github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-21 06:45:29 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 1

Merge branch 'master' into master

Browse source
This commit is contained in:
netblue30 2024-12-18 09:32:01 -05:00 committed by GitHub
commit 43e1833446
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1017 changed files with 10929 additions and 3793 deletions
Download patch file Download diff file Expand all files Collapse all files

9
.github/ISSUE_TEMPLATE/bug_report.md vendored
View file

@ -22,7 +22,7 @@ _Describe the bug_
_Steps to reproduce the behavior_
1. Run in bash `LC_ALL=C firejail PROGRAM` (`LC_ALL=C` to get a consistent
1. Run in bash `LC_ALL=C firejail /path/to/program` (`LC_ALL=C` to get a consistent
output in English that can be understood by everybody)
2. Click on '....'
3. Scroll down to '....'
@ -47,10 +47,11 @@ _Any other detail that may help to understand/debug the problem_
### Environment
- Linux distribution and version (e.g. "Ubuntu 20.04" or "Arch Linux")
- Firejail version (`firejail --version`).
- Name/version/arch of the Linux kernel (`uname -srm`):
- Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"):
- Version of Firejail (`firejail --version`):
- If you use a development version of firejail, also the commit from which it
was compiled (`git rev-parse HEAD`).
was compiled (`git rev-parse HEAD`):
### Checklist

73
.github/ISSUE_TEMPLATE/build_issue.md vendored Normal file
View file

@ -0,0 +1,73 @@
---
name: Build issue
about: There is an issue when trying to build the project from source
title: 'build: '
labels: ''
assignees: ''
---
<!--
See the following links for help with formatting:
https://guides.github.com/features/mastering-markdown/
https://docs.github.com/en/github/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax
-->
### Description
_Describe the bug_
### Steps to Reproduce
<!--
Note: If the output is too long to embed it into the comment, you can post it
in a gist at <https://gist.github.com/> and link it here or upload the build
log as a file.
Note: Make sure to include the exact command-line used for all commands and to
include the full output of ./configure.
Feel free to include only the errors in the make output if they are
self-explanatory (for example, with `make >/dev/null`).
-->
_Post the commands used to reproduce the issue and their output_
Example:
```console
$ ./configure --prefix=/usr --enable-apparmor
checking for gcc... gcc
checking whether the C compiler works... yes
[...]
$ make
make -C src/lib
gcc [...]
[...]
```
_If ./configure fails, include the output of config.log_
Example:
```console
$ cat config.log
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
[...]
```
### Additional context
_(Optional) Any other detail that may help to understand/debug the problem_
### Environment
- Name/version/arch of the Linux kernel (`uname -srm`):
- Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"):
- Name/version of the C compiler (e.g. "gcc 14.1.1-1"):
- Name/version of the libc (e.g. "glibc 2.40-1"):
- Name/version of the Linux API headers (e.g. "linux-api-headers 6.10-1" on
Arch Linux):
- Version of the source code being built (`git rev-parse HEAD`):

8
.github/ISSUE_TEMPLATE/feature_request.md vendored
View file

@ -22,3 +22,11 @@ _A clear and concise description of any alternative solutions or features you've
### Additional context
_Add any other context or screenshots about the feature request here._
### Environment
- Name/version/arch of the Linux kernel (`uname -srm`):
- Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"):
- Version of Firejail (`firejail --version`):
- If you use a development version of firejail, also the commit from which it:
was compiled (`git rev-parse HEAD`):

4
.github/dependabot.yml vendored
View file

@ -3,5 +3,5 @@ updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 2
interval: "monthly"
open-pull-requests-limit: 4

173
.github/workflows/build-extra.yml vendored
View file

@ -1,50 +1,39 @@
name: Build-extra CI
# Builds the project with alternative tools.
name: Build-extra
on:
workflow_dispatch:
push:
paths-ignore:
- '.github/ISSUE_TEMPLATE/*'
- 'contrib/syntax/**'
- 'contrib/vim/**'
- 'etc/**'
- 'src/man/*.txt'
- .git-blame-ignore-revs
- .github/dependabot.yml
- .github/pull_request_template.md
- .github/workflows/build.yml
- .github/workflows/codeql-analysis.yml
- .github/workflows/profile-checks.yml
- .gitignore
- .gitlab-ci.yml
- CONTRIBUTING.md
- COPYING
- README
- README.md
- RELNOTES
- SECURITY.md
- src/firecfg/firecfg.config
branches-ignore:
- 'dependabot/**'
paths:
- 'm4/**'
- 'src/**.c'
- 'src/**.h'
- 'src/**.mk'
- 'src/**Makefile'
- .github/workflows/build-extra.yml
- Makefile
- ci/printenv.sh
- config.mk.in
- config.sh.in
- configure
- configure.ac
pull_request:
paths-ignore:
- '.github/ISSUE_TEMPLATE/*'
- 'contrib/syntax/**'
- 'contrib/vim/**'
- 'etc/**'
- 'src/man/*.txt'
- .git-blame-ignore-revs
- .github/dependabot.yml
- .github/pull_request_template.md
- .github/workflows/build.yml
- .github/workflows/codeql-analysis.yml
- .github/workflows/profile-checks.yml
- .gitignore
- .gitlab-ci.yml
- CONTRIBUTING.md
- COPYING
- README
- README.md
- RELNOTES
- SECURITY.md
- src/firecfg/firecfg.config
paths:
- 'm4/**'
- 'src/**.c'
- 'src/**.h'
- 'src/**.mk'
- 'src/**Makefile'
- .github/workflows/build-extra.yml
- Makefile
- ci/printenv.sh
- config.mk.in
- config.sh.in
- configure
- configure.ac
permissions: # added using https://github.com/step-security/secure-workflows
contents: read
@ -52,15 +41,18 @@ permissions: # added using https://github.com/step-security/secure-workflows
jobs:
build-clang:
runs-on: ubuntu-22.04
timeout-minutes: 10
steps:
- name: Harden Runner
uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f
with:
egress-policy: block
allowed-endpoints: >
azure.archive.ubuntu.com:80
github.com:443
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
packages.microsoft.com:443
ppa.launchpadcontent.net:443
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: update package information
run: sudo apt-get update -qy
- name: install dependencies
@ -71,96 +63,13 @@ jobs:
run: ./ci/printenv.sh
- name: configure
run: >
CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor
--enable-selinux
./configure CC=clang-14
--prefix=/usr --enable-fatal-warnings
--enable-apparmor --enable-selinux
|| (cat config.log; exit 1)
- name: make
run: make
- name: make install
run: sudo make install
- name: print version
run: command -V firejail && firejail --version
scan-build:
runs-on: ubuntu-22.04
steps:
- name: Harden Runner
uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845
with:
egress-policy: block
allowed-endpoints: >
azure.archive.ubuntu.com:80
github.com:443
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
- name: update package information
run: sudo apt-get update -qy
- name: install clang-tools-14 and dependencies
run: >
sudo apt-get install -qy
clang-tools-14 libapparmor-dev libselinux1-dev
- name: print env
run: ./ci/printenv.sh
- name: configure
run: >
CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor
--enable-selinux
|| (cat config.log; exit 1)
- name: scan-build
run: scan-build-14 --status-bugs make
cppcheck:
runs-on: ubuntu-22.04
steps:
- name: Harden Runner
uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845
with:
egress-policy: block
allowed-endpoints: >
azure.archive.ubuntu.com:80
github.com:443
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
- name: update package information
run: sudo apt-get update -qy
- name: install cppcheck
run: sudo apt-get install -qy cppcheck
- run: cppcheck --version
- name: cppcheck
run: >
cppcheck -q --force --error-exitcode=1 --enable=warning,performance
-i src/firejail/checkcfg.c -i src/firejail/main.c .
# new cppcheck version currently chokes on checkcfg.c and main.c, therefore
# scan all files also with older cppcheck version from ubuntu 20.04.
cppcheck_old:
runs-on: ubuntu-20.04
steps:
- name: Harden Runner
uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845
with:
egress-policy: block
allowed-endpoints: >
azure.archive.ubuntu.com:80
github.com:443
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
- name: update package information
run: sudo apt-get update -qy
- name: install cppcheck
run: sudo apt-get install -qy cppcheck
- run: cppcheck --version
- name: cppcheck
run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .
codespell:
runs-on: ubuntu-22.04
steps:
- name: Harden Runner
uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845
with:
egress-policy: block
allowed-endpoints: >
azure.archive.ubuntu.com:80
github.com:443
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
- name: update package information
run: sudo apt-get update -qy
- name: install dependencies
run: sudo apt-get install -qy codespell
- run: codespell --version
- name: codespell
run: make codespell
run: make print-version

113
.github/workflows/build.yml vendored
View file

@ -1,100 +1,91 @@
name: Build CI
# Checks that `make dist` works and builds the project with the default
# configuration.
name: Build
# Note: Keep this list in sync with DISTFILES in ../../Makefile.
on:
workflow_dispatch:
push:
paths-ignore:
- '.github/ISSUE_TEMPLATE/*'
- .git-blame-ignore-revs
- .github/dependabot.yml
- .github/pull_request_template.md
- .github/workflows/build-extra.yml
- .github/workflows/codeql-analysis.yml
- .github/workflows/profile-checks.yml
- .gitignore
- .gitlab-ci.yml
- CONTRIBUTING.md
branches-ignore:
- 'dependabot/**'
paths:
- 'contrib/**'
- 'etc/**'
- 'm4/**'
- 'platform/**'
- 'src/**'
- 'test/**'
- .github/workflows/build.yml
- COPYING
- Makefile
- README
- README.md
- RELNOTES
- SECURITY.md
- ci/printenv.sh
- config.mk.in
- config.sh.in
- configure
- configure.ac
- install.sh
- mkdeb.sh
- mketc.sh
pull_request:
paths-ignore:
- '.github/ISSUE_TEMPLATE/*'
- .git-blame-ignore-revs
- .github/dependabot.yml
- .github/pull_request_template.md
- .github/workflows/build-extra.yml
- .github/workflows/codeql-analysis.yml
- .github/workflows/profile-checks.yml
- .gitignore
- .gitlab-ci.yml
- CONTRIBUTING.md
paths:
- 'contrib/**'
- 'etc/**'
- 'm4/**'
- 'platform/**'
- 'src/**'
- 'test/**'
- .github/workflows/build.yml
- COPYING
- Makefile
- README
- README.md
- RELNOTES
- SECURITY.md
- ci/printenv.sh
- config.mk.in
- config.sh.in
- configure
- configure.ac
- install.sh
- mkdeb.sh
- mketc.sh
permissions: # added using https://github.com/step-security/secure-workflows
contents: read
jobs:
build_and_test:
build:
runs-on: ubuntu-22.04
env:
SHELL: /bin/bash
timeout-minutes: 10
steps:
- name: Harden Runner
uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f
with:
egress-policy: block
allowed-endpoints: >
1.1.1.1:1025
azure.archive.ubuntu.com:80
debian.org:80
dns.quad9.net:53
github.com:443
packages.microsoft.com:443
ppa.launchpadcontent.net:443
whois.pir.org:43
www.debian.org:443
www.debian.org:80
yahoo.com:1025
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: update package information
run: sudo apt-get update -qy
- name: install dependencies
run: >
sudo apt-get install -qy
gcc-12 libapparmor-dev libselinux1-dev expect xzdec whois
bridge-utils
gcc-12 libapparmor-dev libselinux1-dev
- name: print env
run: ./ci/printenv.sh
- name: configure
run: >
CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings
--enable-analyzer --enable-apparmor --enable-selinux
./configure CC=gcc-12
--prefix=/usr --enable-fatal-warnings --enable-analyzer
--enable-apparmor --enable-selinux
|| (cat config.log; exit 1)
- name: make
run: make
- name: make install
run: sudo make install
- name: print firejail version
run: command -V firejail && firejail --version
- run: make lab-setup
- run: make test-seccomp-extra
- run: make test-firecfg
- run: make test-capabilities
- run: make test-apparmor
- run: make test-appimage
- run: make test-chroot
- run: make test-sysutils
- run: make test-private-etc
- run: make test-profiles
- run: make test-fcopy
- run: make test-fnetfilter
- run: make test-fs
- run: make test-utils
- run: make test-environment
- run: make test-network
- name: print version
run: make print-version

175
.github/workflows/check-c.yml vendored Normal file
View file

@ -0,0 +1,175 @@
# Checks for potential issues in the source code.
name: Check-C
on:
workflow_dispatch:
push:
branches-ignore:
- 'dependabot/**'
paths:
- '**.c'
- '**.h'
- 'm4/**'
- 'src/**.mk'
- 'src/**Makefile'
- .github/workflows/check-c.yml
- Makefile
- ci/printenv.sh
- config.mk.in
- config.sh.in
- configure
- configure.ac
pull_request:
paths:
- '**.c'
- '**.h'
- 'm4/**'
- 'src/**.mk'
- 'src/**Makefile'
- .github/workflows/check-c.yml
- Makefile
- ci/printenv.sh
- config.mk.in
- config.sh.in
- configure
- configure.ac
schedule:
- cron: '0 7 * * 2'
permissions: # added using https://github.com/step-security/secure-workflows
contents: read
jobs:
scan-build:
runs-on: ubuntu-22.04
timeout-minutes: 10
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f
with:
egress-policy: block
allowed-endpoints: >
archive.ubuntu.com:80
azure.archive.ubuntu.com:80
github.com:443
packages.microsoft.com:443
ppa.launchpadcontent.net:443
security.ubuntu.com:80
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: update package information
run: sudo apt-get update -qy
- name: install clang-tools-14 and dependencies
run: >
sudo apt-get install -qy
clang-tools-14 libapparmor-dev libselinux1-dev
- name: print env
run: ./ci/printenv.sh
- name: configure
run: >
./configure CC=clang-14 SCAN_BUILD=scan-build-14
--prefix=/usr --enable-fatal-warnings
--enable-apparmor --enable-selinux
|| (cat config.log; exit 1)
- name: scan-build
run: make scan-build
cppcheck:
runs-on: ubuntu-22.04
timeout-minutes: 10
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f
with:
egress-policy: block
allowed-endpoints: >
archive.ubuntu.com:80
azure.archive.ubuntu.com:80
github.com:443
packages.microsoft.com:443
ppa.launchpadcontent.net:443
security.ubuntu.com:80
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: update package information
run: sudo apt-get update -qy
- name: install cppcheck
run: sudo apt-get install -qy cppcheck
- name: configure
run: >
./configure CPPCHECK='cppcheck -q'
|| (cat config.log; exit 1)
- run: cppcheck --version
- name: cppcheck
run: make cppcheck
# new cppcheck version currently chokes on checkcfg.c and main.c, therefore
# scan all files also with older cppcheck version from ubuntu 20.04.
cppcheck_old:
runs-on: ubuntu-20.04
timeout-minutes: 10
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f
with:
egress-policy: block
allowed-endpoints: >
archive.ubuntu.com:80
azure.archive.ubuntu.com:80
github.com:443
packages.microsoft.com:443
ppa.launchpad.net:80
ppa.launchpadcontent.net:443
security.ubuntu.com:80
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: update package information
run: sudo apt-get update -qy
- name: install cppcheck
run: sudo apt-get install -qy cppcheck
- name: configure
run: >
./configure CPPCHECK='cppcheck -q'
|| (cat config.log; exit 1)
- run: cppcheck --version
- name: cppcheck-old
run: make cppcheck-old
codeql-cpp:
permissions:
actions: read
contents: read
security-events: write
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
uploads.github.com:443
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: print env
run: ./ci/printenv.sh
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@f09c1c0a94de965c15400f5634aa42fac8fb8f88
with:
languages: cpp
- name: configure
run: ./configure
- name: make
run: make -j "$(nproc)"
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@f09c1c0a94de965c15400f5634aa42fac8fb8f88

27
.github/workflows/profile-checks.yml → .github/workflows/check-profiles.yml vendored
View file

@ -1,18 +1,25 @@
name: Profile Checks
# Lints and checks for potential issues in the profiles.
name: Check-Profiles
on:
workflow_dispatch:
push:
branches-ignore:
- 'dependabot/**'
paths:
- 'ci/check/profiles/**'
- 'etc/**'
- .github/workflows/profile-checks.yml
- .github/workflows/check-profiles.yml
- ci/printenv.sh
- contrib/sort.py
- src/firecfg/firecfg.config
pull_request:
paths:
- 'ci/check/profiles/**'
- 'etc/**'
- .github/workflows/profile-checks.yml
- .github/workflows/check-profiles.yml
- ci/printenv.sh
- contrib/sort.py
- src/firecfg/firecfg.config
@ -22,24 +29,26 @@ permissions: # added using https://github.com/step-security/secure-workflows
jobs:
profile-checks:
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- name: Harden Runner
uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
github.com:443
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: print env
run: ./ci/printenv.sh
- run: python3 --version
# - name: sort.py
# run: >
# ./ci/check/profiles/sort.py
# etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
- name: sort.py
run: >
./ci/check/profiles/sort.py
etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
# Currently broken (see #5610)
# - name: private-etc-always-required.sh
# run: >

59
.github/workflows/check-python.yml vendored Normal file
View file

@ -0,0 +1,59 @@
# Lints and checks for potential issues in Python files.
name: Check-Python
on:
workflow_dispatch:
push:
branches-ignore:
- 'dependabot/**'
paths:
- '**.py'
- .github/workflows/check-python.yml
pull_request:
paths:
- '**.py'
- .github/workflows/check-python.yml
schedule:
- cron: '0 7 * * 2'
permissions: # added using https://github.com/step-security/secure-workflows
contents: read
jobs:
codeql-python:
permissions:
actions: read
contents: read
security-events: write
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
files.pythonhosted.org:443
github.com:443
objects.githubusercontent.com:443
pypi.org:443
uploads.github.com:443
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: print env
run: ./ci/printenv.sh
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@f09c1c0a94de965c15400f5634aa42fac8fb8f88
with:
languages: python
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@f09c1c0a94de965c15400f5634aa42fac8fb8f88

121
.github/workflows/codeql-analysis.yml vendored
View file

@ -1,121 +0,0 @@
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
name: "CodeQL"
on:
push:
paths-ignore:
- '.github/ISSUE_TEMPLATE/*'
- 'contrib/syntax/**'
- 'contrib/vim/**'
- 'etc/**'
- 'src/man/*.txt'
- .git-blame-ignore-revs
- .github/dependabot.yml
- .github/pull_request_template.md
- .github/workflows/build-extra.yml
- .github/workflows/build.yml
- .github/workflows/profile-checks.yml
- .gitignore
- .gitlab-ci.yml
- CONTRIBUTING.md
- COPYING
- README
- README.md
- RELNOTES
- SECURITY.md
- src/firecfg/firecfg.config
pull_request:
paths-ignore:
- '.github/ISSUE_TEMPLATE/*'
- 'contrib/syntax/**'
- 'contrib/vim/**'
- 'etc/**'
- 'src/man/*.txt'
- .git-blame-ignore-revs
- .github/dependabot.yml
- .github/pull_request_template.md
- .github/workflows/build-extra.yml
- .github/workflows/build.yml
- .github/workflows/profile-checks.yml
- .gitignore
- .gitlab-ci.yml
- CONTRIBUTING.md
- COPYING
- README
- README.md
- RELNOTES
- SECURITY.md
- src/firecfg/firecfg.config
schedule:
- cron: '0 7 * * 2'
permissions: # added using https://github.com/step-security/secure-workflows
contents: read
jobs:
analyze:
permissions:
actions: read # for github/codeql-action/init to get workflow details
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/autobuild to send a status report
name: Analyze
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
language: [ 'cpp', 'python' ]
# CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
# Learn more:
# https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
steps:
- name: Harden Runner
uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
uploads.github.com:443
- name: Checkout repository
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
- name: print env
run: ./ci/printenv.sh
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@489225d82a57396c6f426a40e66d461b16b3461d
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# queries: ./path/to/local/query, your-org/your-repo/queries@main
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@489225d82a57396c6f426a40e66d461b16b3461d
# Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
# ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
# and modify them (or add more) to build your code if your project
# uses a compiled language
#- run: |
# make bootstrap
# make release
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@489225d82a57396c6f426a40e66d461b16b3461d

48
.github/workflows/codespell.yml vendored Normal file
View file

@ -0,0 +1,48 @@
# Checks the spelling on all non-third-party files.
name: Codespell
on:
workflow_dispatch:
push:
branches-ignore:
- 'dependabot/**'
paths-ignore:
- 'm4/**'
- COPYING
pull_request:
paths-ignore:
- 'm4/**'
- COPYING
permissions: # added using https://github.com/step-security/secure-workflows
contents: read
jobs:
codespell:
runs-on: ubuntu-22.04
timeout-minutes: 5
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f
with:
egress-policy: block
allowed-endpoints: >
archive.ubuntu.com:80
azure.archive.ubuntu.com:80
github.com:443
packages.microsoft.com:443
ppa.launchpadcontent.net:443
security.ubuntu.com:80
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: update package information
run: sudo apt-get update -qy
- name: install dependencies
run: sudo apt-get install -qy codespell
- name: print env
run: ./ci/printenv.sh
- name: configure
run: ./configure || (cat config.log; exit 1)
- run: codespell --version
- name: codespell
run: make codespell

268
.github/workflows/test.yml vendored Normal file
View file

@ -0,0 +1,268 @@
# Checks that the tests are passing.
name: Test
on:
workflow_dispatch:
push:
branches-ignore:
- 'dependabot/**'
paths:
- 'm4/**'
- 'src/**.c'
- 'src/**.h'
- 'src/**.mk'
- 'src/**Makefile'
- 'test/**'
- .github/workflows/test.yml
- Makefile
- config.mk.in
- config.sh.in
- configure
- configure.ac
- etc/profile-a-l/default.profile
- src/firecfg/firecfg.config
pull_request:
paths:
- 'm4/**'
- 'src/**.c'
- 'src/**.h'
- 'src/**.mk'
- 'src/**Makefile'
- 'test/**'
- .github/workflows/test.yml
- Makefile
- config.mk.in
- config.sh.in
- configure
- configure.ac
- etc/profile-a-l/default.profile
- src/firecfg/firecfg.config
permissions: # added using https://github.com/step-security/secure-workflows
contents: read
#
# Faster tests
#
jobs:
test-main:
runs-on: ubuntu-22.04
timeout-minutes: 10
env:
SHELL: /bin/bash
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f
with:
egress-policy: block
allowed-endpoints: >
azure.archive.ubuntu.com:80
github.com:443
packages.microsoft.com:443
ppa.launchpadcontent.net:443
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: update package information
run: sudo apt-get update -qy
- name: install dependencies
run: >
sudo apt-get install -qy
gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils
- name: print env
run: ./ci/printenv.sh
- name: configure
run: >
./configure CC=gcc-12
--prefix=/usr --enable-fatal-warnings --enable-analyzer
--enable-apparmor --enable-selinux
|| (cat config.log; exit 1)
- name: make
run: make -j "$(nproc)"
- name: make install
run: sudo make install
- name: print version
run: make print-version
- run: make lab-setup
- run: make test-seccomp-extra
- run: make test-firecfg
- run: make test-capabilities
- run: make test-apparmor
- run: make test-appimage
- run: make test-chroot
- run: make test-fcopy
#
# Slower tests
#
test-fs:
runs-on: ubuntu-22.04
timeout-minutes: 10
env:
SHELL: /bin/bash
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f
with:
egress-policy: block
allowed-endpoints: >
azure.archive.ubuntu.com:80
github.com:443
packages.microsoft.com:443
ppa.launchpadcontent.net:443
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: update package information
run: sudo apt-get update -qy
- name: install dependencies
run: >
sudo apt-get install -qy
gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils
- name: print env
run: ./ci/printenv.sh
- name: configure
run: >
./configure CC=gcc-12
--prefix=/usr --enable-fatal-warnings --enable-analyzer
--enable-apparmor --enable-selinux
|| (cat config.log; exit 1)
- name: make
run: make -j "$(nproc)"
- name: make install
run: sudo make install
- name: print version
run: make print-version
- run: make lab-setup
- run: make test-private-etc
- run: make test-fs
test-environment:
runs-on: ubuntu-22.04
timeout-minutes: 10
env:
SHELL: /bin/bash
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f
with:
egress-policy: block
allowed-endpoints: >
azure.archive.ubuntu.com:80
github.com:443
packages.microsoft.com:443
ppa.launchpadcontent.net:443
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: update package information
run: sudo apt-get update -qy
- name: install dependencies
run: >
sudo apt-get install -qy
gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils
- name: print env
run: ./ci/printenv.sh
- name: configure
run: >
./configure CC=gcc-12
--prefix=/usr --enable-fatal-warnings --enable-analyzer
--enable-apparmor --enable-selinux
|| (cat config.log; exit 1)
- name: make
run: make -j "$(nproc)"
- name: make install
run: sudo make install
- name: print version
run: make print-version
- run: make lab-setup
- run: make test-environment
- run: make test-profiles
test-utils:
runs-on: ubuntu-22.04
timeout-minutes: 10
env:
SHELL: /bin/bash
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f
with:
egress-policy: block
allowed-endpoints: >
azure.archive.ubuntu.com:80
debian.org:80
github.com:443
packages.microsoft.com:443
ppa.launchpadcontent.net:443
www.debian.org:443
www.debian.org:80
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: update package information
run: sudo apt-get update -qy
- name: install dependencies
run: >
sudo apt-get install -qy
gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils
- name: print env
run: ./ci/printenv.sh
- name: configure
run: >
./configure CC=gcc-12
--prefix=/usr --enable-fatal-warnings --enable-analyzer
--enable-apparmor --enable-selinux
|| (cat config.log; exit 1)
- name: make
run: make -j "$(nproc)"
- name: make install
run: sudo make install
- name: print version
run: make print-version
- run: make lab-setup
- run: make test-utils
test-network:
runs-on: ubuntu-22.04
timeout-minutes: 10
env:
SHELL: /bin/bash
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f
with:
egress-policy: block
allowed-endpoints: >
1.1.1.1:1025
azure.archive.ubuntu.com:80
debian.org:80
dns.quad9.net:53
github.com:443
packages.microsoft.com:443
ppa.launchpadcontent.net:443
whois.pir.org:43
www.debian.org:443
www.debian.org:80
yahoo.com:1025
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: update package information
run: sudo apt-get update -qy
- name: install dependencies
run: >
sudo apt-get install -qy
gcc-12 libapparmor-dev libselinux1-dev expect xzdec whois
bridge-utils
- name: print env
run: ./ci/printenv.sh
- name: configure
run: >
./configure CC=gcc-12
--prefix=/usr --enable-fatal-warnings --enable-analyzer
--enable-apparmor --enable-selinux
|| (cat config.log; exit 1)
- name: make
run: make -j "$(nproc)"
- name: make install
run: sudo make install
- name: print version
run: make print-version
- run: make lab-setup
- run: make test-fnetfilter
- run: make test-sysutils
- run: make test-network

