Merge branch 'netblue30:master' into warzone2100

This commit is contained in:
glitsj16 2023-01-31 02:32:32 +00:00 committed by GitHub
commit 00afe15594
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
32 changed files with 1072 additions and 187 deletions


@ -5,9 +5,9 @@ on:
branches: [ master ]
paths-ignore:
- '.github/ISSUE_TEMPLATE/*'
- 'etc/**'
- 'contrib/gtksourceview-5/**'
- 'contrib/syntax/**'
- 'contrib/vim/**'
- 'etc/**'
- 'src/man/*.txt'
- .git-blame-ignore-revs
- .github/dependabot.yml
@ -27,9 +27,9 @@ on:
branches: [ master ]
paths-ignore:
- '.github/ISSUE_TEMPLATE/*'
- 'etc/**'
- 'contrib/gtksourceview-5/**'
- 'contrib/syntax/**'
- 'contrib/vim/**'
- 'etc/**'
- 'src/man/*.txt'
- .git-blame-ignore-revs
- .github/dependabot.yml
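Review bot: The new `paths-ignore` entry `'contrib/syntax/**'` excludes from CI the very files the build now consumes: with this commit the Makefile's default `all` target builds `contrib`, whose `syntax` rule regenerates `contrib/syntax/files/*` from the `.in` templates and the keyword lists, so an edit to `contrib/syntax/files/*.in` that breaks the `sed` templating would no longer trigger the workflow that would catch it. The entries it replaces (`contrib/gtksourceview-5/**`, `contrib/vim/**`) only covered static files, so skipping them was safe. Assuming this workflow runs `make` — the CodeQL workflow certainly does through its Autobuild step — consider dropping the entry, or at most narrowing it to files that are not build inputs. The same entry appears in the second hunk of this file and in both `paths-ignore` hunks (`@ -10,9` and `@ -32,9`) of the CodeQL workflow.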


@ -10,9 +10,9 @@ on:
branches: [ master ]
paths-ignore:
- '.github/ISSUE_TEMPLATE/*'
- 'etc/**'
- 'contrib/gtksourceview-5/**'
- 'contrib/syntax/**'
- 'contrib/vim/**'
- 'etc/**'
- 'src/man/*.txt'
- .git-blame-ignore-revs
- .github/dependabot.yml
@ -32,9 +32,9 @@ on:
branches: [ master ]
paths-ignore:
- '.github/ISSUE_TEMPLATE/*'
- 'etc/**'
- 'contrib/gtksourceview-5/**'
- 'contrib/syntax/**'
- 'contrib/vim/**'
- 'etc/**'
- 'src/man/*.txt'
- .git-blame-ignore-revs
- .github/dependabot.yml
@ -88,7 +88,7 @@ jobs:
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@a34ca99b4610d924e04c68db79e503e1f79f9f02
uses: github/codeql-action/init@3ebbd71c74ef574dbc558c82f70e52732c8b44fe
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
@ -99,7 +99,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@a34ca99b4610d924e04c68db79e503e1f79f9f02
uses: github/codeql-action/autobuild@3ebbd71c74ef574dbc558c82f70e52732c8b44fe
# Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
@ -113,4 +113,4 @@ jobs:
# make release
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@a34ca99b4610d924e04c68db79e503e1f79f9f02
uses: github/codeql-action/analyze@3ebbd71c74ef574dbc558c82f70e52732c8b44fe

3
.gitignore vendored

@ -16,6 +16,9 @@ config.log
config.mk
config.sh
config.status
contrib/syntax/files/example
contrib/syntax/files/firejail-profile.lang
contrib/syntax/files/firejail.vim
firejail-*.tar.xz
firejail-login.5
firejail-profile.5


@ -38,8 +38,7 @@ If you add a new command, here's the checklist:
- [ ] Update manpages: firejail(1) and firejail-profile(5)
- [ ] Update shell completions
- [ ] Update vim syntax files
- [ ] Update gtksourceview language specs
- [ ] Update syntax files (run `make syntax` or just `make`)
- [ ] Update --help
# Editing the wiki

110
Makefile

@ -6,6 +6,10 @@ MAN_TARGET = man
MAN_SRC = src/man
endif
ifneq ($(HAVE_CONTRIB_INSTALL),no)
CONTRIB_TARGET = contrib
endif
COMPLETIONDIRS = src/zsh_completion src/bash_completion
APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck
@ -17,16 +21,32 @@ SBOX_APPS_NON_DUMPABLE += src/fnettrace-icmp/fnettrace-icmp
MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS)
MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1
SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32
MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1
SYSCALL_HEADERS := $(sort $(wildcard src/include/syscall*.h))
# Lists of keywords used in profiles; used for generating syntax files.
SYNTAX_LISTS = \
contrib/syntax/lists/profile_commands_arg0.list \
contrib/syntax/lists/profile_commands_arg1.list \
contrib/syntax/lists/profile_conditionals.list \
contrib/syntax/lists/profile_macros.list \
contrib/syntax/lists/syscall_groups.list \
contrib/syntax/lists/syscalls.list \
contrib/syntax/lists/system_errnos.list
SYNTAX_FILES_IN := $(sort $(wildcard contrib/syntax/files/*.in))
SYNTAX_FILES := $(SYNTAX_FILES_IN:.in=)
ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS)
.PHONY: all
all: all_items mydirs $(MAN_TARGET) filters
all: all_items mydirs filters $(MAN_TARGET) $(CONTRIB_TARGET)
config.mk config.sh:
printf 'run ./configure to generate %s\n' "$@" >&2
false
@printf 'error: run ./configure to generate %s\n' "$@" >&2
@false
.PHONY: all_items $(ALL_ITEMS)
all_items: $(ALL_ITEMS)
@ -38,11 +58,6 @@ mydirs: $(MYDIRS)
$(MYDIRS):
$(MAKE) -C $@
$(MANPAGES): src/man config.mk
./mkman.sh $(VERSION) src/man/$(basename $@).man $@
man: $(MANPAGES)
filters: $(SECCOMP_FILTERS) $(SBOX_APPS_NON_DUMPABLE)
seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
src/fseccomp/fseccomp default seccomp
@ -65,14 +80,83 @@ seccomp.mdwx: src/fseccomp/fseccomp
seccomp.mdwx.32: src/fseccomp/fseccomp
src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32
$(MANPAGES): src/man config.mk
./mkman.sh $(VERSION) src/man/$(basename $@).man $@
man: $(MANPAGES)
# Makes all targets in contrib/
.PHONY: contrib
contrib: syntax
.PHONY: syntax
syntax: $(SYNTAX_FILES)
# TODO: include/rlimit are false positives
contrib/syntax/lists/profile_commands_arg0.list: src/firejail/profile.c
@sed -En 's/.*strn?cmp\(ptr, "([^ "]*[^ ])".*/\1/p' $< | \
grep -Ev '^(include|rlimit)$$' | sed 's/\./\\./' | LC_ALL=C sort -u >$@
# TODO: private-lib is special-cased in the code and doesn't match the regex
contrib/syntax/lists/profile_commands_arg1.list: src/firejail/profile.c
@{ sed -En 's/.*strn?cmp\(ptr, "([^"]+) ".*/\1/p' $<; echo private-lib; } | \
LC_ALL=C sort -u >$@
contrib/syntax/lists/profile_conditionals.list: src/firejail/profile.c
@awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$$/ {process=1;} \
/\t*\{"[^"]+".*/ \
{ if (process) {print gensub(/^\t*\{"([^"]+)".*$$/, "\\1", 1);} } \
/^\t\{ NULL, NULL \}$$/ {process=0;}' \
$< | LC_ALL=C sort -u >$@
contrib/syntax/lists/profile_macros.list: src/firejail/macros.c
@sed -En 's/.*\$$\{([^}]+)\}.*/\1/p' $< | LC_ALL=C sort -u >$@
contrib/syntax/lists/syscall_groups.list: src/lib/syscall.c
@sed -En 's/.*"@([^",]+).*/\1/p' $< | LC_ALL=C sort -u >$@
contrib/syntax/lists/syscalls.list: $(SYSCALL_HEADERS)
@sed -n 's/{\s\+"\([^"]\+\)",.*},/\1/p' $(SYSCALL_HEADERS) | \
LC_ALL=C sort -u >$@
contrib/syntax/lists/system_errnos.list: src/lib/errno.c
@sed -En 's/.*"(E[^"]+).*/\1/p' $< | LC_ALL=C sort -u >$@
pipe_fromlf = { tr '\n' '|' | sed 's/|$$//'; }
space_fromlf = { tr '\n' ' ' | sed 's/ $$//'; }
edit_syntax_file = sed \
-e "s/@make_input@/$$(basename $@). Generated from $$(basename $<) by make./" \
-e "s/@FJ_PROFILE_COMMANDS_ARG0@/$$($(pipe_fromlf) <contrib/syntax/lists/profile_commands_arg0.list)/" \
-e "s/@FJ_PROFILE_COMMANDS_ARG1@/$$($(pipe_fromlf) <contrib/syntax/lists/profile_commands_arg1.list)/" \
-e "s/@FJ_PROFILE_CONDITIONALS@/$$($(pipe_fromlf) <contrib/syntax/lists/profile_conditionals.list)/" \
-e "s/@FJ_PROFILE_MACROS@/$$($(pipe_fromlf) <contrib/syntax/lists/profile_macros.list)/" \
-e "s/@FJ_SYSCALLS@/$$($(space_fromlf) <contrib/syntax/lists/syscalls.list)/" \
-e "s/@FJ_SYSCALL_GROUPS@/$$($(pipe_fromlf) <contrib/syntax/lists/syscall_groups.list)/" \
-e "s/@FJ_SYSTEM_ERRNOS@/$$($(pipe_fromlf) <contrib/syntax/lists/system_errnos.list)/"
contrib/syntax/files/example: contrib/syntax/files/example.in $(SYNTAX_LISTS)
@printf 'Generating %s from %s\n' $@ $<
@$(edit_syntax_file) $< >$@
# gtksourceview language-specs
contrib/syntax/files/%.lang: contrib/syntax/files/%.lang.in $(SYNTAX_LISTS)
@printf 'Generating %s from %s\n' $@ $<
@$(edit_syntax_file) $< >$@
# vim syntax files
contrib/syntax/files/%.vim: contrib/syntax/files/%.vim.in $(SYNTAX_LISTS)
@printf 'Generating %s from %s\n' $@ $<
@$(edit_syntax_file) $< >$@
.PHONY: clean
clean:
for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \
$(MAKE) -C $$dir clean; \
done
$(MAKE) -C test clean
rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm
rm -f $(SECCOMP_FILTERS)
rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm
rm -f $(SYNTAX_FILES)
rm -f test/utils/index.html*
rm -f test/utils/wget-log
rm -f test/utils/firejail-test-file*
@ -124,10 +208,10 @@ ifeq ($(HAVE_CONTRIB_INSTALL),yes)
install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect
install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax
install -m 0644 contrib/vim/ftdetect/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect
install -m 0644 contrib/vim/syntax/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax
# gtksourceview-5 language-specs
install -m 0644 contrib/syntax/files/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax
# gtksourceview language-specs
install -m 0755 -d $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs
install -m 0644 contrib/gtksourceview-5/language-specs/firejail-profile.lang $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs
install -m 0644 contrib/syntax/files/firejail-profile.lang $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs
endif
# documents
install -m 0755 -d $(DESTDIR)$(docdir)
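Review bot: The list-generating recipes in the `@ -65,14 +80,83 @@` hunk (`contrib/syntax/lists/*.list`) report only the exit status of the final `LC_ALL=C sort -u`, so a failing `sed`/`awk`/`grep` stage earlier in the pipeline still leaves an empty or truncated `$@` that is newer than its prerequisites; without a `.DELETE_ON_ERROR:` directive in this Makefile, Make then treats that file as up to date and `edit_syntax_file` bakes an empty alternation into the generated `.lang`/`.vim` files on the next run. Adding `.DELETE_ON_ERROR:` near the top of the file and making the pipelines fail as a whole (`set -o pipefail`, which needs `SHELL := bash`, or redirecting to `$@.tmp` and only `mv`-ing it into place on success) would keep a bad list from being cached. Separately, the list contents are spliced into `edit_syntax_file` as unescaped sed replacement text, so an entry containing `/`, `&` or `\` would break or mis-apply the substitution; the current entries are safe (the only backslash is the intentional `seccomp\.block-secondary`), but a comment such as `# NOTE: list entries are used as sed replacement text and must not contain / & or \` above the definition would record that constraint for whoever next extends the regexes that produce them.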

4
README

@ -125,6 +125,8 @@ Alexander Stein (https://github.com/ajstein)
alkim0 (https://github.com/alkim0)
- warn when encountering EIO during remount
- Add profile for chafa
amano-kenji (https://github.com/amano-kenji)
- fix private-etc in qutebrowser profile
Amin Vakil (https://github.com/aminvakil)
- whois profile fix
- added profile for strawberry
@ -679,6 +681,8 @@ Laurent Declercq (https://github.com/nuxwin)
- fixed test for shell interpreter in chroots
LaurentGH (https://github.com/LaurentGH)
- allow private-bin parameters to be absolute paths
layderv (https://github.com/layderv)
- prevent sandbox name from containing only digits
lecso7 (https://github.com/lecso7)
- added goldendict profile
- allow evince to read .cbz file format


@ -184,7 +184,7 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
### private-etc rework
`````
--private-etc, --private-etc=file,directory
--private-etc, --private-etc=file,directory,@group
The files installed by --private-etc are copies of the original
system files from /etc directory. By default, the command
brings in a skeleton of files and directories used by most con
@ -192,24 +192,23 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
$ firejail --private-etc dig debian.org
For X11/GTK/QT/Gnome/KDE programs add GUI group as a parameter.
Example:
For X11/GTK/QT/Gnome/KDE programs add @x11 group as a parame
ter. Example:
$ firejail --private-etc=GUI,python* gimp
$ firejail --private-etc=@x11,gcrypt,python* gimp
/etc/python* directories are not part of the generic GUI group.
These directories are reuqired by Gimp plugin system. File glob
bing is supported.
gcrypt and /etc/python* directories are not part of the generic
@x11 group. File globbing is supported.
For games, add GAMES group:
For games, add @games group:
$ firejail --private-etc=GUI,GAMES warzone2100
$ firejail --private-etc=@games,@x11 warzone2100
Sound and networking files are included automatically, unless
--nosound or --net=none are specified. Files for encrypted
TLS/SSL protocol are in TLS-CA group.
Sound and networking files are included automatically, unless
--nosound or --net=none are specified. Files for encrypted
TLS/SSL protocol are in @tls-ca group.
$ firejail --private-etc=TLS-CA,wgetrc wget https://debian.org
$ firejail --private-etc=@tls-ca,wgetrc wget https://debian.org
Note: The easiest way to extract the list of /etc files accessed
by your program is using strace utility:


@ -1,6 +1,7 @@
firejail (0.9.73) baseline; urgency=low
* work in progress
* modif: Stop forwarding own double-dash to the shell (#5599 #5600)
* modif: prevent sandbox name from containing only digits (#5578)
* docs: remove apparmor options in --help when building without apparmor
support (#5589)
* fix: qutebrowser not opening tabs (#5601)


@ -0,0 +1,16 @@
# @make_input@
# Example file to check the values of input variables.
FJ_PROFILE_COMMANDS_ARG0 = @FJ_PROFILE_COMMANDS_ARG0@
FJ_PROFILE_COMMANDS_ARG1 = @FJ_PROFILE_COMMANDS_ARG1@
FJ_PROFILE_CONDITIONALS = @FJ_PROFILE_CONDITIONALS@
FJ_PROFILE_MACROS = @FJ_PROFILE_MACROS@
FJ_SYSCALLS = @FJ_SYSCALLS@
FJ_SYSCALL_GROUPS = @FJ_SYSCALL_GROUPS@
FJ_SYSTEM_ERRNOS = @FJ_SYSTEM_ERRNOS@


@ -1,4 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
<!-- @make_input@ -->
<!-- vim: set ts=2 sts=2 sw=2 et: -->
<!--
https://gitlab.gnome.org/GNOME/gtksourceview/-/blob/master/docs/lang-tutorial.md
@ -20,15 +21,15 @@
<definitions>
<define-regex id="commands-with-arguments" extended="true">
(apparmor|bind|blacklist-nolog|blacklist|caps.drop|caps.keep|cpu|dbus-system.broadcast|dbus-system.call|dbus-system.own|dbus-system.see|dbus-system.talk|dbus-system|dbus-user.broadcast|dbus-user.call|dbus-user.own|dbus-user.see|dbus-user.talk|dbus-user|defaultgw|dns|env|hostname|hosts-file|ignore|include|ip6|ip|iprange|join-or-start|keep-fd|mac|mkdir|mkfile|mtu|name|net|netfilter6|netfilter|netmask|netns|nice|noblacklist|noexec|nowhitelist|overlay-named|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|private|protocol|read-only|read-write|restrict-namespaces|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|rlimit|rmenv|seccomp-error-action|seccomp.32.drop|seccomp.32.keep|seccomp.32|seccomp.drop|seccomp.keep|seccomp|shell|timeout|tmpfs|veth-name|whitelist-ro|whitelist|x11|xephyr-screen)
(@FJ_PROFILE_COMMANDS_ARG1@)
</define-regex>
<define-regex id="commands-without-arguments" extended="true">
(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-fd|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay-tmpfs|overlay|private-cache|private-cwd|private-dev|private-lib|private-tmp|private|quiet|restrict-namespaces|seccomp.32|seccomp.block-secondary|seccomp|tab|tracelog|writable-etc|writable-run-user|writable-var-log|writable-var|x11)
(@FJ_PROFILE_COMMANDS_ARG0@)
</define-regex>
<define-regex id="conditions" extended="true">
(ALLOW_TRAY|BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11)
(@FJ_PROFILE_CONDITIONALS@)
</define-regex>
<context id="conditional-line">
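Review bot: The generated alternations at `(@FJ_PROFILE_COMMANDS_ARG1@)` and `(@FJ_PROFILE_COMMANDS_ARG0@)` come from `LC_ALL=C sort -u`, so shorter names now precede their longer forms (`blacklist` before `blacklist-nolog`, `ip` before `ip6`, `seccomp` before `seccomp.32.drop`), whereas the hand-written regexes they replace deliberately listed the longer names first. With leftmost-first alternation this is harmless only if the context that uses `commands-with-arguments` / `commands-without-arguments` requires a delimiter immediately after the match (`\s`, `$` or similar); that context lies outside this hunk, so please confirm, otherwise `blacklist-nolog` is highlighted as `blacklist` plus an unmatched suffix. If the anchoring is absent, ending the two define-regex bodies with a lookahead, e.g. `(@FJ_PROFILE_COMMANDS_ARG1@)(?=\s)`, makes the generated order irrelevant (`\b` is not enough here because `.` and `-` are not word characters). The vim template already ends its equivalent patterns with a literal space or `$`, so it is unaffected.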


@ -0,0 +1,99 @@
" @make_input@
" Vim syntax file
" Language: Firejail security sandbox profile
" URL: https://github.com/netblue30/firejail
if exists("b:current_syntax")
finish
endif
syn iskeyword @,48-57,_,.,-
syn keyword fjTodo TODO FIXME XXX NOTE contained
syn match fjComment "#.*$" contains=fjTodo
"TODO: highlight "dangerous" capabilities differently, as is done in apparmor.vim?
syn keyword fjCapability audit_control audit_read audit_write block_suspend chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mac_admin mac_override mknod net_admin net_bind_service net_broadcast net_raw setgid setfcap setpcap setuid sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config syslog wake_alarm nextgroup=fjCapabilityList contained
syn match fjCapabilityList /,/ nextgroup=fjCapability contained
syn keyword fjNamespaces cgroup ipc net mnt pid time user uts nextgroup=fjNamespacesList contained
syn match fjNamespacesList /,/ nextgroup=fjNamespaces contained
syn keyword fjProtocol unix inet inet6 netlink packet nextgroup=fjProtocolList contained
syn match fjProtocolList /,/ nextgroup=fjProtocol contained
" Syscalls (auto-generated)
syn keyword fjSyscall @FJ_SYSCALLS@ nextgroup=fjSyscallErrno contained
" Syscall groups (auto-generated)
syn match fjSyscall /\v\@(@FJ_SYSCALL_GROUPS@)>/ nextgroup=fjSyscallErrno contained
syn match fjSyscall /\$[0-9]\+/ nextgroup=fjSyscallErrno contained
" Errnos (auto-generated)
syn match fjSyscallErrno /\v(:(@FJ_SYSTEM_ERRNOS@)>)?/ nextgroup=fjSyscallList contained
syn match fjSyscallList /,/ nextgroup=fjSyscall contained
syn keyword fjX11Sandbox none xephyr xorg xpra xvfb contained
syn keyword fjSeccompAction kill log ERRNO contained
syn match fjEnvVar "[A-Za-z0-9_]\+=" contained
syn match fjRmenvVar "[A-Za-z0-9_]\+" contained
syn keyword fjAll all contained
syn keyword fjNone none contained
syn keyword fjLo lo contained
syn keyword fjFilter filter contained
" Variable names (auto-generated)
syn match fjVar /\v\$\{(@FJ_PROFILE_MACROS@)}/
" Profile commands with 1 argument (auto-generated)
syn match fjCommand /\v(@FJ_PROFILE_COMMANDS_ARG1@) / skipwhite contained
" Profile commands with 0 arguments (auto-generated)
syn match fjCommand /\v(@FJ_PROFILE_COMMANDS_ARG0@)$/ contained
syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained
syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained
syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained
syn match fjCommand /protocol / nextgroup=fjProtocol skipwhite contained
syn match fjCommand /restrict-namespaces / nextgroup=fjNamespaces skipwhite contained
syn match fjCommand /\vseccomp(\.32)?(\.drop|\.keep)? / nextgroup=fjSyscall skipwhite contained
syn match fjCommand /x11 / nextgroup=fjX11Sandbox skipwhite contained
syn match fjCommand /env / nextgroup=fjEnvVar skipwhite contained
syn match fjCommand /rmenv / nextgroup=fjRmenvVar skipwhite contained
syn match fjCommand /shell / nextgroup=fjNone skipwhite contained
syn match fjCommand /net / nextgroup=fjNone,fjLo skipwhite contained
syn match fjCommand /ip / nextgroup=fjNone skipwhite contained
syn match fjCommand /seccomp-error-action / nextgroup=fjSeccompAction skipwhite contained
syn match fjCommand /\vdbus-(user|system) / nextgroup=fjFilter,fjNone skipwhite contained
syn match fjCommand /\vdbus-(user|system)\.(broadcast|call|own|see|talk) / skipwhite contained
" Commands that can't be inside a ?CONDITIONAL: statement
syn match fjCommandNoCond /include / skipwhite contained
syn match fjCommandNoCond /quiet$/ contained
" Conditionals (auto-generated)
syn match fjConditional /\v\?(@FJ_PROFILE_CONDITIONALS@) ?:/ nextgroup=fjCommand skipwhite contained
" A line is either a command, a conditional or a comment
syn match fjStatement /^/ nextgroup=fjCommand,fjCommandNoCond,fjConditional,fjComment
hi def link fjTodo Todo
hi def link fjComment Comment
hi def link fjCommand Statement
hi def link fjCommandNoCond Statement
hi def link fjConditional Macro
hi def link fjVar Identifier
hi def link fjCapability Type
hi def link fjProtocol Type
hi def link fjSyscall Type
hi def link fjSyscallErrno Constant
hi def link fjX11Sandbox Type
hi def link fjEnvVar Type
hi def link fjRmenvVar Type
hi def link fjAll Type
hi def link fjNone Type
hi def link fjLo Type
hi def link fjFilter Type
hi def link fjSeccompAction Type
let b:current_syntax = "firejail"


@ -0,0 +1,50 @@
allow-debuggers
allusers
apparmor
apparmor-replace
apparmor-stack
caps
deterministic-exit-code
deterministic-shutdown
disable-mnt
ipc-namespace
keep-config-pulse
keep-dev-shm
keep-var-tmp
machine-id
memory-deny-write-execute
netfilter
netlock
no3d
noautopulse
nodbus
nodvd
nogroups
noinput
nonewprivs
noprinters
noroot
nosound
notv
nou2f
novideo
overlay
overlay-tmpfs
private
private-cache
private-cwd
private-dev
private-etc
private-lib
private-tmp
quiet
restrict-namespaces
seccomp
seccomp\.block-secondary
tab
tracelog
writable-etc
writable-run-user
writable-var
writable-var-log
x11


@ -0,0 +1,76 @@
apparmor
bind
blacklist
blacklist-nolog
caps.drop
caps.keep
cpu
dbus-system.broadcast
dbus-system.call
dbus-system.own
dbus-system.see
dbus-system.talk
dbus-user.broadcast
dbus-user.call
dbus-user.own
dbus-user.see
dbus-user.talk
defaultgw
dns
env
hostname
hosts-file
ignore
include
ip
ip6
iprange
join-or-start
keep-fd
mac
mkdir
mkfile
mtu
name
net
netfilter
netfilter6
netmask
netns
nice
noblacklist
noexec
nowhitelist
overlay-named
private
private-bin
private-cwd
private-etc
private-home
private-lib
private-opt
private-srv
protocol
read-only
read-write
restrict-namespaces
rlimit-as
rlimit-cpu
rlimit-fsize
rlimit-nofile
rlimit-nproc
rlimit-sigpending
rmenv
seccomp
seccomp-error-action
seccomp.32
seccomp.32.drop
seccomp.32.keep
seccomp.drop
seccomp.keep
timeout
tmpfs
veth-name
whitelist
whitelist-ro
xephyr-screen


@ -0,0 +1,9 @@
ALLOW_TRAY
BROWSER_ALLOW_DRM
BROWSER_DISABLE_U2F
HAS_APPIMAGE
HAS_NET
HAS_NODBUS
HAS_NOSOUND
HAS_PRIVATE
HAS_X11


@ -0,0 +1,10 @@
CFG
DESKTOP
DOCUMENTS
DOWNLOADS
HOME
MUSIC
PATH
PICTURES
RUNUSER
VIDEOS


@ -0,0 +1,29 @@
aio
basic-io
chown
clock
cpu-emulation
debug
default
default-keep
default-nodebuggers
file-system
io-event
ipc
keyring
memlock
module
mount
network-io
obsolete
privileged
process
raw-io
reboot
resources
setuid
signal
swap
sync
system-service
timer


@ -0,0 +1,454 @@
_llseek
_newselect
_sysctl
accept
accept4
access
acct
add_key
adjtimex
afs_syscall
alarm
arch_prctl
arm_fadvise64_64
arm_sync_file_range
bdflush
bind
bpf
break
brk
capget
capset
chdir
chmod
chown
chown32
chroot
clock_adjtime
clock_adjtime64
clock_getres
clock_getres_time64
clock_gettime
clock_gettime64
clock_nanosleep
clock_nanosleep_time64
clock_settime
clock_settime64
clone
clone3
close
close_range
connect
copy_file_range
creat
create_module
delete_module
dup
dup2
dup3
epoll_create
epoll_create1
epoll_ctl
epoll_ctl_old
epoll_pwait
epoll_pwait2
epoll_wait
epoll_wait_old
eventfd
eventfd2
execve
execveat
exit
exit_group
faccessat
faccessat2
fadvise64
fadvise64_64
fallocate
fanotify_init
fanotify_mark
fchdir
fchmod
fchmodat
fchown
fchown32
fchownat
fcntl
fcntl64
fdatasync
fgetxattr
finit_module
flistxattr
flock
fork
fremovexattr
fsconfig
fsetxattr
fsmount
fsopen
fspick
fstat
fstat64
fstatat64
fstatfs
fstatfs64
fsync
ftime
ftruncate
ftruncate64
futex
futex_time64
futex_waitv
futimesat
get_kernel_syms
get_mempolicy
get_robust_list
get_thread_area
getcpu
getcwd
getdents
getdents64
getegid
getegid32
geteuid
geteuid32
getgid
getgid32
getgroups
getgroups32
getitimer
getpeername
getpgid
getpgrp
getpid
getpmsg
getppid
getpriority
getrandom
getresgid
getresgid32
getresuid
getresuid32
getrlimit
getrusage
getsid
getsockname
getsockopt
gettid
gettimeofday
getuid
getuid32
getxattr
gtty
idle
init_module
inotify_add_watch
inotify_init
inotify_init1
inotify_rm_watch
io_cancel
io_destroy
io_getevents
io_pgetevents
io_pgetevents_time64
io_setup
io_submit
io_uring_enter
io_uring_register
io_uring_setup
ioctl
ioperm
iopl
ioprio_get
ioprio_set
ipc
kcmp
kexec_file_load
kexec_load
keyctl
kill
landlock_add_rule
landlock_create_ruleset
landlock_restrict_self
lchown
lchown32
lgetxattr
link
linkat
listen
listxattr
llistxattr
lock
lookup_dcookie
lremovexattr
lseek
lsetxattr
lstat
lstat64
madvise
mbind
membarrier
memfd_create
migrate_pages
mincore
mkdir
mkdirat
mknod
mknodat
mlock
mlock2
mlockall
mmap
mmap2
modify_ldt
mount
mount_setattr
move_mount
move_pages
mprotect
mpx
mq_getsetattr
mq_notify
mq_open
mq_timedreceive
mq_timedreceive_time64
mq_timedsend
mq_timedsend_time64
mq_unlink
mremap
msgctl
msgget
msgrcv
msgsnd
msync
munlock
munlockall
munmap
name_to_handle_at
nanosleep
newfstatat
nfsservctl
nice
oldfstat
oldlstat
oldolduname
oldstat
olduname
open
open_by_handle_at
open_tree
openat
openat2
pause
pciconfig_iobase
pciconfig_read
pciconfig_write
perf_event_open
personality
pidfd_getfd
pidfd_open
pidfd_send_signal
pipe
pipe2
pivot_root
pkey_alloc
pkey_free
pkey_mprotect
poll
ppoll
ppoll_time64
prctl
pread64
preadv
preadv2
prlimit64
process_madvise
process_mrelease
process_vm_readv
process_vm_writev
prof
profil
pselect6
pselect6_time64
ptrace
putpmsg
pwrite64
pwritev
pwritev2
query_module
quotactl
quotactl_fd
read
readahead
readdir
readlink
readlinkat
readv
reboot
recv
recvfrom
recvmmsg
recvmmsg_time64
recvmsg
remap_file_pages
removexattr
rename
renameat
renameat2
request_key
restart_syscall
rmdir
rseq
rt_sigaction
rt_sigpending
rt_sigprocmask
rt_sigqueueinfo
rt_sigreturn
rt_sigsuspend
rt_sigtimedwait
rt_sigtimedwait_time64
rt_tgsigqueueinfo
sched_get_priority_max
sched_get_priority_min
sched_getaffinity
sched_getattr
sched_getparam
sched_getscheduler
sched_rr_get_interval
sched_rr_get_interval_time64
sched_setaffinity
sched_setattr
sched_setparam
sched_setscheduler
sched_yield
seccomp
security
select
semctl
semget
semop
semtimedop
semtimedop_time64
send
sendfile
sendfile64
sendmmsg
sendmsg
sendto
set_mempolicy
set_robust_list
set_thread_area
set_tid_address
setdomainname
setfsgid
setfsgid32
setfsuid
setfsuid32
setgid
setgid32
setgroups
setgroups32
sethostname
setitimer
setns
setpgid
setpriority
setregid
setregid32
setresgid
setresgid32
setresuid
setresuid32
setreuid
setreuid32
setrlimit
setsid
setsockopt
settimeofday
setuid
setuid32
setxattr
sgetmask
shmat
shmctl
shmdt
shmget
shutdown
sigaction
sigaltstack
signal
signalfd
signalfd4
sigpending
sigprocmask
sigreturn
sigsuspend
socket
socketcall
socketpair
splice
ssetmask
stat
stat64
statfs
statfs64
statx
stime
stty
swapoff
swapon
symlink
symlinkat
sync
sync_file_range
syncfs
sysfs
sysinfo
syslog
tee
tgkill
time
timer_create
timer_delete
timer_getoverrun
timer_gettime
timer_gettime64
timer_settime
timer_settime64
timerfd_create
timerfd_gettime
timerfd_gettime64
timerfd_settime
timerfd_settime64
times
tkill
truncate
truncate64
tuxcall
ugetrlimit
ulimit
umask
umount
umount2
uname
unlink
unlinkat
unshare
uselib
userfaultfd
ustat
utime
utimensat
utimensat_time64
utimes
vfork
vhangup
vm86
vm86old
vmsplice
vserver
wait4
waitid
waitpid
write
writev


@ -0,0 +1,135 @@
E2BIG
EACCES
EADDRINUSE
EADDRNOTAVAIL
EADV
EAFNOSUPPORT
EAGAIN
EALREADY
EBADE
EBADF
EBADFD
EBADMSG
EBADR
EBADRQC
EBADSLT
EBFONT
EBUSY
ECANCELED
ECHILD
ECHRNG
ECOMM
ECONNABORTED
ECONNREFUSED
ECONNRESET
EDEADLK
EDEADLOCK
EDESTADDRREQ
EDOM
EDOTDOT
EDQUOT
EEXIST
EFAULT
EFBIG
EHOSTDOWN
EHOSTUNREACH
EHWPOISON
EIDRM
EILSEQ
EINPROGRESS
EINTR
EINVAL
EIO
EISCONN
EISDIR
EISNAM
EKEYEXPIRED
EKEYREJECTED
EKEYREVOKED
EL2HLT
EL2NSYNC
EL3HLT
EL3RST
ELIBACC
ELIBBAD
ELIBEXEC
ELIBMAX
ELIBSCN
ELNRNG
ELOOP
EMEDIUMTYPE
EMFILE
EMLINK
EMSGSIZE
EMULTIHOP
ENAMETOOLONG
ENAVAIL
ENETDOWN
ENETRESET
ENETUNREACH
ENFILE
ENOANO
ENOATTR
ENOBUFS
ENOCSI
ENODATA
ENODEV
ENOENT
ENOEXEC
ENOKEY
ENOLCK
ENOLINK
ENOMEDIUM
ENOMEM
ENOMSG
ENONET
ENOPKG
ENOPROTOOPT
ENOSPC
ENOSR
ENOSTR
ENOSYS
ENOTBLK
ENOTCONN
ENOTDIR
ENOTEMPTY
ENOTNAM
ENOTRECOVERABLE
ENOTSOCK
ENOTSUP
ENOTTY
ENOTUNIQ
ENXIO
EOPNOTSUPP
EOVERFLOW
EOWNERDEAD
EPERM
EPFNOSUPPORT
EPIPE
EPROTO
EPROTONOSUPPORT
EPROTOTYPE
ERANGE
EREMCHG
EREMOTE
EREMOTEIO
ERESTART
ERFKILL
EROFS
ESHUTDOWN
ESOCKTNOSUPPORT
ESPIPE
ESRCH
ESRMNT
ESTALE
ESTRPIPE
ETIME
ETIMEDOUT
ETOOMANYREFS
ETXTBSY
EUCLEAN
EUNATCH
EUSERS
EWOULDBLOCK
EXDEV
EXFULL


@ -1,104 +0,0 @@
" Vim syntax file
" Language: Firejail security sandbox profile
" URL: https://github.com/netblue30/firejail
if exists("b:current_syntax")
finish
endif
syn iskeyword @,48-57,_,.,-
syn keyword fjTodo TODO FIXME XXX NOTE contained
syn match fjComment "#.*$" contains=fjTodo
"TODO: highlight "dangerous" capabilities differently, as is done in apparmor.vim?
syn keyword fjCapability audit_control audit_read audit_write block_suspend chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mac_admin mac_override mknod net_admin net_bind_service net_broadcast net_raw setgid setfcap setpcap setuid sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config syslog wake_alarm nextgroup=fjCapabilityList contained
syn match fjCapabilityList /,/ nextgroup=fjCapability contained
syn keyword fjNamespaces cgroup ipc net mnt pid time user uts nextgroup=fjNamespacesList contained
syn match fjNamespacesList /,/ nextgroup=fjNamespaces contained
syn keyword fjProtocol unix inet inet6 netlink packet nextgroup=fjProtocolList contained
syn match fjProtocolList /,/ nextgroup=fjProtocol contained
" Syscalls grabbed from: src/include/syscall*.h
" Generate list with: sed -n 's/{\s\+"\([^"]\+\)",.*},/\1/p' src/include/syscall*.h | sort -u | tr '\n' ' '
syn keyword fjSyscall _llseek _newselect _sysctl accept accept4 access acct add_key adjtimex afs_syscall alarm arch_prctl arm_fadvise64_64 arm_sync_file_range bdflush bind bpf break brk capget capset chdir chmod chown chown32 chroot clock_adjtime clock_adjtime64 clock_getres clock_getres_time64 clock_gettime clock_gettime64 clock_nanosleep clock_nanosleep_time64 clock_settime clock_settime64 clone clone3 close connect copy_file_range creat create_module delete_module dup dup2 dup3 epoll_create epoll_create1 epoll_ctl epoll_ctl_old epoll_pwait epoll_wait epoll_wait_old eventfd eventfd2 execve execveat exit exit_group faccessat faccessat2 fadvise64 fadvise64_64 fallocate fanotify_init fanotify_mark fchdir fchmod fchmodat fchown fchown32 fchownat fcntl fcntl64 fdatasync fgetxattr finit_module flistxattr flock fork fremovexattr fsconfig fsetxattr fsmount fsopen fspick fstat fstat64 fstatat64 fstatfs fstatfs64 fsync ftime ftruncate ftruncate64 futex futex_time64 futimesat getcpu getcwd getdents getdents64 getegid getegid32 geteuid geteuid32 getgid getgid32 getgroups getgroups32 getitimer get_kernel_syms get_mempolicy getpeername getpgid getpgrp getpid getpmsg getppid getpriority getrandom getresgid getresgid32 getresuid getresuid32 getrlimit get_robust_list getrusage getsid getsockname getsockopt get_thread_area gettid gettimeofday getuid getuid32 getxattr gtty idle init_module inotify_add_watch inotify_init inotify_init1 inotify_rm_watch io_cancel ioctl io_destroy io_getevents ioperm io_pgetevents io_pgetevents_time64 iopl ioprio_get ioprio_set io_setup io_submit io_uring_enter io_uring_register io_uring_setup ipc kcmp kexec_file_load kexec_load keyctl kill lchown lchown32 lgetxattr link linkat listen listxattr llistxattr lock lookup_dcookie lremovexattr lseek lsetxattr lstat lstat64 madvise mbind membarrier memfd_create migrate_pages mincore mkdir mkdirat mknod mknodat mlock mlock2 mlockall mmap mmap2 modify_ldt mount move_mount move_pages mprotect mpx mq_getsetattr 
mq_notify mq_open mq_timedreceive mq_timedreceive_time64 mq_timedsend mq_timedsend_time64 mq_unlink mremap msgctl msgget msgrcv msgsnd msync munlock munlockall munmap name_to_handle_at nanosleep newfstatat nfsservctl nice oldfstat oldlstat oldolduname oldstat olduname open openat open_by_handle_at open_tree pause pciconfig_iobase pciconfig_read pciconfig_write perf_event_open personality pidfd_open pidfd_send_signal pipe pipe2 pivot_root pkey_alloc pkey_free pkey_mprotect poll ppoll ppoll_time64 prctl pread64 preadv preadv2 prlimit64 process_vm_readv process_vm_writev prof profil pselect6 pselect6_time64 ptrace putpmsg pwrite64 pwritev pwritev2 query_module quotactl read readahead readdir readlink readlinkat readv reboot recv recvfrom recvmmsg recvmmsg_time64 recvmsg remap_file_pages removexattr rename renameat renameat2 request_key restart_syscall rmdir rseq rt_sigaction rt_sigpending rt_sigprocmask rt_sigqueueinfo rt_sigreturn rt_sigsuspend rt_sigtimedwait rt_sigtimedwait_time64 rt_tgsigqueueinfo sched_getaffinity sched_getattr sched_getparam sched_get_priority_max sched_get_priority_min sched_getscheduler sched_rr_get_interval sched_rr_get_interval_time64 sched_setaffinity sched_setattr sched_setparam sched_setscheduler sched_yield seccomp security select semctl semget semop semtimedop semtimedop_time64 send sendfile sendfile64 sendmmsg sendmsg sendto setdomainname setfsgid setfsgid32 setfsuid setfsuid32 setgid setgid32 setgroups setgroups32 sethostname setitimer set_mempolicy setns setpgid setpriority setregid setregid32 setresgid setresgid32 setresuid setresuid32 setreuid setreuid32 setrlimit set_robust_list setsid setsockopt set_thread_area set_tid_address settimeofday setuid setuid32 setxattr sgetmask shmat shmctl shmdt shmget shutdown sigaction sigaltstack signal signalfd signalfd4 sigpending sigprocmask sigreturn sigsuspend socket socketcall socketpair splice ssetmask stat stat64 statfs statfs64 statx stime stty swapoff swapon symlink symlinkat sync 
sync_file_range sync_file_range2 syncfs syscall sysfs sysinfo syslog tee tgkill time timer_create timer_delete timerfd_create timerfd_gettime timerfd_gettime64 timerfd_settime timerfd_settime64 timer_getoverrun timer_gettime timer_gettime64 timer_settime timer_settime64 times tkill truncate truncate64 tuxcall ugetrlimit ulimit umask umount umount2 uname unlink unlinkat unshare uselib userfaultfd ustat utime utimensat utimensat_time64 utimes vfork vhangup vm86 vm86old vmsplice vserver wait4 waitid waitpid write writev nextgroup=fjSyscallErrno contained
" Syscall groups grabbed from: src/fseccomp/syscall.c
" Generate list with: sed -En 's/.*"@([^",]+).*/\1/p' src/lib/syscall.c | sort -u | tr '\n' '|'
syn match fjSyscall /\v\@(aio|basic-io|chown|clock|cpu-emulation|debug|default|default-keep|default-nodebuggers|file-system|io-event|ipc|keyring|memlock|module|mount|network-io|obsolete|privileged|process|raw-io|reboot|resources|setuid|signal|swap|sync|system-service|timer)>/ nextgroup=fjSyscallErrno contained
syn match fjSyscall /\$[0-9]\+/ nextgroup=fjSyscallErrno contained
" Errnos grabbed from: src/fseccomp/errno.c
" Generate list with: sed -En 's/.*"(E[^"]+).*/\1/p' src/lib/errno.c | sort -u | tr '\n' '|'
syn match fjSyscallErrno /\v(:(E2BIG|EACCES|EADDRINUSE|EADDRNOTAVAIL|EADV|EAFNOSUPPORT|EAGAIN|EALREADY|EBADE|EBADF|EBADFD|EBADMSG|EBADR|EBADRQC|EBADSLT|EBFONT|EBUSY|ECANCELED|ECHILD|ECHRNG|ECOMM|ECONNABORTED|ECONNREFUSED|ECONNRESET|EDEADLK|EDEADLOCK|EDESTADDRREQ|EDOM|EDOTDOT|EDQUOT|EEXIST|EFAULT|EFBIG|EHOSTDOWN|EHOSTUNREACH|EHWPOISON|EIDRM|EILSEQ|EINPROGRESS|EINTR|EINVAL|EIO|EISCONN|EISDIR|EISNAM|EKEYEXPIRED|EKEYREJECTED|EKEYREVOKED|EL2HLT|EL2NSYNC|EL3HLT|EL3RST|ELIBACC|ELIBBAD|ELIBEXEC|ELIBMAX|ELIBSCN|ELNRNG|ELOOP|EMEDIUMTYPE|EMFILE|EMLINK|EMSGSIZE|EMULTIHOP|ENAMETOOLONG|ENAVAIL|ENETDOWN|ENETRESET|ENETUNREACH|ENFILE|ENOANO|ENOATTR|ENOBUFS|ENOCSI|ENODATA|ENODEV|ENOENT|ENOEXEC|ENOKEY|ENOLCK|ENOLINK|ENOMEDIUM|ENOMEM|ENOMSG|ENONET|ENOPKG|ENOPROTOOPT|ENOSPC|ENOSR|ENOSTR|ENOSYS|ENOTBLK|ENOTCONN|ENOTDIR|ENOTEMPTY|ENOTNAM|ENOTRECOVERABLE|ENOTSOCK|ENOTSUP|ENOTTY|ENOTUNIQ|ENXIO|EOPNOTSUPP|EOVERFLOW|EOWNERDEAD|EPERM|EPFNOSUPPORT|EPIPE|EPROTO|EPROTONOSUPPORT|EPROTOTYPE|ERANGE|EREMCHG|EREMOTE|EREMOTEIO|ERESTART|ERFKILL|EROFS|ESHUTDOWN|ESOCKTNOSUPPORT|ESPIPE|ESRCH|ESRMNT|ESTALE|ESTRPIPE|ETIME|ETIMEDOUT|ETOOMANYREFS|ETXTBSY|EUCLEAN|EUNATCH|EUSERS|EWOULDBLOCK|EXDEV|EXFULL)>)?/ nextgroup=fjSyscallList contained
syn match fjSyscallList /,/ nextgroup=fjSyscall contained
syn keyword fjX11Sandbox none xephyr xorg xpra xvfb contained
syn keyword fjSeccompAction kill log ERRNO contained
syn match fjEnvVar "[A-Za-z0-9_]\+=" contained
syn match fjRmenvVar "[A-Za-z0-9_]\+" contained
syn keyword fjAll all contained
syn keyword fjNone none contained
syn keyword fjLo lo contained
syn keyword fjFilter filter contained
" Variable names grabbed from: src/firejail/macros.c
" Generate list with: sed -En 's/.*\$\{([^}]+)\}.*/\1/p' src/firejail/macros.c | sort -u | tr '\n' '|'
syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES|RUNUSER|VIDEOS)}/
" Commands grabbed from: src/firejail/profile.c
" Generate list with: { sed -En 's/.*strn?cmp\(ptr, "([^"]+) ".*/\1/p' src/firejail/profile.c; echo private-lib; } | grep -Ev '^(include|ignore|caps\.drop|caps\.keep|protocol|restrict-namespaces|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)$' | sort -u | tr '\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword)
syn match fjCommand /\v(apparmor|bind|blacklist|blacklist-nolog|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
" Generate list with: sed -En 's/.*strn?cmp\(ptr, "([^ "]*[^ ])".*/\1/p' src/firejail/profile.c | grep -Ev '^(include|rlimit|quiet)$' | sed 's/\./\\./' | sort -u | tr '\n' '|' # include/rlimit are false positives, quiet is special-cased below
syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-fd|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained
syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained
syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained
syn match fjCommand /protocol / nextgroup=fjProtocol skipwhite contained
syn match fjCommand /restrict-namespaces / nextgroup=fjNamespaces skipwhite contained
syn match fjCommand /\vseccomp(\.32)?(\.drop|\.keep)? / nextgroup=fjSyscall skipwhite contained
syn match fjCommand /x11 / nextgroup=fjX11Sandbox skipwhite contained
syn match fjCommand /env / nextgroup=fjEnvVar skipwhite contained
syn match fjCommand /rmenv / nextgroup=fjRmenvVar skipwhite contained
syn match fjCommand /shell / nextgroup=fjNone skipwhite contained
syn match fjCommand /net / nextgroup=fjNone,fjLo skipwhite contained
syn match fjCommand /ip / nextgroup=fjNone skipwhite contained
syn match fjCommand /seccomp-error-action / nextgroup=fjSeccompAction skipwhite contained
syn match fjCommand /\vdbus-(user|system) / nextgroup=fjFilter,fjNone skipwhite contained
syn match fjCommand /\vdbus-(user|system)\.(broadcast|call|own|see|talk) / skipwhite contained
" Commands that can't be inside a ?CONDITIONAL: statement
syn match fjCommandNoCond /include / skipwhite contained
syn match fjCommandNoCond /quiet$/ contained
" Conditionals grabbed from: src/firejail/profile.c
" Generate list with: awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$/ {process=1;} /\t*\{"[^"]+".*/ { if (process) {print gensub(/^\t*\{"([^"]+)".*$/, "\\1", 1);} } /^\t\{ NULL, NULL \}$/ {process=0;}' src/firejail/profile.c | sort -u | tr '\n' '|'
syn match fjConditional /\v\?(ALLOW_TRAY|BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11) ?:/ nextgroup=fjCommand skipwhite contained
" A line is either a command, a conditional or a comment
syn match fjStatement /^/ nextgroup=fjCommand,fjCommandNoCond,fjConditional,fjComment
hi def link fjTodo Todo
hi def link fjComment Comment
hi def link fjCommand Statement
hi def link fjCommandNoCond Statement
hi def link fjConditional Macro
hi def link fjVar Identifier
hi def link fjCapability Type
hi def link fjProtocol Type
hi def link fjSyscall Type
hi def link fjSyscallErrno Constant
hi def link fjX11Sandbox Type
hi def link fjEnvVar Type
hi def link fjRmenvVar Type
hi def link fjAll Type
hi def link fjNone Type
hi def link fjLo Type
hi def link fjFilter Type
hi def link fjSeccompAction Type
let b:current_syntax = "firejail"


@ -18,6 +18,7 @@ blacklist-nolog ${HOME}/.histfile
blacklist-nolog ${HOME}/.history
blacklist-nolog ${HOME}/.kde/share/apps/klipper
blacklist-nolog ${HOME}/.kde4/share/apps/klipper
blacklist-nolog ${HOME}/.lesshst
blacklist-nolog ${HOME}/.local/share/fish/fish_history
blacklist-nolog ${HOME}/.local/share/ibus-typing-booster
blacklist-nolog ${HOME}/.local/share/klipper
@ -25,10 +26,9 @@ blacklist-nolog ${HOME}/.local/share/nvim
blacklist-nolog ${HOME}/.local/state/nvim
blacklist-nolog ${HOME}/.macromedia
blacklist-nolog ${HOME}/.mupdf.history
blacklist-nolog ${HOME}/.mutthistory
blacklist-nolog ${HOME}/.python-history
blacklist-nolog ${HOME}/.python_history
blacklist-nolog ${HOME}/.pythonhist
blacklist-nolog ${HOME}/.lesshst
blacklist-nolog ${HOME}/.viminfo
blacklist-nolog /tmp/clipmenu*


@ -13,7 +13,7 @@ include allow-perl.inc
noroot
# without login.defs atool complains and uses UID/GID 1000 by default
private-etc alternatives,group,ld.so.cache,ld.so.preload,login.defs,passwd
private-etc alternatives,group,ld.so.cache,ld.so.preload,login.defs,passwd,resolv.conf
private-tmp
# Redirect
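Review bot: The added `resolv.conf` entry carries no comment saying why an archive tool needs it, while the line just above explains the login.defs entry; a short `# resolv.conf: <reason>` comment would keep the profile self-explanatory. The man page text in this commit says networking files are brought in automatically unless `--net=none` is used, so if atool.profile sets `net none` (not visible here) the explicit entry is what makes the file available, and that is worth stating in the comment.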


@ -54,7 +54,7 @@ tracelog
private-cache
private-dev
# private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
private-etc TLS-CA
private-etc @tls-ca
private-tmp
dbus-user none


@ -60,7 +60,7 @@ disable-mnt
# private-etc below works fine on most distributions. There are some problems on CentOS.
# Add it to your firefox-common.local if you want to enable it.
#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
private-etc GUI,mailcap,mime.types,NETWORK,os-release,TLS-CA
private-etc @tls-ca,@x11,mailcap,mime.types,os-release
private-tmp
blacklist ${PATH}/curl
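Review bot: `NETWORK` disappears from the private-etc list while the other group names are only renamed (`GUI` to `@x11`, `TLS-CA` to `@tls-ca`); the new line has no `@network`. Presumably this relies on networking files being pulled in automatically, as the man page text in this commit says happens unless `--net=none` is set, but that makes the dropped group a behavioural change rather than a rename. Either call it out in the commit message or, if explicit inclusion was intended, make the line `private-etc @network,@tls-ca,@x11,mailcap,mime.types,os-release`.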


@ -59,7 +59,7 @@ seccomp !mbind
tracelog
private-dev
private-etc gcrypt,GUI,python*
private-etc @x11,gcrypt,python*
private-tmp
dbus-user none


@ -54,7 +54,7 @@ tracelog
# private-bin inkscape,potrace,python* - problems on Debian stretch
private-cache
private-dev
private-etc ImageMagick*,inkscape: GUI,python*
private-etc @x11,ImageMagick*,python*
private-tmp
dbus-user none
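Review bot: The rewritten line drops the `inkscape` entry together with the odd `inkscape: GUI` spelling of the old line, so /etc/inkscape is no longer copied in if that entry was meant to name it. If the directory is used on some distributions the line should read `private-etc @x11,ImageMagick*,inkscape,python*`; if the drop is deliberate because the old entry was a typo that never matched anything, a word in the commit message would save the next reader the same question.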


@ -23,6 +23,7 @@ noblacklist ${HOME}/.mail
noblacklist ${HOME}/.mailcap
noblacklist ${HOME}/.msmtprc
noblacklist ${HOME}/.mutt
noblacklist ${HOME}/.mutthistory
noblacklist ${HOME}/.muttrc
noblacklist ${HOME}/.nanorc
noblacklist ${HOME}/.signature
@ -51,29 +52,18 @@ include disable-programs.inc
include disable-xdg.inc
mkdir ${HOME}/.Mail
mkdir ${HOME}/.bogofilter
mkdir ${HOME}/.cache/mutt
mkdir ${HOME}/.config/mutt
mkdir ${HOME}/.config/nano
mkdir ${HOME}/.elinks
mkdir ${HOME}/.emacs.d
mkdir ${HOME}/.gnupg
mkdir ${HOME}/.mail
mkdir ${HOME}/.mutt
mkdir ${HOME}/.vim
mkdir ${HOME}/.w3m
mkdir ${HOME}/Mail
mkdir ${HOME}/mail
mkdir ${HOME}/postponed
mkdir ${HOME}/sent
mkfile ${HOME}/.emacs
mkfile ${HOME}/.mailcap
mkfile ${HOME}/.msmtprc
mkfile ${HOME}/.muttrc
mkfile ${HOME}/.nanorc
mkfile ${HOME}/.signature
mkfile ${HOME}/.viminfo
mkfile ${HOME}/.vimrc
whitelist ${DOCUMENTS}
whitelist ${DOWNLOADS}
whitelist ${HOME}/.Mail
@ -89,6 +79,7 @@ whitelist ${HOME}/.mail
whitelist ${HOME}/.mailcap
whitelist ${HOME}/.msmtprc
whitelist ${HOME}/.mutt
whitelist ${HOME}/.mutthistory
whitelist ${HOME}/.muttrc
whitelist ${HOME}/.nanorc
whitelist ${HOME}/.signature
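Review bot: The middle hunk (`-51,29 +52,18`) removes eleven of the `mkdir`/`mkfile` lines between `mkdir ${HOME}/.bogofilter` and `whitelist ${DOCUMENTS}`, and the rendered page does not show which ones, while the matching `whitelist` lines further down appear to stay. As far as I recall, firejail ignores a `whitelist` whose path does not exist yet, which is why profiles create the path first, so each removed `mkdir`/`mkfile` should be checked against the remaining `whitelist` line for the same path (for example `${HOME}/.mutt`, `${HOME}/postponed`, `${HOME}/sent`) before it goes. Keeping those pairs together avoids a sandbox that starts without the directory mutt writes to and fails only at save time.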


@ -51,7 +51,7 @@ tracelog
disable-mnt
private-bin bash,dash,sh,warzone2100,which
private-dev
private-etc GAMES,GUI
private-etc @games,@x11
private-tmp
restrict-namespaces


@ -77,15 +77,15 @@ char *fs_etc_build(char *str) {
char* ptr = strtok(str, ",");
while (ptr) {
// look for standard groups
if (strcmp(ptr, "TLS-CA") == 0)
if (strcmp(ptr, "@tls-ca") == 0)
etc_copy_group(&etc_group_tls_ca[0]);
if (strcmp(ptr, "GUI") == 0)
etc_copy_group(&etc_group_gui[0]);
if (strcmp(ptr, "SOUND") == 0)
if (strcmp(ptr, "@x11") == 0)
etc_copy_group(&etc_group_x11[0]);
if (strcmp(ptr, "@sound") == 0)
etc_copy_group(&etc_group_sound[0]);
if (strcmp(ptr, "NETWORK") == 0)
if (strcmp(ptr, "@network") == 0)
etc_copy_group(&etc_group_network[0]);
if (strcmp(ptr, "GAMES") == 0)
if (strcmp(ptr, "@games") == 0)
etc_copy_group(&etc_group_games[0]);
else
etc_add(ptr);
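Review bot: The `else` on the last line pairs only with the `@games` test, so a token equal to `@tls-ca`, `@x11`, `@sound` or `@network` is handled by `etc_copy_group()` and then also passed to `etc_add(ptr)` as if it were a file name; the structure is inherited from the old code, but since the rename touches every one of these lines it is the moment to turn the four middle tests into `else if` so that only the final `else` reaches `etc_add()`. Whether `etc_add("@x11")` is harmless depends on `etc_add()`, which is outside the hunk. The old spellings `TLS-CA`, `GUI`, `SOUND`, `NETWORK` and `GAMES` are no longer recognised here and will likewise fall through to `etc_add()` from any `.local` file or downstream profile that still uses them; a warning on stderr for a token that starts with an unknown `@` group, or accepting the old names as aliases for one release, would make the break visible instead of silent. `fs_etc_build()` starts before the hunk.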


@ -2172,11 +2172,24 @@ int main(int argc, char **argv, char **envp) {
// hostname, etc
//*************************************
else if (strncmp(argv[i], "--name=", 7) == 0) {
int only_numbers = 1;
cfg.name = argv[i] + 7;
if (strlen(cfg.name) == 0) {
fprintf(stderr, "Error: please provide a name for sandbox\n");
return 1;
}
const char *c = cfg.name;
while (*c) {
if (!isdigit(*c)) {
only_numbers = 0;
break;
}
++c;
}
if (only_numbers) {
fprintf(stderr, "Error: invalid sandbox name: it only contains digits\n");
return 1;
}
}
else if (strncmp(argv[i], "--hostname=", 11) == 0) {
cfg.hostname = argv[i] + 11;
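Review bot: `isdigit(*c)` is called on a plain `char`; where `char` is signed, a non-ASCII byte in the name becomes a negative value, which the `<ctype.h>` functions do not accept, so the test should be `if (!isdigit((unsigned char)*c)) {`. The same loop appears verbatim in the `name ` handler of profile.c in this commit (its `-326,11 +326,24` hunk) with the same cast missing, so a shared helper would keep both checks identical and lets the `only_numbers` flag plus `break` collapse into a plain loop, as sketched below (the helper is meant to be declared where the two files' other shared helpers are; it is shown here without that declaration). A one-line comment on why all-digit names are rejected, which the man page change explains, would help the next reader. `main()` starts and ends outside the hunk.
```c
// 1 when every byte of s is a decimal digit (s non-empty); the cast keeps
// negative (non-ASCII) bytes out of the <ctype.h> range, where behaviour is undefined
int only_digits(const char *s) {
	for (; *s; s++)
		if (!isdigit((unsigned char)*s))
			return 0;
	return 1;
}

// … unchanged: option parsing up to the --name= handler …
		else if (strncmp(argv[i], "--name=", 7) == 0) {
			cfg.name = argv[i] + 7;
			if (strlen(cfg.name) == 0) {
				fprintf(stderr, "Error: please provide a name for sandbox\n");
				return 1;
			}
			// an all-digit name is ambiguous: --join and the other
			// name-taking options read a number as a PID
			if (only_digits(cfg.name)) {
				fprintf(stderr, "Error: invalid sandbox name: it only contains digits\n");
				return 1;
			}
		}
```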


@ -326,11 +326,24 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
}
// sandbox name
else if (strncmp(ptr, "name ", 5) == 0) {
int only_numbers = 1;
cfg.name = ptr + 5;
if (strlen(cfg.name) == 0) {
fprintf(stderr, "Error: invalid sandbox name\n");
exit(1);
}
const char *c = cfg.name;
while (*c) {
if (!isdigit(*c)) {
only_numbers = 0;
break;
}
++c;
}
if (only_numbers) {
fprintf(stderr, "Error: invalid sandbox name: it only contains digits\n");
exit(1);
}
return 0;
}
else if (strcmp(ptr, "ipc-namespace") == 0) {


@ -23,7 +23,7 @@
#define ETC_MAX 256
// DEFAULT
// @default
static char *etc_list[ETC_MAX + 1] = { // plus 1 for ending NULL pointer
"alternatives",
"fonts",
@ -42,7 +42,7 @@ static char *etc_list[ETC_MAX + 1] = { // plus 1 for ending NULL pointer
NULL
};
// SOUND
// @sound
static char *etc_group_sound[] = {
"alsa",
"asound.conf",
@ -51,7 +51,7 @@ static char *etc_group_sound[] = {
NULL
};
// NETWORK
// @network
static char*etc_group_network[] = {
"hostname",
"hosts",
@ -60,7 +60,7 @@ static char*etc_group_network[] = {
NULL
};
// TLS-CA
// @tls-ca
static char *etc_group_tls_ca[] = {
"ca-certificates",
"crypto-policies",
@ -70,8 +70,8 @@ static char *etc_group_tls_ca[] = {
NULL
};
// GUI
static char *etc_group_gui[] = {
// @x11
static char *etc_group_x11[] = {
"xdg",
"drirc",
"dconf",
@ -80,10 +80,12 @@ static char *etc_group_gui[] = {
"kde4rc",
"kde5rc",
"pango", // text rendering/internationalization
"nvidia",
"X11",
NULL
};
// GAMES
// @games
static char *etc_group_games[] = {
"timidity", // MIDI
"timidity.cfg",
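Review bot: `"nvidia"` and `"X11"` are, as I read the `-80,10 +80,12` counts, the only non-comment additions in this section and, unlike `pango` two lines above, carry no note on why they belong to `@x11`; a trailing comment such as `"nvidia", // driver configuration, presumably the proprietary driver's — confirm` makes the group's scope reviewable later. The rest of the section only renames the group comments and `etc_group_gui` to `etc_group_x11`.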


@ -1330,6 +1330,7 @@ $ firejail \-\-net=eth0 \-\-mtu=1492
\fB\-\-name=name
Set sandbox name. Several options, such as \-\-join and \-\-shutdown, can use
this name to identify a sandbox.
The name cannot contain only digits, as that is treated as a PID in the other options, such as in \-\-join.
In case the name supplied by the user is already in use by another sandbox, Firejail will assign a
new name as "name-PID", where PID is the process ID of the sandbox. This functionality
@ -2127,27 +2128,27 @@ cdrom cdrw dri dvd dvdrw full log null ptmx pts random shm snd sr0
.br
$
.TP
\fB\-\-private-etc, \-\-private-etc=file,directory
\fB\-\-private-etc, \-\-private-etc=file,directory,@group
The files installed by \-\-private-etc are copies of the original system files from /etc directory.
By default, the command brings in a skeleton of files and directories used by most console tools:
$ firejail --private-etc dig debian.org
For X11/GTK/QT/Gnome/KDE programs add GUI group as a parameter. Example:
For X11/GTK/QT/Gnome/KDE programs add @x11 group as a parameter. Example:
$ firejail --private-etc=GUI,python* gimp
$ firejail --private-etc=@x11,gcrypt,python* gimp
/etc/python* directories are not part of the generic GUI group.
These directories are reuqired by Gimp plugin system. File globbing is supported.
gcrypt and /etc/python* directories are not part of the generic @x11 group.
File globbing is supported.
For games, add GAMES group:
For games, add @games group:
$ firejail --private-etc=GUI,GAMES warzone2100
$ firejail --private-etc=@games,@x11 warzone2100
Sound and networking files are included automatically, unless \-\-nosound or \-\-net=none are specified.
Files for encrypted TLS/SSL protocol are in TLS-CA group.
Files for encrypted TLS/SSL protocol are in @tls-ca group.
$ firejail --private-etc=TLS-CA,wgetrc wget https://debian.org
$ firejail --private-etc=@tls-ca,wgetrc wget https://debian.org
Note: The easiest way to extract the list of /etc files accessed by your program is using strace utility: