlive.appimage +.br + +.br +.RE +.PP + + + +Building a profile manually: +.PP +.RS +Start with the template in /usr/share/doc/firejail/profile.template and modify it in a text editor. +To integrate the program in your desktop environment copy the profile file in ~/.config/firejail +directory and run "sudo firecfg". +.RE +.PP + +Aliases and redirections: +.PP +.RS +In some cases the same profile can be used for several applications. +One such example is LibreOffice. +Build a regular profile for the main application, and for the rest use +/usr/share/doc/firejail/redirect_alias-profile.template. +.RE +.PP + +Running the profile builder: +.PP +.RS +.TP +\fBfirejail \-\-build=appname.profile appname +.br + +.br +Example: +.br +$ firejail --build=blobby.profile blobby +.br + +.br +Run the program in "firejail \-\-build" and try to exercise as many program features as possible. +The profile is extracted and saved in the current directory. Open it in a text editor and add or remove +sandboxing options as necessary. Test again after modifying the profile. To integrate the program +in your desktop environment copy the profile file in ~/.config/firejail directory and run "sudo firecfg". .RE -firejail \-\-profile=profile_name +.PP .SH DESCRIPTION Several command line options can be passed to the program using profile files. 
Firejail chooses the profile file as follows: -\fB1.\fR If a profile file is provided by the user with \-\-profile option, the profile file is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. +\fB1.\fR If a profile file is provided by the user with \-\-profile option, the profile file is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. Example: .PP .RS @@ -94,6 +160,11 @@ Example: "blacklist ~/My Virtual Machines" .TP \fB# this is a comment +Example: + +# disable networking +.br +net none # this command creates an empty network namespace .TP \fB?CONDITIONAL: profile line @@ -103,7 +174,7 @@ Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir" This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line. -Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM +Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM can be enabled or disabled globally in Firejail's configuration file. The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines. @@ -150,9 +221,10 @@ Example: "nowhitelist ~/.config" Ignore command. Example: "ignore seccomp" +#ifdef HAVE_NETWORK .br Example: "ignore net eth0" - +#endif .TP \fBquiet Disable Firejail's output. This should be the first uncommented command in the profile file. 
@@ -204,6 +276,10 @@ Mount-bind file1 on top of file2. This option is only available when running as \fBdisable-mnt Disable /mnt, /media, /run/mount and /run/media access. .TP +\fBkeep-config-pulse +Disable automatic ~/.config/pulse init, for complex setups such as remote +pulse servers or non-standard socket paths. +.TP \fBkeep-dev-shm /dev/shm directory is untouched (even with private-dev). .TP @@ -245,18 +321,20 @@ before the sandbox is started. The file is created if it doesn't already exist. .TP \fBnoexec file_or_directory Remount the file or the directory noexec, nodev and nosuid. +#ifdef HAVE_OVERLAYFS .TP \fBoverlay -Mount a filesystem overlay on top of the current filesystem. -The overlay is stored in $HOME/.firejail/ directory. +Mount a filesystem overlay on top of the current filesystem. +The overlay is stored in $HOME/.firejail/ directory. .TP \fBoverlay-named name -Mount a filesystem overlay on top of the current filesystem. -The overlay is stored in $HOME/.firejail/name directory. +Mount a filesystem overlay on top of the current filesystem. +The overlay is stored in $HOME/.firejail/name directory. .TP \fBoverlay-tmpfs -Mount a filesystem overlay on top of the current filesystem. -All filesystem modifications are discarded when the sandbox is closed. +Mount a filesystem overlay on top of the current filesystem. +All filesystem modifications are discarded when the sandbox is closed. +#endif .TP \fBprivate Mount new /root and /home/user directories in temporary @@ -268,6 +346,8 @@ Use directory as user home. .TP \fBprivate-bin file,file Build a new /bin in a temporary filesystem, and copy the programs in the list. +The files in the list must be expressed as relative to the /bin, +/sbin, /usr/bin, /usr/sbin, or /usr/local/bin directories. The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin. .TP \fBprivate-cache 
@@ -289,26 +369,45 @@ Use the options no3d, nodvd, nosound, notv, nou2f and novideo for additional res \fBprivate-etc file,directory Build a new /etc in a temporary filesystem, and copy the files and directories in the list. +The files and directories in the list must be expressed as relative to +the /etc directory, and must not contain the / character +(e.g., /etc/foo must be expressed as foo, but /etc/foo/bar -- +expressed as foo/bar -- is disallowed). All modifications are discarded when the sandbox is closed. +#ifdef HAVE_PRIVATE_HOME .TP \fBprivate-home file,directory Build a new user home in a temporary filesystem, and copy the files and directories in the list in the -new home. All modifications are discarded when the sandbox is +new home. +The files and directories in the list must be expressed as relative to +the current user's home directory. +All modifications are discarded when the sandbox is closed. +#endif .TP \fBprivate-lib file,directory Build a new /lib directory and bring in the libraries required by the application to run. +The files and directories in the list must be expressed as relative to +the /lib directory. This feature is still under development, see \fBman 1 firejail\fR for some examples. .TP \fBprivate-opt file,directory Build a new /opt in a temporary filesystem, and copy the files and directories in the list. +The files and directories in the list must be expressed as relative to +the /opt directory, and must not contain the / character +(e.g., /opt/foo must be expressed as foo, but /opt/foo/bar -- +expressed as foo/bar -- is disallowed). All modifications are discarded when the sandbox is closed. .TP \fBprivate-srv file,directory Build a new /srv in a temporary filesystem, and copy the files and directories in the list. 
+The files and directories in the list must be expressed as relative to +the /srv directory, and must not contain the / character +(e.g., /srv/foo must be expressed as foo, but /srv/foo/bar -- +expressed as foo/bar -- is disallowed). All modifications are discarded when the sandbox is closed. .TP \fBprivate-tmp @@ -321,7 +420,7 @@ Make directory or file read-only. Make directory or file read-write. .TP \fBtmpfs directory -Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root. +Mount an empty tmpfs filesystem on top of directory. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions. .TP \fBtracelog Blacklist violations logged to syslog. @@ -329,8 +428,9 @@ Blacklist violations logged to syslog. \fBwhitelist file_or_directory Whitelist directory or file. A temporary file system is mounted on the top directory, and the whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent, -everything else is discarded when the sandbox is closed. The top directory could be -user home, /dev, /etc, /media, /mnt, /opt, /srv, /sys/module, /usr/share, /var, and /tmp. +everything else is discarded when the sandbox is closed. The top directory can be +all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and +all directories in /usr. .br .br @@ -356,9 +456,11 @@ The following security filters are currently implemented: .TP \fBallow-debuggers Allow tools such as strace and gdb inside the sandbox by whitelisting system calls ptrace and process_vm_readv. +#ifdef HAVE_APPARMOR .TP \fBapparmor Enable AppArmor confinement. +#endif .TP \fBcaps Enable default Linux capabilities filter. 
@@ -382,15 +484,17 @@ Sets the NO_NEW_PRIVS prctl. This ensures that child processes cannot acquire new privileges using execve(2); in particular, this means that calling a suid binary (or one with file capabilities) does not result in an increase of privilege. +#ifdef HAVE_USERNS .TP \fBnoroot -Use this command to enable an user namespace. The namespace has only one user, the current user. +Use this command to enable an user namespace. The namespace has only one user, the current user. There is no root account (uid 0) defined in the namespace. +#endif .TP \fBprotocol protocol1,protocol2,protocol3 -Enable protocol filter. The filter is based on seccomp and checks the +Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call. Recognized values: \fBunix\fR, -\fBinet\fR, \fBinet6\fR, \fBnetlink\fR and \fBpacket\fR. +\fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR. .TP \fBseccomp Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details. @@ -420,8 +524,11 @@ Enable seccomp filter and whitelist the system calls in the list. \fBseccomp.32.keep syscall,syscall,syscall Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system. .TP -\fBseccomp-error-action kill | ERRNO -Return a different error instead of EPERM to the process or kill it when an attempt is made to call a blocked system call. +\fBseccomp-error-action kill | log | ERRNO +Return a different error instead of EPERM to the process, kill it when +an attempt is made to call a blocked system call, or allow but log the +attempt. +#ifdef HAVE_X11 .TP \fBx11 Enable X11 sandboxing. @@ -455,7 +562,8 @@ Example: xephyr-screen 640x480 .br x11 xephyr - +#endif +#ifdef HAVE_DBUSPROXY .SH DBus filtering Access to the session and system DBus UNIX sockets can be allowed, filtered or 
@@ -491,6 +599,15 @@ Allow the application to own the name org.gnome.ghex and all names underneath in \fBdbus-system.talk org.freedesktop.Notifications Allow the application to talk to the name org.freedesktop.Notifications on the system DBus. .TP +\fBdbus-system.see org.freedesktop.Notifications +Allow the application to see but not talk to the name org.freedesktop.Notifications on the system DBus. +.TP +\fBdbus-system.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications +Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. +.TP +\fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications +Allow the application to receive broadcast signals from the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. +.TP \fBdbus-user filter Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands. .TP 
@@ -503,6 +620,15 @@ Allow the application to own the name org.gnome.ghex and all names underneath in \fBdbus-user.talk org.freedesktop.Notifications Allow the application to talk to the name org.freedesktop.Notifications on the session DBus. .TP +\fBdbus-user.see org.freedesktop.Notifications +Allow the application to see but not talk to the name org.freedesktop.Notifications on the session DBus. +.TP +\fBdbus-user.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications +Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus. +.TP +\fBdbus-user.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications +Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus. +.TP \fBnodbus \fR(deprecated) Disable D-Bus access (both system and session buses). Equivalent to dbus-system none and dbus-user none. .TP @@ -532,7 +658,7 @@ and the user wants to disable notifications, this can be achieved by putting the ignore dbus-user.talk org.freedesktop.Notifications .br [...] - +#endif .SH Resource limits, CPU affinity, Control Groups These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox. The limits can be modified inside the sandbox using the regular \fBulimit\fR command. \fBcpu\fR command 
@@ -602,9 +728,8 @@ name browser \fBno3d Disable 3D hardware acceleration. .TP -\fBnoautopulse -Disable automatic ~/.config/pulse init, for complex setups such as remote -pulse servers or non-standard socket paths. +\fBnoautopulse \fR(deprecated) +See keep-config-pulse. .TP \fBnodvd Disable DVD and audio CD devices. @@ -612,6 +737,9 @@ Disable DVD and audio CD devices. \fBnogroups Disable supplementary user groups .TP +\fBnoinput +Disable input devices. +.TP \fBnosound Disable sound system. .TP @@ -622,12 +750,16 @@ Disable DVB (Digital Video Broadcasting) TV devices. Disable U2F devices. .TP \fBnovideo -Disable video devices. +Disable video capture devices. +.TP +\fBmachine-id +Spoof id number in /etc/machine-id file - a new random id is generated inside the sandbox. .TP \fBshell none Run the program directly, without a shell. +#ifdef HAVE_NETWORK .SH Networking Networking features available in profile files. @@ -741,8 +873,8 @@ a DHCP client and releasing the lease manually. .TP \fBiprange address,address -Assign an IP address in the provided range to the last network -interface defined by a net command. A default gateway is assigned by default. +Assign an IP address in the provided range to the last network +interface defined by a net command. A default gateway is assigned by default. .br .br @@ -759,10 +891,6 @@ iprange 192.168.1.150,192.168.1.160 \fBmac address Assign MAC addresses to the last network interface defined by a net command. -.TP -\fBmachine-id -Spoof id number in /etc/machine-id file - a new random id is generated inside the sandbox. - .TP \fBmtu number Assign a MTU value to the last network interface defined by a net command. 
@@ -816,11 +944,16 @@ Use this option when you want to assign an IP address in a new namespace and the parent interface specified by --net is not configured. An IP address and a default gateway address also have to be added. +.TP +\fBnetns namespace +Run the program in a named, persistent network namespace. These can +be created and configured using "ip netns". + .TP \fBveth-name name Use this name for the interface connected to the bridge for --net=bridge_interface commands, instead of the default one. - +#endif .SH Other .TP \fBdeterministic-exit-code @@ -832,15 +965,33 @@ Join the sandbox identified by name or start a new one. Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname". .SH FILES -/etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile +.TP +\fB/etc/firejail/appname.profile +Global Firejail configuration consisting mainly of profiles for each application supported by default. + +.TP +\fB$HOME/.config/firejail/appname.profile +User application profiles, will take precedence over the global profiles. + +.TP +\fB/usr/share/doc/firejail/profile.template +Template for building new profiles. + +.TP +\fB/usr/share/doc/firejail/redirect_alias-profile.template +Template for aliasing/redirecting profiles. .SH LICENSE Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. .PP Homepage: https://firejail.wordpress.com .SH SEE ALSO -\&\flfirejail\fR\|(1), -\&\flfiremon\fR\|(1), -\&\flfirecfg\fR\|(1), -\&\flfirejail-login\fR\|(5) -\&\flfirejail-users\fR\|(5) +.BR firejail (1), +.BR firemon (1), +.BR firecfg (1), +.BR firejail-login (5), +.BR firejail-users (5), +.BR jailcheck (1) + +.UR https://github.com/netblue30/firejail/wiki/Creating-Profiles +.UE 
diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.txt index 88b4041b0c7..e3cce7ed50e 100644 --- a/src/man/firejail-users.txt +++ b/src/man/firejail-users.txt @@ -38,7 +38,7 @@ See \fBman 1 firecfg\fR for details. An alternative way of restricting user access to firejail executable is to create a special firejail user group and allow only users in this group to run the sandbox: - # addgroup firejail + # addgroup --system firejail .br # chown root:firejail /usr/bin/firejail .br @@ -54,8 +54,9 @@ as published by the Free Software Foundation; either version 2 of the License, o .PP Homepage: https://firejail.wordpress.com .SH SEE ALSO -\&\flfirejail\fR\|(1), -\&\flfiremon\fR\|(1), -\&\flfirecfg\fR\|(1), -\&\flfirejail-profile\fR\|(5) -\&\flfirejail-login\fR\|(5) +.BR firejail (1), +.BR firemon (1), +.BR firecfg (1), +.BR firejail-profile (5), +.BR firejail-login (5), +.BR jailcheck (1) diff --git a/src/man/firejail.txt b/src/man/firejail.txt index fae97ceb751..2883ab25767 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -14,18 +14,22 @@ Start an AppImage program: firejail [OPTIONS] --appimage [appimage-file and arguments] .RE .PP +#ifdef HAVE_FILE_TRANSFER File transfer from an existing sandbox .PP .RS -firejail {\-\-ls | \-\-get | \-\-put} dir_or_filename +firejail {\-\-ls | \-\-get | \-\-put | \-\-cat} dir_or_filename .RE .PP +#endif +#ifdef HAVE_NETWORK Network traffic shaping for an existing sandbox: .PP .RS firejail \-\-bandwidth={name|pid} bandwidth-command .RE .PP +#endif Monitoring: .PP .RS 
@@ -38,6 +42,15 @@ Miscellaneous: firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-debug-syscalls32 | \-\-debug-protocols | \-\-help | \-\-version} .RE .SH DESCRIPTION +#ifdef HAVE_LTS +This is Firejail long-term support (LTS), an enterprise focused version of the software, +LTS is usually supported for two or three years. +During this time only bugs and the occasional documentation problems are fixed. +The attack surface of the SUID executable was greatly reduced by removing some of the features. +.br + +.br +#endif Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. 
@@ -66,15 +79,16 @@ command line options. The default Firejail filesystem is based on the host files system directories mounted read-only. These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64. Only /home and /tmp are writable. .PP -As it starts up, Firejail tries to find a security profile based on the name of the application. +Upon execution Firejail first looks in ~/.config/firejail/ for a profile and if it doesn't find one, it looks in /etc/firejail/. +For profile resolution detail see https://github.com/netblue30/firejail/wiki/Creating-Profiles#locations-and-types. If an appropriate profile is not found, Firejail will use a default profile. The default profile is quite restrictive. In case the application doesn't work, use --noprofile option to disable it. For more information, please see \fBSECURITY PROFILES\fR section below. .PP -If a program argument is not specified, Firejail starts /bin/bash shell. +If a program argument is not specified, Firejail starts the user's preferred shell. Examples: .PP -$ firejail [OPTIONS] # starting a /bin/bash shell +$ firejail [OPTIONS] # starting the program specified in $SHELL, usually /bin/bash .PP $ firejail [OPTIONS] firefox # starting Mozilla Firefox .PP @@ -95,7 +109,7 @@ ptrace system call allows a full bypass of the seccomp filter. .br Example: .br -$ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox +$ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox .TP \fB\-\-allusers All directories under /home are visible inside the sandbox. By default, only current user home directory is visible. @@ -105,6 +119,7 @@ All directories under /home are visible inside the sandbox. By default, only cur Example: .br $ firejail --allusers +#ifdef HAVE_APPARMOR .TP \fB\-\-apparmor Enable AppArmor confinement. For more information, please see \fBAPPARMOR\fR section below. 
@@ -121,31 +136,29 @@ $ firejail \-\-apparmor.print=browser 5074:netblue:/usr/bin/firejail /usr/bin/firefox-esr .br AppArmor: firejail-default enforce - +#endif .TP \fB\-\-appimage Sandbox an AppImage (https://appimage.org/) application. If the sandbox is started as a regular user, nonewprivs and a default capabilities filter are enabled. +private-bin and private-lib are disabled by default when running appimages. .br .br Example: .br -$ firejail --appimage krita-3.0-x86_64.appimage +$ firejail --appimage --profile=krita krita-3.0-x86_64.appimage .br -$ firejail --appimage --private krita-3.0-x86_64.appimage +$ firejail --appimage --private --profile=krita krita-3.0-x86_64.appimage .br -$ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage - -.TP -\fB\-\-audit -Audit the sandbox, see \fBAUDIT\fR section for more details. -.TP -\fB\-\-audit=test-program -Audit the sandbox, see \fBAUDIT\fR section for more details. +#ifdef HAVE_X11 +$ firejail --appimage --net=none --x11 --profile=krita krita-3.0-x86_64.appimage +#endif .TP +#ifdef HAVE_NETWORK \fB\-\-bandwidth=name|pid Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details. +#endif .TP \fB\-\-bind=filename1,filename2 Mount-bind filename1 on top of filename2. This option is only available when running as root. @@ -271,6 +284,11 @@ $ firejail \-\-list .br $ firejail \-\-caps.print=3272 +#ifdef HAVE_FILE_TRANSFER +.TP +\fB\-\-cat=name|pid filename +Print content of file from sandbox container, see FILE TRANSFER section for more details. +#endif .TP \fB\-\-cgroup=tasks-file Place the sandbox in the specified control group. tasks-file is the full path of cgroup tasks file. 
@@ -280,7 +298,7 @@ Place the sandbox in the specified control group. tasks-file is the full path of Example: .br # firejail \-\-cgroup=/sys/fs/cgroup/g1/tasks - +#ifdef HAVE_CHROOT .TP \fB\-\-chroot=dirname Chroot the sandbox into a root filesystem. Unlike the regular filesystem container, @@ -292,7 +310,7 @@ regular user, nonewprivs and a default capabilities filter are enabled. Example: .br $ firejail \-\-chroot=/media/ubuntu warzone2100 - +#endif .TP \fB\-\-cpu=cpu-number,cpu-number,cpu-number Set CPU affinity. @@ -324,10 +342,28 @@ $ firejail \-\-list 3272:netblue::firejail \-\-private firefox .br $ firejail \-\-cpu.print=3272 +#ifdef HAVE_DBUSPROXY +.TP +\fB\-\-dbus-log=file +Specify the location for the DBus log file. +.br + +.br +The log file contains events for both the system and session buses if both of +the --dbus-system.log and --dbus-user.log options are specified. If no log file +path is given, logs are written to the standard output instead. +.br + +.br +Example: +.br +$ firejail --dbus-system=filter --dbus-system.log \\ +.br +--dbus-log=dbus.txt .TP \fB\-\-dbus-system=filter|none -Set system DBus sandboxing policy. +Set system DBus sandboxing policy. .br .br 
@@ -352,6 +388,60 @@ Example: .br $ firejail \-\-dbus-system=none +.TP +\fB\-\-dbus-system.broadcast=name=[member][@path] +Allows the application to receive broadcast signals from theindicated interface +member at the indicated object path exposed by the indicated bus name on the +system DBus. +The name may have a .* suffix to match all names underneath it, including +itself. +The interface member may have a .* to match all members of an interface, or be * to match all interfaces. +The path may have a /* suffix to indicate all objects underneath it, including +itself. +Omitting the interface member or the object path will match all members and +object paths, respectively. +.br + +.br +Example: +.br +$ firejail --dbus-system=filter --dbus-system.broadcast=\\ +.br +org.freedesktop.Notifications=\\ +.br +org.freedesktop.Notifications.*@/org/freedesktop/Notifications + +.TP +\fB\-\-dbus-system.call=name=[member][@path] +Allows the application to call the indicated interface member at the indicated +object path exposed by the indicated bus name on the system DBus. +The name may have a .* suffix to match all names underneath it, including +itself. +The interface member may have a .* to match all members of an interface, or be * to match all interfaces. +The path may have a /* suffix to indicate all objects underneath it, including +itself. +Omitting the interface member or the object path will match all members and +object paths, respectively. +.br + +.br +Example: +.br +$ firejail --dbus-system=filter --dbus-system.call=\\ +.br +org.freedesktop.Notifications=\\ +.br +org.freedesktop.Notifications.*@/org/freedesktop/Notifications + +.TP +\fB\-\-dbus-system.log +Turn on DBus logging for the system DBus. This option requires --dbus-system=filter. + +.br +Example: +.br +$ firejail --dbus-system=filter --dbus-system.log + .TP \fB\-\-dbus-system.own=name Allows the application to own the specified well-known name on the system DBus. 
@@ -363,7 +453,25 @@ not "foobar"). .br Example: .br -$ firejail --dbus-system=filter --dbus-system.own=org.gnome.ghex.* +$ firejail --dbus-system=filter --dbus-system.own=\\ +.br +org.gnome.ghex.* + +.TP +\fB\-\-dbus-system.see=name +Allows the application to see, but not talk to the specified well-known name on +the system DBus. +The name may have a .* suffix to match all names underneath it, including itself +(e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but +not "foobar"). +.br + +.br +Example: +.br +$ firejail --dbus-system=filter --dbus-system.see=\\ +.br +org.freedesktop.Notifications .TP \fB\-\-dbus-system.talk=name @@ -376,7 +484,9 @@ not "foobar"). .br Example: .br -$ firejail --dbus-system=filter --dbus-system.talk=org.freedesktop.Notifications +$ firejail --dbus-system=filter --dbus-system.talk=\\ +.br +org.freedesktop.Notifications .TP \fB\-\-dbus-user=filter|none 
@@ -405,6 +515,60 @@ Example: .br $ firejail \-\-dbus-user=none +.TP +\fB\-\-dbus-user.broadcast=name=[member][@path] +Allows the application to receive broadcast signals from theindicated interface +member at the indicated object path exposed by the indicated bus name on the +session DBus. +The name may have a .* suffix to match all names underneath it, including +itself. +The interface member may have a .* to match all members of an interface, or be * to match all interfaces. +The path may have a /* suffix to indicate all objects underneath it, including +itself. +Omitting the interface member or the object path will match all members and +object paths, respectively. +.br + +.br +Example: +.br +$ firejail --dbus-user=filter --dbus-user.broadcast=\\ +.br +org.freedesktop.Notifications=\\ +.br +org.freedesktop.Notifications.*@/org/freedesktop/Notifications + +.TP +\fB\-\-dbus-user.call=name=[member][@path] +Allows the application to call the indicated interface member at the indicated +object path exposed by the indicated bus name on the session DBus. +The name may have a .* suffix to match all names underneath it, including +itself. +The interface member may have a .* to match all members of an interface, or be * to match all interfaces. +The path may have a /* suffix to indicate all objects underneath it, including +itself. +Omitting the interface member or the object path will match all members and +object paths, respectively. +.br + +.br +Example: +.br +$ firejail --dbus-user=filter --dbus-user.call=\\ +.br +org.freedesktop.Notifications=\\ +.br +org.freedesktop.Notifications.*@/org/freedesktop/Notifications + +.TP +\fB\-\-dbus-user.log +Turn on DBus logging for the session DBus. This option requires --dbus-user=filter. + +.br +Example: +.br +$ firejail --dbus-user=filter --dbus-user.log + .TP \fB\-\-dbus-user.own=name Allows the application to own the specified well-known name on the session DBus. 
@@ -429,8 +593,26 @@ not "foobar"). .br Example: .br -$ firejail --dbus-user=filter --dbus-user.talk=org.freedesktop.Notifications +$ firejail --dbus-user=filter --dbus-user.talk=\\ +.br +org.freedesktop.Notifications +.TP +\fB\-\-dbus-user.see=name +Allows the application to see, but not talk to the specified well-known name on +the session DBus. +The name may have a .* suffix to match all names underneath it, including itself +(e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but +not "foobar"). +.br + +.br +Example: +.br +$ firejail --dbus-user=filter --dbus-user.see=\\ +.br +org.freedesktop.Notifications +#endif .TP \fB\-\-debug\fR Print debug messages. @@ -504,7 +686,7 @@ Debug whitelisting. Example: .br $ firejail \-\-debug-whitelists firefox - +#ifdef HAVE_NETWORK .TP \fB\-\-defaultgw=address Use this address as default gateway in the new network namespace. @@ -514,7 +696,11 @@ Use this address as default gateway in the new network namespace. Example: .br $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox - +#endif +.TP +\fB\-\-deterministic-exit-code +Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. +.br .TP \fB\-\-disable-mnt Blacklist /mnt, /media, /run/mount and /run/media access. @@ -525,10 +711,6 @@ Example: .br $ firejail \-\-disable-mnt firefox -.TP -\fB\-\-deterministic-exit-code -Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. - .TP \fB\-\-dns=address Set a DNS server for the sandbox. Up to three DNS servers can be defined. 
@@ -597,10 +779,11 @@ $ firejail \-\-list .br $ firejail \-\-fs.print=3272 +#ifdef HAVE_FILE_TRANSFER .TP \fB\-\-get=name|pid filename Get a file from sandbox container, see \fBFILE TRANSFER\fR section for more details. - +#endif .TP \fB\-?\fR, \fB\-\-help\fR Print options end exit. @@ -635,8 +818,22 @@ Ignore command in profile file. Example: .br $ firejail \-\-ignore=shell --ignore=seccomp firefox +#ifdef HAVE_NETWORK .br $ firejail \-\-ignore="net eth0" firefox +#endif + +.TP +\fB\-\-\include=file.profile +Include a profile file before the regular profiles are used. +.br + +.br +Example: +.br +$ firejail --include=/etc/firejail/disable-devel.inc gedit + +#ifdef HAVE_NETWORK .TP \fB\-\-interface=interface Move interface in a new network namespace. Up to four --interface options can be specified. @@ -750,7 +947,7 @@ $ firejail \-\-net=eth0 \-\-\iprange=192.168.1.100,192.168.1.150 .TP \fB\-\-ipc-namespace -Enable a new IPC namespace if the sandbox was started as a regular user. IPC namespace is enabled by default +Enable a new IPC namespace if the sandbox was started as a regular user. IPC namespace is enabled by default for sandboxes started as root. .br @@ -758,6 +955,7 @@ for sandboxes started as root. Example: .br $ firejail \-\-ipc-namespace firefox +#endif .TP \fB\-\-join=name|pid Join the sandbox identified by name or by PID. By default a /bin/bash shell is started after joining the sandbox. @@ -789,7 +987,7 @@ $ firejail \-\-join=3272 Join the mount namespace of the sandbox identified by name or PID. By default a /bin/bash shell is started after joining the sandbox. If a program is specified, the program is run in the sandbox. This command is available only to root user. Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox. - +#ifdef HAVE_NETWORK .TP \fB\-\-join-network=name|pid Join the network namespace of the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox. 
@@ -816,7 +1014,7 @@ $ sudo firejail --join-network=browser /sbin/iptables -vL .br .br -# verify IP addresses +# verify IP addresses .br $ sudo firejail --join-network=browser ip addr .br @@ -845,7 +1043,7 @@ Switching to pid 1932, the first child process inside the sandbox inet6 fe80::7458:14ff:fe42:78e4/64 scope link .br valid_lft forever preferred_lft forever - +#endif .TP \fB\-\-join-or-start=name Join the sandbox identified by name or start a new one. @@ -853,6 +1051,17 @@ Same as "firejail --join=name" if sandbox with specified name exists, otherwise .br Note that in contrary to other join options there is respective profile option. +.TP +\fB\-\-keep-config-pulse +Disable automatic ~/.config/pulse init, for complex setups such as remote +pulse servers or non-standard socket paths. +.br + +.br +Example: +.br +$ firejail \-\-keep-config-pulse firefox + .TP \fB\-\-keep-dev-shm /dev/shm directory is untouched (even with --private-dev) @@ -884,15 +1093,21 @@ Example: $ firejail \-\-list .br 7015:netblue:browser:firejail firefox +#ifdef HAVE_NETWORK .br 7056:netblue:torrent:firejail \-\-net=eth0 transmission-gtk +#endif +#ifdef HAVE_USERNS .br 7064:netblue::firejail \-\-noroot xterm .br +#endif +#ifdef HAVE_FILE_TRANSFER .TP \fB\-\-ls=name|pid dir_or_filename List files in sandbox container, see \fBFILE TRANSFER\fR section for more details. - +#endif +#ifdef HAVE_NETWORK .TP \fB\-\-mac=address Assign MAC addresses to the last network interface defined by a \-\-net option. This option @@ -903,7 +1118,7 @@ is not supported for wireless interfaces. Example: .br $ firejail \-\-net=eth0 \-\-mac=00:11:22:33:44:55 firefox - +#endif .TP \fB\-\-machine-id Spoof id number in /etc/machine-id file - a new random id is generated inside the sandbox. 
@@ -915,6 +1130,26 @@ Example: .br $ firejail \-\-machine-id +.TP +\fB\-\-mkdir=dirname +Create a directory in user home. Parent directories are created as needed. +.br + +.br +Example: +.br +$ firejail --mkdir=~/work/project + +.TP +\fB\-\-mkfile=filename +Create an empty file in user home. +.br + +.br +Example: +.br +$ firejail --mkfile=~/work/project/readme + .TP \fB\-\-memory-deny-write-execute Install a seccomp filter to block attempts to create memory mappings @@ -922,14 +1157,14 @@ that are both writable and executable, to change mappings to be executable, or to create executable shared memory. The filter examines the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create and shmat system calls and returns error EPERM to the process (or -kills it, see \-\-seccomp-error-action below) if necessary. +kills it or log the attempt, see \-\-seccomp-error-action below) if necessary. .br .br Note: shmat is not implemented as a system call on some platforms including i386, and it cannot be handled by seccomp-bpf. - +#ifdef HAVE_NETWORK .TP \fB\-\-mtu=number Assign a MTU value to the last network interface defined by a \-\-net option. @@ -939,7 +1174,7 @@ Assign a MTU value to the last network interface defined by a \-\-net option. Example: .br $ firejail \-\-net=eth0 \-\-mtu=1492 - +#endif .TP \fB\-\-name=name Set sandbox name. Several options, such as \-\-join and \-\-shutdown, can use @@ -964,7 +1199,7 @@ $ firejail --list .br 1312:netblue:browser-1312:firejail --name=browser --private firefox --no-remote .br - +#ifdef HAVE_NETWORK .TP \fB\-\-net=bridge_interface Enable a new network namespace and connect it to this bridge interface. @@ -1005,7 +1240,7 @@ Example: $ firejail \-\-net=eth0 \-\-ip=192.168.1.80 \-\-dns=8.8.8.8 firefox .br $ firejail \-\-net=wlan0 firefox - +#endif .TP \fB\-\-net=none Enable a new, unconnected network namespace. The only interface 
@@ -1023,7 +1258,7 @@ $ firejail \-\-net=none vlc .br Note: \-\-net=none can crash the application on some platforms. In these cases, it can be replaced with \-\-protocol=unix. - +#ifdef HAVE_NETWORK .TP \fB\-\-net=tap_interface Enable a new network namespace and connect it @@ -1128,7 +1363,7 @@ $ firejail --netfilter=/etc/firejail/webserver.net --net=eth0 \\ .br .br -.B nolocal.net +.B nolocal.net/nolocal6.net is a desktop client firewall that disable access to local network. Example: .br @@ -1137,9 +1372,6 @@ $ firejail --netfilter=/etc/firejail/nolocal.net \\ .br --net=eth0 firefox - - - .TP \fB\-\-netfilter=filename,arg1,arg2,arg3 ... This is the template version of the previous command. $ARG1, $ARG2, $ARG3 ... in the firewall script @@ -1153,8 +1385,6 @@ $ firejail --net=eth0 --ip=192.168.1.105 \\ --netfilter=/etc/firejail/tcpserver.net,5001 server-program .br - - .TP \fB\-\-netfilter.print=name|pid Print the firewall installed in the sandbox specified by name or PID. Example: @@ -1218,7 +1448,7 @@ PID User RX(KB/s) TX(KB/s) Command 1294 netblue 53.355 1.473 firejail \-\-net=eth0 firefox .br 7383 netblue 9.045 0.112 firejail \-\-net=eth0 transmission - +#endif .TP \fB\-\-nice=value Set nice value for all processes running inside the sandbox. @@ -1241,15 +1471,8 @@ Example: $ firejail --no3d firefox .TP -\fB\-\-noautopulse -Disable automatic ~/.config/pulse init, for complex setups such as remote -pulse servers or non-standard socket paths. -.br - -.br -Example: -.br -$ firejail \-\-noautopulse firefox +\fB\-\-noautopulse \fR(deprecated) +See --keep-config-pulse. .TP \fB\-\-noblacklist=dirname_or_filename @@ -1277,6 +1500,7 @@ $ nc dict.org 2628 .br .TP \fB\-\-nodbus \fR(deprecated) +#ifdef HAVE_DBUSPROXY Disable D-Bus access (both system and session buses). Equivalent to --dbus-system=none --dbus-user=none. .br 
@@ -1284,6 +1508,7 @@ Disable D-Bus access (both system and session buses). Equivalent to --dbus-syste Example: .br $ firejail \-\-nodbus \-\-net=none +#endif .TP \fB\-\-nodvd Disable DVD and audio CD devices. @@ -1294,6 +1519,15 @@ Example: .br $ firejail \-\-nodvd .TP +\fB\-\-noinput +Disable input devices. +.br + +.br +Example: +.br +$ firejail \-\-noinput +.TP \fB\-\-noexec=dirname_or_filename Remount directory or file noexec, nodev and nosuid. File globbing is supported, see \fBFILE GLOBBING\fR section for more details. .br @@ -1372,7 +1606,7 @@ Parent pid 8553, child pid 8554 Child process initialized .br [...] - +#ifdef HAVE_USERNS .TP \fB\-\-noroot Install a user namespace with a single user - the current user. @@ -1396,7 +1630,7 @@ $ ping google.com ping: icmp open socket: Operation not permitted .br $ - +#endif .TP \fB\-\-nosound Disable sound system. @@ -1436,6 +1670,7 @@ Disable video devices. \fB\-\-nowhitelist=dirname_or_filename Disable whitelist for this directory or file. +#ifdef HAVE_OUTPUT .TP \fB\-\-output=logfile stdout logging and log rotation. Copy stdout to logfile, and keep the size of the file under 500KB using log @@ -1466,7 +1701,9 @@ $ ls -l sandboxlog* .TP \fB\-\-output-stderr=logfile Similar to \-\-output, but stderr is also stored. +#endif +#ifdef HAVE_OVERLAYFS .TP \fB\-\-overlay Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container, @@ -1533,7 +1770,7 @@ This option is not available on Grsecurity systems. Example: .br $ firejail \-\-overlay-tmpfs firefox - +#endif .TP \fB\-\-private Mount new /root and /home/user directories in temporary 
@@ -1560,7 +1797,9 @@ $ firejail \-\-private=/home/netblue/firefox-home firefox .TP \fB\-\-private-bin=file,file Build a new /bin in a temporary filesystem, and copy the programs in the list. -If no listed file is found, /bin directory will be empty. +The files in the list must be expressed as relative to the /bin, +/sbin, /usr/bin, /usr/sbin, or /usr/local/bin directories. +If no listed files are found, /bin directory will be empty. The same directory is also bind-mounted over /sbin, /usr/bin, /usr/sbin and /usr/local/bin. All modifications are discarded when the sandbox is closed. File globbing is supported, see \fBFILE GLOBBING\fR section for more details. @@ -1656,6 +1895,8 @@ $ \fB\-\-private-etc=file,directory Build a new /etc in a temporary filesystem, and copy the files and directories in the list. +The files and directories in the list must be expressed as relative to +the /etc directory (e.g., /etc/foo must be expressed as foo). If no listed file is found, /etc directory will be empty. All modifications are discarded when the sandbox is closed. .br @@ -1666,12 +1907,15 @@ Example: $ firejail --private-etc=group,hostname,localtime, \\ .br nsswitch.conf,passwd,resolv.conf - +#ifdef HAVE_PRIVATE_HOME .TP \fB\-\-private-home=file,directory Build a new user home in a temporary filesystem, and copy the files and directories in the list in the -new home. All modifications are discarded when the sandbox is +new home. +The files and directories in the list must be expressed as relative to +the current user's home directory. +All modifications are discarded when the sandbox is closed. .br 
@@ -1679,10 +1923,12 @@ closed. Example: .br $ firejail \-\-private-home=.mozilla firefox - +#endif .TP \fB\-\-private-lib=file,directory This feature is currently under heavy development. Only amd64 platforms are supported at this moment. +The files and directories in the list must be expressed as relative to +the /lib directory. The idea is to build a new /lib in a temporary filesystem, with only the library files necessary to run the application. It could be as simple as: @@ -1734,6 +1980,10 @@ $ \fB\-\-private-opt=file,directory Build a new /opt in a temporary filesystem, and copy the files and directories in the list. +The files and directories in the list must be expressed as relative to +the /opt directory, and must not contain the / character +(e.g., /opt/foo must be expressed as foo, but /opt/foo/bar -- +expressed as foo/bar -- is disallowed). If no listed file is found, /opt directory will be empty. All modifications are discarded when the sandbox is closed. .br @@ -1747,6 +1997,10 @@ $ firejail --private-opt=firefox /opt/firefox/firefox \fB\-\-private-srv=file,directory Build a new /srv in a temporary filesystem, and copy the files and directories in the list. +The files and directories in the list must be expressed as relative to +the /srv directory, and must not contain the / character +(e.g., /srv/foo must be expressed as foo, but /srv/foo/bar -- +expressed as srv/bar -- is disallowed). If no listed file is found, /srv directory will be empty. All modifications are discarded when the sandbox is closed. .br 
@@ -1803,7 +2057,7 @@ $ firejail \-\-profile.print=browser .TP \fB\-\-protocol=protocol,protocol,protocol Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call. -Recognized values: unix, inet, inet6, netlink and packet. This option is not supported for i386 architecture. +Recognized values: unix, inet, inet6, netlink, packet and bluetooth. This option is not supported for i386 architecture. .br .br @@ -1835,9 +2089,11 @@ $ firejail \-\-list $ firejail \-\-protocol.print=3272 .br unix,inet,inet6,netlink +#ifdef HAVE_FILE_TRANSFER .TP \fB\-\-put=name|pid src-filename dest-filename Put a file in sandbox container, see \fBFILE TRANSFER\fR section for more details. +#endif .TP \fB\-\-quiet Turn off Firejail's output. @@ -1873,11 +2129,12 @@ $ firejail --read-only=~/test --read-write=~/test/a .TP \fB\-\-rlimit-as=number Set the maximum size of the process's virtual memory (address space) in bytes. +Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024). .TP \fB\-\-rlimit-cpu=number Set the maximum limit, in seconds, for the amount of CPU time each -sandboxed process can consume. When the limit is reached, the processes are killed. +sandboxed process can consume. When the limit is reached, the processes are killed. The CPU limit is a limit on CPU seconds rather than elapsed time. CPU seconds is basically how many seconds the CPU has been in use and does not necessarily directly relate to the elapsed time. Linux kernel keeps @@ -1886,6 +2143,7 @@ track of CPU seconds for each process independently. .TP \fB\-\-rlimit-fsize=number Set the maximum file size that can be created by a process. +Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024). .TP \fB\-\-rlimit-nofile=number Set the maximum number of files that can be opened by a process. 
@@ -1905,7 +2163,7 @@ Remove environment variable in the new sandbox. Example: .br $ firejail \-\-rmenv=DBUS_SESSION_BUS_ADDRESS - +#ifdef HAVE_NETWORK .TP \fB\-\-scan ARP-scan all the networks from inside a network namespace. @@ -1916,10 +2174,11 @@ This makes it possible to detect macvlan kernel device drivers running on the cu Example: .br $ firejail \-\-net=eth0 \-\-scan +#endif .TP \fB\-\-seccomp Enable seccomp filter and blacklist the syscalls in the default list, -which is @default-nodebuggers unless allow-debuggers is specified, +which is @default-nodebuggers unless \-\-allow-debuggers is specified, then it is @default. .br @@ -1930,18 +2189,13 @@ system call groups are defined: @aio, @basic-io, @chown, @clock, @network-io, @obsolete, @privileged, @process, @raw-io, @reboot, @resources, @setuid, @swap, @sync, @system-service and @timer. More information about groups can be found in /usr/share/doc/firejail/syscalls.txt - -In addition, a system call can be specified by its number instead of -name with prefix $, so for example $165 would be equal to mount on i386. -Exceptions can be allowed with prefix !. +.br .br System architecture is strictly imposed only if flag \-\-seccomp.block-secondary is used. The filter is applied at run time only if the correct architecture was detected. For the case of I386 -and AMD64 both 32-bit and 64-bit filters are installed. On a 64 bit -architecture, an additional filter for 32 bit system calls can be -installed with \-\-seccomp.32. +and AMD64 both 32-bit and 64-bit filters are installed. .br .br 
@@ -1952,11 +2206,18 @@ Firejail will print seccomp violations to the audit log if the kernel was compil Example: .br $ firejail \-\-seccomp +.br + +.br +The default list can be customized, see \-\-seccomp= for a description. It can be customized +also globally in /etc/firejail/firejail.config file. + .TP \fB\-\-seccomp=syscall,@group,!syscall2 -Enable seccomp filter, whitelist "syscall2", but blacklist the default -list and the syscalls or syscall groups specified by the -command. +Enable seccomp filter, blacklist the default list and the syscalls or syscall groups +specified by the command, but don't blacklist "syscall2". On a 64 bit +architecture, an additional filter for 32 bit system calls can be +installed with \-\-seccomp.32. .br .br @@ -1966,18 +2227,26 @@ $ firejail \-\-seccomp=utime,utimensat,utimes firefox .br $ firejail \-\-seccomp=@clock,mkdir,unlinkat transmission-gtk .br +$ firejail '\-\-seccomp=@ipc,!pipe,!pipe2' audacious +.br + +.br +Syscalls can be specified by their number if prefix $ is added, +so for example $165 would be equal to mount on i386. +.br .br Instead of dropping the syscall by returning EPERM, another error number can be returned using \fBsyscall:errno\fR syntax. This can be also changed globally with \-\-seccomp-error-action or in /etc/firejail/firejail.config file. The process can also be killed -by using \fBsyscall:kill\fR syntax. - +by using \fBsyscall:kill\fR syntax, or the attempt may be logged with +\fBsyscall:log\fR. .br .br Example: +.br $ firejail \-\-seccomp=unlinkat:ENOENT,utimensat,utimes .br Parent pid 10662, child pid 10663 @@ -1986,9 +2255,13 @@ Child process initialized .br $ touch testfile .br +$ ls testfile +.br +testfile +.br $ rm testfile .br -rm: cannot remove `testfile': Operation not permitted +rm: cannot remove `testfile': No such file or directory .br .br 
@@ -2001,7 +2274,7 @@ filters. .br Example: .br -$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve bash +$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve sh .br Parent pid 32751, child pid 32752 .br @@ -2013,8 +2286,7 @@ Child process initialized in 46.44 ms .br $ ls .br -Bad system call -.br +Operation not permitted .TP \fB\-\-seccomp.block-secondary @@ -2043,7 +2315,8 @@ Instead of dropping the syscall by returning EPERM, another error number can be returned using \fBsyscall:errno\fR syntax. This can be also changed globally with \-\-seccomp-error-action or in /etc/firejail/firejail.config file. The process can also be killed -by using \fBsyscall:kill\fR syntax. +by using \fBsyscall:kill\fR syntax, or the attempt may be logged with +\fBsyscall:log\fR. .br .br @@ -2057,19 +2330,19 @@ Child process initialized .br $ touch testfile .br +$ ls testfile +.br +testfile +.br $ rm testfile .br -rm: cannot remove `testfile': Operation not permitted +rm: cannot remove `testfile': No such file or directory .br - - - - .TP \fB\-\-seccomp.keep=syscall,@group,!syscall2 Enable seccomp filter, blacklist all syscall not listed and "syscall2". -The system calls needed by Firejail (group @default-keep: prctl, execve) +The system calls needed by Firejail (group @default-keep: prctl, execve, execveat) are handled with the preload library. On a 64 bit architecture, an additional filter for 32 bit system calls can be installed with \-\-seccomp.32.keep. 
@@ -2247,12 +2520,13 @@ $ firejail --seccomp.print=browser $ .TP -\fB\-\-seccomp-error-action= kill | ERRNO +\fB\-\-seccomp-error-action= kill | ERRNO | log By default, if a seccomp filter blocks a system call, the process gets EPERM as the error. With \-\-seccomp-error-action=error, another error number can be returned, for example ENOSYS or EACCES. The process can also be killed (like in versions <0.9.63 of Firejail) by using -\-\-seccomp-error-action=kill syntax. Not killing the process weakens +\-\-seccomp-error-action=kill syntax, or the attempt may be logged +with \-\-seccomp-error-action=log. Not killing the process weakens Firejail slightly when trying to contain intrusion, but it may also allow tighter filters if the only alternative is to allow a system call. @@ -2271,7 +2545,7 @@ $ firejail \-\-shell=none script.sh \fB\-\-shell=program Set default user shell. Use this shell to run the application using \-c shell option. For example "firejail \-\-shell=/bin/dash firefox" will start Mozilla Firefox as "/bin/dash \-c firefox". -By default Bash shell (/bin/bash) is used. +By default the user's preferred shell is used. .br .br @@ -2307,14 +2581,13 @@ Kill the sandbox automatically after the time has elapsed. The time is specified $ firejail \-\-timeout=01:30:00 firefox .TP \fB\-\-tmpfs=dirname -Mount a writable tmpfs filesystem on directory dirname. This option is available only when running the sandbox as root. -File globbing is supported, see \fBFILE GLOBBING\fR section for more details. +Mount a writable tmpfs filesystem on directory dirname. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions. File globbing is supported, see \fBFILE GLOBBING\fR section for more details. .br .br Example: .br -# firejail \-\-tmpfs=/var +$ firejail \-\-tmpfs=~/.local/share .TP \fB\-\-top Monitor the most CPU-intensive sandboxes, see \fBMONITORING\fR section for more details. 
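Review bot: while extending the --seccomp-error-action synopsis to `kill | ERRNO | log`, the sentence right below it still reads "With \-\-seccomp-error-action=error, another error number can be returned", which does not match the synopsis token ERRNO; suggest `\-\-seccomp-error-action=ERRNO` there so the prose and the synopsis use the same placeholder. The new `log` sentence also reads better as a separate sentence, e.g. "The attempt can also be logged with \-\-seccomp-error-action=log.", rather than being chained onto the kill sentence with a comma.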
@@ -2393,11 +2666,14 @@ $ firejail \-\-tree 11904:netblue:iceweasel .br 11957:netblue:/usr/lib/iceweasel/plugin-container +#ifdef HAVE_NETWORK .br 11969:netblue:firejail \-\-net=eth0 transmission-gtk +#endif .br 11970:netblue:transmission-gtk +#ifdef HAVE_FIRETUNNEL .TP \fB\-\-tunnel[=devname] Connect the sandbox to a network overlay/VPN tunnel created by firetunnel utility. This options @@ -2418,6 +2694,7 @@ Example: .br $ firejail --tunnel firefox .br +#endif .TP \fB\-\-version Print program version/compile time support and exit. @@ -2444,6 +2721,7 @@ Compile time support: - user namespace support is enabled - X11 sandboxing support is enabled .br +#ifdef HAVE_NETWORK .TP \fB\-\-veth-name=name Use this name for the interface connected to the bridge for --net=bridge_interface commands, @@ -2454,13 +2732,14 @@ instead of the default one. Example: .br $ firejail \-\-net=br0 --veth-name=if0 - +#endif .TP \fB\-\-whitelist=dirname_or_filename Whitelist directory or file. A temporary file system is mounted on the top directory, and the whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent, -everything else is discarded when the sandbox is closed. The top directory could be -user home, /dev, /etc, /media, /mnt, /opt, /run/user/$UID, /srv, /sys/module, /tmp, /usr/share and /var. +everything else is discarded when the sandbox is closed. The top directory can be +all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and +all directories in /usr. .br .br @@ -2524,7 +2803,7 @@ Example: .br $ sudo firejail --writable-var-log - +#ifdef HAVE_X11 .TP \fB\-\-x11 Sandbox the application using Xpra, Xephyr, Xvfb or Xorg security extension. 
@@ -2586,7 +2865,7 @@ and it is installed by default on most Linux distributions. It provides support connection model. Untrusted clients are restricted in certain ways to prevent them from reading window contents of other clients, stealing input events, etc. -The untrusted mode has several limitations. A lot of regular programs assume they are a trusted X11 clients +The untrusted mode has several limitations. A lot of regular programs assume they are a trusted X11 clients and will crash or lock up when run in untrusted mode. Chromium browser and xterm are two examples. Firefox and transmission-gtk seem to be working fine. A network namespace is not required for this option. @@ -2685,7 +2964,8 @@ Example: .br $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 firefox .br - +#endif +#ifdef HAVE_APPARMOR .SH APPARMOR .TP AppArmor support is disabled by default at compile time. Use --enable-apparmor configuration option to enable it: @@ -2728,26 +3008,7 @@ To enable AppArmor confinement on top of your current Firejail security features .br $ firejail --apparmor firefox - -.SH AUDIT -Audit feature allows the user to point out gaps in security profiles. The -implementation replaces the program to be sandboxed with a test program. By -default, we use faudit program distributed with Firejail. A custom test program -can also be supplied by the user. Examples: - -Running the default audit program: -.br - $ firejail --audit transmission-gtk - -Running a custom audit program: -.br - $ firejail --audit=~/sandbox-test transmission-gtk - -In the examples above, the sandbox configures transmission-gtk profile and -starts the test program. The real program, transmission-gtk, will not be -started. - -Limitations: audit feature is not implemented for --x11 commands. +#endif .SH DESKTOP INTEGRATION A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. 
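Review bot: the touched line in the --x11=xorg description only drops trailing whitespace but keeps the grammar error "assume they are a trusted X11 clients"; since the line is already being rewritten, drop the article: "assume they are trusted X11 clients".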
@@ -2807,7 +3068,7 @@ We provide a tool that automates all this integration, please see \&\flfirecfg\f .SH EXAMPLES .TP \f\firejail -Sandbox a regular /bin/bash session. +Sandbox a regular shell session. .TP \f\firejail firefox Start Mozilla Firefox. @@ -2820,15 +3081,17 @@ Start Firefox with a new, empty home directory. .TP \f\firejail --net=none vlc Start VLC in an unconnected network namespace. +#ifdef HAVE_NETWORK .TP \f\firejail \-\-net=eth0 firefox Start Firefox in a new network namespace. An IP address is assigned automatically. .TP \f\firejail \-\-net=br0 \-\-ip=10.10.20.5 \-\-net=br1 \-\-net=br2 -Start a /bin/bash session in a new network namespace and connect it +Start a shell session in a new network namespace and connect it to br0, br1, and br2 host bridge devices. IP addresses are assigned automatically for the interfaces connected to br1 and b2 +#endif .TP \f\firejail \-\-list List all sandboxed processes. @@ -2874,10 +3137,17 @@ $ firejail --blacklist=~/dir[1234] $ firejail --read-only=~/dir[1-4] .br +#ifdef HAVE_FILE_TRANSFER .SH FILE TRANSFER These features allow the user to inspect the filesystem container of an existing sandbox and transfer files between the container and the host filesystem. +.TP +\fB\-\-cat=name|pid filename +Write content of a container file to standard out. The container is specified by name or PID. +If standard out is a terminal, all ASCII control characters except new line and horizontal tab +are replaced. + .TP \fB\-\-get=name|pid filename Retrieve the container file and store it on the host in the current working directory. @@ -2922,6 +3192,10 @@ $ firejail \-\-get=mybrowser ~/Downloads/xpra-clipboard.png $ firejail \-\-put=mybrowser xpra-clipboard.png ~/Downloads/xpra-clipboard.png .br +.br +$ firejail \-\-cat=mybrowser ~/.bashrc +.br +#endif .SH MONITORING Option \-\-list prints a list of all sandboxes. The format for each process entry is as follows: 
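Review bot: the new --cat entry says control characters "are replaced" when stdout is a terminal but never says with what, which is the detail a user needs to interpret the output; state the substitute character (or the escaping scheme) explicitly, e.g. "are replaced with a question mark" if that is what the implementation does. It would also help to say why (terminal escape sequences from an untrusted sandbox file should not be interpreted by the host terminal), since that is the security rationale for the behaviour.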
@@ -2938,7 +3212,6 @@ sandboxes. Option \-\-netstats prints network statistics for active sandboxes installing new network namespaces. - Listed below are the available fields (columns) in alphabetical order for \-\-top and \-\-netstats options: @@ -2983,7 +3256,7 @@ The owner of the sandbox. .SH RESTRICTED SHELL To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in /etc/passwd file for each user that needs to be restricted. Alternatively, -you can specify /usr/bin/firejail in adduser command: +you can specify /usr/bin/firejail in adduser command: adduser \-\-shell /usr/bin/firejail username @@ -2993,7 +3266,7 @@ Additional arguments passed to firejail executable upon login are declared in /e Several command line options can be passed to the program using profile files. Firejail chooses the profile file as follows: -1. If a profile file is provided by the user with --profile=FILE option, the profile FILE is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. If there is a file with the same name as the given profile name, it will be used instead of doing the profile search. To force a profile search, prefix the profile name with a colon (:), eg. --profile=:PROFILE_NAME. +1. If a profile file is provided by the user with --profile=FILE option, the profile FILE is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. If there is a file with the same name as the given profile name, it will be used instead of doing the profile search. To force a profile search, prefix the profile name with a colon (:), eg. --profile=:PROFILE_NAME. Example: .PP .RS 
@@ -3056,7 +3329,7 @@ Child process initialized .RE See \fBman 5 firejail-profile\fR for profile file syntax information. - +#ifdef HAVE_NETWORK .SH TRAFFIC SHAPING Network bandwidth is an expensive resource shared among all sandboxes running on a system. Traffic shaping allows the user to increase network performance by controlling @@ -3098,14 +3371,20 @@ Example: $ firejail \-\-bandwidth=mybrowser status .br $ firejail \-\-bandwidth=mybrowser clear eth0 - +#endif .SH LICENSE This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. .PP Homepage: https://firejail.wordpress.com .SH SEE ALSO -\&\flfiremon\fR\|(1), -\&\flfirecfg\fR\|(1), -\&\flfirejail-profile\fR\|(5), -\&\flfirejail-login\fR\|(5) -\&\flfirejail-users\fR\|(5) +.BR firemon (1), +.BR firecfg (1), +.BR firejail-profile (5), +.BR firejail-login (5), +.BR firejail-users (5), +.BR jailcheck (1) + +.UR https://github.com/netblue30/firejail/wiki +.UE , +.UR https://github.com/netblue30/firejail +.UE diff --git a/src/man/firemon.txt b/src/man/firemon.txt index 40a00ec3f6b..c4e6e15b3a6 100644 --- a/src/man/firemon.txt +++ b/src/man/firemon.txt @@ -12,9 +12,11 @@ can run this program. .TP \fB\-\-apparmor Print AppArmor confinement status for each sandbox. +#ifdef HAVE_NETWORK .TP \fB\-\-arp Print ARP table for each sandbox. +#endif .TP \fB\-\-caps Print capabilities configuration for each sandbox. 
@@ -39,21 +41,22 @@ List all sandboxes. .TP \fB\-\-name=name Print information only about named sandbox. +#ifdef HAVE_NETWORK .TP \fB\-\-netstats Monitor network statistics for sandboxes creating a new network namespace. -.TP -\fB\-\-nowrap -Enable line wrapping in terminals. By default the lines are trimmed. +#endif +#ifdef HAVE_NETWORK .TP \fB\-\-route Print route table for each sandbox. +#endif .TP \fB\-\-seccomp Print seccomp configuration for each sandbox. .TP \fB\-\-top -Monitor the most CPU-intensive sandboxes. This command is similar to +Monitor the most CPU-intensive sandboxes. This command is similar to the regular UNIX top command, however it applies only to sandboxes. .TP \fB\-\-tree @@ -61,7 +64,9 @@ Print a tree of all sandboxed processes. .TP \fB\-\-version Print program version and exit. - +.TP +\fB\-\-wrap +Enable line wrapping in terminals. By default the lines are trimmed. .TP \fB\-\-x11 Print X11 display number. @@ -110,8 +115,9 @@ This program is free software; you can redistribute it and/or modify it under th .PP Homepage: https://firejail.wordpress.com .SH SEE ALSO -\&\flfirejail\fR\|(1), -\&\flfirecfg\fR\|(1), -\&\flfirejail-profile\fR\|(5), -\&\flfirejail-login\fR\|(5) -\&\flfirejail-users\fR\|(5) +.BR firejail (1), +.BR firecfg (1), +.BR firejail-profile (5), +.BR firejail-login (5), +.BR firejail-users (5), +.BR jailcheck (1) diff --git a/src/man/jailcheck.txt b/src/man/jailcheck.txt new file mode 100644 index 00000000000..483f47fb993 --- /dev/null +++ b/src/man/jailcheck.txt 
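Review bot: two things in the firemon.txt hunk. First, the two back-to-back `#ifdef HAVE_NETWORK` / `#endif` blocks around --netstats and --route can be a single block (there is no unconditional text between them), which keeps the man page source easier to maintain. Second, `--nowrap` is removed and `--wrap` added with the identical description "Enable line wrapping in terminals. By default the lines are trimmed."; if the binary no longer accepts `--nowrap`, that is a user-visible CLI change and should be called out in the release notes (or `--nowrap` kept as a deprecated alias), and the old description was self-contradictory, so the rename itself looks correct.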
@@ -0,0 +1,117 @@ +.TH JAILCHECK 1 "MONTH YEAR" "VERSION" "JAILCHECK man page" +.SH NAME +jailcheck \- Simple utility program to test running sandboxes +.SH SYNOPSIS +sudo jailcheck [OPTIONS] [directory] +.SH DESCRIPTION +jailcheck attaches itself to all sandboxes started by the user and performs some basic tests +on the sandbox filesystem: +.TP +\fB1. Virtual directories +jailcheck extracts a list with the main virtual directories installed by the sandbox. +These directories are build by firejail at startup using --private* and --whitelist commands. +.TP +\fB2. Noexec test +jailcheck inserts executable programs in /home/username, /tmp, and /var/tmp directories +and tries to run them from inside the sandbox, thus testing if the directory is executable or not. +.TP +\fB3. Read access test +jailcheck creates test files in the directories specified by the user and tries to read +them from inside the sandbox. +.TP +\fB4. AppArmor test +.TP +\fB5. Seccomp test +.TP +\fB6. Networking test +.TP +The program is started as root using sudo. + +.SH OPTIONS +.TP +\fB\-\-debug +Print debug messages. +.TP +\fB\-?\fR, \fB\-\-help\fR +Print options and exit. +.TP +\fB\-\-version +Print program version and exit. +.TP +\fB[directory] +One or more directories in user home to test for read access. ~/.ssh and ~/.gnupg are tested by default. + +.SH OUTPUT +For each sandbox detected we print the following line: + + PID:USER:Sandbox Name:Command + +It is followed by relevant sandbox information, such as the virtual directories and various warnings. 
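Review bot: in the new jailcheck.txt, items 4 (AppArmor test), 5 (Seccomp test) and 6 (Networking test) are listed as tests but have no description, unlike items 1 to 3; each should get at least one sentence saying what is checked and what the output line (e.g. "Warning: AppArmor not enabled", "Networking: enabled") means. Also fix "These directories are build by firejail" to "are built by firejail", and the DESCRIPTION opening "jailcheck attaches itself to all sandboxes started by the user" conflicts slightly with "The program is started as root using sudo" two paragraphs later; consider "all sandboxes of the invoking user" to make clear whose sandboxes are inspected when run under sudo.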
+ +.SH EXAMPLE + +$ sudo jailcheck +.br +2014:netblue::firejail /usr/bin/gimp +.br + Virtual dirs: /tmp, /var/tmp, /dev, /usr/share, +.br + Warning: I can run programs in /home/netblue +.br + Networking: disabled +.br + +.br +2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net +.br + Virtual dirs: /var/tmp, /dev, /usr/share, /run/user/1000, +.br + Warning: I can read ~/.ssh +.br + Networking: enabled +.br + +.br +2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.appimage +.br + Virtual dirs: /tmp, /var/tmp, /dev, +.br + Networking: enabled +.br + +.br +26090:netblue::/usr/bin/firejail /opt/firefox/firefox +.br + Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /usr/share, +.br + /run/user/1000, +.br + Networking: enabled +.br + +.br +26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor +.br + Warning: AppArmor not enabled +.br + Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /bin, +.br + /usr/share, /run/user/1000, +.br + Warning: I can run programs in /home/netblue +.br + Networking: enabled +.br + + +.SH LICENSE +This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. +.PP +Homepage: https://firejail.wordpress.com +.SH SEE ALSO +.BR firejail (1), +.BR firemon (1), +.BR firecfg (1), +.BR firejail-profile (5), +.BR firejail-login (5), +.BR firejail-users (5), diff --git a/src/man/preproc.awk b/src/man/preproc.awk new file mode 100755 index 00000000000..1ce5c82dee7 --- /dev/null +++ b/src/man/preproc.awk 
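Review bot: the SEE ALSO list in jailcheck.txt ends with a trailing comma on the last entry, `.BR firejail-users (5),`, which renders as a dangling comma; drop it, matching the firejail.txt and firemon.txt lists in this same patch where the final `.BR jailcheck (1)` has none.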
@@ -0,0 +1,55 @@ +#!/usr/bin/gawk -E + +# Copyright (c) 2019-2021 rusty-snake +# +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to deal +# in the Software without restriction, including without limitation the rights +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in all +# copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +# SOFTWARE. + +BEGIN { + macros[0] = 0 + for (arg in ARGV) { + if (ARGV[arg] ~ /^-D[A-Z0-9_]+$/) { + macros[length(macros) + 1] = substr(ARGV[arg], 3) + } + ARGV[arg] = "" + } + + include = 1 +} +/^#ifdef [A-Z0-9_]+$/ { + macro = substr($0, 8) + for (i in macros) { + if (macros[i] == macro) { + include = 1 + next + } + } + include = 0 +} +/^#if 0$/ { + include = 0 + next +} +/^#endif$/ { + include = 1 + next +} +{ + if (include) + print +} diff --git a/src/profstats/Makefile.in b/src/profstats/Makefile.in index 4ada23c233d..e025f5939bb 100644 --- a/src/profstats/Makefile.in +++ b/src/profstats/Makefile.in 
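Review bot: preproc.awk has two silent failure modes worth either documenting in a header comment or detecting. `#ifdef` / `#endif` do not nest: the `/^#endif$/` rule unconditionally sets `include = 1`, so an inner `#endif` would re-enable output for the rest of an outer block whose macro is undefined. And a misspelled macro name in a man page `#ifdef` (or a `#ifdef` line with trailing whitespace, which the anchored `/^#ifdef [A-Z0-9_]+$/` regex will not match) simply drops or keeps text with no diagnostic; since the build passes only `-D` names that match `/^-D[A-Z0-9_]+$/`, a one-line `print "preproc: unknown macro " macro > "/dev/stderr"` in the fall-through path, or at least a comment stating that nesting is unsupported, would make mistakes visible. Minor: `macros[0] = 0` is only there so `length(macros)` starts at 1; a counter variable would make the intent clearer.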
@@ -1,14 +1,17 @@ -all: ../../etc/profstats +.PHONY: all +all: profstats include ../common.mk %.o : %.c $(H_FILE_LIST) $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ -../../etc/profstats: $(OBJS) +profstats: $(OBJS) $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) -clean:; rm -fr *.o ../../etc/profstats *.gcov *.gcda *.gcno *.plist +.PHONY: clean +clean:; rm -fr *.o profstats *.gcov *.gcda *.gcno *.plist +.PHONY: distclean distclean: clean rm -fr Makefile diff --git a/src/profstats/main.c b/src/profstats/main.c index a75ad8e29e3..10e44bd6592 100644 --- a/src/profstats/main.c +++ b/src/profstats/main.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -28,6 +28,10 @@ static int cnt_profiles = 0; static int cnt_apparmor = 0; static int cnt_seccomp = 0; static int cnt_caps = 0; +static int cnt_dbus_system_none = 0; +static int cnt_dbus_user_none = 0; +static int cnt_dbus_system_filter = 0; +static int cnt_dbus_user_filter = 0; static int cnt_dotlocal = 0; static int cnt_globalsdotlocal = 0; static int cnt_netnone = 0; @@ -41,6 +45,8 @@ static int cnt_whitelistrunuser = 0; // include whitelist-runuser-common.inc static int cnt_whitelistusrshare = 0; // include whitelist-usr-share-common.inc static int cnt_ssh = 0; static int cnt_mdwx = 0; +static int cnt_whitelisthome = 0; +static int cnt_noroot = 0; static int level = 0; static int arg_debug = 0; @@ -57,6 +63,11 @@ static int arg_whitelistrunuser = 0; static int arg_whitelistusrshare = 0; static int arg_ssh = 0; static int arg_mdwx = 0; +static int arg_dbus_system_none = 0; +static int arg_dbus_user_none = 0; +static int arg_whitelisthome = 0; +static int arg_noroot = 0; + static char *profile = NULL; 
@@ -67,14 +78,18 @@ static void usage(void) { printf("Options:\n"); printf(" --apparmor - print profiles without apparmor\n"); printf(" --caps - print profiles without caps\n"); + printf(" --dbus-system-none - profiles without \"dbus-system none\"\n"); + printf(" --dbus-user-none - profiles without \"dbus-user none\"\n"); printf(" --ssh - print profiles without \"include disable-common.inc\"\n"); printf(" --noexec - print profiles without \"include disable-exec.inc\"\n"); + printf(" --noroot - print profiles without \"noroot\"\n"); printf(" --private-bin - print profiles without private-bin\n"); printf(" --private-dev - print profiles without private-dev\n"); printf(" --private-etc - print profiles without private-etc\n"); printf(" --private-tmp - print profiles without private-tmp\n"); printf(" --seccomp - print profiles without seccomp\n"); printf(" --memory-deny-write-execute - profile without \"memory-deny-write-execute\"\n"); + printf(" --whitelist-home - print profiles whitelisting home directory\n"); printf(" --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n"); printf(" --whitelist-runuser - print profiles without \"include whitelist-runuser-common.inc\" or \"blacklist ${RUNUSER}\"\n"); printf(" --whitelist-usrshare - print profiles without \"include whitelist-usr-share-common.inc\"\n"); @@ -97,6 +112,7 @@ void process_file(const char *fname) { return; } + int have_include_local = 0; char buf[MAXBUF]; while (fgets(buf, MAXBUF, fp)) { char *ptr = strchr(buf, '\n'); 
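Review bot: the usage text for the new `--whitelist-home` option is inverted relative to what the option does. It says "print profiles whitelisting home directory", but later in this patch the check is `if (arg_whitelisthome && whitelisthome == cnt_whitelisthome) printf("Home directory not whitelisted in %s\n", ...)`, i.e. it prints the profiles that do not include whitelist-common.inc, like every other `--xxx` flag here. Suggest `--whitelist-home - print profiles without \"include whitelist-common.inc\"` for consistency with the `--whitelist-var` line below it. Also, the two new `--dbus-*-none` lines say "profiles without" where the surrounding lines say "print profiles without"; align the wording.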
@@ -115,11 +131,15 @@ void process_file(const char *fname) { cnt_caps++; else if (strncmp(ptr, "include disable-exec.inc", 24) == 0) cnt_noexec++; + else if (strncmp(ptr, "noroot", 6) == 0) + cnt_noroot++; else if (strncmp(ptr, "include whitelist-var-common.inc", 32) == 0) cnt_whitelistvar++; else if (strncmp(ptr, "include whitelist-runuser-common.inc", 36) == 0 || strncmp(ptr, "blacklist ${RUNUSER}", 20) == 0) cnt_whitelistrunuser++; + else if (strncmp(ptr, "include whitelist-common.inc", 28) == 0) + cnt_whitelisthome++; else if (strncmp(ptr, "include whitelist-usr-share-common.inc", 38) == 0) cnt_whitelistusrshare++; else if (strncmp(ptr, "include disable-common.inc", 26) == 0) @@ -138,9 +158,18 @@ void process_file(const char *fname) { cnt_privatetmp++; else if (strncmp(ptr, "private-etc", 11) == 0) cnt_privateetc++; + else if (strncmp(ptr, "dbus-system none", 16) == 0) + cnt_dbus_system_none++; + else if (strncmp(ptr, "dbus-system", 11) == 0) + cnt_dbus_system_filter++; + else if (strncmp(ptr, "dbus-user none", 14) == 0) + cnt_dbus_user_none++; + else if (strncmp(ptr, "dbus-user", 9) == 0) + cnt_dbus_user_filter++; else if (strncmp(ptr, "include ", 8) == 0) { // not processing .local files if (strstr(ptr, ".local")) { + have_include_local = 1; //printf("dotlocal %d, level %d - #%s#, redirect #%s#\n", cnt_dotlocal, level, fname, buf + 8); if (strstr(ptr, "globals.local")) cnt_globalsdotlocal++; @@ -148,11 +177,18 @@ void process_file(const char *fname) { cnt_dotlocal++; continue; } + // clean blanks + char *ptr = buf + 8; + while (*ptr != '\0' && *ptr != ' ' && *ptr != '\t') + ptr++; + *ptr = '\0'; process_file(buf + 8); } } fclose(fp); + if (!have_include_local) + printf("No include .local found in %s\n", fname); level--; } 
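Review bot: the new `if (!have_include_local) printf("No include .local found in %s\n", fname);` at the end of process_file runs for every file the function opens, including the `.inc` files reached through the recursive `process_file(buf + 8)` call in the same hunk, and those legitimately never contain an `include X.local`; the warning should be restricted to top-level profiles, for instance by checking the nesting `level` that this function already maintains (`level--` right below) before printing. Two smaller points in the "clean blanks" block: the inner `char *ptr = buf + 8;` shadows the `ptr` that all the `strncmp(ptr, ...)` checks above use, which is confusing and trips `-Wshadow`; a distinct name such as `end` avoids that. And the truncation operates on `buf + 8` while the `"include "` match was made on `ptr`; if those two can differ (leading whitespace skipped in `ptr`), the offset 8 is applied to the wrong string, so it is safer to derive the filename from `ptr + 8` in both the truncation and the recursive call.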
@@ -181,6 +217,8 @@ int main(int argc, char **argv) { arg_mdwx = 1; else if (strcmp(argv[i], "--noexec") == 0) arg_noexec = 1; + else if (strcmp(argv[i], "--noroot") == 0) + arg_noroot = 1; else if (strcmp(argv[i], "--private-bin") == 0) arg_privatebin = 1; else if (strcmp(argv[i], "--private-dev") == 0) @@ -189,6 +227,8 @@ int main(int argc, char **argv) { arg_privatetmp = 1; else if (strcmp(argv[i], "--private-etc") == 0) arg_privateetc = 1; + else if (strcmp(argv[i], "--whitelist-home") == 0) + arg_whitelisthome = 1; else if (strcmp(argv[i], "--whitelist-var") == 0) arg_whitelistvar = 1; else if (strcmp(argv[i], "--whitelist-runuser") == 0) @@ -197,6 +237,10 @@ int main(int argc, char **argv) { arg_whitelistusrshare = 1; else if (strcmp(argv[i], "--ssh") == 0) arg_ssh = 1; + else if (strcmp(argv[i], "--dbus-system-none") == 0) + arg_dbus_system_none = 1; + else if (strcmp(argv[i], "--dbus-user-none") == 0) + arg_dbus_user_none = 1; else if (*argv[i] == '-') { fprintf(stderr, "Error: invalid option %s\n", argv[i]); return 1; @@ -219,15 +263,21 @@ int main(int argc, char **argv) { int caps = cnt_caps; int apparmor = cnt_apparmor; int noexec = cnt_noexec; + int noroot = cnt_noroot; int privatebin = cnt_privatebin; int privatetmp = cnt_privatetmp; int privatedev = cnt_privatedev; int privateetc = cnt_privateetc; int dotlocal = cnt_dotlocal; int globalsdotlocal = cnt_globalsdotlocal; + int whitelisthome = cnt_whitelisthome; int whitelistvar = cnt_whitelistvar; int whitelistrunuser = cnt_whitelistrunuser; int whitelistusrshare = cnt_whitelistusrshare; + int dbussystemnone = cnt_dbus_system_none; + int dbussystemfilter = cnt_dbus_system_filter; + int dbususernone = cnt_dbus_user_none; + int dbususerfilter = cnt_dbus_user_filter; int ssh = cnt_ssh; int mdwx = cnt_mdwx; 
@@ -248,7 +298,21 @@ int main(int argc, char **argv) { cnt_globalsdotlocal = globalsdotlocal + 1; if (cnt_whitelistrunuser > (whitelistrunuser + 1)) cnt_whitelistrunuser = whitelistrunuser + 1; + if (cnt_seccomp > (seccomp + 1)) + cnt_seccomp = seccomp + 1; + if (cnt_dbus_user_none > (dbususernone + 1)) + cnt_dbus_user_none = dbususernone + 1; + if (cnt_dbus_user_filter > (dbususerfilter + 1)) + cnt_dbus_user_filter = dbususerfilter + 1; + if (cnt_dbus_system_none > (dbussystemnone + 1)) + cnt_dbus_system_none = dbussystemnone + 1; + if (cnt_dbus_system_filter > (dbussystemfilter + 1)) + cnt_dbus_system_filter = dbussystemfilter + 1; + if (arg_dbus_system_none && dbussystemnone == cnt_dbus_system_none) + printf("No dbus-system none found in %s\n", argv[i]); + if (arg_dbus_user_none && dbususernone == cnt_dbus_user_none) + printf("No dbus-user none found in %s\n", argv[i]); if (arg_apparmor && apparmor == cnt_apparmor) printf("No apparmor found in %s\n", argv[i]); if (arg_caps && caps == cnt_caps) @@ -257,6 +321,8 @@ int main(int argc, char **argv) { printf("No seccomp found in %s\n", argv[i]); if (arg_noexec && noexec == cnt_noexec) printf("No include disable-exec.inc found in %s\n", argv[i]); + if (arg_noroot && noroot == cnt_noroot) + printf("No noroot found in %s\n", argv[i]); if (arg_privatedev && privatedev == cnt_privatedev) printf("No private-dev found in %s\n", argv[i]); if (arg_privatebin && privatebin == cnt_privatebin) @@ -265,6 +331,8 @@ int main(int argc, char **argv) { printf("No private-tmp found in %s\n", argv[i]); if (arg_privateetc && privateetc == cnt_privateetc) printf("No private-etc found in %s\n", argv[i]); + if (arg_whitelisthome && whitelisthome == cnt_whitelisthome) + printf("Home directory not whitelisted in %s\n", argv[i]); if (arg_whitelistvar && whitelistvar == cnt_whitelistvar) printf("No include whitelist-var-common.inc found in %s\n", argv[i]); if (arg_whitelistrunuser && whitelistrunuser == cnt_whitelistrunuser) 
@@ -283,22 +351,28 @@ int main(int argc, char **argv) { printf("Stats:\n"); printf(" profiles\t\t\t%d\n", cnt_profiles); printf(" include local profile\t%d (include profile-name.local)\n", cnt_dotlocal); - printf(" include globals\t\t%d (include globals.local)\n", cnt_dotlocal); + printf(" include globals\t\t%d (include globals.local)\n", cnt_globalsdotlocal); printf(" blacklist ~/.ssh\t\t%d (include disable-common.inc)\n", cnt_ssh); printf(" seccomp\t\t\t%d\n", cnt_seccomp); printf(" capabilities\t\t%d\n", cnt_caps); printf(" noexec\t\t\t%d (include disable-exec.inc)\n", cnt_noexec); + printf(" noroot\t\t\t%d\n", cnt_noroot); printf(" memory-deny-write-execute\t%d\n", cnt_mdwx); printf(" apparmor\t\t\t%d\n", cnt_apparmor); printf(" private-bin\t\t\t%d\n", cnt_privatebin); printf(" private-dev\t\t\t%d\n", cnt_privatedev); printf(" private-etc\t\t\t%d\n", cnt_privateetc); printf(" private-tmp\t\t\t%d\n", cnt_privatetmp); + printf(" whitelist home directory\t%d\n", cnt_whitelisthome); printf(" whitelist var\t\t%d (include whitelist-var-common.inc)\n", cnt_whitelistvar); printf(" whitelist run/user\t\t%d (include whitelist-runuser-common.inc\n", cnt_whitelistrunuser); printf("\t\t\t\t\tor blacklist ${RUNUSER})\n"); printf(" whitelist usr/share\t\t%d (include whitelist-usr-share-common.inc\n", cnt_whitelistusrshare); printf(" net none\t\t\t%d\n", cnt_netnone); + printf(" dbus-user none \t\t%d\n", cnt_dbus_user_none); + printf(" dbus-user filter \t\t%d\n", cnt_dbus_user_filter); + printf(" dbus-system none \t\t%d\n", cnt_dbus_system_none); + printf(" dbus-system filter \t\t%d\n", cnt_dbus_system_filter); printf("\n"); return 0; } diff --git a/src/tools/check-caps.sh b/src/tools/check-caps.sh index 34ac5993d75..b7026b1cd45 100755 --- a/src/tools/check-caps.sh +++ b/src/tools/check-caps.sh 
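Review bot: the four new dbus stats lines have a stray space before the tab (`" dbus-user none \t\t%d\n"`), which shifts the column relative to the lines above them; drop the space so the label/tab layout matches `" net none\t\t\t%d\n"`. Good catch on the pre-existing `cnt_dotlocal` being printed for the "include globals" row; `cnt_globalsdotlocal` is the counter that row describes. While in this block, the two `whitelist run/user` and `whitelist usr/share` labels open a parenthesis that the usr/share one never closes; since the wording is being touched anyway it is a cheap fix.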
@@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 if [ $# -eq 0 ] diff --git a/src/tools/extract_caps.c b/src/tools/extract_caps.c index d76749e44c3..8da9c452b32 100644 --- a/src/tools/extract_caps.c +++ b/src/tools/extract_caps.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * @@ -17,6 +17,7 @@ * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ +#include #include #include #include diff --git a/src/tools/extract_errnos.sh b/src/tools/extract_errnos.sh index 286fdd7677c..34c416b044c 100644 --- a/src/tools/extract_errnos.sh +++ b/src/tools/extract_errnos.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 echo -e "#include \n#include " | \ diff --git a/src/tools/extract_seccomp.c b/src/tools/extract_seccomp.c index 133e65e8ce0..b5f92d2df5c 100644 --- a/src/tools/extract_seccomp.c +++ b/src/tools/extract_seccomp.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff --git a/src/tools/extract_syscalls.c b/src/tools/extract_syscalls.c index 83c2f65f3df..9159b6576c0 100644 --- a/src/tools/extract_syscalls.c +++ b/src/tools/extract_syscalls.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff --git a/src/tools/mkcoverit.sh b/src/tools/mkcoverit.sh index b21418d5c61..86d798a112a 100755 --- a/src/tools/mkcoverit.sh +++ b/src/tools/mkcoverit.sh 
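Review bot: the added line in extract_caps.c reads as a bare `+#include` with no header name in the diff as rendered here, and the three existing `#include` lines below it are empty as well, so the addition cannot be reviewed; confirm the header names are present in the real patch (the same blank includes appear in the `echo -e "#include \n#include "` line of extract_errnos.sh and at the top of profcleaner.c).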
@@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # unpack firejail archive diff --git a/src/tools/profcleaner.c b/src/tools/profcleaner.c new file mode 100644 index 00000000000..beff9319944 --- /dev/null +++ b/src/tools/profcleaner.c 
@@ -0,0 +1,75 @@ +/* + * Copyright (C) 2014-2021 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ + +//************************************************************* +// Small utility program to convert profiles from blacklist/whitelist to deny/allow +// Compile: +// gcc -o profcleaner profcleaner.c +// Usage: +// profcleaner *.profile +//************************************************************* + +#include +#include +#include +#include +#define MAXBUF 4096 + +int main(int argc, char **argv) { + printf("Usage: profcleaner files\n"); + int i; + + for (i = 1; i < argc; i++) { + FILE *fp = fopen(argv[i], "r"); + if (!fp) { + fprintf(stderr, "Error: cannot open %s\n", argv[i]); + return 1; + } + + FILE *fpout = fopen("profcleaner-tmp", "w"); + if (!fpout) { + fprintf(stderr, "Error: cannot open output file\n"); + return 1; + } + + char buf[MAXBUF]; + while (fgets(buf, MAXBUF, fp)) { + if (strncmp(buf, "blacklist-nolog", 15) == 0) + fprintf(fpout, "deny-nolog %s", buf + 15); + else if (strncmp(buf, "blacklist", 9) == 0) + fprintf(fpout, "deny %s", buf + 9); + else if (strncmp(buf, "noblacklist", 11) == 0) + fprintf(fpout, "nodeny %s", buf + 11); + else if (strncmp(buf, "whitelist", 9) == 0) + fprintf(fpout, "allow %s", buf + 9); + 
else if (strncmp(buf, "nowhitelist", 11) == 0) + fprintf(fpout, "noallow %s", buf + 11); + else + fprintf(fpout, "%s", buf); + } + + fclose(fp); + fclose(fpout); + unlink(argv[i]); + rename("profcleaner-tmp", argv[i]); + } + + return 0; +} diff --git a/src/tools/profcleaner.sh b/src/tools/profcleaner.sh new file mode 100755 index 00000000000..96402aed655 --- /dev/null +++ b/src/tools/profcleaner.sh @@ -0,0 +1,45 @@ +#!/bin/bash + +# Copyright (C) 2021 Firejail Authors +# +# This file is part of firejail project +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +if [[ $1 == --help ]]; then + cat <<-EOM + USAGE: + profcleaner.sh --help Show this help message and exit + profcleaner.sh --system Clean all profiles in /etc/firejail + profcleaner.sh --user Clean all profiles in ~/.config/firejail + profcleaner.sh /path/to/profile1 /path/to/profile2 ... + EOM + exit 0 +fi + +if [[ $1 == --system ]]; then + profiles=(/etc/firejail/*.{inc,local,profile}) +elif [[ $1 == --user ]]; then + profiles=("$HOME"/.config/firejail/*.{inc,local,profile}) +else + profiles=("$@") +fi + +sed -i -E \ + -e "s/^(# |#)?(ignore )?blacklist/\1\2deny/" \ + -e "s/^(# |#)?(ignore )?noblacklist/\1\2nodeny/" \ + -e "s/^(# |#)?(ignore )?whitelist/\1\2allow/" \ + -e "s/^(# |#)?(ignore )?nowhitelist/\1\2noallow/" \ + "${profiles[@]}" 
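Review bot: in profcleaner.c, `unlink(argv[i]);` followed by `rename("profcleaner-tmp", argv[i]);` loses the original profile whenever the rename fails, and it will fail with EXDEV whenever the profile does not live on the same filesystem as the current directory, because the temporary file is created in the working directory rather than next to the target. Drop the unlink (rename over an existing file is atomic), create the temporary file in the target's directory, and check the return value of rename; note also that the rewritten file gets the default creation mode instead of the original file's permissions. Smaller points: `printf("Usage: profcleaner files\n");` runs on every invocation instead of only when argc < 2; `"deny %s", buf + 9` keeps the space that followed the keyword, so `blacklist /x` becomes `deny  /x` with two spaces; `strncmp(buf, "blacklist", 9)` rewrites any line merely starting with that prefix and, unlike profcleaner.sh, skips the `# ` and `ignore ` forms; and the four `#include` lines show no header names in this rendering.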
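Review bot: in profcleaner.sh, the `--system` and `--user` branches build `profiles` from brace-expanded globs (`/etc/firejail/*.{inc,local,profile}`) without `shopt -s nullglob`, so when any of the three patterns matches nothing (a fresh install usually has no `*.local`), the literal pattern is handed to `sed -i`, which prints a "can't read" error and exits non-zero even though the other files were rewritten; set nullglob before the assignment or filter the array to existing files. The four `sed -E` expressions are also order-sensitive in the same way as the C tool: `noblacklist` is only safe because `blacklist` must follow the optional `# `/`ignore ` prefix immediately, which deserves a one-line comment above the sed call.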
diff --git a/src/tools/testuid.c b/src/tools/testuid.c index ad3d2be5f76..a18d57d5e46 100644 --- a/src/tools/testuid.c +++ b/src/tools/testuid.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff --git a/src/tools/ttytest.c b/src/tools/ttytest.c index beaeb4fbeae..0f72753bcf6 100644 --- a/src/tools/ttytest.c +++ b/src/tools/ttytest.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff --git a/src/tools/unixsocket.c b/src/tools/unixsocket.c index 0987deb7a76..c4ecabca754 100644 --- a/src/tools/unixsocket.c +++ b/src/tools/unixsocket.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff --git a/src/zsh_completion/Makefile.in b/src/zsh_completion/Makefile.in new file mode 100644 index 00000000000..a83cccf6c2c --- /dev/null +++ b/src/zsh_completion/Makefile.in @@ -0,0 +1,17 @@ +.PHONY: all +all: _firejail + +include ../common.mk + +_firejail: _firejail.in + gawk -f ../man/preproc.awk -- $(MANFLAGS) < $< > $@.tmp + sed "s|_SYSCONFDIR_|$(sysconfdir)|" < $@.tmp > $@ + rm $@.tmp + +.PHONY: clean +clean: + rm -fr _firejail + +.PHONY: distclean +distclean: clean + rm -fr Makefile diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in new file mode 100644 index 00000000000..c7f6ee3f11b --- /dev/null +++ b/src/zsh_completion/_firejail.in 
@@ -0,0 +1,286 @@ +#compdef firejail + +# Documentation: man 1 zshcompsys +# HowTo: https://github.com/zsh-users/zsh-completions/blob/master/zsh-completions-howto.org + +_all_firejails() { + local -a _all_firejails_list + for jail in ${(f)"$(_call_program modules_tag "firejail --list 2> /dev/null | cut -d: -f1")"}; do + _all_firejails_list+=${jail%% *} + done + _describe 'firejails list' _all_firejails_list +} + +_all_cpus() { + _cpu_count=$(getconf _NPROCESSORS_ONLN) + for i in {0..$((_cpu_count-1))} ; do + print $i + done +} + +_profiles() { + print $1/*.profile | sed -E "s;$1/;;g;s;\.profile;;g;" +} +_profiles_with_ext() { + print $1/*.profile +} + +_all_profiles() { + _values 'profiles' $(_profiles _SYSCONFDIR_/firejail) $(_profiles $HOME/.config/firejail) $(_profiles_with_ext .) +} + +_session_bus_names() { + _values names $(busctl --user list --no-legend --activatable | cut -d" " -f1) + # Alternatives to hack on for non-systemd systems: + # dbus-send --session --dest=org.freedesktop.DBus --type=method_call --print-reply=literal /org/freedesktop/DBus org.freedesktop.DBus.ListNames + # ls /usr/share/dbus-1/services | xargs -I FILENAME basename FILENAME .service +} + +_system_bus_names() { + _values names $(busctl --system list --no-legend --activatable | cut -d" " -f1) +} + +_caps() { + _values -s "," caps $(firejail --debug-caps | awk '/[0-9]+\s*- /{print $3}') +} + +_firejail_args=( + '*::arguments:_normal' + + '--appimage[sandbox an AppImage application]' + '--build[build a profile for the application and print it on stdout]' + '--build=-[build a profile for the application and save it]: :_files' + # Ignore that you can do -? 
too as it's the only short option + '--help[this help screen]' + '--join=-[join the sandbox name|pid]: :_all_firejails' + '--join-filesystem=-[join the mount namespace name|pid]: :_all_firejails' + '--list[list all sandboxes]' + '(--profile)--noprofile[do not use a security profile]' + '(--noprofile)--profile=-[use a custom profile]: :_all_profiles' + '--shutdown=-[shutdown the sandbox identified by name|pid]: :_all_firejails' + '--top[monitor the most CPU-intensive sandboxes]' + '--tree[print a tree of all sandboxed processes]' + '--version[print program version and exit]' + + '--ids-check[verify file system]' + '--ids-init[initialize IDS database]' + + '--debug[print sandbox debug messages]' + '--debug-allow[debug file system access]' + '--debug-caps[print all recognized capabilities]' + '--debug-deny[debug file system access]' + '--debug-errnos[print all recognized error numbers]' + '--debug-private-lib[debug for --private-lib option]' + '--debug-protocols[print all recognized protocols]' + '--debug-syscalls[print all recognized system calls]' + '--debug-syscalls32[print all recognized 32 bit system calls]' + + '--caps.print=-[print the caps filter name|pid]:firejail:_all_firejails' + '--cpu.print=-[print the cpus in use name|pid]: :_all_firejails' + '--fs.print=-[print the filesystem log name|pid]: :_all_firejails' + '--profile.print=-[print the name of profile file name|pid]: :_all_firejails' + '--protocol.print=-[print the protocol filter name|pid]: :_all_firejails' + '--seccomp.print=-[print the seccomp filter for the sandbox identified by name|pid]: :_all_firejails' + + '--allow-debuggers[allow tools such as strace and gdb inside the sandbox]' + '--allusers[all user home directories are visible inside the sandbox]' + # Should be _files, a comma and files or files -/ + '*--bind=-[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)' + '--caps[enable default Linux capabilities filter]' + '--caps.drop=all[drop all 
capabilities]' + '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :_caps' + '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps' + '--cgroup=-[place the sandbox in the specified control group]: :' + '--cpu=-[set cpu affinity]: :->cpus' + '*--deny=-[deny access to directory or file]: :_files' + "--deterministic-exit-code[always exit with first child's status code]" + '*--dns=-[set DNS server]: :' + '*--env=-[set environment variable]: :' + '--hostname=-[set sandbox hostname]: :' + '--hosts-file=-[use file as /etc/hosts]: :_files' + '*--ignore=-[ignore command in profile files]: :' + '--ipc-namespace[enable a new IPC namespace]' + '--join-or-start=-[join the sandbox or start a new one name|pid]: :_all_firejails' + '--keep-config-pulse[disable automatic ~/.config/pulse init]' + '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]' + '--keep-var-tmp[/var/tmp directory is untouched]' + '--machine-id[preserve /etc/machine-id]' + '--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]' + '*--mkdir=-[create a directory]:' + '*--mkfile=-[create a file]:' + '--name=-[set sandbox name]: :' + '--net=none[enable a new, unconnected network namespace]' + # Sample values as I don't think + # many would enjoy getting a list from -20..20 + '--nice=-[set nice value]: :(1 10 15 20)' + '--no3d[disable 3D hardware acceleration]' + '--noautopulse[disable automatic ~/.config/pulse init]' + '--nodeny=-[disable deny command for file or directory]: :_files' + '--nodbus[disable D-Bus access]' + '--nodvd[disable DVD and audio CD devices]' + '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files' + '--nogroups[disable supplementary groups]' + '--noinput[disable input devices]' + '--nonewprivs[sets the NO_NEW_PRIVS prctl]' + '--nosound[disable sound system]' + '--nou2f[disable U2F devices]' + '--novideo[disable video devices]' + '--private[temporary home directory]' + 
'--private=-[use directory as user home]: :_files -/' + '--private-bin=-[build a new /bin in a temporary filesystem, and copy the programs in the list]: :_files -W /usr/bin' + '--private-cwd[do not inherit working directory inside jail]' + '--private-cwd=-[set working directory inside jail]: :_files -/' + '--private-dev[create a new /dev directory with a small number of common device files]' + '(--writable-etc)--private-etc=-[build a new /etc in a temporary filesystem, and copy the files and directories in the list]: :_files -W /etc' + '--private-opt=-[build a new /opt in a temporary filesystem]: :_files -W /opt' + '--private-srv=-[build a new /srv in a temporary filesystem]: :_files -W /srv' + '--private-tmp[mount a tmpfs on top of /tmp directory]' + '*--protocol=-[enable protocol filter]: :_values -s , protocols unix inet inet6 netlink packet bluetooth' + "--quiet[turn off Firejail's output.]" + '*--read-only=-[set directory or file read-only]: :_files' + '*--read-write=-[set directory or file read-write]: :_files' + "--rlimit-as=-[set the maximum size of the process's virtual memory (address space) in bytes]: :" + '--rlimit-cpu=-[set the maximum CPU time in seconds]: :' + '--rlimit-fsize=-[set the maximum file size that can be created by a process]: :' + '--rlimit-nofile=-[set the maximum number of files that can be opened by a process]: :' + '--rlimit-nproc=-[set the maximum number of processes that can be created for the real user ID of the calling process]: :' + '--rlimit-sigpending=-[set the maximum number of pending signals for a process]: :' + '*--rmenv=-[remove environment variable in the new sandbox]: :_values environment-variables $(env | cut -d= -f1)' + '--seccomp[enable seccomp filter and drop the default syscalls]: :' + '--seccomp=-[enable seccomp filter, drop the default syscall list and the syscalls specified by the command]: :->seccomp' + '--seccomp.block-secondary[build only the native architecture filters]' + '*--seccomp.drop=-[enable seccomp 
filter, and drop the syscalls specified by the command]: :->seccomp' + '*--seccomp.keep=-[enable seccomp filter, and allow the syscalls specified by the command]: :->seccomp' + '*--seccomp.32.drop=-[enable seccomp filter, and drop the 32 bit syscalls specified by the command]: :' + '*--seccomp.32.keep=-[enable seccomp filter, and drop the 32 bit syscalls specified by the command]: :' + # FIXME: Add errnos + '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(kill log)' + '--shell=none[run the program directly without a user shell]' + '--shell=-[set default user shell]: :_values $(cat /etc/shells)' + '--timeout=-[kill the sandbox automatically after the time has elapsed]: :' + #'(--tracelog)--trace[trace open, access and connect system calls]' + '(--tracelog)--trace=-[trace open, access and connect system calls]: :_files' + '(--trace)--tracelog[add a syslog message for every access to files or directories dropped by the security profile]' + '(--private-etc)--writable-etc[/etc directory is mounted read-write]' + '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]' + '--writable-var[/var directory is mounted read-write]' + '--writable-var-log[use the real /var/log directory, not a clone]' + +#ifdef HAVE_APPARMOR + '--apparmor[enable AppArmor confinement]' + '--apparmor.print=-[print apparmor status name|pid]:firejail:_all_firejails' +#endif + +#ifdef HAVE_CHROOT + '(--noroot --overlay --overlay-named --overlay-tmpfs)--chroot=-[chroot into directory]: :_files -/' +#endif + +#ifdef HAVE_DBUSPROXY + # FIXME: _xx_bus_names is actually wrong for --dbus-*.{broadcast,call}. 
+ # We can steal some function from https://github.com/systemd/systemd/blob/main/shell-completion/zsh/_busctl + '--dbus-log=-[set DBus log file location]: :_files' + '--dbus-system=-[set system DBus access policy]: :(filter none)' + '--dbus-system.broadcast=-[allow signals on the system DBus according to rule]: :_system_bus_names' + '--dbus-system.call=-[allow calls on the system DBus according to rule]: :_system_bus_names' + '--dbus-system.own=-[allow ownership of name on the system DBus]: :_system_bus_names' + '--dbus-system.see=-[allow seeing name on the system DBus]: :_system_bus_names' + '--dbus-system.talk=-[allow talking to name on the system DBus]: :_system_bus_names' + '--dbus-user=-[set session DBus access policy or none]: :(filter none)' + '--dbus-user.broadcast=-[allow signals on the session DBus according to rule]: :_session_bus_names' + '--dbus-user.call=-[allow calls on the session DBus according to rule]: :_session_bus_names' + '--dbus-user.own=-[allow ownership of name on the session DBus]: :_session_bus_names' + '--dbus-user.see=-[allow seeing name on the session DBus]: :_session_bus_names' + '--dbus-user.talk=-[allow talking to name on the session DBus]: :_session_bus_names' +#endif + +#ifdef HAVE_FILE_TRANSFER + '--cat=-[print content of file from sandbox container name|pid]: :_all_firejails' + '--get=-[get a file from sandbox container name|pid]: :_all_firejails' + # --put=name|pid src-filename dest-filename - put a file in sandbox container. 
+ '--put=-[put a file in sandbox container]: :' + '--ls=-[list files in sandbox container name|pid]: :_all_firejails' +#endif + +#ifdef HAVE_FIRETUNNEL + '--tunnel=-[connect the sandbox to a tunnel created by firetunnel utility]: :' +#endif + +#ifdef HAVE_NETWORK + '--bandwidth=-[set bandwidth limits name|pid]: :_all_firejails' + '--defaultgw=[configure default gateway]: :' + '--dns.print=-[print DNS configuration name|pid]: :_all_firejails' + '--join-network=-[join the network namespace name|pid]: :_all_firejails' + '--mac=-[set interface MAC address]: :(xx\:xx\:xx\:xx\:xx\:xx)' + '--mtu=-[set interface MTU]: :' + '--net=-[enable network namespaces and connect to this bridge or Ethernet interface (or none to disable)]: :->net_or_none' + '--net.print=-[print network interface configuration name|pid]: :_all_firejails' + '--netfilter=-[enable firewall]: :' + '--netfilter.print=-[print the firewall name|pid]: :_all_firejails' + '--netfilter6=-[enable IPv6 firewall]: :' + '--netfilter6.print=-[print the IPv6 firewall name|pid]: :_all_firejails' + '--netmask=-[define a network mask when dealing with unconfigured parent interfaces]: :' + '--netns=-[Run the program in a named, persistent network namespace]: :' + '--netstats[monitor network statistics]' + '--interface=-[move interface in sandbox]: :' + '--ip=-[set interface IP address none|dhcp|ADDRESS]: :(none dhcp)' + '--ip6=-[set interface IPv6 address or use dhcp via dhclient]: :(dhcp)' + '--iprange=-[configure an IP address in this range]: :' + '--scan[ARP-scan all the networks from inside a network namespace]' + '--veth-name=-[use this name for the interface connected to the bridge]: :' +#endif + +#ifdef HAVE_OUTPUT + '--output=-[stdout logging and log rotation]: :_files' + '--output-stderr=-[stdout and stderr logging and log rotation]: :_files' +#endif + +#ifdef HAVE_OVERLAYFS + '(--chroot --noroot)--overlay[mount a filesystem overlay on top of the current filesystem]' + '--overlay-clean[clean all overlays stored in 
$HOME/.firejail directory]' + '(--chroot --noroot)--overlay-named=-[mount a filesystem overlay on top of the current filesystem, and store it in name directory]: :_files -/' + '(--chroot --noroot)--overlay-tmpfs[mount a temporary filesystem overlay on top of the current filesystem]' +#endif + +#ifdef HAVE_PRIVATE_HOME + '--private-home=-[build a new user home in a temporary filesystem, and copy the files and directories in the list in the new home]: :_files' +#endif + +#ifdef HAVE_USERNS + '(--chroot --overlay --overlay-named --overlay-tmpfs)--noroot[install a user namespace with only the current user]' +#endif + +#ifdef HAVE_USERTMPFS + '--private-cache[temporary ~/.cache directory]' + '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/' +#endif + + '*--noallow=-[disable allow command for file or directory]: :_files' + '*--allow=-[allow file system access]: :_files' + +#ifdef HAVE_X11 + '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]' + '--x11=-[disable or enable specific X11 server]: :(none xephyr xorg xpra xvfb)' + '--xephyr-screen=-[set screen size for --x11=xephyr]: :(WIDTHxHEIGHT)' +#endif +) + + +_firejail() { + _arguments -S $_firejail_args + case "$state" in + cpus) + _values -s "," 'cpus' $(_all_cpus) + ;; + net_or_none) + local netdevs=($(ip link | awk '{print $2}' | grep '^.*:$' | tr -d ':')) + local net_and_none=(none $netdevs) + _values 'net' $net_and_none + ;; + seccomp) + # TODO: syscall groups + _values -s "," 'syscalls' $(firejail --debug-syscalls | cut -d" " -f2) + ;; + esac +} + +# vim: ft=zsh sw=4 ts=4 et sts=4 ai diff --git a/test/Makefile.in b/test/Makefile.in new file mode 100644 index 00000000000..264314a3b38 --- /dev/null +++ b/test/Makefile.in 
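Review bot: in _firejail.in the description for `--seccomp.32.keep` is copied from `--seccomp.32.drop` and says "drop the 32 bit syscalls" although the option keeps them; `--defaultgw=[configure default gateway]` is the only option spelled `=` instead of `=-`, so its argument will not be completed like the rest; and `--shell=-[...]: :_values $(cat /etc/shells)` feeds the comment lines of /etc/shells into the candidate list, so restricting to lines starting with `/` would be cleaner. The `_session_bus_names` and `_system_bus_names` helpers depend on `busctl`, which the in-file comment already flags for non-systemd systems; the TODO and FIXME markers (`_xx_bus_names is actually wrong for --dbus-*.{broadcast,call}`, errnos for `--seccomp-error-action`) should be mentioned in the commit message so they are not lost.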
@@ -0,0 +1,14 @@ +TESTS=$(patsubst %/,%,$(wildcard */)) + +.PHONY: $(TESTS) +$(TESTS): + cd $@ && ./$@.sh 2>&1 | tee $@.log + cd $@ && grep -a TESTING $@.log && grep -a -L "TESTING ERROR" $@.log + +.PHONY: clean +clean: + for test in $(TESTS); do rm -f "$$test/$$test.log"; done + +.PHONY: distclean +distclean: clean + rm -f Makefile diff --git a/test/appimage/appimage-args.exp b/test/appimage/appimage-args.exp index 03c7218acc4..eecb9bf8277 100755 --- a/test/appimage/appimage-args.exp +++ b/test/appimage/appimage-args.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 @@ -56,7 +56,7 @@ expect { sleep 2 spawn $env(SHELL) -send -- "firemon --seccomp --nowrap\r" +send -- "firemon --seccomp --wrap\r" expect { timeout {puts "TESTING ERROR 8\n";exit} "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} @@ -71,7 +71,7 @@ expect { "name=blablabla" } after 100 -send -- "firemon --caps --nowrap\r" +send -- "firemon --caps --wrap\r" expect { timeout {puts "TESTING ERROR 11\n";exit} "appimage Leafpad" @@ -96,7 +96,7 @@ send -- "firejail --shutdown=appimage-test\r" set spawn_id $appimage_id expect { timeout {puts "shutdown\n";exit} - "AppImage unmounted" + "AppImage detached" } after 100 diff --git a/test/appimage/appimage-trace.exp b/test/appimage/appimage-trace.exp index 07a0aac0d33..2f67eb53198 100755 --- a/test/appimage/appimage-trace.exp +++ b/test/appimage/appimage-trace.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 @@ -31,7 +31,7 @@ expect { } expect { timeout {puts "shutdown\n"} - "AppImage unmounted" + "AppImage detached" } sleep 1 @@ -58,7 +58,7 @@ expect { } expect { timeout {puts "shutdown\n"} - "AppImage unmounted" + "AppImage detached" } sleep 1 
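Review bot: in test/Makefile.in the pass/fail gate `grep -a -L "TESTING ERROR" $@.log` depends on the exit status of `grep -L`, which GNU grep changed in 3.2 (success when a file is listed) and reverted in 3.5 (success when a line matches), so the same target passes on one grep version and fails on another; `! grep -a -q "TESTING ERROR" $@.log` expresses the intent without that dependency. Separately, the first recipe line `./$@.sh 2>&1 | tee $@.log` takes its status from tee, so a crashing test script does not fail the target by itself; the grep line is the only gate, which is worth a comment.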
diff --git a/test/appimage/appimage-v1.exp b/test/appimage/appimage-v1.exp index 7b6fa21200f..b8b6e0c9696 100755 --- a/test/appimage/appimage-v1.exp +++ b/test/appimage/appimage-v1.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 @@ -44,7 +44,7 @@ expect { sleep 2 spawn $env(SHELL) -send -- "firemon --seccomp --nowrap\r" +send -- "firemon --seccomp --wrap\r" expect { timeout {puts "TESTING ERROR 5\n";exit} "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} @@ -59,7 +59,7 @@ expect { "name=blablabla" } after 100 -send -- "firemon --caps --nowrap\r" +send -- "firemon --caps --wrap\r" expect { timeout {puts "TESTING ERROR 6\n";exit} "appimage Leafpad" @@ -84,7 +84,7 @@ send -- "firejail --shutdown=appimage-test\r" set spawn_id $appimage_id expect { timeout {puts "shutdown\n"} - "AppImage unmounted" + "AppImage detached" } after 100 diff --git a/test/appimage/appimage-v2.exp b/test/appimage/appimage-v2.exp index ccdeae0aa33..243824f75d0 100755 --- a/test/appimage/appimage-v2.exp +++ b/test/appimage/appimage-v2.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 @@ -83,7 +83,7 @@ send -- "firejail --shutdown=appimage-test\r" set spawn_id $appimage_id expect { timeout {puts "shutdown\n"} - "AppImage unmounted" + "AppImage detached" } after 100 diff --git a/test/appimage/appimage.sh b/test/appimage/appimage.sh index fa1a53195a5..e766b1acd00 100755 --- a/test/appimage/appimage.sh +++ b/test/appimage/appimage.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 
@@ -20,4 +20,4 @@ echo "TESTING: AppImage argsv1 (test/appimage/appimage-args.exp)" ./appimage-args.exp echo "TESTING: AppImage trace (test/appimage/appimage-trace.exp)" -./appimage-args.exp +./appimage-trace.exp diff --git a/test/appimage/filename.exp b/test/appimage/filename.exp index e4c7d3a9504..54d8d722db7 100755 --- a/test/appimage/filename.exp +++ b/test/appimage/filename.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 @@ -17,7 +17,7 @@ after 100 send -- "firejail --appimage /etc/shadow\r" expect { timeout {puts "TESTING ERROR 2\n";exit} - "cannot access" + "cannot read" } after 100 diff --git a/test/apps-x11-xorg/apps-x11-xorg.sh b/test/apps-x11-xorg/apps-x11-xorg.sh index 843fdc50b1a..7f37914aa47 100755 --- a/test/apps-x11-xorg/apps-x11-xorg.sh +++ b/test/apps-x11-xorg/apps-x11-xorg.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 @@ -25,6 +25,15 @@ else echo "TESTING SKIP: transmission-gtk not found" fi +which transmission-qt 2>/dev/null +if [ "$?" -eq 0 ]; +then + echo "TESTING: transmission-qt x11 xorg" + ./transmission-qt.exp +else + echo "TESTING SKIP: transmission-qt not found" +fi + which thunderbird 2>/dev/null if [ "$?" -eq 0 ]; then diff --git a/test/apps-x11-xorg/firefox.exp b/test/apps-x11-xorg/firefox.exp index 0a43db56827..12fcc13ce47 100755 --- a/test/apps-x11-xorg/firefox.exp +++ b/test/apps-x11-xorg/firefox.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 
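Review bot: the `./appimage-args.exp` to `./appimage-trace.exp` change in test/appimage/appimage.sh means the trace test is executed for the first time (it was running the args test twice before), so its result in CI should be checked rather than assumed to be green; the commit message should call this out as a test fix. In apps-x11-xorg.sh the new transmission-qt block follows the existing `which ...; if [ "$?" -eq 0 ]` style, which is fine for consistency, though `if which transmission-qt >/dev/null 2>&1; then` would be the idiomatic form if the file is cleaned up later.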
@@ -41,7 +41,7 @@ expect { sleep 2 spawn $env(SHELL) -send -- "firemon --seccomp --nowrap\r" +send -- "firemon --seccomp --wrap\r" expect { timeout {puts "TESTING ERROR 5\n";exit} "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} @@ -61,7 +61,7 @@ expect { "name=blablabla" } sleep 1 -send -- "firemon --caps --nowrap\r" +send -- "firemon --caps --wrap\r" expect { timeout {puts "TESTING ERROR 6\n";exit} " firefox" {puts "firefox detected\n";} diff --git a/test/apps-x11-xorg/thunderbird.exp b/test/apps-x11-xorg/thunderbird.exp index 8cf0ac244c9..5c810c517b1 100755 --- a/test/apps-x11-xorg/thunderbird.exp +++ b/test/apps-x11-xorg/thunderbird.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 @@ -38,7 +38,7 @@ expect { sleep 2 spawn $env(SHELL) -send -- "firemon --seccomp --nowrap\r" +send -- "firemon --seccomp --wrap\r" expect { timeout {puts "TESTING ERROR 5\n";exit} "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} @@ -57,7 +57,7 @@ expect { "name=blablabla" } sleep 2 -send -- "firemon --caps --nowrap\r" +send -- "firemon --caps --wrap\r" expect { timeout {puts "TESTING ERROR 6\n";exit} ":firejail" diff --git a/test/apps-x11-xorg/transmission-gtk.exp b/test/apps-x11-xorg/transmission-gtk.exp index fdbf388e979..e0f519c0007 100755 --- a/test/apps-x11-xorg/transmission-gtk.exp +++ b/test/apps-x11-xorg/transmission-gtk.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 @@ -38,7 +38,7 @@ expect { sleep 2 spawn $env(SHELL) -send -- "firemon --seccomp --nowrap\r" +send -- "firemon --seccomp --wrap\r" expect { timeout {puts "TESTING ERROR 5\n";exit} "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} 
@@ -57,7 +57,7 @@ expect { "name=blablabla" } sleep 1 -send -- "firemon --caps --nowrap\r" +send -- "firemon --caps --wrap\r" expect { timeout {puts "TESTING ERROR 6\n";exit} ":firejail" diff --git a/test/apps-x11-xorg/transmission-qt.exp b/test/apps-x11-xorg/transmission-qt.exp new file mode 100755 index 00000000000..02a01596890 --- /dev/null +++ b/test/apps-x11-xorg/transmission-qt.exp 
@@ -0,0 +1,85 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2021 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --name=test --x11=xorg --ignore=net --ignore=netfilter --ignore=iprange transmission-qt\r" +sleep 10 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "transmission-qt" +} +sleep 1 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp --wrap\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 5.0\n";exit} + "transmission-qt" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firemon --caps --wrap\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 6.0\n";exit} + "transmission-qt" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +sleep 1 +send -- "firejail --shutdown=test\r" +sleep 3 + +puts "\nall done\n" diff --git a/test/apps-x11/apps-x11.sh b/test/apps-x11/apps-x11.sh index 609eb5dc96f..9954cb736c9 100755 --- a/test/apps-x11/apps-x11.sh 
+++ b/test/apps-x11/apps-x11.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 diff --git a/test/apps-x11/chromium.exp b/test/apps-x11/chromium.exp index 14f8ff61675..92739048cbb 100755 --- a/test/apps-x11/chromium.exp +++ b/test/apps-x11/chromium.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps-x11/firefox.exp b/test/apps-x11/firefox.exp index 8de9d939bf5..69efc79d95e 100755 --- a/test/apps-x11/firefox.exp +++ b/test/apps-x11/firefox.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps-x11/thunderbird.exp b/test/apps-x11/thunderbird.exp index 73133fa1b9a..7cfc957b7a1 100755 --- a/test/apps-x11/thunderbird.exp +++ b/test/apps-x11/thunderbird.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps-x11/transmission-gtk.exp b/test/apps-x11/transmission-gtk.exp index a8ce1d94076..53e396a9ee4 100755 --- a/test/apps-x11/transmission-gtk.exp +++ b/test/apps-x11/transmission-gtk.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps-x11/x11-none.exp b/test/apps-x11/x11-none.exp index 3f56a3072bb..b45751aa748 100755 --- a/test/apps-x11/x11-none.exp +++ b/test/apps-x11/x11-none.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps-x11/x11-xephyr.exp b/test/apps-x11/x11-xephyr.exp index 4efdbc4f08f..3da0e1a46ca 100755 --- a/test/apps-x11/x11-xephyr.exp +++ b/test/apps-x11/x11-xephyr.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps-x11/xterm-xephyr.exp b/test/apps-x11/xterm-xephyr.exp index 7dc193110bf..5edbadad93b 100755 --- a/test/apps-x11/xterm-xephyr.exp +++ b/test/apps-x11/xterm-xephyr.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps-x11/xterm-xorg.exp b/test/apps-x11/xterm-xorg.exp index 8933068300a..a2a0277297f 100755 --- a/test/apps-x11/xterm-xorg.exp +++ b/test/apps-x11/xterm-xorg.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps-x11/xterm-xpra.exp b/test/apps-x11/xterm-xpra.exp index 0b35a700963..0f1458d154c 100755 --- a/test/apps-x11/xterm-xpra.exp +++ b/test/apps-x11/xterm-xpra.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps/apps.sh b/test/apps/apps.sh index 1e5f0f8c564..c332fe41617 100755 --- a/test/apps/apps.sh +++ b/test/apps/apps.sh 
@@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 diff --git a/test/apps/chromium.exp b/test/apps/chromium.exp index d6375323efa..d65bc93a9cb 100755 --- a/test/apps/chromium.exp +++ b/test/apps/chromium.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps/deluge.exp b/test/apps/deluge.exp index 92f50fc8a47..25c98623c09 100755 --- a/test/apps/deluge.exp +++ b/test/apps/deluge.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps/fbreader.exp b/test/apps/fbreader.exp index 55f7dd49f36..67301c1d250 100755 --- a/test/apps/fbreader.exp +++ b/test/apps/fbreader.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps/filezilla.exp b/test/apps/filezilla.exp index 9952a4d2967..da37f1eff74 100755 --- a/test/apps/filezilla.exp +++ b/test/apps/filezilla.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps/firefox.exp b/test/apps/firefox.exp index 9869972f0f3..2a6f182768c 100755 --- a/test/apps/firefox.exp +++ b/test/apps/firefox.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 
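Review bot: In the new test/apps-x11-xorg/transmission-qt.exp every failure branch is a bare `exit`, which returns status 0, so a caller of the suite cannot tell a timeout from a pass by exit code; use `exit 1` in the `timeout {...}` and `grsecurity present` branches (the same pattern as the sibling files, but worth fixing in a new file). The start-up is also synchronised with a fixed `sleep 10` after `send -- "firejail --name=test --x11=xorg ... transmission-qt\r"` rather than an `expect "Child process initialized"` as done later for `firejail --name=blablabla`; expecting on the message is both faster and less flaky on slow CI. Finally, the script ends with `firejail --shutdown=test` only, leaving the `blablabla` sandbox it started to be torn down by the spawned shell's SIGHUP; an explicit `firejail --shutdown=blablabla` would make the cleanup deliberate.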
diff --git a/test/apps/gnome-mplayer.exp b/test/apps/gnome-mplayer.exp index 1d00cdd9b7b..564220d95a2 100755 --- a/test/apps/gnome-mplayer.exp +++ b/test/apps/gnome-mplayer.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps/gthumb.exp b/test/apps/gthumb.exp index 9fba8a98e40..569adcd34e3 100755 --- a/test/apps/gthumb.exp +++ b/test/apps/gthumb.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps/hexchat.exp b/test/apps/hexchat.exp index b933e1edbab..adea0221614 100755 --- a/test/apps/hexchat.exp +++ b/test/apps/hexchat.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps/kcalc.exp b/test/apps/kcalc.exp index ae743cf23ba..aaeb5221d24 100755 --- a/test/apps/kcalc.exp +++ b/test/apps/kcalc.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps/ktorrent.exp b/test/apps/ktorrent.exp index ef177bd082c..8693f5f1d22 100755 --- a/test/apps/ktorrent.exp +++ b/test/apps/ktorrent.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps/midori.exp b/test/apps/midori.exp index 78a55313ff0..fae41e6da8a 100755 --- a/test/apps/midori.exp +++ b/test/apps/midori.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps/opera.exp b/test/apps/opera.exp index b88368ec618..990476ed56a 100755 --- a/test/apps/opera.exp +++ b/test/apps/opera.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps/qbittorrent.exp b/test/apps/qbittorrent.exp index 67dfa73c7f5..bc0386335eb 100755 --- a/test/apps/qbittorrent.exp +++ b/test/apps/qbittorrent.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps/thunderbird.exp b/test/apps/thunderbird.exp index 319ebbccfee..10d0bb2f679 100755 --- a/test/apps/thunderbird.exp +++ b/test/apps/thunderbird.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps/transmission-qt.exp b/test/apps/transmission-qt.exp index 4aec7d0940e..fec18a8bf5a 100755 --- a/test/apps/transmission-qt.exp +++ b/test/apps/transmission-qt.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps/uget-gtk.exp b/test/apps/uget-gtk.exp index 397c63846eb..caa4063b981 100755 --- a/test/apps/uget-gtk.exp +++ b/test/apps/uget-gtk.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps/vlc.exp b/test/apps/vlc.exp index 8110a6d93c1..ce3df1ba60a 100755 --- a/test/apps/vlc.exp +++ b/test/apps/vlc.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps/wine.exp b/test/apps/wine.exp index af8c5dca8d6..982a0c6d98e 100755 --- a/test/apps/wine.exp +++ b/test/apps/wine.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/apps/xchat.exp b/test/apps/xchat.exp index 1d88ef7e4d2..9ed75d8211a 100755 --- a/test/apps/xchat.exp +++ b/test/apps/xchat.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/arguments/arguments.sh b/test/arguments/arguments.sh deleted file mode 100755 index 12e2aac6db5..00000000000 --- a/test/arguments/arguments.sh +++ /dev/null 
@@ -1,30 +0,0 @@ -#!/bin/bash -# This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors -# License GPL v2 - -export LC_ALL=C - -if [ -f /etc/debian_version ]; then - libdir=$(dirname "$(dpkg -L firejail | grep faudit)") - export PATH="$PATH:$libdir" -fi -export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail" - -echo "TESTING: 1. regular bash session" -./bashrun.exp -sleep 1 - -echo "TESTING: 2. symbolic link to firejail" -./symrun.exp -rm -fr symtest -sleep 1 - -echo "TESTING: 3. --join option" -./joinrun.exp -sleep 1 - -echo "TESTING: 4. --output option" -./outrun.exp -rm out -rm out.* diff --git a/test/arguments/bashrun.exp b/test/arguments/bashrun.exp deleted file mode 100755 index 782484cadde..00000000000 --- a/test/arguments/bashrun.exp +++ /dev/null 
@@ -1,89 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors -# License GPL v2 - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "./bashrun.sh\r" -expect { - timeout {puts "TESTING ERROR 1.1.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 1.1.2\n";exit} - "#arg1#" -} -expect { - timeout {puts "TESTING ERROR 1.1.3\n";exit} - "#arg2#" -} - -expect { - timeout {puts "TESTING ERROR 1.2.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 1.2.2\n";exit} - "#arg1 tail#" -} -expect { - timeout {puts "TESTING ERROR 1.2.3\n";exit} - "#arg2 tail#" -} - -expect { - timeout {puts "TESTING ERROR 1.3.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 1.3.2\n";exit} - "#arg1 tail#" -} -expect { - timeout {puts "TESTING ERROR 1.3.3\n";exit} - "#arg2 tail#" -} - -expect { - timeout {puts "TESTING ERROR 1.4.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 1.4.2\n";exit} - "#arg1 tail#" -} -expect { - timeout {puts "TESTING ERROR 1.4.3\n";exit} - "#arg2 tail#" -} - -expect { - timeout {puts "TESTING ERROR 1.5.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 1.5.2\n";exit} - "#arg1&tail#" -} -expect { - timeout {puts "TESTING ERROR 1.5.3\n";exit} - "#arg2&tail#" -} - -expect { - timeout {puts "TESTING ERROR 1.6.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 1.6.2\n";exit} - "#arg1&tail#" -} -expect { - timeout {puts "TESTING ERROR 1.6.3\n";exit} - "#arg2&tail#" -} - -puts "\nall done\n" diff --git a/test/arguments/bashrun.sh b/test/arguments/bashrun.sh deleted file mode 100755 index 433d92436f3..00000000000 --- a/test/arguments/bashrun.sh +++ /dev/null 
@@ -1,25 +0,0 @@ -#!/bin/bash -# This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors -# License GPL v2 - -echo "TESTING: 1.1 - simple args" -firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit arg1 arg2 - -# simple quotes, testing spaces in file names -echo "TESTING: 1.2 - args with space and \"" -firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit "arg1 tail" "arg2 tail" - -echo "TESTING: 1.3 - args with space and '" -firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit 'arg1 tail' 'arg2 tail' - -# escaped space in file names -echo "TESTING: 1.4 - args with space and \\" -firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit arg1\ tail arg2\ tail - -# & char appears in URLs - URLs should be quoted -echo "TESTING: 1.5 - args with & and \"" -firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit "arg1&tail" "arg2&tail" - -echo "TESTING: 1.6 - args with & and '" -firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit 'arg1&tail' 'arg2&tail' diff --git a/test/arguments/joinrun.exp b/test/arguments/joinrun.exp deleted file mode 100755 index 8359b48196e..00000000000 --- a/test/arguments/joinrun.exp +++ /dev/null 
@@ -1,92 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors -# License GPL v2 - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - - -send -- "firejail --name=joinrun\r" -sleep 2 - -spawn $env(SHELL) -send -- "./joinrun.sh\r" -expect { - timeout {puts "TESTING ERROR 3.1.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 3.1.2\n";exit} - "#arg1#" -} -expect { - timeout {puts "TESTING ERROR 3.1.3\n";exit} - "#arg2#" -} - -expect { - timeout {puts "TESTING ERROR 3.2.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 3.2.2\n";exit} - "#arg1 tail#" -} -expect { - timeout {puts "TESTING ERROR 3.2.3\n";exit} - "#arg2 tail#" -} -expect { - timeout {puts "TESTING ERROR 3.3.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 3.3.2\n";exit} - "#arg1 tail#" -} -expect { - timeout {puts "TESTING ERROR 3.3.3\n";exit} - "#arg2 tail#" -} -expect { - timeout {puts "TESTING ERROR 3.4.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 3.4.2\n";exit} - "#arg1 tail#" -} -expect { - timeout {puts "TESTING ERROR 3.4.3\n";exit} - "#arg2 tail#" -} - -expect { - timeout {puts "TESTING ERROR 3.5.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 3.5.2\n";exit} - "#arg1&tail#" -} -expect { - timeout {puts "TESTING ERROR 3.5.3\n";exit} - "#arg2&tail#" -} - -expect { - timeout {puts "TESTING ERROR 3.6.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 3.6.2\n";exit} - "#arg1&tail#" -} -expect { - timeout {puts "TESTING ERROR 3.6.3\n";exit} - "#arg2&tail#" -} - -puts "\nall done\n" diff --git a/test/arguments/joinrun.sh b/test/arguments/joinrun.sh deleted file mode 100755 index 0019563be7d..00000000000 --- a/test/arguments/joinrun.sh +++ /dev/null 
@@ -1,25 +0,0 @@ -#!/bin/bash -# This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors -# License GPL v2 - -echo "TESTING: 3.1 - simple args" -firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit arg1 arg2 - -# simple quotes, testing spaces in file names -echo "TESTING: 3.2 - args with space and \"" -firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit "arg1 tail" "arg2 tail" - -echo "TESTING: 3.3 - args with space and '" -firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit 'arg1 tail' 'arg2 tail' - -# escaped space in file names -echo "TESTING: 3.4 - args with space and \\" -firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit arg1\ tail arg2\ tail - -# & char appears in URLs - URLs should be quoted -echo "TESTING: 3.5 - args with & and \"" -firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit "arg1&tail" "arg2&tail" - -echo "TESTING: 3.6 - args with & and '" -firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit 'arg1&tail' 'arg2&tail' diff --git a/test/arguments/outrun.exp b/test/arguments/outrun.exp deleted file mode 100755 index 46a2268702b..00000000000 --- a/test/arguments/outrun.exp +++ /dev/null 
@@ -1,93 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors -# License GPL v2 - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "./outrun.sh\r" -expect { - timeout {puts "TESTING ERROR 4.1.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 4.1.2\n";exit} - "#arg1#" -} -expect { - timeout {puts "TESTING ERROR 4.1.3\n";exit} - "#arg2#" -} - -exit -#*************************************************** -# breaking down from here on - bug to fix -#*************************************************** -expect { - timeout {puts "TESTING ERROR 4.2.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 4.2.2\n";exit} - "#arg1 tail#" -} -expect { - timeout {puts "TESTING ERROR 4.2.3\n";exit} - "#arg2 tail#" -} - -expect { - timeout {puts "TESTING ERROR 4.3.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 4.3.2\n";exit} - "#arg1 tail#" -} -expect { - timeout {puts "TESTING ERROR 4.3.3\n";exit} - "#arg2 tail#" -} - -expect { - timeout {puts "TESTING ERROR 4.4.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 4.4.2\n";exit} - "#arg1 tail#" -} -expect { - timeout {puts "TESTING ERROR 4.4.3\n";exit} - "#arg2 tail#" -} - -expect { - timeout {puts "TESTING ERROR 4.5.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 4.5.2\n";exit} - "#arg1&tail#" -} -expect { - timeout {puts "TESTING ERROR 4.5.3\n";exit} - "#arg2&tail#" -} - -expect { - timeout {puts "TESTING ERROR 4.6.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 4.6.2\n";exit} - "#arg1&tail#" -} -expect { - timeout {puts "TESTING ERROR 4.6.3\n";exit} - "#arg2&tail#" -} - -puts "\nall done\n" diff --git a/test/arguments/outrun.sh b/test/arguments/outrun.sh deleted file mode 100755 index 4e8b5241750..00000000000 --- a/test/arguments/outrun.sh +++ /dev/null 
@@ -1,25 +0,0 @@ -#!/bin/bash -# This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors -# License GPL v2 - -echo "TESTING: 4.1 - simple args" -firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit arg1 arg2 - -# simple quotes, testing spaces in file names -echo "TESTING: 4.2 - args with space and \"" -firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit "arg1 tail" "arg2 tail" - -echo "TESTING: 4.3 - args with space and '" -firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit 'arg1 tail' 'arg2 tail' - -# escaped space in file names -echo "TESTING: 4.4 - args with space and \\" -firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit arg1\ tail arg2\ tail - -# & char appears in URLs - URLs should be quoted -echo "TESTING: 4.5 - args with & and \"" -firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit "arg1&tail" "arg2&tail" - -echo "TESTING: 4.6 - args with & and '" -firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit 'arg1&tail' 'arg2&tail' diff --git a/test/arguments/symrun.exp b/test/arguments/symrun.exp deleted file mode 100755 index 49e0d28e03d..00000000000 --- a/test/arguments/symrun.exp +++ /dev/null 
@@ -1,74 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors -# License GPL v2 - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "./symrun.sh\r" -expect { - timeout {puts "TESTING ERROR 2.1.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 2.1.2\n";exit} - "#arg1#" -} -expect { - timeout {puts "TESTING ERROR 2.1.3\n";exit} - "#arg2#" -} - -expect { - timeout {puts "TESTING ERROR 2.3.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 2.3.2\n";exit} - "#arg1 tail#" -} -expect { - timeout {puts "TESTING ERROR 2.3.3\n";exit} - "#arg2 tail#" -} - -expect { - timeout {puts "TESTING ERROR 2.4.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 2.4.2\n";exit} - "#arg1 tail#" -} -expect { - timeout {puts "TESTING ERROR 2.4.3\n";exit} - "#arg2 tail#" -} - -expect { - timeout {puts "TESTING ERROR 2.5.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 2.5.2\n";exit} - "#arg1&tail#" -} -expect { - timeout {puts "TESTING ERROR 2.5.3\n";exit} - "#arg2&tail#" -} - -expect { - timeout {puts "TESTING ERROR 2.6.1\n";exit} - "Arguments:" -} -expect { - timeout {puts "TESTING ERROR 2.6.2\n";exit} - "#arg1&tail#" -} -expect { - timeout {puts "TESTING ERROR 2.6.3\n";exit} - "#arg2&tail#" -} diff --git a/test/arguments/symrun.sh b/test/arguments/symrun.sh deleted file mode 100755 index 00c17df6975..00000000000 --- a/test/arguments/symrun.sh +++ /dev/null 
@@ -1,34 +0,0 @@ -#!/bin/bash -# This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors -# License GPL v2 - -mkdir symtest -ln -s /usr/bin/firejail symtest/faudit - -# search for faudit in current directory -export PATH=$PATH:. -export FIREJAIL_TEST_ARGUMENTS=yes - -echo "TESTING: 2.1 - simple args" -symtest/faudit arg1 arg2 - -# simple quotes, testing spaces in file names -echo "TESTING: 2.2 - args with space and \"" -symtest/faudit "arg1 tail" "arg2 tail" - -echo "TESTING: 2.3 - args with space and '" -symtest/faudit 'arg1 tail' 'arg2 tail' - -# escaped space in file names -echo "TESTING: 2.4 - args with space and \\" -symtest/faudit arg1\ tail arg2\ tail - -# & char appears in URLs - URLs should be quoted -echo "TESTING: 2.5 - args with & and \"" -symtest/faudit "arg1&tail" "arg2&tail" - -echo "TESTING: 2.6 - args with & and '" -symtest/faudit 'arg1&tail' 'arg2&tail' - -rm -fr symtest diff --git a/test/chroot/chroot.sh b/test/chroot/chroot.sh index 7f65b218813..1ac5cf47e98 100755 --- a/test/chroot/chroot.sh +++ b/test/chroot/chroot.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 diff --git a/test/chroot/configure b/test/chroot/configure index 465092abb1f..747dc43836d 100755 --- a/test/chroot/configure +++ b/test/chroot/configure @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # build a very small chroot diff --git a/test/chroot/fs_chroot.exp b/test/chroot/fs_chroot.exp index 1db8269b91e..6504258298d 100755 --- a/test/chroot/fs_chroot.exp +++ b/test/chroot/fs_chroot.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 
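Review bot: Deleting test/arguments/ (arguments.sh, bashrun.*, symrun.*, joinrun.*, outrun.*) removes the only coverage of how firejail forwards arguments containing spaces, quotes and `&` (the `faudit` + `FIREJAIL_TEST_ARGUMENTS=yes` cases) across direct, symlinked, `--join` and `--output` invocations, and nothing in the patch replaces it or explains why it is obsolete; either move the 1.x-4.x cases into another suite or say in the commit message what supersedes them. Worth recording before it disappears: outrun.exp had an early `exit` guarding cases 4.2-4.6 with the comment "breaking down from here on - bug to fix", i.e. the `--output` quoting problem it tracked was never closed, and symrun.exp skipped case 2.2 while symrun.sh still ran it, so the symlink suite was already out of step.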
diff --git a/test/chroot/unchroot-as-root.exp b/test/chroot/unchroot-as-root.exp index 844bd74501a..b8836705475 100755 --- a/test/chroot/unchroot-as-root.exp +++ b/test/chroot/unchroot-as-root.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/chroot/unchroot.c b/test/chroot/unchroot.c index 4454dd1c476..643983ce438 100644 --- a/test/chroot/unchroot.c +++ b/test/chroot/unchroot.c @@ -1,5 +1,5 @@ // This file is part of Firejail project -// Copyright (C) 2014-2020 Firejail Authors +// Copyright (C) 2014-2021 Firejail Authors // License GPL v2 // simple unchroot example from http://linux-vserver.org/Secure_chroot_Barrier diff --git a/test/compile/compile.sh b/test/compile/compile.sh index 2f9e0ece6d7..10199818712 100755 --- a/test/compile/compile.sh +++ b/test/compile/compile.sh @@ -1,10 +1,20 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 +# not currently covered +# --disable-suid install as a non-SUID executable +# --enable-fatal-warnings -W -Wall -Werror +# --enable-gcov Gcov instrumentation +# --enable-contrib-install +# install contrib scripts +# --enable-analyzer enable GCC 10 static analyzer + + + arr[1]="TEST 1: standard compilation" -arr[2]="TEST 2: compile seccomp disabled" +arr[2]="TEST 2: compile dbus proxy disabled" arr[3]="TEST 3: compile chroot disabled" arr[4]="TEST 4: compile firetunnel disabled" arr[5]="TEST 5: compile user namespace disabled" 
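Review bot: The "not currently covered" block added at the top of test/compile/compile.sh lists `--disable-suid`, `--enable-gcov`, `--enable-contrib-install` and `--enable-analyzer` as untested, yet the same patch has room for three new tests (16-18) and spends one of them duplicating an existing option; at least `--disable-suid` and `--enable-analyzer` are cheap to add to the matrix here. Style: the three blank lines between that comment block and `arr[1]=` are surplus, one blank line is the file's convention.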
@@ -17,13 +27,18 @@ arr[11]="TEST 11: compile disable global config" arr[12]="TEST 12: compile apparmor" arr[13]="TEST 13: compile busybox" arr[14]="TEST 14: compile overlayfs disabled" -arr[14]="TEST 15: compile private-home disabled" +arr[15]="TEST 15: compile private-home disabled" +arr[16]="TEST 16: compile disable manpages" +arr[17]="TEST 17: disable tmpfs as regular user" +arr[18]="TEST 18: disable private home" # remove previous reports and output file cleanup() { rm -f report* rm -fr firejail rm -f oc* om* + rm -f output-configure + rm -f output-make } print_title() { @@ -77,13 +92,12 @@ rm output-configure output-make #***************************************************************** # TEST 2 #***************************************************************** -# - disable seccomp configuration +# - disable dbus proxy configuration #***************************************************************** print_title "${arr[2]}" -# seccomp cd firejail make distclean -./configure --prefix=/usr --disable-seccomp --enable-fatal-warnings 2>&1 | tee ../output-configure +./configure --prefix=/usr --disable-dbusproxy --enable-fatal-warnings 2>&1 | tee ../output-configure make -j4 2>&1 | tee ../output-make cd .. grep Warning output-configure output-make > ./report-test2 @@ -98,7 +112,6 @@ rm output-configure output-make # - disable chroot configuration #***************************************************************** print_title "${arr[3]}" -# seccomp cd firejail make distclean ./configure --prefix=/usr --disable-chroot --enable-fatal-warnings 2>&1 | tee ../output-configure @@ -116,7 +129,6 @@ rm output-configure output-make # - disable firetunnel configuration #***************************************************************** print_title "${arr[4]}" -# seccomp cd firejail make distclean ./configure --prefix=/usr --disable-firetunnel --enable-fatal-warnings 2>&1 | tee ../output-configure 
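Review bot: TEST 2 replaces `--disable-seccomp` with `--disable-dbusproxy` in place (`arr[2]="TEST 2: compile dbus proxy disabled"` and the matching `./configure` line), so a no-seccomp build is no longer compiled under `--enable-fatal-warnings` at all; if `configure` still accepts `--disable-seccomp`, keep that as its own entry and add the dbus proxy case as a new number rather than swapping them. The `arr[14]` -> `arr[15]` fix for the duplicated index and the extra `rm -f output-configure` / `rm -f output-make` in `cleanup()` are correct.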
@@ -134,7 +146,6 @@ rm output-configure output-make # - disable user namespace configuration #***************************************************************** print_title "${arr[5]}" -# seccomp cd firejail make distclean ./configure --prefix=/usr --disable-userns --enable-fatal-warnings 2>&1 | tee ../output-configure @@ -153,7 +164,6 @@ rm output-configure output-make # - check compilation #***************************************************************** print_title "${arr[6]}" -# seccomp cd firejail make distclean ./configure --prefix=/usr --disable-network --enable-fatal-warnings 2>&1 | tee ../output-configure @@ -171,7 +181,6 @@ rm output-configure output-make # - disable X11 support #***************************************************************** print_title "${arr[7]}" -# seccomp cd firejail make distclean ./configure --prefix=/usr --disable-x11 --enable-fatal-warnings 2>&1 | tee ../output-configure @@ -189,7 +198,6 @@ rm output-configure output-make # - enable selinux #***************************************************************** print_title "${arr[8]}" -# seccomp cd firejail make distclean ./configure --prefix=/usr --enable-selinux --enable-fatal-warnings 2>&1 | tee ../output-configure @@ -207,7 +215,6 @@ rm output-configure output-make # - disable file transfer #***************************************************************** print_title "${arr[9]}" -# seccomp cd firejail make distclean ./configure --prefix=/usr --disable-file-transfer --enable-fatal-warnings 2>&1 | tee ../output-configure @@ -225,7 +232,6 @@ rm output-configure output-make # - disable whitelist #***************************************************************** print_title "${arr[10]}" -# seccomp cd firejail make distclean ./configure --prefix=/usr --disable-whitelist --enable-fatal-warnings 2>&1 | tee ../output-configure 
@@ -243,7 +249,6 @@ rm output-configure output-make # - disable global config #***************************************************************** print_title "${arr[11]}" -# seccomp cd firejail make distclean ./configure --prefix=/usr --disable-globalcfg --enable-fatal-warnings 2>&1 | tee ../output-configure @@ -261,7 +266,6 @@ rm output-configure output-make # - enable apparmor #***************************************************************** print_title "${arr[12]}" -# seccomp cd firejail make distclean ./configure --prefix=/usr --enable-apparmor --enable-fatal-warnings 2>&1 | tee ../output-configure @@ -279,7 +283,6 @@ rm output-configure output-make # - enable busybox workaround #***************************************************************** print_title "${arr[13]}" -# seccomp cd firejail make distclean ./configure --prefix=/usr --enable-busybox-workaround --enable-fatal-warnings 2>&1 | tee ../output-configure @@ -297,7 +300,6 @@ rm output-configure output-make # - disable overlayfs #***************************************************************** print_title "${arr[14]}" -# seccomp cd firejail make distclean ./configure --prefix=/usr --disable-overlayfs --enable-fatal-warnings 2>&1 | tee ../output-configure @@ -315,7 +317,6 @@ rm output-configure output-make # - disable private home #***************************************************************** print_title "${arr[15]}" -# seccomp cd firejail make distclean ./configure --prefix=/usr --disable-private-home --enable-fatal-warnings 2>&1 | tee ../output-configure 
@@ -327,6 +328,57 @@ cp output-configure oc15 cp output-make om15 rm output-configure output-make +#***************************************************************** +# TEST 16 +#***************************************************************** +# - disable manpages +#***************************************************************** +print_title "${arr[16]}" +cd firejail +make distclean +./configure --prefix=/usr --disable-man --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +cd .. +grep Warning output-configure output-make > ./report-test16 +grep Error output-configure output-make >> ./report-test16 +cp output-configure oc16 +cp output-make om16 +rm output-configure output-make + +#***************************************************************** +# TEST 17 +#***************************************************************** +# - disable tmpfs as regular user" +#***************************************************************** +print_title "${arr[17]}" +cd firejail +make distclean +./configure --prefix=/usr --disable-usertmpfs --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +cd .. +grep Warning output-configure output-make > ./report-test17 +grep Error output-configure output-make >> ./report-test17 +cp output-configure oc17 +cp output-make om17 +rm output-configure output-make + +#***************************************************************** +# TEST 18 +#***************************************************************** +# - disable private home feature +#***************************************************************** +print_title "${arr[18]}" +cd firejail +make distclean +./configure --prefix=/usr --disable-private-home --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +cd .. 
+grep Warning output-configure output-make > ./report-test18 +grep Error output-configure output-make >> ./report-test18 +cp output-configure oc18 +cp output-make om18 +rm output-configure output-make + #***************************************************************** # PRINT REPORTS #***************************************************************** @@ -356,3 +408,6 @@ echo ${arr[12]} echo ${arr[13]} echo ${arr[14]} echo ${arr[15]} +echo ${arr[16]} +echo ${arr[17]} +echo ${arr[18]} diff --git a/test/environment/allow-debuggers.exp b/test/environment/allow-debuggers.exp index c2f4be64c25..f660c123a81 100755 --- a/test/environment/allow-debuggers.exp +++ b/test/environment/allow-debuggers.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/environment/csh.exp b/test/environment/csh.exp index ff61e6a837a..f8ced07b578 100755 --- a/test/environment/csh.exp +++ b/test/environment/csh.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/environment/dash.exp b/test/environment/dash.exp index 82e2f5cad9a..983a527cfe2 100755 --- a/test/environment/dash.exp +++ b/test/environment/dash.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/environment/deterministic-exit-code.exp b/test/environment/deterministic-exit-code.exp index a92203b2db3..1a1e5360589 100755 --- a/test/environment/deterministic-exit-code.exp +++ b/test/environment/deterministic-exit-code.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 4 diff --git a/test/environment/dns.exp b/test/environment/dns.exp index 801a7e2b1b6..5b06b51c088 100755 --- a/test/environment/dns.exp +++ b/test/environment/dns.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/environment/doubledash.exp b/test/environment/doubledash.exp index 60d4700ddad..27575533786 100755 --- a/test/environment/doubledash.exp +++ b/test/environment/doubledash.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/environment/env.exp b/test/environment/env.exp index 107a41bebbf..4f6f8a1b781 100755 --- a/test/environment/env.exp +++ b/test/environment/env.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/environment/environment.sh b/test/environment/environment.sh index e88036d3de5..1e1dd549b8a 100755 --- a/test/environment/environment.sh +++ b/test/environment/environment.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 
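Review bot: TEST 18 in the `@@ -327,6 +328,57 @@` hunk of the configure-test script duplicates TEST 15: both run `./configure --prefix=/usr --disable-private-home --enable-fatal-warnings`, so the new block adds a full rebuild without new coverage; either drop it or point it at a configure option that is not yet exercised. Two smaller things in the same hunk: the TEST 17 banner `# - disable tmpfs as regular user"` has a stray trailing quote, and the `echo ${arr[16]}` to `echo ${arr[18]}` lines added in the `@@ -356,3 +408,6 @@` hunk assume `arr` has been extended with three titles, which is outside this diff, so please confirm the array definition was updated as well.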
@@ -70,12 +70,12 @@ echo "TESTING: firejail in firejail - single sandbox (test/environment/firejail- ./firejail-in-firejail.exp which aplay 2>/dev/null -if [ "$?" -eq 0 ]; +if [ "$?" -eq 0 ] && [ "$(aplay -l | grep -c "List of PLAYBACK")" -gt 0 ]; then echo "TESTING: sound (test/environment/sound.exp)" ./sound.exp else - echo "TESTING SKIP: aplay not found" + echo "TESTING SKIP: no aplay or sound card found" fi echo "TESTING: nice (test/environment/nice.exp)" @@ -112,14 +112,17 @@ echo "TESTING: rlimit (test/environment/rlimit.exp)" echo "TESTING: rlimit profile (test/environment/rlimit-profile.exp)" ./rlimit-profile.exp +echo "TESTING: rlimit join (test/environment/rlimit-join.exp)" +./rlimit-join.exp + echo "TESTING: rlimit errors (test/environment/rlimit-bad.exp)" ./rlimit-bad.exp echo "TESTING: rlimit errors profile (test/environment/rlimit-bad-profile.exp)" ./rlimit-bad-profile.exp -echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code.exp" +echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code.exp)" ./deterministic-exit-code.exp -echo "TESTING: retain umask (test/environment/umask.exp" +echo "TESTING: retain umask (test/environment/umask.exp)" (umask 123 && ./umask.exp) diff --git a/test/environment/extract_command.exp b/test/environment/extract_command.exp index 50a933ec364..f91a10fa671 100755 --- a/test/environment/extract_command.exp +++ b/test/environment/extract_command.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/environment/firejail-in-firejail.exp b/test/environment/firejail-in-firejail.exp index be422a294f4..45905626096 100755 --- a/test/environment/firejail-in-firejail.exp +++ b/test/environment/firejail-in-firejail.exp 
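Review bot: In the `@@ -70,12 +70,12 @@` hunk of environment.sh, `aplay -l` runs with stderr attached to the test log, so on a host where aplay is installed but no card is configured, whatever it prints to stderr lands in the output even though the test is then skipped; `aplay -l 2>/dev/null | grep -c "List of PLAYBACK"` keeps "TESTING SKIP: no aplay or sound card found" as the only line. Checking `$?` of a `which` call on the previous line is also easy to break if anything is inserted between them; `if command -v aplay >/dev/null 2>&1 && [ "$(aplay -l 2>/dev/null | grep -c "List of PLAYBACK")" -gt 0 ]; then` expresses the whole condition in one place.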
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/environment/hostfile.exp b/test/environment/hostfile.exp index 7f5034931cf..6b98863e57a 100755 --- a/test/environment/hostfile.exp +++ b/test/environment/hostfile.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 diff --git a/test/environment/ibus.exp b/test/environment/ibus.exp index 857cef38c48..089736f33e1 100755 --- a/test/environment/ibus.exp +++ b/test/environment/ibus.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/environment/machineid.exp b/test/environment/machineid.exp index ecfd70f55d5..f0b3d294265 100755 --- a/test/environment/machineid.exp +++ b/test/environment/machineid.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 diff --git a/test/environment/nice.exp b/test/environment/nice.exp index b4afc28d2ae..80591978d96 100755 --- a/test/environment/nice.exp +++ b/test/environment/nice.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/environment/output.exp b/test/environment/output.exp index 0ad5250c102..dd03001d722 100755 --- a/test/environment/output.exp +++ b/test/environment/output.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/environment/output.sh b/test/environment/output.sh index 14c20a79a34..edf7dc4cb9a 100755 --- a/test/environment/output.sh +++ b/test/environment/output.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 i="0" diff --git a/test/environment/quiet.exp b/test/environment/quiet.exp index 0a22051f545..510491738fe 100755 --- a/test/environment/quiet.exp +++ b/test/environment/quiet.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 4 diff --git a/test/environment/rlimit-bad-profile.exp b/test/environment/rlimit-bad-profile.exp index 35d9b447917..b1572afb6e9 100755 --- a/test/environment/rlimit-bad-profile.exp +++ b/test/environment/rlimit-bad-profile.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 @@ -11,7 +11,7 @@ match_max 100000 send -- "firejail --profile=rlimit-bad1.profile\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "invalid rlimit" + "invalid rlimit-fsize in profile file. Only use positive numbers and k, m or g suffix." } after 100 diff --git a/test/environment/rlimit-bad.exp b/test/environment/rlimit-bad.exp index 7eaac27b6a4..c05e14b979f 100755 --- a/test/environment/rlimit-bad.exp +++ b/test/environment/rlimit-bad.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 
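Review bot: Matching the complete sentence "invalid rlimit-fsize in profile file. Only use positive numbers and k, m or g suffix." in the `@@ -11,7 +11,7 @@` hunk of rlimit-bad-profile.exp couples the test to the exact wording of the error message, so any later rewording breaks it; if the intent is to check that the right limit is reported, `"invalid rlimit-fsize in profile file"` is enough, and the same applies to the matching change in rlimit-bad.exp.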
@@ -10,7 +10,7 @@ match_max 100000 send -- "firejail --rlimit-fsize=-1024\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "invalid rlimit" + "invalid rlimit-fsize. Only use positive numbers and k, m or g suffix." } after 100 diff --git a/test/environment/rlimit-join.exp b/test/environment/rlimit-join.exp new file mode 100755 index 00000000000..aa8a203c098 --- /dev/null +++ b/test/environment/rlimit-join.exp @@ -0,0 +1,36 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2021 Firejail Authors +# License GPL v2 + +set timeout 10 +cd /home +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --noprofile --name=\"rlimit testing\"\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --rlimit-nofile=1234 --join=\"rlimit testing\"\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Switching to pid" +} +sleep 1 + +send -- "cat /proc/self/limits\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Max open files 1234 1234" +} +after 100 + +send -- "exit\r" +after 100 + +puts "\nall done\n" diff --git a/test/environment/rlimit-profile.exp b/test/environment/rlimit-profile.exp index 721e2196e9f..4071675eeef 100755 --- a/test/environment/rlimit-profile.exp +++ b/test/environment/rlimit-profile.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 @@ -30,7 +30,7 @@ expect { } expect { timeout {puts "TESTING ERROR 1.4\n";exit} - "Max address space 123456789012 123456789012" + "Max address space 1234567890 1234567890" } expect { timeout {puts "TESTING ERROR 1.5\n";exit} diff --git a/test/environment/rlimit.exp b/test/environment/rlimit.exp index 757faf1f942..6fcb554a75b 100755 --- a/test/environment/rlimit.exp +++ b/test/environment/rlimit.exp 
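Review bot: In the new test/environment/rlimit-join.exp, the pattern `"Max open files 1234 1234"` is matched against raw `cat /proc/self/limits` output, whose columns are padded with runs of spaces, and a bare expect string is matched as a glob, so please verify on a real run that this matches (the existing rlimit.exp patterns have the same shape, so either both work or both need `| tr -s ' '` on the send line). Separately, the script only exits the joined shell: the first spawned shell holding the `--name="rlimit testing"` sandbox is never sent an `exit`, so the sandbox lives on until expect tears the spawn down; send `exit` to the first spawn_id as well so a rerun does not collide on the sandbox name.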
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 @@ -8,7 +8,7 @@ cd /home spawn $env(SHELL) match_max 100000 -send -- "firejail --rlimit-fsize=1024 --rlimit-nproc=1000 --rlimit-nofile=500 --rlimit-sigpending=200 --rlimit-as=123456789012\r" +send -- "firejail --rlimit-fsize=1024 --rlimit-nproc=1000 --rlimit-nofile=500 --rlimit-sigpending=200 --rlimit-as=1234567890\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "Child process initialized" @@ -30,7 +30,7 @@ expect { } expect { timeout {puts "TESTING ERROR 1.4\n";exit} - "Max address space 123456789012 123456789012" + "Max address space 1234567890 1234567890" } expect { timeout {puts "TESTING ERROR 1.5\n";exit} diff --git a/test/environment/rlimit.profile b/test/environment/rlimit.profile index a569edc6d67..2f1134e6c6f 100644 --- a/test/environment/rlimit.profile +++ b/test/environment/rlimit.profile @@ -2,4 +2,4 @@ rlimit-fsize 1024 rlimit-nproc 1000 rlimit-nofile 500 rlimit-sigpending 200 -rlimit-as 123456789012 +rlimit-as 1234567890 diff --git a/test/environment/shell-none.exp b/test/environment/shell-none.exp index aed9adbd443..50722532664 100755 --- a/test/environment/shell-none.exp +++ b/test/environment/shell-none.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/environment/sound.exp b/test/environment/sound.exp index fadad9eedc8..e5fa27e7705 100755 --- a/test/environment/sound.exp +++ b/test/environment/sound.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 
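Review bot: The reason for lowering rlimit-as from 123456789012 to 1234567890 in rlimit.exp, rlimit-profile.exp and rlimit.profile is not stated anywhere in the diff; if it is that 123456789012 does not fit in 32 bits while 1234567890 does, a one-line comment in rlimit.profile (or the commit message) saying so would keep someone from bumping the value back later.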
diff --git a/test/environment/timeout.exp b/test/environment/timeout.exp index c8b215084b6..ea0dd67b739 100755 --- a/test/environment/timeout.exp +++ b/test/environment/timeout.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/environment/umask.exp b/test/environment/umask.exp index a3b80bd1c80..e1f520fcd2c 100755 --- a/test/environment/umask.exp +++ b/test/environment/umask.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/environment/zsh.exp b/test/environment/zsh.exp index 8c493ac231a..a750ac55c39 100755 --- a/test/environment/zsh.exp +++ b/test/environment/zsh.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fcopy/cmdline.exp b/test/fcopy/cmdline.exp index f0416d51ef1..00e44e48943 100755 --- a/test/fcopy/cmdline.exp +++ b/test/fcopy/cmdline.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fcopy/dircopy.exp b/test/fcopy/dircopy.exp index a74ce161683..633d12d0899 100755 --- a/test/fcopy/dircopy.exp +++ b/test/fcopy/dircopy.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # diff --git a/test/fcopy/fcopy.sh b/test/fcopy/fcopy.sh index 96b51523849..822f6a9cd00 100755 --- a/test/fcopy/fcopy.sh +++ b/test/fcopy/fcopy.sh 
@@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 diff --git a/test/fcopy/filecopy.exp b/test/fcopy/filecopy.exp index 7f7fbea9e69..fb911e2224d 100755 --- a/test/fcopy/filecopy.exp +++ b/test/fcopy/filecopy.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # diff --git a/test/fcopy/linkcopy.exp b/test/fcopy/linkcopy.exp index a9b3a067f0a..dbc33c6a7b9 100755 --- a/test/fcopy/linkcopy.exp +++ b/test/fcopy/linkcopy.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # diff --git a/test/features/1.1.exp b/test/features/1.1.exp index 5cf3b724e32..fe1e0f13274 100755 --- a/test/features/1.1.exp +++ b/test/features/1.1.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # # disable /boot diff --git a/test/features/1.10.exp b/test/features/1.10.exp index b37b6c5681b..5dd03ecefcc 100755 --- a/test/features/1.10.exp +++ b/test/features/1.10.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # # disable /selinux diff --git a/test/features/1.2.exp b/test/features/1.2.exp index c9a9480a75d..f7a55b44599 100755 --- a/test/features/1.2.exp +++ b/test/features/1.2.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # # new /proc 
diff --git a/test/features/1.4.exp b/test/features/1.4.exp index a19589b6eb4..66a8c1175e3 100755 --- a/test/features/1.4.exp +++ b/test/features/1.4.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # # mask other users diff --git a/test/features/1.5.exp b/test/features/1.5.exp index cd296bbd8a0..ba0aea220e2 100755 --- a/test/features/1.5.exp +++ b/test/features/1.5.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # # PID namespace diff --git a/test/features/1.6.exp b/test/features/1.6.exp index 24951d27a49..89fa29de06f 100755 --- a/test/features/1.6.exp +++ b/test/features/1.6.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # # new /var/log diff --git a/test/features/1.7.exp b/test/features/1.7.exp index 701aa0ca5df..3e9c0908f57 100755 --- a/test/features/1.7.exp +++ b/test/features/1.7.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # # new /var/tmp diff --git a/test/features/1.8.exp b/test/features/1.8.exp index bd7d7add246..15936c2fbae 100755 --- a/test/features/1.8.exp +++ b/test/features/1.8.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # # disable /etc/firejail and ~/.config/firejail diff --git a/test/features/2.1.exp b/test/features/2.1.exp index 4ad3f3bff98..6e741a1c23e 100755 --- a/test/features/2.1.exp +++ b/test/features/2.1.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # # hostname diff --git a/test/features/2.2.exp b/test/features/2.2.exp index c8c6461ddbe..3f30d0bad49 100755 --- a/test/features/2.2.exp +++ b/test/features/2.2.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # # DNS diff --git a/test/features/2.3.exp b/test/features/2.3.exp index ccc2bd16827..6c520fdbadb 100755 --- a/test/features/2.3.exp +++ b/test/features/2.3.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # # mac-vlan diff --git a/test/features/2.4.exp b/test/features/2.4.exp index fb64d84c1a9..74b7881f035 100755 --- a/test/features/2.4.exp +++ b/test/features/2.4.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # # bridge diff --git a/test/features/2.5.exp b/test/features/2.5.exp index 74f47e1a1b1..bc3e44e8f23 100755 --- a/test/features/2.5.exp +++ b/test/features/2.5.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # # interface diff --git a/test/features/2.6.exp b/test/features/2.6.exp index 27347d43d6d..7c763e6f193 100755 --- a/test/features/2.6.exp +++ b/test/features/2.6.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # # default gateway 
diff --git a/test/features/3.1.exp b/test/features/3.1.exp index c1167f2966f..6ba56517ae5 100755 --- a/test/features/3.1.exp +++ b/test/features/3.1.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # # private diff --git a/test/features/3.10.exp b/test/features/3.10.exp index fdec33d1b97..4797c765b1d 100755 --- a/test/features/3.10.exp +++ b/test/features/3.10.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # # whitelist tmp diff --git a/test/features/3.11.exp b/test/features/3.11.exp index 27daaf75288..b26d7b8882a 100755 --- a/test/features/3.11.exp +++ b/test/features/3.11.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # # mkdir diff --git a/test/features/3.2.exp b/test/features/3.2.exp index eae820dd763..df73b978618 100755 --- a/test/features/3.2.exp +++ b/test/features/3.2.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # # read-only diff --git a/test/features/3.3.exp b/test/features/3.3.exp index 9f58a1e1a79..499718dbd52 100755 --- a/test/features/3.3.exp +++ b/test/features/3.3.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # # blacklist diff --git a/test/features/3.4.exp b/test/features/3.4.exp index 343f2a37cf0..e59ff8a3828 100755 --- a/test/features/3.4.exp +++ b/test/features/3.4.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # # whitelist home diff --git a/test/features/3.5.exp b/test/features/3.5.exp index 37e492ea4f3..8c37aebb316 100755 --- a/test/features/3.5.exp +++ b/test/features/3.5.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # # private-dev diff --git a/test/features/3.6.exp b/test/features/3.6.exp index ca76f6a3895..0149a04cdba 100755 --- a/test/features/3.6.exp +++ b/test/features/3.6.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # # private-etc diff --git a/test/features/3.7.exp b/test/features/3.7.exp index 532c157af27..9d3e7265c70 100755 --- a/test/features/3.7.exp +++ b/test/features/3.7.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # # private-tmp diff --git a/test/features/3.8.exp b/test/features/3.8.exp index 80cdf7306cc..5546ef15bbd 100755 --- a/test/features/3.8.exp +++ b/test/features/3.8.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # # private-bin diff --git a/test/features/3.9.exp b/test/features/3.9.exp index 56a1fc006cd..6029160a632 100755 --- a/test/features/3.9.exp +++ b/test/features/3.9.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # # whitelist dev 
diff --git a/test/features/test.sh b/test/features/test.sh index 431a6491b7b..392e6c15973 100755 --- a/test/features/test.sh +++ b/test/features/test.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 export LC_ALL=C diff --git a/test/filters/apparmor.exp b/test/filters/apparmor.exp index 32edba72a95..f20326fe0c6 100755 --- a/test/filters/apparmor.exp +++ b/test/filters/apparmor.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/filters/caps-join.exp b/test/filters/caps-join.exp index 5b80b2b48bf..4f3a2832dfb 100755 --- a/test/filters/caps-join.exp +++ b/test/filters/caps-join.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/filters/caps-print.exp b/test/filters/caps-print.exp index e78ab527584..e8465aee12d 100755 --- a/test/filters/caps-print.exp +++ b/test/filters/caps-print.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/filters/caps.exp b/test/filters/caps.exp index b9aa8d22e15..8776e83d41b 100755 --- a/test/filters/caps.exp +++ b/test/filters/caps.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/filters/debug.exp b/test/filters/debug.exp index 4a5a1163938..b2ca9519104 100755 --- a/test/filters/debug.exp +++ b/test/filters/debug.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/filters/filters.sh b/test/filters/filters.sh index fba90522d50..a9f06b60a4e 100755 --- a/test/filters/filters.sh +++ b/test/filters/filters.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 diff --git a/test/filters/fseccomp.exp b/test/filters/fseccomp.exp index c7062b3958b..59f812d6d98 100755 --- a/test/filters/fseccomp.exp +++ b/test/filters/fseccomp.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/filters/memwrexe-32.exp b/test/filters/memwrexe-32.exp index d7fad909181..1aeaacc823d 100755 --- a/test/filters/memwrexe-32.exp +++ b/test/filters/memwrexe-32.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/filters/memwrexe.c b/test/filters/memwrexe.c index 797e7881d92..4fbf05f78cb 100644 --- a/test/filters/memwrexe.c +++ b/test/filters/memwrexe.c @@ -1,5 +1,5 @@ // This file is part of Firejail project -// Copyright (C) 2014-2020 Firejail Authors +// Copyright (C) 2014-2021 Firejail Authors // License GPL v2 #include @@ -65,7 +65,7 @@ int main(int argc, char **argv) { } void *p = mmap (0, size, PROT_READ, MAP_SHARED, fd, 0); - if (!p) { + if (p == MAP_FAILED) { fprintf(stderr, "TESTING ERROR: cannot map file for mprotect test\n"); return 1; } diff --git a/test/filters/memwrexe.exp b/test/filters/memwrexe.exp index 244f2477f33..2b170803ccf 100755 --- a/test/filters/memwrexe.exp 
+++ b/test/filters/memwrexe.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/filters/noroot.exp b/test/filters/noroot.exp index e9f01443fdd..64f72f610a3 100755 --- a/test/filters/noroot.exp +++ b/test/filters/noroot.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/filters/protocol.exp b/test/filters/protocol.exp index 0fecd645da2..071460e4cc3 100755 --- a/test/filters/protocol.exp +++ b/test/filters/protocol.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/filters/seccomp-bad-empty.exp b/test/filters/seccomp-bad-empty.exp index 269ea1a405a..5e7c8e1b5ae 100755 --- a/test/filters/seccomp-bad-empty.exp +++ b/test/filters/seccomp-bad-empty.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/filters/seccomp-chmod-profile.exp b/test/filters/seccomp-chmod-profile.exp index 9b61397ca6e..5587e056c8e 100755 --- a/test/filters/seccomp-chmod-profile.exp +++ b/test/filters/seccomp-chmod-profile.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 @@ -41,7 +41,7 @@ expect { send -- "chmod +x testfile; echo done\r" expect { timeout {puts "TESTING ERROR 5\n";exit} - "Bad system call" + "Operation not permitted" } expect { timeout {puts "TESTING ERROR 6\n";exit} 
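Review bot: The `if (p == MAP_FAILED)` change in test/filters/memwrexe.c is the correct fix: mmap() reports failure by returning MAP_FAILED, which is `(void *) -1`, never NULL, so the old `if (!p)` check could not catch a failed mapping and the test would have carried on to mprotect an invalid pointer; while here, add `strerror(errno)` to the "cannot map file for mprotect test" message so a failing run says why the mapping was refused.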
diff --git a/test/filters/seccomp-chmod.exp b/test/filters/seccomp-chmod.exp index 01b9cbaacae..0d01d4ff2c7 100755 --- a/test/filters/seccomp-chmod.exp +++ b/test/filters/seccomp-chmod.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 @@ -41,7 +41,7 @@ expect { send -- "chmod +x testfile; echo done\r" expect { timeout {puts "TESTING ERROR 5\n";exit} - "Bad system call" + "Operation not permitted" } expect { timeout {puts "TESTING ERROR 6\n";exit} diff --git a/test/filters/seccomp-chown.exp b/test/filters/seccomp-chown.exp index f6094c9659e..0a19229b4b7 100755 --- a/test/filters/seccomp-chown.exp +++ b/test/filters/seccomp-chown.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/filters/seccomp-debug-32.exp b/test/filters/seccomp-debug-32.exp index 08e590041cb..677ca4e3008 100755 --- a/test/filters/seccomp-debug-32.exp +++ b/test/filters/seccomp-debug-32.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/filters/seccomp-debug.exp b/test/filters/seccomp-debug.exp index c3ba9c0842d..852abf822ff 100755 --- a/test/filters/seccomp-debug.exp +++ b/test/filters/seccomp-debug.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/filters/seccomp-dualfilter.exp b/test/filters/seccomp-dualfilter.exp index b6204fc641b..e655be848a4 100755 --- a/test/filters/seccomp-dualfilter.exp +++ b/test/filters/seccomp-dualfilter.exp 
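Review bot: Changing the expected string from "Bad system call" to "Operation not permitted" in the `@@ -41,7 +41,7 @@` hunks of seccomp-chmod-profile.exp and seccomp-chmod.exp means the chmod filter is now expected to return an errno (EPERM) instead of killing the process, which is a behaviour change in the sandbox rather than in the tests; the filter or profile change that causes it is not in this diff, so the commit message should name it and state whether a process surviving a blocked chmod is intentional. With the process no longer killed, `echo done` after `chmod +x testfile` will always print, so the TESTING ERROR 6 expectation that follows should be checked to confirm it still tells a pass from a fail.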
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 1 diff --git a/test/filters/seccomp-empty.exp b/test/filters/seccomp-empty.exp index 81411218f97..3baa7f0c68a 100755 --- a/test/filters/seccomp-empty.exp +++ b/test/filters/seccomp-empty.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/filters/seccomp-errno.exp b/test/filters/seccomp-errno.exp index d125a90dc62..6c7c63e8899 100755 --- a/test/filters/seccomp-errno.exp +++ b/test/filters/seccomp-errno.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/filters/seccomp-join.exp b/test/filters/seccomp-join.exp index bb693e94dc2..9a8767ed783 100755 --- a/test/filters/seccomp-join.exp +++ b/test/filters/seccomp-join.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/filters/seccomp-numeric.exp b/test/filters/seccomp-numeric.exp index 6e8402cfa9a..59fc26884f8 100755 --- a/test/filters/seccomp-numeric.exp +++ b/test/filters/seccomp-numeric.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/filters/seccomp-postexec.exp b/test/filters/seccomp-postexec.exp index 164230482bb..18263520a40 100755 --- a/test/filters/seccomp-postexec.exp +++ b/test/filters/seccomp-postexec.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/filters/seccomp-ptrace.exp b/test/filters/seccomp-ptrace.exp index 39cd6a39353..ec8ab615c2b 100755 --- a/test/filters/seccomp-ptrace.exp +++ b/test/filters/seccomp-ptrace.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/filters/seccomp-run-files.exp b/test/filters/seccomp-run-files.exp index fd3033a692d..1e3827f0f6f 100755 --- a/test/filters/seccomp-run-files.exp +++ b/test/filters/seccomp-run-files.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 @@ -24,7 +24,7 @@ after 100 send -- "ls -l /run/firejail/mnt/seccomp | grep -c seccomp\r" expect { timeout {puts "TESTING ERROR 3\n";exit} - "5" + "6" } send -- "exit\r" sleep 1 @@ -90,7 +90,7 @@ after 100 send -- "ls -l /run/firejail/mnt/seccomp | grep -c seccomp\r" expect { timeout {puts "TESTING ERROR 18\n";exit} - "6" + "8" } send -- "exit\r" sleep 1 diff --git a/test/filters/seccomp-su.exp b/test/filters/seccomp-su.exp index 6a3d99916af..4bd8b5e93de 100755 --- a/test/filters/seccomp-su.exp +++ b/test/filters/seccomp-su.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/filters/syscall_test.c b/test/filters/syscall_test.c index f153e8b3f26..55ee31afb7a 100644 --- a/test/filters/syscall_test.c +++ b/test/filters/syscall_test.c 
@@ -1,5 +1,5 @@ // This file is part of Firejail project -// Copyright (C) 2014-2020 Firejail Authors +// Copyright (C) 2014-2021 Firejail Authors // License GPL v2 #include diff --git a/test/fnetfilter/cmdline.exp b/test/fnetfilter/cmdline.exp index 944fcda52af..16e8ccb81e2 100755 --- a/test/fnetfilter/cmdline.exp +++ b/test/fnetfilter/cmdline.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fnetfilter/copy.exp b/test/fnetfilter/copy.exp index 4702a5d0244..6c672141ff1 100755 --- a/test/fnetfilter/copy.exp +++ b/test/fnetfilter/copy.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fnetfilter/default.exp b/test/fnetfilter/default.exp index 2b5bdbb6981..fee9fb5f391 100755 --- a/test/fnetfilter/default.exp +++ b/test/fnetfilter/default.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fnetfilter/fnetfilter.sh b/test/fnetfilter/fnetfilter.sh index 636a9d08657..9fac92d393e 100755 --- a/test/fnetfilter/fnetfilter.sh +++ b/test/fnetfilter/fnetfilter.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 diff --git a/test/fnetfilter/template.exp b/test/fnetfilter/template.exp index 03a8d622987..0ff09a0249a 100755 --- a/test/fnetfilter/template.exp +++ b/test/fnetfilter/template.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/fs.sh b/test/fs/fs.sh index dd24f59222b..9c3310b317f 100755 --- a/test/fs/fs.sh +++ b/test/fs/fs.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 @@ -15,15 +15,18 @@ echo "TESTING: mkdir/mkfile (test/fs/mkdir_mkfile.exp)" ./mkdir_mkfile.exp rm -fr ~/_firejail_test_* -mkdir ~/_firejail_test_dir -touch ~/_firejail_test_dir/a -mkdir ~/_firejail_test_dir/test1 -touch ~/_firejail_test_dir/test1/b +echo "TESTING: recursive mkdir (test/fs/mkdir.exp)" +./mkdir.exp +rm -fr ~/_firejail_test_* +rm -fr /tmp/_firejail_test_* + echo "TESTING: read/write (test/fs/read-write.exp)" ./read-write.exp +rm -fr ~/_firejail_test_dir + echo "TESTING: whitelist readonly (test/fs/whitelist-readonly.exp)" ./whitelist-readonly.exp -rm -fr ~/_firejail_test_* +rm -f ~/_firejail_test_dir echo "TESTING: /sys/fs access (test/fs/sys_fs.exp)" ./sys_fs.exp @@ -37,16 +40,19 @@ fi echo "TESTING: read/write /var/tmp (test/fs/fs_var_tmp.exp)" ./fs_var_tmp.exp +rm -f /var/tmp/_firejail_test_file echo "TESTING: private-lib (test/fs/private-lib.exp)" ./private-lib.exp echo "TESTING: read/write /var/lock (test/fs/fs_var_lock.exp)" ./fs_var_lock.exp +rm -f /var/lock/_firejail_test_file if [ -w /dev/shm ]; then echo "TESTING: read/write /dev/shm (test/fs/fs_dev_shm.exp)" ./fs_dev_shm.exp + rm -f /dev/shm/_firejail_test_file else echo "TESTING SKIP: /dev/shm not writable" fi 
@@ -56,12 +62,23 @@ echo "TESTING: private (test/fs/private.exp)" echo "TESTING: private home (test/fs/private-home.exp)" ./private-home.exp +rm -f ~/_firejail_test_file1 +rm -f ~/_firejail_test_file2 +rm -fr ~/_firejail_test_dir1 +rm -f ~/_firejail_test_link1 +rm -f ~/_firejail_test_link2 echo "TESTING: private home dir (test/fs/private-home-dir.exp)" ./private-home-dir.exp +rm -fr ~/_firejail_test_dir1 echo "TESTING: private home dir same as user home (test/fs/private-homedir.exp)" ./private-homedir.exp +rm -f ~/_firejail_test_file1 +rm -f ~/_firejail_test_file2 +rm -fr ~/_firejail_test_dir1 +rm -f ~/_firejail_test_link1 +rm -f ~/_firejail_test_link2 echo "TESTING: private-etc (test/fs/private-etc.exp)" ./private-etc.exp @@ -74,6 +91,7 @@ echo "TESTING: private-bin (test/fs/private-bin.exp)" echo "TESTING: private-cache (test/fs/private-cache.exp)" ./private-cache.exp +rm -f ~/.cache/abcdefg echo "TESTING: private-cwd (test/fs/private-cwd.exp)" ./private-cwd.exp @@ -83,6 +101,12 @@ echo "TESTING: macros (test/fs/macro.exp)" echo "TESTING: whitelist empty (test/fs/whitelist-empty.exp)" ./whitelist-empty.exp +rm -f ~/Videos/_firejail_test_fil +rm -f ~/Pictures/_firejail_test_file +rm -f ~/Music/_firejail_test_file +rm -f ~/Downloads/_firejail_test_file +rm -f ~/Documents/_firejail_test_file +rm -f ~/Desktop/_firejail_test_file echo "TESTING: private whitelist (test/fs/private-whitelist.exp)" ./private-whitelist.exp @@ -95,9 +119,11 @@ echo "TESTING: blacklist directory (test/fs/option_blacklist.exp)" echo "TESTING: blacklist file (test/fs/option_blacklist_file.exp)" ./option_blacklist_file.exp +rm -fr ~/_firejail_test_dir echo "TESTING: blacklist glob (test/fs/option_blacklist_glob.exp)" ./option_blacklist_glob.exp +rm -fr ~/_firejail_test_dir echo "TESTING: noblacklist blacklist noexec (test/fs/noblacklist-blacklist-noexec.exp)" ./noblacklist-blacklist-noexec.exp 
@@ -108,14 +134,13 @@ echo "TESTING: noblacklist blacklist readonly (test/fs/noblacklist-blacklist-rea echo "TESTING: bind as user (test/fs/option_bind_user.exp)" ./option_bind_user.exp -echo "TESTING: recursive mkdir (test/fs/mkdir.exp)" -./mkdir.exp - echo "TESTING: double whitelist (test/fs/whitelist-double.exp)" ./whitelist-double.exp +rm -f /tmp/_firejail_test_file echo "TESTING: whitelist (test/fs/whitelist.exp)" ./whitelist.exp +rm -fr ~/_firejail_test_* echo "TESTING: whitelist dev, var(test/fs/whitelist-dev.exp)" ./whitelist-dev.exp @@ -131,6 +156,8 @@ echo "TESTING: fscheck --bind non root (test/fs/fscheck-bindnoroot.exp)" echo "TESTING: fscheck --tmpfs non root (test/fs/fscheck-tmpfs.exp)" ./fscheck-tmpfs.exp +rm -fr ~/_firejail_test_dir +rm -fr /tmp/_firejail_test_dir echo "TESTING: fscheck --private= (test/fs/fscheck-private.exp)" ./fscheck-private.exp @@ -139,10 +166,4 @@ echo "TESTING: fscheck --read-only= (test/fs/fscheck-readonly.exp)" ./fscheck-readonly.exp #cleanup -rm -fr ~/fjtest-dir -rm -fr ~/fjtest-dir-lnk -rm -f ~/fjtest-file -rm -f ~/fjtest-file-lnk -rm -f /tmp/fjtest-file -rm -fr /tmp/fjtest-dir -rm -fr ~/_firejail_test_* +rm -fr ~/_firejail_test* diff --git a/test/fs/fs_dev_shm.exp b/test/fs/fs_dev_shm.exp index 5f1013339cf..5f05034942d 100755 --- a/test/fs/fs_dev_shm.exp +++ b/test/fs/fs_dev_shm.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 @@ -16,13 +16,13 @@ expect { after 100 send -- "stty -echo\r" -send -- "echo mytest > /dev/shm/ttt;echo done\r" +send -- "echo mytest > /dev/shm/_firejail_test_file;echo done\r" expect { timeout {puts "TESTING ERROR 1\n";exit} "done" } -send -- "cat /dev/shm/ttt;echo done\r" +send -- "cat /dev/shm/_firejail_test_file;echo done\r" expect { timeout {puts "TESTING ERROR 2\n";exit} "mytest" 
@@ -32,13 +32,13 @@ expect { "done" } -send -- "rm /dev/shm/ttt;echo done\r" +send -- "rm /dev/shm/_firejail_test_file;echo done\r" expect { timeout {puts "TESTING ERROR 4\n";exit} "done" } -send -- "cat /dev/shm/ttt;echo done\r" +send -- "cat /dev/shm/_firejail_test_file;echo done\r" expect { timeout {puts "TESTING ERROR 5\n";exit} "mytest" {puts "TESTING ERROR 6\n";exit} @@ -57,13 +57,13 @@ expect { after 100 send -- "stty -echo\r" -send -- "echo mytest > /dev/shm/ttt;echo done\r" +send -- "echo mytest > /dev/shm/_firejail_test_file;echo done\r" expect { timeout {puts "TESTING ERROR 8\n";exit} "done" } -send -- "cat /dev/shm/ttt;echo done\r" +send -- "cat /dev/shm/_firejail_test_file;echo done\r" expect { timeout {puts "TESTING ERROR 9\n";exit} "mytest" @@ -73,13 +73,13 @@ expect { "done" } -send -- "rm /dev/shm/ttt;echo done\r" +send -- "rm /dev/shm/_firejail_test_file;echo done\r" expect { timeout {puts "TESTING ERROR 11\n";exit} "done" } -send -- "cat /dev/shm/ttt;echo done\r" +send -- "cat /dev/shm/_firejail_test_file;echo done\r" expect { timeout {puts "TESTING ERROR 12\n";exit} "mytest" {puts "TESTING ERROR 13\n";exit} diff --git a/test/fs/fs_var_lock.exp b/test/fs/fs_var_lock.exp index 762027b5bbd..3ea98c3e32d 100755 --- a/test/fs/fs_var_lock.exp +++ b/test/fs/fs_var_lock.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/fs_var_tmp.exp b/test/fs/fs_var_tmp.exp index 886e773d8ce..c7d4b0c20f9 100755 --- a/test/fs/fs_var_tmp.exp +++ b/test/fs/fs_var_tmp.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 
@@ -16,13 +16,13 @@ expect { after 100 send -- "stty -echo\r" -send -- "echo mytest > /var/tmp/ttt;echo done\r" +send -- "echo mytest > /var/tmp/_firejail_test_file;echo done\r" expect { timeout {puts "TESTING ERROR 1\n";exit} "done" } -send -- "cat /var/tmp/ttt;echo done\r" +send -- "cat /var/tmp/_firejail_test_file;echo done\r" expect { timeout {puts "TESTING ERROR 2\n";exit} "mytest" @@ -32,13 +32,13 @@ expect { "done" } -send -- "rm /var/tmp/ttt;echo done\r" +send -- "rm /var/tmp/_firejail_test_file;echo done\r" expect { timeout {puts "TESTING ERROR 4\n";exit} "done" } -send -- "cat /var/tmp/ttt;echo done\r" +send -- "cat /var/tmp/_firejail_test_file;echo done\r" expect { timeout {puts "TESTING ERROR 5\n";exit} "mytest" {puts "TESTING ERROR 6\n";exit} @@ -58,13 +58,13 @@ expect { after 100 send -- "stty -echo\r" -send -- "echo mytest > /var/tmp/ttt;echo done\r" +send -- "echo mytest > /var/tmp/_firejail_test_file;echo done\r" expect { timeout {puts "TESTING ERROR 8\n";exit} "done" } -send -- "cat /var/tmp/ttt;echo done\r" +send -- "cat /var/tmp/_firejail_test_file;echo done\r" expect { timeout {puts "TESTING ERROR 9\n";exit} "mytest" @@ -74,13 +74,13 @@ expect { "done" } -send -- "rm /var/tmp/ttt;echo done\r" +send -- "rm /var/tmp/_firejail_test_file;echo done\r" expect { timeout {puts "TESTING ERROR 11\n";exit} "done" } -send -- "cat /var/tmp/ttt;echo done\r" +send -- "cat /var/tmp/_firejail_test_file;echo done\r" expect { timeout {puts "TESTING ERROR 12\n";exit} "mytest" {puts "TESTING ERROR 13\n";exit} diff --git a/test/fs/fscheck-bindnoroot.exp b/test/fs/fscheck-bindnoroot.exp index eff8c4fadbe..53a3922eee0 100755 --- a/test/fs/fscheck-bindnoroot.exp +++ b/test/fs/fscheck-bindnoroot.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 
diff --git a/test/fs/fscheck-private.exp b/test/fs/fscheck-private.exp index 2cf985a9abc..ab39b43e19e 100755 --- a/test/fs/fscheck-private.exp +++ b/test/fs/fscheck-private.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/fscheck-readonly.exp b/test/fs/fscheck-readonly.exp index c591e46703f..5d4821deabd 100755 --- a/test/fs/fscheck-readonly.exp +++ b/test/fs/fscheck-readonly.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/fscheck-tmpfs.exp b/test/fs/fscheck-tmpfs.exp index ebd3eeb9c87..78b6efb7637 100755 --- a/test/fs/fscheck-tmpfs.exp +++ b/test/fs/fscheck-tmpfs.exp 
@@ -1,18 +1,55 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 spawn $env(SHELL) match_max 100000 -# .. -send -- "firejail --tmpfs=fscheck-dir\r" +send -- "mkdir -p ~/fjtest-dir/fjtest-dir\r" +after 100 +send -- "mkdir /tmp/fjtest-dir\r" +after 100 + +if { ! [file exists ~/fjtest-dir/fjtest-dir] } { + puts "TESTING ERROR 1\n" + exit +} +if { ! [file exists /tmp/fjtest-dir] } { + puts "TESTING ERROR 2\n" + exit +} + +send -- "firejail --noprofile --tmpfs=~/fjtest-dir\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "Child process initialized" +} +after 500 + +send -- "ls ~/fjtest-dir/fjtest-dir\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "No such file or directory" +} +after 500 + +send -- "exit\r" +after 500 + +send -- "firejail --noprofile --tmpfs=/tmp/fjtest-dir\r" expect { - timeout {puts "TESTING ERROR 0.1\n";exit} - "Error" + timeout {puts "TESTING ERROR 5\n";exit} + "Warning: you are not allowed to mount a tmpfs" } +after 500 + +# cleanup +send -- "rm -fr ~/fjtest-dir\r" after 100 +send -- "rm -fr /tmp/fjtest-dir\r" +after 100 + puts "\nall done\n" diff --git a/test/fs/invalid_filename.exp b/test/fs/invalid_filename.exp index bfefcec6807..7c47979767b 100755 --- a/test/fs/invalid_filename.exp +++ b/test/fs/invalid_filename.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/kmsg.exp b/test/fs/kmsg.exp index 8ae520836ce..209cb8d3b19 100755 --- a/test/fs/kmsg.exp +++ b/test/fs/kmsg.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 
diff --git a/test/fs/macro.exp b/test/fs/macro.exp index fd992822289..45e892088e8 100755 --- a/test/fs/macro.exp +++ b/test/fs/macro.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/mkdir.exp b/test/fs/mkdir.exp index 59005e1a214..da04a431c21 100755 --- a/test/fs/mkdir.exp +++ b/test/fs/mkdir.exp 
@@ -1,49 +1,49 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 3 spawn $env(SHELL) match_max 100000 -send -- "firejail --profile=mkdir.profile find ~/.firejail_test\r" +send -- "rm -fr ~/_firejail_test_dir\r" +after 100 + +send -- "firejail --profile=mkdir.profile find ~/_firejail_test_dir\r" expect { timeout {puts "TESTING ERROR 1.1\n";exit} - "Warning: cannot create" { puts "TESTING ERROR 1.2\n";exit} - "No such file or directory" { puts "TESTING ERROR 1.3\n";exit} - ".firejail_test/a/b/c/d.txt" + "_firejail_test_dir/_firejail_test_file" } -send -- "rm -rf ~/.firejail_test\r" +send -- "rm -rf ~/_firejail_test_dir\r" after 100 -send -- "firejail --profile=mkdir.profile find /tmp/.firejail_test\r" +send -- "firejail --profile=mkdir.profile find /tmp/_firejail_test_dir\r" expect { timeout {puts "TESTING ERROR 2.1\n";exit} - "Warning: cannot create" { puts "TESTING ERROR 2.2\n";exit} - "No such file or directory" { puts "TESTING ERROR 2.3\n";exit} - "/tmp/.firejail_test/a/b/c/d.txt" + "_firejail_test_dir/_firejail_test_file" } -send -- "rm -rf /tmp/.firejail_test\r" +send -- "rm -rf /tmp/_firejail_test_dir\r" after 100 set UID [exec id -u] -send -- "firejail --profile=mkdir.profile find /run/user/$UID/.firejail_test\r" -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "Warning: cannot create" { puts "TESTING ERROR 3.2\n";exit} - "No such file or directory" { puts "TESTING ERROR 3.3\n";exit} - "/run/user/$UID/.firejail_test/a/b/c/d.txt" -} -send -- "rm -rf /run/user/$UID/.firejail_test\r" -after 100 +set fexist [file exist /run/user/$UID] +if { $fexist } { + send -- "firejail --profile=mkdir.profile find /run/user/$UID/_firejail_test_dir\r" + expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "_firejail_test_dir/_firejail_test_file" + } + send -- "rm -rf /run/user/$UID/_firejail_test_dir\r" + after 100 -send -- "firejail 
--profile=mkdir2.profile\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "only files or directories in user home, /tmp, or /run/user/" + send -- "firejail --profile=mkdir2.profile\r" + expect { + timeout {puts "TESTING ERROR 4\n";exit} + "only files or directories in user home, /tmp, or /run/user/" + } + after 100 } -after 100 puts "\nall done\n" diff --git a/test/fs/mkdir.profile b/test/fs/mkdir.profile index 35c27c87247..fba93f46678 100644 --- a/test/fs/mkdir.profile +++ b/test/fs/mkdir.profile @@ -1,6 +1,6 @@ -mkdir ~/.firejail_test/a/b/c -mkfile ~/.firejail_test/a/b/c/d.txt -mkdir /tmp/.firejail_test/a/b/c -mkfile /tmp/.firejail_test/a/b/c/d.txt -mkdir ${RUNUSER}/.firejail_test/a/b/c -mkfile ${RUNUSER}/.firejail_test/a/b/c/d.txt +mkdir ~/_firejail_test_dir +mkfile ~/_firejail_test_dir/_firejail_test_file +mkdir /tmp/_firejail_test_dir +mkfile /tmp/_firejail_test_dir/_firejail_test_file +mkdir ${RUNUSER}/_firejail_test_dir +mkfile ${RUNUSER}/_firejail_test_dir/_firejail_test_file diff --git a/test/fs/mkdir_mkfile.exp b/test/fs/mkdir_mkfile.exp index 109984035f3..eddc6ebfbbf 100755 --- a/test/fs/mkdir_mkfile.exp +++ b/test/fs/mkdir_mkfile.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 
@@ -22,23 +22,23 @@ expect { "_firejail_test_dir" } expect { - timeout {puts "TESTING ERROR 1\n";exit} + timeout {puts "TESTING ERROR 2\n";exit} "_firejail_test_dir/dir1" } expect { - timeout {puts "TESTING ERROR 1\n";exit} + timeout {puts "TESTING ERROR 3\n";exit} "_firejail_test_dir/dir1/dir2" } expect { - timeout {puts "TESTING ERROR 1\n";exit} + timeout {puts "TESTING ERROR 4\n";exit} "_firejail_test_dir/dir1/dir2/dir3" } expect { - timeout {puts "TESTING ERROR 1\n";exit} + timeout {puts "TESTING ERROR 5\n";exit} "_firejail_test_dir/dir1/dir2/dir3/file1" } expect { - timeout {puts "TESTING ERROR 1\n";exit} + timeout {puts "TESTING ERROR 6\n";exit} "_firejail_test_file" } after 100 @@ -47,8 +47,8 @@ after 100 send -- "firejail --profile=mkfile.profile\r" expect { - timeout {puts "TESTING ERROR 1\n";exit} - "only files in user home or /tmp" + timeout {puts "TESTING ERROR 7\n";exit} + "only files or directories in user home, /tmp" } after 100 diff --git a/test/fs/noblacklist-blacklist-noexec.exp b/test/fs/noblacklist-blacklist-noexec.exp index 31f5ab0544b..9f5794a7da7 100755 --- a/test/fs/noblacklist-blacklist-noexec.exp +++ b/test/fs/noblacklist-blacklist-noexec.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/noblacklist-blacklist-readonly.exp b/test/fs/noblacklist-blacklist-readonly.exp index 367d835b0c4..558d3ac9c80 100755 --- a/test/fs/noblacklist-blacklist-readonly.exp +++ b/test/fs/noblacklist-blacklist-readonly.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/option_bind_user.exp b/test/fs/option_bind_user.exp index f74d4e9945f..08b892121e7 100755 --- a/test/fs/option_bind_user.exp +++ b/test/fs/option_bind_user.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/option_blacklist.exp b/test/fs/option_blacklist.exp index f703c0f791e..48dfcc0699d 100755 --- a/test/fs/option_blacklist.exp +++ b/test/fs/option_blacklist.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 @@ -35,4 +35,4 @@ expect { } after 100 -puts "\n" +puts "\nall done\n" diff --git a/test/fs/option_blacklist_file.exp b/test/fs/option_blacklist_file.exp index 3c2a6c3df30..247e6912148 100755 --- a/test/fs/option_blacklist_file.exp +++ b/test/fs/option_blacklist_file.exp @@ -1,13 +1,18 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail --blacklist=/etc/passwd\r" +send -- "mkdir ~/_firejail_test_dir\r" +after 100 +send -- "touch ~/_firejail_test_dir/a\r" +after 100 + +send -- "firejail --blacklist=/etc/passwd --blacklist=~/_firejail_test_dir\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "Child process initialized" @@ -15,6 +20,16 @@ expect { sleep 1 send -- "cat /etc/passwd;echo done\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "No such file or directory" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "done" +} +after 100 +send -- "cat ~/_firejail_test_dir/a;echo done\r" expect { timeout {puts "TESTING ERROR 1\n";exit} "Permission denied" @@ -25,4 +40,10 @@ expect { } after 100 -puts "\n" +send -- "exit\r" +sleep 1 + +send -- "rm -fr ~/_firejail_test_dir\r" +after 100 + +puts "\nall done\n" 
diff --git a/test/fs/option_blacklist_glob.exp b/test/fs/option_blacklist_glob.exp index 8afdeff5fe2..a4be4a97d33 100755 --- a/test/fs/option_blacklist_glob.exp +++ b/test/fs/option_blacklist_glob.exp @@ -1,32 +1,47 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail --blacklist=testdir1/*\r" +send -- "mkdir ~/_firejail_test_dir\r" +after 100 +send -- "touch ~/_firejail_test_dir/a\r" +after 100 +send -- "mkdir ~/_firejail_test_dir/test1\r" +after 100 +send -- "touch ~/_firejail_test_dir/test1/b\r" +after 100 + +send -- "firejail --blacklist=~/_firejail_test_dir/*\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "Child process initialized" } sleep 1 -send -- "cd testdir1\r" +send -- "cd ~/_firejail_test_dir\r" sleep 1 -send -- "cat .file\r" +send -- "cat a\r" expect { timeout {puts "TESTING ERROR 1\n";exit} "Permission denied" } -send -- "ls .directory\r" +send -- "ls test1\r" expect { timeout {puts "TESTING ERROR 2\n";exit} "Permission denied" } after 100 -puts "\n" +send -- "exit\r" +sleep 1 + +send -- "rm -fr ~/_firejail_test_dir\r" +after 100 + +puts "\nall done\n" diff --git a/test/fs/private-bin.exp b/test/fs/private-bin.exp index 3f74a196f53..b5d205780c7 100755 --- a/test/fs/private-bin.exp +++ b/test/fs/private-bin.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/private-cache.exp b/test/fs/private-cache.exp index 0597e892186..3244c21c1cf 100755 --- a/test/fs/private-cache.exp +++ b/test/fs/private-cache.exp 
@@ -1,22 +1,23 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 spawn $env(SHELL) match_max 100000 -if {[file exists ~/.cache]} { - puts "found .cache directory\n" -} else { - send -- "mkdir --mode=755 ~/.cache\r" -} +send -- "mkdir --mode=700 ~/.cache\r" after 100 send -- "touch ~/.cache/abcdefg\r" after 100 +if { ! [file exists ~/.cache/abcdefg] } { + puts "TESTING ERROR 0\n" + exit +} + send -- "firejail --noprofile --private-cache\r" expect { timeout {puts "TESTING ERROR 1\n";exit} @@ -34,23 +35,8 @@ after 100 send -- "exit\r" sleep 1 -send -- "rm -v ~/.cache/abcdefg\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "removed" -} +# cleanup +send -- "rm ~/.cache/abcdefg\r" after 100 -# redo the test with --private - -send -- "firejail --noprofile --private --private-cache\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Warning" -} -sleep 1 - -send -- "exit\r" -sleep 1 - puts "\nall done\n" diff --git a/test/fs/private-cwd.exp b/test/fs/private-cwd.exp index d439e2c1e9d..54804a6a6da 100755 --- a/test/fs/private-cwd.exp +++ b/test/fs/private-cwd.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/private-etc-empty.exp b/test/fs/private-etc-empty.exp index f6c5405bf31..9be18f9bdd0 100755 --- a/test/fs/private-etc-empty.exp +++ b/test/fs/private-etc-empty.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/private-etc.exp b/test/fs/private-etc.exp index e727eee5c3e..7d0e9f61979 100755 --- a/test/fs/private-etc.exp +++ b/test/fs/private-etc.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 @@ -64,9 +64,6 @@ expect { } after 100 - - - - +send -- "exit\r" after 100 puts "\nall done\n" diff --git a/test/fs/private-home-dir.exp b/test/fs/private-home-dir.exp index bf429601020..bd8cab16fc1 100755 --- a/test/fs/private-home-dir.exp +++ b/test/fs/private-home-dir.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 @@ -21,13 +21,13 @@ if {[file exists ~/.Xauthority]} { send -- "touch ~/.Xauthority\r" } after 100 -send -- "rm -fr ~/_firejail_test_dir_\r" +send -- "rm -fr ~/_firejail_test_dir1_\r" after 100 -send -- "mkdir ~/_firejail_test_dir_\r" +send -- "mkdir ~/_firejail_test_dir1_\r" sleep 1 # testing profile and private -send -- "firejail --private=~/_firejail_test_dir_\r" +send -- "firejail --private=~/_firejail_test_dir1_\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "Child process initialized" @@ -67,12 +67,12 @@ expect { "private directory is not owned by the current user" } sleep 1 -send -- "mkdir ~/_firejail_test_dir_/test_dir_2\r" +send -- "mkdir ~/_firejail_test_dir1_/test_dir_2\r" after 100 -send -- "touch ~/_firejail_test_dir_/test_dir_2/testfile\r" +send -- "touch ~/_firejail_test_dir1_/test_dir_2/testfile\r" sleep 1 -send -- "firejail --debug --noprofile --blacklist=~/test_dir_2 --private=~/_firejail_test_dir_\r" +send -- "firejail --debug --noprofile --blacklist=~/test_dir_2 --private=~/_firejail_test_dir1_\r" expect { timeout {puts "TESTING ERROR 10\n";exit} "Disable" @@ -98,7 +98,8 @@ after 100 send "exit\r" sleep 1 -send -- "rm -fr ~/_firejail_test_dir_\r" +send -- "rm -fr ~/_firejail_test_dir1\r" after 100 + puts "\nall done\n" 
diff --git a/test/fs/private-home.exp b/test/fs/private-home.exp index a46071b3a9d..6fbe8b0f62a 100755 --- a/test/fs/private-home.exp +++ b/test/fs/private-home.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 @@ -95,8 +95,19 @@ expect { "broken symbolic link" } send -- "exit\r" +sleep 1 -send -- "rm -f ~/_firejail_test*\r" +send -- "echo cleanup\r" +after 100 +send -- "rm -f ~/_firejail_test_file1\r" +after 100 +send -- "rm -f ~/_firejail_test_file2\r" +after 100 +send -- "rm -fr ~/_firejail_test_dir1\r" +after 100 +send -- "rm -f ~/_firejail_test_link1\r" +after 100 +send -- "rm -f ~/_firejail_test_link2\r" after 100 puts "\nall done\n" diff --git a/test/fs/private-homedir.exp b/test/fs/private-homedir.exp index 36d61786e52..78fb705ec8a 100755 --- a/test/fs/private-homedir.exp +++ b/test/fs/private-homedir.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/private-lib.exp b/test/fs/private-lib.exp index ed04de1f9d3..f32affabb39 100755 --- a/test/fs/private-lib.exp +++ b/test/fs/private-lib.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 @@ -30,8 +30,8 @@ after 100 send -- "cd /lib; find .\r" expect { timeout {puts "TESTING ERROR 5\n";exit} - "modules" {puts "TESTING ERROR 6\n";exit} - "firmware" {puts "TESTING ERROR 7\n";exit} + "./modules" {puts "TESTING ERROR 6\n";exit} + "./firmware" {puts "TESTING ERROR 7\n";exit} "libc.so" } after 100 diff --git a/test/fs/private-whitelist.exp b/test/fs/private-whitelist.exp index c988bce7f7c..1879a3d54f7 100755 --- a/test/fs/private-whitelist.exp 
+++ b/test/fs/private-whitelist.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/private.exp b/test/fs/private.exp index e59f64085f9..d4f7fc893f3 100755 --- a/test/fs/private.exp +++ b/test/fs/private.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/read-write.exp b/test/fs/read-write.exp index 2ff4cda7c74..6c0f755dac8 100755 --- a/test/fs/read-write.exp +++ b/test/fs/read-write.exp @@ -1,12 +1,20 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 spawn $env(SHELL) match_max 100000 +send -- "mkdir ~/_firejail_test_dir\r" +after 100 +send -- "touch ~/_firejail_test_dir/a\r" +after 100 +send -- "mkdir ~/_firejail_test_dir/test1\r" +after 100 +send -- "touch ~/_firejail_test_dir/test1/b\r" +after 100 send -- "firejail --read-only=~/_firejail_test_dir --read-write=~/_firejail_test_dir/test1\r" expect { @@ -31,5 +39,10 @@ expect { "mytest" } +after 100 +send -- "exit\r" +sleep 1 + +send -- "rm -fr ~/_firejail_test_dir\r" after 100 puts "\nall done\n" diff --git a/test/fs/sys_fs.exp b/test/fs/sys_fs.exp index 60e935a4cf8..de7fadf6cdf 100755 --- a/test/fs/sys_fs.exp +++ b/test/fs/sys_fs.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/testdir1/.directory/file b/test/fs/testdir1/.directory/file deleted file mode 100644 index e69de29bb2d..00000000000 
diff --git a/test/fs/testdir1/.file b/test/fs/testdir1/.file deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/test/fs/testfile1 b/test/fs/testfile1 deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/test/fs/whitelist-dev.exp b/test/fs/whitelist-dev.exp index 0db5b571cd7..d0466bbebd6 100755 --- a/test/fs/whitelist-dev.exp +++ b/test/fs/whitelist-dev.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 @@ -61,6 +61,9 @@ expect { "19" {puts "OK\n"} "20" {puts "OK\n"} "21" {puts "OK\n"} + "22" {puts "OK\n"} + "23" {puts "OK\n"} + "24" {puts "OK\n"} } after 100 diff --git a/test/fs/whitelist-double.exp b/test/fs/whitelist-double.exp index 90cfbaf1102..e653517a6e2 100755 --- a/test/fs/whitelist-double.exp +++ b/test/fs/whitelist-double.exp @@ -1,23 +1,23 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "echo 123 > /tmp/firejal-deleteme\r" +send -- "echo 123 > /tmp/_firejail_test_file\r" sleep 1 -send -- "firejail --whitelist=/tmp/firejal-deleteme --whitelist=/tmp/firejal-deleteme\r" +send -- "firejail --whitelist=/tmp/_firejail_test_file --whitelist=/tmp/_firejail_test_file\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "Child process initialized" } sleep 1 -send -- "cat /tmp/firejal-deleteme\r" +send -- "cat /tmp/_firejail_test_file\r" expect { timeout {puts "TESTING ERROR 1\n";exit} "123" 
@@ -26,13 +26,13 @@ expect { send -- "exit\r" sleep 1 -send -- "cat /tmp/firejal-deleteme\r" +send -- "cat /tmp/_firejail_test_file\r" expect { timeout {puts "TESTING ERROR 2\n";exit} "123" } -send -- "rm -v /tmp/firejal-deleteme\r" +send -- "rm -v /tmp/_firejail_test_file\r" expect { timeout {puts "TESTING ERROR 3\n";exit} "removed" diff --git a/test/fs/whitelist-empty.exp b/test/fs/whitelist-empty.exp index c4810963f85..dbc04cf3066 100755 --- a/test/fs/whitelist-empty.exp +++ b/test/fs/whitelist-empty.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 30 diff --git a/test/fs/whitelist-noexec.exp b/test/fs/whitelist-noexec.exp index ee601c12db6..e1c39b66fa9 100755 --- a/test/fs/whitelist-noexec.exp +++ b/test/fs/whitelist-noexec.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/whitelist-readonly.exp b/test/fs/whitelist-readonly.exp index 0e5794a17d5..f9d78b7c005 100755 --- a/test/fs/whitelist-readonly.exp +++ b/test/fs/whitelist-readonly.exp @@ -1,12 +1,20 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 spawn $env(SHELL) match_max 100000 +send -- "mkdir ~/_firejail_test_dir\r" +after 100 +send -- "touch ~/_firejail_test_dir/a\r" +after 100 +send -- "mkdir ~/_firejail_test_dir/test1\r" +after 100 +send -- "touch ~/_firejail_test_dir/test1/b\r" +after 100 send -- "firejail --noprofile --whitelist=~/_firejail_test_dir --read-only=~\r" expect { @@ -25,4 +33,6 @@ after 100 send -- "exit\r" sleep 1 +send -- "rm -fr ~/_firejail_test_dir\r" +after 100 puts "\nall done\n" 
diff --git a/test/fs/whitelist-whitespace.exp b/test/fs/whitelist-whitespace.exp index 9534568c4d1..1b1c4c1cb28 100755 --- a/test/fs/whitelist-whitespace.exp +++ b/test/fs/whitelist-whitespace.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/fs/whitelist.exp b/test/fs/whitelist.exp index 11dfa98c80c..dcc2276b859 100755 --- a/test/fs/whitelist.exp +++ b/test/fs/whitelist.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 @@ -16,10 +16,7 @@ send -- "rm ~/fjtest-file\r" after 200 send -- "rm ~/fjtest-file-lnk\r" after 200 -send -- "rm /tmp/fjtest-file\r" -after 200 -send -- "rm -fr /tmp/fjtest-dir\r" -after 200 + # simple files and directories 
@@ -149,63 +146,7 @@ expect { send -- "exit\r" sleep 1 -# symlinks outside home to a file we don't own -send -- "rm ~/fjtest-file-lnk\r" -after 200 -send -- "ln -s /etc/passwd ~/fjtest-file-lnk\r" -after 200 -send -- "firejail --whitelist=~/fjtest-file-lnk --whitelist=~/fjtest-dir-lnk\r" -expect { - timeout {puts "TESTING ERROR 30\n";exit} - "invalid whitelist path" -} -expect { - timeout {puts "TESTING ERROR 31\n";exit} - "cannot sync with peer" -} -sleep 1 - -# symlinks outside home to a file we own -send -- "rm -fr ~/fjtest-dir-lnk\r" -after 200 -send -- "rm ~/fjtest-file-lnk\r" -after 200 -send -- "echo 123 > /tmp/fjtest-file\r" -after 200 -send -- "mkdir /tmp/fjtest-dir\r" -after 200 -send -- "echo 123 > /tmp/fjtest-dir/fjtest-file\r" -after 200 -send -- "ln -s /tmp/fjtest-file ~/fjtest-file-lnk\r" -after 200 -send -- "ln -s /tmp/fjtest-dir ~/fjtest-dir-lnk\r" -after 200 -send -- "firejail --whitelist=~/fjtest-file-lnk --whitelist=~/fjtest-dir-lnk\r" -expect { - timeout {puts "TESTING ERROR 40\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "ls -l ~/ | grep -v total | wc -l\r" -expect { - timeout {puts "TESTING ERROR 41\n";exit} - "2" -} -send -- "cat ~/fjtest-file-lnk\r" -expect { - timeout {puts "TESTING ERROR 42\n";exit} - "123" -} - -send -- "cat ~/fjtest-dir-lnk/fjtest-file\r" -expect { - timeout {puts "TESTING ERROR 43\n";exit} - "123" -} -send -- "exit\r" -sleep 1 # cleanup send -- "rm -fr ~/fjtest-dir\r" @@ -216,10 +157,5 @@ send -- "rm ~/fjtest-file\r" after 200 send -- "rm ~/fjtest-file-lnk\r" after 200 -send -- "rm /tmp/fjtest-file\r" -after 200 -send -- "rm -fr /tmp/fjtest-dir\r" -after 200 - puts "\nall done\n" diff --git a/test/network/4bridges_arp.exp b/test/network/4bridges_arp.exp index 4e191ffd600..d608128f86b 100755 --- a/test/network/4bridges_arp.exp +++ b/test/network/4bridges_arp.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/4bridges_ip.exp b/test/network/4bridges_ip.exp index a613b3e5406..586dfcba955 100755 --- a/test/network/4bridges_ip.exp +++ b/test/network/4bridges_ip.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/bandwidth.exp b/test/network/bandwidth.exp index b8497d93673..d73669ebe42 100755 --- a/test/network/bandwidth.exp +++ b/test/network/bandwidth.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/configure b/test/network/configure index 64d09893109..f75e9b23fff 100755 --- a/test/network/configure +++ b/test/network/configure @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 brctl addbr br0 diff --git a/test/network/dns-print.exp b/test/network/dns-print.exp index a002daecab1..5ee4c0d1994 100755 --- a/test/network/dns-print.exp +++ b/test/network/dns-print.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/firemon-arp.exp b/test/network/firemon-arp.exp index 70d12916539..8e0a0b1b06a 100755 --- a/test/network/firemon-arp.exp +++ b/test/network/firemon-arp.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/firemon-interfaces.exp b/test/network/firemon-interfaces.exp index 17b9f75359a..494496a2656 100755 --- a/test/network/firemon-interfaces.exp +++ b/test/network/firemon-interfaces.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/firemon-route.exp b/test/network/firemon-route.exp index fe2f5a952e7..a1ded08c1e6 100755 --- a/test/network/firemon-route.exp +++ b/test/network/firemon-route.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/hostname.exp b/test/network/hostname.exp index 205ae8078b1..825f1f6cf99 100755 --- a/test/network/hostname.exp +++ b/test/network/hostname.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/interface.exp b/test/network/interface.exp index 35b22daaf07..78178e23327 100755 --- a/test/network/interface.exp +++ b/test/network/interface.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # # interface diff --git a/test/network/ip6.exp b/test/network/ip6.exp index e1583c22fd6..ed29964c6ae 100755 --- a/test/network/ip6.exp +++ b/test/network/ip6.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/iprange.exp b/test/network/iprange.exp index 5d270166f5f..2690a128af8 100755 --- a/test/network/iprange.exp +++ b/test/network/iprange.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/net_arp.exp b/test/network/net_arp.exp index 5b170bad587..84912cdddd5 100755 --- a/test/network/net_arp.exp +++ b/test/network/net_arp.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/net_badip.exp b/test/network/net_badip.exp index 4e20f904053..b09f4d192ce 100755 --- a/test/network/net_badip.exp +++ b/test/network/net_badip.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/net_defaultgw.exp b/test/network/net_defaultgw.exp index 9093c7ad4cb..19dd94dbd7d 100755 --- a/test/network/net_defaultgw.exp +++ b/test/network/net_defaultgw.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/net_defaultgw2.exp b/test/network/net_defaultgw2.exp index 3ecb1cb5115..4f5864822a1 100755 --- a/test/network/net_defaultgw2.exp +++ b/test/network/net_defaultgw2.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/net_defaultgw3.exp b/test/network/net_defaultgw3.exp index fe745d3265d..dc3589c3c23 100755 --- a/test/network/net_defaultgw3.exp +++ b/test/network/net_defaultgw3.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/net_ip.exp b/test/network/net_ip.exp index e67dfd587f3..098eed758af 100755 --- a/test/network/net_ip.exp +++ b/test/network/net_ip.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/net_local.exp b/test/network/net_local.exp index c1794f200e4..d5d4170e825 100755 --- a/test/network/net_local.exp +++ b/test/network/net_local.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/net_mac.exp b/test/network/net_mac.exp index d62a78e3975..e067f604f07 100755 --- a/test/network/net_mac.exp +++ b/test/network/net_mac.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/net_macvlan2.exp b/test/network/net_macvlan2.exp index 80c85a78859..1f67f059ecb 100755 --- a/test/network/net_macvlan2.exp +++ b/test/network/net_macvlan2.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/net_mtu.exp b/test/network/net_mtu.exp index 19a488376c3..439e0533490 100755 --- a/test/network/net_mtu.exp +++ b/test/network/net_mtu.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/net_netfilter.exp b/test/network/net_netfilter.exp index bce067c439e..8a949c22bb1 100755 --- a/test/network/net_netfilter.exp +++ b/test/network/net_netfilter.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/net_noip.exp b/test/network/net_noip.exp index 46ef6f9fbfb..53b719f6cd6 100755 --- a/test/network/net_noip.exp +++ b/test/network/net_noip.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/net_noip2.exp b/test/network/net_noip2.exp index 579661fbcb2..aa74d6ba80b 100755 --- a/test/network/net_noip2.exp +++ b/test/network/net_noip2.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/net_none.exp b/test/network/net_none.exp index 6ec4187d324..c8787c34281 100755 --- a/test/network/net_none.exp +++ b/test/network/net_none.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/net_profile.exp b/test/network/net_profile.exp index f3152798441..e7c6530df45 100755 --- a/test/network/net_profile.exp +++ b/test/network/net_profile.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/net_scan.exp b/test/network/net_scan.exp index 6cd3804beb0..b9260925ab0 100755 --- a/test/network/net_scan.exp +++ b/test/network/net_scan.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/net_unconfigured.exp b/test/network/net_unconfigured.exp index 349d4c0424c..d2b60d73c46 100755 --- a/test/network/net_unconfigured.exp +++ b/test/network/net_unconfigured.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/net_veth.exp b/test/network/net_veth.exp index ada2d7bd9e4..cd4e64e24b9 100755 --- a/test/network/net_veth.exp +++ b/test/network/net_veth.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/netfilter-template.exp b/test/network/netfilter-template.exp index 72dfa1653f1..dadea143030 100755 --- a/test/network/netfilter-template.exp +++ b/test/network/netfilter-template.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/netns.exp b/test/network/netns.exp index cec3151eff7..9ef4ed55484 100755 --- a/test/network/netns.exp +++ b/test/network/netns.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/netstats.exp b/test/network/netstats.exp index 4b47c389d66..e15e2f42d61 100755 --- a/test/network/netstats.exp +++ b/test/network/netstats.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/network/network.sh b/test/network/network.sh index a216f556384..9f2b9e1cd03 100755 --- a/test/network/network.sh +++ b/test/network/network.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 diff --git a/test/network/tcpserver.c b/test/network/tcpserver.c index f7f8a41bc01..72730b67401 100644 --- a/test/network/tcpserver.c +++ b/test/network/tcpserver.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014-2020 Firejail Authors + * Copyright (C) 2014-2021 Firejail Authors * * This file is part of firejail project * diff --git a/test/network/veth-name.exp b/test/network/veth-name.exp index 4ad5f868c6c..1790381e382 100755 --- a/test/network/veth-name.exp +++ b/test/network/veth-name.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 
diff --git a/test/overlay/firefox-x11-xorg.exp b/test/overlay/firefox-x11-xorg.exp index 395a91a1f9c..ecb9288b0b3 100755 --- a/test/overlay/firefox-x11-xorg.exp +++ b/test/overlay/firefox-x11-xorg.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/overlay/firefox-x11.exp b/test/overlay/firefox-x11.exp index 1b3f779bb1d..5b7b1bec3b3 100755 --- a/test/overlay/firefox-x11.exp +++ b/test/overlay/firefox-x11.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/overlay/firefox.exp b/test/overlay/firefox.exp index fd3c73d32c7..25c6e5e070c 100755 --- a/test/overlay/firefox.exp +++ b/test/overlay/firefox.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/overlay/fs-named.exp b/test/overlay/fs-named.exp index abfddabc31b..df1dfc2441c 100755 --- a/test/overlay/fs-named.exp +++ b/test/overlay/fs-named.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/overlay/fs-tmpfs.exp b/test/overlay/fs-tmpfs.exp index 130159ad0b8..5bd2b25fcba 100755 --- a/test/overlay/fs-tmpfs.exp +++ b/test/overlay/fs-tmpfs.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/overlay/fs.exp b/test/overlay/fs.exp index f8c8150d355..3314e849d71 100755 --- a/test/overlay/fs.exp 
+++ b/test/overlay/fs.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/overlay/overlay.sh b/test/overlay/overlay.sh index 3d4ec06d43e..f1daba935c6 100755 --- a/test/overlay/overlay.sh +++ b/test/overlay/overlay.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 diff --git a/test/private-lib/atril.exp b/test/private-lib/atril.exp index effdf0b7f63..679799f022b 100755 --- a/test/private-lib/atril.exp +++ b/test/private-lib/atril.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/private-lib/dig.exp b/test/private-lib/dig.exp index a15d5e44a75..39f3f6d4947 100755 --- a/test/private-lib/dig.exp +++ b/test/private-lib/dig.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/private-lib/eog.exp b/test/private-lib/eog.exp index 85f9b3e3db5..ac6ecfff748 100755 --- a/test/private-lib/eog.exp +++ b/test/private-lib/eog.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/private-lib/eom.exp b/test/private-lib/eom.exp index a8caf1b010f..47e74971260 100755 --- a/test/private-lib/eom.exp +++ b/test/private-lib/eom.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/private-lib/evince.exp b/test/private-lib/evince.exp index 184d9e6e672..1e270a2ef7f 100755 --- a/test/private-lib/evince.exp +++ b/test/private-lib/evince.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/private-lib/galculator.exp b/test/private-lib/galculator.exp index 2fc05772eb8..68ff9f834e7 100755 --- a/test/private-lib/galculator.exp +++ b/test/private-lib/galculator.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/private-lib/gedit.exp b/test/private-lib/gedit.exp index 00ecfb184ad..67be5c215ee 100755 --- a/test/private-lib/gedit.exp +++ b/test/private-lib/gedit.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/private-lib/gnome-calculator.exp b/test/private-lib/gnome-calculator.exp index 31c139738e5..67712bd67b8 100755 --- a/test/private-lib/gnome-calculator.exp +++ b/test/private-lib/gnome-calculator.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/private-lib/gnome-logs.exp b/test/private-lib/gnome-logs.exp index c143f5c9994..f671effe40a 100755 --- a/test/private-lib/gnome-logs.exp +++ b/test/private-lib/gnome-logs.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/private-lib/gnome-nettool.exp b/test/private-lib/gnome-nettool.exp index 09841c4a884..a6808477628 100755 --- a/test/private-lib/gnome-nettool.exp +++ b/test/private-lib/gnome-nettool.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/private-lib/gnome-system-log.exp b/test/private-lib/gnome-system-log.exp index 3a81cff8f89..c3b1f2377b9 100755 --- a/test/private-lib/gnome-system-log.exp +++ b/test/private-lib/gnome-system-log.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/private-lib/gpicview.exp b/test/private-lib/gpicview.exp index cb8b2b0402d..b438c6de3f6 100755 --- a/test/private-lib/gpicview.exp +++ b/test/private-lib/gpicview.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/private-lib/leafpad.exp b/test/private-lib/leafpad.exp index 9ef36641aaf..fbe8e284c70 100755 --- a/test/private-lib/leafpad.exp +++ b/test/private-lib/leafpad.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/private-lib/mousepad.exp b/test/private-lib/mousepad.exp index 3bd0f4b7711..f47dfe464a3 100755 --- a/test/private-lib/mousepad.exp +++ b/test/private-lib/mousepad.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/private-lib/pavucontrol.exp b/test/private-lib/pavucontrol.exp index 078c295928e..7b8883ade66 100755 --- a/test/private-lib/pavucontrol.exp +++ b/test/private-lib/pavucontrol.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/private-lib/pluma.exp b/test/private-lib/pluma.exp index ac274cbfc7a..99d4299fb48 100755 --- a/test/private-lib/pluma.exp +++ b/test/private-lib/pluma.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/private-lib/private-lib.sh b/test/private-lib/private-lib.sh index 724fa4303ad..a70c3fad60d 100755 --- a/test/private-lib/private-lib.sh +++ b/test/private-lib/private-lib.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3g diff --git a/test/private-lib/transmission-gtk.exp b/test/private-lib/transmission-gtk.exp index 1d4b4193e6c..3c5402c8174 100755 --- a/test/private-lib/transmission-gtk.exp +++ b/test/private-lib/transmission-gtk.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/private-lib/whois.exp b/test/private-lib/whois.exp index 19cd55d1603..83dc54c7619 100755 --- a/test/private-lib/whois.exp +++ b/test/private-lib/whois.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/private-lib/xcalc.exp b/test/private-lib/xcalc.exp index 46d8903ae12..7cd74d3bd2f 100755 --- a/test/private-lib/xcalc.exp +++ b/test/private-lib/xcalc.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/profiles/comment.profile b/test/profiles/comment.profile new file mode 100644 index 00000000000..4a907a4084d --- /dev/null +++ b/test/profiles/comment.profile @@ -0,0 +1,3 @@ +# this is a comment +net none # this is another comment +private # some other comment diff --git a/test/profiles/conditional.exp b/test/profiles/conditional.exp index fc84581c281..b06b983c16f 100755 --- a/test/profiles/conditional.exp +++ b/test/profiles/conditional.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/profiles/ignore.exp b/test/profiles/ignore.exp index 7c065ef5c26..e7f210a4605 100755 --- a/test/profiles/ignore.exp +++ b/test/profiles/ignore.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/profiles/profile_appname.exp b/test/profiles/profile_appname.exp index 1148fd7646c..240a446979c 100755 --- a/test/profiles/profile_appname.exp +++ b/test/profiles/profile_appname.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 
diff --git a/test/profiles/profile_comment.exp b/test/profiles/profile_comment.exp new file mode 100755 index 00000000000..a2be510c1fd --- /dev/null +++ b/test/profiles/profile_comment.exp @@ -0,0 +1,52 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2021 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "rm -fr /tmp/firejailtest*\r" +send -- "rm -fr /tmp/firejail-strace*\r" +send -- "rm -fr /tmp/firejail-trace*\r" +sleep 1 + +send -- "firejail --profile=comment.profile /usr/bin/true\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Parent is shutting down" +} +sleep 2 + +send -- "firejail --build=/tmp/firejailtest.profile /usr/bin/true\r" +sleep 1 + +send -- "cat /tmp/firejailtest.profile\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "seccomp" +} +after 100 + +send -- "firejail --profile=/tmp/firejailtest.profile /usr/bin/true\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "Child process initialized" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Parent is shutting down" +} +after 100 + +send -- "rm -fr /tmp/firejailtest*\r" +send -- "rm -fr /tmp/firejail-strace*\r" +send -- "rm -fr /tmp/firejail-trace*\r" +after 100 + +puts "\nall done\n" diff --git a/test/profiles/profile_followlnk.exp b/test/profiles/profile_followlnk.exp index 272f4437d00..0500eac3577 100755 --- a/test/profiles/profile_followlnk.exp +++ b/test/profiles/profile_followlnk.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/profiles/profile_noperm.exp b/test/profiles/profile_noperm.exp index d5f29b0eec8..609364389aa 100755 --- a/test/profiles/profile_noperm.exp +++ b/test/profiles/profile_noperm.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/profiles/profile_readonly.exp b/test/profiles/profile_readonly.exp index 57f1a61a607..2046cc2970a 100755 --- a/test/profiles/profile_readonly.exp +++ b/test/profiles/profile_readonly.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/profiles/profile_recursivity.exp b/test/profiles/profile_recursivity.exp index 22a97c96c89..c761a1039bb 100755 --- a/test/profiles/profile_recursivity.exp +++ b/test/profiles/profile_recursivity.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/profiles/profile_syntax.exp b/test/profiles/profile_syntax.exp index 8d4b13f7479..a2cccb0d444 100755 --- a/test/profiles/profile_syntax.exp +++ b/test/profiles/profile_syntax.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 @@ -22,7 +22,7 @@ expect { } sleep 1 -send -- "ls -l /etc/shadow\r" +send -- "ls -l /dev/console\r" expect { timeout {puts "TESTING ERROR 3\n";exit} "root root" diff --git a/test/profiles/profile_syntax2.exp b/test/profiles/profile_syntax2.exp index c0d0656da71..e2ec20ca570 100755 --- a/test/profiles/profile_syntax2.exp +++ b/test/profiles/profile_syntax2.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 
diff --git a/test/profiles/profiles.sh b/test/profiles/profiles.sh index 69f0dc08606..cbc6fa4d9cd 100755 --- a/test/profiles/profiles.sh +++ b/test/profiles/profiles.sh @@ -1,12 +1,15 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) export LC_ALL=C +echo "TESTING: profile comments (test/profiles/profilecomment.exp)" +./profile_comment.exp + echo "TESTING: profile conditional (test/profiles/conditional.exp)" ./conditional.exp @@ -34,11 +37,16 @@ echo "TESTING: profile read-only links (test/profiles/profile_readonly.exp)" echo "TESTING: profile no permissions (test/profiles/profile_noperm.exp)" ./profile_noperm.exp +# GitHub CI doesn't have a /run/user/$UID directory. Using it to test a small number of profiles. +UID=`id -u` +if [ -d "/run/user/$UID" ]; then + PROFILES=`ls /etc/firejail/*.profile` + echo "TESTING: default profiles installed in /etc" +else + PROFILES=`ls /etc/firejail/transmission*.profile /etc/firejail/fi*.profile /etc/firejail/fl*.profile /etc/firejail/free*.profile` + echo "TESTING: small number of default profiles installed in /etc" +fi - - -echo "TESTING: default profiles installed in /etc" -PROFILES=`ls /etc/firejail/*.profile` for PROFILE in $PROFILES do echo "TESTING: $PROFILE" diff --git a/test/profiles/test-profile.exp b/test/profiles/test-profile.exp index 51f87d51d41..625cb651144 100755 --- a/test/profiles/test-profile.exp +++ b/test/profiles/test-profile.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/profiles/test.profile b/test/profiles/test.profile index 26d6de849cd..27cb9960691 100644 --- a/test/profiles/test.profile +++ b/test/profiles/test.profile 
@@ -1,5 +1,5 @@ blacklist /sbin/iptables -blacklist /etc/shadow +blacklist /dev/console blacklist /bin/rmdir blacklist ${PATH}/umount blacklist ${PATH}/mount diff --git a/test/root/apache2.exp b/test/root/apache2.exp index 4d237932559..0b4b65dc79d 100755 --- a/test/root/apache2.exp +++ b/test/root/apache2.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 5 diff --git a/test/root/cgroup.exp b/test/root/cgroup.exp index 3b7db513975..d24a39d07a1 100755 --- a/test/root/cgroup.exp +++ b/test/root/cgroup.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/root/checkcfg.exp b/test/root/checkcfg.exp index ff40035e36e..9a4c666e1e5 100755 --- a/test/root/checkcfg.exp +++ b/test/root/checkcfg.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/root/firecfg.exp b/test/root/firecfg.exp index b182eee13e0..65ecefe5d39 100755 --- a/test/root/firecfg.exp +++ b/test/root/firecfg.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/root/firemon-events.exp b/test/root/firemon-events.exp index 39834256601..7bf51e2c8c6 100755 --- a/test/root/firemon-events.exp +++ b/test/root/firemon-events.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 
diff --git a/test/root/isc-dhcp.exp b/test/root/isc-dhcp.exp index 13177d38366..4c468c3e8b8 100755 --- a/test/root/isc-dhcp.exp +++ b/test/root/isc-dhcp.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 5 diff --git a/test/root/join.exp b/test/root/join.exp index c9b9de11045..d995d8aa538 100755 --- a/test/root/join.exp +++ b/test/root/join.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/root/login_nobody.exp b/test/root/login_nobody.exp index 448b0957a7d..42d8fe0132d 100755 --- a/test/root/login_nobody.exp +++ b/test/root/login_nobody.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/root/nginx.exp b/test/root/nginx.exp index 5db6a45736e..924ee8afd00 100755 --- a/test/root/nginx.exp +++ b/test/root/nginx.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 5 diff --git a/test/root/option_bind_directory.exp b/test/root/option_bind_directory.exp index 1df318be183..ac642159395 100755 --- a/test/root/option_bind_directory.exp +++ b/test/root/option_bind_directory.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/root/option_bind_file.exp b/test/root/option_bind_file.exp index 9631ae39dc7..6ead284a8d9 100755 --- a/test/root/option_bind_file.exp +++ b/test/root/option_bind_file.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/root/option_tmpfs.exp b/test/root/option_tmpfs.exp index ab0a9f0f110..67a678c685b 100755 --- a/test/root/option_tmpfs.exp +++ b/test/root/option_tmpfs.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/root/private.exp b/test/root/private.exp index ef4cf2ee25b..373bd6cef56 100755 --- a/test/root/private.exp +++ b/test/root/private.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/root/profile_tmpfs.exp b/test/root/profile_tmpfs.exp index c56b827e467..8a46d666e07 100755 --- a/test/root/profile_tmpfs.exp +++ b/test/root/profile_tmpfs.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/root/root.sh b/test/root/root.sh index 0c88e67d1e1..d6b60cb2356 100755 --- a/test/root/root.sh +++ b/test/root/root.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 # set a new firejail config file diff --git a/test/root/seccomp-chmod.exp b/test/root/seccomp-chmod.exp index 219c8cf608a..d6f8b8bcc5e 100755 --- a/test/root/seccomp-chmod.exp +++ b/test/root/seccomp-chmod.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/root/seccomp-chown.exp b/test/root/seccomp-chown.exp index 80d3eb92e9e..daf3a5d066e 100755 --- a/test/root/seccomp-chown.exp +++ b/test/root/seccomp-chown.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/root/seccomp-umount.exp b/test/root/seccomp-umount.exp index 37ae7173658..0a7310fddc9 100755 --- a/test/root/seccomp-umount.exp +++ b/test/root/seccomp-umount.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/root/snmpd.exp b/test/root/snmpd.exp index 7e6deca04ec..d1fc499674a 100755 --- a/test/root/snmpd.exp +++ b/test/root/snmpd.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 5 diff --git a/test/root/unbound.exp b/test/root/unbound.exp index 87d84032326..710a95bf445 100755 --- a/test/root/unbound.exp +++ b/test/root/unbound.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 5 diff --git a/test/root/whitelist.exp b/test/root/whitelist.exp index e5bcaac24ca..429a4153e2e 100755 --- a/test/root/whitelist.exp +++ b/test/root/whitelist.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 
diff --git a/test/ssh/login.exp b/test/ssh/login.exp index 67667576e1c..6a5086a7796 100755 --- a/test/ssh/login.exp +++ b/test/ssh/login.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/ssh/scp.exp b/test/ssh/scp.exp index a6583545cae..bca6a124f51 100755 --- a/test/ssh/scp.exp +++ b/test/ssh/scp.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/ssh/sftp.exp b/test/ssh/sftp.exp index 0d9792de8d9..09d3c119e81 100755 --- a/test/ssh/sftp.exp +++ b/test/ssh/sftp.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/ssh/ssh.sh b/test/ssh/ssh.sh index 77dc89f2f54..bdad8cf872d 100755 --- a/test/ssh/ssh.sh +++ b/test/ssh/ssh.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 diff --git a/test/stress/blacklist.exp b/test/stress/blacklist.exp index 149f8f3dfb5..fae874b258d 100755 --- a/test/stress/blacklist.exp +++ b/test/stress/blacklist.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/stress/env.exp b/test/stress/env.exp index 2ac0c622652..d6955811489 100755 --- a/test/stress/env.exp +++ b/test/stress/env.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/stress/net_macvlan.exp b/test/stress/net_macvlan.exp index b8d192d2c14..a535afa2afd 100755 --- a/test/stress/net_macvlan.exp +++ b/test/stress/net_macvlan.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/stress/stress.sh b/test/stress/stress.sh index f3488a0cf3e..d32ffe907c8 100755 --- a/test/stress/stress.sh +++ b/test/stress/stress.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 diff --git a/test/sysutils/cpio.exp b/test/sysutils/cpio.exp index 1d0d4354349..4230ba375ec 100755 --- a/test/sysutils/cpio.exp +++ b/test/sysutils/cpio.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/sysutils/file.exp b/test/sysutils/file.exp index 74d5c3064b6..b97c0c28389 100755 --- a/test/sysutils/file.exp +++ b/test/sysutils/file.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/sysutils/gzip.exp b/test/sysutils/gzip.exp index d81b78abaf9..be2222f062b 100755 --- a/test/sysutils/gzip.exp +++ b/test/sysutils/gzip.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 
diff --git a/test/sysutils/less.exp b/test/sysutils/less.exp index 2bfb603021b..265b0e474eb 100755 --- a/test/sysutils/less.exp +++ b/test/sysutils/less.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 @@ -10,6 +10,7 @@ match_max 100000 send -- "firejail less sysutils.sh\r" expect { timeout {puts "TESTING ERROR 1\n";exit} + "(press RETURN)" {puts "TESTING SKIP 1.1\n";exit} "MALLOC_CHECK" } expect { diff --git a/test/sysutils/ping.exp b/test/sysutils/ping.exp index 58bcb61118d..fac4b2ac338 100755 --- a/test/sysutils/ping.exp +++ b/test/sysutils/ping.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/sysutils/strings.exp b/test/sysutils/strings.exp index 2b6c3848aba..7c91fb78ae6 100755 --- a/test/sysutils/strings.exp +++ b/test/sysutils/strings.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/sysutils/sysutils.sh b/test/sysutils/sysutils.sh index fe931b045b8..96962d324fa 100755 --- a/test/sysutils/sysutils.sh +++ b/test/sysutils/sysutils.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 diff --git a/test/sysutils/tar.exp b/test/sysutils/tar.exp index 4ed7bace486..60e05f847ce 100755 --- a/test/sysutils/tar.exp +++ b/test/sysutils/tar.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 
diff --git a/test/sysutils/xz.exp b/test/sysutils/xz.exp index 63b1ad3c7c4..4c6fcea9d75 100755 --- a/test/sysutils/xz.exp +++ b/test/sysutils/xz.exp @@ -1,9 +1,9 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 -set timeout 10 +set timeout 60 spawn $env(SHELL) match_max 100000 @@ -13,6 +13,9 @@ sleep 1 send -- "firejail /usr/bin/xz -c /usr/bin/firejail > firejail_t2\r" sleep 1 +send -- "md5sum firejail_t1 firejail_t2; ls -l firejail_t1 firejail_t2\r" +sleep 1 + send -- "diff -s firejail_t1 firejail_t2\r" expect { timeout {puts "TESTING ERROR 1\n";exit} diff --git a/test/sysutils/xzdec.exp b/test/sysutils/xzdec.exp index 02621bbf0f4..737517d54e4 100755 --- a/test/sysutils/xzdec.exp +++ b/test/sysutils/xzdec.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/audit.exp b/test/utils/audit.exp deleted file mode 100755 index 6ce763e3f97..00000000000 --- a/test/utils/audit.exp +++ /dev/null 
@@ -1,167 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors -# License GPL v2 - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --audit\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Firejail Audit" -} -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "is running in a PID namespace" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "container/sandbox firejail" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "seccomp BPF enabled" -} -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "all capabilities are disabled" -} -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "dev directory seems to be fully populated" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "Parent is shutting down, bye..." -} -after 100 - - -send -- "firejail --audit\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "Firejail Audit" -} -expect { - timeout {puts "TESTING ERROR 7\n";exit} - "is running in a PID namespace" -} -expect { - timeout {puts "TESTING ERROR 8\n";exit} - "container/sandbox firejail" -} -expect { - timeout {puts "TESTING ERROR 9\n";exit} - "seccomp BPF enabled" -} -expect { - timeout {puts "TESTING ERROR 10\n";exit} - "all capabilities are disabled" -} -expect { - timeout {puts "TESTING ERROR 11\n";exit} - "dev directory seems to be fully populated" -} -expect { - timeout {puts "TESTING ERROR 11.1\n";exit} - "Parent is shutting down, bye..." 
-} -after 100 - -send -- "firejail --audit=blablabla\r" -expect { - timeout {puts "TESTING ERROR 12\n";exit} - "cannot find the audit program" -} -after 100 - -send -- "firejail --audit=\r" -expect { - timeout {puts "TESTING ERROR 12\n";exit} - "invalid audit program" -} -after 100 - -# run audit executable without a sandbox -send -- "faudit\r" -expect { - timeout {puts "TESTING ERROR 13\n";exit} - "is not running in a PID namespace" -} -expect { - timeout {puts "TESTING ERROR 14\n";exit} - "BAD: seccomp disabled" -} -expect { - timeout {puts "TESTING ERROR 15\n";exit} - "BAD: the capability map is" -} -expect { - timeout {puts "TESTING ERROR 16\n";exit} - "MAYBE: /dev directory seems to be fully populated" -} -after 100 - -# test seccomp -send -- "firejail --seccomp.drop=mkdir --audit\r" -expect { - timeout {puts "TESTING ERROR 17\n";exit} - "Firejail Audit" -} -expect { - timeout {puts "TESTING ERROR 18\n";exit} - "GOOD: seccomp BPF enabled" -} -expect { - timeout {puts "TESTING ERROR 19\n";exit} - "UGLY: mount syscall permitted" -} -expect { - timeout {puts "TESTING ERROR 20\n";exit} - "UGLY: umount2 syscall permitted" -} -expect { - timeout {puts "TESTING ERROR 21\n";exit} - "UGLY: ptrace syscall permitted" -} -expect { - timeout {puts "TESTING ERROR 22\n";exit} - "UGLY: swapon syscall permitted" -} -expect { - timeout {puts "TESTING ERROR 23\n";exit} - "UGLY: swapoff syscall permitted" -} -expect { - timeout {puts "TESTING ERROR 24\n";exit} - "UGLY: init_module syscall permitted" -} -expect { - timeout {puts "TESTING ERROR 25\n";exit} - "UGLY: delete_module syscall permitted" -} -expect { - timeout {puts "TESTING ERROR 26\n";exit} - "UGLY: chroot syscall permitted" -} -expect { - timeout {puts "TESTING ERROR 27\n";exit} - "UGLY: pivot_root syscall permitted" -} -expect { - timeout {puts "TESTING ERROR 28\n";exit} - "UGLY: iopl syscall permitted" -} -expect { - timeout {puts "TESTING ERROR 29\n";exit} - "UGLY: ioperm syscall permitted" -} -expect { - timeout 
{puts "TESTING ERROR 30\n";exit} - "GOOD: all capabilities are disabled" -} -after 100 - -puts "\nall done\n" diff --git a/test/utils/build.exp b/test/utils/build.exp index ae46ffa6e11..104ac037c56 100755 --- a/test/utils/build.exp +++ b/test/utils/build.exp 
@@ -1,57 +1,83 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail --build cat ~/firejail-test-file-7699\r" +send -- "echo testing > ~/_firejail-test-file\r" +after 100 + +send -- "firejail --build cat ~/_firejail-test-file\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "whitelist ~/firejail-test-file-7699" -} -expect { - timeout {puts "TESTING ERROR 0.1\n";exit} - "include /etc/firejail/whitelist-common.inc" + "allow $\{HOME\}/_firejail-test-file" } expect { timeout {puts "TESTING ERROR 1\n";exit} - "private-tmp" + "include whitelist-common.inc" } expect { timeout {puts "TESTING ERROR 2\n";exit} - "private-dev" + "include whitelist-usr-share-common.inc" } expect { timeout {puts "TESTING ERROR 3\n";exit} - "blacklist /var" + "include whitelist-var-common.inc" } expect { timeout {puts "TESTING ERROR 4\n";exit} - "private-bin cat," + "caps.drop all" } expect { timeout {puts "TESTING ERROR 5\n";exit} - "caps.drop all" + "ipc-namespace" } expect { timeout {puts "TESTING ERROR 6\n";exit} - "nonewprivs" + "netfilter" } expect { timeout {puts "TESTING ERROR 7\n";exit} - "seccomp" + "nonewprivs" } expect { timeout {puts "TESTING ERROR 8\n";exit} - "net none" + "noroot" } expect { timeout {puts "TESTING ERROR 9\n";exit} + "net none" +} +expect { + timeout {puts "TESTING ERROR 10\n";exit} + "seccomp" +} +expect { + timeout {puts "TESTING ERROR 11\n";exit} "shell none" } +expect { + timeout {puts "TESTING ERROR 11\n";exit} + "private-bin cat," +} +expect { + timeout {puts "TESTING ERROR 12\n";exit} + "private-dev" +} +expect { + timeout {puts "TESTING ERROR 13\n";exit} + "private-etc none" +} +expect { + timeout {puts "TESTING ERROR 14\n";exit} + "private-tmp" +} +after 100 + +send -- "rm -f ~/_firejail-test-file\r" after 100 send -- "firejail --build cat /etc/passwd\r" 
@@ -72,21 +98,6 @@ expect { } after 100 - -#send -- "firejail --build cat /var/tmp/firejail-test-file-7699\r" -#expect { -# timeout {puts "TESTING ERROR 11\n";exit} -# "whitelist /var/tmp/firejail-test-file-7699" -#} -#after 100 - -#send -- "firejail --build man firejail\r" -#expect { -# timeout {puts "TESTING ERROR 12\n";exit} -# "whitelist /usr/share/man" -#} -#after 100 - send -- "firejail --build wget --output-document=~ debian.org\r" expect { timeout {puts "TESTING ERROR 13\n";exit} @@ -98,10 +109,4 @@ expect { } after 100 - -send -- "firejail --build cat /tmp/firejail-test-file-7699\r" -#todo - bug: it comes back with private-tmp -sleep 1 - - puts "all done\n" diff --git a/test/utils/caps-print.exp b/test/utils/caps-print.exp index 753511536eb..6b60904763b 100755 --- a/test/utils/caps-print.exp +++ b/test/utils/caps-print.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/catchsignal-master.sh b/test/utils/catchsignal-master.sh index e8a5205bbff..28e646ddbfb 100755 --- a/test/utils/catchsignal-master.sh +++ b/test/utils/catchsignal-master.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 ./catchsignal.sh & diff --git a/test/utils/catchsignal.sh b/test/utils/catchsignal.sh index de2c068b360..f7a501011a3 100755 --- a/test/utils/catchsignal.sh +++ b/test/utils/catchsignal.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 _term() { diff --git a/test/utils/catchsignal2.sh b/test/utils/catchsignal2.sh index 6499972d86e..9ba939ef40a 100755 --- a/test/utils/catchsignal2.sh +++ b/test/utils/catchsignal2.sh 
@@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 _term() { diff --git a/test/utils/command.exp b/test/utils/command.exp index a2f7e4204ab..6cb52a7fa38 100755 --- a/test/utils/command.exp +++ b/test/utils/command.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/cpu-print.exp b/test/utils/cpu-print.exp index 8b3b51dba5d..e7d709cee6d 100755 --- a/test/utils/cpu-print.exp +++ b/test/utils/cpu-print.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/dns-print.exp b/test/utils/dns-print.exp index edbe66a5127..b3b732bee6e 100755 --- a/test/utils/dns-print.exp +++ b/test/utils/dns-print.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/firemon-caps.exp b/test/utils/firemon-caps.exp index a51e5a765c7..837d0827118 100755 --- a/test/utils/firemon-caps.exp +++ b/test/utils/firemon-caps.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/firemon-cgroup.exp b/test/utils/firemon-cgroup.exp index f7c6e0adbef..3976b0c50d1 100755 --- a/test/utils/firemon-cgroup.exp +++ b/test/utils/firemon-cgroup.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/firemon-cpu.exp b/test/utils/firemon-cpu.exp index 90bb702a356..b410c764e52 100755 --- a/test/utils/firemon-cpu.exp +++ b/test/utils/firemon-cpu.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/firemon-interface.exp b/test/utils/firemon-interface.exp index ff3cea8bbf9..0c358d129ca 100755 --- a/test/utils/firemon-interface.exp +++ b/test/utils/firemon-interface.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/firemon-name.exp b/test/utils/firemon-name.exp index 88e41d96d5f..57729d662a4 100755 --- a/test/utils/firemon-name.exp +++ b/test/utils/firemon-name.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/firemon-seccomp.exp b/test/utils/firemon-seccomp.exp index a8c7fc24dce..d35027827f7 100755 --- a/test/utils/firemon-seccomp.exp +++ b/test/utils/firemon-seccomp.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/firemon-version.exp b/test/utils/firemon-version.exp index 837bf0f9244..8e4e33ec080 100755 --- a/test/utils/firemon-version.exp +++ b/test/utils/firemon-version.exp 
@@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/fs-print.exp b/test/utils/fs-print.exp index 736c309ecbf..4b6eac391b0 100755 --- a/test/utils/fs-print.exp +++ b/test/utils/fs-print.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/help.exp b/test/utils/help.exp index 77c2e6ec391..71bb5788cc0 100755 --- a/test/utils/help.exp +++ b/test/utils/help.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/join-profile.exp b/test/utils/join-profile.exp index b44f44cfecf..d6fcc50d765 100755 --- a/test/utils/join-profile.exp +++ b/test/utils/join-profile.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/join.exp b/test/utils/join.exp index 1f1a905b27c..25dd31922cb 100755 --- a/test/utils/join.exp +++ b/test/utils/join.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/join2.exp b/test/utils/join2.exp index 6c26db4e950..dada9715885 100755 --- a/test/utils/join2.exp +++ b/test/utils/join2.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 
diff --git a/test/utils/join3.exp b/test/utils/join3.exp index 74dad707006..305000e9255 100755 --- a/test/utils/join3.exp +++ b/test/utils/join3.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/join4.exp b/test/utils/join4.exp index d04cbee46fc..8c5e91d682b 100755 --- a/test/utils/join4.exp +++ b/test/utils/join4.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/join5.exp b/test/utils/join5.exp new file mode 100755 index 00000000000..3d365944d58 --- /dev/null +++ b/test/utils/join5.exp @@ -0,0 +1,46 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2021 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --name=test123 --profile=join5.profile\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "Child process initialized" +} +sleep 1 +spawn $env(SHELL) +send -- "firejail --join=test123\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Switching to pid" +} +sleep 1 +send -- "ps aux\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "/bin/bash" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "/bin/bash" +} + +send -- "exit\r" +after 100 + +send -- "firejail --protocol.print=test123\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Switching to pid" +} +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "unix" +} + +puts "\nall done\n" diff --git a/test/utils/join5.profile b/test/utils/join5.profile new file mode 100644 index 00000000000..e9eb37a4f65 --- /dev/null +++ b/test/utils/join5.profile @@ -0,0 +1,4 @@ +dbus-user filter +dbus-system none +seccomp +protocol unix 
diff --git a/test/utils/list.exp b/test/utils/list.exp index fefdd4787d5..d7d39357dd3 100755 --- a/test/utils/list.exp +++ b/test/utils/list.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/ls.exp b/test/utils/ls.exp index b70f53a7427..080bfdad24d 100755 --- a/test/utils/ls.exp +++ b/test/utils/ls.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/man.exp b/test/utils/man.exp index 3cde9f2c86e..41f5a2ff860 100755 --- a/test/utils/man.exp +++ b/test/utils/man.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 @@ -10,6 +10,7 @@ match_max 100000 send -- "man firejail\r" expect { timeout {puts "TESTING ERROR 0\n";exit} + "(press RETURN)" {puts "TESTING SKIP 1.1\n";exit} "Linux namespaces sandbox program" } after 100 diff --git a/test/utils/name.exp b/test/utils/name.exp index 3a1dfb6409e..9e5367ba706 100755 --- a/test/utils/name.exp +++ b/test/utils/name.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/profile_print.exp b/test/utils/profile_print.exp index ddeeb8af621..f8f6708bb4b 100755 --- a/test/utils/profile_print.exp +++ b/test/utils/profile_print.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 
diff --git a/test/utils/protocol-print.exp b/test/utils/protocol-print.exp index c44a659e1b6..1ed92ddd6ad 100755 --- a/test/utils/protocol-print.exp +++ b/test/utils/protocol-print.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/seccomp-print.exp b/test/utils/seccomp-print.exp index 41a6ce77889..86f1e984505 100755 --- a/test/utils/seccomp-print.exp +++ b/test/utils/seccomp-print.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/shutdown.exp b/test/utils/shutdown.exp index 0f6cab8bb1d..35d2750db18 100755 --- a/test/utils/shutdown.exp +++ b/test/utils/shutdown.exp @@ -1,9 +1,9 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 -set timeout 10 +set timeout 15 cd /home spawn $env(SHELL) match_max 100000 diff --git a/test/utils/shutdown2.exp b/test/utils/shutdown2.exp index 463c2fb781c..7eb3d516b44 100755 --- a/test/utils/shutdown2.exp +++ b/test/utils/shutdown2.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/shutdown3.exp b/test/utils/shutdown3.exp index 9e92889dc52..a543bb9e5fd 100755 --- a/test/utils/shutdown3.exp +++ b/test/utils/shutdown3.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 
diff --git a/test/utils/shutdown4.exp b/test/utils/shutdown4.exp index e7733ca4112..a9a3978ea4d 100755 --- a/test/utils/shutdown4.exp +++ b/test/utils/shutdown4.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/top.exp b/test/utils/top.exp index 2ef6f0375e0..150011bba78 100755 --- a/test/utils/top.exp +++ b/test/utils/top.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/trace.exp b/test/utils/trace.exp index 5df44c1ca06..3ed09565b58 100755 --- a/test/utils/trace.exp +++ b/test/utils/trace.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 30 diff --git a/test/utils/tree.exp b/test/utils/tree.exp index 82045e8c9a2..ff834bec69d 100755 --- a/test/utils/tree.exp +++ b/test/utils/tree.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10 diff --git a/test/utils/utils.sh b/test/utils/utils.sh index 82ccc82bb8d..e3e24bd9a08 100755 --- a/test/utils/utils.sh +++ b/test/utils/utils.sh @@ -1,6 +1,6 @@ #!/bin/bash # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 export MALLOC_CHECK_=3 
@@ -8,27 +8,15 @@ export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) export LC_ALL=C if [ -f /etc/debian_version ]; then - libdir=$(dirname "$(dpkg -L firejail | grep faudit)") + libdir=$(dirname "$(dpkg -L firejail | grep fcopy)") export PATH="$PATH:$libdir" fi export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail" -echo "testing" > ~/firejail-test-file-7699 -echo "testing" > /tmp/firejail-test-file-7699 -echo "testing" > /var/tmp/firejail-test-file-7699 echo "TESTING: build (test/utils/build.exp)" ./build.exp -rm -f ~/firejail-test-file-7699 -rm -f /tmp/firejail-test-file-7699 -rm -f /var/tmp/firejail-test-file-7699 -rm -f firejail-test-file-4388 - -if [ $(readlink /proc/self) -lt 100 ]; then - echo "TESTING SKIP: already running in pid namespace (test/utils/audit.exp)" -else - echo "TESTING: audit (test/utils/audit.exp)" - ./audit.exp -fi +rm -f ~/_firejail-test-file +rm -f _firejail-test-file echo "TESTING: name (test/utils/name.exp)" ./name.exp @@ -104,9 +92,12 @@ echo "TESTING: join2 (test/utils/join2.exp)" echo "TESTING: join3 (test/utils/join3.exp)" ./join3.exp -echo "TESTING: join3 (test/utils/join4.exp)" +echo "TESTING: join4 (test/utils/join4.exp)" ./join4.exp +echo "TESTING: join5 (test/utils/join5.exp)" +./join5.exp + echo "TESTING: join profile (test/utils/join-profile.exp)" ./join-profile.exp diff --git a/test/utils/version.exp b/test/utils/version.exp index c78a087bb3e..be0d152b808 100755 --- a/test/utils/version.exp +++ b/test/utils/version.exp @@ -1,6 +1,6 @@ #!/usr/bin/expect -f # This file is part of Firejail project -# Copyright (C) 2014-2020 Firejail Authors +# Copyright (C) 2014-2021 Firejail Authors # License GPL v2 set timeout 10
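Review bot: in test/utils/join5.exp the label `TESTING ERROR 5` is used twice, once on the initial `firejail --name=test123 --profile=join5.profile` expect and again on the final `"unix"` expect after `--protocol.print=test123`, so a timeout in either prints the same message; renumber the first one (`TESTING ERROR 0`) so the labels stay unique and in sequence with 1–4. Also, the sandbox started with `--name=test123` is never shut down: the `send -- "exit\r"` only leaves the `--join=test123` shell, and the script then goes straight to `puts "\nall done\n"`, so the named sandbox outlives the test and a later test reusing the name `test123` would join this instance instead of its own. Add a `send -- "firejail --shutdown=test123\r"` (or exit the first spawned shell) before the final `puts`.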
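Review bot: test/utils/join5.profile enables `dbus-user filter` without any `dbus-user.talk`/`dbus-user.own` rules, so the filter admits nothing on the session bus, which is the same effective policy as `dbus-user none` but exercises the proxy code path instead; if that is the point of the new test (join into a sandbox that has the D-Bus filter active), a one-line comment in the profile saying so would keep someone from "simplifying" it to `none` later. The `seccomp` and `protocol unix` lines are what the final `"unix"` expect in join5.exp relies on, so those two must stay together with the test.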
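Review bot: in test/utils/man.exp the new `"(press RETURN)" {puts "TESTING SKIP 1.1\n";exit}` branch exits with the same status as a pass, so on a host where `man` drops into a pager the man page content is never checked and the run still looks green. Rather than skipping, force a non-interactive pager before the `send -- "man firejail\r"` (for example `man -P cat firejail`, or export `MANPAGER=cat` in utils.sh) so the `"Linux namespaces sandbox program"` expect is actually exercised; if the skip is kept, exit with a distinct status so the runner can tell skip from pass.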
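Review bot: in test/utils/utils.sh, `libdir=$(dirname "$(dpkg -L firejail | grep fcopy)")` matches any packaged path containing the substring `fcopy`, and if more than one line matches, `dirname` is handed a multi-line string and `libdir` ends up with embedded newlines in `PATH`; anchor the match (`grep -m1 '/fcopy$'`) so only the helper binary itself is picked up. The same hunk drops the `./audit.exp` invocation together with its `readlink /proc/self` pid-namespace skip, but the deletion of test/utils/audit.exp itself is not in this hunk; confirm the file is removed elsewhere in the change, otherwise it is now an orphaned test that nothing runs. Finally, the pre-creation of `firejail-test-file-7699` in `~`, `/tmp` and `/var/tmp` is removed while new cleanup lines `rm -f ~/_firejail-test-file` and `rm -f _firejail-test-file` appear after `./build.exp`; the commit does not say what now creates `_firejail-test-file`, so a short comment above the `rm -f` lines naming the test that leaves them behind would help the next reader.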
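Review bot: the second test/utils/utils.sh hunk fixes the copy-paste label (`join3` printed for `./join4.exp`) and wires in `./join5.exp` right after it; since join5.exp leaves a sandbox named `test123` running (see the note on that file), and join-profile.exp runs immediately afterwards, either join5.exp should shut its sandbox down or this runner should do `firejail --shutdown=test123` between the two calls so the following join tests start from a clean state.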