4
.gitignore vendored
View file

@ -1,9 +1,11 @@
*.d
*.o
*.so
*~
*.swp
*.deb
*.rpm
*.tar.xz
*.gcda
*.gcno
*.gz
@ -19,7 +21,6 @@ config.status
contrib/syntax/files/example
contrib/syntax/files/firejail-profile.lang
contrib/syntax/files/firejail.vim
firejail-*.tar.xz
src/fnettrace-dns/fnettrace-dns
src/fnettrace-sni/fnettrace-sni
src/fnettrace-icmp/fnettrace-icmp
@ -44,6 +45,7 @@ src/bash_completion/firejail.bash_completion
src/zsh_completion/_firejail
src/jailcheck/jailcheck
src/fnettrace/fnettrace
src/fnetlock/fnetlock
src/fzenity/fzenity
uids.h
seccomp

133
.gitlab-ci.yml
View file

@ -1,13 +1,17 @@
# Basic notes: builds firejail on 5 different systems for 2 package systems:
# 1. Debian-based systems. Use debian:jessie to ensure reasonable backwards
# compat and ubuntu:rolling for new setups
# 2. Redhat-based systems. Use centos:latest for reasonable backwards compat
# and fedora:latest for new setups
# 3. Alpine for installing directly from source
# Also builds apparmor package for Ubuntu LTS
# Builds on multiple systems using different package managers:
#
# - Debian-based systems: Use oldest working/supported debian image for
# reasonable backwards compatibility and ubuntu:rolling for new setups.
# Additionally, ensure that the package works without apparmor.
#
# - Redhat-based systems: Use a centos-like distribution for reasonable
# backwards compatibility and fedora:latest for new setups.
#
# - Alpine: Use it for installing directly from source.
build_ubuntu_package:
image: ubuntu:rolling
timeout: 10 minutes
variables:
DEBIAN_FRONTEND: noninteractive
script:
@ -18,12 +22,14 @@ build_ubuntu_package:
| grep -Ev '^(Selecting|Preparing to unpack|Unpacking)'
- ./ci/printenv.sh
- ./configure || (cat config.log; exit 1)
- make deb
- dpkg -i firejail*.deb
- command -V firejail && firejail --version
- make dist
- ./mkdeb.sh --enable-fatal-warnings
- dpkg -i ./*.deb
- make print-version
build_debian_package:
image: debian:buster
timeout: 10 minutes
variables:
DEBIAN_FRONTEND: noninteractive
script:
@ -34,46 +40,14 @@ build_debian_package:
| grep -Ev '^(Selecting|Preparing to unpack|Unpacking)'
- ./ci/printenv.sh
- ./configure || (cat config.log; exit 1)
- make deb
- dpkg -i firejail*.deb
- command -V firejail && firejail --version
build_redhat_package:
image: almalinux:latest
script:
- dnf update -y
- dnf install -y rpm-build gcc make
- ./ci/printenv.sh
- ./configure --prefix=/usr || (cat config.log; exit 1)
- make rpms
- rpm -i firejail*.rpm
- command -V firejail && firejail --version
build_fedora_package:
image: fedora:latest
script:
- dnf update -y
- dnf install -y rpm-build gcc make
- ./ci/printenv.sh
- ./configure --prefix=/usr || (cat config.log; exit 1)
- make rpms
- rpm -i firejail*.rpm
- command -V firejail && firejail --version
build_src_package:
image: alpine:latest
script:
- apk update
- apk upgrade
- apk add build-base linux-headers gawk
- ./ci/printenv.sh
- ./configure --prefix=/usr || (cat config.log; exit 1)
- make
- make install-strip
- command -V firejail && firejail --version
- make dist
- ./mkdeb.sh --enable-fatal-warnings
- dpkg -i ./*.deb
- make print-version
build_no_apparmor:
image: ubuntu:latest
timeout: 10 minutes
variables:
DEBIAN_FRONTEND: noninteractive
script:
@ -85,17 +59,64 @@ build_no_apparmor:
- ./ci/printenv.sh
- ./configure || (cat config.log; exit 1)
- make dist
- ./mkdeb.sh --disable-apparmor
- dpkg -i firejail*.deb
- command -V firejail && firejail --version
- firejail --version | grep -F 'AppArmor support is disabled'
- >
./mkdeb.sh --enable-fatal-warnings
--disable-apparmor
- dpkg -i ./*.deb
- make print-version
- make print-version | grep -F 'AppArmor support is disabled'
build_redhat_package:
image: almalinux:latest
timeout: 10 minutes
script:
- dnf update -y
- dnf install -y rpm-build gcc make
- ./ci/printenv.sh
- ./configure || (cat config.log; exit 1)
- make dist
- ./platform/rpm/mkrpm.sh --enable-fatal-warnings
- rpm -i ./*.rpm
- make print-version
build_fedora_package:
image: fedora:latest
timeout: 10 minutes
script:
- dnf update -y
- dnf install -y rpm-build gcc make
- ./ci/printenv.sh
- ./configure || (cat config.log; exit 1)
- make dist
- ./platform/rpm/mkrpm.sh --enable-fatal-warnings
- rpm -i ./*.rpm
- make print-version
build_src_package:
image: alpine:latest
timeout: 10 minutes
script:
- apk update
- apk upgrade
- apk add build-base linux-headers gawk
- ./ci/printenv.sh
# Note: Do not use ` --enable-fatal-warnings` because the build
# currently produces warnings on Alpine (see #6224).
- >
./configure --prefix=/usr
|| (cat config.log; exit 1)
- make
- make install-strip
- make print-version
debian_ci:
image: registry.salsa.debian.org/salsa-ci-team/ci-image-git-buildpackage:latest
timeout: 10 minutes
variables:
DEBFULLNAME: "$GITLAB_USER_NAME"
DEBEMAIL: "$GITLAB_USER_EMAIL"
DEBIAN_FRONTEND: noninteractive
PKGNAME: firejail
before_script:
- git checkout -B ci_build "$CI_COMMIT_SHA"
- gitlab-ci-enable-sid
@ -110,17 +131,17 @@ debian_ci:
- git config user.email "$DEBEMAIL"
- |
cd "$CI_PROJECT_DIR/.."
apt-get source --download-only -t experimental firejail ||
apt-get source --download-only firejail
apt-get source --download-only -t experimental "$PKGNAME" ||
apt-get source --download-only "$PKGNAME"
- |
cd "$CI_PROJECT_DIR"
tar xf ../firejail_*.debian.tar.*
tar xf "../${PKGNAME}"_*.debian.tar.*
- rm -rf debian/patches/
- |
VERSION="$(grep ^PACKAGE_VERSION= configure | cut -d "'" -f 2)"
dch -v "${VERSION}-0.1~ci" 'Non-maintainer upload.'
git archive -o "../firejail_${VERSION}.orig.tar.gz" HEAD
pristine-tar commit "../firejail_${VERSION}.orig.tar.gz" ci_build
git archive -o "../${PKGNAME}_${VERSION}.orig.tar.gz" HEAD
pristine-tar commit "../${PKGNAME}_${VERSION}.orig.tar.gz" ci_build
git branch -m pristine-tar origin/pristine-tar
- git add debian
- git commit -m 'add debian/'

352
Makefile
View file

@ -2,6 +2,20 @@
ROOT = .
-include config.mk
# Default programs (in configure.ac).
CC ?= cc
CODESPELL ?= codespell
CPPCHECK ?= cppcheck
GAWK ?= gawk
GZIP ?= gzip
SCAN_BUILD ?= scan-build
STRIP ?= strip
TAR ?= tar
# Default programs (not in configure.ac).
INSTALL ?= install
RM ?= rm -f
ifneq ($(HAVE_MAN),no)
MAN_TARGET = man
endif
@ -17,7 +31,7 @@ SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee src/fids/fids
SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter src/fzenity/fzenity
SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp
SBOX_APPS_NON_DUMPABLE += src/fnettrace/fnettrace src/fnettrace-dns/fnettrace-dns src/fnettrace-sni/fnettrace-sni
SBOX_APPS_NON_DUMPABLE += src/fnettrace-icmp/fnettrace-icmp
SBOX_APPS_NON_DUMPABLE += src/fnettrace-icmp/fnettrace-icmp src/fnetlock/fnetlock
MYDIRS = src/lib $(COMPLETIONDIRS)
MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
@ -62,33 +76,37 @@ mydirs: $(MYDIRS)
$(MYDIRS):
$(MAKE) -C $@
.PHONY: strip
strip: all
$(STRIP) $(ALL_ITEMS)
.PHONY: filters
filters: $(SECCOMP_FILTERS)
seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize Makefile
src/fseccomp/fseccomp default seccomp
src/fsec-optimize/fsec-optimize seccomp
seccomp.debug: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
seccomp.debug: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize Makefile
src/fseccomp/fseccomp default seccomp.debug allow-debuggers
src/fsec-optimize/fsec-optimize seccomp.debug
seccomp.32: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
seccomp.32: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize Makefile
src/fseccomp/fseccomp secondary 32 seccomp.32
src/fsec-optimize/fsec-optimize seccomp.32
seccomp.block_secondary: src/fseccomp/fseccomp
seccomp.block_secondary: src/fseccomp/fseccomp Makefile
src/fseccomp/fseccomp secondary block seccomp.block_secondary
seccomp.mdwx: src/fseccomp/fseccomp
seccomp.mdwx: src/fseccomp/fseccomp Makefile
src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx
seccomp.mdwx.32: src/fseccomp/fseccomp
seccomp.mdwx.32: src/fseccomp/fseccomp Makefile
src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32
seccomp.namespaces: src/fseccomp/fseccomp
seccomp.namespaces: src/fseccomp/fseccomp Makefile
src/fseccomp/fseccomp restrict-namespaces seccomp.namespaces cgroup,ipc,net,mnt,pid,time,user,uts
seccomp.namespaces.32: src/fseccomp/fseccomp
seccomp.namespaces.32: src/fseccomp/fseccomp Makefile
src/fseccomp/fseccomp restrict-namespaces seccomp.namespaces.32 cgroup,ipc,net,mnt,pid,time,user,uts
.PHONY: man
@ -103,58 +121,65 @@ contrib: syntax
syntax: $(SYNTAX_FILES)
# TODO: include/rlimit are false positives
contrib/syntax/lists/profile_commands_arg0.list: src/firejail/profile.c
contrib/syntax/lists/profile_commands_arg0.list: src/firejail/profile.c Makefile
@printf 'Generating %s from %s\n' $@ $<
@sed -En 's/.*strn?cmp\(ptr, "([^ "]*[^ ])".*/\1/p' $< | \
grep -Ev '^(include|rlimit)$$' | sed 's/\./\\./' | LC_ALL=C sort -u >$@
grep -Ev '^(include|rlimit)$$' | LC_ALL=C sort -u >$@
# TODO: private-lib is special-cased in the code and doesn't match the regex
contrib/syntax/lists/profile_commands_arg1.list: src/firejail/profile.c
@{ sed -En 's/.*strn?cmp\(ptr, "([^"]+) ".*/\1/p' $<; echo private-lib; } | \
LC_ALL=C sort -u >$@
contrib/syntax/lists/profile_commands_arg1.list: src/firejail/profile.c Makefile
@printf 'Generating %s from %s\n' $@ $<
@{ sed -En 's/.*strn?cmp\(ptr, "([^"]+) .*/\1/p' $<; \
echo private-lib; } | LC_ALL=C sort -u >$@
contrib/syntax/lists/profile_conditionals.list: src/firejail/profile.c
contrib/syntax/lists/profile_conditionals.list: src/firejail/profile.c Makefile
@printf 'Generating %s from %s\n' $@ $<
@awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$$/ {process=1;} \
/\t*\{"[^"]+".*/ \
{ if (process) {print gensub(/^\t*\{"([^"]+)".*$$/, "\\1", 1);} } \
/^\t\{ NULL, NULL \}$$/ {process=0;}' \
$< | LC_ALL=C sort -u >$@
contrib/syntax/lists/profile_macros.list: src/firejail/macros.c
contrib/syntax/lists/profile_macros.list: src/firejail/macros.c Makefile
@printf 'Generating %s from %s\n' $@ $<
@sed -En 's/.*\$$\{([^}]+)\}.*/\1/p' $< | LC_ALL=C sort -u >$@
contrib/syntax/lists/syscall_groups.list: src/lib/syscall.c
contrib/syntax/lists/syscall_groups.list: src/lib/syscall.c Makefile
@printf 'Generating %s from %s\n' $@ $<
@sed -En 's/.*"@([^",]+).*/\1/p' $< | LC_ALL=C sort -u >$@
contrib/syntax/lists/syscalls.list: $(SYSCALL_HEADERS)
contrib/syntax/lists/syscalls.list: $(SYSCALL_HEADERS) Makefile
@printf 'Generating %s\n' $@
@sed -n 's/{\s\+"\([^"]\+\)",.*},/\1/p' $(SYSCALL_HEADERS) | \
LC_ALL=C sort -u >$@
contrib/syntax/lists/system_errnos.list: src/lib/errno.c
contrib/syntax/lists/system_errnos.list: src/lib/errno.c Makefile
@printf 'Generating %s from %s\n' $@ $<
@sed -En 's/.*"(E[^"]+).*/\1/p' $< | LC_ALL=C sort -u >$@
pipe_fromlf = { tr '\n' '|' | sed 's/|$$//'; }
space_fromlf = { tr '\n' ' ' | sed 's/ $$//'; }
regex_fromlf = { tr '\n' '|' | sed -e 's/|$$//' -e 's/\./\\\\./g'; }
space_fromlf = { tr '\n' ' ' | sed -e 's/ $$//'; }
edit_syntax_file = sed \
-e "s/@make_input@/$$(basename $@). Generated from $$(basename $<) by make./" \
-e "s/@FJ_PROFILE_COMMANDS_ARG0@/$$($(pipe_fromlf) <contrib/syntax/lists/profile_commands_arg0.list)/" \
-e "s/@FJ_PROFILE_COMMANDS_ARG1@/$$($(pipe_fromlf) <contrib/syntax/lists/profile_commands_arg1.list)/" \
-e "s/@FJ_PROFILE_CONDITIONALS@/$$($(pipe_fromlf) <contrib/syntax/lists/profile_conditionals.list)/" \
-e "s/@FJ_PROFILE_MACROS@/$$($(pipe_fromlf) <contrib/syntax/lists/profile_macros.list)/" \
-e "s/@FJ_PROFILE_COMMANDS_ARG0@/$$($(regex_fromlf) <contrib/syntax/lists/profile_commands_arg0.list)/" \
-e "s/@FJ_PROFILE_COMMANDS_ARG1@/$$($(regex_fromlf) <contrib/syntax/lists/profile_commands_arg1.list)/" \
-e "s/@FJ_PROFILE_CONDITIONALS@/$$($(regex_fromlf) <contrib/syntax/lists/profile_conditionals.list)/" \
-e "s/@FJ_PROFILE_MACROS@/$$($(regex_fromlf) <contrib/syntax/lists/profile_macros.list)/" \
-e "s/@FJ_SYSCALLS@/$$($(space_fromlf) <contrib/syntax/lists/syscalls.list)/" \
-e "s/@FJ_SYSCALL_GROUPS@/$$($(pipe_fromlf) <contrib/syntax/lists/syscall_groups.list)/" \
-e "s/@FJ_SYSTEM_ERRNOS@/$$($(pipe_fromlf) <contrib/syntax/lists/system_errnos.list)/"
-e "s/@FJ_SYSCALL_GROUPS@/$$($(regex_fromlf) <contrib/syntax/lists/syscall_groups.list)/" \
-e "s/@FJ_SYSTEM_ERRNOS@/$$($(regex_fromlf) <contrib/syntax/lists/system_errnos.list)/"
contrib/syntax/files/example: contrib/syntax/files/example.in $(SYNTAX_LISTS)
contrib/syntax/files/example: contrib/syntax/files/example.in $(SYNTAX_LISTS) Makefile
@printf 'Generating %s from %s\n' $@ $<
@$(edit_syntax_file) $< >$@
# gtksourceview language-specs
contrib/syntax/files/%.lang: contrib/syntax/files/%.lang.in $(SYNTAX_LISTS)
contrib/syntax/files/%.lang: contrib/syntax/files/%.lang.in $(SYNTAX_LISTS) Makefile
@printf 'Generating %s from %s\n' $@ $<
@$(edit_syntax_file) $< >$@
# vim syntax files
contrib/syntax/files/%.vim: contrib/syntax/files/%.vim.in $(SYNTAX_LISTS)
contrib/syntax/files/%.vim: contrib/syntax/files/%.vim.in $(SYNTAX_LISTS) Makefile
@printf 'Generating %s from %s\n' $@ $<
@$(edit_syntax_file) $< >$@
@ -165,209 +190,220 @@ clean:
done
$(MAKE) -C src/man clean
$(MAKE) -C test clean
rm -f $(SECCOMP_FILTERS)
rm -f firejail*.rpm
rm -f $(SYNTAX_FILES)
rm -f src/fnettrace/static-ip-map
rm -f test/utils/index.html*
rm -f test/utils/wget-log
rm -f test/utils/firejail-test-file*
rm -f test/utils/lstesting
rm -f test/environment/index.html*
rm -f test/environment/wget-log*
rm -fr test/environment/-testdir
rm -f test/environment/logfile*
rm -f test/environment/index.html
rm -f test/environment/wget-log
rm -f test/sysutils/firejail_t*
cd test/compile; ./compile.sh --clean; cd ../..
$(RM) $(SECCOMP_FILTERS)
$(RM) $(SYNTAX_FILES)
$(RM) -r ./$(TARNAME)-$(VERSION) ./$(TARNAME)-$(VERSION).tar.xz
$(RM) ./$(TARNAME)*.deb
$(RM) ./$(TARNAME)*.rpm
.PHONY: distclean
distclean: clean
for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \
$(MAKE) -C $$dir distclean; \
done
$(MAKE) -C test distclean
rm -fr autom4te.cache config.log config.mk config.sh config.status
$(RM) -r autom4te.cache config.log config.mk config.sh config.status
.PHONY: realinstall
realinstall: config.mk
.PHONY: install
install: all config.mk
# firejail executable
install -m 0755 -d $(DESTDIR)$(bindir)
install -m 0755 src/firejail/firejail $(DESTDIR)$(bindir)
$(INSTALL) -m 0755 -d $(DESTDIR)$(bindir)
$(INSTALL) -m 0755 -t $(DESTDIR)$(bindir) src/firejail/firejail
ifeq ($(HAVE_SUID),-DHAVE_SUID)
chmod u+s $(DESTDIR)$(bindir)/firejail
endif
# firemon executable
install -m 0755 src/firemon/firemon $(DESTDIR)$(bindir)
$(INSTALL) -m 0755 -t $(DESTDIR)$(bindir) src/firemon/firemon
# firecfg executable
install -m 0755 src/firecfg/firecfg $(DESTDIR)$(bindir)
$(INSTALL) -m 0755 -t $(DESTDIR)$(bindir) src/firecfg/firecfg
# jailcheck executable
install -m 0755 src/jailcheck/jailcheck $(DESTDIR)$(bindir)
$(INSTALL) -m 0755 -t $(DESTDIR)$(bindir) src/jailcheck/jailcheck
# libraries and plugins
install -m 0755 -d $(DESTDIR)$(libdir)/firejail
install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/firecfg/firejail-welcome.sh
install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS)
install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS)
install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/profstats/profstats
install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/etc-cleanup/etc-cleanup
$(INSTALL) -m 0755 -d $(DESTDIR)$(libdir)/firejail
$(INSTALL) -m 0755 -t $(DESTDIR)$(libdir)/firejail src/firecfg/firejail-welcome.sh
$(INSTALL) -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS)
$(INSTALL) -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS)
$(INSTALL) -m 0755 -t $(DESTDIR)$(libdir)/firejail src/profstats/profstats
$(INSTALL) -m 0755 -t $(DESTDIR)$(libdir)/firejail src/etc-cleanup/etc-cleanup
# plugins w/o read permission (non-dumpable)
install -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE)
install -m 0711 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh
install -m 0644 -t $(DESTDIR)$(libdir)/firejail src/fnettrace/static-ip-map
$(INSTALL) -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE)
$(INSTALL) -m 0711 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh
$(INSTALL) -m 0644 -t $(DESTDIR)$(libdir)/firejail src/fnettrace/static-ip-map
ifeq ($(HAVE_CONTRIB_INSTALL),yes)
# contrib scripts
install -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/*.py contrib/*.sh
$(INSTALL) -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/*.py contrib/*.sh
# vim syntax
install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect
install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax
install -m 0644 contrib/vim/ftdetect/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect
install -m 0644 contrib/syntax/files/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax
$(INSTALL) -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect
$(INSTALL) -m 0644 -t $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect contrib/vim/ftdetect/firejail.vim
$(INSTALL) -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax
$(INSTALL) -m 0644 -t $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax contrib/syntax/files/firejail.vim
# gtksourceview language-specs
install -m 0755 -d $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs
install -m 0644 contrib/syntax/files/firejail-profile.lang $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs
$(INSTALL) -m 0755 -d $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs
$(INSTALL) -m 0644 -t $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs contrib/syntax/files/firejail-profile.lang
endif
# documents
install -m 0755 -d $(DESTDIR)$(docdir)
install -m 0644 -t $(DESTDIR)$(docdir) COPYING README RELNOTES etc/templates/*
$(INSTALL) -m 0755 -d $(DESTDIR)$(docdir)
$(INSTALL) -m 0644 -t $(DESTDIR)$(docdir) COPYING README RELNOTES etc/templates/*
# profiles and settings
install -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail
install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail src/firecfg/firecfg.config
install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config
sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
$(INSTALL) -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail
$(INSTALL) -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail/firecfg.d
$(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail src/firecfg/firecfg.config
$(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config
sh -c "if [ ! -f $(DESTDIR)$(sysconfdir)/firejail/login.users ]; then \
$(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/login.users; \
fi"
ifeq ($(HAVE_IDS),-DHAVE_IDS)
install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/ids.config
$(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/ids.config
endif
ifeq ($(BUSYBOX_WORKAROUND),yes)
./mketc.sh $(DESTDIR)$(sysconfdir)/firejail/disable-common.inc
endif
ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR)
# install apparmor profile
sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;"
install -m 0644 etc/apparmor/firejail-default $(DESTDIR)$(sysconfdir)/apparmor.d
$(INSTALL) -m 0755 -d $(DESTDIR)$(sysconfdir)/apparmor.d
$(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/apparmor.d etc/apparmor/firejail-default
# install apparmor profile customization file
sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;"
sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default ]; then install -c -m 0644 etc/apparmor/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default; fi;"
$(INSTALL) -m 0755 -d $(DESTDIR)$(sysconfdir)/apparmor.d/local
sh -c "if [ ! -f $(DESTDIR)$(sysconfdir)/apparmor.d/local/firejail-default ]; then \
$(INSTALL) -m 0644 etc/apparmor/firejail-local $(DESTDIR)$(sysconfdir)/apparmor.d/local/firejail-default; \
fi"
# install apparmor base abstraction drop-in
sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions; fi;"
sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions/base.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions/base.d; fi;"
install -m 0644 etc/apparmor/firejail-base $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/base.d
$(INSTALL) -m 0755 -d $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/base.d
$(INSTALL) -m 0644 -t $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/base.d etc/apparmor/firejail-base
endif
ifneq ($(HAVE_MAN),no)
# man pages
install -m 0755 -d $(DESTDIR)$(mandir)/man1 $(DESTDIR)$(mandir)/man5
install -m 0644 $(MANPAGES1_GZ) $(DESTDIR)$(mandir)/man1/
install -m 0644 $(MANPAGES5_GZ) $(DESTDIR)$(mandir)/man5/
$(INSTALL) -m 0755 -d $(DESTDIR)$(mandir)/man1
$(INSTALL) -m 0644 -t $(DESTDIR)$(mandir)/man1 $(MANPAGES1_GZ)
$(INSTALL) -m 0755 -d $(DESTDIR)$(mandir)/man5
$(INSTALL) -m 0644 -t $(DESTDIR)$(mandir)/man5 $(MANPAGES5_GZ)
endif
# bash completion
install -m 0755 -d $(DESTDIR)$(datarootdir)/bash-completion/completions
install -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail
install -m 0644 src/bash_completion/firemon.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon
install -m 0644 src/bash_completion/firecfg.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg
$(INSTALL) -m 0755 -d $(DESTDIR)$(datarootdir)/bash-completion/completions
$(INSTALL) -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail
$(INSTALL) -m 0644 src/bash_completion/firemon.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon
$(INSTALL) -m 0644 src/bash_completion/firecfg.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg
# zsh completion
install -m 0755 -d $(DESTDIR)$(datarootdir)/zsh/site-functions
install -m 0644 src/zsh_completion/_firejail $(DESTDIR)$(datarootdir)/zsh/site-functions/
.PHONY: install
install: all
$(MAKE) realinstall
$(INSTALL) -m 0755 -d $(DESTDIR)$(datarootdir)/zsh/site-functions
$(INSTALL) -m 0644 -t $(DESTDIR)$(datarootdir)/zsh/site-functions src/zsh_completion/_firejail
.PHONY: install-strip
install-strip: all
strip $(ALL_ITEMS)
$(MAKE) realinstall
install-strip: strip install
.PHONY: uninstall
uninstall: config.mk
rm -f $(DESTDIR)$(bindir)/firejail
rm -f $(DESTDIR)$(bindir)/firemon
rm -f $(DESTDIR)$(bindir)/firecfg
rm -f $(DESTDIR)$(bindir)/jailcheck
rm -fr $(DESTDIR)$(libdir)/firejail
rm -fr $(DESTDIR)$(datarootdir)/doc/firejail
rm -f $(addprefix $(DESTDIR)$(mandir)/man1/,$(notdir $(MANPAGES1_GZ)))
rm -f $(addprefix $(DESTDIR)$(mandir)/man5/,$(notdir $(MANPAGES5_GZ)))
rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail
rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon
rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg
rm -f $(DESTDIR)$(datarootdir)/zsh/site-functions/_firejail
rm -f $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect/firejail.vim
rm -f $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax/firejail.vim
rm -f $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs/firejail-profile.lang
$(RM) $(DESTDIR)$(bindir)/firejail
$(RM) $(DESTDIR)$(bindir)/firemon
$(RM) $(DESTDIR)$(bindir)/firecfg
$(RM) $(DESTDIR)$(bindir)/jailcheck
$(RM) -r $(DESTDIR)$(libdir)/firejail
$(RM) -r $(DESTDIR)$(datarootdir)/doc/firejail
$(RM) $(addprefix $(DESTDIR)$(mandir)/man1/,$(notdir $(MANPAGES1_GZ)))
$(RM) $(addprefix $(DESTDIR)$(mandir)/man5/,$(notdir $(MANPAGES5_GZ)))
$(RM) $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail
$(RM) $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon
$(RM) $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg
$(RM) $(DESTDIR)$(datarootdir)/zsh/site-functions/_firejail
$(RM) $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect/firejail.vim
$(RM) $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax/firejail.vim
$(RM) $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs/firejail-profile.lang
@echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038."
# Note: Keep this list in sync with `paths` in .github/workflows/build.yml.
DISTFILES = \
COPYING \
Makefile \
README \
RELNOTES \
config.mk.in \
config.sh.in \
configure \
configure.ac \
contrib \
etc \
install.sh \
m4 \
mkdeb.sh \
mketc.sh \
platform \
src
COPYING \
Makefile \
README \
RELNOTES \
config.mk.in \
config.sh.in \
configure \
configure.ac \
contrib \
etc \
install.sh \
m4 \
mkdeb.sh \
mketc.sh \
platform \
src
DISTFILES_TEST = test/Makefile test/apps test/apps-x11 test/apps-x11-xorg test/capabilities test/private-lib test/fnetfilter test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils
DISTFILES_TEST = \
test/Makefile \
test/apps \
test/apps-x11 \
test/apps-x11-xorg \
test/capabilities \
test/compile \
test/environment \
test/fcopy \
test/filters \
test/fnetfilter \
test/fs \
test/network \
test/private-lib \
test/profiles \
test/sysutils \
test/utils
.PHONY: dist
dist: config.mk
mv config.sh config.sh.old
mv config.status config.status.old
make distclean
mv config.status.old config.status
mv config.sh.old config.sh
rm -fr $(TARNAME)-$(VERSION) $(TARNAME)-$(VERSION).tar.xz
dist: clean config.mk
mkdir -p $(TARNAME)-$(VERSION)/test
cp -a $(DISTFILES) $(TARNAME)-$(VERSION)
cp -a $(DISTFILES_TEST) $(TARNAME)-$(VERSION)/test
rm -rf $(TARNAME)-$(VERSION)/src/tools
find $(TARNAME)-$(VERSION) -name .svn -delete
tar -cJvf $(TARNAME)-$(VERSION).tar.xz $(TARNAME)-$(VERSION)
rm -fr $(TARNAME)-$(VERSION)
$(RM) -r $(TARNAME)-$(VERSION)/src/tools
$(TAR) -cJvf $(TARNAME)-$(VERSION).tar.xz $(TARNAME)-$(VERSION)
$(RM) -r $(TARNAME)-$(VERSION)
.PHONY: asc
asc: config.mk
./mkasc.sh $(VERSION)
asc: config.sh
./mkasc.sh
.PHONY: deb
deb: dist config.sh
./mkdeb.sh
.PHONY: test-compile
test-compile: dist config.mk
cd test/compile; ./compile.sh $(TARNAME)-$(VERSION)
test-compile: dist config.sh
cd test/compile; ./compile.sh
.PHONY: rpms
rpms: src/man config.mk
./platform/rpm/mkrpm.sh $(TARNAME) $(VERSION)
rpms: src/man config.sh
./platform/rpm/mkrpm.sh
.PHONY: extras
extras: all
$(MAKE) -C extras/firetools
.PHONY: cppcheck
cppcheck: clean
cppcheck --force --error-exitcode=1 --enable=warning,performance .
cppcheck:
$(CPPCHECK) --force --error-exitcode=1 --enable=warning,performance \
-i src/firejail/checkcfg.c -i src/firejail/main.c .
# For cppcheck 1.x; see .github/workflows/check-c.yml
.PHONY: cppcheck-old
cppcheck-old:
$(CPPCHECK) --force --error-exitcode=1 --enable=warning,performance .
.PHONY: scan-build
scan-build: clean
scan-build make
$(SCAN_BUILD) --status-bugs $(MAKE)
# TODO: Old codespell versions (such as v2.1.0 in CI) have issues with
# contrib/syscalls.sh
.PHONY: codespell
codespell: clean
codespell --ignore-regex "UE|creat|doas|shotcut|ether" src test
codespell:
@printf 'Running %s...\n' $@
@$(CODESPELL) --ignore-regex 'Manuel|UE|als|chage|creat|doas|ether|isplay|readby|[Ss]hotcut' \
-S *.d,*.gz,*.o,*.so \
-S COPYING,m4 \
-S ./contrib/syscalls.sh \
.
.PHONY: print-env
print-env:
./ci/printenv.sh
.PHONY: print-version
print-version: config.mk
command -V $(TARNAME) && $(TARNAME) --version
#
# make test
#

