testing

2026-05-15 14:16:14 -06:00 · 2016-12-19 10:24:25 -05:00 · 2016-12-19 10:24:25 -05:00 · 759dc6ade2
commit 759dc6ade2
parent d94f357913
9 changed files with 191 additions and 5 deletions
--- a/5
+++ b/5
@ -97,6 +97,10 @@ valoq (https://github.com/valoq)
 	- added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles
 	- added wget profile
 	- disable gnupg and systemd directories under /run/user
+thewisenerd (https://github.com/thewisenerd)
+	- appimage: pass commandline arguments
+KOLANICH (https://github.com/KOLANICH)
+	- added symlink fixer
 Jesse Smith (https://github.com/slicer69)
 	- added QupZilla profile
 Lari Rauno (https://github.com/tuutti)
@ -317,6 +321,7 @@ Peter Millerchip (https://github.com/pmillerchip)
 	- support for files and directories starting with ~ in blacklist option
 	- support for files and directories with spaces in blacklist option
 	- lots of other fixes
+	- implement the --allow-private-blacklist option
 sarneaud (https://github.com/sarneaud)
 	- rewrite globbing code to fix various minor issues
 	- added noblacklist command for profile files
--- a/README.md
+++ b/README.md
@ -81,6 +81,15 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is

              Example:
              $ firejail --machine-id
+
+       --allow-private-blacklist
+              Allow  blacklisting  files in private home directory. By default
+              these blacklists are disabled.
+
+              Example:
+              $   firejail    --allow-private-blacklist   --private=~/priv-dir
+              --blacklist=~/.mozilla
+             
 `````
 ## New Profiles
 xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom, Guayadeque, qemu, keypass2,
--- a/4
+++ b/4
@ -13,7 +13,9 @@ firejail (0.9.45) baseline; urgency=low
  * feature: private /opt directory (--private-opt, profile support)
  * feature: private /srv directory (--private-srv, profile support)
  * feature: spoof machine-id
-  * feature: config support for firejail prompt in terminal
+  * feature: config support for firejail prompt in terminals
+  * feature: pass command line arguments to appimages
+  * feature: --allow-private-blacklist option
  * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire,
  * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
  * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator,
--- a/contrib/fix_private-bin_for_symlinked_sh.py
+++ b/contrib/fix_private-bin_for_symlinked_sh.py
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@ -30,8 +30,8 @@ void usage(void) {
 	printf("Options:\n");
 	printf("    -- - signal the end of options and disables further option processing.\n");
 	printf("    --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n");
-	printf("    --allow-private-blacklist - allow blacklisting things in private\n");
-	printf("\tdirectories.\n");
+	printf("    --allow-private-blacklist - allow blacklisting files in private\n");
+	printf("\thome directories.\n");
 	printf("    --allusers - all user home directories are visible inside the sandbox.\n");
 	printf("    --apparmor - enable AppArmor confinement.\n");
 	printf("    --appimage - sandbox an AppImage application.\n");
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@ -84,6 +84,15 @@ Example:
 .br
 $ firejail  --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox
 .TP
+\fB\-\-allow-private-blacklist
+Allow blacklisting files in private home directory. By default these blacklists are disabled.
+.br
+
+.br
+Example:
+.br
+$ firejail  --allow-private-blacklist --private=~/priv-dir --blacklist=~/.mozilla
+.TP
 \fB\-\-allusers
 All directories under /home are visible inside the sandbox. By default, only current user home directory is visible.
