Merge branch 'master' into profile-template-improve-rules
This commit is contained in:
commit
925bba49ae
32 changed files with 169 additions and 389 deletions
4
.github/workflows/build-extra.yml
vendored
4
.github/workflows/build-extra.yml
vendored
|
|
@ -44,7 +44,7 @@ jobs:
|
|||
timeout-minutes: 10
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
|
||||
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411
|
||||
with:
|
||||
egress-policy: block
|
||||
allowed-endpoints: >
|
||||
|
|
@ -79,7 +79,7 @@ jobs:
|
|||
timeout-minutes: 10
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
|
||||
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411
|
||||
with:
|
||||
egress-policy: block
|
||||
allowed-endpoints: >
|
||||
|
|
|
|||
2
.github/workflows/build.yml
vendored
2
.github/workflows/build.yml
vendored
|
|
@ -58,7 +58,7 @@ jobs:
|
|||
timeout-minutes: 10
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
|
||||
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411
|
||||
with:
|
||||
egress-policy: block
|
||||
allowed-endpoints: >
|
||||
|
|
|
|||
10
.github/workflows/check-c.yml
vendored
10
.github/workflows/check-c.yml
vendored
|
|
@ -46,7 +46,7 @@ jobs:
|
|||
timeout-minutes: 10
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
|
||||
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411
|
||||
with:
|
||||
egress-policy: block
|
||||
allowed-endpoints: >
|
||||
|
|
@ -79,7 +79,7 @@ jobs:
|
|||
timeout-minutes: 10
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
|
||||
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411
|
||||
with:
|
||||
egress-policy: block
|
||||
allowed-endpoints: >
|
||||
|
|
@ -112,7 +112,7 @@ jobs:
|
|||
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
|
||||
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411
|
||||
with:
|
||||
disable-sudo: true
|
||||
egress-policy: block
|
||||
|
|
@ -131,7 +131,7 @@ jobs:
|
|||
|
||||
# Initializes the CodeQL tools for scanning.
|
||||
- name: Initialize CodeQL
|
||||
uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225
|
||||
uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa
|
||||
with:
|
||||
languages: cpp
|
||||
|
||||
|
|
@ -142,4 +142,4 @@ jobs:
|
|||
run: make -j "$(nproc)" -Orecurse
|
||||
|
||||
- name: Perform CodeQL Analysis
|
||||
uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225
|
||||
uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa
|
||||
|
|
|
|||
2
.github/workflows/check-profiles.yml
vendored
2
.github/workflows/check-profiles.yml
vendored
|
|
@ -33,7 +33,7 @@ jobs:
|
|||
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
|
||||
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411
|
||||
with:
|
||||
disable-sudo: true
|
||||
egress-policy: block
|
||||
|
|
|
|||
6
.github/workflows/check-python.yml
vendored
6
.github/workflows/check-python.yml
vendored
|
|
@ -31,7 +31,7 @@ jobs:
|
|||
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
|
||||
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411
|
||||
with:
|
||||
disable-sudo: true
|
||||
egress-policy: block
|
||||
|
|
@ -52,9 +52,9 @@ jobs:
|
|||
|
||||
# Initializes the CodeQL tools for scanning.
|
||||
- name: Initialize CodeQL
|
||||
uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225
|
||||
uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa
|
||||
with:
|
||||
languages: python
|
||||
|
||||
- name: Perform CodeQL Analysis
|
||||
uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225
|
||||
uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa
|
||||
|
|
|
|||
2
.github/workflows/codespell.yml
vendored
2
.github/workflows/codespell.yml
vendored
|
|
@ -24,7 +24,7 @@ jobs:
|
|||
timeout-minutes: 5
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
|
||||
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411
|
||||
with:
|
||||
egress-policy: block
|
||||
allowed-endpoints: >
|
||||
|
|
|
|||
10
.github/workflows/test.yml
vendored
10
.github/workflows/test.yml
vendored
|
|
@ -54,7 +54,7 @@ jobs:
|
|||
SHELL: /bin/bash
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
|
||||
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411
|
||||
with:
|
||||
egress-policy: block
|
||||
allowed-endpoints: >
|
||||
|
|
@ -103,7 +103,7 @@ jobs:
|
|||
SHELL: /bin/bash
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
|
||||
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411
|
||||
with:
|
||||
egress-policy: block
|
||||
allowed-endpoints: >
|
||||
|
|
@ -144,7 +144,7 @@ jobs:
|
|||
SHELL: /bin/bash
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
|
||||
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411
|
||||
with:
|
||||
egress-policy: block
|
||||
allowed-endpoints: >
|
||||
|
|
@ -184,7 +184,7 @@ jobs:
|
|||
SHELL: /bin/bash
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
|
||||
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411
|
||||
with:
|
||||
egress-policy: block
|
||||
allowed-endpoints: >
|
||||
|
|
@ -226,7 +226,7 @@ jobs:
|
|||
SHELL: /bin/bash
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
|
||||
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411
|
||||
with:
|
||||
egress-policy: block
|
||||
allowed-endpoints: >
|
||||
|
|
|
|||
10
config.mk.in
10
config.mk.in
|
|
@ -17,6 +17,7 @@ prefix=@prefix@
|
|||
exec_prefix=@exec_prefix@
|
||||
bindir=@bindir@
|
||||
libdir=@libdir@
|
||||
libexecdir=@libexecdir@
|
||||
datarootdir=@datarootdir@
|
||||
docdir=@docdir@
|
||||
mandir=@mandir@
|
||||
|
|
@ -89,9 +90,12 @@ COMMON_CFLAGS = \
|
|||
-Wall -Wextra $(HAVE_FATAL_WARNINGS) \
|
||||
-Wformat -Wformat-security \
|
||||
-fstack-protector-all \
|
||||
-DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/$(TARNAME)"' \
|
||||
-DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' \
|
||||
-DVARDIR='"$(localstatedir)/lib/$(TARNAME)"'
|
||||
-DPREFIX='"$(prefix)"' \
|
||||
-DBINDIR='"$(bindir)"' \
|
||||
-DLIBDIR='"$(libdir)"' \
|
||||
-DLIBEXECDIR='"$(libexecdir)"' \
|
||||
-DVARDIR='"$(localstatedir)/lib/$(TARNAME)"' \
|
||||
-DSYSCONFDIR='"$(sysconfdir)/$(TARNAME)"'
|
||||
|
||||
PROG_CFLAGS = \
|
||||
$(COMMON_CFLAGS) \
|
||||
|
|
|
|||
|
|
@ -1,32 +0,0 @@
|
|||
# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
|
||||
noblacklist ${HOME}/.mozilla
|
||||
include /etc/firejail/disable-mgmt.inc
|
||||
include /etc/firejail/disable-secret.inc
|
||||
include /etc/firejail/disable-common.inc
|
||||
include /etc/firejail/disable-devel.inc
|
||||
caps.drop all
|
||||
|
||||
#seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
|
||||
seccomp.drop adjtimex,clock_adjtime,clock_settime,settimeofday,stime,modify_ldt,subpage_prot,switch_endian,vm86,vm86old,lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext,delete_module,finit_module,init_module,_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver,ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_pci_mmio_read,s390_pci_mmio_write,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
|
||||
|
||||
protocol unix,inet,inet6,netlink
|
||||
netfilter
|
||||
# tracelog
|
||||
noroot
|
||||
whitelist ${DOWNLOADS}
|
||||
whitelist ${HOME}/.mozilla
|
||||
whitelist ${HOME}/.cache/mozilla/firefox
|
||||
whitelist ${HOME}/dwhelper
|
||||
whitelist ${HOME}/.zotero
|
||||
whitelist ${HOME}/.lastpass
|
||||
whitelist ${HOME}/.vimperatorrc
|
||||
whitelist ${HOME}/.vimperator
|
||||
whitelist ${HOME}/.pentadactylrc
|
||||
whitelist ${HOME}/.pentadactyl
|
||||
whitelist ${HOME}/.keysnail.js
|
||||
whitelist ${HOME}/.config/gnome-mplayer
|
||||
whitelist ${HOME}/.cache/gnome-mplayer/plugin
|
||||
include /etc/firejail/whitelist-common.inc
|
||||
|
||||
# experimental features
|
||||
#private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
|
||||
|
|
@ -1,31 +0,0 @@
|
|||
# Firejail profile for atom
|
||||
# This file is overwritten after every install/update
|
||||
# Persistent local customizations
|
||||
include /etc/firejail/atom.local
|
||||
# Persistent global definitions
|
||||
include /etc/firejail/globals.local
|
||||
|
||||
# blacklist /run/user/*/bus
|
||||
|
||||
noblacklist ${HOME}/.atom
|
||||
noblacklist ${HOME}/.config/Atom
|
||||
|
||||
include /etc/firejail/disable-common.inc
|
||||
include /etc/firejail/disable-passwdmgr.inc
|
||||
include /etc/firejail/disable-programs.inc
|
||||
|
||||
caps.keep sys_admin,sys_chroot
|
||||
# net none
|
||||
netfilter
|
||||
nodvd
|
||||
nogroups
|
||||
nosound
|
||||
notv
|
||||
novideo
|
||||
shell none
|
||||
|
||||
private-dev
|
||||
private-tmp
|
||||
|
||||
noexec ${HOME}
|
||||
noexec /tmp
|
||||
|
|
@ -1,99 +0,0 @@
|
|||
# Firejail profile for firefox
|
||||
# This file is overwritten after every install/update
|
||||
# Persistent local customizations
|
||||
include /etc/firejail/firefox.local
|
||||
# Persistent global definitions
|
||||
include /etc/firejail/globals.local
|
||||
|
||||
noblacklist ${HOME}/.cache/mozilla
|
||||
noblacklist ${HOME}/.config/okularpartrc
|
||||
noblacklist ${HOME}/.config/okularrc
|
||||
noblacklist ${HOME}/.config/qpdfview
|
||||
noblacklist ${HOME}/.kde/share/apps/kget
|
||||
noblacklist ${HOME}/.kde/share/apps/okular
|
||||
noblacklist ${HOME}/.kde/share/config/kgetrc
|
||||
noblacklist ${HOME}/.kde/share/config/okularpartrc
|
||||
noblacklist ${HOME}/.kde/share/config/okularrc
|
||||
noblacklist ${HOME}/.kde4/share/apps/kget
|
||||
noblacklist ${HOME}/.kde4/share/apps/okular
|
||||
noblacklist ${HOME}/.kde4/share/config/kgetrc
|
||||
noblacklist ${HOME}/.kde4/share/config/okularpartrc
|
||||
noblacklist ${HOME}/.kde4/share/config/okularrc
|
||||
# noblacklist ${HOME}/.local/share/gnome-shell/extensions
|
||||
noblacklist ${HOME}/.local/share/okular
|
||||
noblacklist ${HOME}/.local/share/qpdfview
|
||||
noblacklist ${HOME}/.mozilla
|
||||
noblacklist ${HOME}/.pki
|
||||
noblacklist ${HOME}/.local/share/pki
|
||||
|
||||
include /etc/firejail/disable-common.inc
|
||||
include /etc/firejail/disable-devel.inc
|
||||
include /etc/firejail/disable-programs.inc
|
||||
|
||||
mkdir ${HOME}/.cache/mozilla/firefox
|
||||
mkdir ${HOME}/.mozilla
|
||||
mkdir ${HOME}/.pki
|
||||
mkdir ${HOME}/.local/share/pki
|
||||
whitelist ${DOWNLOADS}
|
||||
whitelist ${HOME}/.cache/gnome-mplayer/plugin
|
||||
whitelist ${HOME}/.cache/mozilla/firefox
|
||||
whitelist ${HOME}/.config/gnome-mplayer
|
||||
whitelist ${HOME}/.config/okularpartrc
|
||||
whitelist ${HOME}/.config/okularrc
|
||||
whitelist ${HOME}/.config/pipelight-silverlight5.1
|
||||
whitelist ${HOME}/.config/pipelight-widevine
|
||||
whitelist ${HOME}/.config/qpdfview
|
||||
whitelist ${HOME}/.kde/share/apps/kget
|
||||
whitelist ${HOME}/.kde/share/apps/okular
|
||||
whitelist ${HOME}/.kde/share/config/kgetrc
|
||||
whitelist ${HOME}/.kde/share/config/okularpartrc
|
||||
whitelist ${HOME}/.kde/share/config/okularrc
|
||||
whitelist ${HOME}/.kde4/share/apps/kget
|
||||
whitelist ${HOME}/.kde4/share/apps/okular
|
||||
whitelist ${HOME}/.kde4/share/config/kgetrc
|
||||
whitelist ${HOME}/.kde4/share/config/okularpartrc
|
||||
whitelist ${HOME}/.kde4/share/config/okularrc
|
||||
whitelist ${HOME}/.keysnail.js
|
||||
whitelist ${HOME}/.lastpass
|
||||
whitelist ${HOME}/.local/share/gnome-shell/extensions
|
||||
whitelist ${HOME}/.local/share/okular
|
||||
whitelist ${HOME}/.local/share/qpdfview
|
||||
whitelist ${HOME}/.mozilla
|
||||
whitelist ${HOME}/.pentadactyl
|
||||
whitelist ${HOME}/.pentadactylrc
|
||||
whitelist ${HOME}/.pki
|
||||
whitelist ${HOME}/.local/share/pki
|
||||
whitelist ${HOME}/.vimperator
|
||||
whitelist ${HOME}/.vimperatorrc
|
||||
whitelist ${HOME}/.wine-pipelight
|
||||
whitelist ${HOME}/.wine-pipelight64
|
||||
whitelist ${HOME}/.zotero
|
||||
whitelist ${HOME}/dwhelper
|
||||
include /etc/firejail/whitelist-common.inc
|
||||
include /etc/firejail/whitelist-var-common.inc
|
||||
|
||||
caps.drop all
|
||||
# machine-id breaks pulse audio; it should work fine in setups where sound is not required
|
||||
#machine-id
|
||||
netfilter
|
||||
nodvd
|
||||
nogroups
|
||||
nonewprivs
|
||||
noroot
|
||||
notv
|
||||
protocol unix,inet,inet6,netlink
|
||||
#seccomp - replaced with seccomp.drop for Firefox 60
|
||||
seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
|
||||
shell none
|
||||
#tracelog - disabled for Firefox 60
|
||||
|
||||
disable-mnt
|
||||
# firefox requires a shell to launch on Arch.
|
||||
# private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash
|
||||
private-dev
|
||||
# private-etc below works fine on most distributions. There are some problems on CentOS.
|
||||
# private-etc alternatives,iceweasel,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
|
||||
private-tmp
|
||||
|
||||
noexec ${HOME}
|
||||
noexec /tmp
|
||||
|
|
@ -1,44 +0,0 @@
|
|||
# Firejail profile for gedit
|
||||
# This file is overwritten after every install/update
|
||||
# Persistent local customizations
|
||||
include /etc/firejail/gedit.local
|
||||
# Persistent global definitions
|
||||
include /etc/firejail/globals.local
|
||||
|
||||
# blacklist /run/user/*/bus - makes settings immutable
|
||||
|
||||
noblacklist ${HOME}/.config/enchant
|
||||
noblacklist ${HOME}/.config/gedit
|
||||
noblacklist ${HOME}/.gitconfig
|
||||
|
||||
include /etc/firejail/disable-common.inc
|
||||
# include /etc/firejail/disable-devel.inc
|
||||
include /etc/firejail/disable-passwdmgr.inc
|
||||
include /etc/firejail/disable-programs.inc
|
||||
|
||||
include /etc/firejail/whitelist-var-common.inc
|
||||
|
||||
caps.drop all
|
||||
# net none - makes settings immutable
|
||||
machine-id
|
||||
no3d
|
||||
nodvd
|
||||
nogroups
|
||||
nonewprivs
|
||||
noroot
|
||||
nosound
|
||||
notv
|
||||
novideo
|
||||
protocol unix
|
||||
seccomp
|
||||
shell none
|
||||
tracelog
|
||||
|
||||
# private-bin gedit
|
||||
private-dev
|
||||
# private-etc alternatives,fonts
|
||||
#private-lib gedit - disabled; problems when running "firejail gedit"; "firejail /usr/bin/gedit" works fine
|
||||
private-tmp
|
||||
|
||||
noexec ${HOME}
|
||||
noexec /tmp
|
||||
|
|
@ -1,36 +0,0 @@
|
|||
# Firejail profile for libreoffice
|
||||
# This file is overwritten after every install/update
|
||||
# Persistent local customizations
|
||||
include /etc/firejail/libreoffice.local
|
||||
# Persistent global definitions
|
||||
include /etc/firejail/globals.local
|
||||
|
||||
noblacklist ${HOME}/.java
|
||||
noblacklist /usr/local/sbin
|
||||
noblacklist ${HOME}/.config/libreoffice
|
||||
|
||||
include /etc/firejail/disable-common.inc
|
||||
include /etc/firejail/disable-devel.inc
|
||||
include /etc/firejail/disable-passwdmgr.inc
|
||||
include /etc/firejail/disable-programs.inc
|
||||
|
||||
include /etc/firejail/whitelist-var-common.inc
|
||||
|
||||
caps.drop all
|
||||
machine-id
|
||||
netfilter
|
||||
nodvd
|
||||
nogroups
|
||||
#nonewprivs
|
||||
noroot
|
||||
notv
|
||||
#protocol unix,inet,inet6
|
||||
#seccomp
|
||||
shell none
|
||||
#tracelog
|
||||
|
||||
private-dev
|
||||
private-tmp
|
||||
|
||||
noexec ${HOME}
|
||||
noexec /tmp
|
||||
|
|
@ -1,6 +0,0 @@
|
|||
# Firejail profile alias for brave
|
||||
# This file is overwritten after every install/update
|
||||
|
||||
|
||||
# Redirect
|
||||
include /etc/firejail/brave.profile
|
||||
|
|
@ -1,24 +0,0 @@
|
|||
# Firejail profile for brave
|
||||
# This file is overwritten after every install/update
|
||||
# Description: Web browser that blocks ads and trackers by default.
|
||||
# Persistent local customizations
|
||||
include brave.local
|
||||
# Persistent global definitions
|
||||
include globals.local
|
||||
|
||||
noblacklist ${HOME}/.config/brave
|
||||
noblacklist ${HOME}/.config/BraveSoftware
|
||||
# brave uses gpg for built-in password manager
|
||||
noblacklist ${HOME}/.gnupg
|
||||
|
||||
mkdir ${HOME}/.config/brave
|
||||
mkdir ${HOME}/.config/BraveSoftware
|
||||
whitelist ${HOME}/.config/brave
|
||||
whitelist ${HOME}/.config/BraveSoftware
|
||||
whitelist ${HOME}/.gnupg
|
||||
|
||||
# noexec /tmp is included in chromium-common.profile and breaks Brave
|
||||
ignore noexec /tmp
|
||||
|
||||
# Redirect
|
||||
include /etc/firejail/chromium-common.profile
|
||||
|
|
@ -1,35 +0,0 @@
|
|||
# Firejail profile for atom
|
||||
# Description: A hackable text editor for the 21st Century
|
||||
# This file is overwritten after every install/update
|
||||
# Persistent local customizations
|
||||
include atom.local
|
||||
# Persistent global definitions
|
||||
include globals.local
|
||||
|
||||
noblacklist ${HOME}/.atom
|
||||
noblacklist ${HOME}/.config/Atom
|
||||
noblacklist ${HOME}/.cargo/config
|
||||
noblacklist ${HOME}/.cargo/registry
|
||||
|
||||
include disable-common.inc
|
||||
include disable-passwdmgr.inc
|
||||
include disable-programs.inc
|
||||
|
||||
caps.keep sys_admin,sys_chroot
|
||||
# net none
|
||||
netfilter
|
||||
nodbus
|
||||
nodvd
|
||||
nogroups
|
||||
nosound
|
||||
notv
|
||||
nou2f
|
||||
novideo
|
||||
shell none
|
||||
|
||||
private-cache
|
||||
private-dev
|
||||
private-tmp
|
||||
|
||||
noexec ${HOME}
|
||||
noexec /tmp
|
||||
|
|
@ -1,37 +0,0 @@
|
|||
# Firejail profile for atom
|
||||
# Description: A hackable text editor for the 21st Century
|
||||
# This file is overwritten after every install/update
|
||||
# Persistent local customizations
|
||||
include atom.local
|
||||
# Persistent global definitions
|
||||
include globals.local
|
||||
|
||||
noblacklist ${HOME}/.atom
|
||||
noblacklist ${HOME}/.config/Atom
|
||||
noblacklist ${HOME}/.config/git
|
||||
noblacklist ${HOME}/.cargo/config
|
||||
noblacklist ${HOME}/.cargo/registry
|
||||
noblacklist ${HOME}/.gitconfig
|
||||
noblacklist ${HOME}/.git-credentials
|
||||
noblacklist ${HOME}/.pythonrc.py
|
||||
|
||||
include disable-common.inc
|
||||
include disable-exec.inc
|
||||
include disable-passwdmgr.inc
|
||||
include disable-programs.inc
|
||||
|
||||
caps.keep sys_admin,sys_chroot
|
||||
# net none
|
||||
netfilter
|
||||
nodbus
|
||||
nodvd
|
||||
nogroups
|
||||
nosound
|
||||
notv
|
||||
nou2f
|
||||
novideo
|
||||
shell none
|
||||
|
||||
private-cache
|
||||
private-dev
|
||||
private-tmp
|
||||
|
|
@ -1,10 +0,0 @@
|
|||
These are patches for various Firejail versions for the security bug reported by Austin Morton
|
||||
on May 21, 2019:
|
||||
|
||||
Seccomp filters are copied into /run/firejail/mnt, and are writable
|
||||
within the jail. A malicious process can modify files from inside the
|
||||
jail. Processes that are later joined to the jail will not have seccomp
|
||||
filters applied.
|
||||
|
||||
The original discussion thread: https://github.com/netblue30/firejail/issues/2718
|
||||
The fix on mainline: https://github.com/netblue30/firejail/commit/eecf35c2f8249489a1d3e512bb07f0d427183134
|
||||
Binary file not shown.
10
etc/profile-a-l/gimp-3.2.profile
Normal file
10
etc/profile-a-l/gimp-3.2.profile
Normal file
|
|
@ -0,0 +1,10 @@
|
|||
# Firejail profile alias for gimp
|
||||
# This file is overwritten after every install/update
|
||||
# Persistent local customizations
|
||||
include gimp-3.2.local
|
||||
# Persistent global definitions
|
||||
# added by included profile
|
||||
#include globals.local
|
||||
|
||||
# Redirect
|
||||
include gimp.profile
|
||||
|
|
@ -45,7 +45,7 @@ include whitelist-var-common.inc
|
|||
|
||||
apparmor
|
||||
caps.drop all
|
||||
ipc-namespace
|
||||
#ipc-namespace # problems on Arch
|
||||
machine-id
|
||||
net none
|
||||
nodvd
|
||||
|
|
|
|||
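Review bot: Replacing `ipc-namespace` with `#ipc-namespace # problems on Arch` removes IPC-namespace isolation for every user of this profile, while the justification only describes one distribution. The profile's file name is not visible on this page, but the opt-back-in wording used elsewhere in this commit (`# Add the next line to your lutris.local if ...`) fits here too: `#ipc-namespace # problems on Arch (see #ISSUE-PLACEHOLDER); add it to your <profile>.local if you are not affected`, with the real issue reference filled in. That keeps the weaker default documented and gives unaffected users a one-line way to restore the restriction.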
|
|
@ -54,6 +54,7 @@ whitelist ${HOME}/.cache/winetricks
|
|||
whitelist ${HOME}/.config/MangoHud
|
||||
whitelist ${HOME}/.config/lutris
|
||||
whitelist ${HOME}/.local/share/lutris
|
||||
whitelist ${HOME}/.local/share/umu
|
||||
#whitelist ${HOME}/.wine
|
||||
whitelist /usr/share/lutris
|
||||
whitelist /usr/share/wine
|
||||
|
|
@ -78,7 +79,7 @@ notv
|
|||
#nou2f # may break gamepads in certain games (see #6523)
|
||||
novideo
|
||||
protocol unix,inet,inet6,netlink
|
||||
seccomp !clone3,!modify_ldt,!process_vm_readv,!ptrace
|
||||
seccomp !chroot,!clone3,!modify_ldt,!mount,!name_to_handle_at,!pivot_root,!process_vm_readv,!ptrace,!umount2
|
||||
seccomp.32 !modify_ldt
|
||||
|
||||
# Add the next line to your lutris.local if you do not need controller support.
|
||||
|
|
@ -90,4 +91,5 @@ dbus-user.own net.lutris.Lutris
|
|||
dbus-user.talk com.feralinteractive.GameMode
|
||||
dbus-system none
|
||||
|
||||
restrict-namespaces
|
||||
#breaks proton
|
||||
#restrict-namespaces
|
||||
|
|
|
|||
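Review bot: `#restrict-namespaces` at the end of the file drops namespace restriction for all lutris users with only `#breaks proton` as the reason, and the widened `seccomp` line in the earlier hunk (which now also denies chroot, mount, pivot_root, umount2 and name_to_handle_at) looks like the compensating control; stating that relationship in the comment would keep the two lines from being changed independently later. The file already documents an opt-back-in for nou2f (`# Add the next line to your lutris.local if you do not need controller support.`); the same sentence for users who do not run Proton, followed by `#restrict-namespaces` and the issue reference, would make the trade-off explicit. The context line `seccomp.32 !modify_ldt` does not receive the new denials, so if the 32-bit filter is meant to stay narrower a short note saying so would help.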
|
|
@ -59,7 +59,7 @@ disable-mnt
|
|||
#private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim
|
||||
private-cache
|
||||
private-dev
|
||||
private-etc @x11,groff,man_db.conf,manpath.config,sysless
|
||||
private-etc @x11,groff,man_db.conf,manpath.config,sysless,terminfo
|
||||
#private-tmp
|
||||
|
||||
dbus-user none
|
||||
|
|
|
|||
|
|
@ -18,6 +18,7 @@ noblacklist /sys/module
|
|||
nowhitelist /sys/module/nvidia*
|
||||
ignore read-only /sys/module/nvidia*
|
||||
|
||||
allow-bwrap
|
||||
allow-debuggers
|
||||
allusers
|
||||
keep-config-pulse
|
||||
|
|
|
|||
|
|
@ -176,9 +176,10 @@ include globals.local
|
|||
##landlock.fs.execute PATH
|
||||
##include landlock-common.inc
|
||||
|
||||
## Commands that increase access to resources.
|
||||
##
|
||||
## Note: Keep this in sync with ../../etc/profile-m-z/noprofile.profile.
|
||||
# Commands that increase access to resources.
|
||||
#
|
||||
# Note: Keep this in sync with ../../etc/profile-m-z/noprofile.profile.
|
||||
##allow-bwrap
|
||||
##allow-debuggers
|
||||
##allusers
|
||||
##keep-config-pulse
|
||||
|
|
|
|||
|
|
@ -348,6 +348,7 @@ gimp
|
|||
gimp-2.10
|
||||
gimp-2.8
|
||||
gimp-3.0
|
||||
gimp-3.2
|
||||
gist
|
||||
gist-paste
|
||||
git-cola
|
||||
|
|
|
|||
12
src/firecfg/firejail-symlink.sh
Executable file
12
src/firecfg/firejail-symlink.sh
Executable file
|
|
@ -0,0 +1,12 @@
|
|||
#!/bin/sh
|
||||
# This file is part of Firejail project
|
||||
# Copyright (C) 2014-2026 Firejail Authors
|
||||
# License MIT
|
||||
|
||||
FIREJAIL_SYMLINK=1
|
||||
export FIREJAIL_SYMLINK
|
||||
|
||||
bindir="/usr/bin"
|
||||
basename="$(basename "$0")"
|
||||
|
||||
exec firejail "$bindir/$basename" "$@"
|
||||
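Review bot: `bindir="/usr/bin"` is hard-coded, while the build already carries the configured value as `bindir=@bindir@` in config.mk.in (changed in this same commit), so an install with a different prefix would exec a path that does not exist; generating this script from a `.in` template with `@bindir@` substituted, or deriving the directory at runtime, would keep the two in sync. `exec firejail "$bindir/$basename" "$@"` also resolves `firejail` through PATH even though the wrapper is itself reached through PATH via the firecfg symlinks; `exec "$bindir/firejail" ...` would make the call unambiguous, assuming firejail is installed under bindir. The variable name `basename` shadows the command of the same name for the reader (not for the shell); `name="$(basename "$0")"` reads more clearly.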
|
|
@ -484,14 +484,30 @@ void reject_cntrl_chars(const char *fname) {
|
|||
}
|
||||
}
|
||||
|
||||
// Note: Characters intentionally ignored:
|
||||
//
|
||||
// * `'`: Used in some dirnames (see #4614).
|
||||
// * `()`: Used in some dirnames (see #3001 #3156).
|
||||
// * `~`: Might be useful for expansion and seems unlikely to cause problems by
|
||||
// itself.
|
||||
#ifndef METACHARS
|
||||
// All metachars except for ignored chars and chars in other groups.
|
||||
#define METACHARS "!\"#$%&',;<>\\^`{|}"
|
||||
#endif
|
||||
#ifndef GLOBCHARS
|
||||
#define GLOBCHARS "*?[]"
|
||||
#endif
|
||||
|
||||
void reject_meta_chars(const char *fname, int globbing) {
|
||||
assert(fname);
|
||||
|
||||
reject_cntrl_chars(fname);
|
||||
|
||||
const char *reject = "\\&!?\"<>%^{};,*[]";
|
||||
if (globbing)
|
||||
reject = "\\&!\"<>%^{};,"; // file globbing ('*?[]') is allowed
|
||||
const char *reject = METACHARS GLOBCHARS;
|
||||
if (globbing) {
|
||||
// file globbing is allowed
|
||||
reject = METACHARS;
|
||||
}
|
||||
|
||||
const char *c = strpbrk(fname, reject);
|
||||
if (c) {
|
||||
|
|
|
|||
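Review bot: The `#define METACHARS` string contains `'` even though the comment directly above lists `'` as intentionally ignored (see #4614), and the old `reject` string did not contain it, so paths with an apostrophe that reject_meta_chars used to accept are now rejected; either drop the apostrophe from the METACHARS literal or update the ignored-chars note if rejecting it is the intent. Relative to the old string, `#`, `$`, the backtick and `|` are also new to the rejected set, which changes which file names are accepted and is worth a sentence in the commit message. The rest of reject_meta_chars, including the `if (c)` rejection branch, continues past the hunk.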
|
|
@ -154,8 +154,8 @@ function extract_and_install()
|
|||
table_file_basen=$(basename "$table_file")
|
||||
local firejail_header="${table_file_basen%.*}".h
|
||||
|
||||
grep --color=never -v '^[[:space:]]*#' "$table_file" | # Ignore comment lines.
|
||||
grep --color=never -E "^[^[:space:]]+[[:space:]]+($abi_1|$abi_2|$abi_3|$abi_4|$abi_5|$abi_6|$abi_7)\b" | # Keep lines with desired ABIs.
|
||||
grep -v '^[[:space:]]*#' "$table_file" | # Ignore comment lines.
|
||||
grep -E "^[^[:space:]]+[[:space:]]+($abi_1|$abi_2|$abi_3|$abi_4|$abi_5|$abi_6|$abi_7)\b" | # Keep lines with desired ABIs.
|
||||
# Fill the array.
|
||||
sed -E 's/^([0-9]+)[[:space:]]+[^[:space:]]+[[:space:]]+([^[:space:]]+).*/{ "\2", \1 },/' \
|
||||
> "$DEST_DIR"/"$firejail_header"
|
||||
|
|
@ -164,8 +164,8 @@ function extract_and_install()
|
|||
|
||||
ALL_SYSCALLS+="▶ $firejail_header\n"
|
||||
ALL_SYSCALLS+=$(
|
||||
grep --color=never -v '^[[:space:]]*#' "$table_file" |
|
||||
grep --color=never -E "^[^[:space:]]+[[:space:]]+($abi_1|$abi_2|$abi_3|$abi_4|$abi_5|$abi_6|$abi_7)\b" |
|
||||
grep -v '^[[:space:]]*#' "$table_file" |
|
||||
grep -E "^[^[:space:]]+[[:space:]]+($abi_1|$abi_2|$abi_3|$abi_4|$abi_5|$abi_6|$abi_7)\b" |
|
||||
awk '{printf "%s\t%s\t%s\n", $1, $3, $4}' # Keep column 1, 3 and 4.
|
||||
)
|
||||
ALL_SYSCALLS+=$'\n'
|
||||
|
|
|
|||
|
|
@ -16,5 +16,13 @@ echo "TESTING: firecfg (test/firecfg/firecfg.exp)"
|
|||
|
||||
sudo rm -fr /tmp/ttt
|
||||
|
||||
#sudo cp -f firejail-program-args.sh /usr/bin/firejail-program-args
|
||||
#sudo printf 'firejail-program-args\n' >/etc/firejail/firecfg.d/firejail-program-args.conf
|
||||
#sudo firecfg
|
||||
#echo "TESTING: firejail-program-args (test/firecfg/firejail-program-args.exp)"
|
||||
#./firejail-program-args.exp
|
||||
#sudo rm -f /etc/firejail/firecfg.d/firejail-program-args.conf
|
||||
#sudo rm -f /usr/bin/firejail-program-args
|
||||
|
||||
cd ../../
|
||||
./mkgcov.sh
|
||||
|
|
|
|||
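Review bot: The new block is entirely commented out, so test/firecfg/firejail-program-args.exp added in this commit is never run by this script; a one-line comment stating why it is disabled, with the issue it tracks, would stop the next reader from simply uncommenting it. Separately, `#sudo printf 'firejail-program-args\n' >/etc/firejail/firecfg.d/firejail-program-args.conf` would not work once enabled: the redirection is performed by the unprivileged shell before sudo runs, so it fails on a root-owned directory. `printf 'firejail-program-args\n' | sudo tee /etc/firejail/firecfg.d/firejail-program-args.conf >/dev/null` applies the privilege to the write itself.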
57
test/firecfg/firejail-program-args.exp
Normal file
57
test/firecfg/firejail-program-args.exp
Normal file
|
|
@ -0,0 +1,57 @@
|
|||
#!/usr/bin/expect -f
|
||||
# This file is part of Firejail project
|
||||
# Copyright (C) 2014-2026 Firejail Authors
|
||||
# License GPL v2
|
||||
|
||||
set timeout 3
|
||||
spawn $env(SHELL)
|
||||
match_max 100000
|
||||
|
||||
send -- "firecfg --list\r"
|
||||
expect {
|
||||
timeout {puts "TESTING ERROR 0\n";exit}
|
||||
"/usr/local/bin/firejail-program-args"
|
||||
}
|
||||
after 100
|
||||
|
||||
send -- "file /usr/local/bin/firejail-program-args\r"
|
||||
expect {
|
||||
timeout {puts "TESTING ERROR 1\n";exit}
|
||||
-re "firejail-program-args: symbolic link to .*/firejail-symlink" {}
|
||||
"cannot open" {puts "TESTING ERROR 2";exit}
|
||||
}
|
||||
after 100
|
||||
|
||||
send -- "command -V firejail-program-args\r"
|
||||
expect {
|
||||
timeout {puts "TESTING ERROR 3\n";exit}
|
||||
"/usr/local/bin/firejail-program-args" {}
|
||||
"not found" {puts "TESTING ERROR 4";exit}
|
||||
}
|
||||
after 100
|
||||
|
||||
send -- "firejail --version\r"
|
||||
expect {
|
||||
timeout {puts "TESTING ERROR 5\n";exit}
|
||||
"firejail version "
|
||||
}
|
||||
after 100
|
||||
|
||||
# Test that firejail does not intercept `--version` (see #7140).
|
||||
send -- "./firejail-program-args.sh --version\r"
|
||||
expect {
|
||||
timeout {puts "TESTING ERROR 6\n";exit}
|
||||
"firejail-program-args version " {}
|
||||
"firejail version " {puts "TESTING ERROR 7";exit}
|
||||
}
|
||||
after 100
|
||||
|
||||
send -- "firejail-program-args --version\r"
|
||||
expect {
|
||||
timeout {puts "TESTING ERROR 8\n";exit}
|
||||
"firejail-program-args version " {}
|
||||
"firejail version " {puts "TESTING ERROR 9";exit}
|
||||
}
|
||||
after 100
|
||||
|
||||
puts "\nall done\n"
|
||||
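Review bot: The expectations at tests 6 and 8, `"firejail-program-args version "`, do not match what the companion script test/firecfg/firejail-program-args.sh (added in this commit) prints: its format is `'%s: version 1\n'`, giving `firejail-program-args: version 1` (and `firejail-program-args.sh: version 1` when invoked as `./firejail-program-args.sh`), so both blocks will time out with TESTING ERROR 6. Matching on `"firejail-program-args.sh: version "` for test 6 and `"firejail-program-args: version "` for test 8 would align the two files without touching the script. Note also that `exit` in the timeout branches returns status 0, so a harness relying on the exit status would not see the failure; `exit 1` would make it visible.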
22
test/firecfg/firejail-program-args.sh
Executable file
22
test/firecfg/firejail-program-args.sh
Executable file
|
|
@ -0,0 +1,22 @@
|
|||
#!/bin/sh
|
||||
# This file is part of Firejail project
|
||||
# Copyright (C) 2014-2026 Firejail Authors
|
||||
# License GPL v2
|
||||
|
||||
basename="$(basename "$0")"
|
||||
|
||||
if test "$#" -lt 1; then
|
||||
printf '%s: error: missing option\n' "$basename" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
case "$1" in
|
||||
--version)
|
||||
printf '%s: version 1\n' "$basename"
|
||||
break
|
||||
;;
|
||||
*)
|
||||
printf '%s: error: unknown option: %s\n' "$basename" "$1" >&2
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
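Review bot: `break` in the `--version` arm has no enclosing loop; bash prints a warning on stderr there and other shells differ in what they do, so it should be removed — the `;;` already terminates the arm. If the intent is to stop explicitly, `exit 0` after the printf says so without relying on the script falling off the end. Everything else in the script (quoted `$#`, `%s` for `$1` in the error message, diagnostics to stderr) is consistent with the POSIX style of the other new scripts in this commit.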