113
README
View file

@ -28,13 +28,17 @@ Compile and install the mainline version from GitHub:
cd firejail
./configure && make && sudo make install-strip
On Debian/Ubuntu you will need to install git and gcc. AppArmor development
libraries and pkg-config are required when using the --enable-apparmor
./configure option:
On Debian/Ubuntu you will need to install git and gcc.
To build with AppArmor support (which is usually used on Debian, Ubuntu,
openSUSE and derivatives), install the AppArmor development libraries and
pkg-config and use the `--enable-apparmor` ./configure option:
sudo apt-get install git build-essential libapparmor-dev pkg-config gawk
For --selinux option, add libselinux1-dev (libselinux-devel for Fedora).
To build with SELinux support (which is usually used on Fedora, RHEL and
derivatives), install libselinux1-dev (libselinux-devel on Fedora) and use the
`--enable-selinux` ./configure option.
We build our release firejail.tar.xz and firejail.deb packages using the
following commands:
@ -59,7 +63,7 @@ Committers:
- rusty-snake (https://github.com/rusty-snake)
- smitsohu (https://github.com/smitsohu)
- SkewedZeppelin (https://github.com/SkewedZeppelin)
- startx2017 (https://github.com/startx2017) - LTS and *bugfixes branches
- startx2017 (https://github.com/startx2017)
maintainer)
- Topi Miettinen (https://github.com/topimiettinen)
- veloute (https://github.com/veloute)
@ -125,6 +129,7 @@ Aleksey Manevich (https://github.com/manevich)
Alexander Gerasiov (https://github.com/gerasiov)
- read-only ~/.ssh/authorized_keys
- profile updates
- fcopy: Use lstat when copy directory
Alexander Stein (https://github.com/ajstein)
- added profile for qutebrowser
alkim0 (https://github.com/alkim0)
@ -169,6 +174,8 @@ aoand (https://github.com/aoand)
- seccomp fix: allow numeric syscalls
Arne Welzel (https://github.com/awelzel)
- ignore SIGTTOU during flush_stdin()
archaon616 (https://github.com/archaon616)
- steam.profile: allow Factorio, Zomboid
Atrate (https://github.com/Atrate)
- BetterDiscord support
Austin Morton (https://github.com/apmorton)
@ -196,8 +203,11 @@ avoidr (https://github.com/avoidr)
- added mcabber profile
- fixed mpv profile
- various other fixes
ayham (https://github.com/ayham-1)
- allow custom homedir support for gpgagent
Азалия Смарагдова/ChrysoliteAzalea (https://github.com/ChrysoliteAzalea)
- add support for custom AppArmor profiles (--apparmor=)
- add Landlock support
backspac (https://github.com/backspac)
- firecfg fixes
- add steam-runtime alias
@ -253,6 +263,8 @@ bymoz089 (https://github.com/bymoz089)
- add timezone access to make libical functional
BytesTuner (https://github.com/BytesTuner)
- provided keepassxc profile
Caleb McCombs (https://github.com/squatched)
- Zoom profile fixes
caoliver (https://github.com/caoliver)
- network system fixes
Carlo Abelli (https://github.com/carloabelli)
@ -266,6 +278,9 @@ Cat (https://github.com/ecat3)
cayday (https://github.com/caydey)
- added ~/Private blacklist in disable-common.inc
- added quiet to some CLI profiles
celenityy (https://github.com/celenityy)
- Thunderbird profile fix
- wget profile fix
Christian Pinedo (https://github.com/chrpinedo)
- added nicotine profile
- allow python3 in totem profile
@ -283,6 +298,8 @@ Christian Stadelmann (https://github.com/genodeftest)
- evolution profile fix
Clayton Williams (https://github.com/gosre)
- addition of RLIMIT_AS
CodeWithMa (https://github.com/CodeWithMa)
- mpv.profile: add new XDG_STATE_HOME path
corecontingency (https://https://github.com/corecontingency)
- tighten private-bin and etc for torbrowser-launcher.profile
- added i2prouter profile
@ -320,6 +337,8 @@ curiosityseeker (https://github.com/curiosityseeker - new)
- fixed conky profile
- thunderbird.profile: harden and enable the rules necessary to make
Firefox open links
D357R0Y3R (https://github.com/D357R0Y3R)
- added floorp to firejail.config
da2x (https://github.com/da2x)
- matched RPM license tag
Daan Bakker (https://github.com/dbakker)
@ -349,6 +368,10 @@ David Hyrule (https://github.com/Svaag)
- remove nou2f in ssh profile
Deelvesh Bunjun (https://github.com/DeelveshBunjun)
- added xpdf profile
DefaultUser (https://github.com/DefaultUser)
- neochat: Allow netlink
Denis Subbotin (https://github.com/mr-tron)
- telegram.profile: allow ~/.local/share/telegram-desktop
Denys Havrysh (https://github.com/vutny)
- update SkypeForLinux profile for latest version
- removed outdated Skype profile
@ -361,6 +384,8 @@ DiGitHubCap (https://github.com/DiGitHubCap)
- fix qt5ct colour schemes and QSS
Dieter Plaetinck (https://github.com/Dieterbe)
- qutebrowser: update MPRIS name for qutebrowser-qt6
- fix email-common.profile
- fix claws-mail profile
Disconnect3d (https://github.com/disconnect3d)
- code cleanup
dm9pZCAq (https://github.com/dm9pZCAq)
@ -371,6 +396,7 @@ dmfreemon (https://github.com/dmfreemon)
- handle malloc() failures; use gnu_basename() instead of basenaem()
Dmitriy Chestnykh (https://github.com/chestnykh)
- add ability to disable user profiles at compile time
- lookup xauth in PATH
Dpeta (https://github.com/Dpeta)
- add Chatterino profile
dshmgh (https://github.com/dshmgh)
@ -397,11 +423,19 @@ Fabian Würfl (https://github.com/BafDyce)
- Liferea profile
Felipe Barriga Richards (https://github.com/fbarriga)
- --private-etc fix
Felix Pehla (https://github.com/FelixPehla)
- fix fractal profile
- blacklist sway IPC socket globally
fenuks (https://github.com/fenuks)
- fix sound in games using FMOD
- allow /opt/tor-browser for Tor Browser profile
fkrone (https://github.com/fkrone)
- fix Zoom profile
Fidel Ramos (https://github.com/haplo)
- added Ledger Live profile
- fixed geeqie profile
- added rawtherapee profile
- added electron-cache profile
Florian Begusch (https://github.com/florianbegusch)
- (la)tex profiles
- fixed transmission-common.profile
@ -411,6 +445,8 @@ floxo (https://github.com/floxo)
- fixed qml disk cache issue
Foemass (https://github.com/Foemass)
- documentation
Foxreef (https://github.com/Foxreef)
- steam profile fixes
Franco (nextime) Lanza (https://github.com/nextime)
- added --private-template/--private-home
František Polášek (https://github.com/fandaa)
@ -465,6 +501,9 @@ Fred-Barclay (https://github.com/Fred-Barclay)
- added Catfish profile
Frederik Olesen (https://github.com/Freso)
- added many vim profiles
Frostbyte4664 (https://github.com/Frostbyte4664)
- steam.profile: Allow Baba Is You
- blender-3.6 redirect
g3ngr33n (https://github.com/g3ngr33n)
- fix musl compilation
G4JC (https://sourceforge.net/u/gaming4jc/profile/)
@ -472,6 +511,10 @@ G4JC (https://sourceforge.net/u/gaming4jc/profile/)
- profile fixes
Gaman Gabriel (https://github.com/stelariusinfinitek)
- inox profile
Gabriel (https://github.com/gcb)
- okular profile fix
- irssi profile
- syncthing profile
geg2048 (https://github.com/geg2048)
- kwallet profile fixes
glitsj16 (https://github.com/glitsj16)
@ -497,6 +540,8 @@ glitsj16 (https://github.com/glitsj16)
- new profiles: lzip, artha, nitroshare, nitroshare-cli, nitroshare-nmh
- new profiles: nirtoshare-send, nitroshare-ui, mencoder, gnome-pie
- new profiles: masterpdfeditor
glu8716 (https://github.com/glu8716)
- nicotine: support Fcitx and dconf via dbus-user filter
gm10 (https://github.com/gm10)
- get_user() do not use the unreliable getlogin()
GovanifY (https://github.com/GovanifY)
@ -514,6 +559,7 @@ GSI (https://github.com/GSI)
- added Uzbl browser profile
haarp (https://github.com/haarp)
- Allow sound for hexchat
- discord-common.profile: harden & allow notifications
hamzadis (https://github.com/hamzadis)
- added --overlay-named=name and --overlay-path=path
Hans-Christoph Steiner (https://github.com/eighthave)
@ -548,6 +594,9 @@ Haowei Yu (https://github.com/sfc-gh-hyu)
Icaro Perseo (https://github.com/icaroperseo)
- Icecat profile
- several profile fixes
Ilya Pankratov (https://github.com/i-pankrat)
- profstats fix
- fix various memory resource leaks
Igor Bukanov (https://github.com/ibukanov)
- found/fiixed privilege escalation in --hosts-file option
iiotx (https://github.com/iiotx)
@ -642,6 +691,8 @@ jrabe (https://github.com/jrabe)
- Polari profile
- qTox profile
- X11 fixes
jtrv (https://github.com/jtrv)
- tidal-hifi profile
juan (https://github.com/nyancat18)
- fixed Kdenlive, Shotcut profiles
- new profiles for Cinelerra, Cliqz, Bluefish
@ -690,6 +741,8 @@ kuesji koesnu (https://github.com/kuesji)
- better parser for size strings
Kunal Mehta (https://github.com/legoktm)
- converted all links to https in manpages
kzsa (https://github.com/kzsa)
- wusc: add /usr/share/locale-langpack (LC_MESSAGES)
laniakea64 (https://github.com/laniakea64)
- added fj-mkdeb.py script to build deb packages
Lari Rauno (https://github.com/tuutti)
@ -705,6 +758,8 @@ layderv (https://github.com/layderv)
lecso7 (https://github.com/lecso7)
- added goldendict profile
- allow evince to read .cbz file format
leukimi (https://github.com/leukimi)
- 0ad.profile: fix libmozjs error on OpenSUSE Tumbleweed
Loïc Damien (https://github.com/dzamlo)
- small fixes
Liorst4 (https://github.com/Liorst4)
@ -714,6 +769,8 @@ Liorst4 (https://github.com/Liorst4)
- minetest fixes
Lockdis (https://github.com/Lockdis)
- Added crow, nyx, and google-earth-pro profiles
luca0N (https://github.com/luca0N)
- fixed crawl profile
Lukáš Krejčí (https://github.com/lskrejci)
- fixed parsing of --keep-var-tmp
luzpaz (https://github.com/luzpaz)
@ -729,12 +786,15 @@ Madura A (https://github.com/manushanga)
mahdi1234 (https://github.com/mahdi1234)
- cherrytree profile
- Seamonkey profiles
mammo0 (https://github.com/mammo0)
- remove 'text/plain' from firejail-profile.lang.in
Manuel Dipolt (https://github.com/xeniter)
- stack alignment for the ARM Architecture
Marek Küthe (https://github.com/marek22k)
- allow loading plugins in gajim
- allow bsfilter in email-common.profile
- email-common.profile: allow clamav plugin for claws-mail
- VSCodium: Fix developing Arduino
Martin Carpenter (https://github.com/mcarpenter)
- security audit and bug fixes
- Centos 6.x support
@ -766,6 +826,8 @@ Michael Haas (https://github.com/mhaas)
- bugfixes
Michael Hoffmann (https://github.com/brisad)
- added support for subdirs in private-etc
Michele Sorcinelli (https://github.com/michelesr)
- fix ssh profile
Mike Frysinger (vapier@gentoo.org)
- Gentoo compile patch
minus7 (https://github.com/minus7)
@ -803,6 +865,8 @@ NetSysFire (https://github.com/NetSysFire)
- update weechat profile
- update megaglest profile
- added parsecd profile
- fix minecraft-launcher.profile
- singularity profile
Nick Fox (https://github.com/njfox)
- add a profile alias for code-oss
- add code-oss config directory
@ -823,6 +887,11 @@ Nikos Chantziaras (https://github.com/realnc)
- fix audio support for Discord
nolanl (https://github.com/nolanl)
- added localtime to signal-desktop's profile
nutta-git (https://github.com/nutta-git)
- steam.profile: allow process_vm_readv syscall
- lutris.profile: allow more syscalls
- steam.profile: update novideo comment for webcam motion trackers
- more lutris.profile problems
nyancat18 (https://github.com/nyancat18)
- added ardour4, dooble, karbon, krita profiles
nya1 (https://github.com/nya1)
@ -905,6 +974,8 @@ PizzaDude (https://github.com/pizzadude)
- fix welcome.sh
polyzen (https://github.com/polyzen)
- fixed wusc issue with mpv/Vulkan
powerjungle (https://github.com/powerjungle)
- fixed multimc
probonopd (https://github.com/probonopd)
- automatic build on Travis CI
pshpsh (https://github.com/pshpsh)
@ -915,6 +986,9 @@ pszxzsd (https://github.com/pszxzsd)
-uGet profile
pwnage-pineapple (https://github.com/pwnage-pineapple)
- update Okular profile
qdii (https://github.com/qdii)
- added notpm command & keep tpm devices in private-dev
- keepassxc: add new socket location
Quentin Retornaz (https://github.com/qretornaz-adapei42)
- microsoft-edge profiles fixes
Quentin Minster (https://github.com/laomaiweng)
@ -969,6 +1043,8 @@ rootalc (https://github.com/rootalc)
- add nolocal6.net filter
Ruan (https://github.com/ruany)
- fixed hexchat profile
RundownRhino (https://github.com/RundownRhino)
- firefox profile fix
rusty-snake (https://github.com/rusty-snake)
- added profiles: thunderbird-wayland, supertuxkart, ghostwriter
- added profiles: klavaro, mypaint, mypaint-ora-thumbnailer, nano
@ -1006,18 +1082,17 @@ Serphentas (https://github.com/Serphentas)
- add Paradox Launcher to Steam profile
Slava Monich (https://github.com/monich)
- added configure option to disable man pages
Tobias Schmidl (https://github.com/schtobia)
- added profile for webui-aria2
Simon Peter (https://github.com/probonopd)
- set $APPIMAGE and $APPDIR environment variables
- AppImage version detection
- Leafppad type v1 and v2 appimage packages in test/appimage
- GitHub/Travis CI integration
Simo Piiroinen (https://github.com/spiiroin)
- Jolla/SailfishOS patches
- fix startup race condition for /run/firejail directory
sinkuu (https://github.com/sinkuu)
- blacklisting kwalletd
- fix symlink invocation for programs placing symlinks in $PATH
Simo Piiroinen (https://github.com/spiiroin)
- Jolla/SailfishOS patches
slowpeek (https://github.com/slowpeek)
- refine appimage example in docs
- allow resolution of .local names with avahi-daemon in the apparmor profile
@ -1025,6 +1100,9 @@ slowpeek (https://github.com/slowpeek)
- make appimage examples consistent with --appimage option short description
- blacklist google-drive-ocamlfuse config
- blacklist sendgmail config
Shahriar Heidrich (https://github.com/smheidrich)
- fix manpages
- fix i3 profile and disable-programs.profile
smitsohu (https://github.com/smitsohu)
- read-only kde4 services directory
- enhanced mediathekview profile
@ -1119,6 +1197,8 @@ startx2017 (https://github.com/startx2017)
- kwrite and geary profiles
StelFux (https://github.com/StelFux)
- Fix youtube video in totem
Syed Muhammad Shuja Haider (https://github.com/xplanthris)
- prismlauncher profile
the-antz (https://github.com/the-antz)
- Fix libx265 encoding in ffmpeg profile
- Fix Firefox profile
@ -1153,6 +1233,8 @@ Tomasz Jan Góralczyk (https://github.com/tjg)
- fixed Steam profile
Tomi Leppänen (https://github.com/Tomin1)
- Jolla/SailfishOS patches
Tobias Schmidl (https://github.com/schtobia)
- added profile for webui-aria2
Topi Miettinen (https://github.com/topimiettinen)
- improved seccomp printing
- improve mount handling, fix /run/user handling
@ -1167,6 +1249,11 @@ Ted Robertson (https://github.com/tredondo)
- various documentation fixes
- blacklist Exodus wallet
- blacklist monero-project directory
- several README file fixes
- use GitHub issues as the bug reporting address
- fix documentation for selinux
tools200ms (https://github.com/tools200ms)
- fixed allow-ssh.inc
Tus1688 (https://github.com/Tus1688)
- added neovim profile
user1024 (user1024@tut.by)
@ -1193,6 +1280,9 @@ Vadim A. Misbakh-Soloviov (https://github.com/msva)
ValdikSS (https://github.com/ValdikSS)
- Psi+, Corebird, Konversation profiles
- various profile fixes
Varun Sharma (https://github.com/varunsh-coder)
- update allowed endpoints
- build(deps): bump step-security/harden-runner from 2.5.0 to 2.5.1
Vasya Novikov (https://github.com/vn971)
- Wesnoth profile
- Hedegewars profile
@ -1257,6 +1347,9 @@ ydididodat (https://github.com/ydididodat)
yumkam (https://github.com/yumkam)
- add compile-time option to restrict --net= to root only
- man page fixes
Yves-Alexis Perez (https://github.com/corsac-s)
- signal-desktop profile fix
- signal: add access to D-Bus freedesktop.org secret API
Zack Weinberg (https://github.com/zackw)
- added support for joining a persistent, named network namespace
- removed libconnect
@ -1278,4 +1371,4 @@ Zack Weinberg (https://github.com/zackw)
zupatisc (https://github.com/zupatisc)
- patch-util fix
Copyright (C) 2014-2023 Firejail Authors
Copyright (C) 2014-2024 Firejail Authors

