testing

README

@@ -97,6 +97,10 @@ valoq (https://github.com/valoq)
 	- added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles
 	- added wget profile
 	- disable gnupg and systemd directories under /run/user
+thewisenerd (https://github.com/thewisenerd)
+	- appimage: pass commandline arguments
+KOLANICH (https://github.com/KOLANICH)
+	- added symlink fixer
 Jesse Smith (https://github.com/slicer69)
 	- added QupZilla profile
 Lari Rauno (https://github.com/tuutti)
@@ -317,6 +321,7 @@ Peter Millerchip (https://github.com/pmillerchip)
 	- support for files and directories starting with ~ in blacklist option
 	- support for files and directories with spaces in blacklist option
 	- lots of other fixes
+	- implement the --allow-private-blacklist option
 sarneaud (https://github.com/sarneaud)
 	- rewrite globbing code to fix various minor issues
 	- added noblacklist command for profile files

README.md

@@ -81,6 +81,15 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is
 
               Example:
               $ firejail --machine-id
+
+       --allow-private-blacklist
+              Allow  blacklisting  files in private home directory. By default
+              these blacklists are disabled.
+
+              Example:
+              $   firejail    --allow-private-blacklist   --private=~/priv-dir
+              --blacklist=~/.mozilla
+             
 `````
 ## New Profiles
 xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom, Guayadeque, qemu, keypass2,

RELNOTES

@@ -13,7 +13,9 @@ firejail (0.9.45) baseline; urgency=low
   * feature: private /opt directory (--private-opt, profile support)
   * feature: private /srv directory (--private-srv, profile support)
   * feature: spoof machine-id
-  * feature: config support for firejail prompt in terminal
+  * feature: config support for firejail prompt in terminals
+  * feature: pass command line arguments to appimages
+  * feature: --allow-private-blacklist option
   * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire,
   * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
   * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator,

src/firejail/usage.c

@@ -30,8 +30,8 @@ void usage(void) {
 	printf("Options:\n");
 	printf("    -- - signal the end of options and disables further option processing.\n");
 	printf("    --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n");
-	printf("    --allow-private-blacklist - allow blacklisting things in private\n");
+	printf("    --allow-private-blacklist - allow blacklisting files in private\n");
-	printf("\tdirectories.\n");
+	printf("\thome directories.\n");
 	printf("    --allusers - all user home directories are visible inside the sandbox.\n");
 	printf("    --apparmor - enable AppArmor confinement.\n");
 	printf("    --appimage - sandbox an AppImage application.\n");

src/man/firejail.txt

@@ -84,6 +84,15 @@ Example:
 .br
 $ firejail  --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox
 .TP
+\fB\-\-allow-private-blacklist
+Allow blacklisting files in private home directory. By default these blacklists are disabled.
+.br
+
+.br
+Example:
+.br
+$ firejail  --allow-private-blacklist --private=~/priv-dir --blacklist=~/.mozilla
+.TP
 \fB\-\-allusers
 All directories under /home are visible inside the sandbox. By default, only current user home directory is visible.
 .br

test/appimage/appimage-args.exp

@@ -0,0 +1,97 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=appimage-test --debug --appimage Leafpad-0.8.17-x86_64.AppImage testfile\r"
+expect {
+	timeout {puts "TESTING ERROR 1\n";exit}
+	"execvp argument 2"
+}
+expect {
+	timeout {puts "TESTING ERROR 2\n";exit}
+	"AppRun"
+}
+expect {
+	timeout {puts "TESTING ERROR 3\n";exit}
+	"testfile"
+}
+expect {
+	timeout {puts "TESTING ERROR 4\n";exit}
+	"Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+	timeout {puts "TESTING ERROR 5\n";exit}
+	":firejail"
+}
+expect {
+	timeout {puts "TESTING ERROR 6\n";exit}
+	"appimage Leafpad"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+	timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+	"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+	"cannot open" {puts "grsecurity not present\n"}
+}
+
+
+send -- "firejail --name=blablabla\r"
+expect {
+	timeout {puts "TESTING ERROR 7\n";exit}
+	"Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+	timeout {puts "TESTING ERROR 8\n";exit}
+	"need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+	"appimage Leafpad"
+}
+expect {
+	timeout {puts "TESTING ERROR 9 (seccomp)\n";exit}
+	"Seccomp:	2"
+}
+expect {
+	timeout {puts "TESTING ERROR 10\n";exit}
+	"name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+	timeout {puts "TESTING ERROR 11\n";exit}
+	"appimage Leafpad"
+}
+expect {
+	timeout {puts "TESTING ERROR 12\n";exit}
+	"CapBnd:"
+}
+expect {
+	timeout {puts "TESTING ERROR 13\n";exit}
+	"0000000000000000"
+}
+expect {
+	timeout {puts "TESTING ERROR 14\n";exit}
+	"name=blablabla"
+}
+after 100
+
+spawn $env(SHELL)
+send -- "firejail --shutdown=appimage-test\r"
+sleep 3
+
+puts "\nall done\n"
+

test/appimage/appimage.sh

@@ -14,3 +14,7 @@ echo "TESTING: AppImage v2 (test/appimage/appimage-v2.exp)"
 
 echo "TESTING: AppImage file name (test/appimage/filename.exp)";
 ./filename.exp
+
+echo "TESTING: AppImage argsv1 (test/appimage/appimage-args.exp)"
+./appimage-args.exp
+

test/fs/private-home-dir.exp

@@ -21,6 +21,8 @@ if {[file exists ~/.Xauthority]} {
 	send -- "touch ~/.Xauthority\r"
 }
 after 100
+send -- "rm -fr ~/_firejail_test_dir_\r"
+after 100
 send -- "mkdir ~/_firejail_test_dir_\r"
 sleep 1
 
@@ -65,6 +67,64 @@ expect {
 	"private directory should be owned by the current user"
 }
 sleep 1
+send -- "mkdir ~/_firejail_test_dir_/test_dir_2\r"
+after 100
+send -- "touch ~/_firejail_test_dir_/test_dir_2/testfile\r"
+sleep 1
 
+send -- "firejail --debug --noprofile --blacklist=~/test_dir_2 --private=~/_firejail_test_dir_\r"
+expect {
+	timeout {puts "TESTING ERROR 6\n";exit}
+	"Not blacklist"
+}
+expect {
+	timeout {puts "TESTING ERROR 7\n";exit}
+	"test_dir_2"
+}
+expect {
+	timeout {puts "TESTING ERROR 8\n";exit}
+	"Child process initialized"
+}
 
-puts "all done\n"
+sleep 1
+
+send -- "find ~\r"
+expect {
+	timeout {puts "TESTING ERROR 9\n";exit}
+	"testfile"
+}
+after 100
+
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --debug --noprofile --allow-private-blacklist --blacklist=~/test_dir_2 --private=~/_firejail_test_dir_\r"
+expect {
+	timeout {puts "TESTING ERROR 10\n";exit}
+	"Disable"
+}
+expect {
+	timeout {puts "TESTING ERROR 11\n";exit}
+	"test_dir_2"
+}
+expect {
+	timeout {puts "TESTING ERROR 12\n";exit}
+	"Child process initialized"
+}
+
+sleep 1
+
+send -- "ls ~/test_dir_2\r"
+expect {
+	timeout {puts "TESTING ERROR 13\n";exit}
+	"cannot open directory"
+}
+after 100
+
+send "exit\r"
+sleep 1
+
+send -- "rm -fr ~/_firejail_test_dir_\r"
+after 100
+
+puts "\nall done\n"