diff --git a/src/firejail/main.c b/src/firejail/main.c index 23df12b21..e355a3913 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1800,7 +1800,6 @@ int main(int argc, char **argv, char **envp) { } else if (strncmp(argv[i], "--profile=", 10) == 0) { // multiple profile files are allowed! - if (arg_noprofile) { fprintf(stderr, "Error: --noprofile and --profile options are mutually exclusive\n"); exit(1); @@ -1813,21 +1812,31 @@ int main(int argc, char **argv, char **envp) { // checking for strange chars in the file name, no globbing invalid_filename(ppath, 0); - if (*ppath == ':' || access(ppath, R_OK) || is_dir(ppath)) { - int has_colon = (*ppath == ':'); + // is this a file path? + if (*ppath == '/' || + strncmp(ppath, "~/", 2) == 0 || + strncmp(ppath, "./", 2) == 0 || + strncmp(ppath, "../", 3) == 0) { + if (access(ppath, R_OK)) { + fprintf(stderr, "Error: inaccessible profile file: %s\n", ppath); + exit(1); + } + profile_read(ppath); + custom_profile = 1; + } + // or an application name? + else { char *ptr = ppath; while (*ptr != '/' && *ptr != '.' && *ptr != '\0') ptr++; // profile path contains no / or . chars, - // assume its a profile name + // for example firefox will be ok, firefox.profile will fail if (*ptr != '\0') { - fprintf(stderr, "Error: inaccessible profile file: %s\n", ppath); + fprintf(stderr, "Error: %s is not an application name.\n", ppath); exit(1); } - // profile was not read in previously, try to see if - // we were given a profile name. - if (!profile_find_firejail(ppath + has_colon, 1)) { + if (!profile_find_firejail(ppath, 1)) { // do not fall through to default profile, // because the user should be notified that // given profile arg could not be used. @@ -1837,10 +1846,6 @@ int main(int argc, char **argv, char **envp) { else custom_profile = 1; } - else { - profile_read(ppath); - custom_profile = 1; - } free(ppath); } else if (strcmp(argv[i], "--noprofile") == 0) { 
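Review bot: The new file-path branch in the second `main.c` hunk checks only `access(ppath, R_OK)`, while the condition it replaces also tested `is_dir(ppath)`, so a readable directory (constructed example: `--profile=./somedir`) now reaches `profile_read()` and sets `custom_profile = 1`. Unless `profile_read()` rejects directories itself (its body is outside this hunk), the sandbox could start with an effectively empty profile and no fallback to the default one. Keeping the guard as `if (access(ppath, R_OK) || is_dir(ppath)) {` fails closed. Separately, a relative path without a leading `./`, such as `dir/x.profile`, falls into the application-name branch and is reported as "is not an application name", so that message could point the user at the `./` form. The enclosing `main()` starts and ends outside the hunk.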
diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in index 401f2dfad..a08257586 100644 --- a/src/man/firejail.1.in +++ b/src/man/firejail.1.in @@ -88,12 +88,9 @@ system directories mounted read-only. These directories are /etc, /var, /usr, /b /libx32 and /lib64. Only /home and /tmp are writable. .PP Upon execution Firejail first looks in ~/.config/firejail/ for a profile and if it doesn't find one, it looks in /etc/firejail/. -For profile resolution detail see -.UR https://github.com/netblue30/firejail/wiki/Creating-Profiles#locations-and-types -.UE . If an appropriate profile is not found, Firejail will use a default profile. The default profile is quite restrictive. In case the application doesn't work, use --noprofile option -to disable it. For more information, please see \fBSECURITY PROFILES\fR section below. +to disable it. .PP If a program argument is not specified, Firejail starts the user's preferred shell. Examples: 
@@ -2406,15 +2403,68 @@ drwxrwxrwt 2 nobody nogroup 4096 Apr 30 10:52 .X11-unix .br .TP -\fB\-\-profile=filename_or_profilename -Load a custom security profile from filename. For filename use an absolute path or a path relative to the current path. -For more information, see \fBSECURITY PROFILES\fR section below. +\fB\-\-profile=filename|appname +Load a custom security profile from filename, or use the name of a specific application. +.br + +.br +If the command line option --profile is not provided, Firejail will attempt to extract the appname +from the target program filename. It will then search ~/.config/firejail directory for a suitable profile, +followed by a search in /etc/firejail/directory. .br .br Example: .br -$ firejail \-\-profile=myprofile +$ firejail firefox +.br +Reading profile /home/netblue/.config/firejail/firefox.profile +.br +Reading profile /etc/firejail/firefox.profile +.br +Reading profile /etc/firejail/firefox-common.profile +.br +[...] +.br + +.br +When using a filename, please include a full path or a relative path. +.br + +.br +$ firejail --profile=./firefox.profile firefox +.br +Reading profile ./firefox.profile +.br +Reading profile /etc/firejail/firefox.profile +.br +Reading profile /etc/firejail/firefox-common.profile +.br +[...] +.br + +.br +--profile=appname comes in handy when running appimages: +.br + +.br +$ firejail --appimage --profile=firefox firefox-nightly-148.0.r20260103-x86_64.AppImage +.br +Reading profile /home/netblue/.config/firejail/firefox.profile +.br +Reading profile /etc/firejail/firefox.profile +.br +Reading profile /etc/firejail/firefox-common.profile +.br +[...] +.br + +.br +See \fBman 5 firejail-profile\fR for profile file syntax information. +For profile resolution details see +.UR +https://github.com/netblue30/firejail/wiki/Creating-Profiles. +.UE .TP \fB\-\-profile.print=name|pid 
@@ -3792,73 +3842,6 @@ adduser \-\-shell /usr/bin/firejail username Additional arguments passed to firejail executable upon login are declared in /etc/firejail/login.users file. -.SH SECURITY PROFILES -Several command line options can be passed to the program using -profile files. Firejail chooses the profile file as follows: - -1. If a profile file is provided by the user with --profile=FILE option, the profile FILE is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. If there is a file with the same name as the given profile name, it will be used instead of doing the profile search. To force a profile search, prefix the profile name with a colon (:), eg. --profile=:PROFILE_NAME. -Example: -.PP -.RS -$ firejail --profile=/home/netblue/icecat.profile /usr/bin/icecat -.br -Reading profile /home/netblue/icecat.profile -.br -[...] -.RE - -.PP -.RS -$ firejail --profile=icecat /usr/bin/icecat-wrapper.sh -.br -Reading profile /etc/firejail/icecat.profile -.br -[...] -.RE - -2. If a profile file with the same name as the application is present in ~/.config/firejail directory or -in /etc/firejail, the profile is loaded. ~/.config/firejail takes precedence over /etc/firejail. Example: -.PP -.RS -$ firejail /usr/bin/icecat -.br -Command name #icecat# -.br -Found icecat profile in /home/netblue/.config/firejail directory -.br -Reading profile /home/netblue/.config/firejail/icecat.profile -.br -[...] -.RE - -3. Use default.profile file if the sandbox -is started by a regular user, or server.profile file if the sandbox -is started by root. Firejail looks for these files in ~/.config/firejail directory, followed by /etc/firejail directory. -To disable default profile loading, use --noprofile command option. 
Example: -.PP -.RS -$ firejail -.br -Reading profile /etc/firejail/default.profile -.br -Parent pid 8553, child pid 8554 -.br -Child process initialized -.br -[...] -.br - -.br -$ firejail \-\-noprofile -.br -Parent pid 8553, child pid 8554 -.br -Child process initialized -.br -[...] -.RE - -See \fBman 5 firejail-profile\fR for profile file syntax information. #ifdef HAVE_NETWORK .SH TRAFFIC SHAPING Network bandwidth is an expensive resource shared among all sandboxes running on a system. diff --git a/test/capabilities/caps.exp b/test/capabilities/caps.exp index 58fa3acab..be7f35f3c 100755 --- a/test/capabilities/caps.exp +++ b/test/capabilities/caps.exp @@ -56,7 +56,7 @@ expect { } after 500 -send -- "firejail --profile=caps1.profile --debug ls\r" +send -- "firejail --profile=./caps1.profile --debug ls\r" expect { timeout {puts "TESTING ERROR 11\n";exit} "Drop CAP_SYS_MODULE" @@ -74,7 +74,7 @@ after 500 ## tofix: possible problem with caps.keep in profile files ##send -- "firejail --caps.keep=chown,fowner --noprofile\r" -#send -- "firejail --profile=caps2.profile\r" +#send -- "firejail --profile=./caps2.profile\r" #expect { # timeout {puts "TESTING ERROR 15\n";exit} # -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" @@ -94,7 +94,7 @@ after 500 #sleep 1 #send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r" -send -- "firejail --profile=caps3.profile cat /proc/self/status\r" +send -- "firejail --profile=./caps3.profile cat /proc/self/status\r" expect { timeout {puts "TESTING ERROR 18\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" diff --git a/test/environment/dns.exp b/test/environment/dns.exp index 20542d235..1aebb31dc 100755 --- a/test/environment/dns.exp +++ b/test/environment/dns.exp 
@@ -82,7 +82,7 @@ send -- "exit\r" sleep 1 -send -- "firejail --profile=dns.profile\r" +send -- "firejail --profile=./dns.profile\r" expect { timeout {puts "TESTING ERROR 5.1\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" diff --git a/test/environment/env.exp b/test/environment/env.exp index d7d8ca238..afe3cd750 100755 --- a/test/environment/env.exp +++ b/test/environment/env.exp @@ -34,7 +34,7 @@ send -- "exit\r" after 100 #*********************************************** -send -- "firejail --profile=env.profile\r" +send -- "firejail --profile=./env.profile\r" expect { timeout {puts "TESTING ERROR 4\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" diff --git a/test/environment/nice.exp b/test/environment/nice.exp index edd9918a8..12566f6fb 100755 --- a/test/environment/nice.exp +++ b/test/environment/nice.exp @@ -36,7 +36,7 @@ sleep 1 send -- "exit\r" after 100 -send -- "firejail --profile=nice.profile\r" +send -- "firejail --profile=./nice.profile\r" expect { timeout {puts "TESTING ERROR 10\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" diff --git a/test/environment/rlimit-bad-profile.exp b/test/environment/rlimit-bad-profile.exp index ade1fed26..e37ad20c5 100755 --- a/test/environment/rlimit-bad-profile.exp +++ b/test/environment/rlimit-bad-profile.exp 
@@ -7,41 +7,41 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail --profile=rlimit-bad-as.profile\r" +send -- "firejail --profile=./rlimit-bad-as.profile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "invalid rlimit-as:" } after 100 -send -- "firejail --profile=rlimit-bad-cpu.profile\r" +send -- "firejail --profile=./rlimit-bad-cpu.profile\r" expect { timeout {puts "TESTING ERROR 1\n";exit} "invalid rlimit-cpu:" } after 100 -send -- "firejail --profile=rlimit-bad-fsize.profile\r" +send -- "firejail --profile=./rlimit-bad-fsize.profile\r" expect { timeout {puts "TESTING ERROR 2\n";exit} "invalid rlimit-fsize:" } after 100 -send -- "firejail --profile=rlimit-bad-nofile.profile\r" +send -- "firejail --profile=./rlimit-bad-nofile.profile\r" expect { timeout {puts "TESTING ERROR 3\n";exit} "invalid rlimit-nofile:" } after 100 -send -- "firejail --profile=rlimit-bad-nproc.profile\r" +send -- "firejail --profile=./rlimit-bad-nproc.profile\r" expect { timeout {puts "TESTING ERROR 4\n";exit} "invalid rlimit-nproc:" } after 100 -send -- "firejail --profile=rlimit-bad-sigpending.profile\r" +send -- "firejail --profile=./rlimit-bad-sigpending.profile\r" expect { timeout {puts "TESTING ERROR 5\n";exit} "invalid rlimit-sigpending:" diff --git a/test/environment/rlimit-profile.exp b/test/environment/rlimit-profile.exp index 5f174eea6..69b08747b 100755 --- a/test/environment/rlimit-profile.exp +++ b/test/environment/rlimit-profile.exp @@ -8,7 +8,7 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail --profile=rlimit.profile\r" +send -- "firejail --profile=./rlimit.profile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" diff --git a/test/environment/sound.exp b/test/environment/sound.exp index 7f0bf0133..10ee05e9b 100755 --- a/test/environment/sound.exp +++ b/test/environment/sound.exp 
@@ -36,7 +36,7 @@ expect { sleep 2 -send -- "firejail --profile=sound.profile speaker-test\r" +send -- "firejail --profile=./sound.profile speaker-test\r" expect { timeout {puts "TESTING ERROR 11\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" @@ -47,7 +47,7 @@ expect { } sleep 2 -send -- "firejail --profile=sound.profile aplay -l\r" +send -- "firejail --profile=./sound.profile aplay -l\r" expect { timeout {puts "TESTING ERROR 13\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" diff --git a/test/fs/macro.exp b/test/fs/macro.exp index 6b7b83395..a69e8d46f 100755 --- a/test/fs/macro.exp +++ b/test/fs/macro.exp @@ -8,7 +8,7 @@ spawn $env(SHELL) match_max 100000 -send -- "firejail --profile=macro-whitelist.profile ls ~\r" +send -- "firejail --profile=./macro-whitelist.profile ls ~\r" expect { timeout {puts "TESTING ERROR 0\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" @@ -39,7 +39,7 @@ expect { } sleep 1 -send -- "firejail --profile=macro-blacklist.profile ls ~/Desktop\r" +send -- "firejail --profile=./macro-blacklist.profile ls ~/Desktop\r" expect { timeout {puts "TESTING ERROR 7\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" @@ -50,7 +50,7 @@ expect { } sleep 1 -send -- "firejail --profile=macro-blacklist.profile ls ~/Documents\r" +send -- "firejail --profile=./macro-blacklist.profile ls ~/Documents\r" expect { timeout {puts "TESTING ERROR 9n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" @@ -61,7 +61,7 @@ expect { } sleep 1 -send -- "firejail --profile=macro-blacklist.profile ls ~/Downloads\r" +send -- "firejail --profile=./macro-blacklist.profile ls ~/Downloads\r" expect { timeout {puts "TESTING ERROR 11n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" 
@@ -72,7 +72,7 @@ expect { } sleep 1 -send -- "firejail --profile=macro-blacklist.profile ls ~/Music\r" +send -- "firejail --profile=./macro-blacklist.profile ls ~/Music\r" expect { timeout {puts "TESTING ERROR 13\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" @@ -83,7 +83,7 @@ expect { } sleep 1 -send -- "firejail --profile=macro-blacklist.profile ls ~/Pictures\r" +send -- "firejail --profile=./macro-blacklist.profile ls ~/Pictures\r" expect { timeout {puts "TESTING ERROR 15\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" @@ -94,7 +94,7 @@ expect { } sleep 1 -send -- "firejail --profile=macro-blacklist.profile ls ~/Videos\r" +send -- "firejail --profile=./macro-blacklist.profile ls ~/Videos\r" expect { timeout {puts "TESTING ERROR 17\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" @@ -105,7 +105,7 @@ expect { } sleep 1 -send -- "firejail --profile=macro-readonly.profile touch ~/Desktop/blablabla\r" +send -- "firejail --profile=./macro-readonly.profile touch ~/Desktop/blablabla\r" expect { timeout {puts "TESTING ERROR 19\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" @@ -116,7 +116,7 @@ expect { } sleep 1 -send -- "firejail --profile=macro-readonly.profile touch ~/Documents/blablabla\r" +send -- "firejail --profile=./macro-readonly.profile touch ~/Documents/blablabla\r" expect { timeout {puts "TESTING ERROR 21\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" @@ -127,7 +127,7 @@ expect { } sleep 1 -send -- "firejail --profile=macro-readonly.profile touch ~/Downloads/blablabla\r" +send -- "firejail --profile=./macro-readonly.profile touch ~/Downloads/blablabla\r" expect { timeout {puts "TESTING ERROR 23\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" 
@@ -138,7 +138,7 @@ expect { } sleep 1 -send -- "firejail --profile=macro-readonly.profile touch ~/Music/blablabla\r" +send -- "firejail --profile=./macro-readonly.profile touch ~/Music/blablabla\r" expect { timeout {puts "TESTING ERROR 25\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" @@ -149,7 +149,7 @@ expect { } sleep 1 -send -- "firejail --profile=macro-readonly.profile touch ~/Pictures/blablabla\r" +send -- "firejail --profile=./macro-readonly.profile touch ~/Pictures/blablabla\r" expect { timeout {puts "TESTING ERROR 27\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" @@ -160,7 +160,7 @@ expect { } sleep 1 -send -- "firejail --profile=macro-readonly.profile touch ~/Videos/blablabla\r" +send -- "firejail --profile=./macro-readonly.profile touch ~/Videos/blablabla\r" expect { timeout {puts "TESTING ERROR 29\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" diff --git a/test/fs/mkdir.exp b/test/fs/mkdir.exp index 9095abb1f..0f67d6043 100755 --- a/test/fs/mkdir.exp +++ b/test/fs/mkdir.exp @@ -10,7 +10,7 @@ match_max 100000 send -- "rm -fr ~/_firejail_test_dir\r" after 100 -send -- "firejail --profile=mkdir.profile find ~/_firejail_test_dir\r" +send -- "firejail --profile=./mkdir.profile find ~/_firejail_test_dir\r" expect { timeout {puts "TESTING ERROR 1.1\n";exit} "_firejail_test_dir/_firejail_test_file" @@ -18,7 +18,7 @@ expect { send -- "rm -rf ~/_firejail_test_dir\r" after 100 -send -- "firejail --profile=mkdir.profile find /tmp/_firejail_test_dir\r" +send -- "firejail --profile=./mkdir.profile find /tmp/_firejail_test_dir\r" expect { timeout {puts "TESTING ERROR 2.1\n";exit} "_firejail_test_dir/_firejail_test_file" 
@@ -29,7 +29,7 @@ after 100 set UID [exec id -u] set fexist [file exist /run/user/$UID] if { $fexist } { - send -- "firejail --profile=mkdir.profile find /run/user/$UID/_firejail_test_dir\r" + send -- "firejail --profile=./mkdir.profile find /run/user/$UID/_firejail_test_dir\r" expect { timeout {puts "TESTING ERROR 3.1\n";exit} "_firejail_test_dir/_firejail_test_file" @@ -38,7 +38,7 @@ if { $fexist } { after 100 - send -- "firejail --profile=mkdir2.profile\r" + send -- "firejail --profile=./mkdir2.profile\r" expect { timeout {puts "TESTING ERROR 4\n";exit} "only files or directories in user home, /tmp, or /run/user/" diff --git a/test/fs/mkdir_mkfile.exp b/test/fs/mkdir_mkfile.exp index f0dbb9cac..9d1978acd 100755 --- a/test/fs/mkdir_mkfile.exp +++ b/test/fs/mkdir_mkfile.exp @@ -9,7 +9,7 @@ match_max 100000 # testing profile and private -send -- "firejail --private --profile=mkdir_mkfile.profile\r" +send -- "firejail --private --profile=./mkdir_mkfile.profile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" @@ -45,7 +45,7 @@ after 100 send -- "exit\r" after 100 -send -- "firejail --profile=mkfile.profile\r" +send -- "firejail --profile=./mkfile.profile\r" expect { timeout {puts "TESTING ERROR 7\n";exit} "only files or directories in user home, /tmp" diff --git a/test/fs/private-bin.exp b/test/fs/private-bin.exp index 3dbef7914..c3823121b 100755 --- a/test/fs/private-bin.exp +++ b/test/fs/private-bin.exp @@ -37,7 +37,7 @@ expect { send -- "exit\r" sleep 1 -send -- "firejail --profile=private-bin.profile\r" +send -- "firejail --profile=./private-bin.profile\r" expect { timeout {puts "TESTING ERROR 7\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" diff --git a/test/fs/private-cwd.exp b/test/fs/private-cwd.exp index bdb79613b..1c2adfe4f 100755 --- a/test/fs/private-cwd.exp +++ b/test/fs/private-cwd.exp 
@@ -44,7 +44,7 @@ expect { } sleep 1 -send -- "firejail --profile=private-cwd.profile pwd\r" +send -- "firejail --profile=./private-cwd.profile pwd\r" expect { timeout {puts "TESTING ERROR 6\n";exit} "$env(HOME)" diff --git a/test/fs/tab.exp b/test/fs/tab.exp index 6a3a21031..06d7116f9 100755 --- a/test/fs/tab.exp +++ b/test/fs/tab.exp @@ -31,7 +31,7 @@ expect { } sleep 1 -send -- "firejail --private --profile=tab.profile ls -al\r" +send -- "firejail --private --profile=./tab.profile ls -al\r" expect { timeout {puts "TESTING ERROR 5\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" diff --git a/test/network/ip6.exp b/test/network/ip6.exp index 51e5b7091..a4426ffe9 100755 --- a/test/network/ip6.exp +++ b/test/network/ip6.exp @@ -26,7 +26,7 @@ expect { } sleep 1 -send -- "firejail --profile=ip6.profile ip addr show\r" +send -- "firejail --profile=./ip6.profile ip addr show\r" expect { timeout {puts "TESTING ERROR 4\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" diff --git a/test/network/net_ip.exp b/test/network/net_ip.exp index bc36fbab8..2ba4520ab 100755 --- a/test/network/net_ip.exp +++ b/test/network/net_ip.exp @@ -131,7 +131,7 @@ expect { after 500 -send -- "firejail --profile=net_ip.profile ip addr show\r" +send -- "firejail --profile=./net_ip.profile ip addr show\r" expect { timeout {puts "TESTING ERROR 26\n";exit} "eth0" @@ -158,7 +158,7 @@ expect { } after 500 -send -- "firejail --profile=net_ip.profile ip route show\r" +send -- "firejail --profile=./net_ip.profile ip route show\r" expect { timeout {puts "TESTING ERROR 32\n";exit} "default via 10.10.20.9" diff --git a/test/network/net_none.exp b/test/network/net_none.exp index 40731a8a8..2234c1073 100755 --- a/test/network/net_none.exp +++ b/test/network/net_none.exp 
@@ -25,7 +25,7 @@ after 500 # profile -send -- "firejail --profile=net_none.profile\r" +send -- "firejail --profile=./net_none.profile\r" expect { timeout {puts "TESTING ERROR 2\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" diff --git a/test/profiles/profile_bad_appname.exp b/test/profiles/profile_bad_appname.exp new file mode 100755 index 000000000..bd2551f0f --- /dev/null +++ b/test/profiles/profile_bad_appname.exp @@ -0,0 +1,16 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2026 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --profile=org.gnome.blablabla bwrap\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "is not an application name" +} +after 100 +puts "all done\n" diff --git a/test/profiles/profile_build.exp b/test/profiles/profile_build.exp new file mode 100755 index 000000000..38728a2e1 --- /dev/null +++ b/test/profiles/profile_build.exp @@ -0,0 +1,37 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2026 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "rm -fr /tmp/firejailtest*\r" +sleep 1 + +send -- "firejail --build=/tmp/firejailtest.profile /usr/bin/true\r" +sleep 1 + +send -- "cat /tmp/firejailtest.profile\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "seccomp" +} +after 100 + +send -- "firejail --profile=/tmp/firejailtest.profile /usr/bin/true\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Parent is shutting down" +} +after 100 + +send -- "rm -fr /tmp/firejailtest*\r" +after 100 + +puts "\nall done\n" diff --git a/test/profiles/profile_comment.exp b/test/profiles/profile_comment.exp index f2206a044..917bffeab 100755 --- a/test/profiles/profile_comment.exp +++ b/test/profiles/profile_comment.exp 
@@ -7,12 +7,7 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "rm -fr /tmp/firejailtest*\r" -send -- "rm -fr /tmp/firejail-strace*\r" -send -- "rm -fr /tmp/firejail-trace*\r" -sleep 1 - -send -- "firejail --profile=comment.profile /usr/bin/true\r" +send -- "firejail --profile=./comment.profile /usr/bin/true\r" expect { timeout {puts "TESTING ERROR 0\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" @@ -21,32 +16,6 @@ expect { timeout {puts "TESTING ERROR 1\n";exit} "Parent is shutting down" } -sleep 2 - -send -- "firejail --build=/tmp/firejailtest.profile /usr/bin/true\r" -sleep 1 - -send -- "cat /tmp/firejailtest.profile\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "seccomp" -} -after 100 - -send -- "firejail --profile=/tmp/firejailtest.profile /usr/bin/true\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" -} -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Parent is shutting down" -} -after 100 - -send -- "rm -fr /tmp/firejailtest*\r" -send -- "rm -fr /tmp/firejail-strace*\r" -send -- "rm -fr /tmp/firejail-trace*\r" after 100 puts "\nall done\n" diff --git a/test/profiles/conditional.exp b/test/profiles/profile_conditional.exp similarity index 79% rename from test/profiles/conditional.exp rename to test/profiles/profile_conditional.exp index a0b9d6eb8..57c8e3f1c 100755 --- a/test/profiles/conditional.exp +++ b/test/profiles/profile_conditional.exp @@ -7,7 +7,7 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail --debug --nodbus --profile=cond1.profile\r" +send -- "firejail --debug --nodbus --profile=./cond1.profile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "conditional HAS_NODBUS, private" 
@@ -20,7 +20,7 @@ after 100 send -- "exit\r" sleep 1 -send -- "firejail --debug --profile=cond1.profile\r" +send -- "firejail --debug --profile=./cond1.profile\r" expect { timeout {puts "TESTING ERROR 2\n";exit} "conditional HAS_NODBUS, private" {puts "TESTING ERROR 3\n";exit} @@ -30,14 +30,14 @@ after 100 send -- "exit\r" sleep 1 -send -- "firejail --profile=cond2.profile\r" +send -- "firejail --profile=./cond2.profile\r" expect { timeout {puts "TESTING ERROR 4\n";exit} "invalid conditional syntax" } after 100 -send -- "firejail --profile=cond3.profile\r" +send -- "firejail --profile=./cond3.profile\r" expect { timeout {puts "TESTING ERROR 5\n";exit} "invalid conditional syntax" diff --git a/test/profiles/profile_followlnk.exp b/test/profiles/profile_followlnk.exp index 9bd66ba38..82c26daeb 100755 --- a/test/profiles/profile_followlnk.exp +++ b/test/profiles/profile_followlnk.exp @@ -13,7 +13,7 @@ send -- "touch /tmp/firejailtestfile\r" send -- "ln -s /tmp/firejailtestfile /tmp/firejailtestfilelnk\r" sleep 1 -send -- "firejail --profile=readonly-lnk.profile\r" +send -- "firejail --profile=./readonly-lnk.profile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" diff --git a/test/profiles/ignore.exp b/test/profiles/profile_ignore.exp similarity index 80% rename from test/profiles/ignore.exp rename to test/profiles/profile_ignore.exp index a5c88f8ae..4d087493d 100755 --- a/test/profiles/ignore.exp +++ b/test/profiles/profile_ignore.exp @@ -7,7 +7,7 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail --profile=ignore.profile --ignore=seccomp \r" +send -- "firejail --profile=./ignore.profile --ignore=seccomp \r" expect { timeout {puts "TESTING ERROR 0\n";exit} "Error: please use --profile after --ignore" 
@@ -23,7 +23,7 @@ after 100 send -- "exit\r" sleep 1 -send -- "firejail --ignore=seccomp --ignore=name --profile=ignore.profile \r" +send -- "firejail --ignore=seccomp --ignore=name --profile=./ignore.profile \r" expect { timeout {puts "TESTING ERROR 3\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" @@ -39,7 +39,7 @@ after 100 send -- "exit\r" sleep 1 -send -- "firejail --ignore=private --ignore=name --profile=ignore.profile \r" +send -- "firejail --ignore=private --ignore=name --profile=./ignore.profile \r" expect { timeout {puts "TESTING ERROR 5\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" @@ -55,7 +55,7 @@ after 100 send -- "exit\r" sleep 1 -send -- "firejail --debug --profile=ignore2.profile\r" +send -- "firejail --debug --profile=./ignore2.profile\r" expect { timeout {puts "TESTING ERROR 7\n";exit} BLACKLIST {puts "TESTING ERROR 8\n";exit} @@ -66,7 +66,7 @@ after 100 send -- "exit\r" sleep 1 -send -- "firejail --ignore=quiet --ignore=name --profile=ignore.profile \r" +send -- "firejail --ignore=quiet --ignore=name --profile=./ignore.profile \r" expect { timeout {puts "TESTING ERROR 9\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" diff --git a/test/profiles/profile_multiple.exp b/test/profiles/profile_multiple.exp new file mode 100755 index 000000000..176cb0a4c --- /dev/null +++ b/test/profiles/profile_multiple.exp @@ -0,0 +1,24 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2026 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --ignore=quiet --profile=wget --profile=curl bwrap\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "disable-programs" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "disable-programs" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "fbwrap - bwrap replacement for Firejail sandbox" +} +after 100 +puts "all done\n" 
diff --git a/test/profiles/profile_noprofile.exp b/test/profiles/profile_noprofile.exp new file mode 100755 index 000000000..44e2a6b6b --- /dev/null +++ b/test/profiles/profile_noprofile.exp @@ -0,0 +1,16 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2026 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --noprofile --profile=wget bwrap\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "options are mutually exclusive" +} +after 100 +puts "all done\n" diff --git a/test/profiles/profile_readonly.exp b/test/profiles/profile_readonly.exp index 8e34e5846..8e0afa5f2 100755 --- a/test/profiles/profile_readonly.exp +++ b/test/profiles/profile_readonly.exp @@ -11,7 +11,7 @@ send -- "mkdir /tmp/firejailtestdir\r" send -- "touch /tmp/firejailtestfile\r" sleep 1 -send -- "firejail --profile=readonly.profile\r" +send -- "firejail --profile=./readonly.profile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" diff --git a/test/profiles/profile_recursivity.exp b/test/profiles/profile_recursivity.exp index 99a00c48e..b434e2d1c 100755 --- a/test/profiles/profile_recursivity.exp +++ b/test/profiles/profile_recursivity.exp @@ -7,7 +7,7 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail --profile=test3.profile\r" +send -- "firejail --profile=./test3.profile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "Reading profile test3.profile" diff --git a/test/profiles/profile_syntax.exp b/test/profiles/profile_syntax.exp index cfd1265b0..80143e9c1 100755 --- a/test/profiles/profile_syntax.exp +++ b/test/profiles/profile_syntax.exp @@ -7,7 +7,7 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail --profile=test.profile\r" +send -- "firejail --profile=./test.profile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" 
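Review bot: In the `profile_recursivity.exp` hunk the command now passes `--profile=./test3.profile`, but the expected string is still `"Reading profile test3.profile"`, whereas the same change in `profile_syntax2.exp` updates its expectation to `"Reading profile ./test2.profile"`. If the match is meant to hit the top-level read, it should become `"Reading profile ./test3.profile"`. If it deliberately matches a nested include inside the profile, which is not visible here, a short comment saying so would prevent a later "fix". The expect block continues past the end of the hunk.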
diff --git a/test/profiles/profile_syntax2.exp b/test/profiles/profile_syntax2.exp index 76edf251c..1e8d4f2d0 100755 --- a/test/profiles/profile_syntax2.exp +++ b/test/profiles/profile_syntax2.exp @@ -7,10 +7,10 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail --profile=test2.profile\r" +send -- "firejail --profile=./test2.profile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "Reading profile test2.profile" + "Reading profile ./test2.profile" } expect { timeout {puts "TESTING ERROR 1\n";exit} diff --git a/test/profiles/profiles.sh b/test/profiles/profiles.sh index 5e1e4e850..acb9d874d 100755 --- a/test/profiles/profiles.sh +++ b/test/profiles/profiles.sh @@ -7,11 +7,14 @@ export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) export LC_ALL=C -echo "TESTING: profile comments (test/profiles/profilecomment.exp)" +echo "TESTING: profile comments (test/profiles/profile_comment.exp)" ./profile_comment.exp -echo "TESTING: profile conditional (test/profiles/conditional.exp)" -./conditional.exp +echo "TESTING: profile build (test/profiles/profile_build.exp)" +./profile_build.exp + +echo "TESTING: profile conditional (test/profiles/profile_conditional.exp)" +./profile_conditional.exp echo "TESTING: profile recursivity (test/profiles/profile_recursivity.exp)" ./profile_recursivity.exp 
@@ -25,23 +28,32 @@ echo "TESTING: profile syntax (test/profiles/profile_syntax.exp)" echo "TESTING: profile syntax 2 (test/profiles/profile_syntax2.exp)" ./profile_syntax2.exp -echo "TESTING: ignore command (test/profiles/ignore.exp)" -./ignore.exp +echo "TESTING: profile ignore command (test/profiles/profile_ignore.exp)" +./profile_ignore.exp echo "TESTING: profile read-only (test/profiles/profile_readonly.exp)" ./profile_readonly.exp -echo "TESTING: profile read-only links (test/profiles/profile_readonly.exp)" +echo "TESTING: profile read-only links (test/profiles/profile_followlnk.exp)" ./profile_followlnk.exp echo "TESTING: profile no permissions (test/profiles/profile_noperm.exp)" ./profile_noperm.exp -profiles=( /etc/firejail/transmission*.profile /etc/firejail/fi*.profile /etc/firejail/fl*.profile /etc/firejail/free*.profile ) -echo "TESTING: small number of default profiles installed in /etc" +echo "TESTING: multiple profiles (test/profiles/profile_multiple.exp)" +./profile_multiple.exp + +echo "TESTING: profiles bad appname (test/profiles/profile_app_name.exp)" +./profile_bad_appname.exp + +echo "TESTING: profiles nopprofilee (test/profiles/profile_noprofile.exp)" +./profile_noprofile.exp + +profiles=( transmission-gtk transmission-qt firefox mpv vlc ping warzone2100 galculator ) +profiles+=( gimp inkscape qbittorrent chromium-browser ssh evince pdftotext audacity okular) for profile in "${profiles[@]}" do - echo "TESTING: $profile" + echo "TESTING: profile $profile" ./test-profile.exp "$profile" done diff --git a/test/profiles/test-profile.exp b/test/profiles/test-profile.exp index d346e037e..909bd6923 100755 --- a/test/profiles/test-profile.exp +++ b/test/profiles/test-profile.exp 
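Review bot: Two of the added banner lines in `profiles.sh` do not match the script they announce. The "bad appname" banner names `test/profiles/profile_app_name.exp` but the next line runs `./profile_bad_appname.exp`, and the banner for `profile_noprofile.exp` reads "nopprofilee". Someone grepping a failing log would be sent to a file name that does not appear in this diff. Suggested lines are `echo "TESTING: profile bad appname (test/profiles/profile_bad_appname.exp)"` and `echo "TESTING: profile noprofile (test/profiles/profile_noprofile.exp)"`. The profile list also moves from globbing installed files to fixed application names, so the loop presumably reports errors on hosts where one of those profiles is not installed; a comment stating that prerequisite would help.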
@@ -8,18 +8,15 @@ spawn $env(SHELL) match_max 100000 if { $argc != 1 } { - puts "TESTING ERROR: argument missing" - puts "Usage: test-profile.exp profile_name" - exit + puts "TESTING ERROR: argument missing" + puts "Usage: test-profile.exp profile_name" + exit } -send -- "stty -echo\r" -after 100 -send -- "firejail --profile=$argv echo done\r" +send -- "firejail --profile=$argv bwrap\r" expect { - timeout {puts "TESTING ERROR 0\n";exit} - "done" {puts "all fine"} - "no suitable echo executable found" {puts "echo not found"} + timeout {puts "TESTING ERROR 1\n";exit} + "fbwrap - bwrap replacement for Firejail sandbox" } -#after 100 +after 100 puts "\n" diff --git a/test/seccomp-extra/block-secondary.exp b/test/seccomp-extra/block-secondary.exp index cb141b6c6..8434e65bb 100755 --- a/test/seccomp-extra/block-secondary.exp +++ b/test/seccomp-extra/block-secondary.exp @@ -28,7 +28,7 @@ expect { after 500 # 64 bit architecture - seccomp.block-secondary, profile -send -- "firejail --debug --profile=block-secondary.profile pwd\r" +send -- "firejail --debug --profile=./block-secondary.profile pwd\r" expect { timeout {puts "TESTING ERROR 7\n";exit} "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 8\n";exit} diff --git a/test/seccomp-extra/mrwx.exp b/test/seccomp-extra/mrwx.exp index 8fc1b0bce..6676e75c7 100755 --- a/test/seccomp-extra/mrwx.exp +++ b/test/seccomp-extra/mrwx.exp @@ -21,7 +21,7 @@ expect { } after 500 -send -- "firejail --debug --profile=mrwx.profile pwd\r" +send -- "firejail --debug --profile=./mrwx.profile pwd\r" expect { timeout {puts "TESTING ERROR 3\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" diff --git a/test/seccomp-extra/protocol-print.exp b/test/seccomp-extra/protocol-print.exp index 1c5191da8..52da49646 100755 --- a/test/seccomp-extra/protocol-print.exp +++ b/test/seccomp-extra/protocol-print.exp 
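Review bot: The rewritten `expect` block in test-profile.exp has one success pattern and no branch for a profile under which `bwrap` cannot be started, so that case now surfaces only as `TESTING ERROR 1` after the timeout; the removed code had an explicit `"no suitable echo executable found"` branch for it. If the new command can produce the analogous message (inferred from the old pattern, not verified), a branch such as `"no suitable bwrap executable found" {puts "TESTING ERROR 2\n";exit}` keeps a blocked executable distinguishable from a hang. A one-line comment above the `send` should say why `bwrap` is the probe command, since the expected banner suggests it resolves to Firejail's own replacement rather than the real bubblewrap, and the test means nothing if it does not. `$argv` is interpolated into the shell line as a Tcl list; `[lindex $argv 0]` passes exactly the single argument that the `$argc != 1` guard checked.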
@@ -16,7 +16,7 @@ sleep 2 spawn $env(SHELL) -send -- "firejail --name=test1 --profile=protocol1.profile\r" +send -- "firejail --name=test1 --profile=./protocol1.profile\r" expect { timeout {puts "TESTING ERROR 1\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" @@ -24,7 +24,7 @@ expect { sleep 2 spawn $env(SHELL) -send -- "firejail --name=test2 --profile=protocol2.profile\r" +send -- "firejail --name=test2 --profile=./protocol2.profile\r" expect { timeout {puts "TESTING ERROR 2\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" diff --git a/test/utils/join-profile.exp b/test/utils/join-profile.exp index 45b1217ef..ca799537c 100755 --- a/test/utils/join-profile.exp +++ b/test/utils/join-profile.exp @@ -8,7 +8,7 @@ spawn $env(SHELL) match_max 100000 -send -- "firejail --profile=name.profile\r" +send -- "firejail --profile=./name.profile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" diff --git a/test/utils/join5.exp b/test/utils/join5.exp index 6fed89924..013010175 100755 --- a/test/utils/join5.exp +++ b/test/utils/join5.exp @@ -7,7 +7,7 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail --name=test123 --profile=join5.profile\r" +send -- "firejail --name=test123 --profile=./join5.profile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"