173
README.md
View file

@ -1,17 +1,25 @@
# Firejail
[![Build CI (GitLab)](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines)
[![Build CI (GitHub)](https://github.com/netblue30/firejail/workflows/Build%20CI/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3A%22Build+CI%22)
[![CodeQL CI](https://github.com/netblue30/firejail/workflows/CodeQL/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodeQL)
[![Build (GitLab)](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines)
[![Build (GitHub)](https://github.com/netblue30/firejail/workflows/Build/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ABuild)
[![Build-extra](https://github.com/netblue30/firejail/workflows/Build-extra/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ABuild-extra)
[![Test](https://github.com/netblue30/firejail/workflows/Test/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ATest)
[![Check-C](https://github.com/netblue30/firejail/workflows/Check-C/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACheck-C)
[![Check-Profiles](https://github.com/netblue30/firejail/workflows/Check-Profiles/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACheck-Profiles)
[![Check-Python](https://github.com/netblue30/firejail/workflows/Check-Python/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACheck-Python)
[![Codespell](https://github.com/netblue30/firejail/workflows/Codespell/badge.svg)](https://github.com/netblue30/firejail/actions?query=workflow%3ACodespell)
[![Packaging status (Repology)](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions)
Firejail is a SUID sandbox program that reduces the risk of security breaches
by restricting the running environment of untrusted applications using Linux
namespaces, seccomp-bpf and Linux capabilities. It allows a process and all
its descendants to have their own private view of the globally shared kernel
resources, such as the network stack, process table, mount table. Firejail can
work in a SELinux or AppArmor environment, and it is integrated with Linux
Control Groups.
Firejail is a lightweight security tool intended to protect a Linux system by
setting up a restricted environment for running (potentially untrusted)
applications.
More specifically, it is an SUID sandbox program that reduces the risk of
security breaches by using Linux namespaces, seccomp-bpf and Linux
capabilities. It allows a process and all its descendants to have their own
private view of the globally shared kernel resources, such as the network
stack, process table and mount table. Firejail can work in an SELinux or
AppArmor environment, and it is integrated with Linux Control Groups.
Written in C with virtually no dependencies, the software runs on any Linux
computer with a 3.x kernel version or newer. It can sandbox any type of
@ -30,7 +38,15 @@ and available on any Linux computer.
<tr>
<td>
<a href="https://odysee.com/@netblue30:9/firefox:c" target="_blank">
<a href="https://odysee.com/@netblue30:9/install" target="_blank">
<img src="https://thumbs.odycdn.com/f19bcfa08c2b35658dc18f4e2fd63f3f.webp"
alt="Quick Start" width="240" height="142" border="10" />
<br/>Quick Start
</a>
</td>
<td>
<a href="https://odysee.com/@netblue30:9/firefox" target="_blank">
<img src="https://thumbs.odycdn.com/acf4b1c66737feb97640fb1d28a7daa6.png"
alt="Advanced Browser Security" width="240" height="142" border="10" />
<br/>Advanced Browser Security
@ -38,18 +54,10 @@ alt="Advanced Browser Security" width="240" height="142" border="10" />
</td>
<td>
<a href="https://odysee.com/@netblue30:9/nonet:7" target="_blank">
<img src="https://thumbs.odycdn.com/5be2964201c31689ee8f78cb9f35e89a.png"
alt="How To Disable Network Access" width="240" height="142" border="10" />
<br/>How To Disable Network Access
</a>
</td>
<td>
<a href="https://odysee.com/@netblue30:9/divested:2" target="_blank">
<img src="https://thumbs.odycdn.com/f30ece33a6547af9ae48244f4ba73028.png"
alt="Deep Dive" width="240" height="142" border="10" />
<br/>Deep Dive
<a href="https://odysee.com/@netblue30:9/tor" target="_blank">
<img src="https://thumbs.odycdn.com/f6aa82bd7b86b2f17caed03ccb870d2b.webp"
alt="Tor Browser Security" width="240" height="142" border="10" />
<br/>Tor Browser Security
</a>
</td>
@ -83,6 +91,10 @@ Debian stable (bullseye): We recommend to use the
### Ubuntu
Note: The PPA recommendation is mainly for firejail itself; it should be fine
to install firetools and firejail-related tools directly from the distribution
if they are not in the PPA as they tend to be updated less frequently.
For Ubuntu 18.04+ and derivatives (such as Linux Mint), users are **strongly
advised** to use the
[PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail).
@ -143,7 +155,9 @@ The version can be checked with `firejail --version` after installing.
You can also install one of the [released
packages](https://github.com/netblue30/firejail/releases).
Or clone the source code from our git repository and build manually:
## Building
You can clone the source code from this git repository and build manually:
```sh
git clone https://github.com/netblue30/firejail.git
@ -151,15 +165,19 @@ cd firejail
./configure && make && sudo make install-strip
```
On Debian/Ubuntu you will need to install git and gcc. AppArmor development
libraries and pkg-config are required when using the `--enable-apparmor`
./configure option:
On Debian/Ubuntu you will need to install git and gcc.
To build with AppArmor support (which is usually used on Debian, Ubuntu,
openSUSE and derivatives), install the AppArmor development libraries and
pkg-config and use the `--enable-apparmor` ./configure option:
```sh
sudo apt-get install git build-essential libapparmor-dev pkg-config gawk
```
For `--selinux` option, add libselinux1-dev (libselinux-devel for Fedora).
To build with SELinux support (which is usually used on Fedora, RHEL and
derivatives), install libselinux1-dev (libselinux-devel on Fedora) and use the
`--enable-selinux` ./configure option.
Detailed information on using firejail from git is available on the
[wiki](https://github.com/netblue30/firejail/wiki/Using-firejail-from-git).
@ -306,6 +324,53 @@ Discussion:
* [private-etc rework](https://github.com/netblue30/firejail/discussions/5610)
### Landlock support
* Added on #6078, which is based on #5315 from ChrysoliteAzalea/landlock
* Compile-time detection based on linux/landlock.h - if the header is found,
the feature is compiled in
* Runtime detection based on whether Landlock is supported by the kernel and is
enabled on the system
```text
LANDLOCK
Landlock is a Linux security module first introduced in version 5.13 of
the Linux kernel. It allows unprivileged processes to restrict their
access to the filesystem. Once imposed, these restrictions can never
be removed, and all child processes created by a Landlock-restricted
processes inherit these restrictions. Firejail supports Landlock as an
additional sandboxing feature. It can be used to ensure that a sand
boxed application can only access files and directories that it was ex
plicitly allowed to access. Firejail supports populating the ruleset
with both a basic set of rules (see --landlock) and with a custom set
of rules.
Important notes:
- A process can install a Landlock ruleset only if it has either
CAP_SYS_ADMIN in its effective capability set, or the "No New
Privileges" restriction enabled. Because of this, enabling the
Landlock feature will also cause Firejail to enable the "No New
Privileges" restriction, regardless of the profile or the
--nonewprivs command line option.
- Access to the /proc directory is managed through the --land
lock.proc command line option.
- Access to the /etc directory is automatically allowed. To
override this, use the --writable-etc command line option. You
can also use the --private-etc option to restrict access to the
/etc directory.
To enable Landlock self-restriction on top of your current Firejail se
curity features, pass --landlock flag to Firejail command line. You
can also use --landlock.read, --landlock.write, --landlock.special and
--landlock.execute options together with --landlock or instead of it.
Example:
$ firejail --landlock --landlock.read=/media --landlock.proc=ro mc
```
### Profile Statistics
A small tool to print profile statistics. Compile and install as usual. The
@ -316,33 +381,35 @@ Run it over the profiles in /etc/profiles:
```console
$ /usr/lib/firejail/profstats /etc/firejail/*.profile
No include .local found in /etc/firejail/noprofile.profile
Warning: multiple caps in /etc/firejail/tidal-hifi.profile
Warning: multiple caps in /etc/firejail/transmission-daemon.profile
Stats:
profiles 1209
include local profile 1208 (include profile-name.local)
include globals 1181 (include globals.local)
blacklist ~/.ssh 1079 (include disable-common.inc)
seccomp 1096
capabilities 1202
noexec 1087 (include disable-exec.inc)
noroot 1003
memory-deny-write-execute 272
restrict-namespaces 958
apparmor 753
private-bin 704
private-dev 1058
private-etc 550
private-lib 71
private-tmp 932
whitelist home directory 585
whitelist var 870 (include whitelist-var-common.inc)
whitelist run/user 1176 (include whitelist-runuser-common.inc
profiles 1249
include local profile 1248 (include profile-name.local)
include globals 1217 (include globals.local)
blacklist ~/.ssh 1117 (include disable-common.inc)
seccomp 1127
capabilities 1242
noexec 1125 (include disable-exec.inc)
noroot 1030
memory-deny-write-execute 285
restrict-namespaces 981
apparmor 788
private-bin 750
private-dev 1090
private-etc 763
private-lib 78
private-tmp 959
whitelist home directory 609
whitelist var 907 (include whitelist-var-common.inc)
whitelist run/user 1214 (include whitelist-runuser-common.inc
or blacklist ${RUNUSER})
whitelist usr/share 640 (include whitelist-usr-share-common.inc
net none 410
dbus-user none 679
dbus-user filter 141
dbus-system none 851
dbus-system filter 12
whitelist usr/share 690 (include whitelist-usr-share-common.inc
net none 420
dbus-user none 705
dbus-user filter 164
dbus-system none 889
dbus-system filter 13
```

139
RELNOTES
View file

@ -1,40 +1,95 @@
firejail (0.9.73) baseline; urgency=low
* work in progress
* security: fix sscanf rv checks (CodeQL) (#6184)
* feature: private-etc rework: improve handling of /etc/resolv.conf and add
private-etc groups (#6400 #5518 #5608 #5609 #5629 #5638 #5641 #5642 #5643
#5650 #5681 #5737 #5844 #5989 #6016 #6104 #5655 #6435 #6514 #6515)
* feature: Add "keep-shell-rc" command and option (#1127 #5634)
* feature: Print the argument when failing with "too long arguments" (#5677)
* feature: a random hostname is assigned to each sandbox unless
overwritten using --hostname command
* feature: add IPv6 support for --net.print option
* feature: QUIC (HTTP/3) support in --nettrace
* feature: use seccomp filters build at install time for --restrict-namespaces
* feature: add seccomp filters for --restrict-namespaces
* feature: stats support for --nettrace
* feature: add doas support in firecfg and jailcheck
* feature: add doas support in firecfg and jailcheck (#5899 #5900)
* feature: firecfg: add firecfg.d & add ignore command (#2097 #5245 #5876
#6153 #6268)
* feature: expand simple macros in more commands (--chroot= --netfilter=
--netfilter6= --trace=) (#6032 #6109)
* feature: add Landlock support (#5269 #6078 #6115 #6125 #6187 #6195 #6200
#6228 #6260 #6302 #6305)
* feature: add support for comm, coredump, and prctl procevents in firemon
(#6414 #6415)
* feature: add notpm command & keep tpm devices in private-dev (#6379 #6390)
* feature: fshaper.sh: support tc on NixOS (#6426 #6431)
* modif: Stop forwarding own double-dash to the shell (#5599 #5600)
* modif: Prevent sandbox name (--name=) and host name (--hostname=)
from containing only digits (#5578 #5741)
* modif: Escape control characters of the command line (#5613)
* modif: Allow mostly only ASCII letters and digits for sandbox name
(--name=) and host name (--hostname=) (#5708 #5856)
* modif: remove firemon --interface option (duplicating --net.print option)
* modif: make private-lib a configure-time option, disabled by default (see
--enable-private-lib) (#5727 #5732)
* modif: Improve --version/--help & print version on startup (#5829)
* bugfix: qutebrowser: links will not open in the existing instance (#5601
#5618)
* modif: Improve --version/--help & print version on startup (#5829 #6172)
* modif: improve errExit error messages (#5871)
* modif: drop deprecated 'shell' option references (#5894)
* modif: keep pipewire group unless nosound is used (#5992 #5993)
* modif: fcopy: use lstat when copying directory (#5378 #5957)
* modif: private-dev: keep /dev/kfd unless no3d is used (#6380)
* modif: keep /sys/module/nvidia* if prop driver and no no3d (#6372 #6387)
* removal: firemon: remove --interface option (it duplicates the firejail
--net.print= option) (0e48f9933)
* removal: remove support for LTS and firetunnel (db09546f2)
* bugfix: fix --hostname and --hosts-file commands
* bugfix: fix examples in firejail-local AppArmor profile (#5717)
* bugfix: arp.c: ensure positive timeout on select(2) (#5806)
* bugfix: Wrong syscall names for s390_pci_mmio_read and s390_pci_mmio_write
(#5965 #5976)
* bugfix: firejail --ls reports wrong file sizes for large files (#5982
#6086)
* bugfix: fix startup race condition for /run/firejail directory (#6307)
* bugfix: fix various resource leaks (#6367)
* bugfix: profstats: fix restrict-namespaces max count (#6369)
* bugfix: remove --noautopulse from --help and zsh comp (#6401)
* build: auto-generate syntax files (#5627)
* build: mark all phony targets as such (#5637)
* build: mkdeb.sh: pass all arguments to ./configure (#5654)
* build: deb: enable apparmor by default & remove deb-apparmor (#5668)
* build: Fix whitespace and add .editorconfig (#5674)
* build: remove for loop initial declarations to fix building with old
compilers (#5778)
* build: enable compiler warnings by default (#5842)
* build: remove -mretpoline and NO_EXTRA_CFLAGS (#5859)
* build: disable all built-in implicit make rules (#5864)
* build: organize and standardize make vars and targets (#5866)
* build: fix seccomp filters and man pages always being rebuilt when running
make
* build: simplify code related to man pages (#5898)
make (#5156 #5898)
* build: fix hardcoded make & remove unnecessary distclean targets (#5911)
* build: dist and asc improvements (#5916)
* build: fix some shellcheck issues & use config.sh in more scripts (#5927)
* build: firecfg.config sorting improvements (#5942)
* build: codespell improvements (#5955)
* build: add missing makefile dep & syntax improvements (#5956)
* build: sort.py: use case-sensitive sorting (#6070)
* build: mkrpm.sh: append instead of override configure args (#6126)
* build: use CPPFLAGS instead of INCLUDE in compile targets (#6159)
* build: use full paths on compile/link targets (#6158)
* build: automatically generate header dependencies (#6164)
* build: improve main clean target (#6186)
* build: mkrpm.sh improvements (#6196)
* build: move errExit macro into inline function (#6217)
* build: allow overriding certain tools & sync targets with CI (#6222)
* build: reduce hardcoding and inconsistencies (#6230)
* build: sort.py: filter empty and duplicate items (#6261)
* build: fix "warning: "_FORTIFY_SOURCE" redefined" (#6282 #6283)
* build: sort.py: add -h/-i/-n/-- options (#6290 #6339 #6562)
* build: add strip target and simplify install targets (#6342)
* build: remove clean dependency from cppcheck targets (#6343)
* build: allow overriding common tools (#6354)
* build: standardize install commands (#6366)
* build: improve reliability/portability of date command usage (#6403 #6404)
* build: sort.py: strip whitespace in profiles (#6556)
* ci: always update the package db before installing packages (#5742)
* ci: fix codeql unable to download its own bundle (#5783)
* ci: split configure/build/install commands on gitlab (#5784)
@ -43,6 +98,14 @@ firejail (0.9.73) baseline; urgency=low
* ci: run for every branch instead of just master (#5815)
* ci: upgrade debian:stretch to debian:buster (#5818)
* ci: standardize apt-get update/install & misc improvements (#5857)
* ci: Update step-security/harden-runner and update allowed endpoints (#5953)
* ci: whitelist paths, reorganize workflows & speed-up tests (#5960)
* ci: fix dependabot duplicated workflow runs (#5984)
* ci: allow running workflows manually (#6026)
* ci: add timeout limits (#6178)
* ci: make dependabot updates monthly and bump PR limit (#6338)
* contrib/syntax: remove 'text/plain' from firejail-profile.lang.in (#6057
#6059)
* contrib/vim: match profile files more broadly (#5850)
* test: split individual test groups in github workflows
* test: add chroot, appimage and network tests in github workflows
@ -51,8 +114,62 @@ firejail (0.9.73) baseline; urgency=low
* docs: fix typos (#5693)
* docs: markdown formatting and misc improvements (#5757)
* docs: add uninstall instructions to README.md (#5812)
* docs: add precedence info to manpage & fix noblacklist example (#6358
#6359)
* docs: bug_report.md: use absolute path in 'steps to reproduce' (#6382)
* docs: man: format and sort some private- items (#6398)
* docs: man: improve blacklist/whitelist examples with spaces (#6425)
* docs: add build_issue.md issue template (#6423)
* docs: man: sort commands (firejail.1) (#6451)
* docs: man: fix bold in command TPs (#6472)
* docs: man: fix wrong escapes (#6474)
* docs: github: streamline environment in issue templates (#6471)
* docs: fix typos of --enable-selinux configure option (#6526)
* docs: clarify intro and build section in README (#6524)
* legal: selinux.c: Split Copyright notice & use same license as upstream
(#5667)
* profiles: qutebrowser: fix links not opening in the existing instance
(#5601 #5618)
* profiles: clarify userns comments (#5686)
* profiles: bulk rename electron to electron-common (#5700)
* profiles: streamline seccomp socket comment (#5735)
* profiles: drop hostname option from all profiles (#5702)
* profiles: move read-only config entries to disable-common.inc (#5763)
* profiles: standardize on just "GTK" on comments (#5794)
* profiles: bleachbit: allow erasing Trash contents (#5337 #5902)
* profiles: improvements to profiles using private (#5946)
* profiles: standardize commented code and eol comments (#5987)
* profiles: disable-common: add more suid programs (#6049 #6051 #6052)
* profiles: replace private-opt with whitelist & document private-opt issues
(#6021)
* profiles: drop paths already in wusc (#6218)
* profiles: deny access to ~/.config/autostart (#6257)
* profiles: replace x11 socket blacklist with disable-X11.inc (#6286)
* profiles: sort blacklist sections (#6289)
* profiles: rename disable-X11.inc to disable-x11.inc (#6294)
* profiles: add allow-nodejs.inc to profile.template (#6298)
* profiles: add allow-php.inc to profile.template (#6299)
* profiles: clarify and add opengl-game to profile.template (#6300)
* profiles: allow-ssh: allow /etc/ssh/ssh_revoked_hosts (#6308 #6309)
* profiles: libreoffice: support signing documents with GPG (#6352 #6353)
* profiles: blacklist i3 IPC socket & dir except for i3 itself (#6361)
* profiles: librewolf: add new dbus name (io.gitlab.firefox) (#6413 #6473)
* profiles: nextcloud: fix access to ~/Nextcloud (#5877 #6478)
* profiles: ssh: add ${RUNUSER}/gvfsd-sftp (#5816 #6479)
* profiles: firecfg: disable text editors (#6002 #6477)
* profiles: browsers: centralize/sync/improve comments (#6486)
* profiles: keepassxc: add new socket location (#5447 #6391)
* profiles: signal-desktop: allow org.freedesktop.secrets (#6498)
* profiles: firefox-common: allow org.freedesktop.portal.Documents (#6444 #6499)
* profiles: keepassxc: allow access to ssh-agent socket (#3314 #6531)
* profiles: firecfg.config: disable dnsmasq (#6533)
* profiles: game-launchers: disable nou2f (#6534)
* profiles: anki: fix opening, allow media & add to firecfg (#6544 #6545)
* profiles: wget: allow ~/.local/share/wget (#6542)
* profiles: wget: unify wget2 into wget profile (#6551)
* profiles: tesseract: disable private-tmp to fix ocrmypdf (#6550 #6552)
* profiles: ensure allow-lua where mpv is allowed (#6555)
* profiles: video-players: add missing /usr/share paths (#6557)
* new profiles: fix-qdf, qpdf, zlib-flate, standard-notes, url-eater
-- netblue30 <netblue30@yahoo.com> Mon, 17 Jan 2023 09:00:00 -0500
@ -233,7 +350,7 @@ firejail (0.9.68) baseline; urgency=low
-- netblue30 <netblue30@yahoo.com> Sun, 6 Feb 2022 09:00:00 -0500
firejail (0.9.66) baseline; urgency=low
* deprecated --audit options, relpaced by jailcheck utility
* deprecated --audit options, replaced by jailcheck utility
* deprecated follow-symlink-as-user from firejail.config
* new firejail.config settings: private-bin, private-etc
* new firejail.config settings: private-opt, private-srv
@ -358,7 +475,7 @@ firejail (0.9.62) baseline; urgency=low
* whitelisting /usr/share in a large number of profiles
* new scripts in contrib: gdb-firejail.sh and sort.py
* enhancement: whitelist /usr/share in some profiles
* added signal mediation ot apparmor profile
* added signal mediation to apparmor profile
* new conditions: HAS_X11, HAS_NET
* new profiles: qgis, klatexformula, klatexformula_cmdl, links, xlinks
* new profiles: pandoc, teams-for-linux, OpenArena, gnome-sound-recorder
@ -753,7 +870,7 @@ firejail (0.9.44.4) baseline; urgency=low
firejail (0.9.44.2) baseline; urgency=low
* security: overwrite /etc/resolv.conf found by Martin Carpenter (CVE-2016-10118)
* secuirty: TOCTOU exploit for --get and --put found by Daniel Hodson
* security: TOCTOU exploit for --get and --put found by Daniel Hodson
* security: invalid environment exploit found by Martin Carpenter (CVE-2016-10122)
* security: several security enhancements
* bugfix: crashing VLC by pressing Ctrl-O

5
ci/check/profiles/sort-firecfg.config.sh
View file

@ -1,2 +1,5 @@
#!/bin/sh
tail -n +4 "$1" | sed 's/^# /#/' | LC_ALL=C sort -c -d
# See ../../../src/firecfg/firecfg.config
sed -E -e '/^#$/d' -e '/^# /d' -e 's/^#([^ ])/\1/' "$1" |
LC_ALL=C sort -c -u

26
config.mk.in
View file

@ -34,11 +34,10 @@ HAVE_APPARMOR=@HAVE_APPARMOR@
HAVE_CHROOT=@HAVE_CHROOT@
HAVE_DBUSPROXY=@HAVE_DBUSPROXY@
HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
HAVE_FIRETUNNEL=@HAVE_FIRETUNNEL@
HAVE_FORCE_NONEWPRIVS=@HAVE_FORCE_NONEWPRIVS@
HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
HAVE_IDS=@HAVE_IDS@
HAVE_LTS=@HAVE_LTS@
HAVE_LANDLOCK=@HAVE_LANDLOCK@
HAVE_NETWORK=@HAVE_NETWORK@
HAVE_ONLY_SYSCFG_PROFILES=@HAVE_ONLY_SYSCFG_PROFILES@
HAVE_OUTPUT=@HAVE_OUTPUT@
@ -56,11 +55,10 @@ MANFLAGS = \
$(HAVE_CHROOT) \
$(HAVE_DBUSPROXY) \
$(HAVE_FILE_TRANSFER) \
$(HAVE_FIRETUNNEL) \
$(HAVE_FORCE_NONEWPRIVS) \
$(HAVE_GLOBALCFG) \
$(HAVE_IDS) \
$(HAVE_LTS) \
$(HAVE_LANDLOCK) \
$(HAVE_NETWORK) \
$(HAVE_ONLY_SYSCFG_PROFILES) \
$(HAVE_OUTPUT) \
@ -77,28 +75,40 @@ MANFLAGS = \
# the user building the package); see the following for details:
# https://www.gnu.org/software/automake/manual/1.16.5/html_node/User-Variables.html
CC=@CC@
CODESPELL=@CODESPELL@
CPPCHECK=@CPPCHECK@
GAWK=@GAWK@
GZIP=@GZIP@
SCAN_BUILD=@SCAN_BUILD@
STRIP=@STRIP@
TAR=@TAR@
CFLAGS=@CFLAGS@
CPPFLAGS=@CPPFLAGS@
LDFLAGS=@LDFLAGS@
# Project variables
EXTRA_CFLAGS =@EXTRA_CFLAGS@
DEPS_CFLAGS =@DEPS_CFLAGS@
COMMON_CFLAGS = \
-ggdb -O2 -DVERSION='"$(VERSION)"' -DMOD_DIR='"$(MOD_DIR)"' \
-ggdb -O2 -DVERSION='"$(VERSION)"' \
-Wall -Wextra $(HAVE_FATAL_WARNINGS) \
-Wformat -Wformat-security \
-fstack-protector-all -D_FORTIFY_SOURCE=2 \
-fstack-protector-all \
-DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' \
-DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' \
-DVARDIR='"/var/lib/firejail"' \
-DVARDIR='"/var/lib/firejail"'
PROG_CFLAGS = \
$(COMMON_CFLAGS) \
$(HAVE_GCOV) $(MANFLAGS) \
$(EXTRA_CFLAGS) \
$(DEPS_CFLAGS) \
-fPIE
SO_CFLAGS = \
$(COMMON_CFLAGS) \
$(DEPS_CFLAGS) \
-fPIC
EXTRA_LDFLAGS =@EXTRA_LDFLAGS@
@ -106,4 +116,4 @@ PROG_LDFLAGS = -Wl,-z,relro -Wl,-z,now -fPIE -pie $(EXTRA_LDFLAGS)
SO_LDFLAGS = -Wl,-z,relro -Wl,-z,now -fPIC
LIBS =@LIBS@
CLEANFILES = *.o *.gcov *.gcda *.gcno *.plist
CLEANFILES = *.d *.o *.gcov *.gcda *.gcno *.plist

