Merge remote-tracking branch 'upstream/master'

This commit is contained in:
vis 2016-11-03 15:06:57 +01:00
commit 2aafd9bd3a
No known key found for this signature in database
GPG key ID: 4B8D8DAEEFB06815
153 changed files with 5085 additions and 2542 deletions

.gitignore vendored

@ -18,4 +18,6 @@ src/firecfg/firecfg
src/ftee/ftee
src/tags
src/faudit/faudit
src/fnet/fnet
src/fseccomp/fseccomp
uids.h


@ -1,6 +1,6 @@
all: apps man
MYLIBS = src/lib
APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/libconnect
APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/libconnect src/fnet src/fseccomp
MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
prefix=@prefix@
@ -76,6 +76,8 @@ realinstall:
install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/faudit/faudit $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/.
# documents
install -m 0755 -d $(DESTDIR)/$(DOCDIR)
install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/.
@ -124,6 +126,8 @@ install-strip: all
strip src/libconnect/libconnect.so
strip src/ftee/ftee
strip src/faudit/faudit
strip src/fnet/fnet
strip src/fseccomp/fseccomp
$(MAKE) realinstall
uninstall:
@ -141,7 +145,7 @@ uninstall:
rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg
DISTFILES = "src etc platform configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES"
DISTFILES_TEST = "test/apps test/apps-x11 test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils"
DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils"
dist:
mv config.status config.status.old
@ -195,6 +199,9 @@ test-apps:
test-apps-x11:
cd test/apps-x11; ./apps-x11.sh | grep TESTING
test-apps-x11-xorg:
cd test/apps-x11-xorg; ./apps-x11-xorg.sh | grep TESTING
test-sysutils:
cd test/sysutils; ./sysutils.sh | grep TESTING
@ -213,5 +220,5 @@ test-network:
test-fs:
cd test/fs; ./fs.sh | grep TESTING
test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-filters
test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters
echo "TEST COMPLETE"

README

@ -47,6 +47,7 @@ Aleksey Manevich (https://github.com/manevich)
- added --join-or-start command
- CVE-2016-7545
Fred-Barclay (https://github.com/Fred-Barclay)
- lots of profile fixes
- added Vivaldi, Atril profiles
- added PaleMoon profile
- split Icedove and Thunderbird profiles
@ -69,7 +70,7 @@ Fred-Barclay (https://github.com/Fred-Barclay)
- added audacity profile
- fixed Telegram and qtox profiles
- added Atom Beta and Atom profiles
- tightened 0ad, atril, evince, gthumb, pix, qtox, and xreader profiles.
- tightened 0ad, atril, evince, gthumb, pix, qtox, and xreader profiles
- several private-bin conversions
- added jitsi profile
- pidgin private-bin conversion
@ -77,13 +78,32 @@ Fred-Barclay (https://github.com/Fred-Barclay)
- added gnome-chess profile
- added DOSBox profile
- evince profile enhancement
- tightened Spotify profile
- added xiphos and Tor Browser Bundle profiles
Impyy (https://github.com/Impyy)
- added mumble profile
valoq (https://github.com/valoq)
- LibreOffice profile fixes
- cherrytree profile fixes
- added support for /srv in --whitelist feature
- Eye of GNOME, Evolution, display (imagemagik) and Wire profiles
- blacklist suid binaries in disable-common.inc
Vadim A. Misbakh-Soloviov (https://github.com/msva)
- profile fixes
Rafael Cavalcanti (https://github.com/rccavalcanti)
- chromium profile fixes for Arch Linux
Deelvesh Bunjun (https://github.com/DeelveshBunjun)
- added xpdf profile
vismir2 (https://github.com/vismir2)
- claws-mail, mutt, git, emacs, vim profiles
Dara Adib (https://github.com/daradib)
- ssh profile fix
- evince profile fix
vismir2 (https://github.com/vismir2)
- feh, ranger, 7z, keepass, keepassx and zathura profiles
- lots of profile fixes
graywolf (https://github.com/graywolf)
- spelling fix
Dara Adib (https://github.com/daradib)
- ssh profile fix
Tomasz Jan Góralczyk (https://github.com/tjg)
- fixed Steam profile
pwnage-pineapple (https://github.com/pwnage-pineapple)


@ -40,75 +40,17 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/
If you keep your Firejail profiles in a public repository, please give us a link:
* https://github.com/chiraag-nataraj/firejail-profiles
* https://github.com/triceratops1/fe
Use this issue to request new profiles: https://github.com/netblue30/firejail/issues/825
`````
`````
# Current development version: 0.9.43
## X11 development
`````
--x11=none
Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and the
file specified in ${XAUTHORITY} environment variable. Remove
DISPLAY and XAUTHORITY environment variables. Stop with error
message if X11 abstract socket will be accessible in jail.
--x11=xorg
Sandbox the application using the untrusted mode implemented by
X11 security extension. The extension is available in Xorg
package and it is installed by default on most Linux distribu
tions. It provides support for a simple trusted/untrusted con
nection model. Untrusted clients are restricted in certain ways
to prevent them from reading window contents of other clients,
stealing input events, etc.
The untrusted mode has several limitations. A lot of regular
programs assume they are a trusted X11 clients and will crash
or lock up when run in untrusted mode. Chromium browser and
xterm are two examples. Firefox and transmission-gtk seem to be
working fine. A network namespace is not required for this
option.
Example:
$ firejail --x11=xorg firefox
# Current development version: 0.9.45
`````
## Other command line options
`````
--put=name|pid src-filename dest-filename
Put src-filename in sandbox container. The container is specified by name or PID.
--allusers
All user home directories are visible inside the sandbox. By default, only current user home
directory is visible.
Example:
$ firejail --allusers
--join-or-start=name
Join the sandbox identified by name or start a new one. Same as "firejail --join=name" if
sandbox with specified name exists, otherwise same as "firejail --name=name ..."
Note that in contrary to other join options there is respective profile option.
--no3d Disable 3D hardware acceleration.
Example:
$ firejail --no3d firefox
--veth-name=name
Use this name for the interface connected to the bridge for
--net=bridge_interface commands, instead of the default one.
Example:
$ firejail --net=br0 --veth-name=if0
`````
## New profile commands
x11 xpra, x11 xephyr, x11 none, x11 xorg, allusers, join-or-start
## New profiles
qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape, feh, ranger, zathura, 7z, keepass, keepassx
## New Profiles
xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble


@ -1,9 +1,19 @@
firejail (0.9.43) baseline; urgency=low
firejail (0.9.45) baseline; urgency=low
* development version, work in progress
* security: overwrite /etc/resolv.conf found by Martin Carpenter
* feature: allow root user access to /dev/shm (--noblacklist=/dev/shm)
* feature: split most of networking code in a separate executable
* new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire
* bugfixes
-- netblue30 <netblue30@yahoo.com> Sun, 23 Oct 2016 08:00:00 -0500
firejail (0.9.44) baseline; urgency=low
* CVE-2016-7545 submitted by Aleksey Manevich
* development version
* modifs: removed man firejail-config
* modifs: --private-tmp whitelists /tmp/.X11-unix directory
* modifs: Nvidia drivers added to --private-dev
* modifs: /srv supported by --whitelist
* feature: allow user access to /sys/fs (--noblacklist=/sys/fs)
* feature: support starting/joining sandbox is a single command
(--join-or-start)
* feature: X11 detection support for --audit
@ -15,10 +25,15 @@ firejail (0.9.43) baseline; urgency=low
* feature: X11 security extension (--x11=xorg)
* feature: disable 3D hardware acceleration (--no3d)
* feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
* feature: move files in sandbox (--put)
* feature: accept wildcard patterns in user name field of restricted
shell login feature
* new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape
* new profiles: feh, ranger, zathura, 7z, keepass, keepassx
* new profiles: feh, ranger, zathura, 7z, keepass, keepassx,
* new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot
* new profiles: Flowblade, Eye of GNOME (eog), Evolution
* bugfixes
-- netblue30 <netblue30@yahoo.com> Fri, 9 Sept 2016 08:00:00 -0500
-- netblue30 <netblue30@yahoo.com> Fri, 21 Oct 2016 08:00:00 -0500
firejail (0.9.42) baseline; urgency=low
* security: --whitelist deleted files, submitted by Vasya Novikov

configure vendored

@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for firejail 0.9.43.
# Generated by GNU Autoconf 2.69 for firejail 0.9.45.
#
# Report bugs to <netblue30@yahoo.com>.
#
@ -580,8 +580,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='firejail'
PACKAGE_TARNAME='firejail'
PACKAGE_VERSION='0.9.43'
PACKAGE_STRING='firejail 0.9.43'
PACKAGE_VERSION='0.9.45'
PACKAGE_STRING='firejail 0.9.45'
PACKAGE_BUGREPORT='netblue30@yahoo.com'
PACKAGE_URL='http://firejail.wordpress.com'
@ -1259,7 +1259,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures firejail 0.9.43 to adapt to many kinds of systems.
\`configure' configures firejail 0.9.45 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@ -1320,7 +1320,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of firejail 0.9.43:";;
short | recursive ) echo "Configuration of firejail 0.9.45:";;
esac
cat <<\_ACEOF
@ -1424,7 +1424,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
firejail configure 0.9.43
firejail configure 0.9.45
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@ -1726,7 +1726,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by firejail $as_me 0.9.43, which was
It was created by firejail $as_me 0.9.45, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@ -3759,7 +3759,7 @@ if test "$prefix" = /usr; then
sysconfdir="/etc"
fi
ac_config_files="$ac_config_files Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile"
ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile src/fseccomp/Makefile"
cat >confcache <<\_ACEOF
# This file is a shell script that caches the results of configure
@ -4303,7 +4303,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by firejail $as_me 0.9.43, which was
This file was extended by firejail $as_me 0.9.45, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@ -4357,7 +4357,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
firejail config.status 0.9.43
firejail config.status 0.9.45
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
@ -4470,6 +4470,7 @@ do
case $ac_config_target in
"Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
"src/lib/Makefile") CONFIG_FILES="$CONFIG_FILES src/lib/Makefile" ;;
"src/fnet/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnet/Makefile" ;;
"src/firejail/Makefile") CONFIG_FILES="$CONFIG_FILES src/firejail/Makefile" ;;
"src/firemon/Makefile") CONFIG_FILES="$CONFIG_FILES src/firemon/Makefile" ;;
"src/libtrace/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtrace/Makefile" ;;
@ -4478,6 +4479,7 @@ do
"src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;;
"src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;;
"src/libconnect/Makefile") CONFIG_FILES="$CONFIG_FILES src/libconnect/Makefile" ;;
"src/fseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/fseccomp/Makefile" ;;
*) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
esac


@ -1,5 +1,5 @@
AC_PREREQ([2.68])
AC_INIT(firejail, 0.9.43, netblue30@yahoo.com, , http://firejail.wordpress.com)
AC_INIT(firejail, 0.9.45, netblue30@yahoo.com, , http://firejail.wordpress.com)
AC_CONFIG_SRCDIR([src/firejail/main.c])
#AC_CONFIG_HEADERS([config.h])
@ -148,7 +148,8 @@ if test "$prefix" = /usr; then
sysconfdir="/etc"
fi
AC_OUTPUT(Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile)
AC_OUTPUT(Makefile src/lib/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile \
src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile src/fseccomp/Makefile)
echo
echo "Configuration options:"

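--- a/etc/Wire.profile
+++ b/etc/Wire.profile
@@ -0,0 +1,22 @@
+# wire messenger profile
+noblacklist ~/.config/Wire
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+private-tmp
+private-dev
+# please note: the wire binary is currently identified with a capital W. This might change in future versions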


@ -8,8 +8,8 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
nogroups
nonewprivs
noroot
nosound
protocol unix,inet,inet6,netlink


@ -8,8 +8,8 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
nogroups
nonewprivs
noroot
nosound
protocol unix,inet,inet6,netlink


@ -7,8 +7,8 @@ include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
nonewprivs
nogroups
nonewprivs
noroot
nosound
protocol unix


@ -8,8 +8,8 @@ include /etc/firejail/disable-programs.inc
caps.drop all
netfilter
nonewprivs
nogroups
nonewprivs
noroot
protocol unix
seccomp


@ -11,8 +11,8 @@ whitelist ~/.config/aweather
caps.drop all
netfilter
nonewprivs
nogroups
nonewprivs
noroot
nosound
protocol unix,inet,inet6


@ -1,6 +1,7 @@
# cherrytree note taking application
noblacklist /usr/bin/python2*
noblacklist /usr/lib/python3*
noblacklist ${HOME}/.config/cherrytree
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
@ -8,20 +9,10 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nogroups
nonewprivs
noroot
nosound
seccomp
protocol unix,inet,inet6,netlink
tracelog
include /etc/firejail/whitelist-common.inc
# no private-bin support for various reasons:
#10:25:34 exec 11249 (root) NEW SANDBOX: /usr/bin/firejail /usr/bin/cherrytree
#10:25:34 exec 11252 (netblue) /bin/bash -c "/usr/bin/cherrytree"
#10:25:34 exec 11252 (netblue) /usr/bin/python /usr/bin/cherrytree
#10:25:34 exec 11253 (netblue) sh -c /sbin/ldconfig -p 2>/dev/null
#10:25:34 exec 11255 (netblue) sh -c if type gcc >/dev/null 2>&1; then CC=gcc; elif type cc >/dev/null 2>&1; then CC=cc;else exit 10; fi;LANG=C LC_ALL=C $CC -Wl,-t -o /tmp/tmpiYr44S 2>&1 -llibc
# it requires acces to browser to show the online help
# it doesn't play nicely with expect
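Review bot: `noblacklist /usr/lib/python3*` (L426) un-hides the python3 library tree while the line above it only un-hides the python2 interpreter binary, so the profile now names two different Python generations without saying which one cherrytree actually runs under. If the included `disable-devel.inc` (not visible here) also hides `/usr/bin/python3*`, the new line alone will not let a python3 cherrytree start; if it does not, the line may be unnecessary. A one-line comment above the pair, e.g. `# python2 binary plus python3 libs: confirm which interpreter cherrytree uses on this distro`, would record the intent for the next person who tightens this profile.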


@ -25,4 +25,7 @@ whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass
# specific to Arch
whitelist ~/.config/chromium-flags.conf
include /etc/firejail/whitelist-common.inc


@ -1,6 +1,7 @@
# History files in $HOME
blacklist-nolog ${HOME}/.history
blacklist-nolog ${HOME}/.*_history
blacklist-nolog ${HOME}/.bash_history
blacklist ${HOME}/.local/share/systemd
blacklist-nolog ${HOME}/.adobe
blacklist-nolog ${HOME}/.macromedia
@ -23,6 +24,7 @@ blacklist ${HOME}/.config/openbox/autostart
blacklist ${HOME}/.config/openbox/environment
blacklist ${HOME}/.gnomerc
blacklist /etc/X11/Xsession.d/
blacklist ${HOME}/.xpra
# VirtualBox
blacklist ${HOME}/.VirtualBox
@ -96,9 +98,6 @@ read-only ${HOME}/.emacs.d
read-only ${HOME}/.nano
read-only ${HOME}/.tmux.conf
read-only ${HOME}/.iscreenrc
read-only ${HOME}/.muttrc
read-only ${HOME}/.mutt/muttrc
read-only ${HOME}/.msmtprc
read-only ${HOME}/.reportbugrc
read-only ${HOME}/.xmonad
read-only ${HOME}/.xscreensaver
@ -137,6 +136,11 @@ blacklist /etc/gshadow+
blacklist /etc/ssh
blacklist /var/backup
# system directories
blacklist /sbin
blacklist /usr/sbin
blacklist /usr/local/sbin
# system management
blacklist ${PATH}/umount
blacklist ${PATH}/mount
@ -149,11 +153,22 @@ blacklist ${PATH}/xev
blacklist ${PATH}/strace
blacklist ${PATH}/nc
blacklist ${PATH}/ncat
# system directories
blacklist /sbin
blacklist /usr/sbin
blacklist /usr/local/sbin
blacklist ${PATH}/gpasswd
blacklist ${PATH}/newgidmap
blacklist ${PATH}/newgrp
blacklist ${PATH}/newuidmap
blacklist ${PATH}/pkexec
blacklist ${PATH}/sg
blacklist ${PATH}/rsh
blacklist ${PATH}/rlogin
blacklist ${PATH}/rcp
blacklist ${PATH}/crontab
blacklist ${PATH}/ksu
blacklist ${PATH}/chsh
blacklist ${PATH}/chfn
blacklist ${PATH}/chage
blacklist ${PATH}/expiry
blacklist ${PATH}/unix_chkpwd
# prevent lxterminal connecting to an existing lxterminal session
blacklist /tmp/.lxterminal-socket*
@ -172,3 +187,7 @@ blacklist ${PATH}/roxterm-config
blacklist ${PATH}/terminix
blacklist ${PATH}/urxvtc
blacklist ${PATH}/urxvtcd
# kernel files
blacklist /vmlinuz*
blacklist /initrd*
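Review bot: `blacklist-nolog ${HOME}/.bash_history` (L466) is already matched by the `${HOME}/.*_history` glob on the line above it, assuming `blacklist-nolog` expands globs the way the existing entries rely on, so the new line adds a second rule to maintain without hiding anything new. The run of `${PATH}/gpasswd` … `${PATH}/unix_chkpwd` entries (L505-L520) sits under the `# system management` heading and has no comment of its own, although the README credits in this same commit describe the addition as blacklisting suid binaries; a heading such as `# suid / setgid helpers` above `blacklist ${PATH}/gpasswd` would tell the next editor what belongs in that group and what does not. The moved `# system directories` block (L491-L493, formerly L501-L504) is a pure relocation and needs nothing further.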


@ -20,7 +20,7 @@ blacklist /usr/bin/x86_64-unknown-linux-gnu-gcc*
# clang/llvm
blacklist /usr/bin/clang*
blacklist /usr/bin/llvm*
blacklist /usb/bin/lldb*
blacklist /usr/bin/lldb*
blacklist /usr/lib/llvm*
# tcc - Tiny C Compiler


@ -7,6 +7,8 @@ blacklist ${HOME}/.wine
blacklist ${HOME}/.Mathematica
blacklist ${HOME}/.Wolfram Research
blacklist ${HOME}/.stellarium
blacklist ${HOME}/.sword
blacklist ${HOME}/.xiphos
blacklist ${HOME}/.config/Atom
blacklist ${HOME}/.config/gthumb
blacklist ${HOME}/.config/mupen64plus
@ -33,6 +35,13 @@ blacklist ${HOME}/.synfig
blacklist ${HOME}/.inkscape
blacklist ${HOME}/.gimp*
blacklist ${HOME}/.config/zathura
blacklist ${HOME}/.config/cherrytree
blacklist ${HOME}/.xpdfrc
blacklist ${HOME}/.openshot
blacklist ${HOME}/.openshot_qt
blacklist ${HOME}/.flowblade
blacklist ${HOME}/.config/flowblade
blacklist ${HOME}/.config/eog
# Media players
@ -70,8 +79,12 @@ blacklist ${HOME}/.8pecxstudios
blacklist ${HOME}/.config/brave
blacklist ${HOME}/.config/inox
blacklist ${HOME}/.muttrc
blacklist ${HOME}/.mutt
blacklist ${HOME}/.mutt/muttrc
blacklist ${HOME}/.msmtprc
blacklist ${HOME}/.config/evolution
blacklist ${HOME}/.local/share/evolution
blacklist ${HOME}/.cache/evolution
# Instant Messaging
blacklist ${HOME}/.config/hexchat
@ -93,6 +106,7 @@ blacklist ${HOME}/.config/Slack
blacklist ${HOME}/.cache/gajim
blacklist ${HOME}/.local/share/gajim
blacklist ${HOME}/.config/gajim
blacklist ${HOME}/.config/Wire
# Games
blacklist ${HOME}/.hedgewars

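--- a/etc/display.profile
+++ b/etc/display.profile
@@ -0,0 +1,23 @@
+# display (ImageMagick tool) image viewer profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+seccomp
+protocol unix
+netfilter
+net none
+nonewprivs
+noroot
+nogroups
+nosound
+shell none
+x11 xorg
+private-bin display
+private-tmp
+private-dev
+private-etc none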
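Review bot: `netfilter` (L598) sits directly above `net none` (L599), and as far as I recall the default filter only applies to a network namespace created for the sandbox, so with `net none` there is nothing for it to filter; keeping both reads as if the profile expects traffic. Either drop `netfilter`, or if it is meant as a safety net for users who override `net none` on the command line, say so: `# net none is the default; netfilter only matters if networking is re-enabled`. The same pair appears in feh.profile (L677-L678, context lines there), so whichever way this is resolved should be applied consistently.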

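--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -0,0 +1,22 @@
+# eog (gnome image viewer) profile
+noblacklist ~/.config/eog
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix
+seccomp
+shell none
+private-bin eog
+private-dev
+private-etc fonts
+private-tmp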


@ -15,5 +15,4 @@ shell none
tracelog
private-bin evince,evince-previewer,evince-thumbnailer
whitelist /tmp/.X11-unix
private-dev

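--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@@ -0,0 +1,25 @@
+# evolution profile
+noblacklist ~/.config/evolution
+noblacklist ~/.local/share/evolution
+noblacklist ~/.cache/evolution
+noblacklist ~/.pki
+noblacklist ~/.pki/nssdb
+noblacklist ~/.gnupg
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+private-dev
+private-tmp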
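Review bot: `noblacklist ~/.gnupg` and `noblacklist ~/.pki/nssdb` (L652-L654) make the user's private key material visible inside the sandbox, which is the most consequential line in this profile and carries no explanation. Presumably this is for PGP/S-MIME signing and the NSS certificate database that a mail client needs; a comment such as `# keyrings exposed for mail signing/encryption; remove if unused` would make the trade-off visible to anyone hardening the profile later. `noblacklist ~/.pki` on L652 already covers the `~/.pki/nssdb` entry below it, so the second line can go unless a later blacklist re-hides the subdirectory.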


@ -5,14 +5,14 @@ include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
seccomp
protocol unix
netfilter
net none
nogroups
nonewprivs
noroot
nogroups
nosound
protocol unix
seccomp
shell none
private-bin feh


@ -1,16 +1,17 @@
# file profile
quiet
ignore noroot
include /etc/firejail/default.profile
tracelog
net none
shell none
private-bin file
private-etc magic.mgc,magic,localtime
hostname file
private-dev
nosound
no3d
blacklist /tmp/.X11-unix
hostname file
net none
no3d
nosound
quiet
shell none
tracelog
private-dev
private-bin file
private-etc magic.mgc,magic,localtime


@ -13,10 +13,9 @@ noroot
nosound
protocol unix,inet,inet6
seccomp
shell none
private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp
whitelist /tmp/.X11-unix
private-dev
nosound
private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp
private-dev
whitelist /tmp/.X11-unix


@ -31,6 +31,9 @@ profile firejail-default {
/{,var/}run/user/**/pulse/ rw,
/{,var/}run/user/**/pulse/** rw,
/{,var/}run/firejail/mnt/fslogger r,
/{,var/}run/firejail/appimage r,
/{,var/}run/firejail/appimage/** r,
/{,var/}run/firejail/appimage/** ix,
/{run,dev}/shm/ r,
/{run,dev}/shm/** rmwk,
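Review bot: The two new rules on the same glob, `/{,var/}run/firejail/appimage/** r,` and `/{,var/}run/firejail/appimage/** ix,` (L739-L740), can be one line, `/{,var/}run/firejail/appimage/** rix,`, which is how the `/{run,dev}/shm/** rmwk,` rule just below already combines modes. `ix` on the whole mount means any file inside a mounted AppImage may be executed and stays under this same confinement; that is the only execute permission granted under /run/firejail in this hunk, so it deserves a comment above the rule, e.g. `# AppImage payload executes confined by this profile (inherit)`, since it is the intended model rather than an oversight. The `profile firejail-default {` block starts and ends outside the hunk.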

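--- a/etc/flowblade.profile
+++ b/etc/flowblade.profile
@@ -0,0 +1,13 @@
+# FlowBlade profile
+noblacklist ${HOME}/.flowblade
+noblacklist ${HOME}/.config/flowblade
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp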
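Review bot: flowblade.profile and openshot.profile (L1072-L1083) are the same twelve lines apart from the `noblacklist` paths, and both omit `nogroups` and `shell none`, which every other profile added in this commit (display, eog, evolution, mumble, Wire) carries. If a video editor genuinely needs supplementary groups, for instance for device access, that is worth a comment such as `# nogroups omitted: needs group-based device access` in both files; otherwise add `nogroups` after `netfilter` in both. Both also skip `disable-devel.inc`, which is presumably deliberate if the editors shell out to scripting tools, and a one-line comment would make that explicit too.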


@ -6,12 +6,12 @@ include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
caps.drop all
seccomp
protocol unix,inet,inet6,netlink
netfilter
#tracelog
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp
#tracelog
whitelist ${DOWNLOADS}
mkdir ~/.config/Franz


@ -22,8 +22,8 @@ include /etc/firejail/disable-devel.inc
caps.drop all
netfilter
nonewprivs
nogroups
nonewprivs
noroot
protocol unix,inet,inet6
seccomp


@ -6,13 +6,15 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nogroups
nonewprivs
noroot
nosound
protocol unix
seccomp
private-dev
private-tmp
noexec ${HOME}
noexec /tmp
nogroups
nosound
private-dev
private-tmp


@ -12,15 +12,15 @@ include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
quiet
caps.drop all
netfilter
nogroups
nonewprivs
noroot
nogroups
nosound
protocol unix,inet,inet6
quiet
seccomp
shell none


@ -6,13 +6,12 @@ include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
# Whitelist
mkdir ~/.config/Gpredict
whitelist ~/.config/Gpredict
caps.drop all
netfilter
nonewprivs
nogroups
nonewprivs
noroot
nosound
protocol unix,inet,inet6
@ -21,5 +20,6 @@ shell none
tracelog
private-bin gpredict
private-etc fonts,resolv.conf
private-dev
private-tmp


@ -7,14 +7,15 @@ include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
nogroups
nonewprivs
noroot
nogroups
private-dev
protocol unix
seccomp
nosound
private-dev
#Experimental:
#shell none
#private-bin gwenview


@ -1,12 +1,14 @@
# gzip profile
quiet
ignore noroot
include /etc/firejail/default.profile
tracelog
net none
shell none
blacklist /tmp/.X11-unix
private-dev
nosound
no3d
blacklist /tmp/.X11-unix
net none
no3d
nosound
quiet
shell none
tracelog
private-dev


@ -6,13 +6,15 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nogroups
nonewprivs
noroot
nosound
protocol unix
seccomp
private-dev
private-tmp
noexec ${HOME}
noexec /tmp
nogroups
nosound
private-dev
private-tmp


@ -6,8 +6,8 @@ include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
caps.drop all
nonewprivs
nogroups
nonewprivs
noroot
protocol unix,inet,inet6
seccomp


@ -13,7 +13,7 @@ nogroups
nonewprivs
noroot
nosound
protocol unix
protocol unix,inet,inet6
seccomp
netfilter
shell none
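Review bot: `protocol unix,inet,inet6` (L931) replaces `protocol unix` without any hint of why the application now needs IP sockets; the file path is not shown on this page and neither the changelog nor the README hunks in this commit mention it. A short comment above the line, e.g. `# inet/inet6 needed for <feature, e.g. online help or update check>`, would stop a later tightening pass from reverting it. The profile's `netfilter` line (L933) is context, so whether the widened protocol set actually passes through a filter depends on a `net` option outside the hunk.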


@ -8,8 +8,8 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
nogroups
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp


@ -2,8 +2,10 @@
quiet
ignore noroot
include /etc/firejail/default.profile
tracelog
net none
shell none
private-dev
nosound
shell none
tracelog
private-dev


@ -1,5 +1,6 @@
# Firejail profile for LibreOffice
noblacklist ~/.config/libreoffice
noblacklist /usr/local/sbin
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
@ -10,9 +11,9 @@ netfilter
nogroups
nonewprivs
noroot
protocol unix,inet,inet6,netlink
protocol unix,inet,inet6
seccomp
tracelog
private-dev
whitelist /tmp/.X11-unix/
# whitelist /tmp/.X11-unix/
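Review bot: `noblacklist /usr/local/sbin` (L968) re-exposes an entire directory that this same commit hides for every profile through disable-common.inc (`blacklist /usr/local/sbin`, L493), and the reason is not recorded anywhere in the hunk. If LibreOffice only needs one helper from there, `noblacklist /usr/local/sbin/<binary>` keeps the rest hidden; at minimum add `# needed for <reason>` above the line so the exception is not silently widened later. Dropping `netlink` from `protocol` (L977) is a clean tightening. Commenting out `whitelist /tmp/.X11-unix/` (L982) is harmless only if the profile has no `private-tmp`; the lines above this hunk are not visible here, so confirm that before merging.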


@ -5,17 +5,19 @@ include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
ipc-namespace
netfilter
protocol unix
nogroups
nonewprivs
noroot
nosound
protocol unix
seccomp
shell none
tracelog
private-tmp
private-dev
noexec ${HOME}
noexec /tmp
nogroups
nosound
ipc-namespace
private-tmp
private-dev

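--- a/etc/mumble.profile
+++ b/etc/mumble.profile
@@ -0,0 +1,26 @@
+# mumble profile
+noblacklist ${HOME}/.config/Mumble
+noblacklist ${HOME}/.local/share/data/Mumble
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+mkdir ${HOME}/.config/Mumble
+mkdir ${HOME}/.local/share/data/Mumble
+whitelist ${HOME}/.config/Mumble
+whitelist ${HOME}/.local/share/data/Mumble
+include /etc/firejail/whitelist-common.inc
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin mumble
+private-tmp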
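Review bot: `nonewprivs` precedes `nogroups` (L1029-L1030), which is the opposite of the alphabetical ordering this same commit applies across dozens of existing profiles (for example L366-L369 and L1090-L1093); swap the two lines so a later sort pass does not have to touch this new file again. The rest of the profile follows the pattern of the other additions in this commit (whitelisted config directories, `private-bin mumble`, `private-tmp`) and raises nothing further.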


@ -2,6 +2,7 @@
noblacklist ~/.muttrc
noblacklist ~/.mutt
noblacklist ~/.mutt/muttrc
noblacklist ~/.mailcap
noblacklist ~/.gnupg
noblacklist ~/.mail


@ -9,14 +9,15 @@ include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
nonewprivs
nogroups
nonewprivs
noroot
private-dev
protocol unix
seccomp
nosound
private-dev
#Experimental:
#net none
#shell none

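--- a/etc/openshot.profile
+++ b/etc/openshot.profile
@@ -0,0 +1,13 @@
+# OpenShot profile
+noblacklist ${HOME}/.openshot
+noblacklist ${HOME}/.openshot_qt
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp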


@ -8,8 +8,8 @@ include /etc/firejail/disable-programs.inc
caps.drop all
netfilter
nonewprivs
nogroups
nonewprivs
noroot
protocol unix,inet,inet6
seccomp


@ -8,8 +8,8 @@ include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
nonewprivs
nogroups
nonewprivs
noroot
nosound
protocol unix
@ -20,4 +20,3 @@ tracelog
private-bin pix
whitelist /tmp/.X11-unix
private-dev


@ -14,10 +14,10 @@ whitelist ~/.local/share/psi+
mkdir ~/.cache/psi+
whitelist ~/.cache/psi+
include /etc/firejail/whitelist-common.inc
caps.drop all
netfilter
noroot
protocol unix,inet,inet6
seccomp
include /etc/firejail/whitelist-common.inc


@ -15,6 +15,6 @@ seccomp
# there are some problems with "Open destination folder", see bug #536
#shell none
#private-bin qbittorrent
whitelist /tmp/.X11-unix
private-dev
nosound
whitelist /tmp/.X11-unix


@ -18,5 +18,5 @@ shell none
tracelog
private-bin qpdfview
private-tmp
private-dev
private-tmp


@ -11,8 +11,8 @@ whitelist ${DOWNLOADS}
caps.drop all
netfilter
nonewprivs
nogroups
nonewprivs
noroot
protocol unix,inet,inet6
seccomp


@ -14,16 +14,17 @@ whitelist ${HOME}/.cache/QuiteRss
caps.drop all
netfilter
nonewprivs
nogroups
nonewprivs
noroot
private-bin quiterss
private-dev
nosound
#private-etc X11,ssl
protocol unix,inet,inet6
seccomp
shell none
tracelog
private-bin quiterss
private-dev
#private-etc X11,ssl
include /etc/firejail/whitelist-common.inc


@ -12,13 +12,12 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
net none
nogroups
nonewprivs
noroot
nogroups
protocol unix
seccomp
nosound
private-tmp
private-dev


@ -5,8 +5,8 @@ include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
nogroups
netfilter
nogroups
nonewprivs
noroot
protocol unix,inet,inet6


@ -16,4 +16,3 @@ shell none
private-bin rtorrent
whitelist /tmp/.X11-unix
private-dev
nosound


@ -6,11 +6,12 @@ include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
private
private-dev
nosound
no3d
private-tmp
blacklist /tmp/.X11-unix
no3d
nosound
seccomp
private
private-dev
private-tmp


@ -1,3 +1,4 @@
# Firejail profile for Slack
noblacklist ${HOME}/.config/Slack
noblacklist ${HOME}/Downloads
@ -6,25 +7,25 @@ include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
blacklist /var
caps.drop all
name slack
netfilter
nogroups
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp
shell none
private-bin slack
private-dev
private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime
private-tmp
mkdir ${HOME}/.config
mkdir ${HOME}/.config/Slack
whitelist ${HOME}/.config/Slack
whitelist ${HOME}/Downloads
protocol unix,inet,inet6,netlink
private-dev
private-tmp
private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime
name slack
blacklist /var
include /etc/firejail/whitelist-common.inc
caps.drop all
seccomp
netfilter
nonewprivs
nogroups
noroot
shell none
private-bin slack


@ -7,16 +7,13 @@ include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
# Whitelist the folders needed by Spotify - This is more restrictive
# than a blacklist though, but this is all spotify requires for
# streaming audio
# Whitelist the folders needed by Spotify
mkdir ${HOME}/.config/spotify
whitelist ${HOME}/.config/spotify
mkdir ${HOME}/.local/share/spotify
whitelist ${HOME}/.local/share/spotify
mkdir ${HOME}/.cache/spotify
whitelist ${HOME}/.cache/spotify
include /etc/firejail/whitelist-common.inc
caps.drop all
netfilter
@ -27,5 +24,20 @@ protocol unix,inet,inet6,netlink
seccomp
shell none
#private-bin spotify
private-bin spotify
private-etc fonts,machine-id,pulse,resolv.conf
private-dev
private-tmp
blacklist ${HOME}/.Xauthority
blacklist ${HOME}/.bashrc
blacklist /boot
blacklist /lost+found
blacklist /media
blacklist /mnt
blacklist /opt
blacklist /root
blacklist /sbin
blacklist /srv
blacklist /sys
blacklist /var
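Review bot: `blacklist /opt` on the new side will hide Spotify itself on systems where the package is installed under /opt/spotify (the layout some third-party packagings use, if I recall correctly), and since `private-bin spotify` is now enabled rather than commented out, a failed launch would be the first symptom; either drop that line or state the assumed install path in a comment. `blacklist ${HOME}/.Xauthority` sits next to `include /etc/firejail/whitelist-common.inc`, which presumably whitelists the same file for X11 authentication, so whichever rule wins the pair expresses opposite intents and deserves a one-line comment. The explicit blacklists for /boot, /media, /mnt, /root, /sbin, /srv, /sys and /var likely duplicate disable-common.inc if it is included above this hunk, and `private-etc fonts,machine-id,pulse,resolv.conf` omits ld.so.cache and ld.so.conf, which the slack profile in this same commit keeps — worth confirming Spotify starts without them.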


@ -0,0 +1,20 @@
# Firejail profile for the Tor Brower Bundle
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
caps.drop all
netfilter
nogroups
nonewprivs
noroot
protocol unix,inet,inet6
seccomp
shell none
tracelog
private-bin bash,grep,sed,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf
private-etc fonts
private-dev
private-tmp
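Review bot: `sed` is listed twice in the `private-bin` line; harmless at runtime, but this is the most security-relevant line of the profile and should be exact: `private-bin bash,grep,sed,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,cp,rm,getconf`. The header comment also misspells the application name and should read `# Firejail profile for the Tor Browser Bundle`. Because the bundle ships its own browser binaries inside the user's home and this profile does not put $HOME into whitelist mode, `private-bin` only governs the launcher script's helpers, not the browser itself; a comment making that scope explicit would help the next reader. Two of the hunk's twenty lines are not shown in this view.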


@ -1,10 +1,11 @@
# strings profile
quiet
ignore noroot
include /etc/firejail/default.profile
tracelog
net none
shell none
private-dev
nosound
net none
nosound
quiet
shell none
tracelog
private-dev


@ -11,7 +11,9 @@ nonewprivs
noroot
protocol unix
seccomp
private-dev
private-tmp
noexec ${HOME}
noexec /tmp
private-dev
private-tmp


@ -1,18 +1,18 @@
# tar profile
quiet
ignore noroot
include /etc/firejail/default.profile
tracelog
blacklist /tmp/.X11-unix
hostname tar
net none
no3d
nosound
quiet
shell none
tracelog
# support compressed archives
private-bin sh,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop
private-dev
nosound
no3d
private-etc passwd,group,localtime
hostname tar
blacklist /tmp/.X11-unix


@ -10,4 +10,3 @@ nonewprivs
noroot
protocol unix,inet,inet6
seccomp


@ -18,6 +18,6 @@ shell none
tracelog
private-bin transmission-gtk
whitelist /tmp/.X11-unix
private-dev
whitelist /tmp/.X11-unix


@ -14,9 +14,10 @@ noroot
nosound
protocol unix,inet,inet6
seccomp
shell none
tracelog
shell none
private-bin transmission-qt
whitelist /tmp/.X11-unix
private-dev
whitelist /tmp/.X11-unix


@ -9,17 +9,16 @@ caps.drop all
netfilter
nonewprivs
noroot
nosound
protocol unix,inet,inet6
seccomp
shell none
private-bin uget-gtk
private-dev
whitelist /tmp/.X11-unix
whitelist ${DOWNLOADS}
mkdir ~/.config/uGet
whitelist ~/.config/uGet
include /etc/firejail/whitelist-common.inc
shell none
private-bin uget-gtk
whitelist /tmp/.X11-unix
private-dev
nosound


@ -1,17 +1,18 @@
# unrar profile
quiet
ignore noroot
include /etc/firejail/default.profile
tracelog
net none
shell none
private-bin unrar
private-dev
nosound
no3d
private-etc passwd,group,localtime
hostname unrar
private-tmp
blacklist /tmp/.X11-unix
hostname unrar
net none
no3d
nosound
quiet
shell none
tracelog
private-bin unrar
private-dev
private-etc passwd,group,localtime
private-tmp


@ -1,16 +1,16 @@
# unzip profile
quiet
ignore noroot
include /etc/firejail/default.profile
tracelog
net none
shell none
private-bin unzip
private-etc passwd,group,localtime
hostname unzip
private-dev
nosound
no3d
blacklist /tmp/.X11-unix
hostname unzip
net none
no3d
nosound
quiet
shell none
tracelog
private-bin unzip
private-dev
private-etc passwd,group,localtime


@ -1,15 +1,15 @@
# uudeview profile
quiet
ignore noroot
include /etc/firejail/default.profile
tracelog
blacklist /etc
hostname uudeview
net none
nosound
quiet
shell none
tracelog
private-bin uudeview
private-dev
private-etc nonexisting_fakefile_for_empty_etc
hostname uudeview
nosound
uudeview


@ -1,5 +1,4 @@
# vim profile
noblacklist ~/.vim
noblacklist ~/.vimrc
noblacklist ~/.viminfo
@ -10,8 +9,8 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nogroups
nonewprivs
noroot
nogroups
protocol unix,inet,inet6
seccomp

12
etc/virtualbox.profile Normal file

@ -0,0 +1,12 @@
# VirtualBox profile
noblacklist ${HOME}/.VirtualBox
noblacklist ${HOME}/VirtualBox VMs
noblacklist ${HOME}/.config/VirtualBox
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
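Review bot: Only `caps.drop all` of the hardening options is visible (this view shows 8 of the hunk's 12 lines), and VirtualBox's Linux frontends are, as far as I recall, setuid-root hardened binaries that open /dev/vboxdrv before dropping privileges — so `nonewprivs`, `noroot` or `private-dev`, if they are among the remaining lines, are likely to stop VMs from starting inside the jail. The profile header should record which of those options are deliberately left out and why, e.g. `# VirtualBox frontends are setuid and need /dev/vboxdrv: nonewprivs, noroot and private-dev are intentionally not set`. The `noblacklist ${HOME}/VirtualBox VMs` entry contains a space; worth confirming the profile parser takes the remainder of the line rather than splitting on whitespace, since a silent mis-parse would leave the VM directory blacklisted.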


@ -14,7 +14,6 @@ noroot
protocol unix,inet,inet6
seccomp
shell none
tracelog
private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
private-dev


@ -14,6 +14,7 @@ whitelist ~/.fonts.d
whitelist ~/.fontconfig
whitelist ~/.fonts.conf
whitelist ~/.fonts.conf.d
whitelist ~/.local/share/fonts
whitelist ~/.config/fontconfig
whitelist ~/.cache/fontconfig
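Review bot: `whitelist ~/.local/share/fonts` exposes a user-writable directory to every sandbox that includes this file, which makes it a shared channel: a compromised application can drop a crafted font there and have it parsed by the font stack of every other sandboxed program. The existing ~/.fonts and ~/.fonts.d entries carry the same exposure, so the addition is consistent, but if this tree's profile syntax supports it, pairing the font directories with `read-only ~/.local/share/fonts` (and likewise for ~/.fonts and ~/.fonts.d) would close the write side while keeping rendering working. A one-line comment stating that these directories are shared by every whitelisted profile would at least make the trade-off explicit.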

30
etc/xiphos.profile Normal file

@ -0,0 +1,30 @@
# Firejail profile for xiphos
noblacklist ~/.sword
noblacklist ~/.xiphos
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
blacklist ~/.bashrc
blacklist ~/.Xauthority
caps.drop all
netfilter
nogroups
nonewprivs
noroot
nosound
protocol unix,inet,inet6
seccomp
shell none
tracelog
private-bin xiphos
private-etc fonts,resolv.conf,sword
private-dev
private-tmp
whitelist ${HOME}/.sword
whitelist ${HOME}/.xiphos
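Review bot: The `whitelist ${HOME}/.sword` and `whitelist ${HOME}/.xiphos` lines put the home directory into whitelist mode, but the profile does not `include /etc/firejail/whitelist-common.inc`, so the X11/GTK/font items the other GUI profiles in this commit rely on (notably ~/.Xauthority, which is also explicitly blacklisted here) are absent — for an X application that is likely to break display authentication unless the server runs without xauth. Suggest replacing the two `blacklist` lines, which are redundant once $HOME is whitelisted, with `include /etc/firejail/whitelist-common.inc`, and adding `mkdir ${HOME}/.sword` and `mkdir ${HOME}/.xiphos` before the whitelist lines as the slack and spotify profiles do, so a first run without those directories does not fail. Five of the hunk's thirty lines are not shown in this view.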

18
etc/xpdf.profile Normal file

@ -0,0 +1,18 @@
################################
# xpdf application profile
################################
noblacklist ${HOME}/.xpdfrc
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
net none
nonewprivs
noroot
protocol unix
shell none
seccomp
private-dev
private-tmp
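Review bot: No `private-bin` is set, so every binary on the system stays reachable from the viewer, while `noblacklist ${HOME}/.xpdfrc` keeps a config file available that, if I remember xpdf's `urlCommand`/`launchCommand` settings correctly, can name an external program for xpdf to execute — a hostile PDF together with a tampered .xpdfrc would then run code inside the jail. `private-bin xpdf` would narrow that path, and `nogroups` is the one hardening option every other new profile in this commit sets that this one omits. Two of the hunk's eighteen lines are not shown in this view.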


@ -9,8 +9,8 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
nogroups
nonewprivs
noroot
protocol unix,inet,inet6
seccomp


@ -1,12 +1,14 @@
# xzdec profile
quiet
ignore noroot
include /etc/firejail/default.profile
tracelog
net none
shell none
blacklist /tmp/.X11-unix
private-dev
nosound
no3d
blacklist /tmp/.X11-unix
net none
no3d
nosound
quiet
shell none
tracelog
private-dev


@ -7,14 +7,14 @@ include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
seccomp
protocol unix
netfilter
nogroups
nonewprivs
noroot
nogroups
nosound
shell none
seccomp
protocol unix
private-bin zathura
private-dev


@ -1,4 +1,4 @@
#!/bin/bash
#!/bin/sh
echo "extracting UID_MIN and GID_MIN"
echo "#ifndef FIREJAIL_UIDS_H" > uids.h
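Review bot: Switching the shebang to `#!/bin/sh` requires the whole script to be POSIX-sh clean, and only the two `echo` lines are visible in this hunk — the remainder should be checked for bashisms (`[[ ]]`, arrays, `$'...'`, `echo -e`), since on Debian /bin/sh is dash and a silent parse failure would leave uids.h with empty UID_MIN/GID_MIN values. Adding `set -e` directly after the shebang would make a failed extraction stop the build instead of generating a header with missing values.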


@ -155,3 +155,19 @@
/etc/firejail/7z.profile
/etc/firejail/keepass.profile
/etc/firejail/keepassx.profile
/etc/firejail/claws-mail.profile
/etc/firejail/mutt.profile
/etc/firejail/git.profile
/etc/firejail/emacs.profile
/etc/firejail/vim.profile
/etc/firejail/xpdf.profile
/etc/firejail/virtualbox.profile
/etc/firejail/openshot.profile
/etc/firejail/flowblade.profile
/etc/firejail/eog.profile
/etc/firejail/evolution.profile
/etc/firejail/start-tor-browser.profile
/etc/firejail/xiphos.profile
/etc/firejail/display.profile
/etc/firejail/Wire.profile
/etc/firejail/mumble.profile
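Review bot: The sixteen profiles appended here do not match the set this same commit adds to platform/rpm/old-mkrpm.sh: that script installs feh, gimp, inkscape, luminance-hdr, mupdf, qpdfview, ranger and synfigstudio, which this list lacks, while this list adds display, Wire, mumble, start-tor-browser and xiphos, which old-mkrpm.sh does not install. A profile missing from a package is a silent downgrade — firejail would fall back to the generic default profile for that application — so the two lists should be generated from one source (the etc/ directory) or at least reconciled. `display.profile` and `Wire.profile` in particular should be checked against the files actually present in etc/, since neither appears anywhere else in this view.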

542
platform/rpm/old-mkrpm.sh Executable file

@ -0,0 +1,542 @@
#!/bin/bash
VERSION="0.9.44"
rm -fr ~/rpmbuild
rm -f firejail-$VERSION-1.x86_64.rpm
mkdir -p ~/rpmbuild/{RPMS,SRPMS,BUILD,SOURCES,SPECS,tmp}
cat <<EOF >~/.rpmmacros
%_topdir %(echo $HOME)/rpmbuild
%_tmppath %{_topdir}/tmp
EOF
cd ~/rpmbuild
echo "building directory tree"
mkdir -p firejail-$VERSION/usr/bin
install -m 755 /usr/bin/firejail firejail-$VERSION/usr/bin/.
install -m 755 /usr/bin/firemon firejail-$VERSION/usr/bin/.
install -m 755 /usr/bin/firecfg firejail-$VERSION/usr/bin/.
mkdir -p firejail-$VERSION/usr/lib/firejail
install -m 755 /usr/lib/firejail/faudit firejail-$VERSION/usr/lib/firejail/.
install -m 644 /usr/lib/firejail/firecfg.config firejail-$VERSION/usr/lib/firejail/.
install -m 755 /usr/lib/firejail/fshaper.sh firejail-$VERSION/usr/lib/firejail/.
install -m 755 /usr/lib/firejail/ftee firejail-$VERSION/usr/lib/firejail/.
install -m 644 /usr/lib/firejail/libtrace.so firejail-$VERSION/usr/lib/firejail/.
install -m 644 /usr/lib/firejail/libtracelog.so firejail-$VERSION/usr/lib/firejail/.
install -m 644 /usr/lib/firejail/libconnect.so firejail-$VERSION/usr/lib/firejail/.
mkdir -p firejail-$VERSION/usr/share/man/man1
install -m 644 /usr/share/man/man1/firejail.1.gz firejail-$VERSION/usr/share/man/man1/.
install -m 644 /usr/share/man/man1/firemon.1.gz firejail-$VERSION/usr/share/man/man1/.
install -m 644 /usr/share/man/man1/firecfg.1.gz firejail-$VERSION/usr/share/man/man1/.
mkdir -p firejail-$VERSION/usr/share/man/man5
install -m 644 /usr/share/man/man5/firejail-profile.5.gz firejail-$VERSION/usr/share/man/man5/.
install -m 644 /usr/share/man/man5/firejail-login.5.gz firejail-$VERSION/usr/share/man/man5/.
mkdir -p firejail-$VERSION/usr/share/doc/packages/firejail
install -m 644 /usr/share/doc/firejail/COPYING firejail-$VERSION/usr/share/doc/packages/firejail/.
install -m 644 /usr/share/doc/firejail/README firejail-$VERSION/usr/share/doc/packages/firejail/.
install -m 644 /usr/share/doc/firejail/RELNOTES firejail-$VERSION/usr/share/doc/packages/firejail/.
mkdir -p firejail-$VERSION/etc/firejail
install -m 644 /etc/firejail/0ad.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/abrowser.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/atom-beta.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/atom.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/atril.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/audacious.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/audacity.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/aweather.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/bitlbee.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/brave.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/cherrytree.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/chromium-browser.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/chromium.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/clementine.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/cmus.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/conkeror.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/corebird.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/cpio.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/cyberfox.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/Cyberfox.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/deadbeef.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/default.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/deluge.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/dillo.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/disable-common.inc firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/disable-devel.inc firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/disable-passwdmgr.inc firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/disable-programs.inc firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/dnscrypt-proxy.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/dnsmasq.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/dosbox.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/dropbox.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/empathy.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/eom.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/epiphany.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/evince.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/fbreader.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/file.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/filezilla.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/firefox-esr.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/firefox.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/firejail.config firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/flashpeak-slimjet.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/franz.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/gajim.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/gitter.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/gnome-chess.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/gnome-mplayer.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/google-chrome-beta.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/google-chrome.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/google-chrome-stable.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/google-chrome-unstable.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/google-play-music-desktop-player.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/gpredict.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/gtar.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/gthumb.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/gwenview.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/gzip.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/hedgewars.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/hexchat.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/icecat.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/icedove.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/iceweasel.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/inox.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/jitsi.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/kmail.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/konversation.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/less.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/libreoffice.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/localc.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/lodraw.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/loffice.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/lofromtemplate.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/login.users firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/loimpress.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/lomath.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/loweb.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/lowriter.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/lxterminal.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/mathematica.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/Mathematica.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/mcabber.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/midori.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/mpv.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/mupen64plus.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/netsurf.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/nolocal.net firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/okular.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/openbox.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/opera-beta.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/opera.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/palemoon.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/parole.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/pidgin.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/pix.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/polari.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/psi-plus.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/qbittorrent.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/qtox.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/quassel.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/quiterss.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/qutebrowser.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/rhythmbox.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/rtorrent.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/seamonkey-bin.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/seamonkey.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/server.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/skypeforlinux.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/skype.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/slack.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/snap.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/soffice.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/spotify.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/ssh.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/steam.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/stellarium.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/strings.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/tar.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/telegram.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/Telegram.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/thunderbird.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/totem.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/transmission-gtk.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/transmission-qt.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/uget-gtk.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/unbound.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/unrar.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/unzip.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/uudeview.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/vivaldi-beta.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/vivaldi.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/vlc.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/warzone2100.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/webserver.net firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/weechat-curses.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/weechat.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/wesnoth.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/whitelist-common.inc firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/wine.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/xchat.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/xplayer.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/xreader.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/xviewer.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/xzdec.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/xz.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/zathura.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/7z.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/keepass.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/keepassx.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/claws-mail.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/mutt.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/git.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/emacs.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/vim.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/xpdf.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/virtualbox.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/openshot.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/flowblade.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/eog.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/evolution.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/feh.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/gimp.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/inkscape.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/luminance-hdr.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/mupdf.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/qpdfview.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/ranger.profile firejail-$VERSION/etc/firejail/.
install -m 644 /etc/firejail/synfigstudio.profile firejail-$VERSION/etc/firejail/.
mkdir -p firejail-$VERSION/usr/share/bash-completion/completions
install -m 644 /usr/share/bash-completion/completions/firejail firejail-$VERSION/usr/share/bash-completion/completions/.
install -m 644 /usr/share/bash-completion/completions/firemon firejail-$VERSION/usr/share/bash-completion/completions/.
install -m 644 /usr/share/bash-completion/completions/firecfg firejail-$VERSION/usr/share/bash-completion/completions/.
echo "building tar.gz archive"
tar -czvf firejail-$VERSION.tar.gz firejail-$VERSION
cp firejail-$VERSION.tar.gz SOURCES/.
echo "building config spec"
cat <<EOF > SPECS/firejail.spec
%define __spec_install_post %{nil}
%define debug_package %{nil}
%define __os_install_post %{_dbpath}/brp-compress
Summary: Linux namepaces sandbox program
Name: firejail
Version: $VERSION
Release: 1
License: GPL+
Group: Development/Tools
SOURCE0 : %{name}-%{version}.tar.gz
URL: http://firejail.wordpress.com
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
%description
Firejail is a SUID sandbox program that reduces the risk of security
breaches by restricting the running environment of untrusted applications
using Linux namespaces. It includes a sandbox profile for Mozilla Firefox.
%prep
%setup -q
%build
%install
rm -rf %{buildroot}
mkdir -p %{buildroot}
cp -a * %{buildroot}
%clean
rm -rf %{buildroot}
%files
%defattr(-,root,root,-)
%config(noreplace) %{_sysconfdir}/%{name}/0ad.profile
%config(noreplace) %{_sysconfdir}/%{name}/abrowser.profile
%config(noreplace) %{_sysconfdir}/%{name}/atom-beta.profile
%config(noreplace) %{_sysconfdir}/%{name}/atom.profile
%config(noreplace) %{_sysconfdir}/%{name}/atril.profile
%config(noreplace) %{_sysconfdir}/%{name}/audacious.profile
%config(noreplace) %{_sysconfdir}/%{name}/audacity.profile
%config(noreplace) %{_sysconfdir}/%{name}/aweather.profile
%config(noreplace) %{_sysconfdir}/%{name}/bitlbee.profile
%config(noreplace) %{_sysconfdir}/%{name}/brave.profile
%config(noreplace) %{_sysconfdir}/%{name}/cherrytree.profile
%config(noreplace) %{_sysconfdir}/%{name}/chromium-browser.profile
%config(noreplace) %{_sysconfdir}/%{name}/chromium.profile
%config(noreplace) %{_sysconfdir}/%{name}/clementine.profile
%config(noreplace) %{_sysconfdir}/%{name}/cmus.profile
%config(noreplace) %{_sysconfdir}/%{name}/conkeror.profile
%config(noreplace) %{_sysconfdir}/%{name}/corebird.profile
%config(noreplace) %{_sysconfdir}/%{name}/cpio.profile
%config(noreplace) %{_sysconfdir}/%{name}/cyberfox.profile
%config(noreplace) %{_sysconfdir}/%{name}/Cyberfox.profile
%config(noreplace) %{_sysconfdir}/%{name}/deadbeef.profile
%config(noreplace) %{_sysconfdir}/%{name}/default.profile
%config(noreplace) %{_sysconfdir}/%{name}/deluge.profile
%config(noreplace) %{_sysconfdir}/%{name}/dillo.profile
%config(noreplace) %{_sysconfdir}/%{name}/disable-common.inc
%config(noreplace) %{_sysconfdir}/%{name}/disable-devel.inc
%config(noreplace) %{_sysconfdir}/%{name}/disable-passwdmgr.inc
%config(noreplace) %{_sysconfdir}/%{name}/disable-programs.inc
%config(noreplace) %{_sysconfdir}/%{name}/dnscrypt-proxy.profile
%config(noreplace) %{_sysconfdir}/%{name}/dnsmasq.profile
%config(noreplace) %{_sysconfdir}/%{name}/dosbox.profile
%config(noreplace) %{_sysconfdir}/%{name}/dropbox.profile
%config(noreplace) %{_sysconfdir}/%{name}/empathy.profile
%config(noreplace) %{_sysconfdir}/%{name}/eom.profile
%config(noreplace) %{_sysconfdir}/%{name}/epiphany.profile
%config(noreplace) %{_sysconfdir}/%{name}/evince.profile
%config(noreplace) %{_sysconfdir}/%{name}/fbreader.profile
%config(noreplace) %{_sysconfdir}/%{name}/file.profile
%config(noreplace) %{_sysconfdir}/%{name}/filezilla.profile
%config(noreplace) %{_sysconfdir}/%{name}/firefox-esr.profile
%config(noreplace) %{_sysconfdir}/%{name}/firefox.profile
%config(noreplace) %{_sysconfdir}/%{name}/firejail.config
%config(noreplace) %{_sysconfdir}/%{name}/flashpeak-slimjet.profile
%config(noreplace) %{_sysconfdir}/%{name}/franz.profile
%config(noreplace) %{_sysconfdir}/%{name}/gajim.profile
%config(noreplace) %{_sysconfdir}/%{name}/gitter.profile
%config(noreplace) %{_sysconfdir}/%{name}/gnome-chess.profile
%config(noreplace) %{_sysconfdir}/%{name}/gnome-mplayer.profile
%config(noreplace) %{_sysconfdir}/%{name}/google-chrome-beta.profile
%config(noreplace) %{_sysconfdir}/%{name}/google-chrome.profile
%config(noreplace) %{_sysconfdir}/%{name}/google-chrome-stable.profile
%config(noreplace) %{_sysconfdir}/%{name}/google-chrome-unstable.profile
%config(noreplace) %{_sysconfdir}/%{name}/google-play-music-desktop-player.profile
%config(noreplace) %{_sysconfdir}/%{name}/gpredict.profile
%config(noreplace) %{_sysconfdir}/%{name}/gtar.profile
%config(noreplace) %{_sysconfdir}/%{name}/gthumb.profile
%config(noreplace) %{_sysconfdir}/%{name}/gwenview.profile
%config(noreplace) %{_sysconfdir}/%{name}/gzip.profile
%config(noreplace) %{_sysconfdir}/%{name}/hedgewars.profile
%config(noreplace) %{_sysconfdir}/%{name}/hexchat.profile
%config(noreplace) %{_sysconfdir}/%{name}/icecat.profile
%config(noreplace) %{_sysconfdir}/%{name}/icedove.profile
%config(noreplace) %{_sysconfdir}/%{name}/iceweasel.profile
%config(noreplace) %{_sysconfdir}/%{name}/inox.profile
%config(noreplace) %{_sysconfdir}/%{name}/jitsi.profile
%config(noreplace) %{_sysconfdir}/%{name}/kmail.profile
%config(noreplace) %{_sysconfdir}/%{name}/konversation.profile
%config(noreplace) %{_sysconfdir}/%{name}/less.profile
%config(noreplace) %{_sysconfdir}/%{name}/libreoffice.profile
%config(noreplace) %{_sysconfdir}/%{name}/localc.profile
%config(noreplace) %{_sysconfdir}/%{name}/lodraw.profile
%config(noreplace) %{_sysconfdir}/%{name}/loffice.profile
%config(noreplace) %{_sysconfdir}/%{name}/lofromtemplate.profile
%config(noreplace) %{_sysconfdir}/%{name}/login.users
%config(noreplace) %{_sysconfdir}/%{name}/loimpress.profile
%config(noreplace) %{_sysconfdir}/%{name}/lomath.profile
%config(noreplace) %{_sysconfdir}/%{name}/loweb.profile
%config(noreplace) %{_sysconfdir}/%{name}/lowriter.profile
%config(noreplace) %{_sysconfdir}/%{name}/lxterminal.profile
%config(noreplace) %{_sysconfdir}/%{name}/mathematica.profile
%config(noreplace) %{_sysconfdir}/%{name}/Mathematica.profile
%config(noreplace) %{_sysconfdir}/%{name}/mcabber.profile
%config(noreplace) %{_sysconfdir}/%{name}/midori.profile
%config(noreplace) %{_sysconfdir}/%{name}/mpv.profile
%config(noreplace) %{_sysconfdir}/%{name}/mupen64plus.profile
%config(noreplace) %{_sysconfdir}/%{name}/netsurf.profile
%config(noreplace) %{_sysconfdir}/%{name}/nolocal.net
%config(noreplace) %{_sysconfdir}/%{name}/okular.profile
%config(noreplace) %{_sysconfdir}/%{name}/openbox.profile
%config(noreplace) %{_sysconfdir}/%{name}/opera-beta.profile
%config(noreplace) %{_sysconfdir}/%{name}/opera.profile
%config(noreplace) %{_sysconfdir}/%{name}/palemoon.profile
%config(noreplace) %{_sysconfdir}/%{name}/parole.profile
%config(noreplace) %{_sysconfdir}/%{name}/pidgin.profile
%config(noreplace) %{_sysconfdir}/%{name}/pix.profile
%config(noreplace) %{_sysconfdir}/%{name}/polari.profile
%config(noreplace) %{_sysconfdir}/%{name}/psi-plus.profile
%config(noreplace) %{_sysconfdir}/%{name}/qbittorrent.profile
%config(noreplace) %{_sysconfdir}/%{name}/qtox.profile
%config(noreplace) %{_sysconfdir}/%{name}/quassel.profile
%config(noreplace) %{_sysconfdir}/%{name}/quiterss.profile
%config(noreplace) %{_sysconfdir}/%{name}/qutebrowser.profile
%config(noreplace) %{_sysconfdir}/%{name}/rhythmbox.profile
%config(noreplace) %{_sysconfdir}/%{name}/rtorrent.profile
%config(noreplace) %{_sysconfdir}/%{name}/seamonkey-bin.profile
%config(noreplace) %{_sysconfdir}/%{name}/seamonkey.profile
%config(noreplace) %{_sysconfdir}/%{name}/server.profile
%config(noreplace) %{_sysconfdir}/%{name}/skypeforlinux.profile
%config(noreplace) %{_sysconfdir}/%{name}/skype.profile
%config(noreplace) %{_sysconfdir}/%{name}/slack.profile
%config(noreplace) %{_sysconfdir}/%{name}/snap.profile
%config(noreplace) %{_sysconfdir}/%{name}/soffice.profile
%config(noreplace) %{_sysconfdir}/%{name}/spotify.profile
%config(noreplace) %{_sysconfdir}/%{name}/ssh.profile
%config(noreplace) %{_sysconfdir}/%{name}/steam.profile
%config(noreplace) %{_sysconfdir}/%{name}/stellarium.profile
%config(noreplace) %{_sysconfdir}/%{name}/strings.profile
%config(noreplace) %{_sysconfdir}/%{name}/tar.profile
%config(noreplace) %{_sysconfdir}/%{name}/telegram.profile
%config(noreplace) %{_sysconfdir}/%{name}/Telegram.profile
%config(noreplace) %{_sysconfdir}/%{name}/thunderbird.profile
%config(noreplace) %{_sysconfdir}/%{name}/totem.profile
%config(noreplace) %{_sysconfdir}/%{name}/transmission-gtk.profile
%config(noreplace) %{_sysconfdir}/%{name}/transmission-qt.profile
%config(noreplace) %{_sysconfdir}/%{name}/uget-gtk.profile
%config(noreplace) %{_sysconfdir}/%{name}/unbound.profile
%config(noreplace) %{_sysconfdir}/%{name}/unrar.profile
%config(noreplace) %{_sysconfdir}/%{name}/unzip.profile
%config(noreplace) %{_sysconfdir}/%{name}/uudeview.profile
%config(noreplace) %{_sysconfdir}/%{name}/vivaldi-beta.profile
%config(noreplace) %{_sysconfdir}/%{name}/vivaldi.profile
%config(noreplace) %{_sysconfdir}/%{name}/vlc.profile
%config(noreplace) %{_sysconfdir}/%{name}/warzone2100.profile
%config(noreplace) %{_sysconfdir}/%{name}/webserver.net
%config(noreplace) %{_sysconfdir}/%{name}/weechat-curses.profile
%config(noreplace) %{_sysconfdir}/%{name}/weechat.profile
%config(noreplace) %{_sysconfdir}/%{name}/wesnoth.profile
%config(noreplace) %{_sysconfdir}/%{name}/whitelist-common.inc
%config(noreplace) %{_sysconfdir}/%{name}/wine.profile
%config(noreplace) %{_sysconfdir}/%{name}/xchat.profile
%config(noreplace) %{_sysconfdir}/%{name}/xplayer.profile
%config(noreplace) %{_sysconfdir}/%{name}/xreader.profile
%config(noreplace) %{_sysconfdir}/%{name}/xviewer.profile
%config(noreplace) %{_sysconfdir}/%{name}/xzdec.profile
%config(noreplace) %{_sysconfdir}/%{name}/xz.profile
%config(noreplace) %{_sysconfdir}/%{name}/zathura.profile
%config(noreplace) %{_sysconfdir}/%{name}/7z.profile
%config(noreplace) %{_sysconfdir}/%{name}/keepass.profile
%config(noreplace) %{_sysconfdir}/%{name}/keepassx.profile
%config(noreplace) %{_sysconfdir}/%{name}/claws-mail.profile
%config(noreplace) %{_sysconfdir}/%{name}/mutt.profile
%config(noreplace) %{_sysconfdir}/%{name}/git.profile
%config(noreplace) %{_sysconfdir}/%{name}/emacs.profile
%config(noreplace) %{_sysconfdir}/%{name}/vim.profile
%config(noreplace) %{_sysconfdir}/%{name}/xpdf.profile
%config(noreplace) %{_sysconfdir}/%{name}/virtualbox.profile
%config(noreplace) %{_sysconfdir}/%{name}/openshot.profile
%config(noreplace) %{_sysconfdir}/%{name}/flowblade.profile
%config(noreplace) %{_sysconfdir}/%{name}/eog.profile
%config(noreplace) %{_sysconfdir}/%{name}/evolution.profile
%config(noreplace) %{_sysconfdir}/%{name}/feh.profile
%config(noreplace) %{_sysconfdir}/%{name}/inkscape.profile
%config(noreplace) %{_sysconfdir}/%{name}/gimp.profile
%config(noreplace) %{_sysconfdir}/%{name}/luminance-hdr.profile
%config(noreplace) %{_sysconfdir}/%{name}/mupdf.profile
%config(noreplace) %{_sysconfdir}/%{name}/qpdfview.profile
%config(noreplace) %{_sysconfdir}/%{name}/ranger.profile
%config(noreplace) %{_sysconfdir}/%{name}/synfigstudio.profile
/usr/bin/firejail
/usr/bin/firemon
/usr/bin/firecfg
/usr/lib/firejail/libtrace.so
/usr/lib/firejail/libtracelog.so
/usr/lib/firejail/libconnect.so
/usr/lib/firejail/faudit
/usr/lib/firejail/ftee
/usr/lib/firejail/firecfg.config
/usr/lib/firejail/fshaper.sh
/usr/share/doc/packages/firejail/COPYING
/usr/share/doc/packages/firejail/README
/usr/share/doc/packages/firejail/RELNOTES
/usr/share/man/man1/firejail.1.gz
/usr/share/man/man1/firemon.1.gz
/usr/share/man/man1/firecfg.1.gz
/usr/share/man/man5/firejail-profile.5.gz
/usr/share/man/man5/firejail-login.5.gz
/usr/share/bash-completion/completions/firejail
/usr/share/bash-completion/completions/firemon
/usr/share/bash-completion/completions/firecfg
%post
chmod u+s /usr/bin/firejail
%changelog
* Fri Oct 21 2016 netblue30 <netblue30@yahoo.com> 0.9.44-1
- CVE-2016-7545 submitted by Aleksey Manevich
- modifs: removed man firejail-config
- modifs: --private-tmp whitelists /tmp/.X11-unix directory
- modifs: Nvidia drivers added to --private-dev
- modifs: /srv supported by --whitelist
- feature: allow user access to /sys/fs (--noblacklist=/sys/fs)
- feature: support starting/joining sandbox is a single command
(--join-or-start)
- feature: X11 detection support for --audit
- feature: assign a name to the interface connected to the bridge
(--veth-name)
- feature: all user home directories are visible (--allusers)
- feature: add files to sandbox container (--put)
- feature: blocking x11 (--x11=block)
- feature: X11 security extension (--x11=xorg)
- feature: disable 3D hardware acceleration (--no3d)
- feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
- feature: move files in sandbox (--put)
- feature: accept wildcard patterns in user name field of restricted
shell login feature
- new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape
- new profiles: feh, ranger, zathura, 7z, keepass, keepassx,
- new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot
- new profiles: Flowblade, Eye of GNOME (eog), Evolution
- bugfixes
* Thu Sep 8 2016 netblue30 <netblue30@yahoo.com> 0.9.42-1
- security: --whitelist deleted files, submitted by Vasya Novikov
- security: disable x32 ABI in seccomp, submitted by Jann Horn
- security: tighten --chroot, submitted by Jann Horn
- security: terminal sandbox escape, submitted by Stephan Sokolow
- security: several TOCTOU fixes submitted by Aleksey Manevich
- modifs: bringing back --private-home option
- modifs: deprecated --user option, please use "sudo -u username firejail"
- modifs: allow symlinks in home directory for --whitelist option
- modifs: Firejail prompt is enabled by env variable FIREJAIL_PROMPT="yes"
- modifs: recursive mkdir
- modifs: include /dev/snd in --private-dev
- modifs: seccomp filter update
- modifs: release archives moved to .xz format
- feature: AppImage support (--appimage)
- feature: AppArmor support (--apparmor)
- feature: Ubuntu snap support (/etc/firejail/snap.profile)
- feature: Sandbox auditing support (--audit)
- feature: remove environment variable (--rmenv)
- feature: noexec support (--noexec)
- feature: clean local overlay storage directory (--overlay-clean)
- feature: store and reuse overlay (--overlay-named)
- feature: allow debugging inside the sandbox with gdb and strace
(--allow-debuggers)
- feature: mkfile profile command
- feature: quiet profile command
- feature: x11 profile command
- feature: option to fix desktop files (firecfg --fix)
- compile time: Busybox support (--enable-busybox-workaround)
- compile time: disable overlayfs (--disable-overlayfs)
- compile time: disable whitlisting (--disable-whitelist)
- compile time: disable global config (--disable-globalcfg)
- run time: enable/disable overlayfs (overlayfs yes/no)
- run time: enable/disable quiet as default (quiet-by-default yes/no)
- run time: user-defined network filter (netfilter-default)
- run time: enable/disable whitelisting (whitelist yes/no)
- run time: enable/disable remounting of /proc and /sys
(remount-proc-sys yes/no)
- run time: enable/disable chroot desktop features (chroot-desktop yes/no)
- profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice
- profiles: pix, audacity, xz, xzdec, gzip, cpio, less
- profiles: Atom Beta, Atom, jitsi, eom, uudeview
- profiles: tar (gtar), unzip, unrar, file, skypeforlinux,
- profiles: inox, Slack, gnome-chess. Gajim IM client, DOSBox
- bugfixes
EOF
echo "building rpm"
rpmbuild -ba SPECS/firejail.spec
rpm -qpl RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm
cd ..
rm -f firejail-$VERSION-1.x86_64.rpm
cp rpmbuild/RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm .


@ -92,7 +92,8 @@ void syscall_run(const char *name) {
errExit("fork");
if (child == 0) {
execl(prog, prog, "syscall", name, NULL);
exit(1);
perror("execl");
_exit(1);
}
// wait for the child to finish
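Review bot: `_exit(1)` after a failed execl gives the child the same status as a syscall-test program that itself exits with 1, so the parent waiting below cannot tell "helper could not be started" from "helper ran and failed"; the shell convention for this case is `_exit(127);`. The `perror("execl")` addition is right — the exec path must not flush the parent's inherited stdio buffers, which is why `_exit` rather than `exit` belongs here, and a one-line comment saying so would stop a later cleanup from reverting it. syscall_run continues outside the hunk, so the parent's handling of the status is not visible here.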


@ -42,11 +42,13 @@ opera-beta
opera
palemoon
qutebrowser
start-tor-browser
seamonkey
seamonkey-bin
thunderbird
vivaldi-beta
vivaldi
evolution
# chat/messaging
bitlbee
@ -76,6 +78,7 @@ unbound
mupen64plus
wine
dosbox
virtualbox
# games
0ad
@ -134,8 +137,12 @@ Mathematica
mathematica
okular
pix
xpdf
xreader
zathura
openshot
flowblade
eog
# other
ssh
@ -144,6 +151,7 @@ atom
ranger
keepass
keepassx
xiphos
# weather/climate
aweather


@ -30,11 +30,11 @@ BINOBJS = $(foreach file, $(OBJS), $file)
CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h
%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h
$(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o
$(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
$(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
clean:; rm -f *.o firejail firejail.1 firejail.1.gz


@ -39,7 +39,7 @@ void appimage_set(const char *appimage_path) {
assert(appimage_path);
assert(devloop == NULL); // don't call this twice!
EUID_ASSERT();
#ifdef LOOP_CTL_GET_FREE // test for older kernels; this definition is found in /usr/include/linux/loop.h
// check appimage_path
if (access(appimage_path, R_OK) == -1) {
@ -47,6 +47,12 @@ void appimage_set(const char *appimage_path) {
exit(1);
}
// get appimage type and ELF size
// a value of 0 means we are dealing with a type1 appimage
long unsigned int size = appimage2_size(appimage_path);
if (arg_debug)
printf("AppImage ELF size %lu\n", size);
// open as user to prevent race condition
int ffd = open(appimage_path, O_RDONLY|O_CLOEXEC);
if (ffd == -1) {
@ -54,9 +60,8 @@ void appimage_set(const char *appimage_path) {
exit(1);
}
EUID_ROOT();
// find or allocate a free loop device to use
EUID_ROOT();
int cfd = open("/dev/loop-control", O_RDWR);
int devnr = ioctl(cfd, LOOP_CTL_GET_FREE);
if (devnr == -1) {
@ -72,38 +77,56 @@ void appimage_set(const char *appimage_path) {
fprintf(stderr, "Error: cannot configure the loopback device\n");
exit(1);
}
if (size) {
struct loop_info64 info;
memset(&info, 0, sizeof(struct loop_info64));
info.lo_offset = size;
if (ioctl(lfd, LOOP_SET_STATUS64, &info) == -1)
errExit("configure appimage offset");
}
close(lfd);
close(ffd);
EUID_USER();
// creates directory with perms 0700
char dirname[] = "/tmp/firejail-mnt-XXXXXX";
mntdir = strdup(mkdtemp(dirname));
if (mntdir == NULL) {
fprintf(stderr, "Error: cannot create temporary directory\n");
// creates appimage mount point perms 0700
if (asprintf(&mntdir, "%s/.appimage-%u", RUN_FIREJAIL_APPIMAGE_DIR, getpid()) == -1)
errExit("asprintf");
EUID_ROOT();
if (mkdir(mntdir, 0700) == -1) {
fprintf(stderr, "Error: cannot create appimage mount point\n");
exit(1);
}
if (chmod(mntdir, 0700) == -1)
errExit("chmod");
if (chown(mntdir, getuid(), getgid()) == -1)
errExit("chown");
EUID_USER();
ASSERT_PERMS(mntdir, getuid(), getgid(), 0700);
// mount
char *mode;
if (asprintf(&mode, "mode=700,uid=%d,gid=%d", getuid(), getgid()) == -1)
errExit("asprintf");
EUID_ROOT();
if (mount(devloop, mntdir, "iso9660",MS_MGC_VAL|MS_RDONLY, mode) < 0)
errExit("mounting appimage");
if (size == 0) {
if (mount(devloop, mntdir, "iso9660",MS_MGC_VAL|MS_RDONLY, mode) < 0)
errExit("mounting appimage");
}
else {
if (mount(devloop, mntdir, "squashfs",MS_MGC_VAL|MS_RDONLY, mode) < 0)
errExit("mounting appimage");
}
if (arg_debug)
printf("appimage mounted on %s\n", mntdir);
EUID_USER();
// set environment
if (appimage_path && setenv("APPIMAGE", appimage_path, 1) < 0)
errExit("setenv");
if (mntdir && setenv("APPDIR", mntdir, 1) < 0)
errExit("setenv");
@ -121,16 +144,32 @@ void appimage_set(const char *appimage_path) {
void appimage_clear(void) {
int rv;
EUID_ROOT();
if (mntdir) {
rv = umount2(mntdir, MNT_FORCE);
if (rv == -1 && errno == EBUSY) {
sleep(1);
int i;
int rv = 0;
for (i = 0; i < 5; i++) {
rv = umount2(mntdir, MNT_FORCE);
(void) rv;
if (rv == 0)
break;
if (rv == -1 && errno == EBUSY) {
if (!arg_quiet)
printf("Warning: EBUSY error trying to unmount %s\n", mntdir);
sleep(2);
continue;
}
// rv = -1
if (!arg_quiet) {
printf("Warning: error trying to unmount %s\n", mntdir);
perror("umount");
}
}
if (rv == 0) {
rmdir(mntdir);
free(mntdir);
}
rmdir(mntdir);
free(mntdir);
}
if (devloop) {
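Review bot: In appimage_clear the new `int rv = 0;` inside `if (mntdir)` shadows the `int rv;` declared at the top of the function, which is now unused in the visible part, and `(void) rv;` on the next line is a leftover from the old two-attempt version; drop the inner declaration and the `(void) rv;` and let the loop assign the outer `rv`. When all five umount2 attempts fail the code correctly keeps the mount point and does not free `mntdir`, but it then falls through to the loop-device handling below the hunk with the filesystem still mounted; if that path detaches `devloop`, the failure should be remembered (or the function should return early) so a busy mount is not detached underneath a running process — appimage_clear continues outside the hunk, so this is inferred. In appimage_set, the mount point name is derived from `getpid()` alone (`.appimage-%u`), so a directory left behind by an earlier sandbox whose unmount failed makes `mkdir` fail with EEXIST for the next process that reuses the pid, and the sandbox exits; treating EEXIST as "stale, verify ownership and reuse" or appending a random component would avoid that.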


@ -0,0 +1,160 @@
/*
* Copyright (C) 2014-2016 Firejail Authors
*
* This file is part of firejail project
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
Compile with:
gcc elfsize.c -o elfsize
Example:
ls -l 126584
Calculation using the values also reported by readelf -h:
Start of section headers e_shoff 124728
Size of section headers e_shentsize 64
Number of section headers e_shnum 29
e_shoff + ( e_shentsize * e_shnum ) = 126584
*/
#include <elf.h>
#include <byteswap.h>
#include <stdio.h>
#include <stdint.h>
#include <errno.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <fcntl.h>
typedef Elf32_Nhdr Elf_Nhdr;
static Elf64_Ehdr ehdr;
#if __BYTE_ORDER == __LITTLE_ENDIAN
#define ELFDATANATIVE ELFDATA2LSB
#elif __BYTE_ORDER == __BIG_ENDIAN
#define ELFDATANATIVE ELFDATA2MSB
#else
#error "Unknown machine endian"
#endif
static uint16_t file16_to_cpu(uint16_t val) {
if (ehdr.e_ident[EI_DATA] != ELFDATANATIVE)
val = bswap_16(val);
return val;
}
static uint32_t file32_to_cpu(uint32_t val) {
if (ehdr.e_ident[EI_DATA] != ELFDATANATIVE)
val = bswap_32(val);
return val;
}
static uint64_t file64_to_cpu(uint64_t val) {
if (ehdr.e_ident[EI_DATA] != ELFDATANATIVE)
val = bswap_64(val);
return val;
}
// return 0 if error
static long unsigned int read_elf32(int fd) {
Elf32_Ehdr ehdr32;
ssize_t ret;
ret = pread(fd, &ehdr32, sizeof(ehdr32), 0);
if (ret < 0 || (size_t)ret != sizeof(ehdr))
return 0;
ehdr.e_shoff = file32_to_cpu(ehdr32.e_shoff);
ehdr.e_shentsize = file16_to_cpu(ehdr32.e_shentsize);
ehdr.e_shnum = file16_to_cpu(ehdr32.e_shnum);
return(ehdr.e_shoff + (ehdr.e_shentsize * ehdr.e_shnum));
}
// return 0 if error
static long unsigned int read_elf64(int fd) {
Elf64_Ehdr ehdr64;
ssize_t ret;
ret = pread(fd, &ehdr64, sizeof(ehdr64), 0);
if (ret < 0 || (size_t)ret != sizeof(ehdr))
return 0;
ehdr.e_shoff = file64_to_cpu(ehdr64.e_shoff);
ehdr.e_shentsize = file16_to_cpu(ehdr64.e_shentsize);
ehdr.e_shnum = file16_to_cpu(ehdr64.e_shnum);
return(ehdr.e_shoff + (ehdr.e_shentsize * ehdr.e_shnum));
}
// return 0 if error
// return 0 if this is not an appimgage2 file
long unsigned int appimage2_size(const char *fname) {
/* TODO, FIXME: This assumes that the section header table (SHT) is
the last part of the ELF. This is usually the case but
it could also be that the last section is the last part
of the ELF. This should be checked for.
*/
ssize_t ret;
int fd;
long unsigned int size = 0;
fd = open(fname, O_RDONLY);
if (fd < 0)
return 0;
ret = pread(fd, ehdr.e_ident, EI_NIDENT, 0);
if (ret != EI_NIDENT)
goto getout;
if ((ehdr.e_ident[EI_DATA] != ELFDATA2LSB) &&
(ehdr.e_ident[EI_DATA] != ELFDATA2MSB))
goto getout;
if(ehdr.e_ident[EI_CLASS] == ELFCLASS32) {
size = read_elf32(fd);
}
else if(ehdr.e_ident[EI_CLASS] == ELFCLASS64) {
size = read_elf64(fd);
}
else {
goto getout;
}
if (size == 0)
goto getout;
// look for a LZMA header at this location
unsigned char buf[4];
ret = pread(fd, buf, 4, size);
if (ret != 4) {
size = 0;
goto getout;
}
if (memcmp(buf, "hsqs", 4) != 0)
size = 0;
getout:
close(fd);
return size;
}
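Review bot: read_elf32 compares the bytes read against `sizeof(ehdr)` (the static Elf64_Ehdr) while it only reads `sizeof(ehdr32)`, so every 32-bit ELF takes the `return 0` path and is treated as a type-1 image; the check should be `if (ret < 0 || (size_t)ret != sizeof(ehdr32))`. In both read_elf32 and read_elf64 the product `ehdr.e_shentsize * ehdr.e_shnum` is evaluated in int after integer promotion of the two uint16_t fields, which is undefined behaviour for header values a crafted file can carry; widen before multiplying, `return ehdr.e_shoff + (uint64_t)ehdr.e_shentsize * ehdr.e_shnum;`. The resulting offset comes straight from untrusted headers and is passed to `pread` here and to the loop device's lo_offset in appimage.c without an upper bound; an fstat-based check that the offset lies inside the file would reject nonsense values before they reach the kernel. Two documentation nits: the comment `// look for a LZMA header at this location` describes a check for the squashfs magic `hsqs`, and `Elf_Nhdr` is typedef'd but never used.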


@ -40,6 +40,7 @@ typedef struct arp_hdr_t {
uint8_t target_ip[4];
} ArpHdr;
// returns 0 if the address is not in use, -1 otherwise
int arp_check(const char *dev, uint32_t destaddr, uint32_t srcaddr) {
if (strlen(dev) > IFNAMSIZ) {
@ -286,189 +287,4 @@ uint32_t arp_assign(const char *dev, Bridge *br) {
return ip;
}
// scan interface (--scan option)
void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) {
assert(dev);
assert(ifip);
// printf("Scanning interface %s (%d.%d.%d.%d/%d)\n",
// dev, PRINT_IP(ifip & ifmask), mask2bits(ifmask));
if (strlen(dev) > IFNAMSIZ) {
fprintf(stderr, "Error: invalid network device name %s\n", dev);
exit(1);
}
// find interface mac address
int sock;
if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
errExit("socket");
struct ifreq ifr;
memset(&ifr, 0, sizeof (ifr));
strncpy(ifr.ifr_name, dev, IFNAMSIZ);
if (ioctl(sock, SIOCGIFHWADDR, &ifr) < 0)
errExit("ioctl");
close(sock);
uint8_t mac[6];
memcpy (mac, ifr.ifr_hwaddr.sa_data, 6);
// open layer2 socket
if ((sock = socket(PF_PACKET, SOCK_RAW, htons (ETH_P_ALL))) < 0)
errExit("socket");
// try all possible ip addresses in ascending order
uint32_t range = ~ifmask + 1; // the number of potential addresses
// this software is not supported for /31 networks
if (range < 4) {
fprintf(stderr, "Warning: this option is not supported for /31 networks\n");
close(sock);
return;
}
uint32_t dest = (ifip & ifmask) + 1;
uint32_t last = dest + range - 1;
uint32_t src = htonl(ifip);
// wait not more than one second for an answer
int header_printed = 0;
uint32_t last_ip = 0;
struct timeval ts;
ts.tv_sec = 2; // 2 seconds receive timeout
ts.tv_usec = 0;
while (1) {
fd_set rfds;
FD_ZERO(&rfds);
FD_SET(sock, &rfds);
fd_set wfds;
FD_ZERO(&wfds);
FD_SET(sock, &wfds);
int maxfd = sock;
uint8_t frame[ETH_FRAME_LEN]; // includes eht header, vlan, and crc
memset(frame, 0, ETH_FRAME_LEN);
int nready;
if (dest < last)
nready = select(maxfd + 1, &rfds, &wfds, (fd_set *) 0, NULL);
else
nready = select(maxfd + 1, &rfds, (fd_set *) 0, (fd_set *) 0, &ts);
if (nready < 0)
errExit("select");
if (nready == 0) { // timeout
break;
}
if (FD_ISSET(sock, &wfds) && dest < last) {
// configure layer2 socket address information
struct sockaddr_ll addr;
memset(&addr, 0, sizeof(addr));
if ((addr.sll_ifindex = if_nametoindex(dev)) == 0)
errExit("if_nametoindex");
addr.sll_family = AF_PACKET;
memcpy (addr.sll_addr, mac, 6);
addr.sll_halen = htons(6);
// build the arp packet header
ArpHdr hdr;
memset(&hdr, 0, sizeof(hdr));
hdr.htype = htons(1);
hdr.ptype = htons(ETH_P_IP);
hdr.hlen = 6;
hdr.plen = 4;
hdr.opcode = htons(1); //ARPOP_REQUEST
memcpy(hdr.sender_mac, mac, 6);
memcpy(hdr.sender_ip, (uint8_t *)&src, 4);
uint32_t dst = htonl(dest);
memcpy(hdr.target_ip, (uint8_t *)&dst, 4);
// build ethernet frame
uint8_t frame[ETH_FRAME_LEN]; // includes eht header, vlan, and crc
memset(frame, 0, sizeof(frame));
frame[0] = frame[1] = frame[2] = frame[3] = frame[4] = frame[5] = 0xff;
memcpy(frame + 6, mac, 6);
frame[12] = ETH_P_ARP / 256;
frame[13] = ETH_P_ARP % 256;
memcpy (frame + 14, &hdr, sizeof(hdr));
// send packet
int len;
if ((len = sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr))) <= 0)
errExit("send");
//printf("send %d bytes to %d.%d.%d.%d\n", len, PRINT_IP(dest));
fflush(0);
dest++;
}
if (FD_ISSET(sock, &rfds)) {
// read the incoming packet
int len = recvfrom(sock, frame, ETH_FRAME_LEN, 0, NULL, NULL);
if (len < 0) {
perror("recvfrom");
}
// parse the incoming packet
if ((unsigned int) len < 14 + sizeof(ArpHdr))
continue;
// look only at ARP packets
if (frame[12] != (ETH_P_ARP / 256) || frame[13] != (ETH_P_ARP % 256))
continue;
ArpHdr hdr;
memcpy(&hdr, frame + 14, sizeof(ArpHdr));
if (hdr.opcode == htons(2)) {
// check my mac and my address
if (memcmp(mac, hdr.target_mac, 6) != 0)
continue;
uint32_t ip;
memcpy(&ip, hdr.target_ip, 4);
if (ip != src)
continue;
memcpy(&ip, hdr.sender_ip, 4);
ip = ntohl(ip);
if (ip == last_ip) // filter duplicates
continue;
last_ip = ip;
// printing
if (header_printed == 0) {
printf(" Network scan:\n");
// print parent interface
if (cfg.bridge0.configured && cfg.bridge0.ip && cfg.bridge0.macvlan &&
(cfg.bridge0.ip & cfg.bridge0.mask) == (ifip & cfg.bridge0.mask))
printf(" %02x:%02x:%02x:%02x:%02x:%02x\t%d.%d.%d.%d\n",
PRINT_MAC(cfg.bridge0.mac), PRINT_IP(cfg.bridge0.ip));
if (cfg.bridge1.configured && cfg.bridge1.ip && cfg.bridge1.macvlan &&
(cfg.bridge1.ip & cfg.bridge1.mask) == (ifip & cfg.bridge1.mask))
printf(" %02x:%02x:%02x:%02x:%02x:%02x\t%d.%d.%d.%d\n",
PRINT_MAC(cfg.bridge1.mac), PRINT_IP(cfg.bridge1.ip));
if (cfg.bridge2.configured && cfg.bridge2.ip && cfg.bridge2.macvlan &&
(cfg.bridge2.ip & cfg.bridge2.mask) == (ifip & cfg.bridge2.mask))
printf(" %02x:%02x:%02x:%02x:%02x:%02x\t%d.%d.%d.%d\n",
PRINT_MAC(cfg.bridge2.mac), PRINT_IP(cfg.bridge2.ip));
if (cfg.bridge3.configured && cfg.bridge3.ip && cfg.bridge3.macvlan &&
(cfg.bridge3.ip & cfg.bridge3.mask) == (ifip & cfg.bridge3.mask))
printf(" %02x:%02x:%02x:%02x:%02x:%02x\t%d.%d.%d.%d\n",
PRINT_MAC(cfg.bridge3.mac), PRINT_IP(cfg.bridge3.ip));
header_printed = 1;
}
printf(" %02x:%02x:%02x:%02x:%02x:%02x\t%d.%d.%d.%d\n",
PRINT_MAC(hdr.sender_mac), PRINT_IP(ip));
}
}
}
close(sock);
}


@ -17,7 +17,6 @@
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_SECCOMP
#include "firejail.h"
#include <errno.h>
@ -205,16 +204,4 @@ char *errno_find_nr(int nr) {
return "unknown";
}
void errno_print(void) {
EUID_ASSERT();
int i;
int elems = sizeof(errnolist) / sizeof(errnolist[0]);
for (i = 0; i < elems; i++) {
printf("%d\t- %s\n", errnolist[i].nr, errnolist[i].name);
}
printf("\n");
}
#endif // HAVE_SECCOMP


@ -28,6 +28,7 @@
// filesystem
#define RUN_FIREJAIL_BASEDIR "/run"
#define RUN_FIREJAIL_DIR "/run/firejail"
#define RUN_FIREJAIL_APPIMAGE_DIR "/run/firejail/appimage"
#define RUN_FIREJAIL_NAME_DIR "/run/firejail/name"
#define RUN_FIREJAIL_X11_DIR "/run/firejail/x11"
#define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network"
@ -36,7 +37,6 @@
#define RUN_RO_DIR "/run/firejail/firejail.ro.dir"
#define RUN_RO_FILE "/run/firejail/firejail.ro.file"
#define RUN_MNT_DIR "/run/firejail/mnt" // a tmpfs is mounted on this directory before any of the files below are created
#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp"
#define RUN_CGROUP_CFG "/run/firejail/mnt/cgroup"
#define RUN_CPU_CFG "/run/firejail/mnt/cpu"
#define RUN_GROUPS_CFG "/run/firejail/mnt/groups"
@ -47,6 +47,12 @@
#define RUN_BIN_DIR "/run/firejail/mnt/bin"
#define RUN_PULSE_DIR "/run/firejail/mnt/pulse"
#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp" // configured filter
#define RUN_SECCOMP_PROTOCOL "/run/firejail/mnt/seccomp.protocol" // protocol filter
#define RUN_SECCOMP_AMD64 "/run/firejail/mnt/seccomp.amd64" // amd64 filter installed on i386 architectures
#define RUN_SECCOMP_I386 "/run/firejail/mnt/seccomp.i386" // i386 filter installed on amd64 architectures
#define RUN_DEV_DIR "/run/firejail/mnt/dev"
#define RUN_DEVLOG_FILE "/run/firejail/mnt/devlog"
@ -59,6 +65,7 @@
#define RUN_WHITELIST_VAR_DIR "/run/firejail/mnt/orig-var"
#define RUN_WHITELIST_DEV_DIR "/run/firejail/mnt/orig-dev"
#define RUN_WHITELIST_OPT_DIR "/run/firejail/mnt/orig-opt"
#define RUN_WHITELIST_SRV_DIR "/run/firejail/mnt/orig-srv"
#define RUN_XAUTHORITY_FILE "/run/firejail/mnt/.Xauthority"
#define RUN_XAUTHORITY_SEC_FILE "/run/firejail/mnt/sec.Xauthority"
@ -72,6 +79,8 @@
#define RUN_GROUP_FILE "/run/firejail/mnt/group"
#define RUN_FSLOGGER_FILE "/run/firejail/mnt/fslogger"
// profiles
#define DEFAULT_USER_PROFILE "default"
#define DEFAULT_ROOT_PROFILE "server"
@ -172,6 +181,7 @@ typedef struct profile_entry_t {
unsigned var_dir:1; // whitelist in /var directory
unsigned dev_dir:1; // whitelist in /dev directory
unsigned opt_dir:1; // whitelist in /opt directory
unsigned srv_dir:1; // whitelist in /srv directory
}ProfileEntry;
typedef struct config_t {
@ -358,21 +368,19 @@ void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu);
void net_if_ip6(const char *ifname, const char *addr6);
int net_get_if_addr(const char *bridge, uint32_t *ip, uint32_t *mask, uint8_t mac[6], int *mtu);
int net_add_route(uint32_t dest, uint32_t mask, uint32_t gw);
void net_ifprint(void);
void net_bridge_add_interface(const char *bridge, const char *dev);
uint32_t network_get_defaultgw(void);
int net_config_mac(const char *ifname, const unsigned char mac[6]);
int net_get_mac(const char *ifname, unsigned char mac[6]);
void net_config_interface(const char *dev, uint32_t ip, uint32_t mask, int mtu);
// preproc.c
void preproc_build_firejail_dir(void);
void preproc_mount_mnt_dir(void);
void preproc_build_cp_command(void);
void preproc_delete_cp_command(void) ;
void preproc_remount_mnt_dir(void);
// fs.c
// build /run/firejail directory
void fs_build_firejail_dir(void);
// build /run/firejail/mnt directory
void fs_build_mnt_dir(void);
// grab a copy of cp command
void fs_build_cp_command(void);
// delete the temporary cp command
void fs_delete_cp_command(void) ;
// blacklist files or directoies by mounting empty files on top of them
void fs_blacklist(void);
// remount a directory read-only
@ -389,7 +397,6 @@ void fs_overlayfs(void);
// chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf
void fs_chroot(const char *rootdir);
int fs_check_chroot_dir(const char *rootdir);
void fs_private_tmp(void);
// profile.c
// find and read the profile specified by name from dir directory
@ -426,13 +433,6 @@ int restricted_shell(const char *user);
int arp_check(const char *dev, uint32_t destaddr, uint32_t srcaddr);
// assign an IP address using arp scanning
uint32_t arp_assign(const char *dev, Bridge *br);
// scan interface (--scan option)
void arp_scan(const char *dev, uint32_t srcaddr, uint32_t srcmask);
// veth.c
int net_create_veth(const char *dev, const char *nsdev, unsigned pid);
int net_create_macvlan(const char *dev, const char *parent, unsigned pid);
int net_move_interface(const char *dev, unsigned pid);
// util.c
void drop_privs(int nogroups);
@ -457,10 +457,11 @@ char *expand_home(const char *path, const char* homedir);
const char *gnu_basename(const char *path);
uid_t pid_get_uid(pid_t pid);
void invalid_filename(const char *fname);
uid_t get_tty_gid(void);
uid_t get_audio_gid(void);
uid_t get_group_id(const char *group);
int remove_directory(const char *path);
void flush_stdin(void);
void create_empty_dir_as_root(const char *dir, mode_t mode);
void create_empty_file_as_root(const char *dir, mode_t mode);
// fs_var.c
void fs_var_log(void); // mounting /var/log
@ -495,12 +496,14 @@ void fs_private_home_list(void);
// seccomp.c
int seccomp_load(const char *fname);
void seccomp_filter_32(void);
void seccomp_filter_64(void);
int seccomp_filter_drop(int enforce_seccomp);
int seccomp_filter_keep(void);
void seccomp_set(void);
int seccomp_filter_errno(void);
void seccomp_print_filter_name(const char *name);
void seccomp_print_filter(pid_t pid);
int seccomp_filter_errno(void);
// caps.c
int caps_default_filter(void);
@ -517,8 +520,6 @@ void caps_print_filter_name(const char *name);
const char *syscall_find_nr(int nr);
// return -1 if error, 0 if no error
int syscall_check_list(const char *slist, void (*callback)(int syscall, int arg), int arg);
// print all available syscallsseccomp
void syscall_print(void);
// fs_trace.c
void fs_trace_preload(void);
@ -597,13 +598,10 @@ void fs_check_bin_list(void);
void fs_private_bin_list(void);
// protocol.c
void protocol_list();
void protocol_print_filter_name(const char *name);
void protocol_print_filter(pid_t pid);
void protocol_store(const char *prlist);
void protocol_filter(void);
void protocol_filter_save(void);
void protocol_filter_load(const char *fname);
void protocol_print_filter_name(const char *name);
void protocol_print_filter(pid_t pid);
// restrict_users.c
void restrict_users(void);
@ -672,14 +670,33 @@ extern char *xephyr_extra_params;
extern char *netfilter_default;
int checkcfg(int val);
void print_compiletime_support(void);
void x11_xorg(void);
// appimage.c
void appimage_set(const char *appimage_path);
void appimage_clear(void);
const char *appimage_getdir(void);
// appimage_size.c
long unsigned int appimage2_size(const char *fname);
// cmdline.c
void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index);
// sbox.c
// programs
#define PATH_FNET (LIBDIR "/firejail/fnet")
#define PATH_FIREMON (PREFIX "/bin/firemon")
#define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")
// bitmapped filters for sbox_run
#define SBOX_ROOT (1 << 0)
#define SBOX_USER (1 << 1)
#define SBOX_SECCOMP (1 << 2)
#define SBOX_CAPS_NONE (1 << 3) // drop all capabilities
#define SBOX_CAPS_NETWORK (1 << 4) // caps filter for programs running network programs
// run sbox
int sbox_run(unsigned filter, int num, ...);
#endif
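Review bot: The new `sbox_run` declaration carries only `// run sbox`, yet it is a variadic privileged-helper launcher that every caller will have to use correctly; the header should state what `num` counts, that the trailing arguments are the argv strings for one of the PATH_* helpers, what the return value means, and how the SBOX_ROOT/SBOX_USER/SBOX_SECCOMP/SBOX_CAPS_* bits combine (for instance whether ROOT and USER are mutually exclusive) — the exact semantics live in sbox.c, which is not on this page, so the wording has to be confirmed there. The comments on SBOX_CAPS_NONE and SBOX_CAPS_NETWORK are a good start; the three bits above them deserve the same treatment. Two smaller points in the same header: `uid_t get_group_id(const char *group);` returns a group id as `uid_t` where `gid_t` is the correct type, and `create_empty_file_as_root(const char *dir, mode_t mode);` names its path parameter `dir` although it creates a file.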


@ -29,149 +29,7 @@
static void fs_rdwr(const char *dir);
static void create_dir_as_root(const char *dir, mode_t mode) {
assert(dir);
if (arg_debug)
printf("Creating %s directory\n", dir);
if (mkdir(dir, mode) == -1)
errExit("mkdir");
if (chmod(dir, mode) == -1)
errExit("chmod");
ASSERT_PERMS(dir, 0, 0, mode);
}
static void create_empty_dir(void) {
struct stat s;
if (stat(RUN_RO_DIR, &s)) {
/* coverity[toctou] */
if (mkdir(RUN_RO_DIR, S_IRUSR | S_IXUSR) == -1)
errExit("mkdir");
if (chmod(RUN_RO_DIR, S_IRUSR | S_IXUSR) == -1)
errExit("chmod");
ASSERT_PERMS(RUN_RO_DIR, 0, 0, S_IRUSR | S_IXUSR);
}
}
static void create_empty_file(void) {
struct stat s;
if (stat(RUN_RO_FILE, &s)) {
/* coverity[toctou] */
FILE *fp = fopen(RUN_RO_FILE, "w");
if (!fp)
errExit("fopen");
SET_PERMS_STREAM(fp, 0, 0, S_IRUSR);
fclose(fp);
}
}
// build /run/firejail directory
void fs_build_firejail_dir(void) {
struct stat s;
// CentOS 6 doesn't have /run directory
if (stat(RUN_FIREJAIL_BASEDIR, &s)) {
create_dir_as_root(RUN_FIREJAIL_BASEDIR, 0755);
}
else { // check /tmp/firejail directory belongs to root end exit if doesn't!
if (s.st_uid != 0 || s.st_gid != 0) {
fprintf(stderr, "Error: non-root %s directory, exiting...\n", RUN_FIREJAIL_DIR);
exit(1);
}
}
if (stat(RUN_FIREJAIL_DIR, &s)) {
create_dir_as_root(RUN_FIREJAIL_DIR, 0755);
}
if (stat(RUN_FIREJAIL_NETWORK_DIR, &s)) {
create_dir_as_root(RUN_FIREJAIL_NETWORK_DIR, 0755);
}
if (stat(RUN_FIREJAIL_BANDWIDTH_DIR, &s)) {
create_dir_as_root(RUN_FIREJAIL_BANDWIDTH_DIR, 0755);
}
if (stat(RUN_FIREJAIL_NAME_DIR, &s)) {
create_dir_as_root(RUN_FIREJAIL_NAME_DIR, 0755);
}
if (stat(RUN_FIREJAIL_X11_DIR, &s)) {
create_dir_as_root(RUN_FIREJAIL_X11_DIR, 0755);
}
create_empty_dir();
create_empty_file();
}
// build /tmp/firejail/mnt directory
static int tmpfs_mounted = 0;
#ifdef HAVE_CHROOT
static void fs_build_remount_mnt_dir(void) {
tmpfs_mounted = 0;
fs_build_mnt_dir();
}
#endif
void fs_build_mnt_dir(void) {
struct stat s;
fs_build_firejail_dir();
// create /run/firejail/mnt directory
if (stat(RUN_MNT_DIR, &s)) {
create_dir_as_root(RUN_MNT_DIR, 0755);
}
// ... and mount tmpfs on top of it
if (!tmpfs_mounted) {
// mount tmpfs on top of /run/firejail/mnt
if (arg_debug)
printf("Mounting tmpfs on %s directory\n", RUN_MNT_DIR);
if (mount("tmpfs", RUN_MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
errExit("mounting /tmp/firejail/mnt");
tmpfs_mounted = 1;
fs_logger2("tmpfs", RUN_MNT_DIR);
}
}
// grab a copy of cp command
void fs_build_cp_command(void) {
struct stat s;
fs_build_mnt_dir();
if (stat(RUN_CP_COMMAND, &s)) {
char* fname = realpath("/bin/cp", NULL);
if (fname == NULL) {
fprintf(stderr, "Error: /bin/cp not found\n");
exit(1);
}
if (stat(fname, &s)) {
fprintf(stderr, "Error: /bin/cp not found\n");
exit(1);
}
if (is_link(fname)) {
fprintf(stderr, "Error: invalid /bin/cp file\n");
exit(1);
}
int rv = copy_file(fname, RUN_CP_COMMAND, 0, 0, 0755);
if (rv) {
fprintf(stderr, "Error: cannot access /bin/cp\n");
exit(1);
}
ASSERT_PERMS(RUN_CP_COMMAND, 0, 0, 0755);
free(fname);
}
}
// delete the temporary cp command
void fs_delete_cp_command(void) {
unlink(RUN_CP_COMMAND);
}
//***********************************************
// process profile file
@ -197,9 +55,6 @@ static void disable_file(OPERATION op, const char *filename) {
assert(op <OPERATION_MAX);
last_disable = UNSUCCESSFUL;
// rebuild /run/firejail directory in case tmpfs was mounted on top of /run
fs_build_firejail_dir();
// Resolve all symlinks
char* fname = realpath(filename, NULL);
if (fname == NULL && errno != EACCES) {
@ -251,9 +106,10 @@ static void disable_file(OPERATION op, const char *filename) {
// some distros put all executables under /usr/bin and make /bin a symbolic link
if ((strcmp(fname, "/bin") == 0 || strcmp(fname, "/usr/bin") == 0) &&
is_link(filename) &&
S_ISDIR(s.st_mode))
fprintf(stderr, "Warning: %s directory link was not blacklisted\n", filename);
S_ISDIR(s.st_mode)) {
if (!arg_quiet)
fprintf(stderr, "Warning: %s directory link was not blacklisted\n", filename);
}
else {
if (arg_debug)
printf("Disable %s\n", fname);
@ -644,7 +500,11 @@ void fs_proc_sys_dev_boot(void) {
disable_file(BLACKLIST_FILE, "/sys/firmware");
disable_file(BLACKLIST_FILE, "/sys/hypervisor");
disable_file(BLACKLIST_FILE, "/sys/fs");
{ // allow user access to /sys/fs if "--noblacklist=/sys/fs" is present on the command line
EUID_USER();
profile_add("blacklist /sys/fs");
EUID_ROOT();
}
disable_file(BLACKLIST_FILE, "/sys/module");
disable_file(BLACKLIST_FILE, "/sys/power");
disable_file(BLACKLIST_FILE, "/sys/kernel/debug");
@ -745,8 +605,8 @@ void fs_basic_fs(void) {
fs_rdonly("/usr");
// update /var directory in order to support multiple sandboxes running on the same root directory
if (!arg_private_dev)
fs_dev_shm();
// if (!arg_private_dev)
// fs_dev_shm();
fs_var_lock();
fs_var_tmp();
fs_var_log();
@ -859,9 +719,6 @@ void fs_overlayfs(void) {
if (major == 3 && minor < 18)
oldkernel = 1;
// build overlay directories
fs_build_mnt_dir();
char *oroot;
if(asprintf(&oroot, "%s/oroot", RUN_MNT_DIR) == -1)
errExit("asprintf");
@ -1052,8 +909,8 @@ void fs_overlayfs(void) {
errExit("chroot");
// update /var directory in order to support multiple sandboxes running on the same root directory
if (!arg_private_dev)
fs_dev_shm();
// if (!arg_private_dev)
// fs_dev_shm();
fs_var_lock();
fs_var_tmp();
fs_var_log();
@ -1185,17 +1042,33 @@ void fs_chroot(const char *rootdir) {
free(newx11);
}
// some older distros don't have a /run directory
// create one by default
// no exit on error, let the user deal with any problems
// create /run/firejail directory in chroot
char *rundir;
if (asprintf(&rundir, "%s/run", rootdir) == -1)
errExit("asprintf");
if (!is_dir(rundir)) {
int rv = mkdir(rundir, 0755);
(void) rv;
rv = chown(rundir, 0, 0);
(void) rv;
create_empty_dir_as_root(rundir, 0755);
free(rundir);
if (asprintf(&rundir, "%s/run/firejail", rootdir) == -1)
errExit("asprintf");
create_empty_dir_as_root(rundir, 0755);
free(rundir);
// create /run/firejail/mnt directory in chroot and mount a tmpfs
if (asprintf(&rundir, "%s/run/firejail/mnt", rootdir) == -1)
errExit("asprintf");
create_empty_dir_as_root(rundir, 0755);
if (mount("tmpfs", rundir, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
errExit("mounting /run/firejail/mnt");
fs_logger2("tmpfs", RUN_MNT_DIR);
free(rundir);
// retrieve seccomp.protocol
struct stat s;
if (stat(RUN_SECCOMP_PROTOCOL, &s) == 0) {
if (asprintf(&rundir, "%s%s", rootdir, RUN_SECCOMP_PROTOCOL) == -1)
errExit("asprintf");
copy_file(RUN_SECCOMP_PROTOCOL, rundir, getuid(), getgid(), 0644);
free(rundir);
}
// copy /etc/resolv.conf in chroot directory
@ -1219,13 +1092,14 @@ void fs_chroot(const char *rootdir) {
printf("Chrooting into %s\n", rootdir);
if (chroot(rootdir) < 0)
errExit("chroot");
// mount a new tmpfs in /run/firejail/mnt - the old one was lost in chroot
fs_build_remount_mnt_dir();
// create all other /run/firejail files and directories
preproc_build_firejail_dir();
if (checkcfg(CFG_CHROOT_DESKTOP)) {
// update /var directory in order to support multiple sandboxes running on the same root directory
if (!arg_private_dev)
fs_dev_shm();
// if (!arg_private_dev)
// fs_dev_shm();
fs_var_lock();
fs_var_tmp();
fs_var_log();
@ -1245,12 +1119,4 @@ void fs_chroot(const char *rootdir) {
}
#endif
void fs_private_tmp(void) {
// mount tmpfs on top of /run/firejail/mnt
if (arg_debug)
printf("Mounting tmpfs on /tmp directory\n");
if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0)
errExit("mounting /tmp/firejail/mnt");
fs_logger2("tmpfs", "/tmp");
}


@ -192,6 +192,8 @@ static void duplicate(char *fname) {
if (asprintf(&f, "%s/%s", RUN_BIN_DIR, fname) == -1)
errExit("asprintf");
execlp(RUN_CP_COMMAND, RUN_CP_COMMAND, "-a", actual_path, f, NULL);
perror("execlp");
_exit(1);
}
// wait for the child to finish
waitpid(child, NULL, 0);
@ -208,8 +210,7 @@ void fs_private_bin_list(void) {
char *private_list = cfg.bin_private_keep;
assert(private_list);
// create /tmp/firejail/mnt/bin directory
fs_build_mnt_dir();
// create /run/firejail/mnt/bin directory
if (mkdir(RUN_BIN_DIR, 0755) == -1)
errExit("mkdir");
if (chmod(RUN_BIN_DIR, 0755) == -1)
@ -245,7 +246,7 @@ void fs_private_bin_list(void) {
duplicate(ptr);
free(dlist);
fs_logger_print();
exit(0);
_exit(0);
}
// wait for the child to finish
waitpid(child, NULL, 0);
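Review bot: The exec failure that duplicate() now reports with `_exit(1)` never reaches the parent, because `waitpid(child, NULL, 0)` discards the status and fs_private_bin_list carries on as if the copy into RUN_BIN_DIR had succeeded, so a broken RUN_CP_COMMAND yields a private /bin that is silently missing binaries. The `exit`→`_exit` switch itself is right for a forked child (no parent atexit handlers, no second flush of inherited stdio buffers). Suggest reading the status in duplicate() and failing closed: `int status = 0; if (waitpid(child, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) { fprintf(stderr, "Error: cannot copy %s\n", fname); exit(1); }`. The removal of fs_build_mnt_dir() presumably relies on /run/firejail/mnt now being created earlier (preproc_build_firejail_dir in fs.c), which I cannot confirm from this section; both duplicate() and fs_private_bin_list start outside the hunk.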


@ -129,8 +129,6 @@ void fs_private_dev(void){
printf("Mounting tmpfs on /dev\n");
// create DRI_DIR
fs_build_mnt_dir();
// keep a copy of dev directory
if (mkdir(RUN_DEV_DIR, 0755) == -1)
errExit("mkdir");
@ -225,7 +223,7 @@ void fs_private_dev(void){
// mount /dev/pts
gid_t ttygid = get_tty_gid();
gid_t ttygid = get_group_id("tty");
char *data;
if (asprintf(&data, "newinstance,gid=%d,mode=620,ptmxmode=0666", (int) ttygid) == -1)
errExit("asprintf");
@ -244,6 +242,7 @@ void fs_private_dev(void){
}
#if 0
void fs_dev_shm(void) {
uid_t uid = getuid(); // set a new shm only if we started as root
if (uid)
@ -282,6 +281,7 @@ void fs_dev_shm(void) {
}
}
#endif
static void disable_file_or_dir(const char *fname) {
if (arg_debug)
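Review bot: The result of `get_group_id("tty")` goes unchecked into the devpts mount options (`newinstance,gid=%d,mode=620`), so whatever the helper returns when no `tty` group exists — its contract is not visible here — ends up in the mount data: a sentinel like -1 would make the mount fail with EINVAL and errExit, while a fallback of 0 would quietly give the group bit on every pty to root instead of tty. The replaced get_tty_gid() presumably owned that fallback policy; it is now implicit at the call site. Suggest making it explicit, e.g. `gid_t ttygid = get_group_id("tty"); // NOTE(review): confirm what this returns when the group is missing` plus a check before the asprintf. Separately, fs_dev_shm() is kept under `#if 0` while its callers in fs.c are commented out with `//`; either delete it or add a one-line reason for keeping it. fs_private_dev starts and ends outside the hunk.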


@ -106,6 +106,8 @@ static void duplicate(char *fname) {
if (asprintf(&f, "/etc/%s", fname) == -1)
errExit("asprintf");
execlp(RUN_CP_COMMAND, RUN_CP_COMMAND, "-a", "--parents", f, RUN_MNT_DIR, NULL);
perror("execlp");
_exit(1);
}
// wait for the child to finish
waitpid(child, NULL, 0);
@ -128,8 +130,7 @@ void fs_private_etc_list(void) {
exit(1);
}
// create /tmp/firejail/mnt/etc directory
fs_build_mnt_dir();
// create /run/firejail/mnt/etc directory
if (mkdir(RUN_ETC_DIR, 0755) == -1)
errExit("mkdir");
if (chmod(RUN_ETC_DIR, 0755) == -1)
@ -169,7 +170,7 @@ void fs_private_etc_list(void) {
duplicate(ptr);
free(dlist);
fs_logger_print();
exit(0);
_exit(0);
}
// wait for the child to finish
waitpid(child, NULL, 0);
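Review bot: Same shape as the /bin copy: the child now signals a failed `execlp` with `_exit(1)`, but `waitpid(child, NULL, 0)` in duplicate() throws the status away, so a missing or broken RUN_CP_COMMAND leaves `/etc/<name>` absent from the private /etc with no diagnostic and setup continues with a partial tree. A failed copy should stop here: `int status = 0; if (waitpid(child, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) { fprintf(stderr, "Error: cannot copy /etc/%s\n", fname); exit(1); }`. The `asprintf(&f, "/etc/%s", fname)` also assumes fname carries no `/` or `..` component; the `exit(1)` just above the hunk suggests the list is validated earlier, but that code is outside this section. Both duplicate() and fs_private_etc_list start outside the hunk.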


@ -104,8 +104,6 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
static int store_xauthority(void) {
// put a copy of .Xauthority in XAUTHORITY_FILE
fs_build_mnt_dir();
char *src;
char *dest = RUN_XAUTHORITY_FILE;
if (asprintf(&src, "%s/.Xauthority", cfg.homedir) == -1)
@ -130,9 +128,6 @@ static int store_xauthority(void) {
}
static int store_asoundrc(void) {
// put a copy of .Xauthority in XAUTHORITY_FILE
fs_build_mnt_dir();
char *src;
char *dest = RUN_ASOUNDRC_FILE;
if (asprintf(&src, "%s/.asoundrc", cfg.homedir) == -1)
@ -591,8 +586,7 @@ void fs_private_home_list(void) {
exit(1);
}
// create /tmp/firejail/mnt/home directory
fs_build_mnt_dir();
// create /run/firejail/mnt/home directory
int rv = mkdir(RUN_HOME_DIR, 0755);
if (rv == -1)
errExit("mkdir");
@ -641,7 +635,7 @@ void fs_private_home_list(void) {
fs_logger_print(); // save the current log
free(dlist);
exit(0);
_exit(0);
}
// wait for the child to finish
waitpid(child, NULL, 0);
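Review bot: The comment left in store_asoundrc() — `// put a copy of .Xauthority in XAUTHORITY_FILE` — is a copy-paste from store_xauthority() and now describes the wrong file; it should read `// put a copy of .asoundrc in RUN_ASOUNDRC_FILE`. Dropping fs_build_mnt_dir() from both helpers makes them depend on /run/firejail/mnt already existing, and a one-line precondition comment (`// RUN_MNT_DIR must already be mounted by the caller`) would make that ordering visible to the next person who reorders setup. In fs_private_home_list the child's `_exit(0)` is the right call after fork, but the parent's `waitpid(child, NULL, 0)` still ignores whether the copy succeeded. All three functions start outside the hunk.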


@ -27,7 +27,6 @@
void fs_hostname(const char *hostname) {
struct stat s;
fs_build_mnt_dir();
// create a new /etc/hostname
if (stat("/etc/hostname", &s) == 0) {
@ -100,7 +99,6 @@ void fs_resolvconf(void) {
return;
struct stat s;
fs_build_mnt_dir();
// create a new /etc/hostname
if (stat("/etc/resolv.conf", &s) == 0) {
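Review bot: The comment above the stat in fs_resolvconf() says `// create a new /etc/hostname` but the code below it stats and replaces /etc/resolv.conf; it should read `// create a new /etc/resolv.conf`. With fs_build_mnt_dir() removed from both fs_hostname() and fs_resolvconf(), each now silently requires RUN_MNT_DIR to be mounted beforehand, which is worth stating in a header comment on each function (`// precondition: /run/firejail/mnt is already mounted`) since a caller invoked before that step would presumably fail when writing the replacement file. Both functions run past the hunk.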


@ -81,7 +81,7 @@ void fs_mkdir(const char *name) {
// create directory
mkdir_recursive(expanded);
exit(0);
_exit(0);
}
// wait for the child to finish
waitpid(child, NULL, 0);
@ -126,7 +126,7 @@ void fs_mkfile(const char *name) {
(void) rv;
fclose(fp);
}
exit(0);
_exit(0);
}
// wait for the child to finish
waitpid(child, NULL, 0);
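Review bot: The child in both fs_mkdir() and fs_mkfile() ends with an unconditional `_exit(0)`, so the parent's `waitpid(child, NULL, 0)` can never learn that `mkdir_recursive(expanded)` or the fopen/fwrite sequence failed, and a `mkdir`/`mkfile` profile line that did not take effect goes unreported. The `exit`→`_exit` change itself is correct for a forked child (no parent atexit handlers, no double flush of inherited stdio). If mkdir_recursive returns a status — its signature is not visible here — propagate it, e.g. `_exit(mkdir_recursive(expanded) == 0 ? 0 : 1);`, and in fs_mkfile `_exit(fp ? 0 : 1);`, then read the status in the parent. Both functions start outside the hunk.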


@ -44,9 +44,6 @@ void fs_trace_preload(void) {
}
void fs_trace(void) {
// create /tmp/firejail/mnt directory
fs_build_mnt_dir();
// create the new ld.so.preload file and mount-bind it
if (arg_debug)
printf("Create the new ld.so.preload file\n");


@ -317,9 +317,6 @@ void fs_var_utmp(void) {
return;
}
// create /tmp/firejail/mnt directory
fs_build_mnt_dir();
// create a new utmp file
if (arg_debug)
printf("Create the new utmp file\n");


@ -254,7 +254,16 @@ static void whitelist_path(ProfileEntry *entry) {
if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_OPT_DIR, fname) == -1)
errExit("asprintf");
}
else if (entry->srv_dir) {
fname = path + 4; // strlen("/srv")
if (*fname == '\0') {
fprintf(stderr, "Error: file %s is not in /srv directory, exiting...\n", path);
exit(1);
}
if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SRV_DIR, fname) == -1)
errExit("asprintf");
}
// check if the file exists
struct stat s;
if (wfile && stat(wfile, &s) == 0) {
@ -317,7 +326,7 @@ void fs_whitelist(void) {
int var_dir = 0; // /var directory flag
int dev_dir = 0; // /dev directory flag
int opt_dir = 0; // /opt directory flag
int srv_dir = 0; // /srv directory flag
// verify whitelist files, extract symbolic links, etc.
while (entry) {
// handle only whitelist commands
@ -387,7 +396,9 @@ void fs_whitelist(void) {
dev_dir = 1;
else if (strncmp(new_name, "/opt/", 5) == 0)
opt_dir = 1;
else if (strncmp(new_name, "/srv/", 5) == 0)
opt_dir = 1;
continue;
}
@ -481,6 +492,16 @@ void fs_whitelist(void) {
goto errexit;
}
}
else if (strncmp(new_name, "/srv/", 5) == 0) {
entry->srv_dir = 1;
srv_dir = 1;
// both path and absolute path are under /srv
if (strncmp(fname, "/srv/", 5) != 0) {
if (arg_debug)
fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname);
goto errexit;
}
}
else {
if (arg_debug)
fprintf(stderr, "Debug %d: \n", __LINE__);
@ -508,10 +529,6 @@ void fs_whitelist(void) {
entry = entry->next;
}
// create mount points
fs_build_mnt_dir();
// /home/user
if (home_dir) {
// keep a copy of real home dir in RUN_WHITELIST_HOME_USER_DIR
@ -550,29 +567,6 @@ void fs_whitelist(void) {
if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0)
errExit("mounting tmpfs on /tmp");
fs_logger("tmpfs /tmp");
// mount appimage directory if necessary
if (arg_appimage) {
const char *dir = appimage_getdir();
assert(dir);
char *wdir;
if (asprintf(&wdir, "%s/%s", RUN_WHITELIST_TMP_DIR, dir + 4) == -1)
errExit("asprintf");
// create directory
if (mkdir(dir, 0755) < 0)
errExit("mkdir");
if (chown(dir, getuid(), getgid()) < 0)
errExit("chown");
if (chmod(dir, 0755) < 0)
errExit("chmod");
// mount
if (mount(wdir, dir, NULL, MS_BIND|MS_REC, NULL) < 0)
errExit("mount bind");
fs_logger2("whitelist", dir);
free(wdir);
}
}
// /media mountpoint
@ -698,6 +692,36 @@ void fs_whitelist(void) {
fs_logger("tmpfs /opt");
}
// /srv mountpoint
if (srv_dir) {
// check if /srv directory exists
struct stat s;
if (stat("/srv", &s) == 0) {
// keep a copy of real /srv directory in RUN_WHITELIST_SRV_DIR
int rv = mkdir(RUN_WHITELIST_SRV_DIR, 0755);
if (rv == -1)
errExit("mkdir");
if (chown(RUN_WHITELIST_SRV_DIR, 0, 0) < 0)
errExit("chown");
if (chmod(RUN_WHITELIST_SRV_DIR, 0755) < 0)
errExit("chmod");
if (mount("/srv", RUN_WHITELIST_SRV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
errExit("mount bind");
// mount tmpfs on /srv
if (arg_debug || arg_debug_whitelists)
printf("Mounting tmpfs on /srv directory\n");
if (mount("tmpfs", "/srv", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
errExit("mounting tmpfs on /srv");
fs_logger("tmpfs /srv");
}
else
srv_dir = 0;
}
// go through profile rules again, and interpret whitelist commands
entry = cfg.profile;
while (entry) {
@ -789,6 +813,13 @@ void fs_whitelist(void) {
fs_logger2("tmpfs", RUN_WHITELIST_MNT_DIR);
}
// mask the real /srv directory, currently mounted on RUN_WHITELIST_SRV_DIR
if (srv_dir) {
if (mount("tmpfs", RUN_WHITELIST_SRV_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
errExit("mount tmpfs");
fs_logger2("tmpfs", RUN_WHITELIST_SRV_DIR);
}
if (new_name)
free(new_name);
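Review bot: The new `/srv/` case in the first classification pass sets `opt_dir = 1` instead of `srv_dir = 1` (the line following `else if (strncmp(new_name, "/srv/", 5) == 0)` just before the `continue`), a copy-paste from the `/opt/` case above it. An entry that resolves under /srv in whatever situation that early-`continue` branch handles would therefore trigger the /opt tmpfs masking while leaving /srv untouched and skipping the `if (srv_dir)` setup; the fix is `srv_dir = 1;`. The second pass that sets `entry->srv_dir = 1` is right, and its `strncmp(fname, "/srv/", 5)` check properly rejects symlinks escaping /srv, matching the /opt handling. Note also that when /srv does not exist `srv_dir` is reset to 0 but entries already marked `entry->srv_dir` are still handed to whitelist_path(), which will then look under a RUN_WHITELIST_SRV_DIR that was never created — presumably that fails at the stat as it does for /opt, but a comment saying so would help. fs_whitelist starts before and continues past the hunk.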


@ -292,16 +292,16 @@ void join(pid_t pid, int argc, char **argv, int index) {
if (apply_caps == 1) // not available for uid 0
caps_set(caps);
#ifdef HAVE_SECCOMP
// set protocol filter
// read cfg.protocol from file
if (getuid() != 0)
protocol_filter_load(RUN_PROTOCOL_CFG);
if (cfg.protocol) { // not available for uid 0
protocol_filter();
seccomp_load(RUN_SECCOMP_PROTOCOL); // install filter
}
// set seccomp filter
if (apply_seccomp == 1) // not available for uid 0
seccomp_set();
seccomp_load(RUN_SECCOMP_CFG);
#endif
// fix qt 4.8
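Review bot: Both `seccomp_load()` calls read a prebuilt BPF program from RUN_SECCOMP_PROTOCOL / RUN_SECCOMP_CFG and their return values are ignored, so if the file is missing, truncated or unreadable inside the target sandbox the joining process — depending on how seccomp_load reports errors, which is not visible here — may run with no syscall filter while the sandbox it joined has one. A join is exactly where a weaker-than-expected filter matters, so this should fail closed: `if (seccomp_load(RUN_SECCOMP_CFG) != 0) { fprintf(stderr, "Error: cannot load seccomp filter\n"); exit(1); }` and likewise for the protocol filter, adjusted to seccomp_load's actual return convention. The filter files live under the sandbox's /run/firejail/mnt tmpfs (mounted root-owned, mode=755 in fs.c), which is what prevents the sandboxed user from substituting a permissive filter that a later join would trust; a comment next to the loads, `// filter files are trusted only because RUN_MNT_DIR is root-owned and not writable from inside the sandbox`, would keep that assumption from being broken silently. join() starts and ends outside the hunk.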
