diff --git a/Makefile b/Makefile index b3bd1cc3b..2217b95e5 100644 --- a/Makefile +++ b/Makefile @@ -394,7 +394,7 @@ scan-build: clean .PHONY: codespell codespell: @printf 'Running %s...\n' $@ - @$(CODESPELL) --ignore-regex 'Manuel|UE|als|chage|creat|doas|ether|isplay|readby|[Ss]hotcut' \ + @$(CODESPELL) --ignore-regex 'Manuel|Projets|UE|als|chage|creat|doas|ether|isplay|readby|[Ss]hotcut' \ -S *.d,*.gz,*.o,*.so \ -S COPYING,m4 \ -S ./contrib/syscalls.sh \ diff --git a/contrib/syntax/lists/profile_macros.list b/contrib/syntax/lists/profile_macros.list index 4ba780f11..9cfe9ac34 100644 --- a/contrib/syntax/lists/profile_macros.list +++ b/contrib/syntax/lists/profile_macros.list @@ -6,5 +6,6 @@ HOME MUSIC PATH PICTURES +PROJECTS RUNUSER VIDEOS diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc index 036febc6c..449884353 100644 --- a/etc/inc/allow-common-devel.inc +++ b/etc/inc/allow-common-devel.inc @@ -2,6 +2,9 @@ # Persistent customizations should go in a .local file. include allow-common-devel.local +# Default +noblacklist ${PROJECTS} + # Arduino noblacklist ${HOME}/.arduino15 noblacklist ${HOME}/Arduino diff --git a/etc/inc/disable-xdg.inc b/etc/inc/disable-xdg.inc index 22acf272d..f0b06845d 100644 --- a/etc/inc/disable-xdg.inc +++ b/etc/inc/disable-xdg.inc @@ -5,6 +5,7 @@ include disable-xdg.local blacklist ${DOCUMENTS} blacklist ${MUSIC} blacklist ${PICTURES} +blacklist ${PROJECTS} blacklist ${VIDEOS} # The following should be considered catch-all directories diff --git a/etc/profile-a-l/build-systems-common.profile b/etc/profile-a-l/build-systems-common.profile index 9761efc72..f6df27750 100644 --- a/etc/profile-a-l/build-systems-common.profile +++ b/etc/profile-a-l/build-systems-common.profile @@ -28,7 +28,7 @@ include disable-shell.inc include disable-x11.inc include disable-xdg.inc -#whitelist ${HOME}/Projects +#whitelist ${PROJECTS} #include whitelist-common.inc whitelist /usr/share/pkgconfig diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile index dccb99df5..bfec0f637 100644 --- a/etc/profile-m-z/nodejs-common.profile +++ b/etc/profile-m-z/nodejs-common.profile @@ -22,6 +22,7 @@ ignore read-only ${HOME}/.npmrc ignore read-only ${HOME}/.nvm ignore read-only ${HOME}/.yarnrc +noblacklist ${PROJECTS} noblacklist ${HOME}/.cache/deno noblacklist ${HOME}/.deno noblacklist ${HOME}/.local/share/pnpm @@ -46,8 +47,8 @@ include disable-shell.inc include disable-x11.inc include disable-xdg.inc -# If you want whitelisting, change ${HOME}/Projects below to your node projects directory -# and add the next lines to your nodejs-common.local. +# If you want whitelisting, change ${PROJECTS} below to your node projects +# directory and add the next lines to your nodejs-common.local. #mkdir ${HOME}/.local/share/pnpm #mkdir ${HOME}/.node-gyp #mkdir ${HOME}/.npm @@ -58,6 +59,7 @@ include disable-xdg.inc #mkdir ${HOME}/.yarncache #mkfile ${HOME}/.npmrc #mkfile ${HOME}/.yarnrc +#whitelist ${PROJECTS} #whitelist ${HOME}/.local/share/pnpm #whitelist ${HOME}/.node-gyp #whitelist ${HOME}/.npm @@ -68,7 +70,6 @@ include disable-xdg.inc #whitelist ${HOME}/.yarn-config #whitelist ${HOME}/.yarncache #whitelist ${HOME}/.yarnrc -#whitelist ${HOME}/Projects #include whitelist-common.inc whitelist /usr/share/doc/node diff --git a/etc/templates/profile.template b/etc/templates/profile.template index 6754f74e0..051045692 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template @@ -45,6 +45,7 @@ # ${HOME} (user's home) # ${PATH} (contents of PATH env var) # ${PICTURES} +# ${PROJECTS} # ${MUSIC} # ${RUNUSER} (/run/user/UID) # ${VIDEOS} diff --git a/src/firejail/macros.c b/src/firejail/macros.c index d3048ca02..a48c4dde2 100644 --- a/src/firejail/macros.c +++ b/src/firejail/macros.c @@ -61,6 +61,12 @@ Macro macro[] = { {"Pictures", "Изображения", "Images", "Immagini", "Imágenes", "Imagens", "Bilder"} }, + { + "${PROJECTS}", + "XDG_PROJECTS_DIR=\"$HOME/", + {"Projects", "Проекты", "Projets", "Progetti", "Proyectos", "Projectos", "Projekte"} + }, + { "${VIDEOS}", "XDG_VIDEOS_DIR=\"$HOME/", diff --git a/test/fs/fs.sh b/test/fs/fs.sh index 525847435..1e6ba40a0 100755 --- a/test/fs/fs.sh +++ b/test/fs/fs.sh @@ -13,6 +13,7 @@ mkdir -p ~/Documents mkdir -p ~/Downloads mkdir -p ~/Music mkdir -p ~/Pictures +mkdir -p ~/Projects mkdir -p ~/Videos echo "TESTING: tmpfs as regular user (test/fs/tmpfs.exp)" @@ -108,6 +109,7 @@ rm -f ~/Documents/_firejail_test_file rm -f ~/Downloads/_firejail_test_file rm -f ~/Music/_firejail_test_file rm -f ~/Pictures/_firejail_test_file +rm -f ~/Projects/_firejail_test_file rm -f ~/Videos/_firejail_test_file mkdir -p ~/Desktop/_firejail_test_dir/a @@ -120,6 +122,8 @@ mkdir -p ~/Music/_firejail_test_dir/a mkdir -p ~/Music/_firejail_test_dir/b mkdir -p ~/Pictures/_firejail_test_dir/a mkdir -p ~/Pictures/_firejail_test_dir/b +mkdir -p ~/Projects/_firejail_test_dir/a +mkdir -p ~/Projects/_firejail_test_dir/b mkdir -p ~/Videos/_firejail_test_dir/a mkdir -p ~/Videos/_firejail_test_dir/b echo "TESTING: macro subpaths (test/fs/macro-subpath.exp)" @@ -129,6 +133,7 @@ rm -fr ~/Documents/_firejail_test_dir rm -fr ~/Downloads/_firejail_test_dir rm -fr ~/Music/_firejail_test_dir rm -fr ~/Pictures/_firejail_test_dir +rm -fr ~/Projects/_firejail_test_dir rm -fr ~/Videos/_firejail_test_dir echo "TESTING: whitelist empty (test/fs/whitelist-empty.exp)" diff --git a/test/fs/macro-blacklist.profile b/test/fs/macro-blacklist.profile index 04fb1dd3d..08fd98901 100644 --- a/test/fs/macro-blacklist.profile +++ b/test/fs/macro-blacklist.profile @@ -3,4 +3,5 @@ blacklist ${DOCUMENTS} blacklist ${DOWNLOADS} blacklist ${MUSIC} blacklist ${PICTURES} +blacklist ${PROJECTS} blacklist ${VIDEOS} diff --git a/test/fs/macro-readonly.profile b/test/fs/macro-readonly.profile index c7fd213a3..963ccef3d 100644 --- a/test/fs/macro-readonly.profile +++ b/test/fs/macro-readonly.profile @@ -3,4 +3,5 @@ read-only ${DOCUMENTS} read-only ${DOWNLOADS} read-only ${MUSIC} read-only ${PICTURES} +read-only ${PROJECTS} read-only ${VIDEOS} diff --git a/test/fs/macro-subpath-blacklist.profile b/test/fs/macro-subpath-blacklist.profile index 548021c71..3aeaf938d 100644 --- a/test/fs/macro-subpath-blacklist.profile +++ b/test/fs/macro-subpath-blacklist.profile @@ -3,4 +3,5 @@ blacklist ${DOCUMENTS}/_firejail_test_dir blacklist ${DOWNLOADS}/_firejail_test_dir blacklist ${MUSIC}/_firejail_test_dir blacklist ${PICTURES}/_firejail_test_dir +blacklist ${PROJECTS}/_firejail_test_dir blacklist ${VIDEOS}/_firejail_test_dir diff --git a/test/fs/macro-subpath-readonly.profile b/test/fs/macro-subpath-readonly.profile index c5a639236..841e09438 100644 --- a/test/fs/macro-subpath-readonly.profile +++ b/test/fs/macro-subpath-readonly.profile @@ -3,4 +3,5 @@ read-only ${DOCUMENTS}/_firejail_test_dir read-only ${DOWNLOADS}/_firejail_test_dir read-only ${MUSIC}/_firejail_test_dir read-only ${PICTURES}/_firejail_test_dir +read-only ${PROJECTS}/_firejail_test_dir read-only ${VIDEOS}/_firejail_test_dir diff --git a/test/fs/macro-subpath-whitelist.profile b/test/fs/macro-subpath-whitelist.profile index 9d39fe295..d8a73560d 100644 --- a/test/fs/macro-subpath-whitelist.profile +++ b/test/fs/macro-subpath-whitelist.profile @@ -3,4 +3,5 @@ whitelist ${DOCUMENTS}/_firejail_test_dir/a whitelist ${DOWNLOADS}/_firejail_test_dir/a whitelist ${MUSIC}/_firejail_test_dir/a whitelist ${PICTURES}/_firejail_test_dir/a +whitelist ${PROJECTS}/_firejail_test_dir/a whitelist ${VIDEOS}/_firejail_test_dir/a diff --git a/test/fs/macro-subpath.exp b/test/fs/macro-subpath.exp index b6fcd117c..4cc6f5ff5 100644 --- a/test/fs/macro-subpath.exp +++ b/test/fs/macro-subpath.exp @@ -14,6 +14,7 @@ send -- "firejail --profile=./macro-subpath-whitelist.profile ls \ ~/Downloads/_firejail_test_dir \ ~/Music/_firejail_test_dir \ ~/Pictures/_firejail_test_dir \ + ~/Projects/_firejail_test_dir \ ~/Videos/_firejail_test_dir \ \r" @@ -46,6 +47,11 @@ expect { "Pictures/_firejail_test_dir/a" {} "Pictures/_firejail_test_dir/b" {puts "TESTING ERROR 1.2 Pictures\n";exit} } +expect { + timeout {puts "TESTING ERROR 1.1 Projects\n";exit} + "Projects/_firejail_test_dir/a" {} + "Projects/_firejail_test_dir/b" {puts "TESTING ERROR 1.2 Projects\n";exit} +} expect { timeout {puts "TESTING ERROR 1.1 Videos\n";exit} "Videos/_firejail_test_dir/a" {} @@ -114,6 +120,18 @@ expect { } after 100 +send -- "firejail --profile=./macro-subpath-blacklist.profile ls ~/Projects/_firejail_test_dir; echo ret \$?\r" +expect { + timeout {puts "TESTING ERROR 2 Projects\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 2.1 Projects\n";exit} + "Permission denied" {} + -re {ret 0} {puts "TESTING ERROR 2.2 Projects\n";exit} +} +after 100 + send -- "firejail --profile=./macro-subpath-blacklist.profile ls ~/Videos/_firejail_test_dir; echo ret \$?\r" expect { timeout {puts "TESTING ERROR 2 Videos\n";exit} @@ -187,6 +205,18 @@ expect { } after 100 +send -- "firejail --profile=./macro-subpath-readonly.profile touch ~/Projects/_firejail_test_dir/_firejail_test_file; echo ret \$?\r" +expect { + timeout {puts "TESTING ERROR 3 Projects\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 3.1 Projects\n";exit} + "Read-only file system" {} + -re {ret 0} {puts "TESTING ERROR 3.2 Projects\n";exit} +} +after 100 + send -- "firejail --profile=./macro-subpath-readonly.profile touch ~/Videos/_firejail_test_dir/_firejail_test_file; echo ret \$?\r" expect { timeout {puts "TESTING ERROR 3 Videos\n";exit} diff --git a/test/fs/macro-whitelist.profile b/test/fs/macro-whitelist.profile index cee2bc8bf..3c74c1a8b 100644 --- a/test/fs/macro-whitelist.profile +++ b/test/fs/macro-whitelist.profile @@ -3,4 +3,5 @@ whitelist ${DOCUMENTS} whitelist ${DOWNLOADS} whitelist ${MUSIC} whitelist ${PICTURES} +whitelist ${PROJECTS} whitelist ${VIDEOS} diff --git a/test/fs/macro.exp b/test/fs/macro.exp index c69992d71..48deefeb2 100755 --- a/test/fs/macro.exp +++ b/test/fs/macro.exp @@ -33,6 +33,10 @@ expect { timeout {puts "TESTING ERROR 1.1 Pictures\n";exit} "Pictures" } +expect { + timeout {puts "TESTING ERROR 1.1 Projects\n";exit} + "Projects" +} expect { timeout {puts "TESTING ERROR 1.1 Videos\n";exit} "Videos" @@ -100,6 +104,18 @@ expect { } after 100 +send -- "firejail --profile=./macro-blacklist.profile ls ~/Projects; echo ret \$?\r" +expect { + timeout {puts "TESTING ERROR 2 Projects\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 2.1 Projects\n";exit} + "Permission denied" {} + -re {ret 0} {puts "TESTING ERROR 2.2 Projects\n";exit} +} +after 100 + send -- "firejail --profile=./macro-blacklist.profile ls ~/Videos; echo ret \$?\r" expect { timeout {puts "TESTING ERROR 2 Videos\n";exit} @@ -173,6 +189,18 @@ expect { } after 100 +send -- "firejail --profile=./macro-readonly.profile touch ~/Projects/_firejail_test_file; echo ret \$?\r" +expect { + timeout {puts "TESTING ERROR 3 Projects\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 3.1 Projects\n";exit} + "Read-only file system" {} + -re {ret 0} {puts "TESTING ERROR 3.2 Projects\n";exit} +} +after 100 + send -- "firejail --profile=./macro-readonly.profile touch ~/Videos/_firejail_test_file; echo ret \$?\r" expect { timeout {puts "TESTING ERROR 3 Videos\n";exit}