639
configure vendored
View file

@ -2,7 +2,7 @@
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.71 for firejail 0.9.73.
#
# Report bugs to <netblue30@protonmail.com>.
# Report bugs to <https://github.com/netblue30/firejail/issues>.
#
#
# Copyright (C) 1992-1996, 1998-2017, 2020-2021 Free Software Foundation,
@ -267,10 +267,10 @@ then :
printf "%s\n" "$0: be upgraded to zsh 4.3.4 or later."
else
printf "%s\n" "$0: Please tell bug-autoconf@gnu.org and
$0: netblue30@protonmail.com about your system, including
$0: any error possibly output before this message. Then
$0: install a modern shell, or manually run the script
$0: under such a shell if you do have one."
$0: https://github.com/netblue30/firejail/issues about your
$0: system, including any error possibly output before this
$0: message. Then install a modern shell, or manually run
$0: the script under such a shell if you do have one."
fi
exit 1
fi
@ -612,7 +612,7 @@ PACKAGE_NAME='firejail'
PACKAGE_TARNAME='firejail'
PACKAGE_VERSION='0.9.73'
PACKAGE_STRING='firejail 0.9.73'
PACKAGE_BUGREPORT='netblue30@protonmail.com'
PACKAGE_BUGREPORT='https://github.com/netblue30/firejail/issues'
PACKAGE_URL='https://firejail.wordpress.com'
ac_unique_file="src/firejail/main.c"
@ -650,7 +650,6 @@ ac_includes_default="\
ac_header_c_list=
ac_subst_vars='LTLIBOBJS
LIBOBJS
HAVE_LTS
HAVE_ONLY_SYSCFG_PROFILES
HAVE_FORCE_NONEWPRIVS
HAVE_CONTRIB_INSTALL
@ -666,8 +665,6 @@ HAVE_GLOBALCFG
HAVE_CHROOT
HAVE_PRIVATE_LIB
HAVE_PRIVATE_HOME
HAVE_FIRETUNNEL
HAVE_GAWK
HAVE_MAN
HAVE_USERTMPFS
HAVE_OUTPUT
@ -675,6 +672,7 @@ HAVE_OVERLAYFS
HAVE_DBUSPROXY
EXTRA_LDFLAGS
EXTRA_CFLAGS
HAVE_LANDLOCK
HAVE_SELINUX
AA_LIBS
AA_CFLAGS
@ -683,6 +681,14 @@ PKG_CONFIG_PATH
PKG_CONFIG
HAVE_APPARMOR
HAVE_IDS
DEPS_CFLAGS
TAR
STRIP
SCAN_BUILD
GZIP
GAWK
CPPCHECK
CODESPELL
OBJEXT
EXEEXT
ac_ct_CC
@ -737,11 +743,11 @@ enable_sanitizer
enable_ids
enable_apparmor
enable_selinux
enable_landlock
enable_dbusproxy
enable_output
enable_usertmpfs
enable_man
enable_firetunnel
enable_private_home
enable_private_lib
enable_chroot
@ -757,7 +763,6 @@ enable_gcov
enable_contrib_install
enable_force_nonewprivs
enable_only_syscfg_profiles
enable_lts
'
ac_precious_vars='build_alias
host_alias
@ -1396,11 +1401,11 @@ Optional Features:
--enable-ids enable ids
--enable-apparmor enable apparmor
--enable-selinux SELinux labeling support
--enable-landlock Landlock self-restriction support
--disable-dbusproxy disable dbus proxy
--disable-output disable --output logging
--disable-usertmpfs disable tmpfs as regular user
--disable-man disable man pages
--enable-firetunnel enable firetunnel
--disable-private-home disable private home feature
--disable-private-lib disable private lib feature
--disable-chroot disable chroot
@ -1421,7 +1426,6 @@ Optional Features:
enable force nonewprivs
--enable-only-syscfg-profiles
disable profiles in $HOME/.config/firejail
--enable-lts enable long-term support software version (LTS)
Some influential environment variables:
CC C compiler command
@ -1442,7 +1446,7 @@ Some influential environment variables:
Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.
Report bugs to <netblue30@protonmail.com>.
Report bugs to <https://github.com/netblue30/firejail/issues>.
firejail home page: <https://firejail.wordpress.com>.
_ACEOF
ac_status=$?
@ -3272,9 +3276,424 @@ ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
ac_compiler_gnu=$ac_cv_c_compiler_gnu
for ac_prog in codespell
do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_CODESPELL+y}
then :
printf %s "(cached) " >&6
else $as_nop
if test -n "$CODESPELL"; then
ac_cv_prog_CODESPELL="$CODESPELL" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
IFS=$as_save_IFS
case $as_dir in #(((
'') as_dir=./ ;;
*/) ;;
*) as_dir=$as_dir/ ;;
esac
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
ac_cv_prog_CODESPELL="$ac_prog"
printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
break 2
fi
done
done
IFS=$as_save_IFS
fi
fi
CODESPELL=$ac_cv_prog_CODESPELL
if test -n "$CODESPELL"; then
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CODESPELL" >&5
printf "%s\n" "$CODESPELL" >&6; }
else
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi
test -n "$CODESPELL" && break
done
for ac_prog in cppcheck
do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_CPPCHECK+y}
then :
printf %s "(cached) " >&6
else $as_nop
if test -n "$CPPCHECK"; then
ac_cv_prog_CPPCHECK="$CPPCHECK" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
IFS=$as_save_IFS
case $as_dir in #(((
'') as_dir=./ ;;
*/) ;;
*) as_dir=$as_dir/ ;;
esac
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
ac_cv_prog_CPPCHECK="$ac_prog"
printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
break 2
fi
done
done
IFS=$as_save_IFS
fi
fi
CPPCHECK=$ac_cv_prog_CPPCHECK
if test -n "$CPPCHECK"; then
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CPPCHECK" >&5
printf "%s\n" "$CPPCHECK" >&6; }
else
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi
test -n "$CPPCHECK" && break
done
for ac_prog in gawk
do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_GAWK+y}
then :
printf %s "(cached) " >&6
else $as_nop
if test -n "$GAWK"; then
ac_cv_prog_GAWK="$GAWK" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
IFS=$as_save_IFS
case $as_dir in #(((
'') as_dir=./ ;;
*/) ;;
*) as_dir=$as_dir/ ;;
esac
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
ac_cv_prog_GAWK="$ac_prog"
printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
break 2
fi
done
done
IFS=$as_save_IFS
fi
fi
GAWK=$ac_cv_prog_GAWK
if test -n "$GAWK"; then
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $GAWK" >&5
printf "%s\n" "$GAWK" >&6; }
else
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi
test -n "$GAWK" && break
done
for ac_prog in gzip
do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_GZIP+y}
then :
printf %s "(cached) " >&6
else $as_nop
if test -n "$GZIP"; then
ac_cv_prog_GZIP="$GZIP" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
IFS=$as_save_IFS
case $as_dir in #(((
'') as_dir=./ ;;
*/) ;;
*) as_dir=$as_dir/ ;;
esac
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
ac_cv_prog_GZIP="$ac_prog"
printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
break 2
fi
done
done
IFS=$as_save_IFS
fi
fi
GZIP=$ac_cv_prog_GZIP
if test -n "$GZIP"; then
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $GZIP" >&5
printf "%s\n" "$GZIP" >&6; }
else
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi
test -n "$GZIP" && break
done
for ac_prog in scan-build
do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_SCAN_BUILD+y}
then :
printf %s "(cached) " >&6
else $as_nop
if test -n "$SCAN_BUILD"; then
ac_cv_prog_SCAN_BUILD="$SCAN_BUILD" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
IFS=$as_save_IFS
case $as_dir in #(((
'') as_dir=./ ;;
*/) ;;
*) as_dir=$as_dir/ ;;
esac
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
ac_cv_prog_SCAN_BUILD="$ac_prog"
printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
break 2
fi
done
done
IFS=$as_save_IFS
fi
fi
SCAN_BUILD=$ac_cv_prog_SCAN_BUILD
if test -n "$SCAN_BUILD"; then
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $SCAN_BUILD" >&5
printf "%s\n" "$SCAN_BUILD" >&6; }
else
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi
test -n "$SCAN_BUILD" && break
done
for ac_prog in strip
do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_STRIP+y}
then :
printf %s "(cached) " >&6
else $as_nop
if test -n "$STRIP"; then
ac_cv_prog_STRIP="$STRIP" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
IFS=$as_save_IFS
case $as_dir in #(((
'') as_dir=./ ;;
*/) ;;
*) as_dir=$as_dir/ ;;
esac
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
ac_cv_prog_STRIP="$ac_prog"
printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
break 2
fi
done
done
IFS=$as_save_IFS
fi
fi
STRIP=$ac_cv_prog_STRIP
if test -n "$STRIP"; then
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $STRIP" >&5
printf "%s\n" "$STRIP" >&6; }
else
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi
test -n "$STRIP" && break
done
for ac_prog in tar
do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_TAR+y}
then :
printf %s "(cached) " >&6
else $as_nop
if test -n "$TAR"; then
ac_cv_prog_TAR="$TAR" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
IFS=$as_save_IFS
case $as_dir in #(((
'') as_dir=./ ;;
*/) ;;
*) as_dir=$as_dir/ ;;
esac
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
ac_cv_prog_TAR="$ac_prog"
printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
break 2
fi
done
done
IFS=$as_save_IFS
fi
fi
TAR=$ac_cv_prog_TAR
if test -n "$TAR"; then
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $TAR" >&5
printf "%s\n" "$TAR" >&6; }
else
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi
test -n "$TAR" && break
done
DEPS_CFLAGS=""
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -MMD -MP" >&5
printf %s "checking whether C compiler accepts -MMD -MP... " >&6; }
if test ${ax_cv_check_cflags___MMD__MP+y}
then :
printf %s "(cached) " >&6
else $as_nop
ax_check_save_flags=$CFLAGS
CFLAGS="$CFLAGS -MMD -MP"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main (void)
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"
then :
ax_cv_check_cflags___MMD__MP=yes
else $as_nop
ax_cv_check_cflags___MMD__MP=no
fi
rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
CFLAGS=$ax_check_save_flags
fi
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___MMD__MP" >&5
printf "%s\n" "$ax_cv_check_cflags___MMD__MP" >&6; }
if test "x$ax_cv_check_cflags___MMD__MP" = xyes
then :
DEPS_CFLAGS="$DEPS_CFLAGS -MMD -MP"
else $as_nop
:
fi
as_CACHEVAR=`printf "%s\n" "ax_cv_check_cflags_$CFLAGS $CPPFLAGS -Werror_-D_FORTIFY_SOURCE=2" | $as_tr_sh`
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -D_FORTIFY_SOURCE=2" >&5
printf %s "checking whether C compiler accepts -D_FORTIFY_SOURCE=2... " >&6; }
if eval test \${$as_CACHEVAR+y}
then :
printf %s "(cached) " >&6
else $as_nop
ax_check_save_flags=$CFLAGS
CFLAGS="$CFLAGS $CFLAGS $CPPFLAGS -Werror -D_FORTIFY_SOURCE=2"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main (void)
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"
then :
eval "$as_CACHEVAR=yes"
else $as_nop
eval "$as_CACHEVAR=no"
fi
rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
CFLAGS=$ax_check_save_flags
fi
eval ac_res=\$$as_CACHEVAR
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
printf "%s\n" "$ac_res" >&6; }
if eval test \"x\$"$as_CACHEVAR"\" = x"yes"
then :
EXTRA_CFLAGS="$EXTRA_CFLAGS -D_FORTIFY_SOURCE=2"
else $as_nop
:
fi
HAVE_SPECTRE="no"
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -mindirect-branch=thunk" >&5
printf %s "checking whether C compiler accepts -mindirect-branch=thunk... " >&6; }
if test ${ax_cv_check_cflags___mindirect_branch_thunk+y}
@ -3739,6 +4158,58 @@ then :
fi
HAVE_LANDLOCK=""
# Check whether --enable-landlock was given.
if test ${enable_landlock+y}
then :
enableval=$enable_landlock;
fi
ac_header= ac_cache=
for ac_item in $ac_header_c_list
do
if test $ac_cache; then
ac_fn_c_check_header_compile "$LINENO" $ac_header ac_cv_header_$ac_cache "$ac_includes_default"
if eval test \"x\$ac_cv_header_$ac_cache\" = xyes; then
printf "%s\n" "#define $ac_item 1" >> confdefs.h
fi
ac_header= ac_cache=
elif test $ac_header; then
ac_cache=$ac_item
else
ac_header=$ac_item
fi
done
if test $ac_cv_header_stdlib_h = yes && test $ac_cv_header_string_h = yes
then :
printf "%s\n" "#define STDC_HEADERS 1" >>confdefs.h
fi
if test "x$enable_landlock" != "xno"
then :
ac_fn_c_check_header_compile "$LINENO" "linux/landlock.h" "ac_cv_header_linux_landlock_h" "$ac_includes_default"
if test "x$ac_cv_header_linux_landlock_h" = xyes
then :
HAVE_LANDLOCK="-DHAVE_LANDLOCK"
else $as_nop
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: header not found: linux/landlock.h, building without Landlock support" >&5
printf "%s\n" "$as_me: WARNING: header not found: linux/landlock.h, building without Landlock support" >&2;}
fi
fi
@ -3808,71 +4279,13 @@ if test "x$enable_man" != "xno"
then :
HAVE_MAN="-DHAVE_MAN"
# Extract the first word of "gawk", so it can be a program name with args.
set dummy gawk; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_HAVE_GAWK+y}
then :
printf %s "(cached) " >&6
else $as_nop
if test -n "$HAVE_GAWK"; then
ac_cv_prog_HAVE_GAWK="$HAVE_GAWK" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
IFS=$as_save_IFS
case $as_dir in #(((
'') as_dir=./ ;;
*/) ;;
*) as_dir=$as_dir/ ;;
esac
for ac_exec_ext in '' $ac_executable_extensions; do
if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
ac_cv_prog_HAVE_GAWK="yes"
printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
break 2
fi
done
done
IFS=$as_save_IFS
test -z "$ac_cv_prog_HAVE_GAWK" && ac_cv_prog_HAVE_GAWK="no"
fi
fi
HAVE_GAWK=$ac_cv_prog_HAVE_GAWK
if test -n "$HAVE_GAWK"; then
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $HAVE_GAWK" >&5
printf "%s\n" "$HAVE_GAWK" >&6; }
else
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi
if test "x$HAVE_GAWK" != "xyes"
if test "x$GAWK" = "x"
then :
as_fn_error $? "*** gawk not found ***" "$LINENO" 5
fi
fi
HAVE_FIRETUNNEL=""
# Check whether --enable-firetunnel was given.
if test ${enable_firetunnel+y}
then :
enableval=$enable_firetunnel;
fi
if test "x$enable_firetunnel" = "xyes"
then :
HAVE_FIRETUNNEL="-DHAVE_FIRETUNNEL"
fi
HAVE_PRIVATE_HOME=""
# Check whether --enable-private-home was given.
@ -4100,67 +4513,6 @@ then :
fi
HAVE_LTS=""
# Check whether --enable-lts was given.
if test ${enable_lts+y}
then :
enableval=$enable_lts;
fi
if test "x$enable_lts" = "xyes"
then :
HAVE_LTS="-DHAVE_LTS"
HAVE_IDS=""
HAVE_DBUSPROXY=""
HAVE_OVERLAYFS=""
HAVE_OUTPUT=""
HAVE_USERTMPFS=""
HAVE_MAN="-DHAVE_MAN"
HAVE_FIRETUNNEL=""
HAVE_PRIVATE_HOME=""
HAVE_PRIVATE_LIB=""
HAVE_CHROOT=""
HAVE_GLOBALCFG=""
HAVE_USERNS=""
HAVE_X11=""
HAVE_FILE_TRANSFER=""
HAVE_SUID="-DHAVE_SUID"
BUSYBOX_WORKAROUND="no"
HAVE_CONTRIB_INSTALL="no"
fi
ac_header= ac_cache=
for ac_item in $ac_header_c_list
do
if test $ac_cache; then
ac_fn_c_check_header_compile "$LINENO" $ac_header ac_cv_header_$ac_cache "$ac_includes_default"
if eval test \"x\$ac_cv_header_$ac_cache\" = xyes; then
printf "%s\n" "#define $ac_item 1" >> confdefs.h
fi
ac_header= ac_cache=
elif test $ac_header; then
ac_cache=$ac_item
else
ac_header=$ac_item
fi
done
if test $ac_cv_header_stdlib_h = yes && test $ac_cv_header_string_h = yes
then :
printf "%s\n" "#define STDC_HEADERS 1" >>confdefs.h
fi
ac_fn_c_check_header_compile "$LINENO" "linux/seccomp.h" "ac_cv_header_linux_seccomp_h" "$ac_includes_default"
if test "x$ac_cv_header_linux_seccomp_h" = xyes
then :
@ -4759,7 +5111,7 @@ Usage: $0 [OPTION]... [TAG]...
Configuration files:
$config_files
Report bugs to <netblue30@protonmail.com>.
Report bugs to <https://github.com/netblue30/firejail/issues>.
firejail home page: <https://firejail.wordpress.com>."
_ACEOF
@ -5335,8 +5687,10 @@ cat <<EOF
Compile options:
CC: $CC
CFLAGS: $CFLAGS
CPPFLAGS: $CPPFLAGS
LDFLAGS: $LDFLAGS
EXTRA_CFLAGS: $EXTRA_CFLAGS
DEPS_CFLAGS: $DEPS_CFLAGS
EXTRA_LDFLAGS: $EXTRA_LDFLAGS
LIBS: $LIBS
fatal warnings: $HAVE_FATAL_WARNINGS
@ -5357,10 +5711,9 @@ Features:
disable user profiles: $HAVE_ONLY_SYSCFG_PROFILES
enable --output logging: $HAVE_OUTPUT
file transfer support: $HAVE_FILE_TRANSFER
firetunnel support: $HAVE_FIRETUNNEL
global config: $HAVE_GLOBALCFG
IDS support: $HAVE_IDS
LTS: $HAVE_LTS
Landlock support: $HAVE_LANDLOCK
manpage support: $HAVE_MAN
network: $HAVE_NETWORK
overlayfs support: $HAVE_OVERLAYFS
@ -5372,13 +5725,3 @@ Features:
EOF
if test "$HAVE_LTS" = -DHAVE_LTS; then
cat <<\EOF
*********************************************************
* Warning: Long-term support (LTS) was enabled! *
* Most compile-time options have been rewritten! *
*********************************************************
EOF
fi

82
configure.ac
View file

@ -12,13 +12,30 @@
#
AC_PREREQ([2.68])
AC_INIT([firejail], [0.9.73], [netblue30@protonmail.com], [],
[https://firejail.wordpress.com])
AC_INIT([firejail], [0.9.73], [https://github.com/netblue30/firejail/issues],
[], [https://firejail.wordpress.com])
AC_CONFIG_SRCDIR([src/firejail/main.c])
AC_CONFIG_MACRO_DIR([m4])
AC_PROG_CC
AC_CHECK_PROGS([CODESPELL], [codespell])
AC_CHECK_PROGS([CPPCHECK], [cppcheck])
AC_CHECK_PROGS([GAWK], [gawk])
AC_CHECK_PROGS([GZIP], [gzip])
AC_CHECK_PROGS([SCAN_BUILD], [scan-build])
AC_CHECK_PROGS([STRIP], [strip])
AC_CHECK_PROGS([TAR], [tar])
DEPS_CFLAGS=""
AC_SUBST([DEPS_CFLAGS])
AX_CHECK_COMPILE_FLAG([-MMD -MP], [
DEPS_CFLAGS="$DEPS_CFLAGS -MMD -MP"
])
AX_CHECK_COMPILE_FLAG([-D_FORTIFY_SOURCE=2], [
EXTRA_CFLAGS="$EXTRA_CFLAGS -D_FORTIFY_SOURCE=2"
], [], [$CFLAGS $CPPFLAGS -Werror])
HAVE_SPECTRE="no"
AX_CHECK_COMPILE_FLAG([-mindirect-branch=thunk], [
@ -81,6 +98,16 @@ AS_IF([test "x$enable_selinux" = "xyes"], [
LIBS="$LIBS -lselinux"
])
HAVE_LANDLOCK=""
AC_SUBST([HAVE_LANDLOCK])
AC_ARG_ENABLE([landlock],
[AS_HELP_STRING([--enable-landlock], [Landlock self-restriction support])])
AS_IF([test "x$enable_landlock" != "xno"], [
AC_CHECK_HEADER([linux/landlock.h],
[HAVE_LANDLOCK="-DHAVE_LANDLOCK"],
[AC_MSG_WARN([header not found: linux/landlock.h, building without Landlock support])])
])
AC_SUBST([EXTRA_CFLAGS])
AC_SUBST([EXTRA_LDFLAGS])
@ -123,16 +150,7 @@ AC_ARG_ENABLE([man],
[AS_HELP_STRING([--disable-man], [disable man pages])])
AS_IF([test "x$enable_man" != "xno"], [
HAVE_MAN="-DHAVE_MAN"
AC_CHECK_PROG([HAVE_GAWK], [gawk], [yes], [no])
AS_IF([test "x$HAVE_GAWK" != "xyes"], [AC_MSG_ERROR([*** gawk not found ***])])
])
HAVE_FIRETUNNEL=""
AC_SUBST([HAVE_FIRETUNNEL])
AC_ARG_ENABLE([firetunnel],
[AS_HELP_STRING([--enable-firetunnel], [enable firetunnel])])
AS_IF([test "x$enable_firetunnel" = "xyes"], [
HAVE_FIRETUNNEL="-DHAVE_FIRETUNNEL"
AS_IF([test "x$GAWK" = "x"], [AC_MSG_ERROR([*** gawk not found ***])])
])
HAVE_PRIVATE_HOME=""
@ -258,31 +276,6 @@ AS_IF([test "x$enable_only_syscfg_profiles" = "xyes"], [
HAVE_ONLY_SYSCFG_PROFILES="-DHAVE_ONLY_SYSCFG_PROFILES"
])
HAVE_LTS=""
AC_SUBST([HAVE_LTS])
AC_ARG_ENABLE([lts],
[AS_HELP_STRING([--enable-lts], [enable long-term support software version (LTS)])])
AS_IF([test "x$enable_lts" = "xyes"], [
HAVE_LTS="-DHAVE_LTS"
HAVE_IDS=""
HAVE_DBUSPROXY=""
HAVE_OVERLAYFS=""
HAVE_OUTPUT=""
HAVE_USERTMPFS=""
HAVE_MAN="-DHAVE_MAN"
HAVE_FIRETUNNEL=""
HAVE_PRIVATE_HOME=""
HAVE_PRIVATE_LIB=""
HAVE_CHROOT=""
HAVE_GLOBALCFG=""
HAVE_USERNS=""
HAVE_X11=""
HAVE_FILE_TRANSFER=""
HAVE_SUID="-DHAVE_SUID"
BUSYBOX_WORKAROUND="no"
HAVE_CONTRIB_INSTALL="no"
])
AC_CHECK_HEADER([linux/seccomp.h], [],
[AC_MSG_ERROR([*** SECCOMP support is not installed (/usr/include/linux/seccomp.h missing) ***])])
@ -299,8 +292,10 @@ cat <<EOF
Compile options:
CC: $CC
CFLAGS: $CFLAGS
CPPFLAGS: $CPPFLAGS
LDFLAGS: $LDFLAGS
EXTRA_CFLAGS: $EXTRA_CFLAGS
DEPS_CFLAGS: $DEPS_CFLAGS
EXTRA_LDFLAGS: $EXTRA_LDFLAGS
LIBS: $LIBS
fatal warnings: $HAVE_FATAL_WARNINGS
@ -321,10 +316,9 @@ Features:
disable user profiles: $HAVE_ONLY_SYSCFG_PROFILES
enable --output logging: $HAVE_OUTPUT
file transfer support: $HAVE_FILE_TRANSFER
firetunnel support: $HAVE_FIRETUNNEL
global config: $HAVE_GLOBALCFG
IDS support: $HAVE_IDS
LTS: $HAVE_LTS
Landlock support: $HAVE_LANDLOCK
manpage support: $HAVE_MAN
network: $HAVE_NETWORK
overlayfs support: $HAVE_OVERLAYFS
@ -335,13 +329,3 @@ Features:
X11 sandboxing support: $HAVE_X11
EOF
if test "$HAVE_LTS" = -DHAVE_LTS; then
cat <<\EOF
*********************************************************
* Warning: Long-term support (LTS) was enabled! *
* Most compile-time options have been rewritten! *
*********************************************************
EOF
fi

2
contrib/fj-mkdeb.py
View file

@ -1,6 +1,6 @@
#!/usr/bin/env python3
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# Copyright (C) 2014-2024 Firejail Authors
# License GPL v2
# This script automates the creation of a .deb package. It was originally

2
contrib/fjclip.py
View file

@ -1,6 +1,6 @@
#!/usr/bin/env python3
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# Copyright (C) 2014-2024 Firejail Authors
# License GPL v2
import sys

2
contrib/fjdisplay.py
View file

@ -1,6 +1,6 @@
#!/usr/bin/env python3
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# Copyright (C) 2014-2024 Firejail Authors
# License GPL v2
import re

2
contrib/fjresize.py
View file

@ -1,6 +1,6 @@
#!/usr/bin/env python3
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# Copyright (C) 2014-2024 Firejail Authors
# License GPL v2
import sys

2
contrib/gdb-firejail.sh
View file

@ -1,6 +1,6 @@
#!/bin/bash
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# Copyright (C) 2014-2024 Firejail Authors
# License GPL v2
set -x

6
contrib/jail_prober.py
View file

@ -1,6 +1,6 @@
#!/usr/bin/env python3
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# Copyright (C) 2014-2024 Firejail Authors
# License GPL v2
"""
Figure out which profile options may be causing a particular program to break
@ -151,8 +151,8 @@ def run_firejail(program, all_args):
if arg:
myargs.insert(-1, arg)
subprocess.call(myargs)
ans = input('Did %s run correctly? [y]/n ' % program)
if ans in ['n', 'N']:
answer = input('Did %s run correctly? [y]/n ' % program)
if answer in ['n', 'N']:
bad_args.append(arg)
elif arg:
good_args.insert(-1, arg)

80
contrib/sort.py
View file

@ -1,6 +1,6 @@
#!/usr/bin/env python3
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# Copyright (C) 2014-2024 Firejail Authors
# License GPL v2
# Requirements:
@ -9,18 +9,26 @@ from os import path
from sys import argv, exit as sys_exit, stderr
__doc__ = f"""\
Sort the arguments of commands in profiles.
Strip whitespace and sort the arguments of commands in profiles.
Usage: {path.basename(argv[0])} [/path/to/profile ...]
Usage: {path.basename(argv[0])} [-h] [-i] [-n] [--] [/path/to/profile ...]
The following commands are supported:
private-bin, private-etc, private-lib, caps.drop, caps.keep, seccomp.drop,
seccomp.drop, protocol
private-bin, private-etc, private-lib, caps.drop, caps.keep, seccomp,
seccomp.drop, seccomp.keep, protocol
Note that this is only applicable to commands that support multiple arguments.
Keep in mind that this will overwrite your profile(s).
Trailing whitespace is removed in all lines (that is, not just in lines
containing supported commands) and other whitespace is stripped depending on
the command.
Options:
-h Print this message.
-i Edit the profile file(s) in-place (this is the default).
-n Do not edit the profile file(s) in-place.
-- End of options.
Examples:
$ {argv[0]} MyAwesomeProfile.profile
@ -31,14 +39,16 @@ Examples:
Exit Codes:
0: Success: No profiles needed fixing.
1: Error: One or more profiles could not be processed correctly.
2: Error: Missing arguments.
2: Error: Invalid or missing arguments.
101: Info: One or more profiles were fixed.
"""
def sort_alphabetical(original_items):
items = original_items.split(",")
items.sort(key=str.casefold)
items = set(map(str.strip, items))
items = filter(None, items)
items = sorted(items)
return ",".join(items)
@ -49,6 +59,9 @@ def sort_protocol(original_protocols):
unix,inet,inet6,netlink,packet,bluetooth
"""
# remove all whitespace
original_protocols = "".join(original_protocols.split())
# shortcut for common protocol lines
if original_protocols in ("unix", "unix,inet,inet6"):
return original_protocols
@ -61,32 +74,33 @@ def sort_protocol(original_protocols):
return fixed_protocols[:-1]
def fix_profile(filename):
def check_profile(filename, overwrite):
with open(filename, "r+") as profile:
lines = profile.read().split("\n")
was_fixed = False
fixed_profile = []
for lineno, line in enumerate(lines, 1):
for lineno, original_line in enumerate(lines, 1):
line = original_line.rstrip()
if line[:12] in ("private-bin ", "private-etc ", "private-lib "):
fixed_line = f"{line[:12]}{sort_alphabetical(line[12:])}"
line = f"{line[:12]}{sort_alphabetical(line[12:])}"
elif line[:13] in ("seccomp.drop ", "seccomp.keep "):
fixed_line = f"{line[:13]}{sort_alphabetical(line[13:])}"
line = f"{line[:13]}{sort_alphabetical(line[13:])}"
elif line[:10] in ("caps.drop ", "caps.keep "):
fixed_line = f"{line[:10]}{sort_alphabetical(line[10:])}"
line = f"{line[:10]}{sort_alphabetical(line[10:])}"
elif line[:8] == "protocol":
fixed_line = f"protocol {sort_protocol(line[9:])}"
line = f"protocol {sort_protocol(line[9:])}"
elif line[:8] == "seccomp ":
fixed_line = f"{line[:8]}{sort_alphabetical(line[8:])}"
else:
fixed_line = line
if fixed_line != line:
line = f"{line[:8]}{sort_alphabetical(line[8:])}"
if line != original_line:
was_fixed = True
print(
f"{filename}:{lineno}:-{line}\n"
f"{filename}:{lineno}:+{fixed_line}"
f"{filename}:{lineno}:-{original_line}\n"
f"{filename}:{lineno}:+{line}"
)
fixed_profile.append(fixed_line)
fixed_profile.append(line)
if was_fixed:
if overwrite:
profile.seek(0)
profile.truncate()
profile.write("\n".join(fixed_profile))
@ -97,6 +111,26 @@ def fix_profile(filename):
def main(args):
overwrite = True
while len(args) > 0:
if args[0] == "-h":
print(__doc__)
return 0
elif args[0] == "-i":
overwrite = True
args.pop(0)
elif args[0] == "-n":
overwrite = False
args.pop(0)
elif args[0] == "--":
args.pop(0)
break
elif args[0][0] == "-":
print(f"[ Error ] Unknown option: {args[0]}", file=stderr)
return 2
else:
break
if len(args) < 1:
print(__doc__, file=stderr)
return 2
@ -107,9 +141,9 @@ def main(args):
for filename in args:
try:
if exit_code not in (1, 101):
exit_code = fix_profile(filename)
exit_code = check_profile(filename, overwrite)
else:
fix_profile(filename)
check_profile(filename, overwrite)
except FileNotFoundError as err:
print(f"[ Error ] {err}", file=stderr)
exit_code = 1