 .br
--- a/test/appimage/appimage-args.exp
+++ b/test/appimage/appimage-args.exp
@ -0,0 +1,97 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=appimage-test --debug --appimage Leafpad-0.8.17-x86_64.AppImage testfile\r"
+expect {
+	timeout {puts "TESTING ERROR 1\n";exit}
+	"execvp argument 2"
+}
+expect {
+	timeout {puts "TESTING ERROR 2\n";exit}
+	"AppRun"
+}
+expect {
+	timeout {puts "TESTING ERROR 3\n";exit}
+	"testfile"
+}
+expect {
+	timeout {puts "TESTING ERROR 4\n";exit}
+	"Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+	timeout {puts "TESTING ERROR 5\n";exit}
+	":firejail"
+}
+expect {
+	timeout {puts "TESTING ERROR 6\n";exit}
+	"appimage Leafpad"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+	timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+	"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+	"cannot open" {puts "grsecurity not present\n"}
+}
+
+
+send -- "firejail --name=blablabla\r"
+expect {
+	timeout {puts "TESTING ERROR 7\n";exit}
+	"Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+	timeout {puts "TESTING ERROR 8\n";exit}
+	"need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+	"appimage Leafpad"
+}
+expect {
+	timeout {puts "TESTING ERROR 9 (seccomp)\n";exit}
+	"Seccomp:	2"
+}
+expect {
+	timeout {puts "TESTING ERROR 10\n";exit}
+	"name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+	timeout {puts "TESTING ERROR 11\n";exit}
+	"appimage Leafpad"
+}
+expect {
+	timeout {puts "TESTING ERROR 12\n";exit}
+	"CapBnd:"
+}
+expect {
+	timeout {puts "TESTING ERROR 13\n";exit}
+	"0000000000000000"
+}
+expect {
+	timeout {puts "TESTING ERROR 14\n";exit}
+	"name=blablabla"
+}
+after 100
+
+spawn $env(SHELL)
+send -- "firejail --shutdown=appimage-test\r"
+sleep 3
+
+puts "\nall done\n"
+
--- a/test/appimage/appimage.sh
+++ b/test/appimage/appimage.sh
@ -13,4 +13,8 @@ echo "TESTING: AppImage v2 (test/appimage/appimage-v2.exp)"
 ./appimage-v2.exp

 echo "TESTING: AppImage file name (test/appimage/filename.exp)";
-./filename.exp
+./filename.exp
+
+echo "TESTING: AppImage argsv1 (test/appimage/appimage-args.exp)"
+./appimage-args.exp
+
--- a/test/fs/private-home-dir.exp
+++ b/test/fs/private-home-dir.exp
@ -21,6 +21,8 @@ if {[file exists ~/.Xauthority]} {
 	send -- "touch ~/.Xauthority\r"
 }
 after 100
+send -- "rm -fr ~/_firejail_test_dir_\r"
+after 100
 send -- "mkdir ~/_firejail_test_dir_\r"
 sleep 1

@ -65,6 +67,64 @@ expect {
 	"private directory should be owned by the current user"
 }
 sleep 1
+send -- "mkdir ~/_firejail_test_dir_/test_dir_2\r"
+after 100
+send -- "touch ~/_firejail_test_dir_/test_dir_2/testfile\r"
+sleep 1

+send -- "firejail --debug --noprofile --blacklist=~/test_dir_2 --private=~/_firejail_test_dir_\r"
+expect {
+	timeout {puts "TESTING ERROR 6\n";exit}
+	"Not blacklist"
+}
+expect {
+	timeout {puts "TESTING ERROR 7\n";exit}
+	"test_dir_2"
+}
+expect {
+	timeout {puts "TESTING ERROR 8\n";exit}
+	"Child process initialized"
+}

-puts "all done\n"
+sleep 1
+
+send -- "find ~\r"
+expect {
+	timeout {puts "TESTING ERROR 9\n";exit}
+	"testfile"
+}
+after 100
+
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --debug --noprofile --allow-private-blacklist --blacklist=~/test_dir_2 --private=~/_firejail_test_dir_\r"
+expect {
+	timeout {puts "TESTING ERROR 10\n";exit}
+	"Disable"
+}
+expect {
+	timeout {puts "TESTING ERROR 11\n";exit}
+	"test_dir_2"
+}
+expect {
+	timeout {puts "TESTING ERROR 12\n";exit}
+	"Child process initialized"
+}
+
+sleep 1
+
+send -- "ls ~/test_dir_2\r"
+expect {
+	timeout {puts "TESTING ERROR 13\n";exit}
+	"cannot open directory"
+}
+after 100
+
+send "exit\r"
+sleep 1
+
+send -- "rm -fr ~/_firejail_test_dir_\r"
+after 100
+
+puts "\nall done\n"