2
contrib/syntax/files/firejail-profile.lang.in
View file

@ -7,7 +7,7 @@
-->
<language id="firejail-profile" name="Firejail Profile" version="2.0" _section="Other">
<metadata>
<property name="mimetypes">text/plain;text/x-firejail-profile</property>
<property name="mimetypes">text/x-firejail-profile</property>
<property name="globs">*.profile;*.local;*.inc</property>
<property name="line-comment-start">#</property>
</metadata>

4
contrib/syntax/lists/profile_commands_arg0.list
View file

@ -12,6 +12,7 @@ keep-config-pulse
keep-dev-shm
keep-shell-rc
keep-var-tmp
landlock.enforce
machine-id
memory-deny-write-execute
netfilter
@ -26,6 +27,7 @@ nonewprivs
noprinters
noroot
nosound
notpm
notv
nou2f
novideo
@ -41,7 +43,7 @@ private-tmp
quiet
restrict-namespaces
seccomp
seccomp\.block-secondary
seccomp.block-secondary
tab
tracelog
writable-etc

9
contrib/syntax/lists/profile_commands_arg1.list
View file

@ -5,11 +5,13 @@ blacklist-nolog
caps.drop
caps.keep
cpu
dbus-system
dbus-system.broadcast
dbus-system.call
dbus-system.own
dbus-system.see
dbus-system.talk
dbus-user
dbus-user.broadcast
dbus-user.call
dbus-user.own
@ -27,6 +29,11 @@ ip6
iprange
join-or-start
keep-fd
landlock.fs.execute
landlock.fs.makedev
landlock.fs.makeipc
landlock.fs.read
landlock.fs.write
mac
mkdir
mkfile
@ -68,9 +75,11 @@ seccomp.32.drop
seccomp.32.keep
seccomp.drop
seccomp.keep
shell
timeout
tmpfs
veth-name
whitelist
whitelist-ro
x11
xephyr-screen

2
contrib/syscalls.sh
View file

@ -1,6 +1,6 @@
#!/bin/bash
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# Copyright (C) 2014-2024 Firejail Authors
# License GPL v2
STRACE_OUTPUT_FILE="$(pwd)/strace_output.txt"

4
contrib/update_deb.sh
View file

@ -1,6 +1,6 @@
#!/bin/sh
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# Copyright (C) 2014-2024 Firejail Authors
# License GPL v2
# Purpose: Fetch, compile, and install firejail from GitHub source. For
@ -16,7 +16,7 @@ sed -i "s/# restricted-network .*/restricted-network yes/" \
etc/firejail.config
make deb
sudo dpkg -i firejail*.deb
sudo dpkg -i ./*.deb
echo "Firejail updated."
cd ..
rm -rf firejail

2
etc-fixes/0.9.38/firefox.profile
View file

@ -7,7 +7,7 @@ include /etc/firejail/disable-devel.inc
caps.drop all
#seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
seccomp.drop adjtimex,clock_adjtime,clock_settime,settimeofday,stime,modify_ldt,subpage_prot,switch_endian,vm86,vm86old,lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext,delete_module,finit_module,init_module,_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver,ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
seccomp.drop adjtimex,clock_adjtime,clock_settime,settimeofday,stime,modify_ldt,subpage_prot,switch_endian,vm86,vm86old,lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext,delete_module,finit_module,init_module,_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver,ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_pci_mmio_read,s390_pci_mmio_write,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
protocol unix,inet,inet6,netlink
netfilter

5
etc/apparmor/firejail-local
View file

@ -20,5 +20,8 @@
# Uncomment to opt-in to apparmor for firefox native-messaging-hosts under ${HOME}
#owner @{HOME}/.mozilla/native-messaging-hosts/** ix,
# Uncomment to opt-in to apparmor for mullvad-browser under ${HOME}
#owner @{HOME}/.local/share/mullvad-browser/** ix,
# Uncomment to opt-in to apparmor for torbrowser-launcher
#owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/** ix,
#owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser*/** ix,

8
etc/inc/allow-common-devel.inc
View file

@ -2,6 +2,10 @@
# Persistent customizations should go in a .local file.
include allow-common-devel.local
# Arduino
noblacklist ${HOME}/.arduino15
noblacklist ${HOME}/Arduino
# Git
noblacklist ${HOME}/.config/git
noblacklist ${HOME}/.gitconfig
@ -26,6 +30,9 @@ noblacklist ${HOME}/.yarn-config
noblacklist ${HOME}/.yarncache
noblacklist ${HOME}/.yarnrc
# PlatformIO
noblacklist ${HOME}/.platformio
# Python
noblacklist ${HOME}/.pylint.d
noblacklist ${HOME}/.python-history
@ -37,3 +44,4 @@ noblacklist ${HOME}/.bundle
# Rust
noblacklist ${HOME}/.cargo
noblacklist ${HOME}/.rustup

1
etc/inc/allow-lua.inc
View file

@ -8,5 +8,4 @@ noblacklist /usr/lib/liblua*
noblacklist /usr/lib/lua
noblacklist /usr/lib64/liblua*
noblacklist /usr/lib64/lua
noblacklist /usr/share/lua
noblacklist /usr/share/lua*

6
etc/inc/allow-opengl-game.inc
View file

@ -2,6 +2,12 @@
# Persistent customizations should go in a .local file.
include allow-opengl-game.local
# Explanation: Fedora (and maybe others) install a .desktop file that uses
# `Exec=foo-wrapper` instead of `Exec=foo`. Each /usr/bin/foo-wrapper is a
# symlink to /usr/bin/opengl-game-wrapper.sh, which checks hardware
# acceleration and then starts the game or notifies the user that there is a
# problem.
noblacklist ${PATH}/bash
whitelist /usr/share/opengl-games-utils/opengl-game-functions.sh
private-bin basename,bash,cut,glxinfo,grep,head,sed,zenity

3
etc/inc/allow-ssh.inc
View file

@ -6,7 +6,8 @@ noblacklist ${HOME}/.ssh
noblacklist /etc/ssh
noblacklist /etc/ssh/ssh_config
noblacklist /etc/ssh/ssh_config.d
noblacklist ${PATH}/ssh
noblacklist /etc/ssh/ssh_revoked_hosts # RevokedHostKeys on Gentoo
noblacklist ${PATH}/ssh*
noblacklist /tmp/ssh-*
# Arch Linux and derivatives
noblacklist /usr/lib/ssh

15
etc/inc/disable-X11.inc
View file

@ -2,14 +2,7 @@
# Persistent customizations should go in a .local file.
include disable-X11.local
blacklist /tmp/.X11-unix
blacklist ${HOME}/.Xauthority
blacklist ${RUNUSER}/gdm/Xauthority
blacklist ${RUNUSER}/.mutter-Xwaylandauth*
blacklist ${RUNUSER}/xauth_*
#blacklist ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]
blacklist /tmp/xauth*
blacklist /tmp/.ICE-unix
blacklist ${RUNUSER}/ICEauthority
rmenv DISPLAY
rmenv XAUTHORITY
# Warning: This file is deprecated; use disable-x11.inc (lowercase) instead.
# Redirect
include disable-x11.inc

159
etc/inc/disable-common.inc
View file

@ -33,7 +33,8 @@ blacklist-nolog ${HOME}/.viminfo
blacklist-nolog /tmp/clipmenu*
# X11 session autostart
# blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs
# this will kill --x11=xpra cmdline option for all programs
#blacklist ${HOME}/.xpra
blacklist ${HOME}/.Xsession
blacklist ${HOME}/.blackbox
blacklist ${HOME}/.config/autostart
@ -166,11 +167,19 @@ blacklist ${RUNUSER}/gnome-session-leader-fifo
blacklist ${RUNUSER}/gnome-shell
blacklist ${RUNUSER}/gsconnect
# i3 IPC socket (allows arbitrary shell script execution)
blacklist ${RUNUSER}/i3/ipc-socket.*
blacklist /tmp/i3-*/ipc-socket.*
# sway IPC socket (allows arbitrary shell script execution)
blacklist ${RUNUSER}/sway-ipc.*
blacklist /tmp/sway-ipc.*
# systemd
blacklist ${HOME}/.config/systemd
blacklist ${HOME}/.local/share/systemd
blacklist ${PATH}/systemctl
blacklist ${PATH}/systemd-run
blacklist ${PATH}/systemd*
blacklist ${RUNUSER}/systemd
blacklist /etc/credstore*
blacklist /etc/systemd/network
@ -191,6 +200,7 @@ blacklist ${HOME}/.VirtualBox
blacklist ${HOME}/VirtualBox VMs
# GNOME Boxes
blacklist ${HOME}/.cache/gnome-boxes
blacklist ${HOME}/.config/gnome-boxes
blacklist ${HOME}/.local/share/gnome-boxes
@ -241,8 +251,9 @@ blacklist /var/lib/mysql/mysql.sock
blacklist /var/lib/mysqld/mysql.sock
blacklist /var/lib/pacman
blacklist /var/lib/upower
# blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for
# every sandbox, unless --writable-var-log switch is activated
# a virtual /var/log directory (mostly empty) is build up by default for every
# sandbox, unless --writable-var-log switch is activated
#blacklist /var/log
blacklist /var/mail
blacklist /var/opt
blacklist /var/run/acpid.socket
@ -319,7 +330,7 @@ read-only ${HOME}/.zshenv
read-only ${HOME}/.zshrc
read-only ${HOME}/.zshrc.local
# Remote access
# Remote access (used only by sshd; should always be blacklisted)
blacklist ${HOME}/.rhosts
blacklist ${HOME}/.shosts
blacklist ${HOME}/.ssh/authorized_keys
@ -327,13 +338,12 @@ blacklist ${HOME}/.ssh/authorized_keys2
blacklist ${HOME}/.ssh/environment
blacklist ${HOME}/.ssh/rc
blacklist /etc/hosts.equiv
read-only ${HOME}/.ssh/config
read-only ${HOME}/.ssh/config.d
# Initialization files that allow arbitrary command execution
read-only ${HOME}/.caffrc
read-only ${HOME}/.cargo/env
read-only ${HOME}/.config/mpv
read-only ${HOME}/.config/msmtp
read-only ${HOME}/.config/nano
read-only ${HOME}/.config/nvim
read-only ${HOME}/.config/pkcs11
@ -360,6 +370,8 @@ read-only ${HOME}/.nanorc
read-only ${HOME}/.npmrc
read-only ${HOME}/.pythonrc.py
read-only ${HOME}/.reportbugrc
read-only ${HOME}/.ssh/config
read-only ${HOME}/.ssh/config.d
read-only ${HOME}/.tmux.conf
read-only ${HOME}/.vim
read-only ${HOME}/.viminfo
@ -422,6 +434,7 @@ blacklist /etc/group-
blacklist /etc/gshadow
blacklist /etc/gshadow+
blacklist /etc/gshadow-
blacklist /etc/msmtprc
blacklist /etc/passwd+
blacklist /etc/passwd-
blacklist /etc/shadow
@ -444,6 +457,7 @@ blacklist ${HOME}/.cargo/credentials.toml
blacklist ${HOME}/.cert
blacklist ${HOME}/.config/hub
blacklist ${HOME}/.config/keybase
blacklist ${HOME}/.config/msmtp
blacklist ${HOME}/.davfs2/secrets
blacklist ${HOME}/.ecryptfs
blacklist ${HOME}/.fetchmailrc
@ -502,6 +516,7 @@ blacklist /usr/sbin
# system management and various SUID executables
blacklist ${PATH}/at
blacklist ${PATH}/bmon
blacklist ${PATH}/busybox
blacklist ${PATH}/chage
blacklist ${PATH}/chfn
@ -510,69 +525,96 @@ blacklist ${PATH}/crontab
blacklist ${PATH}/doas
blacklist ${PATH}/evtest
blacklist ${PATH}/expiry
blacklist ${PATH}/fusermount
blacklist ${PATH}/fping
blacklist ${PATH}/fping6
blacklist ${PATH}/fusermount*
blacklist ${PATH}/gksu
blacklist ${PATH}/gksudo
blacklist ${PATH}/gpasswd
blacklist ${PATH}/groupmems
blacklist ${PATH}/hostname
#blacklist ${PATH}/ip # breaks --ip=dhcp
blacklist ${PATH}/kdesudo
blacklist ${PATH}/ksu
blacklist ${PATH}/mount
blacklist ${PATH}/mount.ecryptfs_private
blacklist ${PATH}/mount.*
blacklist ${PATH}/mountpoint
blacklist ${PATH}/mtr
blacklist ${PATH}/mtr-packet
blacklist ${PATH}/nc
blacklist ${PATH}/nc.openbsd
blacklist ${PATH}/nc.traditional
blacklist ${PATH}/ncat
blacklist ${PATH}/nmap
blacklist ${PATH}/netstat
blacklist ${PATH}/networkctl
blacklist ${PATH}/newgidmap
blacklist ${PATH}/newgrp
blacklist ${PATH}/newuidmap
blacklist ${PATH}/ntfs-3g
blacklist ${PATH}/pkexec
blacklist ${PATH}/procmail
blacklist ${PATH}/sg
blacklist ${PATH}/strace
blacklist ${PATH}/su
blacklist ${PATH}/sudo
blacklist ${PATH}/tcpdump
blacklist ${PATH}/umount
blacklist ${PATH}/unix_chkpwd
blacklist ${PATH}/xev
blacklist ${PATH}/xinput
# from 0.9.67
blacklist /usr/lib/openssh
blacklist /usr/lib/ssh
blacklist /usr/libexec/openssh
blacklist ${PATH}/passwd
blacklist /usr/lib/xorg/Xorg.wrap
blacklist /usr/lib/policykit-1/polkit-agent-helper-1
blacklist /usr/lib/dbus-1.0/dbus-daemon-launch-helper
blacklist /usr/lib/eject/dmcrypt-get-device
blacklist /usr/lib/chromium/chrome-sandbox
blacklist /usr/lib/opera/opera_sandbox
blacklist /usr/lib/vmware
blacklist ${PATH}/suexec
blacklist /usr/lib/squid/basic_pam_auth
blacklist ${PATH}/slock
blacklist ${PATH}/physlock
blacklist ${PATH}/schroot
blacklist ${PATH}/wshowkeys
blacklist ${PATH}/pmount
blacklist ${PATH}/pumount
blacklist ${PATH}/bmon
blacklist ${PATH}/fping
blacklist ${PATH}/fping6
blacklist ${PATH}/hostname
# blacklist ${PATH}/ip - breaks --ip=dhcp
blacklist ${PATH}/mtr
blacklist ${PATH}/mtr-packet
blacklist ${PATH}/netstat
blacklist ${PATH}/nm-online
blacklist ${PATH}/nmap
blacklist ${PATH}/nmcli
blacklist ${PATH}/nmtui
blacklist ${PATH}/nmtui-connect
blacklist ${PATH}/nmtui-edit
blacklist ${PATH}/nmtui-hostname
blacklist ${PATH}/networkctl
blacklist ${PATH}/ntfs-3g
blacklist ${PATH}/passwd
blacklist ${PATH}/physlock
blacklist ${PATH}/pkexec
blacklist ${PATH}/plocate
blacklist ${PATH}/pmount
blacklist ${PATH}/procmail
blacklist ${PATH}/pumount
blacklist ${PATH}/schroot
blacklist ${PATH}/sg
blacklist ${PATH}/slock
blacklist ${PATH}/ss
blacklist ${PATH}/ssmtp
blacklist ${PATH}/strace
blacklist ${PATH}/su
blacklist ${PATH}/sudo
blacklist ${PATH}/suexec
blacklist ${PATH}/tcpdump
blacklist ${PATH}/traceroute
blacklist ${PATH}/umount
blacklist ${PATH}/unix_chkpwd
blacklist ${PATH}/wall
blacklist ${PATH}/write
blacklist ${PATH}/wshowkeys
blacklist ${PATH}/xev
blacklist ${PATH}/xinput
blacklist /usr/lib/chromium/chrome-sandbox
blacklist /usr/lib/dbus-1.0/dbus-daemon-launch-helper
blacklist /usr/lib/eject/dmcrypt-get-device
blacklist /usr/lib/openssh
blacklist /usr/lib/opera/opera_sandbox
blacklist /usr/lib/policykit-1/polkit-agent-helper-1
blacklist /usr/lib/squid/basic_pam_auth
blacklist /usr/lib/ssh
blacklist /usr/lib/vmware
blacklist /usr/lib/xorg/Xorg.wrap
blacklist /usr/libexec/openssh
# since firejail version 0.9.73
blacklist ${PATH}/dpkg*
blacklist ${PATH}/apt*
blacklist ${PATH}/dumpcap
blacklist ${PATH}/efibootdump
blacklist ${PATH}/efibootmgr
blacklist ${PATH}/passmass
blacklist ${PATH}/proxy
blacklist ${PATH}/aa-*
blacklist ${PATH}/airscan-discover
blacklist ${PATH}/avahi*
blacklist ${PATH}/dbus-*
blacklist ${PATH}/debconf*
blacklist ${PATH}/grub-*
blacklist ${PATH}/kernel-install # from systemd package
# binaries installed by firejail
blacklist ${PATH}/firemon
blacklist ${PATH}/firecfg
blacklist ${PATH}/jailcheck
blacklist ${PATH}/firetools
# other SUID binaries
blacklist /opt/microsoft/msedge*/msedge-sandbox
@ -585,11 +627,13 @@ blacklist /tmp/.lxterminal-socket*
blacklist /tmp/tmux-*
# disable terminals running as server resulting in sandbox escape
blacklist ${PATH}/foot
blacklist ${PATH}/footserver
blacklist ${PATH}/gnome-terminal
blacklist ${PATH}/gnome-terminal.wrapper
blacklist ${PATH}/kgx
# blacklist ${PATH}/konsole
# konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
#blacklist ${PATH}/konsole
blacklist ${PATH}/lilyterm
blacklist ${PATH}/lxterminal
blacklist ${PATH}/mate-terminal
@ -640,6 +684,10 @@ blacklist /usr/lib/snapd
blacklist /var/lib/snapd
blacklist /var/snap
# bubblejail
blacklist ${HOME}/.config/bubblejail
blacklist ${HOME}/.local/share/bubblejail
# mail directories used by mutt
blacklist ${HOME}/.Mail
blacklist ${HOME}/.mail
@ -653,10 +701,13 @@ blacklist ${HOME}/sent
blacklist /proc/config.gz
# prevent DNS malware attempting to communicate with the server using regular DNS tools
blacklist ${PATH}/delv
blacklist ${PATH}/dig
blacklist ${PATH}/dlint
blacklist ${PATH}/dns2tcp
blacklist ${PATH}/dnssec-*
blacklist ${PATH}/dnstap-read
blacklist ${PATH}/mdig
blacklist ${PATH}/dnswalk
blacklist ${PATH}/drill
blacklist ${PATH}/host
@ -667,12 +718,14 @@ blacklist ${PATH}/knsupdate
blacklist ${PATH}/ldns-*
blacklist ${PATH}/ldnsd
blacklist ${PATH}/nslookup
blacklist ${PATH}/nsupdate
blacklist ${PATH}/nstat
blacklist ${PATH}/resolvectl
blacklist ${PATH}/unbound-host
# prevent an intruder to guess passwords using regular network tools
blacklist ${PATH}/ftp
blacklist ${PATH}/ssh
blacklist ${PATH}/ssh*
blacklist ${PATH}/telnet
# rest of ${RUNUSER}

61
etc/inc/disable-devel.inc
View file

@ -4,32 +4,70 @@ include disable-devel.local
# development tools
# autoconf/automake
blacklist ${PATH}/aclocal*
blacklist ${PATH}/autoconf
blacklist ${PATH}/autoheader
blacklist ${PATH}/autom4te
blacklist ${PATH}/automake*
blacklist ${PATH}/autoreconf
blacklist ${PATH}/autoscan
blacklist ${PATH}/autoupdate
blacklist ${PATH}/ifnames
blacklist ${PATH}/m4
# patch
blacklist ${PATH}/elfedit
blacklist ${PATH}/espdiff
blacklist ${PATH}/patch
blacklist ${PATH}/patchview
# packaging
blacklist ${PATH}/dh_*
blacklist ${PATH}/fakeroot*
blacklist ${PATH}/lintian
# expect
blacklist ${PATH}/autoexpect
blacklist ${PATH}/expect*
# clang/llvm
blacklist ${PATH}/analyze-build*
blacklist ${PATH}/asan_symbolize*
blacklist ${PATH}/bugpoint*
blacklist ${PATH}/c-index-test*
blacklist ${PATH}/clang*
blacklist ${PATH}/llc*
blacklist ${PATH}/lldb*
blacklist ${PATH}/lli*
blacklist ${PATH}/llvm*
blacklist ${PATH}/scan-build
# see issue #2106 - it disables hardware acceleration in Firefox on Radeon GPU
# blacklist /usr/lib/llvm*
#blacklist /usr/lib/llvm*
# GCC
blacklist ${PATH}/*-g++*
blacklist ${PATH}/*-gcc*
blacklist ${PATH}/as
blacklist ${PATH}/cc
blacklist ${PATH}/c++*
blacklist ${PATH}/c8*
blacklist ${PATH}/c9*
blacklist ${PATH}/cc
blacklist ${PATH}/cpp*
blacklist ${PATH}/elfedit
blacklist ${PATH}/g++*
blacklist ${PATH}/gcc*
blacklist ${PATH}/gcov*
blacklist ${PATH}/gdb
blacklist ${PATH}/gmake
blacklist ${PATH}/ld
blacklist ${PATH}/*-gcc*
blacklist ${PATH}/*-g++*
blacklist ${PATH}/*-gcc*
blacklist ${PATH}/*-g++*
blacklist ${PATH}/make
blacklist ${PATH}/make-first-existing-target
blacklist ${PATH}/x86_64-linux-gnu-*
# seems to create problems on Gentoo
#blacklist /usr/lib/gcc
#Go
# Go
blacklist ${PATH}/gccgo
blacklist ${PATH}/go
blacklist ${PATH}/gofmt
@ -48,15 +86,14 @@ blacklist ${PATH}/scala3-compiler
blacklist ${PATH}/scala3-repl
blacklist ${PATH}/scalac
#OpenSSL
# OpenSSL
blacklist ${PATH}/openssl
blacklist ${PATH}/openssl-1.0
#Rust
# Rust
blacklist ${PATH}/rust-gdb
blacklist ${PATH}/rust-lldb
blacklist ${PATH}/rustc
blacklist ${HOME}/.rustup
# tcc - Tiny C Compiler
blacklist ${PATH}/tcc
@ -68,7 +105,7 @@ blacklist ${PATH}/valgrind*
blacklist /usr/lib/valgrind
# Source-Code
blacklist /usr/src
blacklist /usr/local/src
blacklist /usr/include
blacklist /usr/local/include
blacklist /usr/local/src
blacklist /usr/src

3
etc/inc/disable-interpreters.inc
View file

@ -44,8 +44,7 @@ blacklist /usr/share/perl*
# it is needed so that Firefox can run applications with Terminal=true in
# their .desktop file (depending on what is installed). The reason is that
# this is done via glib, which currently uses a hardcoded list of terminal
# emulators:
# https://gitlab.gnome.org/GNOME/glib/-/issues/338
# emulators: https://gitlab.gnome.org/GNOME/glib/-/issues/338.
# And in this list, rxvt comes before xterm.
blacklist ${PATH}/rxvt

72
etc/inc/disable-programs.inc
View file

@ -22,13 +22,14 @@ blacklist ${HOME}/.Steampid
blacklist ${HOME}/.TelegramDesktop
blacklist ${HOME}/.VSCodium
blacklist ${HOME}/.ViberPC
blacklist ${HOME}/.VirtualBox
blacklist ${HOME}/.WebStorm*
blacklist ${HOME}/.Wolfram Research
blacklist ${HOME}/.ZAP
blacklist ${HOME}/.aMule
blacklist ${HOME}/.abook
blacklist ${HOME}/.addressbook
blacklist ${HOME}/.alienblaster
blacklist ${HOME}/.alienblaster_highscore
blacklist ${HOME}/.alpine-smime
blacklist ${HOME}/.ammonite
blacklist ${HOME}/.android
@ -44,6 +45,7 @@ blacklist ${HOME}/.attic
blacklist ${HOME}/.audacity-data
blacklist ${HOME}/.avidemux3
blacklist ${HOME}/.avidemux6
blacklist ${HOME}/.axelrc
blacklist ${HOME}/.ballbuster.hs
blacklist ${HOME}/.balsa
blacklist ${HOME}/.bcast5
@ -79,6 +81,7 @@ blacklist ${HOME}/.cache/PawelStolowski
blacklist ${HOME}/.cache/Psi
blacklist ${HOME}/.cache/QuiteRss
blacklist ${HOME}/.cache/Quotient/quaternion
blacklist ${HOME}/.cache/RawTherapee
blacklist ${HOME}/.cache/Shortwave
blacklist ${HOME}/.cache/Tox
blacklist ${HOME}/.cache/Zeal
@ -97,6 +100,7 @@ blacklist ${HOME}/.cache/cantata
blacklist ${HOME}/.cache/champlain
blacklist ${HOME}/.cache/chromium
blacklist ${HOME}/.cache/chromium-dev
blacklist ${HOME}/.cache/claws-mail
blacklist ${HOME}/.cache/cliqz
blacklist ${HOME}/.cache/com.github.johnfactotum.Foliate
blacklist ${HOME}/.cache/darktable
@ -112,6 +116,7 @@ blacklist ${HOME}/.cache/falkon
blacklist ${HOME}/.cache/feedreader
blacklist ${HOME}/.cache/firedragon
blacklist ${HOME}/.cache/flaska.net/trojita
blacklist ${HOME}/.cache/floorp
blacklist ${HOME}/.cache/folks
blacklist ${HOME}/.cache/font-manager
blacklist ${HOME}/.cache/fossamail
@ -124,7 +129,6 @@ blacklist ${HOME}/.cache/geeqie
blacklist ${HOME}/.cache/gegl-0.4
blacklist ${HOME}/.cache/gfeeds
blacklist ${HOME}/.cache/gimp
blacklist ${HOME}/.cache/gnome-boxes
blacklist ${HOME}/.cache/gnome-builder
blacklist ${HOME}/.cache/gnome-control-center
blacklist ${HOME}/.cache/gnome-recipes
@ -137,11 +141,13 @@ blacklist ${HOME}/.cache/google-chrome-beta
blacklist ${HOME}/.cache/google-chrome-unstable
blacklist ${HOME}/.cache/gradio
blacklist ${HOME}/.cache/gummi
blacklist ${HOME}/.cache/hashcat
blacklist ${HOME}/.cache/icedove
blacklist ${HOME}/.cache/inkscape
blacklist ${HOME}/.cache/inox
blacklist ${HOME}/.cache/io.github.lainsce.Notejot
blacklist ${HOME}/.cache/iridium
blacklist ${HOME}/.cache/journal-viewer
blacklist ${HOME}/.cache/kcmshell5
blacklist ${HOME}/.cache/kdenlive
blacklist ${HOME}/.cache/keepassxc
@ -156,6 +162,7 @@ blacklist ${HOME}/.cache/ksplashqml
blacklist ${HOME}/.cache/kube
blacklist ${HOME}/.cache/kwin
blacklist ${HOME}/.cache/lbry-viewer
blacklist ${HOME}/.cache/lettura
blacklist ${HOME}/.cache/libgweather
blacklist ${HOME}/.cache/librewolf
blacklist ${HOME}/.cache/liferea
@ -171,6 +178,7 @@ blacklist ${HOME}/.cache/mirage
blacklist ${HOME}/.cache/moonchild productions/basilisk
blacklist ${HOME}/.cache/moonchild productions/pale moon
blacklist ${HOME}/.cache/mozilla
blacklist ${HOME}/.cache/mpv
blacklist ${HOME}/.cache/ms-excel-online
blacklist ${HOME}/.cache/ms-office-online
blacklist ${HOME}/.cache/ms-onenote-online
@ -178,10 +186,12 @@ blacklist ${HOME}/.cache/ms-outlook-online
blacklist ${HOME}/.cache/ms-powerpoint-online
blacklist ${HOME}/.cache/ms-skype-online
blacklist ${HOME}/.cache/ms-word-online
blacklist ${HOME}/.cache/mullvad/mullvadbrowser
blacklist ${HOME}/.cache/mutt
blacklist ${HOME}/.cache/mypaint
blacklist ${HOME}/.cache/netsurf
blacklist ${HOME}/.cache/nheko
blacklist ${HOME}/.cache/nhex
blacklist ${HOME}/.cache/nvim
blacklist ${HOME}/.cache/ocenaudio
blacklist ${HOME}/.cache/okular
@ -218,10 +228,12 @@ blacklist ${HOME}/.cache/supertuxkart
blacklist ${HOME}/.cache/systemsettings
blacklist ${HOME}/.cache/telepathy
blacklist ${HOME}/.cache/thunderbird
blacklist ${HOME}/.cache/tiny-rdm
blacklist ${HOME}/.cache/torbrowser
blacklist ${HOME}/.cache/transmission
blacklist ${HOME}/.cache/ueberzugpp
blacklist ${HOME}/.cache/ungoogled-chromium
blacklist ${HOME}/.cache/virt-manager
blacklist ${HOME}/.cache/vivaldi
blacklist ${HOME}/.cache/vivaldi-snapshot
blacklist ${HOME}/.cache/vlc
@ -249,6 +261,7 @@ blacklist ${HOME}/.clonk
blacklist ${HOME}/.config/0ad
blacklist ${HOME}/.config/1Password
blacklist ${HOME}/.config/2048-qt
blacklist ${HOME}/.config/ArmCord
blacklist ${HOME}/.config/Atom
blacklist ${HOME}/.config/Audaciousrc
blacklist ${HOME}/.config/Authenticator
@ -331,21 +344,24 @@ blacklist ${HOME}/.config/QuiteRssrc
blacklist ${HOME}/.config/Quotient
blacklist ${HOME}/.config/RSS Guard 4
blacklist ${HOME}/.config/Rambox
blacklist ${HOME}/.config/RawTherapee
blacklist ${HOME}/.config/Riot
blacklist ${HOME}/.config/Rocket.Chat
blacklist ${HOME}/.config/RogueLegacy
blacklist ${HOME}/.config/RogueLegacyStorageContainer
blacklist ${HOME}/.config/Seafile
blacklist ${HOME}/.config/Session
blacklist ${HOME}/.config/Signal
blacklist ${HOME}/.config/Sinew Software Systems
blacklist ${HOME}/.config/Slack
blacklist ${HOME}/.config/Standard Notes
blacklist ${HOME}/.config/SubDownloader
blacklist ${HOME}/.config/Thunar
blacklist ${HOME}/.config/TinyRDM
blacklist ${HOME}/.config/Twitch
blacklist ${HOME}/.config/UNDERTALE
blacklist ${HOME}/.config/Unknown Organization
blacklist ${HOME}/.config/VSCodium
blacklist ${HOME}/.config/VirtualBox
blacklist ${HOME}/.config/Whalebird
blacklist ${HOME}/.config/Wire
blacklist ${HOME}/.config/Youtube
@ -382,6 +398,7 @@ blacklist ${HOME}/.config/borg
blacklist ${HOME}/.config/brasero
blacklist ${HOME}/.config/brave
blacklist ${HOME}/.config/brave-flags.conf
blacklist ${HOME}/.config/breezy
blacklist ${HOME}/.config/caja
blacklist ${HOME}/.config/calibre
blacklist ${HOME}/.config/cantata
@ -403,11 +420,14 @@ blacklist ${HOME}/.config/cliqz
blacklist ${HOME}/.config/cmus
blacklist ${HOME}/.config/cointop
blacklist ${HOME}/.config/com.github.bleakgrey.tootle
blacklist ${HOME}/.config/com.lettura.dev
blacklist ${HOME}/.config/corebird
blacklist ${HOME}/.config/coyim
blacklist ${HOME}/.config/curlrc
blacklist ${HOME}/.config/d-feet
blacklist ${HOME}/.config/darktable
blacklist ${HOME}/.config/deadbeef
blacklist ${HOME}/.config/deadlink
blacklist ${HOME}/.config/deluge
blacklist ${HOME}/.config/devilspie2
blacklist ${HOME}/.config/digikam
@ -440,6 +460,7 @@ blacklist ${HOME}/.config/flaska.net
blacklist ${HOME}/.config/flowblade
blacklist ${HOME}/.config/font-manager
blacklist ${HOME}/.config/freecol
blacklist ${HOME}/.config/fyne
blacklist ${HOME}/.config/gajim
blacklist ${HOME}/.config/galculator
blacklist ${HOME}/.config/gallery-dl
@ -449,6 +470,7 @@ blacklist ${HOME}/.config/geany
blacklist ${HOME}/.config/geary
blacklist ${HOME}/.config/gedit
blacklist ${HOME}/.config/geeqie
blacklist ${HOME}/.config/gh
blacklist ${HOME}/.config/ghb
blacklist ${HOME}/.config/ghostwriter
blacklist ${HOME}/.config/git
@ -471,6 +493,8 @@ blacklist ${HOME}/.config/google-chrome
blacklist ${HOME}/.config/google-chrome-beta
blacklist ${HOME}/.config/google-chrome-unstable
blacklist ${HOME}/.config/gpicview
blacklist ${HOME}/.config/gramps
blacklist ${HOME}/.config/green-recorder
blacklist ${HOME}/.config/gthumb
blacklist ${HOME}/.config/gummi
blacklist ${HOME}/.config/guvcview2
@ -514,6 +538,7 @@ blacklist ${HOME}/.config/kmplayerrc
blacklist ${HOME}/.config/knotesrc
blacklist ${HOME}/.config/konversation.notifyrc
blacklist ${HOME}/.config/konversationrc
blacklist ${HOME}/.config/koreader
blacklist ${HOME}/.config/kritarc
blacklist ${HOME}/.config/ktorrentrc
blacklist ${HOME}/.config/ktouch2rc
@ -546,10 +571,12 @@ blacklist ${HOME}/.config/midori
blacklist ${HOME}/.config/mirage
blacklist ${HOME}/.config/monero-project
blacklist ${HOME}/.config/mono
blacklist ${HOME}/.config/mov-cli
blacklist ${HOME}/.config/mpDris2
blacklist ${HOME}/.config/mpd
blacklist ${HOME}/.config/mps-youtube
blacklist ${HOME}/.config/mpv
blacklist ${HOME}/.config/mullvad-browser-flags.conf
blacklist ${HOME}/.config/mupen64plus
blacklist ${HOME}/.config/mutt
blacklist ${HOME}/.config/mutter
@ -569,6 +596,7 @@ blacklist ${HOME}/.config/nomacs
blacklist ${HOME}/.config/nuclear
blacklist ${HOME}/.config/nvim
blacklist ${HOME}/.config/obs-studio
blacklist ${HOME}/.config/obsidian
blacklist ${HOME}/.config/okularpartrc
blacklist ${HOME}/.config/okularrc
blacklist ${HOME}/.config/onboard
@ -615,12 +643,14 @@ blacklist ${HOME}/.config/scribus
blacklist ${HOME}/.config/scribusrc
blacklist ${HOME}/.config/sendgmail
blacklist ${HOME}/.config/sinew.in
blacklist ${HOME}/.config/singularity
blacklist ${HOME}/.config/sink
blacklist ${HOME}/.config/skypeforlinux
blacklist ${HOME}/.config/slimjet
blacklist ${HOME}/.config/smplayer
blacklist ${HOME}/.config/smtube
blacklist ${HOME}/.config/smuxi
blacklist ${HOME}/.config/sniffnet
blacklist ${HOME}/.config/snox
blacklist ${HOME}/.config/sound-juicer
blacklist ${HOME}/.config/specialmailcollectionsrc
@ -636,6 +666,7 @@ blacklist ${HOME}/.config/synfig
blacklist ${HOME}/.config/teams
blacklist ${HOME}/.config/teams-for-linux
blacklist ${HOME}/.config/telepathy-account-widgets
blacklist ${HOME}/.config/textroom
blacklist ${HOME}/.config/torbrowser
blacklist ${HOME}/.config/totem
blacklist ${HOME}/.config/tox
@ -646,6 +677,7 @@ blacklist ${HOME}/.config/tuir
blacklist ${HOME}/.config/tuta_integration
blacklist ${HOME}/.config/tutanota-desktop
blacklist ${HOME}/.config/tvbrowser
blacklist ${HOME}/.config/tvnamer
blacklist ${HOME}/.config/uGet
blacklist ${HOME}/.config/ueberzugpp
blacklist ${HOME}/.config/ungoogled-chromium
@ -699,8 +731,10 @@ blacklist ${HOME}/.dillo
blacklist ${HOME}/.dooble
blacklist ${HOME}/.dosbox
blacklist ${HOME}/.dropbox*
blacklist ${HOME}/.dvdcss
blacklist ${HOME}/.easystroke
blacklist ${HOME}/.electron-cache
blacklist ${HOME}/.electron-cash
blacklist ${HOME}/.electrum*
blacklist ${HOME}/.elinks
blacklist ${HOME}/.emacs
@ -708,8 +742,10 @@ blacklist ${HOME}/.emacs.d
blacklist ${HOME}/.equalx
blacklist ${HOME}/.ethereum
blacklist ${HOME}/.etr
blacklist ${HOME}/.factorio
blacklist ${HOME}/.filezilla
blacklist ${HOME}/.firedragon
blacklist ${HOME}/.floorp
blacklist ${HOME}/.flowblade
blacklist ${HOME}/.fltk
blacklist ${HOME}/.fossamail
@ -743,6 +779,7 @@ blacklist ${HOME}/.i2p
blacklist ${HOME}/.icedove
blacklist ${HOME}/.imagej
blacklist ${HOME}/.inkscape
blacklist ${HOME}/.irssi
blacklist ${HOME}/.itch
blacklist ${HOME}/.ivy2
blacklist ${HOME}/.jack-server
@ -825,6 +862,8 @@ blacklist ${HOME}/.klatexformula
blacklist ${HOME}/.klei
blacklist ${HOME}/.kodi
blacklist ${HOME}/.lastpass
blacklist ${HOME}/.lbreakouthd
blacklist ${HOME}/.lettura
blacklist ${HOME}/.librewolf
blacklist ${HOME}/.lincity-ng
blacklist ${HOME}/.links
@ -836,6 +875,7 @@ blacklist ${HOME}/.local/lib/vivaldi
blacklist ${HOME}/.local/share/0ad
blacklist ${HOME}/.local/share/3909/PapersPlease
blacklist ${HOME}/.local/share/Anki2
blacklist ${HOME}/.local/share/Baba_Is_You
blacklist ${HOME}/.local/share/Colossal Order
blacklist ${HOME}/.local/share/Dredmor
blacklist ${HOME}/.local/share/Empathy
@ -895,6 +935,8 @@ blacklist ${HOME}/.local/share/cdprojektred
blacklist ${HOME}/.local/share/chatterino
blacklist ${HOME}/.local/share/clipit
blacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate
blacklist ${HOME}/.local/share/com.lettura.dev
blacklist ${HOME}/.local/share/com.vmingueza.journal-viewer
blacklist ${HOME}/.local/share/contacts
blacklist ${HOME}/.local/share/cor-games
blacklist ${HOME}/.local/share/data/Mendeley Ltd.
@ -903,6 +945,7 @@ blacklist ${HOME}/.local/share/data/MusE
blacklist ${HOME}/.local/share/data/MuseScore
blacklist ${HOME}/.local/share/data/nomacs
blacklist ${HOME}/.local/share/data/qBittorrent
blacklist ${HOME}/.local/share/dev.nhex
blacklist ${HOME}/.local/share/dino
blacklist ${HOME}/.local/share/dolphin
blacklist ${HOME}/.local/share/dolphin-emu
@ -912,6 +955,8 @@ blacklist ${HOME}/.local/share/evolution
blacklist ${HOME}/.local/share/feedreader
blacklist ${HOME}/.local/share/feral-interactive
blacklist ${HOME}/.local/share/five-or-more
blacklist ${HOME}/.local/share/fluffychat
blacklist ${HOME}/.local/share/fractal
blacklist ${HOME}/.local/share/freecol
blacklist ${HOME}/.local/share/gajim
blacklist ${HOME}/.local/share/gdfuse
@ -920,7 +965,6 @@ blacklist ${HOME}/.local/share/geeqie
blacklist ${HOME}/.local/share/ghostwriter
blacklist ${HOME}/.local/share/gitg
blacklist ${HOME}/.local/share/gnome-2048
blacklist ${HOME}/.local/share/gnome-boxes
blacklist ${HOME}/.local/share/gnome-builder
blacklist ${HOME}/.local/share/gnome-chess
blacklist ${HOME}/.local/share/gnome-klotski
@ -938,6 +982,7 @@ blacklist ${HOME}/.local/share/gnote
blacklist ${HOME}/.local/share/godot
blacklist ${HOME}/.local/share/gradio
blacklist ${HOME}/.local/share/gwenview
blacklist ${HOME}/.local/share/hashcat
blacklist ${HOME}/.local/share/i2p
blacklist ${HOME}/.local/share/io.github.lainsce.Notejot
blacklist ${HOME}/.local/share/jami
@ -964,6 +1009,7 @@ blacklist ${HOME}/.local/share/liferea
blacklist ${HOME}/.local/share/linphone
blacklist ${HOME}/.local/share/lobster
blacklist ${HOME}/.local/share/local-mail
blacklist ${HOME}/.local/share/localsend_app
blacklist ${HOME}/.local/share/lollypop
blacklist ${HOME}/.local/share/love
blacklist ${HOME}/.local/share/lugaru
@ -977,6 +1023,7 @@ blacklist ${HOME}/.local/share/meld
blacklist ${HOME}/.local/share/midori
blacklist ${HOME}/.local/share/minder
blacklist ${HOME}/.local/share/mirage
blacklist ${HOME}/.local/share/mullvad-browser
blacklist ${HOME}/.local/share/multimc
blacklist ${HOME}/.local/share/multimc5
blacklist ${HOME}/.local/share/mupen64plus
@ -999,6 +1046,7 @@ blacklist ${HOME}/.local/share/orage
blacklist ${HOME}/.local/share/org.kde.gwenview
blacklist ${HOME}/.local/share/pix
blacklist ${HOME}/.local/share/plasma_notes
blacklist ${HOME}/.local/share/pnpm
blacklist ${HOME}/.local/share/profanity
blacklist ${HOME}/.local/share/psi
blacklist ${HOME}/.local/share/psi+
@ -1012,14 +1060,17 @@ blacklist ${HOME}/.local/share/rtv
blacklist ${HOME}/.local/share/scribus
blacklist ${HOME}/.local/share/shotwell
blacklist ${HOME}/.local/share/signal-cli
blacklist ${HOME}/.local/share/singularity
blacklist ${HOME}/.local/share/sink
blacklist ${HOME}/.local/share/smuxi
blacklist ${HOME}/.local/share/spotify
blacklist ${HOME}/.local/share/sqlitebrowser
blacklist ${HOME}/.local/share/steam
blacklist ${HOME}/.local/share/strawberry
blacklist ${HOME}/.local/share/supertux2
blacklist ${HOME}/.local/share/supertuxkart
blacklist ${HOME}/.local/share/swell-foop
blacklist ${HOME}/.local/share/telegram-desktop
blacklist ${HOME}/.local/share/telepathy
blacklist ${HOME}/.local/share/terasology
blacklist ${HOME}/.local/share/torbrowser
@ -1040,6 +1091,7 @@ blacklist ${HOME}/.local/share/xreader
blacklist ${HOME}/.local/share/zathura
blacklist ${HOME}/.local/state/ani-cli
blacklist ${HOME}/.local/state/audacity
blacklist ${HOME}/.local/state/mpv
blacklist ${HOME}/.local/state/pipewire
blacklist ${HOME}/.lv2
blacklist ${HOME}/.lyx
@ -1061,7 +1113,7 @@ blacklist ${HOME}/.mp3splt-gtk
blacklist ${HOME}/.mpd
blacklist ${HOME}/.mpdconf
blacklist ${HOME}/.mplayer
blacklist ${HOME}/.msmtprc
blacklist ${HOME}/.mullvad/mullvadbrowser
blacklist ${HOME}/.multimc5
blacklist ${HOME}/.nanorc
blacklist ${HOME}/.netactview
@ -1103,6 +1155,7 @@ blacklist ${HOME}/.pinerc
blacklist ${HOME}/.pinercex
blacklist ${HOME}/.pingus
blacklist ${HOME}/.pioneer
blacklist ${HOME}/.platformio
blacklist ${HOME}/.prey
blacklist ${HOME}/.purple
blacklist ${HOME}/.pylint.d
@ -1117,6 +1170,7 @@ blacklist ${HOME}/.repo_.gitconfig.json
blacklist ${HOME}/.repoconfig
blacklist ${HOME}/.retroshare
blacklist ${HOME}/.ripperXrc
blacklist ${HOME}/.rustup
blacklist ${HOME}/.sbt
blacklist ${HOME}/.scorched3d
blacklist ${HOME}/.scribus
@ -1149,6 +1203,7 @@ blacklist ${HOME}/.torcs
blacklist ${HOME}/.tremulous
blacklist ${HOME}/.ts3client
blacklist ${HOME}/.tuxguitar*
blacklist ${HOME}/.tuxtype
blacklist ${HOME}/.tvbrowser
blacklist ${HOME}/.unknown-horizons
blacklist ${HOME}/.viking
@ -1195,6 +1250,8 @@ blacklist ${HOME}/SoftMaker
blacklist ${HOME}/Standard Notes Backups
blacklist ${HOME}/TeamSpeak3-Client-linux_amd64
blacklist ${HOME}/TeamSpeak3-Client-linux_x86
blacklist ${HOME}/UpdateInfo
blacklist ${HOME}/Zomboid
blacklist ${HOME}/hyperrogue.ini
blacklist ${HOME}/i2p
blacklist ${HOME}/mps
@ -1204,11 +1261,16 @@ blacklist ${HOME}/yt-dlp.conf
blacklist ${HOME}/yt-dlp.conf.txt
blacklist ${RUNUSER}/*firefox*
blacklist ${RUNUSER}/akonadi
blacklist ${RUNUSER}/i3
blacklist ${RUNUSER}/psd/*firefox*
blacklist ${RUNUSER}/qutebrowser
blacklist /etc/clamav
blacklist /etc/ssmtp
blacklist /tmp/.wine-*
blacklist /tmp/akonadi-*
blacklist /tmp/evolution-*
blacklist /tmp/i3-*
blacklist /tmp/lwjgl_*
blacklist /var/games/nethack
blacklist /var/games/slashem
blacklist /var/games/vulturesclaw

15
etc/inc/disable-x11.inc Normal file
View file

@ -0,0 +1,15 @@
# This file is overwritten during software install.
# Persistent customizations should go in a .local file.
include disable-x11.local
blacklist /tmp/.X11-unix
blacklist ${HOME}/.Xauthority
blacklist ${RUNUSER}/gdm/Xauthority
blacklist ${RUNUSER}/.mutter-Xwaylandauth*
blacklist ${RUNUSER}/xauth_*
#blacklist ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]
blacklist /tmp/xauth*
blacklist /tmp/.ICE-unix
blacklist ${RUNUSER}/ICEauthority
rmenv DISPLAY
rmenv XAUTHORITY

31
etc/inc/landlock-common.inc Normal file
View file

@ -0,0 +1,31 @@
# This file is overwritten during software install.
# Persistent customizations should go in a .local file.
include landlock-common.local
landlock.fs.read / # whole system read
landlock.fs.read /proc
landlock.fs.makeipc / # sockets etc.
# write access
landlock.fs.write ${HOME}
landlock.fs.write ${RUNUSER}
landlock.fs.write /dev
landlock.fs.write /proc
landlock.fs.write /run/shm
landlock.fs.write /tmp
# exec access
## misc
landlock.fs.execute ${PATH}
landlock.fs.execute /opt
landlock.fs.execute /run/firejail # appimage and various firejail features
## lib
landlock.fs.execute /lib
landlock.fs.execute /lib32
landlock.fs.execute /libx32
landlock.fs.execute /lib64
landlock.fs.execute /usr/lib
landlock.fs.execute /usr/lib32
landlock.fs.execute /usr/libx32
landlock.fs.execute /usr/lib64
landlock.fs.execute /usr/local/lib

1
etc/inc/whitelist-usr-share-common.inc
View file

@ -40,6 +40,7 @@ whitelist /usr/share/kxmlgui5
whitelist /usr/share/libdrm
whitelist /usr/share/libthai
whitelist /usr/share/locale
whitelist /usr/share/locale-langpack
whitelist /usr/share/mime
whitelist /usr/share/misc
whitelist /usr/share/Modules

1
etc/inc/whitelist-var-common.inc
View file

@ -13,3 +13,4 @@ whitelist /var/cache/fontconfig
whitelist /var/tmp
whitelist /var/run
whitelist /var/lock
whitelist /var/games

3
etc/profile-a-l/0ad.profile
View file

@ -10,6 +10,9 @@ noblacklist ${HOME}/.cache/0ad
noblacklist ${HOME}/.config/0ad
noblacklist ${HOME}/.local/share/0ad
# Allow gjs (blacklisted by disable-interpreters.inc)
include allow-gjs.inc
blacklist /usr/libexec
include disable-common.inc

2
etc/profile-a-l/1password.profile
View file

@ -13,7 +13,7 @@ whitelist ${HOME}/.config/1Password
private-etc @tls-ca
# Needed for keychain things, talking to Firefox, possibly other things? Not sure how to narrow down
# Needed for keychain things, talking to Firefox, possibly other things?
ignore dbus-user none
# Redirect

4
etc/profile-a-l/abiword.profile
View file

@ -44,7 +44,7 @@ private-dev
private-etc @x11
private-tmp
# dbus-user none
# dbus-system none
#dbus-user none
#dbus-system none
restrict-namespaces

4
etc/profile-a-l/abrowser.profile
View file

@ -12,9 +12,9 @@ mkdir ${HOME}/.cache/mozilla/abrowser
mkdir ${HOME}/.mozilla
whitelist ${HOME}/.cache/mozilla/abrowser
whitelist ${HOME}/.mozilla
whitelist /usr/share/abrowser
# private-etc must first be enabled in firefox-common.profile
#private-etc abrowser
private-etc abrowser
# Redirect
include firefox-common.profile

2
etc/profile-a-l/agetpkg.profile
View file

@ -7,7 +7,6 @@ include agetpkg.local
# Persistent global definitions
include globals.local
blacklist /tmp/.X11-unix
blacklist ${RUNUSER}/wayland-*
# Allow python (blacklisted by disable-interpreters.inc)
@ -20,6 +19,7 @@ include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-shell.inc
include disable-x11.inc
include disable-xdg.inc
whitelist ${DOWNLOADS}

12
etc/profile-a-l/akonadi_control.profile
View file

@ -34,7 +34,7 @@ include whitelist-var-common.inc
# disabled options below are not compatible with the apparmor profile for mysqld-akonadi.
# this affects ubuntu and debian currently
# apparmor
#apparmor
caps.drop all
ipc-namespace
netfilter
@ -42,17 +42,17 @@ no3d
nodvd
nogroups
noinput
# nonewprivs
#nonewprivs
noroot
nosound
notv
nou2f
novideo
# protocol unix,inet,inet6,netlink
# seccomp !io_destroy,!io_getevents,!io_setup,!io_submit,!ioprio_set
#protocol unix,inet,inet6,netlink
#seccomp !io_destroy,!io_getevents,!io_setup,!io_submit,!ioprio_set
tracelog
private-dev
# private-tmp - breaks programs that depend on akonadi
#private-tmp # breaks programs that depend on akonadi
# restrict-namespaces
#restrict-namespaces

2
etc/profile-a-l/akregator.profile
View file

@ -49,4 +49,4 @@ private-dev
private-tmp
deterministic-shutdown
# restrict-namespaces
#restrict-namespaces

3
etc/profile-a-l/alacarte.profile
View file

@ -21,7 +21,6 @@ include disable-xdg.inc
whitelist /usr/share/alacarte
whitelist /usr/share/app-info
whitelist /usr/share/desktop-directories
whitelist /usr/share/icons
whitelist /var/lib/app-info/icons
whitelist /var/lib/flatpak/exports/share/applications
whitelist /var/lib/flatpak/exports/share/icons
@ -49,7 +48,7 @@ seccomp.block-secondary
tracelog
disable-mnt
# private-bin alacarte,bash,python*,sh
#private-bin alacarte,bash,python*,sh
private-cache
private-dev
private-etc @tls-ca,@x11,mime.types

1
etc/profile-a-l/alienarena-wrapper.profile
View file

@ -6,6 +6,7 @@ include alienarena-wrapper.local
# added by included profile
#include globals.local
# Allow opengl-game wrapper script (distribution-specific)
include allow-opengl-game.inc
private-bin alienarena-wrapper

55
etc/profile-a-l/alienblaster.profile Normal file
View file

@ -0,0 +1,55 @@
# Firejail profile for alienblaster
# Persistent local customizations
include alienblaster.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.alienblaster
noblacklist ${HOME}/.alienblaster_highscore
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-xdg.inc
mkdir ${HOME}/.alienblaster
mkfile ${HOME}/.alienblaster_highscore
whitelist ${HOME}/.alienblaster
whitelist ${HOME}/.alienblaster_highscore
whitelist ${RUNUSER}/pulse
whitelist /usr/share/games/alienblaster
whitelist /usr/share/timidity
include whitelist-common.inc
include whitelist-run-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
apparmor
caps.drop all
ipc-namespace
netfilter
net none
nodvd
noinput
nonewprivs
noroot
notv
nou2f
novideo
protocol unix
seccomp
tracelog
disable-mnt
private-dev
private-etc @games,@sound,@x11
private-tmp
dbus-user none
dbus-system none
memory-deny-write-execute
restrict-namespaces

2
etc/profile-a-l/alpine.profile
View file

@ -30,7 +30,6 @@ noblacklist ${HOME}/.pinercex
noblacklist ${HOME}/.signature
noblacklist ${HOME}/mail
blacklist /tmp/.X11-unix
blacklist ${RUNUSER}/wayland-*
include disable-common.inc
@ -39,6 +38,7 @@ include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-shell.inc
include disable-x11.inc
include disable-xdg.inc
#whitelist ${DOCUMENTS}

8
etc/profile-a-l/amarok.profile
View file

@ -26,11 +26,11 @@ notv
nou2f
novideo
protocol unix,inet,inet6
# seccomp
#seccomp
# private-bin amarok
#private-bin amarok
private-dev
# private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,resolv.conf,ssl
#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,resolv.conf,ssl
private-tmp
dbus-user filter
@ -45,4 +45,4 @@ dbus-user.talk org.freedesktop.Notifications
#dbus-user.talk org.kde.knotify
dbus-system none
# restrict-namespaces
#restrict-namespaces

2
etc/profile-a-l/android-studio.profile
View file

@ -36,7 +36,7 @@ protocol unix,inet,inet6
seccomp
private-cache
# private-tmp
#private-tmp
# noexec /tmp breaks 'Android Profiler'
#noexec /tmp

5
etc/profile-a-l/ani-cli.profile
View file

@ -10,6 +10,7 @@ include ani-cli.local
noblacklist ${HOME}/.cache/ani-cli
noblacklist ${HOME}/.local/state/ani-cli
noblacklist ${PATH}/patch
# Allow /bin/sh (blacklisted by disable-shell.inc)
include allow-bin-sh.inc
@ -30,9 +31,9 @@ noprinters
notv
disable-mnt
private-bin ani-cli,aria2c,cat,cp,curl,cut,ffmpeg,fzf,grep,head,mkdir,mv,nl,nohup,patch,printf,rm,rofi,sed,sh,sort,tail,tput,tr,uname,wc
private-bin ani-cli,aria2c,cat,cp,curl,cut,ffmpeg,fzf,grep,head,mkdir,mktemp,mv,nl,nohup,patch,printf,rm,rofi,sed,sh,sort,tail,tput,tr,uname,wc
#private-cache
private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
private-etc X11,alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,xdg
private-tmp
# Redirect

21
etc/profile-a-l/anki.profile
View file

@ -6,8 +6,19 @@ include anki.local
# Persistent global definitions
include globals.local
# Add the following to anki.local if you don't need media playing/recording
# (lua is needed by mpv):
#ignore include allow-lua.inc
#machine-id
#nosound
noblacklist ${DOCUMENTS}
noblacklist ${HOME}/.config/mpv
noblacklist ${HOME}/.local/share/Anki2
noblacklist ${HOME}/.mplayer
# Allow lua (blacklisted by disable-interpreters.inc)
include allow-lua.inc
# Allow python (blacklisted by disable-interpreters.inc)
include allow-python2.inc
@ -23,13 +34,15 @@ include disable-xdg.inc
mkdir ${HOME}/.local/share/Anki2
whitelist ${DOCUMENTS}
whitelist ${HOME}/.config/mpv
whitelist ${HOME}/.local/share/Anki2
whitelist ${HOME}/.mplayer
include whitelist-common.inc
include whitelist-var-common.inc
apparmor
caps.drop all
machine-id
#machine-id
netfilter
no3d
nodvd
@ -37,7 +50,7 @@ nogroups
noinput
nonewprivs
noroot
nosound
#nosound
notv
nou2f
novideo
@ -46,7 +59,7 @@ protocol unix,inet,inet6
seccomp !chroot
disable-mnt
private-bin anki,python*
private-bin anki,mplayer,mpv,python*
private-cache
private-dev
private-etc @tls-ca,@x11
@ -55,4 +68,4 @@ private-tmp
dbus-user none
dbus-system none
# restrict-namespaces
#restrict-namespaces

1
etc/profile-a-l/apostrophe.profile
View file

@ -32,7 +32,6 @@ include disable-xdg.inc
whitelist /usr/libexec/webkit2gtk-4.0
whitelist /usr/share/apostrophe
whitelist /usr/share/texlive
whitelist /usr/share/texmf
whitelist /usr/share/pandoc-*
include whitelist-runuser-common.inc

2
etc/profile-a-l/archiver-common.profile
View file

@ -43,7 +43,7 @@ x11 none
private-cache
private-dev
private-etc
private-etc mkinitcpio*
dbus-user none
dbus-system none

2
etc/profile-a-l/arduino.profile
View file

@ -21,7 +21,7 @@ caps.drop all
netfilter
no3d
nodvd
# nogroups
#nogroups
nonewprivs
noroot
nosound

4
etc/profile-a-l/aria2c.profile
View file

@ -11,7 +11,6 @@ noblacklist ${HOME}/.cache/winetricks # XXX: See #5238
noblacklist ${HOME}/.config/aria2
noblacklist ${HOME}/.netrc
blacklist /tmp/.X11-unix
blacklist ${RUNUSER}/wayland-*
include disable-common.inc
@ -19,6 +18,7 @@ include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-x11.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
@ -39,7 +39,7 @@ novideo
protocol unix,inet,inet6,netlink
seccomp
# disable-mnt
#disable-mnt
# Add your custom event hook commands to 'private-bin' in your aria2c.local.
private-bin aria2c,gzip
# Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772).

6
etc/profile-a-l/ark.profile
View file

@ -22,7 +22,7 @@ include whitelist-var-common.inc
apparmor
caps.drop all
# net none
#net none
netfilter
nodvd
nogroups
@ -42,7 +42,7 @@ private-bin 7z,ark,bash,lrzip,lsar,lz4,lzop,p7zip,rar,sh,tclsh,unar,unrar,unzip,
private-dev
private-tmp
# dbus-user none
# dbus-system none
#dbus-user none
#dbus-system none
restrict-namespaces

40
etc/profile-a-l/armcord.profile Normal file
View file

@ -0,0 +1,40 @@
# Firejail profile for armcord
# Description: Standalone Discord client
# This file is overwritten after every install/update
# Persistent local customizations
include armcord.local
# Persistent global definitions
include globals.local
# Modules might depend on nodejs.
# Add the below lines to your armcord.local if you need this.
# Allow node (disabled by disable-interpreters.inc)
#include allow-nodejs.inc
#private-bin node
# The lines below are needed to find the default Firefox profile name, to allow
# opening links in an existing instance of Firefox (note that it still fails if
# there isn't a Firefox instance running with the default profile; see #5352)
noblacklist ${HOME}/.mozilla
whitelist ${HOME}/.mozilla/firefox/profiles.ini
noblacklist ${HOME}/.config/ArmCord
mkdir ${HOME}/.config/ArmCord
whitelist ${HOME}/.config/ArmCord
whitelist /opt/armcord
whitelist /usr/share/armcord
ignore novideo
private-bin armcord
dbus-user filter
dbus-user.talk org.freedesktop.Notifications
# Allow D-Bus communication with Firefox for opening links
dbus-user.talk org.mozilla.*
ignore dbus-user none
join-or-start armcord
# Redirect
include electron-common.profile

2
etc/profile-a-l/artha.profile
View file

@ -35,7 +35,7 @@ include whitelist-var-common.inc
apparmor
caps.drop all
ipc-namespace
# net none - breaks on Ubuntu
#net none # breaks on Ubuntu
no3d
nodvd
nogroups

4
etc/profile-a-l/asunder.profile
View file

@ -26,7 +26,7 @@ apparmor
caps.drop all
netfilter
no3d
# nogroups
#nogroups
noinput
nonewprivs
noroot
@ -44,5 +44,5 @@ dbus-user none
dbus-system none
# mdwe is disabled due to breaking hardware accelerated decoding
# memory-deny-write-execute
#memory-deny-write-execute
restrict-namespaces

2
etc/profile-a-l/atom.profile
View file

@ -26,7 +26,7 @@ noblacklist ${HOME}/.config/Atom
# Allows files commonly used by IDEs
include allow-common-devel.inc
# net none
#net none
nosound
# Redirect

2
etc/profile-a-l/atool.profile
View file

@ -12,8 +12,6 @@ include allow-perl.inc
noroot
# without login.defs atool complains and uses UID/GID 1000 by default
private-etc
private-tmp
# Redirect

4
etc/profile-a-l/atril.profile
View file

@ -22,7 +22,7 @@ include disable-xdg.inc
include whitelist-var-common.inc
# apparmor
#apparmor
caps.drop all
machine-id
no3d
@ -44,7 +44,7 @@ private-dev
private-etc
# atril uses webkit gtk to display epub files
# waiting for globbing support in private-lib; for now hardcoding it to webkit2gtk-4.0
#private-lib webkit2gtk-4.0 - problems on Arch with the new version of WebKit
#private-lib webkit2gtk-4.0 # problems on Arch with the new version of WebKit
private-tmp
# webkit gtk killed by memory-deny-write-execute

15
etc/profile-a-l/audacious.profile
View file

@ -14,6 +14,7 @@ include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-proc.inc
include disable-programs.inc
include disable-xdg.inc
@ -26,6 +27,7 @@ netfilter
nogroups
noinput
nonewprivs
noprinters
noroot
notv
nou2f
@ -34,13 +36,18 @@ protocol unix,inet,inet6
seccomp
tracelog
# private-bin audacious
#private-bin audacious
private-cache
private-dev
private-tmp
# dbus needed for MPRIS
# dbus-user none
# dbus-system none
dbus-user filter
dbus-user.own org.atheme.audacious
dbus-user.own org.mpris.MediaPlayer2.audacious
dbus-user.talk ca.desrt.dconf
dbus-user.talk org.freedesktop.Notifications
dbus-user.talk org.gtk.vfs.UDisks2VolumeMonitor
dbus-user.talk org.mpris.MediaPlayer2.Player
dbus-system none
restrict-namespaces

17
etc/profile-a-l/audacity.profile
View file

@ -6,10 +6,9 @@ include audacity.local
# Persistent global definitions
include globals.local
# Add the below lines to your audacity.local if you need online plugins.
#ignore net none
#netfilter
#protocol inet6
# To disable networking, add the following lines to audacity.local:
#ignore netfilter
#net none
noblacklist ${HOME}/.audacity-data
noblacklist ${HOME}/.cache/audacity
@ -34,7 +33,7 @@ allow-debuggers
## Enabling App Armor appears to break some Fedora / Arch installs
#apparmor
caps.drop all
net none
netfilter
no3d
nodvd
nogroups
@ -44,17 +43,17 @@ noroot
notv
nou2f
novideo
protocol unix,inet
protocol unix,inet,inet6
seccomp
tracelog
private-bin audacity
private-dev
private-etc @x11
private-etc @network,@sound,@tls-ca,@x11
private-tmp
# problems on Fedora 27
# dbus-user none
# dbus-system none
#dbus-user none
#dbus-system none
restrict-namespaces

4
etc/profile-a-l/audio-recorder.profile
View file

@ -41,7 +41,7 @@ seccomp
tracelog
disable-mnt
# private-bin audio-recorder
#private-bin audio-recorder
private-cache
private-etc
private-tmp
@ -50,5 +50,5 @@ dbus-user filter
dbus-user.talk ca.desrt.dconf
dbus-system none
# memory-deny-write-execute - breaks on Arch
#memory-deny-write-execute # breaks on Arch
restrict-namespaces

12
etc/profile-a-l/authenticator.profile
View file

@ -19,7 +19,7 @@ include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
# apparmor
#apparmor
caps.drop all
netfilter
no3d
@ -31,19 +31,19 @@ noroot
nosound
notv
nou2f
# novideo
#novideo
protocol unix,inet,inet6
seccomp
disable-mnt
# private-bin authenticator,python*
#private-bin authenticator,python*
private-dev
private-etc @tls-ca
private-tmp
# makes settings immutable
# dbus-user none
# dbus-system none
#dbus-user none
#dbus-system none
#memory-deny-write-execute - breaks on Arch (see issue #1803)
#memory-deny-write-execute # breaks on Arch (see issue #1803)
restrict-namespaces

2
etc/profile-a-l/autokey-common.profile
View file

@ -38,5 +38,5 @@ private-cache
private-dev
private-tmp
#memory-deny-write-execute - breaks on Arch (see issue #1803)
#memory-deny-write-execute # breaks on Arch (see issue #1803)
restrict-namespaces

61
etc/profile-a-l/axel.profile Normal file
View file

@ -0,0 +1,61 @@
# Firejail profile for axel
# Description: Lightweight CLI download accelerator
quiet
# This file is overwritten after every install/update
# Persistent local customizations
include axel.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.axelrc
noblacklist ${HOME}/.netrc
blacklist ${RUNUSER}
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-proc.inc
include disable-programs.inc
include disable-shell.inc
#include disable-x11.inc # x11 none
include disable-xdg.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
apparmor
caps.drop all
ipc-namespace
netfilter
no3d
nodvd
nogroups
noinput
nonewprivs
noprinters
noroot
nosound
notv
nou2f
novideo
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
tracelog
x11 none
#disable-mnt
private-bin axel
private-cache
private-dev
private-etc @network,@tls-ca,axelrc
private-lib
private-tmp
dbus-user none
dbus-system none
memory-deny-write-execute
restrict-namespaces

1
etc/profile-a-l/ballbuster-wrapper.profile
View file

@ -6,6 +6,7 @@ include ballbuster-wrapper.local
# added by included profile
#include globals.local
# Allow opengl-game wrapper script (distribution-specific)
include allow-opengl-game.inc
private-bin ballbuster-wrapper

12
etc/profile-a-l/baloo_file.profile
View file

@ -7,10 +7,10 @@ include globals.local
# Make home directory read-only and allow writing only to ${HOME}/.local/share/baloo
# Note: Baloo will not be able to update the "first run" key in its configuration files.
# mkdir ${HOME}/.local/share/baloo
# read-only ${HOME}
# read-write ${HOME}/.local/share/baloo
# ignore read-write
#mkdir ${HOME}/.local/share/baloo
#read-only ${HOME}
#read-write ${HOME}/.local/share/baloo
#ignore read-write
noblacklist ${HOME}/.config/baloofilerc
noblacklist ${HOME}/.kde/share/config/baloofilerc
@ -31,7 +31,7 @@ include whitelist-var-common.inc
apparmor
caps.drop all
machine-id
# net none
#net none
netfilter
no3d
nodvd
@ -46,7 +46,7 @@ novideo
protocol unix
# blacklisting of ioprio_set system calls breaks baloo_file
seccomp !ioprio_set
# x11 xorg
#x11 xorg
private-bin baloo_file,baloo_file_extractor,baloo_filemetadata_temp_extractor,kbuildsycoca4
private-cache

10
etc/profile-a-l/baobab.profile
View file

@ -6,13 +6,13 @@ include baobab.local
# Persistent global definitions
include globals.local
# include disable-common.inc
#include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
# include disable-programs.inc
#include disable-programs.inc
include disable-shell.inc
# include disable-xdg.inc
#include disable-xdg.inc
include whitelist-runuser-common.inc
@ -37,8 +37,8 @@ private-bin baobab
private-dev
private-tmp
# dbus-user none
# dbus-system none
#dbus-user none
#dbus-system none
read-only ${HOME}
restrict-namespaces

4
etc/profile-a-l/basilisk.profile
View file

@ -12,14 +12,14 @@ mkdir ${HOME}/.cache/moonchild productions/basilisk
mkdir ${HOME}/.moonchild productions
whitelist ${HOME}/.cache/moonchild productions/basilisk
whitelist ${HOME}/.moonchild productions
whitelist /usr/share/basilisk
# Basilisk can use the full firejail seccomp filter (unlike firefox >= 60)
seccomp
ignore seccomp
#private-bin basilisk
# private-etc must first be enabled in firefox-common.profile
#private-etc basilisk
private-etc basilisk
#private-opt basilisk
restrict-namespaces

2
etc/profile-a-l/bcompare.profile
View file

@ -19,7 +19,7 @@ include disable-exec.inc
include disable-interpreters.inc
# Add the next line to your bcompare.local if you don't need to compare files in disable-programs.inc.
#include disable-programs.inc
#include disable-shell.inc - breaks launch
#include disable-shell.inc # breaks launch
include disable-write-mnt.inc
apparmor

1
etc/profile-a-l/beaker.profile
View file

@ -13,7 +13,6 @@ ignore include whitelist-usr-share-common.inc
ignore include whitelist-var-common.inc
ignore nou2f
ignore novideo
ignore shell none
ignore disable-mnt
ignore private-cache
ignore private-dev

4
etc/profile-a-l/bibletime.profile
View file

@ -48,7 +48,7 @@ protocol unix,inet,inet6,netlink
seccomp !chroot
disable-mnt
# private-bin bibletime
#private-bin bibletime
private-cache
private-dev
private-etc @tls-ca,sword,sword.conf
@ -57,4 +57,4 @@ private-tmp
dbus-user none
dbus-system none
# restrict-namespaces
#restrict-namespaces

7
etc/profile-a-l/bijiben.profile
View file

@ -48,7 +48,7 @@ tracelog
disable-mnt
private-bin bijiben
# private-cache -- access to .cache/tracker is required
#private-cache # access to .cache/tracker is required
private-dev
private-etc @x11
private-tmp
@ -59,5 +59,8 @@ dbus-user.talk ca.desrt.dconf
dbus-user.talk org.freedesktop.Tracker1
dbus-system none
env WEBKIT_FORCE_SANDBOX=0
# Warning: Disabling the webkit sandbox may be needed to make firejail work
# with webkit2gtk, but this is not recommended (see #2995).
# Add the following line to bijiben.local at your own risk:
#env WEBKIT_DISABLE_SANDBOX_THIS_IS_DANGEROUS=1
restrict-namespaces

2
etc/profile-a-l/bitlbee.profile
View file

@ -10,7 +10,7 @@ ignore noexec ${HOME}
noblacklist /sbin
noblacklist /usr/sbin
# noblacklist /var/log
#noblacklist /var/log
include disable-common.inc
include disable-devel.inc

11
etc/profile-a-l/bitwarden-desktop.profile Normal file
View file

@ -0,0 +1,11 @@
# Firejail profile for bitwarden-desktop
# Description: A secure and free password manager for all of your devices
# This file is overwritten after every install/update.
# Persistent local customisations
include bitwarden-desktop.local
# Persistent global definitions
# added by included profile
#include globals.local
# Redirect
include bitwarden.profile

8
etc/profile-a-l/bitwarden.profile
View file

@ -6,17 +6,18 @@ include bitwarden.local
# Persistent global definitions
include globals.local
# Disabled until someone reported positive feedback
ignore include whitelist-usr-share-common.inc
ignore noexec /tmp
noblacklist ${HOME}/.config/Bitwarden
# Allow /bin/sh (blacklisted by disable-shell.inc)
include allow-bin-sh.inc
include disable-shell.inc
mkdir ${HOME}/.config/Bitwarden
whitelist ${HOME}/.config/Bitwarden
whitelist /opt/Bitwarden
machine-id
no3d
@ -24,7 +25,6 @@ nosound
?HAS_APPIMAGE: ignore private-dev
private-etc @tls-ca
private-opt Bitwarden
# Redirect
include electron-common.profile

6
etc/profile-a-l/bleachbit.profile
View file

@ -18,7 +18,7 @@ include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
# include disable-programs.inc
#include disable-programs.inc
caps.drop all
net none
@ -36,11 +36,11 @@ protocol unix
seccomp
private-dev
# private-tmp
#private-tmp
dbus-user none
dbus-system none
# memory-deny-write-execute breaks some systems, see issue #1850
# memory-deny-write-execute
#memory-deny-write-execute
restrict-namespaces

10
etc/profile-a-l/blender-3.6.profile Normal file
View file

@ -0,0 +1,10 @@
# Firejail profile alias for blender
# This file is overwritten after every install/update
# Persistent local customizations
include blender-3.6.local
# Persistent global definitions
# added by included profile
#include globals.local
# Redirect
include blender.profile

2
etc/profile-a-l/bless.profile
View file

@ -31,7 +31,7 @@ novideo
protocol unix
seccomp
# private-bin bash,bless,mono,sh
#private-bin bash,bless,mono,sh
private-cache
private-dev
private-etc mono

61
etc/profile-a-l/bpftop.profile Normal file
View file

@ -0,0 +1,61 @@
# Firejail profile for bpftop
# Description: Dynamic real-time view of running eBPF programs
# This file is overwritten after every install/update
quiet
# Persistent local customizations
include bpftop.local
# Persistent global definitions
include globals.local
blacklist ${RUNUSER}
blacklist /usr/libexec
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-proc.inc
include disable-programs.inc
include disable-shell.inc
include disable-x11.inc
include disable-xdg.inc
include whitelist-common.inc
include whitelist-run-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
apparmor
caps.keep sys_admin
ipc-namespace
machine-id
net none
no3d
nodvd
nogroups
noinput
noprinters
#noroot
nosound
notv
nou2f
novideo
seccomp.drop socket
seccomp.block-secondary
tracelog
x11 none
disable-mnt
private-bin bpftop
private-cache
private-dev
private-etc
private-tmp
dbus-user none
dbus-system none
memory-deny-write-execute
restrict-namespaces
read-only ${HOME}

2
etc/profile-a-l/brackets.profile
View file

@ -32,4 +32,4 @@ seccomp !chroot,!ioperm
private-cache
private-dev
# restrict-namespaces
#restrict-namespaces

6
etc/profile-a-l/brasero.profile
View file

@ -29,9 +29,9 @@ protocol unix
seccomp
tracelog
# private-bin brasero
#private-bin brasero
private-cache
# private-dev
# private-tmp
#private-dev
#private-tmp
restrict-namespaces

4
etc/profile-a-l/brave.profile
View file

@ -9,8 +9,8 @@ include globals.local
# noexec /tmp is included in chromium-common.profile and breaks Brave
ignore noexec /tmp
# TOR is installed in ${HOME}.
# NOTE: chromium-common.profile enables apparmor. To keep that intact
# you will need to uncomment the 'brave + tor' rule in /etc/apparmor.d/local/firejail-default.
# Note: chromium-common.profile enables apparmor. To keep that intact,
# uncomment the 'brave + tor' rule in /etc/apparmor.d/local/firejail-default.
# Alternatively you can add 'ignore apparmor' to your brave.local.
ignore noexec ${HOME}
# Causes slow starts (#4604)

14
etc/profile-a-l/brz.profile Normal file
View file

@ -0,0 +1,14 @@
# Firejail profile for brz
# Description: Distributed VCS with support for Bazaar and Git file formats
# This file is overwritten after every install/update
quiet
# Persistent local customizations
include brz.local
# Persistent global definitions
# added by included profile
#include globals.local
noblacklist ${HOME}/.config/breezy
# Redirect
include git.profile

Some files were not shown because too many files have changed in this diff Show more